[Samba] winbind problems
dale at BriannasSaladDressing.com
Fri Nov 6 20:33:25 UTC 2015
Forgot to copy list.
On 11/06/2015 1:44 PM, Rowland Penny wrote:
> On 06/11/15 17:51, Dale Schroeder wrote:
>> I had to move an existing member server to new hardware. Using
>> getent on this Debian Jessie system, I cannot get winbind to retrieve
>> the domain users, except for administrator, guest, tsinternetuser,
>> and krbtgt.
> wbinfo -u should show all your users, 'getent passwd domainuser'
> should show the info for just 'domainuser', but getent normally
> doesn't show anything for Administrator, guest or krbtgt on a domain
wbinfo works, getent in any form or shape does not.
>> Although none of my other working systems have it, I added the
>> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
>> parameters to match the wiki.
> These are required to get kerberos tickets and to enable them being
I don't doubt you at all, but that makes it impossible for me to explain
the 4 others that don't have those parameters and are happily humming
along. The difference is that they have been upgraded in place from
previous versions to 4.1.17. The problem child is a "from scratch"
upgrade install on new hardware.
>> The only problem I have noticed is that installing libnss-winbind no
>> longer creates the symbolic link between libnss_winbind.so.2 and
>> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
>> other directory to link does not exist on this system or the working
> OK, how have you installed samba and on what?
I have used the Debian Jessie repositories on a new x64 system.
>> net ads testjoin is OK. The domain SID matches the other servers.
>> wbinfo works.
>> I must have missed something, but I'm at a loss as to what it is. Can
>> anyone see anything?
> Any chance of seeing your smb.conf as stored on the samba machine.
I replaced the testparm output with the actual conf file below.
OK, the following is as it exists on the server.
The contents of the users.map file is one line:
root = @"DOMAIN\Domain Admins"
>> netbios name = DEBFSRV
>> workgroup = DOMAIN
>> realm = DOMAIN.COM
>> #server role = member server
>> server string = Samba File Server
>> security = ADS
>> #map untrusted to domain = Yes
>> allow trusted domains = No
>> map to guest = Bad User
>> #obey pam restrictions = Yes
>> password server = *
>> passdb backend = tdbsam
>> passwd program = /usr/bin/passwd %u
>> passwd chat =*Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:*
>> %n\n *password\supdated\ssuccessfully* .
>> username map = /etc/samba/users.map
>> syslog = 0
>> log level = 1 winbind:3 idmap:3
>> log file = /var/log/samba/log.%m
>> #max log size = 1000 # default=5000
>> name resolve order = host wins bcast
>> deadtime = 15
>> load printers = No
>> printing = bsd
>> #printcap cache time = 300
>> printcap name = /dev/null
>> disable spoolss = Yes
>> dns proxy = No
>> wins server = 192.168.1.223
>> ldap ssl = no
>> panic action = /usr/share/samba/panic-action %d
>> #idmap backend = rid:DOMAIN=1000-20000000
>> #idmap uid = 1000-20000000
>> #idmap gid = 1000-20000000
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000 - 2000000
>> #idmap config DOMAIN : default = Yes
>> idmap config DOMAIN : backend = rid
>> idmap config DOMAIN : range = 1000 - 2000
>> template homedir =/data/users/%U
>> template shell = /bin/bash
>> winbind cache time = 300
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind use default domain = Yes
>> winbind offline logon = Yes
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> winbind refresh tickets = Yes
>> #recycle:repository =/var/domain/trash/%U
>> #recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o *.obj ~$* *.~??
>> #recycle:maxsize = 20971520
>> #recycle:versions = Yes
>> admin users = root, DOMAIN\administrator
>> hosts allow = 192.168.0.0/16
>> veto files =/trash/
>> veto oplock files = /*.doc/*.xls/*.mdb/*.ldb/*.bkf/*.DOC/*.XLS/*.MDB/*.LDB/*.pst/*.PST/
>> kernel oplocks = No
>> map archive = No
>> map readonly = No
>> ea support = Yes
>> store dos attributes = Yes
>> #vfs objects = recycle
>> #krb5.conf as per wiki
>> default_realm = DOMAIN.COM
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> *resolv.conf per wiki
>> search domain.com
>> nameserver 192.168.1.abc
>> passwd: compat winbind
>> group: compat winbind
>> shadow: compat
>> gshadow: files
>> hosts: fines dns wins
>> networks: files dns
>> protocols: db files
>> services: db files
>> ethers: db files
>> rpc: db files
More information about the samba