[Samba] WinbinD no longer available in Samba 4.7.6
Rowland Penny
rpenny at samba.org
Tue Dec 4 09:28:30 UTC 2018
On Tue, 4 Dec 2018 09:59:14 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Konstantin Boyandin via samba
> > Sent: Tuesday 4 December 2018 6:35
> > To: samba at lists.samba.org
> > Subject: [Samba] WinbinD no longer available in Samba 4.7.6
> >
> > Hello,
> >
> > Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
> >
> > After recent update, winbind failed to update, until I disabled it (it
> > didn't start anyway). When run as
> >
> > # winbindd -d 9 -i
> >
> > it prints in the end:
> >
> > server role = 'active directory domain controller' not compatible with
> > running the winbindd binary.
> > You should start 'samba' instead, and it will control starting the
> > internal AD DC winbindd implementation, which is not the same as this one
> >
> > smbd currently is listening on 139 and 445 ports - thus, I assume,
> > it serves winbind itself. However, it isn't available any more for PAM.
> > How shall I use Samba internal winbind implementation? When I initially
> > installed and set up ADs, wbinfo worked fine. Currently, it says:
> >
> > # wbinfo -P
> > could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
> > could not obtain winbind domain name!
> > checking the NETLOGON for domain[] dc connection to "" failed
> > failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> >
> > How do I make winbind available (that means available for PAM, as well)?
> I suggest reading:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> Short version: samba-ad-dc is starting winbind, so don't start it
> manually. For PAM support install: libnss-winbind libpam-winbind
> Configure nss_switch.conf and run pam-auth-update
>
> And set these to no when you're done testing.
> > winbind enum users = yes
> > winbind enum groups = yes
> See your users: id username or getent passwd username.
>
> >
> > Note: libpam_winbind is installed.
> >
> > Current smb.conf:
> >
> > [global]
> > bind interfaces only = Yes
> > interfaces = lo ens3
> > netbios name = DC
> > realm = EXAMPLE.COM
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nss info = rfc2307
> > template shell = /bin/bash
> > template homedir = /home/%u
> > workgroup = EXAMPLE
> > server string = EXAMPLE.COM domain controller
> > dns proxy = no
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 0
> > tls enabled = yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > tls verify peer = no_check
> > acl:search = no
> > panic action = /usr/share/samba/panic-action %d
> > passdb backend = tdbsam
> > obey pam restrictions = yes
> > unix password sync = yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
> > pam password change = yes
> > map to guest = bad user
> > usershare allow guests = yes
> >
> > [netlogon]
> > comment = Network Logon Service
> > path = /var/lib/samba/sysvol/example.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [profiles]
> > comment = Users profiles
> > path = /srv/samba/profiles/
> > browseable = No
> > read only = No
> > force create mode = 0600
> > force directory mode = 0700
> > csc policy = disable
> > store dos attributes = yes
> > vfs objects = acl_xattr
> >
> > --
> > Sincerely,
> >
> > Konstantin
> >
>
>
> Greetz,
>
> Louis
>
>
Go and read 'man smb.conf', then remove most of the lines you have
added to the [global] section of your smb.conf.
Go and read this:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
Which I think you may already have done, but if you have done,
read it again, but this time ignore the POSIX ACLs section, you can
only use those on a Unix domain member, you must use Windows ACLs on a
DC.
Rowland
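
The checks implied by the short version quoted above, as an added shell example that is not from either poster or from the Samba project: it reads copies of smb.conf and the NSS switch file (normally /etc/samba/smb.conf and /etc/nsswitch.conf on Ubuntu) and reports an AD DC role, enumeration settings left on, and passwd/group lines without winbind. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: offline checks for the setup steps discussed in this thread.
# Function names are hypothetical; the sample files at the bottom are constructed.

# Print the value of a [global] parameter from an smb.conf-style file.
smbconf_global() {  # $1 = file, $2 = parameter name (lower case)
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next }
        sec == "global" {
            i = index($0, "="); if (i == 0) next
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }' "$1"
}

# Succeed if the nsswitch database line (passwd, group) lists winbind as a source.
nss_has_winbind() {  # $1 = nsswitch file, $2 = database
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit !ok }' "$1"
}

# Print findings; the return status is the number of WARN/FAIL findings.
audit_dc_winbind() {  # $1 = smb.conf, $2 = nsswitch.conf
    n=0
    role=$(smbconf_global "$1" "server role")
    if [ "$role" = "active directory domain controller" ]; then
        echo "INFO: AD DC role, samba starts winbind itself; do not run winbindd by hand"
    fi
    for p in "winbind enum users" "winbind enum groups"; do
        v=$(smbconf_global "$1" "$p" | tr 'A-Z' 'a-z')
        case "$v" in
            yes|true|1) echo "WARN: '$p = $v' is still on; turn it off after testing"; n=$((n + 1)) ;;
        esac
    done
    for db in passwd group; do
        nss_has_winbind "$2" "$db" || { echo "FAIL: '$db' line lacks winbind"; n=$((n + 1)); }
    done
    return "$n"
}

# Constructed sample files, not taken from a real host.
tmp=$(mktemp -d)
printf '%s\n' '[global]' ' server role = active directory domain controller' \
    ' winbind enum users = yes' ' winbind enum groups = Yes' \
    '[profiles]' ' winbind enum users = no' > "$tmp/smb.conf"
printf '%s\n' 'passwd: files systemd winbind' 'group: files systemd' > "$tmp/nsswitch.conf"
audit_dc_winbind "$tmp/smb.conf" "$tmp/nsswitch.conf" || echo "findings: $?"
```

On the constructed input this reports two enumeration warnings and one missing winbind source on the group line; on a live DC, `getent passwd username` remains the end-to-end check.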