Rowland,
Thanks so far for the assistance. I have a question about setting
up shares on a member server. How do I map to users or groups that do
not display in AD(Everyone,System,Authenticated Users)?
On 1/2/2015 2:08 PM, Rowland Penny wrote:
> On 02/01/15 18:59, James wrote:
>> Rowland,
>>
>> That was the issue. Windows computer management console showed 0
>> connections. That obviously wasn't correct. A reboot corrected the
>> issue. ACLs working as expected. I probably should have run a
>> 'netstat' to verify.
>>
>> Any best practices on who should or shouldn't have uids or gids
>> set in AD? I've read where the Administrator account should not have
>> one set.
>
> Cannot say that I know of any best practices, but I only give Domain
> Admins and Domain Users a gidNumber and Administrator should already
> be mapped to root (that is if you changed 'Example' in
> /etc/samba/smbmap).
>
> Rowland
>>
>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>> On 02/01/15 18:35, James wrote:
>>>> Rowland,
>>>>
>>>> Thanks for the clarification. It appears the member server is
>>>> joined and I have created a share.
>>>>
>>>> [demoshare]
>>>> path = /srv/samba/test
>>>> read only = no
>>>>
>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per
>>>> the wiki. I can navigate to the share using Windows Explorer. If I
>>>> set the share permissions to only me (Full Control), I can't access
>>>> the share. The 'Everyone' and 'Domain Users' group allows me
>>>> access. On my DCs this has worked in the past. Am I missing
>>>> something? This is the error I receive.
>>>>
>>>> \\pfmember1\demoshare is not accessible. You might not have
>>>> permission to use this network resource. Contact the administrator
>>>> of this server to find out if you have access permissions.
>>>>
>>>> Multiple connections to a server or shared resource by the same
>>>> user, using more than one user name, are not allowed. Disconnect
>>>> all previous connections to the server or shared resource and try
>>>> again.
>>>
>>> You seem to have a connection to the share already open, close this
>>> and try again.
>>> If this fails, post the results of:
>>>
>>> ls -la /srv/samba/test
>>>
>>> and
>>>
>>> getfacl /srv/samba/test
>>>
>>> Rowland
>>>
>>>>
>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:01, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> That did it! Thank you so much. I do have a question
>>>>>> regarding the 'getent' command before setting up file shares.
>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>
>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>
>>>>>> Why does it show these specific users? I would assume it would
>>>>>> only show my 'tuser'. I don't have uids set for anyone else.
>>>>>
>>>>> When you run 'getent group Domain\ Users' it gets the group's
>>>>> gidNumber (10000 in your case) and the contents of any 'member'
>>>>> attributes, so I presume if you examine the group's AD object, you
>>>>> would find 8 'member' attribute lines.
>>>>>
>>>>> But if you were to run 'getent passwd user5', you would only get a
>>>>> response if 'user5' has a 'uidNumber'.
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> I did forget to change it. Is it as simple as renaming now
>>>>>>>> or did I screw up?
>>>>>>>>
>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I had a typo in my hosts file which is the reason my
>>>>>>>>>> initial DNS update failed. Corrected and joined again.
>>>>>>>>>> Successfully joined and updated DNS A record. I then made
>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to
>>>>>>>>>> run 'getent passwd' and see all my domain users! YES! However
>>>>>>>>>> I still see something that confuses me. When I run 'id tuser'
>>>>>>>>>> I get the following.
>>>>>>>>>>
>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>
>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I've gotten a bit further. It appears my use of
>>>>>>>>>>>> '.local' is causing the issue from what I've researched. I
>>>>>>>>>>>> ran '/etc/init.d/avahi-daemon stop'. This allowed me to
>>>>>>>>>>>> successfully join the domain.
>>>>>>>>>>>>
>>>>>>>>>>>> Enter administrator@DOMAIN.LOCAL's password:
>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> If you don't mind I'd like to post my member server
>>>>>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install
>>>>>>>>>>>>>> and prior to Samba build. Anything I'm missing that could
>>>>>>>>>>>>>> cause my issue as I proceed? I assume no other
>>>>>>>>>>>>>> prerequisites must be done on the other DCs either? Thanks.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev
>>>>>>>>>>>>>> libblkid-dev libgnutls-dev libreadline-dev python-dev
>>>>>>>>>>>>>> libpam0g-dev python-dnspython gdb pkg-config libpopt-dev
>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user
>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>
>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should just
>>>>>>>>>>>>> contain 'pfmember1'.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were to
>>>>>>>>>>>>> use Debian Wheezy and backports, you wouldn't have to
>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>>>> # This file describes the network interfaces available on
>>>>>>>>>>>>>> your system
>>>>>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I forgot to tell you the results were from my
>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member
>>>>>>>>>>>>>>>> server returned something to the effect of 'user not
>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd and
>>>>>>>>>>>>>>>> winbindd) listed in the wiki. Should I be starting
>>>>>>>>>>>>>>>> Samba with command line switches to start as a member
>>>>>>>>>>>>>>>> server? Is that even possible?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or
>>>>>>>>>>>>>>> original way that samba3 was used, or as an AD DC. If
>>>>>>>>>>>>>>> you run samba4 in the classic way, you need to start the
>>>>>>>>>>>>>>> smbd & nmbd daemons and optionally the winbind daemon.
>>>>>>>>>>>>>>> If you use samba4 as an AD DC, then you only start the
>>>>>>>>>>>>>>> samba daemon, this will start any other required
>>>>>>>>>>>>>>> daemons, you only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> As you are trying to set up a member server, you must
>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using
>>>>>>>>>>>>>>>> your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install and
>>>>>>>>>>>>>>>>>> attempted again. Only change I made was to start my
>>>>>>>>>>>>>>>>>> mappings at 10000. I gave 'Domain Users' group gid
>>>>>>>>>>>>>>>>>> 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal
>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still
>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent group
>>>>>>>>>>>>>>>>>>>>>> domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users
>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view
>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange
>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to
>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid, I get the default
>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I set
>>>>>>>>>>>>>>>>>>>>>>>> the first user with uid 2000. Groups however
>>>>>>>>>>>>>>>>>>>>>>>> appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck at
>>>>>>>>>>>>>>>>>>>>>>>>>> 'Testing the Winbind user/group mapping'.
>>>>>>>>>>>>>>>>>>>>>>>>>> Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It
>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let
>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is a Ubuntu 12.04
>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the
>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order
>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy
>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>
-----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>
Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>
=SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>
-----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using
>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need
>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users
>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the
>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you add
>>>>>>>>>>>>>>>>>>>>>>>>> must be between the range you set in your
>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, this
>>>>>>>>>>>>>>>>>>>>>>>>> will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the
>>>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from
>>>>>>>>>>>>>>>>>>>>> /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain
>>>>>>>>>>>>>>>>>>>>> user>'
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then
>>>>>>>>>>>>>>>>>>> run:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such
>>>>>>>>>>>>>>>>> you are using the std windows start number 10000,
>>>>>>>>>>>>>>>>> which is the way I run samba. Here is my smb.conf from
>>>>>>>>>>>>>>>>> the laptop I am writing this on:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> OK, you have *now* found out one of the reasons you
>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>
>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>
>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>
>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>
>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>> Just change it, stop samba and winbind, run 'net cache flush'
>>>>>>> and restart samba & winbind.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
--
-James
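The idmap exchange quoted above comes down to one check Rowland did by eye: an id like 2155 falls inside the '*' tdb range (2000-9999), so the per-domain 'ad' block is not being used, either because it is still named 'EXAMPLE' instead of the workgroup or because an old mapping is cached ('net cache flush', restart winbind). Here is that check as an added example; it is not code from the thread or from Samba, and the smb.conf fragment, the `id` output and the function names are constructed for the demonstration.

```python
"""Classify a Samba member server's ids against the smb.conf idmap ranges.
Added example (not from the thread or from Samba): an id inside the '*' range
was allocated locally by tdb, so the per-domain 'ad' block is not in use."""
import re

# Constructed smb.conf fragment mirroring the thread: workgroup DOMAIN, but the
# idmap blocks still say EXAMPLE (the last one without spaces around ':').
SAMPLE_SMB_CONF = """\
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
# Constructed `id tuser` output, as James reported it.
SAMPLE_ID_OUTPUT = ("uid=2155(tuser) gid=2002(domain_users) groups=2002(domain_users),"
                    "2004(remote_desktop_users_group),2001(BUILTIN\\users)")

IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(\S.*?)$", re.I)
ID_PAIR_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_smb_conf(text):
    """Return (workgroup, {idmap_domain: {param: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
        elif re.match(r"workgroup\s*=", line, re.I):
            workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap


def parse_range(spec):
    """'2000-9999' -> (2000, 9999); rejects an inverted range."""
    lo, hi = (int(part) for part in spec.split("-", 1))
    if lo > hi:
        raise ValueError("idmap range low > high: " + spec)
    return lo, hi


def parse_id_output(text):
    """Turn `id` output into {'uid': (n, name), 'gid': (n, name), 'groups': [...]}."""
    uid = re.search(r"uid=(\d+)\(([^)]*)\)", text)
    gid = re.search(r"gid=(\d+)\(([^)]*)\)", text)
    if not (uid and gid):
        raise ValueError("not `id` output: " + text)
    groups = re.search(r"groups=(\S+)", text)
    return {"uid": (int(uid.group(1)), uid.group(2)),
            "gid": (int(gid.group(1)), gid.group(2)),
            "groups": [(int(n), name) for n, name in ID_PAIR_RE.findall(groups.group(1))]
                      if groups else []}


def idmap_domain_for(num, idmap):
    """Name of the idmap block whose range contains num, or None if unmapped."""
    for dom, params in idmap.items():
        if "range" in params:
            lo, hi = parse_range(params["range"])
            if lo <= num <= hi:
                return dom
    return None


def diagnose(smb_conf_text, id_output):
    """Return findings as strings; an empty list means every id was read from AD."""
    workgroup, idmap = parse_smb_conf(smb_conf_text)
    ids = parse_id_output(id_output)
    findings = []
    if workgroup and workgroup not in idmap:
        blocks = ", ".join(sorted(d for d in idmap if d != "*")) or "none"
        findings.append(f"no 'idmap config {workgroup}' block for workgroup {workgroup} "
                        f"(domain blocks present: {blocks}); rename them to {workgroup}")
    for kind, (num, name) in ([("uid", ids["uid"]), ("gid", ids["gid"])]
                              + [("group", g) for g in ids["groups"]]):
        if name.upper().startswith("BUILTIN\\"):
            continue  # BUILTIN groups have no AD gidNumber; the '*' range is expected
        dom = idmap_domain_for(num, idmap)
        if dom is None:
            findings.append(f"{kind} {num} ({name}) lies outside every idmap range")
        elif dom == "*":
            # Rowland's fix: rename the block, then 'net cache flush' and restart winbind
            hint = ("stale cached mapping likely; 'net cache flush' and restart winbind"
                    if workgroup in idmap else "fix the block name first")
            findings.append(f"{kind} {num} ({name}) was allocated by the '*' "
                            f"{idmap['*'].get('backend', '?')} backend (range "
                            f"{idmap['*'].get('range', '?')}), not read from AD; {hint}")
    return findings
```

Run `diagnose(SAMPLE_SMB_CONF, SAMPLE_ID_OUTPUT)` to see the five findings for the thread's broken state; with the blocks renamed to DOMAIN and `id` reporting 10001/10000 it returns an empty list.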
On 05/01/15 13:28, James wrote:
> Rowland,
>
> Thanks so far for the assistance. I have a question about setting
> up shares on a member server. How do I map to users or groups that do
> not display in AD (Everyone, System, Authenticated Users)?

Could you be a bit more specific here, are you talking about mapping
these windows objects to Unix, or something else ?

Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1 >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James, >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Am 31.12.2014 um 15:48 schrieb James:> Hello, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki(Setup a >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server) >>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the >>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf' >>>>>>>>>>>>>>>>>>>>>>>>>>>>> section. >>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order >>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to >>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares? >>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you dont have to. >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a >>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks. >>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy >>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new memberserver >>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania >>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13 >>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Signieren jeder E-Mail hilft Spam zu >>>>>>>>>>>>>>>>>>>>>>>>>>>> reduzieren. Signieren Sie ihre >>>>>>>>>>>>>>>>>>>>>>>>>>>> E-Mail. 
Weiter Informationen unter >>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Mein Schl?ssel liegt auf >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1 >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN >>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt >>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using >>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need >>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users >>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the >>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. the numbers that you add >>>>>>>>>>>>>>>>>>>>>>>>>> must be between the range you set in your >>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki, >>>>>>>>>>>>>>>>>>>>>>>>>> this will be between 500-40000. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ? 
>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the >>>>>>>>>>>>>>>>>>>>>>>> cache with 'net cache flush' >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines >>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain >>>>>>>>>>>>>>>>>>>>>> user>' >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, >>>>>>>>>>>>>>>>>>>> then run: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb >>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Post the (sanitized) result >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such >>>>>>>>>>>>>>>>>> you are using the std windows start number 10000, >>>>>>>>>>>>>>>>>> which is the way I run samba. 
Here is my smb.conf >>>>>>>>>>>>>>>>>> from the laptop I am writing this on: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> [global] >>>>>>>>>>>>>>>>>> workgroup = EXAMPLE >>>>>>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM >>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h >>>>>>>>>>>>>>>>>> winbind enum users = yes >>>>>>>>>>>>>>>>>> winbind enum groups = yes >>>>>>>>>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>>>>>>>>> winbind expand groups = 4 >>>>>>>>>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes >>>>>>>>>>>>>>>>>> winbind normalize names = Yes >>>>>>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307 >>>>>>>>>>>>>>>>>> printcap name = cups >>>>>>>>>>>>>>>>>> cups options = raw >>>>>>>>>>>>>>>>>> usershare allow guests = yes >>>>>>>>>>>>>>>>>> domain master = no >>>>>>>>>>>>>>>>>> local master = no >>>>>>>>>>>>>>>>>> preferred master = no >>>>>>>>>>>>>>>>>> os level = 20 >>>>>>>>>>>>>>>>>> map to guest = bad user >>>>>>>>>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> -James >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> -James >>>>>>>>>>>> >>>>>>>>>>>> OK, you have *now* found out one of the reasons you >>>>>>>>>>>> shouldn't use the .local suffix >>>>>>>>>>>> >>>>>>>>>>>> But does anything else work? 
>>>>>>>>>>>> >>>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> -James >>>>>>>>>> >>>>>>>>>> OK, well it seems to be a step in the right direction :-) >>>>>>>>>> >>>>>>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>>>>>> >>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>>>>>> >>>>>>>>>> They need to be changed for your *WORKGROUP* name. >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> -James >>>>>>>> >>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' >>>>>>>> and restart samba & winbind. >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> -James >>>>>> >>>>> >>>>> -- >>>>> -James >>>> >>> >>> -- >>> -James >> > > -- > -James
Hi Rowland,
Yes. When I create a share I get the expected 'Everyone' group under
'Share Permissions', for example. I'm assuming I must map this object to
Unix so all Windows users can access this share. However, in AD there is
no 'Everyone' group to set a gid on. I wouldn't necessarily expect one
either. I'm currently under the mindset that with a member server I must
have a uid/gid for every object assigned on the share.
On 1/5/2015 8:37 AM, Rowland Penny wrote:
> On 05/01/15 13:28, James wrote:
>> Rowland,
>>
>> Thanks so far for the assistance. I have a question about setting
>> up shares on a member server. How do I map to users or groups that do
>> not display in AD (Everyone, System, Authenticated Users)?
>
> Could you be a bit more specific here, are you talking about mapping
> these Windows objects to Unix, or something else?
>
> Rowland
>>
>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>> On 02/01/15 18:59, James wrote:
>>>> Rowland,
>>>>
>>>> That was the issue. Windows computer management console showed
>>>> 0 connections. That obviously wasn't correct. A reboot corrected
>>>> the issue. ACLs working as expected. I probably should have run a
>>>> 'netstat' to verify.
>>>>
>>>> Any best practices on who should or shouldn't have uid's or
>>>> gid's set in AD? I've read where the Administrator account should
>>>> not have one set.
>>>
>>> Cannot say that I know of any best practices, but I only give Domain
>>> Admins and Domain Users a gidNumber and Administrator should already
>>> be mapped to root (that is if you changed 'Example' in
>>> /etc/samba/smbmap).
>>>
>>> Rowland
>>>>
>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:35, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> Thanks for the clarification. It appears the member server is
>>>>>> joined and I have created a share.
>>>>>>
>>>>>> [demoshare]
>>>>>> path = /srv/samba/test
>>>>>> read only = no
>>>>>>
>>>>>>
>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege'
>>>>>> per the wiki. I can navigate to the share using Windows Explorer.
>>>>>> If I set the share permissions to only me (Full Control), I can't
>>>>>> access the share. The 'Everyone' and 'Domain Users' groups allow
>>>>>> me access. On my DCs this has worked in the past. Am I missing
>>>>>> something? This is the error I receive.
>>>>>>
>>>>>> \\pfmember1\demoshare is not accessible. You might not have
>>>>>> permission to use this network resource. Contact the
>>>>>> administrator of this server to find out if you have access
>>>>>> permissions.
>>>>>>
>>>>>> Multiple connections to a server or shared resource by the same
>>>>>> user, using more than one user name, are not allowed. Disconnect
>>>>>> all previous connections to the server or shared resource and try
>>>>>> again.
>>>>>
>>>>> You seem to have a connection to the share already open, close
>>>>> this and try again.
>>>>> If this fails, post the results of:
>>>>>
>>>>> ls -la /srv/samba/test
>>>>>
>>>>> and
>>>>>
>>>>> getfacl /srv/samba/test
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> That did it! Thank you so much. I do have a question
>>>>>>>> regarding the 'getent' command before setting up file shares.
>>>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>>>
>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>
>>>>>>>> Why does it show these specific users? I would assume it would
>>>>>>>> only show my 'tuser'. I don't have uid's set for anyone else.
>>>>>>>
>>>>>>> When you run 'getent group Domain\ Users' it gets the group's
>>>>>>> gidNumber (10000 in your case) and the contents of any 'member'
>>>>>>> attributes, so I presume if you examine the group's AD object,
>>>>>>> you would find 8 'member' attribute lines.
>>>>>>>
>>>>>>> But if you were to run 'getent passwd user5', you would only get
>>>>>>> a response if 'user5' has a 'uidNumber'.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I did forget to change it. Is it as simple as renaming
>>>>>>>>>> now or did I screw up?
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I had a typo in my hosts file which is the reason my
>>>>>>>>>>>> initial DNS update failed. Corrected and joined again.
>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made
>>>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to
>>>>>>>>>>>> run 'getent passwd' and see all my domain users! YES!
>>>>>>>>>>>> However I still see something that confuses me. When I run
>>>>>>>>>>>> 'id tuser' I get the following.
>>>>>>>>>>>>
>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>
>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of
>>>>>>>>>>>>>> '.local' is causing the issue from what I've researched.
>>>>>>>>>>>>>> I ran '/etc/init.d/avahi-daemon stop'. This allowed me
>>>>>>>>>>>>>> to successfully join the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>> DNS Update for pfmember1.local failed:
>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you don't mind I'd like to post my member server
>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install
>>>>>>>>>>>>>>>> and prior to Samba build. Anything I'm missing that
>>>>>>>>>>>>>>>> could cause my issue as I proceed? I assume no other
>>>>>>>>>>>>>>>> prerequisites must be done on the other DCs either?
>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev
>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev libreadline-dev
>>>>>>>>>>>>>>>> python-dev libpam0g-dev python-dnspython gdb pkg-config
>>>>>>>>>>>>>>>> libpopt-dev libldap2-dev dnsutils libbsd-dev attr
>>>>>>>>>>>>>>>> krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should
>>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were
>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have to
>>>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> #/network/interfaces
>>>>>>>>>>>>>>>> # This file describes the network interfaces available
>>>>>>>>>>>>>>>> on your system
>>>>>>>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my
>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member
>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not
>>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd
>>>>>>>>>>>>>>>>>> and winbindd) listed in the wiki. Should I be
>>>>>>>>>>>>>>>>>> starting Samba with command line switches to start as
>>>>>>>>>>>>>>>>>> a member server? Is that even possible?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic
>>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC.
>>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to
>>>>>>>>>>>>>>>>> start the smbd & nmbd daemons and optionally the
>>>>>>>>>>>>>>>>> winbind daemon. If you use samba4 as an AD DC, then
>>>>>>>>>>>>>>>>> you only start the samba daemon, this will start any
>>>>>>>>>>>>>>>>> other required daemons, you only start the samba
>>>>>>>>>>>>>>>>> daemon on an AD DC.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must
>>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again
>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install
>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to
>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users'
>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still
>>>>>>>>>>>>>>>>>>>> didn't work btw.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal
>>>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still
>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent
>>>>>>>>>>>>>>>>>>>>>>>> group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users
>>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view
>>>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange
>>>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to
>>>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid, I get the default
>>>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I
>>>>>>>>>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups
>>>>>>>>>>>>>>>>>>>>>>>>>> however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at 'Testing the Winbind user/group
>>>>>>>>>>>>>>>>>>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It
>>>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let
>>>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is an Ubuntu 12.04
>>>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using
>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need
>>>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users
>>>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the
>>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. The numbers that you add
>>>>>>>>>>>>>>>>>>>>>>>>>>> must be between the range you set in your
>>>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki,
>>>>>>>>>>>>>>>>>>>>>>>>>>> this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear
>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines
>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a
>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed,
>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such
>>>>>>>>>>>>>>>>>>> you are using the std windows start number 10000,
>>>>>>>>>>>>>>>>>>> which is the way I run samba. Here is my smb.conf
>>>>>>>>>>>>>>>>>>> from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you
>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>
>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>
>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>
>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>
>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush'
>>>>>>>>> and restart samba & winbind.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
--
-James
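The thread turns on two things: the wiki template's `idmap config EXAMPLE` lines must carry the real workgroup name, otherwise domain SIDs fall through to the `*` tdb backend and get ids allocated from 2000-9999 (which is why `id tuser` showed uid 2155 instead of the uidNumber 10001 stored in AD), and, once the `ad` backend is in play, each uidNumber/gidNumber must lie inside the configured range. James's final question, whether 'Everyone' or 'Authenticated Users' need a gid in AD, is answered by the same mechanism: well-known and BUILTIN SIDs are not domain SIDs, so winbind maps them through the default `*` backend and no AD attribute is involved (the `2001(BUILTIN\users)` entry in his `id` output is an id from that range). The checker below is an added example, not code from the thread or from Samba; the smb.conf texts and AD records are constructed (the domain SID is the sanitized one from the thread with its RID removed), and the rule it encodes for which backend handles a SID is the standard winbind behaviour.

```python
"""Offline check of a Samba member server's idmap settings (added example).

Parses the 'idmap config' lines of an smb.conf, decides which idmap backend
winbind would use for a SID, and checks AD uidNumber/gidNumber values against
the configured range. The smb.conf texts and AD records below are constructed.
"""
import re

# Domain part of the sanitized objectSid shown in the thread (RID removed).
DOMAIN_SID = "S-1-5-21-940051827-2291820289-3341758437"

# Constructed: the wiki template's 'EXAMPLE' left unchanged although the real
# workgroup is DOMAIN, the misconfiguration discussed in the thread.
SMB_CONF_UNCHANGED = """\
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""
SMB_CONF_FIXED = SMB_CONF_UNCHANGED.replace("EXAMPLE", "DOMAIN")

# Constructed AD records, modelled on the ldbedit output in the thread.
AD_OBJECTS = {
    "tuser":          {"sid": DOMAIN_SID + "-3126", "uidNumber": 10001},
    "Domain Users":   {"sid": DOMAIN_SID + "-513", "gidNumber": 10000},
    "user5":          {"sid": DOMAIN_SID + "-3130"},          # group member, no uidNumber
    "lowuser":        {"sid": DOMAIN_SID + "-3131", "uidNumber": 2000},
    "Everyone":       {"sid": "S-1-1-0"},                      # well-known SID, no AD object
    "BUILTIN\\Users": {"sid": "S-1-5-32-545"},
}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)", re.I)


def parse_idmap(conf):
    """Return (workgroup, {idmap domain: {option: value}}) from smb.conf text."""
    workgroup, domains = None, {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
            continue
        m = WORKGROUP_RE.match(line)
        if m:
            workgroup = m.group(1).upper()
    return workgroup, domains


def parse_range(spec):
    lo, hi = spec.split("-")
    return int(lo), int(hi)


def placeholder_domains(workgroup, domains):
    """idmap domains that are neither '*' nor the joined workgroup (leftover template names)."""
    return sorted(d for d in domains if d not in ("*", workgroup))


def select_backend(sid, workgroup, domains):
    """Idmap domain winbind consults for this SID.

    Only SIDs of the joined domain use 'idmap config <WORKGROUP>'; well-known
    and BUILTIN SIDs, or a domain with no entry of its own, fall back to '*'.
    """
    if sid.rsplit("-", 1)[0] == DOMAIN_SID and workgroup in domains:
        return workgroup
    return "*"


def check_object(name, workgroup, domains):
    """Classify how winbind resolves one object: returns (status, explanation)."""
    obj = AD_OBJECTS[name]
    dom = select_backend(obj["sid"], workgroup, domains)
    if dom not in domains:
        return ("unmapped", f"{name}: no idmap backend at all for this SID")
    cfg = domains[dom]
    lo, hi = parse_range(cfg["range"])
    if cfg["backend"].lower() != "ad":
        return ("allocated", f"{name}: '{dom}' {cfg['backend']} backend allocates an id "
                             f"from {lo}-{hi}; AD uidNumber/gidNumber is not consulted")
    number = obj.get("uidNumber", obj.get("gidNumber"))
    if number is None:
        return ("missing", f"{name}: ad backend but no uidNumber/gidNumber in AD")
    if not lo <= number <= hi:
        return ("out-of-range", f"{name}: ad backend but {number} is outside {lo}-{hi}")
    return ("ok", f"{name}: ad backend, {number} lies within {lo}-{hi}")


def audit(conf):
    """Run all constructed objects through a config; returns {name: status}."""
    workgroup, domains = parse_idmap(conf)
    report = {name: check_object(name, workgroup, domains)[0] for name in AD_OBJECTS}
    report["_placeholders"] = placeholder_domains(workgroup, domains)
    return report


if __name__ == "__main__":
    for label, conf in (("EXAMPLE unchanged", SMB_CONF_UNCHANGED), ("renamed to DOMAIN", SMB_CONF_FIXED)):
        workgroup, domains = parse_idmap(conf)
        print(f"== {label}: leftover idmap domains = {placeholder_domains(workgroup, domains)}")
        for name in AD_OBJECTS:
            print("   " + check_object(name, workgroup, domains)[1])
```

With the template left unchanged every object, domain users included, comes back as "allocated" from the 2000-9999 tdb range, which is the uid=2155 symptom; after renaming `EXAMPLE` to the workgroup, `tuser` and `Domain Users` resolve from their AD attributes, a user without a uidNumber is reported as missing (the `getent passwd user5` case), a uidNumber below 10000 is flagged as out of range, and the well-known and BUILTIN SIDs still go to `*`, so nothing needs to be added to AD for 'Everyone'. On a real member server the same two facts are checked with `testparm -s | grep idmap` and `getent passwd <user>`, after `net cache flush` and a winbind restart as Rowland describes.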