[Samba] security = ads parameter not working in samba 4.9.5

Rowland penny rpenny at samba.org
Wed Nov 27 15:33:44 UTC 2019


On 27/11/2019 14:36, Sac Isilia wrote:
> Hi Rowland,
>
> I reconfigured my smb.conf taking reference from the link provided 
> earlier but still the winbind service is not able to start.
Sorry, but no, you haven't ;-)
> Below is the output of testparm.
>
> root at esmad1apl01:~# testparm
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> ERROR: Do not use the 'ad' backend as the default idmap backend!
The error message tells you what is wrong.
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = secrets and keytab
>         log file = /var/log/samba/log.%m
>         logging = file
>         map to guest = Bad User
>         max log size = 1000
>         obey pam restrictions = Yes
>         pam password change = Yes
>         panic action = /usr/share/samba/panic-action %d
>         passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>         passwd program = /usr/bin/passwd %u
>         realm = EMEA.MEDIA.GLOBAL.LOC
>         security = ADS
>         server role = standalone server
>         unix password sync = Yes
>         usershare allow guests = Yes
>         winbind use default domain = Yes
>         workgroup = EMEA-MEDIA
>         idmap config *: unix_nss_info = yes
>         idmap config * : schema_mode = rfc2307
>         idmap config * : range = 16777216-33554431
>         idmap config * : backend = ad

The 'idmap config' lines should be:

         idmap config * : backend = tdb
         idmap config * : range = 3000-7999
         idmap config EMEA-MEDIA : backend = ad
         idmap config EMEA-MEDIA : range = 16777216-33554431
         idmap config EMEA-MEDIA : unix_nss_info = yes
         idmap config EMEA-MEDIA : schema_mode = rfc2307

Of course, the 'EMEA-MEDIA' range would be better as '10000-999999' if 
you haven't added rfc2307 attributes to AD.

You must also remove these lines:

         server role = standalone server
         unix password sync = Yes

You are running Samba as a Unix domain member, not as a standalone 
server, and you cannot have the same usernames in AD and /etc/passwd, so 
how can you sync the passwords?

Rowland
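The checks Rowland applies by eye (default '*' idmap backend set to 'ad', a 'server role' that contradicts 'security = ADS', a stray 'unix password sync', and no idmap block for the joined domain) can be automated. The script below is an added example written for this thread, not Samba's own code or testparm: it parses the [global] section of an smb.conf with a minimal hand-written parser (stock configparser cannot be used because the idmap keys contain ':'), groups the 'idmap config' parameters per domain, and reports the findings. The two embedded configs are constructed abridgements of the broken config quoted above and of the corrected layout; the overlap check on idmap ranges goes one step beyond the thread, since ranges of different domains must never intersect.

```python
"""Lint the [global] section of an smb.conf for the domain-member idmap
mistakes discussed in the thread.  Added example, not Samba/testparm code."""
import re

# Constructed sample: the problematic config quoted in the thread (abridged)
BAD_CONF = """
[global]
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        server role = standalone server
        unix password sync = Yes
        workgroup = EMEA-MEDIA
        idmap config *: unix_nss_info = yes
        idmap config * : schema_mode = rfc2307
        idmap config * : range = 16777216-33554431
        idmap config * : backend = ad
"""

# Constructed sample: the corrected layout from the reply (abridged)
GOOD_CONF = """
[global]
        realm = EMEA.MEDIA.GLOBAL.LOC
        security = ADS
        workgroup = EMEA-MEDIA
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config EMEA-MEDIA : backend = ad
        idmap config EMEA-MEDIA : range = 16777216-33554431
        idmap config EMEA-MEDIA : unix_nss_info = yes
        idmap config EMEA-MEDIA : schema_mode = rfc2307
"""

# Matches the normalised key "idmap config <domain> : <option>"
IDMAP_RE = re.compile(r"^idmap config\s*(\S+)\s*:\s*(\S+)$")


def parse_global(text):
    """Return {key: value} for [global]; keys are lower-cased and
    whitespace-normalised.  Only '=' separates key and value, because
    idmap keys themselves contain ':'."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return params


def idmap_domains(params):
    """Group idmap parameters by domain: {'*': {'backend': 'tdb', ...}, ...}"""
    domains = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m:
            domains.setdefault(m.group(1).upper(), {})[m.group(2)] = value.lower()
    return domains


def parse_range(value):
    """'3000-7999' -> (3000, 7999)"""
    lo, hi = (int(x) for x in value.replace(" ", "").split("-"))
    return lo, hi


def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_global(text)
    domains = idmap_domains(p)
    default = domains.get("*", {})
    workgroup = p.get("workgroup", "").upper()
    findings = []

    if p.get("security", "").lower() == "ads":
        if p.get("server role", "").lower() == "standalone server":
            findings.append("'server role = standalone server' contradicts 'security = ADS'")
        if p.get("unix password sync", "").lower() == "yes":
            findings.append("'unix password sync = Yes' is meaningless on a domain member")
        if default.get("backend") == "ad":
            findings.append("default idmap backend '*' must not be 'ad'")
        if workgroup and workgroup not in domains:
            findings.append(f"no 'idmap config {workgroup} : ...' block for the joined domain")

    # Ranges of different domains must never intersect (beyond the thread's checks)
    ranges = [(d, parse_range(c["range"])) for d, c in domains.items() if "range" in c]
    for i, (d1, r1) in enumerate(ranges):
        for d2, r2 in ranges[i + 1:]:
            if r1[0] <= r2[1] and r2[0] <= r1[1]:
                findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, "->", lint(conf) or "OK")
```

Running it prints four findings for BAD_CONF and OK for GOOD_CONF. Because winbind refuses to start while the default '*' backend is 'ad', a check like this is cheap to run before restarting the service on a domain member.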



