samba - Jul 2021 - Problem with Samba as Member to AD

On Sun, 2021-07-18 at 08:49 +0200, Mr Typo via samba
wrote:
> Hello all,
> 
> i hope you can help me. I have successfully set up a connection with
> samba to my domain controller. What works:
> * wbinfo -u / wbinfo -g
> * wbinfo -a
> * bet ads info
> 
> i hope you can help me! thank you!
> 
Lets start by fixing your smb.conf:

You have 'password server = 10.40.130.10' , you should remove this and
allow Samba to find a DC.

You have 'winbind use default domain = true' , you cannot use this with
autorid. Either remove this line or change the winbind backend to
'rid'.

You have 'guest ok = yes' in the 'shareshare' share, but you do
not
have 'map to guest = bad user' in '[global]' , so guest access
will not
work.

Now to your problem. Whilst 'wbinfo -u' may show your AD users, it does
not mean that the Unix OS knows your AD users. If you run 'getent
passwd an_AD_username' on the Samba server, does it produce output ?

As you haven't given us any information about your OS, I cannot advise
further, except to comment about your TLD. Using '.local' isn't
recommended, so if it is your TLD (and not sanitisation), then I
suggest you turn off Avahi on the Unix domain member (if it is running.

Rowland

Hello Rowland,

thank you for your first input. I did alot of testing, and yeah the
global section was not really clean :( Thank you!
i am using Centos8 and i was running nscd (system auth pure ldap
against the domain controller).

When i was shutting down nscd the authentication with samba/winbind was working.

When i search the internet i find messages that tells me that nscd +
winbind is NOT working, but other say that it is working. Can you
advise me here?

If you want to ask why i should want to run nscd/ldap + winbind. Well
i dont want to start winbind/samba on every linux machine just for
authentication. before trying nscd with winbind i tried sssd + winbind
-> complete messup.

any advice here?


best regards

On Sun, Jul 18, 2021 at 9:40 AM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Sun, 2021-07-18 at 08:49 +0200, Mr Typo via samba wrote:
> > Hello all,
> >
> > i hope you can help me. I have successfully set up a connection with
> > samba to my domain controller. What works:
> > * wbinfo -u / wbinfo -g
> > * wbinfo -a
> > * bet ads info
> >
> > i hope you can help me! thank you!
> >
>
> Lets start by fixing your smb.conf:
>
> You have 'password server = 10.40.130.10' , you should remove this
and
> allow Samba to find a DC.
>
> You have 'winbind use default domain = true' , you cannot use this
with
> autorid. Either remove this line or change the winbind backend to
> 'rid'.
>
> You have 'guest ok = yes' in the 'shareshare' share, but
you do not
> have 'map to guest = bad user' in '[global]' , so guest
access will not
> work.
>
> Now to your problem. Whilst 'wbinfo -u' may show your AD users, it
does
> not mean that the Unix OS knows your AD users. If you run 'getent
> passwd an_AD_username' on the Samba server, does it produce output ?
>
> As you haven't given us any information about your OS, I cannot advise
> further, except to comment about your TLD. Using '.local' isn't
> recommended, so if it is your TLD (and not sanitisation), then I
> suggest you turn off Avahi on the Unix domain member (if it is running.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba