[Samba] WinbinD no longer available in Samba 4.7.6
Konstantin Boyandin
lists at boyandin.info
Tue Dec 4 09:45:43 UTC 2018
L.P.H. van Belle via samba wrote on 2018-12-04 15:59:
> Hai,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Konstantin Boyandin via samba
>> Sent: Tuesday, 4 December 2018 6:35
>> To: samba at lists.samba.org
>> Subject: [Samba] WinbinD no longer available in Samba 4.7.6
>>
>> Hello,
>>
>> Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
>>
>> After recent update, winbind failed to update, until I disabled it (it
>> didn't start anyway). When run as
>>
>> # winbindd -d 9 -i
>>
>> it prints in the end:
>>
>> server role = 'active directory domain controller' not
>> compatible with
>> running the winbindd binary.
>> You should start 'samba' instead, and it will control starting the
>> internal AD DC winbindd implementation, which is not the same as this
>> one
>>
>> smbd currently is listening on 139 and 445 ports - thus, I assume, it
>> serves winbind itself. However, it isn't available any more for PAM. How
>> shall I use Samba internal winbind implementation? When I initially
>> installed and set up ADs, wbinfo worked fine. Currently, it says:
>>
>> # wbinfo -P
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the NETLOGON for domain[] dc connection to "" failed
>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>
>> How do I make winbind available (that means available for PAM, as well)?
> I suggest reading :
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> Short version: samba-ad-dc is starting winbind, so don't start it
> manually.
> For pam support install : libnss-winbind libpam-winbind
> Configure nss_switch.conf and run pam-auth-update
>
> And set these to no when you're done testing.
>> winbind enum users = yes
>> winbind enum groups = yes
> See your users: id username or getent passwd username.
None are returned, with 'yes' or 'no' settings. And
As far as I see, the recommendations from the above document are met.
But winbindd refuses to start (I cited its message), and no other
'winbind' process is running, either.
How do I make samba 4.7-provided winbind run?
Are some winbind settings possibly missing (the smb.conf has been
generated by the domain upgrade process)?
Sincerely,
Konstantin
>
>>
>> Note: libpam_winbind is installed.
>>
>> Current smb.conf:
>>
>> [global]
>> bind interfaces only = Yes
>> interfaces = lo ens3
>> netbios name = DC
>> realm = EXAMPLE.COM
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nss info = rfc2307
>> template shell = /bin/bash
>> template homedir = /home/%u
>> workgroup = EXAMPLE
>> server string = EXAMPLE.COM domain controller
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> log level = 0
>> tls enabled = yes
>> tls keyfile = tls/key.pem
>> tls certfile = tls/cert.pem
>> tls cafile = tls/ca.pem
>> tls verify peer = no_check
>> acl:search = no
>> panic action = /usr/share/samba/panic-action %d
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:
>> pam password change = yes
>> map to guest = bad user
>> usershare allow guests = yes
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [profiles]
>> comment = Users profiles
>> path = /srv/samba/profiles/
>> browseable = No
>> read only = No
>> force create mode = 0600
>> force directory mode = 0700
>> csc policy = disable
>> store dos attributes = yes
>> vfs objects = acl_xattr
>>
>> --
>> Sincerely,
>>
>> Konstantin
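
The checks suggested in the reply above, as an added example that is not part of the thread: given an smb.conf and an nsswitch.conf, it reports which binary should provide winbind for the configured server role and whether the passwd and group databases list the winbind source. The function names and the sample files are assumptions made for the illustration, and only the role value shown in the posted smb.conf is treated as an AD DC.

```shell
# Added example. Reads two files; starts or stops nothing.

# Print the [global] "server role" value, lower-cased ("" if unset).
smb_role() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        !in_global || /^[ \t]*[#;]/ { next }
        {
            i = index($0, "="); if (!i) next
            key = tolower(substr($0, 1, i - 1)); val = tolower(substr($0, i + 1))
            gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "server role") role = val
        }
        END { print role }
    ' "$1"
}

# Succeed if database $2 (passwd or group) in nsswitch.conf $1 lists winbind.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Say which binary should provide winbind for this role, then list NSS
# databases that lack the winbind source. Returns 0 only if none is missing.
winbind_check() {
    conf=$1; nss=$2; rc=0
    case "$(smb_role "$conf")" in
        "active directory domain controller")
            echo "start: samba (runs the internal AD DC winbindd; do not run winbindd directly)" ;;
        *)  echo "start: winbindd" ;;
    esac
    for db in passwd group; do
        nss_has_winbind "$nss" "$db" || { echo "missing: winbind on the '$db:' line of $nss"; rc=1; }
    done
    return "$rc"
}
# Constructed sample input, not the poster's files: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '[global]\n\tserver role = active directory domain controller\n' > "$d/smb.conf"
    printf 'passwd: files systemd\ngroup: files winbind\n' > "$d/nsswitch.conf"
    winbind_check "$d/smb.conf" "$d/nsswitch.conf" || true
    rm -rf "$d"
fi
```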