[Samba] security = ads parameter not working in samba 4.9.5
Sac Isilia
udaypratap.singh65 at gmail.com
Wed Dec 11 13:04:27 UTC 2019
Hi Belle/Rowland,
Below are the journalctl logs.
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/oddjobd.service:6: PIDFile= references path below
legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/winbind.service:8: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9:
PIDFile= references path below legacy directory /var/run/, updating
/var/run/samba/smbd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/oddjobd.service:6: PIDFile= references path below
legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/winbind.service:8: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:10 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9:
PIDFile= references path below legacy directory /var/run/, updating
/var/run/samba/smbd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:10 esmad1apl01 systemd[1]:
/lib/systemd/system/oddjobd.service:6: PIDFile= references path below
legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:10 esmad1apl01 systemd[1]: Reloading.
Dec 11 14:01:11 esmad1apl01 systemd[1]:
/lib/systemd/system/winbind.service:8: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/winbin
Dec 11 14:01:11 esmad1apl01 systemd[1]: /lib/systemd/system/smbd.service:9:
PIDFile= references path below legacy directory /var/run/, updating
/var/run/samba/smbd.pid
Dec 11 14:01:11 esmad1apl01 systemd[1]:
/lib/systemd/system/samba-ad-dc.service:9: PIDFile= references path below
legacy directory /var/run/, updating /var/run/samba/sa
Dec 11 14:01:11 esmad1apl01 systemd[1]:
/lib/systemd/system/oddjobd.service:6: PIDFile= references path below
legacy directory /var/run/, updating /var/run/oddjobd.pid
Dec 11 14:01:20 esmad1apl01 systemd[1]: Starting Samba Winbind Daemon...
-- Subject: A start job for unit winbind.service has begun execution
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- A start job for unit winbind.service has begun execution.
--
-- The job identifier is 35804.
Dec 11 14:01:20 esmad1apl01 systemd[1]: winbind.service: Main process
exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- An ExecStart= process belonging to unit winbind.service has exited.
--
-- The process' exit code is 'exited' and its exit status is 1.
Dec 11 14:01:20 esmad1apl01 systemd[1]: winbind.service: Failed with result
'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The unit winbind.service has entered the 'failed' state with result
'exit-code'.
Dec 11 14:01:20 esmad1apl01 systemd[1]: Failed to start Samba Winbind
Daemon.
-- Subject: A start job for unit winbind.service has failed
-- Defined-By: systemd
Regards
Sachin Kumar
On Wed, Dec 11, 2019 at 6:24 PM Sac Isilia <udaypratap.singh65 at gmail.com>
wrote:
> Hi Belle,
>
> Below is the output after I performed the suggested steps.
>
> root@esmad1apl01:~# net ads join -U media\\svc_domjoin02 -d6
> INFO: Current debug levels:
> all: 6
> tdb: 6
> printdrivers: 6
> lanman: 6
> smb: 6
> rpc_parse: 6
> rpc_srv: 6
> rpc_cli: 6
> passdb: 6
> sam: 6
> auth: 6
> winbind: 6
> vfs: 6
> idmap: 6
> quota: 6
> acls: 6
> locking: 6
> msdfs: 6
> dmapi: 6
> registry: 6
> scavenger: 6
> dns: 6
> ldb: 6
> tevent: 6
> auth_audit: 6
> auth_json_audit: 6
> kerberos: 6
> drs_repl: 6
> smb2: 6
> smb2_credits: 6
> dsdb_audit: 6
> dsdb_json_audit: 6
> dsdb_password_audit: 6
> dsdb_password_json_audit: 6
> dsdb_transaction_audit: 6
> dsdb_transaction_json_audit: 6
> dsdb_group_audit: 6
> dsdb_group_json_audit: 6
> lp_load_ex: refreshing parameters
> Initialising global parameters
> INFO: Current debug levels:
> all: 6
> tdb: 6
> printdrivers: 6
> lanman: 6
> smb: 6
> rpc_parse: 6
> rpc_srv: 6
> rpc_cli: 6
> passdb: 6
> sam: 6
> auth: 6
> winbind: 6
> vfs: 6
> idmap: 6
> quota: 6
> acls: 6
> locking: 6
> msdfs: 6
> dmapi: 6
> registry: 6
> scavenger: 6
> dns: 6
> ldb: 6
> tevent: 6
> auth_audit: 6
> auth_json_audit: 6
> kerberos: 6
> drs_repl: 6
> smb2: 6
> smb2_credits: 6
> dsdb_audit: 6
> dsdb_json_audit: 6
> dsdb_password_audit: 6
> dsdb_password_json_audit: 6
> dsdb_transaction_audit: 6
> dsdb_transaction_json_audit: 6
> dsdb_group_audit: 6
> dsdb_group_json_audit: 6
> Processing section "[global]"
> doing parameter workgroup = EMEA-MEDIA
> doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
> doing parameter security = ADS
> doing parameter dedicated keytab file = /etc/krb5.keytab
> doing parameter kerberos method = secrets and keytab
> doing parameter winbind use default domain = yes
> doing parameter winbind expand groups = 2
> doing parameter winbind refresh tickets = Yes
> doing parameter idmap config * : backend = tdb
> doing parameter idmap config * : range = 3000-7999
> doing parameter idmap config EMEA-MEDIA : backend = ad
> doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
> doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
> doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter preferred master = no
> doing parameter username map = /etc/samba/user.map
> doing parameter vfs objects = acl_xattr
> doing parameter map acl inherit = yes
> doing parameter store dos attributes = yes
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter logging = file
> doing parameter panic action = /usr/share/samba/panic-action %d
> pm_process() returned Yes
> Registering messaging pointer for type 2 - private_data=(nil)
> Registering messaging pointer for type 9 - private_data=(nil)
> Registered MSG_REQ_POOL_USAGE
> Registering messaging pointer for type 11 - private_data=(nil)
> Registering messaging pointer for type 12 - private_data=(nil)
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Registering messaging pointer for type 1 - private_data=(nil)
> Registering messaging pointer for type 5 - private_data=(nil)
> Registering messaging pointer for type 51 - private_data=(nil)
> lp_load_ex: refreshing parameters
> Freeing parametrics:
> Initialising global parameters
> INFO: Current debug levels:
> all: 6
> tdb: 6
> printdrivers: 6
> lanman: 6
> smb: 6
> rpc_parse: 6
> rpc_srv: 6
> rpc_cli: 6
> passdb: 6
> sam: 6
> auth: 6
> winbind: 6
> vfs: 6
> idmap: 6
> quota: 6
> acls: 6
> locking: 6
> msdfs: 6
> dmapi: 6
> registry: 6
> scavenger: 6
> dns: 6
> ldb: 6
> tevent: 6
> auth_audit: 6
> auth_json_audit: 6
> kerberos: 6
> drs_repl: 6
> smb2: 6
> smb2_credits: 6
> dsdb_audit: 6
> dsdb_json_audit: 6
> dsdb_password_audit: 6
> dsdb_password_json_audit: 6
> dsdb_transaction_audit: 6
> dsdb_transaction_json_audit: 6
> dsdb_group_audit: 6
> dsdb_group_json_audit: 6
> Processing section "[global]"
> doing parameter workgroup = EMEA-MEDIA
> doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
> doing parameter security = ADS
> doing parameter dedicated keytab file = /etc/krb5.keytab
> doing parameter kerberos method = secrets and keytab
> doing parameter winbind use default domain = yes
> doing parameter winbind expand groups = 2
> doing parameter winbind refresh tickets = Yes
> doing parameter idmap config * : backend = tdb
> doing parameter idmap config * : range = 3000-7999
> doing parameter idmap config EMEA-MEDIA : backend = ad
> doing parameter idmap config EMEA-MEDIA : schema_mode = rfc2307
> doing parameter idmap config EMEA-MEDIA : unix_nss_info = yes
> doing parameter idmap config EMEA-MEDIA : range = 16777216-33554431
> doing parameter domain master = no
> doing parameter local master = no
> doing parameter preferred master = no
> doing parameter username map = /etc/samba/user.map
> doing parameter vfs objects = acl_xattr
> doing parameter map acl inherit = yes
> doing parameter store dos attributes = yes
> doing parameter log file = /var/log/samba/log.%m
> doing parameter max log size = 1000
> doing parameter logging = file
> doing parameter panic action = /usr/share/samba/panic-action %d
> pm_process() returned Yes
> Netbios name list:-
> my_netbios_names[0]="ESMAD1APL01"
> added interface ens192 ip=10.34.54.152 bcast=10.34.54.255
> netmask=255.255.255.0
> Enter media\svc_domjoin02's password:
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> in: struct libnet_JoinCtx
> dc_name : NULL
> machine_name : 'ESMAD1APL01'
> domain_name : *
> domain_name : 'EMEA.MEDIA.GLOBAL.LOC'
> domain_name_type : JoinDomNameTypeDNS (1)
> account_ou : NULL
> admin_account : 'media\svc_domjoin02'
> admin_domain : NULL
> machine_password : NULL
> join_flags : 0x00000023 (35)
> 0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
> 0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
> 0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
> 0: WKSSVC_JOIN_FLAGS_DEFER_SPN
> 0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
> 0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
> 1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
> 0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
> 0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
> 1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
> 1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
> os_version : NULL
> os_name : NULL
> os_servicepack : NULL
> create_upn : 0x00 (0)
> upn : NULL
> modify_config : 0x00 (0)
> ads : NULL
> debug : 0x01 (1)
> use_kerberos : 0x00 (0)
> secure_channel_type : SEC_CHAN_WKSTA (2)
> desired_encryption_types : 0x0000001f (31)
> Opening cache file at /var/cache/samba/gencache.tdb
> Opening cache file at /var/run/samba/gencache_notrans.tdb
> sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
> "ESMAD2"
> ads_dns_lookup_srv: 2 records returned in the answer section.
> sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
> "ESMAD2"
> no entry for ESMAD2DCM03.emea.media.global.loc#20 found.
> resolve_hosts: Attempting host lookup for name
> ESMAD2DCM03.emea.media.global.loc<0x20>
> namecache_store: storing 1 address for
> ESMAD2DCM03.emea.media.global.loc#20: 10.34.54.47
> Connecting to 10.34.54.47 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_REUSEPORT = 0
> SO_SNDBUF = 87040
> SO_RCVBUF = 372480
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> got OID=1.3.6.1.4.1.311.2.2.30
> got OID=1.2.840.48018.1.2.2
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'naclrpc_as_system' registered
> GENSEC backend 'sasl-EXTERNAL' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'ntlmssp_resume_ccache' registered
> GENSEC backend 'http_basic' registered
> GENSEC backend 'http_ntlm' registered
> GENSEC backend 'http_negotiate' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Starting GENSEC mechanism spnego
> Starting GENSEC submechanism ntlmssp
> Got challenge flags:
> Got NTLMSSP neg_flags=0x62898215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_TARGET_TYPE_DOMAIN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_TARGET_INFO
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP: Set final flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x62088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
> NTLMSSP_NEGOTIATE_VERSION
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> signed SMB2 message
> signed SMB2 message
> Bind RPC Pipe: host ESMAD2DCM03.emea.media.global.loc auth_type 0,
> auth_level 1
> rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
> signed SMB2 message
> rpc_read_send: data_to_read: 52
> check_bind_response: accepted!
> rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
> signed SMB2 message
> rpc_read_send: data_to_read: 32
> rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
> signed SMB2 message
> rpc_read_send: data_to_read: 212
> rpc_api_pipe: host ESMAD2DCM03.emea.media.global.loc
> signed SMB2 message
> rpc_read_send: data_to_read: 32
> signed SMB2 message
> saf_fetch: failed to find server for "emea.media.global.loc" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
> ads_dns_lookup_srv: 2 records returned in the answer section.
> get_dc_list: returning 2 ip addresses in an ordered list
> get_dc_list: 10.34.54.46:88 10.34.54.47:88
> saf_fetch: failed to find server for "emea.media.global.loc" domain
> get_dc_list: preferred server list: ", *"
> resolve_ads: Attempting to resolve KDCs for emea.media.global.loc using DNS
> ads_dns_lookup_srv: 19 records returned in the answer section.
> get_dc_list: returning 19 ip addresses in an ordered list
> get_dc_list: 10.34.54.47:88 10.57.102.101:88 10.43.2.2:88 10.19.26.136:88
> 10.48.128.12:88 10.53.75.3:88 10.19.26.137:88 10.10.136.85:88
> 10.10.136.101:88 10.53.4.3:88 10.34.54.46:88 10.8.32.53:88 10.53.4.2:88
> 10.19.17.132:88 10.49.67.180:88 10.8.32.54:88 10.10.136.95:88
> 10.19.17.133:88 10.49.214.7:88
> create_local_private_krb5_conf_for_domain: wrote file
> /var/run/samba/smb_krb5/krb5.conf.EMEA-MEDIA with realm
> EMEA.MEDIA.GLOBAL.LOC KDC list = kdc = 10.34.54.47
> kdc = 10.34.54.46
> kdc = 10.43.2.2
> kdc = 10.19.26.136
>
> sitename_fetch: Returning sitename for realm 'EMEA.MEDIA.GLOBAL.LOC':
> "ESMAD2"
> name ESMAD2DCM03.emea.media.global.loc#20 found.
> ads_try_connect: sending CLDAP request to 10.34.54.47 (realm:
> emea.media.global.loc)
> Successfully contacted LDAP server 10.34.54.47
> Connected to LDAP server ESMAD2DCM03.emea.media.global.loc
> KDC time offset is 0 seconds
> Found SASL mechanism GSS-SPNEGO
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.30
> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
> kerberos_kinit_password svc_domjoin02@EMEA.MEDIA.GLOBAL.LOC failed:
> Client not found in Kerberos database
> ads_sasl_spnego_gensec_bind(KRB5) failed for
> ldap/esmad2dcm03.emea.media.global.loc with user[svc_domjoin02]
> realm=[EMEA.MEDIA.GLOBAL.LOC]: Client not found in Kerberos database
> libnet_Join:
> libnet_JoinCtx: struct libnet_JoinCtx
> out: struct libnet_JoinCtx
> account_name : 'ESMAD1APL01$'
> netbios_domain_name : 'EMEA-MEDIA'
> dns_domain_name : 'emea.media.global.loc'
> forest_name : 'global.loc'
> dn : NULL
> domain_guid : 28b8ead4-212a-4eb4-b9ce-b9b2096fab5e
> domain_sid : *
> domain_sid :
> S-1-5-21-1175101033-2187731779-11171261
> modified_config : 0x00 (0)
> error_string : 'failed to connect to AD: Client
> not found in Kerberos database'
> domain_is_ad : 0x01 (1)
> set_encryption_types : 0x00000000 (0)
> krb5_salt : NULL
> result : WERR_NERR_DEFAULTJOINREQUIRED
> Failed to join domain: failed to connect to AD: Client not found in
> Kerberos database
> return code = -1
> root@esmad1apl01:~# systemctl unmask smbd winbind
> Removed /etc/systemd/system/smbd.service.
> Removed /etc/systemd/system/winbind.service.
> root@esmad1apl01:~# systemctl enable smbd winbind
> Synchronizing state of smbd.service with SysV service script with
> /lib/systemd/systemd-sysv-install.
> Executing: /lib/systemd/systemd-sysv-install enable smbd
> Synchronizing state of winbind.service with SysV service script with
> /lib/systemd/systemd-sysv-install.
> Executing: /lib/systemd/systemd-sysv-install enable winbind
> Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service
> -> /lib/systemd/system/smbd.service.
> Created symlink
> /etc/systemd/system/multi-user.target.wants/winbind.service ->
> /lib/systemd/system/winbind.service.
> root@esmad1apl01:~# systemctl start smbd winbind
> Job for winbind.service failed because the control process exited with
> error code.
> See "systemctl status winbind.service" and "journalctl -xe" for details.
>
> Regards
> Sachin Kumar
>
> On Tue, Dec 10, 2019 at 6:21 PM L.P.H. van Belle via samba <
> samba at lists.samba.org> wrote:
>
>> I've re-read this thread but it's a bit confusing due to 2 persons with
>> the same problem in one thread.
>>
>> I'm thinking here, how is samba started, since winbind is not running.
>> I'm suspecting samba-ad-dc or samba is starting. Not smbd nmbd winbind.
>>
>> I suggest to run this:
>>
>> Disable that all again.
>> systemctl disable samba-ad-dc samba smbd nmbd winbind
>> systemctl mask samba-ad-dc samba smbd nmbd winbind
>> systemctl stop samba-ad-dc samba smbd nmbd winbind
>>
>> Make sure your config matches up with what we already showed.
>> My setup or Rowland's are the same.
>>
>> Now try to join again with :
>> net ads join -UAdministrator -d6
>> And post the needed output to see what is still going on.
>>
>> Enable only what is needed for a member server.
>> Note: only nmbd if you really need it, else remove it from the lines below.
>>
>> systemctl unmask smbd winbind nmbd
>> systemctl enable smbd winbind nmbd
>>
>> systemctl start smbd winbind
>>
>> Greetz,
>>
>> Louis
>> (PS. Expect slow response from me, I'm on vacation)
>>
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> > Rowland penny via samba
>> > Sent: Tuesday 10 December 2019 12:29
>> > To: sambalist
>> > Subject: Re: [Samba] security = ads parameter not working
>> > in samba 4.9.5
>> >
>> > On 10/12/2019 11:10, Sac Isilia wrote:
>> > > Hi Rowland,
>> > >
>> > > Please let me know what else I can try from my side. We are stuck as
>> > > the server can't be joined to domain.
>> > >
>> > Sorry, I thought you had fixed this :-(
>> >
>> > You seem to be doing everything correctly, so it should work, but
>> > obviously, it isn't for you.
>> >
>> > Can I suggest you use Louis's repo: http://apt.van-belle.nl/
>> >
>> > This will get you a more up to date Samba version and may, by itself,
>> > fix your problem.
>> >
>> > Try this smb.conf:
>> >
>> > [global]
>> > workgroup = SAMDOM
>> > security = ADS
>> > realm = SAMDOM.EXAMPLE.COM
>> >
>> > dedicated keytab file = /etc/krb5.keytab
>> > kerberos method = secrets and keytab
>> >
>> > winbind use default domain = yes
>> > winbind expand groups = 2
>> > winbind refresh tickets = Yes
>> >
>> > idmap config *:backend = tdb
>> > idmap config *:range = 3000-7999
>> > idmap config SAMDOM : backend = rid
>> > idmap config SAMDOM : range = 10000-999999
>> > template shell = /bin/bash
>> > template homedir = /home/%U
>> >
>> > # user Administrator workaround, without it you are unable to set privileges
>> > username map = /etc/samba/user.map
>> >
>> > # For ACL support on domain member
>> > vfs objects = acl_xattr
>> > map acl inherit = Yes
>> > store dos attributes = Yes
>> >
>> > # disable printing completely
>> > load printers = no
>> > printing = bsd
>> > printcap name = /dev/null
>> > disable spoolss = yes
>> >
>> > # logging
>> > log level = 4
>> >
>> > Create /etc/samba/user.map
>> > !root = SAMDOM\Administrator
>> >
>> > Replace 'SAMDOM' with your workgroup name and the realm name
>> > 'SAMDOM.EXAMPLE.COM' with your realm name (which must be the dns domain
>> > in uppercase)
>> >
>> > If this doesn't work, I am running out of ideas, it normally just works.
>> >
>> > Rowland
>> >
>> >
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions: https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>>
>>
>
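An added triage helper, not part of the original thread and not Samba code: it pulls the join-relevant fields out of `net ads join -d6` output of the kind quoted in this thread (account as typed, principal handed to kinit, error string, result code) and reports where they disagree. The sample log is constructed from lines in the thread; the function names, field names and finding texts are hypothetical.

```python
import re

# Constructed sample in the shape of the quoted `net ads join -d6` output,
# with list-archive quote markers, wrapped lines and " at " standing for "@".
SAMPLE_LOG = r"""
> doing parameter workgroup = EMEA-MEDIA
> doing parameter realm = EMEA.MEDIA.GLOBAL.LOC
>  admin_account : 'media\svc_domjoin02'
> kerberos_kinit_password svc_domjoin02 at EMEA.MEDIA.GLOBAL.LOC failed:
> Client not found in Kerberos database
>  error_string : 'failed to connect to AD: Client
> not found in Kerberos database'
>  result : WERR_NERR_DEFAULTJOINREQUIRED
"""

# Hypothetical field names mapped to patterns for lines seen in the debug output.
FIELDS = {
    "workgroup": r"doing parameter workgroup = (\S+)",
    "realm": r"doing parameter realm = (\S+)",
    "admin_account": r"admin_account\s*:\s*'([^']*)'",
    "principal": r"kerberos_kinit_password ([^\s@]+(?:@| at )\S+) failed",
    "error_string": r"error_string\s*:\s*'([^']*)'",
    "result": r"\bresult\s*:\s*(WERR_\w+)",
}


def normalise(raw):
    """Drop leading '>' quote markers and re-join mail-wrapped lines."""
    lines = (re.sub(r"^\s*(?:>\s?)+", "", ln) for ln in raw.splitlines())
    return re.sub(r"\s+", " ", " ".join(lines)).strip()


def triage(raw):
    """Return the extracted fields plus a list of plain-language findings."""
    text = normalise(raw)
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        out[name] = m.group(1) if m else None
    if out["principal"]:
        out["principal"] = out["principal"].replace(" at ", "@")

    acct = out["admin_account"] or ""
    typed = acct.split("\\", 1)[0] if "\\" in acct else None
    out["typed_domain"] = typed
    kinit_realm = out["principal"].split("@", 1)[1] if out["principal"] else None

    findings = []
    if "Client not found in Kerberos database" in (out["error_string"] or ""):
        findings.append(f"KDC knows no client principal {out['principal']}")
    if typed and out["workgroup"] and typed.upper() != out["workgroup"].upper():
        findings.append(
            f"account typed with domain '{typed}', but kinit used realm "
            f"{kinit_realm} (configured workgroup {out['workgroup']})"
        )
    out["findings"] = findings
    return out


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print("-", line)
```
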