[Samba] security = ads parameter not working in samba 4.9.5

Sac Isilia udaypratap.singh65 at gmail.com
Wed Nov 27 14:36:10 UTC 2019


Hi Rowland,

I reconfigured my smb.conf, taking reference from the link provided earlier,
but the winbind service is still not able to start. Below is the output of
testparm.

root at esmad1apl01:~# testparm
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
ERROR: Do not use the 'ad' backend as the default idmap backend!

Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = secrets and keytab
        log file = /var/log/samba/log.%m
        logging = file
        map to guest = Bad User
        max log size = 1000
        obey pam restrictions = Yes
        pam password change = Yes
        panic action = /usr/share/samba/panic-action %d
        passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        passwd program = /usr/bin/passwd %u
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        server role = standalone server
        unix password sync = Yes
        usershare allow guests = Yes
        winbind use default domain = Yes
        workgroup = EMEA-MEDIA
        idmap config *: unix_nss_info = yes
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 16777216-33554431
        idmap config * : backend = ad
        map acl inherit = Yes
        vfs objects = acl_xattr


[homes]
        browseable = No
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        valid users = %S


[printers]
        browseable = No
        comment = All Printers
        create mask = 0700
        path = /var/spool/samba
        printable = Yes


[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

I can see the logs below in log.winbindd:

  Could not fetch our SID - did we join?
[2019/11/26 15:56:13.918337,  0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:56:15.843545,  0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:56:15.855817,  0]
../source3/winbindd/winbindd_util.c:1255(init_domain_list)
  Could not fetch our SID - did we join?
[2019/11/26 15:56:15.855891,  0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:57:05.637011,  0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:57:05.647112,  0]
../source3/winbindd/winbindd_util.c:1255(init_domain_list)
  Could not fetch our SID - did we join?
[2019/11/26 15:57:05.647198,  0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
  unable to initialize domain list
[2019/11/26 15:57:29.329423,  0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
  initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:57:29.337077,  0]
../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to
serve connections
[2019/11/26 16:55:23.571022,  0]
../source3/winbindd/winbindd.c:244(winbindd_sig_term_handler)
  Got sig[15] terminate (is_parent=1)
[2019/11/26 16:55:23.700798,  0] ../source3/winbindd/winbindd.c:1771(main)
  main: FATAL: Invalid idmap backend ad configured as the default backend!
[2019/11/27 14:36:42.619638,  0] ../source3/winbindd/winbindd.c:1771(main)
  main: FATAL: Invalid idmap backend ad configured as the default backend!

Regards
Sachin Kumar

On Wed, Nov 27, 2019 at 5:59 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry I meant man idmap_ad. But checking again man is equal of
> > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > page [1]
> >
> > Examples don't mention netbios name ... I did [2], where instead of
> > workgroup I used netbios name, and it is working, but I still don't know
> > why or even if it is correct.
> You do not need to set 'netbios name', it will be set for you from the
> hostname
> >
> >
> >
> > [2]
> > [global]
> >      netbios name = REPO
> >      security = ADS
> >      workgroup = SAMDOM
> >      realm = SAMDOM.EXAMPLE.COM
> >
> >      winbind use default domain = yes
> >
> >      idmap config * : backend = tdb
> >      idmap config * : range = 1000000-1999999
> >
> >      idmap config REPO : backend = ad
> >      idmap config REPO : schema_mode = rfc2307
> >      idmap config REPO : range = 10000-999999
> >      idmap config REPO : unix_nss_info = yes
>
> You need to use the workgroup name, not the netbios name. There will be
> three domains on your Unix domain member:
>
> BUILTIN : Mostly used for the Well Known SIDs
>
> SAMDOM : Your AD domain
>
> REPO : a local domain and not really relevant
>
> >      vfs objects = acl_xattr
> >      map acl inherit = yes
> >      store dos attributes = yes
> >
> >      template shell = /bin/false
> >      template homedir = /srv/samba/users/%U
> >      username map = /var/lib/samba/user.map
> >
> >
> >
> > [1]
> > EXAMPLES
> >         The following example shows how to retrieve idmappings from our
> > principal and trusted AD domains. If trusted domains are present id
> >         conflicts must be resolved beforehand, there is no guarantee on
> > the order conflicting mappings would be resolved at this point.
> >         This example also shows how to leave a small non conflicting
> > range for local id allocation that may be used in internal backends
> >         like BUILTIN.
> >
> >                  [global]
> >                  workgroup = CORP
> >
> >                  idmap config * : backend = tdb
> >                  idmap config * : range = 1000000-1999999
> >
> >                  idmap config CORP : backend  = ad
> >                  idmap config CORP : range = 1000-999999
>
> Rowland
>
>
>
>
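
An added example, not part of the original thread and not Samba code: a small Python check for the idmap problems discussed above (the 'ad' backend set on the default `*` domain, no idmap section named after the workgroup, and overlapping ranges). The function names and the FIXED sample are assumptions constructed for illustration.

```python
import re

# Constructed input: the idmap lines from the failing testparm dump in this thread.
FAILING = """[global]
workgroup = EMEA-MEDIA
idmap config *: unix_nss_info = yes
idmap config * : schema_mode = rfc2307
idmap config * : range = 16777216-33554431
idmap config * : backend = ad
"""
# Constructed input: layout of the quoted example [2], keyed on the workgroup name.
FIXED = """[global]
workgroup = EMEA-MEDIA
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
idmap config EMEA-MEDIA : backend = ad
idmap config EMEA-MEDIA : schema_mode = rfc2307
idmap config EMEA-MEDIA : range = 10000-999999
"""
IDMAP = re.compile(r"idmap config\s+(\S+?)\s*:\s*(\S+)\s*=\s*(.+)", re.I)

def parse_global(text):
    """Return (workgroup, {domain: {option: value}}) for the [global] section."""
    section, workgroup, idmap = "", None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global":
            m = IDMAP.match(line)
            if m:
                idmap.setdefault(m[1].upper(), {})[m[2].lower()] = m[3].strip()
            elif re.match(r"workgroup\s*=", line, re.I):
                workgroup = line.split("=", 1)[1].strip().upper()
    return workgroup, idmap

def check_idmap(text):
    """List the idmap problems discussed in the thread; empty list means none found."""
    workgroup, idmap = parse_global(text)
    problems = []
    if idmap.get("*", {}).get("backend", "").lower() == "ad":
        problems.append("default-backend-ad")        # testparm ERROR / winbindd FATAL
    if workgroup and workgroup not in idmap:
        problems.append("no-section-for-workgroup")  # section must use the workgroup name
    spans = sorted((tuple(map(int, o["range"].split("-"))), d)
                   for d, o in idmap.items() if "range" in o)
    for ((_, hi), a), ((lo, _), b) in zip(spans, spans[1:]):
        if lo <= hi:
            problems.append(f"range-overlap:{a}/{b}")
    return problems
```

Running `check_idmap` on the text of /etc/samba/smb.conf before restarting winbind gives the same answer as the testparm ERROR line, plus the workgroup-name and range checks that testparm did not report here.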

