[Samba] making pam_winbind to work
Michael Tokarev
mjt at tls.msk.ru
Mon Feb 14 13:50:06 UTC 2022
14.02.2022 16:39, Rowland Penny via samba wrote:
> Just noticed 'debian' in your post, so please go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
I fixed a bunch of errors in this script (mostly the assumption that
nslookup is installed, and also the hardcoded Administrator user).
Here it goes.
Note: it does not include pam configuration which is the most relevant
here, I think.
Samba packages were rebuilt by me yesterday to include the fix for
client cache poisoning.
Collected config --- 2022-02-14-16:43 -----------
Hostname: tsrv
DNS Domain: tls.msk.ru
FQDN: tsrv.tls.msk.ru
ipaddress: 192.168.177.2 192.168.177.4 192.168.177.10
-----------
Kerberos SRV _kerberos._tcp.tls.msk.ru record verified ok, sample output:
_kerberos._tcp.tls.msk.ru. SRV 10 25 88 ai.tls.msk.ru.
Samba is running as a Unix domain member
Checking file: /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-----------
This computer is running Debian 11.2 x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
7: host0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 42:b3:b3:26:e3:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.177.2/26 brd 192.168.177.63 scope global host0
inet 192.168.177.4/26 scope global secondary host0:pvcs
inet 192.168.177.10/26 scope global secondary host0:vesta
inet6 fe80::40b3:b3ff:fe26:e3f3/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
192.168.177.2 tsrv.tls.msk.ru tsrv
-----------
Checking file: /etc/resolv.conf
search tls.msk.ru corpit.ru
nameserver 192.168.177.15
#nameserver 192.168.177.5
-----------
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = TLS.MSK.RU
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
TLS.MSK.RU = {
kdc = ai.tls.msk.ru
}
[domain_realm]
.tls.msk.ru = TLS.MSK.RU
tls.msk.ru = TLS.MSK.RU
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files winbind
group: files winbind
shadow: files
hosts: files dns
networks: files
protocols: files
services: files
ethers: files
rpc: files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
[global]
server string = %h samba server %v
netbios name = TSRV
netbios aliases = LINUX FS
realm = TLS.MSK.RU
workgroup = TLS
server role = member server
security = ADS
idmap config TLS : backend = ad
idmap config TLS : range = 1000-3000
#idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
idmap config TLS : unix_primary_group = yes
template homedir = /home/%U
template shell = /bin/bash
idmap config * : backend = tdb
idmap config * : range = 5000-7000
winbind use default domain = yes
acl allow execute always = true
interfaces = 192.168.177.2/26 127.0.0.1/8
bind interfaces only = yes
allow hosts = 192.168.177.0/26 127.0.0.0/8
hostname lookups = yes
log file = /var/log/samba/log.%m
max log size = 1000
log level = 2
# disable user shares
usershare max shares = 0
load printers = no
printing = bsd
disable spoolss = yes
map hidden = yes
create mask = 0775
directory mask = 0775
# unix ext and wide links are incompatible. we need wide links.
unix extensions = no
wide links = yes
[homes]
comment = Home Directories
browseable = no
writable = yes
[ws]
comment = TLS Workspace
path = /ws/ws
writable = yes
[ekis]
comment = EKIS RDS
path = /share/ekis
writable = no
[stage]
path = /stage/tmp
browseable = no
writable = yes
short preserve case = yes
[git]
path = /ws/git
browseable = no
writable = yes
short preserve case = yes
[soft]
comment = Software
path = /share/soft
writable = no
public = yes
[pkg]
copy = soft
browseable = no
[dist]
copy = soft
browseable = no
[wpkg]
comment = WPKG automatic software distribution
path = /share/wpkg
browsable = no
writable = no
guest ok = yes
[mail-storage]
comment = Mail storage
path = /home/mail
browseable = no
writable = yes
guest ok = no
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-10 amd64 access control list - utilities
ii attr 1:2.4.48-6 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config-dummy 1.0 all dummy version of krb5-config
ii krb5-user 1.18.3-6+deb11u1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-10 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-6 amd64 extended attribute handling - shared library
ii libdbd-oracle11-perl 1.80-2 amd64 Oracle10g database interface for Perl
ii libgssapi-krb5-2:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-3:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.18.3-6+deb11u1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba nameservice integration plugins
ii libpam-winbind:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Windows domain authentication integration plugin
ii libsmbclient:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 shared library for communication with SMB/CIFS servers
ii libwbclient0:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba winbind client library
ii python3-samba 2:4.13.13+dfsg-1~deb11u3.1 amd64 Python 3 bindings for Samba
ii samba 2:4.13.13+dfsg-1~deb11u3.1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.13.13+dfsg-1~deb11u3.1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.13.13+dfsg-1~deb11u3.1 amd64 Samba Virtual FileSystem plugins
ii smbclient 2:4.13.13+dfsg-1~deb11u3.1 amd64 command-line SMB/CIFS clients for Unix
ii weblogic-forms 11.1.2.2.0-4 amd64 Oracle Forms 11g
ii winbind 2:4.13.13+dfsg-1~deb11u3.1 amd64 service to resolve user and group information from Windows NT servers
-----------