[Samba] winbind issues

Patrick Goetz pgoetz at math.utexas.edu
Thu Nov 4 15:45:25 UTC 2021


You're missing the id mapping sections for the actual domain; * is the 
default (internally used) domain.

On 11/4/21 10:42, Campbell McLeay via samba wrote:
> Hi,
> 
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is example.com,
> and 'ad.example.com' is a srv record that points to the domain
> controllers. The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.
> 
> smb.conf:
> 
> # Global parameters
> [global]
> max log size = 0
> realm = AD.EXAMPLE.COM
> security = ADS
> template homedir = /u/%U
> template shell = /bin/bash
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config * : range = 1000-20000000
> idmap config * : rangesize = 19900000
> idmap config * : backend = autorid
> 
> 
> [user_data]
> comment = user_data
> path = /user_data
> read only = No
> 
> nsswitch.conf:
> 
> passwd:     files winbind
> shadow:     files winbind
> group:      files winbind
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
> 
> pam.d/system-auth:
> 
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login
> 
> krb5.conf:
> 
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   default_realm = AD.EXAMPLE.COM
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 7d
>   renew_lifetime = 14d
>   allow_weak_crypto = true
>   forwardable = true
>   rdns=false
> 
> [realms]
>   AD.EXAMPLE.COM = {
>     kdc = ad.example.com
>   }
> 
> [domain_realm]
>   dneg.com = AD.EXAMPLE.COM
>   .dneg.com = AD.EXAMPLE.COM
> 
> I've followed the official Redhat guide, and have done various
> searches on the web, but every solution out there seems to offer
> different configurations, none of which have worked for me as yet.
> sssd used to work fine but I believe is no longer supported after
> Samba 4.8.0. Any ideas what I am doing wrong here?
> 
> Thanks for any help
> 
> Cam
> 
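As an added illustration (not part of the thread) of the per-domain id mapping sections the reply refers to: an explicit section for the joined EXAMPLE domain using the rid backend, alongside a separate default `*` section with tdb. The ranges shown are assumed values chosen so that they do not overlap; autorid is documented as a backend for the default `*` domain only, so an explicit domain section needs a different backend.

```ini
# Added example, not the configuration posted in the thread.
# Ranges are assumed; the only hard rule is that they must not overlap.
[global]
   workgroup = EXAMPLE
   realm = AD.EXAMPLE.COM
   security = ADS
   winbind use default domain = Yes
   template homedir = /u/%U
   template shell = /bin/bash

   # Default domain: catches BUILTIN and any SID from a domain that has no
   # explicit section below. Keep it small and outside every real range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The joined domain: rid derives uid/gid deterministically from the RID,
   # so every member server using the same range produces the same ids.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
```

After editing, `testparm -s` reports whether the sections parse and whether the ranges overlap, and `wbinfo -i EXAMPLE\\cam` followed by `getent passwd cam` shows whether winbind itself resolves the user before `id` is retried.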
