L.P.H. van Belle
2015-Apr-02 06:36 UTC
[Samba] sssd-ad cannot be installed with sernet samba
I don't get all this hassle... (again)

Sernet works fine, all my servers (DCs/members) are using sernet samba.
Only not my proxy servers. These use backported samba (because of a modified squid I'm using).
You just need to set up as the wiki says.

nss/winbind does work, yes, there is 1 missing file, just created it.
(and this is not needed on a DC!)
winbind does work, but on a DC winbind is a bit different, yes.

If you really want sernet support, buy the support at sernet.
It is already nice of them that they are making packages.

And still, lots of talk here, but no one is saying what is not working.
Yes.. 1 missing file, read the wiki, the solution is there also.

sssd does not work.. that's a sssd problem, and WHY does sssd not work,
ever try to recompile it.. I did on ubuntu and debian..
but then you know. sernet only supplies samba, and not sssd kerberos etc..
which are all dependencies of sssd.

So set up samba from distro or source and use sssd,
or set up samba with sernet packages, and use nss/winbind.

Then if you have a problem, post it here again.
Again too much time spent on a topic which comes up every few months.

Greetz,

Louis

>-----Original message-----
>From: buhorojo.lcb at gmail.com
>[mailto:samba-bounces at lists.samba.org] On behalf of buhorojo
>Sent: Wednesday 1 April 2015 22:12
>To: samba at lists.samba.org
>Subject: Re: [Samba] sssd-ad cannot be installed with sernet samba
>
>On 01/04/15 22:00, Luca Olivetti wrote:
>> On 01/04/15 at 21:50, buhorojo wrote:
>>> On 01/04/15 18:56, Luca Olivetti wrote:
>>>> On 01/04/15 at 17:59, buhorojo wrote:
>>>>
>>>>> The poster reported that nss doesn't work. Try it. Both getent and id
>>>>> return errors with winbind. That's an error with sernet, not sssd. Many
>>>>> of the questions on this list are about errors with nss. sssd makes
>>>>> those errors go away.
>>>> Actually I reported that I couldn't install the sssd-ad package
>>>> alongside the sernet-samba packages.
>>>> I didn't even try winbind, because it's not supposed to work on the DC.
>>>>
>>>> Bye
>>> Ah, OK. We have samba 4.1 from about a year ago and it doesn't work,
>>> which is why I think sssd was installed back then. If sernet has a more
>>> recent version it has most likely been fixed. Give it a try without
>>> sssd? If you do, can you post back here?
>> I'm currently using the ldap backend of sssd, previously I tried nslcd,
>> again, successfully.
>> The ad backend of sssd seemed the most obvious solution, however I won't
>> lose sleep over it.
>>
>> Bye
>>
>I don't think you're losing so much. One of the best bits of sssd-ad is
>the dns update, which you don't use on a dc anyway.
>B
On 02/04/15 07:36, L.P.H. van Belle wrote:
> I don't get all this hassle... (again)

+1

>
> Sernet works fine, all my servers (DCs/members) are using sernet samba.
> Only not my proxy servers. These use backported samba (because of a modified squid I'm using).
> You just need to set up as the wiki says.

+1

>
> nss/winbind does work, yes, there is 1 missing file, just created it.
> (and this is not needed on a DC!)
> winbind does work, but on a DC winbind is a bit different, yes.

You could say the same about the standard Debian backports packages

>
> If you really want sernet support, buy the support at sernet.
> It is already nice of them that they are making packages.

Yes, please remember, they do not have to do this.

> And still, lots of talk here, but no one is saying what is not working.
> Yes.. 1 missing file, read the wiki, the solution is there also.

Er, I did point out that there was a missing file. Are you sure it
mentions the missing file on the samba wiki? If not, I will add it to
the member server page (which really needs retitling, you can use the
same setup for a Linux client).

> sssd does not work.. that's a sssd problem, and WHY does sssd not work,
> ever try to recompile it.. I did on ubuntu and debian..
> but then you know. sernet only supplies samba, and not sssd kerberos etc..
> which are all dependencies of sssd.

Ah, but sssd does work, it just doesn't install with the sernet
packages, so you pay your money (nothing) and take your choice, either
samba from Jessie and sssd, or use the sernet packages and do not use sssd.

Rowland

> So set up samba from distro or source and use sssd,
> or set up samba with sernet packages, and use nss/winbind.
>
> Then if you have a problem, post it here again.
> Again too much time spent on a topic which comes up every few months.
>
>
> Greetz,
>
> Louis
On 02/04/15 at 10:05, Rowland Penny wrote:
> Ah, but sssd does work, it just doesn't install with the sernet
> packages,

Which is exactly what I reported in my first mail (as per the subject)

> so you pay your money (nothing) and take your choice, either
> samba from Jessie and sssd, or use the sernet packages and do not use sssd.

Or use sssd without the ad backend, which is what I did and said so in a
follow-up email.

I apologize if I offended some sensibilities by insinuating that it could
be a bug in the ubuntu packaging of sernet-samba and asking where I could
report it.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
On 02/04/15 08:36, L.P.H. van Belle wrote:
> nss/winbind does work, yes, there is 1 missing file, just created it.
> ( and this is not needed on a DC ! )

So you are telling us that something that returns:
/bin/false
when:
/bin/bash
is specified in the database is a piece of software that is working?
On 02/04/15 10:20, buhorojo wrote:
> On 02/04/15 08:36, L.P.H. van Belle wrote:
>> nss/winbind does work, yes, there is 1 missing file, just created it.
>> ( and this is not needed on a DC ! )
> So you are telling us that something that returns:
> /bin/false
> when:
> /bin/bash
> is specified in the database is a piece of software that is working?
>

You only need a shell if you are logging into the DC and you shouldn't
be, the samba wiki couldn't be much plainer, it is not recommended to use
the DC as a fileserver!

However, if you must use the DC as a fileserver, investigate the
'template' lines for smb.conf

Rowland
L.P.H. van Belle
2015-Apr-02 09:31 UTC
[Samba] sssd-ad cannot be installed with sernet samba
>Er, I did point out that there was a missing file. Are you sure it
>mentions the missing file on the samba wiki ? If not, I will add it to
>the member server page (which really needs retitling, you can use the
>same setup for a Linux client).

Here you go.
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Setting_up_PAM_authentication

Not the missing file, but the solution to it to avoid the problem. ;-)

Louis
L.P.H. van Belle
2015-Apr-02 09:50 UTC
[Samba] sssd-ad cannot be installed with sernet samba
Looks to me like your setup is not correct..
Just set the UID for the user if you have an AD backend configured (like my setup below),
configure nsswitch and you see it works.
OR, like below, set up a RID backend and enable the template lines.

Look here, this is my DC setup.

[global]
    workgroup = DOMAIN
    realm = DOMAIN.PRIVATE
    netbios name = DC1
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

    ## KEEP THIS OFF !! Only used for modifying the AD Schema
    ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
    dsdb:schema update allowed = no

    ## Don't forget to set the idmap_ldb on ALL DC's if you use it
    idmap_ldb:use rfc2307 = yes

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-3999999

    # when using idmap backend RID enable these
    #template shell = /bin/false
    #template homedir = /home/users/%ACCOUNTNAME%

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes

    interfaces = 127.0.0.1 192.168.0.1
    bind interfaces only = yes
    time server = yes
    wins support = yes

And this is my member setup.

[global]
    netbios name = MEMBER5
    workgroup = DOMAIN
    security = ADS
    realm = DOMAIN.PRIVATE
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    interfaces = 127.0.0.1 192.168.0.5
    bind interfaces only = yes

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-3999999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

    # user Administrator workaround, without it you are unable to set privileges
    username map = /etc/samba/user.map

    # when using idmap backend RID enable these
    #template shell = /bin/bash
    #template homedir = /home/users/%ACCOUNTNAME%
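
The check below is an added example, not part of the original thread and not Samba code: it reads the idmap lines of a [global] section like the ones posted above, flags overlapping ID ranges, and reports when login shells will come from `template shell` rather than from AD. The names `parse_global` and `check` are hypothetical; it assumes the `winbind nss info` behaviour and the `/bin/false` default of `template shell` in the Samba releases discussed in this thread.

```python
import re

# Constructed sample: idmap/winbind lines from the member setup quoted above.
SAMPLE = """\
[global]
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config DOMAIN : backend = ad
    idmap config DOMAIN : range = 10000-3999999
    winbind nss info = rfc2307
    #template shell = /bin/bash
"""
IDMAP = re.compile(r"idmap config\s+(\S+)\s*:\s*(\w+)$", re.I)

def parse_global(text):
    """Split [global] into plain options and per-domain idmap options."""
    params, idmap, in_global = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or commented-out option
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP.match(key)
            if m:
                idmap.setdefault(m.group(1), {})[m.group(2).lower()] = value
            else:
                params[" ".join(key.lower().split())] = value
    return params, idmap

def check(text):
    """Return findings about idmap range overlap and login-shell source."""
    params, idmap = parse_global(text)
    ranges = sorted((*map(int, o["range"].split("-")), d)
                    for d, o in idmap.items() if "range" in o)
    findings = [f"ranges overlap: {d1} {l1}-{h1} and {d2} {l2}-{h2}"
                for (l1, h1, d1), (l2, h2, d2) in zip(ranges, ranges[1:])
                if l2 <= h1]
    shell = params.get("template shell", "/bin/false (default)")
    for domain, opts in idmap.items():
        backend = opts.get("backend")
        if backend == "rid":
            findings.append(f"{domain}: rid backend, template shell = {shell}")
        elif backend == "ad" and params.get("winbind nss info") != "rfc2307":
            findings.append(f"{domain}: ad backend without rfc2307 nss info, "
                            f"template shell = {shell}")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE) or "no findings")
```
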
Greetings, L.P.H. van Belle!

> I don't get all this hassle... (again)

> Sernet works fine, all my servers (DCs/members) are using sernet samba.
> Only not my proxy servers. These use backported samba (because of a modified squid I'm using).
> You just need to set up as the wiki says.

> nss/winbind does work, yes, there is 1 missing file, just created it.
> (and this is not needed on a DC!)
> winbind does work, but on a DC winbind is a bit different, yes.

> If you really want sernet support, buy the support at sernet.
> It is already nice of them that they are making packages.

> And still, lots of talk here, but no one is saying what is not working.
> Yes.. 1 missing file, read the wiki, the solution is there also.

> sssd does not work.. that's a sssd problem, and WHY does sssd not work,
> ever try to recompile it.. I did on ubuntu and debian..
> but then you know. sernet only supplies samba, and not sssd kerberos etc..
> which are all dependencies of sssd.

> So set up samba from distro or source and use sssd,
> or set up samba with sernet packages, and use nss/winbind.

> Then if you have a problem, post it here again.
> Again too much time spent on a topic which comes up every few months.

If it comes up so often, isn't it obvious that there's something
fundamentally wrong with the subject of the topic?
If you are only using functionality provided by that package, it doesn't
mean there are no other use cases possible.

That said, I can give you one argument and I would like to see you counter it.

Providing an application package under a different name than it is known by
in the respective package management system is only sensible if your package
is supposed to coexist with the same application packaged by a different
vendor. PHP5x packages by https://launchpad.net/~skettler would be an example.
But if that is not the case, and your packaging is supposed to be a complete
replacement, you absolutely must provide the same names, or you will break
the whole packaging manager, and anything that is dependent on the application
you package will not be able to be installed until your packages are removed.

Also, I would really appreciate it if you don't top-post. It makes reading
the messages unnecessarily hard.

--
With best regards,
Andrey Repin
Thursday, April 2, 2015 19:02:57

Sorry for my terrible english...