[Samba] Unable to get primary group information when using AD authentication with samba-4.10.4
Rowland penny
rpenny at samba.org
Fri Feb 28 08:47:15 UTC 2020
On 28/02/2020 06:51, Goto, Ryoichi wrote:
> Mr. Rowland,
> I missed the instruction email from you. Sorry.
>
OK, I just installed:
samba samba-winbind samba-winbind-clients krb5-workstation
I removed these:
sssd sssd* realmd
Now for your files:
Your /etc/hostname is wrong, it should contain only your computer's short
hostname: ms2
/etc/hosts should look like this (if using dhcp):
127.0.0.1 localhost
::1 localhost
However, if the computer has a fixed IP, then you also need a line like
this:
ComputerIP ms2.testdom.local ms2
Run this: rm -f /etc/krb5.conf.d/crypto-policies
Then make /etc/krb5.conf look like this:
[libdefaults]
default_realm = TESTDOM.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
Change /etc/nsswitch.conf to this:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files in /etc
# db Use the pre-processed /var/db files
# compat Use /etc files plus *_compat pseudo-databases
# hesiod Use Hesiod (DNS) for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: files winbind systemd
shadow: files systemd
group: files winbind systemd
hosts: files dns myhostname
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nis
publickey: files
automount: files
aliases: files
/etc/resolv.conf looks okay, provided that 172.16.84.5 is the IP of a DC.
Try this /etc/samba/smb.conf
[global]
workgroup = TESTDOM
security = ADS
realm = TESTDOM.LOCAL
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
winbind expand groups = 2
winbind refresh tickets = Yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config TESTDOM : backend = ad
idmap config TESTDOM : range = 10000-999999
idmap config TESTDOM : schema_mode = rfc2307
idmap config TESTDOM : unix_nss_info = yes
template shell = /bin/bash
template homedir = /home/%U
domain master = no
local master = no
preferred master = no
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/user.map
# For ACL support on domain member
vfs objects = acl_xattr
map acl inherit = Yes
log file = /var/log/samba/log.%m
max log size = 50
log level = 4
The only other thing I would comment on is that you shouldn't use '.local'
as your TLD; it is reserved for Bonjour and Avahi.
Rowland