[Samba] problems after migrating NT domain to AD (samba 4.7.x)

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sat Sep 28 20:39:39 UTC 2019


On 28.09.2019 at 21:29, Rowland penny via samba wrote:
> On 28/09/2019 19:40, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>> Dear List,
>>
>> My domain +/- works, so I am trying to fix the rest of the services 
>> based on the NT/AD domain....
>>
>> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before the 
>> migration it worked).
>>
>> And after the migration authorization does not work.
>>
>> The freeradius server is on a samba domain member.
>>
>> So I check domain connectivity:
>>
>> [root at see-you-later samba]# net ads testjoin
>> Join is OK
>> [root at see-you-later samba]# wbinfo -a test%XXXX
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> [root at see-you-later samba]# wbinfo -g
>>
>> here a list of domain groups
>>
>> smb.conf
>>
>> [global]
>>         dos charset = CP852
>>         unix charset = UTF8
>>         workgroup = WSISIZ.EDU.PL
>>         realm = ad.wsisiz.edu.pl
>>         server role = member server
>>         security = ads
>>         allow trusted domains = No
>>         log level = 0
>>         time server = Yes
>>         deadtime = 60
>>         hostname lookups = Yes
>>         printcap cache time = 600
>>         printcap name = cups
>>         wins support = Yes
>>         remote browse sync = oxygene.ibspan.waw.pl antarctica china direct odyssey
>>         winbind use default domain = Yes
>>         create mask = 0644
>>         inherit acls = Yes
>>         remote browse sync = oceanic.wsisiz.edu.pl
>>         create mask = 0644
>>         hosts allow = 127., 213.135.34.0/255.255.255.0, 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0, 2001:1a68:a::/48, ::1
>>         hide dot files = No
>>         ea support = Yes
>>         map acl inherit = Yes
>>         cups options = raw
>>         hide dot files = No
>>         store dos attributes = Yes
>>         wide links = Yes
>>         acl allow execute always = yes
>>         ntlm auth = mschapv2-and-ntlmv2-only
>
> I suspect you are back on a red-hat distro here or at least you are 
> using sssd, if so do this:
>
> yum remove sssd*
On those machines I have no sssd installed.
>
> you cannot use sssd with Samba on a Unix domain member, you must use 
> winbind, sssd and winbind are mutually exclusive.

> Samba does not provide support for sssd because we do not produce it, 
> you will need to ask on the sssd-users mailing list.
>
> If you are not using sssd, your smb.conf does not have any 'idmap 
> config'  lines, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member


So if every user in my AD domain has rfc2307 attributes, must the lines 
look like this:

         idmap config WSISIZ.EDU.PL:backend = ad
         idmap config WSISIZ.EDU.PL:schema_mode = rfc2307
         idmap config *:range = 500-200000

?



>
> Rowland
>
>

-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pokój 421, pon.-pt. 8-16
Motto - As you make your bed, so you will sleep in it
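Added example, not from this thread and not part of Samba: a small Python linter for the 'idmap config' lines Rowland points at. It encodes the layout the linked wiki page (Setting_up_Samba_as_a_Domain_Member) describes for the ad backend: a default '*' backend (tdb) with its own range, plus a per-domain backend with a range that does not overlap it. The two sample configs are constructed here from the lines proposed above (workgroup WSISIZ.EDU.PL, backend ad, schema_mode rfc2307) and are not the poster's full smb.conf.

```python
"""Lint the 'idmap config' lines of an smb.conf on a Samba AD domain member.

Constructed example: flags the two gaps in the proposed snippet (no default
backend, no range for the domain's own ad backend) and overlapping ranges.
"""
import re

# One 'idmap config <DOMAIN> : <key> = <value>' line; spaces around ':' optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Constructed from the snippet proposed in the mail (not a complete smb.conf).
PROPOSED = """
[global]
        workgroup = WSISIZ.EDU.PL
        security = ads
        idmap config WSISIZ.EDU.PL:backend = ad
        idmap config WSISIZ.EDU.PL:schema_mode = rfc2307
        idmap config *:range = 500-200000
"""

# Constructed layout following the Samba wiki for the ad backend.
CORRECTED = """
[global]
        workgroup = WSISIZ.EDU.PL
        security = ads
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        idmap config WSISIZ.EDU.PL : backend = ad
        idmap config WSISIZ.EDU.PL : schema_mode = rfc2307
        idmap config WSISIZ.EDU.PL : range = 10000-999999
"""


def parse_idmap(conf_text):
    """Return {DOMAIN: {key: value}} for every 'idmap config' line (comments ignored)."""
    idmap = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").upper()
            idmap.setdefault(dom, {})[m.group("key").lower()] = m.group("val")
    return idmap


def parse_range(val):
    """'low-high' -> (low, high); raises ValueError on a malformed or inverted range."""
    lo, hi = (int(x) for x in val.split("-"))
    if lo >= hi:
        raise ValueError("inverted range")
    return lo, hi


def check_idmap(conf_text, workgroup):
    """Return a list of problem codes; an empty list means the idmap block is sane."""
    idmap = parse_idmap(conf_text)
    problems = []
    default = idmap.get("*", {})
    if "backend" not in default:
        problems.append("no-default-backend")      # '*' needs 'backend = tdb'
    if "range" not in default:
        problems.append("no-default-range")
    dom = idmap.get(workgroup.upper())
    if dom is None:
        problems.append("no-domain-entry")         # nothing for the joined domain
        return problems
    if "backend" not in dom:
        problems.append("no-domain-backend")
    if "range" not in dom:
        problems.append("no-domain-range")         # ad/rid backends need a range
    if "range" in default and "range" in dom:
        try:
            (a_lo, a_hi), (b_lo, b_hi) = parse_range(default["range"]), parse_range(dom["range"])
        except ValueError:
            problems.append("bad-range")
        else:
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append("overlapping-ranges")
    return problems


if __name__ == "__main__":
    for name, conf in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(name, check_idmap(conf, "WSISIZ.EDU.PL") or "ok")
```

Run against the proposed lines it reports no-default-backend and no-domain-range; the corrected layout passes. After editing smb.conf, `testparm` and `wbinfo -i <user>` are the usual checks that winbind now maps the rfc2307 uidNumber/gidNumber for domain users.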


