[Samba] [samba] Member server winbind issue

mathias dufresne infractory at gmail.com
Sun Jul 23 09:59:34 UTC 2017

2017-07-23 11:23 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2017-07-23 at 11:10 +0200, mathias dufresne via samba wrote:
> > Hi all,
> >
> > Thank you both for your replies. I did tried both options (removing both
> > keytab related lines as proposed by Andrew then using both lines proposed
> > by Rowland) without success.
> Just because it didn't work doesn't mean just put it back.
> I'm not going to help you any more until you can confirm you have an
> smb.conf like:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_
> Domain_Member#Setting_up_a_Basic_smb.conf_File
> and joined the domain with:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_
> Domain_Member#Joining_the_Domain
> Please follow that HOWTO, try not to be fancy, special or different
> until you have it working.

That's the whole point, I don't see what I'm doing wrong (except
re-inserting keytab lines).

The whole smb.conf is the following:
        security = ADS
        workgroup = AD
        realm = AD.DOMAIN.TLD

        log file = /var/log/samba/%m.log
        log level = 1

        # Default ID mapping configuration for local BUILTIN accounts
        # and groups on a domain member. The default (*) domain:
        # - must not overlap with any domain ID mapping configuration!
        # - must use a read-write-enabled back end, such as tdb.
        # - Adding just this is not enough
        # - You must set a DOMAIN backend configuration, see below
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999

        winbind nss info = rfc2307

        # idmap config for the AD domain
        idmap config AD:backend = ad
        idmap config AD:schema_mode = rfc2307
        idmap config AD:range = 8000-99999999

It was obtained with copy paste from first given link, modifying ranges and
domain names. I didn't added user mapping as it is mentioned to be optional.

The join is the following, using kerberos as authentication method (which
works well and, I hope, should not be considered as too much fancy), after
I left the domain:

smbsrv:/etc/samba# net ads leave -k
Deleted account for 'SMBSRV' in realm 'AD.DOMAIN.TLD'
smbsrv:/etc/samba# net ads join -k
Using short domain name -- AD
Joined 'SMBSRV' to dns domain 'ad.domain.tld'

And here the behavior is the same: wbinfo -n and -S are working, -i is not

I've got no more logs generated in log.winbindd which is normal as I
removed log level.

And I still don't understand what I do wrong :/

> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba

More information about the samba mailing list