Re: [Samba] Samba4 Member Server not working
Hi,

Where can I enter these values in AD?

2013/8/29 steve st...@steve-ss.com

> On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
> > On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> > > Hi,
> > >
> > > I have one Samba4 server running as Active Directory Domain Controller. It's working like a charm.
> > > So I needed to add another server to be a Member Server (File Server).
> > > The server is running samba-4.0.9.
> > >
> > > Configured and compiled ok:
> > > ./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam
> > >
> > > Installed ok. Kerberos OK. I can run kinit and klist
> > >
> > > root@MYNETSRV08:/etc/samba# kinit Administrator
> > > Password for administra...@mynet.net:
> > > root@MYSRV08:/etc/samba#
> > > root@MYNETSRV08:/etc/samba# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: administra...@mynet.net
> > >
> > > Valid starting     Expires            Service principal
> > > 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
> > >         renew until 29/08/2013 19:59
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > My SMB.CONF is below:
> > >
> > > [global]
> > > workgroup = MYNET
> > > security = ADS
> > > realm = MYNET.NET
> > > encrypt passwords = yes
> > > idmap config *:backend = tdb
> > > idmap config *:range = 70001-8
> > > idmap config MYNET:backend = ad
> > > idmap config MYNET:schema_mode = rfc2307
> > > idmap config MYNET:range = 500-4
> > > winbind nss info = rfc2307
> > > winbind trusted domains only = no
> > > winbind use default domain = yes
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > >
> > > [test]
> > > path = /mnt/files
> > > read only = no
> > >
> > > I can add my server to domain:
> > >
> > > root@PCOSRV08:/etc/samba# net ads join -U administrator
> > > Enter administrator's password:
> > > Using short domain name -- MYNET
> > > Joined 'MYNETSRV08' to dns domain 'mynet.net'
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > libnss_winbind.so is in the right place:
> > >
> > > root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> > > /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> > >
> > > The libs are loaded fine:
> > >
> > > root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> > > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > > libnss_compat.so.2 -> libnss_compat-2.13.so
> > > libnss_dns.so.2 -> libnss_dns-2.13.so
> > > libnss_ldap.so.2 -> libnss_ldap.so.2
> > > libnss_nis.so.2 -> libnss_nis-2.13.so
> > > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > > libnss_files.so.2 -> libnss_files-2.13.so
> > > libnss_wins.so -> libnss_wins.so.2
> > > libnss_winbind.so -> libnss_winbind.so.2
> > > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > > libnss_compat.so.2 -> libnss_compat-2.13.so
> > > libnss_dns.so.2 -> libnss_dns-2.13.so
> > > libnss_nis.so.2 -> libnss_nis-2.13.so
> > > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > > libnss_files.so.2 -> libnss_files-2.13.so
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > I added winbind to my nsswitch.conf
> > >
> > > passwd: compat winbind
> > > group: compat winbind
> > >
> > > I can start the daemon without issues:
> > > smbd
> > > nmbd
> > > winbindd
> > >
> > > wbinfo -u list all my domain users
> > > wbinfo -g list all my domain groups
> > >
> > > Here are the problems:
> > >
> > > When I run getent passwd, it lists only the local users.
> >
> > For performance reasons, by default we do not list users in the AD domain. See winbind enum users in your smb.conf
>
> His smb.conf above shows that the OP has those lines for both users and groups.
>
> > > When I run id Administrator, it returns No such user.
> >
> > You need to use 'id MYNET\\administrator'
>
> smb.conf has:
> winbind use default domain = Yes
> Do we still need MYNET\\?
>
> Do your users have entries for:
> uidNumber and gidNumber in AD?
>
> Cheers
> Steve

--
http://www.endomondo.com/profile/3312580
See: http://naofoiacidente.org/blog/por-quem/

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 Member Server not working
Still not working:

I created a test user:

dn: CN=test,CN=Users,DC=mynet,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test
givenName: test
instanceType: 4
whenCreated: 20130827212151.0Z
displayName: test
uSNCreated: 45308
name: teste
objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: t...@mynet.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
pwdLastSet: 13022112112000
url: uidNumber
userAccountControl: 512
msDS-SupportedEncryptionTypes: 0
gidNumber: 12345
uidNumber: 1234567
whenChanged: 20130829175016.0Z
uSNChanged: 47069
distinguishedName: CN=test,CN=Users,DC=mynet,DC=net

But if I run:

id test
id MYNET\test
id MYNET\\test
id t...@mynet.net

I get No such user

2013/8/29 steve st...@steve-ss.com

> On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
> > Hi,
> >
> > Where can I enter these values in AD?
>
> Hi
> If you have a recent version of Samba4, you can add them when you create new users:
> samba-tool user add --help
> will give the options.
>
> If you already have the users, just edit their entries e.g.:
> ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
>
> Add a minimum of:
> uidNumber: 1234567
> gidNumber: 12345
>
> Your winbind will then pull this information from AD when needed.
>
> You can get sensible values for uidNumber from idmap e.g.:
> wbinfo -i carlos
>
> HTH
> Steve

--
http://www.endomondo.com/profile/3312580
See: http://naofoiacidente.org/blog/por-quem/
Re: [Samba] Samba4 Member Server not working
Still not working :(

2013/8/29 steve st...@steve-ss.com

> On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
> > Still not working:
> >
> > I created a test user:
> >
> > dn: CN=test,CN=Users,DC=mynet,DC=net
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: test
> > givenName: test
> > instanceType: 4
> > whenCreated: 20130827212151.0Z
> > displayName: test
> > uSNCreated: 45308
> > name: teste
> > objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > primaryGroupID: 513
> > objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: test
> > sAMAccountType: 805306368
> > userPrincipalName: t...@mynet.net
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
> > pwdLastSet: 13022112112000
> > url: uidNumber
> > userAccountControl: 512
> > msDS-SupportedEncryptionTypes: 0
> > gidNumber: 12345
> > uidNumber: 1234567
> > whenChanged: 20130829175016.0Z
> > uSNChanged: 47069
> > distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
> >
> > But if I run:
> >
> > id test
> > id MYNET\test
> > id MYNET\\test
> > id t...@mynet.net
> >
> > I get No such user
>
> Change:
> uidNumber: 3000100
> gidNumber: 80513
>
> and in smb.conf:
> idmap config MYNET:range = 80001-310

--
http://www.endomondo.com/profile/3312580
See: http://naofoiacidente.org/blog/por-quem/
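An added example, not part of any message in this thread: the idmap_ad backend only maps accounts whose uidNumber and gidNumber fall inside the `idmap config <DOMAIN>:range` for that domain, and that range must not overlap the default (`*`) range. The check below parses a constructed smb.conf fragment and reports which condition an account fails; the range values are sample values (the ranges quoted in the thread are truncated), and the function names are hypothetical.

```python
import re
# Constructed smb.conf fragment modelled on the one in the thread. The range
# values are sample values, not the posters' (theirs are truncated on the page).
SMB_CONF = """\
[global]
workgroup = MYNET
security = ADS
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 500-40000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # smb.conf comment lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            domains.setdefault(dom.upper(), {})[opt.lower()] = val
    return domains

def id_range(domains, dom):
    """Return (low, high) from the domain's 'range = low-high' setting."""
    low, high = (int(x) for x in domains[dom.upper()]["range"].split("-"))
    return low, high

def check_account(conf_text, dom, uid_number, gid_number):
    """List reasons idmap_ad would not map this account; empty list means OK."""
    domains = parse_idmap(conf_text)
    low, high = id_range(domains, dom)
    problems = []
    for attr, value in (("uidNumber", uid_number), ("gidNumber", gid_number)):
        if value is None:
            problems.append(f"{attr} is not set in AD")
        elif not low <= value <= high:
            problems.append(f"{attr} {value} is outside {dom} range {low}-{high}")
    if "*" in domains and dom != "*":
        dlow, dhigh = id_range(domains, "*")
        if low <= dhigh and dlow <= high:  # the two intervals intersect
            problems.append(f"{dom} range overlaps the default (*) range {dlow}-{dhigh}")
    return problems
```

With the sample ranges, `check_account(SMB_CONF, "MYNET", 1234567, 12345)` flags the uidNumber used for the test user in the thread, because it lies above the sample domain range.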
Re: [Samba] Samba4 Member Server not working
I give up.

Configured the server as Secondary Domain Controller. Now it works.

2013/8/29 steve st...@steve-ss.com

> On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:
> > But if I run:
> >
> > id test
> > id MYNET\test
> > id MYNET\\test
> > id t...@mynet.net
> >
> > I get No such user
>
> That should be:
> id test
> not:
> id MYNET\\test

--
http://www.endomondo.com/profile/3312580
See: http://naofoiacidente.org/blog/por-quem/
[Samba] Samba4 Member Server not working
Hi,

I have one Samba4 server running as Active Directory Domain Controller. It's working like a charm.
So I needed to add another server to be a Member Server (File Server).
The server is running samba-4.0.9.

Configured and compiled ok:
./configure --prefix=/usr/local/samba --sysconfdir=/etc --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads --with-shared-modules=idmap_ad,pam

Installed ok. Kerberos OK. I can run kinit and klist

root@MYNETSRV08:/etc/samba# kinit Administrator
Password for administra...@mynet.net:
root@MYSRV08:/etc/samba#
root@MYNETSRV08:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@mynet.net

Valid starting     Expires            Service principal
28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
        renew until 29/08/2013 19:59
root@MYNETSRV08:/etc/samba#

My SMB.CONF is below:

[global]
workgroup = MYNET
security = ADS
realm = MYNET.NET
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
idmap config MYNET:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

[test]
path = /mnt/files
read only = no

I can add my server to domain:

root@PCOSRV08:/etc/samba# net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYNET
Joined 'MYNETSRV08' to dns domain 'mynet.net'
root@MYNETSRV08:/etc/samba#

libnss_winbind.so is in the right place:

root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
/lib/libnss_winbind.so /lib/libnss_winbind.so.2

The libs are loaded fine:

root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_ldap.so.2 -> libnss_ldap.so.2
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
libnss_wins.so -> libnss_wins.so.2
libnss_winbind.so -> libnss_winbind.so.2
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
root@MYNETSRV08:/etc/samba#

I added winbind to my nsswitch.conf

passwd: compat winbind
group: compat winbind

I can start the daemon without issues:
smbd
nmbd
winbindd

wbinfo -u list all my domain users
wbinfo -g list all my domain groups

Here are the problems:

When I run getent passwd, it lists only the local users.
When I run id Administrator, it returns No such user.
If I try to access the share defined in smb.conf, the server does not recognize my user/password.

I'm lost.

Thanks in advance.

--
http://www.endomondo.com/profile/3312580
See: http://naofoiacidente.org/blog/por-quem/