Not able to list domain in new samba DC


Samba - General mailing list
Hello list

Samba newbie here, looking for help.
I am trying to follow the Samba wiki to set up a domain controller and
an attendant file server.  I built Samba from 4.7.1 source and I am
installing on a set of CentOS 7 VMs.

So far everything looks ok, but when I run smbclient on the DC I get
the following, and can't see the domain presented:

[root@testbox ~]# smbclient -L localhost -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
On the file server joined to the domain:

[root@testfsrv ~]# smbclient -L testbox -U%

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

        Sharename       Type      Comment
        ---------       ----      -------
        Anonymous       Disk
        IPC$            IPC       IPC Service (Samba 4.7.1)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        SAMDOM               TESTFSRV

Please can someone tell me what I am doing wrong?
My smb.confs are:

DC:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/%m.log
        log level = 3
        tls enabled = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

File server:
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.TESTING.COM

        log file = /var/log/samba/%m.log
        log level = 1
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config  SAMDOM : range = 10000-999999
        idmap config  SAMDOM : unix_nss_info = yes
        idmap config SAMDOM:unix_primary_group = yes

        template shell = /bin/bash
        template homedir = /share/%U

        username map = /usr/local/samba/etc/user.map
        map to guest = Bad User

[Anonymous]
        path = /anonymous
        writable = yes
        browsable = yes
        guest ok = yes
        guest only = yes
        create mode = 0777
        directory mode = 0777

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Not able to list domain in new samba DC

Samba - General mailing list
On Thu, 9 Nov 2017 11:19:02 +0100
Sina Owolabi via samba <[hidden email]> wrote:

> Hello list
>
> Samba newbie here, looking for help.
> I am trying to follow the Samba wiki to set up a domain controller and
> an attendant file server.  I built Samba from 4.7.1 source and I am
> installing on a set of CentOS 7 VMs.
>
> So far everything looks ok, but when I run smbclient on the DC I get
> the following, and can't see the domain presented:
>
> Please can someone tell me what I am doing wrong?

Not reading the release notes ;-)

See here:
https://wiki.samba.org/index.php/Samba_4.7_Features_added/changed

'smbclient' no longer prints a 'Domain=[...] OS=[Windows 6.1]
Server=[...]' banner when connecting to the first server.

Rowland




Re: Not able to list domain in new samba DC

Samba - General mailing list
On Thu, 9 Nov 2017 12:56:35 +0100
Sina Owolabi <[hidden email]> wrote:

> Thanks a lot :-)
> Does this mean my current configuration is correct?
>

Yes, as far as it goes, as long as you have added uidNumber attributes
to the users in AD, containing a unique number inside the range
'10000-999999', and they also have a gidNumber that points to a group
that has a gidNumber attribute containing the same number, with this
number also inside the '10000-999999' range.
NOTE: these uidNumber & gidNumber attributes are not added
automatically.

I would also add:

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

Rowland
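One way to check the attribute rule Rowland gives above before relying on the 'ad' idmap backend, as an added example that is not part of this thread or of Samba: feed LDIF-style output (the shape `samba-tool user show` and `ldbsearch` print) through the script below. The LDIF here is constructed, the range is the posted `idmap config SAMDOM : range`, and base64 ('::') attribute values are assumed not to occur.

```python
"""Verify the RFC2307 attributes that 'idmap config SAMDOM : backend = ad' relies on.

Added example, not from the thread or from the Samba project.  It parses
LDIF-style text and applies the rule stated in the thread: each user needs a
unique uidNumber inside the configured range and a gidNumber equal to the
gidNumber of a real group, also inside the range.  Base64 ('::') values are
not handled.
"""

# Assumed to match 'idmap config SAMDOM : range = 10000-999999' from the thread.
IDMAP_RANGE = (10000, 999999)

# Constructed sample output; not real directory data.
SAMPLE_LDIF = """\
dn: CN=testsina,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
sAMAccountName: testsina
uidNumber: 10001
gidNumber: 10000

dn: CN=testakin,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
sAMAccountName: testakin
uidNumber: 10002

dn: CN=testigein,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
sAMAccountName: testigein
uidNumber: 5000
gidNumber: 10000

dn: CN=testdup,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: user
sAMAccountName: testdup
uidNumber: 10001
gidNumber: 20000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=testing,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000
"""


def parse_ldif(text):
    """Split LDIF into records: one dict of attribute -> [values] per blank-line-separated block."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def check_rfc2307(ldif_text, id_range=IDMAP_RANGE):
    """Return {sAMAccountName: [problem, ...]} for users the ad backend cannot map cleanly."""
    lo, hi = id_range

    def in_range(v):
        return v.isdigit() and lo <= int(v) <= hi

    records = parse_ldif(ldif_text)
    # Groups usable as a primary group: those carrying a gidNumber inside the range.
    group_gids = {g for r in records if "group" in r.get("objectClass", [])
                  for g in r.get("gidNumber", []) if in_range(g)}
    users = [r for r in records if "user" in r.get("objectClass", [])]

    # Who claims each uidNumber, so collisions are reported (the rule asks for unique numbers).
    owners = {}
    for r in users:
        for u in r.get("uidNumber", []):
            owners.setdefault(u, []).append(r.get("sAMAccountName", ["?"])[0])

    problems = {}
    for r in users:
        name = r.get("sAMAccountName", ["?"])[0]
        errs = []
        uid = r.get("uidNumber", [None])[0]
        if uid is None:
            errs.append("missing uidNumber")
        elif not in_range(uid):
            errs.append(f"uidNumber {uid} outside {lo}-{hi}")
        else:
            others = [n for n in owners[uid] if n != name]
            if others:
                errs.append(f"uidNumber {uid} also used by {', '.join(others)}")
        gid = r.get("gidNumber", [None])[0]
        if gid is None:
            errs.append("missing gidNumber")
        elif gid not in group_gids:
            errs.append(f"gidNumber {gid} matches no group with an in-range gidNumber")
        if errs:
            problems[name] = errs
    return problems


if __name__ == "__main__":
    for user, errs in check_rfc2307(SAMPLE_LDIF).items():
        print(f"{user}: {'; '.join(errs)}")
```

On a real DC you would replace SAMPLE_LDIF with the output of an `ldbsearch` against sam.ldb (the path of that file depends on how Samba was installed) requesting objectClass, sAMAccountName, uidNumber and gidNumber; the check then lists every user that winbind on the member server will silently fail to resolve.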


Re: Not able to list domain in new samba DC

Samba - General mailing list
Thanks Rowland!

My current configs are:

DC:

# Global parameters
[global]
        dns forwarder = 8.8.8.8
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        log file = /var/log/samba/%m.log
        log level = 3
        tls enabled = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config  SAMDOM : range = 10000-999999
        idmap config  SAMDOM : unix_nss_info = yes
        idmap config SAMDOM:unix_primary_group = yes

        template shell = /bin/bash
        template homedir = /share/%U

        username map = /usr/local/samba/etc/user.map
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/samdom.testing.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Domain member/file server:

[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.TESTING.COM

        log file = /var/log/samba/%m.log
        log level = 1
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config  SAMDOM : range = 10000-999999
        idmap config  SAMDOM : unix_nss_info = yes
        idmap config SAMDOM:unix_primary_group = yes

        template shell = /bin/bash
        template homedir = /share/%U

        username map = /usr/local/samba/etc/user.map
        map to guest = Bad User

[Anonymous]
        path = /anonymous
        writable = yes
        browsable = yes
        guest ok = yes
        guest only = yes
        create mode = 0777
        directory mode = 0777

[Demo]
        path = /srv/samba/Demo/
        read only = no

I was trying to walk through the creating shares bit and I noticed
that getent passwd and getent group don't work.
Am I missing something else?



Re: Not able to list domain in new samba DC

Samba - General mailing list
On Thu, 9 Nov 2017 15:17:22 +0100
Sina Owolabi <[hidden email]> wrote:

> Thanks Rowland!
>
> My current configs are:
>
> DC:
>
> # Global parameters
> [global]
>         dns forwarder = 8.8.8.8
>         netbios name = TESTBOX
>         realm = SAMDOM.TESTING.COM
>         server role = active directory domain controller
>         workgroup = SAMDOM
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/%m.log
>         log level = 3
>         tls enabled = yes
>         template shell = /bin/bash
>         template homedir = /share/%U

See notes below:

>         vfs objects = acl_xattr
>         map acl inherit = yes
>         store dos attributes = yes
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         idmap config * : backend = tdb
>         idmap config * : range = 3000-7999
>         idmap config SAMDOM:backend = ad
>         idmap config SAMDOM:schema_mode = rfc2307
>         idmap config  SAMDOM : range = 10000-999999
>         idmap config  SAMDOM : unix_nss_info = yes
>         idmap config SAMDOM:unix_primary_group = yes
>         username map = /usr/local/samba/etc/user.map

I think you may have misunderstood me: the 13 lines above should NEVER
be added to the smb.conf on a DC; they belong in a Unix domain
member smb.conf (except for the 'winbind enum' lines, and they should
only be used for testing purposes).

>
> Domain member/file server:

>         idmap_ldb:use rfc2307 = yes

This line should only be in a DC smb.conf

> I was trying to walk through the creating shares bit and I noticed
> that getent passwd and getent group don't work.
> Am I missing something else?
>

Have you set up libnss_winbind ?

Rowland
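The split Rowland describes, turned into a check you can run over an smb.conf before restarting Samba, as an added example that is not part of this thread or of Samba itself. The rule set is only what this thread states (member-only idmap/ACL/username-map lines, DC-only 'idmap_ldb:use rfc2307', 'winbind enum' for testing), not a complete list; the two configs embedded below are constructed from the ones posted earlier in the thread.

```python
"""Lint an smb.conf [global] section for parameters that do not belong to its server role.

Added example, not code from the thread or from Samba.  The rules are those
given in this thread and nothing more: idmap config lines, 'vfs objects',
'map acl inherit', 'store dos attributes' and 'username map' belong in a Unix
domain member's smb.conf; 'idmap_ldb:use rfc2307' belongs only on a DC;
'winbind enum users/groups' are for testing.  Parameter names are compared
with whitespace removed and lower-cased, so 'idmap config  SAMDOM : range'
and 'idmap config SAMDOM:range' are the same key, as Samba treats them.
"""
import re

MEMBER_ONLY = {"vfsobjects", "mapaclinherit", "storedosattributes", "usernamemap"}
MEMBER_ONLY_PREFIX = "idmapconfig"
DC_ONLY = {"idmap_ldb:userfc2307"}
TESTING_ONLY = {"winbindenumusers", "winbindenumgroups"}

# Constructed from the DC config posted in the thread (trimmed).
DC_CONF = """\
# Global parameters
[global]
        netbios name = TESTBOX
        realm = SAMDOM.TESTING.COM
        server role = active directory domain controller
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        vfs objects = acl_xattr
        map acl inherit = yes
        store dos attributes = yes
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config SAMDOM:schema_mode = rfc2307
        idmap config  SAMDOM : range = 10000-999999
        idmap config  SAMDOM : unix_nss_info = yes
        idmap config SAMDOM:unix_primary_group = yes
        template shell = /bin/bash
        template homedir = /share/%U
        username map = /usr/local/samba/etc/user.map

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
"""

# Constructed from the member config posted in the thread (trimmed).
MEMBER_CONF = """\
[global]
        security = ADS
        workgroup = SAMDOM
        realm = SAMDOM.TESTING.COM
        winbind enum groups = Yes
        winbind enum users = Yes
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config SAMDOM:backend = ad
        idmap config  SAMDOM : range = 10000-999999
        username map = /usr/local/samba/etc/user.map
"""


def _norm(key):
    return re.sub(r"\s+", "", key).lower()


def parse_global(text):
    """Return [(key, value), ...] from the [global] section, in file order."""
    params, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params.append((key, value))
    return params


def detect_role(params):
    """'dc', 'member' or 'unknown', from 'server role' and 'security'."""
    values = {_norm(k): v.lower() for k, v in params}
    role = values.get("serverrole", "")
    if "domain controller" in role:
        return "dc"
    if values.get("security") == "ads" or "member" in role:
        return "member"
    return "unknown"


def lint_smb_conf(text):
    """Return the detected role, misplaced parameters and testing-only parameters."""
    params = parse_global(text)
    role = detect_role(params)
    misplaced, testing = [], []
    for key, _ in params:
        n = _norm(key)
        if n in TESTING_ONLY:
            testing.append(key)
        elif role == "dc" and (n in MEMBER_ONLY or n.startswith(MEMBER_ONLY_PREFIX)):
            misplaced.append(key)
        elif role == "member" and n in DC_ONLY:
            misplaced.append(key)
    return {"role": role, "misplaced": misplaced, "testing_only": testing}


if __name__ == "__main__":
    for label, conf in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        print(label, lint_smb_conf(conf))
```

Run against the thread's DC config it reports exactly the 13 lines Rowland objects to (11 misplaced plus the two 'winbind enum' lines), and against the member config it reports only 'idmap_ldb:use rfc2307'. The parser stops at '=' in a line, so a value containing '=' is kept intact; it does not expand 'include =' directives.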


Re: Not able to list domain in new samba DC

Samba - General mailing list
Yes I did setup libnss_winbind.
wbinfo -u and -g on the domain member both work:

[root@testfsrv ~]# wbinfo -u
SAMDOM\testakin
SAMDOM\testsina
SAMDOM\testigein
SAMDOM\administrator
SAMDOM\krbtgt
SAMDOM\guest
[root@testfsrv ~]# wbinfo -g
SAMDOM\allowed rodc password replication group
SAMDOM\enterprise read-only domain controllers
SAMDOM\denied rodc password replication group
SAMDOM\read-only domain controllers
SAMDOM\group policy creator owners
SAMDOM\ras and ias servers
SAMDOM\domain controllers
SAMDOM\enterprise admins
SAMDOM\domain computers
SAMDOM\cert publishers
SAMDOM\dnsupdateproxy
SAMDOM\domain admins
SAMDOM\domain guests
SAMDOM\schema admins
SAMDOM\domain users
SAMDOM\dnsadmins


Re: Not able to list domain in new samba DC

Samba - General mailing list
On Thu, 9 Nov 2017 15:58:04 +0100
Sina Owolabi <[hidden email]> wrote:

> Yes I did setup libnss_winbind.
> wbinfo -u and -g on the domain member both work:

All 'wbinfo -u' and 'wbinfo -g' prove is that winbind can connect to
AD; it does not prove that the Unix OS knows who the users are.

'getent passwd username' should produce something like this:

rowland@devstation:~$ getent passwd rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

What OS is this and how have you set up libnss_winbind ?

Rowland


Re: Not able to list domain in new samba DC

Samba - General mailing list
It's CentOS 7 and I thought all I had to do was set up nsswitch.conf for it to work.



Re: Not able to list domain in new samba DC

Samba - General mailing list
On Thu, 9 Nov 2017 17:24:03 +0100
Sina Owolabi <[hidden email]> wrote:

> It's CentOS 7 and I thought all I had to do was set up nsswitch.conf
> for it to work.
>
>

Unfortunately no; if it was Debian, I could tell you exactly how to set
up libnss_winbind.

I have set up CentOS 7 recently and this worked for me. YMMV:

authconfig --enablekrb5 --enablewinbind --enablewinbindauth --enablemkhomedir --update

Rowland
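Rowland's triage (wbinfo working but getent empty means the NSS side, not winbind, is broken) as a small offline check, added here as an example that is not part of the thread or of Samba. It works on text you have already captured from `cat /etc/nsswitch.conf` and `getent passwd <user>` rather than running those tools; the inputs embedded below are constructed, and the id range is the posted `idmap config SAMDOM : range`.

```python
"""Triage the OS side of name resolution: nsswitch.conf plus a `getent passwd` line.

Added example, not from the thread or from Samba.  Encodes the distinction
made in the thread: 'wbinfo -u' only shows winbind reaches AD.  An empty
'getent' with winbind absent from nsswitch.conf is an NSS wiring problem;
an empty 'getent' with winbind present points at libnss_winbind itself or at
missing uidNumber/gidNumber attributes in AD; a line with ids outside the
configured range means the mapping did not come from the 'ad' backend.
"""

IDMAP_RANGE = (10000, 999999)  # assumed: 'idmap config SAMDOM : range' from the thread

# Constructed inputs, not captured from a real host.
NSS_OK = "passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n"
NSS_NO_WINBIND = "passwd:     files sss\nshadow:     files\ngroup:      files sss\n"
GETENT_OK = "testsina:*:10001:10000:Test Sina:/share/testsina:/bin/bash"
GETENT_LOW = "testsina:*:3001:3001:Test Sina:/share/testsina:/bin/bash"


def nss_sources(text):
    """Map NSS database name -> list of sources, from nsswitch.conf text."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        sources[db.strip()] = rest.split()
    return sources


def diagnose(nsswitch_text, getent_output, id_range=IDMAP_RANGE):
    """Return (status, detail); status is one of nss, resolve, format, range, ok."""
    nss = nss_sources(nsswitch_text)
    missing = [db for db in ("passwd", "group") if "winbind" not in nss.get(db, [])]
    line = getent_output.strip()

    if not line:  # getent printed nothing: the user is unknown to the OS
        if missing:
            return ("nss", f"nsswitch.conf lacks winbind for: {', '.join(missing)}")
        return ("resolve", "winbind is listed in nsswitch.conf but the user did not resolve; "
                           "check libnss_winbind is installed and the user's uidNumber/gidNumber in AD")

    fields = line.split(":")  # passwd(5): name:passwd:uid:gid:gecos:home:shell
    if len(fields) != 7:
        return ("format", "not a passwd(5) line")
    name, _, uid, gid, _, home, shell = fields
    lo, hi = id_range
    bad = [f"{what} {val}" for what, val in (("uid", uid), ("gid", gid))
           if not (val.isdigit() and lo <= int(val) <= hi)]
    if bad:
        return ("range", f"{name}: {' and '.join(bad)} outside {lo}-{hi}")
    if missing:
        return ("nss", f"{name} resolved, but nsswitch.conf lacks winbind for: {', '.join(missing)}")
    return ("ok", f"{name} -> uid {uid} gid {gid} home {home} shell {shell}")


if __name__ == "__main__":
    for nss, got in ((NSS_NO_WINBIND, ""), (NSS_OK, ""), (NSS_OK, GETENT_OK), (NSS_OK, GETENT_LOW)):
        print(diagnose(nss, got))
```

The name field is whatever getent prints, so a 'SAMDOM\testsina' style name (as in the wbinfo output earlier in the thread) is accepted as-is; the check cares about the uid and gid columns, which must come from the AD attributes for the 'ad' backend to have done its job.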


Re: Not able to list domain in new samba DC

Samba - General mailing list
On Fri, 10 Nov 2017 11:04:15 +0100
Sina Owolabi <[hidden email]> wrote:

> Thank you thank you thank you thank you
> It worked!
> I'd been fighting with the source build for so long.
> Please do you have any extra notes for multiple domain controllers
> and the like? I would really appreciate them!
>

Yes, it is called the 'Samba wiki' ;-)

See here:

https://wiki.samba.org/index.php/Main_Page

Rowland


Re: Not able to list domain in new samba DC

Samba - General mailing list
Awww that has been the bane of my last three weeks with it.
Lots of conflicting and old information in there.
And so many changes!
Last time I set up Samba was about 5 years ago.
My scripts are unrecognizable now.
