[Samba] Winbind timeouts/hangs(?)

L.P.H. van Belle belle at bazuin.nl
Thu Aug 22 14:44:57 UTC 2019


 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Heiko Wundram via samba
> Sent: Thursday 22 August 2019 16:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Winbind timeouts/hangs(?)
> 
> On 22.08.2019 15:31, Rowland penny via samba wrote:
> > Sorry, but you cannot rely on the output of 'id' to identify your
> > users group memberships. Having said that, I wouldn't have 
> thought it
> > would take 60 secs to do nothing ;-)
> 
> That's clear and I know, but I can rely on login sessions to have the 
> correct groups when Kerberos has completed. That's what this 
> (and also 
> recursive group membership) is about; it's a shared directory 
> which is 
> used by several users to store files which are then hosted by 
> an Apache 
> webserver (with the directory in question having g+s, and 
> default ACLs 
> for a shared group). So, yeah, I do know the limitations of 
> winbind. ;-)
> 
> > Please post your smb.conf.
> 
> Anyway, here goes:
> 
> [global]
>          security = ADS
>          workgroup = <wg>
wg = <WG>
>          realm = <domain>

!!!!
realm = <REALM> 
realm is not <domain> 
!!!!

> 
>          idmap config * : backend = tdb
>          idmap config * : range = 60001-65000
> 
>          idmap config <wg> : backend = rid
>          idmap config <wg> : range = 65001-100000
> 
>          winbind nss info = template
>          template shell = /bin/bash
>          template homedir = /home/%U
> 
>          winbind nested groups = yes
>          winbind refresh tickets = yes
>          winbind offline logon = yes

>          winbind enum users = yes
>          winbind enum groups = yes
Set the 2 enum to no. 

>          allow trusted domains = no
> 
>          dedicated keytab file = /etc/krb5.keytab
>          kerberos method = secrets and keytab
> 
>          client signing = auto
>          server signing = auto
Remove these 2 

> 
>          bind interfaces only = yes
>          interfaces = lo eth0
> 
> So, nothing out of the ordinary; I've replaced workgroup and 
> domain by 
> placeholders.
> 
> krb5.conf is set up as follows:
> 
> [libdefaults]
>          default_realm = <domain>
!!!!
realm = <REALM> 
realm is not <domain> 
!!!!

>          ticket_lifetime = 1d
>          clockskew = 300
>          forwardable = true
>          proxiable = true
>          dns_lookup_realm = true

  dns_lookup_realm = false

>          dns_lookup_kdc = true

> 
> [realms]
>          <domain> = {
>                  auth_to_local = RULE:[1:<wg>\$1]
>          }
> 
> with the same placeholders.


> 
> Thanks for any hints!
> 
> -- 
> --- Heiko.
> 

I really advise to keep some parts CAPS not caps, correct. 

So in smb.conf
Netbios = IN-CAPS
Workgroup = IN-CAPS
REALM = IN-CAPS
dns-domain = no-caps
dns-search = no-caps

Small things but these small things help a lot! 


Greetz, 

Louis
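
The smb.conf changes asked for in the reply above, turned into a small check that can be run against a member server's configuration. This is an added example, not part of the original message and not Samba code; the sample values `example` and `ad.example.com` and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the quoted smb.conf with placeholder values filled in.
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    workgroup = example
    realm = ad.example.com
    winbind enum users = yes
    winbind enum groups = yes
    client signing = auto
    server signing = auto
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return "".join(name.lower().split())

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[norm(key)] = value.strip()
    return params

def lint_smb_conf(text):
    """Flag the settings the reply asks to change; returns a list of findings."""
    p, findings = parse_global(text), []
    for key in ("netbios name", "workgroup", "realm"):
        value = p.get(norm(key))
        if value is not None and value != value.upper():
            findings.append(f"{key} = {value}: write in CAPS ({value.upper()})")
    for key in ("winbind enum users", "winbind enum groups"):
        if p.get(norm(key), "").lower() in ("yes", "true", "1"):
            findings.append(f"{key} = {p[norm(key)]}: set to no")
    for key in ("client signing", "server signing"):
        if norm(key) in p:
            findings.append(f"{key} = {p[norm(key)]}: remove the line")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_smb_conf(SAMPLE_SMB_CONF)))
```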



