That is actually the wiki page I am currently referencing in my question. From the wiki you can see the 'Everyone' group. I would normally remove and add domain users or authenticated users. That prompted me to ask myself "what if I wanted the everyone group to have access"? How does the member server know who the everyone group is since the share is created on the server. What mappings if any do I need to make sure are in place.

On 1/5/2015 9:12 AM, Rowland Penny wrote:
> On 05/01/15 14:00, James wrote:
>> Hi Rowland,
>>
>> Yes. When I create a share I get the expected 'Everyone' group under 'Share Permissions' for example. I'm assuming I must map this object to Unix so all windows users can access this share. However in AD there is no 'Everyone' group to set a gid. I wouldn't necessarily expect one either. I'm currently under the mind set that with a member server I must have a uid/gid for every object assigned on the share.
>
> AH, light dawns, you are creating a share on a windows machine and setting the permissions from windows. You cannot really map the users & groups you refer to, because they are windows only users.
>
> Samba 4 does map them to xidNumbers via idmap.ldb, you can see them via:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> There is a wiki page you might like to take a look at:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs
>
> Rowland
>
>> On 1/5/2015 8:37 AM, Rowland Penny wrote:
>>> On 05/01/15 13:28, James wrote:
>>>> Rowland,
>>>>
>>>> Thanks so far for the assistance. I have a question about setting up shares on a member server. How do I map to users or groups that do not display in AD (Everyone, System, Authenticated Users)?
>>>
>>> Could you be a bit more specific here, are you talking about mapping these windows objects to Unix, or something else ?
>>>
>>> Rowland
>>>
>>>> On 1/2/2015 2:08 PM, Rowland Penny wrote:
>>>>> On 02/01/15 18:59, James wrote:
>>>>>> Rowland,
>>>>>>
>>>>>> That was the issue. Windows computer management console showed 0 connections. That obviously wasn't correct. A reboot corrected the issue. ACLs working as expected. I probably should have run a 'netstat' to verify.
>>>>>>
>>>>>> Any best practices on who should or shouldn't have uids or gids set in AD? I've read where the Administrator account should not have one set.
>>>>>
>>>>> Cannot say that I know of any best practices, but I only give Domain Admins and Domain Users a gidNumber and Administrator should already be mapped to root (that is if you changed 'Example' in /etc/samba/smbmap).
>>>>>
>>>>> Rowland
>>>>>
>>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote:
>>>>>>> On 02/01/15 18:35, James wrote:
>>>>>>>> Rowland,
>>>>>>>>
>>>>>>>> Thanks for the clarification. It appears the member server is joined and I have created a share.
>>>>>>>>
>>>>>>>> [demoshare]
>>>>>>>> path = /srv/samba/test
>>>>>>>> read only = no
>>>>>>>>
>>>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the share using Windows Explorer. If I set the share permissions to only me (Full Control), I can't access the share. The 'Everyone' and 'Domain Users' group allows me access. On my DCs this has worked in the past. Am I missing something? This is the error I receive.
>>>>>>>>
>>>>>>>> \\pfmember1\demoshare is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
>>>>>>>>
>>>>>>>> Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
>>>>>>>
>>>>>>> You seem to have a connection to the share already open, close this and try again.
>>>>>>> If this fails, post the results of:
>>>>>>>
>>>>>>> ls -la /srv/samba/test
>>>>>>>
>>>>>>> and
>>>>>>>
>>>>>>> getfacl /srv/samba/test
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote:
>>>>>>>>> On 02/01/15 18:01, James wrote:
>>>>>>>>>> Rowland,
>>>>>>>>>>
>>>>>>>>>> That did it! Thank you so much. I do have a question regarding the 'getent' command before setting up file shares. When I run 'getent group Domain\ Users' I get
>>>>>>>>>>
>>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8
>>>>>>>>>>
>>>>>>>>>> Why does it show these specific users? I would assume it would only show my 'tuser'. I don't have uids set for anyone else.
>>>>>>>>>
>>>>>>>>> When you run 'getent group Domain\ Users' it gets the group's gidNumber (10000 in your case) and the contents of any 'member' attributes, so I presume if you examine the group's AD object, you would find 8 'member' attribute lines.
>>>>>>>>>
>>>>>>>>> But if you were to run 'getent passwd user5', you would only get a response if 'user5' has a 'uidNumber'.
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote:
>>>>>>>>>>> On 02/01/15 17:26, James wrote:
>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>
>>>>>>>>>>>> I did forget to change it. Is it as simple as renaming now or did I screw up?
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote:
>>>>>>>>>>>>> On 02/01/15 17:07, James wrote:
>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I had a typo in my hosts file which is the reason my initial DNS update failed. Corrected and joined again. Successfully joined and updated DNS A record. I then made sure to give 'Domain users' an id of 10000. I am now able to run 'getent passwd' and see all my domain users! YES! However I still see something that confuses me. When I run 'id tuser' I get the following.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Why is the uid 2155 and not 10001?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote:
>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of '.local' is causing the issue from what I've researched. I ran '/etc/init.d/avahi-daemon stop'. This allowed me to successfully join the domain.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Enter administrator@DOMAIN.LOCAL's password:
>>>>>>>>>>>>>>>> Using short domain name -- DOMAIN
>>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local'
>>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote:
>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> If you don't mind I'd like to post my member server configuration as I attempt again. This is how my member server (Ubuntu 12.04) is configured after fresh install and prior to Samba build. Anything I'm missing that could cause my issue as I proceed? I assume no other prerequisites must be done on the other DCs either? Thanks.
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # From Wiki for DC build
>>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev libpam0g-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # Fstab file
>>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 1 1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # Hosts File
>>>>>>>>>>>>>>>>>> 127.0.0.1 localhost
>>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable hosts
>>>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback
>>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet
>>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix
>>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes
>>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # Hostname File
>>>>>>>>>>>>>>>>>> pfmember1.domain.local
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should just contain 'pfmember1'.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you were to use Debian Wheezy and backports, you wouldn't have to compile samba4.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # /etc/network/interfaces
>>>>>>>>>>>>>>>>>> # This file describes the network interfaces available on your system
>>>>>>>>>>>>>>>>>> # and how to activate them. For more information, see interfaces(5).
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # The loopback network interface
>>>>>>>>>>>>>>>>>> auto lo
>>>>>>>>>>>>>>>>>> iface lo inet loopback
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> # The primary network interface
>>>>>>>>>>>>>>>>>> auto eth0
>>>>>>>>>>>>>>>>>> iface eth0 inet static
>>>>>>>>>>>>>>>>>> address 172.16.232.25
>>>>>>>>>>>>>>>>>> netmask 255.255.255.0
>>>>>>>>>>>>>>>>>> gateway 172.16.232.201
>>>>>>>>>>>>>>>>>> network 172.16.232.0
>>>>>>>>>>>>>>>>>> broadcast 172.16.232.255
>>>>>>>>>>>>>>>>>> dns-search domain.local
>>>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote:
>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my Domain Controller and not the member server. Member server returned something to the effect of 'user not found'. I am only starting the 3 services (smbd, nmbd and winbindd) listed in the wiki. Should I be starting Samba with command line switches to start as a member server? Is that even possible?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the classic or original way that samba3 was used, or as an AD DC. If you run samba4 in the classic way, you need to start the smbd & nmbd daemons and optionally the winbind daemon. If you use samba4 as an AD DC, then you only start the samba daemon, this will start any other required daemons, you only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you must carry out the tests on the member server.
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thanks for your smb.conf. I will attempt again using your smb.conf as a template and try again.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote:
>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install and attempted again. Only change I made was to start my mappings at 10000. I gave 'Domain Users' group gid 10000 and 'tuser' has uid 10001. Still didn't work btw.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>> objectClass: top
>>>>>>>>>>>>>>>>>>>>>> objectClass: person
>>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson
>>>>>>>>>>>>>>>>>>>>>> objectClass: user
>>>>>>>>>>>>>>>>>>>>>> cn: Test User
>>>>>>>>>>>>>>>>>>>>>> sn: User
>>>>>>>>>>>>>>>>>>>>>> givenName: Test
>>>>>>>>>>>>>>>>>>>>>> instanceType: 4
>>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z
>>>>>>>>>>>>>>>>>>>>>> displayName: Test User
>>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557
>>>>>>>>>>>>>>>>>>>>>> name: Test User
>>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78
>>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048
>>>>>>>>>>>>>>>>>>>>>> codePage: 0
>>>>>>>>>>>>>>>>>>>>>> countryCode: 0
>>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000
>>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513
>>>>>>>>>>>>>>>>>>>>>> objectSid: S-1-5-21-940051827-2291820289-3341758437-3126
>>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807
>>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser
>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368
>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser@domain.local
>>>>>>>>>>>>>>>>>>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>>>>>>>>>>>>>>>>>>> uid: tuser
>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser
>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain
>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001
>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh
>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser
>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000
>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z
>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620
>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test User,CN=Users,DC=domain,DC=local
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank terminal line.
>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still amiss. I do receive a response from 'getent group domain users' (users:x:100).
>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain users group with a gid but I'm still unable to view them using 'id'. I do notice a few strange observations. If I go to another user to attempt to assign a uid, I get the default value of 10000. I would expect 2001 given I set the first user with uid 2000. Groups however appear to increment.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. I understand going forward.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member server. Following along with the wiki I get stuck at 'Testing the Winbind user/group mapping'. Wbinfo works as expected but not
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. It will only retrieve local machine users. Let me preface by saying this is a Ubuntu 12.04 server with Samba 4.1.14. Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the wiki (Setup a Samba AD Member Server) and I have a question after reading the 'Set up a basic smb.conf' section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in order for my member server to successfully join and service file shares?
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a krb5.conf file? Thanks.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy krb5.conf to your new memberserver
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -- Stefan Kania
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to reduce spam. Sign your e-mail. More information at http://www.gnupg.org
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is at hkp://subkeys.pgp.net
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be using the 'ad' backend. For this to work, you need to add 'uidNumber' attributes to your users and a 'gidNumber' attribute to at least the Domain Users group. The numbers that you add must be between the range you set in your smb.conf, again if you followed the wiki, this will be between 500-40000.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ? You may have to wait a short time, or clear the cache with 'net cache flush'
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines from /etc/nsswitch
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a domain user>'
>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, then run:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb sAMAccountName=tuser
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as such you are using the std windows start number 10000, which is the way I run samba. Here is my smb.conf from the laptop I am writing this on:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> [global]
>>>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE
>>>>>>>>>>>>>>>>>>>>> security = ADS
>>>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM
>>>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h
>>>>>>>>>>>>>>>>>>>>> winbind enum users = yes
>>>>>>>>>>>>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>>>>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>>>>>>>>>>>>> winbind expand groups = 4
>>>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes
>>>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes
>>>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307
>>>>>>>>>>>>>>>>>>>>> printcap name = cups
>>>>>>>>>>>>>>>>>>>>> cups options = raw
>>>>>>>>>>>>>>>>>>>>> usershare allow guests = yes
>>>>>>>>>>>>>>>>>>>>> domain master = no
>>>>>>>>>>>>>>>>>>>>> local master = no
>>>>>>>>>>>>>>>>>>>>> preferred master = no
>>>>>>>>>>>>>>>>>>>>> os level = 20
>>>>>>>>>>>>>>>>>>>>> map to guest = bad user
>>>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr
>>>>>>>>>>>>>>>>>>>>> map acl inherit = Yes
>>>>>>>>>>>>>>>>>>>>> store dos attributes = Yes
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works.
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you shouldn't use the .local suffix
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> But does anything else work?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> -James
>>>>>>>>>>>>>
>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines:
>>>>>>>>>>>>>
>>>>>>>>>>>>> idmap config * : backend = tdb
>>>>>>>>>>>>> idmap config * : range = 2000-9999
>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad
>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999
>>>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307
>>>>>>>>>>>>>
>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Rowland
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> -James
>>>>>>>>>>>
>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache flush' and restart samba & winbind.
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> -James
>>>>>>>>
>>>>>>>> --
>>>>>>>> -James
>>>>>>
>>>>>> --
>>>>>> -James
>>>>
>>>> --
>>>> -James
>>
>> --
>> -James

--
-James
On 05/01/15 14:59, James wrote:> That is actually the wiki page I am currently referencing in my > question. From the wiki you can see the 'Everyone' group. I would > normally remove and add domain users or authenticated users. That > prompted me to ask myself "what if I wanted the everyone group to have > access"? How does the member server know who the everyone group is > since the share is created on the server. What mappings if any do I > need to make sure are in place.OK, this is a good question :-) If you examine your smb.conf, you should find these two lines: idmap config * : backend = tdb idmap config * : range = 2000-9999 What do they mean ? Well, idmap is fairly obvious, map the ID, '*' is for trusted domains and local groups, 'backend = tdb' is where to store the result, 'range = 2000-9999' is for the numbers to use. So the first line means, store trusted domains and local groups in a tdb file, the second line gives the number to start at (2000) and what the last number will be (9999). The users & groups are allocated numbers as they are found, this means that they could have different numbers on different machines, this is not a problem as they are treated as local identities. It works in a similar way to idmap.ldb on the DC, this is a problem when it comes to 'sysvol', which is why it is advisable to sync idmap.ldb between DC's. OK, how do we prove that it works ? 
Well you referred to 'Everyone', this has the well know SID 'S-1-1-0' Run (on the member server): 'sudo wbinfo -Y S-1-1-0' on mine it returns '2002' So if we now create a directory on the member server sudo mkdir /home/acltest and set an ACL for 'Everyone' sudo setfacl -m g:2002:rwx /home/acltest read the directories ACL's getfacl /home/acltest getfacl: Removing leading '/' from absolute path names # file: home/acltest # owner: root # group: root user::rwx group::r-x group:2002:rwx mask::rwx other::r-x It shows here that group '2002' has full permissions on the directory, but if you share the directory via samba and go to the share on a windows machine, it would show that 'Everyone' has full permissions on the share. Rowland> > On 1/5/2015 9:12 AM, Rowland Penny wrote: >> On 05/01/15 14:00, James wrote: >>> Hi Rowland, >>> >>> Yes. When I create a share I get the expected 'Everyone' group >>> under 'Share Permissions' for example. I'm assuming I must map this >>> object to Unix so all windows users can access this share. However >>> in AD there is no 'Everyone' group to set a gid. I wouldn't >>> necessarily expect one either. I'm currently under the mind set that >>> with a member server I must have a uid/gid for every object assigned >>> on the share. >> >> AH, light dawns, you are creating a share on a windows machine and >> setting the permissions from windows. You cannot really map the users >> & groups you refer to, because they are windows only users. >> >> Samba 4 does map them to xidNumber's via idmap.ldb, you can see them >> via: >> >> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb >> >> There is a wiki page you might like to take a look at: >> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >> >> Rowland >> >>> >>> On 1/5/2015 8:37 AM, Rowland Penny wrote: >>>> On 05/01/15 13:28, James wrote: >>>>> Rowland, >>>>> >>>>> Thanks so far for the assistance. 
I have a question about >>>>> setting up shares on a member server. How do I map to users or >>>>> groups that do not display in AD(Everyone,System,Authenticated >>>>> Users)? >>>> >>>> Could you be a bit more specific here, are you talking about >>>> mapping these windows objects to Unix, or something else ? >>>> >>>> Rowland >>>>> >>>>> On 1/2/2015 2:08 PM, Rowland Penny wrote: >>>>>> On 02/01/15 18:59, James wrote: >>>>>>> Rowland, >>>>>>> >>>>>>> That was the issue. Windows computer management console >>>>>>> showed 0 connections. That obviously wasn't correct. A reboot >>>>>>> corrected the issue. ACL's working as expected. I probably >>>>>>> should have ran a 'netstat' to verify. >>>>>>> >>>>>>> Any best practices on who should or shouldn't have uid's or >>>>>>> gid's set in AD? I've read where the Administrator account >>>>>>> should not have one set. >>>>>> >>>>>> Cannot say that I know of any best practices, but I only give >>>>>> Domain Admins and Domain Users a gidNumber and Administrator >>>>>> should already be mapped to root (that is if you changed >>>>>> 'Example' in /etc/samba/smbmap). >>>>>> >>>>>> Rowland >>>>>>> >>>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote: >>>>>>>> On 02/01/15 18:35, James wrote: >>>>>>>>> Rowland, >>>>>>>>> >>>>>>>>> Thanks for the clarification. It appears the member server >>>>>>>>> is joined and I have created a share. >>>>>>>>> >>>>>>>>> [demoshare] >>>>>>>>> path = /srv/samba/test >>>>>>>>> read only = no >>>>>>>>> >>>>>>>>> >>>>>>>>> I have enabled ACL support and given 'SeDiskOperatorPrivilege' >>>>>>>>> per the wiki. I can navigate to the share using Windows >>>>>>>>> Explorer. If I set the share permissions to only me(Full >>>>>>>>> Control). I can't access the share. The 'Everyone' and 'Domain >>>>>>>>> Users' group allows me access. On my DC's this has worked in >>>>>>>>> the past. Am I missing something? This is the error I receive. >>>>>>>>> >>>>>>>>> \\pfmember1\demoshare is not accessible. 
You might not have >>>>>>>>> permission to use this network resource. Contact the >>>>>>>>> administrator of this server to find out if you have access >>>>>>>>> permissions. >>>>>>>>> >>>>>>>>> Multiple connections to a server or shared resource by the >>>>>>>>> same user, using more than one user name, are not allowed. >>>>>>>>> Disconnect all previous connections to the server or shared >>>>>>>>> resource and try again. >>>>>>>> >>>>>>>> You seem to have a connection to the share already open, close >>>>>>>> this and try again. >>>>>>>> If this fails, post the results of: >>>>>>>> >>>>>>>> ls -la /srv/samba/test >>>>>>>> >>>>>>>> and >>>>>>>> >>>>>>>> getfacl /srv/samba/test >>>>>>>> >>>>>>>> Rowland >>>>>>>> >>>>>>>>> >>>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote: >>>>>>>>>> On 02/01/15 18:01, James wrote: >>>>>>>>>>> Rowland, >>>>>>>>>>> >>>>>>>>>>> That did it! Thank you so much. I do have a question >>>>>>>>>>> regarding the 'getent' command before setting up file >>>>>>>>>>> shares. When I run 'getent group Domain\ Users' I get >>>>>>>>>>> >>>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8 >>>>>>>>>>> >>>>>>>>>>> Why does it show these specific users? I would assume it >>>>>>>>>>> would only show my 'tuser'. I don't have uid's set for >>>>>>>>>>> anyone else. >>>>>>>>>> >>>>>>>>>> When you run 'getent group Domain\ Users' it gets the groups >>>>>>>>>> gidNumber (10000 in your case) and the contents any 'member' >>>>>>>>>> attributes, so I presume if you examine the groups AD object, >>>>>>>>>> you would find 8 'member' attribute lines. >>>>>>>>>> >>>>>>>>>> But if you were to run 'getent passwd user5', you would only >>>>>>>>>> get a response if 'user5' has a 'uidNumber'. >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote: >>>>>>>>>>>> On 02/01/15 17:26, James wrote: >>>>>>>>>>>>> Rowland, >>>>>>>>>>>>> >>>>>>>>>>>>> I did forget to change it. 
Is it as simple as renaming >>>>>>>>>>>>> now or did I screw up? >>>>>>>>>>>>> >>>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote: >>>>>>>>>>>>>> On 02/01/15 17:07, James wrote: >>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> I had a typo in my hosts file which is the reason my >>>>>>>>>>>>>>> initial DNS update failed. Corrected and joined again. >>>>>>>>>>>>>>> Successfully joined and updated DNS A record. I then >>>>>>>>>>>>>>> made sure to give 'Domain users' an id of 10000. I am now >>>>>>>>>>>>>>> able to run 'getent passwd' and see all my domain users! >>>>>>>>>>>>>>> YES! However I still see something that confuses me. >>>>>>>>>>>>>>> When I run 'id tuser' I get the following. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) >>>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Why is the uid 2155 and not 10001? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote: >>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of >>>>>>>>>>>>>>>>> '.local' is causing the issue from what I've >>>>>>>>>>>>>>>>> researched. I ran '/etc/init.d/avahi-daemon stop'. >>>>>>>>>>>>>>>>> This allowed me to successfully join the domain.
>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password: >>>>>>>>>>>>>>>>> Using short domain name -- DOMAIN >>>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local' >>>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: >>>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED >>>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote: >>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> If you don't mind I'd like to post my member >>>>>>>>>>>>>>>>>>> server configuration as I attempt again. This is how >>>>>>>>>>>>>>>>>>> my member server (Ubuntu 12.04) is configured after >>>>>>>>>>>>>>>>>>> fresh install and prior to Samba build. Anything I'm >>>>>>>>>>>>>>>>>>> missing that could cause my issue as I proceed? I >>>>>>>>>>>>>>>>>>> assume no other prerequisites must be done on the >>>>>>>>>>>>>>>>>>> other DC's either? Thanks.
>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # From Wiki for DC build >>>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev >>>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev >>>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev >>>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev >>>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user >>>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # Fstab file >>>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 >>>>>>>>>>>>>>>>>>> 1 1 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # Hosts File >>>>>>>>>>>>>>>>>>> 127.0.0.1 localhost >>>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 capable >>>>>>>>>>>>>>>>>>> hosts >>>>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback >>>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet >>>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix >>>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes >>>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # Hostname File >>>>>>>>>>>>>>>>>>> pfmember1.domain.local >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it should >>>>>>>>>>>>>>>>>> just contain 'pfmember1'. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you >>>>>>>>>>>>>>>>>> were to use Debian Wheezy and backports, you wouldn't >>>>>>>>>>>>>>>>>> have to compile samba4. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> #/network/interfaces >>>>>>>>>>>>>>>>>>> # This file describes the network interfaces >>>>>>>>>>>>>>>>>>> available on your system >>>>>>>>>>>>>>>>>>> # and how to activate them. For more information, >>>>>>>>>>>>>>>>>>> see interfaces(5).
>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # The loopback network interface >>>>>>>>>>>>>>>>>>> auto lo >>>>>>>>>>>>>>>>>>> iface lo inet loopback >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> # The primary network interface >>>>>>>>>>>>>>>>>>> auto eth0 >>>>>>>>>>>>>>>>>>> iface eth0 inet static >>>>>>>>>>>>>>>>>>> address 172.16.232.25 >>>>>>>>>>>>>>>>>>> netmask 255.255.255.0 >>>>>>>>>>>>>>>>>>> gateway 172.16.232.201 >>>>>>>>>>>>>>>>>>> network 172.16.232.0 >>>>>>>>>>>>>>>>>>> broadcast 172.16.232.255 >>>>>>>>>>>>>>>>>>> dns-search domain.local >>>>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29 >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote: >>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my >>>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. >>>>>>>>>>>>>>>>>>>>> Member server returned something to the effect of >>>>>>>>>>>>>>>>>>>>> 'user not found'. I am only starting the 3 >>>>>>>>>>>>>>>>>>>>> services (smbd, nmbd and winbindd) listed in the >>>>>>>>>>>>>>>>>>>>> wiki. Should I be starting Samba with command line >>>>>>>>>>>>>>>>>>>>> switches to start as a member server? Is that even >>>>>>>>>>>>>>>>>>>>> possible? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the >>>>>>>>>>>>>>>>>>>> classic or original way that samba3 was used, or as >>>>>>>>>>>>>>>>>>>> an AD DC. If you run samba4 in the classic way, you >>>>>>>>>>>>>>>>>>>> need to start the smbd & nmbd daemons and >>>>>>>>>>>>>>>>>>>> optionally the winbind daemon. If you use samba4 as >>>>>>>>>>>>>>>>>>>> an AD DC, then you only start the samba daemon, >>>>>>>>>>>>>>>>>>>> this will start any other required daemons, you >>>>>>>>>>>>>>>>>>>> only start the samba daemon on an AD DC.
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you >>>>>>>>>>>>>>>>>>>> must carry out the tests on the member server. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Thanks for you smb.conf. I will attempt again >>>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote: >>>>>>>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh install >>>>>>>>>>>>>>>>>>>>>>> and attempted again. Only change I made was to >>>>>>>>>>>>>>>>>>>>>>> start my mappings at 10000. I gave 'Domain >>>>>>>>>>>>>>>>>>>>>>> Users' group gid 10000 and 'tuser' has uid >>>>>>>>>>>>>>>>>>>>>>> 10001. Still didn't work btw. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>> objectClass: top >>>>>>>>>>>>>>>>>>>>>>> objectClass: person >>>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson >>>>>>>>>>>>>>>>>>>>>>> objectClass: user >>>>>>>>>>>>>>>>>>>>>>> cn: Test User >>>>>>>>>>>>>>>>>>>>>>> sn: User >>>>>>>>>>>>>>>>>>>>>>> givenName: Test >>>>>>>>>>>>>>>>>>>>>>> instanceType: 4 >>>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z >>>>>>>>>>>>>>>>>>>>>>> displayName: Test User >>>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557 >>>>>>>>>>>>>>>>>>>>>>> name: Test User >>>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78 >>>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048 >>>>>>>>>>>>>>>>>>>>>>> codePage: 0 >>>>>>>>>>>>>>>>>>>>>>> countryCode: 0 >>>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000 >>>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513 >>>>>>>>>>>>>>>>>>>>>>> objectSid: >>>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126 >>>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807 
>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser >>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368 >>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local >>>>>>>>>>>>>>>>>>>>>>> objectCategory: >>>>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890 >>>>>>>>>>>>>>>>>>>>>>> uid: tuser >>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser >>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain >>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001 >>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh >>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser >>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000 >>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z >>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620 >>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test >>>>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind >>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank >>>>>>>>>>>>>>>>>>>>>>>>> terminal line. >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still >>>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent >>>>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100). 
>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>> users group with a gid but I'm still >>>>>>>>>>>>>>>>>>>>>>>>>>>>> unable to view them using 'id'. I do >>>>>>>>>>>>>>>>>>>>>>>>>>>>> notice a few strange observations. If I go >>>>>>>>>>>>>>>>>>>>>>>>>>>>> to another user to attempt to assign a >>>>>>>>>>>>>>>>>>>>>>>>>>>>> uid. I get the default value of 10000. I >>>>>>>>>>>>>>>>>>>>>>>>>>>>> would expect 2001 given I set the first >>>>>>>>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear >>>>>>>>>>>>>>>>>>>>>>>>>>>>> to increment. >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about .local. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I understand going forward. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server. Following along with the wiki I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get stuck at 'Testing the Winbind >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user/group mapping'. 
Wbinfo works as >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> expected but not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # id DomainUser >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent passwd >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # getent group >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chown DomainUser:DomainGroup file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> # chgrp DomainGroup file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such user'. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> It will only retrieve local machine >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> users. Let me preface by saying this is >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> an Ubuntu 12.04 server with Samba 4.1.14. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Thanks. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31.12.2014 at 15:48, James wrote:> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki (Setup a Samba AD Member Server) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order for my member server to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> shares? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you don't have to. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new member server >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signing every e-mail helps to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reduce spam. Sign your >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> e-mail.
Further information at >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> My key is available at >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> using the 'ad' backend. For this to work, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you need to add 'uidNumber' attributes to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your users and a 'gidNumber' attribute to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> at least the Domain Users group. The >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> numbers that you add must be within the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> range you set in your smb.conf, again if >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> you followed the wiki, this will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> between 500-40000. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ?
>>>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or clear >>>>>>>>>>>>>>>>>>>>>>>>>>>> the cache with 'net cache flush' >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' lines >>>>>>>>>>>>>>>>>>>>>>>>>> from /etc/nsswitch >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a >>>>>>>>>>>>>>>>>>>>>>>>>> domain user>' >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already installed, >>>>>>>>>>>>>>>>>>>>>>>> then run: >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H >>>>>>>>>>>>>>>>>>>>>>>> /var/lib/samba/private/sam.ldb >>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as >>>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number >>>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. 
Here is my >>>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> [global] >>>>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE >>>>>>>>>>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM >>>>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h >>>>>>>>>>>>>>>>>>>>>> winbind enum users = yes >>>>>>>>>>>>>>>>>>>>>> winbind enum groups = yes >>>>>>>>>>>>>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>>>>>>>>>>>>> winbind expand groups = 4 >>>>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes >>>>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes >>>>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = rfc2307 >>>>>>>>>>>>>>>>>>>>>> printcap name = cups >>>>>>>>>>>>>>>>>>>>>> cups options = raw >>>>>>>>>>>>>>>>>>>>>> usershare allow guests = yes >>>>>>>>>>>>>>>>>>>>>> domain master = no >>>>>>>>>>>>>>>>>>>>>> local master = no >>>>>>>>>>>>>>>>>>>>>> preferred master = no >>>>>>>>>>>>>>>>>>>>>> os level = 20 >>>>>>>>>>>>>>>>>>>>>> map to guest = bad user >>>>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>>>>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>>>>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works. 
>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> -James >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> -James >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you >>>>>>>>>>>>>>>> shouldn't use the .local suffix >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> But does anything else work? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> -James >>>>>>>>>>>>>> >>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-) >>>>>>>>>>>>>> >>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>>>>>>>>>> >>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>>>>>>>>>> >>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> -James >>>>>>>>>>>> >>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache >>>>>>>>>>>> flush' and restart samba & winbind. >>>>>>>>>>>> >>>>>>>>>>>> Rowland >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> -- >>>>>>>>>>> -James >>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> -James >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> -James >>>>>> >>>>> >>>>> -- >>>>> -James >>>> >>> >>> -- >>> -James >> > > -- > -James
Rowland, Thanks. I understand now. On 1/5/2015 11:00 AM, Rowland Penny wrote:> On 05/01/15 14:59, James wrote: >> That is actually the wiki page I am currently referencing in my >> question. From the wiki you can see the 'Everyone' group. I would >> normally remove and add domain users or authenticated users. That >> prompted me to ask myself "what if I wanted the everyone group to >> have access"? How does the member server know who the everyone group >> is since the share is created on the server. What mappings if any do >> I need to make sure are in place. > > OK, this is a good question :-) > > If you examine your smb.conf, you should find these two lines: > > idmap config * : backend = tdb > idmap config * : range = 2000-9999 > > What do they mean ? > > Well, idmap is fairly obvious, map the ID, '*' is for trusted domains > and local groups, 'backend = tdb' is where to store the result, 'range > = 2000-9999' is for the numbers to use. > So the first line means, store trusted domains and local groups in a > tdb file, the second line gives the number to start at (2000) and what > the last number will be (9999). The users & groups are allocated > numbers as they are found, this means that they could have different > numbers on different machines, this is not a problem as they are > treated as local identities. It works in a similar way to idmap.ldb on > the DC, this is a problem when it comes to 'sysvol', which is why it > is advisable to sync idmap.ldb between DC's. > > OK, how do we prove that it works ? 
> > Well you referred to 'Everyone', this has the well-known SID 'S-1-1-0' > > Run (on the member server): 'sudo wbinfo -Y S-1-1-0' > > on mine it returns '2002' > > So if we now create a directory on the member server > > sudo mkdir /home/acltest > > and set an ACL for 'Everyone' > > sudo setfacl -m g:2002:rwx /home/acltest > > read the directory's ACLs > > getfacl /home/acltest > getfacl: Removing leading '/' from absolute path names > # file: home/acltest > # owner: root > # group: root > user::rwx > group::r-x > group:2002:rwx > mask::rwx > other::r-x > > It shows here that group '2002' has full permissions on the directory, > but if you share the directory via samba and go to the share on a > windows machine, it would show that 'Everyone' has full permissions on > the share. > > Rowland >> >> On 1/5/2015 9:12 AM, Rowland Penny wrote: >>> On 05/01/15 14:00, James wrote: >>>> Hi Rowland, >>>> >>>> Yes. When I create a share I get the expected 'Everyone' group >>>> under 'Share Permissions' for example. I'm assuming I must map this >>>> object to Unix so all windows users can access this share. However >>>> in AD there is no 'Everyone' group to set a gid. I wouldn't >>>> necessarily expect one either. I'm currently under the mind set >>>> that with a member server I must have a uid/gid for every object >>>> assigned on the share. >>> >>> AH, light dawns, you are creating a share on a windows machine and >>> setting the permissions from windows. You cannot really map the >>> users & groups you refer to, because they are windows only users.
>>> >>> Samba 4 does map them to xidNumber's via idmap.ldb, you can see them >>> via: >>> >>> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb >>> >>> There is a wiki page you might like to take a look at: >>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares_with_Windows_ACLs >>> >>> Rowland >>> >>>> >>>> On 1/5/2015 8:37 AM, Rowland Penny wrote: >>>>> On 05/01/15 13:28, James wrote: >>>>>> Rowland, >>>>>> >>>>>> Thanks so far for the assistance. I have a question about >>>>>> setting up shares on a member server. How do I map to users or >>>>>> groups that do not display in AD(Everyone,System,Authenticated >>>>>> Users)? >>>>> >>>>> Could you be a bit more specific here, are you talking about >>>>> mapping these windows objects to Unix, or something else ? >>>>> >>>>> Rowland >>>>>> >>>>>> On 1/2/2015 2:08 PM, Rowland Penny wrote: >>>>>>> On 02/01/15 18:59, James wrote: >>>>>>>> Rowland, >>>>>>>> >>>>>>>> That was the issue. Windows computer management console >>>>>>>> showed 0 connections. That obviously wasn't correct. A reboot >>>>>>>> corrected the issue. ACL's working as expected. I probably >>>>>>>> should have ran a 'netstat' to verify. >>>>>>>> >>>>>>>> Any best practices on who should or shouldn't have uid's or >>>>>>>> gid's set in AD? I've read where the Administrator account >>>>>>>> should not have one set. >>>>>>> >>>>>>> Cannot say that I know of any best practices, but I only give >>>>>>> Domain Admins and Domain Users a gidNumber and Administrator >>>>>>> should already be mapped to root (that is if you changed >>>>>>> 'Example' in /etc/samba/smbmap). >>>>>>> >>>>>>> Rowland >>>>>>>> >>>>>>>> On 1/2/2015 1:47 PM, Rowland Penny wrote: >>>>>>>>> On 02/01/15 18:35, James wrote: >>>>>>>>>> Rowland, >>>>>>>>>> >>>>>>>>>> Thanks for the clarification. It appears the member >>>>>>>>>> server is joined and I have created a share. 
>>>>>>>>>> >>>>>>>>>> [demoshare] >>>>>>>>>> path = /srv/samba/test >>>>>>>>>> read only = no >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I have enabled ACL support and given >>>>>>>>>> 'SeDiskOperatorPrivilege' per the wiki. I can navigate to the >>>>>>>>>> share using Windows Explorer. If I set the share permissions >>>>>>>>>> to only me(Full Control). I can't access the share. The >>>>>>>>>> 'Everyone' and 'Domain Users' group allows me access. On my >>>>>>>>>> DC's this has worked in the past. Am I missing something? >>>>>>>>>> This is the error I receive. >>>>>>>>>> >>>>>>>>>> \\pfmember1\demoshare is not accessible. You might not have >>>>>>>>>> permission to use this network resource. Contact the >>>>>>>>>> administrator of this server to find out if you have access >>>>>>>>>> permissions. >>>>>>>>>> >>>>>>>>>> Multiple connections to a server or shared resource by the >>>>>>>>>> same user, using more than one user name, are not allowed. >>>>>>>>>> Disconnect all previous connections to the server or shared >>>>>>>>>> resource and try again. >>>>>>>>> >>>>>>>>> You seem to have a connection to the share already open, close >>>>>>>>> this and try again. >>>>>>>>> If this fails, post the results of: >>>>>>>>> >>>>>>>>> ls -la /srv/samba/test >>>>>>>>> >>>>>>>>> and >>>>>>>>> >>>>>>>>> getfacl /srv/samba/test >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 1/2/2015 1:14 PM, Rowland Penny wrote: >>>>>>>>>>> On 02/01/15 18:01, James wrote: >>>>>>>>>>>> Rowland, >>>>>>>>>>>> >>>>>>>>>>>> That did it! Thank you so much. I do have a question >>>>>>>>>>>> regarding the 'getent' command before setting up file >>>>>>>>>>>> shares. When I run 'getent group Domain\ Users' I get >>>>>>>>>>>> >>>>>>>>>>>> domain_users:x:10000:user1,user2,user3,user4,user5,user6,user7,user8 >>>>>>>>>>>> >>>>>>>>>>>> Why does it show these specific users? I would assume it >>>>>>>>>>>> would only show my 'tuser'. I don't have uid's set for >>>>>>>>>>>> anyone else. 
>>>>>>>>>>> >>>>>>>>>>> When you run 'getent group Domain\ Users' it gets the groups >>>>>>>>>>> gidNumber (10000 in your case) and the contents any 'member' >>>>>>>>>>> attributes, so I presume if you examine the groups AD >>>>>>>>>>> object, you would find 8 'member' attribute lines. >>>>>>>>>>> >>>>>>>>>>> But if you were to run 'getent passwd user5', you would only >>>>>>>>>>> get a response if 'user5' has a 'uidNumber'. >>>>>>>>>>> >>>>>>>>>>> Rowland >>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 1/2/2015 12:38 PM, Rowland Penny wrote: >>>>>>>>>>>>> On 02/01/15 17:26, James wrote: >>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>> >>>>>>>>>>>>>> I did forget to change it. Is it as simple as >>>>>>>>>>>>>> renaming now or did I screw up? >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 1/2/2015 12:18 PM, Rowland Penny wrote: >>>>>>>>>>>>>>> On 02/01/15 17:07, James wrote: >>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I had a typo in my hosts file which is the reason >>>>>>>>>>>>>>>> my initial DNS update failed. Corrected and joined >>>>>>>>>>>>>>>> again. Successfully joined and updated DNS A record. I >>>>>>>>>>>>>>>> then made sure to give 'Domain users' a id of 10000. I >>>>>>>>>>>>>>>> am now able to run' getent passwd' and see all my >>>>>>>>>>>>>>>> domain users! YES! However I still see something that >>>>>>>>>>>>>>>> confuses me. When I run 'id tuser' I get the following. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> uid=2155(tuser) gid=2002(domain_users) >>>>>>>>>>>>>>>> groups=2002(domain_users),2004(remote_desktop_users_group),2001(BUILTIN\users) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Why is the uid 2155 and not 10001? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 1/2/2015 12:00 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>> On 02/01/15 16:57, James wrote: >>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I've gotten a bit further. It appears my use of >>>>>>>>>>>>>>>>>> '.local' is causing the issue from what I've >>>>>>>>>>>>>>>>>> researched. 
I ran '/etc/init.d/avahi-daemon stop'. >>>>>>>>>>>>>>>>>> This allowed me to successfully join the domain. >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Enter administrator at DOMAIN.LOCAL's password: >>>>>>>>>>>>>>>>>> Using short domain name -- DOMAIN >>>>>>>>>>>>>>>>>> Joined 'PFMEMBER1' to dns domain 'domain.local' >>>>>>>>>>>>>>>>>> DNS Update for pfmember1.local failed: >>>>>>>>>>>>>>>>>> ERROR_DNS_UPDATE_FAILED >>>>>>>>>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On 1/2/2015 8:55 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>> On 02/01/15 13:41, James wrote: >>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> If you don't mind I'd like to post my member >>>>>>>>>>>>>>>>>>>> server configuration as I attempt again. This is >>>>>>>>>>>>>>>>>>>> how my member server (Ubuntu 12.04) is configured >>>>>>>>>>>>>>>>>>>> after fresh install and prior to Samba build. >>>>>>>>>>>>>>>>>>>> Anything I'm missing that could cause my issue as I >>>>>>>>>>>>>>>>>>>> proceed? I assume no other prerequisites must be >>>>>>>>>>>>>>>>>>>> done on the other DC's either? Thanks.
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # From Wiki for DC build >>>>>>>>>>>>>>>>>>>> apt-get install build-essential libacl1-dev >>>>>>>>>>>>>>>>>>>> libattr1-dev libblkid-dev libgnutls-dev >>>>>>>>>>>>>>>>>>>> libreadline-dev python-dev libpam0g-dev >>>>>>>>>>>>>>>>>>>> python-dnspython gdb pkg-config libpopt-dev >>>>>>>>>>>>>>>>>>>> libldap2-dev dnsutils libbsd-dev attr krb5-user >>>>>>>>>>>>>>>>>>>> docbook-xsl libcups2-dev acl >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # Fstab file >>>>>>>>>>>>>>>>>>>> ext4 errors=remount-ro,user_xattr,acl,barrier=1 >>>>>>>>>>>>>>>>>>>> 1 1 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # Hosts File >>>>>>>>>>>>>>>>>>>> 127.0.0.1 localhost >>>>>>>>>>>>>>>>>>>> 172.16.232.25 pfmember1.domain.local pfmember1 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # The following lines are desirable for IPv6 >>>>>>>>>>>>>>>>>>>> capable hosts >>>>>>>>>>>>>>>>>>>> ::1 ip6-localhost ip6-loopback >>>>>>>>>>>>>>>>>>>> fe00::0 ip6-localnet >>>>>>>>>>>>>>>>>>>> ff00::0 ip6-mcastprefix >>>>>>>>>>>>>>>>>>>> ff02::1 ip6-allnodes >>>>>>>>>>>>>>>>>>>> ff02::2 ip6-allrouters >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # Hostname File >>>>>>>>>>>>>>>>>>>> pfmember1.domain.local >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> if you are referring to /etc/hostname, then it >>>>>>>>>>>>>>>>>>> should just contain 'pfmember1'. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Also, are you fixed on using Ubuntu 12.04, if you >>>>>>>>>>>>>>>>>>> were to use Debian Wheezy and backports, you >>>>>>>>>>>>>>>>>>> wouldn't have to compile samba4. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> #/network/interfaces >>>>>>>>>>>>>>>>>>>> # This file describes the network interfaces >>>>>>>>>>>>>>>>>>>> available on your system >>>>>>>>>>>>>>>>>>>> # and how to activate them. For more information, >>>>>>>>>>>>>>>>>>>> see interfaces(5).
>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # The loopback network interface >>>>>>>>>>>>>>>>>>>> auto lo >>>>>>>>>>>>>>>>>>>> iface lo inet loopback >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> # The primary network interface >>>>>>>>>>>>>>>>>>>> auto eth0 >>>>>>>>>>>>>>>>>>>> iface eth0 inet static >>>>>>>>>>>>>>>>>>>> address 172.16.232.25 >>>>>>>>>>>>>>>>>>>> netmask 255.255.255.0 >>>>>>>>>>>>>>>>>>>> gateway 172.16.232.201 >>>>>>>>>>>>>>>>>>>> network 172.16.232.0 >>>>>>>>>>>>>>>>>>>> broadcast 172.16.232.255 >>>>>>>>>>>>>>>>>>>> dns-search domain.local >>>>>>>>>>>>>>>>>>>> dns-nameservers 172.16.232.29 >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 1/1/2015 4:34 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>> On 01/01/15 00:07, James wrote: >>>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> I forgot to tell you the results were from my >>>>>>>>>>>>>>>>>>>>>> Domain Controller and not the member server. >>>>>>>>>>>>>>>>>>>>>> Member server returned something to the effect of >>>>>>>>>>>>>>>>>>>>>> 'user not found'. I am only starting the 3 >>>>>>>>>>>>>>>>>>>>>> services(smbd,nmbd and windbindd) listed in the >>>>>>>>>>>>>>>>>>>>>> wiki. Should I be starting Samba with command >>>>>>>>>>>>>>>>>>>>>> line switches to start as a member server? Is >>>>>>>>>>>>>>>>>>>>>> that even possible? >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Hi, there are two ways of running samba4, the >>>>>>>>>>>>>>>>>>>>> classic or original way that samba3 was used, or >>>>>>>>>>>>>>>>>>>>> as an AD DC. If you run samba4 in the classic way, >>>>>>>>>>>>>>>>>>>>> you need to start the smbd & nmbd deamons and >>>>>>>>>>>>>>>>>>>>> optionally the winbind daemon. If you use samba4 >>>>>>>>>>>>>>>>>>>>> as an AD DC, then you only start the samba daemon, >>>>>>>>>>>>>>>>>>>>> this will start any other required deamons, you >>>>>>>>>>>>>>>>>>>>> only start the samba daemon on an AD DC. 
>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> As you are trying to set up a member server, you >>>>>>>>>>>>>>>>>>>>> must carry out the tests on the member server. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Thanks for you smb.conf. I will attempt again >>>>>>>>>>>>>>>>>>>>>> using your smb.conf as a template and try again. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 2:20 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 19:07, James wrote: >>>>>>>>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> I decided to start over with a fresh >>>>>>>>>>>>>>>>>>>>>>>> install and attempted again. Only change I made >>>>>>>>>>>>>>>>>>>>>>>> was to start my mappings at 10000. I gave >>>>>>>>>>>>>>>>>>>>>>>> 'Domain Users' group gid 10000 and 'tuser' has >>>>>>>>>>>>>>>>>>>>>>>> uid 10001. Still didn't work btw. >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> dn: CN=Test User,CN=Users,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>>> objectClass: top >>>>>>>>>>>>>>>>>>>>>>>> objectClass: person >>>>>>>>>>>>>>>>>>>>>>>> objectClass: organizationalPerson >>>>>>>>>>>>>>>>>>>>>>>> objectClass: user >>>>>>>>>>>>>>>>>>>>>>>> cn: Test User >>>>>>>>>>>>>>>>>>>>>>>> sn: User >>>>>>>>>>>>>>>>>>>>>>>> givenName: Test >>>>>>>>>>>>>>>>>>>>>>>> instanceType: 4 >>>>>>>>>>>>>>>>>>>>>>>> whenCreated: 20141231172021.0Z >>>>>>>>>>>>>>>>>>>>>>>> displayName: Test User >>>>>>>>>>>>>>>>>>>>>>>> uSNCreated: 477557 >>>>>>>>>>>>>>>>>>>>>>>> name: Test User >>>>>>>>>>>>>>>>>>>>>>>> objectGUID: 90f95763-fe52-42b9-af86-8a84a4d5dd78 >>>>>>>>>>>>>>>>>>>>>>>> userAccountControl: 66048 >>>>>>>>>>>>>>>>>>>>>>>> codePage: 0 >>>>>>>>>>>>>>>>>>>>>>>> countryCode: 0 >>>>>>>>>>>>>>>>>>>>>>>> pwdLastSet: 130645200220000000 >>>>>>>>>>>>>>>>>>>>>>>> primaryGroupID: 513 >>>>>>>>>>>>>>>>>>>>>>>> objectSid: >>>>>>>>>>>>>>>>>>>>>>>> S-1-5-21-940051827-2291820289-3341758437-3126 
>>>>>>>>>>>>>>>>>>>>>>>> accountExpires: 9223372036854775807 >>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName: tuser >>>>>>>>>>>>>>>>>>>>>>>> sAMAccountType: 805306368 >>>>>>>>>>>>>>>>>>>>>>>> userPrincipalName: tuser at domain.local >>>>>>>>>>>>>>>>>>>>>>>> objectCategory: >>>>>>>>>>>>>>>>>>>>>>>> CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> unixUserPassword: ABCD!efgh12345$67890 >>>>>>>>>>>>>>>>>>>>>>>> uid: tuser >>>>>>>>>>>>>>>>>>>>>>>> msSFU30Name: tuser >>>>>>>>>>>>>>>>>>>>>>>> msSFU30NisDomain: domain >>>>>>>>>>>>>>>>>>>>>>>> uidNumber: 10001 >>>>>>>>>>>>>>>>>>>>>>>> loginShell: /bin/sh >>>>>>>>>>>>>>>>>>>>>>>> unixHomeDirectory: /home/tuser >>>>>>>>>>>>>>>>>>>>>>>> gidNumber: 10000 >>>>>>>>>>>>>>>>>>>>>>>> whenChanged: 20141231185807.0Z >>>>>>>>>>>>>>>>>>>>>>>> uSNChanged: 477620 >>>>>>>>>>>>>>>>>>>>>>>> distinguishedName: CN=Test >>>>>>>>>>>>>>>>>>>>>>>> User,CN=Users,DC=domain,DC=local >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:50 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 18:28, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> passwd: compat winbind >>>>>>>>>>>>>>>>>>>>>>>>>> group: compat winbind >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> 'getent passwd tuser' results in a blank >>>>>>>>>>>>>>>>>>>>>>>>>> terminal line. >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 1:12 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:55, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>> Hi Rowland, >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> I did. Unfortunately something is still >>>>>>>>>>>>>>>>>>>>>>>>>>>> amiss. I do receive a response from 'getent >>>>>>>>>>>>>>>>>>>>>>>>>>>> group domain users'(users:x:100). 
>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 12:26 PM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 17:23, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I set a user with a uid and domain >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> users group with a gid but I'm still >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> unable to view them using 'id'. I do >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> notice a few strange observations. If I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> go to another user to attempt to assign a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> uid. I get the default value of 10000. I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> would expect 2001 given I set the first >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user with uid 2000. Groups however appear >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> to increment. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:52 AM, Rowland Penny wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 31/12/14 15:42, James wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello Stefan, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I learned the hard way about >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> .local. I understand going forward. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I do have an issue with the member >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> server. Following along with the wiki I >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> get stuck at 'Testing the Winbind >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user/group mapping'. 
Wbinfo works as >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> expected but not >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #*id DomainUser* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #*getent passwd* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #*getent group* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #*chown DomainUser:DomainGroup file* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> #*chgrp DomainGroup file* >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> etc. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I receive 'id: sambauser: No such >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> user'. It will only retrieve local >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> machine users. Let me preface by saying >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> this is a Ubuntu 12.04 server with >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Samba 4.1.14. Thanks. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> On 12/31/2014 10:00 AM, Stefan Kania >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNED MESSAGE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hash: SHA1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello James, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Am 31.12.2014 um 15:48 schrieb James:> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> I'm following along with the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki(Setup a Samba AD Member Server) >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> and I have a question after reading >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> the 'Set up a basic smb.conf' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> section. 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Please show us your smb.conf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to extend the schema in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> order for my member server to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> successfully join and service file >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> shares? >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> No, you dont have to. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Do I need to configure a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf file? Thanks. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If your DC is a samba4 DC just copy >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> krb5.conf to your new memberserver >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Stefan >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> - -- Stefan Kania >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Landweg 13 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 25693 St. Michaelisdonn >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Signieren jeder E-Mail hilft Spam zu >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> reduzieren. Signieren Sie ihre >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> E-Mail. 
Weiter Informationen unter >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> http://www.gnupg.org >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Mein Schl?ssel liegt auf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> hkp://subkeys.pgp.net >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----BEGIN PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Version: GnuPG v1 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> iEYEARECAAYFAlSkD3EACgkQ2JOGcNAHDTZdlwCgwsQF0g/pFp65ldcTMWDcJ1O7 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> LScAoLDzorUJNDCik4FP9dBUxKCbAbGN >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> =SOSt >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> -----END PGP SIGNATURE----- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> If you followed the wiki, you will be >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> using the 'ad' backend. For this to >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> work, you need to add 'uidNumber' >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> attributes to your users and a >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> 'gidNumber' attribute to at least the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Domain Users group. the numbers that you >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> add must be between the range you set in >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> your smb.conf, again if you followed the >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> wiki, this will be between 500-40000. >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> You have restarted samba, haven't you ? 
>>>>>>>>>>>>>>>>>>>>>>>>>>>>> You may have to wait a short time, or >>>>>>>>>>>>>>>>>>>>>>>>>>>>> clear the cache with 'net cache flush' >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> OK, can you post the 'passwd' & 'group' >>>>>>>>>>>>>>>>>>>>>>>>>>> lines from /etc/nsswitch >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Do you get anything from 'getent passwd <a >>>>>>>>>>>>>>>>>>>>>>>>>>> domain user>' >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> OK, install ldb-tools if not already >>>>>>>>>>>>>>>>>>>>>>>>> installed, then run: >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> ldbedit -e nano -H >>>>>>>>>>>>>>>>>>>>>>>>> /var/lib/samba/private/sam.ldb >>>>>>>>>>>>>>>>>>>>>>>>> sAMAccountName=tuser >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Post the (sanitized) result >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> OK, you added that user with ADUC (RSAT) and as >>>>>>>>>>>>>>>>>>>>>>> such you are using the std windows start number >>>>>>>>>>>>>>>>>>>>>>> 10000, which is the way I run samba. 
Here is my >>>>>>>>>>>>>>>>>>>>>>> smb.conf from the laptop I am writing this on: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> [global] >>>>>>>>>>>>>>>>>>>>>>> workgroup = EXAMPLE >>>>>>>>>>>>>>>>>>>>>>> security = ADS >>>>>>>>>>>>>>>>>>>>>>> realm = EXAMPLE.COM >>>>>>>>>>>>>>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>>>>>>>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>>>>>>>>>>>>>>> server string = Samba 4 Client %h >>>>>>>>>>>>>>>>>>>>>>> winbind enum users = yes >>>>>>>>>>>>>>>>>>>>>>> winbind enum groups = yes >>>>>>>>>>>>>>>>>>>>>>> winbind use default domain = yes >>>>>>>>>>>>>>>>>>>>>>> winbind expand groups = 4 >>>>>>>>>>>>>>>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>>>>>>>>>>>>>>> winbind refresh tickets = Yes >>>>>>>>>>>>>>>>>>>>>>> winbind normalize names = Yes >>>>>>>>>>>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>>>>>>>>>>> idmap config EXAMPLE : schema_mode = >>>>>>>>>>>>>>>>>>>>>>> rfc2307 >>>>>>>>>>>>>>>>>>>>>>> printcap name = cups >>>>>>>>>>>>>>>>>>>>>>> cups options = raw >>>>>>>>>>>>>>>>>>>>>>> usershare allow guests = yes >>>>>>>>>>>>>>>>>>>>>>> domain master = no >>>>>>>>>>>>>>>>>>>>>>> local master = no >>>>>>>>>>>>>>>>>>>>>>> preferred master = no >>>>>>>>>>>>>>>>>>>>>>> os level = 20 >>>>>>>>>>>>>>>>>>>>>>> map to guest = bad user >>>>>>>>>>>>>>>>>>>>>>> vfs objects = acl_xattr >>>>>>>>>>>>>>>>>>>>>>> map acl inherit = Yes >>>>>>>>>>>>>>>>>>>>>>> store dos attributes = Yes >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Compare it with yours, I can assure you it works. 
>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>> -James >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>> -James >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> OK, you have *now* found out one of the reasons you >>>>>>>>>>>>>>>>> shouldn't use the .local suffix >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> But does anything else work? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>> -James >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> OK, well it seems to be a step in the right direction :-) >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Have you changed 'EXAMPLE' in these lines: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> idmap config * : backend = tdb >>>>>>>>>>>>>>> idmap config * : range = 2000-9999 >>>>>>>>>>>>>>> idmap config EXAMPLE : backend = ad >>>>>>>>>>>>>>> idmap config EXAMPLE : range = 10000-999999 >>>>>>>>>>>>>>> idmap config EXAMPLE:schema_mode = rfc2307 >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> They need to be changed for your *WORKGROUP* name. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Rowland >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> -- >>>>>>>>>>>>>> -James >>>>>>>>>>>>> >>>>>>>>>>>>> Just change it, stop samba and winbind, run 'net cache >>>>>>>>>>>>> flush' and restart samba & winbind. >>>>>>>>>>>>> >>>>>>>>>>>>> Rowland >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> -- >>>>>>>>>>>> -James >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> -- >>>>>>>>>> -James >>>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> -James >>>>>>> >>>>>> >>>>>> -- >>>>>> -James >>>>> >>>> >>>> -- >>>> -James >>> >> >> -- >> -James >-- -James
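Rowland's smb.conf and his note about the 'ad' backend both come down to one check: the uidNumber/gidNumber stored in AD must fall inside the idmap range smb.conf sets for the workgroup, and 'EXAMPLE' must actually have been renamed. The following is an added shell example, not code from the thread or the Samba project; the smb.conf fragment, the ldbsearch-style record and the helper names are all constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): check that a user's rfc2307
# uidNumber/gidNumber fall inside the idmap range smb.conf sets for the domain's
# 'ad' backend. Outside that range winbind will not map the object, which is
# why 'id' and 'getent passwd' come back empty even though wbinfo works.

# Constructed smb.conf fragment mirroring the idmap lines quoted in the thread.
SMB_CONF='[global]
workgroup = EXAMPLE
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : range = 10000-999999
idmap config EXAMPLE : schema_mode = rfc2307'

# Constructed, sanitized ldbsearch-style record for a test user.
USER_LDIF='dn: CN=Test User,CN=Users,DC=domain,DC=local
sAMAccountName: tuser
uidNumber: 10001
gidNumber: 10000'

# idmap_range DOMAIN -> prints "LOW HIGH" for that domain's idmap range.
# Exact string comparison in awk, so the '*' default domain needs no escaping.
idmap_range() {
    printf '%s\n' "$SMB_CONF" | awk -F'=' -v dom="$1" '
        { key = $1; gsub(/[[:space:]]/, "", key)
          if (key == ("idmapconfig" dom ":range")) {
              val = $2; gsub(/[[:space:]]/, "", val)
              split(val, r, "-"); print r[1], r[2] } }'
}

# ldif_attr ATTR -> value of the first ATTR line in USER_LDIF (empty if absent).
ldif_attr() {
    printf '%s\n' "$USER_LDIF" | awk -v a="$1" '$1 == (a ":") { print $2; exit }'
}

# id_in_range DOMAIN NUMBER -> 0 if NUMBER lies inside DOMAIN's range, 1 if not,
# 2 if smb.conf has no range for DOMAIN (e.g. 'EXAMPLE' was never renamed).
id_in_range() {
    set -- "$1" "$2" $(idmap_range "$1")
    [ -n "$3" ] || { echo "no idmap range for '$1' in smb.conf" >&2; return 2; }
    [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]
}

# check_user DOMAIN -> reports both IDs; returns 0 only if both will be mapped.
check_user() {
    rc=0
    for attr in uidNumber gidNumber; do
        n=$(ldif_attr "$attr")
        if [ -z "$n" ]; then
            echo "$attr: missing; the 'ad' backend cannot map this object"; rc=1
        elif id_in_range "$1" "$n"; then
            echo "$attr $n: inside the $1 idmap range"
        else
            echo "$attr $n: outside the $1 idmap range; id/getent will not resolve it"; rc=1
        fi
    done
    return $rc
}

check_user EXAMPLE
```

Swap the two embedded strings for `cat /etc/samba/smb.conf` and the output of the `ldbedit`/`ldbsearch` query quoted above to run it against a real member server.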