[Samba] ADS domain member: winbind fails

[Stefan G. Weichinger]

Am 2016-12-30 um 12:10 schrieb Rowland Penny via samba:

> Was Samba running before the join ?

I can't tell that anymore as I did hundreds of things inbetween.

> Remove this line from your smb.conf:
>
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> It is not required as you are using the winbind 'rid' backend.

"rid" was just a try as "ad" didn't work and I had no more ideas ...
I 'd maybe prefer "ad" ?

> Try stopping all Samba processes, then leave the domain and join again.
> Now start smbd, nmbd and winbind.

Did so.

leave and join: at first try, nice.

winbindd crashes immediately again.

> If this doesn't fix it, can you tell us what OS you are using, What is
> the AD DC and post your /etc/hosts, /etc/krb5.conf and /etc/resolv.conf

The DC "backup" is latest debian. Converted from NT4 today (you remember 
the lengthy thread!) ...

The member server "main" is gentoo linux.

Both run samba-4.2.14.

We can access shares on "main" ! even without winbindd running ...

-

# MEMBER SERVER (-> file services)
# cat /etc/hosts

# IPv4 and IPv6 localhost aliases
127.0.0.1	localhost
::1		localhost

10.0.0.221 main.secret.tld main
10.0.0.224 backup.secret.tld backup

# cat /etc/krb5.conf
[libdefaults]
	default_realm = ARBEITSGRUPPE.SECRET.TLD
	dns_lookup_realm = false
	dns_lookup_kdc = true

# cat /etc/samba/smb.conf
[global]
	security = ADS
	workgroup = ARBEITSGRUPPE
	realm = ARBEITSGRUPPE.SECRET.TLD
	map to guest = Bad User
	log file = /var/log/samba/%m.log
	log level = 3
	
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999

	## idmap config for the ARBEITSGRUPPE domain
	idmap config ARBEITSGRUPPE:backend = rid
	idmap config ARBEITSGRUPPE:range = 10000-999999

	username map = /etc/samba/user.map

	winbind enum users = Yes
	winbind enum groups = Yes
	winbind use default domain = Yes
	winbind refresh tickets = Yes

- and we had an issue joining a win7 client, I provide details on this 
later ...

Thank you!