[Samba] Samba as a domain member:
Vieri Di Paola
vieridipaola at gmail.com
Mon Jun 15 16:13:25 UTC 2020
OK for the DC.
I noticed that converting users and groups to sid with the example
below seems to work fine:
# wbinfo -n DOMAIN\\user
S-1-5-21-948789634-15155995-928725530-6864 SID_USER (1)
# wbinfo -n DOMAIN\\group
S-1-5-21-948789634-15155995-928725530-11178 SID_DOM_GROUP (2)
However, applications using PAM and winbind seem to fail when trying
to convert to sid.
For instance, just to name one, openvpn is failing with messages such as:
AUTH-PAM: BACKGROUND: my_conv[0] query='Cannot convert group GROUP to sid, please contact your administrator to see if group GROUP is valid.' style=4
I know this is the samba ML, but I just want to share part of the
openvpn config to see if my misconfiguration is here or there.
openvpn uses:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn-ivpn
My pam.d config is:
# cat /etc/pam.d/openvpn-ivpn
#%PAM-1.0
# $Id$
auth required pam_env.so
auth sufficient pam_winbind.so require_membership_of=GROUP
auth sufficient pam_unix.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_winbind.so require_membership_of=GROUP
account required pam_unix.so
password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session required pam_unix.so
And this is my smb.conf:
[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.ORG
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
; remove when in production:
winbind enum users = yes
winbind enum groups = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = rid
idmap config DOMAIN : range = 10000-999999
idmap config SSIB.ES : backend = rid
idmap config SSIB.ES : range = 1000000-9999999
template shell = /bin/bash
template homedir = /home/%U
server string = Samba2
; encrypt passwords = yes
unix password sync = Yes
pam password change = yes
obey pam restrictions = yes
dos charset = 850
unix charset = ISO8859-1
What can I try?
Regards,
Vieri
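The failure above is pam_winbind asking winbind to turn the name in require_membership_of= into a SID. As an added example (not code from the post or from Samba), the script below pulls every require_membership_of value out of a pam.d stanza, resolves each one the way the module would (name to SID, retrying as DOMAIN\name when a default domain is configured), and reports whether the result is actually a group. It parses the `wbinfo -n` output format shown in the post; the lookup table is a constructed stand-in so the script runs offline, and real_wbinfo() is the equivalent live call (it assumes wbinfo is on PATH and winbindd is running). pam_winbind's man page documents that require_membership_of also accepts SIDs, so literal SIDs are reported without a lookup.

```python
"""Checker for pam_winbind require_membership_of= values (added example)."""
import re
import subprocess

SID_RE = re.compile(r"^S-1-5(?:-\d+)+$")
# One line of `wbinfo -n NAME` output: "<SID> <SID_TYPE> (<n>)"
WBINFO_N_RE = re.compile(r"^(S-1-5(?:-\d+)+)\s+(SID_\w+)\s+\(\d+\)$")
# wbinfo type names that pam_winbind can meaningfully check membership of
GROUP_TYPES = {"SID_DOM_GROUP", "SID_ALIAS", "SID_WKN_GRP"}

# Constructed pam.d stanza modelled on the one in the post, with extra values
# added so that every outcome below is exercised.
PAM_STANZA = """\
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_winbind.so require_membership_of=GROUP,user
account sufficient pam_winbind.so require_membership_of=S-1-5-21-948789634-15155995-928725530-11178,nosuchgroup
account required pam_unix.so
"""

# Constructed stand-in for `wbinfo -n`; the SIDs and types are the ones in the post.
FAKE_WBINFO_TABLE = {
    "domain\\group": "S-1-5-21-948789634-15155995-928725530-11178 SID_DOM_GROUP (2)",
    "domain\\user": "S-1-5-21-948789634-15155995-928725530-6864 SID_USER (1)",
}


def fake_wbinfo(name):
    """Offline stand-in: winbind name lookups are case-insensitive, so fold case."""
    return FAKE_WBINFO_TABLE.get(name.lower())


def real_wbinfo(name):
    """Live lookup via `wbinfo -n` (assumed available); None when it fails."""
    r = subprocess.run(["wbinfo", "-n", name], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None


def required_groups(pam_text):
    """Every value listed in require_membership_of= on pam_winbind.so lines."""
    groups = []
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#") or fields[2] != "pam_winbind.so":
            continue
        for opt in fields[3:]:
            if opt.startswith("require_membership_of="):
                groups.extend(g for g in opt.split("=", 1)[1].split(",") if g)
    return groups


def parse_wbinfo_n(output):
    """Parse 'S-1-5-... SID_DOM_GROUP (2)' into (sid, type_name), or None."""
    m = WBINFO_N_RE.match((output or "").strip())
    return (m.group(1), m.group(2)) if m else None


def check_membership_groups(pam_text, lookup=fake_wbinfo, default_domain=None):
    """Resolve each require_membership_of value and classify the result.

    Per value: ("sid", sid) for a literal SID; ("group", sid, name_used) when a
    name resolves to a group; ("not-a-group", sid, type) when it resolves to
    something else; ("unresolved", names_tried) when winbind knows no such name.
    With default_domain set, a bare name is retried as DOMAIN\\name, the form
    `winbind use default domain = yes` lets people omit.
    """
    report = {}
    for value in required_groups(pam_text):
        if SID_RE.match(value):
            report[value] = ("sid", value)
            continue
        candidates = [value]
        if default_domain and "\\" not in value:
            candidates.append(f"{default_domain}\\{value}")
        for cand in candidates:
            parsed = parse_wbinfo_n(lookup(cand))
            if parsed:
                sid, kind = parsed
                verdict = ("group", sid, cand) if kind in GROUP_TYPES else ("not-a-group", sid, kind)
                break
        else:
            verdict = ("unresolved", candidates)
        report[value] = verdict
    return report


if __name__ == "__main__":
    for value, verdict in check_membership_groups(PAM_STANZA, default_domain="DOMAIN").items():
        print(f"{value:45s} -> {verdict}")
```

Running it against a live box means passing lookup=real_wbinfo and the realm's short name as default_domain; any value that comes back "unresolved" or "not-a-group" is one pam_winbind will reject with exactly the "Cannot convert group ... to sid" message. Entries reported as "group" can be rewritten in the pam.d line as the returned SID, which removes the name lookup from the authentication path altogether.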