[Samba] Samba 4.1.17-Debian as ADS member

Rowland Penny rpenny at samba.org
Wed Feb 24 12:32:09 UTC 2016


On 24/02/16 11:49, Stefan G. Weichinger wrote:
> I lose track here and I have to fix this as users get angry (we all know
> that ...)
>
> debian 8.3, samba 4.1.17
>
> (substituted customer name by "CUST" below ...)
>
> [global]
> 	workgroup = CUST
> 	realm = MABC.CUST
> 	security = ADS
> 	map untrusted to domain = Yes
> 	load printers = No
> 	printcap name = /dev/null
> 	disable spoolss = Yes
> 	template shell = /bin/bash
> 	winbind enum users = Yes
> 	winbind enum groups = Yes
> 	winbind use default domain = Yes
> 	idmap config CUST:range = 10000-99999
> 	idmap config CUST:backend = ad
> 	idmap config *:range = 2000-9999
> 	idmap config * : backend = tdb
>
> correct?

I would add a few extra lines:

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = Yes
    idmap config CUST:schema_mode = rfc2307

The first three should ensure the tickets never expire and the last one 
defines the schema that idmap will use.

>
>
> # /etc/nsswitch.conf
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> ----
>
> I have correct time.
>
> I have a valid join:
>
> # net ads testjoin
> Join is OK
>
> # wbinfo -t
> checking the trust secret for domain CUST via RPC calls succeeded
>
> I get users and groups via "wbinfo -[ug]".
>
> 1) smbstatus displays "-1" for Username and Group *sometimes* ... why?
>
> 2) right now I don't get ADS-users/groups via getent.

Is PAM set up correctly?
Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?

>
> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
> ADS-user/group-names.

This looks like something set up incorrectly in PAM.

Rowland

> -
>
> please help me to get that correct at last ... thanks
>
>
>
>
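As an added worked example for this thread (not code from the Samba project or from either poster), the Python script below lints the quoted smb.conf [global] section and nsswitch.conf for the points raised above: a backend for the default "*" idmap domain, non-overlapping idmap ranges, an explicit schema_mode for the ad backend, the three keytab/Kerberos lines Rowland suggests, and winbind on the passwd and group lines of nsswitch.conf. The configs embedded in it are constructed copies of what was posted, trimmed to the lines the checks read; the range-overlap check is a general idmap requirement rather than something the thread discusses explicitly.

```python
# Added example for this thread (not Samba project code): lint an AD-member
# smb.conf and nsswitch.conf for the problems the reply asks about.
import re

# Constructed: the poster's [global] section, trimmed to the lines the checks
# read.  The oddly spaced '* : backend' key is kept exactly as posted.
SMB_CONF_POSTED = """\
[global]
\tworkgroup = CUST
\trealm = MABC.CUST
\tsecurity = ADS
\twinbind use default domain = Yes
\tidmap config CUST:range = 10000-99999
\tidmap config CUST:backend = ad
\tidmap config *:range = 2000-9999
\tidmap config * : backend = tdb
"""
# Constructed: the same section plus the four lines the reply suggests.
SMB_CONF_FIXED = SMB_CONF_POSTED + """\
\tdedicated keytab file = /etc/krb5.keytab
\tkerberos method = secrets and keytab
\twinbind refresh tickets = Yes
\tidmap config CUST:schema_mode = rfc2307
"""
# Constructed: the poster's nsswitch.conf.
NSSWITCH_POSTED = "passwd: compat winbind\ngroup: compat winbind\nshadow: compat\n"

# The parameters the reply recommends, lower-cased as the parser stores them.
RECOMMENDED = {
    "dedicated keytab file": "/etc/krb5.keytab",
    "kerberos method": "secrets and keytab",
    "winbind refresh tickets": "yes",
}

def normalize_key(key):
    """Lower-case, collapse blanks and strip spaces around ':' so that
    'idmap config * : backend' and 'idmap config *:backend' compare equal."""
    return re.sub(r"\s*:\s*", ":", re.sub(r"\s+", " ", key.strip().lower()))

def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {normalized key: lower-case value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][normalize_key(key)] = value.strip().lower()
    return sections

def idmap_domains(global_section):
    """Group 'idmap config DOM:option' keys into {DOM: {option: value}}."""
    domains = {}
    for key, value in global_section.items():
        m = re.match(r"^idmap config (.+?):(\w+)$", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    return domains

def lint_smb_conf(text):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    g = parse_smb_conf(text).get("global", {})
    domains, ranges, findings = idmap_domains(g), {}, []
    if "backend" not in domains.get("*", {}):
        findings.append("ERROR: no 'idmap config *:backend' for the default domain")
    for dom, opts in domains.items():
        if "range" not in opts:
            findings.append(f"ERROR: idmap config {dom} has no range")
            continue
        ranges[dom] = tuple(int(x) for x in opts["range"].split("-", 1))
        if opts.get("backend") == "ad" and "schema_mode" not in opts:
            findings.append(f"WARN: idmap config {dom}:backend = ad without an "
                            "explicit schema_mode = rfc2307")
    # Overlapping ranges let two different SIDs resolve to one UID/GID, so a
    # file's permissions could apply to the wrong principal.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ERROR: idmap ranges of {a} and {b} overlap")
    for key, want in RECOMMENDED.items():
        if g.get(key) != want:
            findings.append(f"WARN: missing '{key} = {want}'")
    return findings

def lint_nsswitch(text):
    """getent only sees AD users/groups if passwd and group list winbind."""
    dbs = {}
    for raw in text.splitlines():
        db, sep, sources = raw.split("#", 1)[0].partition(":")
        if sep:
            dbs[db.strip()] = sources.split()
    return [f"ERROR: nsswitch.conf '{db}' line lacks winbind"
            for db in ("passwd", "group") if "winbind" not in dbs.get(db, [])]

if __name__ == "__main__":
    for name, conf in (("posted", SMB_CONF_POSTED), ("fixed", SMB_CONF_FIXED)):
        print(f"smb.conf ({name}):", lint_smb_conf(conf) or ["OK"])
    print("nsswitch.conf:", lint_nsswitch(NSSWITCH_POSTED) or ["OK"])
```

Run as-is it reports four warnings for the posted section (the missing schema_mode and the three lines from the reply) and nothing for the amended one; on a real member server, feed lint_smb_conf() the output of `testparm -s` so that parameter synonyms are already normalized. One caveat the checks cannot cover: with `idmap config CUST:backend = ad`, only users and groups that carry uidNumber/gidNumber attributes in AD get a mapping, so objects without them still show up as bare numeric IDs or as "-1", which is one possible cause of what the questions describe.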



