Greetings!

I am having a bit of an issue using Ubuntu 9.10 and AD 2003.

AD domain = dacrib.local
AD server = dim-2300.dacrib.local
IP = 10.0.0.60

Samba server = workhorse.dacrib.local
IP = 10.0.0.20

I have been following <https://help.ubuntu.com/community/Samba/Kerberos>, and my Kerberos seems set up properly, as I can get a ticket.

root@workhorse:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DACRIB.LOCAL

Valid starting     Expires            Service principal
03/27/10 18:36:58  03/28/10 04:37:05  krbtgt/DACRIB.LOCAL@DACRIB.LOCAL
        renew until 03/28/10 18:36:58

Then, following <https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto> I set up my Samba server, and was able to join it to the domain.

root@workhorse:/etc/samba# net ads info
LDAP server: 10.0.0.60
LDAP server name: dim-win2300.DaCrib.local
Realm: DACRIB.LOCAL
Bind Path: dc=DACRIB,dc=LOCAL
LDAP port: 389
Server time: Sat, 27 Mar 2010 19:09:28 EDT
KDC server: 10.0.0.60
Server time offset: 0

I can see my server in AD. Other domain members can browse to \\10.0.0.20, and see the defined shares, and access the files in there. So it appears to be properly joined to the domain, and sharing.

What's not working is winbind. I do *not* see any domain users or groups, from "wbinfo -u" or "wbinfo -g". "wbinfo --all-domains" does know about the AD domain, however:

root@workhorse:/etc/samba# wbinfo --all-domains
BUILTIN
WORKHORSE
DACRIB

I did edit nsswitch.conf:

root@workhorse:/etc/samba# more /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

At this point, I'm a bit lost. My eventual goal is to have any Linux user authenticate against the AD domain, but before I can get that far, I need winbind to work.

Any thoughts? Where do I go from here, to troubleshoot winbind not returning any users or groups?

smb.conf:

[global]
workgroup = DACRIB
realm = DACRIB.LOCAL
server string = %h server (Samba)
security = ADS
map to guest = Bad User
client use spnego = true
client ntlmv2 auth = yes
eventlog list = Application System Security SyslogLinux
# PAM AUTH
encrypt passwords = Yes
obey pam restrictions = Yes
pam password change = true
password server = dim-win2300.DaCrib.local
passdb backend = tdbsam
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
preferred master = No
domain master = No
local master = No
os level = 31
browse list = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
# WINBIND
idmap backend = ad
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nested groups = Yes
winbind refresh tickets = true
winbind nss info = rfc2307
invalid users = root
create mask = 0700
directory mask = 0775
writable = Yes
enable privileges = Yes
restrict anonymous = 2

[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers

[OldHome]
comment = The Old Home Folder
read only = No
path = /OldHome

Mike Leone
2010-Mar-27 23:39 UTC
[Samba] Problems with winbind and AD using Ubuntu 9.10 - MORE
D'OH! So sorry, I had forgotten to restart the services. I am properly seeing all users and groups from "wbinfo" and from "getent passwd" and "getent group". Boy, do I feel stupid. :-) Sorry for the waste of bandwidth.