Hi,

I am using samba 4.2.1 and want to clarify: do I need to start the winbindd service in AD and DC?

Read from the doc https://wiki.samba.org/index.php/RFC2307_backend, it said that:

  Users having a "server services" line in their DC smb.conf, need to replace the "winbind" entry by "winbindd":
    [global]
    server services = ....., winbind, winbindd

  Users not having a "server services" line (default values), need to add the parameter "winbindd":
    [global]
    server services = +winbind, -winbindd

Does it mean that we need to enable the winbindd service in the DC? The first one is clear, but the second one is making me confused.

1) server services = ....., winbind, winbindd
   Does that mean remove winbind and add the winbindd service?
2) server services = +winbind, -winbindd
   Does that mean add winbind and remove the winbindd service?

What is the difference between the winbind and winbindd service?

I tried:
With "server services = +winbind, -winbindd", the winbindd daemon will not start.
Without "server services = +winbind, -winbindd", the winbindd daemon will start. (That means the default is to start the winbindd service.)

Also, when winbindd is started in the DC, uid and gid cannot synchronize with AD. Without starting winbindd in the DC, the uid and gid of AD and DC are synchronized. It does not affect the uid and gid in AD with or without winbindd.
By the way, I got an uncaught exception error when using samba-tool ntacl sysvolcheck:

  ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/lan-domain.xxxxxx.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
      lp)
    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1730, in checksysvolacl
      direct_db_access)
    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1681, in check_gpos_acl
      domainsid, direct_db_access)
    File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1628, in check_dir_acl
      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

I ran samba-tool ntacl sysvolreset and it finished without error, but sysvolcheck still gives the above error. Is it a bug or did I mess something up?

Thanks,
Jacky
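The two descriptors in that error are long enough that the actual difference is easy to miss. The following helper is an added example (not from the thread and not Samba code) that splits each SDDL string into owner, group, DACL flags and ACEs and reports only the components that differ; the alias table is the standard SDDL two-letter SID set.

```python
import re

# Added helper, not from the thread or from Samba: splits the two SDDL strings
# that "samba-tool ntacl sysvolcheck" printed into their parts so the real
# difference stands out instead of having to eyeball the whole line.

# The two descriptors quoted in the error above (actual on disk vs. expected).
ACTUAL_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# Standard two-letter SID aliases that appear in these descriptors.
SDDL_ALIASES = {
    "LA": "local Administrator account", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}

# O:owner G:group D:dacl S:sacl; SIDs and ACE bodies never contain ':'.
_SDDL_RE = re.compile(r"^(?:O:(?P<owner>[^:]*?))?(?:G:(?P<group>[^:]*?))?"
                      r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>.*))?$")

def describe(sid):
    """'DA' -> 'DA (Domain Admins)'; unknown values are returned unchanged."""
    return "%s (%s)" % (sid, SDDL_ALIASES[sid]) if sid in SDDL_ALIASES else sid

def parse_sddl(sddl):
    """Return owner, group, DACL control flags and the DACL's ACE strings."""
    m = _SDDL_RE.match(sddl)
    if not m or not sddl.startswith(("O:", "G:", "D:", "S:")):
        raise ValueError("not an SDDL string: %r" % sddl)
    dacl = m.group("dacl") or ""
    return {
        "owner": m.group("owner"),
        "group": m.group("group"),
        "dacl_flags": dacl.split("(", 1)[0],       # "P": protected from inheritance
        "aces": re.findall(r"\(([^)]*)\)", dacl),  # one string per (...) ACE
    }

def sddl_diff(actual, expected):
    """Map each component that differs to (actual, expected)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}
```

For the two strings above, `sddl_diff(ACTUAL_SDDL, EXPECTED_SDDL)` returns `{'owner': ('LA', 'DA')}`: the seven ACEs and the group are identical, only the owner differs (LA, the local Administrator account, on disk versus DA, Domain Admins, expected).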
Hello,

On 03.06.2015 at 06:57, Jacky Chan wrote:
> I am using samba 4.2.1 and want to clarify that do I need to start the
> winbindd service in AD and DC?

I tried to clarify this on the page now:
https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd_on_a_Samba_DC

> By the way, I got an uncaught exception error when using samba-tool ntacl
> sysvolcheck:

There are some uncaught exceptions in sysvolcheck. :-)
Yours is already on bugzilla, too: https://bugzilla.samba.org/show_bug.cgi?id=9483

Regards,
Marc
Hi Marc,

On Wednesday, June 03, 2015 02:00 PM, Marc Muehlfeld wrote:
> Hello,
>
> On 03.06.2015 at 06:57, Jacky Chan wrote:
>> I am using samba 4.2.1 and want to clarify that do I need to start the
>> winbindd service in AD and DC?
> I tried to clarify this on the page now:
> https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd_on_a_Samba_DC

Does it mean: use winbindd in a member server and use winbind in a DC?

>> By the way, I got an uncaught exception error when using samba-tool ntacl
>> sysvolcheck:
> There are some uncaught exceptions in sysvolcheck. :-)
> Yours is already on bugzilla, too:
> https://bugzilla.samba.org/show_bug.cgi?id=9483

And what is the right owner of the policy object?

In AD:
  ls -l /var/lib/samba/sysvol/lan-domain.xxxxxx.com/Policies
  total 16
  drwxrwx---+ 4 LAN-DOMAIN\Administrator LAN-DOMAIN\Domain Admins 4096 Mar 24 20:22 {31B2F340-016D-11D2-945F-00C04FB984F9}/
  drwxrwx---+ 4 LAN-DOMAIN\Administrator LAN-DOMAIN\Domain Admins 4096 Mar 24 20:22 {6AC1786C-016F-11D2-945F-00C04FB984F9}/

In DC:
  ls -l /var/lib/samba/sysvol/lan-domain.xxxxxx.com/Policies
  total 16
  drwxrwx---+ 4 root LAN-DOMAIN\Domain Admins 4096 Mar 24 20:22 {31B2F340-016D-11D2-945F-00C04FB984F9}/
  drwxrwx---+ 4 root LAN-DOMAIN\Domain Admins 4096 Mar 24 20:22 {6AC1786C-016F-11D2-945F-00C04FB984F9}/

Administrator or root? I rsync the sysvol from AD to DC and run sysvolreset on the DC, and it changed the owner to root.

Thanks

> Regards,
> Marc
On 03/06/15 at 08:00, Marc Muehlfeld wrote:
> Hello,
>
> On 03.06.2015 at 06:57, Jacky Chan wrote:
>> I am using samba 4.2.1 and want to clarify that do I need to start the
>> winbindd service in AD and DC?
>
> I tried to clarify this on the page now:
> https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd_on_a_Samba_DC

Mmmh, I don't have a "server services" line, I didn't add one, and apparently uid/gid to names mapping is working properly (there are several winbindd processes running).

Besides, it seems to me that the advice is contradictory: with "server services" you say to start winbindd instead of winbind, while without you say to do the opposite?

And regarding "Additionally the steps described in Configuring RFC2307 for Winbindd are required": those settings are ignored on the DC (well, I'm not sure *all* of them are ignored, but I see no difference with or without them; specifically, "winbind nss info" *doesn't* pull the information from AD, but, unfortunately, only from "template homedir" and "template shell").

The only line that matters on the DC seems to be "idmap_ldb:use rfc2307 = yes"

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007
> I don't have a "server services" line

See the defaults of smb.conf:
  testparm -vv | grep "server services"
and you have your defaults. Now you know what the defaults are.

Now, for example, my DC. testparm -vv (on the DC: samba-tool testparm -vv | grep "server services") gives back:
  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

Imagine I want to use winbind and not winbindd. Then I just add this to smb.conf:
  server services = -winbindd +winbind

Greetz,
Louis

>-----Original message-----
>From: luca at wetron.es [mailto:samba-bounces at lists.samba.org]
>On behalf of: Luca Olivetti
>Sent: Wednesday, June 3, 2015 9:50
>To: samba at lists.samba.org
>Subject: Re: [Samba] Samba 4.2 AD, DC and winbindd
>
>On 03/06/15 at 08:00, Marc Muehlfeld wrote:
>> Hello,
>>
>> On 03.06.2015 at 06:57, Jacky Chan wrote:
>>> I am using samba 4.2.1 and want to clarify that do I need
>to start the
>>> winbindd service in AD and DC?
>>
>> I tried to clarify this on the page now:
>>
>https://wiki.samba.org/index.php/RFC2307_backend#Using_Winbindd
>_on_a_Samba_DC
>
>
>Mmmh, I don't have a "server services" line, I didn't add one and
>apparently uid/gid to names mapping is working properly (there are
>several winbindd processes running).
>Besides, it seems to me that the advice is contradictory: with "server
>services" you say to start winbindd instead of winbind, while without
>you say to do the opposite?
>And regarding "Additionally the steps described in Configuring RFC2307
>for Winbindd are required": those settings are ignored on the DC (well,
>I'm not sure *all* of them are ignored, but I see no difference with or
>without them, specifically "winbind nss info" *doesn't* pull the
>information from AD, but, unfortunately, only from "template homedir"
>and "template shell").
>The only line that matters on the DC seems to be "idmap_ldb:use rfc2307 = yes"
>
>Bye
>--
>Luca Olivetti
>Wetron Automation Technology http://www.wetron.es
>Tel. +34 935883004 Fax +34 935883007
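The confusion earlier in the thread was what "+winbind, -winbindd" does to the default list Louis prints above. The following is an added example in Python (not Samba's own code) that models the +/- rules for smb.conf list parameters and computes the effective "server services" list; the rule it implements is an assumption based on how Samba's loadparm treats list values.

```python
# Added example, not Samba's own code: models the "+name" / "-name" syntax that
# smb.conf list parameters such as "server services" accept, so the effect of a
# line can be read off before it goes on a DC. The rule modelled is an assumption
# based on how Samba's loadparm treats list values: entries are split on commas
# and whitespace; "+name" appends name if it is missing, "-name" drops it if
# present, and a plain list replaces the defaults entirely and cannot be mixed
# with +/- entries.

# Default list as printed by 'testparm -vv | grep "server services"' on the
# 4.2 DC above.
DC_DEFAULT_SERVICES = ("s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, "
                       "winbindd, ntp_signd, kcc, dnsupdate")

def split_list(value):
    """Split an smb.conf list value on commas and whitespace."""
    return value.replace(",", " ").split()

def effective_services(value, defaults=DC_DEFAULT_SERVICES):
    """Return the service list Samba would run for 'server services = <value>'."""
    services = split_list(defaults)
    entries = split_list(value)
    if not entries:                       # parameter absent: the defaults apply
        return services
    if entries[0][0] not in "+-":         # plain list: replaces the defaults
        if any(e[0] in "+-" for e in entries):
            raise ValueError("plain list mixed with +/- entries: %r" % value)
        return entries
    for entry in entries:                 # relative list: adjust the defaults
        op, name = entry[0], entry[1:]
        if op not in "+-" or not name:
            raise ValueError("plain list mixed with +/- entries: %r" % value)
        if op == "+" and name not in services:
            services.append(name)
        elif op == "-" and name in services:
            services.remove(name)
    return services

def winbind_variant(value):
    """Which of the two services, old 'winbind' or s3 'winbindd', would start."""
    services = effective_services(value)
    return [s for s in ("winbind", "winbindd") if s in services]

if __name__ == "__main__":
    # Empty string = no "server services" line at all (defaults only).
    for line in ("", "+winbind, -winbindd", "-winbindd +winbind"):
        print("server services = %-22s -> %s" % (line, winbind_variant(line)))
```

With no line at all only winbindd starts; Jacky's "+winbind, -winbindd" and Louis's "-winbindd +winbind" both resolve to the same list, with winbind in and winbindd out, which matches what Jacky observed about the daemon starting or not.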
I think I figured out what the cause of the problem is and why the uid and gid are not synchronized in my AD and DC.

The answer is: flush the cache (net cache flush) after changing smb.conf.

The case is that:
1) I set up the AD with "idmap_ldb:use rfc2307 = yes"
2) start up samba in AD
3) use RSAT to assign uid and gid to all the built-in users and groups
4) test with wbinfo in AD to make sure that the assigned uids and gids are correct
5) set up a DC but forgot to add "idmap_ldb:use rfc2307 = yes" in the smb.conf
6) start up samba in DC
7) wbinfo in DC gives mismatched uid and gid
8) add "idmap_ldb:use rfc2307 = yes" back to the smb.conf of the DC
9) restart samba in DC, but wbinfo still gives the wrong uid and gid (later I found out I need to flush the cache)
10) add "server services = +winbind, -winbindd" (use winbind, not winbindd) to the smb.conf of the DC
11) restart samba in DC; wbinfo gives the correct uids and gids

So, does that mean winbind does not use the cache but winbindd does?

After flushing the cache in AD and DC, I removed "server services = +winbind, -winbindd" from smb.conf, and wbinfo gives the correct uid and gid.

Here comes another problem:
with winbind, "getent passwd" can list local and domain users,
but with winbindd, why does it only show local users?

I have
  passwd: compat winbind
  group:  compat winbind
in /etc/nsswitch.conf

Thanks
On 03/06/15 at 11:58, Jacky Chan wrote:
> Here comes another problem:
> with winbind, "getent passwd" can list local and domain users
> but with winbindd, why does it only show local users?
>
> I have
> passwd: compat winbind
> group: compat winbind
> in /etc/nsswitch.conf
>

Did you put
  winbind enum users = yes
in smb.conf? Note that it will only work on a member server, *not* on a DC.

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004 Fax +34 935883007