Re: [Samba] Sample smb.conf for ADs authentication
- Date: Fri, 14 Dec 2018 09:41:41 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Sample smb.conf for ADs authentication
On Thu, 13 Dec 2018 19:10:38 -0500
Gilbert Soucy <gsoucy@xxxxxxxxx> wrote:
> I was able to follow most of the steps in the wiki but I seem to
> have an issue with winbind :
> wbinfo --ping-dc
> is failing with:
> [root@tungsten-2 samba]# wbinfo --ping-dc
> checking the NETLOGON for domain[-not available-] dc connection to ""
> failed failed to call wbcPingDc: WBC_ERR_NOT_IMPLEMENTED
> Why is that all wrong since I was able to join the domain ?
> How to fix that ?
> Also, just to confirm, do I need to touch sssd at all ? Should it be
> running, with any specific config ?
Well, in my opinion, 'yum remove sssd' would be a very good idea ;-)
You do not need sssd, it isn't a Samba product and, as such, it
isn't supported here.
> See my config and details below.
> I have been able to join the domain:
> [root@server samba]# net ads join -U admin
> Enter admin's password:
> Using short domain name -- DOMAIN
> Joined 'SERVER' to dns domain 'DOMAIN'
Is your short domain name (aka workgroup) really the same as your dns
> I can list the domain users on the windows AD server:
> [root@tungsten-2 samba]# net ads user
> Here is my smb.conf file
> security = ADS
> workgroup = DOMAIN
> realm = DOMAIN.COM
> log file = /var/log/samba/log.%m
> log level = 2
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 0-499
Why are you using '0-499' for the '*' domain ?
The '*' domain is for the 'Well Known SIDs' and anything outside the
'DOMAIN' domain, you are using the same numbers as the Unix system
users & groups.
Can I suggest you read this:
> # - You must set a DOMAIN backend configuration
> # idmap config for the SAMDOM domain
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 500-20000
> idmap config DOMAIN:unix_nss_info = yes
Again, why '500-20000' ?
You have removed the possibility of having any local Unix users.
Have you added any uidNumber & gidNumber attributes to AD ?
> comment = Share
> path = /share
> hide dot files = no
> dos filemode = yes
> inherit acls = yes
> inherit permissions = yes
> create mode = 0664
> directory mode = 0775
> directory mask = 0775
> force create mode = 0664
> force directory mode = 0775
> force group = lab
> vfs objects = recycle
> recycle: keeptree = yes
> recycle: versions = yes
> recycle:directory_mode = 770
> recycle:touch_mtime = yes
> guest ok = Yes
You really would be better off using Windows ACL's and setting these
from a Windows computer.
> In my /etc/nsswitch.conf file (and I restarted all services after
> the edit)
> passwd: files sss winbind
> shadow: files sss
> group: files sss winbind
Remove all the 'sss'
> The output of realm list:
Pointless here, 'realmd' isn't a Samba product, so we wouldn't know a
good one from a bad one and you do not need it anyway.
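The two range objections above (the '*' range and the DOMAIN range both sitting on top of the local Unix uid space) can be checked mechanically before winbind is started. The following is an added example, not code from the thread or from Samba: it parses the 'idmap config X : range' lines out of a constructed smb.conf that mirrors the poster's numbers, compares every range against a constructed /etc/passwd and against the other ranges, and reports each clash.

```python
import re

# Constructed smb.conf fragment (not the poster's file) using the same ranges
# that the reply objects to.
SMB_CONF = """
[global]
   security = ADS
   workgroup = DOMAIN
   realm = DOMAIN.COM
   idmap config * : backend = tdb
   idmap config * : range = 0-499
   idmap config DOMAIN:backend = ad
   idmap config DOMAIN:range = 500-20000
"""

# Constructed local accounts: root, nobody and one ordinary local user.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
gsoucy:x:1000:1000::/home/gsoucy:/bin/bash
"""

# Matches both spellings seen in the thread: '* : range' and 'DOMAIN:range'.
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def local_uids(passwd):
    """Numeric uids of every account in a passwd-format string."""
    return {int(l.split(":")[2]) for l in passwd.splitlines() if l.count(":") >= 6}


def check_idmap(conf, passwd):
    """List the idmap problems: missing '*' range, local uid clashes, range overlaps."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no range for the '*' default domain")
    for dom, (lo, hi) in ranges.items():
        clash = sorted(u for u in local_uids(passwd) if lo <= u <= hi)
        if clash:
            problems.append(f"{dom} range {lo}-{hi} overlaps local UIDs {clash}")
    doms = list(ranges.items())
    for i, (d1, (a1, b1)) in enumerate(doms):
        for d2, (a2, b2) in doms[i + 1:]:
            if a1 <= b2 and a2 <= b1:  # closed intervals intersect
                problems.append(f"{d1} range overlaps {d2} range")
    return problems
```

Run against the real files with `testparm -s` output and `getent passwd` once the ranges have been moved above the local uid space; an empty list is the expected result.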