• [Samba] Problem with adding a Samba Member Server to a Samba AD Do

    From Rowland Penny via samba@21:1/5 to samba@lists.samba.org on Sat Mar 18 10:50:01 2017
    On Sat, 18 Mar 2017 07:48:27 +0100
    Stefan Schäfer via samba <samba@lists.samba.org> wrote:

    > Hi List,
    >
    > I found some threads here in the list with similar problems, but
    > nothing helped to solve my problem.
    >
    > We have a very much too old Samba DC (Version 4.1.x) and a new Samba
    > 4.5.6 which should act as a member server.

    Don't suppose you can update the DC to a newer Samba version?

    > smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
    > Enter administrator@baettenhausen.local's password:
    > session setup failed: NT_STATUS_LOGON_FAILURE

    You should be able to fix this by adding this line to smb.conf:

    username map = /etc/samba/user.map

    Then create the user.map:

    nano /etc/samba/user.map
    !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator Administrator administrator

    > Here the krb5.conf

    You only need:

    [libdefaults]
    default_realm = BAETTENHAUSEN.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true

    If your TLD really is '.local' turn off Avahi on the domain member

    Rowland

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Stefan Schäfer via@21:1/5 to All on Sat Mar 18 13:30:02 2017
    On 18.03.2017 at 10:43, Rowland Penny via samba wrote:
    > On Sat, 18 Mar 2017 07:48:27 +0100
    > Stefan Schäfer via samba <samba@lists.samba.org> wrote:
    >
    >> Hi List,
    >>
    >> I found some threads here in the list with similar problems, but
    >> nothing helped to solve my problem.
    >>
    >> We have a very much too old Samba DC (Version 4.1.x) and a new Samba
    >> 4.5.6 which should act as a member server.
    >
    > Don't suppose you can update the DC to a newer Samba version?

    I know, I have to....

    >> smbclient -L 127.0.0.1 -U administrator@baettenhausen.local
    >> Enter administrator@baettenhausen.local's password:
    >> session setup failed: NT_STATUS_LOGON_FAILURE
    >
    > You should be able to fix this by adding this line to smb.conf:
    >
    > username map = /etc/samba/user.map
    >
    > Then create the user.map:
    >
    > nano /etc/samba/user.map
    > !root = BAETTENHAUSEN\Administrator BAETTENHAUSEN\administrator Administrator administrator

    This works for the Administrator account, but I have this problem with
    all users.
    It's a user mapping problem?

    >> Here the krb5.conf
    >
    > You only need:
    >
    > [libdefaults]
    > default_realm = BAETTENHAUSEN.LOCAL
    > dns_lookup_realm = false
    > dns_lookup_kdc = true

    I tested this before, makes no difference.

    > If your TLD really is '.local' turn off Avahi on the domain member

    Avahi isn't running.

    > Rowland

    Stefan

  • From Rowland Penny via samba@21:1/5 to samba@lists.samba.org on Sat Mar 18 13:40:01 2017
    On Sat, 18 Mar 2017 13:23:29 +0100
    Stefan Schäfer via samba <samba@lists.samba.org> wrote:


    > This works for the Administrator account, but I have this problem
    > with all users.
    > It's a user mapping problem?

    You are using the winbind 'ad' backend. Have you given Domain Users a
    gidNumber attribute containing a number inside the '500-30000' range?
    (by the way, this range isn't a good idea, no space for ANY local Unix
    users).

    Have you also given your users a uidNumber attribute containing a
    unique number inside the same range?

    Rowland
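
The ID-mapping questions in the message above, written as a check; this is an added example, not part of the original thread and not Samba project code. The smb.conf fragment, the account list and the local UID table are constructed for illustration; only the 500-30000 range and the domain name come from the thread.

```python
import re
from collections import Counter

# Constructed smb.conf fragment; only the range and domain name come from the thread.
SMB_CONF = """
[global]
    idmap config * : range = 40000-49999
    idmap config BAETTENHAUSEN : backend = ad
    idmap config BAETTENHAUSEN : range = 500-30000
"""
# Constructed accounts: (sAMAccountName, uidNumber, primary group gidNumber).
AD_USERS = [
    ("alice", 10001, 10000),
    ("bob", 10002, 10000),
    ("carol", None, 10000),    # attribute never set
    ("dave", 31000, 10000),    # above the configured range
    ("erin", 1000, 10000),     # same number as a local account
    ("frank", 10002, 10000),   # reuses bob's uidNumber
    ("grace", 10003, None),    # primary group has no gidNumber
]
LOCAL_UIDS = {0: "root", 1000: "localadmin"}  # constructed /etc/passwd excerpt

def idmap_range(conf, domain):
    """Return (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)"
    m = re.search(pat, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))

def audit(users, low, high, local_uids):
    """Return {account: reason} for accounts that fail the uidNumber/gidNumber checks."""
    seen = Counter(uid for _, uid, _ in users if uid is not None)
    problems = {}
    for name, uid, gid in users:
        if uid is None or gid is None:
            problems[name] = "missing uidNumber or gidNumber"
        elif not (low <= uid <= high and low <= gid <= high):
            problems[name] = "ID outside idmap range"
        elif seen[uid] > 1:
            problems[name] = "uidNumber not unique"
        elif uid in local_uids:
            problems[name] = f"overlaps local user {local_uids[uid]}"
    return problems

if __name__ == "__main__":
    low, high = idmap_range(SMB_CONF, "BAETTENHAUSEN")
    for name, reason in audit(AD_USERS, low, high, LOCAL_UIDS).items():
        print(f"{name}: {reason}")
```

The "erin" case is the one behind the remark that the range leaves no space for local Unix users: a domain uidNumber equal to a local UID gives two different identities the same numeric owner on the filesystem.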

  • From Stefan Schäfer via@21:1/5 to All on Sat Mar 18 14:30:02 2017
    Got it!

    There was "pam-32bit" installed on the server but without "/lib/security/pam_winbind.so". Removing pam-32bit was the solution.

    Thanks for your help Rowland.

    Stefan

