[Samba] winbind problems

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 12 20:59:14 UTC 2015


On 12/11/15 20:31, Dale Schroeder wrote:
>> OK, try this smb.conf, don't add anything else until you have getent 
>> working:
>>
>> [global]
>>     workgroup = DOMAIN
>>     security = ADS
>>     realm = DOMAIN.COM
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     idmap config * : range = 1000000-2000000
>>     idmap config * : backend = tdb
>>     idmap config DOMAIN : range = 1000-2000
>>     idmap config DOMAIN : backend = rid
>>     winbind nss info = template
>>     winbind trusted domains only = no
>>     winbind use default domain = yes
>>     winbind enum users = Yes
>>     winbind enum groups = Yes
>>     winbind refresh tickets = Yes
>>     winbind offline logon = Yes
>>     username map = /etc/samba/users.map
>>     template homedir = /data/users/%U
>>     template shell = /bin/bash
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     store dos attributes = yes
>>
>> The above should work against an AD DC
>>
>> Your users.map should be:
>>
>> !root = DOMAIN\Administrator DOMAIN\administrator
>>
>> Rowland
>>
>>
> Thanks, Rowland.  I've gotten it working for the most part.  There are 
> some permissions issues with vfs recycle, but I'll have to work those 
> out later.
>
> Just to satisfy my curiosity more than anything, I'd like to clarify a 
> few things.
>
> 1.  What is the benefit of using 'secrets and keytab'?  All of my 
> other member servers seem to function OK with the default 'secrets only'.

It tries to use the secrets.tdb first for Kerberos verification and if 
it cannot do this, it uses the system keytab, bit of a belt & braces 
situation really.

> 2.  What does the syntax of the users.map file that you have presented 
> mean, or maybe it would be better stated as what does it do?  That is 
> nothing at all like the mapping files I have used for the past 12 
> years.  I have seen this before, but have never seen an explanation of it.

Fairly simple, it maps the Windows domain Administrator to the local 
Unix 'root' user, you can then change file permissions on Samba Unix 
shares from Windows.

>
> 3.  Some time back, you mentioned the name of the file in Debian that 
> listed the default mount options.  Would you please state it again?  I 
> can't seem to locate that particular email in the archives.

Well, I would if I could, but what do you mean by 'default mount options'? 
autofs? cifs? ???

Rowland

>
> Thanks again,
> Dale
>



