[Samba] making pam_winbind to work

Patrick Goetz pgoetz at math.utexas.edu
Mon Feb 14 19:32:07 UTC 2022

On 2/14/22 08:51, Michael Tokarev via samba wrote:
> So, this was the issue.
> After digging in the source. Sigh.
> This is a container -- as said in the wiki, a single machine cannot be
> both file server and an AD DC, so I created a new machine, actually a
> container, using systemd-nspawn.
> As it turned out, systemd-nspawn does not enable the CAP_IPC_LOCK
> capability by default. So e.g. the mlock() system call fails with ENOPERM.
> After adding this capability to the fileserver container, it started
> working.
> And now, HOW can we map this ENOPERM into WBC_ERR_DOMAIN_NOT_FOUND?
> This is just insane.

I ran into issues running samba-ad-dc in an unprivileged LXD container. 
Based on advice from this list, I switched to using a privileged 
container which seemed to fix everything.  I'm not sure if 
systemd-nspawn supports privileged containers, but if so, might be worth 
a try.

> Thanks,
> /mjt
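
An added example, not part of the original thread: a shell check that decodes the capability masks in `/proc/<pid>/status` to tell whether a process inside the container still holds CAP_IPC_LOCK, the capability the quoted message found missing. The function names and the sample masks are constructed for illustration; bit 14 is the CAP_IPC_LOCK value from `<linux/capability.h>`.

```shell
#!/bin/sh
# Added example (not from the thread): report whether CAP_IPC_LOCK survives
# in a process's capability sets, using the text of /proc/<pid>/status.

CAP_IPC_LOCK_BIT=14   # CAP_IPC_LOCK in <linux/capability.h>

# cap_mask STATUS_TEXT FIELD -> print the hex mask of CapEff, CapBnd, ...
cap_mask() {
    printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# has_cap HEX_MASK BIT -> exit status 0 when the bit is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_ipc_lock STATUS_TEXT -> print one of:
#   effective      capability is usable right now
#   bounding-only  not effective, but still obtainable (e.g. by a root child)
#   dropped        removed from the bounding set, as in the container above
#   unknown        the status text had no CapEff/CapBnd lines
check_ipc_lock() {
    cil_eff=$(cap_mask "$1" CapEff)
    cil_bnd=$(cap_mask "$1" CapBnd)
    if [ -z "$cil_eff" ] || [ -z "$cil_bnd" ]; then
        echo "unknown"; return 2
    fi
    if has_cap "$cil_eff" "$CAP_IPC_LOCK_BIT"; then
        echo "effective"
    elif has_cap "$cil_bnd" "$CAP_IPC_LOCK_BIT"; then
        echo "bounding-only"
    else
        echo "dropped"; return 1
    fi
}

# Constructed sample: a root process whose masks have bit 14 cleared.
SAMPLE_DROPPED='Name:	winbindd
CapEff:	000001ffffffbfff
CapBnd:	000001ffffffbfff'

# Usage: ./check.sh <pid>   (run inside the container, e.g. on winbindd's PID)
if [ -n "${1:-}" ]; then
    check_ipc_lock "$(cat "/proc/$1/status")"
fi
```

A result of `dropped` for the winbindd process matches the situation in the quoted message; systemd-nspawn can grant the capability with `--capability=CAP_IPC_LOCK`.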
