[Samba] winbind issues

Rowland Penny rpenny at samba.org
Thu Nov 4 15:59:50 UTC 2021


On Thu, 2021-11-04 at 15:42 +0000, Campbell McLeay via samba wrote:
> Hi,
> 
> I'm switching Samba shares to use Winbind rather than SSSD for
> authentication, with AD as the auth provider. nsswitch and pam have
> been updated to use winbind via authconfig. The domain is
> example.com,
> and 'ad.example.com' is a srv record that points to the domain
> controllers. 

What do you mean by that? Your dns domain must be the same as the AD
dns domain.

> The samba server has been joined to the domain via 'net
> ads join' and when I run a 'wbinfo -t' it reports the trust secret
> has
> succeeded, and 'wbinfo -u' lists all the users (e.g., EXAMPLE\cam) on
> the domain, and a wbinfo -g lists the groups in the domain. But I
> cannot look up users via 'id' (either via 'id EXAMPLE\cam' or 'id
> cam'). OS version is RHEL 7.6, Samba version is 4.8.3-4.

Have you installed 'samba-winbind-clients' and run the correct
'authselect' incantation?

> 
> smb.conf:
> 
> # Global parameters
> [global]
> max log size = 0
> realm = AD.EXAMPLE.COM
> security = ADS
> template homedir = /u/%U
> template shell = /bin/bash
> winbind offline logon = Yes
> winbind refresh tickets = Yes
> winbind use default domain = Yes
> workgroup = EXAMPLE
> idmap config * : range = 1000-20000000
> idmap config * : rangesize = 19900000
> idmap config * : backend = autorid
> 
> 
> [user_data]
> comment = user_data
> path = /user_data
> read only = No
> 
> nsswitch.conf:
> 
> passwd:     files winbind
> shadow:     files winbind

Remove winbind from the 'shadow' line, it shouldn't be there.

> group:      files winbind
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
> 
> pam.d/system-auth:
> 
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=2000000
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
> auth        sufficient    pam_winbind.so cached_login use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_access.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session     optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_winbind.so cached_login
> 
> krb5.conf:
> 
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>  default_realm = AD.EXAMPLE.COM
>  dns_lookup_realm = true

The above should be 'false' not 'true'

>  dns_lookup_kdc = true
>  ticket_lifetime = 7d
>  renew_lifetime = 14d
>  allow_weak_crypto = true
>  forwardable = true
>  rdns=false
> 
> [realms]
>  AD.EXAMPLE.COM = {
>    kdc = ad.example.com
>  }
> 
> [domain_realm]
>  dneg.com = AD.EXAMPLE.COM
>  .dneg.com = AD.EXAMPLE.COM
> 
> I've followed the official Redhat guide, and have done various
> searches on the web, but every solution out there seems to offer
> different configurations, none of which have worked for me as yet.
> sssd used to work fine but I believe is no longer supported after
> Samba 4.8.0. Any ideas what I am doing wrong here?

Using the wrong OS :-D

Rowland
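As an added example that is not part of this thread (it is neither Rowland's nor Campbell's, and not a Samba tool), the POSIX shell script below checks the two settings Rowland flags in the quoted configs, winbind on the nsswitch 'shadow' line and 'dns_lookup_realm = true' in the krb5.conf [libdefaults] section, and emits corrected fragments. The NSSWITCH_SAMPLE and KRB5_SAMPLE inputs are constructed to mirror the posted files; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint nsswitch.conf / krb5.conf text for
# the two settings Rowland flags, and print corrected fragments.

# Constructed nsswitch.conf fragment (winbind wrongly present on the shadow line).
NSSWITCH_SAMPLE='passwd:     files winbind
shadow:     files winbind
group:      files winbind'

# Constructed krb5.conf fragment (dns_lookup_realm wrongly set to true).
KRB5_SAMPLE='[libdefaults]
 default_realm = AD.EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
[realms]
 AD.EXAMPLE.COM = {
   kdc = ad.example.com
 }'

# Exit 0 if the shadow: line of the nsswitch text in $1 lists winbind, else 1.
shadow_has_winbind() {
    printf '%s\n' "$1" | awk '
        $1 == "shadow:" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the nsswitch text in $1 with winbind dropped from the shadow: line only.
fix_shadow_line() {
    printf '%s\n' "$1" | awk '
        $1 == "shadow:" {
            line = $1
            for (i = 2; i <= NF; i++) if ($i != "winbind") line = line " " $i
            print line; next
        }
        { print }'
}

# Exit 0 if dns_lookup_realm is true/yes inside [libdefaults] of the krb5 text in $1, else 1.
dns_lookup_realm_true() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        { gsub(/=/, " = ") }    # normalise key=value spacing so fields split cleanly
        sec == "libdefaults" && $1 == "dns_lookup_realm" {
            v = tolower($NF); if (v == "true" || v == "yes") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Print the krb5 text in $1 with dns_lookup_realm forced to false in [libdefaults].
set_dns_lookup_realm_false() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*\[/ { sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); print; next }
        sec == "libdefaults" && $1 ~ /^dns_lookup_realm/ { print " dns_lookup_realm = false"; next }
        { print }'
}

# Report both findings in plain text; always returns 0 so it is safe under set -e.
lint_report() {
    if shadow_has_winbind "$1"; then
        echo "nsswitch.conf: winbind listed on the 'shadow' line; remove it"
    fi
    if dns_lookup_realm_true "$2"; then
        echo "krb5.conf: dns_lookup_realm = true in [libdefaults]; set it to false"
    fi
    return 0
}

lint_report "$NSSWITCH_SAMPLE" "$KRB5_SAMPLE"
echo "--- corrected nsswitch.conf fragment ---"
fix_shadow_line "$NSSWITCH_SAMPLE"
echo "--- corrected krb5.conf fragment ---"
set_dns_lookup_realm_false "$KRB5_SAMPLE"
```

On a live host the same functions take the real files, e.g. lint_report "$(cat /etc/nsswitch.conf)" "$(cat /etc/krb5.conf)"; the script only prints corrected text and never writes to /etc, so the change can be reviewed before it is applied.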
