[Samba] WinbinD no longer available in Samba 4.7.6
Konstantin Boyandin
lists at boyandin.info
Tue Dec 4 10:01:28 UTC 2018
Rowland Penny via samba wrote on 2018-12-04 16:56:
> On Tue, 04 Dec 2018 16:44:55 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote on 2018-12-04 16:28:
>> > On Tue, 4 Dec 2018 09:59:14 +0100
>> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>> >
>> >> Hai,
>> >>
>> >> > -----Original message-----
>> >> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> >> > Konstantin Boyandin via samba
>> >> > Sent: Tuesday 4 December 2018 6:35
>> >> > To: samba at lists.samba.org
>> >> > Subject: [Samba] WinbinD no longer available in Samba 4.7.6
>> >> >
>> >> > Hello,
>> >> >
>> >> > Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
>> >> >
>> >> > After recent update, winbind failed to update, until I
>> >> > disabled it (it
>> >> > didn't start anyway). When run as
>> >> >
>> >> > # winbindd -d 9 -i
>> >> >
>> >> > it prints in the end:
>> >> >
>> >> > server role = 'active directory domain controller' not
>> >> > compatible with
>> >> > running the winbindd binary.
>> >> > You should start 'samba' instead, and it will control starting
>> >> > the internal AD DC winbindd implementation, which is not the
>> >> > same as this one
>> >> >
>> >> > smbd currently is listening on 139 and 445 ports - thus, I
>> >> > assume, it serves winbind itself. However, it isn't available
>> >> > any more for PAM. How
>> >> > shall I use Samba internal winbind implementation? When I
>> >> > initially installed and set up ADs, wbinfo worked fine.
>> >> > Currently, it says:
>> >> >
>> >> > # wbinfo -P
>> >> > could not obtain winbind interface details:
>> >> > WBC_ERR_WINBIND_NOT_AVAILABLE
>> >> > could not obtain winbind domain name!
>> >> > checking the NETLOGON for domain[] dc connection to "" failed
>> >> > failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>> >> >
>> >> > How do I make winbind available (that means available for
>> >> > PAM, as well)?
>> >> I suggest reading :
>> >> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>> >> Short version: samba-ad-dc is starting winbind, so don't start it
>> >> manually. For pam support install : libnss-winbind libpam-winbind
>> >> Configure nss_switch.conf and run pam-auth-update
>> >>
>> >> And set these to no when you're done testing.
>> >> > winbind enum users = yes
>> >> > winbind enum groups = yes
>> >> See your users: id username or getent passwd username.
>> >>
>> >> >
>> >> > Note: libpam_winbind is installed.
>> >> >
>> >> > Current smb.conf:
>> >> >
>> >> > [global]
>> >> > bind interfaces only = Yes
>> >> > interfaces = lo ens3
>> >> > netbios name = DC
>> >> > realm = EXAMPLE.COM
>> >> > server role = active directory domain controller
>> >> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>> >> > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> >> > idmap_ldb:use rfc2307 = yes
>> >> > winbind enum users = yes
>> >> > winbind enum groups = yes
>> >> > winbind nss info = rfc2307
>> >> > template shell = /bin/bash
>> >> > template homedir = /home/%u
>> >> > workgroup = EXAMPLE
>> >> > server string = EXAMPLE.COM domain controller
>> >> > dns proxy = no
>> >> > log file = /var/log/samba/log.%m
>> >> > max log size = 1000
>> >> > log level = 0
>> >> > tls enabled = yes
>> >> > tls keyfile = tls/key.pem
>> >> > tls certfile = tls/cert.pem
>> >> > tls cafile = tls/ca.pem
>> >> > tls verify peer = no_check
>> >> > acl:search = no
>> >> > panic action = /usr/share/samba/panic-action %d
>> >> > passdb backend = tdbsam
>> >> > obey pam restrictions = yes
>> >> > unix password sync = yes
>> >> > passwd program = /usr/bin/passwd %u
>> >> > passwd chat = *Enter\snew\s*\spassword:* %n\n
>> >> > *Retype\snew\s*\spassword:
>> >> > pam password change = yes
>> >> > map to guest = bad user
>> >> > usershare allow guests = yes
>> >> >
>> >> > [netlogon]
>> >> > comment = Network Logon Service
>> >> > path = /var/lib/samba/sysvol/example.com/scripts
>> >> > read only = No
>> >> >
>> >> > [sysvol]
>> >> > path = /var/lib/samba/sysvol
>> >> > read only = No
>> >> >
>> >> > [profiles]
>> >> > comment = Users profiles
>> >> > path = /srv/samba/profiles/
>> >> > browseable = No
>> >> > read only = No
>> >> > force create mode = 0600
>> >> > force directory mode = 0700
>> >> > csc policy = disable
>> >> > store dos attributes = yes
>> >> > vfs objects = acl_xattr
>> >> >
>> >> > --
>> >> > Sincerely,
>> >> >
>> >> > Konstantin
>> >> >
>> >>
>> >>
>> >> Greetz,
>> >>
>> >> Louis
>> >>
>> >>
>> >
>> > Go and read 'man smb.conf', then remove most of the lines you have
>> > added to the [global] section of your smb.conf.
>> >
>> > Go and read this:
>> >
>> > https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>> >
>> > Which I think you may already have done, but if you have done,
>> > read it again, but this time ignore the POSIX ACLs section, you can
>> > only use those on a Unix domain member, you must use Windows ACLs
>> > on a DC.
>>
>> May I kindly ask you how will that help me to handle missing Winbind
>> problem?
>>
>> The setup I am using is in real use, and ruining it is not an option.
>>
>> The winbindd from winbind package explicitly refuses to run on the
>> current computer role, but no other process seems to provide winbind
>> services. How can I handle this?
>>
>> Sincerely,
>>
>> Konstantin
>>
>
> It should run, try replacing the server services line with this:
>
> server services = -dns
>
> It does exactly the same thing as your existing line, it turns off the
> internal DNS server, but if there is anything wrong with your line it
> will remove those errors without changing anything else.
>
> I take it you are only starting the 'samba' binary and are not also
> trying to start any other Samba binary.
Thanks. I will try the above "server services" line, too. Restarting
samba handled the issue.
Sincerely,
Konstantin
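
Added example, not part of the original messages and not Samba project code: a small linter that applies the advice given in this thread to the [global] section of an AD DC smb.conf. The function names and the sample text are constructed for illustration, only the long spelling of the DC server role is recognised, and the last check (tls verify peer) is an extra point not raised in the thread.

```python
# Added example: lint an AD DC smb.conf against the advice given in this thread.
# SAMPLE is constructed from the [global] section quoted in the message.
SAMPLE = """\
[global]
    netbios name = DC
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    winbind enum users = yes
    winbind enum groups = yes
    tls verify peer = no_check
"""

def parse_global(text):
    """Return [global] parameters; names are lower-cased and space-normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def lint_dc(params):
    """Return (parameter, note) pairs; empty when the host is not an AD DC."""
    if params.get("server role", "").lower() != "active directory domain controller":
        return []
    findings = []
    services = [s.strip() for s in params.get("server services", "").split(",") if s.strip()]
    if any(s[0] not in "+-" for s in services):
        findings.append(("server services",
                         "full list replaces the defaults; the thread suggests '-dns'"))
    for key in ("winbind enum users", "winbind enum groups"):
        if params.get(key, "no").lower() in ("yes", "true", "1"):
            findings.append((key, "set to no once testing is done"))
    # Not raised in the thread: no_check turns off TLS peer certificate verification.
    if params.get("tls verify peer", "").lower() == "no_check":
        findings.append(("tls verify peer", "peer certificates are not verified"))
    return findings

if __name__ == "__main__":
    for name, note in lint_dc(parse_global(SAMPLE)):
        print(f"{name}: {note}")
```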