[Samba] pam_winbind fails to authenticate domain users on my debian wheezy domain member servers

Rowland Penny rowlandpenny at googlemail.com
Thu Jan 9 06:56:21 MST 2014


On 09/01/14 13:42, mourik jan heupink wrote:
> Hi Rowland, list,
>
> That is _very_ interesting. :-)
>
> I'm testing on wheezy and self-compiled samba, and find it much easier 
> than I initially expected. So I intend to stick with the self-compiled 
> packages, as is also often recommended here.
>
> However, for building sssd I find far less info, plus it seems sssd is 
> a much 'deeper' system component. So it scares me a bit.
>
> I guess now the easiest way to have sssd 1.11.3 plus samba 4.3.1, is 
> to start using ubuntu with the sssd ppa, and use self compiled samba 
> as an AD controller only?

As far as I can see, for ease of use, you have two choices, either use 
Ubuntu 12.04 and compile samba4 yourself and use the sssd ppa (which 
will get you version 1.11.1) or try Ubuntu 14.04, this comes with Samba 
4.0.13 (but hopefully this will be updated to 4.1.3 before the freeze)
& sssd 1.11.3, both of these options work.

Rowland

>
> Quite a change from our current only-debian servers... However, using 
> sssd as indicated in your post looks very interesting...!
>
> MJ
>
> On 01/09/2014 02:22 PM, Rowland Penny wrote:
>> On 09/01/14 13:05, mourik jan heupink wrote:
>>> Hi Rowland, list,
>>>
>>>> Yes, but you will have to be brave, stop using debian and the sernet
>>>> packages, download the latest Ubuntu 14.04 iso and then install 
>>>> samba4 &
>>>> sssd, this will work perfectly as a client.
>>>
>>> But I'm actually thinking about my AD controller, where I would like
>>> to make my AD samba4 users available as linux users as well. (as we
>>> use regular linux groups/users for access permissions)
>>>
>>> So, when using self-compiled samba4 (as I often see recommended here)
>>> I should be fine with wheezy/stock sssd, right..?
>>>
>>> MJ
>>
>> Hi, the preferred practice, at the moment, would be to use the S4 AD
>> server just for authentication and setup separate fileservers to store
>> shares etc.
>> Having said that, if you are going to use sssd, the higher the version
>> the better. With the latest version (1.11.3) you only need this in
>> sssd.conf:
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = example.com
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/example.com]
>> #enumerate = true
>> cache_credentials = true
>> ldap_id_mapping = False
>> id_provider = ad
>> auth_provider = ad
>> access_provider = ad
>> chpass_provider = ad
>>
>> As you can see, no ranges to worry about or having to get the syntax
>> correct, you do not even have to map anything, much easier than winbind
>> etc ;-)
>>
>> Rowland
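
A consistency check for the sssd.conf quoted above, as an added example that is not part of the original thread or of the sssd or Samba projects. The names `SAMPLE` and `check_sssd_conf` are hypothetical; the check relies on sssd's documented default of `permit` for an unset `access_provider`, which is why the quoted config's `access_provider = ad` line matters.

```python
import configparser

# Constructed sample: the sssd.conf quoted in the thread (example.com as in the post).
SAMPLE = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com
[nss]
[pam]
[domain/example.com]
#enumerate = true
cache_credentials = true
ldap_id_mapping = False
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
"""

def _csv(value):
    """Split a comma-separated option value into trimmed, non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text):
    """Return a list of problems in sssd.conf text; an empty list means none found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    problems = [f"service {s} not enabled" for s in ("nss", "pam")
                if s not in _csv(cp.get("sssd", "services", fallback=""))]
    domains = _csv(cp.get("sssd", "domains", fallback=""))
    if not domains:
        problems.append("no domains listed in [sssd]")
    for dom in domains:
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            problems.append(f"[{sec}] section missing")
            continue
        if not cp.has_option(sec, "id_provider"):
            problems.append(f"[{sec}] id_provider not set")
        # An unset access_provider falls back to 'permit': no access check at login.
        if cp.get(sec, "access_provider", fallback="permit") == "permit":
            problems.append(f"[{sec}] access_provider is permit")
    return problems
```
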