
[Samba] Having problem with RID backend - must be missing something

Greetings, 

I am currently using Samba 4.8.5 as an AD DC on one server, working great! I am also using 4.8.5 on another server joined as a member server, and I'm trying to configure the RID idmap backend. I believe I have the settings correct, but when I try to access a share on the server from a joined Windows machine I am getting prompted for credentials.

Here is my config on the DC: 

#> cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SBS-DC1
realm = CUSTOMER.LOCAL
server role = active directory domain controller
workgroup = CUSTOMER
dns forwarder = 8.8.8.8

[netlogon]
path = /var/locks/sysvol/customer.local/scripts
read only = No

[sysvol]
path = /var/locks/sysvol
read only = No

Here is my config on the File Server:

#> cat /etc/samba/smb.conf
[global]

   netbios name = fs1
   workgroup = CUSTOMER
   security = ADS
   realm = CUSTOMER.LOCAL
#  dedicated keytab file = /etc/krb5.keytab
#  kerberos method = secrets and keytab

   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config CUSTOMER:backend = rid
   idmap config CUSTOMER:range = 10000-999999

   winbind nss info = template
   template shell = /bin/false
   template homedir = /home/%U

#  winbind trusted domains only = no
#  winbind use default domain = yes
#  winbind enum users  = yes
#  winbind enum groups = yes
#  winbind refresh tickets = Yes

   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

[Shared]
   writeable = yes
   path = /server/shared

[AdminOnly]
   writeable = yes
   path = /server/adminonly

The Kerberos items I just commented out to test, and the same with the winbind lines. With them not commented out, the results are the same.

Another piece of the puzzle is that I had this configured and working with the AD backend, but I wanted to try to set it up a little simpler so that I don't have to select Unix attributes every time I create a new user. Because of this, some of my users already have the Unix attributes assigned to them in AD. The one that I am testing with (that is asking for credentials) does not. In fact, the behavior I am seeing is identical to that of having created a new user and forgotten to add the Unix attributes. The result is no access to the file server shares.

Some background: there is only ever going to be one file server in this setup and one or two domain controllers, but all running Samba 4. No network users are ever going to log into the Linux servers; they will all be Windows users accessing file shares. Samba was compiled from source; the only change on the file server compile was that I included --without-ad-dc.

I tried to follow the wiki on "Setting up Samba as a Domain Member".

I hope I have included enough information for someone to go "Ah Ha!" and know exactly what is wrong with my setup here.

Thanks in advance, 
Rich

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
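The following is an added example, not part of the original post and not Samba's own code. It parses the "idmap config" lines from a domain-member smb.conf like the one above, checks that the ranges are complete and do not overlap, and computes the Unix ID that the idmap_rid backend derives for a given SID, which is what a practitioner compares against `wbinfo -S <SID>` or `id <user>` on the member server to see whether a user is mappable at all. It assumes Samba's documented idmap_rid formula (ID = RID - base_rid + low_range, base_rid defaulting to 0); the domain SID used below is a constructed placeholder, not the poster's.

```python
"""Added example (not from the original post or from Samba itself): parse
the 'idmap config' lines of a domain-member smb.conf, sanity-check the
ranges, and compute the Unix ID that the idmap_rid backend derives for a
given SID.

Assumptions: idmap_rid uses ID = RID - base_rid + low_range with base_rid
defaulting to 0 (Samba's documented formula); DOMAIN_SID is a constructed
placeholder, not a real domain SID.
"""
import re

# Constructed sample: the idmap lines from the poster's file-server config.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = CUSTOMER
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 3000-7999
   idmap config CUSTOMER:backend = rid
   idmap config CUSTOMER:range = 10000-999999
"""

# Constructed placeholder; on a real member server use `net getdomainsid`.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^\s:]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)


def parse_idmap_config(text):
    """Return {DOMAIN: {option: value}} for every active 'idmap config' line.

    Commented-out lines ('#' or ';') and unrelated parameters are skipped;
    domain names are upper-cased because winbind treats them case-insensitively.
    """
    cfg = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = m.group("val")
    return cfg


def parse_range(value):
    """'LOW-HIGH' -> (low, high); rejects malformed or inverted ranges."""
    try:
        low, high = (int(part) for part in value.split("-"))
    except ValueError:
        raise ValueError(f"malformed range {value!r}") from None
    if low >= high:
        raise ValueError(f"inverted range {value!r}")
    return low, high


def validate_idmap(cfg):
    """Return a list of problems; an empty list means the idmap block is consistent."""
    problems = []
    if "*" not in cfg:
        problems.append("missing 'idmap config *' default backend/range")
    ranges = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend")
        if "range" not in opts:
            problems.append(f"{dom}: no range")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Ranges must not overlap, otherwise one Unix ID could stand for two SIDs.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                problems.append(f"ranges of {a} and {b} overlap")
    return problems


def rid_to_unix_id(cfg, domain, domain_sid, sid):
    """Unix ID idmap_rid derives for `sid`, or None if it falls outside the range.

    Raises ValueError if `domain` is not on the rid backend or if `sid` belongs
    to another domain (those SIDs are handled by the '*' backend instead).
    A None result means winbind cannot map the account, so share access fails.
    """
    opts = cfg.get(domain.upper(), {})
    if opts.get("backend", "").lower() != "rid":
        raise ValueError(f"{domain} is not using the rid backend")
    if not sid.startswith(domain_sid + "-"):
        raise ValueError(f"{sid} is not in domain {domain}")
    low, high = parse_range(opts["range"])
    base_rid = int(opts.get("base_rid", 0))  # idmap_rid option, default 0
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    print("problems:", validate_idmap(cfg) or "none")
    for rid in (513, 1105, 990000):  # Domain Users, a typical first user, out of range
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", rid_to_unix_id(cfg, "CUSTOMER", DOMAIN_SID, sid))
```

On a live member server the same mapping can be confirmed with `wbinfo -n 'CUSTOMER\user'` (name to SID) followed by `wbinfo -S <SID>` (SID to UID); if the computed ID and winbind's answer differ, or winbind returns nothing, the idmap configuration is not what the file server is actually running with.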