[Samba] Samba 4.2 AD, DC and winbindd
Jacky Chan
jacky at jesstech.com
Tue Jun 2 22:57:18 MDT 2015
Hi,
I am using Samba 4.2.1 and want to clarify: do I need to start the
winbindd service in AD and DC?
I read in the doc https://wiki.samba.org/index.php/RFC2307_backend, which
said that:
Users having a „server services“ line in their DC smb.conf, need to
replace the „winbind“ entry by „winbindd“:
[global]
server services = ....., winbind, winbindd
Users not having a „server services“ line (default values), need to
add the parameter „winbindd“:
[global]
server services = +winbind, -winbindd
Does it mean that we need to enable the winbindd service in DC? The first
one is clear, but the second one is making me confused.
1) server services = ....., winbind, winbindd
Does that mean remove winbind and add the winbindd service?
2) server services = +winbind, -winbindd
Does that mean add winbind and remove the winbindd service?
What is the difference between the winbind and winbindd services?
I tried:
With "server services = +winbind, -winbindd", the winbindd daemon will
not start.
Without "server services = +winbind, -winbindd", the winbindd daemon
will start.
(That means the default is to start the winbindd service)
Also, when winbindd is started in DC, uid and gid cannot synchronize
with AD.
Without starting the winbindd in DC, the uid and gid of AD and DC are
synchronized.
It does not affect the uid and gid in AD with or without winbindd.
By the way, I got an uncaught exception error when using samba-tool ntacl
sysvolcheck:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/lan-domain.xxxxxx.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
I ran samba-tool ntacl sysvolreset and it finished without error, but
sysvolcheck still gives the above error.
Is it a bug or did I mess something up?
Thanks,
Jacky
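
To see which component of the two SDDL strings in the error above actually differs, the following added example (not part of the original post and not Samba's own code) parses both strings and reports the mismatching fields. It assumes simple SDDL: owner, group and DACL only, two-letter alias or decimal SIDs, and no conditional ACEs.

```python
import re

# The two SDDL strings from the error message above (ACE list is identical in both).
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES    # read from the GPO directory
GPO_SDDL = "O:DAG:DAD:P" + ACES   # expected value from the GPO object

# Assumptions: alias or decimal S-1-... SIDs, no SACL, no conditional ACEs.
SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"
SDDL_RE = re.compile(
    rf"^(?:O:(?P<owner>{SID}))?(?:G:(?P<group>{SID}))?"
    r"(?:D:(?P<dacl_flags>[A-Z_]*)(?P<dacl>(?:\([^)]*\))*))?$")
ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ordered ACEs."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unparseable SDDL: %r" % sddl)
    sd = m.groupdict()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sd["dacl"] or ""):
        parts = body.split(";")
        if len(parts) < len(ACE_FIELDS):
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(dict(zip(ACE_FIELDS, parts)))
    sd["dacl"] = aces
    return sd

def diff_sddl(actual, expected):
    """Return (field, actual, expected) for every component that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags")
             if a[k] != e[k]]
    for i in range(max(len(a["dacl"]), len(e["dacl"]))):  # ACE order matters
        x = a["dacl"][i] if i < len(a["dacl"]) else None
        y = e["dacl"][i] if i < len(e["dacl"]) else None
        if x != y:
            diffs.append(("dacl[%d]" % i, x, y))
    return diffs

if __name__ == "__main__":
    for field, got, want in diff_sddl(FS_SDDL, GPO_SDDL):
        print("%s: directory has %s, GPO object expects %s" % (field, got, want))
```

For the strings in this post the only difference reported is the owner: LA (the SDDL alias for the local Administrator account) on the directory versus DA (Domain Admins) expected from the GPO object.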