[Samba] Sample smb.conf for ADs authentication

Rowland Penny rpenny at samba.org
Fri Dec 14 09:41:41 UTC 2018


On Thu, 13 Dec 2018 19:10:38 -0500
Gilbert Soucy <gsoucy at 36pix.com> wrote:

> Hello,
> 
>  I was able to follow most of the steps in the wiki but I seem to
> have an issue with winbind :
> 
> wbinfo --ping-dc
> 
> is failing with:
> 
> [root at tungsten-2 samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[-not available-] dc connection to ""
> failed failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
> 
> 
> 
> Why is that all wrong since I was able to join the domain ?
> How to fix that ?
> 
> Also, just to confirm, do I need to touch sssd at all ? Should it be
> running, with any specific config ?

Well, in my opinion, 'yum remove sssd' would be a very good idea ;-)

You do not need sssd, it isn't a Samba product and, as such, it
isn't supported here.

> 
> See my config and details below.
> 
> Thanks
> 
> Gilbert
> 
> ===============================================
> 
> I have been able to join the domain:
> 
> [root at server samba]# net ads join -U admin
> Enter admin's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'DOMAIN'

Is your short domain name (aka workgroup) really the same as your dns
domain ?

> 
> 
> I can list the domain users on the windows AD server:
> 
> [root at tungsten-2 samba]# net ads user
> 
> Administrator
> user1
> user2
> ...
> 
> 
> Here is my smb.conf file
> 
> [global]
>        security = ADS
>        workgroup = DOMAIN
>        realm = DOMAIN.COM
> 
>        log file = /var/log/samba/log.%m
>        log level = 2
> 
>        # Default ID mapping configuration for local BUILTIN accounts
>        # and groups on a domain member. The default (*) domain:
>        # - must not overlap with any domain ID mapping configuration!
>        # - must use a read-write-enabled back end, such as tdb.
>        idmap config * : backend = tdb
>        idmap config * : range = 0-499

Why are you using '0-499' for the '*' domain ?
The '*' domain is for the 'Well Known SIDs' and anything outside the
'DOMAIN' domain, you are using the same numbers as the Unix system
users & groups.
Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

>        # - You must set a DOMAIN backend configuration
>        # idmap config for the SAMDOM domain
>        idmap config DOMAIN:backend = ad
>        idmap config DOMAIN:schema_mode = rfc2307
>        idmap config DOMAIN:range = 500-20000
>        idmap config DOMAIN:unix_nss_info = yes
> 

Again, why '500-20000' ?
You have removed the possibility of having any local Unix users. 
Have you added any uidNumber & gidNumber attributes to AD ?
 
> [Share]
>    comment = Share
>    path = /share
>    hide dot files = no
>    dos filemode = yes
>    inherit acls = yes
>    inherit permissions = yes
>    create mode = 0664
>    directory mode = 0775
>    directory mask = 0775
>    force create mode = 0664
>    force directory mode = 0775
>    force group = lab
>    vfs objects = recycle
>    recycle: keeptree = yes
>    recycle: versions = yes
>    recycle:directory_mode = 770
>    recycle:touch_mtime = yes
>    guest ok = Yes

You really would be better off using Windows ACLs and setting these
from a Windows computer.
 
> 
> 
> In my /etc/nsswitch.conf file (and I restarted all services after
> the edit)
> 
> passwd:     files sss winbind
> shadow:     files sss
> group:      files sss winbind

Remove all the 'sss'

> 
> 
> 
> The output of realm list:

Pointless here, 'realmd' isn't a Samba product, so we wouldn't know a
good one from a bad one and you do not need it anyway. 
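The range problems Rowland points out (the '*' range sitting inside the system's own UID/GID space, and the DOMAIN range leaving no room for local accounts) can be checked mechanically before winbind is started. The following is an added example, not code from this thread or from Samba; it uses a constructed smb.conf fragment reproducing the ranges quoted above and a constructed table of local account IDs.

```python
import re

# Constructed smb.conf fragment with the idmap ranges from the thread.
SMB_CONF = """
[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN.COM
   idmap config * : backend = tdb
   idmap config * : range = 0-499
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 500-20000
"""

# Constructed sample of local accounts, as a real /etc/passwd would list them.
LOCAL_IDS = {0: "root", 48: "apache", 1000: "gilbert"}

# Matches both spellings seen in the thread: '* : range' and 'DOMAIN:range'.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def check_idmap_ranges(ranges, local_ids):
    """List inverted ranges, overlapping domain ranges, and ranges that
    swallow local Unix IDs (the '0-499' and '500-20000' problems above)."""
    findings = []
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo_a, hi_a = ranges[a]
        if lo_a > hi_a:
            findings.append(f"{a}: range {lo_a}-{hi_a} is inverted")
        for b in names[i + 1:]:
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                findings.append(f"{a} and {b}: ranges overlap")
        for uid, user in sorted(local_ids.items()):
            if lo_a <= uid <= hi_a:
                findings.append(
                    f"{a}: range {lo_a}-{hi_a} contains local id {uid} ({user})")
    return findings


if __name__ == "__main__":
    for finding in check_idmap_ranges(parse_idmap_ranges(SMB_CONF), LOCAL_IDS):
        print(finding)
```

Run against the quoted configuration it reports root and apache inside the '*' range and the local user inside the DOMAIN range; with ranges placed well above the system accounts (for example 3000-7999 and 10000-999999) it reports nothing.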



