[Samba] Samba 4.51 Solaris 11 AD client
Gaiseric Vandal
gaiseric.vandal at gmail.com
Sun Dec 11 16:57:41 UTC 2016
If I add
winbind rpc only = Yes
to the smb.conf file, then "wbinfo -u" will list users in the current domain. It
won't list users in any trusted domains (including domains in the same
forest). This indicates that the domain is having some issue retrieving
user names via LDAP.
The forest is at the 2008 functional level. The domain was at the 2003 functional level
but I just raised that to 2008. The domain has Windows 2008 SP2 domain
controllers. The child domain has a Windows 2012 domain controller but is
also at the 2008 forest functional level. I upgraded the registry in the Win
2008 SP2 domain controllers to disable DES.
Solaris 11 has both "solaris" ldap (not openldap) and openldap ldap.
The solaris ldap files should have been in the default path for the software
build.
I also set
create krb5 conf = No
to prevent samba recreating /usr/local/samba/var/lock/smb_krb5/krb5.conf
each time it restarted, since it would enable DES encryption by default.
Maybe I need to compile latest openldap and add to the C_INCLUDE_PATH and
CPLUS_INCLUDE_PATH variables.
From: Gaiseric Vandal [mailto:gaiseric.vandal at gmail.com]
Sent: Wednesday, December 07, 2016 9:33 PM
To: 'Samba' <samba at lists.samba.org>
Subject: Samba 4.51 Solaris 11 AD client
Solaris 11 includes samba 3.6.25. I compiled samba 4.5.1 using GCC 4.8 and
gmake. I had set the following env variables to make sure krb5.conf was found:
# CPLUS_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/
# C_INCLUDE_PATH=/usr/include:/usr/include/kerberosv5/
After setting "client ldap sasl wrapping = plain" I was able to join a
Windows 2008 domain with samba 4.
The samba 4.5.1 "wbinfo -m" showed the domain. However "wbinfo -u" did not
show any users.
This works OK with samba 3.6.25.
With Samba 3:
# testparm -v | grep signing
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
client signing = required
client ipc signing = required
server signing = No
With samba 4:
# /usr/local/samba/bin/testparm -v | grep signing
Load smb config files from /usr/local/samba-4.5.1/etc/smb.conf
rlimit_max: increasing rlimit_max (256) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
client ipc signing = default
client signing = default
server signing = default
log.winbindd has:
[2016/12/07 21:16:22.781818, 1, pid=1520, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_util.c:352(trustdom_list_done)
trustdom_list_done: Could not receive trusts for domain MYDOMAIN
Both samba 3 and samba 4 create krb5.conf.MYDOMAIN files:
#/usr/local/samba/var/lock/smb_krb5# cat krb5.conf.MYDOMAIN
[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
dns_lookup_realm = false
[realms]
MYDOMAIN.COM = {
kdc = 192.168.x.y
kdc = 192.168.x.z
}
#:/usr/local/samba/var/lock/smb_krb5#
I would like to disable DES encryption. Or maybe have samba use the system
krb5.conf.
With samba3, wbinfo will not show users from "classic" trusted domains but
will show users from AD trusted domains.
Beginning to think that I should have uninstalled samba3 before compiling
samba4 to make sure no conflicts between different versions of samba
libraries.
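An added example, not part of the original post or of Samba: a small check that reads a krb5.conf like the generated krb5.conf.MYDOMAIN above, reports which [libdefaults] enctype lists still carry single-DES enctypes, and writes back the same file with those entries stripped. The sample config is constructed from the post's file; the kdc addresses are the post's own placeholders.

```python
import re
# Constructed sample modelled on the post's krb5.conf.MYDOMAIN (kdc values are the post's placeholders).
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = MYDOMAIN.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
MYDOMAIN.COM = {
kdc = 192.168.x.y
kdc = 192.168.x.z
}
"""
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")
SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
KEY_RE = re.compile(r"^(\s*)(\w+)(\s*=\s*)(.*?)\s*$")

def is_weak(enctype):
    """Single DES only (des-cbc-crc, des-cbc-md5); des3-* and RC4 are left alone here."""
    return enctype.lower().startswith("des-")

def _walk(text):
    """Yield (line, match); match is set only for enctype keys inside [libdefaults]."""
    section = None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
        m = KEY_RE.match(line)
        in_scope = section == "libdefaults" and m and m.group(2) in ENCTYPE_KEYS
        yield line, (m if in_scope else None)

def find_weak_enctypes(text):
    """Map each [libdefaults] enctype key to the DES enctypes it still lists."""
    found = {}
    for _, m in _walk(text):
        weak = [e for e in m.group(4).split() if is_weak(e)] if m else []
        if weak:
            found[m.group(2)] = weak
    return found

def strip_weak_enctypes(text):
    """Return the config with DES enctypes removed; all other lines are kept verbatim."""
    out = []
    for line, m in _walk(text):
        if m:
            kept = [e for e in m.group(4).split() if not is_weak(e)]
            line = m.group(1) + m.group(2) + m.group(3) + " ".join(kept)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running find_weak_enctypes over the file Samba regenerates on each restart is a quick way to confirm whether "create krb5 conf = No" (or a hand-maintained system krb5.conf) actually got rid of the DES entries.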