samba - Mar 2015 - samba 4.1.17 on raspberry pi as ad dc - winbind breaks it again

okay, I started to look into winbind and the /etc/nsswitch.conf (and 
smb.conf)... and it wreaked havoc...

I was using the guide at 
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

- right guide?
the guide is talking about "samba member server that is part of an 
active directory"
Is that correct? I mean, THE ad domain controller is member of the ad, 
but it sounds like this guide is about samba being added to AD, not 
samba being the AD

- added the idmap and winbind lines to smb.conf

- net [rpc|ads] join -u administrator
I do not exactly get what this does and if rpc or ads is the "right
one"

which made me think. when I setup samba4 as ad controller (samba-tool 
domain provision ...) does it not become member of the its own domain? 
do I need to add it by hand? I always assumed not do...

- ln -s ... + ldconfig
here I ran into trouble. I saw the notice about needing to subsitute 
lib64 with lib if running x86
Well, the pi is definately not x64. but neither is it x86. i chose to 
use lib, betting it should fit.
x86_64-linux-gnu I replaced with i386-linux-gnu

- nsswitch.conf
I added the winbind as stated

- samba start
now samba wont start anymore. I guess samba will be replaced by smbd, 
nmbd and winbindd (error message in daemon.log hints at that)
for which I have no startscripts. any quick solutions or do I have to 
manually fix it?

the link for start script under starting the daemons will lead to the 
site I got my script from though...

- testing
wbinfo -u and wbinfo -g show nothing and no error

- configure wrong?
I did not use --with-ads --with-shared-modules=idmap_ad
According to the guide I should have... Guess Ill have to start again
If only configure, make and make install wouldnt take ages...

- why winbind?
I dont exactly get the benefit of dealing with winbind. a quick test 
yesterday let me add a pc to the domain and access the domain via 
windows 7 server tools. I have not further tested the capabilities of 
the samba ad. What wont work without winbind, what does it accomplish.

On 13/03/15 09:34, Matthias Busch wrote:
> okay, I started to look into winbind and the /etc/nsswitch.conf (and 
> smb.conf)... and it wreaked havoc...
>
> I was using the guide at 
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> - right guide?
Well, yes and no :-)
> the guide is talking about "samba member server that is part of an 
> active directory"
> Is that correct? I mean, THE ad domain controller is member of the ad, 
> but it sounds like this guide is about samba being added to AD, not 
> samba being the AD
You only need the part that starts: Make domain users/groups available 
locally through Winbind

If you compile samba yourself and are going to login into the DC as a 
domain user, you need to setup 'libnss_winbind.so'
>
> - added the idmap and winbind lines to smb.conf
Remove them, not needed on a DC
>
> - net [rpc|ads] join -u administrator
> I do not exactly get what this does and if rpc or ads is the "right
one"
You do not do this on a DC, it is done for you when you provision.
>
> which made me think. when I setup samba4 as ad controller (samba-tool 
> domain provision ...) does it not become member of the its own domain? 
> do I need to add it by hand? I always assumed not do...
>
> - ln -s ... + ldconfig
> here I ran into trouble. I saw the notice about needing to subsitute 
> lib64 with lib if running x86
> Well, the pi is definately not x64. but neither is it x86. i chose to 
> use lib, betting it should fit.
> x86_64-linux-gnu I replaced with i386-linux-gnu
>
AH, good question, on my laptop the links are in:

/lib/x86_64-linux-gnu/libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so.2

which as you can see is a 64bit computer, an i386 one would be a 32bit, 
the raspberrypi is neither, so the links need to go somewhere else, 
probably /lib , is there a large amount of files in there starting with 
'lib' ??

> - nsswitch.conf
> I added the winbind as stated
>
> - samba start
> now samba wont start anymore. I guess samba will be replaced by smbd, 
> nmbd and winbindd (error message in daemon.log hints at that)
when you start samba as a DC, you need to start the samba daemon with 
'samba -i' to run it interactively, or 'samba -D' as a daemon in
the
background. The samba daemon will then start the smbd daemon, you must 
not start the smbd, nmbd or winbindd deamons yourself.
> for which I have no startscripts. any quick solutions or do I have to 
> manually fix it?
>
> the link for start script under starting the daemons will lead to the 
> site I got my script from though...
>
> - testing
> wbinfo -u and wbinfo -g show nothing and no error
>
> - configure wrong?
> I did not use --with-ads --with-shared-modules=idmap_ad
> According to the guide I should have... Guess Ill have to start again
> If only configure, make and make install wouldnt take ages...
 From my testing, what ever you are compiling samba, you do not need to 
use '--with-ads --with-shared-modules=idmap_a', you definitely don't
need it for a DC.
>
> - why winbind?
> I dont exactly get the benefit of dealing with winbind. a quick test 
> yesterday let me add a pc to the domain and access the domain via 
> windows 7 server tools. I have not further tested the capabilities of 
> the samba ad. What wont work without winbind, what does it accomplish.
>
>
You only need to set winbind up if you want to login to the DC as a 
domain user, if your domain user will never login directly to the DC, 
you do not need to do this.

Rowland

Matthias Busch schrieb am 13.03.2015 10:34:
> - ln -s ... + ldconfig
> here I ran into trouble. I saw the notice about needing to subsitute 
> lib64 with lib if running x86
> Well, the pi is definately not x64. but neither is it x86. i chose to 
> use lib, betting it should fit.
> x86_64-linux-gnu I replaced with i386-linux-gnu
I guess, you should link the stuff in to the /usr/lib/arm-linux-gnueabihf 
directory. I have linked it to /usr/lib, and it seems to work, too. 
 
You should first implement the steps proposed by Rowland. Once it starts 
OK from the command line, and all the tests are OK, then You can implement 
the startup script.

first, let me give a huge thanks to everyone who replied and helped.
I learned a lot and I could not have done it in any reasonable time 
frame without your suggestions and answers!

I've reported my succes here: 
https://lists.samba.org/archive/samba/2015-March/190057.html

Hey List,

first, let me give a huge thanks to everyone who replied and helped.
I learned a lot and I could not have done it in any reasonable time 
frame without your suggestions and answers!

I started new from scratch to make sure no old configuration / data was 
screwing with further attempts.

It pretty much worked without problem. A few things that were done 
different ...

- samba 4.2, not 4.1.17
- no slapd installed
- no cups installed (cups will install avahi) - dont plan on using pi as 
print server
- my-domain.home instead of .local (or .lan or maybe .private)
- not getting confused by the issue ad member and ad d controller :)

see reported succes here: 
https://lists.samba.org/archive/samba/2015-March/190057.html

Hey List,

first, let me give a huge thanks to everyone who replied and helped.
I learned a lot and I could not have done it in any reasonable time 
frame without your suggestions and answers!

I started new from scratch to make sure no old configuration / data was 
screwing with further attempts.

It pretty much worked without problem. A few things that were done 
different ...

- samba 4.2, not 4.1.17
- no slapd installed
- no cups installed (cups will install avahi) - dont plan on using pi as 
print server
- my-domain.home instead of .local (or .lan or maybe .private)
- not getting confused by the issue ad member and ad d controller

see reported success here: 
https://lists.samba.org/archive/samba/2015-March/190057.html