[Samba] Samba 4 without winbind
Shannon Price
pricesw at auburn.edu
Sat Sep 17 15:17:58 UTC 2022
We support our Windows clients via Samba since the 1990s. Our main infrastructure is NIS/NFS to support our servers and Linux clients. We have Samba using ADS for authentication for many years, but our users and groups still come from NIS. Our last Samba server is running on Ubuntu 18 (Samba 4.7.6) and is rock solid using smbd/nmbd. Our newest Samba server is running on Ubuntu 20.04 (Samba 4.11.6 - we found severe problems with the current versions: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1954342 and have pinned Samba at 4.11.6 for now). We're running it the same way we always have - the machine is ADS joined (net join ads ....). I experimented with winbind for quite a while, but we don't need AD groups or user attributes, so it seems unnecessary and we couldn't get our NIS groups to work when we did that even trying to monkey with nsswitch.conf using nis for groups.
The problem now is only that I have full access to everything with unqualfied names (\\SERVER\homes<file://SERVER/homes> works), but FQDN (\\server.domain.edu\homes<file://server.domain.edu/homes>) doesn't work and the debug logs show that Samba wants winbind whenever I talk to the server with FQDN.
Logs with FQDN:
[2022/09/17 08:40:16.941558, 0] ../../source3/auth/auth_winbind.c:120(check_winbind_security)
check_winbind_security: winbindd not running - but required as domain member: NT_STATUS_NO_LOGON_SERVERS
[2022/09/17 08:40:16.943204, 2] ../../source3/auth/auth.c:343(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [USERNAME] -> [USERNAME] FAILED with error NT_STATUS_NO_LOGON_SERVERS, authoritative=1
[2022/09/17 08:40:16.943300, 2] ../../auth/auth_log.c:635(log_authentication_event_human_readable)
Logs without FQDN:
131.204.17.34 (ipv4:131.204.17.34:28915) connect to service USERNAME initially as user USERNAME (uid=12345, gid=123) (pid 454545)
[2022/09/17 10:15:38.595009, 0] ../../source3/param/loadparm.c:3358(process_usershare_file)
Smb.conf
[global]
# workgroup and naming
workgroup = DOMAIN
netbios name = SAMBASERVERNAME
# server settings
interfaces = MY IP ADDRESS
bind interfaces only = yes
deadtime = 15
strict locking = no
# disable server ntlmv1 support
# require ntlmv2.1 or higher (windows 7 and up)
server min protocol = SMB2_10
client max protocol = SMB3
client min protocol = SMB2_10
security = ads
password server = KERBEROS SERVER
passdb backend = tdbsam
realm = DOMAIN.EDU
idmap config * : backend = tdb
idmap config * : range = 1000000-1999999
# browsing settings
domain master = no
local master = no
preferred master = no
--
Shannon Price
College of Engineering
Auburn University
More information about the samba
mailing list