[Samba] Can't create/update Group Policy in Samba 4.6.5
Rowland Penny
rpenny at samba.org
Thu Jul 6 18:59:01 UTC 2017
On Thu, 6 Jul 2017 15:35:09 -0300
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:
> Hi Rowland
>
> I had not installed Winbind, but I installed it now. (winbind,
> libnss-winbind and libpam-winbind packages).
I cannot understand why you hadn't installed winbind, you need it.
>
> I configured /etc/nsswitch as below:
>
> passwd: compat winbind
> group: compat winbind
> shadow: compat
> gshadow: files
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
Where did 'gshadow' come from? I do not have it.
>
> My /etc/pam.d/common-session looks like this:
>
> session [default=1] pam_permit.so
> session requisite pam_deny.so
> session required pam_permit.so
> session required pam_unix.so
> session optional pam_winbind.so
>
>
Mine has kerberos in it, because I have libpam_krb5 installed.
> Below is my /usr/local/samba/etc/smb.conf of the DC
>
> [global]
> workgroup = EMPRESA
> realm = EMPRESA.COM.BR
> netbios name = EMPRESA
> server role = active directory domain controller
> dns forwarder = 192.168.0.88
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> template shell = /bin/bash
> template homedir = home/%U
>
Why is the netbios name of your DC the same as your netbios domain
name (workgroup)?
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> acl_xattr:ignore system acls = yes
> ##########################################
>
> wbinfo -u, wbinfo -g, wbinfo -a <user> commands are Ok,
wbinfo connects directly to winbind; getent doesn't, and you will need to
use 'getent passwd username' to get any output for domain users.
> but "getent
> passwd" only shows local users.
> wbinfo --ping-dc doesn't show the short domain name, please see the
> output:
>
> checking the NETLOGON dc connection to "" succeeded
This could be an artifact of your netbios name and netbios domain name
being the same.
>
> The id <user> command doesn't work either:
> id marcio
> id: marcio: no such user
It should.
>
>
> Do I need to set up the smb.conf of the Domain Controller with the parameters below?
>
> idmap config *:backend = tdb
> idmap config *:range = 1000-3000
> idmap config EMPRESA:backend = ad
> idmap config EMPRESA:schema_mode = rfc2307
> idmap config EMPRESA:range = 10000-9999999
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
>
>
No, definitely not, apart from the 'winbind enum' lines.
> What else could be wrong?
>
No idea, mainly because I am not sat where you are and I didn't set up
your Samba AD DC ;-)
Rowland
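The points Rowland raises above (netbios name equal to the workgroup, per-domain idmap config lines that do not belong on a DC, winbind missing from nsswitch.conf) are easy to lint for before asking the list. The script below is an added example, not code from this thread or from the Samba project; it checks a constructed smb.conf and nsswitch.conf that mirror the ones quoted above, and the function names `check_smb_conf` and `check_nsswitch` are hypothetical. Beyond Rowland's points it also flags the relative `template homedir` (`home/%U` instead of `/home/%U`) and `ldap server require strong auth = no`, which lets clients bind to the DC's LDAP without signing or TLS; both appear in the quoted config but were not raised in the reply.

```shell
#!/bin/sh
# Constructed sample smb.conf (mirrors the thread, not the poster's real file).
SAMPLE_SMB_CONF='[global]
workgroup = EMPRESA
realm = EMPRESA.COM.BR
netbios name = EMPRESA
server role = active directory domain controller
idmap config EMPRESA:backend = ad
ldap server require strong auth = no
template homedir = home/%U
'

# Constructed sample nsswitch.conf: passwd has winbind, group does not.
SAMPLE_NSSWITCH='passwd: compat winbind
group: compat
shadow: compat
hosts: files dns
'

# get_param FILE KEY: print the value of "key = value" (case-insensitive key).
get_param() {
    awk -v key="$2" -F'=' '
        (tolower($1) ~ ("^[[:space:]]*" tolower(key) "[[:space:]]*$")) {
            v = $2
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit
        }' "$1"
}

# check_smb_conf FILE: print one finding per line; exit status = number of findings.
check_smb_conf() {
    f="$1"; n=0
    wg=$(get_param "$f" "workgroup")
    nb=$(get_param "$f" "netbios name")
    role=$(get_param "$f" "server role")
    homedir=$(get_param "$f" "template homedir")
    strong=$(get_param "$f" "ldap server require strong auth")

    # A DC's netbios name must not collide with the NetBIOS domain name.
    if [ -n "$nb" ] && \
       [ "$(printf %s "$nb" | tr a-z A-Z)" = "$(printf %s "$wg" | tr a-z A-Z)" ]; then
        echo "netbios name equals workgroup ($nb)"; n=$((n+1))
    fi

    # Per-domain 'idmap config DOMAIN:...' lines are for member servers, not a DC
    # (the '*' default domain lines are ignored by this check).
    case "$role" in
      *"domain controller"*)
        if grep -Eqi '^[[:space:]]*idmap config [^*][^=]*:backend' "$f"; then
            echo "per-domain 'idmap config' lines present on a DC"; n=$((n+1))
        fi ;;
    esac

    # template homedir should be an absolute path.
    case "$homedir" in
      /*) ;;
      ?*) echo "template homedir is not absolute ($homedir)"; n=$((n+1)) ;;
    esac

    # Disabling strong auth allows unsigned, cleartext LDAP binds to the DC.
    case "$(printf %s "$strong" | tr A-Z a-z)" in
      no|false|0) echo "ldap server require strong auth = no weakens LDAP binds"; n=$((n+1)) ;;
    esac
    return "$n"
}

# check_nsswitch FILE: passwd and group must both list winbind for 'id' and
# 'getent passwd username' to resolve domain users.
check_nsswitch() {
    f="$1"; n=0
    for db in passwd group; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]winbind([[:space:]]|$)" "$f"; then
            echo "$db database does not list winbind in $f"; n=$((n+1))
        fi
    done
    return "$n"
}

# Stand-alone run against the constructed samples (replace with /usr/local/samba/etc/smb.conf
# and /etc/nsswitch.conf on a real DC).
if [ "${RUN_SAMPLE:-1}" = "1" ]; then
    smb_tmp=$(mktemp); nss_tmp=$(mktemp)
    printf '%s' "$SAMPLE_SMB_CONF" > "$smb_tmp"
    printf '%s' "$SAMPLE_NSSWITCH" > "$nss_tmp"
    check_smb_conf "$smb_tmp"; check_nsswitch "$nss_tmp"
    rm -f "$smb_tmp" "$nss_tmp"
fi
```

Run it as `sh lint-samba.sh`; each function's exit status is the number of findings, so `check_smb_conf /usr/local/samba/etc/smb.conf || echo "fix the above first"` works as a pre-flight step. On the constructed sample it reports four smb.conf findings and one nsswitch.conf finding (group lacks winbind).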