[Samba] Not able to join Debian 10 to AD using winbind
Sac Isilia
udaypratap.singh65 at gmail.com
Mon Oct 11 15:26:04 UTC 2021
Hi Team,
I have a Debian 10 machine and tried integrating it to AD using winbind but
when i restart the winbind service , it fails . The surprising thing is as
soon as I disable the security = ADS parameter in smb.conf , the winbind
service restart happens just fine but again the net ads join command fails.
I have been scratching my head over this for past 3 days . Any guidance
will be appreciated.
*********
smb.conf
***********
[global]
workgroup = EMEA-MEDIA
realm = EMEA.MEDIA.GLOBAL.LOC
password server = 10.19.26.136
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
domain master = no
local master = no
preferred master = no
os level = 0
allow trusted domains = yes
winbind nested groups = yes
winbind rpc only = yes
idmap config * : backend = autorid
idmap config * : range = 10000-9999999
; wins server = w.x.y.z
include = /var/lib/samba/dhcp.conf
dns proxy = no
; interfaces = 127.0.0.0/8 eth0
; bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = standalone server
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
; logon path = \\%N\profiles\%U
; logon drive = H:
; logon script = logon.cmd
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos
"" %u
; add machine script = /usr/sbin/useradd -g machines -c "%u machine
account" -d /var/lib/samba -s /bin/false %u
; add group script = /usr/sbin/addgroup --force-badname %g
; include = /home/samba/etc/smb.conf.%m
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
; usershare max shares = 100
usershare allow guests = yes
[homes]
comment = Home Directories
browseable = no
read only = yes
create mask = 0700
directory mask = 0700
valid users = %S
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
; write list = root, @lpadmin
**********
krb5.conf
***********
[libdefaults]
default_realm = EMEA.MEDIA.GLOBAL.LOC
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# Thie only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).
# default_tgs_enctypes = des3-hmac-sha1
# default_tkt_enctypes = des3-hmac-sha1
# permitted_enctypes = des3-hmac-sha1
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
EMEA.MEDIA.GLOBAL.LOC = {
kdc = 10.19.26.136
admin_server = 10.19.26.136
default_domain = emea.media.global.loc
}
MEDIA.GLOBAL.LOC = {
kdc = 10.19.26.144
admin_server = 10.19.26.144
default_domain = media.global.loc
}
[domain-realm]
emea.media.global.loc = EMEA.MEDIA.GLOBAL.LOC
.emea.media.global.loc = EMEA.MEDIA.GLOBAL.LOC
.media.global.loc = MEDIA.GLOBAL.LOC
media.global.loc = MEDIA.GLOBAL.LOC
[login]
krb4_convert = true
krb4_get_tickets = false
Please let us know if you need more information.
Regards
Sachin K
More information about the samba
mailing list