[Samba] Can't create/update Group Policy in Samba 4.6.5

Rowland Penny rpenny at samba.org
Thu Jul 6 18:59:01 UTC 2017


On Thu, 6 Jul 2017 15:35:09 -0300
Marcio Demetrio Bacci <marciobacci at gmail.com> wrote:

> Hi Rowland
> 

> I had not installed Winbind, but I have installed it now (the winbind,
> libnss-winbind and libpam-winbind packages).

I cannot understand why you hadn't installed winbind, you need it.

> 
> I configured /etc/nsswitch as below:
> 
> passwd:       compat winbind
> group:          compat winbind
> shadow:       compat
> gshadow:     files
> hosts:          files dns
> networks:    files
> protocols:   db files
> services:    db files
> ethers:       db files
> rpc:            db files
> netgroup:  nis

Where did 'gshadow' come from? I do not have it.

> 
> My /etc/pam.d/common-session looks like this:
> 
> session [default=1]             pam_permit.so
> session requisite                pam_deny.so
> session required                pam_permit.so
> session required                pam_unix.so
> session optional                pam_winbind.so
> 
> 

Mine has kerberos in it, because I have libpam_krb5 installed.

> Below is my /usr/local/samba/etc/smb.conf  of the DC
> 
> [global]
>  workgroup = EMPRESA
>  realm = EMPRESA.COM.BR
>  netbios name = EMPRESA
>  server role = active directory domain controller
>  dns forwarder = 192.168.0.88
>  idmap_ldb:use rfc2307 = yes
>  ldap server require strong auth = no
>  template shell = /bin/bash
>  template homedir = home/%U
> 

Why is the netbios name of your DC the same as your netbios domain
name (workgroup)?

> [netlogon]
>  path = /usr/local/samba/var/locks/sysvol/empresa.com.br/scripts
>  read only = No
> 
> [sysvol]
>  path = /usr/local/samba/var/locks/sysvol
>  read only = No
>  acl_xattr:ignore system acls = yes
> ##########################################
> 
> wbinfo -u, wbinfo -g, wbinfo -a <user> commands are Ok, 

wbinfo connects direct to winbind, getent doesn't and you will need to
use 'getent passwd username' to get any output for domain users.

> but "getent
> passwd" only shows local users.
> wbinfo --ping-dc doesn't show the short domain name, please see the
> output:
> 
> checking the NETLOGON dc connection to "" succeeded

This could be an artifact of your netbios name and netbios domain name
being the same.

> 
> id <user> command doesn't work either:
> id marcio
> id: marcio: no such user

It should.

> 
> 
> Do I need to set up the Domain Controller's smb.conf with the parameters below?
> 
>   idmap config *:backend = tdb
>   idmap config *:range = 1000-3000
>   idmap config EMPRESA:backend = ad
>   idmap config EMPRESA:schema_mode = rfc2307
>   idmap config EMPRESA:range = 10000-9999999
> 
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users = yes
>   winbind enum groups = yes
>   winbind refresh tickets = yes
> 
>

No, definitely not, apart from the 'winbind enum' lines.

> What else could be wrong?
> 

No idea, mainly because I am not sat where you are and I didn't set up
your Samba AD DC ;-)

Rowland
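A small lint for the points raised in this reply (the DC's netbios name equal to the workgroup, idmap config lines in a DC's smb.conf, and passwd/group not resolving through winbind in nsswitch.conf). This is an added example, not code from the thread or the Samba project, and it runs against constructed sample files that reproduce the quoted configuration:

```shell
# Added example (not from the thread or the Samba project): lint an smb.conf and
# an nsswitch.conf for the problems discussed above. Prints one WARN per finding.
smb_global() {   # print the value of key $2 from the [global] section of $1
    awk -v key="$2" '
        /^[ \t]*\[/ { ing = (tolower($0) ~ /\[global\]/); next }
        ing { l = $0; sub(/^[ \t]+/, "", l)
              if (tolower(substr(l, 1, length(key))) == key && l ~ /^[^=]*=/) {
                  sub(/^[^=]*=[ \t]*/, "", l); sub(/[ \t]+$/, "", l); print l; exit } }' "$1"
}
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
lint_smbconf() {
    wg=$(smb_global "$1" workgroup); nb=$(smb_global "$1" "netbios name")
    # a DC whose netbios name equals the netbios domain name (workgroup)
    if [ -n "$nb" ] && [ "$(lc "$wg")" = "$(lc "$nb")" ]; then
        echo "WARN: netbios name '$nb' equals workgroup '$wg'"
    fi
    # idmap config lines do not belong in the smb.conf of a Samba AD DC
    case "$(lc "$(smb_global "$1" 'server role')")" in
        *'domain controller'*)
            grep -iE '^[[:space:]]*idmap config' "$1" | while read -r l; do
                echo "WARN: idmap config line on a DC: $l"
            done ;;
    esac
}
lint_nsswitch() {   # passwd and group must resolve through winbind
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:" "$1" | grep -q winbind ||
            echo "WARN: nsswitch '$db' line does not include winbind"
    done
}
# Constructed sample files reproducing the configuration quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
 workgroup = EMPRESA
 realm = EMPRESA.COM.BR
 netbios name = EMPRESA
 server role = active directory domain controller
 idmap config EMPRESA:backend = ad
[sysvol]
 path = /usr/local/samba/var/locks/sysvol
EOF
cat > "$SAMPLE_DIR/nsswitch.conf" <<'EOF'
passwd:  compat winbind
group:   compat
EOF
lint_smbconf "$SAMPLE_DIR/smb.conf"
lint_nsswitch "$SAMPLE_DIR/nsswitch.conf"
```

Point the two functions at the real /usr/local/samba/etc/smb.conf and /etc/nsswitch.conf to check a live DC; an empty output means none of the three problems was found.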
