[Samba] ADS domain member: winbind fails

Rowland Penny rpenny at samba.org
Fri Dec 30 13:01:06 UTC 2016


On Fri, 30 Dec 2016 13:45:09 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 13:09, Rowland Penny via samba wrote:
> > On Fri, 30 Dec 2016 12:37:33 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> On 2016-12-30 at 12:10, Rowland Penny via samba wrote:
> >>
> >>> Was Samba running before the join ?
> >>
> >> I can't tell that anymore as I did hundreds of things in between.
> >>
> >>> Remove this line from your smb.conf:
> >>>
> >>> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> >>>
> >>> It is not required as you are using the winbind 'rid' backend.
> >>
> >> "rid" was just a try as "ad" didn't work and I had no more
> >> ideas ... I'd maybe prefer "ad" ?
> >>
> >>> Try stopping all Samba processes, then leave the domain and join
> >>> again. Now start smbd, nmbd and winbind.
> >>
> >> Did so.
> >>
> >> leave and join: at first try, nice.
> >>
> >> winbindd crashes immediately again.
> >>
> >>> If this doesn't fix it, can you tell us what OS you are using,
> >>> What is the AD DC and post your /etc/hosts, /etc/krb5.conf
> >>> and /etc/resolv.conf
> >>
> >> The DC "backup" is latest debian. Converted from NT4 today (you
> >> remember the lengthy thread!) ...
> >>
> >> The member server "main" is gentoo linux.
> >>
> >> Both run samba-4.2.14.
> >>
> >> We can access shares on "main" ! even without winbindd running ...
> >>
> >> -
> >>
> >> # MEMBER SERVER (-> file services)
> >> # cat /etc/hosts
> >>
> >> # IPv4 and IPv6 localhost aliases
> >> 127.0.0.1	localhost
> >> ::1		localhost
> >>
> >> 10.0.0.221 main.secret.tld main
> >> 10.0.0.224 backup.secret.tld backup
> >>
> >> # cat /etc/krb5.conf
> >> [libdefaults]
> >> 	default_realm = ARBEITSGRUPPE.SECRET.TLD
> >> 	dns_lookup_realm = false
> >> 	dns_lookup_kdc = true
> >
> >
> > OK, if your domain member's short host is 'main', this makes its
> > domain name 'secret.tld', yet the realm is
> > 'ARBEITSGRUPPE.SECRET.TLD'
> >
> > ignoring case, 'secret.tld' != 'ARBEITSGRUPPE.SECRET.TLD' and it
> > should.
> 
> I am confused what to change now!?
> 
> 
> 

What is the dns domain of your DC ?
Whatever it is, this will have been used for your kerberos realm.
You will need to use the same dns domain and kerberos realm on your
domain member.

EXAMPLE:

The dns domain of your DC is 'arbeitsgruppe.secret.tld' and the realm
on the DC is 'ARBEITSGRUPPE.SECRET.TLD'
Your dns domain on the domain member will have to be
'arbeitsgruppe.secret.tld' and the realm 'ARBEITSGRUPPE.SECRET.TLD'

Rowland
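
The comparison made in this reply (the member's DNS domain against the Kerberos realm, ignoring case) can be scripted. The following is an added example, not part of the original message and not Samba code; the function names are hypothetical and the inline file contents are constructed from the /etc/hosts and /etc/krb5.conf quoted above, with the "fixed" variant using the EXAMPLE values from the reply.

```python
import re

# Constructed sample input: the two files as quoted in the thread.
HOSTS = """\
127.0.0.1 localhost
10.0.0.221 main.secret.tld main
10.0.0.224 backup.secret.tld backup
"""
# Constructed: the same file after applying the EXAMPLE values from the reply.
HOSTS_FIXED = HOSTS.replace(".secret.tld", ".arbeitsgruppe.secret.tld")
KRB5 = """\
[libdefaults]
    default_realm = ARBEITSGRUPPE.SECRET.TLD
    dns_lookup_kdc = true
"""

def host_dns_domain(hosts_text, short_name):
    """DNS domain of the first FQDN whose host part is short_name, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:          # fields[0] is the IP address
            host, _, domain = name.partition(".")
            if host.lower() == short_name.lower() and domain:
                return domain.lower()
    return None

def default_realm(krb5_text):
    """Value of default_realm in the [libdefaults] section, or None."""
    section = None
    for line in krb5_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue                     # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults":
            key, sep, value = line.partition("=")
            if sep and key.strip() == "default_realm":
                return value.strip()
    return None

def check_member(hosts_text, krb5_text, short_name):
    """Return (ok, dns_domain, realm); ok only if they match ignoring case."""
    domain = host_dns_domain(hosts_text, short_name)
    realm = default_realm(krb5_text)
    ok = bool(domain and realm) and domain == realm.lower()
    return ok, domain, realm

if __name__ == "__main__":
    print(check_member(HOSTS, KRB5, "main"))
    print(check_member(HOSTS_FIXED, KRB5, "main"))
```

On a real member, pass the contents of /etc/hosts and /etc/krb5.conf and the machine's short host name instead of the constructed strings.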


