It's definitely a problem with the ad backend. I don't know what, but with the ad backend I also cannot list RPC rights on the server because it cannot find the user. With rid: no problem. Bug?

On 9 January 2015 17:56:59 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 09/01/15 16:48, Tim wrote:
>> Definitely.
>>
>> With backend=ad only two users can be seen by getent passwd. Then, changing to backend=rid, all users are resolved by getent passwd.
>>
>> On 9 January 2015 17:09:19 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>> On 09/01/15 15:45, Tim wrote:
>>>> That's what I tried to say. I set the gid/uid attributes in the Unix tab.
>>>>
>>>> On 9 January 2015 16:44:28 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>> On 09/01/15 15:40, Tim wrote:
>>>>>> When I switch back to backend ad, getent passwd returns nothing - getent group only returns by adding a dedicated group name. There is at least one user and one group with an ID set in AD.
>>>>>
>>>>> Yes, but do *any* of your AD users have a uidNumber attribute?
>>>>> Rowland
>>>>>
>>>>>> On 9 January 2015 16:29:39 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>> On 09/01/15 15:19, Tim wrote:
>>>>>>>> I switched to the rid module of idmapping and now winbind offers all groups and I can set SeDiskOperatorPrivilege. getent group and getent passwd are now working!
>>>>>>>>
>>>>>>>> On 9 January 2015 15:21:32 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>>>> On 09/01/15 13:47, Tim wrote:
>>>>>>>>>> Hello all,
>>>>>>>>>>
>>>>>>>>>> I have an AD DC based on CentOS 7 with SerNet Samba 4.1.14 with rfc2307 and function level 2008_R2. This one works so far and I can manage the AD from a Windows client. Now I set up a member server based on CentOS 7 with SerNet Samba 4.1.14 just like the wiki advises, with the same smb.conf (realm etc. is configured to my needs). I joined the AD and configured nsswitch. wbinfo works so far, but getent passwd or getent group doesn't list domain objects. getent group testgroup1 works, but getent passwd testuser1 does not.
>>>>>>>>>>
>>>>>>>>>> I created a share in smb.conf. Now I want to set the SeDiskOperatorPrivilege like the wiki advises. But it doesn't work. It says that it can't connect to server 127.0.0.1. I tried it with
>>>>>>>>>>
>>>>>>>>>> net rpc rights grant 'DOM\Domain Admins' SeDiskOperatorPrivilege -U'DOM\administrator'
>>>>>>>>>>
>>>>>>>>>> Now I cannot access the server from Windows to set share permissions. What to do? The wiki told nothing about Kerberos, so I did not do anything to it.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance
>>>>>>>>>
>>>>>>>>> Hi, you appear to be the second person in two days having a similar, if not the same, problem with the SerNet packages. I don't think it is a Kerberos problem; can you check if you have 'libnss_winbind.so.2' anywhere?
>>>>>>>>> Rowland
>>>>>>>
>>>>>>> I take it from this that you do not have any uidNumber or gidNumber attributes in AD.
>>>>>>> Rowland
>>>
>>> OK, then were they inside the range set in smb.conf, i.e.
>>> idmap config DOMAIN : range = 10000-999999
>>> Rowland
>
> That is strange: if you use the winbind 'ad' backend and have AD users with a uidNumber, then all the users with uidNumbers should be shown by getent passwd, but any users without a uidNumber will not be shown.
>
> The 'rid' backend works differently: it allocates ID numbers to each and every user.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 15-01-09 09:19 AM, Tim wrote:
> It's definitely a problem with the ad backend. I don't know what, but with the ad backend I also cannot list RPC rights on the server because it cannot find the user. With rid: no problem.
>
> Bug?

I appear to be about 12 hours behind Tim, except that I am using Debian 7.7, and (now) following Louis van Belle's script for making a member server with the SerNet repos (smbd reports Version 4.1.14-SerNet-Debian-9.wheezy). The script is at https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh

Louis' script hangs up at line 406
> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
with
Enter Administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

I chose to set up PAMauth in the script, based on the comment
> ########## pam authentication modifications.
> ## the original files /etc/pam.d/samba and sshd will be backed up to *.original
> ## set to 1 if you want winbindd to work.

Unfortunately for me, Louis is off enjoying himself on a ski hill somewhere.

Any guidance would be greatly appreciated.

BTW - the script and SerNet packages do not make the links in /lib64 that the wiki calls for, but the script does replace the default krb5.conf file.

Also, the DC in this case is a Windows 2008 R2 server running at Server 2003 forest and domain functional level.

And before he left, he also mentioned assigning UID/GID to users/groups in the AD -- what UID and GID numbers would I assign to a Windows DC, and to which users? The reference he gave didn't really shed any light on the subject for me.

Thanks in advance!

Derek.
On 10/01/15 05:58, BISI wrote:
> On 15-01-09 09:19 AM, Tim wrote:
>> It's definitely a problem with the ad backend. I don't know what, but with the ad backend I also cannot list RPC rights on the server because it cannot find the user. With rid: no problem.
>>
>> Bug?
>
> I appear to be about 12 hours behind Tim, except that I am using Debian 7.7, and (now) following Louis van Belle's script for making a member server with the SerNet repos (smbd reports Version 4.1.14-SerNet-Debian-9.wheezy). The script is at https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>
> Louis' script hangs up at line 406
>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
> with
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE
>
> I chose to set up PAMauth in the script, based on the comment
>> ########## pam authentication modifications.
>> ## the original files /etc/pam.d/samba and sshd will be backed up to *.original
>> ## set to 1 if you want winbindd to work.
>
> Unfortunately for me, Louis is off enjoying himself on a ski hill somewhere.
>
> Any guidance would be greatly appreciated.
>
> BTW - the script and SerNet packages do not make the links in /lib64 that the wiki calls for, but the script does replace the default krb5.conf file.

OK, I normally use the Samba packages from backports (4.1.11 at present) and also install libpam-winbind & libnss-winbind; you cannot install these with the SerNet packages because they depend on samba packages that do not start with 'sernet'. This is not really a problem because the files in the two packages are in 'sernet-samba-libs'; there is however one file missing. The missing file is /usr/share/pam-configs/winbind. This file configures pam for winbind authentication by running 'pam-auth-update --package' after installing the file; this way you do not need Louis's pam modifications.

The reference to /lib64 on the wiki refers to Red Hat based distros; the links on Debian are in /lib/x86_64-linux-gnu.

My big problem now, after installing a member server following Louis's script, is that though I can ssh into the server as a domain user, I cannot connect to a share via smbclient, I just get 'tree connect failed: NT_STATUS_ACCESS_DENIED'. I can connect to the DC from the member server and a client, and I can connect from the DC to the client; I just cannot connect to the member server from anywhere via smbclient.

> Also, the DC in this case is a Windows 2008 R2 server running at Server 2003 forest and domain functional level.
>
> And before he left, he also mentioned assigning UID/GID to users/groups in the AD -- what UID and GID numbers would I assign to a Windows DC, and to which users? The reference he gave didn't really shed any light on the subject for me.

The smb.conf is set up to use rfc2307 attributes:

idmap config INTERNAL:backend = ad
idmap config INTERNAL:schema_mode = rfc2307
idmap config INTERNAL:range = 2000-40000

NOTE: that is a bug in the script: what if you change this line: SETNTDOM="INTERNAL"

The first two lines say to use the winbind 'ad' backend with rfc2307 attributes; the next line tells what range to use: ignore any ID number below 2000 or above 40000. You set these two numbers on a user or group basis and use the 'uidNumber' attribute for users and the 'gidNumber' attribute for groups. You only need to give the 'uidNumber' to users that you want to connect from Unix; you do not have to give all users a 'uidNumber'. It is usual to only give the 'Domain Users' group a 'gidNumber', but you can, if you so wish, also give 'Domain Admins' a 'gidNumber'. There is no need to give all groups a 'gidNumber', although some people do, but you must give at least one group a 'gidNumber' if you want winbind to work.

Rowland

> Thanks in advance!
>
> Derek.
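The following is an added illustration (my own code, not Samba's and not anything posted in this thread) of the point Rowland makes here and in his earlier reply about why `getent passwd` shows different users under the `ad` and `rid` backends. It feeds a constructed smb.conf fragment and a constructed LDIF-style dump of three AD users (fake SIDs and uidNumbers) through a model of both backends: `ad` maps a user only when AD carries a uidNumber inside the configured range, while `rid` derives an ID for every user from the RID at the end of its objectSid using the formula documented in idmap_rid(8), `ID = RID - BASE_RID + LOW_RANGE_ID`, with `base_rid` defaulting to 0. It also flags overlapping idmap ranges, which the Samba wiki requires to be disjoint. Everything it returns comes from the embedded strings, so it runs offline.

```python
"""Added example (not Samba code): model which AD users winbind's 'ad' and
'rid' idmap backends will expose to 'getent passwd'."""
import re

# Constructed smb.conf fragment; ranges are illustrative (and deliberately overlap).
SMB_CONF = """
[global]
   workgroup = INTERNAL
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config INTERNAL : backend = ad
   idmap config INTERNAL : schema_mode = rfc2307
   idmap config INTERNAL : range = 2000-40000
"""

# Constructed LDIF-style dump of three AD users (fake SIDs and uidNumbers).
AD_USERS = """
dn: CN=testuser1,CN=Users,DC=internal,DC=example
sAMAccountName: testuser1
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 10001

dn: CN=testuser2,CN=Users,DC=internal,DC=example
sAMAccountName: testuser2
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106

dn: CN=svc_backup,CN=Users,DC=internal,DC=example
sAMAccountName: svc_backup
objectSid: S-1-5-21-1111111111-2222222222-3333333333-45000
uidNumber: 1500
"""

# Matches 'idmap config DOM : option = value' with or without spaces around ':'.
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap_config(conf):
    """Return {domain: {option: value}} for every 'idmap config' line in smb.conf."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom.upper(), {})[opt.lower()] = val
    return cfg

def id_range(cfg, domain):
    """(low, high) from the 'range = low-high' option of one idmap domain."""
    lo, hi = cfg[domain]["range"].split("-")
    return int(lo), int(hi)

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated record."""
    users, rec = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if rec:
                users.append(rec)
            rec = {}
            continue
        key, _, val = line.partition(":")
        rec[key.strip()] = val.strip()
    return users

def resolve_ad(users, cfg, domain):
    """'ad' backend: mapped only if AD holds a uidNumber inside the range."""
    lo, hi = id_range(cfg, domain)
    out = {}
    for u in users:
        uid = u.get("uidNumber")
        if uid is None:
            out[u["sAMAccountName"]] = (None, "no uidNumber attribute in AD")
        elif not lo <= int(uid) <= hi:
            out[u["sAMAccountName"]] = (None, f"uidNumber {uid} outside {lo}-{hi}")
        else:
            out[u["sAMAccountName"]] = (int(uid), "ok")
    return out

def resolve_rid(users, cfg, domain, base_rid=0):
    """'rid' backend: ID = RID - base_rid + low end of range, for every user."""
    lo, hi = id_range(cfg, domain)
    out = {}
    for u in users:
        rid = int(u["objectSid"].rsplit("-", 1)[1])
        uid = rid - base_rid + lo
        ok = lo <= uid <= hi
        out[u["sAMAccountName"]] = (uid if ok else None,
                                    "ok" if ok else f"RID {rid} maps to {uid}, outside {lo}-{hi}")
    return out

def overlapping_ranges(cfg):
    """Pairs of idmap domains whose ranges overlap (a misconfiguration)."""
    doms = [d for d in cfg if "range" in cfg[d]]
    bad = []
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = id_range(cfg, a), id_range(cfg, b)
            if alo <= bhi and blo <= ahi:
                bad.append((a, b))
    return bad

def simulate(conf=SMB_CONF, ldif=AD_USERS, domain="INTERNAL"):
    """Run both backends over the same users and report what getent passwd would show."""
    cfg, users = parse_idmap_config(conf), parse_ldif(ldif)
    return {"ad": resolve_ad(users, cfg, domain),
            "rid": resolve_rid(users, cfg, domain),
            "overlaps": overlapping_ranges(cfg)}

if __name__ == "__main__":
    res = simulate()
    for backend in ("ad", "rid"):
        print(f"== idmap backend = {backend}")
        for name, (uid, why) in res[backend].items():
            print(f"  {name:12} {('uid=%d' % uid if uid else 'not in getent passwd'):22} {why}")
    for a, b in res["overlaps"]:
        print(f"!! idmap ranges for '{a}' and '{b}' overlap; fix smb.conf before trusting any mapping")
```

Run as-is it reproduces the symptom from the thread: under `ad` only testuser1 appears, because testuser2 has no uidNumber and svc_backup's uidNumber 1500 lies below the range; under `rid` every user gets an ID, but a RID past the top of the range is silently unmapped, and the overlapping `*` and domain ranges in the constructed config are reported so they get fixed first. Against a real domain, replace the embedded strings with the output of `testparm -s` and an `ldapsearch` or `ldbsearch` for `sAMAccountName objectSid uidNumber`.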
Interesting: I rebuilt everything. But after setting up the DCs they had the same issue - net rpc rights grant can't connect to server 127.0.0.1. I tried the following global parameters in smb.conf:

bind interfaces only = yes
interfaces = lo eth0

And like magic it worked! Samba is now bound to 127.0.0.1 (lo) and eth0, and net rpc rights grant works. Try this also on a member server. Give it a try!

On 10 January 2015 06:58:07 CET, BISI <d3r3kshaw at gmail.com> wrote:
> On 15-01-09 09:19 AM, Tim wrote:
>> It's definitely a problem with the ad backend. I don't know what, but with the ad backend I also cannot list RPC rights on the server because it cannot find the user. With rid: no problem.
>>
>> Bug?
>
> I appear to be about 12 hours behind Tim, except that I am using Debian 7.7, and (now) following Louis van Belle's script for making a member server with the SerNet repos (smbd reports Version 4.1.14-SerNet-Debian-9.wheezy).
>
> Louis' script hangs up at line 406
>> echo {$PASSWORD} | net rpc rights list accounts -UAdministrator
> with
> Enter Administrator's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE