[Samba] problems after migrating NT domain to AD (samba 4.7.x)
Bartłomiej Solarz-Niesłuchowski
Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Sat Sep 28 20:39:39 UTC 2019
On 28.09.2019 at 21:29, Rowland penny via samba wrote:
> On 28/09/2019 19:40, Bartłomiej Solarz-Niesłuchowski via samba wrote:
>> Dear List,
>>
>> My domain +/- works, so I try to fix the rest of the services based on domain
>> NT/AD....
>>
>> I use WiFi authorization with PEAP/MSCHAPv2 + freeradius (before
>> migration it worked).
>>
>> And after migration authorization does not work.
>>
>> Freeradius server is on samba domain member.
>>
>> So I check domain connectivity:
>>
>> [root@see-you-later samba]# net ads testjoin
>> Join is OK
>> [root@see-you-later samba]# wbinfo -a test%XXXX
>> plaintext password authentication succeeded
>> challenge/response password authentication succeeded
>> [root@see-you-later samba]# wbinfo -g
>>
>> here list of domain group
>>
>> smb.conf
>>
>> [global]
>> dos charset = CP852
>> unix charset = UTF8
>> workgroup = WSISIZ.EDU.PL
>> realm = ad.wsisiz.edu.pl
>> server role = member server
>> security = ads
>> allow trusted domains = No
>> log level = 0
>> time server = Yes
>> deadtime = 60
>> hostname lookups = Yes
>> printcap cache time = 600
>> printcap name = cups
>> wins support = Yes
>> remote browse sync = oxygene.ibspan.waw.pl antarctica china
>> direct odyssey
>> winbind use default domain = Yes
>> create mask = 0644
>> inherit acls = Yes
>> remote browse sync = oceanic.wsisiz.edu.pl
>> create mask = 0644
>> hosts allow = 127., 213.135.34.0/255.255.255.0,
>> 213.135.44.0/255.255.252.0, 213.135.48.0/255.255.254.0,
>> 2001:1a68:a::/48, ::1
>> hide dot files = No
>> ea support = Yes
>> map acl inherit = Yes
>> cups options = raw
>> hide dot files = No
>> store dos attributes = Yes
>> wide links = Yes
>> acl allow execute always = yes
>> ntlm auth = mschapv2-and-ntlmv2-only
>
> I suspect you are back on a red-hat distro here or at least you are
> using sssd, if so do this:
>
> yum remove sssd*
On that machine I have no sssd installed.
>
> you cannot use sssd with Samba on a Unix domain member, you must use
> winbind, sssd and winbind are mutually exclusive.
> Samba does not provide support for sssd because we do not produce it,
> you will need to ask on the sssd-users mailing list.
>
> If you are not using sssd, your smb.conf does not have any 'idmap
> config' lines, see here for more info:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
So if I have rfc2307 attributes on every user in my AD domain, the lines must
look like:
idmap config WSISIZ.EDU.PL:backend = ad
idmap config WSISIZ.EDU.PL:schema_mode = rfc2307
idmap config *:range = 500-200000
?
>
> Rowland
>
>
--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon-Fri 8-16
Motto - As you make your bed, so you must lie in it
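
Added example, not part of the original message and not Samba project code: a small Python check for the 'idmap config' gap raised in this thread, run over a constructed sample that combines the posted [global] section (abridged) with the idmap lines proposed above. The rules it applies (every configured domain and the default '*' domain need a valid range, and ranges must not overlap) are assumptions taken from the domain-member guidance linked in the message; parse_idmap and check_idmap are hypothetical names.

```python
import re

# Constructed sample: [global] lines from the thread plus the idmap lines
# proposed in the reply (the rest of the posted smb.conf is omitted).
SAMPLE = """\
[global]
workgroup = WSISIZ.EDU.PL
security = ads
idmap config WSISIZ.EDU.PL:backend = ad
idmap config WSISIZ.EDU.PL:schema_mode = rfc2307
idmap config *:range = 500-200000
"""

IDMAP_KEY = re.compile(r"^idmap\s+config\s+(.+?)\s*:\s*(\w+)$", re.I)
RANGE = re.compile(r"(\d+)\s*-\s*(\d+)")

def parse_idmap(text):
    """Return {domain: {option: value}} for idmap lines in [global]."""
    idmap, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            m = IDMAP_KEY.match(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
    return idmap

def check_idmap(text):
    """List idmap problems found in a domain member's smb.conf text."""
    idmap = parse_idmap(text)
    if not idmap:
        return ["no 'idmap config' lines"]
    issues, ranges = [], {}
    for dom in sorted(set(idmap) | {"*"}):  # '*' is the default domain
        m = RANGE.fullmatch(idmap.get(dom, {}).get("range", ""))
        if m and int(m.group(1)) <= int(m.group(2)):
            ranges[dom] = (int(m.group(1)), int(m.group(2)))
        else:
            issues.append(f"{dom}: range missing or invalid")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                issues.append(f"{a} and {b}: ranges overlap")
    return issues
```

On the constructed sample, check_idmap(SAMPLE) reports that the WSISIZ.EDU.PL domain has no range of its own.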