[Samba] samba / debian 10 / security=ads

Rowland penny rpenny at samba.org
Wed Nov 18 13:29:11 UTC 2020

On 18/11/2020 13:12, Gregory ROCHER via samba wrote:
> No linux clients aren't binded by any mean to the AD
Then join them to the AD domain
> Their name servers in /etc/resolv.conf are standards bind resolvers
They need to be pointed to the AD DC(s)
> No I've just verified in the debian 9 server. We don't use sssd nor 
> nscd but yes nis are used on the host.
That is your problem, I will say this loudly: YOU DO NOT NEED NIS
>> Add libpam-krb5 if you haven't already installed it.
> The package is installed/configured and seems to work on the debian 10 
> server. Not on the linux clients
It wont do, because they are not joined to the domain.
>>>> root at vans-d10-cl:~# getent passwd grocher
>>>> grocher:$1$[password hash redacted]:21826:10022:Gregory ROCHER, 
>>>> Ifremer Brest PDG-IRSI-RIC, 02 29 00 85 
>>>> 79:/home1/homedir1/perso/grocher:/bin/csh
>>>> root at vans-d10-cl:~# getent passwd IFR\\grocher
>>>> IFR\grocher:*:11752:10513:Gregory ROCHER, Ifremer Brest 
>>>> PDG-IRSI-RIC, 02 2:/home/IFR/grocher:/bin/false
>> Why do you have a schizophrenic user ?
>> Do you by any chance have NIS setup ?
>> If you do have NIS set up, then remove it, you do not need it.
> We use nis to authenticate users by ssh by example. That may be the 
> root cause of our problem
Oh yes, that is your problem, I am typing this on a Unix domain member 
and I do not use NIS. NIS is virtually dead and is unneeded in AD.
> grocher : is the "unix user" via nis, used in the unix world we have a 
> mixed environment here
> IFR\grocher is the corresponding user in the IFR domain
> Do you mean that security=ads and nis completly incompatible for the 
> samba use case ?
Not so much incompatible as that they both do the same thing, it is just 
that AD does it better than NIS.
>>>>     include = /usr/local/samba/etc/smb.conf.global.vans-d10-cl
>> What is in the 'include' file ?
>>>>     include = /usr/local/samba/etc/smb.conf.vans-d10-cl
>> Again, what is in the 'include' file ?
> specific config files + shares definition on the host
I didn't mean that, perhaps I should have said 'Please post the include 

Just in case you haven't got it yet, you do not need NIS, AD will do 
everything that NIS does and if you only have one domain (and it looks 
like you do), you can add 'winbind use default domain = yes' to your 
smb.conf files and then use 'username' to login instead of 'DOMAIN\username'

logging via SSH works without NIS.


More information about the samba mailing list