Konstantin Boyandin
2018-Dec-04 09:45 UTC
[Samba] WinbinD no longer available in Samba 4.7.6
L.P.H. van Belle via samba wrote on 2018-12-04 15:59:
> Hi,
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Konstantin Boyandin via samba
>> Sent: Tuesday, 4 December 2018 6:35
>> To: samba at lists.samba.org
>> Subject: [Samba] WinbinD no longer available in Samba 4.7.6
>>
>> Hello,
>>
>> Using Samba 4.7.6 (from standard repository) on Ubuntu 18.04.
>>
>> After recent update, winbind failed to update, until I disabled it (it
>> didn't start anyway). When run as
>>
>> # winbindd -d 9 -i
>>
>> it prints in the end:
>>
>> server role = 'active directory domain controller' not compatible with
>> running the winbindd binary.
>> You should start 'samba' instead, and it will control starting the
>> internal AD DC winbindd implementation, which is not the same as this
>> one
>>
>> smbd currently is listening on 139 and 445 ports - thus, I assume, it
>> serves winbind itself. However, it isn't available any more for PAM. How
>> shall I use Samba internal winbind implementation? When I initially
>> installed and set up ADs, wbinfo worked fine. Currently, it says:
>>
>> # wbinfo -P
>> could not obtain winbind interface details:
>> WBC_ERR_WINBIND_NOT_AVAILABLE
>> could not obtain winbind domain name!
>> checking the NETLOGON for domain[] dc connection to "" failed
>> failed to call wbcPingDc: WBC_ERR_WINBIND_NOT_AVAILABLE
>>
>> How do I make winbind available (that means available for PAM, as well)?
>
> I suggest reading :
> https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
> Short version: samba-ad-dc is starting winbind, so don't start it
> manually.
> For pam support install : libnss-winbind libpam-winbind
> Configure nss_switch.conf and run pam-auth-update
>
> And set these to no, when you're done testing.
>> winbind enum users = yes
>> winbind enum groups = yes
> See your users: id username or getent passwd username.

None are returned, with 'yes' or 'no' settings.

And as far as I see, the recommendations from the above document are met.

But winbindd refuses to start (I cited its message), and no other 'winbind' process is running, either.

How do I make samba 4.7-provided winbind run?

Are there possibly some winbind settings missing (the smb.conf has been generated by the domain upgrade process)?

Sincerely,
Konstantin

>
>> Note: libpam_winbind is installed.
>>
>> Current smb.conf:
>>
>> [global]
>> bind interfaces only = Yes
>> interfaces = lo ens3
>> netbios name = DC
>> realm = EXAMPLE.COM
>> server role = active directory domain controller
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>> idmap_ldb:use rfc2307 = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nss info = rfc2307
>> template shell = /bin/bash
>> template homedir = /home/%u
>> workgroup = EXAMPLE
>> server string = EXAMPLE.COM domain controller
>> dns proxy = no
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> log level = 0
>> tls enabled = yes
>> tls keyfile = tls/key.pem
>> tls certfile = tls/cert.pem
>> tls cafile = tls/ca.pem
>> tls verify peer = no_check
>> acl:search = no
>> panic action = /usr/share/samba/panic-action %d
>> passdb backend = tdbsam
>> obey pam restrictions = yes
>> unix password sync = yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n
>> *Retype\snew\s*\spassword:
>> pam password change = yes
>> map to guest = bad user
>> usershare allow guests = yes
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/sysvol/example.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [profiles]
>> comment = Users profiles
>> path = /srv/samba/profiles/
>> browseable = No
>> read only = No
>> force create mode = 0600
>> force directory mode = 0700
>> csc policy = disable
>> store dos attributes = yes
>> vfs objects = acl_xattr
>>
>> --
>> Sincerely,
>>
>> Konstantin
On 04/12/2018 at 10:45, Konstantin Boyandin via samba wrote:
>
> But winbindd refuses to start (I cited its message), and no other
> 'winbind' process is running, either.
>
> How do I make samba 4.7-provided winbind run?

Try just restarting the samba daemon.
Konstantin Boyandin
2018-Dec-04 09:59 UTC
[Samba] WinbinD no longer available in Samba 4.7.6
Arnaud FLORENT via samba wrote on 2018-12-04 16:54:
> On 04/12/2018 at 10:45, Konstantin Boyandin via samba wrote:
>>
>> But winbindd refuses to start (I cited its message), and no other
>> 'winbind' process is running, either.
>>
>> How do I make samba 4.7-provided winbind run?
>
> Try just restarting the samba daemon.

That worked (in fact, I restarted the entire system)! Thanks for saving me quite some time!

getent (passwd|group) works, as well as the rest of the expected functions.

Sincerely,
Konstantin
On Tue, 04 Dec 2018 16:45:43 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
> Are there possibly missing some winbind settings (the smb.conf has
> been generated by domain upgrade process).
>

Sorry, but I do not believe that is true:

winbind enum users = yes
winbind enum groups = yes

The lines above should only be used for testing purposes, they serve no other purpose.

winbind nss info = rfc2307

The above line is only any use on a Unix domain member and then, only before Samba 4.6.0

dns proxy = no

Really, on a DC that relies on DNS ?

tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
tls verify peer = no_check
acl:search = no

They are default settings

passdb backend = tdbsam

Big mistake, you have turned off the correct password database.

obey pam restrictions = yes

Useless on a DC

unix password sync = yes

Extremely useless on a DC, you cannot have Unix users in /etc/passwd and AD

passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:
pam password change = yes
map to guest = bad user
usershare allow guests = yes

Only of real use on a Unix domain member

[profiles]
comment = Users profiles
path = /srv/samba/profiles/
browseable = No
read only = No
force create mode = 0600
force directory mode = 0700
csc policy = disable
store dos attributes = yes
vfs objects = acl_xattr

The above is a cut & paste from here:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

The only problem is, it also tells you, just above that block on the page, that it doesn't work on an AD DC.

Rowland
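Rowland's review above is effectively a checklist of [global] parameters that do not belong on an AD DC. As an added example (not part of this thread and not a Samba tool), the script below parses a constructed smb.conf modelled on the one posted and reports the settings his review flags; the rule table, its messages, and the sample config are assumptions drawn from his comments, not an exhaustive or official list.

```python
import re
# Rules taken from Rowland's review in this thread; None means any explicit value is flagged.
# Added example, not a Samba tool; the rule list is an assumption and not exhaustive.
DC_RULES = {
    "winbindenumusers": ("yes", "testing only; set to no when done"),
    "winbindnssinfo":   ("rfc2307", "only of use on a Unix domain member, and only before 4.6.0"),
    "dnsproxy":         ("no", "a DC relies on DNS"),
    "passdbbackend":    ("tdbsam", "turns off the AD password database"),
    "unixpasswordsync": ("yes", "Unix users cannot live in both /etc/passwd and AD"),
    "passwdchat":       (None, "only of real use on a Unix domain member"),
}

def _norm(name):  # smb.conf ignores case and whitespace inside parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Minimal parser: [sections], 'key = value' lines, comments, backslash continuations."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1]
        elif not line or line[0] in "#;":
            continue
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_norm(key)] = value.strip()
    return sections

def lint_dc(sections):
    """[(parameter, value, reason)] for [global] settings out of place on an AD DC; other roles: []"""
    g = sections.get("global", {})
    if g.get("serverrole", "").lower() != "active directory domain controller":
        return []
    return [(p, g[p], why) for p, (bad, why) in DC_RULES.items()
            if p in g and (bad is None or g[p].lower() == bad)]

# Constructed sample, modelled on the smb.conf posted in this thread (two-line passwd chat included)
SAMPLE = r"""[global]
    server role = active directory domain controller
    winbind enum users = yes
    dns proxy = no
    passdb backend = tdbsam
    unix password sync = yes
    passwd chat = *Enter\snew\s*\spassword:* %n\n \
        *Retype\snew\s*\spassword:
"""
```

`lint_dc(parse_smb_conf(SAMPLE))` returns five findings for the sample; the same parameters in a config with `server role = member server` return none, since the rules only apply to the DC role.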
Konstantin Boyandin
2018-Dec-05 02:57 UTC
[Samba] WinbinD no longer available in Samba 4.7.6
Rowland Penny via samba wrote on 2018-12-04 17:17:
> On Tue, 04 Dec 2018 16:45:43 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>>
>> Are there possibly missing some winbind settings (the smb.conf has
>> been generated by domain upgrade process).
>>
>
> Sorry, but I do not believe that is true:

True. The configuration works. I assume that parameters that aren't applicable to the AD DC role are just ignored, even if mentioned.

> winbind enum users = yes
> winbind enum groups = yes
>
> The lines above should only be used for testing purposes, they serve no
> other purpose.

According to 'man smb.conf', "On large installations using winbindd(8) it may be necessary to suppress enumeration...". Ours isn't a large installation (the number of users and computers taken together is below 100).

> winbind nss info = rfc2307
>
> The above line is only any use on a Unix domain member and then, only
> before Samba 4.6.0

That makes sense, set it explicitly to 'template'.

> dns proxy = no
>
> Really, on a DC that relies on DNS ?

Again, makes sense, set to 'yes'.

> tls enabled = yes
> tls keyfile = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile = tls/ca.pem
> tls verify peer = no_check
> acl:search = no
>
> They are default settings

Yes, with the mentioned certificate files taken from the real-life certificate for the real-life domain name we use.

> passdb backend = tdbsam
>
> Big mistake, you have turned off the correct password database.

I assume you are talking about ldapsam. Again, our installation isn't huge enough to feel the impact of the passwords backend.

Also, I might have got somewhat confused by the 'classic upgrade' description, where old ldapsam was explicitly disabled in favor of switching to tdbsam.

> obey pam restrictions = yes
>
> Useless on a DC
>
> unix password sync = yes
>
> Extremely useless on a DC, you cannot have Unix users in /etc/passwd
> and AD

Reasonable, set both to default.

> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
>
> Only of real use on a Unix domain member

Thanks, set to default.

> [profiles]
> comment = Users profiles
> path = /srv/samba/profiles/
> browseable = No
> read only = No
> force create mode = 0600
> force directory mode = 0700
> csc policy = disable
> store dos attributes = yes
> vfs objects = acl_xattr
>
> The above is a cut & paste from here:
>
> https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
>
> The only problem is, it also tells you, just above that block on the
> page, that it doesn't work on an AD DC.

Actually, I used the 'above block' to set the permissions from a Windows system. The question is, do the above settings actually conflict (I noticed no problems so far), if I do not attempt to change anything after the mentioned permissions change has been performed?

I really appreciate your comments. Pity there are no 'typical' smb.conf examples for typical roles, such as AD DC.

Sincerely,
Konstantin