Package: samba
Version: 4.1.3-Debian

I've got two Debian installations: pdc and workstation. They are both fresh Debian Jessie installations and have samba installed with apt-get.

PDC
-------

pdc has samba domain controller installed in it and it is working properly.

smb.conf
--8<--
[global]
server role = active directory domain controller
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
netbios name = %h
passdb backend = samba4
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
template shell = /bin/bash
interfaces = eth0
allow dns updates = signed
dns forwarder = 8.8.8.8
--8<--

krb5.conf
--8<--
[libdefaults]
default_realm = TIETOHALLINTA.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true
--8<--

Domain is provisioned with:

samba-tool domain provision --use-rfc2307 --realm=EXAMPLE.LOCAL --domain=EXAMPLE --adminpass=passwd --server-role=dc

Kerberos keytab is generated with (samba-tool gives segfault):

net rpc vampire keytab /etc/krb5.keytab -I[pdc_ip] -UAdministrator%passwd

nsswitch.conf:
--8<--
...
passwd: compat winbind
group: compat winbind
...
--8<--

Setup is working correctly:

root@pdc:~# wbinfo -u | grep Administrator
Administrator
root@pdc:~# id Administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(EXAMPLE\Group Policy Creator Owners),3000006(EXAMPLE\Enterprise Admins),3000008(EXAMPLE\Domain Admins),3000007(EXAMPLE\Schema Admins)
root@pdc:~# getent passwd Administrator
EXAMPLE\Administrator:*:0:100::/home/EXAMPLE/Administrator:/bin/bash

WORKSTATION
------------------------

workstation has samba domain member installed in it and it is NOT working properly:

smb.conf
--8<--
[global]
workgroup = EXAMPLE
security = ads
realm = EXAMPLE.LOCAL
encrypt passwords = yes
template shell = /bin/bash
idmap config *:backend = tdb
idmap config *:range = 70001-80000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 500-40000
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
--8<--

krb5.conf
--8<--
[libdefaults]
default_realm = EXAMPLE.LOCAL
dns_lookup_realm = no
dns_lookup_kdc = yes
--8<--

Domain is joined with:

samba-tool domain join EXAMPLE.LOCAL member -UAdministrator%passws --realm=EXAMPLE.LOCAL

Kerberos keytab is generated with (samba-tool gives segfault):

net rpc vampire keytab /etc/krb5.keytab -I[pdc_ip] -UAdministrator%passwd

nsswitch.conf:
--8<--
...
passwd: compat winbind
group: compat winbind
...
--8<--

Everything is working correctly so far.

root@workstation:~# wbinfo -u | grep Administrator
Administrator

*THEN*

Winbind is working (see previous step), but id or getent (or other resolving stuff) aren't:

root@workstation:~# id Administrator
id: Administrator: no such user
root@workstation:~# getent passwd Administrator
[nothing]

VERSIONS
-----------------

Linux XXX 3.12-1-amd64 #1 SMP Debian 3.12.6-2 (2013-12-29) x86_64 GNU/Linux
samba: 4.1.3-Debian
winbind: 4.1.3-Debian

BTW Debian Wheezy with samba4 worked with similar setup.