[Samba] Winbind not able to start

Timo Altun olol13.samba at the-1337.org
Sat Apr 11 08:16:02 MDT 2015


Hi Rowland,

First and foremost, thanks for the answer... on a Saturday! Since I wrote, I
got it running!
Did a complete purge of packages samba libnss-winbind libpam-winbind
krb5-user krb5-config libpam-krb5 and reinstalled.
Stopped smbd, nmbd and winbind and joined the domain. Started the services
again and winbind could start as well.

Thanks!



FYI, the smb.conf on AD (got a bit of a strange naming convention for
workgroup/realm, but this way Windows machines do not notice the change
from NT4 domain to AD):
# Global parameters
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com>
wrote:

> On 11/04/15 13:01, Timo Altun wrote:
>
>> Hi guys,
>>
>> we're testing the domain join of a Debian Wheezy machine to a Samba 4.17
>> AD with BIND9 backend (Debian Jessie). I can join the domain with "net ads
>> join" alright, but "wbinfo -u" delivers nothing, because winbind is not able
>> to start.
>>
>> /etc/init.d/winbind status tells me it is not running.
>>
>> If I try winbindd -S -F I receive:
>>
>> initialize_winbindd_cache: clearing cache and re-creating with version number 2
>> create_local_token failed: NT_STATUS_NO_SUCH_USER
>>
>> Is it possibly a rights issue? Some additional information:
>> - the machine was on squeeze before and we did a dist-upgrade to wheezy
>> - pam-auth-update lists kerberos and windows-nt/active directory
>> authentication as possible auth methods.
>> - Windows machines can join the domain and communicate fine with the AD
>> DC.
>> Samba Version 3.6.6.
>> Following the configs of the domain member to be (wheezy), they worked for
>> a fresh wheezy install for the same domain:
>>
>>
>> *smb.conf:*
>> [global]
>>
>> netbios name = WheezyTest
>> workgroup = MAYWEG.NET
>> security = ADS
>> realm = INTRANET.MAYWEG.NET
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config MAYWEG.NET:backend = ad
>> idmap config MAYWEG.NET:schema_mode = rfc2307
>> idmap config MAYWEG.NET:range = 10000-99999
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users  = yes
>> winbind enum groups = yes
>> winbind refresh tickets = Yes
>>
>> template homedir = /home/%U
>> template shell = /bin/bash
>>
>> *nsswitch.conf:*
>>
>> passwd:         compat winbind
>> group:          compat winbind
>> shadow:         compat
>>
>> hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
>> networks:       files
>>
>> protocols:      db files
>> services:       db files
>> ethers:         db files
>> rpc:            db files
>>
>> netgroup:       nis
>>
>>
>> *krb5.conf:*
>> [libdefaults]
>> default_realm = INTRANET.MAYWEG.NET
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> *hosts:*
>> nameserver 192.168.111.90
>> search intranet.mayweg.net
>>
>> As usual, I'm happy for every pointer or help I can get. Googling mostly
>> returned smbd not being able to start with this error, but that's running.
>>
>> Greetings,
>> Timo
>>
>
> You seem to be using the realm name for the workgroup, what is in the
> smb.conf on the Samba AD DC ?
>
> If you are updating to wheezy then you might as well use samba from
> backports, this will give you a version that isn't EOL.
>
> Rowland
>

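A consistency check for the domain-member smb.conf quoted in this thread, as an added example that is not part of the original messages or of Samba's own tooling. It verifies that `security = ADS` has a realm, flags for review a workgroup containing a dot (the point Rowland raises), and checks that each `idmap config` domain matches the workgroup and that ID ranges do not overlap; the function names and the abridged sample string are assumptions.

```python
import re

# Constructed sample: the member smb.conf quoted in the thread, abridged.
MEMBER_CONF = """\
[global]
workgroup = MAYWEG.NET
security = ADS
realm = INTRANET.MAYWEG.NET
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MAYWEG.NET:backend = ad
idmap config MAYWEG.NET:range = 10000-99999
"""

def parse_global(text):
    """Collect [global] parameters; names are lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_member(text):
    """Return review findings for an AD domain member's smb.conf."""
    p, findings, ranges = parse_global(text), [], {}
    workgroup = p.get("workgroup", "").upper()
    if p.get("security", "").upper() == "ADS" and not p.get("realm"):
        findings.append("security = ADS but realm is not set")
    if "." in workgroup:
        findings.append(f"workgroup {workgroup} contains a dot: confirm it is the NetBIOS domain name")
    for key, value in p.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*range", key)
        if m:
            low, high = (int(n) for n in value.split("-"))
            ranges[m.group(1).upper()] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        if a not in ("*", workgroup):
            findings.append(f"idmap config {a} does not match workgroup {workgroup}")
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings
```

Calling `lint_member(MEMBER_CONF)` on the thread's configuration returns only the dotted-workgroup finding; the idmap domain and ranges are consistent.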
