Konstantin Boyandin
2018-Dec-04 05:34 UTC
[Samba] WinbinD no longer available in Samba 4.7.6
Hello,
Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
After recent update, winbind failed to update, until I disabled it (it
didn't start anyway). When run as
# winbindd -d 9 -i
it prints in the end:
server role = 'active directory domain controller' not compatible with
running the winbindd binary.
You should start 'samba' instead, and it will control starting the
internal AD DC winbindd implementation, which is not the same as this
one
smbd currently is listening on 139 and 445 ports - thus, I assume, it
serves winbind itself. However, it isn't available any more for PAM. How
shall I use Samba internal winbind implementation? When I initially
installed and set up ADs, wbinfo worked fine. Currently, it says:
# wbinfo -P
could not obtain winbind interface details:
WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
checking the NETLOGON for domain[] dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
How do I make winbind available (that means available for PAM, as well)?
Note: libpam_winbind is installed.
Current smb.conf:
[global]
bind interfaces only = Yes
interfaces = lo ens3
netbios name = DC
realm = EXAMPLE.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
winbind enum users = yes
winbind enum groups = yes
winbind nss info = rfc2307
template shell = /bin/bash
template homedir = /home/%u
workgroup = EXAMPLE
server string = EXAMPLE.COM domain controller
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
log level = 0
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls verify peer = no_check
acl:search = no
panic action = /usr/share/samba/panic-action %d
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
pam password change = yes
map to guest = bad user
usershare allow guests = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/sysvol/example.com/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[profiles]
comment = Users profiles
path = /srv/samba/profiles/
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr
--
Sincerely,
Konstantin
Hai,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Konstantin Boyandin via samba
> Sent: Tuesday 4 December 2018 6:35
> To: samba at lists.samba.org
> Subject: [Samba] WinbinD no longer available in Samba 4.7.6
>
> How do I make winbind available (that means available for
> PAM, as well)?

I suggest reading:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Short version: samba-ad-dc is starting winbind, so don't start it manually.
For PAM support install: libnss-winbind libpam-winbind
Configure nss_switch.conf and run pam-auth-update

And set these to no, when you're done testing.

> winbind enum users = yes
> winbind enum groups = yes

See your users: id username or getent passwd username.

Greetz,

Louis
On Tue, 4 Dec 2018 09:59:14 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I suggest reading:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> Short version: samba-ad-dc is starting winbind, so don't start it
> manually. For PAM support install: libnss-winbind libpam-winbind
> Configure nss_switch.conf and run pam-auth-update
>
> > Current smb.conf:
> >
> > [global]
> > bind interfaces only = Yes
> > interfaces = lo ens3
> > netbios name = DC
> > realm = EXAMPLE.COM
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > idmap_ldb:use rfc2307 = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nss info = rfc2307
> > template shell = /bin/bash
> > template homedir = /home/%u
> > workgroup = EXAMPLE
> > server string = EXAMPLE.COM domain controller
> > dns proxy = no
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> > log level = 0
> > tls enabled = yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > tls verify peer = no_check
> > acl:search = no
> > panic action = /usr/share/samba/panic-action %d
> > passdb backend = tdbsam
> > obey pam restrictions = yes
> > unix password sync = yes
> > passwd program = /usr/bin/passwd %u
> > passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:
> > pam password change = yes
> > map to guest = bad user
> > usershare allow guests = yes
> >
> > [netlogon]
> > comment = Network Logon Service
> > path = /var/lib/samba/sysvol/example.com/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> > [profiles]
> > comment = Users profiles
> > path = /srv/samba/profiles/
> > browseable = No
> > read only = No
> > force create mode = 0600
> > force directory mode = 0700
> > csc policy = disable
> > store dos attributes = yes
> > vfs objects = acl_xattr

Go and read 'man smb.conf', then remove most of the lines you have added to the [global] section of your smb.conf.

Go and read this:
https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Which I think you may already have done, but if you have done, read it again, but this time ignore the POSIX ACLs section; you can only use those on a Unix domain member, you must use Windows ACLs on a DC.

Rowland
Konstantin Boyandin
2018-Dec-04 09:45 UTC
[Samba] WinbinD no longer available in Samba 4.7.6
L.P.H. van Belle via samba wrote on 2018-12-04 15:59:

> I suggest reading:
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> Short version: samba-ad-dc is starting winbind, so don't start it
> manually.
> For PAM support install: libnss-winbind libpam-winbind
> Configure nss_switch.conf and run pam-auth-update
>
> And set these to no, when you're done testing.
>> winbind enum users = yes
>> winbind enum groups = yes
> See your users: id username or getent passwd username.

None are returned, with 'yes' or 'no' settings.

And as far as I see, the recommendations from the above document are met. But winbindd refuses to start (I cited its message), and no other 'winbind' process is running, either.

How do I make samba 4.7-provided winbind run? Are some winbind settings possibly missing (the smb.conf has been generated by the domain upgrade process)?

Sincerely,
Konstantin
> >> server role = 'active directory domain controller' not
> >> compatible with running the winbindd binary.
> >> You should start 'samba' instead, and it will control starting the
> >> internal AD DC winbindd implementation, which is not the same as this
> >> one

This is all correct what I see:

systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl enable samba-ad-dc

This makes sure you start up the correct parts of samba.
You cannot start winbindd on the ADDC manually, that is started by the samba-ad-dc process.

systemctl restart samba-ad-dc

With the compiled packages (debian/ubuntu) don't use 'samba', it's smbd nmbd winbind or samba-ad-dc.
Yes, samba works, but don't use it, so confusing.

Greetz,

Louis
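
A way to check the setup discussed in this thread, as an added example that is not part of the original posts: it reads `server role` from smb.conf to decide which units should be running and checks that nsswitch.conf lists winbind for passwd and group. The function names are hypothetical and the sample files are constructed; paths are passed as arguments so the checks run on copies of the real files.

```shell
#!/bin/sh
# Added example: offline checks for the AD DC winbind setup discussed above.
# Paths are arguments so the checks can run on copies of the real files.

# Print the value of a [global] parameter from an smb.conf-style file.
smb_global_param() {  # $1 = file, $2 = lower-case parameter name
    awk -v want="$2" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == want) { print val; exit }
        }' "$1"
}

# Units that should be running for this smb.conf, per the thread's advice.
expected_units() {  # $1 = smb.conf
    case "$(smb_global_param "$1" "server role" | tr 'A-Z' 'a-z')" in
        "active directory domain controller") echo "samba-ad-dc" ;;
        *) echo "smbd nmbd winbind" ;;
    esac
}

# Succeed if an nsswitch.conf database line lists winbind as a source.
nss_uses_winbind() {  # $1 = file, $2 = database (passwd or group)
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit !found }' "$1"
}

# Print the expected units, then one line per database that lacks winbind.
check_setup() {  # $1 = smb.conf, $2 = nsswitch.conf
    echo "units: $(expected_units "$1")"
    for db in passwd group; do
        nss_uses_winbind "$2" "$db" || echo "nsswitch: $db lacks winbind"
    done
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
printf '[global]\n\tserver role = active directory domain controller\n' > "$demo/smb.conf"
printf 'passwd: compat winbind\ngroup: compat\n' > "$demo/nsswitch.conf"
check_setup "$demo/smb.conf" "$demo/nsswitch.conf"
rm -rf "$demo"
```

On a live host, the unit list printed here can be compared against `systemctl is-enabled` for each of the units named in the thread.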