[Samba] winbind problems
rowlandpenny241155 at gmail.com
Fri Nov 6 21:13:25 UTC 2015
On 06/11/15 20:33, Dale Schroeder wrote:
> Forgot to copy list.
> On 11/06/2015 1:44 PM, Rowland Penny wrote:
>> On 06/11/15 17:51, Dale Schroeder wrote:
>>> I had to move an existing member server to new hardware. Using
>>> getent on this Debian Jessie system, I cannot get winbind to
>>> retrieve the domain users, except for administrator, guest,
>>> tsinternetuser, and krbtgt.
>> wbinfo -u should show all your users, 'getent passwd domainuser'
>> should show the info for just 'domainuser', but getent normally
>> doesn't show anything for Administrator, guest or krbtgt on a domain
> wbinfo works, getent in any form or shape does not.
>>> Although none of my other working systems have it, I added the
>>> "dedicated keytab", "kerberos method", and "winbind refresh tickets"
>>> parameters to match the wiki.
>> These are required to get kerberos tickets and to enable them being
> I don't doubt you at all, but that makes it impossible for me to
> explain the 4 others that don't have those parameters and are happily
> humming along. The difference is that they have been upgraded in
> place from previous versions to 4.1.17. The problem child is a "from
> scratch" upgrade install on new hardware.
>>> The only problem I have noticed is that installing libnss-winbind no
>>> longer creates the symbolic link between libnss_winbind.so.2 and
>>> libnss_winbind.so. I had to do that manually. Unlike the WIKI, the
>>> other directory to link does not exist on this system or the working
>> OK, how have you installed samba and on what?
> I have used the Debian Jessie repositories on a new x64 system.
>>> net ads testjoin is OK. The domain SID matches the other servers.
>>> wbinfo works.
>>> I must have missed something, but I'm at a loss as to what it is.
>>> Can anyone see anything?
>> Any chance of seeing your smb.conf as stored on the samba machine.
> I replaced the testparm output with the actual conf file below.
> OK, the following is as it exists on the server.
> The contents of the users.map file is one line:
> root = @"DOMAIN\Domain Admins"
>>> netbios name = DEBFSRV
>>> workgroup = DOMAIN
>>> realm = DOMAIN.COM
>>> #server role = member server
>>> server string = Samba File Server
>>> security = ADS
>>> #map untrusted to domain = Yes
>>> allow trusted domains = No
>>> map to guest = Bad User
>>> #obey pam restrictions = Yes
>>> password server = *
>>> passdb backend = tdbsam
>>> passwd program = /usr/bin/passwd %u
>>> passwd chat =*Enter\snew\sUNIX\spassword:* %n\n
>>> *Retype\snew\sUNIX\spassword:* %n\n
>>> *password\supdated\ssuccessfully* .
>>> username map = /etc/samba/users.map
>>> syslog = 0
>>> log level = 1 winbind:3 idmap:3
>>> log file = /var/log/samba/log.%m
>>> #max log size = 1000 # default=5000
>>> name resolve order = host wins bcast
>>> deadtime = 15
>>> load printers = No
>>> printing = bsd
>>> #printcap cache time = 300
>>> printcap name = /dev/null
>>> disable spoolss = Yes
>>> dns proxy = No
>>> wins server = 192.168.1.223
>>> ldap ssl = no
>>> panic action = /usr/share/samba/panic-action %d
>>> #idmap backend = rid:DOMAIN=1000-20000000
>>> #idmap uid = 1000-20000000
>>> #idmap gid = 1000-20000000
>>> idmap config * : backend = tdb
>>> idmap config * : range = 1000000 - 2000000
>>> #idmap config DOMAIN : default = Yes
>>> idmap config DOMAIN : backend = rid
>>> idmap config DOMAIN : range = 1000 - 2000
>>> template homedir =/data/users/%U
>>> template shell = /bin/bash
>>> winbind cache time = 300
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind use default domain = Yes
>>> winbind offline logon = Yes
>>> dedicated keytab file = /etc/krb5.keytab
>>> kerberos method = secrets and keytab
>>> winbind refresh tickets = Yes
>>> #recycle:repository =/var/domain/trash/%U
>>> #recycle:exclude = *.bks *.BKF *.tmp *.TMP *.temp *.TEMP *.o
>>> *.obj ~$* *.~??
>>> #recycle:maxsize = 20971520
>>> #recycle:versions = Yes
>>> admin users = root, DOMAIN\administrator
>>> hosts allow = 192.168.0.0/16
>>> veto files =/trash/
>>> veto oplock files =
>>> kernel oplocks = No
>>> map archive = No
>>> map readonly = No
>>> ea support = Yes
>>> store dos attributes = Yes
>>> #vfs objects = recycle
>>> #krb5.conf as per wiki
>>> default_realm = DOMAIN.COM
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = true
>>> *resolv.conf per wiki
>>> search domain.com
>>> nameserver 192.168.1.abc
>>> passwd: compat winbind
>>> group: compat winbind
>>> shadow: compat
>>> gshadow: files
>>> hosts: fines dns wins
>>> networks: files dns
>>> protocols: db files
>>> services: db files
>>> ethers: db files
>>> rpc: db files
OK, try this smb.conf, don't add anything else until you have getent
workgroup = DOMAIN
security = ADS
realm = DOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
idmap config * : range = 1000000-2000000
idmap config * : backend = tdb
idmap config DOMAIN : range = 1000-2000
idmap config DOMAIN : backend = rid
winbind nss info = template
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = Yes
winbind enum groups = Yes
winbind refresh tickets = Yes
winbind offline logon = Yes
username map = /etc/samba/users.map
template homedir = /data/users/%U
template shell = /bin/bash
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
The above should work against an AD DC
Your users.map should be:
!root = DOMAIN\Administrator DOMAIN\administrator
More information about the samba