Andrew Bartlett
2022-Jun-20 03:10 UTC
[Samba] Samba's winbindd is running but seems non-functional.
On Sun, 2022-06-19 at 23:01 -0400, Zombie Ryushu via samba wrote:
> On 6/19/22 22:57, Andrew Bartlett wrote:
> > On Sun, 2022-06-19 at 20:30 -0400, Zombie Ryushu via samba wrote:
> > > /tmp/.winbindd/pipe
> > >
> > > The UNIX pipe over which clients communicate with the |winbindd|
> > > program. For security reasons, the winbind client will only attempt
> > > to connect to the winbindd daemon if both the |/tmp/.winbindd|
> > > directory and |/tmp/.winbindd/pipe| file are owned by root.
> > > I noticed that I do not have the /tmp/.winbindd/pipe file. What
> > > controls its creation? I do have the
> > > $LOCKDIR/winbindd_privileged/pipe
> > I spent far more than was warranted to fix this properly for Samba
> > 4.17. The docs are old and out of date, we don't use /tmp/.winbindd
> > any more.
> >
> > https://gitlab.com/samba-team/samba/-/merge_requests/2586
> >
> > Note that if you are running Samba as an AD DC, winbindd is started
> > internally by Samba, and should not be started by the system as well.
> >
> > Perhaps again work to ensure your system is as simple as possible.
> >
> > But also please just stop, then really stop and finally think about
> > what might be different about your system compared to all the others
> > that do 'just work' with Samba.
> >
> > Remove complexity. Perhaps set up a test environment that you can
> > compare with - so you don't keep jumping at shadows - where you can see
> > it does just work despite various errors in the docs.
> >
> > Finally, reopening old bugs isn't a good move to keep us helping you,
> > so don't do that. If this thread (or worse, a mail stream) explodes
> > like your many previous discussions then the Samba Team will not
> > hesitate to put your posts under moderation.
> >
> > Andrew Bartlett
> >
>
> I have, I completely re-did everything, and removed all my extra stuff
> including my shares.

A test environment means a new domain on a new host, where you can test
out what 'success' looks like.

> It's still the same problem, Bind DLZ or Samba Internal makes no
> difference,

I wouldn't expect any of those to make a difference.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
I use a Strongswan VPN to connect via IPSec over VPN. Due to an error on my part, I set the user identity to olympia.pukey (192.168.0.4), which is the hostname of one of my Domain Controllers. I use the script for Kerberized updates with Bind DLZ, and it accepted the zone update, changing the A record to 192.168.0.234, the DHCP lease given by dhcpd. This broke domain authentication. There is no check in the script to see if a DC occupied that hostname. I was able to manually fix it back. This could be used by a malicious actor to intercept domain logins.
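The missing check described in the message above, written out as an added example that is neither the poster's script nor the Samba wiki's DHCP-DDNS script: a POSIX sh guard that refuses to generate a Kerberized nsupdate batch for any name reserved for a domain controller, so a DHCP lease handed to a client calling itself "olympia.pukey" cannot rewrite the DC's A record. The zone `pukey`, the DC list in `PROTECTED_HOSTS`, and the lease values are constructed sample data; in a real dhcpd hook the DC list would be populated at runtime from the domain's DC records rather than hard-coded.

```shell
#!/bin/sh
# Added example: guard a DHCP-driven, Kerberized DDNS update so that it can
# never overwrite the A record of a domain controller. Not the poster's script
# and not the Samba wiki script; all names and addresses below are constructed.

ZONE="pukey"                                  # assumed AD DNS zone
# Assumed to be filled at runtime from the domain's DC records; constructed here.
PROTECTED_HOSTS="olympia.pukey dc2.pukey"

# Normalise a name: lower-case, drop a trailing dot, qualify a bare hostname.
canon_name() {
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=${n%.}
    case "$n" in
        *.*) ;;
        *)   n="$n.$ZONE" ;;
    esac
    printf '%s' "$n"
}

# Return 0 (true) when the name belongs to a DC and must not be rewritten.
is_protected_host() {
    want=$(canon_name "$1")
    for p in $PROTECTED_HOSTS; do
        [ "$want" = "$(canon_name "$p")" ] && return 0
    done
    return 1
}

# Print the nsupdate batch for a lease (hostname, address), or print nothing
# and return 2 when the name is reserved. The caller pipes this into nsupdate -g.
build_update() {
    host=$1
    ip=$2
    if is_protected_host "$host"; then
        echo "refusing DDNS update for DC name $host" >&2
        return 2
    fi
    fqdn=$(canon_name "$host")
    printf 'update delete %s A\nupdate add %s 3600 A %s\nsend\n' "$fqdn" "$fqdn" "$ip"
}

# Stand-alone demonstration: an ordinary workstation lease is accepted, a lease
# claiming a DC's name is refused before anything reaches the DNS server.
build_update "workstation1" "192.168.0.50"
build_update "olympia.pukey" "192.168.0.234" || echo "update refused, status $?"
```

In a dhcpd `on commit` hook the last two lines would become `build_update "$host" "$ip" | nsupdate -g`; because `build_update` prints nothing when it refuses, `nsupdate` receives an empty batch and sends no update. Matching is done on the canonical FQDN so that `OLYMPIA`, `olympia.pukey.` and `olympia.pukey` are all caught, which is the check the poster's script lacked.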