Thanks, Jose. That was helpful.
Our AD server doesn't have SFU set up, so I commented out the
rfc2307-related statements, but plugged in the rest of your recommended
config into our smb.conf file.
Some progress. I can now enumerate AD users and groups with the
"wbinfo" command. I can now also connect and authenticate from
Linux-based smbclient connections, and mount volumes from macOS (using
the "smb://..." notation), using AD account credentials.
However, Windows 7 and 10 clients still won't connect to our Samba
server. So I guess I had two separate problems, one of which persists.
The logs are not showing anything at all corresponding to these failed
connections.
Does anyone have any idea what else changed, either in the samba 4.8
version, or in the latest patches, that would cause issues with Windows
clients not connecting?
Gilbert
On 10/12/2018 3:26 a.m., Jose Marques wrote:
On 6 Dec 2018, at 15:45, Gilbert E. Detillieux <[email protected]> wrote:
What I'm now trying to set up is a working winbindd-based configuration to
essentially do what smbd used to do directly (communicating with the AD server)
before they took that functionality away, with as little fuss (and opportunity
for breakage) as possible.
We run Samba 4.7 on FreeBSD on our storage servers and hit the same issue with
the winbind requirement when testing 4.8. The problem is that not all AD setups
are alike. We store unix attributes in AD because we mix Samba and NFS. The
following works in our setup. YMMV.
idmap config * : backend = tdb
idmap config * : range = 9000-9999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nss info = rfc2307
winbind expand groups = 3
idmap config <domain>:default = yes
idmap config <domain>:backend = ad
idmap config <domain>:range = 10000-60000
idmap config <domain>:schema_mode = rfc2307
Change <domain> to your AD domain and change the range to the uid range of the unix attributes given to your AD accounts. This must not overlap
with the range used by the tdb backend (which as I understand it should not overlap local accounts). You then need to run "net ads join -U
<user>" where "<user>" has rights to join a machine to the domain. You can test using "wbinfo -u" which should list
all your users. The command "wbinfo -i <user>" will show info for a user. We found that we needed to give the "Domain Users"
group unix attributes or winbind will fail to do lookups properly. We also find that winbind uses pre-w2k group names. Our AD domain was an add-on to our
setup (and we didn't really know what we were doing) so these names can differ on our AD.
--
Gilbert E. Detillieux E-mail: <[email protected]>
Dept. of Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: (204)474-8161
Winnipeg MB CANADA R3T 2N2 Fax: (204)474-7609
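Jose's reply sets two constraints on the idmap configuration: the domain range must not overlap the tdb range, and the tdb range must not overlap local accounts. An overlap is worth catching before "net ads join", because winbind will then hand a domain SID a uid that already belongs to a local user, and file ownership and access checks follow that uid. The script below is an added example written for this thread, not code from the Samba project or from either poster. It pulls every "idmap config <name> : range = LOW-HIGH" line out of an smb.conf, checks the ranges pairwise, and lists any local account (from a passwd-style file) whose uid falls inside one of them. The sample smb.conf is the config quoted above with the placeholder EXAMPLE standing in for the real <domain>, and the passwd file is constructed, with one account deliberately placed inside the tdb range.

```shell
#!/bin/sh
# Added example, not from the thread: check that winbind idmap ranges in an
# smb.conf neither overlap each other nor cover any local account uid.
# Assumption: ranges are written "idmap config <name> : range = LOW-HIGH"
# as in the quoted config, where <name> is "*" or the AD domain name.

# Print every idmap range as "<index> <name> <low> <high>", one per line.
idmap_ranges() {
    sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^[:space:]:]*\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2 \3/p' "$1" \
        | awk '{ print NR, $0 }'
}

# Exit 0 when the inclusive ranges $1-$2 and $3-$4 share at least one id.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Print one CONFLICT line per problem in smb.conf $1 against passwd file $2.
# Exit 0 when nothing was found, 1 otherwise.
check_idmap_conf() {
    conf=$1; passwd=$2
    ranges=$(idmap_ranges "$conf")
    findings=$(
        printf '%s\n' "$ranges" | while read -r i1 n1 l1 h1; do
            [ -n "$i1" ] || continue
            # Compare this range with every later one, so each pair is seen once.
            printf '%s\n' "$ranges" | while read -r i2 n2 l2 h2; do
                [ -n "$i2" ] && [ "$i1" -lt "$i2" ] || continue
                if ranges_overlap "$l1" "$h1" "$l2" "$h2"; then
                    echo "CONFLICT: idmap $n1 ($l1-$h1) overlaps idmap $n2 ($l2-$h2)"
                fi
            done
            # Local accounts whose uid sits inside this range would be shadowed.
            awk -F: -v n="$n1" -v lo="$l1" -v hi="$h1" \
                '$3 >= lo && $3 <= hi { printf "CONFLICT: idmap %s (%s-%s) covers local account %s (uid %s)\n", n, lo, hi, $1, $3 }' "$passwd"
        done
    )
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# --- Constructed sample input; point these at the real files in practice ---
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF=$SAMPLE_DIR/smb.conf
SAMPLE_CONF_BAD=$SAMPLE_DIR/smb-bad.conf
SAMPLE_PASSWD=$SAMPLE_DIR/passwd

# The ranges from the quoted config; EXAMPLE is a placeholder for <domain>.
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   idmap config * : backend = tdb
   idmap config * : range = 9000-9999
   idmap config EXAMPLE:default = yes
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:range = 10000-60000
   idmap config EXAMPLE:schema_mode = rfc2307
EOF

# Same config with a tdb range that runs into the domain range.
sed 's/range = 9000-9999/range = 9000-12000/' "$SAMPLE_CONF" > "$SAMPLE_CONF_BAD"

# Constructed passwd file: backupsvc (uid 9500) sits inside the tdb range.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
backupsvc:x:9500:9500:constructed clash:/var/backups:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

for f in "$SAMPLE_CONF" "$SAMPLE_CONF_BAD"; do
    echo "== $f"
    if check_idmap_conf "$f" "$SAMPLE_PASSWD"; then
        echo "idmap ranges are clean"
    else
        echo "resolve the conflicts above before running net ads join"
    fi
done
```

Run it against /etc/samba/smb.conf (or wherever testparm says the file lives) and /etc/passwd; on a host where local accounts also come from NIS or LDAP, feed it the output of "getent passwd" instead. The script only reads files and never changes anything.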