
Re: [Samba] WinbinD no longer available in Samba 4.7.6




Rowland Penny via samba wrote on 2018-12-04 16:56:
On Tue, 04 Dec 2018 16:44:55 +0700
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

Rowland Penny via samba wrote on 2018-12-04 16:28:
> On Tue, 4 Dec 2018 09:59:14 +0100
> "L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hai,
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of
>> > Konstantin Boyandin via samba
>> > Sent: Tuesday, 4 December 2018 6:35
>> > To: samba@xxxxxxxxxxxxxxx
>> > Subject: [Samba] WinbinD no longer available in Samba 4.7.6
>> >
>> > Hello,
>> >
>> > Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
>> >
>> > After recent update, winbind failed to update, until I
>> > disabled it (it
>> > didn't start anyway). When run as
>> >
>> > # winbindd -d 9 -i
>> >
>> > it prints in the end:
>> >
>> > server role = 'active directory domain controller' not
>> > compatible with
>> > running the winbindd binary.
>> > You should start 'samba' instead, and it will control starting
>> > the internal AD DC winbindd implementation, which is not the
>> > same as this one
>> >
>> > smbd currently is listening on 139 and 445 ports - thus, I
>> > assume, it serves winbind itself. However, it isn't available
>> > any more for PAM. How
>> > shall I use Samba internal winbind implementation? When I
>> > initially installed and set up ADs, wbinfo worked fine.
>> > Currently, it says:
>> >
>> > # wbinfo -P
>> > could not obtain winbind interface details:
>> > WBC_ERR_WINBIND_NOT_AVAILABLE
>> > could not obtain winbind domain name!
>> > checking the NETLOGON for domain[] dc connection to "" failed
>> > failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>> >
>> > How do I make winbind available (that means available for
>> > PAM, as well)?
>> I suggest reading :
>> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
>> Short version:  samba-ad-dc is starting winbind, so don't start it
>> manually. For pam support install : libnss-winbind libpam-winbind
>> Configure nss_switch.conf and run pam-auth-update
>>
>> And set these to no when you're done testing.
>> >          winbind enum users = yes
>> >          winbind enum groups = yes
>> See your users: id username or getent passwd username.
>>
>> >
>> > Note: libpam_winbind is installed.
>> >
>> > Current smb.conf:
>> >
>> > [global]
>> >          bind interfaces only = Yes
>> >          interfaces = lo ens3
>> >          netbios name = DC
>> >          realm = EXAMPLE.COM
>> >          server role = active directory domain controller
>> >          server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>> > kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>> >          idmap_ldb:use rfc2307 = yes
>> >          winbind enum users = yes
>> >          winbind enum groups = yes
>> >          winbind nss info = rfc2307
>> >          template shell    = /bin/bash
>> >          template homedir  = /home/%u
>> >          workgroup = EXAMPLE
>> >          server string = EXAMPLE.COM domain controller
>> >          dns proxy = no
>> >          log file = /var/log/samba/log.%m
>> >          max log size = 1000
>> >          log level = 0
>> >          tls enabled  = yes
>> >          tls keyfile  = tls/key.pem
>> >          tls certfile = tls/cert.pem
>> >          tls cafile   = tls/ca.pem
>> >          tls verify peer = no_check
>> >          acl:search = no
>> >          panic action = /usr/share/samba/panic-action %d
>> >          passdb backend = tdbsam
>> >          obey pam restrictions = yes
>> >          unix password sync = yes
>> >          passwd program = /usr/bin/passwd %u
>> >          passwd chat = *Enter\snew\s*\spassword:* %n\n
>> > *Retype\snew\s*\spassword:
>> >          pam password change = yes
>> >          map to guest = bad user
>> >          usershare allow guests = yes
>> >
>> > [netlogon]
>> >          comment = Network Logon Service
>> >          path = /var/lib/samba/sysvol/example.com/scripts
>> >          read only = No
>> >
>> > [sysvol]
>> >          path = /var/lib/samba/sysvol
>> >          read only = No
>> >
>> > [profiles]
>> >          comment = Users profiles
>> >          path = /srv/samba/profiles/
>> >          browseable = No
>> >          read only = No
>> >          force create mode = 0600
>> >          force directory mode = 0700
>> >          csc policy = disable
>> >          store dos attributes = yes
>> >          vfs objects = acl_xattr
>> >
>> > --
>> > Sincerely,
>> >
>> > Konstantin
>> >
>> > --
>> > To unsubscribe from this list go to the following URL and read
>> > the instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>
> Go and read 'man smb.conf', then remove most of the lines you have
> added to the [global] section of your smb.conf.
>
> Go and read this:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> Which I think you may have already done, but if you have done,
> read it again, but this time ignore the POSIX ACLs section, you can
> only use those on a Unix domain member, you must use Windows ACLs
> on a DC.

May I kindly ask you how will that help me to handle missing Winbind
problem?

The setup I am using is in real use, and ruining it is not an option.

The winbindd from winbind package explicitly refuses to run on the
current computer role, but no other process seems to provide winbind
services. How can I handle this?

Sincerely,

Konstantin


It should run, try replacing the server services line with this:

server services = -dns

It does exactly the same thing as your existing line, it turns off the
internal DNS server, but if there is anything wrong with your line it
will remove those errors without changing anything else.

I take it you are only starting the 'samba' binary and are not also
trying to start any other Samba binary.

Thanks. I will try the above "server services" line, too. Restarting samba handled the issue.

Sincerely,
Konstantin
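
Added example (not part of the original messages, and not Samba's own code): a small check that resolves a "server services" value the way the thread describes, showing that "-dns" yields the same list as the explicit line in the quoted smb.conf, and that flags the winbind settings mentioned above on an AD DC. The default service list is an assumption taken from smb.conf(5); the helper names and the sample config are constructed for illustration.

```python
# Assumption: default "server services" list as documented in smb.conf(5).
DEFAULT_SERVICES = ["s3fs", "rpc", "nbt", "wrepl", "ldap", "cldap", "kdc",
                    "drepl", "winbindd", "ntp_signd", "kcc", "dnsupdate", "dns"]

def effective_services(value=None):
    """Resolve 'server services'; +name/-name entries modify the default list."""
    if value is None:
        return list(DEFAULT_SERVICES)
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not any(i[0] in "+-" for i in items):
        return items  # a plain list replaces the default completely
    result = list(DEFAULT_SERVICES)
    for item in items:
        name = item[1:].strip()
        if item[0] == "-" and name in result:
            result.remove(name)
        elif item[0] == "+" and name not in result:
            result.append(name)
    return result

def global_params(text):
    """Minimal smb.conf reader (hypothetical helper): [global] keys, lower-cased."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, val = line.split("=", 1)
            params[" ".join(key.lower().split())] = val.strip()
    return params

def dc_winbind_findings(text):
    """Report the winbind-related points from the thread for an AD DC config."""
    p = global_params(text)
    if p.get("server role", "").lower() != "active directory domain controller":
        return []
    out = []
    if "winbindd" not in effective_services(p.get("server services")):
        out.append("'samba' will not start its internal winbindd")
    for key in ("winbind enum users", "winbind enum groups"):
        if p.get(key, "no").lower() == "yes":
            out.append(key + " = yes (set to no after testing)")
    return out

# Constructed sample: abridged from the smb.conf quoted in the thread.
SAMPLE = """[global]
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    winbind enum users = yes
"""
```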
