
Re: [Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all




On Sat, 18 Feb 2017 19:12:39 +0000
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I will set up debian in a VM and install the OS Samba packages and see
> if I have problems, bear with me ;-)
> 

OK, back with the result and it works for me ;-)

Debian Jessie network install, no GUI, using DHCP to set ipaddress.

The only change I made before installing Samba was to comment out the
'127.0.1.1' line in /etc/hosts

apt-get install samba acl attr quota fam
winbind libpam-winbind libpam-krb5 libnss-winbind krb5-config krb5-user
ntp dnsutils ldb-tools

service smbd stop
service nmbd stop
service winbind stop

/etc/samba/smb.conf

[global]
    # Domain-member configuration: this host joins the SAMDOM Active Directory
    # domain and resolves domain users and groups through winbind.
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM

    # Kerberos tickets are verified against secrets.tdb first and then the
    # system keytab. The keytab holds this host's long-term machine keys, so
    # it should stay owned by root and readable by root only.
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    server string = Samba 4 Client %h

    # Domain accounts are presented without the SAMDOM prefix (plain "rowland").
    winbind use default domain = yes
    # Maximum nesting depth followed when expanding group membership.
    winbind expand groups = 4
    # Take home directory and login shell from the RFC 2307 attributes in AD.
    # NOTE(review): presumably the template values further down apply only to
    # accounts without those attributes - confirm for the Samba version in use.
    winbind nss info = rfc2307
    winbind refresh tickets = Yes
    # Lets domain users log in while no DC is reachable by caching credentials
    # on this host. That cache is sensitive: keep Samba's state directories
    # restricted to root, and leave this off where offline logon is not needed.
    winbind offline logon = yes
    # Whitespace in user and group names is replaced so the names are usable
    # on the Unix side.
    winbind normalize names = Yes

    ## Default domain (*): ids for BUILTIN and other non-SAMDOM accounts are
    ## allocated from a local tdb database.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## SAMDOM: ids are derived from each account's RID. This range must not
    ## overlap the default range above; overlapping ranges can hand the same
    ## uid/gid to two different accounts.
    idmap config SAMDOM : backend = rid
    idmap config SAMDOM : range = 10000-999999
    template shell = /bin/bash
    template homedir = /home/SAMDOM/%U

    # Keep this member server out of the master-browser roles.
    domain master = no
    local master = no
    preferred master = no
    os level = 20
    # A login with an unknown user name is mapped to the guest account instead
    # of being rejected (a wrong password for a known user is still refused).
    # This only grants access where a share allows guests; no shares are
    # defined here. Use "never" if guest access is not intended at all.
    map to guest = bad user
    host msdfs = no

    # Maps the domain Administrator to local root; without it you are unable
    # to set privileges. The map file decides who becomes root, so it must be
    # owned by root and not writable by anyone else.
    username map = /etc/samba/user.map

    # For ACL support on a domain member: Windows ACLs are stored in extended
    # attributes, so the filesystem must support xattrs and POSIX ACLs.
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    # Settings applied to every share
    unix extensions = no
    # A new SMB1 session setup makes smbd drop other connections coming from
    # the same IP address. Clients sharing one address (for example behind
    # NAT) can therefore disconnect each other.
    reset on zero vc = yes
    # Shell dotfiles are neither listed nor accessible through any share.
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    # Files the connected user cannot read are left out of directory listings.
    hide unreadable = yes

    # Disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

/etc/samba/user.map

# The leading '!' stops map processing at this line once a name matches.
# Every name listed here is mapped to local root, so whoever holds the domain
# Administrator account acts as root for Samba access on this host. Keep this
# file owned by root and not writable by anyone else.
# NOTE(review): the entry below looks like one logical line that the mail
# wrapped; in the real file "administrator" presumably ends the "!root" line.
!root = SAMDOM\Administrator SAMDOM\administrator Administrator
administrator

samba -V
Version 4.2.14-Debian

/etc/krb5.conf

# Minimal Kerberos client settings for the domain join. The realm is fixed
# here rather than looked up in DNS, while KDCs are located through DNS SRV
# records. The resolver on this host therefore has to point at DNS servers
# that serve the AD domain.
[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

chmod 644 /etc/krb5.conf

net ads join -U Administrator
Using short domain name -- SAMDOM
Joined 'DEBMEMBER' to dns domain 'samdom.example.com'

service smbd start
service nmbd start
service winbind start

/etc/nsswitch.conf

Add 'winbind' to the passwd & group lines

'getent passwd' displays all users, local and AD

getent passwd rowland
rowland:*:11107:10513:Rowland Penny:/home/rowland:/bin/bash

Rowland
