4.2rc2 and winbindd
Rowland Penny
repenny241155 at gmail.com
Sun Oct 19 08:39:53 MDT 2014
On 19/10/14 15:29, steve wrote:
> On 19/10/14 16:16, Rowland Penny wrote:
>> On 19/10/14 14:23, steve wrote:
>>> On 19/10/14 14:46, Rowland Penny wrote:
>>>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a
>>>> test DC. this was set up to test the new (old?) winbindd. From what I
>>>> have read this is exactly the same daemon that would be run if I
>>>> set up a
>>>> client and presumably needs the same configuration in smb.conf.
>>>>
>>>> Therefore, after provision, I changed smb.conf to this:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> workgroup = EXAMPLE
>>>> realm = example.com
>>>> netbios name = DEBDC
>>>> server role = active directory domain controller
>>>> dns forwarder = 8.8.8.8
>>>> idmap_ldb:use rfc2307 = yes
>>>> dedicated keytab file = /etc/krb5.keytab
>>>> kerberos method = secrets and keytab
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>>> winbind use default domain = yes
>>>> winbind expand groups = 4
>>>> winbind nss info = rfc2307
>>>> winbind refresh tickets = Yes
>>>> winbind normalize names = Yes
>>>> idmap config * : backend = tdb
>>>> idmap config * : range = 2000-9999
>>>> idmap config HOME : backend = ad
>>>> idmap config HOME : range = 10000-999999
>>>> idmap config HOME : schema_mode = rfc2307
>>>> log level = 9
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> This is based on a working samba 4.1.6 client.
>>>>
>>>> I gave Domain Users a gidNumber, created a user, gave the user a
>>>> uidNumber and the loginShell & unixHomeDirectory attributes.
>>>>
>>>> Everything else is setup as standard.
>>>>
>>>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>>>>
>>>> getent passwd & getent group do not display anything from the domain
>>>>
>>>> getent group Domain\ Users displays:
>>>>
>>>> domain_users:x:10000:
>>>>
>>>> getent passwd rowland displays:
>>>>
>>>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>>>
>>>> As you can see, like the old builtin winbind, the users uidNumber and
>>>> the Domain Users gidNumber are displayed. The unixHomeDirectory &
>>>> loginShell attributes do not seem to be pulled from AD, are they
>>>> supposed to be ?
>>>>
>>>> Am I barking up the wrong tree ? Am I doing something wrong or not
>>>> doing
>>>> something I should ?
>>>>
>>>> Rowland
>>>>
>>>>
>>> Hi Rowland,
>>> Is Kerberos perhaps looking for host/ in the default keytab because it
>>> doesn't know the path to secrets? Maybe stick host/ and MACHINE$ at
>>> /etc/krb5.keytab
>>>
>> Sorry Steve, that didn't work, but thanks for the idea, probably will
>> have to wait until Andrew makes an appearance, he seems to have done
>> most of the work getting samba to use the new/old winbind ;-)
>>
>> Rowland
>
> Yeah, out of ideas over here too. Dunno, can we bugzilla on an rc?
> Also, not that we've tried much, but we can't find anywhere where it
> says, 'winbindd now works on the DC'. Maybe it will only be turned on
> for the release? Can anyone help us?
So you missed the release notes then ;-)

"Winbindd is now used on the Samba AD DC by default, replacing the
partial rewrite used for winbind operations in Samba 4.0 and 4.1."
And on my test DC:
ps ax
PID TTY STAT TIME COMMAND
12531 ? Ss 0:00 /usr/local/samba/sbin/samba -D
12549 ? S 0:00 /usr/local/samba/sbin/samba -D
12550 ? S 0:00 /usr/local/samba/sbin/samba -D
12551 ? S 0:00 /usr/local/samba/sbin/samba -D
12552 ? S 0:00 /usr/local/samba/sbin/samba -D
12553 ? S 0:00 /usr/local/samba/sbin/samba -D
12554 ? Ss 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
12555 ? S 0:00 /usr/local/samba/sbin/samba -D
12556 ? S 0:00 /usr/local/samba/sbin/samba -D
12557 ? S 0:01 /usr/local/samba/sbin/samba -D
12558 ? S 0:00 /usr/local/samba/sbin/samba -D
12559 ? S 0:00 /usr/local/samba/sbin/samba -D
12560 ? S 0:00 /usr/local/samba/sbin/samba -D
12561 ? S 0:00 /usr/local/samba/sbin/samba -D
12562 ? S 0:00 /usr/local/samba/sbin/samba -D
12563 ? Ss 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
12566 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
12567 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
12568 ? S 0:00 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
12569 ? S 0:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
It's certainly running on my test DC!
Rowland
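Two things in the thread above are worth checking mechanically on any box where wbinfo works but getent does not return the expected rfc2307 values. First, the smb.conf quoted in the thread sets "workgroup = EXAMPLE" but declares its per-domain idmap block as "idmap config HOME"; whether or not that is the cause of the symptom here, a domain name in "idmap config" that does not match the workgroup is something to verify before digging further. Second, the getent output "/home/%D/%U" and "/bin/false" are exactly winbind's default "template homedir" and "template shell" values, so a home directory that still contains unexpanded %D/%U macros is a reliable sign that the unixHomeDirectory and loginShell attributes were not used. The script below is an added example written for this page, not code from the thread or from Samba; the sample smb.conf and the sample getent line are constructed from the lines quoted above.

```sh
#!/bin/sh
# Added example (not from the thread or the Samba project): sanity checks for
# the winbindd/idmap symptoms discussed above.
#
# 1. check_idmap_domains: flag "idmap config DOMAIN : ..." blocks whose DOMAIN
#    is neither "*" nor the configured workgroup.
# 2. getent_uses_template: detect a getent passwd line whose home directory or
#    shell still carry winbind's default template values (/home/%D/%U and
#    /bin/false), i.e. the AD rfc2307 attributes were not applied.

# Constructed sample smb.conf, reduced to the lines relevant to the checks.
SAMPLE_SMB_CONF=$(mktemp)
cat > "$SAMPLE_SMB_CONF" <<'EOF'
[global]
workgroup = EXAMPLE
realm = example.com
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config HOME : backend = ad
idmap config HOME : range = 10000-999999
idmap config HOME : schema_mode = rfc2307
EOF

# Constructed sample getent line, as quoted in the thread.
SAMPLE_GETENT_LINE='rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false'

# Print the workgroup value of an smb.conf read from stdin (first match only).
smb_conf_workgroup() {
    sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Print the distinct domain names used in "idmap config DOMAIN : ..." lines
# read from stdin, excluding the default "*" domain.
smb_conf_idmap_domains() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:.*/\1/p' \
        | grep -v '^\*$' | sort -u
}

# Arg 1: path to an smb.conf. Print one line per idmap domain that does not
# match the workgroup; return 1 if any mismatch was found, 0 otherwise.
check_idmap_domains() {
    wg=$(smb_conf_workgroup < "$1")
    rc=0
    for d in $(smb_conf_idmap_domains < "$1"); do
        if [ "$d" != "$wg" ]; then
            echo "idmap config domain '$d' does not match workgroup '$wg'"
            rc=1
        fi
    done
    return $rc
}

# Arg 1: one line of "getent passwd" output. Return 0 if the home directory
# still contains unexpanded %D/%U macros or the shell is the /bin/false
# template default; return 1 if the entry looks like real rfc2307 data.
getent_uses_template() {
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$home" in
        *%D*|*%U*) return 0 ;;
    esac
    if [ "$shell" = "/bin/false" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration against the constructed samples.
check_idmap_domains "$SAMPLE_SMB_CONF" || :
if getent_uses_template "$SAMPLE_GETENT_LINE"; then
    echo "getent entry uses winbind template values, not AD attributes: $SAMPLE_GETENT_LINE"
fi
```

Run it against a live system by pointing check_idmap_domains at the real smb.conf and feeding each line of "getent passwd" (or "getent passwd USER") to getent_uses_template; the checks only read the files and lines you give them, so they are safe to run on a production DC.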