[Samba] security = ads parameter not working in samba 4.9.5
Sac Isilia
udaypratap.singh65 at gmail.com
Wed Nov 27 14:36:10 UTC 2019
Hi Rowland,
I reconfigured my smb.conf taking reference from the link provided earlier
but still the winbind service is not able to start. Below is the output of
testparm.
root at esmad1apl01:~# testparm
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
ERROR: Do not use the 'ad' backend as the default idmap backend!
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
# Global parameters
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
log file = /var/log/samba/log.%m
logging = file
map to guest = Bad User
max log size = 1000
obey pam restrictions = Yes
pam password change = Yes
panic action = /usr/share/samba/panic-action %d
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
realm = EMEA.MEDIA.GLOBAL.LOC
security = ADS
server role = standalone server
unix password sync = Yes
usershare allow guests = Yes
winbind use default domain = Yes
workgroup = EMEA-MEDIA
idmap config *: unix_nss_info = yes
idmap config * : schema_mode = rfc2307
idmap config * : range = 16777216-33554431
idmap config * : backend = ad
map acl inherit = Yes
vfs objects = acl_xattr
[homes]
browseable = No
comment = Home Directories
create mask = 0700
directory mask = 0700
valid users = %S
[printers]
browseable = No
comment = All Printers
create mask = 0700
path = /var/spool/samba
printable = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
I can see below logs in log.winbindd
Could not fetch our SID - did we join?
[2019/11/26 15:56:13.918337, 0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
unable to initialize domain list
[2019/11/26 15:56:15.843545, 0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:56:15.855817, 0]
../source3/winbindd/winbindd_util.c:1255(init_domain_list)
Could not fetch our SID - did we join?
[2019/11/26 15:56:15.855891, 0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
unable to initialize domain list
[2019/11/26 15:57:05.637011, 0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:57:05.647112, 0]
../source3/winbindd/winbindd_util.c:1255(init_domain_list)
Could not fetch our SID - did we join?
[2019/11/26 15:57:05.647198, 0]
../source3/winbindd/winbindd.c:1454(winbindd_register_handlers)
unable to initialize domain list
[2019/11/26 15:57:29.329423, 0]
../source3/winbindd/winbindd_cache.c:3160(initialize_winbindd_cache)
initialize_winbindd_cache: clearing cache and re-creating with version
number 2
[2019/11/26 15:57:29.337077, 0]
../lib/util/become_daemon.c:138(daemon_ready)
daemon_ready: STATUS=daemon 'winbindd' finished starting up and ready to
serve connections
[2019/11/26 16:55:23.571022, 0]
../source3/winbindd/winbindd.c:244(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=1)
[2019/11/26 16:55:23.700798, 0] ../source3/winbindd/winbindd.c:1771(main)
main: FATAL: Invalid idmap backend ad configured as the default backend!
[2019/11/27 14:36:42.619638, 0] ../source3/winbindd/winbindd.c:1771(main)
main: FATAL: Invalid idmap backend ad configured as the default backend!
Regards
Sachin Kumar
On Wed, Nov 27, 2019 at 5:59 PM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 27/11/2019 11:03, Sérgio Basto via samba wrote:
> > Sorry I meant man idmap_ad. But checking again man is equal of
> > https://wiki.samba.org/index.php/Idmap_config_ad in EXAMPLES of man
> > page [1]
> >
> > Examples don't mention netbios name ... I did [2] which instead use
> > workgroup I used netbios name and it is working but still don't know
> > why or even if it correct .
> You do not need to set 'netbios name', it will be set for you from the
> hostname
> >
> >
> >
> > [2]
> > [global]
> > netbios name = REPO
> > security = ADS
> > workgroup = SAMDOM
> > realm = SAMDOM.EXAMPLE.COM
> >
> > winbind use default domain = yes
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config REPO : backend = ad
> > idmap config REPO : schema_mode = rfc2307
> > idmap config REPO : range = 10000-999999
> > idmap config REPO : unix_nss_info = yes
>
> You need to use the workgroup name, not the netbios name. There will be
> three domains on your Unix domain member:
>
> BUILTIN : Mostly used for the Well Known SIDs
>
> SAMDOM : Your AD domain
>
> REPO : a local domain and not really relevant
>
> > vfs objects = acl_xattr
> > map acl inherit = yes
> > store dos attributes = yes
> >
> > template shell = /bin/false
> > template homedir = /srv/samba/users/%U
> > username map = /var/lib/samba/user.map
> >
> >
> >
> > [1]
> > EXAMPLES
> > The following example shows how to retrieve idmappings from our
> > principal and trusted AD domains. If trusted domains are present id
> > conflicts must be resolved beforehand, there is no guarantee on
> > the order conflicting mappings would be resolved at this point.
> > This example also shows how to leave a small non conflicting
> > range for local id allocation that may be used in internal backends
> > like BUILTIN.
> >
> > [global]
> > workgroup = CORP
> >
> > idmap config * : backend = tdb
> > idmap config * : range = 1000000-1999999
> >
> > idmap config CORP : backend = ad
> > idmap config CORP : range = 1000-999999
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list