[Samba] winbind problems
Rowland Penny
rowlandpenny241155 at gmail.com
Fri Nov 6 19:44:05 UTC 2015
On 06/11/15 17:51, Dale Schroeder wrote:
> I had to move an existing member server to new hardware. Using getent
> on this Debian Jessie system, I cannot get winbind to retrieve the
> domain users, except for administrator, guest, tsinternetuser, and
> krbtgt.
wbinfo -u should show all your users, 'getent passwd domainuser' should
show the info for just 'domainuser', but getent normally doesn't show
anything for Administrator, guest or krbtgt on a domain member.
>
> Although none of my other working systems have it, I added the
> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
> parameters to match the wiki.
These are required to get kerberos tickets and to enable them being
refreshed.
>
> The only problem I have noticed is that installing libnss-winbind no
> longer creates the symbolic link between libnss_winbind.so.2 and
> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
> other directory to link does not exist on this system or the working
> systems.
OK, how have you installed samba and on what?
>
> net ads testjoin is OK. The domain SID matches the other servers.
> wbinfo works.
>
> I must have missed something, but I'm at a loss as to what it is. Can
> anyone see anything?
Any chance of seeing your smb.conf as stored on the Samba machine?
Rowland
>
> Thanks,
> Dale
>
> Samba version: 4.1.17+dfsg-2
>
> Output of testparm -s
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = Samba File Server
> #server role = member server
> security = ADS
> allow trusted domains = No
> map to guest = Bad User
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
> *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
> username map = /etc/samba/users.map
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> #map untrusted to domain = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> name resolve order = host, wins, bcast
> deadtime = 15
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> dns proxy = No
> wins server = 192.168.1.xyz
> ldap ssl = no
> panic action = /usr/share/samba/panic-action %d
> template homedir = /data/users/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
> winbind offline logon = Yes
> recycle:versions = Yes
> recycle:maxsize = 20971520
> recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj
> ~$* *.~??
> recycle:repository = /var/domain/trash/%U
> idmap config DOMAIN : range = 1000 - 2000
> idmap config DOMAIN : backend = rid
> idmap config * : range = 1000000 - 2000000
> idmap config * : backend = tdb
> admin users = root, DOMAIN\administrator
> hosts allow = 192.168.0.0/16
> ea support = Yes
> printing = bsd
> print command = lpr -r -P'%p' %s
> lpq command = lpq -P'%p'
> lprm command = lprm -P'%p' %j
> veto files = /trash/
> veto oplock files =
> /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = recycle
>
> #krb5.conf as per wiki
> [libdefaults]
> default_realm = DOMAIN.COM
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> *resolv.conf per wiki
>
> search domain.com
> nameserver 192.168.1.abc
>
>
> *nsswitch.conf
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
>
> hosts: fines dns wins
> networks: files dns
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
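An added example, not part of the original thread: a check of which domain RIDs the quoted "idmap config DOMAIN" lines can map. It uses the formula documented in the idmap_rid man page (ID = RID - BASE_RID + LOW_RANGE_ID) and assumes the default base_rid of 0; the function names and the sample RIDs 1000, 1001 and 1105 are constructed for illustration.

```python
import re

# idmap lines copied from the testparm output quoted in this message
SMB_CONF = """
idmap config DOMAIN : range = 1000 - 2000
idmap config DOMAIN : backend = rid
idmap config * : range = 1000000 - 2000000
idmap config * : backend = tdb
"""

# Well-known RIDs fixed by Windows, plus constructed sample RIDs for ordinary accounts
SAMPLE_RIDS = {"administrator": 500, "guest": 501, "krbtgt": 502,
               "sample-rid-1000": 1000, "sample-rid-1001": 1001, "sample-rid-1105": 1105}

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}} from smb.conf text."""
    pat = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
    domains = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if not m:
            continue
        dom, key, val = m.groups()
        entry = domains.setdefault(dom, {})
        if key.lower() == "range":
            low, high = (int(x) for x in val.split("-"))
            entry["range"] = (low, high)
        else:
            entry[key.lower()] = val
    return domains

def rid_to_id(rid, low, high, base_rid=0):
    """idmap_rid mapping; returns None when the result falls outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def max_mappable_rid(low, high, base_rid=0):
    """Highest RID that still receives a Unix ID inside [low, high]."""
    return high - low + base_rid

def mapping_report(conf, domain, rids):
    """Map each sample account to its Unix ID, or None if the range cannot hold it."""
    low, high = parse_idmap(conf)[domain]["range"]
    return {name: rid_to_id(rid, low, high) for name, rid in rids.items()}

if __name__ == "__main__":
    for name, unix_id in mapping_report(SMB_CONF, "DOMAIN", SAMPLE_RIDS).items():
        print(f"{name:18} -> {unix_id if unix_id is not None else 'outside range'}")
```

With the quoted range of 1000 - 2000, only RIDs 0 through 1000 receive a Unix ID; a rid range needs to be at least as wide as the highest RID in the domain.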