Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-09 Thread Chris Alavoine
Update.

Have tried creating an Ubuntu 12.04 domain member fileserver following
these docs here:

https://wiki.samba.org/index.php/Samba4/Domain_Member

With some minor package name changes all seems to work ok... except when I
create a share the permissions appear to be being read from the *nix side.
I'm seeing this:

Everyone
root (Unix User\root)
root (Unix Group\root)

Which looks very much like the posix perms on the member server.

If I try and add my own permissions from the DC I get "Access Denied" when
applying the security changes.

Has anyone encountered this before?

Thanks,
Chris.







On 9 July 2013 11:37, Chris Alavoine  wrote:

> Hi Daniel,
>
> This is what I have so far:
>
> - /etc/nslcd.conf should look like this:
>
> # /etc/nslcd.conf
> # nslcd configuration file. See nslcd.conf(5)
> # for details.
>
> # The user and group nslcd should run as.
> uid nslcd
> gid nslcd
>
> # The location at which the LDAP server(s) should be reachable.
> uri ldap://10.30.54.2
>
> # The search base that will be used for all queries.
> base dc=test,dc=internal,dc=com
>
> binddn cn=nslcd-service,cn=Users,dc=essence,dc=internal,dc=com
> bindpw XX (commented out!)
>
> pagesize 1000
> referrals off
>
> # users
> map passwd uid sAMAccountName
> map passwd gidNumber primaryGroupID
> map passwd homeDirectory unixHomeDirectory
>
> # groups
> map group cn sAMAccountName
> map group uniqueMember member
>
> - Add this to top of /etc/pam.d/common-sessions:
>
> session required  pam_mkhomedir.so skel=/etc/skel umask=0022
>
> - I also needed to remove nscd otherwise groups were not being updated
> correctly:
>
> apt-get remove nscd
>
>
> This works fine for the *nix side of things, am having further
> difficulties getting the Samba side to work. So much so, that I'm
> considering building a new Samba member server from scratch using Samba 4
> instead of 3.
>
> Thanks,
> Chris.

Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-09 Thread Chris Alavoine
Hi Daniel,

This is what I have so far:

- /etc/nslcd.conf should look like this:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://10.30.54.2

# The search base that will be used for all queries.
base dc=test,dc=internal,dc=com

binddn cn=nslcd-service,cn=Users,dc=essence,dc=internal,dc=com
bindpw XX (commented out!)

pagesize 1000
referrals off

# users
map passwd uid sAMAccountName
map passwd gidNumber primaryGroupID
map passwd homeDirectory unixHomeDirectory

# groups
map group cn sAMAccountName
map group uniqueMember member

- Add this to top of /etc/pam.d/common-sessions:

session required  pam_mkhomedir.so skel=/etc/skel umask=0022

- I also needed to remove nscd otherwise groups were not being updated
correctly:

apt-get remove nscd


This works fine for the *nix side of things, am having further difficulties
getting the Samba side to work. So much so, that I'm considering building a
new Samba member server from scratch using Samba 4 instead of 3.

Thanks,
Chris.




On 9 July 2013 11:30, Daniel Müller  wrote:

> How about post your nslcd-config? This would be a great help for other
> users.
>
> Greetings
> Daniel


-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
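
An added example, not part of the original posts: a small linter for an nslcd.conf pointed at an AD-style directory. It reports a missing `map passwd uid` (the situation behind the "does not contain uid value" log line in this thread), lines nslcd would not recognise, and a `bindpw` simple bind sent over plain `ldap://` without StartTLS. The sample config is constructed from the ones posted in the thread with a placeholder password; the function names are hypothetical and the keyword set is a partial assumption covering only the options used here.

```python
# Partial keyword list (assumption): the nslcd.conf options used in this thread,
# plus the TLS options the transport check looks for.
KNOWN = {"uid", "gid", "uri", "base", "binddn", "bindpw", "pagesize", "referrals",
         "map", "ldap_version", "ssl", "tls_reqcert", "tls_cacertfile"}

def parse(text):
    """Split nslcd.conf text into options, attribute maps and unrecognised lines."""
    options, maps, unknown = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key = fields.pop(0).lower()
        if key not in KNOWN or (key == "map" and len(fields) != 3):
            unknown.append(line)
        elif key == "map":
            maps[(fields[0], fields[1])] = fields[2]  # (database, attribute) -> directory attribute
        else:
            options.setdefault(key, []).extend(fields)
    return options, maps, unknown

def lint(text):
    """Return a list of findings for the given nslcd.conf text."""
    options, maps, unknown = parse(text)
    findings = [f"unrecognised line: {l}" for l in unknown]
    if ("passwd", "uid") not in maps:
        findings.append("no 'map passwd uid ...': entries without a uid attribute "
                        "are rejected ('does not contain uid value')")
    cleartext = any(u.lower().startswith("ldap://") for u in options.get("uri", []))
    if "bindpw" in options and cleartext and "start_tls" not in options.get("ssl", []):
        findings.append("simple bind over ldap:// without 'ssl start_tls': "
                        "bindpw and lookups cross the network unencrypted")
    return findings

# Constructed sample based on the configs posted in the thread (placeholder password).
SAMPLE = """\
uid nslcd
gid nslcd
uri ldap://10.30.54.2
base dc=test,dc=internal,dc=com
binddn cn=nslcd-service,cn=Users,dc=essence,dc=internal,dc=com
bindpw PLACEHOLDER
mapgroup  uniqueMember member
"""
# Corrected variant: keyword split, uid mapped to sAMAccountName, StartTLS enabled.
FIXED = SAMPLE.replace("mapgroup", "map group") + "map passwd uid sAMAccountName\nssl start_tls\n"

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("FINDING:", finding)
```
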


Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-09 Thread Daniel Müller
How about post your nslcd-config? This would be a great help for other
users.

Greetings
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Chris Alavoine
Sent: Monday, 8 July 2013 19:13
To: Marc Muehlfeld
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3 member server connected to Samba 4 DC (using
nslcd)

Hi Marc,

I've had many many problems with Winbind and after a few weeks of dead-ends
I decided to switch to nslcd and everything started working very nicely, so
I haven't looked back.

I've just had a major success on getting getent passwd to work by adding
this to my nslcd.conf:

# users
map passwd uid sAMAccountName
map passwd gidNumber primaryGroupID
map passwd homeDirectory unixHomeDirectory

# groups
map group cn sAMAccountName
map group uniqueMember member

This now lets me see all users and groups via getent. Just doing some more
testing now, but I think this may be fixed.

Typical, you spend all day on something, finally decided to post on samba
lists and then fix it 5 mins later :)

Thanks for the swift reply though!

Cheers,
c:)





On 8 July 2013 18:05, Marc Muehlfeld  wrote:

> Hello Chris,
>
> On 08.07.2013 18:54, Chris Alavoine wrote:
>
>> My problem is that I have a Samba 3 member server (fileserver) that I'm
>> trying to get to work in this scenario. I've installed nslcd and
>> am using the following conf file:
>
> Why don't you use winbind on your member server?
> http://wiki.samba.org/index.php/Samba4/Domain_Member
>
>> If I then do a "getent group" I get success and can see all the groups,
>> however "getent passwd" fails and I see this in the logs:
>>
>> Jul  8 17:51:46 test-fs-001 nslcd[4587]: [8e1f29] passwd entry
>> CN=ice,CN=Users,DC=test,DC=internal,DC=com does not contain uid value
>
> Does this account have a "uid" attribute in AD?
>
> Regards,
> Marc





Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-08 Thread Marc Muehlfeld

On 08.07.2013 19:12, Chris Alavoine wrote:

> Typical, you spend all day on something, finally decided to post on samba
> lists and then fix it 5 mins later :)

Yes, I know that :-)




Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-08 Thread Chris Alavoine
Hi Marc,

I've had many many problems with Winbind and after a few weeks of dead-ends
I decided to switch to nslcd and everything started working very nicely, so
I haven't looked back.

I've just had a major success on getting getent passwd to work by adding
this to my nslcd.conf:

# users
map passwd uid sAMAccountName
map passwd gidNumber primaryGroupID
map passwd homeDirectory unixHomeDirectory

# groups
map group cn sAMAccountName
map group uniqueMember member

This now lets me see all users and groups via getent. Just doing some more
testing now, but I think this may be fixed.

Typical, you spend all day on something, finally decided to post on samba
lists and then fix it 5 mins later :)

Thanks for the swift reply though!

Cheers,
c:)





On 8 July 2013 18:05, Marc Muehlfeld  wrote:

> Hello Chris,
>
> On 08.07.2013 18:54, Chris Alavoine wrote:
>
>> My problem is that I have a Samba 3 member server (fileserver) that I'm
>> trying to get to work in this scenario. I've installed nslcd and am
>> using the following conf file:
>
> Why don't you use winbind on your member server?
> http://wiki.samba.org/index.php/Samba4/Domain_Member
>
>> If I then do a "getent group" I get success and can see all the groups,
>> however "getent passwd" fails and I see this in the logs:
>>
>> Jul  8 17:51:46 test-fs-001 nslcd[4587]: [8e1f29] passwd entry
>> CN=ice,CN=Users,DC=test,DC=internal,DC=com does not contain uid value
>
> Does this account have a "uid" attribute in AD?
>
> Regards,
> Marc





Re: [Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-08 Thread Marc Muehlfeld

Hello Chris,

On 08.07.2013 18:54, Chris Alavoine wrote:

> My problem is that I have a Samba 3 member server (fileserver) that I'm
> trying to get to work in this scenario. I've installed nslcd and am
> using the following conf file:

Why don't you use winbind on your member server?
http://wiki.samba.org/index.php/Samba4/Domain_Member

> If I then do a "getent group" I get success and can see all the groups,
> however "getent passwd" fails and I see this in the logs:
>
> Jul  8 17:51:46 test-fs-001 nslcd[4587]: [8e1f29] passwd entry
> CN=ice,CN=Users,DC=test,DC=internal,DC=com does not contain uid value

Does this account have a "uid" attribute in AD?



Regards,
Marc


[Samba] Samba 3 member server connected to Samba 4 DC (using nslcd)

2013-07-08 Thread Chris Alavoine
Hi all,

I am having a problem connecting a Samba 3 member server to my newly
created Samba 4 DC.

I am using nslcd at the Samba 4 end successfully and this has allowed me to
login using domain accounts - I've also got this working with visudo and
/etc/security/access.conf to control sudo access with groups created on the
DC. All good.

My problem is that I have a Samba 3 member server (fileserver) that I'm
trying to get to work in this scenario. I've installed nslcd and am
using the following conf file:

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://10.30.54.2

# The search base that will be used for all queries.
base dc=test,dc=internal,dc=com

# The LDAP protocol version to use.
#ldap_version 3

binddn cn=nslcd-service,cn=Users,dc=essence,dc=internal,dc=com
bindpw **


If I then do a "getent group" I get success and can see all the groups,
however "getent passwd" fails and I see this in the logs:

Jul  8 17:51:46 test-fs-001 nslcd[4587]: [8e1f29] passwd entry
CN=ice,CN=Users,DC=test,DC=internal,DC=com does not contain uid value

I've tried a few different conf attempts, but am confused why groups would
work and users wouldn't. Any help much appreciated.

Thanks,
Chris.
