[Samba] ADS domain member: winbind fails
L.P.H. van Belle
belle at bazuin.nl
Fri Dec 30 13:49:47 UTC 2016
I think we are mixing 2 things now.
You corrected DC, that's good.
And the debian server member is the member?
Did you add in /etc/ldap/ldap.conf
TLS_REQCERT allow
Now, this part I didn't test, but it should work since lots of users are missing the correct TLS settings/certificates.
This is a DEBIAN ( or Ubuntu ) setup.
apt-get install ca-certificates
echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf
Locate your SAMBA CA root.
ln -s path_to_samba_TLS-CA-ROOT /usr/local/share/ca-certificates/samba-ca.crt
update-ca-certificates
done, that's it.
Do that on the debian server, reboot it and after reboot type wbinfo -u
And post /etc/hosts /etc/resolv.conf /etc/samba/smb.conf of that server.
Greetz,
Louis
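
The TLS_REQCERT line in the steps above decides how strictly the LDAP client checks the server certificate. The following is an added example, not part of the original message: it reports the effective level and CA file of an ldap.conf-style file, with levels as described in ldap.conf(5). The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the TLS settings of an
# OpenLDAP client config such as /etc/ldap/ldap.conf.

# Print the last value given for keyword $2 in file $1, or nothing.
# ldap.conf keywords are case-insensitive and "#" starts a comment line.
ldap_conf_get() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == key && NF >= 2 { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# Effective TLS_REQCERT level; libldap defaults to "demand" when unset.
ldap_reqcert_level() {
    level=$(ldap_conf_get "$1" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "${level:-demand}"
}

# What each level means for server certificate checking, per ldap.conf(5).
ldap_reqcert_verdict() {
    case $1 in
        never)       echo "WEAK: server certificate is not requested or checked" ;;
        allow)       echo "WEAK: a missing or bad server certificate is accepted" ;;
        try)         echo "PARTIAL: bad certificate rejected, missing one accepted" ;;
        demand|hard) echo "OK: a valid server certificate is required" ;;
        *)           echo "UNKNOWN: unrecognised level '$1'" ;;
    esac
}

# One-line report: level, verdict, and the CA file the client trusts.
ldap_tls_audit() {
    level=$(ldap_reqcert_level "$1")
    ca=$(ldap_conf_get "$1" TLS_CACERT)
    printf '%s: TLS_REQCERT=%s (%s); TLS_CACERT=%s\n' \
        "$1" "$level" "$(ldap_reqcert_verdict "$level")" "${ca:-unset}"
}

# Constructed sample configs (not taken from the servers in this thread).
tmp=$(mktemp -d)
printf 'TLS_REQCERT allow\n' > "$tmp/relaxed.conf"
printf '# strict\ntls_cacert /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT Demand\n' \
    > "$tmp/strict.conf"
ldap_tls_audit "$tmp/relaxed.conf"
ldap_tls_audit "$tmp/strict.conf"
rm -rf "$tmp"
```

The check covers only the file it is given; the LDAPTLS_REQCERT environment variable and a per-user ldaprc can override it.
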
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
> Weichinger via samba
> Sent: Friday 30 December 2016 14:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] ADS domain member: winbind fails
>
> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> > Is this the smb.conf you got when you ran the classicupgrade ?
> > I don't think it is, can I suggest you remove any and all lines you
> > have added and restart samba
>
> that was the output of testparm
>
> smb.conf on DC:
>
>
> [global]
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> netbios name = BACKUP
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 10.0.0.254
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --
>
> root at backup:/etc/samba# cat /etc/resolv.conf
> search arbeitsgruppe.secret.tld
> nameserver 10.0.0.224
>
> root at backup:/etc/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> --
>
> editing the resolv.conf(s) helped in stabilizing RSAT editing
>
> winbindd on member still fails, I left and rejoined ...
>
> --
>
> although I see users and GPOs on the member, etc (via net ads)
>
> # net ads info
> LDAP server: 10.0.0.224
> LDAP server name: backup.arbeitsgruppe.secret.tld
> Realm: ARBEITSGRUPPE.SECRET.TLD
> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> LDAP port: 389
> Server time: Fr, 30 Dez 2016 14:24:25 CET
> KDC server: 10.0.0.224
> Server time offset: 0
>