[Samba] Samba 4.1.17-Debian as ADS member

Rowland penny rpenny at samba.org
Wed Feb 24 13:16:14 UTC 2016


On 24/02/16 13:05, Stefan G. Weichinger wrote:
> On 2016-02-24 at 13:32, Rowland penny wrote:
>> I would add a few extra lines:
>>
>>     dedicated keytab file = /etc/krb5.keytab
>>     kerberos method = secrets and keytab
>>     winbind refresh tickets = Yes
>>     idmap config CUST:schema_mode = rfc2307
>>
>> The first three should ensure the tickets never expire and the last one
>> defines the schema that idmap will use.
> I had crashes as the /etc/krb5.keytab does not yet exist and the howto
> looked complicated. Will attack that one again, OK.

With those lines in smb.conf, the keytab will be created when the
machine is joined to the domain.

>
>> Is PAM set up correctly?
> I tried my best. The examples in the docs always look slightly different
> from the files in the various distros.
>
> ran pam-auth-update now (as recommended for Debian)
>
>> Do you have libpam-winbind, libpam-krb5 and libnss-winbind installed?
> 3x yes
>
>>> 3) in turn I only see UIDs and GIDs in the linux filesystem, no
>>> ADS-user/group-names.
>> This looks like something set up incorrectly in PAM.
> hmm
>
> --
>
> status on the production machine:
>
> I get users and groups via wbinfo AND via getent
>
> clients are connected and tell me things work so far
>
> In the shell I still see only numbers for owners of files
>
> # ls -l
>
> [..]
> -rwxrwxr--.  1  1026 1009  1037630 Jän 24  2013 20130102.txt
> [..]
>
> This is better than people not able to access their files ;)
> but still not satisfying
>
> as mentioned in my other reply I think of using "rid" later, ok?

As your other post proves, you didn't have any uidNumber & gidNumber
attributes in AD; the 'ad' backend *will not* work without these attributes.

Rowland
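
The check implied by the reply above, as an added example that is not part of the original message: it reads an LDIF export of the directory and lists the entries that lack the RFC 2307 attributes the 'ad' backend depends on. The function names, the sample DNs under `DC=cust,DC=example`, and the rule "users need uidNumber, groups need gidNumber, computer accounts are skipped" are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Reads LDIF on stdin (how it was exported is not shown here) and reports
# entries that the idmap 'ad' backend could not map to a Unix ID.
# Assumption: users need uidNumber, groups need gidNumber, and computer
# accounts (which also carry objectClass: user) are ignored.

missing_rfc2307() {
    awk '
    function report() {
        if (dn != "" && !is_computer) {
            if (is_user && !has_uid)  print dn ": missing uidNumber"
            if (is_group && !has_gid) print dn ": missing gidNumber"
        }
        dn = ""; is_user = 0; is_group = 0; is_computer = 0
        has_uid = 0; has_gid = 0
    }
    /^$/ { report(); next }                       # blank line ends an entry
    /^dn::? / { dn = $0; sub(/^dn::? /, "", dn); next }
    tolower($0) ~ /^objectclass: user$/     { is_user = 1 }
    tolower($0) ~ /^objectclass: group$/    { is_group = 1 }
    tolower($0) ~ /^objectclass: computer$/ { is_computer = 1 }
    tolower($0) ~ /^uidnumber: [0-9]+$/     { has_uid = 1 }
    tolower($0) ~ /^gidnumber: [0-9]+$/     { has_gid = 1 }
    END { report() }                              # last entry has no blank line
    '
}

# Constructed sample input: two users, two groups, one computer account.
sample_ldif() {
    cat <<'EOF'
dn: CN=alice,CN=Users,DC=cust,DC=example
objectClass: user
uidNumber: 10001

dn: CN=bob,CN=Users,DC=cust,DC=example
objectClass: user

dn: CN=Domain Users,CN=Users,DC=cust,DC=example
objectClass: group

dn: CN=staff,CN=Users,DC=cust,DC=example
objectClass: group
gidNumber: 10000

dn: CN=FILESRV,CN=Computers,DC=cust,DC=example
objectClass: user
objectClass: computer
EOF
}

sample_ldif | missing_rfc2307
```

An empty result means every user and group in the export carries the attribute the 'ad' backend looks for; any line printed names an entry that needs the attribute added in AD or a different idmap backend.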
