[Samba] Samba 4.1.17-Debian as ADS member
rpenny at samba.org
Wed Feb 24 12:32:09 UTC 2016
On 24/02/16 11:49, Stefan G. Weichinger wrote:
> I lose track here and I have to fix this as users get angry (we all know
> that ...)
> debian 8.3, samba 4.1.17
> (substituted customer name by "CUST" below ...)
> workgroup = CUST
> realm = MABC.CUST
> security = ADS
> map untrusted to domain = Yes
> load printers = No
> printcap name = /dev/null
> disable spoolss = Yes
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> idmap config CUST:range = 10000-99999
> idmap config CUST:backend = ad
> idmap config *:range = 2000-9999
> idmap config * : backend = tdb
I would add a few extra lines:
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = Yes
idmap config CUST:schema_mode = rfc2307
The first three should ensure the tickets never expire and the last one
defines the schema that idmap will use.
> # /etc/nsswitch.conf
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> I have correct time.
> I have a valid join:
> # net ads testjoin
> Join is OK
> # wbinfo -t
> checking the trust secret for domain CUST via RPC calls succeeded
> I get users and groups via "wbinfo -[ug]".
> 1) smbstatus displays "-1" for Username and Group *sometimes* ... why?
> 2) right now I don't get ADS-users/groups via getent.
Is PAM setup correctly ?
Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed ?
> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
This looks like something set up incorrectly in PAM.
> please help me to get that correct at last ... thanks
More information about the samba