[Samba] winbind problems

Dale Schroeder dale at BriannasSaladDressing.com
Fri Nov 6 20:33:25 UTC 2015


Forgot to copy list.

On 11/06/2015 1:44 PM, Rowland Penny wrote:
> On 06/11/15 17:51, Dale Schroeder wrote:
>> I had to move an existing member server to new hardware.  Using 
>> getent on this Debian Jessie system, I cannot get winbind to retrieve 
>> the domain users, except for administrator, guest, tsinternetuser, 
>> and krbtgt.
>
> wbinfo -u should show all your users, 'getent passwd domainuser' 
> should show the info for just 'domainuser', but getent normally 
> doesn't show anything for Administrator, guest or krbtgt on a domain 
> member.
wbinfo works, getent in any form or shape does not.
>
>>
>> Although none of my other working systems have it, I added the 
>> "dedicated keytab", "kerberos method", and "winbind refresh tickets" 
>> parameters to match the wiki.
>
> These are required to get kerberos tickets and to enable them being 
> refreshed.
I don't doubt you at all, but that makes it impossible for me to explain 
the 4 others that don't have those parameters and are happily humming 
along.  The difference is that they have been upgraded in place from 
previous versions to 4.1.17.  The problem child is a "from scratch" 
upgrade install on new hardware.
>
>>
>> The only problem I have noticed is that installing libnss-winbind no 
>> longer creates the symbolic link between libnss_winbind.so.2 and 
>> libnss_winbind.so.  I had to do that manually.  Unlike the WIKI, the 
>> other directory to link does not exist on this system or the working 
>> systems.
>
> OK, how have you installed samba and on what?
I have used the Debian Jessie repositories on a new x64 system.
>
>
>>
>> net ads testjoin is OK.  The domain SID matches the other servers. 
>> wbinfo works.
>>
>> I must have missed something, but I'm at a loss as to what it is. Can 
>> anyone see anything?
>
> Any chance of seeing your smb.conf as stored on the samba machine.
I replaced the testparm output with the actual conf file below.
>
>
> Rowland
>
>>
>> Thanks,
>> Dale
OK, the following is as it exists on the server.
The contents of the users.map file is one line:
root = @"DOMAIN\Domain Admins"

Dale

>>
>> [global]
>> 	netbios name = DEBFSRV
>> 	workgroup = DOMAIN
>> 	realm = DOMAIN.COM
>> 	#server role = member server
>> 	server string = Samba File Server
>> 	security = ADS
>> 	#map untrusted to domain = Yes
>> 	allow trusted domains = No
>> 	map to guest = Bad User
>> 	#obey pam restrictions = Yes
>> 	password server = *
>> 	passdb backend = tdbsam
>> 	passwd program = /usr/bin/passwd %u
>> 	passwd chat =*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully*  .
>> 	username map = /etc/samba/users.map
>> 	syslog = 0
>> 	log level = 1 winbind:3 idmap:3
>> 	log file = /var/log/samba/log.%m
>> 	#max log size = 1000 # default=5000
>> 	name resolve order = host wins bcast
>> 	deadtime = 15
>> 	load printers = No
>> 	printing = bsd
>> 	#printcap cache time = 300
>> 	printcap name = /dev/null
>> 	disable spoolss = Yes
>> 	dns proxy = No
>> 	wins server = 192.168.1.223
>> 	ldap ssl = no
>> 	panic action = /usr/share/samba/panic-action %d
>> 	#idmap backend = rid:DOMAIN=1000-20000000
>> 	#idmap uid = 1000-20000000
>> 	#idmap gid = 1000-20000000
>> 	idmap config * : backend		= tdb
>> 	idmap config * : range			= 1000000 - 2000000
>> 	#idmap config DOMAIN : default	= Yes
>> 	idmap config DOMAIN : backend	= rid
>> 	idmap config DOMAIN : range		= 1000 - 2000
>> 	template homedir =/data/users/%U
>> 	template shell = /bin/bash
>> 	winbind cache time = 300
>> 	winbind enum users = Yes
>> 	winbind enum groups = Yes
>> 	winbind use default domain = Yes
>> 	winbind offline logon = Yes
>> 	dedicated keytab file = /etc/krb5.keytab
>> 	kerberos method = secrets and keytab
>> 	winbind refresh tickets = Yes
>> 	#recycle:repository =/var/domain/trash/%U
>> 	#recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
>> 	#recycle:maxsize = 20971520
>> 	#recycle:versions = Yes
>> 	admin users = root, DOMAIN\administrator
>> 	hosts allow = 192.168.0.0/16
>> 	veto files =/trash/
>> 	veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
>> 	kernel oplocks = No
>> 	map archive = No
>> 	map readonly = No
>> 	ea support = Yes
>> 	store dos attributes = Yes
>> 	#vfs objects = recycle
>>
>>
>> #krb5.conf as per wiki
>> [libdefaults]
>>     default_realm = DOMAIN.COM
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = true
>>
>> *resolv.conf per wiki
>>
>> search domain.com
>> nameserver 192.168.1.abc
>>
>>
>> *nsswitch.conf
>>
>> passwd:        compat winbind
>> group:        compat winbind
>> shadow:        compat
>> gshadow:    files
>>
>> hosts:        fines dns wins
>> networks:    files dns
>>
>> protocols:    db files
>> services:    db files
>> ethers:        db files
>> rpc:        db files
>>
>
>
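
Added example, not part of the original message or of Samba: a short Python check that applies the mapping formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID, with base_rid defaulting to 0) to the idmap lines quoted above and reports which RIDs receive a Unix ID inside the configured range. The RIDs 1000, 1105 and 2417 are constructed samples, and the helper names are hypothetical.

```python
import re

# idmap lines copied from the smb.conf quoted in the message above.
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 1000000 - 2000000
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 1000 - 2000
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$")


def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every active 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out parameter
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option] = value
    return domains


def rid_to_unix_id(rid, settings):
    """Apply the idmap_rid formula; None means the result is outside the range."""
    low, high = (int(x) for x in settings["range"].split("-"))
    base_rid = int(settings.get("base_rid", 0))  # idmap_rid default is 0
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def highest_mappable_rid(settings):
    """Largest RID whose computed Unix ID still fits in the configured range."""
    low, high = (int(x) for x in settings["range"].split("-"))
    return high - low + int(settings.get("base_rid", 0))


if __name__ == "__main__":
    dom = parse_idmap(SMB_CONF)["DOMAIN"]
    # 500/501/502 are the well-known Administrator/Guest/krbtgt RIDs;
    # 1000, 1105 and 2417 are constructed samples.
    for rid in (500, 501, 502, 1000, 1105, 2417):
        print(rid, "->", rid_to_unix_id(rid, dom) or "outside range, not mapped")
    print("highest mappable RID:", highest_mappable_rid(dom))
```

A RID that maps outside the range gets no Unix ID from the rid backend, so NSS lookups for that account return nothing.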



