
Samba4 member of an another « Samba4 » domain


Samba4 member of an another « Samba4 » domain

Francois Lafont-2
Hi,

I have a Samba4 domain controller installed on Debian Wheezy (Domain = CHEZMOI.PRIV). I am trying to install another Samba4 server which is just a member of the CHEZMOI.PRIV domain, but I don't succeed. I have followed this page:

https://wiki.samba.org/index.php/Samba4/Domain_Member

But I get:

~#  net ads join -U administrator
Enter administrator's password:
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials
Failed to join domain: failed to connect to AD: Invalid credentials

I don't know what to do... Do you have an idea?

--
François Lafont

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba4 member of an another « Samba4 » domain

lucrol
Did you try using root instead of administrator?


Re: Samba4 member of an another « Samba4 » domain

François Lafont
Hello,

I have made progress but it still doesn't work. To recap:

- Domain controller on Debian Wheezy (domain = chezmoi.priv) with Samba version 4.0.4 (works fine).
- I *try* to install a member of the "chezmoi.priv" domain on another Debian Wheezy with Samba version 4.0.4.

Below, I explain what I have done on the member server. I have made 2 attempts which don't work. Thanks in advance for your help.


Here is my /usr/local/samba/etc/smb.conf file on the member server:

-----------------------------------------------
[global]
   workgroup = CHEZMOI
   security = ADS
   realm = CHEZMOI.PRIV
   encrypt passwords = yes
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config CHEZMOI:backend = ad
   idmap config CHEZMOI:schema_mode = rfc2307
   idmap config CHEZMOI:range = 500-40000
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
-----------------------------------------------

root@member~# ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
root@member~# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

Here is my /etc/nsswitch.conf file:

-----------------------------------------------
passwd:         compat winbind
group:          compat winbind
...
-----------------------------------------------


1) First attempt to join the domain in the member server

root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
Password for [CHEZMOI\administrator]:
Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)

root@member~# ldconfig

root@member~# smbd && nmbd

And now it is impossible to run winbindd.

-----------------------------------------------
root@member~# winbindd -i -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
Maximum core file size limits now 16777216(soft) -1(hard)
winbindd version 4.0.4 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = CHEZMOI
doing parameter security = ADS
doing parameter realm = CHEZMOI.PRIV
doing parameter encrypt passwords = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 70001-80000
doing parameter idmap config CHEZMOI:backend = ad
doing parameter idmap config CHEZMOI:schema_mode = rfc2307
doing parameter idmap config CHEZMOI:range = 500-40000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Maximum core file size limits now 16777216(soft) -1(hard)
Registering messaging pointer for type 2 - private_data=(nil)
Registering messaging pointer for type 9 - private_data=(nil)
Registered MSG_REQ_POOL_USAGE
Registering messaging pointer for type 11 - private_data=(nil)
Registering messaging pointer for type 12 - private_data=(nil)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Registering messaging pointer for type 1 - private_data=(nil)
Registering messaging pointer for type 5 - private_data=(nil)
lp_load_ex: refreshing parameters
Freeing parametrics:
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = CHEZMOI
doing parameter security = ADS
doing parameter realm = CHEZMOI.PRIV
doing parameter encrypt passwords = yes
doing parameter idmap config *:backend = tdb
doing parameter idmap config *:range = 70001-80000
doing parameter idmap config CHEZMOI:backend = ad
doing parameter idmap config CHEZMOI:schema_mode = rfc2307
doing parameter idmap config CHEZMOI:range = 500-40000
doing parameter winbind nss info = rfc2307
doing parameter winbind trusted domains only = no
doing parameter winbind use default domain = yes
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="WHEEZY-2"
added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
Process with PID=2689 does not exist.
Deleting /usr/local/samba/var/run/winbindd.pid, since 2689 is not a Samba process.
fcntl_lock 8 6 0 1 1
fcntl_lock: Lock call successful
TimeInit: Serverzone is -7200
initialize_winbindd_cache: clearing cache and re-creating with version number 2
check lock order 2 for /usr/local/samba/var/lock/serverid.tdb
lock order:  1:<none> 2:/usr/local/samba/var/lock/serverid.tdb 3:<none>
Locking key 870A000000000000FFFF
Allocated locked data 0x0x2136700
Unlocking key 870A000000000000FFFF
release lock order 2 for /usr/local/samba/var/lock/serverid.tdb
lock order:  1:<none> 2:<none> 3:<none>
Registering messaging pointer for type 33 - private_data=(nil)
Registering messaging pointer for type 13 - private_data=(nil)
Registering messaging pointer for type 1028 - private_data=(nil)
Registering messaging pointer for type 1027 - private_data=(nil)
Registering messaging pointer for type 1029 - private_data=(nil)
Registering messaging pointer for type 1280 - private_data=(nil)
Registering messaging pointer for type 1032 - private_data=(nil)
Registering messaging pointer for type 1033 - private_data=(nil)
Registering messaging pointer for type 1034 - private_data=(nil)
Registering messaging pointer for type 1 - private_data=(nil)
Overriding messaging pointer for type 1 - private_data=(nil)
wcache_tdc_add_domain: Adding domain BUILTIN (), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x0
pack_tdc_domains: Packing 1 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
idmap config BUILTIN : range = not defined
Added domain BUILTIN  S-1-5-32
wcache_tdc_add_domain: Adding domain WHEEZY-2 (), SID S-1-5-21-210096926-4033722923-1792459932, flags = 0x0, attributes = 0x0, type = 0x0
pack_tdc_domains: Packing 2 trusted domains
pack_tdc_domains: Packing domain BUILTIN ()
pack_tdc_domains: Packing domain WHEEZY-2 ()
idmap config WHEEZY-2 : range = not defined
Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
Could not fetch our SID - did we join?
unable to initialize domain list
-----------------------------------------------

Bang!!! The command stops.


2) Second attempt to join the domain in the member server. It's better but it doesn't work either.

root@member:~# net ads join -U administrator
Enter administrator's password:
Using short domain name -- CHEZMOI
Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

root@member:~# ldconfig
root@member:~# smbd && nmbd
root@member:~# winbindd -i -d 10

And winbindd seems to be OK. I have:

root@member:~# wbinfo -u
administrator
krbtgt
test10
test11
guest
test1
test2
test3
test4
test5
test6
...

root@member:~# wbinfo -i test9
test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false

But if I create a user on the domain controller server:

root@dc:~# samba-tool user add test12 --random-password
User 'test12' created successfully

then on the member server:

root@member:~# wbinfo -i test12
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user test12

Here is the stdout of winbindd during the command:

-----------------------------------------------
           info                     : *
                info: struct wbint_userinfo
                    acct_name                : *
                        acct_name                : 'test12'
                    full_name                : NULL
                    homedir                  : NULL
                    shell                    : NULL
                    primary_gid              : 0x00000000ffffffff (4294967295)
                    user_sid                 : S-1-5-21-3370545617-3166960116-3193249687-1115
                    group_sid                : S-1-5-21-3370545617-3166960116-3193249687-513
            result                   : NT_STATUS_NOT_FOUND
Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115: NT_STATUS_NOT_FOUND
wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
winbind_client_response_written[2813:GETPWNAM]: delivered response to client
closing socket 23, client exited
-----------------------------------------------

Sorry for this long message.


--
François Lafont

Re: Samba4 member of an another « Samba4 » domain

Matthieu Patou-7
On 04/06/2013 06:08 PM, François Lafont wrote:

> Hello,
>
> I have made progress but it still doesn't work. To recap:
>
> - Domain controller on Debian Wheezy (domain = chezmoi.priv) with Samba version 4.0.4 (works fine).
> - I *try* to install a member of the "chezmoi.priv" domain on another Debian Wheezy with Samba version 4.0.4.
>
> Below, I explain what I have done on the member server. I have made 2 attempts which don't work. Thanks in advance for your help.
>
>
> Here is my /usr/local/samba/etc/smb.conf file on the member server:
>
> -----------------------------------------------
> [global]
>     workgroup = CHEZMOI
>     security = ADS
>     realm = CHEZMOI.PRIV
>     encrypt passwords = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config CHEZMOI:backend = ad
>     idmap config CHEZMOI:schema_mode = rfc2307
>     idmap config CHEZMOI:range = 500-40000
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
> -----------------------------------------------
>
> root@member~# ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> root@member~# ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> Here is my /etc/nsswitch.conf file:
>
> -----------------------------------------------
> passwd:         compat winbind
> group:          compat winbind
> ...
> -----------------------------------------------
>
>
> 1) First attempt to join the domain in the member server
>
> root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
> Password for [CHEZMOI\administrator]:
> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>
> root@member~# ldconfig
>
> root@member~# smbd && nmbd
>
> And now it is impossible to run winbindd.
>
> -----------------------------------------------
> root@member~# winbindd -i -d 10
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
> Maximum core file size limits now 16777216(soft) -1(hard)
> winbindd version 4.0.4 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = CHEZMOI
> doing parameter security = ADS
> doing parameter realm = CHEZMOI.PRIV
> doing parameter encrypt passwords = yes
> doing parameter idmap config *:backend = tdb
> doing parameter idmap config *:range = 70001-80000
> doing parameter idmap config CHEZMOI:backend = ad
> doing parameter idmap config CHEZMOI:schema_mode = rfc2307
> doing parameter idmap config CHEZMOI:range = 500-40000
> doing parameter winbind nss info = rfc2307
> doing parameter winbind trusted domains only = no
> doing parameter winbind use default domain = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Maximum core file size limits now 16777216(soft) -1(hard)
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> lp_load_ex: refreshing parameters
> Freeing parametrics:
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = CHEZMOI
> doing parameter security = ADS
> doing parameter realm = CHEZMOI.PRIV
> doing parameter encrypt passwords = yes
> doing parameter idmap config *:backend = tdb
> doing parameter idmap config *:range = 70001-80000
> doing parameter idmap config CHEZMOI:backend = ad
> doing parameter idmap config CHEZMOI:schema_mode = rfc2307
> doing parameter idmap config CHEZMOI:range = 500-40000
> doing parameter winbind nss info = rfc2307
> doing parameter winbind trusted domains only = no
> doing parameter winbind use default domain = yes
> doing parameter winbind enum users = yes
> doing parameter winbind enum groups = yes
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="WHEEZY-2"
> added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0
> Process with PID=2689 does not exist.
> Deleting /usr/local/samba/var/run/winbindd.pid, since 2689 is not a Samba process.
> fcntl_lock 8 6 0 1 1
> fcntl_lock: Lock call successful
> TimeInit: Serverzone is -7200
> initialize_winbindd_cache: clearing cache and re-creating with version number 2
> check lock order 2 for /usr/local/samba/var/lock/serverid.tdb
> lock order:  1:<none> 2:/usr/local/samba/var/lock/serverid.tdb 3:<none>
> Locking key 870A000000000000FFFF
> Allocated locked data 0x0x2136700
> Unlocking key 870A000000000000FFFF
> release lock order 2 for /usr/local/samba/var/lock/serverid.tdb
> lock order:  1:<none> 2:<none> 3:<none>
> Registering messaging pointer for type 33 - private_data=(nil)
> Registering messaging pointer for type 13 - private_data=(nil)
> Registering messaging pointer for type 1028 - private_data=(nil)
> Registering messaging pointer for type 1027 - private_data=(nil)
> Registering messaging pointer for type 1029 - private_data=(nil)
> Registering messaging pointer for type 1280 - private_data=(nil)
> Registering messaging pointer for type 1032 - private_data=(nil)
> Registering messaging pointer for type 1033 - private_data=(nil)
> Registering messaging pointer for type 1034 - private_data=(nil)
> Registering messaging pointer for type 1 - private_data=(nil)
> Overriding messaging pointer for type 1 - private_data=(nil)
> wcache_tdc_add_domain: Adding domain BUILTIN (), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x0
> pack_tdc_domains: Packing 1 trusted domains
> pack_tdc_domains: Packing domain BUILTIN ()
> idmap config BUILTIN : range = not defined
> Added domain BUILTIN  S-1-5-32
> wcache_tdc_add_domain: Adding domain WHEEZY-2 (), SID S-1-5-21-210096926-4033722923-1792459932, flags = 0x0, attributes = 0x0, type = 0x0
> pack_tdc_domains: Packing 2 trusted domains
> pack_tdc_domains: Packing domain BUILTIN ()
> pack_tdc_domains: Packing domain WHEEZY-2 ()
> idmap config WHEEZY-2 : range = not defined
> Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
> Could not fetch our SID - did we join?
> unable to initialize domain list
> -----------------------------------------------
Hmm, interesting, it would be worth checking that from a clean setup you
have this issue again and again.



> Bang!!! The command stops.
>
>
> 2) Second attempt to join the domain in the member server. It's better but it doesn't work either.
>
> root@member:~# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- CHEZMOI
> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> root@member:~# ldconfig
> root@member:~# smbd && nmbd
> root@member:~# winbindd -i -d 10
>
> And winbindd seems to be OK. I have:
>
> root@member:~# wbinfo -u
> administrator
> krbtgt
> test10
> test11
> guest
> test1
> test2
> test3
> test4
> test5
> test6
> ...
>
> root@member:~# wbinfo -i test9
> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>
> But if I create a user on the domain controller server:
>
> root@dc:~# samba-tool user add test12 --random-password
> User 'test12' created successfully
>
> then on the member server:
>
> root@member:~# wbinfo -i test12
> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for user test12
>
> Here is the stdout of winbindd during the command:
>
> -----------------------------------------------
>             info                     : *
>                  info: struct wbint_userinfo
>                      acct_name                : *
>                          acct_name                : 'test12'
>                      full_name                : NULL
>                      homedir                  : NULL
>                      shell                    : NULL
>                      primary_gid              : 0x00000000ffffffff (4294967295)
>                      user_sid                 : S-1-5-21-3370545617-3166960116-3193249687-1115
>                      group_sid                : S-1-5-21-3370545617-3166960116-3193249687-513
>              result                   : NT_STATUS_NOT_FOUND
> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115: NT_STATUS_NOT_FOUND
> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
> winbind_client_response_written[2813:GETPWNAM]: delivered response to client
> closing socket 23, client exited
> -----------------------------------------------
Don't you have rfc2307 configured? If so, did you set the needed
attributes for the new user?

Matthieu.


--
Matthieu Patou
Samba Team
http://samba.org


Re: Samba4 member of an another « Samba4 » domain

François Lafont
Thank you Matthieu for your answer.

On 08/04/2013 01:37, Matthieu Patou wrote:

>> 1) First attempt to join the domain in the member server
>>
>> root@member~# samba-tool domain join chezmoi.priv member -U
>> administrator --realm=chezmoi.priv
>> Password for [CHEZMOI\administrator]:
>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>
>> root@member~# ldconfig
>>
>> root@member~# smbd && nmbd
>>
>> And now impossible to run winbindd.
>>
>> -----------------------------------------------
>> root@member~# winbindd -i -d 10

[...]

>> pack_tdc_domains: Packing 2 trusted domains
>> pack_tdc_domains: Packing domain BUILTIN ()
>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>> idmap config WHEEZY-2 : range = not defined
>> Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
>> Could not fetch our SID - did we join?
>> unable to initialize domain list
>> -----------------------------------------------
> Hum, interesting, would be worth to check that from a clean setup you
> have this issue again and again.

I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you exactly what I have done.

In the DC server *and* in the MEMBER server (both with static IPs), I have done this:

-----------------------------------------------
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
vi /etc/fstab # I add the acl and user_xattr options for the "/" partition
mount -o remount /
cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
halt
-----------------------------------------------

Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, in the DC server, I have done:

-----------------------------------------------
samba-tool domain provision # I keep the default answers each time, seems to work fine

# 192.168.0.21 = IP of the DC server, which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-----------------------------------------------

Just for information, here is the smb.conf on the DC server after these commands:

-----------------------------------------------
# Global parameters
[global]
        workgroup = CHEZMOI
        realm = CHEZMOI.PRIV
        netbios name = WHEEZY-SERVER
        server role = active directory domain controller
        dns forwarder = 212.27.40.241

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
-----------------------------------------------

In the MEMBER server, I have done:

-----------------------------------------------
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
vi /usr/local/samba/etc/smb.conf # see below
smbd && nmbd
winbindd -i -d 10
-----------------------------------------------

And bang! I have the same error that I described in my previous message. The winbindd command stops.

Just for information, here is the smb.conf on the MEMBER server:

-----------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-40000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
-----------------------------------------------

Have I forgotten a step?

>> 2) Second attempt to join the domain in the member server. It's better
>> but it doesn't work either.
>>
>> root@member:~# net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- CHEZMOI
>> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
>> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> root@member:~# ldconfig
>> root@member:~# smbd && nmbd
>> root@member:~# winbindd -i -d 10
>>
>> And winbindd seems to be ok. I have :
>>
>> root@member:~# wbinfo -u
>> administrator
>> krbtgt
>> test10
>> test11
>> guest
>> test1
>> test2
>> test3
>> test4
>> test5
>> test6
>> ...
>>
>> root@member:~# wbinfo -i test9
>> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>>
>> But if I create an user in the domain controller server:
>>
>> root@dc:~# samba-tool user add test12 --random-password
>> User 'test12' created successfully
>>
>> after in the member server:
>>
>> root@member:~# wbinfo -i test12
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user test12
>>
>> Here is the stdout of winbindd during the command :
>>
>> -----------------------------------------------
>>             info                     : *
>>                  info: struct wbint_userinfo
>>                      acct_name                : *
>>                          acct_name                : 'test12'
>>                      full_name                : NULL
>>                      homedir                  : NULL
>>                      shell                    : NULL
>>                      primary_gid              : 0x00000000ffffffff
>> (4294967295)
>>                      user_sid                 :
>> S-1-5-21-3370545617-3166960116-3193249687-1115
>>                      group_sid                :
>> S-1-5-21-3370545617-3166960116-3193249687-513
>>              result                   : NT_STATUS_NOT_FOUND
>> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
>> NT_STATUS_NOT_FOUND
>> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
>> winbind_client_response_written[2813:GETPWNAM]: delivered response to
>> client
>> closing socket 23, client exited
>> -----------------------------------------------
> Don't you have rfc2307 configured ?

The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly like above in this message. So, I have « winbind nss info = rfc2307 » in the smb.conf of the MEMBER server.

> if so for the new user did you set the needed attributes ?

I have just run: samba-tool user add test12 --random-password
That's all. What are the needed attributes?

Thanks for your help.

--
François Lafont
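As an added example (my own code, not from this thread or from the Samba project), the `idmap config` lines of the member server's smb.conf posted above are parsed and sanity-checked, and a small model shows how winbind picks a Unix UID under `idmap config CHEZMOI:backend = ad` versus the `*` fallback with `tdb`. With the `ad` backend the UID is the user's rfc2307 `uidNumber` attribute and must lie inside the configured range; a user created with a bare `samba-tool user add` has no such attribute, so the lookup returns no mapping, which is the situation behind Matthieu's question about "the needed attributes". A domain without its own idmap block is served from the `*` range (the UID 70004 reported for test9 above lies in that 70001-80000 range). The sample config and the user attributes are constructed for the example, and the in-memory allocator is a stand-in for winbind's idmap.tdb, not Samba's real code.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the idmap-relevant part of the member server's smb.conf
# as posted in the thread.
SMB_CONF = """\
[global]
   workgroup = CHEZMOI
   security = ADS
   realm = CHEZMOI.PRIV
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config CHEZMOI:backend = ad
   idmap config CHEZMOI:schema_mode = rfc2307
   idmap config CHEZMOI:range = 500-40000
   winbind nss info = rfc2307
"""

# idmap config <DOMAIN>:<option> = <value>
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect idmap options per domain; '*' is the fallback for unlisted domains."""
    domains: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3).lower()
            domains.setdefault(dom, {})[opt] = val
    return domains


def parse_range(text: str) -> Tuple[int, int]:
    """'70001-80000' (spaces tolerated) -> (70001, 80000)."""
    lo, hi = text.replace(" ", "").split("-", 1)
    return int(lo), int(hi)


def check_config(domains: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the findings a reviewer would flag before trusting this idmap setup."""
    findings: List[str] = []
    seen: List[Tuple[str, int, int]] = []
    if "*" not in domains:
        findings.append("no 'idmap config *' block: users from unlisted domains cannot be mapped")
    for dom, cfg in domains.items():
        backend = cfg.get("backend")
        if backend is None:
            findings.append(f"{dom}: backend not set")
        if "range" not in cfg:
            findings.append(f"{dom}: range not defined")  # same wording winbind logs
            continue
        lo, hi = parse_range(cfg["range"])
        if lo >= hi:
            findings.append(f"{dom}: empty range {lo}-{hi}")
        if lo < 1000:
            # Debian allocates regular user UIDs from 1000; lower IDs belong to
            # local system accounts, so a domain range below that can collide.
            findings.append(f"{dom}: range starts at {lo}, below the first regular local UID (1000)")
        if backend == "ad" and cfg.get("schema_mode", "rfc2307") not in ("rfc2307", "sfu"):
            findings.append(f"{dom}: unknown schema_mode {cfg['schema_mode']!r}")
        for odom, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                findings.append(f"{dom}: range {lo}-{hi} overlaps {odom} range {olo}-{ohi}")
        seen.append((dom, lo, hi))
    return findings


class IdmapSimulator:
    """Toy model of winbind's SID-to-UID step (an assumption-laden stand-in,
    not Samba's implementation).

    backend = ad : the UID is the user's rfc2307 uidNumber; a missing attribute
                   or a value outside the range means 'no mapping'.
    backend = tdb: the next free UID in the range is allocated and remembered
                   (here in a dict; real winbind persists this in idmap.tdb).
    """

    def __init__(self, domains: Dict[str, Dict[str, str]]) -> None:
        self.domains = domains
        self.next_free: Dict[str, int] = {}
        self.allocated: Dict[Tuple[str, str], int] = {}

    def resolve_uid(self, domain: str, user: str, attrs: Dict[str, str]) -> Optional[int]:
        dom = domain.upper()
        cfg_dom = dom if dom in self.domains else "*"   # fall back to the '*' block
        cfg = self.domains.get(cfg_dom)
        if cfg is None or "range" not in cfg:
            return None
        lo, hi = parse_range(cfg["range"])
        backend = cfg.get("backend")
        if backend == "ad":
            raw = attrs.get("uidNumber")
            if raw is None:
                return None                      # no rfc2307 data on the object
            uid = int(raw)
            return uid if lo <= uid <= hi else None
        if backend == "tdb":
            key = (dom, user)
            if key not in self.allocated:
                uid = self.next_free.get(cfg_dom, lo)
                if uid > hi:
                    return None                  # range exhausted
                self.allocated[key] = uid
                self.next_free[cfg_dom] = uid + 1
            return self.allocated[key]
        return None  # other backends (rid, autorid, ...) are not modelled


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    for finding in check_config(cfg):
        print("finding:", finding)
    sim = IdmapSimulator(cfg)
    print("test9 with uidNumber=10009 ->", sim.resolve_uid("CHEZMOI", "test9", {"uidNumber": "10009"}))
    print("test12 without uidNumber  ->", sim.resolve_uid("CHEZMOI", "test12", {}))
    print("user of unlisted domain    ->", sim.resolve_uid("OTHERDOM", "bob", {}))
```

Run against the posted configuration, `check_config` flags only the low end of the CHEZMOI range (500 sits among Debian's local system accounts); the simulator returns `None` for a CHEZMOI user with no `uidNumber`, and allocates 70001, 70002, ... from the `*` range for users of a domain that has no idmap block of its own.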

Re: Samba4 member of an another « Samba4 » domain

Matthieu Patou-7
On 04/08/2013 06:01 PM, François Lafont wrote:

> Thank you Matthieu for your answer.
>
> On 08/04/2013 01:37, Matthieu Patou wrote:
>>> 1) First attempt to join the domain in the member server
>>>
>>> root@member~# samba-tool domain join chezmoi.priv member -U
>>> administrator --realm=chezmoi.priv
>>> Password for [CHEZMOI\administrator]:
>>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>>
>>> root@member~# ldconfig
>>>
>>> root@member~# smbd && nmbd
>>>
>>> And now impossible to run winbindd.
>>>
>>> -----------------------------------------------
>>> root@member~# winbindd -i -d 10
> [...]
>
>>> pack_tdc_domains: Packing 2 trusted domains
>>> pack_tdc_domains: Packing domain BUILTIN ()
>>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>>> idmap config WHEEZY-2 : range = not defined
>>> Added domain WHEEZY-2  S-1-5-21-210096926-4033722923-1792459932
>>> Could not fetch our SID - did we join?
>>> unable to initialize domain list
>>> -----------------------------------------------
>> Hmm, interesting, it would be worth checking that from a clean setup you
>> have this issue again and again.
> I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain to you exactly what I have done.
>
> In the DC server *and* in the MEMBER server (both with static IPs), I have done this:
>
> -----------------------------------------------
> apt-get update
> apt-get dist-upgrade
> apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev
> vi /etc/fstab # I add the acl and user_xattr options for "/" partition
> mount -o remount /
> cd /usr/local/src/
> wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
> wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz
> cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
> cd /usr/local/src/samba-4.0.4 && ./configure && make && make install
> echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
> halt
> -----------------------------------------------
>
> Couic ! Snapshot of the DC server and snapshot of the MEMBER server. :-)
>
> Then, in the DC server, I have done:
>
> -----------------------------------------------
> samba-tool domain provision # I keep the default answers each time, seems to work fine
>
> # 192.168.0.21 = IP of DC server which are DNS server (internal DNS)
> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> -----------------------------------------------
>
> Just for information, here is the smb.conf on the DC server after these commands:
>
> -----------------------------------------------
> # Global parameters
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-SERVER
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> -----------------------------------------------
>
> In the MEMBER server, I have done:
>
> -----------------------------------------------
> echo "nameserver 192.168.0.21" > /etc/resolv.conf
> samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> vi /usr/local/samba/etc/smb.conf # see below
> smbd && nmbd
> winbindd -i -d 10
> -----------------------------------------------
>
> And Boum ! I have the same error that I described in my previous message. The winbindd command is stopped.
>
> Just for information, here is the smb.conf in the MEMBER server:
>
> -----------------------------------------------
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>      idmap config CHEZMOI:backend = ad
>      idmap config CHEZMOI:schema_mode = rfc2307
>      idmap config CHEZMOI:range = 500-40000
>      winbind nss info = rfc2307
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -----------------------------------------------
>
> Have I forgotten a step?
Are you sure that the two hosts have different names, as you are creating
everything from the same base?

Also, could you do a net join -d 10 and attach the secrets.tdb after the
first join?

>
>>> 2) Second attempt to join the domain in the member server. It's better,
>>> but it doesn't work either.
>>>
>>> root@member:~# net ads join -U administrator
>>> Enter administrator's password:
>>> Using short domain name -- CHEZMOI
>>> Joined 'WHEEZY-2' to dns domain 'chezmoi.priv'
>>> DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED
>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>
>>> root@member:~# ldconfig
>>> root@member:~# smbd && nmbd
>>> root@member:~# winbindd -i -d 10
>>>
>>> And winbindd seems to be ok. I have :
>>>
>>> root@member:~# wbinfo -u
>>> administrator
>>> krbtgt
>>> test10
>>> test11
>>> guest
>>> test1
>>> test2
>>> test3
>>> test4
>>> test5
>>> test6
>>> ...
>>>
>>> root@member:~# wbinfo -i test9
>>> test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false
>>>
>>> But if I create a user in the domain controller server:
>>>
>>> root@dc:~# samba-tool user add test12 --random-password
>>> User 'test12' created successfully
>>>
>>> afterwards, in the member server:
>>>
>>> root@member:~# wbinfo -i test12
>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not get info for user test12
>>>
>>> Here is the stdout of winbindd during the command:
>>>
>>> -----------------------------------------------
>>>              info                     : *
>>>                   info: struct wbint_userinfo
>>>                       acct_name                : *
>>>                           acct_name                : 'test12'
>>>                       full_name                : NULL
>>>                       homedir                  : NULL
>>>                       shell                    : NULL
>>>                       primary_gid              : 0x00000000ffffffff
>>> (4294967295)
>>>                       user_sid                 :
>>> S-1-5-21-3370545617-3166960116-3193249687-1115
>>>                       group_sid                :
>>> S-1-5-21-3370545617-3166960116-3193249687-513
>>>               result                   : NT_STATUS_NOT_FOUND
>>> Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115:
>>> NT_STATUS_NOT_FOUND
>>> wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND
>>> winbind_client_response_written[2813:GETPWNAM]: delivered response to
>>> client
>>> closing socket 23, client exited
>>> -----------------------------------------------
>> Don't you have rfc2307 configured?
> The smb.conf of the DC server and the smb.conf of the MEMBER server are exactly as above in this message. So, I have « winbind nss info = rfc2307 » in the smb.conf of the MEMBER server.
>
>> If so, for the new user, did you set the needed attributes?
> I have just run: samba-tool user add test12 --random-password
> That's all. What are the needed attributes?
When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
in order to convert the SID to uid/gid, hence the error message.

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org


Re: Samba4 member of an another « Samba4 » domain

François Lafont
On 09/04/2013 09:34, Matthieu Patou wrote:

>> On 08/04/2013 01:37, Matthieu Patou wrote:
>> Then, in the DC server, I have done:
>>
>> -----------------------------------------------
>> samba-tool domain provision # I keep the default answers each time,
>> seems to work fine
>>
>> # 192.168.0.21 = IP of DC server which are DNS server (internal DNS)
>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> vi /etc/nsswitch.conf # add winbind for passwd and group
>> ldconfig
>> samba
>> -----------------------------------------------

[...]

>> -----------------------------------------------
>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>> samba-tool domain join chezmoi.priv MEMBER -U administrator
>> --realm=CHEZMOI.PRIV # seems to work fine
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>> vi /etc/nsswitch.conf # add winbind for passwd and group
>> ldconfig
>> vi /usr/local/samba/etc/smb.conf # see below
>> smbd && nmbd
>> winbindd -i -d 10
>> -----------------------------------------------
>>
>> And Boum ! I have the same error that I described in my previous
>> message. The winbindd command is stopped.

[...]

> Are you sure that the two hosts have different names, as you are creating
> everything from the same base?

Yes, I'm absolutely sure, because the names of the 2 servers were set *during* the installation with a netinstall CD:
- hostname == "wheezy-server" for the DC server
- hostname == "wheezy-2" for the MEMBER server

> Also, could you do a net join -d 10 and attach the secrets.tdb after the
> first join?

Yes, no problem. But you suggest I use this command:
net ads join -d 10 -U administrator

I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:

1. "net ads join -U administrator"

or

2. "samba-tool domain join chezmoi.priv member -U administrator" ?

So, if I understand correctly, you are asking me to try the first command (net ads join) with the "-d 10" option. Here:

http://sisco.laf.free.fr/codes/samba4.zip

you'll find the output of the "join" command in debug mode and the secrets.*db files (before and after the join, in the member server and in the dc server):
- with the "net ads join -U administrator -d 10" command
- and with the "samba-tool domain join chezmoi.priv MEMBER -U administrator" command

>>> If so, for the new user, did you set the needed attributes?
>> I have just run: samba-tool user add test12 --random-password
>> That's all. What are the needed attributes?
> When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
> in order to convert the SID to uid/gid, hence the error message.

But is the "rfc2307" option in smb.conf really mandatory?

1. For example, when I install a "simple" Samba4 DC like this:

-------------------------------------------------------------------
samba-tool domain provision # I keep the default answers each time
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DNS is the DC himself
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig
samba
-------------------------------------------------------------------

It seems to work fine. "getent password", "wbinfo -u", "wbinfo -i user1", "wbinfo -n=user1" are OK, yet there is no "rfc2307" string in the default "smb.conf" file.

2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):

-------------------------------------------------------------------
vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DC is the DNS server
ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind
ldconfig
net ads join -U administrator
smbd && nmbd && winbindd
-------------------------------------------------------------------

with this smb.conf file:

-------------------------------------------------------------------
# No reference to "rfc2307".

[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
-------------------------------------------------------------------

and the member server seems to work fine. If I create a user toto on the DC:

samba-tool user add toto --random-password

In the member, I have:

root@member:~# wbinfo -i toto
toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
root@member:~# wbinfo -n=toto
S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)

The only "problem" that I see is with:

root@member:~# wbinfo -u
root@member:~# getent passwd

Because the toto user isn't printed in the output. However, if I wait 5-6 minutes, the toto user appears in the output of these commands. Another solution: if I do:

root@member:~# killall smbd nmbd winbindd
root@member:~# smbd && nmbd && winbindd

the toto user appears on the member server immediately.

Is this behavior (the 5-6 minutes period) normal?

Is this configuration correct for a member server?

Thanks for your help.


--
François Lafont

Re: Samba4 member of an another « Samba4 » domain

Gémes Géza-2
On 2013-04-10 01:32, François Lafont wrote:

> On 09/04/2013 09:34, Matthieu Patou wrote:
>
>>> On 08/04/2013 01:37, Matthieu Patou wrote:
>>> Then, in the DC server, I have done:
>>>
>>> -----------------------------------------------
>>> samba-tool domain provision # I keep the default answers each time,
>>> seems to work fine
>>>
>>> # 192.168.0.21 = IP of DC server which are DNS server (internal DNS)
>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>>
>>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>>> vi /etc/nsswitch.conf # add winbind for passwd and group
>>> ldconfig
>>> samba
>>> -----------------------------------------------
> [...]
>
>>> -----------------------------------------------
>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>> samba-tool domain join chezmoi.priv MEMBER -U administrator
>>> --realm=CHEZMOI.PRIV # seems to work fine
>>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>>> vi /etc/nsswitch.conf # add winbind for passwd and group
>>> ldconfig
>>> vi /usr/local/samba/etc/smb.conf # see below
>>> smbd && nmbd
>>> winbindd -i -d 10
>>> -----------------------------------------------
>>>
>>> And Boum ! I have the same error that I described in my previous
>>> message. The winbindd command is stopped.
> [...]
>
>> Are you sure that the two hosts have different names, as you are creating
>> everything from the same base?
> Yes, I'm absolutely sure, because the names of the 2 servers were set *during* the installation with a netinstall CD:
> - hostname == "wheezy-server" for the DC server
> - hostname == "wheezy-2" for the MEMBER server
>
>> Also, could you do a net join -d 10 and attach the secrets.tdb after the
>> first join?
> Yes, no problem. But you suggest I use this command:
> net ads join -d 10 -U administrator
>
> I would like to understand. To join a member server to a domain (with a Samba4 DC), which command should I use:
>
> 1. "net ads join -U administrator"
>
> or
>
> 2. "samba-tool domain join chezmoi.priv member -U administrator" ?
>
> So, if I understand correctly, you are asking me to try the first command (net ads join) with the "-d 10" option. Here:
>
> http://sisco.laf.free.fr/codes/samba4.zip
>
> you'll find the output of the "join" command in debug mode and the secrets.*db files (before and after the join, in the member server and in the dc server):
> - with the "net ads join -U administrator -d 10" command
> - and with the "samba-tool domain join chezmoi.priv MEMBER -U administrator" command
>
>>>> If so, for the new user, did you set the needed attributes?
>>> I have just run: samba-tool user add test12 --random-password
>>> That's all. What are the needed attributes?
>> When you specify rfc2307, winbindd expects to use uidNumber and gidNumber
>> in order to convert the SID to uid/gid, hence the error message.
> But is the "rfc2307" option in smb.conf really mandatory?
>
> 1. For example, when I install a "simple" Samba4 DC like this:
>
> -------------------------------------------------------------------
> samba-tool domain provision # I keep the default answers each time
> echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DNS is the DC himself
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind for passwd and group
> ldconfig
> samba
> -------------------------------------------------------------------
>
> It seems to work fine. "getent password", "wbinfo -u", "wbinfo -i user1", "wbinfo -n=user1" are OK, yet there is no "rfc2307" string in the default "smb.conf" file.
>
> 2. Another example. I have installed a member server like this (member of a Samba4 DC, I have no Windows server):
>
> -------------------------------------------------------------------
> vi /usr/local/samba/etc/smb.conf # see below for the smb.conf file
> echo "nameserver 192.168.0.21" > /etc/resolv.conf # The DC is the DNS server
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> vi /etc/nsswitch.conf # add winbind
> ldconfig
> net ads join -U administrator
> smbd && nmbd && winbindd
> -------------------------------------------------------------------
>
> with this smb.conf file:
>
> -------------------------------------------------------------------
> # No reference to "rfc2307".
>
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> and the member server seems to work fine. If I create a user toto on the DC:
>
> samba-tool user add toto --random-password
>
> In the member, I have:
>
> root@member:~# wbinfo -i toto
> toto:*:70011:70001:toto:/home/CHEZMOI/toto:/bin/false
> root@member:~# wbinfo -n=toto
> S-1-5-21-1430849794-1775759099-2616264933-1112 SID_USER (1)
>
> The only "problem" that I see is with:
>
> root@member:~# wbinfo -u
> root@member:~# getent passwd
>
> Because the toto user isn't printed in the output. However, if I wait 5-6 minutes, the toto user appears in the output of these commands. Another solution: if I do:
>
> root@member:~# killall smbd nmbd winbindd
> root@member:~# smbd && nmbd && winbindd
>
> the toto user appears on the member server immediately.
>
> Is this behavior (the 5-6 minutes period) normal?
>
> Is this configuration correct for a member server?
>
> Thanks for your help.
>
>
You should check rfc2307 on the Samba AD: if your users do not have
uidNumber and gidNumber attributes, they are going to be ignored by the
winbind daemon when you specify rfc2307 schema mode on the domain member.

Regards

Geza Gemes

Re: Samba4 member of an another « Samba4 » domain

François Lafont
On 10/04/2013 06:59, Gémes Géza wrote:
> You should check rfc2307 on the Samba AD: if your users do not have
> uidNumber and gidNumber attributes, they are going to be ignored by the
> winbind daemon when you specify rfc2307 schema mode on the domain member.

If I have understood correctly, when I don't use rfc2307 on the dc server (this is
the default) and I don't use rfc2307 on the member server with this
config:

-------------------------------------------------------------------
# No reference to "rfc2307".

[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
-------------------------------------------------------------------

It seems to work well, but the uid and the gid of the domain accounts
are different between the dc and the member. And if I use rfc2307,
then it's possible to have the same uid and gid on the dc and the
member. Is that correct?

For the moment, I don't succeed in using "rfc2307" with a dc and a
member. Without "rfc2307", I think it works well with:

1. For the dc:

-------------------------------------------------------------------
[global]
        workgroup = CHEZMOI
        realm = CHEZMOI.PRIV
        netbios name = WHEEZY-SERVER
        server role = active directory domain controller
        dns forwarder = 212.27.40.241

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
-------------------------------------------------------------------

2. And for the member:

-------------------------------------------------------------------
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes
    idmap config *:backend = tdb
    idmap config *:range = 70001-80000

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users  = yes
    winbind enum groups = yes
-------------------------------------------------------------------

It works well (imho), but, for each account, the uid/gid are different
between the dc and the member, and I don't like it.


When I try to use "rfc2307", it doesn't work for me (but I am probably
making mistakes). For example, I have tried this:

1. On the dc server:

# samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI
--server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123'
--use-rfc2307

that creates this smb.conf:

-------------------------------------------------------------------
[global]
        workgroup = CHEZMOI
        realm = CHEZMOI.PRIV
        netbios name = WHEEZY-SERVER
        server role = active directory domain controller
        dns forwarder = 212.27.40.241
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
-------------------------------------------------------------------

Next, I use winbind in nsswitch.conf in order to resolve the uid/gid -->
names.

2. On the member, I edit this smb.conf file (found here
https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):

-------------------------------------------------------------------
[global]
   workgroup = CHEZMOI
   security = ADS
   realm = CHEZMOI.PRIV
   encrypt passwords = yes
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config CHEZMOI:backend = ad
   idmap config CHEZMOI:schema_mode = rfc2307
   idmap config CHEZMOI:range = 500-40000
   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes
-------------------------------------------------------------------

and I join the server with "net ads join" (next I use winbind too in
nsswitch.conf).

Next, I create an account in the dc (samba-tool user add test1
--random-password) and, under a Windows station, I edit this account
with dsa.msc and I set:
- the UID attribute in the "Unix attributes" tab
- the GID attribute in the "Unix attributes" tab

But the dc and the member seem to ignore these values and, for example,
with "getent passwd" the uid/gid are different for each user between the
dc and the member.

If you have advice or links on installing a dc and a member so that the uid/gid
are the same between the dc and the member, it would interest me very much. :-)

Thanks in advance.
PS: and very sorry for my poor English.

--
François Lafont

Re: Samba4 member of an another « Samba4 » domain

Gémes Géza-2
On 2013-04-11 01:14, François Lafont wrote:

> On 10/04/2013 06:59, Gémes Géza wrote:
>> You should check rfc2307 on the Samba AD: if your users do not have
>> uidNumber and gidNumber attributes, they are going to be ignored by the
>> winbind daemon when you specify rfc2307 schema mode on the domain member.
> If I have understood correctly, when I don't use rfc2307 on the dc server (this is
> the default) and I don't use rfc2307 on the member server with this
> config:
>
> -------------------------------------------------------------------
> # No reference to "rfc2307".
>
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> It seems to work well, but the uid and the gid of the domain accounts
> are different between the dc and the member. And if I use rfc2307,
> then it's possible to have the same uid and gid on the dc and the
> member. Is that correct?
>
> For the moment, I don't succeed in using "rfc2307" with a dc and a
> member. Without "rfc2307", I think it works well with:
>
> 1. For the dc:
>
> -------------------------------------------------------------------
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-SERVER
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> -------------------------------------------------------------------
>
> 2. And for the member:
>
> -------------------------------------------------------------------
> [global]
>      workgroup = CHEZMOI
>      security = ADS
>      realm = CHEZMOI.PRIV
>      encrypt passwords = yes
>      idmap config *:backend = tdb
>      idmap config *:range = 70001-80000
>
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> -------------------------------------------------------------------
>
> It works well (imho), but, for each account, the uid/gid are different
> between the dc and the member, and I don't like it.
>
>
> When I try to use "rfc2307", it doesn't work for me (but I am probably
> making mistakes). For example, I have tried this:
>
> 1. On the dc server:
>
> # samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI
> --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123'
> --use-rfc2307
>
> that creates this smb.conf:
>
> -------------------------------------------------------------------
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-SERVER
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> -------------------------------------------------------------------
>
> Next, I use winbind in nsswitch.conf in order to resolve the uid/gid -->
> names.
>
> 2. On the member, I edit this smb.conf file (found here
> https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf):
>
> -------------------------------------------------------------------
> [global]
>     workgroup = CHEZMOI
>     security = ADS
>     realm = CHEZMOI.PRIV
>     encrypt passwords = yes
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-80000
>     idmap config CHEZMOI:backend = ad
>     idmap config CHEZMOI:schema_mode = rfc2307
>     idmap config CHEZMOI:range = 500-40000
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users  = yes
>     winbind enum groups = yes
> -------------------------------------------------------------------
>
> and I join the server with "net ads join" (next I use winbind too in
> nsswitch.conf).
>
> Next, I create an account in the dc (samba-tool user add test1
> --random-password) and, under a Windows station, I edit this account
> with dsa.msc and I set:
> - the UID attribute in the "Unix attributes" tab
> - the GID attribute in the "Unix attributes" tab
>
> But the dc and the member seem to ignore these values and, for example,
> with "getent passwd" the uid/gid are different for each user between the
> dc and the member.
>
> If you have advice or links on installing a dc and a member so that the uid/gid
> are the same between the dc and the member, it would interest me very much. :-)
>
> Thanks in advance.
> PS: and very sorry for my poor English.
>
The easiest way to test out rfc2307 would be to provision a new domain
with samba-tool domain provision --use-rfc2307
--the-other-options-of-your-choice, and test an rfc2307 client against
it. The difference is that in this case the provisioning script loads a
schema file (ypServ30.ldif) which makes it easier to administer the
rfc2307 attributes using ADUC. Then join a client to the domain and see
whether rfc2307 schema mode works or not. If it works, then you will probably
need to load the schema modifications and a few other entries from the
provisioning with --use-rfc2307.
BTW, I use in production a classicupgraded Samba (actually two
replicating DCs) where --use-rfc2307 is (was) enabled by default, and a
few Samba 3.6 installations using rfc2307 schema mode successfully
authenticate and get account data from the AD.

Regards

Geza Gemes

Re: Samba4 member of an another « Samba4 » domain

François Lafont
Hi,

On 11/04/2013 22:39, Gémes Géza wrote:

> The easiest way to test out rfc2307 would be to provision a new domain
> with samba-tool domain provision --use-rfc2307
> --the-other-options-of-your-choice, and test an rfc2307 client against
> it. The difference is that in this case the provisioning script loads a
> schema file (ypServ30.ldif) which makes it easier to administer the
> rfc2307 attributes using ADUC. [...]

OK. I tried this on a Wheezy server:

---------------------------------------------------
samba-tool domain provision --realm=CHEZMOI.PRIV \
    --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
    --adminpass='+toto123' --use-rfc2307
echo "nameserver 192.168.0.21" > /etc/resolv.conf
samba
samba-tool user add test1 "+test123"
---------------------------------------------------

Here is my smb.conf file after these commands:

---------------------------------------------------
# Global parameters
[global]
        workgroup = CHEZMOI
        realm = CHEZMOI.PRIV
        netbios name = WHEEZY-1
        server role = active directory domain controller
        dns forwarder = 212.27.40.241
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
---------------------------------------------------

But when I run:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1

---------------------------------------------------
# editing 1 records
# record 1
dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test1
instanceType: 4
whenCreated: 20130413162647.0Z
whenChanged: 20130413162647.0Z
uSNCreated: 3769
name: test1
objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test1
sAMAccountType: 805306368
userPrincipalName: [hidden email]
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
pwdLastSet: 130103440070000000
userAccountControl: 512
uSNChanged: 3771
distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
---------------------------------------------------

I have no "objectClass: posixAccount" entry and therefore no "uidNumber" or "gidNumber" attribute. Is this normal?

I thought that the "use-rfc2307" option allowed creating "posixAccount" users. Isn't that the case?


--
François Lafont

Re: Samba4 member of an another « Samba4 » domain

steve-2
On 13/04/13 18:49, François Lafont wrote:

> Hi,
>
> On 11/04/2013 22:39, Gémes Géza wrote:
>
>> The easiest way to test out rfc2307 would be to provision a new domain
>> with samba-tool domain provision --use-rfc2307
>> --the-other-options-of-your-choice, and test a rfc2307 client against
>> it. The difference is, that in this case the provisioning script loads a
>> schema file (ypServ30.ldif) which makes it easier to administer the
>> rfc2307 attributes using ADUC. [...]
> Ok. I try this in a wheezy server:
>
> ---------------------------------------------------
> samba-tool domain provision --realm=CHEZMOI.PRIV \
>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>      --adminpass='+toto123' --use-rfc2307
> echo "nameserver 192.168.0.21" > /etc/resolv.conf
> samba
> samba-tool user add test1 "+test123"
> ---------------------------------------------------
>
> Here is my smb.conf file after this commands:
>
> ---------------------------------------------------
> # Global parameters
> [global]
>          workgroup = CHEZMOI
>          realm = CHEZMOI.PRIV
>          netbios name = WHEEZY-1
>          server role = active directory domain controller
>          dns forwarder = 212.27.40.241
>          idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> ---------------------------------------------------
>
> But when I run:
> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>
> ---------------------------------------------------
> # editing 1 records
> # record 1
> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: test1
> instanceType: 4
> whenCreated: 20130413162647.0Z
> whenChanged: 20130413162647.0Z
> uSNCreated: 3769
> name: test1
> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: test1
> sAMAccountType: 805306368
> userPrincipalName: [hidden email]
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
> pwdLastSet: 130103440070000000
> userAccountControl: 512
> uSNChanged: 3771
> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
> ---------------------------------------------------
>
> I have no "objectClass: posixAccount" entry and then no "uidNumber", "gidNumber" attribute. Is it normal?
>
> I thought that "use-rfc2307" option allowed to create "posixaccount" users. Isn't It the case?
>
>
Hi
You still have to add the objects. Yourself! I think provisioning with
the rfc2307 option allows you to use the windows tools instead of using
ldbedit or LDIFs. If you just want uid:gid you can use ldbedit like you
have above and

add e.g.
objectClass: posixGroup
gidNumber: 20513

to Domain Users

then, e.g.
objectClass: posixAccount
uidNumber: 3000100
gidNumber: 20513

to each of your users. With a different uid for each user of course. You
then decide how to get the uid:gid out of AD. There's another thread
here at the moment about how or how not to do that.
hth
Steve


Re: Samba4 member of an another « Samba4 » domain

Rowland Penny-2
On 13/04/13 19:24, steve wrote:

> On 13/04/13 18:49, François Lafont wrote:
>> Hi,
>>
>> On 11/04/2013 22:39, Gémes Géza wrote:
>>
>>> The easiest way to test out rfc2307 would be to provision a new domain
>>> with samba-tool domain provision --use-rfc2307
>>> --the-other-options-of-your-choice, and test a rfc2307 client against
>>> it. The difference is, that in this case the provisioning script
>>> loads a
>>> schema file (ypServ30.ldif) which makes it easier to administer the
>>> rfc2307 attributes using ADUC. [...]
>> Ok. I try this in a wheezy server:
>>
>> ---------------------------------------------------
>> samba-tool domain provision --realm=CHEZMOI.PRIV \
>>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>>      --adminpass='+toto123' --use-rfc2307
>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>> samba
>> samba-tool user add test1 "+test123"
>> ---------------------------------------------------
>>
>> Here is my smb.conf file after this commands:
>>
>> ---------------------------------------------------
>> # Global parameters
>> [global]
>>          workgroup = CHEZMOI
>>          realm = CHEZMOI.PRIV
>>          netbios name = WHEEZY-1
>>          server role = active directory domain controller
>>          dns forwarder = 212.27.40.241
>>          idmap_ldb:use rfc2307 = yes
>>
>> [netlogon]
>>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /usr/local/samba/var/locks/sysvol
>>          read only = No
>> ---------------------------------------------------
>>
>> But when I run:
>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>>
>> ---------------------------------------------------
>> # editing 1 records
>> # record 1
>> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: test1
>> instanceType: 4
>> whenCreated: 20130413162647.0Z
>> whenChanged: 20130413162647.0Z
>> uSNCreated: 3769
>> name: test1
>> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> primaryGroupID: 513
>> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: test1
>> sAMAccountType: 805306368
>> userPrincipalName: [hidden email]
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
>> pwdLastSet: 130103440070000000
>> userAccountControl: 512
>> uSNChanged: 3771
>> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
>> ---------------------------------------------------
>>
>> I have no "objectClass: posixAccount" entry and then no "uidNumber",
>> "gidNumber" attribute. Is it normal?
>>
>> I thought that "use-rfc2307" option allowed to create "posixaccount"
>> users. Isn't It the case?
>>
>>
> Hi
> You still have to add the objects. Yourself! I think provisioning with
> the rfc2307 option allows you to use the windows tools instead of
> using ldbedit or ldif's. If you just want uid:gid you can use ldbedit
> like you have above and
>
> add e.g.
> objectClass: posixGroup
> gidNumber: 20513
>
> to Domain Users
>
> then, e.g.
> objectClass: posixAccount
> uidNumber: 3000100
> gidNumber: 20513
>
> to each of your users. With a different uid for each user of course.
> You then decide how to get the uid:gid out of AD. There's another
> thread here at the moment about how or how not to do that.
> hth
> Steve
>
Hi, you do not need the posix objectclasses; you can add the uidNumbers
etc. without them.

Rowland




Re: Samba4 member of an another « Samba4 » domain

steve-2
On 13/04/13 20:38, Rowland Penny wrote:

> On 13/04/13 19:24, steve wrote:
>> On 13/04/13 18:49, François Lafont wrote:
>>> Hi,
>>>
>>> On 11/04/2013 22:39, Gémes Géza wrote:
>>>
>>>> The easiest way to test out rfc2307 would be to provision a new domain
>>>> with samba-tool domain provision --use-rfc2307
>>>> --the-other-options-of-your-choice, and test a rfc2307 client against
>>>> it. The difference is, that in this case the provisioning script
>>>> loads a
>>>> schema file (ypServ30.ldif) which makes it easier to administer the
>>>> rfc2307 attributes using ADUC. [...]
>>> Ok. I try this in a wheezy server:
>>>
>>> ---------------------------------------------------
>>> samba-tool domain provision --realm=CHEZMOI.PRIV \
>>>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>>>      --adminpass='+toto123' --use-rfc2307
>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>> samba
>>> samba-tool user add test1 "+test123"
>>> ---------------------------------------------------
>>>
>>> Here is my smb.conf file after this commands:
>>>
>>> ---------------------------------------------------
>>> # Global parameters
>>> [global]
>>>          workgroup = CHEZMOI
>>>          realm = CHEZMOI.PRIV
>>>          netbios name = WHEEZY-1
>>>          server role = active directory domain controller
>>>          dns forwarder = 212.27.40.241
>>>          idmap_ldb:use rfc2307 = yes
>>>
>>> [netlogon]
>>>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>> ---------------------------------------------------
>>>
>>> But when I run:
>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>>>
>>> ---------------------------------------------------
>>> # editing 1 records
>>> # record 1
>>> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>> objectClass: top
>>> objectClass: person
>>> objectClass: organizationalPerson
>>> objectClass: user
>>> cn: test1
>>> instanceType: 4
>>> whenCreated: 20130413162647.0Z
>>> whenChanged: 20130413162647.0Z
>>> uSNCreated: 3769
>>> name: test1
>>> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
>>> badPwdCount: 0
>>> codePage: 0
>>> countryCode: 0
>>> badPasswordTime: 0
>>> lastLogoff: 0
>>> lastLogon: 0
>>> primaryGroupID: 513
>>> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
>>> accountExpires: 9223372036854775807
>>> logonCount: 0
>>> sAMAccountName: test1
>>> sAMAccountType: 805306368
>>> userPrincipalName: [hidden email]
>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
>>> pwdLastSet: 130103440070000000
>>> userAccountControl: 512
>>> uSNChanged: 3771
>>> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>> ---------------------------------------------------
>>>
>>> I have no "objectClass: posixAccount" entry and then no "uidNumber",
>>> "gidNumber" attribute. Is it normal?
>>>
>>> I thought that "use-rfc2307" option allowed to create "posixaccount"
>>> users. Isn't It the case?
>>>
>>>
>> Hi
>> You still have to add the objects. Yourself! I think provisioning with
>> the rfc2307 option allows you to use the windows tools instead of
>> using ldbedit or ldif's. If you just want uid:gid you can use ldbedit
>> like you have above and
>>
>> add e.g.
>> objectClass: posixGroup
>> gidNumber: 20513
>>
>> to Domain Users
>>
>> then, e.g.
>> objectClass: posixAccount
>> uidNumber: 3000100
>> gidNumber: 20513
>>
>> to each of your users. With a different uid for each user of course.
>> You then decide how to get the uid:gid out of AD. There's another
>> thread here at the moment about how or how not to do that.
>> hth
>> Steve

>>
> Hi, You do not need the posix objectclasses, you can add the
> uidNumbers etc without them.
>
> Rowland
>
>
>
Hi
Yes, but please be careful. The Samba4 LDAP allows you to add uidNumber
without the class from the schema which provides it. In this case
posixAccount. However, the uidNumber in that case will just be ignored.
e.g. it will not show in getent passwd.

I'm not certain but I think in openldap with the rfc2307 schema, it
would be an error: you wouldn't be able to do it.

@Rowland. Maybe your method with sssd doesn't need uidNumber to be
present in AD?
Cheers,
Steve


Re: Samba4 member of an another « Samba4 » domain

Rowland Penny-2
On 13/04/13 20:22, steve wrote:

> On 13/04/13 20:38, Rowland Penny wrote:
>> On 13/04/13 19:24, steve wrote:
>>> On 13/04/13 18:49, François Lafont wrote:
>>>> Hi,
>>>>
>>>> On 11/04/2013 22:39, Gémes Géza wrote:
>>>>
>>>>> The easiest way to test out rfc2307 would be to provision a new
>>>>> domain
>>>>> with samba-tool domain provision --use-rfc2307
>>>>> --the-other-options-of-your-choice, and test a rfc2307 client against
>>>>> it. The difference is, that in this case the provisioning script
>>>>> loads a
>>>>> schema file (ypServ30.ldif) which makes it easier to administer the
>>>>> rfc2307 attributes using ADUC. [...]
>>>> Ok. I try this in a wheezy server:
>>>>
>>>> ---------------------------------------------------
>>>> samba-tool domain provision --realm=CHEZMOI.PRIV \
>>>>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>>>>      --adminpass='+toto123' --use-rfc2307
>>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>>> samba
>>>> samba-tool user add test1 "+test123"
>>>> ---------------------------------------------------
>>>>
>>>> Here is my smb.conf file after this commands:
>>>>
>>>> ---------------------------------------------------
>>>> # Global parameters
>>>> [global]
>>>>          workgroup = CHEZMOI
>>>>          realm = CHEZMOI.PRIV
>>>>          netbios name = WHEEZY-1
>>>>          server role = active directory domain controller
>>>>          dns forwarder = 212.27.40.241
>>>>          idmap_ldb:use rfc2307 = yes
>>>>
>>>> [netlogon]
>>>>          path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>>>>          read only = No
>>>>
>>>> [sysvol]
>>>>          path = /usr/local/samba/var/locks/sysvol
>>>>          read only = No
>>>> ---------------------------------------------------
>>>>
>>>> But when I run:
>>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>>>>
>>>> ---------------------------------------------------
>>>> # editing 1 records
>>>> # record 1
>>>> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: test1
>>>> instanceType: 4
>>>> whenCreated: 20130413162647.0Z
>>>> whenChanged: 20130413162647.0Z
>>>> uSNCreated: 3769
>>>> name: test1
>>>> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> primaryGroupID: 513
>>>> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: test1
>>>> sAMAccountType: 805306368
>>>> userPrincipalName: [hidden email]
>>>> objectCategory:
>>>> CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
>>>> pwdLastSet: 130103440070000000
>>>> userAccountControl: 512
>>>> uSNChanged: 3771
>>>> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>> ---------------------------------------------------
>>>>
>>>> I have no "objectClass: posixAccount" entry and then no
>>>> "uidNumber", "gidNumber" attribute. Is it normal?
>>>>
>>>> I thought that "use-rfc2307" option allowed to create
>>>> "posixaccount" users. Isn't It the case?
>>>>
>>>>
>>> Hi
>>> You still have to add the objects. Yourself! I think provisioning
>>> with the rfc2307 option allows you to use the windows tools instead
>>> of using ldbedit or ldif's. If you just want uid:gid you can use
>>> ldbedit like you have above and
>>>
>>> add e.g.
>>> objectClass: posixGroup
>>> gidNumber: 20513
>>>
>>> to Domain Users
>>>
>>> then, e.g.
>>> objectClass: posixAccount
>>> uidNumber: 3000100
>>> gidNumber: 20513
>>>
>>> to each of your users. With a different uid for each user of course.
>>> You then decide how to get the uid:gid out of AD. There's another
>>> thread here at the moment about how or how not to do that.
>>> hth
>>> Steve
>
>>>
>> Hi, You do not need the posix objectclasses, you can add the
>> uidNumbers etc without them.
>>
>> Rowland
>>
>>
>>
> Hi
> Yes, but please be careful. The Samba4 LDAP allows you to add
> uidNumber without the class from the schema which provides it. In this
> case posixAccount. However, the uidNumber in that case will just be
> ignored. e.g. it will not show in getent passwd.
>
> I'm not certain but I think in openldap with the rfc2307 schema, it
> would be an error: you wouldn't be able to do it.
>
> @Rowland. Maybe your method with sssd doesn't need uidNumber to be
> present in AD?
> Cheers,
> Steve
>
Hi Steve, I thought like you until someone posted either on here or on
the technical list that windows does not use the posix objectclasses,
and as Samba 4 AD is supposed to be exactly like windows AD, then
obviously you do not need them. If they were required, you would not be
able to add the uidNumbers etc, it would just error out.
If you are having problems pulling the uidNumber with nss-ldapd without
the posix objectclasses, then this might be because nss-ldapd was
written for ldap but AD != LDAP. All I can say is sssd works without the
posix objectclasses.

Rowland


Re: Samba4 member of an another « Samba4 » domain

steve-2
On 13/04/13 23:32, Rowland Penny wrote:

> On 13/04/13 20:22, steve wrote:
>> On 13/04/13 20:38, Rowland Penny wrote:
>>> On 13/04/13 19:24, steve wrote:
>>>> On 13/04/13 18:49, François Lafont wrote:
>>>>> Hi,
>>>>>
>>>>> On 11/04/2013 22:39, Gémes Géza wrote:
>>>>>
>>>>>> The easiest way to test out rfc2307 would be to provision a new
>>>>>> domain
>>>>>> with samba-tool domain provision --use-rfc2307
>>>>>> --the-other-options-of-your-choice, and test a rfc2307 client
>>>>>> against
>>>>>> it. The difference is, that in this case the provisioning script
>>>>>> loads a
>>>>>> schema file (ypServ30.ldif) which makes it easier to administer the
>>>>>> rfc2307 attributes using ADUC. [...]
>>>>> Ok. I try this in a wheezy server:
>>>>>
>>>>> ---------------------------------------------------
>>>>> samba-tool domain provision --realm=CHEZMOI.PRIV \
>>>>>      --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \
>>>>>      --adminpass='+toto123' --use-rfc2307
>>>>> echo "nameserver 192.168.0.21" > /etc/resolv.conf
>>>>> samba
>>>>> samba-tool user add test1 "+test123"
>>>>> ---------------------------------------------------
>>>>>
>>>>> Here is my smb.conf file after this commands:
>>>>>
>>>>> ---------------------------------------------------
>>>>> # Global parameters
>>>>> [global]
>>>>>          workgroup = CHEZMOI
>>>>>          realm = CHEZMOI.PRIV
>>>>>          netbios name = WHEEZY-1
>>>>>          server role = active directory domain controller
>>>>>          dns forwarder = 212.27.40.241
>>>>>          idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> [netlogon]
>>>>>          path =
>>>>> /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
>>>>>          read only = No
>>>>>
>>>>> [sysvol]
>>>>>          path = /usr/local/samba/var/locks/sysvol
>>>>>          read only = No
>>>>> ---------------------------------------------------
>>>>>
>>>>> But when I run:
>>>>> ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1
>>>>>
>>>>> ---------------------------------------------------
>>>>> # editing 1 records
>>>>> # record 1
>>>>> dn: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: test1
>>>>> instanceType: 4
>>>>> whenCreated: 20130413162647.0Z
>>>>> whenChanged: 20130413162647.0Z
>>>>> uSNCreated: 3769
>>>>> name: test1
>>>>> objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-3595212667-731548510-1075401445-1103
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: test1
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: [hidden email]
>>>>> objectCategory:
>>>>> CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv
>>>>> pwdLastSet: 130103440070000000
>>>>> userAccountControl: 512
>>>>> uSNChanged: 3771
>>>>> distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv
>>>>> ---------------------------------------------------
>>>>>
>>>>> I have no "objectClass: posixAccount" entry and then no
>>>>> "uidNumber", "gidNumber" attribute. Is it normal?
>>>>>
>>>>> I thought that "use-rfc2307" option allowed to create
>>>>> "posixaccount" users. Isn't It the case?
>>>>>
>>>>>
>>>> Hi
>>>> You still have to add the objects. Yourself! I think provisioning
>>>> with the rfc2307 option allows you to use the windows tools instead
>>>> of using ldbedit or ldif's. If you just want uid:gid you can use
>>>> ldbedit like you have above and
>>>>
>>>> add e.g.
>>>> objectClass: posixGroup
>>>> gidNumber: 20513
>>>>
>>>> to Domain Users
>>>>
>>>> then, e.g.
>>>> objectClass: posixAccount
>>>> uidNumber: 3000100
>>>> gidNumber: 20513
>>>>
>>>> to each of your users. With a different uid for each user of
>>>> course. You then decide how to get the uid:gid out of AD. There's
>>>> another thread here at the moment about how or how not to do that.
>>>> hth
>>>> Steve
>>
>>>>
>>> Hi, You do not need the posix objectclasses, you can add the
>>> uidNumbers etc without them.
>>>
>>> Rowland
>>>
>>>
>>>
>> Hi
>> Yes, but please be careful. The Samba4 LDAP allows you to add
>> uidNumber without the class from the schema which provides it. In
>> this case posixAccount. However, the uidNumber in that case will just
>> be ignored. e.g. it will not show in getent passwd.
>>
>> I'm not certain but I think in openldap with the rfc2307 schema, it
>> would be an error: you wouldn't be able to do it.
>>
>> @Rowland. Maybe your method with sssd doesn't need uidNumber to be
>> present in AD?
>> Cheers,
>> Steve
>>
> Hi Steve, I thought like you until someone posted either on here or on
> the technical list that windows does not use the posix objectclasses,
> and as Samba 4 AD is supposed to be exactly like windows AD, then
> obviously you do not need them. If they were required, you would not
> be able to add the uidNumbers etc, it would just error out.
> If you are having problems pulling the uidNumber with nss-ldapd
> without the posix objectclasses, then this might be because nss-ldapd
> was written for ldap but AD != LDAP. All I can say is sssd works
> without the posix objectclasses.
>
> Rowland
>
Thanks Rowland. I'd no idea that windows didn't need the classes but as
I came from a Linux openldap background I understood that as you quite
rightly say, that openldap wouldn't allow you to add uidNumber without
posixAccount.  For the record, nss-ldapd _does_ require the class to be
present. If it isn't then as far as ldapd is concerned, the user doesn't
exist.

Well, that's the end of another 48 hour day. Why do we do this!
Cheers,
Steve


Re: Samba4 member of an another « Samba4 » domain

François Lafont
In reply to this post by steve-2
Hello,

On 13/04/2013 20:24, steve wrote:

> You still have to add the objects. Yourself!

Ok, if I understand correctly, after provisioning a domain with samba-tool and the "--use-rfc2307" option, samba4 can support posixAccount etc. in its database, but I have to add the object class and the mandatory attributes myself.

But, after this:

-------------------------------------------
samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
    --use-rfc2307

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

# I add winbind to nsswitch.conf
sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf

samba
-------------------------------------------

I have a few users and groups which are already created:

# wbinfo -u
Administrator
Guest
krbtgt

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

Must I add "objectClass: posixAccount", "uid: ...", "uidNumber: ..." etc. entries for each account above?
And must I add "objectClass: posixGroup", "gidNumber: ..." etc. entries for each group above?

Which uid/gid numbers should I use?

Without "posixAccount", "uid", "uidNumber" etc. entries, the domain accounts are already automatically assigned a uid number that I can see with "getent passwd":

# getent passwd Guest
CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false

uid=3000011 although I have done no change in the Guest account.

How does Samba choose these uid/gid numbers (e.g. 3000011/3000012), and how can I choose my uid/gid numbers so that there is never a conflict with the uid/gid chosen automatically by Samba?

Another problem: just after provisioning, the /usr/local/samba/var/locks/sysvol/ directory is already created with particular settings regarding the unix permissions and the ACLs (with particular uid/gid numbers). Must I change the (unix/ACL) permissions of this directory too?

> There's another thread
> here at the moment about how or how not to do that.

Where? I don't see it. Personally, I have never succeeded in getting "rfc2307" working, until now.
My purpose is to have the same uid/gid numbers between 2 samba4 servers.

--
François Lafont

Re: Samba4 member of an another « Samba4 » domain

steve-2
On 14/04/13 01:37, François Lafont wrote:
> Hello,
>
> On 13/04/2013 20:24, steve wrote:
>
>> You still have to add the objects. Yourself!
> Ok, if I understand, after a provision of a domain with samba-tool and the "--use-rfc2307" option, samba4 can support posixaccount etc. in its database, but I have to add the object class and the mandatory attributes myself.
It can do that whether you provision with --use-rfc2307 or not. I
believe that it adds the possibility of adding the uid:gid from windows.
I've never used windows for this.

>
> But, after this:
>
> -------------------------------------------
> samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
>      --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
>      --use-rfc2307
>
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>
> # I had winbind in nsswitch.conf
> sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf
>
> samba
> -------------------------------------------
>
> I have a few users and groups which are already created:
>
> # wbinfo -u
> Administrator
> Guest
> krbtgt
>
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
>
> Must I add "objectclass: posixAccount", "uid:...", uidNumber:..." etc. entries for each account above?
> And must I add "objetclass: posixGroup", "gidNumber: ..." etc. entries for each group above?
If you want to pull uid:gid from AD then you'll need to add uidNumber
and gidNumber for users and gidNumber for groups. All users which need
to login will need the attributes but there's no need to allocate
gidNumber to all the groups. Many of them have no meaning in Linux. e.g.
To begin with, just allocate a gidNumber to Domain Users. A good way to
decide which gidNumber to allocate is to take the RID of the group and
add, say, 20000 to keep it well away from local groups. As the RID of
Domain Users is 513 then our gidNumber becomes 20513.

For users, we allocated our first user uidNumber 3000032 to avoid
collision with the xidnumbers which have to remain in idmap. Each
subsequent user increments this value. It's tedious doing this by hand
but easy to create an ldif which contains the values to add as and when
a new user is created.
>
> Which uid/gid numbers should I use?
>
> Without "posixAccount" "uid" "uidNumber" etc. entries, the domain accounts are automatically already allied to a uid number that I can see with "getent passwd":
>
> # getent passwd Guest
> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>
> uid=3000011 although I have done no change in the Guest account.
Those uid:gid pairs are coming from idmap. idmap is not part of AD and
confuses the issue for many of us. If you are going to add more DC's,
these uid:gid's  will change depending upon which DC you refer to.
Probably (almost certainly) not what you want.
>
> How choose Samba these uid/gid numbers (e.g 3000011/3000012) and how can I choose my uid/gid numbers in order that there is never conflict with uid/gid choose automatically by Samba?
That is best answered by looking at:
ldbsearch --url=/usr/local/samba/private/idmap.ldb
There, you'll see the sids with the xidnumber that Samba has allocated
to them. This xidnumber becomes the uid or gid depending upon whether
the object is a user, group or both. A basic set of objects has to
remain in idmap so leave it as it is after provision. If you add the
line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
provision has already done for you) then any new user or group object
that is created will not have an entry in idmap. You are then free to
add the necessary uid/gidNumbers to AD.
>
> Another problem: just after provision, the /usr/local/samba/var/locks/sysvol/ repository is already created with particulary settings regarding the unix rights and the alc (with particulary uid/gid numbers). Must I change the (unix/acl) rights of this repository too ?
>
>> There's another thread
>> here at the moment about how or how not to do that.
Some of us have given up on winbind for idmapping. There are easier ways
to get rfc2307 from the database which keep the uid:gid consistent
independent of which DC is consulted. nss-ldapd is one of them and sssd
seems to be gaining ground because of its simplicity. I'm a strong
believer in keeping things as simple as possible. Because of this I
believe that rfc2307 stuff should always be sourced from AD and we
should not use an external idmap
> Where? I don't see it. Personally, I have never succeeded in getting "rfc2307" working, until now.
> My purpose is to have the same uid/gid numbers between 2 samba4 servers.
>
Sorry, I can't access the list archive at the moment. The thread is
called 'Some clarification?'
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Samba4 member of an another « Samba4 » domain

Rowland Penny-2
On 14/04/13 07:00, steve wrote:

> On 14/04/13 01:37, François Lafont wrote:
>> Hello,
>>
>> Le 13/04/2013 20:24, steve a écrit :
>>
>>> You still have to add the objects. Yourself!
>> Ok, if I understand, after a provision of a domain with samba-tool
>> and the "--use-rfc2307" option, samba4 can support posixaccount etc.
>> in its database, but I have to add the object class and the mandatory
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not. I
> believe that it adds the possibility of adding the uid:gid from
> windows. I've never used windows for this.
>>
>> But, after this:
>>
>> -------------------------------------------
>> samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
>>      --server-role=dc --dns-backend=SAMBA_INTERNAL
>> --adminpass='+toto123' \
>>      --use-rfc2307
>>
>> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
>> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
>>
>> # I had winbind in nsswitch.conf
>> sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1
>> winbind/g' /etc/nsswitch.conf
>>
>> samba
>> -------------------------------------------
>>
>> I have a few users and groups which are already created:
>>
>> # wbinfo -u
>> Administrator
>> Guest
>> krbtgt
>>
>> # wbinfo -g
>> Enterprise Read-Only Domain Controllers
>> Domain Admins
>> Domain Users
>> Domain Guests
>> Domain Computers
>> Domain Controllers
>> Schema Admins
>> Enterprise Admins
>> Group Policy Creator Owners
>> Read-Only Domain Controllers
>> DnsUpdateProxy
>>
>> Must I add "objectclass: posixAccount", "uid:...", uidNumber:..."
>> etc. entries for each account above?
>> And must I add "objetclass: posixGroup", "gidNumber: ..." etc.
>> entries for each group above?
> If you want to pull uid:gid from AD then you'll need to add uidNumber
> and gidNumber for users and gidNumber for groups. All users which need
> to login will need the attributes but there's no need to allocate
> gidNumber to all the groups. Many of them have no meaning in Linux.
> e.g. To begin with, just allocate a gidNumber to Domain Users. A good
> way to decide which gidNumber to allocate is to take the RID of the
> group and add, say, 20000 to keep it well away from local groups. As
> the RID of Domain Users is 513 then our gidNumber becomes 20513.
>
> For users, we allocated our first user uidNumber 3000032 to avoid
> collision with the xidnumbers which have to remain in idmap. Each
> subsequent user increments this value. It's tedious doing this by hand
> but easy to create an ldif which contains the values to add as and
> when a new user is created.
>>
>> Which uid/gid numbers should I use?
>>
>> Without "posixAccount" "uid" "uidNumber" etc. entries, the domain
>> accounts are automatically already allied to a uid number that I can
>> see with "getent passwd":
>>
>> # getent passwd Guest
>> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>>
>> uid=3000011 although I have done no change in the Guest account.
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and
> confuses the issue for many of us. If you are going to add more DC's,
> these uid:gid's  will change depending upon which DC you refer to.
> Probably (almost certainly) not what you want.
>>
>> How does Samba choose these uid/gid numbers (e.g. 3000011/3000012) and how
>> can I choose my uid/gid numbers so that there is never a conflict
>> with the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb
> There, you'll see the sids with the xidnumber that Samba has allocated
> to them. This xidnumber becomes the uid or gid depending upon whether
> the object is a user, group or both. A basic set of objects has to
> remain in idmap so leave it as it is after provision. If you add the
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
> provision has already done for you) then any new user or group object
> that is created will not have an entry in idmap. You are then free to
> add the necessary uid/gidNumbers to AD.
>>
>> Another problem: just after provision, the
>> /usr/local/samba/var/locks/sysvol/ repository is already created with
>> particular settings regarding the unix rights and the acl (with
>> particular uid/gid numbers). Must I change the (unix/acl) rights of
>> this repository too?
>>
>>> There's another thread
>>> here at the moment about how or how not to do that.
> Some of us have given up on winbind for idmapping. There are easier
> ways to get rfc2307 from the database which keep the uid:gid
> consistent independent of which DC is consulted. nss-ldapd is one of
> them and sssd seems to be gaining ground because of its simplicity.
> I'm a strong believer in keeping things as simple as possible. Because
> of this I believe that rfc2307 stuff should always be sourced from AD
> and we should not use an external idmap
>> Where? I don't see it. Personally, I have never succeeded in getting "rfc2307"
>> working, until now.
>> My purpose is to have the same uid/gid numbers between 2 samba4 servers.
>>
> Sorry, I can't access the list archive at the moment. The thread is
> called 'Some clarification?'
> Cheers,
> Steve

The main problem is, as far as I see it, that if you use winbind on the
clients, you need to use the same smb.conf on all clients to get the
same uidNumbers etc., but they will still be different from the ones on the
server. The reason? S4 winbind != S3 winbind. Using winbind I cannot see
any way round this; also you need to use rfc2307 and add the uidNumbers
etc.

My feelings are that it is time to put winbind to rest and come up with
something that pulls the info direct from AD based on the SID and use
this on the server and clients.

Rowland



Re: Samba4 member of an another « Samba4 » domain

François Lafont
In reply to this post by steve-2
Le 14/04/2013 08:00, steve a écrit :

>> Ok, if I understand, after a provision of a domain with samba-tool and
>> the "--use-rfc2307" option, samba4 can support posixaccount etc. in
>> its database, but I have to add the object class and the mandatory
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not.

Are you sure? In this case, I won't use this option.

> I
> believe that it adds the possibility of adding the uid:gid from windows.
> I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.

> If you want to pull uid:gid from AD then you'll need to add uidNumber
> and gidNumber for users and gidNumber for groups.

And "memberUid" too for groups, isn't it?

> All users which need
> to login will need the attributes but there's no need to allocate
> gidNumber to all the groups. Many of them have no meaning in Linux. e.g.
> To begin with, just allocate a gidNumber to Domain Users. A good way to
> decide which gidNumber to allocate is to take the RID of the group and
> add, say, 20000 to keep it well away from local groups. As the RID of
> Domain Users is 513 then our gidNumber becomes 20513.
>
> For users, we allocated our first user uidNumber 3000032 to avoid
> collision with the xidnumbers which have to remain in idmap.

I don't think that 3000032 is a good uidNumber because idmap seems to use the "3000000-4000000" range.

>> # getent passwd Guest
>> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
>>
>> uid=3000011 although I have done no change in the Guest account.
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and
> confuses the issue for many of us. If you are going to add more DC's,
> these uid:gid's  will change depending upon which DC you refer to.
> Probably (almost certainly) not what you want.

Absolutely. :)

>> How does Samba choose these uid/gid numbers (e.g. 3000011/3000012) and how
>> can I choose my uid/gid numbers so that there is never a conflict
>> with the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:

----------------------------------------------------
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
distinguishedName: CN=CONFIG
----------------------------------------------------

Then, I understand that idmap uses the "3000000-4000000" range to assign xidNumber to the users and groups.

> There, you'll see the sids with the xidnumber that Samba has allocated
> to them. This xidnumber becomes the uid or gid depending upon whether
> the object is a user, group or both. A basic set of objects has to
> remain in idmap so leave it as it is after provision. If you add the
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
> provision has already done for you) then any new user or group object
> that is created will not have an entry in idmap. You are then free to
> add the necessary uid/gidNumbers to AD.

Yes, indeed:

----------------------------------------------------
# grep 'rfc' /usr/local/samba/etc/smb.conf
        idmap_ldb:use rfc2307 = yes

# samba
# samba-tool user add test4 "test4"
User 'test4' created successfully

# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106

# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals
----------------------------------------------------

But after this:

----------------------------------------------------
# getent passwd test4
CHEZMOI\test4:*:3000019:100::/home/CHEZMOI/test4:/bin/false
----------------------------------------------------

the idmap entry is automatically created:

----------------------------------------------------
# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# record 1
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
type: ID_TYPE_BOTH
xidNumber: 3000019
distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
----------------------------------------------------

I have noticed that I have exactly the same behavior without the "idmap_ldb:use rfc2307 = yes" option. Then, I don't see exactly the meaning of this option...

> Sorry, I can't access the list archive at the moment. The thread is
> called 'Some clarification?'

Ok, I see.

Thanks a lot for your explanations Steve. It's become clearer in my mind. :)

--
François Lafont
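As an added example (not from the thread, and not Samba's own code), here is a small Python helper that applies Steve's "RID + 20000" scheme from his earlier reply, checks the proposed number against the idmap.ldb lowerBound/upperBound range François printed above (so a value like 3000032 is rejected), and emits an LDIF that could be fed to ldbmodify. The DNs under DC=chezmoi,DC=priv and the Domain Users SID are constructed from the realm and the test4 objectSid shown in the thread.

```python
import re

# Constructed from the `ldbsearch --url=.../idmap.ldb cn=config` output in the thread.
IDMAP_CONFIG = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
"""
# Domain SID prefix copied from test4's objectSid in the thread; RID 513 is Domain Users.
DOMAIN_USERS_SID = "S-1-5-21-3840058276-1254623269-3939424142-513"
TEST4_SID = "S-1-5-21-3840058276-1254623269-3939424142-1106"

def parse_idmap_bounds(ldb_output):
    """Return (lowerBound, upperBound) from the idmap.ldb CONFIG record text."""
    attrs = dict(re.findall(r"^(lowerBound|upperBound): *(\d+)$", ldb_output, re.M))
    return int(attrs["lowerBound"]), int(attrs["upperBound"])

def rid_of(sid):
    """The RID is the last sub-authority of a SID (...-513 -> 513)."""
    return int(sid.rsplit("-", 1)[1])

def xid_from_rid(sid, offset=20000):
    """Steve's scheme: RID plus a fixed offset (Domain Users 513 -> 20513)."""
    return rid_of(sid) + offset

def check_xid(xid, bounds):
    """Refuse a uid/gidNumber that idmap.ldb could also allocate (3000032 would be)."""
    lower, upper = bounds
    if lower <= xid <= upper:
        raise ValueError(f"{xid} lies inside the idmap range {lower}-{upper}")
    return xid

def rfc2307_ldif(dn, uid_number=None, gid_number=None):
    """Build an LDIF 'modify' record adding uidNumber and/or gidNumber to an AD object."""
    lines = [f"dn: {dn}", "changetype: modify"]
    if uid_number is not None:
        lines += ["add: uidNumber", f"uidNumber: {uid_number}", "-"]
    if gid_number is not None:
        lines += ["add: gidNumber", f"gidNumber: {gid_number}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    bounds = parse_idmap_bounds(IDMAP_CONFIG)
    gid = check_xid(xid_from_rid(DOMAIN_USERS_SID), bounds)   # 20513
    uid = check_xid(xid_from_rid(TEST4_SID), bounds)          # 21106
    print(rfc2307_ldif("CN=test4,CN=Users,DC=chezmoi,DC=priv", uid, gid))
```

The generated LDIF is what you would pass to `ldbmodify -H /usr/local/samba/private/sam.ldb`; the range check is the step that keeps AD-sourced numbers from ever colliding with the xidNumbers idmap keeps for the built-in objects.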