BISI
2015-Jan-09 03:16 UTC
[Samba] help, please, troubleshooting winbind testing during setup of Samba 4 AD member server
Hello, all!

Well, third time is *not* the charm for me. (I've been through the process 3 times with 3 different DCs).

I am trying to set up a member server, using Samba 4.1.14, and washing out when getting to the winbind testing. I've tried ignoring the failure and pressing on, but that didn't get anywhere.

In this instance, I have a freshly-installed, configured and functioning Server 2008r2 Domain Controller, operating at server 2003 forest and domain functional level.

Following the instructions in:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
https://wiki.samba.org/index.php/OS_Requirements

Completely stock compile from the tarball. I am using Debian 7.7 (wheezy), and samba 4.1.14,

./configure --with-ads --with-shared-modules=idmap_ad --enable-cups \
    --enable-selftest

make quicktest passes:
make quicktest
  ...ALL OK (2086 tests in 310 testsuites)

  ...A summary with detailed information can be found in:
  ... ./st/summary
  ...'testonly' finished successfully (11m24.779s)

./st/summary is found here:
http://pastebin.com/zjkHDYUX

daemons started manually with
/usr/local/samba/sbin/smbd --daemon -l /var/log/samba/ -d 1
/usr/local/samba/sbin/nmbd --daemon -l /var/log/samba/ -d 1
/usr/local/samba/sbin/winbindd --daemon -l /var/log/samba/ -d 1

The commands:
wbinfo -u
wbinfo -g
show the users and groups from the AD Domain.

but the other tests
# id DomainUser
# getent passwd
# getent group
# chown DomainUser:DomainGroup file
# chgrp DomainGroup file
etc.
do not get any information from the domain, seemingly only working with the local user information.

Where do I begin troubleshooting?

Any help/guidance is greatly appreciated.

my smb.conf is here:
http://pastebin.com/QJfh4RLN

log.winbindd (created with debug level 1) is here:
http://pastebin.com/S2maUADf

Kerberos seems to be working:
root at testmember:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: userID at HO.NAME.ORG

Valid starting     Expires            Service principal
08/01/2015 18:46   09/01/2015 04:46   krbtgt/HO.NAME.ORG at HO.NAME.ORG
        renew until 09/01/2015 18:46

root at testmember:~# cat /etc/nsswitch.conf
# /etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat
<snip>

DNS seems to be working:
root at testmember:~# host -t SRV _ldap._tcp.ho.name.org.
_ldap._tcp.ho.name.org has SRV record 0 100 389 namedc.ho.name.org.

root at testmember:~# host -t SRV _kerberos._udp.ho.name.org.
_kerberos._udp.ho.name.org has SRV record 0 100 88 namedc.ho.name.org.

root at testmember:~# host -t A namedc.ho.name.org.
namedc.ho.name.org has address 192.168.8.1

Thanks in advance for any help!
d.
L.P.H. van Belle
2015-Jan-09 08:34 UTC
Hai,

Did you assign any UID/GID to users/groups in the AD.. I think not.

If No, please do so first else you won't see any output.
how : https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
My advice: use the windows ADUC to set the GID/UID

If Yes.. Ok.. that's strange,..
post your (sanitized) smb.conf

Greetz,

Louis
BISI
2015-Jan-09 17:16 UTC
Thanks, Louis!

This document seems aimed at a samba DC. I am using a windows DC for troubleshooting this problem. Am I missing something?

smb.conf is here:
http://pastebin.com/QJfh4RLN

# /usr/local/samba/etc/smb.conf
[global]
netbios name = testmember
workgroup = HO
realm = HO.NAME.ORG
security = ADS
encrypt passwords = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
winbind trusted domains only = no
idmap config HO:range = 500-40000
idmap config HO:schema_mode = rfc2307
idmap config HO:backend = ad
idmap config *:range = 70001-80000
idmap config *: backend = tdb

[demoshare]
path = /mnt/smbshares/test
read only = No
#eof

Cheers!
d.

PS - as a matter of etiquette / effective communication should I send to the list as well, or just post to the gmane.org newsgroup?
BISI
2015-Jan-13 01:07 UTC
Found it! (Thanks to Louis van Belle and Rowland Penny for their guidance).

The wiki page for https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server *really* needs a note about this to be added. It will save a lot of frustration and wasted time for others coming behind.

The reason I say this is that a default Windows Server 2008 R2 install *does not provide* the necessary tools to allow a Samba 4 AD Member Server to enumerate the users and groups for the domain. So it will join the domain, and wbinfo -u and wbinfo -g report info, but the member server is still essentially useless - unavailable to the domain users.

Thus, if you are using the wiki as a guide, with a Windows server 2008 R2 Domain Controller, you will hit the same wall as I have.

To fix this situation, somewhere in "Section 2 Preconditions" there should be a mention (say, section 2.3) of installing said tools.

Feel free to cut and paste the following in place if you have editing privileges (formatted for mediaWiki).

==Windows Domain Controller==
'''This will require a server reboot'''

If you have a windows Domain Controller you are '''strongly advised''' to add the "Identity Management for Unix" Role (IDMU), so that you will be able to use the schema_mode = rfc2307 option of Samba to keep userIDs in sync on multiple member servers. Not doing so invites a lot of problems, and all the documentation presented here assumes you will be using the schema_mode = rfc2307 option.

Here's what Microsoft have to say about IDMU:
<blockquote>Identity Management for UNIX is deprecated. If you try to upgrade a computer that runs Identity Management for UNIX, you may receive a warning that it must be removed before the upgrade can proceed. In that case, see Installing or removing Identity Management for UNIX by using a command line.</blockquote>
[http://technet.microsoft.com/en-us/library/cc772571.aspx MS Technet Article cc772571]

*Damn the torpedoes! (install IDMU on server 2008 r2)
#Control Panel -> administrative tools -> server manager
#Expand Roles
#Click on "Active Directory Domain Services" (AD DS, in the technet docs)
#Scroll down to "Role Services" section
#Click on "Add Role Services" (link)
#Select "Identity Management for UNIX"
##That will also select 3 sub-services, including "Server for Network Information Services" and "Administration Tools"
#Next (button)
#Install (button)

Now you can use ADUC to see and set the "UNIX Attributes" tab in properties for users and groups.

Next step is to set the UID and GID for users/groups you want to be able to see from the Member Server.

Some people say you need to match your settings in the smb.conf for the member server (or vice-versa). I'm not sure that's true -- windows defaults to 10000, and using that number or 500 had no apparent effect on the reported UID or GID at the member server.

So, using the example smb.conf from the [https://wiki.samba.org/index.php?title=Setup_a_Samba_AD_Member_Server AD Member Server page], matching the UID/GID numbers means:
<blockquote> idmap config SAMDOM:range = 500-40000 </blockquote>
nb - this is probably *not* a good range to use, since 500 is well within the normal linux userID ranges.

Start with the groups in Builtin OU ('cause the users need a primary group) (Assuming a stock Server 2008 R2 Server Standard install)
Administrators
  NIS domain: samdom; GID: 500

Now go to the Users OU and do the groups:
Domain Admins
  NIS Domain: samdom; GID: 501
Domain Users
  NIS Domain: samdom; GID: 502
Enterprise Admins
  NIS Domain: samdom; GID: 503
etc.

NOTE - I think you have to manually keep track of the NEXT UID number 'cause ADUC always pops up with 10000 by default (I'm sure there's a way to configure it -- I've spent enough time on this already. Future me (or future you) can figure that out.)

Now edit the built-in Administrator user
Administrator
  NIS Domain: samdom; UID: 500; Login Shell: /bin/whatever; Home Directory: /home/administrator; Primary group name/GID: Administrators (Should be what you set up in the Builtin OU)

Now edit any existing users in any other OUs you might be using...
Fred
  NIS Domain: samdom; UID: 501; Login Shell: /bin/false; Home Directory: /home/fred; Primary group name/GID: Domain Users
Sally
  etc.

Now you should be able to enumerate the users and groups of the AD Domain from the member server with the tests shown in Section 9 of the wiki (id DomainUser, getent passwd, etc.). At least I was finally able to do so.

Cheers!
d.
Rowland Penny
2015-Jan-13 09:50 UTC
Why use the windows group RIDs? Just start at 10000 and go from there. Oh, and windows stores the uid & gid numbers in the msSFU30MaxUidNumber & msSFU30MaxGidNumber attributes. If you had started from 10000, windows would have created these for you.

Rowland
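An offline check for the situation this thread resolves, added here as an example and not code from the thread or from Samba: it reads the `idmap config` ranges from the smb.conf lines posted above and flags accounts whose RFC2307 attributes are missing, fall outside the range (idmap_ad ignores IDs outside its range), or reuse the UID of a local account. The directory entries, the local UIDs and all function names are constructed for illustration.

```python
import re

# Matches smb.conf lines such as "idmap config HO:range = 500-40000".
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

# The idmap lines as posted in the thread.
SMB_CONF = """\
idmap config HO:range = 500-40000
idmap config HO:schema_mode = rfc2307
idmap config HO:backend = ad
idmap config *:range = 70001-80000
idmap config *: backend = tdb
"""

# Constructed sample data: uidNumber/gidNumber values as they might look
# part-way through filling in the "UNIX Attributes" tab in ADUC.
GROUPS = {"Domain Users": {"gidNumber": 502}, "Enterprise Admins": {}}
USERS = {
    "fred": {"uidNumber": 501, "gidNumber": 502},
    "sally": {},                                      # attributes never set
    "carol": {"uidNumber": 50000, "gidNumber": 502},  # outside the HO range
    "dave": {"uidNumber": 1000, "gidNumber": 502},    # same UID as a local user
}
LOCAL_UIDS = {0, 1000}  # constructed: root and one local account


def idmap_ranges(smb_conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for line in smb_conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping(ranges):
    """Return pairs of domains whose ID ranges intersect (they must not)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def check_accounts(users, groups, id_range, local_uids=frozenset()):
    """Return {account: [problems]} for entries NSS would not resolve cleanly."""
    low, high = id_range
    problems = {}

    def check_id(name, attr, value, taken=frozenset()):
        if value is None:
            msg = f"no {attr}"
        elif not low <= value <= high:
            msg = f"{attr} {value} outside {low}-{high}"
        elif value in taken:
            msg = f"{attr} {value} collides with a local ID"
        else:
            return
        problems.setdefault(name, []).append(msg)

    for name, attrs in groups.items():
        check_id(name, "gidNumber", attrs.get("gidNumber"))
    known_gids = {g["gidNumber"] for g in groups.values() if "gidNumber" in g}
    for name, attrs in users.items():
        check_id(name, "uidNumber", attrs.get("uidNumber"), local_uids)
        gid = attrs.get("gidNumber")
        if gid is None:
            problems.setdefault(name, []).append("no primary gidNumber")
        elif gid not in known_gids:
            problems.setdefault(name, []).append(
                f"primary gidNumber {gid} matches no group")
    return problems


def report():
    """Run both checks on the sample data above."""
    ranges = idmap_ranges(SMB_CONF)
    return overlapping(ranges), check_accounts(
        USERS, GROUPS, ranges["HO"], LOCAL_UIDS)


if __name__ == "__main__":
    overlaps, problems = report()
    print("overlapping ranges:", overlaps or "none")
    for name, msgs in sorted(problems.items()):
        print(f"{name}: {'; '.join(msgs)}")
```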