[Samba] Not able to join Debian 10 to AD using winbind

Rowland Penny rpenny at samba.org
Mon Oct 11 16:01:17 UTC 2021 

On Mon, 2021-10-11 at 20:56 +0530, Sac Isilia via samba wrote:
> Hi Team,
> 
> I have a Debian 10 machine and tried integrating it to AD using
> winbind but
> when i restart the winbind service , it fails . The surprising thing
> is as
> soon as I disable the security = ADS parameter in smb.conf , the
> winbind
> service restart happens just fine but again the net ads join command
> fails.
> I have been scratching my head over this for past 3 days . Any
> guidance
> will be appreciated.
> 

OK, I suggest you backup your existing smb.conf & krb5.conf files, then
replace them with these:

/etc/samba/smb.conf

[global]
    workgroup = EMEA-MEDIA
    realm = EMEA.MEDIA.GLOBAL.LOC
    security = ADS

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind use default domain = yes
    template shell = /bin/bash
    restrict anonymous = 2
    domain master = no
    local master = no
    preferred master = no

    idmap config * : backend = autorid
    idmap config * : range = 10000-9999999

    dns proxy = no
    # user Administrator workaround, without it you are unable to set
privileges
    username map = /etc/samba/user.map

    vfs objects = acl_xattr
    map acl inherit = Yes

    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    obey pam restrictions = yes
    usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = no
   create mask = 0700!root = EMEA-MEDIA\Administrator
   directory mask = 0700
   valid users = %S

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   create mask = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers

/etc/krb5.conf

[libdefaults]
    default_realm = EMEA.MEDIA.GLOBAL.LOC
    dns_lookup_realm = false
    dns_lookup_kdc = true

Create /etc/samba/user.map containing this:

!root = EMEA-MEDIA\Administrator

Leave the domain with:

net ads leave -Uadministrator

Then join again with:

net ads join -Uadministrator

This should work.

Rowland

More information about the samba mailing list