[Samba] Samba as a domain member:
Vieri Di Paola
vieridipaola at gmail.com
Wed Jun 17 08:42:25 UTC 2020
Nice call. It almost worked except for a small error in 'man
pam_winbind' -- DOMAIN\\GROUP should actually be DOMAIN\GROUP in the
pam.d file.
Now, I'm a bit confused.
The pam module 'pam_winbind' is from the Samba suite.
OpenVPN is just passing on the authentication decision to Samba.
However, I was expecting to just use the group name without the domain
name since I have 'winbind use default domain = yes' in smb.conf.
Maybe the fact that I initially used:
idmap config OTHERDOMAIN : backend = rid
idmap config OTHERDOMAIN : range = 1000000-9999999
in Samba 4.11.9 on this new server screwed this up (now they are commented out).
I might need to "leave" the domain, remove the tdb files and re-join
(with the OTHERDOMAIN entries in smb.conf commented out)?
I'm asking because I have two older systems (same distro, same
packages, but older versions) that work fine with
'require_membership_of=GROUP'.
On these systems, the smb.conf is different (configured at least a year ago):
samba-4.5.10 (also built with system-mitkrb5)
[global]
workgroup = DOMAIN
server role = standalone server
printcap name = cups
load printers = yes
log file = /var/log/samba/log.%m
max log size = 50
map to guest = bad user
security = ads
realm = DOMAIN.ORG
encrypt passwords = yes
unix password sync = Yes
pam password change = yes
username map = /etc/samba/smbusers
template homedir = /home/%U
template shell = /bin/bash
obey pam restrictions = yes
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
local master = no
os level = 20
domain master = no
preferred master = no
idmap uid = 10000-20000
idmap gid = 10000-20000
wins server = 10.1.4.1
dns proxy = yes
dos charset = 850
unix charset = ISO8859-1
; max protocol = smb2
max protocol = NT1
winbind use default domain = yes
kerberos method = secrets and keytab
winbind refresh tickets = yes
Now, I don't really care for these older systems as they will be
removed. I want to use the new installation with the new smb.conf, and
I can live with specifying DOMAIN\GROUP in pam.d (no problem). It's
just that I'd prefer to understand why it is now required but it
wasn't before.
Thanks,
Vieri