[Samba] making pam_winbind to work

L.P.H. van Belle belle at bazuin.nl
Mon Feb 14 14:10:30 UTC 2022


Hi Michael, 

If you found errors, can you send me a copy? I'll update it. 
Much appreciated. 

And PS.. 

                       uid                      : 0x00000000000003e8 (1000)  << 
                       primary_gid              : 0x00000000000003e8 (1000)  << 

I'm wondering why I see UID 1000 there.. 
Normally, IF you didn't give root a password, you get the first user with sudo rights. 
This user is always UID/GID 1000. 

So this will only work if you didn't add any user. 
+ what Rowland said.  ;-) 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Michael Tokarev via samba
> Sent: Monday 14 February 2022 14:50
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] making pam_winbind to work
> 
> 14.02.2022 16:39, Rowland Penny via samba wrote:
> 
> > Just noticed 'debian' in your post, so please go here:
> > 
> > https://github.com/thctlo/samba4/blob/master/samba-collect-debug-info.sh
> 
> I fixed a bunch of errors in this script (mostly the assumption that
> nslookup is installed, and also the hardcoded Administrator user).
> Here it goes.
> 
> Note: it does not include pam configuration which is the most relevant
> here, I think.
> 
> Samba packages were rebuilt by me yesterday to include the fix for
> client cache poisoning.
> 
>   Collected config  --- 2022-02-14-16:43 -----------
> 
> Hostname: tsrv
> DNS Domain: tls.msk.ru
> FQDN: tsrv.tls.msk.ru
> ipaddress: 192.168.177.2 192.168.177.4 192.168.177.10
> 
> -----------
> 
> Kerberos SRV _kerberos._tcp.tls.msk.ru record verified ok, 
> sample output:
> _kerberos._tcp.tls.msk.ru. SRV 10 25 88 ai.tls.msk.ru.
> Samba is running as a Unix domain member
>         Checking file: /etc/os-release
> 
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> VERSION_CODENAME=bullseye
> ID=debian
> HOME_URL="https://www.debian.org/"
> SUPPORT_URL="https://www.debian.org/support"
> BUG_REPORT_URL="https://bugs.debian.org/"
> 
> -----------
> 
> 
> This computer is running Debian 11.2 x86_64
> 
> -----------
> running command : ip a
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state 
> UNKNOWN group default qlen 1000
>      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>      inet 127.0.0.1/8 scope host lo
>      inet6 ::1/128 scope host
> 7: host0 at if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 
> qdisc noqueue state UP group default qlen 1000
>      link/ether 42:b3:b3:26:e3:f3 brd ff:ff:ff:ff:ff:ff link-netnsid 0
>      inet 192.168.177.2/26 brd 192.168.177.63 scope global host0
>      inet 192.168.177.4/26 scope global secondary host0:pvcs
>      inet 192.168.177.10/26 scope global secondary host0:vesta
>      inet6 fe80::40b3:b3ff:fe26:e3f3/64 scope link
> 
> -----------
>         Checking file: /etc/hosts
> 
> 127.0.0.1	localhost
> 192.168.177.2	tsrv.tls.msk.ru tsrv
> 
> -----------
> 
>         Checking file: /etc/resolv.conf
> 
> search tls.msk.ru corpit.ru
> nameserver 192.168.177.15
> #nameserver 192.168.177.5
> 
> -----------
> 
>         Checking file: /etc/krb5.conf
> 
> [libdefaults]
> 	default_realm = TLS.MSK.RU
> 	dns_lookup_realm = false
> 	dns_lookup_kdc = true
> 
> [realms]
> 	TLS.MSK.RU = {
> 		kdc = ai.tls.msk.ru
> 	}
> 
> 
> [domain_realm]
> 	.tls.msk.ru = TLS.MSK.RU
> 	tls.msk.ru = TLS.MSK.RU
> 
> -----------
> 
>         Checking file: /etc/nsswitch.conf
> 
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd:		files winbind
> group:		files winbind
> shadow:		files
> 
> hosts:		files dns
> networks:	files
> 
> protocols:	files
> services:	files
> ethers:		files
> rpc:		files
> 
> netgroup:	nis
> 
> -----------
> 
>         Checking file: /etc/samba/smb.conf
> 
> [global]
>   server string = %h samba server %v
>   netbios name = TSRV
>   netbios aliases = LINUX FS
>   realm = TLS.MSK.RU
>   workgroup = TLS
>   server role = member server
>   security = ADS
> 
>   idmap config TLS : backend = ad
>   idmap config TLS : range = 1000-3000
>   #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
>   idmap config TLS : unix_primary_group = yes
>   template homedir = /home/%U
>   template shell = /bin/bash
>   idmap config * : backend = tdb
>   idmap config * : range = 5000-7000
>   winbind use default domain = yes
> 
>   acl allow execute always = true
> 
>   interfaces = 192.168.177.2/26 127.0.0.1/8
>   bind interfaces only = yes
>   allow hosts = 192.168.177.0/26 127.0.0.0/8
> 
>   hostname lookups = yes
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   log level = 2
> 
>   # disable user shares
>   usershare max shares = 0
> 
>   load printers = no
>   printing = bsd
>   disable spoolss = yes
> 
>   map hidden = yes
>   create mask = 0775
>   directory mask = 0775
> 
>   # unix ext and wide links are incompatible. we need wide links.
>   unix extensions = no
>   wide links = yes
> 
> [homes]
>   comment = Home Directories
>   browseable = no
>   writable = yes
> 
> [ws]
>   comment = TLS Workspace
>   path = /ws/ws
>   writable = yes
> 
> [ekis]
>   comment = EKIS RDS
>   path = /share/ekis
>   writable = no
> 
> [stage]
>   path = /stage/tmp
>   browseable = no
>   writable = yes
>   short preserve case = yes
> 
> [git]
>   path = /ws/git
>   browseable = no
>   writable = yes
>   short preserve case = yes
> 
> [soft]
>   comment = Software
>   path = /share/soft
>   writable = no
>   public = yes
> 
> [pkg]
>   copy = soft
>   browseable = no
> 
> [dist]
>   copy = soft
>   browseable = no
> 
> [wpkg]
>   comment = WPKG automatic software distribution
>   path = /share/wpkg
>   browsable = no
>   writable = no
>   guest ok = yes
> 
> [mail-storage]
>   comment = Mail storage
>   path = /home/mail
>   browseable = no
>   writable = yes
>   guest ok = no
> 
> -----------
> 
> Running as Unix domain member and no user.map detected.
> This is possible with an auth-only setup, checking also for NFS parts
> -----------
>      Warning, /etc/idmapd.conf does not exist
> 
> -----------
> 
> 
> Installed packages:
> ii  acl                                2.2.53-10              
>              amd64        access control list - utilities
> ii  attr                               1:2.4.48-6             
>              amd64        utilities for manipulating 
> filesystem extended attributes
> ii  krb5-config-dummy                  1.0                    
>              all          dummy version of krb5-config
> ii  krb5-user                          1.18.3-6+deb11u1       
>              amd64        basic programs to authenticate 
> using MIT Kerberos
> ii  libacl1:amd64                      2.2.53-10              
>              amd64        access control list - shared library
> ii  libattr1:amd64                     1:2.4.48-6             
>              amd64        extended attribute handling - shared library
> ii  libdbd-oracle11-perl               1.80-2                 
>              amd64        Oracle10g database interface for Perl
> ii  libgssapi-krb5-2:amd64             1.18.3-6+deb11u1       
>              amd64        MIT Kerberos runtime libraries - 
> krb5 GSS-API Mechanism
> ii  libkrb5-3:amd64                    1.18.3-6+deb11u1       
>              amd64        MIT Kerberos runtime libraries
> ii  libkrb5support0:amd64              1.18.3-6+deb11u1       
>              amd64        MIT Kerberos runtime libraries - 
> Support library
> ii  libnss-winbind:amd64               
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba 
> nameservice integration plugins
> ii  libpam-winbind:amd64               
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Windows 
> domain authentication integration plugin
> ii  libsmbclient:amd64                 
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        shared 
> library for communication with SMB/CIFS servers
> ii  libwbclient0:amd64                 
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba 
> winbind client library
> ii  python3-samba                      
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Python 3 
> bindings for Samba
> ii  samba                              
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        SMB/CIFS 
> file, print, and login server for Unix
> ii  samba-common                       
> 2:4.13.13+dfsg-1~deb11u3.1          all          common files 
> used by both the Samba server and client
> ii  samba-common-bin                   
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba common 
> files used by both the server and the client
> ii  samba-dsdb-modules:amd64           
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba 
> Directory Services Database
> ii  samba-libs:amd64                   
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba core libraries
> ii  samba-vfs-modules:amd64            
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        Samba 
> Virtual FileSystem plugins
> ii  smbclient                          
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        command-line 
> SMB/CIFS clients for Unix
> ii  weblogic-forms                     11.1.2.2.0-4           
>              amd64        Oracle Forms 11g
> ii  winbind                            
> 2:4.13.13+dfsg-1~deb11u3.1          amd64        service to 
> resolve user and group information from Windows NT 
> servers
> 
> -----------
> 
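The UID 1000 observation in Louis's reply comes down to a range collision: the quoted smb.conf maps the TLS domain into `idmap config TLS : range = 1000-3000`, and with `passwd: files winbind` in nsswitch.conf the first local Debian user (created at UID/GID 1000 when root has no password) sits inside that range, so a lookup by number finds the local account first. The following is an added example, not part of the thread and not the samba-collect-debug-info.sh script it discusses: a small Python check that parses the idmap ranges out of an smb.conf and reports local passwd entries that fall inside them, plus idmap ranges that overlap each other. The smb.conf excerpt and the `localadmin` passwd line are constructed samples embedded inline; the function names are this example's own.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SMB_CONF = """
[global]
  realm = TLS.MSK.RU
  workgroup = TLS
  idmap config TLS : backend = ad
  idmap config TLS : range = 1000-3000
  #idmap config TLS : schema_mode = rfc2307 # rfc2307 is the default
  idmap config TLS : unix_primary_group = yes
  idmap config * : backend = tdb
  idmap config * : range = 5000-7000
"""

# Constructed sample /etc/passwd: 'localadmin' is the first local user at UID/GID 1000,
# as Debian creates it when no root password is set during installation.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
localadmin:x:1000:1000:Local Admin,,,:/home/localadmin:/bin/bash
"""

# Matches 'idmap config <DOMAIN or *> : range = LOW-HIGH' (smb.conf keys are case-insensitive).
IDMAP_RANGE_RE = re.compile(
    r'^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$',
    re.IGNORECASE,
)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every uncommented 'idmap config X : range' line."""
    ranges = {}
    for line in text.splitlines():
        if line.strip().startswith(('#', ';')):  # smb.conf comment styles
            continue
        m = IDMAP_RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_passwd(text):
    """Return [(name, uid, gid)] from passwd-format lines, ignoring malformed ones."""
    users = []
    for line in text.splitlines():
        fields = line.split(':')
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            users.append((fields[0], int(fields[2]), int(fields[3])))
    return users


def find_local_collisions(ranges, users):
    """Local accounts whose UID or GID lies inside an idmap range.

    With 'passwd: files winbind' the local entry wins a lookup by number, so a
    domain user mapped to the same id shows up under the local account's identity.
    """
    hits = []
    for domain, (low, high) in ranges.items():
        for name, uid, gid in users:
            if low <= uid <= high or low <= gid <= high:
                hits.append((domain, name, uid, gid))
    return hits


def find_range_overlaps(ranges):
    """Pairs of idmap domains whose ranges overlap; Samba requires them to be disjoint."""
    overlaps = []
    items = sorted(ranges.items())
    for i, (d1, (lo1, hi1)) in enumerate(items):
        for d2, (lo2, hi2) in items[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                overlaps.append((d1, d2))
    return overlaps


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    for domain, name, uid, gid in find_local_collisions(ranges, parse_passwd(PASSWD)):
        print(f"idmap range for '{domain}' {ranges[domain]} collides with local user "
              f"{name} (uid={uid}, gid={gid}); move the range or the local account")
    for d1, d2 in find_range_overlaps(ranges):
        print(f"idmap ranges for '{d1}' and '{d2}' overlap")
```

On a real host, read `/etc/samba/smb.conf` and `/etc/passwd` (and `/etc/group` for the GID side) instead of the constructed strings; the fix the output points at is the one Louis implies, either starting the domain range above every local id or not creating local accounts inside it.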