[Samba] Domain member seems to work, wbinfo -u not

Rowland penny rpenny at samba.org
Fri Apr 15 10:34:47 UTC 2016 

On 15/04/16 11:11, Oktay Akbal wrote:
>> On 15/04/16 10:33, Oktay Akbal wrote:
>>> [global]
>>>           workgroup = DOMAIN
>>>           realm = DOMAIN.DE
>>>           netbios name = HOST
>>>           server string = HOST
>>>           security = ADS
>>>           encrypt passwords = Yes
>>>           map to guest = Bad User
>>>           password server = *
>>>           log level = 3 vfs:0
>>>           log file = /var/log/samba/log.%U
>>>           max log size = 2000
>>>           syslog = 0
>>>           time server = Yes
>>>           unix extensions = Yes
>>>           os level = 2
>>>           winbind uid = 10000-20000
>>>           winbind gid = 10000-20000
>>>           winbind enum users = yes
>>>           winbind enum groups = yes
>>> #       template homedir = /raid1/fileserver/homes/%U
>>>           winbind separator = /
>>>           printing = cups
>>>           printcap name = cups
>>>           cups server = other.domain.de
>>>           veto files = /*.{*}/
>>>           lanman auth = No
>>>           client lanman auth = No
>>>           cups options ="raw"
>>>           create mask = 0775
>>>           force create mode = 0775
>>>           username map = /etc/samba/smbusers
>>>
>>>
>>> The config should not be the problem.
>>> The Problem seems to be related to the badlock-patch. See samba-technical post of Hansjoerg Maurer.
>>> It seems that downgrading to older rpm works. But on Centos7 that means to downgrade from 4.2.10 to 4.2.3.
>>>    
>>>    
>>>
>>>
>> I beg to differ, your config is using the old depreciated setup, see
>> here for the the latest setup:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Are you running the 'winbindd' deamon ?
>>
> Sure.
>
> I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
> BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.

With the 'old system' you just have one range, this is now depreciated 
and you should use the new 'idmap config' . The old system could be removed.

The wiki entry does explain how to create the keytab:

net ads join -U administrator

The keytab will created for you during the join.

Does 'Sure' mean you are running winbindd ?
Are you also using 'sssd' ?

Rowland

More information about the samba mailing list