Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-28 Thread steve
On Thu, 2013-06-27 at 17:28 +0400, Vladimir A Fomkin wrote:
> How do I add one parameter with ldbedit without an interactive editor? (for
> scripting)

ldbmodify

There are scripts here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
hth


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
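
An added example, not part of the original thread or of Samba's own scripts: one way to script the uidNumber change with ldbmodify by generating the LDIF change record and piping it in. The function names, the input checks and the refusal of uid 0 are assumptions of this sketch; the sam.ldb path and the steve2 DN are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive counterpart of the
# ldbedit session, using ldbmodify and a generated LDIF change record.

# sam.ldb path as used in this thread; override it through the environment.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"

# make_uid_ldif DN UIDNUMBER [add|replace]
# Prints the LDIF on stdout, returns non-zero on bad input.
# "add" fails if the entry already has a uidNumber; "replace" overwrites it.
# Assumption: the DN is plain ASCII (no base64 "dn::" encoding is produced).
make_uid_ldif() {
    dn=$1
    uid=$2
    op=${3:-add}
    nl='
'
    # A DN or value containing a newline could smuggle extra LDIF lines
    # (other attributes, other records) into the change, so reject it.
    case $dn in
        *"$nl"*) echo "DN must be a single line" >&2; return 1 ;;
        *=*) ;;
        *) echo "not a DN: $dn" >&2; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "uidNumber must be a decimal integer" >&2; return 1 ;;
        0*) echo "refusing uidNumber 0 or a leading zero" >&2; return 1 ;;
    esac
    case $op in
        add|replace) ;;
        *) echo "operation must be add or replace" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n%s: uidNumber\nuidNumber: %s\n' \
        "$dn" "$op" "$uid"
}

# set_uid_number DN UIDNUMBER [add|replace]
# Applies the change; ldbmodify reads the LDIF from stdin.
set_uid_number() {
    ldif=$(make_uid_ldif "$@") || return 1
    printf '%s\n' "$ldif" | ldbmodify --url="$SAM_LDB"
}

# Dry run: print the LDIF for the steve2 entry shown later in the thread.
make_uid_ldif 'CN=steve2,CN=Users,DC=hh3,DC=site' 321
```

To apply it on a DC, call set_uid_number with the same arguments as root.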


Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-27 Thread Vladimir A Fomkin
How do I add one parameter with ldbedit without an interactive editor? (for scripting)


2013/6/27 steve 

> On 27/06/13 13:58, Vladimir A Fomkin wrote:
>
>> Hi!
>> samba-tool doesn't work with --uid-number option!
>>
> Hi
> It only works with the development version.
>
> Why not add the uidNumber to the user using ldbedit or ldbadd?
> Steve
>



-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-27 Thread steve

On 27/06/13 13:58, Vladimir A Fomkin wrote:

> Hi!
> samba-tool doesn't work with --uid-number option!

Hi
It only works with the development version.

Why not add the uidNumber to the user using ldbedit or ldbadd?
Steve


Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-27 Thread Vladimir A Fomkin
Hi!
samba-tool doesn't work with --uid-number option!

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add repl4 --uid-number=313
Usage: samba-tool user add  [] [options]

samba-tool user add: error: no such option: --uid-number



and internal help for this command does not have this option:

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add --help
Usage: samba-tool user add  [] [options]

Create a new user.

This command creates a new user account in the Active Directory domain.  The
username specified on the command is the sAMaccountName.

User accounts may represent physical entities, such as people or may be used
as service accounts for applications.  User accounts are also referred to as
security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an
identity that can be authenticated.  To maximize security, each user should
have their own unique user account and password.  A user's access to domain
resources is based on permissions assigned to the user account.

The command may be run from the root userid or another authorized userid.  The
-H or --URL= option can be used to execute the command against a remote
server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to create a new user in the domain against a remote LDAP
server.  The -H parameter is used to specify the remote target server.  The -U
option is used to pass the userid and password authorized to issue the command
remotely.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login

Example2 shows how to create a new user in the domain against the local
server.   sudo is used so a user may run the command as root.  In this
example, after User2 is created, he/she will be forced to change their
password when they logon.

Example3:
samba-tool user add User3 passw3rd --userou=OrgUnit

Example3 shows how to create a new user in the OrgUnit organizational unit.



Options:
  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --must-change-at-next-login
                        Force password to be changed on next login
  --random-password     Generate random password
  --use-username-as-cn  Force use of username as user's CN
  --userou=USEROU       Alternative location (without domainDN counterpart) to
                        default CN=Users in which new user object will be
                        created
  --surname=SURNAME     User's surname
  --given-name=GIVEN_NAME
                        User's given name
  --initials=INITIALS   User's initials
  --profile-path=PROFILE_PATH
                        User's profile path
  --script-path=SCRIPT_PATH
                        User's logon script path
  --home-drive=HOME_DRIVE
                        User's home drive letter
  --home-directory=HOME_DIRECTORY
                        User's home directory path
  --job-title=JOB_TITLE
                        User's job title
  --department=DEPARTMENT
                        User's department
  --company=COMPANY     User's company
  --description=DESCRIPTION
                        User's description
  --mail-address=MAIL_ADDRESS
                        User's email address
  --internet-address=INTERNET_ADDRESS
                        User's home page
  --telephone-number=TELEPHONE_NUMBER
                        User's phone number
  --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE
                        User's office location

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
    --simple-bind-dn=DN
                        DN to use for a simple bind
    --password=PASSWORD
                        Password
    -U USERNAME, --username=USERNAME
                        Username
    -W WORKGROUP, --workgroup=WORKGROUP
                        Workgroup
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
    --ipaddress=IPADDRESS
                        IP address of server

  Version Options:
    -V, --version       Display version number



2013/6/26 steve 

> On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> > Hi again!
> > I configured my AD samba PDC and BDC for applying uid from uidNumber
> > line in AD LDAP.
> > But I have a problem - "uidNumber" is not created automatically. I
> > must create this for each user by hand. How to solve this problem?
> > Thx!
> >
>
> samba-tool user add vladimir --uid-number=1234567
>
> Now for your next question

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-26 Thread steve
On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> Hi again!
> I configured my AD samba PDC and BDC for applying uid from uidNumber
> line in AD LDAP.
> But I have a problem - "uidNumber" is not created automatically. I
> must create this for each user by hand. How to solve this problem?
> Thx!
> 

samba-tool user add vladimir --uid-number=1234567

Now for your next question:
How do I choose the uid-number;)

hth
Steve
 




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-26 Thread Vladimir A Fomkin
Hi again!
I configured my AD samba PDC and BDC for applying uid from uidNumber line
in AD LDAP.
But I have a problem - "uidNumber" is not created automatically. I must
create this for each user by hand. How to solve this problem?
Thx!




root@pdc:/usr/local/samba/etc# cat smb.conf
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
netbios name = PDC
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config TEST:backend = ad
idmap config TEST:schema_mode = rfc2307
idmap config TEST:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/test.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No
root@pdc:/usr/local/samba/etc#



2013/6/19 Rowland Penny 

> Hi Steve, yes I agree with you, the problem is that people still try to
> set up an S4 AD server as if it was S3, this will never work.
> What people need to realise is that an S4 AD server is for all intents and
> purposes a windows AD server clone and to set it up the same
>
> It might be easier for the OP to reprovision again and start with a blank
> slate and this time do some searching on 'how do I connect a linux client
> to a windows server'
>
> Rowland
>
>
>
> On 19 June 2013 10:54, steve  wrote:
>
>> On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
>> > The problem is that you are mixing up how samba 4 works with how samba
>> > 3 works, samba 4 winbind does not work the same as the samba 3
>> > winbind.
>> >
>> > What you need to do is give your linux users a uidNumber and groups
>> > like Domain Users a gidNumber, how you do this is up to you, it can be
>> > done from windows (ADUC?) or by using an ldif on linux, try a web
>> > search.
>> >
>> > You then need to extract this information on the linux clients, you
>> > can use winbind, but do not use the rid backend. If you do use the rid
>> > backend, whilst you will get the same UID for a user on any linux
>> > client that uses the exact same winbind settings, you will never get
>> > the same UID on the server.  Using the ad backend will get you the
>> > same UID wherever you ask for it, but in my opinion is not the way
>> > to go, try using sssd, it is a lot easier to set up.
>> >
>> >
>> > Rowland
>> >
>>
>> Hi Rowland
>> From what I can work out from the posts, the OP is trying to do this on
>> a DC. What I find difficult to get across is the idea of storing stuff
>> in AD. In cases such as these I really can't see any other way to go.
>> The OP's idmap is really screwed up. I've had a go via the DC winbind
>> and the only way I could go with this was to delete the idmap entries
>> and start again. This is in the other post about an hour or so ago, if
>> you have any easier way. . .
>> Cheers,
>> Steve
>>
>>
>>
>


-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread Rowland Penny
Hi Steve, yes I agree with you, the problem is that people still try to set
up an S4 AD server as if it was S3, this will never work.
What people need to realise is that an S4 AD server is for all intents and
purposes a windows AD server clone and to set it up the same

It might be easier for the OP to reprovision again and start with a blank
slate and this time do some searching on 'how do I connect a linux client
to a windows server'

Rowland



On 19 June 2013 10:54, steve  wrote:

> On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> > The problem is that you are mixing up how samba 4 works with how samba
> > 3 works, samba 4 winbind does not work the same as the samba 3
> > winbind.
> >
> > What you need to do is give your linux users a uidNumber and groups
> > like Domain Users a gidNumber, how you do this is up to you, it can be
> > done from windows (ADUC?) or by using an ldif on linux, try a web
> > search.
> >
> > You then need to extract this information on the linux clients, you
> > can use winbind, but do not use the rid backend. If you do use the rid
> > backend, whilst you will get the same UID for a user on any linux
> > client that uses the exact same winbind settings, you will never get
> > the same UID on the server.  Using the ad backend will get you the
> > same UID wherever you ask for it, but in my opinion is not the way
> > to go, try using sssd, it is a lot easier to set up.
> >
> >
> > Rowland
> >
>
> Hi Rowland
> From what I can work out from the posts, the OP is trying to do this on
> a DC. What I find difficult to get across is the idea of storing stuff
> in AD. In cases such as these I really can't see any other way to go.
> The OP's idmap is really screwed up. I've had a go via the DC winbind
> and the only way I could go with this was to delete the idmap entries
> and start again. This is in the other post about an hour or so ago, if
> you have any easier way. . .
> Cheers,
> Steve
>
>
>


Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread steve
On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> The problem is that you are mixing up how samba 4 works with how samba
> 3 works, samba 4 winbind does not work the same as the samba 3
> winbind.
> 
> What you need to do is give your linux users a uidNumber and groups
> like Domain Users a gidNumber, how you do this is up to you, it can be
> done from windows (ADUC?) or by using an ldif on linux, try a web
> search.
> 
> You then need to extract this information on the linux clients, you
> can use winbind, but do not use the rid backend. If you do use the rid
> backend, whilst you will get the same UID for a user on any linux
> client that uses the exact same winbind settings, you will never get
> the same UID on the server.  Using the ad backend will get you the
> same UID wherever you ask for it, but in my opinion is not the way
> to go, try using sssd, it is a lot easier to set up.
> 
> 
> Rowland
> 

Hi Rowland
From what I can work out from the posts, the OP is trying to do this on
a DC. What I find difficult to get across is the idea of storing stuff
in AD. In cases such as these I really can't see any other way to go.
The OP's idmap is really screwed up. I've had a go via the DC winbind
and the only way I could go with this was to delete the idmap entries
and start again. This is in the other post about an hour or so ago, if
you have any easier way. . .
Cheers,
Steve




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread steve
On Wed, 2013-06-19 at 12:59 +0400, Vladimir A Fomkin wrote:
> Hi!
> 
> I tried to change the idmap backend from tdb to rid and set up the idmap
> range, but samba uses the old type of UIDs.
> What am I doing wrong?
> 
> 
> [global]
> workgroup = TEST
> realm = test.local
> netbios name = BDC-SAMBA
> server role = active directory domain controller
> dns forwarder = 192.168.1.102
> idmap config TEST:backend = rid
> idmap config TEST:range = 400 - 500
> idmap config TEST:schema_mode = rfc2307
> idmap config *:backend = rid
> 
> 
Change to this:
[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = Yes

> 
> 
> 
> root@bdc-samba:~# /usr/local/samba/bin/testparm
> -sv /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> passdb backend = samba_dsdb
> idmap backend = tdb
> share backend = 
> idmap config TEST:backend = rid
> idmap config * : backend = rid
> root@bdc-samba:~# 
> 
> 
> 
> 
> 2013/6/17 Vladimir A Fomkin 
> Hi!
> 
> root@debian-samba4:/usr/local/samba/private# 
> /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep 
> tester4
> sAMAccountName: tester4
> userPrincipalName: tester4@test.local
> root@debian-samba4:/usr/local/samba/private#
> 
> 
> 
> And I found where the UID is saved - /usr/local/samba/bin/ldbedit
> --url=/usr/local/samba/private/idmap.ldb
> On PDC it shows (cut):
> 
> # record 7
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 323
> distinguishedName:
> CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> 
> 
> On BDC it shows (cut):
> # record 5
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 320
> distinguishedName:
> CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> 
> 
> 
> SID is the same, but the UID is different!
> 

Good. Now delete the whole of BOTH these entries:
ldbedit --url=/usr/local/samba/private/idmap.ldb

Now delete tester4:
samba-tool user delete tester4

Now add the user tester4:
samba-tool user add tester4

wbinfo -i tester4
(I don't have tester4 so I'll use steve2 as an example)

 wbinfo -i steve2
HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Note the uid 321

Now, we add
uidNumber: 321
to AD:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2
# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 13014919621000
userAccountControl: 66048
accountExpires: 0
uidNumber: 321


Now:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and edit /etc/nsswitch.conf

passwd:  files winbind
group:   files winbind

Test it:
getent passwd steve2 
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash  

login as steve2 and create a file:
su steve2
touch /tmp/somefile
ls -l somefile
-rw-r--r-- 1 steve2 Domain Users 0 Jun 19 11:41 somefile

HTH
Steve
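
An added example, not part of the original message: a check that finds every SID whose xidNumber differs between two idmap.ldb dumps, which is the mismatch (323 on the PDC, 320 on the BDC) quoted above. The function names and the dump file layout are assumptions of this sketch; the -1110 record is taken from the thread, the -1105 and -1111 records are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread): compare idmap.ldb dumps from two DCs,
# e.g. produced on each DC with
#   ldbsearch --url=/usr/local/samba/private/idmap.ldb > pdc.ldif

# idmap_pairs FILE: print "SID xidNumber" for each record, sorted by SID.
# Records without an objectSid or xidNumber are skipped.
idmap_pairs() {
    awk '
        function flush() {
            if (sid != "" && xid != "") print sid, xid
            sid = ""; xid = ""
        }
        /^dn:/        { flush() }      # a new record starts
        /^objectSid:/ { sid = $2 }
        /^xidNumber:/ { xid = $2 }
        END           { flush() }
    ' "$1" | LC_ALL=C sort
}

# idmap_mismatches FILE_A FILE_B: print "SID xid_in_A xid_in_B" for every SID
# present in both dumps with a different xidNumber.
idmap_mismatches() {
    left=$(mktemp) right=$(mktemp)
    idmap_pairs "$1" > "$left"
    idmap_pairs "$2" > "$right"
    LC_ALL=C join "$left" "$right" | awk '$2 != $3'
    rm -f "$left" "$right"
}

# Demo on embedded sample dumps.
demo() {
    pdc=$(mktemp) bdc=$(mktemp)
    cat > "$pdc" <<'EOF'
# record 6 (constructed)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1105
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1105
type: ID_TYPE_BOTH
xidNumber: 318

# record 7 (from the thread)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 323

# record 8 (constructed, exists on this DC only)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1111
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1111
type: ID_TYPE_BOTH
xidNumber: 324
EOF
    cat > "$bdc" <<'EOF'
# record 4 (constructed)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1105
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1105
type: ID_TYPE_BOTH
xidNumber: 318

# record 5 (from the thread)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 320
EOF
    idmap_mismatches "$pdc" "$bdc"
    rm -f "$pdc" "$bdc"
}

demo
```

An empty result means both DCs map every shared SID to the same ID; any line printed is an account whose files would be owned by a different uid depending on which DC answered.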

 



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread Rowland Penny
The problem is that you are mixing up how samba 4 works with how samba 3
works, samba 4 winbind does not work the same as the samba 3 winbind.
What you need to do is give your linux users a uidNumber and groups like
Domain Users a gidNumber, how you do this is up to you, it can be done from
windows (ADUC?) or by using an ldif on linux, try a web search.
You then need to extract this information on the linux clients, you can use
winbind, but do not use the rid backend. If you do use the rid backend,
whilst you will get the same UID for a user on any linux client that uses
the exact same winbind settings, you will never get the same UID on the
server.  Using the ad backend will get you the same UID wherever you ask
for it, but in my opinion is not the way to go, try using sssd, it is a lot
easier to set up.

Rowland


On 19 June 2013 09:59, Vladimir A Fomkin  wrote:

> Hi!
> I tried to change the idmap backend from tdb to rid and set up the idmap
> range, but samba uses the old type of UIDs.
> What am I doing wrong?
>
>
> [global]
> workgroup = TEST
> realm = test.local
> netbios name = BDC-SAMBA
> server role = active directory domain controller
> dns forwarder = 192.168.1.102
> idmap config TEST:backend = rid
> idmap config TEST:range = 400 - 500
> idmap config TEST:schema_mode = rfc2307
> idmap config *:backend = rid
>
>
>
>
>
> root@bdc-samba:~# /usr/local/samba/bin/testparm -sv
> /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
> passdb backend = samba_dsdb
> idmap backend = tdb
> share backend =
> idmap config TEST:backend = rid
> idmap config * : backend = rid
> root@bdc-samba:~#
>
>
>
> 2013/6/17 Vladimir A Fomkin 
>
> > Hi!
> >
> > root@debian-samba4:/usr/local/samba/private#
> > /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb |
> > grep tester4
> > sAMAccountName: tester4
> > userPrincipalName: tester4@test.local
> > root@debian-samba4:/usr/local/samba/private#
> >
> >
> > And I found where the UID is saved - /usr/local/samba/bin/ldbedit
> > --url=/usr/local/samba/private/idmap.ldb
> > On PDC it shows (cut):
> > # record 7
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 323
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > On BDC it shows (cut):
> > # record 5
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 320
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> >
> >
> > SID is the same, but the UID is different!
> >
> >
> >
> > 2013/6/17 steve 
> >
> >> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> >> > HI!
> >> > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> >> > New Password:
> >> > Retype Password:
> >> > ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> >> > (sAMAccountName) 'tester4' already in use!
> >> > root@bdc-samba:~#
> >>
> >>
> >> Hi
> >> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Best regards,
> > Фомкин Владимир Андреевич
> > ICQ:220967838
> > Skype:vladimir.fomkin
> > http://vaf.net.ru
> >
>
>
>
> --
> Best regards,
> Фомкин Владимир Андреевич
> ICQ:220967838
> Skype:vladimir.fomkin
> http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-19 Thread Vladimir A Fomkin
Hi!
I tried to change the idmap backend from tdb to rid and set up the idmap
range, but samba uses the old type of UIDs.
What am I doing wrong?


[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap config TEST:backend = rid
idmap config TEST:range = 400 - 500
idmap config TEST:schema_mode = rfc2307
idmap config *:backend = rid





root@bdc-samba:~# /usr/local/samba/bin/testparm -sv
/usr/local/samba/etc/smb.conf | grep backend
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
passdb backend = samba_dsdb
idmap backend = tdb
share backend =
idmap config TEST:backend = rid
idmap config * : backend = rid
root@bdc-samba:~#



2013/6/17 Vladimir A Fomkin 

> Hi!
>
> root@debian-samba4:/usr/local/samba/private#
> /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb |
> grep tester4
> sAMAccountName: tester4
> userPrincipalName: tester4@test.local
> root@debian-samba4:/usr/local/samba/private#
>
>
> And I found where the UID is saved - /usr/local/samba/bin/ldbedit
> --url=/usr/local/samba/private/idmap.ldb
> On PDC it shows (cut):
> # record 7
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 323
> distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>
> On BDC it shows (cut):
> # record 5
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 320
> distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>
>
>
> SID is the same, but the UID is different!
>
>
>
> 2013/6/17 steve 
>
>> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
>> > HI!
>> > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
>> > New Password:
>> > Retype Password:
>> > ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
>> > (sAMAccountName) 'tester4' already in use!
>> > root@bdc-samba:~#
>>
>>
>> Hi
>> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
>>
>>
>>
>>
>
>
> --
> Best regards,
> Фомкин Владимир Андреевич
> ICQ:220967838
> Skype:vladimir.fomkin
> http://vaf.net.ru
>



-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread Vladimir A Fomkin
Hi!

root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch
--url=/usr/local/samba/private/sam.ldb | grep tester4
sAMAccountName: tester4
userPrincipalName: tester4@test.local
root@debian-samba4:/usr/local/samba/private#


And I found where the UID is saved - /usr/local/samba/bin/ldbedit
--url=/usr/local/samba/private/idmap.ldb
On PDC it shows (cut):
# record 7
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 323
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

On BDC it shows (cut):
# record 5
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 320
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110



SID is the same, but the UID is different!



2013/6/17 steve 

> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> > HI!
> > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> > New Password:
> > Retype Password:
> > ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> > (sAMAccountName) 'tester4' already in use!
> > root@bdc-samba:~#
>
>
> Hi
> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
>
>
>
>


-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password: 
> Retype Password: 
> ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~# 


Hi
ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4





Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread Vladimir A Fomkin
Hi!
All users created from windows exist here!

root@bdc-samba:~# /usr/local/samba/bin/samba-tool user list
tester4
vaf
tester
tester2
tester3
Administrator
krbtgt
Guest
root@bdc-samba:~#



2013/6/17 Vladimir A Fomkin 

> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password:
> Retype Password:
> ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
> (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~#
>
>
>
> 2013/6/17 steve 
>
>> Hi
>> Just try adding the user anyway and let's see what happens:
>>
>> samba-rool user add tester4
>>
>>
>
>
> --
> Best regards,
> Фомкин Владимир Андреевич
> ICQ:220967838
> Skype:vladimir.fomkin
> http://vaf.net.ru
>



-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread Vladimir A Fomkin
HI!
root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
New Password:
Retype Password:
ERROR(ldb): Failed to add user 'tester4':  - samldb: Account name
(sAMAccountName) 'tester4' already in use!
root@bdc-samba:~#



2013/6/17 steve 

> Hi
> Just try adding the user anyway and let's see what happens:
>
> samba-rool user add tester4
>
>


-- 
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
On Mon, 2013-06-17 at 12:27 +0200, steve wrote:
> Hi
> Just try adding the user anyway and let's see what happens:
> 
> samba-rool user add tester4
> 

*
samba-tool
sorry




Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve
Hi
Just try adding the user anyway and let's see what happens:

samba-rool user add tester4



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-17 Thread steve

On 17/06/13 08:57, Vladimir A Fomkin wrote:

> Good day!
> What is "DN"?
>
>> Hi
>> Make sure that you have the rfc2307 line in both the DC's. Add:
>> uidNumber: 322
>> to the DN of the user on one of the DC's. Wait a few minutes. Now
>> create a file. It will have uid 322 no matter which DC is consulted.
>> HTH
>> Steve


Hi
DN is ldap for Distinguished Name

e.g. a user could have an entry in the directory:
 dn: CN=vladimir, CN=Users,DC=samba,DC=com

just add:
 uidNumber: 322
somewhere for that user. The easiest way to do that so that you can 
understand what's happening, is to add it like this:


ldbedit --url=/usr/local/samba/private/sam.ldb CN=vladimir

That will use vi. If you don't know vi, use your favourite editor (e.g. 
let's say it's called 'yfe') instead:


ldbedit -e yfe --url=/usr/local/samba/private/sam.ldb CN=vladimir

HTH
Steve



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-16 Thread Vladimir A Fomkin
Good day!
What is "DN"?

smb.conf on PDC:
root@debian-samba4:/usr/local/samba/etc# cat smb.conf
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
netbios name = DEBIAN-SAMBA4
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/test.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No
root@debian-samba4:/usr/local/samba/etc#

smb.conf on BDC:
root@bdc-samba:/usr/local/samba/etc# cat ./smb.conf
# Global parameters
[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/test.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No
root@bdc-samba:/usr/local/samba/etc#



2013/6/14 steve 

> On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> > Hello Marc!
> > Thank you for the response!
> > I added this string to smb.conf on the PDC and BDC, but after sync the BDC
> > again does not give access. I see the UID for files created for one user
> > via the PDC - 322, and via the BDC - 319
>
> Hi
> Make sure that you have the rfc2307 line in both the DCs. Add:
> uidNumber: 322
> to the DN of the user on one of the DCs. Wait a few minutes. Now
> create a file. It will have uid 322 no matter which DC is consulted.
> HTH
> Steve



-- 
Best regards,
Vladimir Andreevich Fomkin
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-14 Thread steve
On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> Hello Marc!
> Thank you for the response!
> I added this string to smb.conf on the PDC and BDC, but after sync the BDC
> again does not give access. I see the UID for files created for one user
> via the PDC - 322, and via the BDC - 319

Hi
Make sure that you have the rfc2307 line in both the DCs. Add:
uidNumber: 322
to the DN of the user on one of the DCs. Wait a few minutes. Now
create a file. It will have uid 322 no matter which DC is consulted.
HTH
Steve
 



Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-14 Thread Vladimir A Fomkin
Hello Marc!
Thank you for the response!
I added this string to smb.conf on the PDC and BDC, but after sync the BDC
again does not give access. I see the UID for files created for one user
via the PDC - 322, and via the BDC - 319


2013/6/14 Marc Muehlfeld 

> Hello Vladimir,
>
> On 14.06.2013 14:18, Vladimir A Fomkin wrote:
>
>> On the PDC server, a network folder for portable user profiles has been
>> created and synchronized to the BDC through csync2. My problem is that
>> the same user names have different UIDs on the PDC and the BDC, and
>> users cannot access their network profile on the BDC.
>>
>
> Do the users have uidNumbers in AD? Try
> idmap_ldb:use rfc2307 = yes
> in your smb.conf
>
>
> Regards,
> Marc
>
>


-- 
Best regards,
Vladimir Andreevich Fomkin
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Re: [Samba] The problem with setting up AD domain to Samba 4

2013-06-14 Thread Marc Muehlfeld

Hello Vladimir,

On 14.06.2013 14:18, Vladimir A Fomkin wrote:

> On the PDC server, a network folder for portable user profiles has been
> created and synchronized to the BDC through csync2. My problem is that
> the same user names have different UIDs on the PDC and the BDC, and
> users cannot access their network profile on the BDC.


Do the users have uidNumbers in AD? Try
idmap_ldb:use rfc2307 = yes
in your smb.conf


Regards,
Marc



[Samba] The problem with setting up AD domain to Samba 4

2013-06-14 Thread Vladimir A Fomkin
Good day!
I set up AD domain controllers (PDC and BDC) with Samba 4 on Debian Wheezy.
I took a configuration from the examples. After setting up the PDC I
configured a second controller (BDC) and connected it to the domain. On the
PDC server, a network folder for portable user profiles has been created and
synchronized to the BDC through csync2. My problem is that the same user
names have different UIDs on the PDC and the BDC, and users cannot access
their network profile on the BDC.
Please help me deal with the problem!




