[Samba] winbind winbindd remote desktop

Rowland Penny rowlandpenny at googlemail.com
Mon Oct 27 09:08:59 MDT 2014


On 27/10/14 14:43, barış tombul wrote:
> The file sharing, remote desktop, active directory services in samba
> 4.1.X versions are working. The remote desktop is not working in samba
> 4.2rcX versions.

This is probably down to 4.2rcX using the 'winbindd' daemon instead of 
the earlier 'winbind' daemon.

>
> It is waiting at the remote desktop display. Simultaneously, if the
> samba service is aborted the remote desktop user can start a session. If
> the samba service is started, all other services operate without a problem.
>
> getent passwd
>
> In getent group commands, although the local user and domain users are
> enabled in samba 4.1.X versions, only the local users are enabled in
> 4.2rcX versions.
>
> It only responds to a command like "getent passwd michael command"

I believe that this is supposed to be a feature.

> The smb.conf file is as below:
>
> [global]
>     server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc,
> drepl, ntp_signd, kcc, dnsupdate
>     dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper
> +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
>     obey pam restrictions = yes
>     bind interfaces only = yes
>     interfaces = ens192 lo
>     max protocol = smb3
>     logon path =
>     logon script =
>     logon home =
>     kerberos method = system keytab
>     name resolve order = wins bcast hosts
>     server string = Samba Server
>     security = user
>     server role = active directory domain controller
>     netbios name = SAMBA
>     disable netbios = no
>     preferred master = yes
>     domain master = yes
>     local master = yes
>     domain logons = yes
>     workgroup = FACILITY
>     password server = samba.facility.local
>     realm = FACILITY.LOCAL
>     client ldap sasl wrapping = sign
>     winbind separator = /
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 1
>     winbind nss info = rfc2307
>     winbind nested groups = yes
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind normalize names = yes
>     winbind rpc only = yes
>     winbind sealed pipes = no
>     winbind trusted domains only = no
>     winbind cache time = 3600
>     winbind reconnect delay = 30
>     winbind max clients = 2000
>     winbind use default domain = true
>     hosts allow = ALL, 127.0.0.1
>     encrypt passwords = yes
>     machine password timeout = 0
>     wins proxy = yes
>     wins support = yes
>     lanman auth = yes
>     ntlm auth = yes
>     client lanman auth = yes
>     client ntlmv2 auth = yes
>     client plaintext auth = yes
>     hostname lookups = no
>     nt pipe support = yes
>     dns forwarder = 127.0.0.1
>     allow dns updates = secure
>     dns proxy = no
>     passdb backend = ldapsam:ldap://127.0.0.1/
>     dead time = 0
>     nsupdate command = /usr/local/bin/nsupdate -g
>     dbwrap_tdb_mutexes:* = yes
>     idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
>     idmap config ALL:default = yes
>     idmap config ALL:readonly = yes
>     idmap_ldb:use rfc2307 = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : backend = ldapsam:ldap://127.0.0.1/
>     idmap config * : schema_mode = rfc2307
>     idmap config * : readonly = no
>     idmap config * : default = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : ldap_url = ldap://127.0.0.1/
>     idmap config FACILITY : schema_mode = rfc2307
>     idmap config FACILITY : readonly = no
>     idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
>     idmap config FACILITY : default = yes
>     idmap config FACILITY : range = 2000000-2999999
>     idmap config FACILITY : ldap_url = ldap://127.0.0.1/
>     ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
>     ldap suffix = DC=facility,DC=local
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Hosts
>     ldap user suffix = ou=User
>     ldap ssl = no
>     ldapsam:trusted = yes
>     ldapsam:editposix = yes
>     ldap delete dn = yes
>     ldap passwd sync = yes
>     pam password change = yes
>     passwd program = /usr/local/samba/bin/smbpasswd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     os level = 255
>
>     [homes]
>     comment = Home Directories
>     path = /mnt/storage/homes/%U
>     browseable = no
>     guest ok = no
>     writable = yes
>     read only = no
>     create mask = 0664
>     directory mask = 0775
>     valid users = %U
>     admin users = @"FACILITY\Domain Admins"

Funny that you have posted this. I have just discovered that you do not 
need all the extra winbind lines in smb.conf with 4.2rcX; you get the 
same result without them:

rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false

It would seem that 'winbindd' has been brought into use to get trusts 
working correctly, but the 'unixHomeDirectory' & 'loginShell' 
attributes are still being ignored; they are being set on a domain basis 
by hidden smb.conf lines. Run 'samba-tool testparm -v' and amongst the 
output you will find these:

     template homedir = /home/%D/%U
     template shell = /bin/false

Setting these to blank i.e.

     template homedir =
     template shell =

doesn't help, you just get:

rowland:*:10000:10000:Rowland Penny::

I have a bug report open. I cannot understand why all the work was done 
to use 'winbindd' instead of 'winbind' but did not get 'winbindd' to 
work just like it does on a member server.

Rowland
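An added check, not part of this thread and not Samba's own code: it classifies passwd-format lines as printed by 'getent passwd' to show whether winbindd filled the home directory and shell from the per-user AD rfc2307 attributes, from the template defaults quoted above, or left them blank. The template values are assumed to be the 4.2rcX defaults shown in the mail ('/home/%D/%U' and '/bin/false'); the sample lines are constructed (the two from the mail plus a made-up user 'alice' with a hypothetical home path).

```shell
#!/bin/sh
# Added example, not from the thread: classify passwd-format lines (as printed
# by "getent passwd") to see where winbindd took the home directory and shell
# from. Assumed template values are the hidden 4.2rcX defaults quoted in the
# mail: template homedir = /home/%D/%U and template shell = /bin/false.

TEMPLATE_SHELL='/bin/false'
TEMPLATE_HOMEDIR_RE='^/home/[^/]+/[^/]+$'   # what /home/%D/%U expands to

# classify_entry LINE
# Prints one word: rfc2307   home and shell look like per-user AD attributes
#                  template  both fields match the smb.conf template defaults
#                  blank     home or shell is empty (template set to nothing)
#                  malformed not a seven-field passwd(5) line
classify_entry() {
    printf '%s\n' "$1" | awk -F: -v tshell="$TEMPLATE_SHELL" -v thome_re="$TEMPLATE_HOMEDIR_RE" '
        NF != 7                       { print "malformed"; exit }
        $6 == "" || $7 == ""          { print "blank";     exit }
        $7 == tshell && $6 ~ thome_re { print "template";  exit }
                                      { print "rfc2307" }'
}

# count_nonad
# Reads passwd lines on stdin, reports on stderr every entry whose home/shell
# did not come from AD attributes, and prints the count of such entries.
count_nonad() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        class=$(classify_entry "$line")
        case $class in
            template|blank|malformed)
                n=$((n + 1))
                printf '%-9s %s\n' "$class" "$line" >&2 ;;
        esac
    done
    echo "$n"
}

# Constructed sample input: the two lines quoted in the mail plus a made-up
# user whose unixHomeDirectory/loginShell attributes were honoured.
SAMPLE='rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false
rowland:*:10000:10000:Rowland Penny::
alice:*:10001:10001:Alice Example:/srv/home/alice:/bin/bash'

# Stand-alone run; on a real DC with "winbind enum users = yes" use:
#   getent passwd | count_nonad
printf '%s\n' "$SAMPLE" | count_nonad
```

With the sample input the script reports the template-derived line and the blank line on stderr and prints 2. Note that blanking 'template shell' is not a lock-out: passwd(5) treats an empty shell field as /bin/sh, so an entry like the second sample line is more permissive than the '/bin/false' default, which is worth checking on any DC where the rfc2307 attributes are not being honoured.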

