Re: [Samba] [samba] Member server winbind issue
- Date: Sun, 23 Jul 2017 12:03:03 +0200
- From: mathias dufresne via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] [samba] Member server winbind issue
2017-07-23 11:59 GMT+02:00 mathias dufresne <infractory@xxxxxxxxx>:
> 2017-07-23 11:23 GMT+02:00 Andrew Bartlett <abartlet@xxxxxxxxx>:
>> On Sun, 2017-07-23 at 11:10 +0200, mathias dufresne via samba wrote:
>> > Hi all,
>> > Thank you both for your replies. I did tried both options (removing both
>> > keytab related lines as proposed by Andrew then using both lines
>> > by Rowland) without success.
>> Just because it didn't work doesn't mean just put it back.
>> I'm not going to help you any more until you can confirm you have an
>> smb.conf like:
>> and joined the domain with:
>> Please follow that HOWTO, try not to be fancy, special or different
>> until you have it working.
> That's the whole point, I don't see what I'm doing wrong (except
> re-inserting keytab lines).
> The whole smb.conf is the following:
> security = ADS
> workgroup = AD
> realm = AD.DOMAIN.TLD
> log file = /var/log/samba/%m.log
> log level = 1
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> # - Adding just this is not enough
> # - You must set a DOMAIN backend configuration, see below
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> winbind nss info = rfc2307
> # idmap config for the AD domain
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 8000-99999999
> It was obtained with copy paste from first given link, modifying ranges
> and domain names. I didn't added user mapping as it is mentioned to be
> The join is the following, using kerberos as authentication method (which
> works well and, I hope, should not be considered as too much fancy), after
> I left the domain:
> smbsrv:/etc/samba# net ads leave -k
> Deleted account for 'SMBSRV' in realm 'AD.DOMAIN.TLD'
> smbsrv:/etc/samba# net ads join -k
> Using short domain name -- AD
> Joined 'SMBSRV' to dns domain 'ad.domain.tld'
> And here the behavior is the same: wbinfo -n and -S are working, -i is not
> I've got no more logs generated in log.winbindd which is normal as I
> removed log level.
> And I still don't understand what I do wrong :/
I forget to mentioned how is configured the testuser, so here it is:
dc02:~# ldbsearch -H $sam samaccountname=testuser uidNumber gidNumber
loginShell unixHomeDirectory primaryGroupID uid msSFU30Name msSFU30NisDomain
# record 1
dn: CN=test user,OU=Personnes,DC=ad,DC=domain,DC=tld
>> Andrew Bartlett
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/service
To unsubscribe from this list go to the following URL and read the