Hi Rowland,

Yes. When I create a share I get the expected 'Everyone' group under 'Share Permissions' for example. I'm assuming I must map this object to Unix so all Windows users can access this share. However in AD there is no 'Everyone' group to set a gid. I wouldn't necessarily expect one either. I'm currently under the mindset that with a member server I must have a uid/gid for every object assigned on the share.

On 1/5/2015 8:37 AM, Rowland Penny wrote:
> On 05/01/15 13:28, James wrote:
>> Rowland,
>>
>> Thanks so far for the assistance. I have a question about setting
>> up shares on a member server. How do I map to users or groups that do
>> not display in AD (Everyone, System, Authenticated Users)?
>
> Could you be a bit more specific here, are you talking about mapping
> these windows objects to Unix, or something else ?
>
> Rowland
>>
>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>> On 02/01/15 18:59, James wrote:
>>>> Rowland,
>>>>
>>>> That was the issue. Windows computer management console showed
>>>> 0 connections. That obviously wasn't correct. A reboot corrected
>>>> the issue. ACLs working as expected. I probably should have run a
>>>> 'netstat' to verify.
>>>>
>>>> Any best practices on who should or shouldn't have uids or
>>>> gids set in AD? I've read where the Administrator account should
>>>> not have one set.
>>>
>>> Cannot say that I know of any best practices, but I only give Domain
>>> Admins and Domain Users a gidNumber and Administrator should already
>>> be mapped to root (that is if you changed 'Example' in
>>> /etc/samba/smbmap).
>>>
>>> Rowland
>>>>
>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:35, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> Thanks for the clarification. It appears the member server is
>>>>>> joined and I have created a share.
>>>>>>
>>>>>> [demoshare]
>>>>>> path = /srv/samba/test
>>>>>> read only = no
>>>>>>
>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege'
>>>>>> per the wiki. I can navigate to the share using Windows Explorer.
>>>>>> If I set the share permissions to only me (Full Control), I can't
>>>>>> access the share. The 'Everyone' and 'Domain Users' group allows
>>>>>> me access. On my DCs this has worked in the past. Am I missing
>>>>>> something? This is the error I receive.
>>>>>>
>>>>>> \\pfmember1\demoshare is not accessible. You might not have
>>>>>> permission to use this network resource. Contact the
>>>>>> administrator of this server to find out if you have access
>>>>>> permissions.
>>>>>>
>>>>>> Multiple connections to a server or shared resource by the same
>>>>>> user, using more than one user name, are not allowed. Disconnect
>>>>>> all previous connections to the server or shared resource and try
>>>>>> again.
>>>>>
>>>>> You seem to have a connection to the share already open, close
>>>>> this and try again.
>>>>> If this fails, post the results of:
>>>>>
>>>>> ls -la /srv/samba/test
>>>>>
>>>>> and
>>>>>
>>>>> getfacl /srv/samba/test
>>>>>
>>>>> Rowland
>>>>>
>>>>>>
>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> That did it! Thank you so much. I do have a question
>>>>>>>> regarding the 'getent' command before setting up file shares.
>>>>>>>> When I run 'getent group Domain\ Users' I get
>>>>>>>>
>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>
>>>>>>>> Why does it show these specific users? I would assume it would
>>>>>>>> only show my 'tuser'. I don't have uids set for anyone else.
>>>>>>>
>>>>>>> When you run 'getent group Domain\ Users' it gets the group's
>>>>>>> gidNumber (10000 in your case) and the contents of any 'member'
>>>>>>> attributes, so I presume if you examine the group's AD object,
>>>>>>> you would find 8 'member' attribute lines.
>>>>>>>
>>>>>>> But if you were to run 'getent passwd user5', you would only get
>>>>>>> a response if 'user5' has a 'uidNumber'.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>>
>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> I did forget to change it. Is it as simple as renaming
>>>>>>>>>> now or did I screw up?
>>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I had a typo in my hosts file which is the reason my
>>>>>>>>>>>> initial DNS update failed. Corrected and joined again.
>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made
>>>>>>>>>>>> sure to give 'Domain users' an id of 10000. I am now able to
>>>>>>>>>>>> run 'getent passwd' and see all my domain users! YES!
>>>>>>>>>>>> However I still see something that confuses me. When I run
>>>>>>>>>>>> 'id tuser' I get the following.
>>>>>>>>>>>>
>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users)
>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>
>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of
>>>>>>>>>>>>>> '.local' is causing the issue from what I've researched.
>>>>>>>>>>>>>> I ran '/etc/init.d/avahi-daemon stop'. This allowed me
>>>>>>>>>>>>>> to successfully join the domain.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password:
>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>> DNS Update for pfmember1.local failed:
>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If you don't mind I'd like to post my member server
>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my member
>>>>>>>>>>>>>>>> server (Ubuntu 12.04) is configured after fresh install
>>>>>>>>>>>>>>>> and prior to Samba build. Anything I'm missing that
>>>>>>>>>>>>>>>> could cause my issue as I proceed? I assume no other
>>>>>>>>>>>>>>>> prerequisites must be done on the other DCs either?
>>>>>>>>>>>>>>>> Thanks.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev
>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev libreadline-dev
>>>>>>>>>>>>>>>> python-dev libpam0g-dev python-dnspython gdb pkg-config
>>>>>>>>>>>>>>>> libpopt-dev libldap2-dev dnsutils libbsd-dev attr
>>>>>>>>>>>>>>>> krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should
>>>>>>>>>>>>>>> just contain 'pfmember1'.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04? If you were
>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have to
>>>>>>>>>>>>>>> compile samba4.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # /network/interfaces
>>>>>>>>>>>>>>>> # This file describes the network interfaces available
>>>>>>>>>>>>>>>> on your system
>>>>>>>>>>>>>>>> # and how to activate them. For more information, see
>>>>>>>>>>>>>>>> interfaces(5).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my
>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member
>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not
>>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd
>>>>>>>>>>>>>>>>>> and winbindd) listed in the wiki. Should I be
>>>>>>>>>>>>>>>>>> starting Samba with command line switches to start as
>>>>>>>>>>>>>>>>>> a member server? Is that even possible?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic
>>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC.
>>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to
>>>>>>>>>>>>>>>>> start the smbd & nmbd daemons and optionally the
>>>>>>>>>>>>>>>>> winbind daemon. If you use samba4 as an AD DC, then
>>>>>>>>>>>>>>>>> you only start the samba daemon, this will start any
>>>>>>>>>>>>>>>>> other required daemons, you only start the samba
>>>>>>>>>>>>>>>>> daemon on an AD DC.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must
>>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again
>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install
>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to
>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users'
>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still
>>>>>>>>>>>>>>>>>>>> didn't work btw.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal
>>>>>>>>>>>>>>>>>>>>>> line.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still
>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent
>>>>>>>>>>>>>>>>>>>>>>>> group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users
>>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to view
>>>>>>>>>>>>>>>>>>>>>>>>>> them using 'id'. I do notice a few strange
>>>>>>>>>>>>>>>>>>>>>>>>>> observations. If I go to another user to
>>>>>>>>>>>>>>>>>>>>>>>>>> attempt to assign a uid, I get the default
>>>>>>>>>>>>>>>>>>>>>>>>>> value of 10000. I would expect 2001 given I
>>>>>>>>>>>>>>>>>>>>>>>>>> set the first user with uid 2000. Groups
>>>>>>>>>>>>>>>>>>>>>>>>>> however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck
>>>>>>>>>>>>>>>>>>>>>>>>>>>> at 'Testing the Winbind user/group
>>>>>>>>>>>>>>>>>>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It
>>>>>>>>>>>>>>>>>>>>>>>>>>>> will only retrieve local machine users. Let
>>>>>>>>>>>>>>>>>>>>>>>>>>>> me preface by saying this is an Ubuntu 12.04
>>>>>>>>>>>>>>>>>>>>>>>>>>>> server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available on hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using
>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you need
>>>>>>>>>>>>>>>>>>>>>>>>>>> to add 'uidNumber' attributes to your users
>>>>>>>>>>>>>>>>>>>>>>>>>>> and a 'gidNumber' attribute to at least the
>>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group.
>>>>>>>>>>>>>>>>>>>>>>>>>>> The numbers that you add
>>>>>>>>>>>>>>>>>>>>>>>>>>> must be between the range you set in your
>>>>>>>>>>>>>>>>>>>>>>>>>>> smb.conf, again if you followed the wiki,
>>>>>>>>>>>>>>>>>>>>>>>>>>> this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear
>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines
>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a
>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed,
>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such
>>>>>>>>>>>>>>>>>>> you are using the std windows start number 10000,
>>>>>>>>>>>>>>>>>>> which is the way I run samba.
>>>>>>>>>>>>>>>>>>> Here is my smb.conf
>>>>>>>>>>>>>>>>>>> from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you
>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>
>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>
>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>
>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>
>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush'
>>>>>>>>> and restart samba & winbind.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
--
-James
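The root cause Rowland points at in the quoted thread (the `idmap config EXAMPLE` lines left unchanged, so `tuser` was allocated uid 2155 from the `*` tdb range instead of the AD `uidNumber` 10001) can be checked mechanically. The following Python is an example added to this thread, not code from the posters or from Samba; the smb.conf, LDIF and `id` samples below are constructed from the values quoted above.

```python
"""Cross-check Samba idmap ranges against an AD user's rfc2307 attributes
and the uid the member server actually handed out.

Added example; not part of Samba or of the thread participants' files.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the smb.conf quoted in the thread, with the 'EXAMPLE'
# idmap domain left in place while the workgroup is actually DOMAIN.
SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.LOCAL
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""

# Constructed from the sanitized ldbedit output in the thread (trimmed).
USER_LDIF = """
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
"""

# Constructed from the 'id tuser' output in the thread.
ID_OUTPUT = ("uid=2155(tuser) gid=2002(domain_users) "
             "groups=2002(domain_users),2004(remote_desktop_users_group),"
             "2001(BUILTIN\\users)")

# 'idmap config <domain> : <option> = <value>', with or without spaces
# around the colon (the thread shows both spellings).
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {idmap_domain: {option: value}} for every idmap config line."""
    out: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            out.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return out


def parse_range(value: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in value.split("-"))
    return lo, hi


def workgroup(conf: str) -> Optional[str]:
    m = re.search(r"^\s*workgroup\s*=\s*(\S+)", conf, re.M | re.I)
    return m.group(1) if m else None


def check_idmap_config(conf: str) -> List[str]:
    """Problems that make winbind fall back to the '*' allocating backend."""
    problems: List[str] = []
    idmap = parse_idmap(conf)
    wg = workgroup(conf)
    if wg and wg not in idmap:
        problems.append(f"no 'idmap config {wg}' block: domain users get ids from the '*' range")
    for dom in idmap:
        if dom != "*" and wg and dom != wg:
            problems.append(f"idmap block for '{dom}' does not match workgroup '{wg}'")
    ranges = {d: parse_range(o["range"]) for d, o in idmap.items() if "range" in o}
    doms = list(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges for '{a}' and '{b}' overlap")
    return problems


def which_range(conf: str, xid: int) -> Optional[str]:
    """Name of the idmap domain whose range contains xid, or None."""
    for dom, opts in parse_idmap(conf).items():
        if "range" in opts:
            lo, hi = parse_range(opts["range"])
            if lo <= xid <= hi:
                return dom
    return None


def parse_id_output(s: str) -> Tuple[int, int]:
    m = re.match(r"uid=(\d+)\(.*?\)\s+gid=(\d+)", s)
    if not m:
        raise ValueError("unrecognised id(1) output")
    return int(m.group(1)), int(m.group(2))


def ldif_attr(ldif: str, attr: str) -> Optional[int]:
    m = re.search(rf"^{attr}:\s*(\d+)\s*$", ldif, re.M)
    return int(m.group(1)) if m else None


def diagnose(conf: str, ldif: str, id_output: str) -> str:
    """Explain where the uid reported by id(1) came from."""
    uid, _gid = parse_id_output(id_output)
    ad_uid = ldif_attr(ldif, "uidNumber")
    if ad_uid is not None and uid == ad_uid:
        return "ok: uid matches AD uidNumber"
    src = which_range(conf, uid)
    if src == "*":
        return (f"uid {uid} allocated from the '*' tdb range; AD uidNumber "
                f"{ad_uid} ignored (check the idmap domain name)")
    return f"uid {uid} does not match AD uidNumber {ad_uid}; allocated from range '{src}'"


if __name__ == "__main__":
    for p in check_idmap_config(SMB_CONF):
        print("config:", p)
    print(diagnose(SMB_CONF, USER_LDIF, ID_OUTPUT))
```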
On 05/01/15 14:00, James wrote:> Hi Rowland, > > Yes. When I create a share I get the expected 'Everyone' group > under 'Share Permissions' for example. I'm assuming I must map this > object to Unix so all windows users can access this share. However in > AD there is no 'Everyone' group to set a gid. I wouldn't necessarily > expect one either. I'm currently under the mind set that with a member > server I must have a uid/gid for every object assigned on the share.AH, light dawns, you are creating a share on a windows machine and setting the permissions from windows. You cannot really map the users & groups you refer to, because they are windows only users. Samba 4 does map them to xidNumber's via idmap.ldb, you can see them via: ldbedit -e nano -H /var/lib/samba/private/idmap.ldb There is a wiki page you might like to take a look at: https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs Rowland> > On 1/5/2015 8:37 AM, Rowland Penny wrote: >> On 05/01/15 13:28, James wrote: >>> Rowland, >>> >>> Thanks so far for the assistance. I have a question about >>> setting up shares on a member server. How do I map to users or >>> groups that do not display in AD(Everyone,System,Authenticated Users)? >> >> Could you be a bit more specific here, are you talking about mapping >> these windows objects to Unix, or something else ? >> >> Rowland >>> >>> On 1/2/2015 2:08 PM, Rowland Penny wrote: >>>> On 02/01/15 18:59, James wrote: >>>>> Rowland, >>>>> >>>>> That was the issue. Windows computer management console showed >>>>> 0 connections. That obviously wasn't correct. A reboot corrected >>>>> the issue. ACL's working as expected. I probably should have ran a >>>>> 'netstat' to verify. >>>>> >>>>> Any best practices on who should or shouldn't have uid's or >>>>> gid's set in AD? I've read where the Administrator account should >>>>> not have one set. 
>>>> >>>> Cannot say that I know of any best practices, but I only give >>>> Domain Admins and Domain Users a gidNumber and Administrator should >>>> already be mapped to root (that is if you changed 'Example' in >>>> /etc/samba/smbmap). >>>> >>>> Rowland >>>>> >>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote: >>>>>> On 02/01/15 18:35, James wrote: >>>>>>> Rowland, >>>>>>> >>>>>>> Thanks for the clarification. It appears the member server >>>>>>> is joined and I have created a share. >>>>>>> >>>>>>> [demoshare] >>>>>>> path = /srv/samba/test >>>>>>> read only = no >>>>>>> >>>>>>> >>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' >>>>>>> per the wiki. I can navigate to the share using Windows >>>>>>> Explorer. If I set the share permissions to only me(Full >>>>>>> Control). I can't access the share. The 'Everyone' and 'Domain >>>>>>> Users' group allows me access. On my DC's this has worked in the >>>>>>> past. Am I missing something? This is the error I receive. >>>>>>> >>>>>>> \\pfmember1\demoshare is not accessible. You might not have >>>>>>> permission to use this network resource. Contact the >>>>>>> administrator of this server to find out if you have access >>>>>>> permissions. >>>>>>> >>>>>>> Multiple connections to a server or shared resource by the same >>>>>>> user, using more than one user name, are not allowed. Disconnect >>>>>>> all previous connections to the server or shared resource and >>>>>>> try again. >>>>>> >>>>>> You seem to have a connection to the share already open, close >>>>>> this and try again. >>>>>> If this fails, post the results of: >>>>>> >>>>>> ls -la /srv/samba/test >>>>>> >>>>>> and >>>>>> >>>>>> getfacl /srv/samba/test >>>>>> >>>>>> Rowland >>>>>> >>>>>>> >>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote: >>>>>>>> On 02/01/15 18:01, James wrote: >>>>>>>>> Rowland, >>>>>>>>> >>>>>>>>> That did it! Thank you so much. I do have a question >>>>>>>>> regarding the 'getent' command before setting up file shares. 
>>>>>>>>> When I run 'getent group Domain\ Users' I get >>>>>>>>> >>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8 >>>>>>>>> >>>>>>>>> Why does it show these specific users? I would assume it would >>>>>>>>> only show my 'tuser'. I don't have uid's set for anyone else. >>>>>>>> >>>>>>>> When you run 'getent group Domain\ Users' it gets the groups >>>>>>>> gidNumber (10000 in your case) and the contents any 'member' >>>>>>>> attributes, so I presume if you examine the groups AD object, >>>>>>>> you would find 8 'member' attribute lines. >>>>>>>> >>>>>>>> But if you were to run 'getent passwd user5', you would only >>>>>>>> get a response if 'user5' has a 'uidNumber'. >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>>>> >>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote: >>>>>>>>>> On 02/01/15 17:26, James wrote: >>>>>>>>>>> Rowland, >>>>>>>>>>> >>>>>>>>>>> I did forget to change it. Is it as simple as renaming >>>>>>>>>>> now or did I screw up? >>>>>>>>>>> >>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote: >>>>>>>>>>>> On 02/01/15 17:07, James wrote: >>>>>>>>>>>>> Rowland, >>>>>>>>>>>>> >>>>>>>>>>>>> I had a typo in my hosts file which is the reason my >>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. >>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made >>>>>>>>>>>>> sure to give 'Domain users' a id of 10000. I am now able >>>>>>>>>>>>> to run' getent passwd' and see all my domain users! YES! >>>>>>>>>>>>> However I still see something that confuses me. When I run >>>>>>>>>>>>> 'id tuser' I get the following. >>>>>>>>>>>>> >>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) >>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users) >>>>>>>>>>>>> >>>>>>>>>>>>> Why is the uid 2155 and not 10001? 
>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote: >>>>>>>>>>>>>> On 02/01/15 16:57, James wrote: >>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of >>>>>>>>>>>>>>> '.local' is causing the issue from what I've researched. >>>>>>>>>>>>>>> I ran '|/etc/init.d/avahi-daemon stop'. |This allowed >>>>>>>>>>>>>>> me to successfully join the domain. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password: >>>>>>>>>>>>>>> Using short domain name -- DOMAIN >>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local' >>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: >>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED >>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL >>>>>>>>>>>>>>> || >>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote: >>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> If you don't mind I like to post my member server >>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my >>>>>>>>>>>>>>>>> member server(Ubuntu 12.04) is configured after fresh >>>>>>>>>>>>>>>>> install and prior to Samba build. Anything I'm missing >>>>>>>>>>>>>>>>> that could cause my issue as I proceed? I assume no >>>>>>>>>>>>>>>>> other prerequisites must be done on the other DC's >>>>>>>>>>>>>>>>> either? Thanks. 
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> /*# From Wiki for DC build*/ >>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev >>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev >>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev >>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev >>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user >>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> /*# Fstab file*/ >>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> */# Hosts File/* >>>>>>>>>>>>>>>>> 127.0.0.1 localhost >>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts >>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback >>>>>>>>>>>>>>>>> fe00::0 ip6-localnet >>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix >>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes >>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> */# Hostname/* */File/* >>>>>>>>>>>>>>>>> pfmember1.domain.local >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should >>>>>>>>>>>>>>>> just contain 'pfmember1'. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were >>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have >>>>>>>>>>>>>>>> to compile samba4. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> */#/network/interfaces/* >>>>>>>>>>>>>>>>> # This file describes the network interfaces available >>>>>>>>>>>>>>>>> on your system >>>>>>>>>>>>>>>>> # and how to activate them. For more information, see >>>>>>>>>>>>>>>>> interfaces(5). 
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my
>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member
>>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user not
>>>>>>>>>>>>>>>>>>> found'. I am only starting the 3 services (smbd, nmbd
>>>>>>>>>>>>>>>>>>> and winbindd) listed in the wiki. Should I be
>>>>>>>>>>>>>>>>>>> starting Samba with command line switches to start
>>>>>>>>>>>>>>>>>>> as a member server? Is that even possible?
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic
>>>>>>>>>>>>>>>>>> or original way that samba3 was used, or as an AD DC.
>>>>>>>>>>>>>>>>>> If you run samba4 in the classic way, you need to
>>>>>>>>>>>>>>>>>> start the smbd & nmbd daemons and optionally the
>>>>>>>>>>>>>>>>>> winbind daemon. If you use samba4 as an AD DC, then
>>>>>>>>>>>>>>>>>> you only start the samba daemon; this will start any
>>>>>>>>>>>>>>>>>> other required daemons. You only start the samba
>>>>>>>>>>>>>>>>>> daemon on an AD DC.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must
>>>>>>>>>>>>>>>>>> carry out the tests on the member server.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again
>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install
>>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to
>>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users'
>>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still
>>>>>>>>>>>>>>>>>>>>> didn't work btw.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank
>>>>>>>>>>>>>>>>>>>>>>> terminal line.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still
>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent
>>>>>>>>>>>>>>>>>>>>>>>>> group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users
>>>>>>>>>>>>>>>>>>>>>>>>>>> group with a gid but I'm still unable to
>>>>>>>>>>>>>>>>>>>>>>>>>>> view them using 'id'. I do notice a few
>>>>>>>>>>>>>>>>>>>>>>>>>>> strange observations. If I go to another
>>>>>>>>>>>>>>>>>>>>>>>>>>> user to attempt to assign a uid, I get the
>>>>>>>>>>>>>>>>>>>>>>>>>>> default value of 10000. I would expect 2001
>>>>>>>>>>>>>>>>>>>>>>>>>>> given I set the first user with uid 2000.
>>>>>>>>>>>>>>>>>>>>>>>>>>> Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Following along with the wiki I get stuck
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at 'Testing the Winbind user/group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It will only retrieve local machine users.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Let me preface by saying this is an Ubuntu
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> a Samba AD Member Server)
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading the
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'Set up a basic smb.conf'
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> for my member server to
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Sign your e-mail. Further information at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using
>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'ad' backend. For this to work, you
>>>>>>>>>>>>>>>>>>>>>>>>>>>> need to add 'uidNumber' attributes to your
>>>>>>>>>>>>>>>>>>>>>>>>>>>> users and a 'gidNumber' attribute to at
>>>>>>>>>>>>>>>>>>>>>>>>>>>> least the Domain Users group. The numbers
>>>>>>>>>>>>>>>>>>>>>>>>>>>> that you add must be between the range you
>>>>>>>>>>>>>>>>>>>>>>>>>>>> set in your smb.conf, again if you followed
>>>>>>>>>>>>>>>>>>>>>>>>>>>> the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear
>>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines
>>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a
>>>>>>>>>>>>>>>>>>>>>>>> domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed,
>>>>>>>>>>>>>>>>>>>>>> then run:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb
>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as
>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number
>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. Here is my
>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you
>>>>>>>>>>>>>> shouldn't use the .local suffix
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> -James
>>>>>>>>>>>>
>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>
>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>
>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>
>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> -James
>>>>>>>>>>
>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush'
>>>>>>>>>> and restart samba & winbind.
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> -James
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> -James
>>>>>>
>>>>>
>>>>> --
>>>>> -James
>>>>
>>>
>>> --
>>> -James
>>
>
> --
> -James
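Rowland's point in the thread above, that the `idmap config` blocks must name the member server's actual workgroup, and James's earlier `id tuser` output (uid 2155 instead of the uidNumber 10001 set in AD) can be checked mechanically. The Python script below is an added example, not code from the thread, from Rowland, or from the Samba project. It parses the `workgroup` and `idmap config` lines of an smb.conf together with one line of `id` output and reports which backend range each xid landed in; a domain uid or gid that falls inside the `*` range was allocated by the default tdb backend rather than read from AD, which is what happens in Samba when no `idmap config <WORKGROUP>` block matches. The sample smb.conf is constructed here from the idmap lines of Rowland's posted configuration with `workgroup` set to James's short domain name DOMAIN while the idmap blocks still say EXAMPLE; the `id` line is the one James posted.

```python
"""Check where winbind idmap placed the xids shown by `id` (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap lines from Rowland's smb.conf, with
# 'workgroup' set to James's short domain name but the idmap blocks
# still naming EXAMPLE (the mismatch Rowland asks about).
SAMPLE_SMB_CONF = """
[global]
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.LOCAL
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : range = 10000-999999
    idmap config EXAMPLE:schema_mode = rfc2307
"""

# The `id tuser` output James posted (his AD uidNumber was 10001).
SAMPLE_ID_OUTPUT = (
    "uid=2155(tuser) gid=2002(domain_users) "
    "groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\\users)"
)

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
WORKGROUP_RE = re.compile(r"^\s*workgroup\s*=\s*(\S+)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")
XID_RE = re.compile(r"(\d+)\(([^)]*)\)")


@dataclass
class IdmapDomain:
    name: str
    backend: Optional[str] = None
    low: Optional[int] = None
    high: Optional[int] = None

    def contains(self, xid: int) -> bool:
        return self.low is not None and self.high is not None and self.low <= xid <= self.high


def parse_smb_conf(text: str) -> Tuple[Optional[str], Dict[str, IdmapDomain]]:
    """Return (workgroup, {DOMAIN: IdmapDomain}) from smb.conf text."""
    workgroup = None
    domains: Dict[str, IdmapDomain] = {}
    for line in text.splitlines():
        wg = WORKGROUP_RE.match(line)
        if wg:
            workgroup = wg.group(1).upper()
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        name, key, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
        dom = domains.setdefault(name, IdmapDomain(name))
        if key == "backend":
            dom.backend = value.lower()
        elif key == "range":
            r = RANGE_RE.match(value)
            if r:
                dom.low, dom.high = int(r.group(1)), int(r.group(2))
    return workgroup, domains


def parse_id_output(text: str) -> Dict[str, object]:
    """Split `id` output into (uid, name), (gid, name) and [(gid, name), ...]."""
    def first(field: str) -> Tuple[int, str]:
        m = re.search(rf"\b{field}=(\d+)\(([^)]*)\)", text)
        if not m:
            raise ValueError(f"no {field}= field in id output")
        return int(m.group(1)), m.group(2)

    tail = text.partition("groups=")[2]
    groups = [(int(g), n) for g, n in XID_RE.findall(tail)]
    return {"uid": first("uid"), "gid": first("gid"), "groups": groups}


def owning_domain(xid: int, domains: Dict[str, IdmapDomain]) -> Optional[IdmapDomain]:
    """The idmap block whose range contains xid, or None if unmapped."""
    return next((d for d in domains.values() if d.contains(xid)), None)


def check_config(workgroup: Optional[str], domains: Dict[str, IdmapDomain]) -> List[str]:
    """Static checks on the idmap blocks, independent of any `id` output."""
    findings: List[str] = []
    if "*" not in domains:
        findings.append("no 'idmap config *' default block: BUILTIN and foreign SIDs cannot be mapped")
    if workgroup and workgroup not in domains:
        named = sorted(d for d in domains if d != "*")
        findings.append(f"no 'idmap config {workgroup}' block (found {named}); domain SIDs fall "
                        f"through to the '*' backend and AD uidNumber/gidNumber values are ignored")
    ranged = [d for d in domains.values() if d.low is not None]
    for i, a in enumerate(ranged):
        if a.low > a.high:
            findings.append(f"range for '{a.name}' is inverted ({a.low}-{a.high})")
        for b in ranged[i + 1:]:
            if a.low <= b.high and b.low <= a.high:
                findings.append(f"ranges for '{a.name}' and '{b.name}' overlap")
    findings += [f"idmap block '{d.name}' lacks a backend or range"
                 for d in domains.values() if d.backend is None or d.low is None]
    return findings


def diagnose(smb_conf: str, id_output: str) -> List[str]:
    """Config checks plus, for each xid in `id`, whether it came from the '*' backend."""
    workgroup, domains = parse_smb_conf(smb_conf)
    findings = check_config(workgroup, domains)
    ids = parse_id_output(id_output)
    entries = [("uid", ids["uid"]), ("gid", ids["gid"])] + [("group", g) for g in ids["groups"]]
    for label, (xid, name) in entries:
        dom = owning_domain(xid, domains)
        if dom is None:
            findings.append(f"{label} {xid} ({name}) lies outside every configured idmap range")
        elif dom.name == "*" and not name.upper().startswith("BUILTIN\\"):
            # BUILTIN\... groups legitimately live in the '*' range; domain objects do not.
            findings.append(f"{label} {xid} ({name}) was allocated from the '*' {dom.backend} "
                            f"range {dom.low}-{dom.high}, so it was not read from AD")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SMB_CONF, SAMPLE_ID_OUTPUT):
        print("-", finding)
```

Run against the constructed sample it reports the missing `idmap config DOMAIN` block and flags the uid, the primary gid and the two domain groups as tdb-allocated, while leaving `BUILTIN\users` alone; with the blocks renamed to DOMAIN and a fresh `id` after `net cache flush` it reports nothing.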
That is actually the wiki page I am currently referencing in my question. From the wiki you can see the 'Everyone' group. I would normally remove it and add Domain Users or Authenticated Users. That prompted me to ask myself, "what if I wanted the Everyone group to have access?" How does the member server know who the Everyone group is, since the share is created on the server? What mappings, if any, do I need to make sure are in place?

On 1/5/2015 9:12 AM, Rowland Penny wrote:
> On 05/01/15 14:00, James wrote:
>> Hi Rowland,
>>
>> Yes. When I create a share I get the expected 'Everyone' group
>> under 'Share Permissions' for example. I'm assuming I must map this
>> object to Unix so all windows users can access this share. However in
>> AD there is no 'Everyone' group to set a gid. I wouldn't necessarily
>> expect one either. I'm currently under the mindset that with a
>> member server I must have a uid/gid for every object assigned on the
>> share.
>
> AH, light dawns, you are creating a share on a windows machine and
> setting the permissions from windows. You cannot really map the users
> & groups you refer to, because they are windows only users.
>
> Samba 4 does map them to xidNumbers via idmap.ldb, you can see them via:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> There is a wiki page you might like to take a look at:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Rowland
>
>>
>> On 1/5/2015 8:37 AM, Rowland Penny wrote:
>>> On 05/01/15 13:28, James wrote:
>>>> Rowland,
>>>>
>>>> Thanks so far for the assistance. I have a question about
>>>> setting up shares on a member server. How do I map to users or
>>>> groups that do not display in AD (Everyone, System, Authenticated Users)?
>>>
>>> Could you be a bit more specific here, are you talking about mapping
>>> these windows objects to Unix, or something else?
>>> >>> Rowland >>>> >>>> On 1/2/2015 2:08 PM, Rowland Penny wrote: >>>>> On 02/01/15 18:59, James wrote: >>>>>> Rowland, >>>>>> >>>>>> That was the issue. Windows computer management console >>>>>> showed 0 connections. That obviously wasn't correct. A reboot >>>>>> corrected the issue. ACL's working as expected. I probably should >>>>>> have ran a 'netstat' to verify. >>>>>> >>>>>> Any best practices on who should or shouldn't have uid's or >>>>>> gid's set in AD? I've read where the Administrator account should >>>>>> not have one set. >>>>> >>>>> Cannot say that I know of any best practices, but I only give >>>>> Domain Admins and Domain Users a gidNumber and Administrator >>>>> should already be mapped to root (that is if you changed 'Example' >>>>> in /etc/samba/smbmap). >>>>> >>>>> Rowland >>>>>> >>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote: >>>>>>> On 02/01/15 18:35, James wrote: >>>>>>>> Rowland, >>>>>>>> >>>>>>>> Thanks for the clarification. It appears the member server >>>>>>>> is joined and I have created a share. >>>>>>>> >>>>>>>> [demoshare] >>>>>>>> path = /srv/samba/test >>>>>>>> read only = no >>>>>>>> >>>>>>>> >>>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' >>>>>>>> per the wiki. I can navigate to the share using Windows >>>>>>>> Explorer. If I set the share permissions to only me(Full >>>>>>>> Control). I can't access the share. The 'Everyone' and 'Domain >>>>>>>> Users' group allows me access. On my DC's this has worked in >>>>>>>> the past. Am I missing something? This is the error I receive. >>>>>>>> >>>>>>>> \\pfmember1\demoshare is not accessible. You might not have >>>>>>>> permission to use this network resource. Contact the >>>>>>>> administrator of this server to find out if you have access >>>>>>>> permissions. >>>>>>>> >>>>>>>> Multiple connections to a server or shared resource by the same >>>>>>>> user, using more than one user name, are not allowed. 
>>>>>>>> Disconnect all previous connections to the server or shared >>>>>>>> resource and try again. >>>>>>> >>>>>>> You seem to have a connection to the share already open, close >>>>>>> this and try again. >>>>>>> If this fails, post the results of: >>>>>>> >>>>>>> ls -la /srv/samba/test >>>>>>> >>>>>>> and >>>>>>> >>>>>>> getfacl /srv/samba/test >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>>>> >>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote: >>>>>>>>> On 02/01/15 18:01, James wrote: >>>>>>>>>> Rowland, >>>>>>>>>> >>>>>>>>>> That did it! Thank you so much. I do have a question >>>>>>>>>> regarding the 'getent' command before setting up file shares. >>>>>>>>>> When I run 'getent group Domain\ Users' I get >>>>>>>>>> >>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8 >>>>>>>>>> >>>>>>>>>> Why does it show these specific users? I would assume it >>>>>>>>>> would only show my 'tuser'. I don't have uid's set for anyone >>>>>>>>>> else. >>>>>>>>> >>>>>>>>> When you run 'getent group Domain\ Users' it gets the groups >>>>>>>>> gidNumber (10000 in your case) and the contents any 'member' >>>>>>>>> attributes, so I presume if you examine the groups AD object, >>>>>>>>> you would find 8 'member' attribute lines. >>>>>>>>> >>>>>>>>> But if you were to run 'getent passwd user5', you would only >>>>>>>>> get a response if 'user5' has a 'uidNumber'. >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote: >>>>>>>>>>> On 02/01/15 17:26, James wrote: >>>>>>>>>>>> Rowland, >>>>>>>>>>>> >>>>>>>>>>>> I did forget to change it. Is it as simple as renaming >>>>>>>>>>>> now or did I screw up? >>>>>>>>>>>> >>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote: >>>>>>>>>>>>> On 02/01/15 17:07, James wrote: >>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I had a typo in my hosts file which is the reason my >>>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. 
>>>>>>>>>>>>>> Successfully joined and updated DNS A record. I then made >>>>>>>>>>>>>> sure to give 'Domain users' a id of 10000. I am now able >>>>>>>>>>>>>> to run' getent passwd' and see all my domain users! YES! >>>>>>>>>>>>>> However I still see something that confuses me. When I >>>>>>>>>>>>>> run 'id tuser' I get the following. >>>>>>>>>>>>>> >>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) >>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Why is the uid 2155 and not 10001? >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote: >>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote: >>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of >>>>>>>>>>>>>>>> '.local' is causing the issue from what I've >>>>>>>>>>>>>>>> researched. I ran '|/etc/init.d/avahi-daemon stop'. >>>>>>>>>>>>>>>> |This allowed me to successfully join the domain. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password: >>>>>>>>>>>>>>>> Using short domain name -- DOMAIN >>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local' >>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: >>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED >>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL >>>>>>>>>>>>>>>> || >>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote: >>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> If you don't mind I like to post my member server >>>>>>>>>>>>>>>>>> configuration as I attempt again. This is how my >>>>>>>>>>>>>>>>>> member server(Ubuntu 12.04) is configured after fresh >>>>>>>>>>>>>>>>>> install and prior to Samba build. Anything I'm >>>>>>>>>>>>>>>>>> missing that could cause my issue as I proceed? 
I >>>>>>>>>>>>>>>>>> assume no other prerequisites must be done on the >>>>>>>>>>>>>>>>>> other DC's either? Thanks. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> /*# From Wiki for DC build*/ >>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev >>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev >>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev >>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev >>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user >>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> /*# Fstab file*/ >>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> */# Hosts File/* >>>>>>>>>>>>>>>>>> 127.0.0.1 localhost >>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable >>>>>>>>>>>>>>>>>> hosts >>>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback >>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet >>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix >>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes >>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> */# Hostname/* */File/* >>>>>>>>>>>>>>>>>> pfmember1.domain.local >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should >>>>>>>>>>>>>>>>> just contain 'pfmember1'. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were >>>>>>>>>>>>>>>>> to use Debian Wheezy and backports, you wouldn't have >>>>>>>>>>>>>>>>> to compile samba4. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> */#/network/interfaces/* >>>>>>>>>>>>>>>>>> # This file describes the network interfaces >>>>>>>>>>>>>>>>>> available on your system >>>>>>>>>>>>>>>>>> # and how to activate them. For more information, see >>>>>>>>>>>>>>>>>> interfaces(5). 
>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> # The loopback network interface >>>>>>>>>>>>>>>>>> auto lo >>>>>>>>>>>>>>>>>> iface lo inet loopback >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> # The primary network interface >>>>>>>>>>>>>>>>>> auto eth0 >>>>>>>>>>>>>>>>>> iface eth0 inet static >>>>>>>>>>>>>>>>>> address 172.16.232.25 >>>>>>>>>>>>>>>>>> netmask 255.255.255.0 >>>>>>>>>>>>>>>>>> gateway 172.16.232.201 >>>>>>>>>>>>>>>>>> network 172.16.232.0 >>>>>>>>>>>>>>>>>> broadcast 172.16.232.255 >>>>>>>>>>>>>>>>>> dns-search domain.local >>>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29 >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote: >>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my >>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. Member >>>>>>>>>>>>>>>>>>>> server returned something to the effect of 'user >>>>>>>>>>>>>>>>>>>> not found'. I am only starting the 3 >>>>>>>>>>>>>>>>>>>> services(smbd,nmbd and windbindd) listed in the >>>>>>>>>>>>>>>>>>>> wiki. Should I be starting Samba with command line >>>>>>>>>>>>>>>>>>>> switches to start as a member server? Is that even >>>>>>>>>>>>>>>>>>>> possible? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the >>>>>>>>>>>>>>>>>>> classic or original way that samba3 was used, or as >>>>>>>>>>>>>>>>>>> an AD DC. If you run samba4 in the classic way, you >>>>>>>>>>>>>>>>>>> need to start the smbd & nmbd deamons and optionally >>>>>>>>>>>>>>>>>>> the winbind daemon. If you use samba4 as an AD DC, >>>>>>>>>>>>>>>>>>> then you only start the samba daemon, this will >>>>>>>>>>>>>>>>>>> start any other required deamons, you only start the >>>>>>>>>>>>>>>>>>> samba daemon on an AD DC. 
>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you >>>>>>>>>>>>>>>>>>> must carry out the tests on the member server. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Thanks for you smb.conf. I will attempt again >>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote: >>>>>>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install >>>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to >>>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain Users' >>>>>>>>>>>>>>>>>>>>>> group gid 10000 and 'tuser' has uid 10001. Still >>>>>>>>>>>>>>>>>>>>>> didn't work btw. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>> objectClass: top >>>>>>>>>>>>>>>>>>>>>> objectClass: person >>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson >>>>>>>>>>>>>>>>>>>>>> objectClass: user >>>>>>>>>>>>>>>>>>>>>> cn: Test User >>>>>>>>>>>>>>>>>>>>>> sn: User >>>>>>>>>>>>>>>>>>>>>> givenName: Test >>>>>>>>>>>>>>>>>>>>>> instanceType: 4 >>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z >>>>>>>>>>>>>>>>>>>>>> displayName: Test User >>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557 >>>>>>>>>>>>>>>>>>>>>> name: Test User >>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78 >>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048 >>>>>>>>>>>>>>>>>>>>>> codePage: 0 >>>>>>>>>>>>>>>>>>>>>> countryCode: 0 >>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000 >>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513 >>>>>>>>>>>>>>>>>>>>>> objectSid: >>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126 >>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807 >>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser 
>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local
>>>>>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and the domain users group with a gid, but I'm still unable to view them using 'id'. I do notice a few strange observations. If I go to another user to attempt to assign a uid, I get the default value of 10000. I would expect 2001 given I set the first user with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following along with the wiki I get stuck at 'Testing the Winbind user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve local machine users. Let me preface by saying this is an Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member Server) and I have a question after reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member server to successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new member server
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - --
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps reduce spam. Sign your e-mail. Further information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE-----
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. For this to work, you need to add 'uidNumber' attributes to your users and a 'gidNumber' attribute to at least the Domain Users group. The numbers that you add must be between the range you set in your smb.conf; again, if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you?
>>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are using the std windows start number 10000, which is the way I run samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't use the .local suffix
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>>
>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>>
>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' and restart samba & winbind.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> -James
>>>>>
>>>>
>>>> --
>>>> -James
>>>
>>
>> --
>> -James
>
--
-James
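The recurring point in the thread is that with the 'ad' idmap backend every uidNumber and gidNumber stored in AD must fall inside the range configured for the domain in smb.conf, and must not collide with the '*' default range; a value such as uid 2000 with a domain range of 10000-999999 is simply ignored by winbind, which is exactly the "No such user" symptom discussed above. The following is an added example, not code from the thread or from Samba: it parses the 'idmap config' lines of an smb.conf and the LDIF-style records that 'ldbedit' or 'ldbsearch' print, then reports any id outside the domain range and any overlapping ranges. The smb.conf fragment, the second user record and the function names are constructed for illustration (the first record mirrors the attributes James posted).

```python
# Added example: audit RFC2307 uid/gid values against Samba idmap ranges.
# Not from the mailing-list thread or from Samba; sample data is constructed.
import re
from typing import Dict, List, Tuple

# "idmap config <domain> : <key> = <value>"; the colon may have no spaces
# around it, as in "idmap config EXAMPLE:schema_mode = rfc2307".
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def parse_idmap_config(smb_conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    cfg: Dict[str, Dict[str, str]] = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return cfg


def parse_range(spec: str) -> Tuple[int, int]:
    """'10000-999999' -> (10000, 999999); an inverted range is a config error."""
    lo, hi = (int(x) for x in spec.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError(f"inverted idmap range: {spec!r}")
    return lo, hi


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: blank-line separated records of 'attr: value' lines."""
    records: List[Dict[str, str]] = []
    cur: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # record separator
            if cur:
                records.append(cur)
                cur = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                      # ldbedit comments such as "# record 1"
        attr, val = line.split(":", 1)
        cur[attr.strip()] = val.strip()   # repeated attributes keep the last value
    if cur:
        records.append(cur)
    return records


def check_ranges_overlap(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag any two configured ranges (including '*') that overlap."""
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    names = sorted(ranges)
    findings: List[str] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges overlap: {a} {alo}-{ahi} vs {b} {blo}-{bhi}")
    return findings


def check_ids(cfg: Dict[str, Dict[str, str]], records: List[Dict[str, str]],
              domain: str) -> List[str]:
    """Report each uidNumber/gidNumber that the domain's 'ad' backend would ignore."""
    dom = domain.upper()
    opts = cfg.get(dom)
    if not opts or opts.get("backend", "").lower() != "ad" or "range" not in opts:
        return [f"no complete 'idmap config {dom}' stanza with backend = ad"]
    lo, hi = parse_range(opts["range"])
    default = parse_range(cfg["*"]["range"]) if "range" in cfg.get("*", {}) else None
    findings: List[str] = []
    for rec in records:
        name = rec.get("sAMAccountName") or rec.get("dn", "?")
        for attr in ("uidNumber", "gidNumber"):
            if attr not in rec:
                continue
            try:
                n = int(rec[attr])
            except ValueError:
                findings.append(f"{name}: {attr}={rec[attr]!r} is not an integer")
                continue
            if not lo <= n <= hi:
                msg = f"{name}: {attr}={n} outside {dom} range {lo}-{hi}"
                if default and default[0] <= n <= default[1]:
                    msg += " (it sits in the '*' range, so winbind ignores it for this domain)"
                findings.append(msg)
    return findings


# Constructed smb.conf fragment, modelled on the idmap lines quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   security = ADS
   realm = EXAMPLE.COM
   winbind nss info = rfc2307
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : range = 10000-999999
   idmap config EXAMPLE:schema_mode = rfc2307
"""

# Constructed LDIF: record 1 mirrors the posted attributes; record 2 is an
# invented user given uid 2000, which lies in the '*' range, not the AD range.
SAMPLE_LDIF = """\
dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/tuser

dn: CN=Second User,CN=Users,DC=domain,DC=local
sAMAccountName: suser
uidNumber: 2000
gidNumber: 10000
"""


def audit(smb_conf: str, ldif: str, domain: str) -> List[str]:
    """Run both checks and return the combined list of findings."""
    cfg = parse_idmap_config(smb_conf)
    return check_ranges_overlap(cfg) + check_ids(cfg, parse_ldif(ldif), domain)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF, SAMPLE_LDIF, "EXAMPLE") or ["no problems found"]:
        print(finding)
```

On the sample data the audit reports only the invented 'suser' record, whose uidNumber 2000 is outside the EXAMPLE range and inside the '*' tdb range; 'tuser' (10001/10000) passes. On a real member server the LDIF input would come from 'ldbsearch' or 'ldbedit' against sam.ldb as shown in the thread, and the domain argument is the WORKGROUP name used in the 'idmap config' lines.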