Web lists-archives.com

Re: [Samba] Troubleshooting help?




On Mon, 28 Jan 2019 17:19:03 +0000
Scott Z. <sudz28@xxxxxxxxxxx> wrote:

> Thank you Rowland!  I guess that's part of my confusion, I'm not sure
> how to best debug where Centrify ends and Samba begins.  But if these
> log.smbd errors indicate Centrify vice Samba, I'm good with that.  My
> global smb.conf is (didn't bother with the commented out stuff):

I have added some comments to your smb.conf:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
netbios name = <the server name> <-- don't really need this
machine password timeout = 0 <-- Why is this turned off ?
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb <-- you don need anything after 'tdbsam', but you do not need the whole line, it is the default setting
kerberos method = secrets and keytab
server signing = auto <-- bad idea to set this
client ntlmv2 auth = yes <-- Default setting
ntlm auth = yes <-- do you really want to use 
client use spnego = yes <-- Default setting
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No <-- Default setting
winbind enum groups = No <-- Default setting
winbind nested groups = Yes <-- Default setting
idmap cache time = 0 <-- this turns winbind's cache off
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000 <-- bad range, you cannot have any local Unix users
idmap config * : base_tdb = 0 <-- what is this ??
enable core files = false <-- if Samba crashes, you will not get any core dumps
log level = 2

Or to put it another way, it only needs to be this:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
kerberos method = secrets and keytab
template shell = /bin/bash
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
log level = 2

If this was a normal Samba Unix domain member
it would also have (at least) these two lines:

idmap config <our workgroup name> : backend = rid 
idmap config <our workgroup name> : range = 2000000001 - 300000000

You are using Samba 4.8.3, so you need to have winbind running, so now
we come to the big question:

Why do you feel you need Centrify instead of winbind ?

What does it give you that Samba + winbind doesn't ?

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba