On 29.09.2017 14:32 Rowland Penny wrote:
> I cannot see where it says not to use on a DC

I misread the first section.

> What does 'getent passwd username' actually produce ?

root@dc1:~# getent passwd administrator
COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
root@dc1:~# getent passwd klaus
COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false

> if PAM isn't set up, then set it up by installing the
> required packages and try again

Ok, I ran "pam-auth-update" and pressed enter twice.
Have no idea what this does.

But is PAM really necessary on a DC?
The Wiki says that winbindd is optional.
Should not at least sysvol work without it?

Klaus

On Fri, 29 Sep 2017 15:42:17 +0200
Klaus Hartnegg via samba <samba at lists.samba.org> wrote:

> On 29.09.2017 14:32 Rowland Penny wrote:
> > I cannot see where it says not to use on a DC
>
> I misread the first section.
>
> > What does 'getent passwd username' actually produce ?
>
> root@dc1:~# getent passwd administrator
> COMPANY\administrator:*:0:100::/home/COMPANY/administrator:/bin/false
> root@dc1:~# getent passwd klaus
> COMPANY\klaus:*:10000:100::/home/COMPANY/klaus:/bin/false
>
> > if PAM isn't set up, then set it up by installing the
> > required packages and try again
>
> Ok, I ran "pam-auth-update" and pressed enter twice.
> Have no idea what this does.
>
> But is PAM really necessary on a DC?

Yes, if you want to use it as a fileserver

> The Wiki says that winbindd is optional.

Point me to where it says that and if required, I will alter it.

> Should not at least sysvol work without it?

Yes, sysvol will work without it, but sysvol is only used by Windows
clients and users.

Rowland

On 29.09.2017 16:00 Rowland Penny wrote:
>> But is PAM really necessary on a DC?
> Yes, if you want to use it as a fileserver
>> The Wiki says that winbindd is optional.
> Point me to where it says that and if required, I will alter it.

Page: Setting_up_Samba_as_an_Active_Directory_Domain_Controller
Section: Configuring Winbindd on a Samba AD DC

> Yes, sysvol will work without it, but sysvol is only used by Windows
> clients and users.

But it does not work! Only Administrator can access the contents of
shares, users cannot.

Can I somehow ask samba to log the reason why it denies users
access to all shares? I could not find that in any of the logfiles.

By the way, the page Pam_winbind_Link had a typo 368 vs 386 in the command
ln -s /usr/local/samba/lib/security/pam_winbind.so /lib/i368-linux-gnu/security/
I fixed that in the wiki, ran the correct command, then ran
"pam-auth-update" again. Chown still cannot use AD-Names.

The wiki is confusing. If several more steps are required to get a
working AD (like links for nss and pam), it should say so IN ONE PLACE,
not ask the readers to jump around between several different pages,
which themselves point to yet other pages.

Klaus