
Re: [Samba] Troubleshooting help?
I probably should have led with this, but I did not create or deploy this particular setup, I was charged with keeping it going after the main person left.  I have zero experience with Samba or Centrify, or I should say *had* no experience until this.

So, I frankly have very little idea of what most of these options are for or why they're set the way they are.  I can certainly edit per your suggestions and see if it helps at all.  I have noticed that as people are getting window pop-ups asking them to enter their credentials (which they shouldn't get of course), I'm seeing a corresponding error in the log.smbd file that says "lookup_name_smbconf for <domain>\<user> failed", so I'm trying to see if I can find anything more specific about what might be causing that issue.

Also, I do have samba-winbind-4.8.3 installed and winbind appears to be running (ps -ef |grep winbind returns two lines of "/usr/sbin/winbindd -s /etc/centrifydc/smb2.conf"). As to why this is using Centrify vice any other product, I cannot speak to that.
Thanks much!
Scott

________________________________
From: samba <samba-bounces@xxxxxxxxxxxxxxx> on behalf of Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
Sent: Monday, January 28, 2019 8:35 AM
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Troubleshooting help?

On Mon, 28 Jan 2019 17:19:03 +0000
Scott Z. <sudz28@xxxxxxxxxxx> wrote:

> Thank you Rowland!  I guess that's part of my confusion, I'm not sure
> how to best debug where Centrify ends and Samba begins.  But if these
> log.smbd errors indicate Centrify vice Samba, I'm good with that.  My
> global smb.conf is (didn't bother with the commented out stuff):

I have added some comments to your smb.conf:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
netbios name = <the server name> <-- don't really need this
machine password timeout = 0 <-- Why is this turned off ?
passdb backend = tdbsam:/var/lib/samba/private/passdb.tdb <-- you don't need anything after 'tdbsam', but you do not need the whole line, it is the default setting
kerberos method = secrets and keytab
server signing = auto <-- bad idea to set this
client ntlmv2 auth = yes <-- Default setting
ntlm auth = yes <-- do you really want to use
client use spnego = yes <-- Default setting
template shell = /bin/bash
winbind use default domain = Yes
winbind enum users = No <-- Default setting
winbind enum groups = No <-- Default setting
winbind nested groups = Yes <-- Default setting
idmap cache time = 0 <-- this turns winbind's cache off
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000 <-- bad range, you cannot have any local Unix users
idmap config * : base_tdb = 0 <-- what is this ??
enable core files = false <-- if Samba crashes, you will not get any core dumps
log level = 2

Or to put it another way, it only needs to be this:

[global]
security = ADS
realm = <our domain name>
workgroup = <our workgroup name>
kerberos method = secrets and keytab
template shell = /bin/bash
winbind use default domain = Yes
idmap config * : backend = tdb
idmap config * : range = 1000 - 200000000
log level = 2

If this was a normal Samba Unix domain member
it would also have (at least) these two lines:

idmap config <our workgroup name> : backend = rid
idmap config <our workgroup name> : range = 2000000001 - 300000000

You are using Samba 4.8.3, so you need to have winbind running, so now
we come to the big question:

Why do you feel you need Centrify instead of winbind ?

What does it give you that Samba + winbind doesn't ?

Rowland
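The checks Rowland walks through above (the idmap range that collides with local Unix UIDs, the disabled idmap cache, core files turned off, NTLMv1 left enabled, an explicit server signing setting) can be turned into a small lint so the same mistakes are caught on the next server. The script below is an added example for this archive page, not code from Rowland, Scott, Samba or Centrify. The two smb.conf texts are constructed: the first mirrors the [global] section quoted in the thread with EXAMPLE/EXAMPLE.COM standing in for the redacted names, the second is the trimmed-down version Rowland suggests with non-overlapping idmap ranges. The LOCAL_UID_MAX value is an assumption based on the usual UID_MAX in /etc/login.defs; adjust it to the box you are checking.

```python
"""Lint a Samba smb.conf [global] section for the idmap and security pitfalls
discussed in the thread. Added example, not from the mailing list thread."""
import re
from itertools import combinations

# Constructed sample mirroring the thread's [global] section (names replaced).
SAMPLE_SMB_CONF = """
[global]
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    machine password timeout = 0
    server signing = auto
    ntlm auth = yes
    idmap cache time = 0
    idmap config * : backend = tdb
    idmap config * : range = 1000 - 200000000
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 2000000001 - 300000000
    enable core files = false
    log level = 2
"""

# Constructed sample of the trimmed config with ranges that leave room for
# local accounts and do not overlap each other.
CORRECTED_SMB_CONF = """
[global]
    security = ADS
    realm = EXAMPLE.COM
    workgroup = EXAMPLE
    kerberos method = secrets and keytab
    template shell = /bin/bash
    winbind use default domain = yes
    idmap config * : backend = tdb
    idmap config * : range = 100000 - 199999
    idmap config EXAMPLE : backend = rid
    idmap config EXAMPLE : range = 200000 - 299999
    log level = 2
"""

# Assumption: local accounts stay below UID_MAX from /etc/login.defs (60000 on
# most distributions), so an idmap range must start above it.
LOCAL_UID_MAX = 60000


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. Parameter names keep their case
    but have internal whitespace collapsed, e.g. 'idmap config * : range'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split())] = value.strip()
    return sections


def parse_range(value):
    """'LOW - HIGH' -> (LOW, HIGH) as ints, or None if the syntax is wrong."""
    m = re.match(r"^\s*(\d+)\s*-\s*(\d+)\s*$", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_global(text, local_uid_max=LOCAL_UID_MAX):
    """Return a list of human-readable findings for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    # Settings the thread singles out, each with its practical consequence.
    flagged = [
        ("idmap cache time", "0", "idmap cache time = 0 turns winbind's idmap cache off"),
        ("enable core files", "false", "enable core files = false: no core dump if smbd crashes"),
        ("ntlm auth", "yes", "ntlm auth = yes permits NTLMv1 authentication"),
        ("machine password timeout", "0", "machine password timeout = 0 stops machine account password rotation"),
        ("server signing", None, "server signing is set explicitly; leave it at the default unless required"),
    ]
    for key, bad_value, msg in flagged:
        if key in g and (bad_value is None or g[key].lower() == bad_value):
            findings.append(msg)
    if "idmap config * : backend" not in g:
        findings.append("no 'idmap config * : backend' (default domain) configured")
    # Validate every idmap range: syntax, ordering, clearance above local UIDs.
    ranges = {}
    for key, value in g.items():
        m = re.match(r"^idmap config (.+?) : range$", key)
        if not m:
            continue
        dom, rng = m.group(1), parse_range(value)
        if rng is None:
            findings.append(f"idmap range for '{dom}' is not 'LOW - HIGH': {value}")
        elif rng[0] > rng[1]:
            findings.append(f"idmap range for '{dom}' has low end above high end: {value}")
        else:
            if rng[0] <= local_uid_max:
                findings.append(f"idmap range for '{dom}' starts at {rng[0]}, inside the local UID space (<= {local_uid_max})")
            ranges[dom] = rng
    # Ranges of different domains must not overlap, or IDs become ambiguous.
    for (d1, r1), (d2, r2) in combinations(sorted(ranges.items()), 2):
        if r1[0] <= r2[1] and r2[0] <= r1[1]:
            findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    return findings


if __name__ == "__main__":
    for name, conf in (("thread config", SAMPLE_SMB_CONF), ("trimmed config", CORRECTED_SMB_CONF)):
        print(f"== {name}: {len(lint_global(conf))} finding(s)")
        for f in lint_global(conf):
            print("  -", f)
```

To check a live host, feed it the real file (`lint_global(open("/etc/samba/smb.conf").read())`) or, better, the output of Samba's own `testparm -s`, which expands includes and rejects syntax errors before this lint looks at the values. The range checks only say whether the numbers are self-consistent and clear of local accounts; whether a given range is large enough for the domain is still a sizing decision.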

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba