[Samba] security = ads parameter not working in samba 4.9.5

L.P.H. van Belle belle at bazuin.nl
Tue Dec 10 12:51:04 UTC 2019


I've re-read this thread but it's a bit confusing due to 2 persons with the same problem in one thread. 

I'm thinking here, how is samba started, since winbind is not running. 
I'm suspecting samba-addc or samba is starting. Not smbd nmbd winbind.

I suggest to run this: 

Disable that all again. 
systemctl disable samba-addc samba smbd nmbd winbind
systemctl mask samba-addc samba smbd nmbd winbind
systemctl stop samba-addc samba smbd nmbd winbind

Make sure your config matches up with what we already showed. 
My setup or Rowland's are the same. 

Now try to join again with : 
net ads join -UAdministrator -d6 
And post the needed output to see what is still going on.  

Enable only the needed for a member server. 
!note, only nmbd if you really need it, else remove it from the lines below. 

systemctl unmask smbd winbind nmbd 
systemctl enable smbd winbind nmbd 

systemctl start smbd winbind

Greetz, 

Louis
(ps. Expect slow response from me, I'm on vacation)



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 10 December 2019 12:29
> To: sambalist
> Subject: Re: [Samba] security = ads parameter not working in samba 4.9.5
> 
> On 10/12/2019 11:10, Sac Isilia wrote:
> > Hi Rowland,
> >
> > Please let me know what else I can try from my side. We are stuck as
> > the server can't be joined to domain.
> >
> Sorry, I thought you had fixed this :-(
> 
> You seem to be doing everything correctly, so it should work, but 
> obviously, it isn't for you.
> 
> Can I suggest you use Louis's repo: http://apt.van-belle.nl/
> 
> This will get you a more up to date Samba version and may, by itself, 
> fix your problem.
> 
> Try this smb.conf:
> 
> [global]
>      workgroup = SAMDOM
>      security = ADS
>      realm = SAMDOM.EXAMPLE.COM
> 
>      dedicated keytab file = /etc/krb5.keytab
>      kerberos method = secrets and keytab
> 
>      winbind use default domain = yes
>      winbind expand groups = 2
>      winbind refresh tickets = Yes
> 
>      idmap config *:backend = tdb
>      idmap config *:range = 3000-7999
>      idmap config SAMDOM : backend = rid
>      idmap config SAMDOM : range = 10000-999999
>      template shell = /bin/bash
>      template homedir = /home/%U
> 
>      # user Administrator workaround, without it you are unable to set privileges
>      username map = /etc/samba/user.map
> 
>      # For ACL support on domain member
>      vfs objects = acl_xattr
>      map acl inherit = Yes
>      store dos attributes = Yes
> 
>      # disable printing completely
>      load printers = no
>      printing = bsd
>      printcap name = /dev/null
>      disable spoolss = yes
> 
>      # logging
>      log level = 4
> 
> Create /etc/samba/user.map
> !root = SAMDOM\Administrator
> 
> Replace 'SAMDOM' with your workgroup name and the realm name
> 'SAMDOM.EXAMPLE.COM' with your realm name (which must be the dns domain
> in uppercase)
> 
> If this doesn't work, I am running out of ideas, it normally 
> just works.
> 
> Rowland
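A pre-join check of the smb.conf points made in the quoted message (security = ADS, upper-case realm, an idmap range for the workgroup that does not overlap the default range), as an added example that is not part of the original thread or Samba's own tooling. The function names and the sample config are constructed for illustration.

```python
import re

# Constructed sample: the quoted [global] section with two deliberate mistakes.
SAMPLE_BAD = """\
[global]
    workgroup = SAMDOM
    security = ADS
    realm = samdom.example.com
    idmap config *:range = 3000-7999
    idmap config SAMDOM : range = 7000-999999
"""

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_member_conf(text):
    """Return a list of deviations from the advice given in the thread."""
    p, problems = parse_global(text), []
    if p.get("security", "").lower() != "ads":
        problems.append("security is not ADS")
    realm = p.get("realm", "")
    if not realm or realm != realm.upper():
        problems.append("realm missing or not upper case")
    ranges = {}
    for key, value in p.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r:
            ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    wg = p.get("workgroup", "").lower()
    if wg not in ranges:
        problems.append("no idmap range for workgroup")
    doms = sorted(ranges.items(), key=lambda kv: kv[1])
    for (a, ra), (b, rb) in zip(doms, doms[1:]):
        if rb[0] <= ra[1]:
            problems.append(f"idmap ranges overlap: {a} and {b}")
    return problems
```

Run `check_member_conf(open("/etc/samba/smb.conf").read())` before `net ads join`; `testparm` remains the authoritative syntax check.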