SSSD is not installed but I did remove it from nsswitch.conf. I still see winbind always doing the group lookup for local user.

On Thu, Oct 3, 2019 at 8:05 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/10/2019 15:46, Satay Epic wrote:
> > Thank you Rowland for your reply. My knowledge is limited with Samba
> > so please forgive me for any basic mistakes :)
> > This is something that was set up by a previous admin.
> >
> > We have had issues where "winbind" will just "give up" and won't let
> > anyone log in to the host, not even from the console.
> > I would like to fix that problem so started to investigate the
> > configs. I don't know how to reproduce the issue but the goal is that
> > local users
> > should be able to log in even if winbind is broken.
> >
> > I'm going to give a try with the settings suggested to see if the
> > winbind group lookup doesn't happen for a local user.
> >
> The first thing I would do is to upgrade the OS, I do not use RHEL or
> any of its derivatives, but I believe the latest versions supply Samba
> 4.8.3 and this is a lot nearer a Samba supported version than 4.4.x is.
>
> Another question that springs to mind, is sssd installed, if it is, I
> would remove it.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 04/10/2019 04:39, Satay Epic wrote:
> SSSD is not installed but I did remove it from nsswitch.conf. I still
> see winbind always doing the group lookup for local user.
>
You probably always will, Samba (when using the 'rid' backend) makes all AD users & groups into local users & groups. Also when it is searching for groups for 'root', it is probably really searching for groups for 'Administrator'.

Rowland

Ok. Wondering if it would be fixed by changing the idmap backend to "ad"? Is the "ad" backend a better option than "rid" since we have MS AD, or otherwise?

My next task is to ensure PAM is set up correctly with winbind. I'm going to validate the PAM configs. Do you have any recommendations for PAM / winbind settings?

We also have "nscd" running for the DNS host lookup. Is it right to have "nscd" running beside "winbind"?

Thanks

On Fri, Oct 4, 2019 at 1:02 AM Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 04/10/2019 04:39, Satay Epic wrote:
> > SSSD is not installed but I did remove it from nsswitch.conf. I still
> > see winbind always doing the group lookup for local user.
> >
> You probably always will, Samba (when using the 'rid' backend) makes all
> AD users & groups into local users & groups. Also when it is searching
> for groups for 'root', it is probably really searching for groups for
> 'Administrator'.
>
> Rowland