On 27/10/14 14:43, bar?? tombul wrote:
> The file sharing, remote desktop, active directory services in samba
> 4.1.X versions are working. The remote desktop is not working in samba
> 4.2rcX versions.
This is probably down to 4.2rcX using the 'winbindd' daemon instead of
the earlier 'winbind' daemon.
>
> It is waiting at the remote desktop display. Simultaneously, if the
> samba service is aborted the remote desktop user can start a session. If
> the samba service is started, all other services operate without a problem.
>
> getent passwd
>
> In getent group commands,although the local user and domain users are
> enabled in samba 4.1.X versions, only the local users are enabled in
> 4.2.rcX versions.
>
> It only responds to a command like "getent passwd michael".
I believe that this is supposed to be a feature.
> The smb.conf file is as below:
>
> [global]
> server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc,
> drepl, ntp_signd, kcc, dnsupdate
> dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper
> +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
> obey pam restrictions = yes
> bind interfaces only = yes
> interfaces = ens192 lo
> max protocol = smb3
> logon path =
> logon script =
> logon home =
> kerberos method = system keytab
> name resolve order = wins bcast hosts
> server string = Samba Server
> security = user
> server role = active directory domain controller
> netbios name = SAMBA
> disable netbios = no
> preferred master = yes
> domain master = yes
> local master = yes
> domain logons = yes
> workgroup = FACILITY
> password server = samba.facility.local
> realm = FACILITY.LOCAL
> client ldap sasl wrapping = sign
> winbind separator = /
> winbind enum users = yes
> winbind enum groups = yes
> winbind expand groups = 1
> winbind nss info = rfc2307
> winbind nested groups = yes
> winbind offline logon = yes
> winbind refresh tickets = yes
> winbind normalize names = yes
> winbind rpc only = yes
> winbind sealed pipes = no
> winbind trusted domains only = no
> winbind cache time = 3600
> winbind reconnect delay = 30
> winbind max clients = 2000
> winbind use default domain = true
> hosts allow = ALL, 127.0.0.1
> encrypt passwords = yes
> machine password timeout = 0
> wins proxy = yes
> wins support = yes
> lanman auth = yes
> ntlm auth = yes
> client lanman auth = yes
> client ntlmv2 auth = yes
> client plaintext auth = yes
> hostname lookups = no
> nt pipe support = yes
> dns forwarder = 127.0.0.1
> allow dns updates = secure
> dns proxy = no
> passdb backend = ldapsam:ldap://127.0.0.1/
> dead time = 0
> nsupdate command = /usr/local/bin/nsupdate -g
> dbwrap_tdb_mutexes:* = yes
> idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
> idmap config ALL:default = yes
> idmap config ALL:readonly = yes
> idmap_ldb:use rfc2307 = yes
> idmap config * : range = 2000000-2999999
> idmap config * : backend = ldapsam:ldap://127.0.0.1/
> idmap config * : schema_mode = rfc2307
> idmap config * : readonly = no
> idmap config * : default = yes
> idmap config * : range = 2000000-2999999
> idmap config * : ldap_url = ldap://127.0.0.1/
> idmap config FACILITY : schema_mode = rfc2307
> idmap config FACILITY : readonly = no
> idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
> idmap config FACILITY : default = yes
> idmap config FACILITY : range = 2000000-2999999
> idmap config FACILITY : ldap_url = ldap://127.0.0.1/
> ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
> ldap suffix = DC=facility,DC=local
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Hosts
> ldap user suffix = ou=User
> ldap ssl = no
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> ldap delete dn = yes
> ldap passwd sync = yes
> pam password change = yes
> passwd program = /usr/local/samba/bin/smbpasswd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> os level = 255
>
> [homes]
> comment = Home Directories
> path = /mnt/storage/homes/%U
> browseable = no
> guest ok = no
> writable = yes
> read only = no
> create mask = 0664
> directory mask = 0775
> valid users = %U
> admin users = @"FACILITY\Domain Admins"
Funny that you have posted this, I have just discovered that you do not
need all the extra winbind lines in smb.conf with 4.2rcX, you get the
same result without them:
rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false
It would seem that 'winbindd' has been brought into use to get trusts
working correctly, but the 'unixHomeDirectory' & 'loginShell' attributes
are still being ignored, they are being set on a domain basis by hidden
smb.conf lines. Run 'samba-tool testparm -v' and amongst the output, you
will find these:
template homedir = /home/%D/%U
template shell = /bin/false
Setting these to blank i.e.
template homedir =
template shell =
doesn't help, you just get:
rowland:*:10000:10000:Rowland Penny::
I have a bug report open, I cannot understand why all the work was done
to use 'winbindd' instead of 'winbind' but did not get 'winbindd' to
work just like it does on a member server.
Rowland
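An added example, not code from this thread: a small Python check that tells whether the home directory and shell a `getent passwd` entry reports were produced from the `template homedir` / `template shell` values shown by `samba-tool testparm -v`, left blank, or taken from the per-user RFC2307 attributes. The testparm output and getent lines are constructed samples, and `%D` is assumed to expand to the `workgroup` value.

```python
# Constructed excerpt in the shape of `samba-tool testparm -v` output
# (only the lines this check needs; the real command prints every parameter).
TESTPARM_OUTPUT = """\
\tworkgroup = EXAMPLE
\ttemplate homedir = /home/%D/%U
\ttemplate shell = /bin/false
\twinbind use default domain = Yes
"""

# Constructed `getent passwd` lines for one user, one per behaviour
# described in the thread (template used, templates blanked, attributes honoured).
GETENT_TEMPLATE = "rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false"
GETENT_BLANK = "rowland:*:10000:10000:Rowland Penny::"
GETENT_RFC2307 = "rowland:*:10000:10000:Rowland Penny:/srv/home/rowland:/bin/bash"


def parse_testparm(text):
    """Return {parameter: value} from the `key = value` lines of testparm output."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith("["):
            key, _, value = stripped.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def expand(template, domain, user):
    """Expand the %D (domain) and %U (user) substitutions used by the templates."""
    return template.replace("%D", domain).replace("%U", user)


def classify(getent_line, params):
    """Say where the home dir and shell of a getent passwd entry came from."""
    fields = getent_line.split(":")
    user, home, shell = fields[0], fields[5], fields[6]
    domain = params.get("workgroup", "")  # assumption: %D expands to the workgroup
    want_home = expand(params.get("template homedir", ""), domain, user)
    want_shell = params.get("template shell", "")
    if home == "" and shell == "":
        return "blank"      # templates cleared; RFC2307 attributes still ignored
    if home == want_home and shell == want_shell:
        return "template"   # values match the expanded template parameters
    return "rfc2307"        # values differ from the template: per-user attributes in use


if __name__ == "__main__":
    p = parse_testparm(TESTPARM_OUTPUT)
    for line in (GETENT_TEMPLATE, GETENT_BLANK, GETENT_RFC2307):
        print(classify(line, p), "<-", line)
```

On a live system, feed the real `samba-tool testparm -v` output and `getent passwd <user>` line to the same functions to see whether winbindd is honouring the user's `unixHomeDirectory` and `loginShell`.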