[Samba] Samba as a domain member:

Vieri Di Paola vieridipaola at gmail.com
Mon Jun 15 16:13:25 UTC 2020

OK for the DC.

I noticed that converting users and groups to sid with the example
below seems to work fine:

# wbinfo -n DOMAIN\\user
S-1-5-21-948789634-15155995-928725530-6864 SID_USER (1)

# wbinfo -n DOMAIN\\group
S-1-5-21-948789634-15155995-928725530-11178 SID_DOM_GROUP (2)

However, applications using PAM and winbind seem to fail when trying
to convert to sid.
For instance, just to name one, openvpn is failing with messages such as:

AUTH-PAM: BACKGROUND: my_conv[0] query='Cannot convert group GROUP to
sid, please contact your administrator to see if group GROUP is
valid.' style=4

I know this is the samba ML, but I just want to share part of the
openvpn config to see if my misconfiguration is here or there.

openvpn uses:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn-ivpn

My pam.d config is:

# cat /etc/pam.d/openvpn-ivpn
# $Id$

auth        required      pam_env.so
auth        sufficient    pam_winbind.so require_membership_of=GROUP
auth        sufficient    pam_unix.so likeauth nullok use_first_pass
auth        required      pam_deny.so

account     sufficient    pam_winbind.so require_membership_of=GROUP
account     required      pam_unix.so

password    required      pam_cracklib.so retry=3
password    sufficient    pam_unix.so nullok use_authtok md5 shadow
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      pam_limits.so
session     required      pam_unix.so

And this is my smb.conf:

   workgroup = DOMAIN
   security = ADS
   realm = DOMAIN.ORG

   winbind refresh tickets = Yes
   vfs objects = acl_xattr
   map acl inherit = Yes
   store dos attributes = Yes

   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab

   winbind use default domain = yes

   ; remove when in production:
   winbind enum users = yes
   winbind enum groups = yes

   load printers = no
   printing = bsd
   printcap name = /dev/null
   disable spoolss = yes

   log file = /var/log/samba/%m.log
   log level = 1

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   idmap config DOMAIN : backend = rid
   idmap config DOMAIN : range = 10000-999999

   idmap config SSIB.ES : backend = rid
   idmap config SSIB.ES : range = 1000000-9999999

   template shell = /bin/bash
   template homedir = /home/%U

   server string = Samba2
   ; encrypt passwords = yes
   unix password sync = Yes
   pam password change = yes
   obey pam restrictions = yes
   dos charset = 850
   unix charset = ISO8859-1

What can I try?



More information about the samba mailing list