Re: [Samba] The problem with setting up AD domain to Samba 4


Vladimir A Fomkin

Jun 17, 2013, 2:57:16 AM
Good day!
What is "DN"?

smb.conf on PDC:
root@debian-samba4:/usr/local/samba/etc# cat smb.conf
# Global parameters
[global]
workgroup = TEST
realm = TEST.LOCAL
netbios name = DEBIAN-SAMBA4
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/test.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No
root@debian-samba4:/usr/local/samba/etc#

smb.conf on BDC:
root@bdc-samba:/usr/local/samba/etc# cat ./smb.conf
# Global parameters
[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/test.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No
root@bdc-samba:/usr/local/samba/etc#

2013/6/14 steve <st...@steve-ss.com>

> On Fri, 2013-06-14 at 18:05 +0400, Vladimir A Fomkin wrote:
> > Hello Marc!
> > Thank you for response!
> > I added this string in smb.conf on PDC and BDC, but after sync BDC again
> do
> > not give access. I see UID for files created for one user via PDC -
> 3000022
> > and via BDC - 3000019
>
> Hi
> Make sure that you have the rfc2307 line in both the DC's. Add:
> uidNumber: 3000022
> to the DN of the user on one of the DC's. Wait a few minutes. Now
> create a file. It will have uid 3000022 no matter which DC is consulted.
> HTH
> Steve

--
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

steve

Jun 17, 2013, 4:12:04 AM
On 17/06/13 08:57, Vladimir A Fomkin wrote:
> Good day!
> What is "DN"?

> Hi
> Make sure that you have the rfc2307 line in both the DC's. Add:
> uidNumber: 3000022
> to the the DN of the user on one of the DC's. Wait a few minutes. Now
> create a file. It will have uid 3000022 no matter which DC is consulted.
> HTH
> Steve

Hi
DN is LDAP for Distinguished Name

e.g. a user could have an entry in the directory:
dn: CN=vladimir, CN=Users,DC=samba,DC=com

just add:
uidNumber: 3000022
somewhere for that user. The easiest way to do that so that you can
understand what's happening, is to add it like this:

ldbedit --url=/usr/local/samba/private/sam.ldb CN=vladimir

That will use vi. If you don't know vi, use your favourite editor (e.g.
let's say it's called 'yfe') instead:

ldbedit -e yfe --url=/usr/local/samba/private/sam.ldb CN=vladimir

steve

Jun 17, 2013, 6:27:38 AM
Hi
Just try adding the user anyway and let's see what happens:

samba-rool user add tester4

steve

Jun 17, 2013, 6:29:29 AM
On Mon, 2013-06-17 at 12:27 +0200, steve wrote:
> Hi
> Just try adding the user anyway and let's see what happens:
>
> samba-rool user add tester4
>

*
samba-tool
sorry

Vladimir A Fomkin

Jun 17, 2013, 6:50:35 AM
Hi!
root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
New Password:
Retype Password:
ERROR(ldb): Failed to add user 'tester4': - samldb: Account name
(sAMAccountName) 'tester4' already in use!
root@bdc-samba:~#

2013/6/17 steve <st...@steve-ss.com>

> Hi
> Just try adding the user anyway and let's see what happens:
>
> samba-rool user add tester4
>
>

--
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru

Vladimir A Fomkin

Jun 17, 2013, 7:22:07 AM
Hi!
All users created from windows exist here!

root@bdc-samba:~# /usr/local/samba/bin/samba-tool user list
tester4
vaf
tester
tester2
tester3
Administrator
krbtgt
Guest
root@bdc-samba:~#

2013/6/17 Vladimir A Fomkin <v...@vaf.net.ru>

steve

Jun 17, 2013, 7:38:37 AM
On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> HI!
> root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> New Password:
> Retype Password:
> ERROR(ldb): Failed to add user 'tester4': - samldb: Account name
> (sAMAccountName) 'tester4' already in use!
> root@bdc-samba:~#


Hi
ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4

Vladimir A Fomkin

Jun 17, 2013, 8:06:11 AM
Hi!

root@debian-samba4:/usr/local/samba/private# /usr/local/samba/bin/ldbsearch
--url=/usr/local/samba/private/sam.ldb | grep tester4
sAMAccountName: tester4
userPrincipalName: tes...@test.local
root@debian-samba4:/usr/local/samba/private#


And I found where the UID is saved: /usr/local/samba/bin/ldbedit
--url=/usr/local/samba/private/idmap.ldb
On the PDC it shows (cut):
# record 7
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 3000023
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

On the BDC it shows (cut):
# record 5
dn: CN=S-1-5-21-3451120384-2816699473-3647757164-1110
cn: S-1-5-21-3451120384-2816699473-3647757164-1110
objectClass: sidMap
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 3000020
distinguishedName: CN=S-1-5-21-3451120384-2816699473-3647757164-1110

SID is the same, but the UID is different!

2013/6/17 steve <st...@steve-ss.com>

> On Mon, 2013-06-17 at 14:50 +0400, Vladimir A Fomkin wrote:
> > HI!
> > root@bdc-samba:~# /usr/local/samba/bin/samba-tool user add tester4
> > New Password:
> > Retype Password:
> > ERROR(ldb): Failed to add user 'tester4': - samldb: Account name
> > (sAMAccountName) 'tester4' already in use!
> > root@bdc-samba:~#
>
>
> Hi
> ldbsearch --url=/usr/local/samba/private/sam.ldb | grep tester4
>
>
>
>


--
Best regards,
Фомкин Владимир Андреевич
ICQ:220967838
Skype:vladimir.fomkin
http://vaf.net.ru
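Added example, not code from the thread: given cut idmap.ldb records from both DCs in the format shown above, this script parses them and lists every SID whose xidNumber differs between the DCs, which is exactly the mismatch the post reports. The two dumps are constructed; the -1110 record reuses the values quoted above, the -513 record is made up.

```python
import re  # added example, not thread code: compare idmap.ldb dumps from two DCs

# Constructed dumps (cut, as in the thread) in the record format ldbedit prints.
PDC_DUMP = """\
# record 7
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 3000023

# record 8
objectSid: S-1-5-21-3451120384-2816699473-3647757164-513
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
BDC_DUMP = """\
# record 5
objectSid: S-1-5-21-3451120384-2816699473-3647757164-1110
type: ID_TYPE_BOTH
xidNumber: 3000020

# record 6
objectSid: S-1-5-21-3451120384-2816699473-3647757164-513
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def parse_idmap(text):
    """Map objectSid -> xidNumber from an LDIF-style idmap.ldb dump."""
    mapping = {}
    for block in re.split(r"\n\s*\n", text.strip()):  # records are blank-line separated
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and non-attribute lines
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def find_divergent_sids(dump_a, dump_b):
    """Return {sid: (xid_on_a, xid_on_b)} for SIDs mapped differently (or missing on one DC)."""
    a, b = parse_idmap(dump_a), parse_idmap(dump_b)
    return {sid: (a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)}

if __name__ == "__main__":
    for sid, (xa, xb) in find_divergent_sids(PDC_DUMP, BDC_DUMP).items():
        print(f"{sid}: PDC xid {xa} != BDC xid {xb}")
```

Any SID it reports will own files under different UIDs depending on which DC allocated the mapping; that is what a replicated uidNumber in AD avoids.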

Vladimir A Fomkin

Jun 19, 2013, 4:59:03 AM
Hi!
I tried to change the idmap backend from tdb to rid and set up an idmap
range, but samba still uses the old type of UIDs.
What am I doing wrong?


[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102

idmap config TEST:backend = rid
idmap config TEST:range = 4000000 - 5000000
idmap config TEST:schema_mode = rfc2307
idmap config *:backend = rid

root@bdc-samba:~# /usr/local/samba/bin/testparm -sv
/usr/local/samba/etc/smb.conf | grep backend
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
passdb backend = samba_dsdb
idmap backend = tdb
share backend =
idmap config TEST:backend = rid
idmap config * : backend = rid
root@bdc-samba:~#

2013/6/17 Vladimir A Fomkin <v...@vaf.net.ru>

> Hi!

Rowland Penny

Jun 19, 2013, 5:34:38 AM
The problem is that you are mixing up how samba 4 works with how samba 3
works; samba 4 winbind does not work the same as the samba 3 winbind.
What you need to do is give your linux users a uidNumber and groups like
Domain Users a gidNumber. How you do this is up to you; it can be done from
windows (ADUC?) or by using an ldif on linux, try a web search.
You then need to extract this information on the linux clients. You can use
winbind, but do not use the rid backend. If you do use the rid backend,
whilst you will get the same UID for a user on any linux client that uses
the exact same winbind settings, you will never get the same UID on the
server. Using the ad backend will get you the same UID wherever you ask
for it, but in my opinion it is not the way to go; try using sssd, it is a lot
easier to set up.

Rowland

steve

Jun 19, 2013, 5:42:20 AM
On Wed, 2013-06-19 at 12:59 +0400, Vladimir A Fomkin wrote:
> Hi!
>
> I tried to change the idmap backend from tdb to rid and set up an idmap
> range, but samba still uses the old type of UIDs.
> What am I doing wrong?
>
>
> [global]
> workgroup = TEST
> realm = test.local
> netbios name = BDC-SAMBA
> server role = active directory domain controller
> dns forwarder = 192.168.1.102
> idmap config TEST:backend = rid
> idmap config TEST:range = 4000000 - 5000000
> idmap config TEST:schema_mode = rfc2307
> idmap config *:backend = rid
>
>
Change to this:
[global]
workgroup = TEST
realm = test.local
netbios name = BDC-SAMBA
server role = active directory domain controller
dns forwarder = 192.168.1.102
idmap_ldb:use rfc2307 = yes
Good. Now delete the whole of BOTH these entries:
ldbedit --url=/usr/local/samba/private/idmap.ldb

Now delete tester4:
samba-tool user delete tester4

Now add the user tester4:
samba-tool user add tester4

wbinfo -i tester4
(I don't have tester4 so I'll use steve2 as an example)

wbinfo -i steve2
HH3\steve2:*:3000021:20513::/home/HH3/steve2:/bin/false

Note the uid 3000021

Now, we add
uidNumber: 3000021
to AD:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=steve2
# editing 1 records
# record 1
dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountName: steve2
sAMAccountType: 805306368
userPrincipalName: ste...@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130149196210000000
userAccountControl: 66048
accountExpires: 0
uidNumber: 3000021
<snip>

Now:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

and edit /etc/nsswitch.conf

passwd: files winbind
group: files winbind

Test it:
getent passwd steve2
steve2:*:3000021:20513:steve2:/home/users/steve2:/bin/bash

login as steve2 and create a file:
su steve2
touch /tmp/somefile
ls -l somefile
-rw-r--r-- 1 steve2 Domain Users 0 Jun 19 11:41 somefile

HTH
Steve

steve

Jun 19, 2013, 5:54:26 AM
On Wed, 2013-06-19 at 10:34 +0100, Rowland Penny wrote:
> The problem is that you are mixing up how samba 4 works with how samba
> 3 works, samba 4 winbind does not work the same as the samba 3
> winbind.
>
> What you need to do is give your linux users a uidNumber and groups
> like Domain Users a gidNumber, how you do this is up to you, it can be
> done from windows (ADUC?) or by using an ldif on linux, try a web
> search.
>
> You then need to extract this information on the linux clients, you
> can use winbind, but do not use the rid backend. If you do use the rid
> backend, whilst you will get the same UID for a user on any linux
> client that uses the exact same winbind settings, you will never get
> the same UID on the server. Using the ad backend will get you the
> same UID wherever you ask for it, but in my opinion is not the way
> to go, try using sssd, it is a lot easier to set up.
>
>
> Rowland
>

Hi Rowland
From what I can work out from the posts, the OP is trying to do this on
a DC. What I find difficult to get across is the idea of storing stuff
in AD. In cases such as these I really can't see any other way to go.
The OP's idmap is really screwed up. I've had a go via the DC winbind
and the only way I could go with this was to delete the idmap entries
and start again. This is in the other post about an hour or so ago, if
you have any easier way. . .
Cheers,

Rowland Penny

Jun 19, 2013, 6:07:11 AM
Hi Steve, yes I agree with you. The problem is that people still try to set
up an S4 AD server as if it were S3; this will never work.
What people need to realise is that an S4 AD server is for all intents and
purposes a windows AD server clone and to set it up the same

It might be easier for the OP to reprovision again and start with a blank
slate and this time do some searching on 'how do I connect a linux client
to a windows server'

Rowland