contactdarin at posteo.net
2024-Aug-23 16:38 UTC
[Samba] Setting up user authentication on a Samba DC
Hello,

I am trying to get Winbind authentication working on a Domain controller. However, I am struggling to get it working. From what I can tell it should be as simple as adding winbind to /etc/nsswitch.conf but it doesn't seem to work. When I run getent passwd it just returns nothing but when I run wbinfo --ping-dc it succeeds.

Here is my smb.conf

# Global parameters
[global]
    ad dc functional level = 2012_R2
    dns forwarder = 192.168.x.x
    netbios name = DC
    realm = MYDOMAIN.LAN
    server role = active directory domain controller
    workgroup = MYDOMAIN
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/mydomain.lan/scripts
    read only = No

The OS is Fedora 40 and samba 4.20.4

How would I properly set up Winbind authentication for a local login?

Also, I know that generally SSSD conflicts with Samba and Winbind, however it seems to be better documented and more reliable. Is there a way to make SSSD work with Samba?

Thanks,
Darin
On Fri, 23 Aug 2024 16:38:38 +0000 Darin via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I am trying to get Winbind authentication working on a Domain
> controller. However, I am struggling to get it working. From what I
> can tell it should be as simple as adding winbind to
> /etc/nsswitch.conf but it doesn't seem to work. When I run getent
> passwd it just returns nothing but when I run wbinfo --ping-dc it
> succeeds.

You are probably missing the links between winbind and nsswitch. If this was on Debian, I would advise installing libpam-winbind and libnss-winbind; I think on Fedora they are called samba-winbind-clients.

>
> Here is my smb.conf
>
> # Global parameters
> [global]
> ad dc functional level = 2012_R2
> dns forwarder = 192.168.x.x
> netbios name = DC
> realm = MYDOMAIN.LAN
> server role = active directory domain controller
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
>
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.lan/scripts
> read only = No
>
> The OS is Fedora 40 and samba 4.20.4

Are you aware that as the Fedora Samba packages use MIT for the KDC, they are classed as experimental, so I hope that you are not using them in production.

>
> How would I properly set up Winbind authentication for a local login?

Fairly easy, just set everything up correctly.

> Also, I know that generally SSSD conflicts with Samba and Winbind

That is a bit of an understatement in my opinion.

> however it seems to be better documented and more reliable. Is there
> a way to make SSSD work with Samba?

Not in my opinion and it isn't required.

Rowland
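
The link between winbind and nsswitch mentioned in the reply can be checked directly. The script below is an added example, not part of either message: it verifies that the passwd and group databases in an nsswitch.conf list winbind and that the NSS module libnss_winbind.so.2 is installed. The function names and the library directories in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: checks the NSS side of a winbind setup.
# Usage (library directories are assumptions, adjust for the distribution):
#   check_winbind_nss /etc/nsswitch.conf /usr/lib64 /lib64 /usr/lib

# nss_has_winbind FILE DB: succeeds if database DB lists the winbind service.
nss_has_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")      # drop comments
            sub(/:/, ": ")      # tolerate "passwd:files" with no space
        }
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# nss_module_present DIR...: succeeds if the winbind NSS module is in any DIR.
nss_module_present() {
    for dir in "$@"; do
        [ -e "$dir/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# check_winbind_nss FILE DIR...: prints findings, returns the number of problems.
check_winbind_nss() {
    conf=$1; shift
    problems=0
    for db in passwd group; do
        if nss_has_winbind "$conf" "$db"; then
            echo "ok: $db lists winbind"
        else
            echo "missing: winbind is not on the $db line of $conf"
            problems=$((problems + 1))
        fi
    done
    if nss_module_present "$@"; then
        echo "ok: libnss_winbind.so.2 found"
    else
        echo "missing: libnss_winbind.so.2 not found in: $*"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Once both checks pass, test with a lookup by name such as getent passwd 'MYDOMAIN\someuser' (someuser is a placeholder), because winbind does not enumerate domain users unless winbind enum users = yes is set.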