[Samba] [samba] Member server winbind issue
mathias dufresne
infractory at gmail.com
Sun Jul 23 09:59:34 UTC 2017
2017-07-23 11:23 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2017-07-23 at 11:10 +0200, mathias dufresne via samba wrote:
> > Hi all,
> >
> > Thank you both for your replies. I did try both options (removing both
> > keytab related lines as proposed by Andrew then using both lines proposed
> > by Rowland) without success.
>
> Just because it didn't work doesn't mean just put it back.
>
> I'm not going to help you any more until you can confirm you have an
> smb.conf like:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Setting_up_a_Basic_smb.conf_File
>
> and joined the domain with:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member#Joining_the_Domain
>
> Please follow that HOWTO, try not to be fancy, special or different
> until you have it working.
>
That's the whole point, I don't see what I'm doing wrong (except
re-inserting keytab lines).
The whole smb.conf is the following:
--------------------------------------------------
[global]
security = ADS
workgroup = AD
realm = AD.DOMAIN.TLD
log file = /var/log/samba/%m.log
log level = 1
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
# - Adding just this is not enough
# - You must set a DOMAIN backend configuration, see below
idmap config * : backend = tdb
idmap config * : range = 3000-7999
winbind nss info = rfc2307
# idmap config for the AD domain
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 8000-99999999
--------------------------------------------------
It was obtained by copy-paste from the first given link, modifying ranges and
domain names. I didn't add user mapping as it is mentioned to be optional.
The join is the following, using Kerberos as the authentication method (which
works well and, I hope, should not be considered too fancy), after
I left the domain:
smbsrv:/etc/samba# net ads leave -k
Deleted account for 'SMBSRV' in realm 'AD.DOMAIN.TLD'
smbsrv:/etc/samba# net ads join -k
Using short domain name -- AD
Joined 'SMBSRV' to dns domain 'ad.domain.tld'
And here the behavior is the same: wbinfo -n and -S are working, -i is not
working.
I've got no more logs generated in log.winbindd which is normal as I
removed log level.
And I still don't understand what I'm doing wrong :/
>
> Thanks,
>
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>