[Samba] samba 4.1.17 on raspberry pi as ad dc - winbind breaks it again
Rowland Penny
rowlandpenny at googlemail.com
Fri Mar 13 04:16:02 MDT 2015
On 13/03/15 09:34, Matthias Busch wrote:
> okay, I started to look into winbind and the /etc/nsswitch.conf (and
> smb.conf)... and it wreaked havoc...
>
> I was using the guide at
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> - right guide?
Well, yes and no :-)
> the guide is talking about "samba member server that is part of an
> active directory"
> Is that correct? I mean, THE ad domain controller is member of the ad,
> but it sounds like this guide is about samba being added to AD, not
> samba being the AD
You only need the part that starts: Make domain users/groups available
locally through Winbind
If you compile samba yourself and are going to log in to the DC as a
domain user, you need to set up 'libnss_winbind.so'
>
> - added the idmap and winbind lines to smb.conf
Remove them, not needed on a DC
>
> - net [rpc|ads] join -u administrator
> I do not exactly get what this does and if rpc or ads is the "right one"
You do not do this on a DC, it is done for you when you provision.
>
> which made me think. when I setup samba4 as ad controller (samba-tool
> domain provision ...) does it not become member of its own domain?
> do I need to add it by hand? I always assumed not do...
>
> - ln -s ... + ldconfig
> here I ran into trouble. I saw the notice about needing to substitute
> lib64 with lib if running x86
> Well, the pi is definitely not x64. but neither is it x86. I chose to
> use lib, betting it should fit.
> x86_64-linux-gnu I replaced with i386-linux-gnu
>
AH, good question, on my laptop the links are in:
/lib/x86_64-linux-gnu/libnss_winbind.so
/lib/x86_64-linux-gnu/libnss_winbind.so.2
which as you can see is a 64bit computer, an i386 one would be a 32bit,
the raspberrypi is neither, so the links need to go somewhere else,
probably /lib , is there a large amount of files in there starting with
'lib' ??
> - nsswitch.conf
> I added the winbind as stated
>
> - samba start
> now samba won't start anymore. I guess samba will be replaced by smbd,
> nmbd and winbindd (error message in daemon.log hints at that)
When you start samba as a DC, you need to start the samba daemon with
'samba -i' to run it interactively, or 'samba -D' as a daemon in the
background. The samba daemon will then start the smbd daemon, you must
not start the smbd, nmbd or winbindd daemons yourself.
> for which I have no startscripts. any quick solutions or do I have to
> manually fix it?
>
> the link for start script under starting the daemons will lead to the
> site I got my script from though...
>
> - testing
> wbinfo -u and wbinfo -g show nothing and no error
>
> - configure wrong?
> I did not use --with-ads --with-shared-modules=idmap_ad
> According to the guide I should have... Guess I'll have to start again
> If only configure, make and make install wouldn't take ages...
From my testing, whatever you are compiling samba for, you do not need to
use '--with-ads --with-shared-modules=idmap_ad', you definitely don't
need it for a DC.
>
> - why winbind?
> I don't exactly get the benefit of dealing with winbind. a quick test
> yesterday let me add a pc to the domain and access the domain via
> windows 7 server tools. I have not further tested the capabilities of
> the samba ad. What won't work without winbind, what does it accomplish?
>
>
You only need to set winbind up if you want to log in to the DC as a
domain user, if your domain user will never log in directly to the DC,
you do not need to do this.
Rowland
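
The checks discussed in this thread, collected into a script; this is an added example, not part of the original message and not Samba project code. It flags member-server idmap/winbind lines in the smb.conf of a DC and a winbind entry in nsswitch.conf that has no resolvable libnss_winbind.so.2 behind it. The function names, the line patterns and the default search directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a self-compiled Samba AD DC.

# True if smb.conf declares the AD DC role.
is_ad_dc() {
    grep -Eiq '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller' "$1"
}

# Print (with line numbers) settings taken from the member-server guide.
# Assumption: those lines begin with "idmap config" or "winbind".
member_lines() {
    grep -Ein '^[[:space:]]*(idmap config|winbind)[[:space:]]' "$1" || true
}

# True if the nsswitch.conf database $2 (passwd, group) lists winbind.
nss_has_winbind() {
    grep -Eq "^[[:space:]]*$2:(.*[[:space:]])?winbind([[:space:]]|\$)" "$1"
}

# Print the first directory among the arguments that holds a resolvable
# libnss_winbind.so.2 (a dangling symlink does not count).
find_nss_lib() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so.2" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# Run all checks; returns non-zero if something needs fixing.
check_dc() {
    conf=$1; nss=$2; shift 2; rc=0
    # Assumed default search directories when none are given.
    [ $# -gt 0 ] || set -- /lib /lib/* /usr/lib /usr/lib/*
    if is_ad_dc "$conf" && [ -n "$(member_lines "$conf")" ]; then
        echo "smb.conf: member-server lines on a DC, remove them:"
        member_lines "$conf"; rc=1
    fi
    for db in passwd group; do
        if nss_has_winbind "$nss" "$db" && ! find_nss_lib "$@" >/dev/null; then
            echo "nsswitch.conf: $db uses winbind, libnss_winbind.so.2 not found"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check.sh smb.conf nsswitch.conf [libdir ...]
if [ $# -ge 2 ]; then check_dc "$@"; fi
```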