4.2rc2 and winbindd
repenny241155 at gmail.com
Sun Oct 19 08:16:20 MDT 2014
On 19/10/14 14:23, steve wrote:
> On 19/10/14 14:46, Rowland Penny wrote:
>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a
>> test DC. This was set up to test the new (old?) winbindd. From what I
>> have read this is exactly the same daemon that would be run if I set up a
>> client and presumably needs the same configuration in smb.conf.
>> Therefore, after provision, I changed smb.conf to this:
>> # Global parameters
>> [global]
>> workgroup = EXAMPLE
>> realm = example.com
>> netbios name = DEBDC
>> server role = active directory domain controller
>> dns forwarder = 184.108.40.206
>> idmap_ldb:use rfc2307 = yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind nss info = rfc2307
>> winbind refresh tickets = Yes
>> winbind normalize names = Yes
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>> idmap config HOME : backend = ad
>> idmap config HOME : range = 10000-999999
>> idmap config HOME : schema_mode = rfc2307
>> log level = 9
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>> This is based on a working samba 4.1.6 client.
>> I gave Domain Users a gidNumber, created a user, gave the user a
>> uidNumber and the loginShell & unixHomeDirectory attributes.
>> Everything else is set up as standard.
>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>> getent passwd & getent group do not display anything from the domain.
>> getent group Domain\ Users displays:
>> getent passwd rowland displays:
>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>> As you can see, like the old builtin winbind, the user's uidNumber and
>> the Domain Users gidNumber are displayed. The unixHomeDirectory &
>> loginShell attributes do not seem to be pulled from AD; are they
>> supposed to be?
>> Am I barking up the wrong tree? Am I doing something wrong, or not doing
>> something I should?
> Hi Rowland,
> Is Kerberos perhaps looking for host/ in the default keytab because it
> doesn't know the path to secrets? Maybe stick host/ and MACHINE$ at
Sorry Steve, that didn't work, but thanks for the idea. I will probably
have to wait until Andrew makes an appearance; he seems to have done
most of the work getting Samba to use the new/old winbind ;-)
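A small sanity check for the idmap section of an smb.conf like the one quoted above, added here as an example and not code from the thread or from Samba itself. It parses the `idmap config DOMAIN : option = value` lines, then flags a missing backend or range, an empty or reversed range, ranges that overlap between idmap domains, and an idmap domain name that differs from the configured workgroup (the quoted config names HOME while the workgroup is EXAMPLE, so the check reports that). The embedded config is a constructed excerpt of the thread's [global] section.

```python
import re
from collections import defaultdict

# Constructed sample: the idmap-relevant keys from the [global] section quoted above.
SMB_CONF = """
[global]
workgroup = EXAMPLE
realm = example.com
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config HOME : backend = ad
idmap config HOME : range = 10000-999999
idmap config HOME : schema_mode = rfc2307
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_smb_conf(text):
    """Return ({plain key: value}, {idmap domain: {option: value}})."""
    plain, idmap = {}, defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # comments and section headers are not needed here
        m = IDMAP_RE.match(line)
        if m:
            idmap[m.group(1).upper()][m.group(2).lower()] = m.group(3)
        elif "=" in line:
            k, v = line.split("=", 1)
            plain[k.strip().lower()] = v.strip()
    return plain, dict(idmap)

def check_idmap(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    plain, idmap = parse_smb_conf(text)
    workgroup = plain.get("workgroup", "").upper()
    findings, ranges = [], []
    for dom, opts in idmap.items():
        if "backend" not in opts:
            findings.append(f"{dom}: no backend configured")
        if "range" not in opts:
            findings.append(f"{dom}: no range configured")
            continue
        lo, hi = (int(x) for x in opts["range"].split("-"))
        if lo >= hi:
            findings.append(f"{dom}: range {lo}-{hi} is empty or reversed")
        ranges.append((dom, lo, hi))
        if dom != "*" and dom != workgroup:
            findings.append(f"{dom}: idmap domain does not match workgroup {workgroup}")
    ranges.sort(key=lambda r: r[1])  # adjacent ranges in sorted order must not touch
    for (d1, lo1, hi1), (d2, lo2, hi2) in zip(ranges, ranges[1:]):
        if lo2 <= hi1:
            findings.append(f"ranges overlap: {d1} {lo1}-{hi1} and {d2} {lo2}-{hi2}")
    return findings

if __name__ == "__main__":
    for f in check_idmap(SMB_CONF) or ["no idmap findings"]:
        print(f)
```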