[Samba] after classicupgrade
rpenny at samba.org
Thu Aug 11 09:19:50 UTC 2016
On Thu, 11 Aug 2016 10:36:57 +0200
Pisch Tamás via samba <samba at lists.samba.org> wrote:
> I have Samba 4.2.10 server with NT4 configuration, with ldap backend
> on Debian Jessie, and I want to upgrade it to AD. I test it now in
> virtul environment. The classicupgrade was succesful.
> getent passwd username
> chown "username:Domain Users" test.txt
> didn't work with this nsswitch.conf:
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> , so I changed ldap to winbind. Now the two above commands work, but
> the local login delays some seconds. Which nss setup is better: ldap,
> or winbind?
It isn't a case of which is better, it is a case of which will work ;-)
You need to use 'winbind' with AD. you also need to remove 'winbind'
from the shadow line.
>Ldap doesn't work perfectly, because I cannot use
> ldapsearch: ldapsearch -xLL -H ldap://localhost:389 -D
> "cn=Administrator,dc=Users,dc=our,dc=site" -b "dc=our,dc=site"
> ldap_bind: Strong(er) authentication required(8)
> additional info: BindSimple: transport encryption required.
This has nothing to do ldap, there was a rather major update to do with
stopping man-in-the-middle attacks, see here:
Yes, I know thats for 4.2.11, but that is what you actually have.
Temporarily, you can set 'ldap server require strong auth = no' in
smb.conf whilst reading up on using ssl with your ldap searches.
> workgroup = OUR
> realm = our.site
> interfaces = lo eth0
> bind interfaces only = yes
> server role = active directory domain controller
> passdb backend = samba_dsdb
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain =yes
> dns forwarder = 188.8.131.52
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = enabled
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap config our : range = 10000-100000
> idmap config our : backend = ad
> idmap config * : range = 1000000-1999999
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = no
> map readonly = no
> store dos attributes = yes
> vfs objects = dfs_samba4 acl_xattr
> path= /var/lib/samba/sysvol/perczelmor.site/scripts
> read only = no
> path= /var/lib/samba/sysvol
> read only = no
Can I suggest you remove the lines you added to smb.conf, they will not
do anything, or are defaults, or will make things worse.
Then add the line I suggested above.
> host 127.0.0.1
> base dc=our,dc=site
> logdir /var/lib/ldap/log
> TLS_REQCERT hard
> TLS_CACERT /etc/ssl/certs/cacert.pem
> I tried to integrate winbind login into pam according to this:
> https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto but it
> didn't work.
If you have these packages installed: libpam-krb5 libpam-winbind
You shouldn't have to do anything else.
More information about the samba