[Samba] Getent doesn't show AD users/groups
L.P.H. van Belle
belle at bazuin.nl
Wed Dec 16 15:46:57 UTC 2020
> That is absolutely impossible, because there are a lot of things running
> on this server
> and I don’t want to spend weeks trying to make them work in new distro.
> Look, here
> I have a problem with one program that none can solve and there I have
> dozens of programs.
Now, this is always a problem; if you had kept everything up to date,
you would not have been in this situation now.
And I know this problem; I have 1 of these servers also.
It "should" work fine also as of wheezy. I know my DCs are running and upgraded from wheezy.. from 4.1.x all the way up to 4.13.x (buster now)
I had another good look at the post of yesterday with the debug info.
172.16.0.1 server1.headoffice.example.com server1
You can remove the line 127.0.1.1; that's only if you installed with DHCP.
And make sure the old name is not used anywhere else in the system before you remove it.
default_realm = HEADOFFICE.EXAMPLE.COM
dns_lookup_kdc = yes
dns_lookup_realm = no
ticket_lifetime = 24h
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
That's it. (You can/should remove the 2 des entries there, but test it with and without.)
winbind enum users = yes
winbind enum groups = yes
Set these to no, it's just not needed to have yes.
For testing it's fine, for production set no.
interfaces = eth0
bind interfaces only = yes
interfaces = lo eth0
bind interfaces only = yes
We need lo(calhost)
rerun : apt-get install libnss-winbind libpam-winbind winbind
now run : pam-auth-update
The upgrade path.
Now, if you want, you can upgrade samba up to 4.8.latest from my repo.
Then, when you're there, you can upgrade the full server to Stretch.
From there stay on 4.8..
because now you have a choice..
If you want to run "vanilla" Debian Buster, just upgrade to Buster
and you end up with samba 4.9.5
Then you can decide to use my packages again, or stay with Debian's..
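
Added example, not part of the original post and not code from the Samba project: a small checker for the three settings the message above discusses (the 2 des enctypes in krb5.conf, winbind enum users/groups = yes, and bind interfaces only = yes without lo). The function names and both sample configs are constructed for illustration, and the interface check only looks for the literal name lo.

```python
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}  # the "2 des entries" from the post
TRUE_VALUES = ("yes", "true", "1")

def parse_settings(text):
    """Collect 'key = value' lines; skip blanks, #/; comments and [section] headers."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Lower-case the key and collapse runs of whitespace before storing it.
        settings[" ".join(key.lower().split())] = value.strip()
    return settings

def check_krb5(text):
    conf, findings = parse_settings(text), []
    for key in ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"):
        weak = sorted(DES_ENCTYPES & set(conf.get(key, "").lower().split()))
        if weak:
            findings.append(f"krb5.conf: {key} still lists {', '.join(weak)}")
    return findings

def check_smb(text):
    conf, findings = parse_settings(text), []
    for key in ("winbind enum users", "winbind enum groups"):
        if conf.get(key, "no").lower() in TRUE_VALUES:
            findings.append(f"smb.conf: {key} = yes (fine for testing, set no in production)")
    bind_only = conf.get("bind interfaces only", "no").lower() in TRUE_VALUES
    ifaces = conf.get("interfaces", "").replace(",", " ").split()
    if bind_only and "lo" not in ifaces:
        findings.append("smb.conf: bind interfaces only = yes but interfaces lacks lo")
    return findings

# Constructed sample input, based on the lines quoted in the post.
SAMPLE_KRB5 = """[libdefaults]
default_realm = HEADOFFICE.EXAMPLE.COM
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
"""
SAMPLE_SMB = """[global]
winbind enum users = yes
winbind enum groups = no
interfaces = eth0
bind interfaces only = yes
"""

if __name__ == "__main__":
    print("\n".join(check_krb5(SAMPLE_KRB5) + check_smb(SAMPLE_SMB)))
```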