[Samba] [samba] Member server winbind issue
mathias dufresne
infractory at gmail.com
Sun Jul 23 09:10:35 UTC 2017
Hi all,
Thank you both for your replies. I did try both options (removing both
keytab related lines as proposed by Andrew then using both lines proposed
by Rowland) without success.
Kerberos client is working:
"kinit administrator" gives me a valid ticket as does "kinit -k -t
/etc/krb5.keytab smbsrv"
So now the smb.conf is the following:
[global]
realm = AD.INFRACTORY.ORG
workgroup = AD
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
security = ADS
winbind nss info = rfc2307
winbind use default domain = Yes
idmap config ad:unix_primary_group = yes
idmap config ad:range = 1500-99999999
idmap config ad:schema_mode = rfc2307
idmap config ad:backend = ad
idmap config * : range = 1200-1499
idmap config * : backend = tdb
log level = 6
logs in log.winbindd are the following:
smbsrv:/etc/samba# wbinfo -n testuser
S-1-5-21-3491498633-2139045408-86603964-2607 SID_USER (1)
[2017/07/23 11:00:43.951016, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 27
[2017/07/23 11:00:43.951351, 3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
[ 2464]: request interface version (version = 28)
[2017/07/23 11:00:43.951710, 3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
[ 2464]: request location of privileged pipe
[2017/07/23 11:00:43.952052, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 30
[2017/07/23 11:00:43.952300, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 27, client exited
[2017/07/23 11:00:43.952521, 3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
[ 2464]: request interface version (version = 28)
[2017/07/23 11:00:43.952780, 3]
../source3/winbindd/winbindd_misc.c:384(winbindd_info)
[ 2464]: request misc info
[2017/07/23 11:00:43.953101, 3]
../source3/winbindd/winbindd_misc.c:417(winbindd_netbios_name)
[ 2464]: request netbios name
[2017/07/23 11:00:43.953398, 3]
../source3/winbindd/winbindd_misc.c:406(winbindd_domain_name)
[ 2464]: request domain name
[2017/07/23 11:00:43.953734, 3]
../source3/winbindd/winbindd_misc.c:238(winbindd_domain_info)
[ 2464]: domain_info [AD]
[2017/07/23 11:00:43.954049, 3]
../source3/winbindd/winbindd_lookupname.c:69(winbindd_lookupname_send)
lookupname AD\testuser
[2017/07/23 11:00:43.959921, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 30, client exited
smbsrv:/etc/samba# wbinfo -S S-1-5-21-3491498633-2139045408-86603964-2607
10000001
[2017/07/23 11:01:39.600059, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 27
[2017/07/23 11:01:39.600408, 3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
[ 2469]: request interface version (version = 28)
[2017/07/23 11:01:39.600756, 3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
[ 2469]: request location of privileged pipe
[2017/07/23 11:01:39.601111, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 30
[2017/07/23 11:01:39.601301, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 27, client exited
[2017/07/23 11:01:39.601562, 3]
../source3/winbindd/winbindd_sids_to_xids.c:50(winbindd_sids_to_xids_send)
sids_to_xids
[2017/07/23 11:01:39.867902, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 30, client exited
smbsrv:/etc/samba# wbinfo -i testuser
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user testuser
[2017/07/23 11:02:06.047987, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 27
[2017/07/23 11:02:06.048103, 3]
../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
[ 2479]: request interface version (version = 28)
[2017/07/23 11:02:06.048369, 3]
../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
[ 2479]: request location of privileged pipe
[2017/07/23 11:02:06.048559, 6]
../source3/winbindd/winbindd.c:918(new_connection)
accepted socket 30
[2017/07/23 11:02:06.048607, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 27, client exited
[2017/07/23 11:02:06.048647, 3]
../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
getpwnam testuser
[2017/07/23 11:02:06.234602, 5]
../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
Could not convert sid S-1-5-21-3491498633-2139045408-86603964-2607:
NT_STATUS_NONE_MAPPED
[2017/07/23 11:02:06.235151, 6]
../source3/winbindd/winbindd.c:967(winbind_client_request_read)
closing socket 30, client exited
This system is Debian 9.0, PAM configuration was auto-generated during
installation of libpam-winbind and libnss-winbind.
Related packages are:
# dpkg -l | egrep 'samba|winbind'
ii libnss-winbind:amd64 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba winbind client library
ii python-samba 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Python bindings for Samba
ii samba 2:4.5.8+dfsg-2+deb9u1+b1
amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.5.8+dfsg-2+deb9u1
all common files used by both the Samba server and client
ii samba-common-bin 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba core libraries
ii samba-vfs-modules 2:4.5.8+dfsg-2+deb9u1+b1
amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.5.8+dfsg-2+deb9u1+b1
amd64 service to resolve user and group information from Windows NT
servers
As I've still no idea about what I did wrong, I'm installing Samba on some
Gentoo to reproduce that configuration and see how it behaves. I expect the
behavior would be the same.
2017-07-23 9:56 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Sun, 23 Jul 2017 14:14:20 +1200
> Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> > It may or may not be your issue, but let's start by getting your
> > configuration 'typical':
> >
> > On Sun, 2017-07-23 at 01:33 +0200, mathias dufresne via samba wrote:
> > > security = ADS
> >
> > This (security=ads) is a contradiction with:
> >
> > > kerberos method = dedicated keytab
> > > dedicated keytab file = /etc/krb5.keytab
> >
> > Just remove these two lines, and let Samba handle the keytab and
> > domain membership. You do need to join the domain.
> >
> > Andrew Bartlett
> >
>
> You only need the 'dedicated keytab' line if you also need something
> else to be able to read the keytab (dovecot etc)
>
> If you are going to use a dedicated keytab, I would use 'kerberos
> method = secrets and keytab'
>
> With this in smb.conf:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> 'wbinfo -i username' works.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
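
An added example, not part of the original message or of Samba's own code: a small Python check of the "idmap config" lines from the smb.conf posted above. It verifies that the "*" and "AD" ranges do not overlap and reports which domain's range contains the ID 10000001 that "wbinfo -S" returned; the function names are hypothetical and the sample text is constructed from the posted configuration.

```python
import re

# Constructed sample: the idmap-related lines from the smb.conf posted above.
SMB_CONF = """\
[global]
winbind nss info = rfc2307
idmap config ad:unix_primary_group = yes
idmap config ad:range = 1500-99999999
idmap config ad:schema_mode = rfc2307
idmap config ad:backend = ad
idmap config * : range = 1200-1499
idmap config * : backend = tdb
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            # Assumption of this example: domain names are compared case-insensitively.
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def ranges(domains):
    """Return sorted [(low, high, domain)]; raise if a domain lacks a valid range."""
    out = []
    for dom, opts in domains.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", opts.get("range", ""))
        if not m or int(m.group(1)) > int(m.group(2)):
            raise ValueError(f"idmap config {dom}: missing or invalid range")
        out.append((int(m.group(1)), int(m.group(2)), dom))
    return sorted(out)

def overlaps(rs):
    """Return pairs of domains whose ID ranges intersect (rs is sorted by low)."""
    return [(a[2], b[2]) for i, a in enumerate(rs) for b in rs[i + 1:] if b[0] <= a[1]]

def owner(rs, xid):
    """Return the domain whose range contains xid, or None."""
    return next((dom for low, high, dom in rs if low <= xid <= high), None)

if __name__ == "__main__":
    rs = ranges(parse_idmap(SMB_CONF))
    print("overlaps:", overlaps(rs))
    print("10000001 ->", owner(rs, 10000001))
```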