[Samba] making pam_winbind to work

Michael Tokarev mjt at tls.msk.ru
Mon Feb 14 13:50:06 UTC 2022

14.02.2022 16:39, Rowland Penny via samba wrote:

> Just noticed 'debian' in your post, so please go here:
> https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh

I fixed a bunch of errors in this script (mostly the assumption that
nslookup is installed, and also a hardcoded Administrator user).
Here it goes.

Note: it does not include pam configuration which is the most relevant
here, I think.

Samba packages were rebuilt by me yesterday to include the fix for
client cache poisoning.

  Collected config  --- 2022-02-14-16:43 -----------

Hostname: tsrv
DNS Domain: tls.msk.ru
FQDN: tsrv.tls.msk.ru


Kerberos SRV _kerberos._tcp.tls.msk.ru record verified ok, sample output:
_kerberos._tcp.tls.msk.ru. SRV 10 25 88 ai.tls.msk.ru.
Samba is running as a Unix domain member
        Checking file: /etc/os-release

PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION="11 (bullseye)"


This computer is running Debian 11.2 x86_64

running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet scope host lo
     inet6 ::1/128 scope host
7: host0 at if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
     link/ether 42:b3:b3:26:e3:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
     inet brd scope global host0
     inet scope global secondary host0:pvcs
     inet scope global secondary host0:vesta
     inet6 fe80::40b3:b3ff:fe26:e3f3/64 scope link

        Checking file: /etc/hosts

	localhost
	tsrv.tls.msk.ru tsrv


        Checking file: /etc/resolv.conf

search tls.msk.ru corpit.ru


        Checking file: /etc/krb5.conf

	default_realm = TLS.MSK.RU
	dns_lookup_realm = false
	dns_lookup_kdc = true

		kdc = ai.tls.msk.ru

	.tls.msk.ru = TLS.MSK.RU
	tls.msk.ru = TLS.MSK.RU


        Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:		files winbind
group:		files winbind
shadow:		files

hosts:		files dns
networks:	files

protocols:	files
services:	files
ethers:		files
rpc:		files

netgroup:	nis


        Checking file: /etc/samba/smb.conf

  server string = %h samba server %v
  netbios name = TSRV
  netbios aliases = LINUX FS
  realm = TLS.MSK.RU
  workgroup = TLS
  server role = member server
  security = ADS

  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-3000
  #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
  idmap config TLS : unix_primary_group = yes
  template homedir = /home/%U
  template shell = /bin/bash
  idmap config * : backend = tdb
  idmap config * : range = 5000-7000
  winbind use default domain = yes

  acl allow execute always = true

  interfaces =
  bind interfaces only = yes
  allow hosts =

  hostname lookups = yes
  log file = /var/log/samba/log.%m
  max log size = 1000
  log level = 2

  # disable user shares
  usershare max shares = 0

  load printers = no
  printing = bsd
  disable spoolss = yes

  map hidden = yes
  create mask = 0775
  directory mask = 0775

  # unix ext and wide links are incompatible. we need wide links.
  unix extensions = no
  wide links = yes

  comment = Home Directories
  browseable = no
  writable = yes

  comment = TLS Workspace
  path = /ws/ws
  writable = yes

  comment = EKIS RDS
  path = /share/ekis
  writable = no

  path = /stage/tmp
  browseable = no
  writable = yes
  short preserve case = yes

  path = /ws/git
  browseable = no
  writable = yes
  short preserve case = yes

  comment = Software
  path = /share/soft
  writable = no
  public = yes

  copy = soft
  browseable = no

  copy = soft
  browseable = no

  comment = WPKG automatic software distribution
  path = /share/wpkg
  browsable = no
  writable = no
  guest ok = yes

  comment = Mail storage
  path = /home/mail
  browseable = no
  writable = yes
  guest ok = no


Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
     Warning, /etc/idmapd.conf does not exist


Installed packages:
ii  acl                                2.2.53-10                           amd64        access control list - utilities
ii  attr                               1:2.4.48-6                          amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config-dummy                  1.0                                 all          dummy version of krb5-config
ii  krb5-user                          1.18.3-6+deb11u1                    amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                      2.2.53-10                           amd64        access control list - shared library
ii  libattr1:amd64                     1:2.4.48-6                          amd64        extended attribute handling - shared library
ii  libdbd-oracle11-perl               1.80-2                              amd64        Oracle10g database interface for Perl
ii  libgssapi-krb5-2:amd64             1.18.3-6+deb11u1                    amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-3:amd64                    1.18.3-6+deb11u1                    amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64              1.18.3-6+deb11u1                    amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64               2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba nameservice integration plugins
ii  libpam-winbind:amd64               2:4.13.13+dfsg-1~deb11u3.1          amd64        Windows domain authentication integration plugin
ii  libsmbclient:amd64                 2:4.13.13+dfsg-1~deb11u3.1          amd64        shared library for communication with SMB/CIFS servers
ii  libwbclient0:amd64                 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba winbind client library
ii  python3-samba                      2:4.13.13+dfsg-1~deb11u3.1          amd64        Python 3 bindings for Samba
ii  samba                              2:4.13.13+dfsg-1~deb11u3.1          amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                       2:4.13.13+dfsg-1~deb11u3.1          all          common files used by both the Samba server and client
ii  samba-common-bin                   2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64           2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba Directory Services Database
ii  samba-libs:amd64                   2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba core libraries
ii  samba-vfs-modules:amd64            2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba Virtual FileSystem plugins
ii  smbclient                          2:4.13.13+dfsg-1~deb11u3.1          amd64        command-line SMB/CIFS clients for Unix
ii  weblogic-forms                                   amd64        Oracle Forms 11g
ii  winbind                            2:4.13.13+dfsg-1~deb11u3.1          amd64        service to resolve user and group information from Windows NT 


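Two things a reader will want to verify on a setup like the one collected above are that the winbind idmap ranges in smb.conf do not overlap (winbind refuses to start, or silently misallocates IDs, when the per-domain `ad` range and the `*` `tdb` range collide) and that nsswitch.conf really does consult winbind for both passwd and group, since pam_winbind alone is useless if getpwnam() cannot see the domain users. The following shell script is an added example, not part of the original post and not part of samba-collect-debug-info.sh; it runs against constructed copies of the quoted configuration (one good, one deliberately overlapping) so it can be tested offline, and the file paths under `$TMP` are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the post or from samba-collect-debug-info.sh):
# sanity-check winbind idmap ranges and the nsswitch winbind entries.

# Print "DOMAIN LOW HIGH" for each active "idmap config <dom> : range = L-H"
# line in the smb.conf given as $1. Commented-out lines (#/;) are skipped
# because the pattern is anchored at the first non-blank character.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:[:space:]]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1"
}

# Return 0 when no two idmap ranges overlap and every range is well formed;
# otherwise print the offending entries and return 1.
check_idmap_ranges() {
    idmap_ranges "$1" | awk '
        {
            dom[NR] = $1; lo[NR] = $2; hi[NR] = $3
            if (lo[NR] > hi[NR]) {
                printf "bad range %s: %s-%s\n", $1, $2, $3; bad = 1
            }
        }
        END {
            for (i = 1; i <= NR; i++)
                for (j = i + 1; j <= NR; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "overlap: %s %d-%d vs %s %d-%d\n",
                               dom[i], lo[i], hi[i], dom[j], lo[j], hi[j]
                        bad = 1
                    }
            exit bad
        }'
}

# Return 0 when nsswitch.conf ($1) lists winbind for both passwd and group.
check_nsswitch_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)'  "$1"
}

# Constructed samples (assumed paths), modelled on the configuration in the post.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat >"$TMP/smb-good.conf" <<'EOF'
[global]
  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-3000
  #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
  idmap config * : backend = tdb
  idmap config * : range = 5000-7000
EOF

# Deliberately broken: the domain range runs into the "*" range.
cat >"$TMP/smb-bad.conf" <<'EOF'
[global]
  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-6000
  idmap config * : backend = tdb
  idmap config * : range = 5000-7000
EOF

printf 'passwd:\t\tfiles winbind\ngroup:\t\tfiles winbind\nshadow:\t\tfiles\n' \
    >"$TMP/nsswitch.conf"

for f in "$TMP/smb-good.conf" "$TMP/smb-bad.conf"; do
    if check_idmap_ranges "$f"; then
        echo "$f: idmap ranges OK"
    else
        echo "$f: idmap ranges FAIL"
    fi
done

if check_nsswitch_winbind "$TMP/nsswitch.conf"; then
    echo "nsswitch: winbind active for passwd and group"
else
    echo "nsswitch: winbind missing from passwd or group"
fi
```

On a real host run the two checks against /etc/samba/smb.conf and /etc/nsswitch.conf instead of the constructed copies. One caveat the overlap check does not cover: with `backend = ad` the range 1000-3000 is also the start of Debian's default local-account UID space (UID_MIN is 1000 in /etc/login.defs), so any local user created on the member server can share a UID with an AD user whose uidNumber falls in that range; because `files` precedes `winbind` in nsswitch.conf, the local entry wins for that UID.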