Hi Rowland,

We did the classicupgrade. Post the classicupgrade, we added a Windows 2008R2 server and dcpromo'd it. The original Samba box (classic DC) was where we did the classicupgrade. Did you mean that we need to shut that box down? Leaving a Windows DC (FSMO?) and Samba member server? Sorry I was not aware of this step. What if we hadn't added a Windows 08 box?

Here is the smb.conf

# Global parameters
[global]
        netbios name = CDR-FS01
        security = ADS
        workgroup = CDR
        realm = CDR.INTERNAL
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        idmap config CDR:backend = ad
        idmap config CDR:schema_mode = rfc2307
        idmap config CDR:range = 5000-6000
        log level = 2 auth:5
        log file = /var/log/samba/sambalog.%m
        logon script = %U.bat

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        browseable = No
        read only = No
        path = %H/samba
        follow symlinks = yes
        wide links = yes

I've tried both 'files winbind' and the reverse. Same results.

On Mon, Apr 23, 2018 at 6:22 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 23 Apr 2018 16:48:15 +1000
> Rob Thoman via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > Our setup:
> >
> > Samba (classic) DC: cdr-dc01
> > Samba (classic) member server: cdr-fs01. This is also a file server
> > AD realm: CDR.internal
> >
> > We migrated to AD and came across an issue with accessing shares. The
> > shares in question worked pre-migration, i.e. using a Windows machine a
> > user was able to access that share. The share in question was locked
> > down to just that user.
> >
> > Post migration, we are able to access any shares which are not locked
> > down to users, i.e. shares which are accessible to groups.
> >
> > For the particular share in question, we get
> >
> > canonicalize_connect_path failed for service user01, path
> > /home/CDR/user01/samba
> >
> > There is no /home/CDR .
>
> Oh yes there is ;-)
>
> > Where is this coming from?
>
> From 'template homedir', it is the default setting.
>
> > The curious thing is getent passwd gives the following
> > user01:*:3029:3000:user01:/home/CDR/user01:/bin/false
> >
> > The user is not in the local /etc/passwd
>
> As it shouldn't be
>
> > The cdr-fs01 has been joined to the AD domain, and we have the
> > following in /etc/nsswitch.conf
> >
> > shadow: files
> > passwd: winbind files
> > group: winbind files
>
> It should be 'files winbind'
>
> What is the AD DC ?
>
> Can you please post the smb.conf from 'cdr-fs01'
>
> How did you migrate ? Did you use 'samba-tool domain classicupgrade' ?
> If you did, is the original PDC still running as a PDC ? If so, turn it
> off.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Mon, 23 Apr 2018 20:09:50 +1000
Rob Thoman <emailthomasrob at gmail.com> wrote:

> Hi Rowland,
>
> We did the classicupgrade. Post the classicupgrade, we added a Windows
> 2008R2 server and dcpromo'd it. The original Samba box (classic DC)

It is the 'classic DC' that is throwing me, do you mean the original PDC, or are you referring to the Samba AD DC that 'classicupgrade' produces ? If it is a PDC, then yes, turn it off or turn it into a Unix domain member. If it is a Samba AD DC, then please stop using the term 'classic DC' because it is confusing.

> was where we did the classicupgrade. Did you mean that we need to
> shut that box down? Leaving a Windows DC (FSMO?) and Samba member
> server? Sorry I was not aware of this step. What if we hadn't added
> a Windows 08 box?

A Samba AD DC is just an AD DC, just as a Windows AD DC is just an AD DC.

I have reorganised the [global] part of your smb.conf and added comments:

# Global parameters
[global]
        netbios name = CDR-FS01
        security = ADS
        workgroup = CDR
        realm = CDR.INTERNAL

        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes

You do not need the above two lines, they do two things:
They make 'getent passwd' & 'getent group' show all records, this isn't required.
They slow things down.

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config CDR:backend = ad
        idmap config CDR:schema_mode = rfc2307
        idmap config CDR:range = 5000-6000

The ranges cannot overlap.
Do your users & groups have uidNumber & gidNumber attributes containing numbers inside the '3000-7999' or '5000-6000' ranges ? What the user & group numbers are will give you what the range for 'CDR' should be. The '*' domain is for the Well Known SIDs and anything outside the 'CDR' domain.

Also the 'idmap config' lines for 'CDR' may be incorrect, depending on what version of Samba you are using, can I suggest you read this wiki page:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

        log level = 2 auth:5
        log file = /var/log/samba/sambalog.%m
        logon script = %U.bat

You don't use 'logon script' with AD, you just put the script in netlogon.

Rowland
Hi Rowland,

Sorry about the confusion. I was referring to the Samba PDC which we classicupgraded to an AD DC. So it is an AD DC.

The ranges don't overlap, there was a typo, it was meant to be

        idmap config * : range = 3000-7999
        idmap config CDR:range = 10000-110000

getent passwd of the users in the member server gives me

        user01:3029:3000:

The uid number of the user in question according to AD is 1070. The gid number of groups starts from 10000.

The version of Samba in the member server is 3.6.

I've added the 'winbind nss info = rfc2307' bit

        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        winbind use default domain = yes
        winbind nss info = rfc2307
        idmap config CDR:backend = ad
        idmap config CDR:schema_mode = rfc2307
        idmap config CDR:range = 11000-12000
        winbind use default domain = yes

I did the above changes, reloaded the Samba config and got the same result

        canonicalize_connect_path failed for service user01, path /home/CDR/user01/samba

I also have the following

        connect to service data initially as user CDR\user01(uid=3029, gid=3000) (pid 5620)

Had some errors about the wide links so have removed them

        Share 'user01' has wide links and unix extensions enabled. These parameters are incompatible. Wide links will be disabled for this share

RT

On Mon, Apr 23, 2018 at 8:48 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 23 Apr 2018 20:09:50 +1000
> Rob Thoman <emailthomasrob at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > We did the classicupgrade. Post the classicupgrade, we added a Windows
> > 2008R2 server and dcpromo'd it. The original Samba box (classic DC)
>
> It is the 'classic DC' that is throwing me, do you mean the original
> PDC, or are you referring to the Samba AD DC that 'classicupgrade'
> produces ? If it is a PDC, then yes, turn it off or turn it into a Unix
> domain member. If it is a Samba AD DC, then please stop using the term
> 'classic DC' because it is confusing.
>
> > was where we did the classicupgrade. Did you mean that we need to
> > shut that box down? Leaving a Windows DC (FSMO?) and Samba member
> > server? Sorry I was not aware of this step. What if we hadn't added
> > a Windows 08 box?
>
> A Samba AD DC is just an AD DC, just as a Windows AD DC is just an AD
> DC.
>
> I have reorganised the [global] part of your smb.conf and added
> comments:
>
> # Global parameters
> [global]
>         netbios name = CDR-FS01
>         security = ADS
>         workgroup = CDR
>         realm = CDR.INTERNAL
>
>         winbind use default domain = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>
> You do not need the above two lines, they do two things:
> They make 'getent passwd' & 'getent group' show all records, this isn't
> required.
> They slow things down.
>
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config CDR:backend = ad
>         idmap config CDR:schema_mode = rfc2307
>         idmap config CDR:range = 5000-6000
>
> The ranges cannot overlap.
> Do your users & groups have uidNumber & gidNumber attributes
> containing numbers inside the '3000-7999' or '5000-6000' ranges ?
> What the user & group numbers are will give you what the
> range for 'CDR' should be. The '*' domain is for the Well Known SIDs
> and anything outside the 'CDR' domain.
>
> Also the 'idmap config' lines for 'CDR' may be incorrect, depending on
> what version of Samba you are using, can I suggest you read this wiki
> page:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
>         log level = 2 auth:5
>         log file = /var/log/samba/sambalog.%m
>         logon script = %U.bat
>
> You don't use 'logon script' with AD, you just put the script in
> netlogon.
>
> Rowland
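The two idmap rules Rowland raises above (the '*' range and the 'CDR' range must not overlap, and with the 'ad' backend the uidNumber/gidNumber values held in AD must fall inside the 'CDR' range) can be checked mechanically before reloading smbd. The script below is an added example written for this thread; it is not Samba's own code and not something either poster ran. It parses the 'idmap config' lines out of smb.conf text, reports overlapping ranges, and reports any AD-assigned id that lies outside the domain's range. The two smb.conf fragments and the ids 1070 (user01's uidNumber) and 10000 (first gidNumber) are constructed from the figures quoted in the thread; the 'lo-hi' range syntax is the one smb.conf uses.

```python
import re

# Matches both spellings seen in the thread:
#   idmap config * : range = 3000-7999
#   idmap config CDR:range = 5000-6000
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.IGNORECASE
)

# Constructed from the thread: the smb.conf as first posted (ranges overlap,
# CDR range 5000-6000) and the corrected one (CDR range 10000-110000).
ORIGINAL_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config CDR:backend = ad
        idmap config CDR:schema_mode = rfc2307
        idmap config CDR:range = 5000-6000
"""

CORRECTED_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config CDR:backend = ad
        idmap config CDR:schema_mode = rfc2307
        idmap config CDR:range = 10000-110000
"""


def parse_idmap(smb_conf):
    """Return {domain: {'backend': ..., 'range': (lo, hi), ...}} for every
    'idmap config <dom> : <key> = <value>' line in the given smb.conf text."""
    cfg = {}
    for line in smb_conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            lo, hi = (int(x) for x in val.split("-", 1))
            entry["range"] = (lo, hi)
        else:
            entry[key] = val
    return cfg


def overlapping_ranges(cfg):
    """Return [(domA, domB), ...] for every pair of domains whose ranges overlap."""
    doms = [(d, e["range"]) for d, e in cfg.items() if "range" in e]
    bad = []
    for i in range(len(doms)):
        for j in range(i + 1, len(doms)):
            (a, (alo, ahi)), (b, (blo, bhi)) = doms[i], doms[j]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                bad.append((a, b))
    return bad


def ids_outside_range(cfg, domain, ids):
    """Return the ids that the 'ad' backend for `domain` would not accept,
    i.e. those not inside that domain's configured range."""
    lo, hi = cfg[domain]["range"]
    return [i for i in ids if not lo <= i <= hi]


def check(smb_conf, domain, ad_ids):
    """Run both checks and return a list of human-readable problems (empty = clean)."""
    cfg = parse_idmap(smb_conf)
    problems = []
    for a, b in overlapping_ranges(cfg):
        problems.append("idmap ranges for '%s' and '%s' overlap" % (a, b))
    entry = cfg.get(domain, {})
    if entry.get("backend", "").lower() == "ad" and "range" in entry:
        for i in ids_outside_range(cfg, domain, ad_ids):
            problems.append(
                "id %d from AD is outside the '%s' range %d-%d" % (i, domain, *entry["range"])
            )
    return problems


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("corrected", CORRECTED_CONF)):
        print(name + ":")
        for p in check(conf, "CDR", [1070, 10000]) or ["no problems found"]:
            print("  " + p)
```

Run against the original fragment the checker reports the '*'/'CDR' overlap and both ids outside 5000-6000; against the corrected fragment the overlap is gone but uid 1070 is still flagged, which matches the symptom in the thread: user01 is not picked up from AD by the 'CDR' backend and instead shows up with an id (3029) allocated from the '*' tdb range.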