samba4 winbind desperation

intelligence: an expert at work, yesterday
You are most likely here because it just doesn't work. The hobbyists living with their mums have sent you off in all manner of directions and the coders have ignored you. Well, here's something else to try. A check-list. We've had howtos, forums, mailing lists, statistics and damn lies. But never a check-list. So here goes. A check -list.

This is a check-list. It is a check-list for when winbind doesn't work. It is a domain called hh3.site. The file server is called altea and the DC is called hh16. We have added a domain user called steve2 using samba-tool user add steve2. The DC and file server were both built from 4.1.9 source. The DC was provisioned without rfc2307. The IP of the DC running bind9 dlz is and that of the file server is If this is simply a client using DHCP, please see the notes in grey.

Remember that this is a check-list. It doesn't tell you how to do it. You've already done that. This is a last attempt. A check-list.

1. This is smb.conf on the DC 
        workgroup = HH3
        realm = HH3.SITE
        netbios name = HH16
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No
        path = /usr/local/samba/var/locks/sysvol
        read only = No

2. This is smb.conf on the file server
 workgroup = HH3
 realm = HH3.SITE
 security = ADS
 kerberos method = system keytab
 server string = hh3.site file-server
 winbind enum users = Yes
 winbind enum groups = Yes
 winbind use default domain = Yes
 winbind nss info = rfc2307
 idmap config * : backend = tdb
 idmap config * : range = 10000-20000
 idmap config HH3 : backend  = ad
 idmap config HH3 : range = 20001-4000000
 idmap config HH3 : schema_mode = rfc2307

3. Does the group Domain Users have a gidNumber?
On the DC, take a look:
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
objectClass: top
objectClass: group
whenChanged: 20140519084720.0Z
uSNChanged: 8131
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

If yes, good. If no:
ldbedit -e leafpad --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

4. Is your domain user also a local user?
On the file server:
cat /etc/passwd | grep steve2
Domain users only please. If not, decide which one you wish to keep and revise your naming plan accordingly.

5. Does your domain user have a minimum of uidNumber and gidNumber?
You know how to get the dn thing on the DC now, so have a look at steve2:

dn: CN=steve2,CN=Users,DC=hh3,DC=site
cn: steve2
instanceType: 4
whenCreated: 20130605152701.0Z
uSNCreated: 3800
name: steve2
objectGUID: 3dfcb8e8-fca2-49ea-9ac8-8e1b0563a379
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-451355595-2219208293-2714859210-1107
logonCount: 0
sAMAccountType: 805306368
userPrincipalName: steve2@hh3.site
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=hh3,DC=site
pwdLastSet: 130149196210000000
userAccountControl: 66048
accountExpires: 0
unixHomeDirectory: /home/users/steve2
loginShell: /bin/bash
profilePath: \\altea\profiles\steve2
homeDrive: Z:
homeDirectory: \\altea\users\steve2
gidNumber: 20513
uidNumber: 3000021
memberOf: CN=staff2,CN=Users,DC=hh3,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
mail: steve@steve-ss.com
sAMAccountName: steve2
whenChanged: 20140527111834.0Z
uSNChanged: 9644
distinguishedName: CN=steve2,CN=Users,DC=hh3,DC=site

If not, ldbedit him adding uidNumber and gidNumber to taste. Note: steve2 is fortunate to have a complete set of attributes which allow him to log onto both Linux and windows workstations alike and have access to the same data on both.

5. Do you have a keytab?
On the file server:
 klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea.hh3.site@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE
   1 host/altea@HH3.SITE

If not:
net ads keytab create -UAdministrator

No -k? Use ktutil:
 rkt /etc/krb5.conf

6. DNS I
cat /etc/HOSTNAME (or perhaps, /etc/hostname)

Go no further until the following commands return:

hostname -d

hostname -f

hostname -s

If not, set hosts properly:
cat /etc/hosts localhost altea.hh3.site altea

(for a client without smbd under DHCP use instead: altea.hh3.site altea localhost)

search hh3.site

        default_realm = HH3.SITE
        dns_lookup_realm = false
        dns_lookup_kdc = true
systemd? No problem. Just add the line:
        default_ccache_name = /tmp/krb5cc_%{uid}
to /etc/krb5.conf

8. Still with us?
Tell nss to use winbind and some dns stuff:
passwd: files winbind
group:  files winbind
hosts:   files dns
networks: files dns

9. remove nscd

10. remove the winbind cache
net cache flush

11. PAM priorities
WARNING: keep open a root terminal. Blow this and you lock yourself out. So, in this order:

auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_winbind.so use_first_pass

account requisite pam_unix2.so
account required pam_winbind.so use_first_pass

password sufficient pam_winbind.so
password requisite pam_pwcheck.so cracklib
password required pam_unix2.so use_authtok

session required pam_unix2.so
session required pam_winbind.so

12. If you changed anything
leave the domain:
net ads leave -UAdministrator

remove the keytab:
rm /etc/krb5.keytab

and rejoin:
net ads join -UAdministrator

13. I'm not allowed to say reboot

14. Restart smbd and winbind (restart winbind)

15. Do you see this?
getent passwd steve2
If so, congratulate yourself. And remember, there is much more fun to come; you may now go back and add your shares to smb.conf.

16. No?
The links? You did of course make the links when you installed:
for 32 bit:
ln -s /usr/local/samba/lib/libnss_winbind.so /lib
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

17. winbind still doesn't work?
There is an easy alternative.

No hay comentarios:

Publicar un comentario