SCIENTIFIC-LINUX-USERS Archives

December 2018

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"Gilbert E. Detillieux" <[log in to unmask]>
Reply To:
Gilbert E. Detillieux
Date:
Tue, 11 Dec 2018 14:55:06 -0600
Content-Type:
text/plain
Parts/Attachments:
text/plain (49 lines)
Thanks, Jose.  That was helpful.

Our AD server doesn't have SFU set up, so I commented out the rfc2307-related statements, but plugged the rest of your recommended config into our smb.conf file.

Some progress.  I can now enumerate AD users and groups with the "wbinfo" command.  I can now also connect and authenticate from Linux-based smbclient connections, and mount volumes from macOS (using the "smb://..." notation), using AD account credentials.

However, Windows 7 and 10 clients still won't connect to our Samba server.  So I guess I had two separate problems, one of which persists.  The logs are not showing anything at all corresponding to these failed connections.

Does anyone have any idea what else changed, either in the Samba 4.8 version, or in the latest patches, that would cause issues with Windows clients not connecting?

Gilbert

On 10/12/2018 3:26 a.m., Jose Marques wrote:
>> On 6 Dec 2018, at 15:45, Gilbert E. Detillieux <[log in to unmask]> wrote:
>>
>> What I'm now trying to set up is a working winbindd-based configuration to essentially do what smbd used to do directly (communicating with the AD server) before they took that functionality away, with as little fuss (and opportunity for breakage) as possible.
> 
> We run Samba 4.7 on FreeBSD on our storage servers and hit the same issue with the winbind requirement when testing 4.8. The problem is that not all AD setups are alike. We store unix attributes in AD because we mix Samba and NFS. The following works in our setup. YMMV.
> 
>    idmap config * : backend = tdb
>    idmap config * : range = 9000-9999
>    winbind enum users = yes
>    winbind enum groups = yes
>    winbind use default domain = yes
>    winbind nss info = rfc2307
>    winbind expand groups = 3
>    idmap config <domain>:default = yes
>    idmap config <domain>:backend = ad
>    idmap config <domain>:range = 10000-60000
>    idmap config <domain>:schema_mode = rfc2307
> 
> Change <domain> to your AD domain and change the range to the uid range of the unix attributes given to your AD accounts. This must not overlap with the range used by the tdb backend (which, as I understand it, should not overlap local accounts). You then need to run "net ads join -U <user>" where "<user>" has rights to join a machine to the domain. You can test using "wbinfo -u", which should list all your users. The command "wbinfo -i <user>" will show info for a user. We found that we needed to give the "Domain Users" group unix attributes or winbind will fail to do lookups properly. We also find that winbind uses pre-w2k group names. Our AD domain was an add-on to our setup (and we didn't really know what we were doing) so these names can differ on our AD.



-- 
Gilbert E. Detillieux		E-mail:	<[log in to unmask]>
Dept. of Computer Science	Web:	http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba		Phone:	(204)474-8161
Winnipeg MB CANADA  R3T 2N2	Fax:	(204)474-7609
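As an added check (example code written for this archive page, not from either poster), the script below parses the `idmap config ... : range` lines out of an smb.conf fragment and flags the two conditions Jose's post says must not happen: idmap ranges that overlap each other, and a range that swallows local account UIDs. The smb.conf text, the domain name `EXAMPLE` and the local UID list are constructed sample values.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment: the idmap lines from Jose's post with the
# <domain> placeholder filled in as EXAMPLE (a made-up domain name).
SAMPLE_SMB_CONF = """
[global]
   idmap config * : backend = tdb
   idmap config * : range = 9000-9999
   idmap config EXAMPLE:backend = ad
   idmap config EXAMPLE:range = 10000-60000
   idmap config EXAMPLE:schema_mode = rfc2307
"""

# Constructed local UIDs (what getent passwd might return on the Samba host).
# UID 9500 is placed inside the tdb range on purpose to trigger a finding.
SAMPLE_LOCAL_UIDS = [0, 1000, 1001, 9500]

# smb.conf keys are case-insensitive and tolerate whitespace around ':' and '='.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config <dom> : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group("dom").strip()] = (int(m.group("lo")), int(m.group("hi")))
    return ranges


def find_problems(ranges: Dict[str, Tuple[int, int]], local_uids: List[int]) -> List[str]:
    """Report inverted ranges, pairwise overlaps, and local UIDs inside any range."""
    problems: List[str] = []
    doms = list(ranges)
    for i, a in enumerate(doms):
        lo_a, hi_a = ranges[a]
        if lo_a > hi_a:
            problems.append(f"{a}: inverted range {lo_a}-{hi_a}")
        for b in doms[i + 1:]:           # closed intervals overlap iff each low <= other's high
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                problems.append(f"{a} and {b}: ranges overlap")
        for uid in local_uids:
            if lo_a <= uid <= hi_a:
                problems.append(f"{a}: local uid {uid} falls inside {lo_a}-{hi_a}")
    return problems


if __name__ == "__main__":
    for p in find_problems(parse_idmap_ranges(SAMPLE_SMB_CONF), SAMPLE_LOCAL_UIDS):
        print("WARNING:", p)
```

On a real host, feed it the output of `testparm -s` and the UIDs from `getent passwd` instead of the constructed samples.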

