Re: [Samba] The problem with setting up AD domain to Samba 4
On Thu, 2013-06-27 at 17:28 +0400, Vladimir A Fomkin wrote:
> How add one parameter by ldbedit without interactive editor? (for scripting)

ldbmodify

There are scripts here: http://linuxcostablanca.blogspot.com.es/p/s4bind.html

hth

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
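A scripted form of the ldbmodify suggestion in the reply above, as an added example that is not part of the original thread: it builds an LDIF modify record that sets uidNumber on a user's DN and pipes it to ldbmodify. The function names, the sample DN and the UID_MIN/UID_MAX bounds are assumptions; the sam.ldb path is the one used in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: set uidNumber without an interactive editor.
SAM_LDB=${SAM_LDB:-/usr/local/samba/private/sam.ldb}   # path used in the thread
UID_MIN=${UID_MIN:-1}            # assumed bounds; set them to your own id range
UID_MAX=${UID_MAX:-2147483647}

# make_uid_ldif DN UIDNUMBER [add|replace]
# Prints an LDIF modify record on stdout; returns 1 on input that is unsafe
# to place in LDIF or that would map the account to an unintended uid.
make_uid_ldif() {
    mul_dn=$1 mul_uid=$2 mul_op=${3:-add}

    # Decimal digits only and no leading zero (this also refuses uid 0, root),
    # short enough for the integer comparison below.
    case $mul_uid in
        ''|0*|*[!0-9]*) echo "bad uidNumber: $mul_uid" >&2; return 1 ;;
    esac
    [ "${#mul_uid}" -le 10 ] || { echo "uidNumber too long" >&2; return 1; }
    if [ "$mul_uid" -lt "$UID_MIN" ] || [ "$mul_uid" -gt "$UID_MAX" ]; then
        echo "uidNumber $mul_uid outside $UID_MIN-$UID_MAX" >&2; return 1
    fi

    # "add" fails if the attribute already exists; "replace" overwrites it.
    case $mul_op in
        add|replace) ;;
        *) echo "bad operation: $mul_op" >&2; return 1 ;;
    esac

    # The DN is written as a plain (not base64) LDIF value, so it must look
    # like "attr=...", must not end in a space, and must be printable ASCII.
    # A newline inside it would otherwise inject extra LDIF lines.
    case $mul_dn in
        *' ') echo "DN ends in a space" >&2; return 1 ;;
        [A-Za-z]*=*) ;;
        *) echo "not a DN: $mul_dn" >&2; return 1 ;;
    esac
    mul_rest=$(printf '%s' "$mul_dn" | LC_ALL=C tr -d ' -~' | wc -c)
    [ "$mul_rest" -eq 0 ] || { echo "DN has non-printable bytes" >&2; return 1; }

    printf 'dn: %s\nchangetype: modify\n%s: uidNumber\nuidNumber: %s\n' \
        "$mul_dn" "$mul_op" "$mul_uid"
}

# set_uid_number DN UIDNUMBER [add|replace]
# Builds the record and applies it; ldbmodify reads LDIF from standard input.
set_uid_number() {
    sun_ldif=$(make_uid_ldif "$@") || return 1
    printf '%s\n' "$sun_ldif" | ldbmodify --url="$SAM_LDB"
}

# Demo on a constructed DN: prints the record only and touches no database.
make_uid_ldif 'CN=vladimir,CN=Users,DC=test,DC=local' 322
```

Run `set_uid_number` on one DC only; the attribute lives in the directory, so it reaches the other DC through replication.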
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi!

samba-tool don't work with --uid-number option!

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add repl4 --uid-number=313
Usage: samba-tool user add username [password] [options]

samba-tool user add: error: no such option: --uid-number

and internal help for this command does not have this option:

root@bdc:/usr/local/samba/var/profiles# ../../bin/samba-tool user add --help
Usage: samba-tool user add username [password] [options]

Create a new user.

This command creates a new user account in the Active Directory domain. The username specified on the command is the sAMaccountName.

User accounts may represent physical entities, such as people or may be used as service accounts for applications. User accounts are also referred to as security principals and are assigned a security identifier (SID).

A user account enables a user to logon to a computer and domain with an identity that can be authenticated. To maximize security, each user should have their own unique user account and password. A user's access to domain resources is based on permissions assigned to the user account.

The command may be run from the root userid or another authorized userid. The -H or --URL= option can be used to execute the command against a remote server.

Example1:
samba-tool user add User1 passw0rd --given-name=John --surname=Smith --must-change-at-next-login -H ldap://samba.samdom.example.com -Uadministrator%passw1rd

Example1 shows how to create a new user in the domain against a remote LDAP server. The -H parameter is used to specify the remote target server. The -U option is used to pass the userid and password authorized to issue the command remotely.

Example2:
sudo samba-tool user add User2 passw2rd --given-name=Jane --surname=Doe --must-change-at-next-login

Example2 shows how to create a new user in the domain against the local server. sudo is used so a user may run the command as root. In this example, after User2 is created, he/she will be forced to change their password when they logon.

Example3:
samba-tool user add User3 passw3rd --userou=OrgUnit

Example3 shows how to create a new user in the OrgUnit organizational unit.

Options:
  -h, --help  show this help message and exit
  -H URL, --URL=URL  LDB URL for database or target server
  --must-change-at-next-login  Force password to be changed on next login
  --random-password  Generate random password
  --use-username-as-cn  Force use of username as user's CN
  --userou=USEROU  Alternative location (without domainDN counterpart) to default CN=Users in which new user object will be created
  --surname=SURNAME  User's surname
  --given-name=GIVEN_NAME  User's given name
  --initials=INITIALS  User's initials
  --profile-path=PROFILE_PATH  User's profile path
  --script-path=SCRIPT_PATH  User's logon script path
  --home-drive=HOME_DRIVE  User's home drive letter
  --home-directory=HOME_DIRECTORY  User's home directory path
  --job-title=JOB_TITLE  User's job title
  --department=DEPARTMENT  User's department
  --company=COMPANY  User's company
  --description=DESCRIPTION  User's description
  --mail-address=MAIL_ADDRESS  User's email address
  --internet-address=INTERNET_ADDRESS  User's home page
  --telephone-number=TELEPHONE_NUMBER  User's phone number
  --physical-delivery-office=PHYSICAL_DELIVERY_OFFICE  User's office location

Samba Common Options:
  -s FILE, --configfile=FILE  Configuration file
  -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL  debug level
  --option=OPTION  set smb.conf option from command line
  --realm=REALM  set the realm name

Credentials Options:
  --simple-bind-dn=DN  DN to use for a simple bind
  --password=PASSWORD  Password
  -U USERNAME, --username=USERNAME  Username
  -W WORKGROUP, --workgroup=WORKGROUP  Workgroup
  -N, --no-pass  Don't ask for a password
  -k KERBEROS, --kerberos=KERBEROS  Use Kerberos
  --ipaddress=IPADDRESS  IP address of server

Version Options:
  -V, --version  Display version number

2013/6/26 steve st...@steve-ss.com

> On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> > Hi again! I configured my AD samba PDC and BDC for applying uid from uidNumber line in AD LDAP. But I have a problem - uidNumber is not a creating automatically. I must create this for each user by hands. How to solve this problem? Thx!
>
> samba-tool user add vladimir
Re: [Samba] The problem with setting up AD domain to Samba 4
On 27/06/13 13:58, Vladimir A Fomkin wrote:
> Hi! samba-tool don't work with --uid-number option!

Hi
It only works with the development version. Why not add the uidNumber to the user using ldbedit or ldbadd?
Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
How add one parameter by ldbedit without interactive editor? (for scripting)

2013/6/27 steve st...@steve-ss.com

> On 27/06/13 13:58, Vladimir A Fomkin wrote:
> > Hi! samba-tool don't work with --uid-number option!
>
> Hi
> It only works with the development version. Why not add the uidNumber to the user using ldbedit or ldbadd?
> Steve

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi again!

I configured my AD samba PDC and BDC for applying uid from uidNumber line in AD LDAP. But I have a problem - uidNumber is not a creating automatically. I must create this for each user by hands. How to solve this problem? Thx!

root@pdc:/usr/local/samba/etc# cat smb.conf
# Global parameters
[global]
    workgroup = TEST
    realm = TEST.LOCAL
    netbios name = PDC
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap_ldb:use rfc2307 = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-8
    idmap config TEST:backend = ad
    idmap config TEST:schema_mode = rfc2307
    idmap config TEST:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/test.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[profiles]
    path = /usr/local/samba/var/profiles
    read only = No
root@pdc:/usr/local/samba/etc#

2013/6/19 Rowland Penny rowlandpe...@googlemail.com

> Hi Steve, yes I agree with you, the problem is that people still try to set up an S4 AD server as if it was S3, this will never work. What people need to realise is that an S4 AD server is for all intents and purposes a windows AD server clone and to set it up the same.
>
> It might be easier for the OP to reprovision again and start with a blank slate and this time do some searching on 'how do I connect a linux client to a windows server'
>
> Rowland
>
> On 19 June 2013 10:54, steve st...@steve-ss.com wrote:
> > On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> > > The problem is that you are mixing up how samba 4 works with how samba 3 works, samba 4 winbind does not work the same as the samba 3 winbind. What you need to do is give your linux users a uidNumber and groups like Domain Users a gidNumber, how you do this is up to you, it can be done from windows (ADUC?) or by using an ldif on linux, try a web search.
> > >
> > > You then need to extract this information on the linux clients, you can use winbind, but do not use the rid backend. If you do use the rid backend, whilst you will get the same UID for a user on any linux client that uses the exact same winbind settings, you will never get the same UID on the server. Using the ad backend will get you the same UID wherever you ask for it, but in my opinion is not the way to go, try using sssd, it is a lot easier to set up.
> > >
> > > Rowland
> >
> > Hi Rowland
> > From what I can work out from the posts, the OP is trying to do this on a DC. What I find difficult to get across is the idea of storing stuff in AD. In cases such as these I really can't see any other way to go. The OP's idmap is really screwed up. I've had a go via the DC winbind and the only way I could go with this was to delete the idmap entries and start again. This is in the other post about an hour or so ago, if you have any easier way. . .
> > Cheers,
> > Steve

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
On Wed, 2013-06-26 at 15:06 +0400, Vladimir A Fomkin wrote:
> Hi again! I configured my AD samba PDC and BDC for applying uid from uidNumber line in AD LDAP. But I have a problem - uidNumber is not a creating automatically. I must create this for each user by hands. How to solve this problem? Thx!

samba-tool user add vladimir --uid-number=1234567

Now for your next question: How do I choose the uid-number;)

hth
Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi!

I tried to change idmap backend from tdb to rid and setting up idmap range, but samba uses old type of UIDs. What am I doing wrong?

[global]
    workgroup = TEST
    realm = test.local
    netbios name = BDC-SAMBA
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap config TEST:backend = rid
    idmap config TEST:range = 400 - 500
    idmap config TEST:schema_mode = rfc2307
    idmap config *:backend = rid

root@bdc-samba:~# /usr/local/samba/bin/testparm -sv /usr/local/samba/etc/smb.conf | grep backend
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Processing section [profiles]
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
    passdb backend = samba_dsdb
    idmap backend = tdb
    share backend =
    idmap config TEST:backend = rid
    idmap config * : backend = rid
root@bdc-samba:~#

2013/6/17 Vladimir A Fomkin v...@vaf.net.ru

> Hi!
>
> root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
> sAMAccountName: tester4
> userPrincipalName: tester4@test.local
> root@debian-samba4:/usr/local/samba/private#
>
> And I found there UID is saved - /usr/local/samba/bin/ldbedit --url=/usr/local/samba/private/idmap.ldb
>
> On PDC shows (cut):
> # record 7
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 323
> distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>
> On BDC shows (cut):
> # record 5
> dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> objectClass: sidMap
> objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> type: ID_TYPE_BOTH
> xidNumber: 320
> distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
>
> SID is the same, but the UID is different!
>
> 2013/6/17 steve st...@steve-ss.com
> > On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> > > HI!
> > > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> > > New Password:
> > > Retype Password:
> > > ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
> > > root@bdc-samba:~#
> >
> > Hi
> > ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
The problem is that you are mixing up how samba 4 works with how samba 3 works, samba 4 winbind does not work the same as the samba 3 winbind. What you need to do is give your linux users a uidNumber and groups like Domain Users a gidNumber, how you do this is up to you, it can be done from windows (ADUC?) or by using an ldif on linux, try a web search.

You then need to extract this information on the linux clients, you can use winbind, but do not use the rid backend. If you do use the rid backend, whilst you will get the same UID for a user on any linux client that uses the exact same winbind settings, you will never get the same UID on the server. Using the ad backend will get you the same UID wherever you ask for it, but in my opinion is not the way to go, try using sssd, it is a lot easier to set up.

Rowland

On 19 June 2013 09:59, Vladimir A Fomkin v...@vaf.net.ru wrote:

> Hi!
>
> I tried to change idmap backend from tdb to rid and setting up idmap range, but samba uses old type of UIDs. What am I doing wrong?
>
> [global]
>     workgroup = TEST
>     realm = test.local
>     netbios name = BDC-SAMBA
>     server role = active directory domain controller
>     dns forwarder = 192.168.1.102
>     idmap config TEST:backend = rid
>     idmap config TEST:range = 400 - 500
>     idmap config TEST:schema_mode = rfc2307
>     idmap config *:backend = rid
>
> root@bdc-samba:~# /usr/local/samba/bin/testparm -sv /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section [netlogon]
> Processing section [sysvol]
> Processing section [profiles]
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>     passdb backend = samba_dsdb
>     idmap backend = tdb
>     share backend =
>     idmap config TEST:backend = rid
>     idmap config * : backend = rid
> root@bdc-samba:~#
>
> 2013/6/17 Vladimir A Fomkin v...@vaf.net.ru
> > Hi!
> >
> > root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
> > sAMAccountName: tester4
> > userPrincipalName: tester4@test.local
> > root@debian-samba4:/usr/local/samba/private#
> >
> > And I found there UID is saved - /usr/local/samba/bin/ldbedit --url=/usr/local/samba/private/idmap.ldb
> >
> > On PDC shows (cut):
> > # record 7
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 323
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > On BDC shows (cut):
> > # record 5
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 320
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > SID is the same, but the UID is different!
> >
> > 2013/6/17 steve st...@steve-ss.com
> > > On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> > > > HI!
> > > > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> > > > New Password:
> > > > Retype Password:
> > > > ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
> > > > root@bdc-samba:~#
> > >
> > > Hi
> > > ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
>
> --
> Best regards, Vladimir Andreevich Fomkin
> ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
On Wed, 2013-06-19 at 12:59 +0400, Vladimir A Fomkin wrote:
> Hi!
>
> I tried to change idmap backend from tdb to rid and setting up idmap range, but samba uses old type of UIDs. What am I doing wrong?
>
> [global]
>     workgroup = TEST
>     realm = test.local
>     netbios name = BDC-SAMBA
>     server role = active directory domain controller
>     dns forwarder = 192.168.1.102
>     idmap config TEST:backend = rid
>     idmap config TEST:range = 400 - 500
>     idmap config TEST:schema_mode = rfc2307
>     idmap config *:backend = rid

Change to this:

[global]
    workgroup = TEST
    realm = test.local
    netbios name = BDC-SAMBA
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap_ldb:use rfc2307 = Yes

> root@bdc-samba:~# /usr/local/samba/bin/testparm -sv /usr/local/samba/etc/smb.conf | grep backend
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section [netlogon]
> Processing section [sysvol]
> Processing section [profiles]
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>     passdb backend = samba_dsdb
>     idmap backend = tdb
>     share backend =
>     idmap config TEST:backend = rid
>     idmap config * : backend = rid
> root@bdc-samba:~#
>
> 2013/6/17 Vladimir A Fomkin v...@vaf.net.ru
> > Hi!
> >
> > root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
> > sAMAccountName: tester4
> > userPrincipalName: tester4@test.local
> > root@debian-samba4:/usr/local/samba/private#
> >
> > And I found there UID is saved - /usr/local/samba/bin/ldbedit --url=/usr/local/samba/private/idmap.ldb
> >
> > On PDC shows (cut):
> > # record 7
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 323
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > On BDC shows (cut):
> > # record 5
> > dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> > cn: S-1-5-21-3451120384-2816699473-3647757164-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 320
> > distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
> >
> > SID is the same, but the UID is different!

Good. Now delete the whole of BOTH these entries:

ldbedit --url=/usr/local/samba/private/idmap.ldb

Now delete tester4:

samba-tool user delete tester4

Now add the user tester4:

samba-tool user add tester4
wbinfo -i tester4

(I don't have tester4 so I'll use steve2 as an example)

wbinfo -i steve2
HH3\steve2:*:321:20513::/home/HH3/steve2:/bin/false

Note the uid 321

Now, we add uidNumber: 321 to AD:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2

# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 13014919621000
userAccountControl: 66048
accountExpires: 0
uidNumber: 321
snip

Now:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and edit /etc/nsswitch.conf

passwd: files winbind
group: files winbind

Test it:

getent passwd steve2
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash

login as steve2 and create a file:

su steve2
touch /tmp/somefile
ls -l somefile
-rw-r--r-- 1 steve2 Domain Users 0 Jun 19 11:41 somefile

HTH
Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> The problem is that you are mixing up how samba 4 works with how samba 3 works, samba 4 winbind does not work the same as the samba 3 winbind. What you need to do is give your linux users a uidNumber and groups like Domain Users a gidNumber, how you do this is up to you, it can be done from windows (ADUC?) or by using an ldif on linux, try a web search.
>
> You then need to extract this information on the linux clients, you can use winbind, but do not use the rid backend. If you do use the rid backend, whilst you will get the same UID for a user on any linux client that uses the exact same winbind settings, you will never get the same UID on the server. Using the ad backend will get you the same UID wherever you ask for it, but in my opinion is not the way to go, try using sssd, it is a lot easier to set up.
>
> Rowland

Hi Rowland
From what I can work out from the posts, the OP is trying to do this on a DC. What I find difficult to get across is the idea of storing stuff in AD. In cases such as these I really can't see any other way to go. The OP's idmap is really screwed up. I've had a go via the DC winbind and the only way I could go with this was to delete the idmap entries and start again. This is in the other post about an hour or so ago, if you have any easier way. . .
Cheers,
Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi Steve, yes I agree with you, the problem is that people still try to set up an S4 AD server as if it was S3, this will never work. What people need to realise is that an S4 AD server is for all intents and purposes a windows AD server clone and to set it up the same.

It might be easier for the OP to reprovision again and start with a blank slate and this time do some searching on 'how do I connect a linux client to a windows server'

Rowland

On 19 June 2013 10:54, steve st...@steve-ss.com wrote:

> On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> > The problem is that you are mixing up how samba 4 works with how samba 3 works, samba 4 winbind does not work the same as the samba 3 winbind. What you need to do is give your linux users a uidNumber and groups like Domain Users a gidNumber, how you do this is up to you, it can be done from windows (ADUC?) or by using an ldif on linux, try a web search.
> >
> > You then need to extract this information on the linux clients, you can use winbind, but do not use the rid backend. If you do use the rid backend, whilst you will get the same UID for a user on any linux client that uses the exact same winbind settings, you will never get the same UID on the server. Using the ad backend will get you the same UID wherever you ask for it, but in my opinion is not the way to go, try using sssd, it is a lot easier to set up.
> >
> > Rowland
>
> Hi Rowland
> From what I can work out from the posts, the OP is trying to do this on a DC. What I find difficult to get across is the idea of storing stuff in AD. In cases such as these I really can't see any other way to go. The OP's idmap is really screwed up. I've had a go via the DC winbind and the only way I could go with this was to delete the idmap entries and start again. This is in the other post about an hour or so ago, if you have any easier way. . .
> Cheers,
> Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
Good day!

What is DN?

smb.conf on PDC:

root@debian-samba4:/usr/local/samba/etc# cat smb.conf
# Global parameters
[global]
    workgroup = TEST
    realm = TEST.LOCAL
    netbios name = DEBIAN-SAMBA4
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/test.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[profiles]
    path = /usr/local/samba/var/profiles
    read only = No
root@debian-samba4:/usr/local/samba/etc#

smb.conf on BDC:

root@bdc-samba:/usr/local/samba/etc# cat ./smb.conf
# Global parameters
[global]
    workgroup = TEST
    realm = test.local
    netbios name = BDC-SAMBA
    server role = active directory domain controller
    dns forwarder = 192.168.1.102
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/test.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[profiles]
    path = /usr/local/samba/var/profiles
    read only = No
root@bdc-samba:/usr/local/samba/etc#

2013/6/14 steve st...@steve-ss.com

> On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> > Hello Marc! Thank you for response! I added this string in smb.conf on PDC and BDC, but after sync BDC again do not give access. I see UID for files created for one user via PDC - 322 and via BDC - 319
>
> Hi
> Make sure that you have the rfc2307 line in both the DC's.
> Add:
> uidNumber: 322
> to the DN of the user on one of the DC's. Wait a few minutes. Now create a file. It will have uid 322 no matter which DC is consulted.
> HTH
> Steve

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
On 17/06/13 08:57, Vladimir A Fomkin wrote:
> Good day! What is DN?
>
> > Hi
> > Make sure that you have the rfc2307 line in both the DC's.
> > Add:
> > uidNumber: 322
> > to the DN of the user on one of the DC's. Wait a few minutes. Now create a file. It will have uid 322 no matter which DC is consulted.
> > HTH
> > Steve

Hi
DN is ldap for Distinguished Name, e.g. a user could have an entry in the directory:

dn: CN=vladimir, CN=Users,DC=samba,DC=com

just add:

uidNumber: 322

somewhere for that user. The easiest way to do that so that you can understand what's happening, is to add it like this:

ldbedit --url=/usr/local/samba/private/sam.ldb CN=vladimir

That will use vi. If you don't know vi, use your favourite editor (e.g. let's say it's called 'yfe') instead:

ldbedit -e yfe --url=/usr/local/samba/private/sam.ldb CN=vladimir

HTH
Steve
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi
Just try adding the user anyway and let's see what happens:

samba-rool user add tester4
Re: [Samba] The problem with setting up AD domain to Samba 4
On Mon, 2013-06-17 at 12:27 +0200, steve wrote:
> Hi
> Just try adding the user anyway and let's see what happens:
> samba-rool user add tester4

* samba-tool
sorry
Re: [Samba] The problem with setting up AD domain to Samba 4
HI!

root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
New Password:
Retype Password:
ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
root@bdc-samba:~#

2013/6/17 steve st...@steve-ss.com

> Hi
> Just try adding the user anyway and let's see what happens:
> samba-rool user add tester4

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi!

All users created from windows exist here!

root@bdc-samba:~# /usr/local/samba/bin/samba-tool user list
tester4
vaf
tester
tester2
tester3
Administrator
krbtgt
Guest
root@bdc-samba:~#

2013/6/17 Vladimir A Fomkin v...@vaf.net.ru

> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password:
> Retype Password:
> ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~#
>
> 2013/6/17 steve st...@steve-ss.com
> > Hi
> > Just try adding the user anyway and let's see what happens:
> > samba-rool user add tester4

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password:
> Retype Password:
> ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~#

Hi
ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
Re: [Samba] The problem with setting up AD domain to Samba 4
Hi!

root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
sAMAccountName: tester4
userPrincipalName: tester4@test.local
root@debian-samba4:/usr/local/samba/private#

And I found there UID is saved - /usr/local/samba/bin/ldbedit --url=/usr/local/samba/private/idmap.ldb

On PDC shows (cut):
# record 7
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 323
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

On BDC shows (cut):
# record 5
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 320
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

SID is the same, but the UID is different!

2013/6/17 steve st...@steve-ss.com

> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> > HI!
> > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> > New Password:
> > Retype Password:
> > ERROR(ldb): Failed to add user 'tester4': - samldb: Account name (sAMAccountName) 'tester4' already in use!
> > root@bdc-samba:~#
>
> Hi
> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
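A check for the condition reported in the message above (same SID, different xidNumber in idmap.ldb on each DC), as an added example that is not part of the original thread: it compares two LDIF dumps of idmap.ldb and lists every SID whose xidNumber differs. The function names and file names are assumptions; the sample record for RID 1110 is taken from the thread and the one for RID 1111 is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Produce the dumps on each DC with e.g.
#   ldbsearch --url=/usr/local/samba/private/idmap.ldb > pdc-idmap.ldif
# then copy both files to one host and compare them.

# idmap_mismatch FIRST.ldif SECOND.ldif
# Prints "SID xid-in-first xid-in-second" for every SID that is present in
# both dumps with a different xidNumber. Records without objectSid (such as
# the allocator's configuration record) are skipped.
idmap_mismatch() {
    awk '
    function emit() {
        if (sid != "" && xid != "") {
            if (src == 1)
                first[sid] = xid
            else if ((sid in first) && first[sid] != xid)
                print sid, first[sid], xid
        }
        sid = xid = ""
    }
    FNR == 1        { emit(); src++ }   # flush last record of previous file
    /^dn:/          { emit() }          # a new record starts
    /^objectSid: /  { sid = $2 }
    /^xidNumber: /  { xid = $2 }
    END             { emit() }
    ' "$1" "$2"
}

# idmap_demo: run the comparison on two small embedded dumps.
idmap_demo() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/pdc.ldif" <<'EOF'
# record 7
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 323
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

# record 8 (constructed)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1111
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1111
type: ID_TYPE_BOTH
xidNumber: 324
EOF
    cat > "$demo_dir/bdc.ldif" <<'EOF'
# record 5
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 320
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

# record 6 (constructed)
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1111
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1111
type: ID_TYPE_BOTH
xidNumber: 324
EOF
    idmap_mismatch "$demo_dir/pdc.ldif" "$demo_dir/bdc.ldif"
    rm -rf "$demo_dir"
}

idmap_demo
```

Every line it prints is an account whose files get a different owner depending on which DC wrote them, which is the access problem on the synchronized profile share described at the start of this thread.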
[Samba] The problem with setting up AD domain to Samba 4
Good day!

I set up a domain controller AD (PDC and BDC) by Samba 4 on Debian Wheezy. I took a configuration from examples. After setting the PDC I configured a second controller (BDC) and connected it to the domain. On PDC server has created a network folder for portable user profiles and synchronized it to the BDC through csync2.

My problem that the PDC and the BDC on the same user names has different UID and users can not access their network profile on the BDC.

Please help deal with the problem!

P.S. Sorry for my English!

http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
Hello Vladimir,

On 14.06.2013 14:18, Vladimir A Fomkin wrote:
> On PDC server has created a network folder for portable user profiles and synchronized it to the BDC through csync2. My problem that the PDC and the BDC on the same user names has different UID and users can not access their network profile on the BDC.

Do the users have uidNumbers in AD?

Try

idmap_ldb:use rfc2307 = yes

in your smb.conf

Regards,
Marc
Re: [Samba] The problem with setting up AD domain to Samba 4
Hello Marc!

Thank you for response! I added this string in smb.conf on PDC and BDC, but after sync BDC again do not give access. I see UID for files created for one user via PDC - 322 and via BDC - 319

2013/6/14 Marc Muehlfeld sa...@marc-muehlfeld.de

> Hello Vladimir,
>
> On 14.06.2013 14:18, Vladimir A Fomkin wrote:
> > On PDC server has created a network folder for portable user profiles and synchronized it to the BDC through csync2. My problem that the PDC and the BDC on the same user names has different UID and users can not access their network profile on the BDC.
>
> Do the users have uidNumbers in AD?
>
> Try
> idmap_ldb:use rfc2307 = yes
> in your smb.conf
>
> Regards,
> Marc

--
Best regards, Vladimir Andreevich Fomkin
ICQ:220967838 Skype:vladimir.fomkin http://vaf.net.ru
Re: [Samba] The problem with setting up AD domain to Samba 4
On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> Hello Marc! Thank you for response! I added this string in smb.conf on PDC and BDC, but after sync BDC again do not give access. I see UID for files created for one user via PDC - 322 and via BDC - 319

Hi
Make sure that you have the rfc2307 line in both the DC's.

Add:

uidNumber: 322

to the DN of the user on one of the DC's. Wait a few minutes. Now create a file. It will have uid 322 no matter which DC is consulted.

HTH
Steve