
Re: [Samba] WinbinD no longer available in Samba 4.7.6




L.P.H. van Belle via samba wrote 2018-12-04 15:59:
Hai,

-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Konstantin Boyandin via samba
Sent: Tuesday 4 December 2018 6:35
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] WinbinD no longer available in Samba 4.7.6

Hello,

Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.

After a recent update, winbind failed to update, until I disabled it (it didn't start anyway). When run as

# winbindd -d 9 -i

it prints in the end:

server role = 'active directory domain controller' not compatible with running the winbindd binary.
You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one

smbd currently is listening on 139 and 445 ports - thus, I assume, it serves winbind itself. However, it isn't available any more for PAM. How shall I use Samba internal winbind implementation? When I initially installed and set up ADs, wbinfo worked fine. Currently, it says:

# wbinfo -P
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

How do I make winbind available (that means available for PAM, as well)?

I suggest reading:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
Short version: samba-ad-dc is starting winbind, so don't start it manually.
For PAM support install: libnss-winbind libpam-winbind
Configure nss_switch.conf and run pam-auth-update

And set these to no when you're done testing.
         winbind enum users = yes
         winbind enum groups = yes
See your users: id username or getent passwd username.

None are returned, with 'yes' or 'no' settings. And

As far as I see, the recommendations from the above document are met.

But winbindd refuses to start (I cited its message), and no other 'winbind' process is running, either.

How do I make samba 4.7-provided winbind run?

Are some winbind settings possibly missing (the smb.conf has been generated by the domain upgrade process)?

Sincerely,
Konstantin



Note: libpam_winbind is installed.

Current smb.conf:

[global]
         bind interfaces only = Yes
         interfaces = lo ens3
         netbios name = DC
         realm = EXAMPLE.COM
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         idmap_ldb:use rfc2307 = yes
         winbind enum users = yes
         winbind enum groups = yes
         winbind nss info = rfc2307
         template shell    = /bin/bash
         template homedir  = /home/%u
         workgroup = EXAMPLE
         server string = EXAMPLE.COM domain controller
         dns proxy = no
         log file = /var/log/samba/log.%m
         max log size = 1000
         log level = 0
         tls enabled  = yes
         tls keyfile  = tls/key.pem
         tls certfile = tls/cert.pem
         tls cafile   = tls/ca.pem
         tls verify peer = no_check
         acl:search = no
         panic action = /usr/share/samba/panic-action %d
         passdb backend = tdbsam
         obey pam restrictions = yes
         unix password sync = yes
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
         pam password change = yes
         map to guest = bad user
         usershare allow guests = yes

[netlogon]
         comment = Network Logon Service
         path = /var/lib/samba/sysvol/example.com/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

[profiles]
         comment = Users profiles
         path = /srv/samba/profiles/
         browseable = No
         read only = No
         force create mode = 0600
         force directory mode = 0700
         csc policy = disable
         store dos attributes = yes
         vfs objects = acl_xattr

--
Sincerely,

Konstantin
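
An added example, not part of the original thread or of Samba: a small offline check of the three points raised in the reply above (AD DC role means winbindd is started by samba, nsswitch needs a winbind source, enumeration should go back to no after testing). The function names, finding codes and the nsswitch.conf sample are assumptions made for illustration.

```python
AD_DC = "active directory domain controller"

def _norm(name):
    # Samba compares parameter names ignoring case and whitespace
    return "".join(name.lower().split())

def smb_global(text):
    """Parse the [global] section of smb.conf text into {parameter: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def nss_sources(text, database):
    """Return the sources listed for one database line of nsswitch.conf text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []

def check(smb_conf, nsswitch):
    """Return (code, message) findings; codes are hypothetical labels."""
    g, findings = smb_global(smb_conf), []
    if g.get(_norm("server role"), "").lower() == AD_DC:
        findings.append(("dc-role", "winbindd is started by 'samba'; do not run the winbindd binary"))
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch, db):
            findings.append((f"nss-{db}", f"{db}: no winbind source in nsswitch.conf"))
    for param in ("winbind enum users", "winbind enum groups"):
        if g.get(_norm(param), "no").lower() in ("yes", "true", "1"):
            findings.append(("enum", f"'{param}' is on; set it to no after testing"))
    return findings

# Constructed inputs: smb.conf lines taken from the post, nsswitch.conf invented.
SMB_CONF = """[global]
    server role = active directory domain controller
    winbind enum users = yes
    winbind enum groups = yes
[sysvol]
    path = /var/lib/samba/sysvol
"""
NSSWITCH = "passwd: compat systemd\ngroup:  compat systemd winbind\nhosts: files dns\n"
```

Calling `check(SMB_CONF, NSSWITCH)` on the constructed inputs reports the DC role, the missing winbind source for `passwd`, and both enumeration settings.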
