[Samba] Domain member?

Joachim Lindenberg samba at lindenberg.one
Tue Oct 26 06:45:08 UTC 2021


Hello Rowland,
I read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, and I specifically read "If your users will only use the Samba AD DC for authentication and will not store data on it or log into it, you can use the winbind 'rid' backend, this calculates the user and group IDs from the Windows RID, if you use the same [global] section of the smb.conf on every Unix domain member, you will get the same IDs." - that's the reason I started with a smb.conf of a DC and removed stuff that was apparently irrelevant. Is this section of documentation also wrong?

> sudo dpkg -l winbind
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                 Architecture Description
+++-==============-=======================-============-=============================================>
ii  winbind        2:4.14.8+dfsg-0.1focal1 amd64        service to resolve user and group information>

In fact winbind is running after yet another system restart, i.e. it looks like some initialization issue during or after installation. However it reports:
Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
Oct 26 06:25:46 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
Oct 26 06:25:52 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
Oct 26 06:26:32 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)

On the right: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (LE$@SAMBA.LINDENBERG.ONE) unknown]

I searched for that error, but only M$ or ancient stuff..
Thanks, Joachim


-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, 25 October 2021 22:28
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member?

On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:
> > How did you join the domain ?
> I joined using net ads join -U Joachim (which happens to be domain 
> admin). No error (after fixing a hostname setup issue).

OK.

> 
> > The line above is only used on a DC
> I excerpted this from an existing DC. Removed it. No change. 
> Is there a consistency check I can run?

Yes, but you probably don't need it (more on this later)

> 
> > Are you using sssd ?
> I don't (yet) know what sssd is about.

As this is Ubuntu, you may have it installed.
You can check with:
sudo dpkg -l winbind

The last line will look like this if it isn't installed:

un  sssd           <none>       <none>       (no description available)

> 
> > Have you installed winbind ?
> I followed
> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu
> , and yes, winbind is installed.
> 
> > You have only stopped Samba using nmbd, you need to stop it and then 
> > disable it.
> I didn't enable it at all. Some magic? If smb.conf asks for no 
> netbios, shouldn't the process exit?

Debian based distros start packages when they are installed, so no magic is involved.

I suggest you go and read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid
https://wiki.samba.org/index.php/Idmap_config_autorid

You need to add 'idmap config' lines to your smb.conf (if you don't know what they are, you will once you have read the above wiki pages).
You also need to find out why 'systemctl start winbind' doesn't work.

Rowland
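
Added illustration (not part of this thread and not Samba's own code): a sketch of why the wiki passage quoted above asks for the same [global] idmap settings on every domain member. It applies the formula documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID; the domain name SAMDOM, the SID and the smb.conf fragments are constructed sample values.

```python
import re

def parse_rid(sid):
    """Return the RID (last sub-authority) of a SID string."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[:2] != ["S", "1"]:
        raise ValueError("not a domain SID: %r" % sid)
    return int(parts[-1])

def rid_range(smb_conf, domain):
    """Read (low, high) from 'idmap config DOMAIN : range = low-high'."""
    pat = re.compile(
        r"^\s*idmap\s+config\s+%s\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$"
        % re.escape(domain), re.IGNORECASE | re.MULTILINE)
    m = pat.search(smb_conf)
    if m is None:
        raise LookupError("no idmap range configured for %s" % domain)
    return int(m.group(1)), int(m.group(2))

def unix_id(sid, smb_conf, domain, base_rid=0):
    """Map a SID the way the 'rid' backend does; None if it cannot be mapped."""
    low, high = rid_range(smb_conf, domain)
    rid = parse_rid(sid)
    if rid < base_rid:
        return None
    mapped = rid - base_rid + low
    return mapped if mapped <= high else None  # outside range: no mapping

# Constructed smb.conf fragments for three members of an assumed domain SAMDOM.
CONF = """[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = %s
"""
MEMBER_A = CONF % "10000-999999"
MEMBER_B = CONF % "100000-199999"   # different range: different Unix IDs
MEMBER_C = CONF % "10000-10999"     # range too small for this RID

USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"  # constructed

if __name__ == "__main__":
    for name, conf in (("A", MEMBER_A), ("B", MEMBER_B), ("C", MEMBER_C)):
        print("member", name, "->", unix_id(USER_SID, conf, "SAMDOM"))
```

The same account gets a different UID on member B and no mapping at all on member C, so file ownership and ACLs would not line up across hosts.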




