samba - Oct 2014 - winbind winbindd remote desktop

The file sharing, remote desktop, active directory services in samba
4.1.X versions are working. The remote desktop is not working in samba
4.2rcX versions.

It is waiting at the remote desktop display. Simultaneously, if the
samba service is aborted the remote desktop user can start a session. If
the samba service is started, all other services operate without a problem.

getent passwd

In getent group commands,although the local user and domain users are
enabled in samba 4.1.X versions, only the local users are enabled in
4.2.rcX versions.

It only responds to a  command liker "gettent passwd michael command"

The smb.conf file is as below:

[global]
   server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc,
drepl, ntp_signd, kcc, dnsupdate
   dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper
+rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
   obey pam restrictions = yes
   bind interfaces only = yes
   interfaces = ens192 lo
   max protocol = smb3
   logon path    logon script    logon home    kerberos method = system keytab
   name resolve order = wins bcast hosts
   server string = Samba Server
   security = user
   server role = active directory domain controller
   netbios name = SAMBA
   disable netbios = no
   preferred master = yes
   domain master = yes
   local master = yes
   domain logons = yes
   workgroup = FACILITY
   password server = samba.facility.local
   realm = FACILITY.LOCAL
   client ldap sasl wrapping = sign
   winbind separator = /
   winbind enum users = yes
   winbind enum groups = yes
   winbind expand groups = 1
   winbind nss info = rfc2307
   winbind nested groups = yes
   winbind offline logon = yes
   winbind refresh tickets = yes
   winbind normalize names = yes
   winbind rpc only = yes
   winbind sealed pipes = no
   winbind trusted domains only = no
   winbind cache time = 3600
   winbind reconnect delay = 30
   winbind max clients = 2000
   winbind use default domain = true
   hosts allow = ALL, 127.0.0.1
   encrypt passwords = yes
   machine password timeout = 0
   wins proxy = yes
   wins support = yes
   lanman auth = yes
   ntlm auth = yes
   client lanman auth = yes
   client ntlmv2 auth = yes
   client plaintext auth = yes
   hostname lookups = no
   nt pipe support = yes
   dns forwarder = 127.0.0.1
   allow dns updates = secure
   dns proxy = no
   passdb backend = ldapsam:ldap://127.0.0.1/
   dead time = 0
   nsupdate command = /usr/local/bin/nsupdate -g
   dbwrap_tdb_mutexes:* = yes
   idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
   idmap config ALL:default = yes
   idmap config ALL:readonly = yes
   idmap_ldb:use rfc2307 = yes
   idmap config * : range = 2000000-2999999
   idmap config * : backend = ldapsam:ldap://127.0.0.1/
   idmap config * : schema_mode = rfc2307
   idmap config * : readonly = no
   idmap config * : default = yes
   idmap config * : range = 2000000-2999999
   idmap config * : ldap_url = ldap://127.0.0.1/
   idmap config FACILITY : schema_mode = rfc2307
   idmap config FACILITY : readonly = no
   idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
   idmap config FACILITY : default = yes
   idmap config FACILITY : range = 2000000-2999999
   idmap config FACILITY : ldap_url = ldap://127.0.0.1/
   ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
   ldap suffix = DC=facility,DC=local
   ldap group suffix = ou=Groups
   ldap idmap suffix = ou=Idmap
   ldap machine suffix = ou=Hosts
   ldap user suffix = ou=User
   ldap ssl = no
   ldapsam:trusted = yes
   ldapsam:editposix = yes
   ldap delete dn = yes
   ldap passwd sync = yes
   pam password change = yes
   passwd program = /usr/local/samba/bin/smbpasswd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   os level = 255

   [homes]
   comment = Home Directories
   path = /mnt/storage/homes/%U
   browseable = no
   guest ok = no
   writable = yes
   read only = no
   create mask = 0664
   directory mask = 0775
   valid users = %U
   admin users = @"FACILITY\Domain Admins"

