[Samba] Setting up user authentication on a Samba DC

Rowland Penny rpenny at samba.org
Fri Aug 23 16:55:40 UTC 2024


On Fri, 23 Aug 2024 16:38:38 +0000
Darin via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I am trying to get Winbind authentication working on a Domain 
> controller. However, I am struggling to get it working. From what I
> can tell it should be as simple as adding winbind to
> /etc/nsswitch.conf but it doesn't seem to work. When I run getent
> passwd it just returns nothing but when I run wbinfo --ping-dc it
> succeeds.

You are probably missing the links between winbind and nsswitch. If
this was on Debian, I would advise installing the libpam-winbind and
libnss-winbind packages; I think on Fedora they are called
samba-winbind-clients.

> 
> Here is my smb.conf
> 
> # Global parameters
> [global]
>          ad dc functional level = 2012_R2
>          dns forwarder = 192.168.x.x
>          netbios name = DC
>          realm = MYDOMAIN.LAN
>          server role = active directory domain controller
>          workgroup = MYDOMAIN
>          idmap_ldb:use rfc2307 = yes
> 
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/mydomain.lan/scripts
>          read only = No
> 
> The OS is Fedora 40 and samba 4.20.4

Are you aware that as the Fedora Samba packages use MIT for the KDC,
they are classed as experimental, so I hope that you are not using them
in production.

> 
> How would I properly set up Winbind authentication for a local login? 

Fairly easy, just set everything up correctly.

> Also, I know that generally SSSD conflicts with Samba and Winbind

That is a bit of an understatement in my opinion.
 
> however it seems to be better documented and more reliable. Is there
> a way to make SSSD work with Samba?

Not in my opinion and it isn't required.

Rowland
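
An added example, not part of the thread or of Samba: a shell check for the two pieces the reply refers to, a `winbind` source on the `passwd` and `group` lines of nsswitch.conf and the `libnss_winbind.so.2` module that glibc loads for that source. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the thread. Function names are hypothetical.

# nss_has_winbind FILE DB: succeed if database DB (e.g. passwd, group) in the
# nsswitch.conf-style FILE lists "winbind" as a source.
nss_has_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")                      # strip comments
            n = index($0, ":"); if (!n) next
            name = substr($0, 1, n - 1); gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# nss_module_dir DIR...: print the first DIR holding libnss_winbind.so.2, the
# module glibc loads for the "winbind" source; fail if none has it.
nss_module_dir() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so.2" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# check_winbind_nss FILE DIR...: report each missing piece; status 0 only if
# passwd and group both use winbind and the module is installed.
check_winbind_nss() {
    conf=$1; shift; rc=0
    for db in passwd group; do
        nss_has_winbind "$conf" "$db" || { echo "$db: winbind not listed in $conf"; rc=1; }
    done
    nss_module_dir "$@" >/dev/null || { echo "libnss_winbind.so.2 not found in: $*"; rc=1; }
    return $rc
}

# Constructed sample: winbind on passwd only, and an empty library directory.
demo=$(mktemp -d)
printf 'passwd: files winbind\ngroup:  files  # winbind\n' > "$demo/nsswitch.conf"
mkdir "$demo/lib64"
check_winbind_nss "$demo/nsswitch.conf" "$demo/lib64" || echo "=> NSS cannot resolve domain accounts yet"
rm -rf "$demo"
```

On a live host, call `check_winbind_nss /etc/nsswitch.conf` followed by the distribution's library directories (for example `/lib64 /usr/lib64`, an assumption about the layout). Once both checks pass, test with a named lookup such as `getent passwd 'MYDOMAIN\administrator'`, since plain `getent passwd` only enumerates domain users when `winbind enum users = yes` is set.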




