On 2013-04-10 01:32, François Lafont wrote:
On 09/04/2013 09:34, Matthieu Patou wrote:
On 08/04/2013 01:37, Matthieu Patou wrote:
Then, in the DC server, I have done:
-----------------------------------------------
samba-tool domain provision # I keep the default answers each time, seems to work fine
# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-----------------------------------------------
[...]
-----------------------------------------------
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd && nmbd
winbindd -i -d 10
-----------------------------------------------
And boom! I have the same error which I described in my previous
message. The winbindd command stops.
[...]
Are you sure that the two hosts have different names, as you are creating
everything from the same base?
Yes, I'm absolutely sure, because the names of the 2 servers were set
*during* the installation with a netinstall CD:
- hostname == "wheezy-server" for the DC server
- hostname == "wheezy-2" for the MEMBER server
Also could you do a net join -d 10 and attach the secrets.tdb after the
first join ?
Yes, no problem. But you suggest I use this command:
net ads join -d 10 -U administrator
I would like to understand. To join a member server to a domain (with a Samba4
DC), which command should I use:
1. "net ads join -U administrator"
or
2. "samba-tool domain join chezmoi.priv member -U administrator" ?
So, if I understand correctly, you are asking me to try the first command (net ads join) with
the "-d 10" option. Here:
http://sisco.laf.free.fr/codes/samba4.zip
you'll find the output of the "join" command in debug mode and the secrets.*db
files (before and after the join, in the member server and in the dc server):
- with the "net ads join -U administrator -d 10" command
- and with the "samba-tool domain join chezmoi.priv MEMBER -U administrator"
command
If so, for the new user, did you set the needed attributes?
I have just run: samba-tool user add test12 --random-password
That's all. Which are the needed attributes?
When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
in order to convert the SID to uid/gid, hence the error message.
But is the "rfc2307" option in smb.conf really mandatory?
1. For example, when I install a "simple" Samba4 DC like this:
-------------------------------------------------------------------
samba-tool domain provision # I keep the default answers each time
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DNS server is the DC itself
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-------------------------------------------------------------------
It seems to work fine. "getent passwd", "wbinfo -u", "wbinfo -i user1", "wbinfo -n=user1" are OK,
yet there is no "rfc2307" string in the default "smb.conf" file.
2. Another example. I have installed a member server like this (member of a
Samba4 DC, I have no Windows server):
-------------------------------------------------------------------
vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DC is the DNS server
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind
ldconfig
net ads join -U administrator
smbd && nmbd && winbindd
-------------------------------------------------------------------
with this smb.conf file:
-------------------------------------------------------------------
# No reference to "rfc2307".
[global]
workgroup = CHEZMOI
security = ADS
realm = CHEZMOI.PRIV
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
-------------------------------------------------------------------
and the member server seems to work fine. If I create a user toto on the DC:
samba-tool user add toto --random-password
On the member, I have:
root@member:~# wbinfo -i toto
toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
root@member:~# wbinfo -n=toto
S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
The only "problem" that I see is with:
root@member:~# wbinfo -u
root@member:~# getent passwd
because the toto user isn't printed in the output. However, if I wait 5-6
minutes, the toto user appears in the output of these commands. Another
solution: if I do:
root@member:~# killall smbd nmbd winbindd
root@member:~# smbd && nmbd && winbindd
the toto user appears on the member server immediately.
Is this behavior (the 5-6 minutes period) normal?
Is this configuration correct for a member server?
Thanks for your help.
You should check rfc2307 on the Samba AD: if your users do not have
uidNumber and gidNumber attributes, they are going to be ignored by the
winbind daemon if you specify rfc2307 schema mode on the domain member.
Regards
Geza Gemes
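As an added example (not from any message in this thread), here is the check Matthieu and Geza describe, in shell. Fed the LDIF for the domain's user objects, it reports each account that lacks uidNumber or gidNumber; those are the accounts winbind skips when the member's idmap is configured with "idmap config CHEZMOI:backend = ad" and "idmap config CHEZMOI:schema_mode = rfc2307". With the tdb backend in the smb.conf posted above, winbind allocates IDs itself from the configured range, so no such attributes are needed, which is why that member works without them. The LDIF in the block is a constructed sample, and the ldbsearch invocation in the comment is an assumed way to produce it on the DC, not a command from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Lists AD accounts that lack the
# uidNumber/gidNumber attributes winbind needs in rfc2307 schema mode.
#
# Input is LDIF as produced (assumed invocation, run on the DC) by:
#   ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber
# Records are separated by blank lines; only these three attributes matter here.

# Constructed sample LDIF standing in for that output (not real data).
SAMPLE_LDIF='dn: CN=toto,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: toto

dn: CN=user1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: user1
uidNumber: 10001
gidNumber: 10000

dn: CN=test12,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test12
uidNumber: 10002
'

# Reads LDIF on stdin and prints one line per account:
#   NAME OK                    both attributes present
#   NAME MISSING:attr[,attr]   winbind (schema_mode = rfc2307) would skip it
check_rfc2307() {
    awk '
    function flush(    missing) {
        if (name == "") return
        missing = ""
        if (!("uidNumber" in seen)) missing = missing "uidNumber,"
        if (!("gidNumber" in seen)) missing = missing "gidNumber,"
        sub(/,$/, "", missing)
        if (missing == "") print name " OK"
        else               print name " MISSING:" missing
    }
    /^sAMAccountName: / { name = $2 }
    /^uidNumber: /      { seen["uidNumber"] = 1 }
    /^gidNumber: /      { seen["gidNumber"] = 1 }
    /^$/                { flush(); name = ""; split("", seen) }
    END                 { flush() }
    '
}

# Number of accounts winbind would ignore (prints 0 when every user is mapped;
# the "|| true" keeps grep from failing the pipeline on a zero count).
count_missing() {
    check_rfc2307 | grep -c 'MISSING:' || true
}

# Stand-alone run against the constructed sample:
printf '%s\n' "$SAMPLE_LDIF" | check_rfc2307
```

On a real DC the function can be fed straight from ldbsearch. samba-tool user add accepts --uid-number and --gid-number, so the attributes can be set at creation time rather than added afterwards. The 5-6 minute delay asked about above matches the default of the "winbind cache time" parameter, 300 seconds, which is also why restarting winbindd makes the new user appear at once.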
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba