4.2rc2 and winbindd
steve
steve at steve-ss.com
Sun Oct 19 08:55:28 MDT 2014
On 19/10/14 16:39, Rowland Penny wrote:
> On 19/10/14 15:29, steve wrote:
>> On 19/10/14 16:16, Rowland Penny wrote:
>>> On 19/10/14 14:23, steve wrote:
>>>> On 19/10/14 14:46, Rowland Penny wrote:
>>>>> OK, I have compiled 4.2rc2 on Debian 7.5 running in a VM and set up a
>>>>> test DC. This was set up to test the new (old?) winbindd. From what I
>>>>> have read this is exactly the same daemon that would be run if I
>>>>> set up a client and presumably needs the same configuration in smb.conf.
>>>>>
>>>>> Therefore, after provision, I changed smb.conf to this:
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = EXAMPLE
>>>>> realm = example.com
>>>>> netbios name = DEBDC
>>>>> server role = active directory domain controller
>>>>> dns forwarder = 8.8.8.8
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>> kerberos method = secrets and keytab
>>>>> winbind enum users = yes
>>>>> winbind enum groups = yes
>>>>> winbind use default domain = yes
>>>>> winbind expand groups = 4
>>>>> winbind nss info = rfc2307
>>>>> winbind refresh tickets = Yes
>>>>> winbind normalize names = Yes
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>> idmap config HOME : backend = ad
>>>>> idmap config HOME : range = 10000-999999
>>>>> idmap config HOME : schema_mode = rfc2307
>>>>> log level = 9
>>>>>
>>>>> [netlogon]
>>>>> path = /usr/local/samba/var/locks/sysvol/example.com/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>> read only = No
>>>>>
>>>>> This is based on a working samba 4.1.6 client.
>>>>>
>>>>> I gave Domain Users a gidNumber, created a user, gave the user a
>>>>> uidNumber and the loginShell & unixHomeDirectory attributes.
>>>>>
>>>>> Everything else is set up as standard.
>>>>>
>>>>> wbinfo -u shows all domain users, wbinfo -g shows all domain groups.
>>>>>
>>>>> getent passwd & getent group do not display anything from the domain.
>>>>>
>>>>> getent group Domain\ Users displays:
>>>>>
>>>>> domain_users:x:10000:
>>>>>
>>>>> getent passwd rowland displays:
>>>>>
>>>>> rowland:*:10000:10000:Rowland Penny:/home/%D/%U:/bin/false
>>>>>
>>>>> As you can see, like the old builtin winbind, the user's uidNumber and
>>>>> the Domain Users gidNumber are displayed. The unixHomeDirectory &
>>>>> loginShell attributes do not seem to be pulled from AD, are they
>>>>> supposed to be?
>>>>>
>>>>> Am I barking up the wrong tree? Am I doing something wrong or not
>>>>> doing something I should?
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>> Hi Rowland,
>>>> Is Kerberos perhaps looking for host/ in the default keytab because it
>>>> doesn't know the path to secrets? Maybe stick host/ and MACHINE$ at
>>>> /etc/krb5.keytab
>>>>
>>> Sorry Steve, that didn't work, but thanks for the idea, probably will
>>> have to wait until Andrew makes an appearance, he seems to have done
>>> most of the work getting samba to use the new/old winbind ;-)
>>>
>>> Rowland
>>
>> Yeah, out of ideas over here too. Dunno, can we bugzilla on a rc?
>> Also, not that we've tried much, but we can't find anywhere where it
>> says, 'winbindd now works on the DC'. Maybe it will only be turned on
>> for the release? Can anyone help us?
> So you missed the release notes then ;-)
>
> Winbindd is now used on the Samba AD DC by default, replacing the
> partial rewrite used for winbind operations in Samba 4.0 and 4.1.
>
We have this:
> Release Announcements
> =====================
>
> This is the first preview release of Samba 4.3. This is *not*
> intended for production environments and is designed for testing
> purposes only. Please report any defects via the Samba bug reporting
> system at https://bugzilla.samba.org/.
>
> Samba 4.3 will be the next version of the Samba suite.