On 04/08/2013 06:01 PM, François Lafont wrote:
Thank you Matthieu for your answer.

On 08/04/2013 01:37, Matthieu Patou wrote:
1) First attempt to join the domain in the member server

root@member~# samba-tool domain join chezmoi.priv member -U
administrator --realm=chezmoi.priv
Password for [CHEZMOI\administrator]:
Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)

root@member~# ldconfig

root@member~# smbd && nmbd

And now impossible to run winbindd.

-----------------------------------------------
root@member~# winbindd -i -d 10
[...]

pack_tdc_domains: Packing 2 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
pack_tdc_domains: Packing domain WHEEZY-2 ()
idmap config WHEEZY-2 : range = not defined
Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
Could not fetch our SID - did we join?
unable to initialize domain list
-----------------------------------------------
Hum, interesting, it would be worth checking that from a clean setup you
get this issue again and again.
I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4
installation in /usr/local/samba/. And I have the problem each time. Let me explain
exactly what I have done.

On the DC server *and* on the MEMBER server (both with static IPs), I have done
this:

-----------------------------------------------
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab # I add the acl and user_xattr options for the "/" partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
halt
-----------------------------------------------

Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, in the DC server, I have done:

-----------------------------------------------
samba-tool domain provision # I keep the default answers each time, seems to work fine

# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-----------------------------------------------

Just for information, here is the smb.conf on the DC server after these commands:

-----------------------------------------------
# Global parameters
[global]
         workgroup = CHEZMOI
         realm = CHEZMOI.PRIV
         netbios name = WHEEZY-SERVER
         server role = active directory domain controller
         dns forwarder = 212.27.40.241

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No
-----------------------------------------------

In the MEMBER server, I have done:

-----------------------------------------------
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd && nmbd
winbindd -i -d 10
-----------------------------------------------

And boom! I get the same error that I described in my previous message.
The winbindd command stops.

Just for information, here is the smb.conf in the MEMBER server:

-----------------------------------------------
[global]
     workgroup = CHEZMOI
     security = ADS
     realm = CHEZMOI.PRIV
     encrypt passwords = yes
     idmap config *:backend = tdb
     idmap config *:range = 70001-80000
     idmap config CHEZMOI:backend = ad
     idmap config CHEZMOI:schema_mode = rfc2307
     idmap config CHEZMOI:range = 500-40000
     winbind nss info = rfc2307
     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes
-----------------------------------------------

Have I forgotten a step?
Are you sure that the two hosts have different names, as you are creating everything from the same base?

Also could you do a net join -d 10 and attach the secrets.tdb after the first join ?

2) Second attempt to join the domain on the member server. It's better,
but it doesn't work either.

root@member:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CHEZMOI
Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

root@member:~# ldconfig
root@member:~# smbd && nmbd
root@member:~# winbindd -i -d 10

And winbindd seems to be OK. I have:

root@member:~# wbinfo -u
administrator
krbtgt
test10
test11
guest
test1
test2
test3
test4
test5
test6
...

root@member:~# wbinfo -i test9
test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false

But if I create a user on the domain controller server:

root@dc:~# samba-tool user add test12 --random-password
User 'test12' created successfully

and afterwards, on the member server:

root@member:~# wbinfo -i test12
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test12

Here is the stdout of winbindd during the command:

-----------------------------------------------
             info                     : *
                  info: struct wbint_userinfo
                      acct_name                : *
                          acct_name                : 'test12'
                      full_name                : NULL
                      homedir                  : NULL
                      shell                    : NULL
                      primary_gid              : 0x00000000ffffffff
(4294967295)
                      user_sid                 :
S-1-5-21-3370545617-3166960116-3193249687-1115
                      group_sid                :
S-1-5-21-3370545617-3166960116-3193249687-513
              result                   : NT_STATUS_NOT_FOUND
Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
NT_STATUS_NOT_FOUND
wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
winbind_client_response_written[2813:GETPWNAM]: delivered response to
client
closing socket 23, client exited
-----------------------------------------------
Don't you have rfc2307 configured?
The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly as
shown above in this message. So, I have « winbind nss info = rfc2307 » in the
smb.conf of the MEMBER server.

If so, did you set the needed attributes for the new user?
I have just run: samba-tool user add test12 --random-password
That's all. What are the needed attributes?
When you specify rfc2307, winbindd expects to use uidNumber and gidNumber to convert the SID to a uid/gid, hence the error message.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org
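One way to check the member server's idmap setup and see why `test12` fails, as an added example in Python (not code from this thread or from the Samba project): it parses the `idmap config` lines of the smb.conf posted above, flags the usual misconfigurations (no `*` default, missing range, overlapping ranges, `backend = ad` without a schema mode), and models the decision Matthieu describes, where `backend = ad` with `schema_mode = rfc2307` maps a SID only through the object's `uidNumber` and never falls back to the `*` tdb allocator. The LDIF helper, its DN layout (`CN=<user>,CN=Users,<base DN>`), the base DN derived from the realm, the `ldbmodify -H /usr/local/samba/private/sam.ldb` path in its docstring, and the model of tdb allocation as "lowest free id, keyed by account name" are assumptions made for the example, not taken from the thread.

```python
# Added example: checker and model for a Samba member server's idmap setup.
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the member server smb.conf posted in the thread.
MEMBER_SMB_CONF = """\
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {DOMAIN: {key: value}} for every 'idmap config' line."""
    idmap: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3)
    return idmap


def parse_range(text: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", text.strip()))
    if lo > hi:
        raise ValueError(f"inverted idmap range {text!r}")
    return lo, hi


def check_idmap(idmap: Dict[str, Dict[str, str]]) -> List[str]:
    """Misconfigurations that stop winbindd or leave it unable to map ids."""
    problems: List[str] = []
    if not {"backend", "range"} <= set(idmap.get("*", {})):
        problems.append("'*' default domain needs both backend and range")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, cfg in idmap.items():
        if "range" not in cfg:
            problems.append(f"idmap config {dom} : range = not defined")
            continue
        ranges[dom] = parse_range(cfg["range"])
        if cfg.get("backend", "").lower() == "ad" and \
                cfg.get("schema_mode", "").lower() not in ("rfc2307", "sfu"):
            problems.append(f"{dom}: backend ad needs schema_mode = rfc2307 or sfu")
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:  # ranges must be disjoint across domains
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def resolve_uid(idmap: Dict[str, Dict[str, str]], domain: str,
                attrs: Dict[str, str], tdb: Dict[str, int]) -> Tuple[Optional[int], str]:
    """Model winbindd's SID->uid decision for one account of `domain`.

    A domain without its own block falls under '*'.  backend ad only reads
    uidNumber (and rejects a value outside the range); no attribute means
    the NT_STATUS_NOT_FOUND from the thread.  backend tdb hands out the lowest
    free id; `tdb` stands in for winbindd_idmap.tdb, keyed here by name (assumption).
    """
    cfg = idmap.get(domain.upper(), idmap.get("*", {}))
    lo, hi = parse_range(cfg["range"])
    backend = cfg.get("backend", "").lower()
    if backend == "ad":
        if "uidNumber" not in attrs:
            return None, "NT_STATUS_NOT_FOUND: object has no uidNumber"
        uid = int(attrs["uidNumber"])
        if not lo <= uid <= hi:
            return None, f"uidNumber {uid} outside range {lo}-{hi}"
        return uid, "ok (read from AD)"
    if backend == "tdb":
        key = f"{domain.upper()}\\{attrs['sAMAccountName']}"
        if key not in tdb:
            free = next((i for i in range(lo, hi + 1) if i not in tdb.values()), None)
            if free is None:
                return None, f"range {lo}-{hi} exhausted"
            tdb[key] = free
        return tdb[key], "ok (allocated in tdb)"
    return None, f"backend {backend!r} not modelled"


def ldif_for_rfc2307(name: str, uid: int, gid: int, base_dn: str) -> str:
    """LDIF for 'ldbmodify -H /usr/local/samba/private/sam.ldb' on the DC (assumed
    path) giving an existing user the attributes the ad backend needs.  The DN
    assumes the default Users container (assumption, not from the thread)."""
    return (f"dn: CN={name},CN=Users,{base_dn}\nchangetype: modify\n"
            f"add: uidNumber\nuidNumber: {uid}\n-\n"
            f"add: gidNumber\ngidNumber: {gid}\n")


if __name__ == "__main__":
    idmap = parse_idmap(MEMBER_SMB_CONF)
    print("config problems:", check_idmap(idmap) or "none")
    tdb: Dict[str, int] = {}
    # test12 as created with 'samba-tool user add test12 --random-password'
    print("test12:", resolve_uid(idmap, "CHEZMOI", {"sAMAccountName": "test12"}, tdb))
    print("test12 with uidNumber:", resolve_uid(
        idmap, "CHEZMOI", {"sAMAccountName": "test12", "uidNumber": "10012"}, tdb))
    print("user of WHEEZY-2 via '*':", resolve_uid(idmap, "WHEEZY-2", {"sAMAccountName": "bob"}, tdb))
    print(ldif_for_rfc2307("test12", 10012, 10000, "DC=chezmoi,DC=priv"))
```

Run it as a script to see `test12` fail until the object carries a `uidNumber`, and note that the value must fall inside the `CHEZMOI` range from smb.conf (500-40000), not the `*` range: the ad backend rejects ids outside its range rather than allocating one. One caveat worth a look before applying the LDIF: in the second attempt the thread shows `test9` with uid 70004, which lies in the `*` tdb range rather than the `CHEZMOI` one, so it is worth confirming with `wbinfo --name-to-sid`/`wbinfo --sid-to-uid` which idmap block winbindd actually applied to CHEZMOI users.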
