[Samba] winbind issues
Rowland Penny
rpenny at samba.org
Thu Nov 4 15:59:50 UTC 2021
On Thu, 2021-11-04 at 15:42 +0000, Campbell McLeay via samba wrote:
> Hi,
>
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is
> example.com,
> and 'ad.example.com' is a srv record that points to the domain
> controllers.
What do you mean by that? Your DNS domain must be the same as the AD
DNS domain.
> The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret
> has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.
Have you installed 'samba-winbind-clients' and run the correct
'authselect' incantation?
>
> smb.conf:
>
> # Global parameters
> [global]
> max log size = 0
> realm = AD.EXAMPLE.COM
> security = ADS
> template homedir = /u/%U
> template shell = /bin/bash
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config * : range = 1000-20000000
> idmap config * : rangesize = 19900000
> idmap config * : backend = autorid
>
>
> [user_data]
> comment = user_data
> path = /user_data
> read only = No
>
> nsswitch.conf:
>
> passwd: files winbind
> shadow: files winbind
Remove winbind from the 'shadow' line, it shouldn't be there.
> group: files winbind
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: files
> publickey: nisplus
> automount: files
> aliases: files nisplus
>
> pam.d/system-auth:
>
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet_success
> auth sufficient pam_winbind.so cached_login use_first_pass
> auth required pam_deny.so
>
> account required pam_access.so
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_winbind.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_winbind.so cached_login
>
> krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AD.EXAMPLE.COM
> dns_lookup_realm = true
The above should be 'false', not 'true'.
> dns_lookup_kdc = true
> ticket_lifetime = 7d
> renew_lifetime = 14d
> allow_weak_crypto = true
> forwardable = true
> rdns=false
>
> [realms]
> AD.EXAMPLE.COM = {
> kdc = ad.example.com
> }
>
> [domain_realm]
> dneg.com = AD.EXAMPLE.COM
> .dneg.com = AD.EXAMPLE.COM
>
> I've followed the official Redhat guide, and have done various
> searches on the web, but every solution out there seems to offer
> different configurations, none of which have worked for me as yet.
> sssd used to work fine, but I believe it is no longer supported after
> Samba 4.8.0. Any ideas what I am doing wrong here?
Using the wrong OS :-D
Rowland
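An added example, not code from the thread: a small POSIX sh audit that checks the points Rowland raises (winbind on the nsswitch 'shadow:' line, dns_lookup_realm = true in krb5.conf) and the usual reason 'wbinfo -u' works while 'id' fails, namely that libnss_winbind (from samba-winbind-clients) is not installed. File and library paths are passed as arguments, so it can be run against copies of the configs; the default paths at the bottom are assumed RHEL locations.

```shell
#!/bin/sh
# Audit the winbind/NSS/Kerberos points discussed in the thread.
# Usage: audit_config NSSWITCH_CONF KRB5_CONF LIBDIR...
# (Added example; the functions take paths so they can run on copies.)

# 0 if the 'shadow:' line of the given nsswitch.conf lists winbind
# (it should not; shadow is handled by pam_winbind, not NSS).
shadow_has_winbind() {
    grep -Eq '^[[:space:]]*shadow:.*[[:space:]]winbind([[:space:]]|$)' "$1" 2>/dev/null
}

# 0 if the given krb5.conf sets dns_lookup_realm = true (should be false).
dns_lookup_realm_true() {
    grep -Eiq '^[[:space:]]*dns_lookup_realm[[:space:]]*=[[:space:]]*true' "$1" 2>/dev/null
}

# 0 if a libnss_winbind.so* exists under any of the directories given.
# Without it, 'getent passwd'/'id' cannot see winbind users even though
# 'wbinfo -u' (which talks to winbindd directly) works.
nss_winbind_present() {
    for d in "$@"; do
        for f in "$d"/libnss_winbind.so*; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Writes each finding to stderr and echoes the number of problems found.
audit_config() {
    nss_file=$1; krb5_file=$2; shift 2
    problems=0
    if shadow_has_winbind "$nss_file"; then
        echo "nsswitch: remove winbind from the 'shadow:' line" >&2
        problems=$((problems + 1))
    fi
    if dns_lookup_realm_true "$krb5_file"; then
        echo "krb5: set dns_lookup_realm = false" >&2
        problems=$((problems + 1))
    fi
    if ! nss_winbind_present "$@"; then
        echo "nss: libnss_winbind not found; install samba-winbind-clients" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Run against the live system (assumed RHEL paths) when executed directly.
echo "problems found: $(audit_config /etc/nsswitch.conf /etc/krb5.conf /lib64 /usr/lib64 /lib /usr/lib)"
```

Once the audit is clean, 'getent passwd EXAMPLE\\cam' succeeding is the sign that NSS (not just winbindd) can resolve the user.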