[Samba] Using winbindd socket directory for multiple domains

Alex Yoon alexyuyoon at gmail.com
Tue Jan 30 19:00:50 UTC 2024


Hello

We have a setup on Ubuntu to join multiple AD domains and authenticate
using ntlm_auth with FreeRADIUS. Since there are multiple AD domains
involved, we were using the "WINBINDD_SOCKET_DIR" environment variable to
use the correct cache directory for each domain.

Everything looks fine and all worked when using samba 4.7.9 running on
Ubuntu 16.04.

Now, we're upgrading to the latest 4.19.3 on Ubuntu 20.04 and having
trouble making that work correctly.

The package we used is from
"https://launchpad.net/~linux-schools/+archive/ubuntu/samba-latest".

As an example, we joined 2 ADs successfully with 2 different smb
configuration files.
- smb.domainA.com
- smb.domainB.com

The winbindd is running
/usr/sbin/winbindd --foreground --configfile=/opt/nac/radius/raddb/smb.domainA.com
/usr/sbin/winbindd --foreground --configfile=/opt/nac/radius/raddb/smb.domainB.com

The smb.domainA.com looks like this.
[global]
   log level = 3
   workgroup = DOMAINA
   security = ads
   password server = 10.54.20.12
   realm = DOMAINA.COM
   netbios name = nac20180
   ntlm auth = no
   log file = /var/log/samba/log.%m
   max log size = 50
;   passdb backend = tdbsam
   interfaces = 10.54.20.180/255.255.255.0
   allow trusted domains = yes
   winbind use default domain = no
   winbind nested groups = yes
   winbind separator = +
   winbind cache time = 3600
   winbind enum users = yes
   winbind enum groups = yes

   rpc start on demand helpers = false
   pid directory = /var/run/smb.domainA.com
   lock directory = /var/cache/smb.domainA.com
   private dir = /var/cache/smb.domainA.com
   state directory = /var/cache/smb.domainA.com
   winbindd socket directory = /var/cache/smb.domainA.com

and smb.domainB.com looks like this.
[global]
   log level = 3
   workgroup = DOMAINB
   security = ads
   password server = 10.54.27.51
   realm = DOMAINB.COM
   netbios name = nac20180
   ntlm auth = no
   log file = /var/log/samba/log.%m
   max log size = 50
;   passdb backend = tdbsam
   interfaces = 10.54.20.180/255.255.255.0
   allow trusted domains = yes
   winbind use default domain = no
   winbind nested groups = yes
   winbind separator = +
   winbind cache time = 3600
   winbind enum users = yes
   winbind enum groups = yes

   rpc start on demand helpers = false
   pid directory = /var/run/smb.domainB.com
   lock directory = /var/cache/smb.domainB.com
   private dir = /var/cache/smb.domainB.com
   state directory = /var/cache/smb.domainB.com
   winbindd socket directory = /var/cache/smb.domainB.com

/var/log/samba/log.winbindd does seem to run okay and is adding/updating both
domains in the appropriate cache directory.

The problem is that when using 'env WINBINDD_SOCKET_DIR' to run wbinfo
(or ntlm_auth) command, it's failing to find the winbindd. I can
confirm that the socket directories for both domains are updated /
created / etc properly as far as I can tell.

Examples of failure:
/usr/bin/env WINBINDD_SOCKET_DIR=/var/cache/smb.domainA.com/ /usr/bin/wbinfo -u

could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

/usr/bin/env WINBINDD_SOCKET_DIR=/var/cache/smb.domainB.com/ /usr/bin/wbinfo -p

Ping to winbindd failed
could not ping winbindd!

/usr/bin/env WINBINDD_SOCKET_DIR=/var/cache/smb.domainA.com/ \
    /usr/bin/ntlm_auth --configfile=/opt/nac/radius/raddb/smb.domainA.com \
    --request-nt-key --username=ntlmpeap --domain=DOMAINA.COM \
    --password=Password

interpret_interface: Adding interface 10.54.20.180/255.255.255.0
added interface 10.54.20.180/25 ip=10.54.20.180 bcast=10.54.20.255 netmask=255.255.255.0
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
interpret_interface: Adding interface 10.54.20.180/255.255.255.0
added interface 10.54.20.180/25 ip=10.54.20.180 bcast=10.54.20.255 netmask=255.255.255.0
lp_load_ex: refreshing parameters
Initialising global parameters
Processing section "[global]"
interpret_interface: Adding interface 10.54.20.180/255.255.255.0
added interface 10.54.20.180/25 ip=10.54.20.180 bcast=10.54.20.255 netmask=255.255.255.0
could not obtain winbind separator!
Reading winbind reply failed! (0x01)
:  (0x0)

Looking for some solution / suggestion or anything. Would be much appreciated!

Thank you!
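
Added example, not part of the original post and not Samba's own code: a pre-flight check for the multi-instance layout described above. It parses each instance's [global] section, reports any directory that two instances would share, and classifies a socket directory as the calling user sees it. The function names are hypothetical, and the ownership rule in socket_status is an assumption about how winbind clients validate the directory.

```python
import os
import stat

# Path parameters that the post sets per instance.
DIR_KEYS = ("pid directory", "lock directory", "private dir",
            "state directory", "winbindd socket directory")

def parse_global(text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def shared_paths(instances):
    """Map each directory used by more than one instance to those instances."""
    owners = {}
    for name, params in instances.items():
        for key in DIR_KEYS:
            if key in params:
                path = os.path.normpath(params[key])
                owners.setdefault(path, set()).add(name)
    return {p: sorted(n) for p, n in owners.items() if len(n) > 1}

def socket_status(socket_dir):
    """Classify a socket directory as the calling user finds it on this host."""
    try:
        d = os.stat(socket_dir)
        # Assumption: a client only trusts a directory owned by root or itself.
        if not stat.S_ISDIR(d.st_mode) or d.st_uid not in (0, os.geteuid()):
            return "bad-dir"
        p = os.lstat(os.path.join(socket_dir, "pipe"))  # winbindd socket name
    except OSError:
        return "missing"
    return "ok" if stat.S_ISSOCK(p.st_mode) else "not-a-socket"

# Constructed sample: only the path lines of the post's two files.
SAMPLE = {d: "[global]\nlog level = 3\n" + "".join(
    f"   {k} = /var/{'run' if k.startswith('pid') else 'cache'}/smb.{d}\n"
    for k in DIR_KEYS) for d in ("domainA.com", "domainB.com")}
```

Run socket_status as the same account that invokes ntlm_auth, since the result depends on the caller's uid and on what that account is allowed to traverse.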


