Hello Louis and Mathieu,

thanks for your fast reply.
I'm using 2:4.5.8+dfsg amd64 from stretch, and my Debian machines are
members of a Windows 2008R2 Active Directory domain ("net ads join ...")
with a single DC, about 100 Windows 7 members and 40 Debian members.
("Server role: ROLE_DOMAIN_MEMBER")

I followed the guide from
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
and changed some settings in smb.conf to fix certain issues after
reading 'man smb.conf' (and various online sources from forums, howtos,
tutorials, up to https://www.samba.org/samba/docs/* and
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection )

Samba configuration worked acceptably for jessie: about 3 to 8 login
issues a day with 40+ computers and about 60-70 domain logins.
Testparm dumps the following service definitions (without shares):

# Global parameters
[global]
        realm = WORK.COMPANY
        workgroup = WORK
        domain master = No
        local master = No
        os level = 0
        preferred master = No
        client ldap sasl wrapping = seal
        log file = /var/log/samba/winbind-debug.log
        name resolve order = lmhosts host bcast
        password server = 172.16.0.1 *
        restrict anonymous = 2
        security = ADS
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config * : range = 11000-20000
        idmap config * : backend = tdb

There are some things missing in testparm's output that are in smb.conf:
   client use spnego = yes
   client ntlmv2 auth = yes
   encrypt passwords = yes
   log level = 2 winbind:3
   template homedir = /home/%D/%U

testparm says:
"The setting 'security=ads' should NOT be combined with the 'password
server' parameter."
Since I had problems with WINS and name resolution (e.g. failing
nmblookup), I decided to use 'password server' anyway and to remove WINS.

I'm only using the tdb backend since SID/uid/gid mapping is not that
important for me (I work with temporary user accounts and all user data
is stored on the Windows 2008R2 DC in NTFS shares). Homedirs of domain
users are created with pam_mkhomedir and deleted on logout.
The range starts at 11000 because I had different backends some time
ago, but that was before I installed the current machine.

I would like to test samba-4.5.9 or samba-4.6 (or at least the new
testparm), but I haven't built samba from source before.

Thanks for your interest,

Christian Meyer

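Two things in the mail above are worth checking mechanically: the testparm warning about 'security = ads' combined with 'password server', and the lines that are in smb.conf but not in the testparm dump. testparm -s prints only parameters whose value differs from the compiled-in default (use testparm -v to see all of them), so a setting such as 'client use spnego = yes' or 'template homedir = /home/%D/%U' is not lost, it is simply the default. The following checker is an added example and is not Samba's code or the sender's; the function names (parse_smb_conf, check_ads_password_server, default_valued) are hypothetical, the sample config is constructed from the [global] section in the mail plus the five "missing" lines, and the DEFAULTS table lists a handful of Samba 4.x defaults from smb.conf(5).

```python
"""Hypothetical smb.conf checker (added example, not Samba's own tooling)."""
import re

# Constructed sample: the testparm [global] dump from the mail, plus the
# lines the sender found in smb.conf but not in testparm's output.
SAMPLE_SMB_CONF = """\
# Global parameters
[global]
        realm = WORK.COMPANY
        workgroup = WORK
        domain master = No
        local master = No
        os level = 0
        preferred master = No
        client ldap sasl wrapping = seal
        log file = /var/log/samba/winbind-debug.log
        name resolve order = lmhosts host bcast
        password server = 172.16.0.1 *
        restrict anonymous = 2
        security = ADS
        template shell = /bin/bash
        winbind enum groups = Yes
        winbind enum users = Yes
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config * : range = 11000-20000
        idmap config * : backend = tdb
        client use spnego = yes
        client ntlmv2 auth = yes
        encrypt passwords = yes
        log level = 2 winbind:3
        template homedir = /home/%D/%U
"""

# Compiled-in defaults from smb.conf(5) for Samba 4.x (small subset).
# testparm -s omits any parameter whose value equals its default.
DEFAULTS = {
    "client use spnego": "yes",
    "client ntlmv2 auth": "yes",
    "encrypt passwords": "yes",
    "template homedir": "/home/%D/%U",
    "template shell": "/bin/false",
    "restrict anonymous": "0",
    "winbind refresh tickets": "no",
    "winbind enum users": "no",
    "winbind enum groups": "no",
    "winbind use default domain": "no",
}

# Samba accepts yes/true/1 and no/false/0 for booleans; normalise for comparison.
_BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}


def _norm_key(key):
    # Parameter names are case-insensitive; collapse internal whitespace too.
    return re.sub(r"\s+", " ", key.strip().lower())


def _norm_val(val):
    v = val.strip()
    return _BOOL.get(v.lower(), v)


def parse_smb_conf(text):
    """Return {section: {param: value}} for an smb.conf / testparm -s dump."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, val = line.partition("=")
        sections[current][_norm_key(key)] = _norm_val(val)
    return sections


def check_ads_password_server(glob):
    """Reproduce testparm's warning: ADS member + hard-coded password server."""
    if glob.get("security", "").lower() == "ads" and "password server" in glob:
        return ("'security = ads' should not be combined with 'password server' "
                "(DC discovery normally goes through DNS SRV records)")
    return None


def default_valued(glob):
    """Parameters set to their default, i.e. the ones testparm -s will not print."""
    return sorted(k for k, v in glob.items()
                  if k in DEFAULTS and v.lower() == DEFAULTS[k].lower())


if __name__ == "__main__":
    g = parse_smb_conf(SAMPLE_SMB_CONF)["global"]
    print("warning:", check_ads_password_server(g))
    print("default-valued (omitted by testparm -s):", default_valued(g))
```

Running it against the constructed sample reports the same warning testparm gave and lists client ntlmv2 auth, client use spnego, encrypt passwords and template homedir as default-valued; 'log level' is not in the table, so the script makes no claim about it.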