[Samba] winbind issues

Campbell McLeay cmcl at dneg.com
Thu Nov 4 15:42:50 UTC 2021


Hi,

I'm switching Samba shares to use Winbind rather than SSSD for
authentication, with AD as the auth provider. nsswitch and pam have
been updated to use winbind via authconfig. The domain is example.com,
and 'ad.example.com' is a srv record that points to the domain
controllers. The samba server has been joined to the domain via 'net
ads join' and when I run a 'wbinfo -t' it reports the trust secret has
succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
the domain, and a wbinfo -g lists the groups in the domain. But I
cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.

smb.conf:

# Global parameters
[global]
max log size = 0
realm = AD.EXAMPLE.COM
security = ADS
template homedir = /u/%U
template shell = /bin/bash
winbind offline logon = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = EXAMPLE
idmap config * : range = 1000-20000000
idmap config * : rangesize = 19900000
idmap config * : backend = autorid


[user_data]
comment = user_data
path = /user_data
read only = No

nsswitch.conf:

passwd:     files winbind
shadow:     files winbind
group:      files winbind
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

pam.d/system-auth:

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
auth        sufficient    pam_winbind.so cached_login use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_winbind.so cached_login

krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 7d
 renew_lifetime = 14d
 allow_weak_crypto = true
 forwardable = true
 rdns=false

[realms]
 AD.EXAMPLE.COM = {
   kdc = ad.example.com
 }

[domain_realm]
 dneg.com = AD.EXAMPLE.COM
 .dneg.com = AD.EXAMPLE.COM

I've followed the official Red Hat guide, and have done various
searches on the web, but every solution out there seems to offer
different configurations, none of which have worked for me as yet.
sssd used to work fine, but I believe it is no longer supported after
Samba 4.8.0. Any ideas what I am doing wrong here?

Thanks for any help

Cam
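A small offline check for the two configuration pieces quoted above, added here as example code (it is not from the poster or from the Samba project): it parses constructed copies of the smb.conf idmap settings and the nsswitch.conf databases, reports how many autorid domain ranges fit inside the configured ID range, and confirms that both the passwd and group databases consult winbind, which is what 'id' and 'getent' rely on before a domain user can resolve.

```shell
#!/bin/sh
# Constructed sample inputs (copied from the post, not read from the live
# system) so the checks run anywhere.
SMB_CONF='[global]
realm = AD.EXAMPLE.COM
idmap config * : range = 1000-20000000
idmap config * : rangesize = 19900000
idmap config * : backend = autorid
'
NSSWITCH='passwd:     files winbind
shadow:     files winbind
group:      files winbind
'

# Number of autorid ranges that fit in "idmap config * : range".
# Every domain that needs an ID mapping (and every extension range for a
# domain whose RIDs exceed rangesize) consumes one block of rangesize IDs,
# so the count is floor((high - low + 1) / rangesize). When autorid runs
# out of ranges, mapping requests for further domains fail.
autorid_range_count() {
  printf '%s\n' "$1" | awk -F'=' '
    /idmap config \* *: *range *=/     { split($2, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
    /idmap config \* *: *rangesize *=/ { size = $2 + 0 }
    END { if (size > 0) printf "%d\n", int((hi - lo + 1) / size); else print 0 }'
}

# Succeeds (exit 0) only when both the passwd and group databases list
# winbind as a source; either one missing leaves 'id' unable to see the
# domain's users or groups even though wbinfo works.
nss_uses_winbind() {
  printf '%s\n' "$1" | awk '
    $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "winbind") p = 1 }
    $1 == "group:"  { for (i = 2; i <= NF; i++) if ($i == "winbind") g = 1 }
    END { exit !(p && g) }'
}

printf 'autorid domain ranges available: %s\n' "$(autorid_range_count "$SMB_CONF")"
if nss_uses_winbind "$NSSWITCH"; then
  echo "nsswitch: passwd and group consult winbind"
else
  echo "nsswitch: winbind missing from passwd or group"
fi
```

Point the two variables at `cat /etc/samba/smb.conf` and `cat /etc/nsswitch.conf` output to run the same checks against a real host.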



More information about the samba mailing list