[Samba] Winbind issues with AD member file server

Eric Shell eshell at ucsc.edu
Wed Jul 10 17:22:45 UTC 2019

> When I try to
> > access even an already-mounted NFS directory to which I have permission,
> > gssproxy complains:
> >
> > Jul 10 08:55:51 smb gssproxy: gssproxy[1469]: (OID: { 1 2 840 113554 1 2
> 2
> > }) Unspecified GSS failure.  Minor code may provide more information,
> > Client 'host/smb.soe.ucsc.edu at AD.SOE.UCSC.EDU' not found in Kerberos
> > database
> It would complain, GSS is a kerberos thing, so you need a ticket for it.
> Can you kerberise NFS ?

Kerberizing NFS is something we've wanted to do for a while as a way out of
our low ID issue but wasn't ever implemented.  We may be forced to do it

> > We have an existing Samba 4.8.3 server that is configured to use the ldap
> > backend and does not run winbind, which gives us the desired behavior.  I
> > was hoping to replace that server because it has its own issues, but with
> > the ad backend since the ldap one is no longer recommended.  gssproxy's
> man
> > page indicates that it cannot be configured to mount otherwise.  Am I out
> > of luck with winbind?
> So, it isn't an AD domain member, if it was, you would have to run winbind.

No, the old server isn't a member.  It only uses AD for authentication.
Please see the bottom of this message for that server's smb.conf file.
It's a real Frankenstein's monster which began as a Samba 3 configuration
and has been touched by many hands since then, but it more or less does its
job.  Maybe I should focus on recreating this configuration instead of
using the ad backend, despite the ldap one being deprecated?

> I think I have asked this twice already, but you never know, third time
> lucky ;-)
> What do you use the openldap server for ?

I'm sorry, I thought I had answered this.  It is used to provide
authentication and user information services to various Unix systems and
web services.  It's still in place largely due to legacy reasons.

> Could you use an AD DC instead ?

Similar to Kerberizing NFS, this was also a plan that was backburnered for
a long while.


 workgroup = BSOE
 server string = SAMBA-01
 netbios name = SAMBA-01
 realm = ad.soe.ucsc.edu
 security = ads
 winbind nss info = template
 logging = syslog at 2
 log level = 2
 browseable = yes
 read only = no
 local master = no
 load printers = no
 preserve case = yes
 case sensitive = yes
 wins support = no
 passdb backend = tdbsam
 printing = bsd
 printcap name = /dev/null
 disable spoolss = yes
 client ldap sasl wrapping = sign
 short preserve case = yes
 nt acl support = no
 wide links = no
 unix extensions = no
 strict locking = yes
 kernel change notify = no
 idmap config * : backend = ldap
 idmap config * : range = 100-999999999
 idmap config * : ldap_url = ldaps://ldap-01.soe.ucsc.edu/
 idmap config * : ldap_base_dn = dc=soe,dc=ucsc,dc=edu

Eric Shell
BSOE Technical Staff
eshell at ucsc.edu
831 459 4919
Baskin Engineering, Room 313

More information about the samba mailing list