On 27/10/14 14:43, bar?? tombul wrote:
> The file sharing, remote desktop, active directory services in samba
> 4.1.X versions are working. The remote desktop is not working in samba
> 4.2rcX versions.
This is probably down to 4.2rcX using the 'winbindd' daemon instead of 
the earlier 'winbind' daemon.
>
> It is waiting at the remote desktop display. Simultaneously, if the
> samba service is aborted the remote desktop user can start a session. If
> the samba service is started, all other services operate without a problem.
>
> getent passwd
>
> In getent group commands,although the local user and domain users are
> enabled in samba 4.1.X versions, only the local users are enabled in
> 4.2.rcX versions.
>
> It only responds to a  command liker "gettent passwd michael
command"
I believe that this is supposed to be a feature.
> The smb.conf file is as below:
>
> [global]
>     server services = s3fs, winbindd, rpc, nbt, wrepl, cldap, ldap, kdc,
> drepl, ntp_signd, kcc, dnsupdate
>     dcerpc endpoint servers = +winreg +srvsvc +netlogon +samr +epmapper
> +rpcecho +lsarpc +dssetup +unixinfo +browser +eventlog6 +backupkey +remote
>     obey pam restrictions = yes
>     bind interfaces only = yes
>     interfaces = ens192 lo
>     max protocol = smb3
>     logon path >     logon script >     logon home >     kerberos
method = system keytab
>     name resolve order = wins bcast hosts
>     server string = Samba Server
>     security = user
>     server role = active directory domain controller
>     netbios name = SAMBA
>     disable netbios = no
>     preferred master = yes
>     domain master = yes
>     local master = yes
>     domain logons = yes
>     workgroup = FACILITY
>     password server = samba.facility.local
>     realm = FACILITY.LOCAL
>     client ldap sasl wrapping = sign
>     winbind separator = /
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind expand groups = 1
>     winbind nss info = rfc2307
>     winbind nested groups = yes
>     winbind offline logon = yes
>     winbind refresh tickets = yes
>     winbind normalize names = yes
>     winbind rpc only = yes
>     winbind sealed pipes = no
>     winbind trusted domains only = no
>     winbind cache time = 3600
>     winbind reconnect delay = 30
>     winbind max clients = 2000
>     winbind use default domain = true
>     hosts allow = ALL, 127.0.0.1
>     encrypt passwords = yes
>     machine password timeout = 0
>     wins proxy = yes
>     wins support = yes
>     lanman auth = yes
>     ntlm auth = yes
>     client lanman auth = yes
>     client ntlmv2 auth = yes
>     client plaintext auth = yes
>     hostname lookups = no
>     nt pipe support = yes
>     dns forwarder = 127.0.0.1
>     allow dns updates = secure
>     dns proxy = no
>     passdb backend = ldapsam:ldap://127.0.0.1/
>     dead time = 0
>     nsupdate command = /usr/local/bin/nsupdate -g
>     dbwrap_tdb_mutexes:* = yes
>     idmap config ALL:backend = ldapsam:ldap://127.0.0.1/
>     idmap config ALL:default = yes
>     idmap config ALL:readonly = yes
>     idmap_ldb:use rfc2307 = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : backend = ldapsam:ldap://127.0.0.1/
>     idmap config * : schema_mode = rfc2307
>     idmap config * : readonly = no
>     idmap config * : default = yes
>     idmap config * : range = 2000000-2999999
>     idmap config * : ldap_url = ldap://127.0.0.1/
>     idmap config FACILITY : schema_mode = rfc2307
>     idmap config FACILITY : readonly = no
>     idmap config FACILITY : backend = ldapsam:ldap://127.0.0.1/
>     idmap config FACILITY : default = yes
>     idmap config FACILITY : range = 2000000-2999999
>     idmap config FACILITY : ldap_url = ldap://127.0.0.1/
>     ldap admin dn = CN=Administrator,CN=Users,DC=facility,DC=local
>     ldap suffix = DC=facility,DC=local
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Hosts
>     ldap user suffix = ou=User
>     ldap ssl = no
>     ldapsam:trusted = yes
>     ldapsam:editposix = yes
>     ldap delete dn = yes
>     ldap passwd sync = yes
>     pam password change = yes
>     passwd program = /usr/local/samba/bin/smbpasswd %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>     os level = 255
>
>     [homes]
>     comment = Home Directories
>     path = /mnt/storage/homes/%U
>     browseable = no
>     guest ok = no
>     writable = yes
>     read only = no
>     create mask = 0664
>     directory mask = 0775
>     valid users = %U
>     admin users = @"FACILITY\Domain Admins"
Funny that you have posted this, I have just discovered that you do not 
need all the extra winbind lines in smb.conf with 4.2rcX, you get the 
same result without them:

rowland:*:10000:10000:Rowland Penny:/home/EXAMPLE/rowland:/bin/false

It would seem that 'winbindd' has been brought into use to get trusts 
working correctly, but the 'unixHomeDirectory'  &
'loginShell'
attributes are still being ignored, they are being set on a domain basis 
by hidden smb.conf lines. Run 'samba-tool testparm -v' and amongst the 
output, you will find these:

     template homedir = /home/%D/%U
     template shell = /bin/false

Setting these to blank i.e.

     template homedir      template shell 
doesn't help, you just get:

rowland:*:10000:10000:Rowland Penny::

I have a bug report open, I cannot understand why all the work was done 
to use 'winbindd' instead of 'winbind' but did not get
'winbindd' to
work just like it does on a member server.

Rowland