Thanks for the reply Rowland (and sorry for replying twice). I actually used the wiki you linked to set up the DC. I just added those idmap settings because getent could not list my samba users after setting it up; due to your mail I realised I only needed the winbind options to make it work.

The original problem still remains though: using \\SMB.WIE I can only access netlogon and sysvol, using \\192.168.1.50 I can only access the shares.

I am not sure if I understand your comment about the rid backend: I added users with samba-tool:

samba-tool user create kirchner

After that getent shows the user with ids:

getent passwd kirchner
SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false

So the user seems to have an id for user and group and I can use this uid to give access to files on the server.

2016-11-05 9:08 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Sat, 05 Nov 2016 07:06:19 +0100
> Maximilian Kirchner via samba <samba at lists.samba.org> wrote:
>
> > I set up a samba ad dc (self compiled samba 4.5.1 on Ubuntu 16.04).
> > If I connect to the server via \\smb.wie (its dns name) I can access
> > netlogon and sysvol. If I connect via its IP then I can access all my
> > shares (test as an example) - but either way I cannot connect to the
> > other (I do see them though). Windows always tells me the login
> > credentials would be wrong for the other one.
> >
> > This is my config:
> >
> > [global]
> > netbios name = SRV
> > realm = SMB.WIE
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> > winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = SMB
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> >
> > interfaces = bond0:0
> > bind interfaces only = yes
> >
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind use default domain = Yes
> > winbind refresh tickets = Yes
> > winbind nested groups = No
> > #winbind separator = +
> >
> > idmap backend = tdb
> > idmap uid = 10000 - 20000
> > idmap gid = 10000 - 20000
> > idmap config DOMAIN : backend = rid
> > idmap config DOMAIN : range = 10000 - 20000
> >
> > passdb backend = tdbsam # should be default
> >
> > domain logons = yes
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/smb.wie/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > [test]
> > path = /usr/local/samba/var/locks/sysvol/test
> > read only = No
> >
> > And these are the access rights:
> >
> > Result of ll /usr/local/samba/var/locks/sysvol/test
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:42 ./
> >
> > Result of ll /usr/local/samba/var/locks/sysvol
> >
> > drwxrwx---+ 5 root users 4096 Nov 1 19:50 ./
> >
> > log.smbd only tells me the server started successfully and log.samba
> > throws the following warning which I found on the net to ignore:
> >
> > samba: setproctitle not initialized, please either call
> > setproctitle_init() or link against libbsd-ctor.
> >
> > I guess it is due to this error that profile synchronization also
> > does not work which is why I need to fix this.
>
> This is obviously a DC so you should remove the domain member
> components from your smb.conf:
>
> idmap backend = tdb
> idmap uid = 10000 - 20000
> idmap gid = 10000 - 20000
> idmap config DOMAIN : backend = rid
> idmap config DOMAIN : range = 10000 - 20000
>
> passdb backend = tdbsam # should be default
>
> domain logons = yes
>
> They will not work on a DC.
>
> You should also remove:
>
> winbind use default domain = Yes
>
> for the same reason.
>
> As you are trying to use the 'rid' backend, I take it you haven't given
> your users and groups any uidNumber or gidNumber attributes.
>
> Can I suggest you try reading the Samba wiki:
>
> https://wiki.samba.org/index.php/Main_Page
>
> Paying attention to:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server
>
> https://wiki.samba.org/index.php/Shares_with_Windows_ACLs
>
> https://wiki.samba.org/index.php/Implementing_roaming_profiles
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
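Rowland's point is that the quoted smb.conf mixes domain-member parameters (idmap backend/uid/gid, idmap config DOMAIN, passdb backend, domain logons, winbind use default domain) into a config whose server role is a DC. The script below is an added example, not Samba's own tooling or anything posted in the thread: it parses an smb.conf in the way Samba reads it (first-column comments only, key split at the first "=", case- and whitespace-insensitive parameter names), reports the member-only parameters when the role is a DC, and emits a cleaned copy. The sample config is constructed from the one posted above, trimmed to [global] and one share; the parameter list is taken from Rowland's advice, so it covers exactly what the thread names and nothing more.

```python
import re

# [global] parameters the thread identifies as domain-member settings that
# do not work on a DC and should be removed.
MEMBER_ONLY_EXACT = {
    "idmap backend",
    "idmap uid",
    "idmap gid",
    "passdb backend",
    "domain logons",
    "winbind use default domain",
}
# 'idmap config <DOMAIN> : <option>' is a whole family of parameters;
# match it by shape rather than listing every option.
IDMAP_CONFIG_RE = re.compile(r"^idmap config\s+\S+\s*:\s*\S+$")


def normalise(name):
    """Samba parameter names are case-insensitive and tolerate extra
    whitespace, so compare them in a canonical form."""
    return " ".join(name.lower().split())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} from smb.conf text.

    Full-line comments ('#' or ';' in the first column) are skipped; a
    trailing '# ...' is not a comment to Samba, so it stays in the value.
    Only the first '=' splits a pair, because keys such as
    'idmap config DOMAIN : backend' contain a ':'.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalise(line[1:-1])
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalise(key)] = value.strip()
    return sections


def is_dc(conf):
    role = conf.get("global", {}).get("server role", "")
    return normalise(role) == "active directory domain controller"


def is_member_only(key):
    return key in MEMBER_ONLY_EXACT or IDMAP_CONFIG_RE.match(key) is not None


def member_only_params_on_dc(conf):
    """Names of [global] parameters that should be removed on a DC
    (empty list when the config is not a DC at all)."""
    if not is_dc(conf):
        return []
    return [k for k in conf.get("global", {}) if is_member_only(k)]


def strip_member_only(text):
    """Return the config text with the flagged [global] lines dropped,
    leaving comments, blank lines and share sections untouched."""
    out, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = normalise(line[1:-1])
        elif (section == "global" and "=" in line
              and not line.startswith(("#", ";"))
              and is_member_only(normalise(line.split("=", 1)[0]))):
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: the [global] section and one share from the thread.
SAMPLE_CONF = """\
[global]
    netbios name = SRV
    realm = SMB.WIE
    workgroup = SMB
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    #winbind separator = +
    idmap backend = tdb
    idmap uid = 10000 - 20000
    idmap gid = 10000 - 20000
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000 - 20000
    passdb backend = tdbsam # should be default
    domain logons = yes
[test]
    path = /usr/local/samba/var/locks/sysvol/test
    read only = No
"""

if __name__ == "__main__":
    for key in member_only_params_on_dc(parse_smb_conf(SAMPLE_CONF)):
        print("remove on a DC:", key)
    print(strip_member_only(SAMPLE_CONF))
```

Running it against a real file is a matter of `parse_smb_conf(open("/usr/local/samba/etc/smb.conf").read())`; the cleaned text keeps `idmap_ldb:use rfc2307` and the `winbind enum ...` lines, which are the ones the thread says a DC needs.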
On Sat, 5 Nov 2016 12:11:20 +0100
Maximilian Kirchner <max.kirchner at gmail.com> wrote:

> Thanks for the reply Rowland (and sorry for replying twice). I
> actually used the wiki you linked to setup the dc. I just added those
> idmap settings because getent could not list my samba users after
> setting it up, due to your mail I realised I only needed the winbind
> options to make it work.
>
> The original problem still remains though, using \\SMB.WIE I can only
> access netlogon and sysvol, using \\192.168.1.50 I can only access the
> shares.

This sounds like a dns problem, are your windows machines using the DC as their nameserver ?

>
> I am not sure if I understand your comment about the rid backend:
> I added users with the samba-tool:
> samba-tool user create kirchner
> After that getent shows the user with ids:
> getent passwd kirchner
> SMB\kirchner:*:3000016:100::/home/SMB/kirchner:/bin/false
>
> So the user seems to have an id for user and group and I can use this
> uid to give access to files on the server.
>

OK, the '3000016' is allocated in idmap.ldb on the Samba DC, and the allocation is done on a first come, first served basis. This means that if you add another DC, your user may (and probably will) get a different ID number on the second DC. You can sync idmap.ldb to the second DC, but there is an easier way.

Before explaining the easier way, I will explain what happens on a domain member. There are several winbind backends you can use, but the two main ones are 'rid' and 'ad'.

The 'rid' backend works similar to the DC, but the ID is calculated from the user or group RID, so you should get the same ID on all Samba domain members, but the ID would be different from the DC.

The 'ad' backend is set up similarly to the 'rid' backend, but relies on the sysadmin (i.e. you) adding uidNumber & gidNumber attributes to AD. The benefit of doing this: these attributes will be used on the DC, replacing the ones stored in idmap.ldb, and on Samba domain members, i.e. you will get the same ID everywhere.

I hope now you can see the easiest way: use uidNumber & gidNumber attributes. This will allow for later expansion (adding another DC or domain members).

Rowland
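Rowland's explanation contrasts three ways an AD object ends up with a Unix ID: first-come-first-served allocation in the DC's idmap.ldb, the arithmetic 'rid' mapping on members, and uidNumber/gidNumber attributes that every host reads from AD. The model below is an added example, not Samba's code and not something from the thread; it shows why only the last scheme gives the same ID on two DCs and a member. Constructed values: the domain SID, the RIDs, the order in which each DC first resolves the users, and IDMAP_LDB_START (an assumed starting point for the DC's dynamic range). The 'rid' arithmetic follows the idmap_rid rule ID = LOW_RANGE_ID + (RID - BASE_RID).

```python
IDMAP_LDB_START = 3000000  # assumption: where the DC's idmap.ldb starts allocating


class IdmapLdbAllocator:
    """First come, first served: the first SID a DC resolves gets the next
    free number. Two DCs that resolve SIDs in a different order diverge."""

    def __init__(self, start=IDMAP_LDB_START):
        self.next_id = start
        self.table = {}

    def lookup(self, sid):
        if sid not in self.table:
            self.table[sid] = self.next_id
            self.next_id += 1
        return self.table[sid]


def rid_backend_id(rid, range_low, base_rid=0):
    """idmap_rid rule: ID = LOW_RANGE_ID + (RID - BASE_RID). Pure arithmetic,
    so every member with the same range agrees, but the DC does not use it."""
    return range_low + (rid - base_rid)


def ad_backend_id(name, ad_attributes):
    """idmap_ad rule: read uidNumber/gidNumber from AD (a dict stands in for
    the directory here). The DC honours the same attribute, so the value is
    identical everywhere; None when the admin has not set it."""
    return ad_attributes.get(name)


def compare_backends(users, domain_sid, member_range_low=10000, ad_attributes=None):
    """For each user, the ID each scheme hands out on two DCs and a member."""
    ad_attributes = ad_attributes or {}
    sids = {name: f"{domain_sid}-{rid}" for name, rid in users.items()}
    dc1, dc2 = IdmapLdbAllocator(), IdmapLdbAllocator()
    for name in users:                  # DC1 resolved users in creation order
        dc1.lookup(sids[name])
    for name in reversed(list(users)):  # DC2 joined later and saw them reversed
        dc2.lookup(sids[name])
    return {
        name: {
            "dc1_idmap_ldb": dc1.lookup(sids[name]),
            "dc2_idmap_ldb": dc2.lookup(sids[name]),
            "member_rid": rid_backend_id(rid, member_range_low),
            "everywhere_ad": ad_backend_id(name, ad_attributes),
        }
        for name, rid in users.items()
    }


# Constructed sample data: RIDs, a domain SID and admin-assigned uidNumbers.
USERS = {"kirchner": 1116, "bob": 1117, "alice": 1118}
DOMAIN_SID = "S-1-5-21-111-222-333"
AD_ATTRS = {"kirchner": 10001, "bob": 10002, "alice": 10003}

if __name__ == "__main__":
    for name, ids in compare_backends(USERS, DOMAIN_SID, ad_attributes=AD_ATTRS).items():
        print(name, ids)
```

In the output, kirchner and alice swap numbers between the two DCs, the member's 'rid' value sits in the 10000-20000 range and matches no DC, and only the AD attribute column agrees across all hosts, which is the reason Rowland recommends setting uidNumber and gidNumber before a second server exists.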
>
> This sounds like a dns problem, are your windows machines using the DC
> as their nameserver ?
>

Yes, they are using the server as DNS. DNS is done through bind9 and implemented in samba via bind9_dlz. All looks fine:

$ host -t A smb.wie
smb.wie has address 192.168.1.50
$ host -t SRV _kerberos._udp.smb.wie
_kerberos._udp.smb.wie has SRV record 0 100 88 srv.smb.wie.
$ host -t SRV _ldap._tcp.smb.wie
_ldap._tcp.smb.wie has SRV record 0 100 389 srv.smb.wie.

And thanks for your explanation on rid / ad, but it seems to me like it is not relevant here - I am using only one server for everything (I know it is not advised to do so).