[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

mourik jan heupink heupink at merit.unu.edu
Thu Jan 9 06:42:11 MST 2014 

Hi Rowland, list,

That is _very_ interesting. :-)

I'm testing on wheezy and self-compiled samba, and find it much easier 
than I initially expected. So I intend to stick with the self-compiled 
packages, as is also often recommended here.

However, for building sssd I find fas less info, plus it seems sssd is a 
much 'deeper' system component. So it scares me a bit.

I guess now the easiest way to have sssd 1.11.3 plus samba 4.3.1, is to 
start using ubuntu with the sssd ppa, and use self compiled samba as an 
AD controller only?

Quite a change from our current only-debian servers... However, using 
sssd as indicated in your post looks very interesting...!

MJ

On 01/09/2014 02:22 PM, Rowland Penny wrote:
> On 09/01/14 13:05, mourik jan heupink wrote:
>> Hi Rowland, list,
>>
>>> Yes, but you will have to be brave, stop using debian and the sernet
>>> packages, download the latest Ubuntu 14.04 iso and then install samba4 &
>>> sssd, this will work perfectly as a client.
>>
>> But I'm actually thinking about my AD controller, where I would like
>> to make my AD samba4 users available as linux users as well. (as we
>> use regular linux groups/users for access permissions)
>>
>> So, when using self-compiled samba4 (as I often see recommended here)
>> I should be fine with wheezy/stock sssd, right..?
>>
>> MJ
>
> Hi, the preferred practice, at the moment, would be to use the S4 AD
> server just for authentication and setup separate fileservers to store
> shares etc.
> Having said that, if you are going to use sssd, the higher the version
> the better. With the latest version (1.11.3) you only need this in
> sssd.conf:
>
>   [sssd]
> services = nss, pam
> config_file_version = 2
> domains = example.com
>
> [nss]
>
> [pam]
>
> [domain/example.com]
> #enumerate = true
> cache_credentials = true
> ldap_id_mapping = False
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> chpass_provider = ad
>
> As you can see, no ranges to worry about or having to get the syntax
> correct, you do not even have to map anything, much easier than winbind
> etc ;-)
>
> Rowland

More information about the samba mailing list