Hi, Ok, you used the "wrong" info for configuring smb.conf. The mail got longer than expected, but read through it. Run samba-tool testparm ( not testparm, these results can differ. )
The Debian wiki is a bit out of date when it comes to Samba 4.x. A quick test with 4.5.9 is possible, I can share my packages if needed, but from what I read this is not your problem. I'm running the same on jessie and I don't see this behaviour. I suggest you have a look at this link after you have read this completely first:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Now below is a Samba member setup, a basic one. I left out the shares setup, but added useful tips on the setup on Debian systems. Review your setup based on this. I suggest you start here, this setup is very well tested.

Setup jessie:

# Choose expert install, and at tasksel choose only ssh server.
# ( optional and the standard package, but I set up really minimal )
# Install WITH a static IP from the start ( best ), or install with a DHCP IP and change
# /etc/hosts /etc/resolv.conf /etc/network/interfaces.

# Check all these.
hostname -s
hostname -d
hostname -f
hostname -i

# Install samba, winbind and the needed extras.
apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5

When questions come, fill in:
# AD DC IP numbers at the ntp questions
# krb5-user: fill in your REALM in CAPS. ! CAPS YES !
# keep all other defaults.

# Stop samba and winbind
systemctl stop samba
systemctl stop winbind

# Change your /etc/nsswitch.conf
cp /etc/nsswitch.conf{,.backup}
sed -i 's]passwd: compat]passwd: compat winbind]g' /etc/nsswitch.conf
sed -i 's]group: compat]group: compat winbind]g' /etc/nsswitch.conf

Now if you didn't change anything else, you should be ready.. ;-) , yes ready.

Test:
kinit administrator
( should respond with administrator@REALM and login )

Set up a "correct smb.conf" like this one. This is how I would have expected your smb.conf to look. I'll add some comments to it.
## ---------- START AD MEMBER SMB.CONF --------- ##
workgroup = WORK
security = ADS
realm = WORK.COMPANY
# The netbios name: if empty/not in config, this will use the server hostname.
netbios name = SERVERNAME

# Only one server should be the master browser.
# ( ! Samba AD cannot be master browser, never, no nmbd that starts )
preferred master = no
domain master = no
host msdfs = no
# Speeds up name resolving (WINS) through DNS.
dns proxy = yes

# I prefer to define the IP.
# And if you use bind interfaces, also define the interfaces.
bind interfaces only = yes
interfaces = IP_OR_ETH 127.0.0.1

# I've added these, mostly the same as the defaults, but this explains things for others
# if they have auth problems.
# mandatory will still require SMB2 clients to use signing
server signing = mandatory
# If ntlm and lanman auth are both disabled, then only NTLMv2 logins will be permitted
ntlm auth = no
lanman auth = no

# Add and update the TLS key, change/update these to your Windows 2008R2 domain.
# ( read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ )
# and set up your keys correctly, this depends on how you use this server.
# ! SSO with proxy (kerberos auth): the ROOT CA of your DC should be defined in this config file.
# I deployed my own CA Root for this.

###----------# This part: id ranges may not overlap.
### The id setup shown is the samba default.
# These match samba AD preferred settings, you can play with these but 2 things.
# 1) try to keep the "*" for local/other domains below 9999.
## Map ids from outside the domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
# https://wiki.samba.org/index.php/Idmap_config_rid
# idmap config for the WORK domain.
idmap config WORK : backend = rid
idmap config WORK : range = 10000-999999
###----------#

# Template settings for login shell and home directory (RID backend)
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
# Renew the kerberos ticket
winbind refresh tickets = yes
winbind trusted domains only = no
# Use default domain, preferred no.
# wbinfo -u shows (default domain no)  : NTODOM\username
# wbinfo -u shows (default domain yes) : username
winbind use default domain = no
# If you don't need the uid/gid of groups set these to no, speeds up samba.
# If you log in locally on the server, you may need it, depends on the use of the server.
winbind enum users = yes
winbind enum groups = yes
# Enable offline logins, if needed.
winbind offline logon = yes
# If winbind offline logon is set to yes, then only one DC connection is allowed per domain, regardless of this setting
# winbind max domain connections = 10
# Check depth of nested groups, ! slows down your samba if there are too many groups in groups
winbind expand groups = 4

# User Administrator workaround, without it you are unable to set privileges.
# Add a/your domain admin in it.
# Like this: !root = BAZRTD\Administrator BAZRTD\administrator
username map = /etc/samba/samba_usermapping

# Disable usershare creation, no log errors.
usershare path =
# Disable printing completely, no log errors.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# For ACL support on member servers with shares (obligatory member setting)
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

# Share settings globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
# Preferred: set up shares from within Windows.
# https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
# ! Tip, use acl_xattr:ignore system acl = yes # for the profile shares, optional for user shares.
# This was a big discussion on the samba list about the user SYSTEM.
# Changes are coming here. ( due to mismatched security ids of the user SYSTEM between DC and PC )
## ---------- END AD MEMBER SMB.CONF --------- ##

# Join the domain.
net ads join -S hostname-DC.your.domain.tld -k

# Set up the pam configs for ssh, krb5 and winbind, needed for your ssh logins.
pam-auth-update --force

# Set up the SePrivileges, then reboot the server.
The Samba wiki only shows: SeDiskOperatorPrivilege
But this list is for "Domain Admins":
net rpc rights grant "WORK\Domain Admins" SeDiskOperatorPrivilege -Uadministrator

Repeat for ( or what you want, minimum needed: SeDiskOperatorPrivilege ):
SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege

# Configure your shares from within Windows with a "domain admin" user and a domain-joined PC.

! After you have checked your setup and rebooted, run:
net cache flush
systemctl restart samba
systemctl restart winbind

Now it's up to you, see if your problem disappeared. And tell us your results.

Best regards,

Louis

> -----Original message-----
> From: Pkg-samba-maint
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@lists.alioth.debian.org] On behalf of Christian Meyer
> Sent: Friday 19 May 2017 20:41
> To: 862...@bugs.debian.org
> Subject: [Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.
>
> Hello Louis and Mathieu,
>
> thanks for your fast reply.
> I'm using 2:4.5.8+dfsg amd64 from stretch and my Debian machines are members of a Windows 2008R2 DC Active Directory ("net ads join ...") with a single server and about 100 Windows 7 members and 40 Debian members. ("Server role: ROLE_DOMAIN_MEMBER")
>
> I followed the guide from
> https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
> and changed some settings in smb.conf to fix certain issues after reading 'man smb.conf' (and various online sources from forums, howtos, tutorials, up to https://www.samba.org/samba/docs/* and https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection )
>
> Samba configuration worked acceptably for jessie: about 3 to 8 login issues a day with 40+ computers and about 60-70 domain logins.
> Testparm dumps the following service definitions (without shares):
>
> # Global parameters
> [global]
>         realm = WORK.COMPANY
>         workgroup = WORK
>         domain master = No
>         local master = No
>         os level = 0
>         preferred master = No
>         client ldap sasl wrapping = seal
>         log file = /var/log/samba/winbind-debug.log
>         name resolve order = lmhosts host bcast
>         password server = 172.16.0.1 *
>         restrict anonymous = 2
>         security = ADS
>         template shell = /bin/bash
>         winbind enum groups = Yes
>         winbind enum users = Yes
>         winbind refresh tickets = Yes
>         winbind use default domain = Yes
>         idmap config * : range = 11000-20000
>         idmap config * : backend = tdb
>
> There are some things missing in testparm's output that are in smb.conf:
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> log level = 2 winbind:3
> template homedir = /home/%D/%U
>
> testparm says:
> "The setting 'security=ads' should NOT be combined with the 'password server' parameter."
> Since I had problems with WINS and name resolution (e.g. failing nmblookup) I decided to use 'password server' anyway and to remove WINS.
>
> I'm only using the tdb backend since SID/uid/gid mapping is not that important for me (I work with temporary user accounts and all user data is stored on the Windows 2008R2 DC in NTFS shares). Homedirs of domain users are created with pam_mkhomedir and deleted on logout.
> The range starts with 11000 because I had different backends some time ago, but that was before I installed the current machine.
>
> I would like to test samba-4.5.9 or samba-4.6 (or at least the new testparm), but I haven't built samba from sources before.
>
> Thanks for your interest,
>
> Christian Meyer
>
> _______________________________________________
> Pkg-samba-maint mailing list
> pkg-samba-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint
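Both messages in this thread turn on the same two smb.conf pitfalls: Louis's note that the idmap ranges may not overlap (and that a "*" default range must exist), and the testparm warning Christian quotes about combining 'security = ads' with 'password server'. The linter below is an added example, not code from this thread or from the Samba project. It reads the [global] section of an smb.conf or a testparm dump and flags those conditions; it copes with testparm's indented layout and with a headerless block like the one Louis posted. The sample config is constructed here, with a deliberately overlapping WORK range; the function and finding names are this example's own.

```python
"""Lint the [global] section of an smb.conf (or a testparm dump) for the
AD-member pitfalls discussed in this thread: overlapping idmap ranges, a
missing default ('*') idmap range, and 'security = ads' combined with
'password server'."""
import configparser
import re

# Constructed sample in the style of the testparm dump quoted above; the WORK
# range deliberately overlaps the '*' range so the checks have something to flag.
SAMPLE_SMB_CONF = """
# Global parameters
[global]
        realm = WORK.COMPANY
        workgroup = WORK
        security = ADS
        password server = 172.16.0.1 *
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        idmap config WORK : backend = rid
        idmap config WORK : range = 9000-999999
"""

RANGE_KEY = re.compile(r"^idmap config (\S+) : range$", re.IGNORECASE)


def parse_global(text):
    """Return the [global] parameters as {normalised key: value}."""
    # testparm indents parameters; configparser would treat indented lines as
    # continuation lines, so strip leading whitespace first. Samba accepts a
    # headerless file that is implicitly [global]; add the header if missing.
    lines = [ln.strip() for ln in text.splitlines()]
    if not any(ln.lower() == "[global]" for ln in lines):
        lines.insert(0, "[global]")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of domain names in idmap keys
    cp.read_string("\n".join(lines))
    section = next(s for s in cp.sections() if s.lower() == "global")
    # collapse whitespace so 'idmap config *: range' and
    # 'idmap config * : range' compare equal
    return {re.sub(r"\s*:\s*", " : ", re.sub(r"\s+", " ", k)).strip(): v.strip()
            for k, v in cp[section].items()}


def get(conf, name, default=""):
    """Case-insensitive lookup of a parameter."""
    for k, v in conf.items():
        if k.lower() == name.lower():
            return v
    return default


def idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config DOM : range'."""
    ranges = {}
    for key, value in conf.items():
        m = RANGE_KEY.match(key)
        if not m:
            continue
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if not r:
            raise ValueError(f"malformed range for {m.group(1)}: {value!r}")
        ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges


def overlapping_ranges(ranges):
    """Return (domain_a, domain_b) pairs whose ID ranges overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    hits = []
    for i, (da, (_, ahi)) in enumerate(items):
        for db, (blo, _) in items[i + 1:]:
            if blo <= ahi:  # sorted by low end, so this is the only overlap case
                hits.append((da, db))
    return hits


def lint(text):
    """Return a list of human-readable findings (empty means nothing flagged)."""
    conf = parse_global(text)
    findings = []
    ranges = idmap_ranges(conf)
    if "*" not in ranges:
        findings.append("no 'idmap config * : range' (default domain) defined")
    for a, b in overlapping_ranges(ranges):
        findings.append(f"idmap ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    if get(conf, "security").lower() == "ads" and get(conf, "password server"):
        findings.append("'security = ads' combined with 'password server' "
                        "(testparm warns about this; let Samba locate the DC via DNS)")
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for finding in lint(source) or ["no findings"]:
        print(finding)
```

Run it as `python3 smbconf_lint.py /etc/samba/smb.conf`, or feed it `samba-tool testparm -s /etc/samba/smb.conf` output saved to a file, since the dump shows the effective values rather than what was typed.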