[Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.
Christian Meyer
c2h5oh at web.de
Fri May 19 18:41:07 UTC 2017
Hello Louis and Mathieu,
thanks for your fast reply.
I'm using 2:4.5.8+dfsg amd64 from stretch and my Debian machines are
members of a Windows 2008R2 DC Active Directory ("net ads join ...")
with a single server and about 100 Windows 7 members and 40 Debian
members. ("Server role: ROLE_DOMAIN_MEMBER")
I followed the guide from
https://wiki.debian.org/AuthenticatingLinuxWithActiveDirectory
and changed some settings in smb.conf to fix certain issues after
reading 'man smb.conf' (and various online sources from forums, howtos,
tutorials, up to https://www.samba.org/samba/docs/* and
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection ).
Samba configuration worked acceptably for jessie: about 3 to 8 login
issues a day with 40+ computers and about 60-70 domain logins.
Testparm dumps the following service definitions (without shares):
# Global parameters
[global]
realm = WORK.COMPANY
workgroup = WORK
domain master = No
local master = No
os level = 0
preferred master = No
client ldap sasl wrapping = seal
log file = /var/log/samba/winbind-debug.log
name resolve order = lmhosts host bcast
password server = 172.16.0.1 *
restrict anonymous = 2
security = ADS
template shell = /bin/bash
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
idmap config * : range = 11000-20000
idmap config * : backend = tdb
There are some things missing in testparm's output that are in smb.conf:
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
log level = 2 winbind:3
template homedir = /home/%D/%U
testparm says:
"The setting 'security=ads' should NOT be combined with the 'password
server' parameter."
Since I had problems with WINS and name resolution (e.g. failing
nmblookup) I decided to use 'password server' anyway and to remove WINS.
I'm only using the tdb backend since SID/uid/gid mapping is not that
important for me (I work with temporary user accounts and all user data
is stored on the Windows 2008R2 DC in NTFS shares). Homedirs of domain
users are created with pam_mkhomedir and deleted on logout.
The range starts with 11000 because I had different backends some time
ago, but that was before I installed the current machine.
I would like to test samba-4.5.9 or samba-4.6 (or at least the new
testparm), but I haven't built samba from sources before.
Thanks for your interest,
Christian Meyer