[Samba] ADS domain member: winbind fails

L.P.H. van Belle belle at bazuin.nl
Fri Dec 30 13:49:47 UTC 2016


I think we are mixing 2 things now. 

You corrected the DC, that's good. 

And the Debian server is the member? 

Did you add in /etc/ldap/ldap.conf

TLS_REQCERT allow

Now, this part I didn't test, but it should work, since lots of users are missing the correct TLS settings/certificates. 

This is a DEBIAN (or Ubuntu) setup. 

apt-get install ca-certificates

echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf

Locate your SAMBA CA root. 

ln -s path_to_samba_TLS-CA-ROOT /usr/local/share/ca-certificates/samba-ca.crt

update-ca-certificates

Done, that's it. 

Do that on the Debian server, reboot it and after the reboot type wbinfo -u

And post /etc/hosts, /etc/resolv.conf and /etc/samba/smb.conf of that server.

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
> Weichinger via samba
> Sent: Friday, 30 December 2016 14:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] ADS domain member: winbind fails

> 

> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:

> > Is this the smb.conf you got when you ran the classicupgrade ?

> > I don't think it is, can I suggest you remove any and all lines you

> > have added and restart samba

> 

> that was the output of testparm

> 

> smb.conf on DC:

> 

> 

> [global]

>     workgroup = ARBEITSGRUPPE

>     realm = arbeitsgruppe.secret.tld

>     netbios name = BACKUP

>     server role = active directory domain controller

>     idmap_ldb:use rfc2307 = yes

>      dns forwarder = 10.0.0.254

> 

> [netlogon]

>     path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts

>     read only = No

> 

> [sysvol]

>     path = /var/lib/samba/sysvol

>     read only = No

> 

> --

> 

> root at backup:/etc/samba# cat /etc/resolv.conf

> search arbeitsgruppe.secret.tld

> nameserver 10.0.0.224

> 

> root at backup:/etc/samba# cat /etc/krb5.conf

> [libdefaults]

>     default_realm = ARBEITSGRUPPE.SECRET.TLD

>     dns_lookup_realm = false

>     dns_lookup_kdc = true

> 

> --

> 

> editing the resolv.conf(s) helped in stabilizing RSAT editing

> 

> winbindd on member still fails, I left and rejoined ...

> 

> --

> 

> although I see users and GPOs on the member, etc (via net ads)

> 

> # net ads info

> LDAP server: 10.0.0.224

> LDAP server name: backup.arbeitsgruppe.secret.tld

> Realm: ARBEITSGRUPPE.SECRET.TLD

> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD

> LDAP port: 389

> Server time: Fr, 30 Dez 2016 14:24:25 CET

> KDC server: 10.0.0.224

> Server time offset: 0

> 

> 

> 

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba
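The member-side procedure Louis sketches above (set TLS_REQCERT, stage the DC's CA certificate for update-ca-certificates, then test winbind), written out as a script with the checks a practitioner would want. This is an added example, not code from the mail or from the Samba project. Two points the one-liners gloss over: `echo ... > /etc/ldap/ldap.conf` overwrites the file and drops any BASE/URI lines already there, so the function below edits the file in place instead; and `TLS_REQCERT allow` makes libldap accept a missing or invalid server certificate, which is fine for getting winbind to talk to the DC but should be tightened back to `demand` once the CA is in the trust store. The CA path in SAMBA_CA is an assumption (a Samba AD DC generates its own CA under /var/lib/samba/private/tls/ by default), as is the LDAPS port 636 used by the verification step.

```shell
#!/bin/sh
# Added example, not part of the mail above. Assumes a Debian/Ubuntu domain
# member. SAMBA_CA is an assumption: adjust it to wherever the DC's CA lives.
set -eu

LDAP_CONF=${LDAP_CONF:-/etc/ldap/ldap.conf}
CA_DIR=${CA_DIR:-/usr/local/share/ca-certificates}
SAMBA_CA=${SAMBA_CA:-/var/lib/samba/private/tls/ca.pem}   # assumption

# Set TLS_REQCERT in an ldap.conf without clobbering BASE/URI etc.:
# replace an existing line or append one. Redirecting echo with ">" would
# wipe every other setting in the file.
set_tls_reqcert() {
    conf=$1
    mode=$2
    case $mode in
        never|allow|try|demand|hard) ;;
        *) echo "bad TLS_REQCERT mode: $mode" >&2; return 1 ;;
    esac
    if [ -f "$conf" ] && grep -q '^[[:space:]]*TLS_REQCERT' "$conf"; then
        tmp=$(mktemp)
        sed "s/^[[:space:]]*TLS_REQCERT.*/TLS_REQCERT $mode/" "$conf" > "$tmp"
        cat "$tmp" > "$conf"      # keep the original file's mode/owner
        rm -f "$tmp"
    else
        printf 'TLS_REQCERT %s\n' "$mode" >> "$conf"
    fi
}

# Read back the effective value (the last TLS_REQCERT line wins in libldap).
get_tls_reqcert() {
    sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]*//p' "$1" | tail -n 1
}

# Stage the CA for update-ca-certificates, which only picks up *.crt files
# in this directory. A copy is preferred over a symlink into
# /var/lib/samba/private, which is root-only and may not survive a re-provision.
install_ca() {
    src=$1
    dir=${2:-$CA_DIR}
    mkdir -p "$dir"
    install -m 0644 "$src" "$dir/samba-ca.crt"
    [ -f "$dir/samba-ca.crt" ]
}

# Verify the DC's LDAPS certificate against the system trust store. When this
# passes, "allow" is no longer needed and TLS_REQCERT can go back to "demand".
check_dc_tls() {
    dc=$1
    openssl s_client -connect "$dc:636" \
        -CAfile /etc/ssl/certs/ca-certificates.crt \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# The whole procedure, run only as: sh member-tls.sh apply dc.example.tld
if [ "${1:-}" = apply ]; then
    set_tls_reqcert "$LDAP_CONF" allow
    install_ca "$SAMBA_CA"
    update-ca-certificates
    if check_dc_tls "$2"; then
        set_tls_reqcert "$LDAP_CONF" demand   # trust is in place; require it
    fi
    systemctl restart winbind
    wbinfo -u
fi
```

Run it as root on the member with the DC's hostname; the functions are safe to source and test on their own, since nothing touches /etc or the trust store unless `apply` is given.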


