Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-17 Thread steve

On 08/16/2012 08:56 PM, Gémes Géza wrote:

On 2012-08-16 20:07, steve wrote:

On 16/08/12 19:32, Gémes Géza wrote:

On 2012-08-16 18:53, steve wrote:

Here is the conf which works on box2:
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No



The following are for the Samba3 box:

Does net ads testjoin report join ok?
wbinfo -u lists all the users?
wbinfo -g lists all the groups?
wbinfo -i some_username is able to list all user info?
Have you changed your /etc/nsswitch.conf to have:
passwd:  files winbind
group:   files winbind
(others don't really matter)
does id some_username and getent passwd some_username give meaningless 
results?
If all the above yes, have you checked, that the shared folder permits 
write access for the above some_username (from linux shell first)?


Hi Geza, Rowland, everyone
OK I found it. The answer to all the above is yes. I did one further 
check with getent group which does _not_ return AD groups. getent group 
ALTEA\\group_name does however work.


Anyway I found the problem. Here is a user with rfc2307:

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20120812101809.0Z
uSNCreated: 3845
name: steve2
objectGUID: 30cef31e-fba8-418a-a0e7-293ddf232c7e
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-643408982-184040625-1139712187-1123
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 1298924029
uidNumber: 324
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
loginShell: /bin/bash
homeDrive: Z:
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 66048
accountExpires: 0
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
whenChanged: 20120816093724.0Z
uSNChanged: 4030
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

hh30.hh3.site is the S4-DC and hh32.hh3.site is the S3-file server. 
Note that the entries for:

homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2
point to the DC _not_ the file server DOH!

I changed the entries to:
homeDirectory: \\hh32\home\steve2
profilePath: \\hh32\profiles\steve2

and home directories and profiles became meaningful once again :)

Not an easy one that. The error came because I was using the two 
existing machines to switch from s3fs all on one box to S4/S3 on two 
separate boxes.


Thanks everyone for staying with me on this.

I must say I prefer the DC with s3fs on one box.
Cheers,
Steve

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
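Steve's root cause above was that homeDirectory and profilePath still named the DC (hh30) after the shares had moved to the file server (hh32). The following is an added example, not code from the thread: two shell helpers that read an LDIF dump (as produced by ldbsearch or ldapsearch) and report, and optionally produce a changetype: modify LDIF to fix, any Windows path attribute whose UNC host is not the expected file server. The sample LDIF is constructed from the entry quoted above, trimmed to the relevant attributes; the expected host hh32 is taken from Steve's own fix.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that the Windows-side path
# attributes of AD user entries (homeDirectory, profilePath) point at the
# file server rather than the DC, and emit an LDIF modify to correct them.

# lc <string>: lowercase (UNC host names are case-insensitive)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# unc_host '\\host\share\path': print "host"
unc_host() {
    local h=${1#\\\\}          # drop the leading \\
    printf '%s' "${h%%\\*}"    # keep everything up to the next \
}

# check_unc_hosts <expected-host> < ldif
# Prints one "OK" or "WRONG-HOST" line per homeDirectory/profilePath
# attribute; returns 1 if any attribute points at another host.
check_unc_hosts() {
    local expected=$1 dn="" rc=0 line attr val host
    while IFS= read -r line; do
        case $line in
            dn:*) dn=${line#dn: } ;;
            homeDirectory:*|profilePath:*)
                attr=${line%%:*}
                val=${line#*: }
                host=$(unc_host "$val")
                if [ "$(lc "$host")" = "$(lc "$expected")" ]; then
                    printf 'OK %s %s\n' "$dn" "$attr"
                else
                    printf 'WRONG-HOST %s %s -> %s\n' "$dn" "$attr" "$host"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# emit_unc_fix <expected-host> < ldif
# Prints a "changetype: modify" LDIF (for ldbmodify/ldapmodify on the DC)
# that rewrites every wrong-host path attribute to the expected host while
# keeping the share\path part unchanged.
emit_unc_fix() {
    local expected=$1 dn="" header_done=0 line attr val host rest
    while IFS= read -r line; do
        case $line in
            dn:*) dn=${line#dn: }; header_done=0 ;;
            homeDirectory:*|profilePath:*)
                attr=${line%%:*}
                val=${line#*: }
                host=$(unc_host "$val")
                [ "$(lc "$host")" = "$(lc "$expected")" ] && continue
                rest=${val#\\\\*\\}     # share\path after the host
                if [ "$header_done" -eq 0 ]; then
                    printf 'dn: %s\nchangetype: modify\n' "$dn"
                    header_done=1
                fi
                printf 'replace: %s\n%s: \\\\%s\\%s\n-\n' \
                    "$attr" "$attr" "$expected" "$rest"
                ;;
        esac
    done
}

# Constructed sample: the entry quoted in the thread, trimmed to the
# relevant attributes, with the paths still pointing at the DC (hh30).
SAMPLE_LDIF='dn: CN=steve2,CN=Users,DC=hh3,DC=site
sAMAccountName: steve2
uidNumber: 324
gidNumber: 20513
unixHomeDirectory: /home2/home/steve2
homeDirectory: \\hh30\home\steve2
profilePath: \\hh30\profiles\steve2'

FILE_SERVER=hh32   # the host that actually exports [home] and [profiles]

printf '%s\n' "$SAMPLE_LDIF" | check_unc_hosts "$FILE_SERVER" || {
    echo "--- proposed modification (review it, then feed it to ldbmodify on the DC):"
    printf '%s\n' "$SAMPLE_LDIF" | emit_unc_fix "$FILE_SERVER"
}
```

Run against a real dump with `ldbsearch -H /path/to/sam.ldb '(objectClass=user)' homeDirectory profilePath | check_unc_hosts hh32`; the emitted LDIF is meant to be read before it is applied, since a share that genuinely lives on the DC must keep its host.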


[Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-16 Thread steve

Hi everyone

I have an S4 DC with an S3 fileserver. I want to create users and their 
unixHomeDirectory on the fileserver. I can do this with a script which 
uses ldapmodify. Fine so far.


The user shows in getent passwd on the DC and in wbinfo -u on the S3 box 
but does not show in getent passwd on the fileserver. The user has been 
created with all his rfc2307 attributes but is invisible to winbind on 
the S3 box.


I have tried restarting winbind on the S3 box but still no luck. Is 
there a cache I must clear somewhere?


How can I get new users to show on the S3 box?

Cheers,
Steve


Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-16 Thread Gémes Géza

On 2012-08-16 18:53, steve wrote:

Hi everyone

I have an S4 DC with an S3 fileserver. I want to create users and their 
unixHomeDirectory on the fileserver. I can do this with a script which 
uses ldapmodify. Fine so far.


The user shows in getent passwd on the DC and in wbinfo -u on the S3 
box but does not show in getent passwd on the fileserver. The user has 
been created with all his rfc2307 attributes but is invisible to 
winbind on the S3 box.


I have tried restarting winbind on the S3 box but still no luck. Is 
there a cache I must clear somewhere?


How can I get new users to show on the S3 box?

Cheers,
Steve

Hi,

I'm not sure I've understood your situation, so please correct me if I'm 
wrong. You have 3 computers:


1. Samba4 (everything works to the extent permitted by its winbind 
implementation)
2. Samba3 (everything works, including having homedirs and shells 
obtained via winbind from AD)
3. Samba3 (where do you intend to have home directories, and could not 
list users)


If that is the situation you could simply copy the config from second 
box to third one, and add a [homes] share and everything should work.


If not, in a previous e-mail you've already written the samba config 
needed for having a working winbind with idmap_ad. One thing I've learned 
the hard way: if any of the gidNumbers of a group a user belongs to is 
out of the range you've specified in your smb.conf for your domain, that 
user is going to be invisible (I've avoided it with a range = 0-1000).


If you have winbind installed by package I would try to delete 
/var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.


Regards

Geza Gemes


Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-16 Thread steve

On 16/08/12 19:32, Gémes Géza wrote:

On 2012-08-16 18:53, steve wrote:

Hi everyone

I have an S4 DC with an S3 fileserver. I want to create users and their
unixHomeDirectory on the fileserver. I can do this with a script which
uses ldapmodify. Fine so far.

The user shows in getent passwd on the DC and in wbinfo -u on the S3
box but does not show in getent passwd on the fileserver. The user has
been created with all his rfc2307 attributes but is invisible to
winbind on the S3 box.

I have tried restarting winbind on the S3 box but still no luck. Is
there a cache I must clear somewhere?

How can I get new users to show on the S3 box?

Cheers,
Steve

Hi,

I'm not sure I've understood your situation, so please correct me if I'm
wrong. You have 3 computers:

1. Samba4 (everything works to the extent permitted by its winbind
implementation)


Does winbindd have to be running on this DC? I thought it didn't matter 
whether it was or it wasn't. I use nss-ldapd for mapping on this box as 
the S4 winbindd seems to be broken for groups.



2. Samba3 (everything works, including having homedirs and shells
obtained via winbind from AD)

Yes. The home directory shares are all on this box

3. Samba3 (where do you intend to have home directories, and could not
list users)

No. I have no box 3. Just 2 boxes. S4 DC and S3 fileserver.

Here is the conf which works on box2:
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No

However, m$ machines cannot write to the shares even though they are 
correctly listed as having the correct permissions and ownership.


If that is the situation you could simply copy the config from second
box to third one, and add a [homes] share and everything should work.

If not, in a previous e-mail you've already written the samba config
needed for having a working winbind with idmap_ad. One thing I've learned
the hard way: if any of the gidNumbers of a group a user belongs to is
out of the range you've specified in your smb.conf for your domain, that
user is going to be invisible (I've avoided it with a range = 0-1000).

If you have winbind installed by package I would try to delete
/var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.

Regards

Geza Gemes




Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-16 Thread Gémes Géza

On 2012-08-16 20:07, steve wrote:

On 16/08/12 19:32, Gémes Géza wrote:

On 2012-08-16 18:53, steve wrote:

Hi everyone

I have an S4 DC with an S3 fileserver. I want to create users and their
unixHomeDirectory on the fileserver. I can do this with a script which
uses ldapmodify. Fine so far.

The user shows in getent passwd on the DC and in wbinfo -u on the S3
box but does not show in getent passwd on the fileserver. The user has
been created with all his rfc2307 attributes but is invisible to
winbind on the S3 box.

I have tried restarting winbind on the S3 box but still no luck. Is
there a cache I must clear somewhere?

How can I get new users to show on the S3 box?

Cheers,
Steve

Hi,

I'm not sure I've understood your situation, so please correct me if I'm
wrong. You have 3 computers:

1. Samba4 (everything works to the extent permitted by its winbind
implementation)


Does winbindd have to be running on this DC? I thought it didn't 
matter whether it was or it wasn't. I use nss-ldapd for mapping on 
this box as the S4 winbindd seems to be broken for groups.
It is running inside the samba binary; you don't have to, and can't, start it 
independently.



2. Samba3 (everything works, including having homedirs and shells
obtained via winbind from AD)

Yes. The home directory shares are all on this box

3. Samba3 (where do you intend to have home directories, and could not
list users)

No. I have no box 3. Just 2 boxes. S4 DC and S3 fileserver.

Here is the conf which works on box2:
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No

However, m$ machines cannot write to the shares even though they are 
correctly listed as having the correct permissions and ownership.

The following are for the Samba3 box:

Does net ads testjoin report join ok?
wbinfo -u lists all the users?
wbinfo -g lists all the groups?
wbinfo -i some_username is able to list all user info?
Have you changed your /etc/nsswitch.conf to have:
passwd:  files winbind
group:   files winbind
(others don't really matter)
does id some_username and getent passwd some_username give meaningless 
results?
If all the above yes, have you checked, that the shared folder permits 
write access for the above some_username (from linux shell first)?


If that is the situation you could simply copy the config from second
box to third one, and add a [homes] share and everything should work.

If not, in a previous e-mail you've already written the samba config
needed for having a working winbind with idmap_ad. One thing I've learned
the hard way: if any of the gidNumbers of a group a user belongs to is
out of the range you've specified in your smb.conf for your domain, that
user is going to be invisible (I've avoided it with a range = 0-1000).


If you have winbind installed by package I would try to delete
/var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.

Regards

Geza Gemes



Hope that the above order of checks helps to find out the problem.

Regards

Geza Gemes
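Geza's message above carries two practical points: the order of checks to run on the Samba3 member server (net ads testjoin, wbinfo -u/-g/-i, nsswitch.conf, id and getent), and the idmap rule that with idmap_ad and rfc2307 a uidNumber or gidNumber outside "idmap config DOMAIN:range" cannot be mapped, so a user with such an ID, or whose group has one, becomes invisible to winbind. The script below is an added example, not code from the thread or from the Samba project: it parses the idmap ranges out of an smb.conf, checks every uidNumber/gidNumber in an LDIF dump against the domain's range, and bundles Geza's live checks into a function that runs only when invoked with `--live <user>` on the member server. The smb.conf and user entry are constructed from the ones quoted in this thread; the "staff" group is invented for illustration. Applied to the quoted values, the check flags gidNumber 20513 as outside ALTEA's 2-4000 range; the thread's eventual fix was the homeDirectory/profilePath hosts, so treat that flag as an extra item to verify rather than as the diagnosis.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Text-only idmap range check for a
# Samba3 member server using idmap_ad + rfc2307, plus Geza's live checks.

# parse_idmap_ranges < smb.conf  -> "DOMAIN low high" per "idmap config X:range" line
parse_idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*\):range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# range_for <domain> < smb.conf  -> "low high" (empty if the domain has no range)
range_for() {
    parse_idmap_ranges | awk -v d="$1" '$1 == d { print $2, $3 }'
}

# check_ids_in_range <low> <high> < ldif
# Every uidNumber/gidNumber in the dump must fall inside [low, high]; anything
# outside cannot be mapped by idmap_ad and makes the owning user/group invisible.
# Prints OK / OUT-OF-RANGE per attribute; returns 1 if any is outside.
check_ids_in_range() {
    local low=$1 high=$2 rc=0 dn="" line attr val
    while IFS= read -r line; do
        case $line in
            dn:*) dn=${line#dn: } ;;
            uidNumber:*|gidNumber:*)
                attr=${line%%:*}
                val=${line#*: }
                if [ "$val" -ge "$low" ] && [ "$val" -le "$high" ]; then
                    printf 'OK %s %s=%s\n' "$dn" "$attr" "$val"
                else
                    printf 'OUT-OF-RANGE %s %s=%s (not in %s-%s)\n' \
                        "$dn" "$attr" "$val" "$low" "$high"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# live_checks <username>: Geza's check order, to be run on the Samba3 box itself
# (needs net, wbinfo, getent). Only executed when the script gets --live.
live_checks() {
    local u=$1
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found; run this on the Samba3 box"; return 2; }
    echo "# 1. domain join";          net ads testjoin
    echo "# 2. user enumeration";     wbinfo -u | grep -i -- "$u" || echo "!! $u missing from wbinfo -u"
    echo "# 3. group enumeration";    wbinfo -g
    echo "# 4. user info (rfc2307)";  wbinfo -i "$u"
    echo "# 5. nsswitch.conf";        grep -E '^(passwd|group):' /etc/nsswitch.conf
    echo "# 6. NSS resolution";       id "$u"; getent passwd "$u"
}

# Constructed samples: the idmap lines of the smb.conf quoted in the thread,
# the user entry quoted in the thread, and an invented group "staff".
SMB_CONF='[global]
   realm = hh3.site
   workgroup = ALTEA
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-4000
   idmap config ALTEA:backend = ad
   idmap config ALTEA:range = 2-4000
   idmap config ALTEA:schema_mode = rfc2307
   winbind nss info = rfc2307'

SAMPLE_LDIF='dn: CN=steve2,CN=Users,DC=hh3,DC=site
sAMAccountName: steve2
primaryGroupID: 513
uidNumber: 324
gidNumber: 20513

dn: CN=staff,CN=Users,DC=hh3,DC=site
gidNumber: 3100'

if [ "${1:-}" = --live ]; then
    live_checks "${2:?usage: $0 --live <username>}"
else
    ALTEA_RANGE=$(printf '%s\n' "$SMB_CONF" | range_for ALTEA)   # "2 4000"
    # word-splitting $ALTEA_RANGE into <low> <high> is intended
    printf '%s\n' "$SAMPLE_LDIF" | check_ids_in_range $ALTEA_RANGE ||
        echo "at least one ID cannot be mapped by idmap_ad with this range"
fi
```

On a real system replace the two sample strings with `testparm -s` output and an `ldbsearch`/`ldapsearch` dump of users and groups (attributes uidNumber, gidNumber), and remember that the primary group's gidNumber counts as well as the user's own uidNumber.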


Re: [Samba] S4 DC S3 file server: samba-tool and net ads user problems

2012-08-16 Thread Rowland Penny

On 16/08/12 19:56, Gémes Géza wrote:

On 2012-08-16 20:07, steve wrote:

On 16/08/12 19:32, Gémes Géza wrote:

On 2012-08-16 18:53, steve wrote:

Hi everyone

I have an S4 DC with an S3 fileserver. I want to create users and their
unixHomeDirectory on the fileserver. I can do this with a script which
uses ldapmodify. Fine so far.

The user shows in getent passwd on the DC and in wbinfo -u on the S3
box but does not show in getent passwd on the fileserver. The user has
been created with all his rfc2307 attributes but is invisible to
winbind on the S3 box.

I have tried restarting winbind on the S3 box but still no luck. Is
there a cache I must clear somewhere?

How can I get new users to show on the S3 box?

Cheers,
Steve

Hi,

I'm not sure I've understood your situation, so please correct me if I'm
wrong. You have 3 computers:

1. Samba4 (everything works to the extent permitted by its winbind
implementation)


Does winbindd have to be running on this DC? I thought it didn't 
matter whether it was or it wasn't. I use nss-ldapd for mapping on 
this box as the S4 winbindd seems to be broken for groups.
It is running inside the samba binary; you don't have to, and can't, start it 
independently.



2. Samba3 (everything works, including having homedirs and shells
obtained via winbind from AD)

Yes. The home directory shares are all on this box

3. Samba3 (where do you intend to have home directories, and could not
list users)

No. I have no box 3. Just 2 boxes. S4 DC and S3 fileserver.

Here is the conf which works on box2:
[global]
realm = hh3.site
workgroup = ALTEA
security = ADS
winbind enum users = Yes
winbind enum groups = Yes
idmap config *:backend = tdb
idmap config *:range = 3000-4000
idmap config ALTEA:backend = ad
idmap config ALTEA:range = 2-4000
idmap config ALTEA:schema_mode = rfc2307
winbind nss info = rfc2307
winbind expand groups = 2
winbind nested groups = yes

[home]
path = /home2/home
read only = No

[profiles]
path = /home2/profiles
read only = No

However, m$ machines cannot write to the shares even though they are 
correctly listed as having the correct permissions and ownership.

The following are for the Samba3 box:

Does net ads testjoin report join ok?
wbinfo -u lists all the users?
wbinfo -g lists all the groups?
wbinfo -i some_username is able to list all user info?
Have you changed your /etc/nsswitch.conf to have:
passwd:  files winbind
group:   files winbind
(others don't really matter)
does id some_username and getent passwd some_username give meaningless 
results?
If all the above yes, have you checked, that the shared folder permits 
write access for the above some_username (from linux shell first)?


If that is the situation you could simply copy the config from second
box to third one, and add a [homes] share and everything should work.

If not, in a previous e-mail you've already written the samba config
needed for having a working winbind with idmap_ad. One thing I've learned
the hard way: if any of the gidNumbers of a group a user belongs to is
out of the range you've specified in your smb.conf for your domain, that
user is going to be invisible (I've avoided it with a range = 0-1000).


If you have winbind installed by package I would try to delete
/var/lib/samba/winbind* (WHILE winbind IS STOPPED), and then restart it.

Regards

Geza Gemes



Hope that the above order of checks helps to find out the problem.

Regards

Geza Gemes

Steve,
Try looking here: https://wiki.samba.org/index.php/Samba4/Winbind

Rowland

