Rowland,

That was the issue. Windows computer management console showed 0 connections. That obviously wasn't correct. A reboot corrected the issue. ACLs working as expected. I probably should have run a 'netstat' to verify.

Any best practices on who should or shouldn't have uids or gids set in AD? I've read where the Administrator account should not have one set.

On 1/2/2015 1:47 PM, Rowland Penny wrote:
> On 02/01/15 18:35, James wrote:
>> Rowland,
>>
>> Thanks for the clarification. It appears the member server is joined and I have created a share.
>>
>> [demoshare]
>> path = /srv/samba/test
>> read only = no
>>
>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' group allows me access. On my DC's this has worked in the past. Am I missing something? This is the error I receive.
>>
>> \\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
>>
>> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
>
> You seem to have a connection to the share already open, close this and try again.
> If this fails, post the results of:
>
> ls -la /srv/samba/test
>
> and
>
> getfacl /srv/samba/test
>
> Rowland
>
>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>> On 02/01/15 18:01, James wrote:
>>>> Rowland,
>>>>
>>>> That did it! Thank you so much. I do have a question regarding the 'getent' command before setting up file shares. When I run 'getent group Domain\ Users' I get
>>>>
>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>
>>>> Why does it show these specific users? I would assume it would only show my 'tuser'. I don't have uids set for anyone else.
>>>
>>> When you run 'getent group Domain\ Users' it gets the group's gidNumber (10000 in your case) and the contents of any 'member' attributes, so I presume if you examine the group's AD object, you would find 8 'member' attribute lines.
>>>
>>> But if you were to run 'getent passwd user5', you would only get a response if 'user5' has a 'uidNumber'.
>>>
>>> Rowland
>>>
>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>> On 02/01/15 17:26, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> I did forget to change it. Is it as simple as renaming now or did I screw up?
>>>>>>
>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I had a typo in my hosts file which is the reason my initial DNS update failed. Corrected and joined again. Successfully joined and updated DNS A record. I then made sure to give 'Domain users' an id of 10000. I am now able to run 'getent passwd' and see all my domain users! YES! However I still see something that confuses me. When I run 'id tuser' I get the following.
>>>>>>>>
>>>>>>>> uid=2155(tuser) gid=2002(domain_users) groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>
>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>
>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I've gotten a bit further. It appears my use of '.local' is causing the issue from what I've researched. I ran '/etc/init.d/avahi-daemon stop'. This allowed me to successfully join the domain.
>>>>>>>>>>
>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> If you don't mind I'd like to post my member server configuration as I attempt again. This is how my member server (Ubuntu 12.04) is configured after fresh install and prior to Samba build. Anything I'm missing that could cause my issue as I proceed? I assume no other prerequisites must be done on the other DC's either? Thanks.
>>>>>>>>>>>>
>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>
>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>
>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>
>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>
>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>
>>>>>>>>>>> if you are referring to /etc/hostname, then it should just contain 'pfmember1'.
>>>>>>>>>>>
>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to use Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>>>>>
>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>> auto lo
>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>
>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>> auto eth0
>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I forgot to tell you the results were from my Domain Controller and not the member server. Member server returned something to the effect of 'user not found'. I am only starting the 3 services (smbd, nmbd and winbindd) listed in the wiki. Should I be starting Samba with command line switches to start as a member server? Is that even possible?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or original way that samba3 was used, or as an AD DC. If you run samba4 in the classic way, you need to start the smbd & nmbd daemons and optionally the winbind daemon. If you use samba4 as an AD DC, then you only start the samba daemon, this will start any other required daemons, you only start the samba daemon on an AD DC.
>>>>>>>>>>>>>
>>>>>>>>>>>>> As you are trying to set up a member server, you must carry out the tests on the member server.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using your smb.conf as a template and try again.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I decided to start over with a fresh install and attempted again. Only change I made was to start my mappings at 10000. I gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with a gid but I'm still unable to view them using 'id'. I do notice a few strange observations. If I go to another user to attempt to assign a uid, I get the default value of 10000. I would expect 2001 given I set the first user with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following along with the wiki I get stuck at 'Testing the Winbind user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve local machine users. Let me preface by saying this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member Server) and I have a question after reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member server to successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>> Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. For this to work, you need to add 'uidNumber' attributes to your users and a 'gidNumber' attribute to at least the Domain Users group. The numbers that you add must be between the range you set in your smb.conf, again if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are using the std windows start number 10000, which is the way I run samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't use the .local suffix
>>>>>>>>>
>>>>>>>>> But does anything else work?
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>
>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>
>>>>>>> idmap config * : backend = tdb
>>>>>>> idmap config * : range = 2000-9999
>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>
>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>> Just change it, stop samba and winbind, run 'net cache flush' and restart samba & winbind.
>>>>>
>>>>> Rowland
>>>>
>>>> --
>>>> -James
>>
>> --
>> -James

--
-James
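The root cause of the thread (uid 2155 instead of the AD uidNumber 10001 because the 'idmap config EXAMPLE' lines had not been renamed to the real workgroup, so the id came from the '*' tdb range 2000-9999) can be checked mechanically. The following POSIX shell check is an added example, not code from the thread or from the Samba project; the two smb.conf excerpts are constructed to mirror Rowland's working config and James's mistake, and the function names are my own.

```shell
#!/bin/sh
# Constructed smb.conf excerpt modelled on the working config posted in the thread.
SMB_CONF_OK='[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE : schema_mode = rfc2307
'

# Constructed excerpt reproducing the mistake: workgroup renamed, idmap lines not.
# Every AD user then silently gets an id allocated from the '*' tdb range.
SMB_CONF_BROKEN='[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
'

# Print one "<domain> <backend> <low> <high>" line per idmap domain found in $1.
idmap_ranges() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*idmap config/ {
            val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val)
            split($1, kv, ":")
            dom = kv[1]; sub(/^[ \t]*idmap config[ \t]*/, "", dom); gsub(/[ \t]+$/, "", dom)
            opt = kv[2]; gsub(/[ \t]/, "", opt)
            if (opt == "backend") backend[dom] = val
            if (opt == "range") { split(val, r, "-"); lo[dom] = r[1]; hi[dom] = r[2] }
        }
        END { for (d in backend) print d, backend[d], lo[d], hi[d] }'
}

# Report the idmap domain whose range contains numeric id $1 in config $2,
# or "unmapped" when no configured range covers it.
idmap_domain_for() {
    idmap_ranges "$2" | awk -v n="$1" '
        ($3 + 0) <= (n + 0) && (n + 0) <= ($4 + 0) { print $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Consistency check: the domain named by "workgroup" must have an "ad" backend.
# Returns 0 when it does, 1 otherwise (the situation James was in).
idmap_ad_domain_ok() {
    wg=$(printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*workgroup[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v); print v; exit }')
    idmap_ranges "$1" | awk -v wg="$wg" '
        $1 == wg && $2 == "ad" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Usage: classify the two ids seen in the thread against the working config,
# then run the consistency check against the broken one.
for id_num in 2155 10001; do
    printf 'id %s falls in idmap domain: %s\n' "$id_num" \
        "$(idmap_domain_for "$id_num" "$SMB_CONF_OK")"
done
if idmap_ad_domain_ok "$SMB_CONF_BROKEN"; then
    echo "broken config unexpectedly passed"
else
    echo "broken config: no 'ad' backend for workgroup DOMAIN (idmap lines still say EXAMPLE)"
fi
```

An id reported as coming from the '*' domain for an account that has a uidNumber in AD is the signature of exactly this misconfiguration.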
On 02/01/15 18:59, James wrote:
> Rowland,
>
> That was the issue. Windows computer management console showed 0 connections. That obviously wasn't correct. A reboot corrected the issue. ACLs working as expected. I probably should have run a 'netstat' to verify.
>
> Any best practices on who should or shouldn't have uids or gids set in AD? I've read where the Administrator account should not have one set.

Cannot say that I know of any best practices, but I only give Domain Admins and Domain Users a gidNumber and Administrator should already be mapped to root (that is if you changed 'Example' in /etc/samba/smbmap).

Rowland
>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ? >>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the >>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush' >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from >>>>>>>>>>>>>>>>>>>> /etc/nsswitch >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain >>>>>>>>>>>>>>>>>>>> user>' >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then >>>>>>>>>>>>>>>>>> run: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb >>>>>>>>>>>>>>>>>> sAMAccountName=tuser >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Post the (sanitized) result >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such >>>>>>>>>>>>>>>> you are using the std windows start number 10000, which >>>>>>>>>>>>>>>> is the way I run samba. 
Here is my smb.conf from the >>>>>>>>>>>>>>>> laptop I am writing this on: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> [global] >>>>>>>>>>>>>>>> workgroup = EXAMPLE >>>>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>>>> realm = EXAMPLE.COM >>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>>>>>>>> server string = Samba 4 Client %h >>>>>>>>>>>>>>>> winbind enum users = yes >>>>>>>>>>>>>>>> winbind enum groups = yes >>>>>>>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>>>>>>> winbind expand groups = 4 >>>>>>>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>>>>>>> winbind refresh tickets = Yes >>>>>>>>>>>>>>>> winbind normalize names = Yes >>>>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307 >>>>>>>>>>>>>>>> printcap name = cups >>>>>>>>>>>>>>>> cups options = raw >>>>>>>>>>>>>>>> usershare allow guests = yes >>>>>>>>>>>>>>>> domain master = no >>>>>>>>>>>>>>>> local master = no >>>>>>>>>>>>>>>> preferred master = no >>>>>>>>>>>>>>>> os level = 20 >>>>>>>>>>>>>>>> map to guest = bad user >>>>>>>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> -James >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> -James >>>>>>>>>> >>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't >>>>>>>>>> use the .local suffix >>>>>>>>>> >>>>>>>>>> But does anything else work? 
>>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>> >>>>>>>>> -- >>>>>>>>> -James >>>>>>>> >>>>>>>> OK, well it seems to be a step in the right direction :-) >>>>>>>> >>>>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>>>> >>>>>>>> idmap config * : backend = tdb >>>>>>>> idmap config * : range = 2000-9999 >>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>>>> >>>>>>>> They need to be changed for your *WORKGROUP* name. >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> -James >>>>>> >>>>>> Just change it, stop samba and winbind, run 'net cache flush' and >>>>>> restart samba & winbind. >>>>>> >>>>>> Rowland >>>>>> >>>>> >>>>> -- >>>>> -James >>>> >>> >>> -- >>> -James >> > > -- > -James
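The checks Rowland walks through in the thread above (the idmap lines must name the real workgroup, not EXAMPLE, and every uidNumber/gidNumber must fall inside the 'ad' backend's range) can be scripted. The following is an added example, not code from the thread or from Samba: it assumes a user entry in the LDIF form that ldbedit prints, and it encodes the fall-through to the '*' tdb backend that winbind applies when a domain has no idmap block of its own, which is how 'tuser' came back as uid 2155 (allocated from the 2000-9999 range) instead of its uidNumber 10001.

```python
"""Added example, not code from the thread: lint a member server's idmap
setup against a user's RFC2307 attributes, catching the bug the thread
chases (EXAMPLE left in the 'idmap config' lines, so the domain fell through
to the '*' tdb backend and tuser got allocated uid 2155 instead of its
uidNumber 10001), ids outside the 'ad' range, and overlapping ranges."""
import re

# 'idmap config DOMAIN : option = value' (Samba also accepts 'DOMAIN:option')
IDMAP_RE = re.compile(r"^idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_smb_conf(text):
    """Return (params, idmap): [global] key -> value, domain -> {option: value}."""
    params, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.groups()
            dom = dom if dom == "*" else dom.upper()
            idmap.setdefault(dom, {})[key.lower()] = val
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            params[key.strip().lower()] = val.strip()
    return params, idmap


def parse_ldif_entry(text):
    """One LDIF entry (as printed by ldbedit) -> {attribute: [values]}."""
    attrs = {}
    for line in text.splitlines():
        if line.strip():
            key, _, val = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(val.strip())
    return attrs


def check_idmap(smb_conf, user_ldif):
    """Return a list of findings; an empty list means the mapping should work."""
    params, idmap = parse_smb_conf(smb_conf)
    user = parse_ldif_entry(user_ldif)
    findings, ranges = [], {}
    workgroup = params.get("workgroup", "").upper()
    for dom, opts in idmap.items():              # every block needs backend+range
        if "backend" in opts and "range" in opts:
            lo, hi = map(int, opts["range"].replace(" ", "").split("-", 1))
            ranges[dom] = (lo, hi)
        else:
            findings.append("idmap config for %r needs backend and range" % dom)
    doms = sorted(ranges)
    for i, a in enumerate(doms):                 # ranges must be disjoint
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("idmap ranges of %r and %r overlap" % (a, b))
    dom_opts = idmap.get(workgroup)
    if dom_opts is None:                         # the thread's actual bug
        others = [d for d in idmap if d != "*"]
        findings.append("no 'idmap config %s : ...' lines (found %s); the domain "
                        "falls back to the '*' backend and AD uidNumber/gidNumber "
                        "are ignored" % (workgroup, others))
        return findings
    if dom_opts.get("backend", "").lower() != "ad" or workgroup not in ranges:
        findings.append("%s has no usable 'ad' idmap backend" % workgroup)
        return findings
    lo, hi = ranges[workgroup]
    for attr in ("uidnumber", "gidnumber"):      # what the 'ad' backend reads
        vals = user.get(attr)
        if not vals:
            findings.append("user has no %s in AD" % attr)
        elif not lo <= int(vals[0]) <= hi:
            findings.append("%s=%s is outside the %s range %d-%d"
                            % (attr, vals[0], workgroup, lo, hi))
    return findings


# Constructed: James's workgroup is DOMAIN, but the idmap lines still carry
# the EXAMPLE placeholder from Rowland's template.
BROKEN_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
FIXED_SMB_CONF = BROKEN_SMB_CONF.replace("EXAMPLE", "DOMAIN")

# Constructed from the sanitized ldbedit output posted in the thread.
TUSER_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""
```

`check_idmap(BROKEN_SMB_CONF, TUSER_LDIF)` reports the missing DOMAIN block, while the same call with `FIXED_SMB_CONF` returns no findings; feed it your own smb.conf text and an `ldbsearch`/`ldbedit` dump of a user to run the same check.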
Rowland,

Thanks so far for the assistance. I have a question about setting up shares on a member server. How do I map to users or groups that do not display in AD (Everyone, System, Authenticated Users)?

On 1/2/2015 2:08 PM, Rowland Penny wrote:
> On 02/01/15 18:59, James wrote:
>> Rowland,
>>
>> That was the issue. Windows computer management console showed 0 connections. That obviously wasn't correct. A reboot corrected the issue. ACLs working as expected. I probably should have run a 'netstat' to verify.
>>
>> Any best practices on who should or shouldn't have uids or gids set in AD? I've read where the Administrator account should not have one set.
>
> Cannot say that I know of any best practices, but I only give Domain Admins and Domain Users a gidNumber and Administrator should already be mapped to root (that is if you changed 'Example' in /etc/samba/smbmap).
>
> Rowland
>>
>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>> On 02/01/15 18:35, James wrote:
>>>> Rowland,
>>>>
>>>> Thanks for the clarification. It appears the member server is joined and I have created a share.
>>>>
>>>> [demoshare]
>>>>   path = /srv/samba/test
>>>>   read only = no
>>>>
>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' group allows me access. On my DCs this has worked in the past. Am I missing something? This is the error I receive.
>>>>
>>>> \\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
>>>>
>>>> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed.