On Sat, Dec 10, 2016 at 9:10 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 10 Dec 2016 13:56:38 +0000
> Philippe LeCavalier <support at plecavalier.com> wrote:
>
> > The main docs page, really? That's not helpful at all.
> >
> > On Sat, Dec 10, 2016 at 3:04 AM Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Sat, 10 Dec 2016 02:00:53 +0000
> > > Philippe LeCavalier via samba <samba at lists.samba.org> wrote:
> > >
> > > > Hey guys,
> > > >
> > > > I'm setting up a Samba 4 AD DC server on Debian 8 (see pkg list
> > > > below).
> > > >
> > > > Things are working relatively well except that I'm concerned that
> > > > the domain accounts are not available to the OS, i.e. getent group
> > > > "Domain Admins" returns nothing.
> > > >
> > > > I've implemented roaming profiles which is working very well but
> > > > redirected folders are not and I'm thinking it's a permissions
> > > > issue relating back to the OS not seeing the domain users/groups.
> > > >
> > > > I'm a long time Samba NT domain admin but this is my first brush
> > > > with Samba as a true AD DC. I do also have extensive knowledge of
> > > > Windows AD DCs from back in the day.
> > > >
> > > > samba 2:4.2.10+dfsg-0+deb8u
> > > > winbind 2:4.2.10+dfsg-0+deb8u
> > > > Debian 3.16.36-1+deb8u2
> > > > Whatever other pkg info is required just ask.
> > > >
> > > > Thanks in advance!
> > >
> > > Go and read this:
> > >
> > > https://wiki.samba.org/index.php/Main_Page
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
>
> It is a darn sight more helpful than the info you provided to try and
> get your problem fixed, but let's try going a bit deeper into the wiki,
> see here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> and
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> They should supply you with enough info to fix your problem.
>
> Rowland

I provided what I thought was relevant and stated if more info was needed to just ask. Instead, you just refer me to the main page of the wiki. I don't know why you assume I didn't comb through the entire wiki looking for the answer to my problem. Naturally, that's the first thing I did. Also, I went through all the config related to NIS and Winbind and cannot find anything that would lead me to think the OS shouldn't see the domain groups and users. I checked the logs, still no errors related to that.

Can we get past this? I don't know what you expect from me? I'm asking for help. What is it that you're missing from me to actually help me?

--
Regards,
Phil

On Sat, 10 Dec 2016 14:37:11 +0000 Philippe LeCavalier <support at plecavalier.com> wrote:

> I provided what I thought was relevant and stated if more info was
> needed to just ask. Instead, you just refer me to the main page of
> the wiki. I don't know why you assume I didn't comb through the
> entire wiki looking for the answer to my problem. Naturally, that's
> the first thing I did. Also, I went through all the config related to
> NIS and Winbind and cannot find anything that would lead me to think
> the OS shouldn't see the domain groups and users. I checked the logs,
> still no errors related to that.
>
> Can we get past this? I don't know what you expect from me? I'm
> asking for help. What is it that you're missing from me to actually
> help me?

Let's start with your smb.conf and whether you have given any of your users a uidNumber attribute and any groups a gidNumber attribute. Have you installed any packages other than the ones you mentioned earlier?

Rowland

On Sat, Dec 10, 2016 at 9:37 AM Philippe LeCavalier <support at plecavalier.com> wrote:

> I provided what I thought was relevant and stated if more info was needed
> to just ask. Instead, you just refer me to the main page of the wiki. I
> don't know why you assume I didn't comb through the entire wiki looking for
> the answer to my problem. Naturally, that's the first thing I did. Also, I
> went through all the config related to NIS and Winbind and cannot find
> anything that would lead me to think the OS shouldn't see the domain groups
> and users. I checked the logs, still no errors related to that.
>
> Can we get past this? I don't know what you expect from me? I'm asking for
> help. What is it that you're missing from me to actually help me?
> --
> Regards,
> Phil

FWIW in the "SeDiskOperatorPrivilege" section of the wiki it suggests that if the output of 'getent group "Domain Admins"' does not return the expected result, to refer to the NSS Configuration - which is blank. So I'm not clear at all on how to troubleshoot that side.

For the idmap, in the Prerequisite section, there is no detail on how to set: "Users must have at least the uidNumber and groups the gidNumber attribute set. When using the rfc2307 winbind NSS info mode, user accounts must also have the loginShell, unixHomeDirectory and primaryGroupID set."

I have RSAT / ADUC installed on a workstation and can connect to the DC and open the UNIX Attributes tab.

--
Regards,
Phil

On Sat, 10 Dec 2016 19:37:40 +0000 Philippe LeCavalier via samba <samba at lists.samba.org> wrote:

> FWIW in the "SeDiskOperatorPrivilege" section of the wiki it suggests
> that if the output of 'getent group "Domain Admins"' does not return the
> expected result, to refer to the NSS Configuration - which is blank. So
> I'm not clear at all on how to troubleshoot that side.

I will look into this.

> For the idmap, in the Prerequisite section, there is no detail on how
> to set: "Users must have at least the uidNumber and groups the gidNumber
> attribute set. When using the rfc2307 winbind NSS info mode, user
> accounts must also have the loginShell, unixHomeDirectory and
> primaryGroupID set."

You can add them with samba-tool when creating new users, but you need to use either ADUC or script around ldbmodify to add them to existing users.

> I have RSAT / ADUC installed on a workstation and can connect to the DC
> and open the UNIX Attributes tab.

Are you doing this as the Administrator?

If you have no other option but must add a gidNumber to Domain Admins, try this:

Log on to the Samba AD DC as root and run this command:

    ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Replace nano with your favourite editor and /usr/local/samba/private/sam.ldb with the path to sam.ldb on your DC.

Once the editor opens, search for the Domain Admins object. When you find it, add 'gidNumber: 10001', then close and save. You can replace '10001' with whatever number you like.

Rowland

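The "script around ldbmodify" route for existing users mentioned in the reply above, shown as an added example that is not part of the thread or of Samba's own tooling: it turns a list of objects into LDIF and rejects out-of-range or duplicate IDs before anything touches sam.ldb. The function name, the `kind|DN|id` input format, the sample DNs and the 10000-19999 range are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit an LDIF for ldbmodify that adds
# uidNumber/gidNumber to existing AD objects. Input: "kind|DN|id" per line,
# kind = user or group. DNs, IDs and the range are constructed assumptions.

ID_MIN=10000   # assumed start of the ID range reserved for the domain
ID_MAX=19999   # assumed end of that range

gen_rfc2307_ldif() {
    # stdin: "kind|DN|id" lines; stdout: LDIF; exit status 1 on any bad line.
    awk -F'|' -v min="$ID_MIN" -v max="$ID_MAX" '
    function fail(msg) { print "line " NR ": " msg > "/dev/stderr"; bad = 1 }
    NF == 0 { next }                      # skip blank lines
    {
        kind = $1; dn = $2; id = $3
        if (kind == "user")       attr = "uidNumber"
        else if (kind == "group") attr = "gidNumber"
        else { fail("unknown kind \"" kind "\""); next }
        if (dn == "") { fail("missing DN"); next }
        if (id !~ /^[0-9]+$/ || id + 0 < min + 0 || id + 0 > max + 0) {
            fail("id \"" id "\" outside " min "-" max); next
        }
        # Two accounts sharing one uidNumber (or two groups one gidNumber)
        # are the same principal to the OS, so file ACLs stop separating them.
        if ((attr, id) in seen) { fail(attr " " id " already used by " seen[attr, id]); next }
        seen[attr, id] = dn
        out = out "dn: " dn "\nchangetype: modify\nadd: " attr "\n" attr ": " id "\n\n"
    }
    END { if (bad) exit 1; printf "%s", out }'
}

# Constructed sample input; review the LDIF, then apply it on the DC as root:
#   ldbmodify -H /usr/local/samba/private/sam.ldb ids.ldif
gen_rfc2307_ldif <<'EOF'
user|CN=alice,CN=Users,DC=samdom,DC=example,DC=com|10000
user|CN=bob,CN=Users,DC=samdom,DC=example,DC=com|10001
group|CN=staff,CN=Users,DC=samdom,DC=example,DC=com|10000
EOF
```
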
Anyone?

On Sat, Dec 10, 2016 at 2:37 PM Philippe LeCavalier <support at plecavalier.com> wrote:

> FWIW in the "SeDiskOperatorPrivilege" section of the wiki it suggests that
> if the output of 'getent group "Domain Admins"' does not return the expected
> result, to refer to the NSS Configuration - which is blank. So I'm not clear
> at all on how to troubleshoot that side.
>
> For the idmap, in the Prerequisite section, there is no detail on how to
> set: "Users must have at least the uidNumber and groups the gidNumber
> attribute set. When using the rfc2307 winbind NSS info mode, user accounts
> must also have the loginShell, unixHomeDirectory and primaryGroupID set."
>
> I have RSAT / ADUC installed on a workstation and can connect to the DC and
> open the UNIX Attributes tab.
> --
> Regards,
> Phil

--
Regards,
Phil