[Samba] Winbind issues with AD member file server
Eric Shell
eshell at ucsc.edu
Wed Jul 10 17:22:45 UTC 2019
>
> > When I try to
> > access even an already-mounted NFS directory to which I have permission,
> > gssproxy complains:
> >
> > Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.
> > Minor code may provide more information,
> > Client 'host/smb.soe.ucsc.edu at AD.SOE.UCSC.EDU' not found in Kerberos
> > database
>
> It would complain; GSS is a Kerberos thing, so you need a ticket for it.
>
> Can you kerberise NFS?
>
Kerberizing NFS is something we've wanted to do for a while as a way out of
our low ID issue, but it was never implemented. We may be forced to do it
now.
> > We have an existing Samba 4.8.3 server that is configured to use the ldap
> > backend and does not run winbind, which gives us the desired behavior. I
> > was hoping to replace that server because it has its own issues, but with
> > the ad backend since the ldap one is no longer recommended. gssproxy's man
> > page indicates that it cannot be configured to mount otherwise. Am I out
> > of luck with winbind?
> So, it isn't an AD domain member, if it was, you would have to run winbind.
>
No, the old server isn't a member. It only uses AD for authentication.
Please see the bottom of this message for that server's smb.conf file.
It's a real Frankenstein's monster which began as a Samba 3 configuration
and has been touched by many hands since then, but it more or less does its
job. Maybe I should focus on recreating this configuration instead of
using the ad backend, despite the ldap one being deprecated?
> I think I have asked this twice already, but you never know, third time
> lucky ;-)
>
> What do you use the openldap server for?
>
I'm sorry, I thought I had answered this. It is used to provide
authentication and user information services to various Unix systems and
web services. It's still in place largely due to legacy reasons.
> Could you use an AD DC instead?
>
Similar to Kerberizing NFS, this was also a plan that was back-burnered for
a long while.
--
[global]
workgroup = BSOE
server string = SAMBA-01
netbios name = SAMBA-01
realm = ad.soe.ucsc.edu
security = ads
winbind nss info = template
logging = syslog at 2
log level = 2
browseable = yes
read only = no
local master = no
load printers = no
preserve case = yes
case sensitive = yes
wins support = no
passdb backend = tdbsam
printing = bsd
printcap name = /dev/null
disable spoolss = yes
client ldap sasl wrapping = sign
short preserve case = yes
nt acl support = no
wide links = no
unix extensions = no
strict locking = yes
kernel change notify = no
idmap config * : backend = ldap
idmap config * : range = 100-999999999
idmap config * : ldap_url = ldaps://ldap-01.soe.ucsc.edu/
idmap config * : ldap_base_dn = dc=soe,dc=ucsc,dc=edu
--
Eric Shell
BSOE Technical Staff
eshell at ucsc.edu
831 459 4919
Baskin Engineering, Room 313