[Samba] security = ads parameter not working in samba 4.9.5
Rowland penny
rpenny at samba.org
Wed Nov 27 15:33:44 UTC 2019
On 27/11/2019 14:36, Sac Isilia wrote:
> Hi Rowland,
>
> I reconfigured my smb.conf taking reference from the link provided
> earlier but still the winbind service is not able to start.
Sorry, but no, you haven't ;-)
> Below is the output of testparm.
>
> root at esmad1apl01:~# testparm
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> ERROR: Do not use the 'ad' backend as the default idmap backend!
The error message tells you what is wrong.
>
> Server role: ROLE_DOMAIN_MEMBER
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> log file = /var/log/samba/log.%m
> logging = file
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = Yes
> pam password change = Yes
> panic action = /usr/share/samba/panic-action %d
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> realm = EMEA.MEDIA.GLOBAL.LOC
> security = ADS
> server role = standalone server
> unix password sync = Yes
> usershare allow guests = Yes
> winbind use default domain = Yes
> workgroup = EMEA-MEDIA
> idmap config *: unix_nss_info = yes
> idmap config * : schema_mode = rfc2307
> idmap config * : range = 16777216-33554431
> idmap config * : backend = ad
The 'idmap config' lines should be:
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config EMEA-MEDIA : backend = ad
idmap config EMEA-MEDIA : range = 16777216-33554431
idmap config EMEA-MEDIA : unix_nss_info = yes
idmap config EMEA-MEDIA : schema_mode = rfc2307
Of course, the 'EMEA-MEDIA' range would be better as '10000-999999' if
you haven't added rfc2307 attributes to AD.
You must also remove these lines:
server role = standalone server
unix password sync = Yes
You are running Samba as a Unix domain member, not as a standalone
server, and you cannot have the same usernames in AD and /etc/passwd, so
how can you sync the passwords?
Rowland
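The checks Rowland walks through above (no 'ad' as the default '*' idmap backend, a separate idmap block for the joined domain, non-overlapping ranges, and no standalone-server or unix-password-sync settings on a domain member) can be scripted so they run before winbind is restarted. The following is an added example written for this post; it is not Rowland's code or part of Samba's own testparm. It assumes only the [global] parameter spellings shown in the quoted testparm dump, and both embedded configurations are constructed from that dump (the broken one) and from the corrected idmap lines (the fixed one).

```python
"""Sanity-check idmap and role settings in a Samba domain-member smb.conf.

Added example, not Samba's own tooling. It re-implements the testparm
complaint quoted in the thread ("do not use the 'ad' backend as the
default idmap backend") and adds the other checks Rowland raises.
"""
import re

# Constructed sample: the relevant [global] lines from the quoted testparm output.
BROKEN_GLOBAL = """
[global]
    realm = EMEA.MEDIA.GLOBAL.LOC
    security = ADS
    server role = standalone server
    unix password sync = Yes
    workgroup = EMEA-MEDIA
    idmap config *: unix_nss_info = yes
    idmap config * : schema_mode = rfc2307
    idmap config * : range = 16777216-33554431
    idmap config * : backend = ad
"""

# Constructed sample: the same member with the idmap lines as corrected above.
FIXED_GLOBAL = """
[global]
    realm = EMEA.MEDIA.GLOBAL.LOC
    security = ADS
    workgroup = EMEA-MEDIA
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EMEA-MEDIA : backend = ad
    idmap config EMEA-MEDIA : range = 16777216-33554431
    idmap config EMEA-MEDIA : unix_nss_info = yes
    idmap config EMEA-MEDIA : schema_mode = rfc2307
"""

# "idmap config <domain> : <option>" on the left of the '='; spacing around ':' varies.
IDMAP_RE = re.compile(r"^idmap config\s*(?P<dom>[^:]+?)\s*:\s*(?P<key>\w+)$", re.I)


def parse_global(text):
    """Return (params, idmap): plain [global] parameters, and idmap[domain][option]."""
    params, idmap = {}, {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if not in_global or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = IDMAP_RE.match(key)
        if m:
            idmap.setdefault(m.group("dom").upper(), {})[m.group("key").lower()] = value
        else:
            params[key.lower()] = value
    return params, idmap


def parse_range(value):
    """'low-high' -> (low, high) as integers."""
    low, high = value.split("-")
    return int(low), int(high)


def check_member_config(text):
    """Return a list of problem descriptions; an empty list means all checks pass."""
    params, idmap = parse_global(text)
    problems = []
    workgroup = params.get("workgroup", "").upper()

    # testparm's own error: the catch-all '*' domain must not use the 'ad' backend.
    if idmap.get("*", {}).get("backend", "").lower() == "ad":
        problems.append("default idmap backend ('*') must not be 'ad'")

    # security = ADS means a domain member; an explicit standalone role contradicts it.
    role = params.get("server role", "").lower()
    if params.get("security", "").lower() == "ads" and role and role not in (
        "member server", "member", "auto"
    ):
        problems.append(f"security = ADS conflicts with server role = {role}")

    # AD accounts are not in /etc/passwd, so there is nothing to sync.
    if params.get("unix password sync", "no").lower() in ("yes", "true", "1"):
        problems.append("unix password sync is meaningless for AD users on a domain member")

    # The joined domain needs its own idmap block, not just the '*' defaults.
    if workgroup and workgroup not in idmap:
        problems.append(f"no 'idmap config {workgroup}' block for the joined domain")

    # Every idmap domain needs a range, and ranges must not overlap each other.
    ranges = []
    for dom, conf in idmap.items():
        if "range" not in conf:
            problems.append(f"idmap config {dom}: no range set")
            continue
        ranges.append((dom,) + parse_range(conf["range"]))
    for i, (d1, lo1, hi1) in enumerate(ranges):
        for d2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                problems.append(f"idmap ranges for {d1} and {d2} overlap")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_GLOBAL), ("fixed", FIXED_GLOBAL)):
        print(f"{name}: {check_member_config(cfg) or 'OK'}")
```

Run against the quoted configuration it reports the four issues raised in the reply; against the corrected idmap lines (with the two offending parameters removed) it reports none. It deliberately does not try to decide whether the 'ad' range should be 10000-999999 instead, since that depends on whether rfc2307 attributes exist in AD, which cannot be read from smb.conf.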