[Samba] Problems with winbind and AD using Ubuntu 9.10
Mike Leone
turgon at mike-leone.com
Sat Mar 27 17:22:19 MDT 2010
Greetings! I am having a bit of an issue using Ubuntu 9.10 and AD 2003.
AD domain = dacrib.local
AD server = dim-2300.dacrib.local
IP = 10.0.0.60
Samba server = workhorse.dacrib.local
IP = 10.0.0.20
I have been following
<https://help.ubuntu.com/community/Samba/Kerberos>, and my Kerberos
seems set up properly, as I can get a ticket.
root@workhorse:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DACRIB.LOCAL

Valid starting     Expires            Service principal
03/27/10 18:36:58  03/28/10 04:37:05  krbtgt/DACRIB.LOCAL@DACRIB.LOCAL
        renew until 03/28/10 18:36:58
Then, following
<https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto>
I set up my Samba server, and was able to join it to the domain.
root@workhorse:/etc/samba# net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Sat, 27 Mar 2010 19:09:28 EDT
KDC server: 10.0.0.60
Server time offset: 0
I can see my server in AD. Other domain members can browse to
\\10.0.0.20, and see the defined shares, and access the files in there.
So it appears to be properly joined to the domain, and sharing.
What's not working is winbind. I do *not* see any domain users or
groups, from "wbinfo -u" or "wbinfo -g". "wbinfo --all-domains" does
know about the AD domain, however:
root@workhorse:/etc/samba# wbinfo --all-domains
BUILTIN
WORKHORSE
DACRIB
I did edit nsswitch.conf:
root@workhorse:/etc/samba# more /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
At this point, I'm a bit lost. My eventual goal is to have any Linux
user authenticate against the AD domain, but before I can get that far,
I need winbind to work.
Any thoughts? Where do I go from here, to troubleshoot winbind not
returning any users or groups?
smb.conf:
[global]
workgroup = DACRIB
realm = DACRIB.LOCAL
server string = %h server (Samba)
security = ADS
map to guest = Bad User
client use spnego = true
client ntlmv2 auth = yes
eventlog list = Application System Security SyslogLinux
# PAM AUTH
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = true
password server = dim-win2300.DaCrib.local
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
preferred master = No
domain master = No
local master = No
os level = 31
browse list = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
# WINBIND
idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind refresh tickets = true
winbind nss info = rfc2307
invalid users = root
create mask = 0700
directory mask = 0775
writable = Yes
enable privileges = Yes
restrict anonymous = 2
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
[OldHome]
comment = The Old Home Folder
read only = No
path = /OldHome