[Samba] after classicupgrade

Rowland Penny rpenny at samba.org
Thu Aug 11 09:19:50 UTC 2016


On Thu, 11 Aug 2016 10:36:57 +0200
Pisch Tamás via samba <samba at lists.samba.org> wrote:

> Hi,
> 
> I have Samba 4.2.10 server with NT4 configuration, with ldap backend
> on Debian Jessie, and I want to upgrade it to AD. I test it now in
> virtual environment. The classicupgrade was successful.
> getent passwd username
> and
> chown "username:Domain Users" test.txt
> didn't work with this nsswitch.conf:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> , so I changed ldap to winbind. Now the two above commands work, but
> the local login delays some seconds. Which nss setup is better: ldap,
> or winbind? 

It isn't a case of which is better, it is a case of which will work ;-)
You need to use 'winbind' with AD. You also need to remove 'winbind'
from the shadow line.

> Ldap doesn't work perfectly, because I cannot use
> ldapsearch: ldapsearch -xLL -H ldap://localhost:389 -D
> "cn=Administrator,dc=Users,dc=our,dc=site" -b "dc=our,dc=site"
> ldap_bind: Strong(er) authentication required(8)
>        additional info: BindSimple: transport encryption required.

This has nothing to do with ldap, there was a rather major update to do
with stopping man-in-the-middle attacks, see here:

https://www.samba.org/samba/history/samba-4.2.11.html

Yes, I know that's for 4.2.11, but that is what you actually have.

Temporarily, you can set 'ldap server require strong auth = no' in
smb.conf whilst reading up on using ssl with your ldap searches.

> smb.conf:
> [global]
> workgroup = OUR
> realm = our.site
> interfaces = lo eth0
> bind interfaces only = yes
> server role = active directory domain controller
> passdb backend = samba_dsdb
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain =yes
> dns forwarder = 208.67.222.222
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = enabled
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config our : range = 10000-100000
> idmap config our : backend = ad
> idmap config * : range = 1000000-1999999
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = no
> map readonly = no
> store dos attributes = yes
> vfs objects = dfs_samba4 acl_xattr
> 
> [netlogon]
> path= /var/lib/samba/sysvol/perczelmor.site/scripts
> read only = no
> 
> [sysvol]
> path= /var/lib/samba/sysvol
> read only =  no

Can I suggest you remove the lines you added to smb.conf; they will not
do anything, or are defaults, or will make things worse.
Then add the line I suggested above.


> 
> /etc/ldap/ldap.conf:
> host 127.0.0.1
> base dc=our,dc=site
> logdir /var/lib/ldap/log
> TLS_REQCERT hard
> TLS_CACERT /etc/ssl/certs/cacert.pem
> 
> I tried to integrate winbind login into pam according to this:
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but it
> didn't work.
> 

If you have these packages installed: libpam-krb5 libpam-winbind
libnss-winbind
You shouldn't have to do anything else.

Rowland
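As an added illustration of the two points in the reply (passwd/group through winbind with winbind removed from the shadow line, and doing the ldapsearch over TLS rather than turning off 'ldap server require strong auth'), the following script is not from the thread or the Samba project; the hostnames, bind DN and certificate path in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. It checks an nsswitch.conf against
# the reply's advice (passwd/group via winbind, shadow without winbind) and
# shows an ldapsearch form that keeps the 4.2.11 strong-auth default by
# wrapping the simple bind in StartTLS. Hostnames, DNs and paths are assumptions.

# check_nsswitch FILE: returns 0 when FILE matches the reply's advice, 1 otherwise.
check_nsswitch() {
    f=$1
    rc=0
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f"; then
            echo "$db: line must include winbind" >&2
            rc=1
        fi
    done
    if grep -Eq '^[[:space:]]*shadow:.*[[:space:]]winbind([[:space:]]|$)' "$f"; then
        echo "shadow: remove winbind from this line" >&2
        rc=1
    fi
    return $rc
}

# ad_ldapsearch BASE [FILTER...]: simple bind protected by StartTLS (-ZZ fails
# closed if TLS cannot be negotiated), so 'ldap server require strong auth' can
# stay at its default instead of being set to 'no'. The DC's CA certificate
# (/var/lib/samba/private/tls/ca.pem on a self-signed setup, assumed here) must
# be trusted via TLS_CACERT in ldap.conf; the bind DN is an assumption too.
ad_ldapsearch() {
    base=$1; shift
    ldapsearch -xLLL -ZZ -H ldap://localhost:389 \
        -D "cn=Administrator,cn=Users,dc=our,dc=site" -W -b "$base" "$@"
}

# Constructed samples: the poster's ldap-based file and the corrected winbind one.
NSS_LDAP=$(mktemp)
printf 'passwd: files ldap\ngroup: files ldap\nshadow: files ldap\n' > "$NSS_LDAP"
NSS_WINBIND=$(mktemp)
printf 'passwd: files winbind\ngroup: files winbind\nshadow: files\n' > "$NSS_WINBIND"

if check_nsswitch "$NSS_LDAP" 2>/dev/null; then echo "ldap file: ok"; else echo "ldap file: needs changes"; fi
if check_nsswitch "$NSS_WINBIND"; then echo "winbind file: ok"; else echo "winbind file: needs changes"; fi
```

Run the check against the real /etc/nsswitch.conf after the upgrade; ad_ldapsearch is only invoked by hand once the DC's CA is in TLS_CACERT.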
