[Samba] Windows 2016 RSAT not connect with samba4 DC

Rowland penny rpenny at samba.org
Tue Dec 1 10:00:38 UTC 2020


On 30/11/2020 22:25, Rommel Rodriguez Toirac via samba wrote:
> On 30 November 2020 16:27:10 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>> On 30/11/2020 20:55, Rommel Rodriguez Toirac wrote:
>>> On 30 November 2020 15:43:24 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>> On 30/11/2020 20:32, Rommel Rodriguez Toirac via samba wrote:
>>>>> On 30 November 2020 14:19:19 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>> On 30/11/2020 19:09, Rommel Rodriguez Toirac wrote:
>>>>>>> On 30 November 2020 13:41:09 GMT-05:00, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>> On 30/11/2020 18:21, Rommel Rodriguez Toirac wrote:
>>>>>>>>>       I do not have installed sssd. I use winbind.
>>>>>>>>>
>>>>>>>> in which case, edit /etc/nsswitch.conf and make the passwd, shadow and
>>>>>>>> group lines look like this:
>>>>>>>>
>>>>>>>> passwd:      files winbind systemd
>>>>>>>> shadow:      files
>>>>>>>> group:       files winbind systemd
>>>>>>>>
>>>>>>>> remove every mention of 'sss'
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>      Done, now look like this:
>>>>>>>
>>>>>>>
>>>>>>>      [root@gtmad1 sbin]# cat /etc/nsswitch.conf
>>>>>>> #
>>>>>>> # /etc/nsswitch.conf
>>>>>>> #
>>>>>>> # An example Name Service Switch config file. This file should be
>>>>>>> # sorted with the most-used services at the beginning.
>>>>>>> #
>>>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>>>> # entry should stop if the search in the previous entry turned
>>>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>>>> # (like no NIS server responding) then the search continues with the
>>>>>>> # next entry.
>>>>>>> #
>>>>>>> # Valid entries include:
>>>>>>> #
>>>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>>>> #       files                   Use the local files in /etc
>>>>>>> #       db                      Use the pre-processed /var/db files
>>>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>>>> #
>>>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>>>> # generally come before 'files'.
>>>>>>>
>>>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>>>> # of 'files' for entries you want to be looked up first in the
>>>>>>> # databases, like this:
>>>>>>> #
>>>>>>> # passwd:    db files
>>>>>>> # shadow:    db files
>>>>>>> # group:     db files
>>>>>>>
>>>>>>> passwd:     files winbind systemd
>>>>>>> shadow:     files
>>>>>>> group:      files winbind systemd
>>>>>>>
>>>>>>> hosts:      files dns myhostname
>>>>>>>
>>>>>>> bootparams: files
>>>>>>>
>>>>>>> ethers:     files
>>>>>>> netmasks:   files
>>>>>>> networks:   files
>>>>>>> protocols:  files
>>>>>>> rpc:        files
>>>>>>> services:   files sss
>>>>>>>
>>>>>>> netgroup:   sss
>>>>>>>
>>>>>>> publickey:  files
>>>>>>>
>>>>>>> automount:  files sss
>>>>>>> aliases:    files
>>>>>>>
>>>>>>>
>>>>>> You still have 'sss' in the file, you do not need them if you don't have
>>>>>> sssd installed, I would change 'netgroup: sss' to 'netgroup: nis' and
>>>>>> remove the other 'sss'
>>>>>>
>>>>>> Rowland
>>>>>
>>>>>     After sending the messages I changed the file and left it like this:
>>>>>     [root@gtmad1 var]# cat /etc/nsswitch.conf
>>>>> #
>>>>> # /etc/nsswitch.conf
>>>>> #
>>>>> # An example Name Service Switch config file. This file should be
>>>>> # sorted with the most-used services at the beginning.
>>>>> #
>>>>> # The entry '[NOTFOUND=return]' means that the search for an
>>>>> # entry should stop if the search in the previous entry turned
>>>>> # up nothing. Note that if the search failed due to some other reason
>>>>> # (like no NIS server responding) then the search continues with the
>>>>> # next entry.
>>>>> #
>>>>> # Valid entries include:
>>>>> #
>>>>> #       nisplus                 Use NIS+ (NIS version 3)
>>>>> #       nis                     Use NIS (NIS version 2), also called YP
>>>>> #       dns                     Use DNS (Domain Name Service)
>>>>> #       files                   Use the local files in /etc
>>>>> #       db                      Use the pre-processed /var/db files
>>>>> #       compat                  Use /etc files plus *_compat pseudo-databases
>>>>> #       hesiod                  Use Hesiod (DNS) for user lookups
>>>>> #       sss                     Use sssd (System Security Services Daemon)
>>>>> #       [NOTFOUND=return]       Stop searching if not found so far
>>>>> #
>>>>> # 'sssd' performs its own 'files'-based caching, so it should
>>>>> # generally come before 'files'.
>>>>>
>>>>> # To use 'db', install the nss_db package, and put the 'db' in front
>>>>> # of 'files' for entries you want to be looked up first in the
>>>>> # databases, like this:
>>>>> #
>>>>> # passwd:    db files
>>>>> # shadow:    db files
>>>>> # group:     db files
>>>>>
>>>>> passwd:     files winbind
>>>>> shadow:     files
>>>>> group:      files winbind
>>>>> initgroups  files
>>>>>
>>>>> hosts:      files dns myhostname
>>>>>
>>>>> bootparams: nisplus files
>>>>>
>>>>> ethers:     files
>>>>> netmasks:   files
>>>>> networks:   files
>>>>> protocols:  files
>>>>> rpc:        files
>>>>> services:   files
>>>>>
>>>>> netgroup:   nis
>>>>>
>>>>> publickey:  nisplus
>>>>>
>>>>>
>>>>> automount:  files nisplus
>>>>> aliases:    files nisplus
>>>>>
>>>>>     But it does not work when I run the getent command:
>>>>>
>>>>>
>>>>> [root@gtmad1 var]# wbinfo -p
>>>>> Ping to winbindd succeeded
>>>>>
>>>>>
>>>>> [root@gtmad1 var]# getent passwd "ATGTM00\\rommel.rodriguez"
>>>>>
>>>>> [root@gtmad1 var]# getent group "ATGTM00\\Domain Users"
>>>>>
>>>>>
>>>>> ... and it still does not connect from Windows (7) using RSAT, neither from
>>>>> Windows 2016 Server Admin Tools/Active Directory Users and Computer tool.
>>>> Do you have these packages installed: samba samba-winbind
>>>> samba-winbind-clients krb5-workstation
>>>>
>>>> Have you run this command: authselect select winbind with-mkhomedir
>>>>
>>>> Rowland
>>>    
>>>    (Sorry for all the problems)
>>>
>>>    Are these packages needed even if I compile from source samba-4.13.2.tar.gz?
>>
>> No, but you will need to create the links, see here:
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>>
>> Rowland
>
>
>
>   Thanks, now it is working. I made the links:
>
>
>   ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
>
>   ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
>
>
>   Testing command getent:
>
>
>   [root@gtmad1 ~]# getent passwd "ATGTM00\\rommel.rodriguez"
> ATGTM00\rommel.rodriguez:*:3000127:100::/home/ATGTM00/rommel.rodriguez:/bin/false
> [root@gtmad1 ~]# getent group "ATGTM00\\Domain Users"
> ATGTM00\domain users:x:100:
Well that's one thing fixed 😂
>
>   
>
>   I still cannot connect using Windows 7 RSAT or Windows 2016 Server Admin Tools/Active Directory User and Computers tools to do some administration tasks on this Domain Controller, samba 4.13.2.
>
>   I can do it to samba 4.11.2 (my ADDC)
>
Haven't got Windows 2016, but Win7 & win10 ADUC works against 4.13.2 for 
me, the only differences are, I use Devuan with Louis's repo and pam-krb5.

Unlikely to be the OS (unless it is SELinux). The code in Louis's repo 
will be the same code you used, so that leaves pam-krb5 and the lack of 
that shouldn't cause your problem, it should fall back to NTLM.

What error message are you getting when you try to use ADUC ?

Rowland
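
The checks this thread walks through (no leftover 'sss' entries when sssd is not installed, 'winbind' on the passwd and group lines, and a libnss_winbind.so.2 link that resolves) can be scripted. This is an added example, not part of the original messages; the function names audit_nsswitch and make_sample and the sample file are constructed for illustration.

```shell
# Added example; audit_nsswitch and make_sample are hypothetical names.
# audit_nsswitch CONF LIBDIR
# Prints one finding per line; returns 0 if clean, 1 otherwise.
audit_nsswitch() {
    out=$(
        awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            pos = index($0, ":")
            if (pos == 0) {                      # e.g. "initgroups  files"
                printf "line %d: no colon after \"%s\"\n", NR, $1
                next
            }
            db = substr($0, 1, pos - 1); gsub(/[ \t]/, "", db)
            n = split(substr($0, pos + 1), svc, " ")
            wb = 0
            for (i = 1; i <= n; i++) {
                if (svc[i] == "sss") printf "line %d: %s still lists sss\n", NR, db
                if (svc[i] == "winbind") wb = 1
            }
            if ((db == "passwd" || db == "group") && !wb)
                printf "line %d: %s does not list winbind\n", NR, db
        }' "$1"
        # -e follows symlinks, so a dangling link is reported too
        [ -e "$2/libnss_winbind.so.2" ] ||
            echo "libnss_winbind.so.2 does not resolve in $2"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample, modelled on the two files quoted in the thread.
make_sample() {
    cat > "$1/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     files winbind
shadow:     files
group:      files
initgroups  files
services:   files sss
netgroup:   sss
EOF
}

d=$(mktemp -d)
make_sample "$d"
audit_nsswitch "$d/nsswitch.conf" "$d" || true
rm -rf "$d"
```

On a real host the call would be `audit_nsswitch /etc/nsswitch.conf /lib64`, matching the link location used in the thread.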



