[Samba] WinbinD no longer available in Samba 4.7.6

Rowland Penny rpenny at samba.org
Tue Dec 4 09:28:30 UTC 2018 

On Tue, 4 Dec 2018 09:59:14 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> > Konstantin Boyandin via samba
> > Verzonden: dinsdag 4 december 2018 6:35
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] WinbinD no longer available in Samba 4.7.6
> > 
> > Hello,
> > 
> > Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
> > 
> > After recent update, winbind failed to update, until I 
> > disabled it (it 
> > didn't start anyway). When run as
> > 
> > # winbindd -d 9 -i
> > 
> > it prints in the end:
> > 
> > server role = 'active directory domain controller' not 
> > compatible with 
> > running the winbindd binary.
> > You should start 'samba' instead, and it will control starting the 
> > internal AD DC winbindd implementation, which is not the same as
> > this one
> > 
> > smbd currently is listening on 139 and 445 ports - thus, I assume,
> > it serves winbind itself. However, it isn't available any more 
> > for PAM. How 
> > shall I use Samba internal winbind implementation? When I initially 
> > installed and set up ADs, wbinfo worked fine. Currently, it says:
> > 
> > # wbinfo -P
> > could not obtain winbind interface details: 
> > WBC_ERR_WINBIND_NOT_AVAILABLE
> > could not obtain winbind domain name!
> > checking the NETLOGON for domain[] dc connection to "" failed
> > failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> > 
> > How do I make winbind available (that means available for 
> > PAM,a s well)?
> I suggest reading : 
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC 
> Short version:  samba-ad-dc is starting winbind, so dont start it
> manualy. For pam support install : libnss-winbind libpam-winbind 
> Configure nss_switch.conf and run pam-auth-update 
> 
> And set these to to no, when your done testing. 
> >          winbind enum users = yes
> >          winbind enum groups = yes 
> See your users: id username or getent passwd username. 
> 
> > 
> > Note: libpam_winbind is installed.
> > 
> > Current smb.conf:
> > 
> > [global]
> >          bind interfaces only = Yes
> >          interfaces = lo ens3
> >          netbios name = DC
> >          realm = EXAMPLE.COM
> >          server role = active directory domain controller
> >          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> > drepl, winbindd, ntp_signd, kcc, dnsupdate
> >          idmap_ldb:use rfc2307 = yes
> >          winbind enum users = yes
> >          winbind enum groups = yes
> >          winbind nss info = rfc2307
> >          template shell    = /bin/bash
> >          template homedir  = /home/%u
> >          workgroup = EXAMPLE
> >          server string = EXAMPLE.COM domain controller
> >          dns proxy = no
> >          log file = /var/log/samba/log.%m
> >          max log size = 1000
> >          log level = 0
> >          tls enabled  = yes
> >          tls keyfile  = tls/key.pem
> >          tls certfile = tls/cert.pem
> >          tls cafile   = tls/ca.pem
> >          tls verify peer = no_check
> >          acl:search = no
> >          panic action = /usr/share/samba/panic-action %d
> >          passdb backend = tdbsam
> >          obey pam restrictions = yes
> >          unix password sync = yes
> >          passwd program = /usr/bin/passwd %u
> >          passwd chat = *Enter\snew\s*\spassword:* %n\n 
> > *Retype\snew\s*\spassword:
> >          pam password change = yes
> >          map to guest = bad user
> >          usershare allow guests = yes
> > 
> > [netlogon]
> >          comment = Network Logon Service
> >          path = /var/lib/samba/sysvol/example.com/scripts
> >          read only = No
> > 
> > [sysvol]
> >          path = /var/lib/samba/sysvol
> >          read only = No
> > 
> > [profiles]
> >          comment = Users profiles
> >          path = /srv/samba/profiles/
> >          browseable = No
> >          read only = No
> >          force create mode = 0600
> >          force directory mode = 0700
> >          csc policy = disable
> >          store dos attributes = yes
> >          vfs objects = acl_xattr
> > 
> > --
> > Sincerely,
> > 
> > Konstantin
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> Greetz, 
> 
> Louis
> 
> 

Go and read 'man smb.conf', then remove most of the lines you have
added to the [global] section of your smb.conf.

Go and read this:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Which I think you may have already have done, but if you have done,
read it again, but this time ignore the POSIX ACLs section, you can
only use those on a Unix domain member, you must use Windows ACLs on a
DC.

Rowland

More information about the samba mailing list