Re: [Samba] Samba4 member of an another « Samba4 » domain
On 15/04/2013 04:28, steve wrote:
> Indeed, for each new user or group you create you always end up with an idmap entry too. What idmap_ldb:use rfc2307 = yes is saying is 'ignore idmap and give priority to AD'. Of course, the attributes must be there in the first place, otherwise it will fall back to idmap again. Exactly what we are trying to avoid at all costs. I had to prove this to myself by creating a user in AD with rfc2307 stuff and then deleting his entry in idmap. With the idmap_ldb:use rfc2307 = yes in place then no problem. All his stuff came from AD as expected :)
>
>> Ok. I think it's clear for me now.
>
> I think we're speaking the same language now.

Yes, thank you for your help Steve. :-)

Bye.

-- 
François Lafont

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 14/04/13 01:37, François Lafont wrote:
> Hello,
>
> On 13/04/2013 20:24, steve wrote:
>> You still have to add the objects. Yourself!
>
> Ok, if I understand, after a provision of a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixAccount etc. in its database, but I have to add the object class and the mandatory attributes myself.

It can do that whether you provision with --use-rfc2307 or not. I believe that it adds the possibility of adding the uid:gid from windows. I've never used windows for this.

> But, after this:
>
> ---
> samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
>   --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
>   --use-rfc2307
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> # I add winbind in nsswitch.conf
> sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf
> samba
> ---
>
> I have a few users and groups which are already created:
>
> # wbinfo -u
> Administrator
> Guest
> krbtgt
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
>
> Must I add objectClass: posixAccount, uid: ..., uidNumber: ... etc. entries for each account above? And must I add objectClass: posixGroup, gidNumber: ... etc. entries for each group above?

If you want to pull uid:gid from AD then you'll need to add uidNumber and gidNumber for users and gidNumber for groups. All users which need to login will need the attributes but there's no need to allocate gidNumber to all the groups. Many of them have no meaning in Linux. e.g. To begin with, just allocate a gidNumber to Domain Users. A good way to decide which gidNumber to allocate is to take the RID of the group and add, say, 2 to keep it well away from local groups. As the RID of Domain Users is 513 then our gidNumber becomes 20513. For users, we allocated our first user uidNumber 332 to avoid collision with the xidNumbers which have to remain in idmap. Each subsequent user increments this value. It's tedious doing this by hand but easy to create an ldif which contains the values to add as and when a new user is created.

> Which uid/gid numbers should I use? Without posixAccount, uid, uidNumber etc. entries, the domain accounts are already automatically assigned a uid number that I can see with getent passwd:
>
> # getent passwd Guest
> CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false
>
> uid=311 although I have made no change to the Guest account.

Those uid:gid pairs are coming from idmap. idmap is not part of AD and confuses the issue for many of us. If you are going to add more DC's, these uid:gid's will change depending upon which DC you refer to. Probably (almost certainly) not what you want.

> How does Samba choose these uid/gid numbers (e.g. 311/312) and how can I choose my uid/gid numbers so that there is never a conflict with the uid/gid chosen automatically by Samba?

That is best answered by looking at:

ldbsearch --url=/usr/local/samba/private/idmap.ldb

There, you'll see the sids with the xidNumber that Samba has allocated to them. This xidNumber becomes the uid or gid depending upon whether the object is a user, group or both. A basic set of objects has to remain in idmap so leave it as it is after provision. If you add the line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the provision has already done for you) then any new user or group object that is created will not have an entry in idmap. You are then free to add the necessary uid/gidNumbers to AD.

> Another problem: just after provision, the /usr/local/samba/var/locks/sysvol/ repository is already created with particular settings regarding the unix rights and the acl (with particular uid/gid numbers). Must I change the (unix/acl) rights of this repository too?

There's another thread here at the moment about how or how not to do that. Some of us have given up on winbind for idmapping. There are easier ways to get rfc2307 from the database which keep the uid:gid consistent independent of which DC is consulted. nss-ldapd is one of them and sssd seems to be gaining ground because of its simplicity. I'm a strong believer in keeping things as simple as possible. Because of this I believe that rfc2307 stuff should always be sourced from AD and we should not use an external idmap.

> Where? I don't see it. Personally, I have never succeeded in getting rfc2307 working, until now. My purpose is to have the same uid/gid numbers between 2 samba4 servers.

Sorry, I can't access the list archive at the moment. The thread is called 'Some clarification?'

Cheers,
Steve
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 14/04/2013 08:00, steve wrote:
>> Ok, if I understand, after a provision of a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixAccount etc. in its database, but I have to add the object class and the mandatory attributes myself.
>
> It can do that whether you provision with --use-rfc2307 or not.

Are you sure? In this case, I won't use this option.

> I believe that it adds the possibility of adding the uid:gid from windows. I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.

> If you want to pull uid:gid from AD then you'll need to add uidNumber and gidNumber for users and gidNumber for groups.

And memberUid too for groups, isn't it?

> All users which need to login will need the attributes but there's no need to allocate gidNumber to all the groups. Many of them have no meaning in Linux. e.g. To begin with, just allocate a gidNumber to Domain Users. A good way to decide which gidNumber to allocate is to take the RID of the group and add, say, 2 to keep it well away from local groups. As the RID of Domain Users is 513 then our gidNumber becomes 20513. For users, we allocated our first user uidNumber 332 to avoid collision with the xidNumbers which have to remain in idmap.

I don't think that 332 is a good uidNumber because idmap seems to use the 300-400 range.

>> # getent passwd Guest
>> CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false
>>
>> uid=311 although I have made no change to the Guest account.
>
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and confuses the issue for many of us. If you are going to add more DC's, these uid:gid's will change depending upon which DC you refer to. Probably (almost certainly) not what you want.

Absolutely. :)

>> How does Samba choose these uid/gid numbers (e.g. 311/312) and how can I choose my uid/gid numbers so that there is never a conflict with the uid/gid chosen automatically by Samba?
>
> That is best answered by looking at:
>
> ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 300
upperBound: 400
xidNumber: 317
distinguishedName: CN=CONFIG

Then, I understand that idmap uses the 300-400 range to assign xidNumber to the users and groups.

> There, you'll see the sids with the xidNumber that Samba has allocated to them. This xidNumber becomes the uid or gid depending upon whether the object is a user, group or both. A basic set of objects has to remain in idmap so leave it as it is after provision. If you add the line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the provision has already done for you) then any new user or group object that is created will not have an entry in idmap. You are then free to add the necessary uid/gidNumbers to AD.

Yes, indeed:

# grep 'rfc' /usr/local/samba/etc/smb.conf
idmap_ldb:use rfc2307 = yes
# samba
# samba-tool user add test4 test4
User 'test4' created successfully
# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals

But after this:

# getent passwd test4
CHEZMOI\test4:*:319:100::/home/CHEZMOI/test4:/bin/false

the idmap entry is automatically created:

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# record 1
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
type: ID_TYPE_BOTH
xidNumber: 319
distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106

I have noticed that I have exactly the same behavior without the idmap_ldb:use rfc2307 = yes option. Then, I don't see exactly the meaning of this option...

> Sorry, I can't access the list archive at the moment. The thread is called 'Some clarification?'

Ok, I see. Thanks a lot for your explanations Steve. It's become clearer in my mind. :)

-- 
François Lafont
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 15/04/13 03:17, François Lafont wrote:
> On 14/04/2013 08:00, steve wrote:
>>> Ok, if I understand, after a provision of a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixAccount etc. in its database, but I have to add the object class and the mandatory attributes myself.
>>
>> It can do that whether you provision with --use-rfc2307 or not.
>
> Are you sure? In this case, I won't use this option.

99.99% it's just adding a bit to the schema so that you can add rfc2307 bits from windows. I always do that from Linux. Can anyone add the 0.01% for us?

>> I believe that it adds the possibility of adding the uid:gid from windows. I've never used windows for this.
>
> Me too. I prefer to manage the AD in the samba server.
>
>> If you want to pull uid:gid from AD then you'll need to add uidNumber and gidNumber for users and gidNumber for groups.
>
> And memberUid too for groups, isn't it?

No. AD uses the member attribute. Here is a group called staff where steve2 is its only member:

# record 1
dn: CN=staff,CN=Users,DC=hh3,DC=site
cn: staff
instanceType: 4
whenCreated: 20130414144050.0Z
uSNCreated: 3795
name: staff
objectGUID: 5267385f-c466-41f1-be7c-dddcb4640a33
objectSid: S-1-5-21-1555648365-2472922434-3126067274-1118
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21118
member: CN=steve2,CN=Users,DC=hh3,DC=site
whenChanged: 20130414144415.0Z
uSNChanged: 3799
distinguishedName: CN=staff,CN=Users,DC=hh3,DC=site

The good news is that samba-tool looks after all this for you:

samba-tool group addmembers staff steve2

You can use e.g. sssd to pull the info:

getent group staff
staff:*:21118:steve2

>> All users which need to login will need the attributes but there's no need to allocate gidNumber to all the groups. Many of them have no meaning in Linux. e.g. To begin with, just allocate a gidNumber to Domain Users. A good way to decide which gidNumber to allocate is to take the RID of the group and add, say, 2 to keep it well away from local groups. As the RID of Domain Users is 513 then our gidNumber becomes 20513. For users, we allocated our first user uidNumber 332 to avoid collision with the xidNumbers which have to remain in idmap.
>
> I don't think that 332 is a good uidNumber because idmap seems to use the 300-400 range.

No. It doesn't matter. AD knows nothing about idmap.ldb but if you're happier, then use an even higher range ;)

> [...]
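A worked version of the allocation scheme discussed in this exchange (Steve's 20000 + RID gidNumbers, sequential uidNumbers kept clear of what idmap.ldb has already handed out, and the LDIF that adds the attributes), as an added example that is not code from the thread or from the Samba project. It parses `ldbsearch` text output of the kind pasted above; the sam.ldb and idmap.ldb records embedded in it are constructed for the example, except the test4 objectSid and the idmap CONFIG bounds (300-400), which are the ones shown in the thread. The `avoid_idmap_range` switch is stricter than Steve's advice: besides skipping xidNumbers already allocated in idmap.ldb, it can keep the whole lowerBound..upperBound window free, which is what François was worried about.

```python
"""Allocate rfc2307 uidNumber/gidNumber for a Samba4 AD and emit the LDIF to add them.
Added example for this thread, not code from the list or the Samba project. Sample
ldbsearch records below are constructed (only test4's objectSid and the idmap 300-400 bounds come from the thread)."""

SAM_LDB = """\
dn: CN=Domain Users,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: Domain Users
objectSid: S-1-5-21-3840058276-1254623269-3939424142-513
objectClass: group

dn: CN=staff,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: staff
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1118
objectClass: group

dn: CN=test4,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test4
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
primaryGroupID: 513
objectClass: user
"""

# Constructed idmap.ldb output: the CONFIG record and one sidMap entry (Guest, xid 311).
IDMAP_LDB = """\
# record 1
dn: CN=CONFIG
lowerBound: 300
upperBound: 400
xidNumber: 317

dn: CN=S-1-5-21-3840058276-1254623269-3939424142-501
objectClass: sidMap
xidNumber: 311
"""

def parse_ldb(text):
    """ldbsearch output -> records (attr -> list of values); '#' = comment, blank = separator."""
    records, rec = [], {}
    for line in text.splitlines():
        if not line.strip():
            records.append(rec)
            rec = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(":")
            rec.setdefault(key.strip(), []).append(val.strip())
    return [r for r in records + [rec] if r]

def rid(sid):
    return int(sid.rsplit("-", 1)[1])  # last SID component (Domain Users -> 513)

def idmap_reserved(idmap_text):
    """(lowerBound, upperBound, xidNumbers already handed out) from idmap.ldb output."""
    lower, upper, xids = None, None, set()
    for r in parse_ldb(idmap_text):
        if r["dn"][0].upper() == "CN=CONFIG":
            lower, upper = int(r["lowerBound"][0]), int(r["upperBound"][0])
        elif "xidNumber" in r:
            xids.add(int(r["xidNumber"][0]))
    return lower, upper, xids

def allocate(sam_text, idmap_text, first_uid, avoid_idmap_range=True):
    """gidNumber = 20000 + RID per group (Steve's scheme: 513 -> 20513, 1118 -> 21118);
    uidNumbers sequential from first_uid in RID order, skipping xidNumbers idmap.ldb has
    handed out and, if avoid_idmap_range, its whole window (stricter than the thread).
    Returns (uids, gids, groups whose gidNumber still collides)."""
    lower, upper, xids = idmap_reserved(idmap_text)
    def taken(n):
        return n in xids or (avoid_idmap_range and lower is not None and lower <= n <= upper)
    recs = parse_ldb(sam_text)
    gids = {r["sAMAccountName"][0]: 20000 + rid(r["objectSid"][0])
            for r in recs if "group" in r["objectClass"]}
    users = [r for r in recs if "user" in r["objectClass"]]
    uids, nxt = {}, first_uid
    for u in sorted(users, key=lambda r: rid(r["objectSid"][0])):
        while taken(nxt):
            nxt += 1
        uids[u["sAMAccountName"][0]] = nxt
        nxt += 1
    return uids, gids, sorted(n for n, g in gids.items() if taken(g))

def _mod(dn, cls, **attrs):
    """One LDIF 'changetype: modify' entry adding objectClass cls plus the given attrs."""
    body = "".join(f"add: {k}\n{k}: {v}\n-\n" for k, v in attrs.items())
    return f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {cls}\n-\n{body}"

def ldif(sam_text, uids, gids):
    """LDIF for ldbmodify: posixGroup + gidNumber on groups; posixAccount + uidNumber +
    gidNumber on users, the gidNumber being the primary group's (primaryGroupID = RID)."""
    recs = parse_ldb(sam_text)
    gid_by_rid = {rid(r["objectSid"][0]): gids[r["sAMAccountName"][0]]
                  for r in recs if "group" in r["objectClass"]}
    out = []
    for r in recs:
        name, dn = r["sAMAccountName"][0], r["dn"][0]
        if "group" in r["objectClass"]:
            out.append(_mod(dn, "posixGroup", gidNumber=gids[name]))
        else:
            out.append(_mod(dn, "posixAccount", uidNumber=uids[name],
                            gidNumber=gid_by_rid[int(r["primaryGroupID"][0])]))
    return "\n".join(out)
```

Run `allocate()` on real `ldbsearch` output, check that the returned clash list is empty, and feed the `ldif()` text to `ldbmodify` against sam.ldb; with `first_uid=332` and the default `avoid_idmap_range=True` the first user lands on 401 (the first number above the 300-400 window), with `avoid_idmap_range=False` it keeps 332 as in Steve's setup, since only the xidNumbers actually allocated in idmap.ldb are skipped.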
Re: [Samba] Samba4 member of an another « Samba4 » domain
Hi,

On 11/04/2013 22:39, Gémes Géza wrote:
> The easiest way to test out rfc2307 would be to provision a new domain with samba-tool domain provision --use-rfc2307 --the-other-options-of-your-choice, and test a rfc2307 client against it. The difference is, that in this case the provisioning script loads a schema file (ypServ30.ldif) which makes it easier to administer the rfc2307 attributes using ADUC.
> [...]

Ok. I try this on a wheezy server:

---
samba-tool domain provision --realm=CHEZMOI.PRIV \
  --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
  --adminpass='+toto123' --use-rfc2307
echo nameserver 192.168.0.21 > /etc/resolv.conf
samba
samba-tool user add test1 +test123
---

Here is my smb.conf file after these commands:

---
# Global parameters
[global]
	workgroup = CHEZMOI
	realm = CHEZMOI.PRIV
	netbios name = WHEEZY-1
	server role = active directory domain controller
	dns forwarder = 212.27.40.241
	idmap_ldb:use rfc2307 = yes

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No
---

But when I run:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1

---
# editing 1 records
# record 1
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
instanceType: 4
whenCreated: 20130413162647.0Z
whenChanged: 20130413162647.0Z
uSNCreated: 3769
name: test1
objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test1
sAMAccountType: 805306368
userPrincipalName: te...@chezmoi.priv
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
pwdLastSet: 13010344007000
userAccountControl: 512
uSNChanged: 3771
distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
---

I have no objectClass: posixAccount entry and then no uidNumber, gidNumber attribute. Is it normal? I thought that the use-rfc2307 option allowed creating posixAccount users. Isn't it the case?

-- 
François Lafont
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 13/04/13 18:49, François Lafont wrote:
> [...]
>
> I have no objectClass: posixAccount entry and then no uidNumber, gidNumber attribute. Is it normal? I thought that the use-rfc2307 option allowed creating posixAccount users. Isn't it the case?

Hi

You still have to add the objects. Yourself! I think provisioning with the rfc2307 option allows you to use the windows tools instead of using ldbedit or ldif's.

If you just want uid:gid you can use ldbedit like you have above and add e.g.

objectClass: posixGroup
gidNumber: 20513

to Domain Users then, e.g.

objectClass: posixAccount
uidNumber: 3000100
gidNumber: 20513

to each of your users. With a different uid for each user of course.

You then decide how to get the uid:gid out of AD. There's another thread here at the moment about how or how not to do that.

hth
Steve
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 13/04/13 19:24, steve wrote:
> [...]
>
> If you just want uid:gid you can use ldbedit like you have above and add e.g.
>
> objectClass: posixGroup
> gidNumber: 20513
>
> to Domain Users then, e.g.
>
> objectClass: posixAccount
> uidNumber: 3000100
> gidNumber: 20513
>
> to each of your users. With a different uid for each user of course.
>
> You then decide how to get the uid:gid out of AD. There's another thread here at the moment about how or how not to do that.
>
> hth
> Steve

Hi, You do not need the posix objectclasses, you can add the uidNumbers etc without them.

Rowland
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 13/04/13 20:38, Rowland Penny wrote:
> [...]
>
> Hi, You do not need the posix objectclasses, you can add the uidNumbers etc without them.
>
> Rowland

Hi

Yes, but please be careful. The Samba4 LDAP allows you to add uidNumber without the class from the schema which provides it. In this case posixAccount. However, the uidNumber in that case will just be ignored. e.g. it will not show in getent passwd. I'm not certain but I think in openldap with the rfc2307 schema, it would be an error: you wouldn't be able to do it.

@Rowland. Maybe your method with sssd doesn't need uidNumber to be present in AD?

Cheers,
Steve
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 13/04/13 20:22, steve wrote:
On 13/04/13 20:38, Rowland Penny wrote:
On 13/04/13 19:24, steve wrote:
On 13/04/13 18:49, François Lafont wrote:
[...]
@Rowland. Maybe your method with sssd doesn't need uidNumber to be present in AD?
Cheers,
Steve

Hi Steve,
I thought like you until someone posted either on here or on the technical list that windows does not use the posix objectclasses, and as Samba 4 AD is supposed to be exactly like windows AD, then obviously you do not need them. If they were required, you would not be able to add the uidNumbers etc, it would just error out.
If you are having problems pulling the uidNumber with nss-ldapd without the posix objectclasses, then this might be because nss-ldapd was written for ldap but AD != LDAP. All I can say is sssd works without the posix objectclasses.
Rowland
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 13/04/13 23:32, Rowland Penny wrote:
On 13/04/13 20:22, steve wrote:
On 13/04/13 20:38, Rowland Penny wrote:
On 13/04/13 19:24, steve wrote:
On 13/04/13 18:49, François Lafont wrote:
[...]
Hi Steve,
I thought like you until someone posted either on here or on the technical list that windows does not use the posix objectclasses, and as Samba 4 AD is supposed to be exactly like windows AD, then obviously you do not need them. If they were required, you would not be able to add the uidNumbers etc, it would just error out.
If you are having problems pulling the uidNumber with nss-ldapd without the posix objectclasses, then this might be because nss-ldapd was written for ldap but AD != LDAP. All I can say is sssd works without the posix objectclasses.
Rowland

Thanks Rowland. I'd no idea that windows didn't need the classes but as I came from a Linux openldap background I understood that, as you quite rightly say, openldap wouldn't allow you to add uidNumber without posixAccount. For the record, nss-ldapd _does_ require the class to be present. If it isn't then as far as ldapd is concerned, the user doesn't exist.
Well, that's the end of another 48 hour day. Why do we
Re: [Samba] Samba4 member of an another « Samba4 » domain
Hello,

On 13/04/2013 20:24, steve wrote:
You still have to add the objects. Yourself!

Ok, if I understand, after provisioning a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixAccount etc. in its database, but I have to add the object class and the mandatory attributes myself.
But, after this:
---
samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
 --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
 --use-rfc2307
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
# I add winbind to nsswitch.conf
sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf
samba
---
I have a few users and groups which are already created:
# wbinfo -u
Administrator
Guest
krbtgt
# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

Must I add objectclass: posixAccount, uid:..., uidNumber:... etc. entries for each account above? And must I add objectclass: posixGroup, gidNumber: ... etc. entries for each group above? Which uid/gid numbers should I use?

Without posixAccount, uid, uidNumber etc. entries, the domain accounts are already automatically assigned a uid number that I can see with getent passwd:
# getent passwd Guest
CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false
uid=311 although I have made no change to the Guest account. How does Samba choose these uid/gid numbers (e.g. 311/312) and how can I choose my uid/gid numbers so that there is never a conflict with the uid/gid chosen automatically by Samba?

Another problem: just after provisioning, the /usr/local/samba/var/locks/sysvol/ directory is already created with particular settings regarding the unix permissions and the ACLs (with particular uid/gid numbers). Must I change the (unix/acl) permissions of this directory too?

There's another thread here at the moment about how or how not to do that.

Where? I don't see it.

Personally, I have never succeeded in getting rfc2307 to work, until now. My purpose is to have the same uid/gid numbers between 2 samba4 servers.

--
François Lafont
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 2013-04-11 01:14, François Lafont wrote:
On 10/04/2013 06:59, Gémes Géza wrote:
You should check rfc2307 on the samba AD, if your users do not have uidNumber gidNumber attributes they are going to be ignored by the winbind daemon if you specify rfc2307 schema mode on the domain member.
[...]
PS: and very sorry for my poor english.

The easiest way to test out rfc2307 would be to provision a new domain with samba-tool domain provision --use-rfc2307
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 10/04/2013 06:59, Gémes Géza wrote:
You should check rfc2307 on the samba AD, if your users do not have uidNumber gidNumber attributes they are going to be ignored by the winbind daemon if you specify rfc2307 schema mode on the domain member.

If I have understood, when I don't use rfc2307 on the dc server (this is the default) and I don't use rfc2307 on the member server with this config:
---
# No reference to rfc2307.
[global]
 workgroup = CHEZMOI
 security = ADS
 realm = CHEZMOI.PRIV
 encrypt passwords = yes
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
---
it seems to work well, but the uid and the gid of the domain accounts are different between the dc and the member. And if I use rfc2307, then it's possible to have the same uid and gid on the dc and the member. Is that correct?

For the moment, I haven't succeeded in using rfc2307 with a dc and a member. Without rfc2307, I think it works well with:

1. For the dc:
---
[global]
 workgroup = CHEZMOI
 realm = CHEZMOI.PRIV
 netbios name = WHEEZY-SERVER
 server role = active directory domain controller
 dns forwarder = 212.27.40.241

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
---
2. And for the member:
---
[global]
 workgroup = CHEZMOI
 security = ADS
 realm = CHEZMOI.PRIV
 encrypt passwords = yes
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
---
It works well (imho), but, for each account, the uid/gid are different between the dc and the member, and I don't like it.

When I try to use rfc2307, it doesn't work for me (but I must be making mistakes). For example, I have tried this:

1. On the dc server:
# samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' --use-rfc2307
that creates this smb.conf:
---
[global]
 workgroup = CHEZMOI
 realm = CHEZMOI.PRIV
 netbios name = WHEEZY-SERVER
 server role = active directory domain controller
 dns forwarder = 212.27.40.241
 idmap_ldb:use rfc2307 = yes

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
---
Next, I use winbind in nsswitch.conf in order to resolve uid/gid <--> names.

2. On the member, I edit this smb.conf file (found here https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
---
[global]
 workgroup = CHEZMOI
 security = ADS
 realm = CHEZMOI.PRIV
 encrypt passwords = yes
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 idmap config CHEZMOI:backend = ad
 idmap config CHEZMOI:schema_mode = rfc2307
 idmap config CHEZMOI:range = 500-4
 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
---
and I join the server with net ads join (then I use winbind in nsswitch.conf too).

Next, I create an account on the dc (samba-tool user add test1 --random-password) and, from a Windows workstation, I edit this account with dsa.msc and I set:
- the UID attribute in the Unix attributes tab
- the GID attribute in the Unix attributes tab

But the dc and the member seem to ignore these values and, for example, with getent passwd the uid/gid are different for each user between the dc and the member.

If you have advice or links on installing a dc and a member so that the uid/gid are the same between the dc and the member, that would interest me very much. :-)

Thanks in advance.

PS: and very sorry for my poor english.

--
François Lafont
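Géza's point above, that a member with `idmap config CHEZMOI:schema_mode = rfc2307` silently ignores any user lacking uidNumber/gidNumber, has a second half a practitioner runs into just as often: winbind also ignores ids that fall outside the `idmap config CHEZMOI:range`. The script below is an added example, not code from the thread or from Samba: it takes LDIF as produced by ldbsearch and reports, per user, whether a member with a given range could map the account. The range 10000-99999 and the three sample records are constructed for the example (the range values in this thread's smb.conf are not reproduced here); test1 deliberately carries the uid 3000100 suggested earlier in the thread to show that a uid the DC accepts can still be unusable on the member.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: audit which AD users a
# domain member configured with
#   idmap config CHEZMOI:backend = ad
#   idmap config CHEZMOI:schema_mode = rfc2307
#   idmap config CHEZMOI:range = LOW-HIGH
# can actually map. winbind ignores a user whose uidNumber or gidNumber is
# missing, and also one whose id falls outside the configured range.
# Assumptions (ours): the range 10000-99999 and the sample LDIF below are
# constructed for this example; the thread's own range values are not used.

# Succeed if $1 is an integer inside the inclusive range $2 written as LOW-HIGH.
in_range() {
    _lo=${2%-*}
    _hi=${2#*-}
    case $1 in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$_lo" ] && [ "$1" -le "$_hi" ]
}

# Read LDIF records (e.g. from ldbsearch) on stdin and print one line per user:
# "<sAMAccountName> ok|no-uidNumber|no-gidNumber|uid-out-of-range|gid-out-of-range"
# for the idmap range given as $1.
audit_users() {
    awk -v range="$1" '
    function flush(    status) {
        if (name == "") return
        status = "ok"
        if (uid == "")                           status = "no-uidNumber"
        else if (gid == "")                      status = "no-gidNumber"
        else if (uid + 0 < lo || uid + 0 > hi)   status = "uid-out-of-range"
        else if (gid + 0 < lo || gid + 0 > hi)   status = "gid-out-of-range"
        print name, status
        name = uid = gid = ""
    }
    BEGIN { split(range, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
    /^sAMAccountName: / { name = $2 }
    /^uidNumber: /      { uid = $2 }
    /^gidNumber: /      { gid = $2 }
    /^$/                { flush() }
    END                 { flush() }'
}

# Constructed sample: test1 carries the uid suggested in the thread, test2 a
# uid inside the range, and Guest has no rfc2307 attributes at all.
SAMPLE_LDIF='dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test1
uidNumber: 3000100
gidNumber: 20513

dn: CN=test2,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: test2
uidNumber: 10001
gidNumber: 20513

dn: CN=Guest,CN=Users,DC=chezmoi,DC=priv
sAMAccountName: Guest
'

# Run the audit over the sample with the assumed member range.
audit_sample() {
    printf '%s' "$SAMPLE_LDIF" | audit_users 10000-99999
}

# On a real DC the input would come from, e.g.:
#   ldbsearch --url=/usr/local/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber | audit_users 10000-99999
audit_sample
```

Any user reported as something other than `ok` will be invisible to `getent passwd` on the member even though `wbinfo -n` still resolves its SID, which is exactly the "winbind ignores them" behaviour Géza describes; fix the attribute or widen the range, then restart winbindd.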
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 04/08/2013 06:01 PM, François Lafont wrote:
Thank you Matthieu for your answer.
On 08/04/2013 01:37, Matthieu Patou wrote:
1) First attempt to join the domain in the member server
root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
Password for [CHEZMOI\administrator]:
Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
root@member~# ldconfig
root@member~# smbd nmbd
And now it is impossible to run winbindd.
---
root@member~# winbindd -i -d 10
[...]
pack_tdc_domains: Packing 2 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
pack_tdc_domains: Packing domain WHEEZY-2 ()
idmap config WHEEZY-2 : range = not defined
Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
Could not fetch our SID - did we join?
unable to initialize domain list
---
Hum, interesting, it would be worth checking that from a clean setup you have this issue again and again.

I have 2 virtualbox snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you exactly what I have done.

In the DC server *and* in the MEMBER server (both with static IPs), I have done this:
---
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab # I add the acl and user_xattr options for the / partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz
tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz
tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/
./configure
make
make install
cd /usr/local/src/samba-4.0.4
./configure
make
make install
echo 'export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH' >> ~/.bashrc
halt
---
Couic! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, in the DC server, I have done:
---
samba-tool domain provision # I keep the default answers each time, seems to work fine
# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo nameserver 192.168.0.21 > /etc/resolv.conf
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
---
Just for information, here is the smb.conf on the DC server after these commands:
---
# Global parameters
[global]
 workgroup = CHEZMOI
 realm = CHEZMOI.PRIV
 netbios name = WHEEZY-SERVER
 server role = active directory domain controller
 dns forwarder = 212.27.40.241

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No
---
In the MEMBER server, I have done:
---
echo nameserver 192.168.0.21 > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd
nmbd
winbindd -i -d 10
---
And boom! I have the same error which I described in my previous message. The winbindd command stops.

Just for information, here is the smb.conf in the MEMBER server:
---
[global]
 workgroup = CHEZMOI
 security = ADS
 realm = CHEZMOI.PRIV
 encrypt passwords = yes
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 idmap config CHEZMOI:backend = ad
 idmap config CHEZMOI:schema_mode = rfc2307
 idmap config CHEZMOI:range = 500-4
 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
---
Have I forgotten a step?

Are you sure that the two hosts have different names, as you are creating everything from the same base? Also could you do a net join -d 10 and attach the secrets.tdb after the first join?

2) Second attempt to join the domain in the member server. It's better but It
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 09/04/2013 09:34, Matthieu Patou wrote:
On 08/04/2013 01:37, Matthieu Patou wrote:
Then, in the DC server, I have done:
[...]
In the MEMBER server, I have done:
[...]
And boom! I have the same error which I described in my previous message. The winbindd command stops.
[...]
Are you sure that the two hosts have different names, as you are creating everything from the same base?

Yes, I'm absolutely sure, because the names of the 2 servers were set *during* the installation with a netinstall CD:
- hostname == wheezy-server for the DC server
- hostname == wheezy-2 for the MEMBER server

Also could you do a net join -d 10 and attach the secrets.tdb after the first join?

Yes, no problem. But you suggest I use this command:
net ads join -d 10 -U administrator
I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:
1. net ads join -U administrator
or
2. samba-tool domain join chezmoi.priv member -U administrator
?
So, if I understand well, you ask me to try the first command (net ads join) with the -d 10 option.

Here: http://sisco.laf.free.fr/codes/samba4.zip you'll find the output of the join command in debug mode and the secrets.*db files (before and after the join, on the member server and on the dc server):
- with the net ads join -U administrator -d 10 command
- and with the samba-tool domain join chezmoi.priv MEMBER -U administrator command

if so for the new user did you set the needed attributes ?

I have just run:
samba-tool user add test12 --random-password
That's all. Which are the needed attributes?

When you specify rfc2307 winbindd expects to use uidNumber and gidNumber in order to convert the SID to uid/gid, hence the error message.

But is the rfc2307 option in smb.conf really mandatory?

1. For example, when I install a simple Samba4 DC like this:
---
samba-tool domain provision # I keep the default answers each time
echo nameserver 192.168.0.21 > /etc/resolv.conf # The DNS is the DC itself
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
---
It seems to work fine. getent passwd, wbinfo -u, wbinfo -i user1, wbinfo -n=user1 are OK, yet there is no rfc2307 string in the default smb.conf file.

2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):
---
vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
vi /usr/local/samba/etc/smb.conf # The DC is the DNS server
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind
ldconfig
net ads join -U administrator
smbd
nmbd
winbindd
---
with this smb.conf file:
---
# No reference to rfc2307.
[global]
 workgroup = CHEZMOI
 security = ADS
 realm = CHEZMOI.PRIV
 encrypt passwords = yes
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes
---
and the member server seems to work fine. If I create a user toto on the DC:
samba-tool user add toto --random-password
On the member, I have:
root@member:~# wbinfo -i toto
toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
root@member:~# wbinfo -n=toto
S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
The only problem that I see is with:
root@member:~# wbinfo -u
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 2013-04-10 01:32, François Lafont wrote:
[...]
Re: [Samba] Samba4 member of an another « Samba4 » domain
Thank you Matthieu for your answer.

On 08/04/2013 01:37, Matthieu Patou wrote:
>> 1) First attempt to join the domain in the member server
>>
>> root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
>> Password for [CHEZMOI\administrator]:
>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>> root@member~# ldconfig
>> root@member~# smbd
>> root@member~# nmbd
>>
>> And now impossible to run winbindd.
>>
>> ---
>> root@member~# winbindd -i -d 10
>> [...]
>> pack_tdc_domains: Packing 2 trusted domains
>> pack_tdc_domains: Packing domain BUILTIN ()
>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>> idmap config WHEEZY-2 : range = not defined
>> Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
>> Could not fetch our SID - did we join?
>> unable to initialize domain list
>> ---
>
> Hum, interesting, would be worth to check that from a clean setup you have this issue again and again.

I have 2 VirtualBox snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain exactly what I have done.

On the DC server *and* on the MEMBER server (both with static IPs), I have done this:

---
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab  # I add the acl and user_xattr options for the / partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz
tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz
tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/
./configure
make
make install
cd /usr/local/src/samba-4.0.4
./configure
make
make install
echo 'export PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH' >> ~/.bashrc
halt
---

Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, on the DC server, I have done:

---
samba-tool domain provision  # I keep the default answers each time, seems to work fine
# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo nameserver 192.168.0.21 > /etc/resolv.conf
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf  # add winbind for passwd and group
ldconfig
samba
---

Just for information, here is the smb.conf on the DC server after these commands:

---
# Global parameters
[global]
    workgroup = CHEZMOI
    realm = CHEZMOI.PRIV
    netbios name = WHEEZY-SERVER
    server role = active directory domain controller
    dns forwarder = 212.27.40.241

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
---

On the MEMBER server, I have done:

---
echo nameserver 192.168.0.21 > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV  # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf  # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf  # see below
smbd
nmbd
winbindd -i -d 10
---

And boom! I have the same error that I described in my previous message. The winbindd command stops.

Just for information, here is the smb.conf on the MEMBER server:

---
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-8
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
---

Have I forgotten a step?

2) Second attempt to join the domain in the member server.

It's better but it doesn't work either.

root@member:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CHEZMOI
Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
Re: [Samba] Samba4 member of an another « Samba4 » domain
On 04/06/2013 06:08 PM, François Lafont wrote:
[Samba] Samba4 member of an another « Samba4 » domain
Hi,

I have a Samba4 domain controller installed on Debian Wheezy (Domain = CHEZMOI.PRIV). I try to install another Samba4 server which is just a member of the CHEZMOI.PRIV domain. But I don't succeed. I have followed this page: https://wiki.samba.org/index.php/Samba4/Domain_Member

But I have:

~# net ads join -U administrator
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

I don't know what to do... Do you have an idea?

--
François Lafont

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Hello,

I have progressed but it still doesn't work. I recall:
- Domain controller on Debian Wheezy (domain = chezmoi.priv) with Samba version 4.0.4 (works fine).
- I *try* to install a member of the chezmoi.priv domain on another Debian Wheezy with Samba version 4.0.4.

Below, I explain what I have done on the member server. I have made 2 attempts which don't work. Thanks in advance for your help.

Here is my /usr/local/samba/etc/smb.conf file on the member server:

---
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-8
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
---

root@member~# ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
root@member~# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Here is my /etc/nsswitch.conf file:

---
passwd: compat winbind
group: compat winbind
...
---

1) First attempt to join the domain in the member server

root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
Password for [CHEZMOI\administrator]:
Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
root@member~# ldconfig
root@member~# smbd
root@member~# nmbd

And now impossible to run winbindd.

---
root@member~# winbindd -i -d 10
INFO: Current debug levels: all: 10 tdb: 10 printdrivers: 10 lanman: 10 smb: 10 rpc_parse: 10 rpc_srv: 10 rpc_cli: 10 passdb: 10 sam: 10 auth: 10 winbind: 10 vfs: 10 idmap: 10 quota: 10 acls: 10 locking: 10 msdfs: 10 dmapi: 10 registry: 10
Maximum core file size limits now 16777216(soft) -1(hard)
winbindd version 4.0.4 started.