4.2rc2 and winbindd
steve
steve at steve-ss.com
Sun Oct 19 07:23:40 MDT 2014
On 19/10/14 14:46, Rowland Penny wrote:
> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a
> test DC. This was set up to test the new (old?) winbindd. From what I
> have read this is exactly the same daemon that would be run if I set up a
> client and presumably needs the same configuration in smb.conf.
>
> Therefore, after provision, I changed smb.conf to this:
>
> # Global parameters
> [global]
> workgroup = EXAMPLE
> realm = example.com
> netbios name = DEBDC
> server role = active directory domain controller
> dns forwarder = 8.8.8.8
> idmap_ldb:use rfc2307 = yes
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = Yes
> winbind normalize names = Yes
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> idmap config HOME : backend = ad
> idmap config HOME : range = 10000-999999
> idmap config HOME : schema_mode = rfc2307
> log level = 9
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
> This is based on a working samba 4.1.6 client.
>
> I gave Domain Users a gidNumber, created a user, gave the user a
> uidNumber and the loginShell & unixHomeDirectory attributes.
>
> Everything else is set up as standard.
>
> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>
> getent passwd & getent group do not display anything from the domain.
>
> getent group Domain\ Users displays:
>
> domain_users:x:10000:
>
> getent passwd rowland displays:
>
> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>
> As you can see, like the old builtin winbind, the user's uidNumber and
> the Domain Users gidNumber are displayed. The unixHomeDirectory &
> loginShell attributes do not seem to be pulled from AD; are they
> supposed to be?
>
> Am I barking up the wrong tree? Am I doing something wrong, or not doing
> something I should?
>
> Rowland
>
>
Hi Rowland,

Is Kerberos perhaps looking for host/ in the default keytab because it
doesn't know the path to secrets? Maybe stick host/ and MACHINE$ in
/etc/krb5.keytab.
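One thing worth checking mechanically on a configuration like the one quoted above is whether the `idmap config <DOMAIN>` stanzas actually name the domain set as `workgroup`, and whether the configured ranges overlap: a stanza whose label matches no domain is simply never consulted. The following checker is an added example, not code from the thread or from the Samba project; it parses only the `[global]` section of an smb.conf-style text, and the sample configuration embedded in it is constructed from the quoted post (note that it carries `workgroup = EXAMPLE` but `idmap config HOME` stanzas). What a DC, as opposed to a member server, does with its own domain's idmap stanza is outside what this check decides; it only reports the inconsistency.

```python
"""Consistency checker for winbind idmap settings in an smb.conf-style text.

Added example (not part of the mailing-list thread, not Samba project code).
It reports:
  - idmap config stanzas whose domain label is neither '*' nor the workgroup
    (such a stanza is never consulted for the local domain),
  - idmap stanzas with no range,
  - idmap ranges that overlap.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, taken from the configuration quoted in the thread.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
workgroup = EXAMPLE
realm = example.com
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config HOME : backend = ad
idmap config HOME : range = 10000-999999
idmap config HOME : schema_mode = rfc2307

[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.com/scripts
read only = No
"""

# Matches a normalised key such as "idmap config home : backend".
IDMAP_RE = re.compile(r"^idmap config\s+(\S+)\s*:\s*(\w+)$")


def parse_global(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [global] section; keys are lower-cased
    with internal whitespace collapsed, values are stripped."""
    params: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def idmap_configs(params: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group 'idmap config DOM : option' parameters by domain label (upper-cased)."""
    cfg: Dict[str, Dict[str, str]] = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            cfg.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return cfg


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into a pair of ints."""
    lo, hi = value.split("-", 1)
    return int(lo), int(hi)


def check_idmap(text: str) -> List[str]:
    """Return a list of human-readable findings; empty means nothing to report."""
    params = parse_global(text)
    workgroup = params.get("workgroup", "").upper()
    cfg = idmap_configs(params)
    findings: List[str] = []
    for dom, opts in cfg.items():
        if dom not in ("*", workgroup):
            findings.append(f"idmap config {dom}: label does not match "
                            f"workgroup {workgroup}; this stanza is never "
                            f"consulted for the local domain")
        if "range" not in opts:
            findings.append(f"idmap config {dom}: no range set")
    ranges = [(d, parse_range(o["range"])) for d, o in cfg.items() if "range" in o]
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (d1, (a1, b1)), (d2, (a2, b2)) = ranges[i], ranges[j]
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                findings.append(f"idmap ranges overlap: {d1} {a1}-{b1} "
                                f"and {d2} {a2}-{b2}")
    return findings


if __name__ == "__main__":
    for finding in check_idmap(SAMPLE_SMB_CONF) or ["no findings"]:
        print(finding)
```

Run against the embedded sample it reports the `HOME` versus `EXAMPLE` label mismatch and nothing else; feed it a real smb.conf (`check_idmap(open("/etc/samba/smb.conf").read())`) to get the same report for a live host.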