[Samba] Winbind Craziness

Rowland Penny rpenny at samba.org
Wed Aug 1 16:46:17 UTC 2018


On Wed, 1 Aug 2018 15:59:33 +0000 (UTC)
ray klassen <julius_ahenobarbus at yahoo.co.uk> wrote:

> Thanks in advance. Here's the total firehose drink. I've obscured
> host, domain, subnet. Hope that will still work for you. Don't want
> all the info publicized.
> 

> -----------
> Checking file: /etc/resolv.conf 
> search obscured.domain.com
> nameserver 10.10.1.14
> nameserver 10.10.1.22

Provided the nameservers are both AD DCs, or the first one is a DC,
then OK.


> -----------
> Checking file: /etc/nsswitch.conf 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:         files winbind
> group:          files winbind
> shadow:         files winbind

Remove 'winbind' from the shadow line.

> -----------
> Checking file: /etc/samba/smb.conf 

I have removed all the default settings and anything that shouldn't be
there and this is the result:

[global]
   workgroup = DOMAIN
   realm = OBSCURED.DOMAIN.COM
   security = ADS

   kerberos method = secrets and keytab
   dedicated keytab file = /etc/krb5.keytab

   winbind nss info = rfc2307
   winbind refresh tickets = yes
   winbind max domain connections = 20

   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:schema_mode = rfc2307
   idmap config DOMAIN:range = 500-40000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000

   domain master = no
   local master = no

   printing = cups
   printcap = cups

   utmp = yes
   cups options = raw
   log file = /var/log/samba/log.%I
   max log size = 100000
   check password script = /usr/local/sbin/complexity.perl

   syslog = 0
   dos charset = 850
   unix charset = ISO8859-1
   username map = /etc/samba/smbusers
   interfaces =  eth0 lo
   passwd chat timeout = 30
   spoolss: architecture = Windows x64

   include = /etc/samba/smb.conf.client-%I
   include = /etc/samba/smb.conf.%I
   include = /etc/samba/shares.inc

Is the 'check password script' correct for AD?

What is in the 'include' files?

> 
> 
> -----------
> Content of /etc/samba/smbusers
> root = administrator

Should be '!root DOMAIN\administrator administrator'



