[Samba] Winbind timeouts/hangs(?)
Heiko Wundram
modelnine at modelnine.org
Thu Aug 22 14:12:52 UTC 2019
On 22.08.2019 15:31, Rowland penny via samba wrote:
> Sorry, but you cannot rely on the output of 'id' to identify your
> users' group memberships. Having said that, I wouldn't have thought it
> would take 60 secs to do nothing ;-)
That's clear and I know, but I can rely on login sessions to have the
correct groups when Kerberos has completed. That's what this (and also
recursive group membership) is about; it's a shared directory which is
used by several users to store files which are then hosted by an Apache
webserver (with the directory in question having g+s, and default ACLs
for a shared group). So, yeah, I do know the limitations of winbind. ;-)
> Please post your smb.conf.
Anyway, here goes:

[global]
    security = ADS
    workgroup = <wg>
    realm = <domain>

    idmap config * : backend = tdb
    idmap config * : range = 60001-65000
    idmap config <wg> : backend = rid
    idmap config <wg> : range = 65001-100000

    winbind nss info = template
    template shell = /bin/bash
    template homedir = /home/%U

    winbind nested groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind enum users = yes
    winbind enum groups = yes

    allow trusted domains = no

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    client signing = auto
    server signing = auto

    bind interfaces only = yes
    interfaces = lo eth0

So, nothing out of the ordinary; I've replaced workgroup and domain by
placeholders.
krb5.conf is set up as follows:

[libdefaults]
    default_realm = <domain>
    ticket_lifetime = 1d
    clockskew = 300
    forwardable = true
    proxiable = true
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    <domain> = {
        auth_to_local = RULE:[1:<wg>\$1]
    }

with the same placeholders.
Thanks for any hints!
--
--- Heiko.