4.2rc2 and winbindd

steve steve at steve-ss.com
Sun Oct 19 07:23:40 MDT 2014


On 19/10/14 14:46, Rowland Penny wrote:
> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a
> test DC. This was set up to test the new (old?) winbindd. From what I
> have read this is exactly the same daemon that would be run if I set up a
> client and presumably needs the same configuration in smb.conf.
>
> Therefore, after provision, I changed smb.conf to this:
>
> # Global parameters
> [global]
>          workgroup = EXAMPLE
>          realm = example.com
>          netbios name = DEBDC
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
>          winbind enum users = yes
>          winbind enum groups = yes
>          winbind use default domain = yes
>          winbind expand groups = 4
>          winbind nss info = rfc2307
>          winbind refresh tickets = Yes
>          winbind normalize names = Yes
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>          idmap config HOME : backend  = ad
>          idmap config HOME : range = 10000-999999
>          idmap config HOME : schema_mode = rfc2307
>          log level = 9
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> This is based on a working samba 4.1.6 client.
>
> I gave Domain Users a gidNumber, created a user, gave the user a
> uidNumber and the loginShell & unixHomeDirectory attributes.
>
> Everything else is set up as standard.
>
> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>
> getent passwd & getent group, do not display anything from the domain
>
> getent group Domain\ Users displays:
>
> domain_users:x:10000:
>
> getent passwd rowland displays:
>
> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>
> As you can see, like the old builtin winbind, the user's uidNumber and
> the Domain Users gidNumber are displayed. The unixHomeDirectory &
> loginShell attributes do not seem to be pulled from AD, are they
> supposed to be?
>
> Am I barking up the wrong tree ? Am I doing something wrong or not doing
> something I should ?
>
> Rowland
>
>
Hi Rowland,
Is Kerberos perhaps looking for host/ in the default keytab because it 
doesn't know the path to secrets? Maybe stick host/ and MACHINE$ at 
/etc/krb5.keytab
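
A check over the configuration and output quoted in this thread, added here as an example and not part of either post: it lists idmap config domains that differ from the workgroup, and passwd fields that still show Samba's default "template homedir" and "template shell" values instead of AD attributes. The function names are made up for this example, the sample input is a constructed subset of the quoted text, and it assumes idmap config sections are keyed by the workgroup name.

```python
import re

# Samba's built-in defaults for "template homedir" and "template shell".
TEMPLATE_HOMEDIR = "/home/%D/%U"
TEMPLATE_SHELL = "/bin/false"

# Constructed sample: a subset of the smb.conf and getent output quoted in the post.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    winbind nss info = rfc2307
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config HOME : backend  = ad
    idmap config HOME : range = 10000-999999
    idmap config HOME : schema_mode = rfc2307
"""
GETENT_PASSWD = "rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false"


def parse_global(text):
    """Return the [global] parameters as a dict with lower-cased, space-normalised keys."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params


def idmap_domain_mismatches(params):
    """idmap config domains that are neither '*' nor the configured workgroup."""
    workgroup = params.get("workgroup", "").upper()
    domains = {m.group(1).upper() for k in params
               if (m := re.match(r"idmap config (\S+) :", k))}
    return sorted(d for d in domains if d not in ("*", workgroup))


def template_fields(passwd_line):
    """Names of passwd fields that hold the literal template defaults, as in the post."""
    fields = passwd_line.strip().split(":")
    defaults = {"homedir": (5, TEMPLATE_HOMEDIR), "shell": (6, TEMPLATE_SHELL)}
    return [name for name, (i, value) in defaults.items() if fields[i] == value]
```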


