[Samba] Domain member seems to work, wbinfo -u not
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 15 12:43:36 UTC 2016
Ok, I have tested a bit more also.
Now I have this problem also on some other servers with D. Jessie.
The SerNet 4.2.11 Debian wheezy works fine as far as I can see now.
All my member servers have these settings (see below).
Versions used are
4.1.17 (all ok) ( debian jessie packages )
4.2.20 (fail wbinfo -u) ( debian jessie packages )
4.2.11 (all ok) ( debian wheezy sernet packages )
4.3.6 (all ok) ( debian sid recompiled to jessie package )
4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )
2 servers, now both on 4.2.10
On both work :
And both not wbinfo -u
Disabling tls didn't help.
Setting: ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.
Rebooted the server also.
All users have UID and needed groups also.
Config member server.
workgroup = NTDOM
security = ADS
realm = INTERNAL.DOMAIN.TLD
netbios name = memberserver10
domain master = no
host msdfs = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config NTDOM:backend = ad
idmap config NTDOM:schema_mode = rfc2307
idmap config NTDOM:range = 10000-3999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind expand groups = 4
wins server = 192.168.0.1, 192.168.0.2
username map = /etc/samba/samba_usermapping
usershare path =
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
unix extensions = no
wide links = no
reset on zero vc = yes
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
load printers = Yes
printing = cups
printcap name = cups
tls enabled = yes
tls keyfile = ....
tls certfile = ....
tls cafile = ....
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Friday 15 April 2016 13:50
> To: sambalist
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> On 15/04/16 12:05, Oktay Akbal wrote:
> >>> I don't see where exactly the ways differ. I already played with idmap
> >>> settings and keytab. It makes no difference.
> >>> BTW the wiki entry does not explain how to create the keytab, so the
> >>> setting is not really useful if you just follow that page.
> >> With the 'old system' you just have one range, this is now deprecated
> >> and you should use the new 'idmap config'. The old system could be
> >> The wiki entry does explain how to create the keytab:
> >> net ads join -U administrator
> >> The keytab will be created for you during the join.
> >> Does 'Sure' mean you are running winbindd?
> >> Are you also using 'sssd'?
> > Already tried the idmap config and it does not make a difference. Will
> > keep it.
> > Indeed the join creates that file. Since I already was in domain I had
> > to create it.
> > Rejoined domain, keytab gets created. Still no difference. Everything
> > works. wbinfo -u not.
> > Yes I use winbind and no to sssd.
> > I see other comments on how the latest updates broke domain
> > authentication to some users (debian-list, centos7 forum etc.). I fear
> > that there is a deeper problem with that patch.
> OK, so your smb.conf is similar to the one on the wiki page, which idmap
> backend did you use?
> If it was the 'rid' backend then everything should work.
> If it was the 'ad' backend, do your users have a unique 'uidNumber'
> attribute in AD and does 'Domain Users' have a 'gidNumber' attribute?
> Let's rule everything else out first, before pointing the finger at the