samba - Nov 2024 - First Linux Machine Domain Join

I apparently haven't created the correct formula to get Samba to start 
winbindd on my workstation in the process of joining my domain. Testing 
winbindd connectivity fails:

 ??? ~ # wbinfo --ping-dc
 ??? could not obtain winbind interface details: 
WBC_ERR_WINBIND_NOT_AVAILABLE
 ??? could not obtain winbind domain name!
 ??? checking the NETLOGON for domain[] dc connection to "" failed
 ??? failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE

The join /partially/ succeeded:

 ??? ~ # net ads join -U administrator
 ??? Password for [SAMDOM\administrator]:
 ??? Using short domain name -- SAMDOM
 ??? Joined 'TERRA' to dns domain 'samdom.example.com'
 ??? DNS Update for terra.samdom.example.com failed: ERROR_DNS_UPDATE_FAILED
 ??? DNS update failed: NT_STATUS_UNSUCCESSFUL

I say "partially" in that, despite the errors above, the machine
record
is now present in the AD DC's /var/lib/samba/private/sam.ldb database 
and appears to be complete.

My current /etc/samba/smb.conf is:

[global]
 ?? security = domain
 ?? workgroup = SAMDOM
 ?? realm = SAMDOM.EXAMPLE.COM
 ?? server string = "John's Terra Workstation"
 ?? server role = member server

 ?? log file = /var/log/samba/log.%m
 ?? log level = 1
 ?? max log size = 50

 ?? idmap config * : backend = tdb
 ?? idmap config * : range = 3000-7999
 ?? idmap config SAMDOM:backend = ad
 ?? idmap config SAMDOM:schema_mode = rfc2307
 ?? idmap config SAMDOM:range = 10000-9999999
 ?? idmap config SAMDOM:unix_nss_info = yes

 ?? vfs objects = acl_xattr
 ?? map acl inherit = yes
 ?? store dos attributes = yes

 ?? template shell = /bin/bash
 ?? template homedir = /home/%U

I've made the requisite changes in /etc/nsswitch.conf and my 
distribution's Samba package supplies the pam configuration. Still, I'm 
obviously missing something.

- John

On Sat, 16 Nov 2024 10:38:06 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> I apparently haven't created the correct formula to get Samba to
> start winbindd on my workstation in the process of joining my domain.
> Testing winbindd connectivity fails:
Samba doesn't start any daemons on a Unix domain member, you have to do
it yourself.
> 
>  ??? ~ # wbinfo --ping-dc
>  ??? could not obtain winbind interface details: 
> WBC_ERR_WINBIND_NOT_AVAILABLE
>  ??? could not obtain winbind domain name!
>  ??? checking the NETLOGON for domain[] dc connection to ""
failed
>  ??? failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
> 
> The join /partially/ succeeded:
> 
>  ??? ~ # net ads join -U administrator
>  ??? Password for [SAMDOM\administrator]:
>  ??? Using short domain name -- SAMDOM
>  ??? Joined 'TERRA' to dns domain 'samdom.example.com'
>  ??? DNS Update for terra.samdom.example.com failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
That is usually caused by a mis-configuration of /etc/hosts.

 > 
> I say "partially" in that, despite the errors above, the machine
> record is now present in the AD DC's /var/lib/samba/private/sam.ldb
> database and appears to be complete.
> 
> My current /etc/samba/smb.conf is:
> 
> [global]
>  ?? security = domain
Sorry but that is incorrect, it should be 'security = ADS'
 
>  ?? workgroup = SAMDOM
>  ?? realm = SAMDOM.EXAMPLE.COM
>  ?? server string = "John's Terra Workstation"
>  ?? server role = member server
> 
>  ?? log file = /var/log/samba/log.%m
>  ?? log level = 1
>  ?? max log size = 50
> 
>  ?? idmap config * : backend = tdb
>  ?? idmap config * : range = 3000-7999
>  ?? idmap config SAMDOM:backend = ad
>  ?? idmap config SAMDOM:schema_mode = rfc2307
>  ?? idmap config SAMDOM:range = 10000-9999999
>  ?? idmap config SAMDOM:unix_nss_info = yes
> 
>  ?? vfs objects = acl_xattr
>  ?? map acl inherit = yes
>  ?? store dos attributes = yes
> 
>  ?? template shell = /bin/bash
>  ?? template homedir = /home/%U
> 
> I've made the requisite changes in /etc/nsswitch.conf and my 
> distribution's Samba package supplies the pam configuration. Still,
> I'm obviously missing something.
I use Debian and everything is setup automatically, but you need PAM
configuring correctly, along with the winbind nss links and
/etc/nsswitch.conf, but most of all, you need to have winbind running
;-)

Rowland