[Samba] Failed to find domain 'NT AUTHORITY'

[Giuseppe Arvati]

Il 06/11/2017 17:50, Rowland Penny via samba ha scritto:
>>> Yes, do not use the DC as a fileserver;-)
>>> If you must, don't run a backup system that relies on IDs
>>>
>>> A DC has no concept of 'NT AUTHORITY':
>>>
>>> root at dc1:~# wbinfo --sid-to-name S-1-5-18
>>> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not lookup sid S-1-5-18
>>> root at dc1:~# wbinfo --name-to-sid='NT Authority\SYSTEM'
>>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>>> Could not lookup name NT Authority\SYSTEM
>>>
>> my DC works different
>>
>> [root at apamfs2 ~]# wbinfo --sid-to-name S-1-5-18
>> NT AUTHORITY\SYSTEM 5
>> [root at apamfs2 ~]# wbinfo --name-to-sid='NT Authority\SYSTEM'
>> failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not lookup name NT Authority\SYSTEM
>> [root at apamfs2 ~]#
>>
>> ???
>>
> Do you have libnss_winbind & PAM set up correctly ?
Hello,
I review the samba wiki about libnss_winbind & PAM
and libnss_winbind looks ok
[root at apamfs2 ~]# ll /usr/local/samba/lib/*winbind*
lrwxrwxrwx. 1 root root    19 Apr 16  2014 
/usr/local/samba/lib/libnss_winbind.so -> libnss_winbind.so.2
-rwxr-xr-x  1 root root 18288 Oct 29 19:35 
/usr/local/samba/lib/libnss_winbind.so.2
-rwxr-xr-x  1 root root 12717 Oct 29 19:35 
/usr/local/samba/lib/winbind_krb5_locator.so
[root at apamfs2 ~]# ll /lib64/*winb*
lrwxrwxrwx 1 root root 26 Feb 23  2017 /lib64/libnss_winbind.so -> 
/lib64/libnss_winbind.so.2
lrwxrwxrwx 1 root root 40 Feb 23  2017 /lib64/libnss_winbind.so.2 -> 
/usr/local/samba/lib/libnss_winbind.so.2

but /etc/pam.d/password-auth-ac isn't
compliant to 
https://wiki.samba.org/index.php/Authenticating_Domain_Users_Using_PAM

I understand that's time to upgrade my system
and split AD from fileserver. In another post
Rowland suggest me to upgrade bind. So the time
is come.

I'll return to ask for a better way to
split my AD&FS in AD+FS.

thank you all
giuseppe