[Samba] Samba as a domain member:

Vieri Di Paola vieridipaola at gmail.com
Wed Jun 17 08:42:25 UTC 2020 

Nice call. It almost worked except for a small error in 'man
pam_winbind' -- DOMAIN\\GROUP should actually be DOMAIN\GROUP in the
pam.d file.

Now, I'm a bit confused.
The pam module 'pam_winbind' is from the Samba suite.
OpenVPN is just passing on the authentication decision to Samba.
However, I was expecting to just use the group name without the domain
name since I have 'winbind use default domain = yes' in smb.conf.

Maybe the fact that I initially used:
   idmap config OTHERDOMAIN : backend = rid
   idmap config OTHERDOMAIN : range = 1000000-9999999
in Samba 4.11.9 on this new server screwed this up (now they are commented out).
I might need to "leave" the domain, remove the tlb files and re-join
(with the OTHERDOMAIN entries in smb.conf commented out)?

I'm asking because I have two older systems (same distro, same
packages, but older versions) that work fine with
'require_membership_of=GROUP'.
On these systems, the smb.conf is different (configured at least a year ago):

samba-4.5.10 (also built with system-mitkrb5)

[global]
   workgroup = DOMAIN
   server role = standalone server
   printcap name = cups
   load printers = yes
   log file = /var/log/samba/log.%m
   max log size = 50
   map to guest = bad user
   security = ads
   realm = DOMAIN.ORG
   encrypt passwords = yes
   unix password sync = Yes
   pam password change = yes
   username map = /etc/samba/smbusers
   template homedir = /home/%U
   template shell = /bin/bash
   obey pam restrictions = yes
   socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
   local master = no
   os level = 20
   domain master = no
   preferred master = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   wins server = 10.1.4.1
   dns proxy = yes
   dos charset = 850
   unix charset = ISO8859-1
   ; max protocol = smb2
   max protocol = NT1
   winbind use default domain = yes
   kerberos method = secrets and keytab
   winbind refresh tickets = yes

Now, I don't really care for these older systems as they will be
removed. I want to use the new installation with the new smb.conf, and
I can live with specifying DOMAIN\GROUP in pam.d (no problem). It's
just that I'd prefer to understand why it is now required but it
wasn't before.

Thanks,

Vieri

More information about the samba mailing list