[Samba] AD Group lost from Winbind

L.P.H. van Belle belle at bazuin.nl
Fri Feb 12 10:30:40 UTC 2016


Hai, 

Yes, only the DCs.
Change one, test, and if all is OK with you, change the others.

Greetz, 

Louis


> -----Original message-----
> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Sent: Friday 12 February 2016 11:24
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] AD Group lost from Winbind
> 
> I need to change it on all DCs, right?
> 
> So I need to change some other options on member?
> 
> 
> > On 12.02.2016 at 10:59, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >
> > This all looks good to me, but the problem lies in the DC winbind code, not the member.
> >
> > You can try to switch back (temporarily) to winbind (on the DC).
> > As I did; at least you get the correct IDs back (for now).
> > For you, this is the change you need on the DC.
> >
> > server services = -winbindd +winbind
> >
> > I'm recompiling the samba 4.3.3 from sid now atm, so I'll test out what happens.
> >
> > I'll report back here.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> >> Sent: Friday 12 February 2016 10:54
> >> To: L.P.H. van Belle
> >> CC: samba at lists.samba.org
> >> Subject: Re: [Samba] AD Group lost from Winbind
> >>
> >> This is DC:
> >> # Global parameters
> >> [global]
> >> 	workgroup = HQ
> >> 	realm = HQ.INTERNAL
> >> 	netbios name = DC1
> >> 	server role = active directory domain controller
> >> 	idmap_ldb:use rfc2307 = yes
> >> 	interfaces=eth0
> >> 	bind interfaces only=yes
> >> 	tls enabled  = yes
> >> 	tls keyfile  = /var/lib/samba/private/tls/key.pem
> >> 	tls certfile = /var/lib/samba/private/tls/cert.pem
> >> 	tls cafile   = /var/lib/samba/private/tls/ca.pem
> >>
> >> [netlogon]
> >> 	path = /var/lib/samba/sysvol/hq.kontrast/scripts
> >> 	read only = No
> >>
> >> [sysvol]
> >> 	path = /var/lib/samba/sysvol
> >> 	read only = No
> >>
> >>
> >>
> >> member config was shown in my first e-mail
> >>
> >>
> >>
> >>
> >>
> >>
> >>> On 12.02.2016 at 10:22, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >>>
> >>> That's strange, my members don't show this problem, only my DCs.
> >>>
> >>> Can you post your smb.conf of the DC and one of your member servers?
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> >>>> Sent: Friday 12 February 2016 10:16
> >>>> To: L.P.H. van Belle
> >>>> CC: samba at lists.samba.org
> >>>> Subject: Re: [Samba] AD Group lost from Winbind
> >>>>
> >>>> In my situation I don't use DCs for shares (only for sysvol).
> >>>>
> >>>>
> >>>> So my member has the problems.
> >>>>
> >>>>
> >>>>> On 12.02.2016 at 09:20, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >>>>>
> >>>>> OK, I'm having this:
> >>>>>
> >>>>> DC's
> >>>>> Debian Wheezy 7.9, sernet samba 4.2.8
> >>>>>
> >>>>>
> >>>>> Member servers.
> >>>>> Debian Jessie samba 4.1.17 ( fileserver )
> >>>>> Debian Jessie samba 4.2.7  ( print server )
> >>>>> 	This one isn't updated yet with latest updates.
> >>>>>
> >>>>> The following packages have been kept back:
> >>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
> >>>>> The following packages will be upgraded:
> >>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5
> >>>>>
> >>>>> on this one all id's are still correct.
> >>>>>
> >>>>> Thanks, Daniel Müller, for your addition..
> >>>>>
> >>>>> This is really a big problem.. what happened here in the samba code?
> >>>>> I've looked at the change log, but can't see anything related to this.
> >>>>>
> >>>>> So if anyone (devs?) knows what happened here in the samba code.
> >>>>> As far as I now know, I have to
> >>>>> re-assign all my uids / gids on all users / groups, with other IDs, omg what a hell...
> >>>>> And fix all idmaps on all servers.. pff. ... really no other fix?
> >>>>>
> >>>>> There goes my weekend...
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> >>>>>> Sent: Friday 12 February 2016 9:06
> >>>>>> To: L.P.H. van Belle
> >>>>>> CC: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] AD Group lost from Winbind
> >>>>>>
> >>>>>> My OS is Debian 8.3.
> >>>>>>
> >>>>>> winbind and samba are in version 4.1.17
> >>>>>>
> >>>>>>
> >>>>>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >>>>>>>
> >>>>>>> OK, same problem as I'm having..
> >>>>>>>
> >>>>>>> What is your OS running?
> >>>>>>>
> >>>>>>>
> >>>>>>>> -----Original message-----
> >>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> >>>>>>>> Sent: Friday 12 February 2016 8:56
> >>>>>>>> To: samba at lists.samba.org
> >>>>>>>> Subject: [Samba] AD Group lost from Winbind
> >>>>>>>>
> >>>>>>>> Hello,
> >>>>>>>>
> >>>>>>>> the last two days I have had problems with my AD group, which is defined in the
> >>>>>>>> share setting valid users.
> >>>>>>>>
> >>>>>>>> Winbind looks to have lost the mapping of this group, and so no user can connect to
> >>>>>>>> this share anymore.
> >>>>>>>>
> >>>>>>>> When I restart the winbind service, the mapping works again until the mapping is lost
> >>>>>>>> again.
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> ls -lsa shows me this when the issue occurs:
> >>>>>>>>
> >>>>>>>>     2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share
> >>>>>>>>
> >>>>>>>> After restarting winbind:
> >>>>>>>>
> >>>>>>>>     2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> My smb.conf looks like
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> [global]
> >>>>>>>>    netbios name = MEMBER1
> >>>>>>>>    security = ADS
> >>>>>>>>    workgroup = HQ
> >>>>>>>>    realm = hq.internal
> >>>>>>>>
> >>>>>>>>    log file = /var/log/samba/%m.log
> >>>>>>>>    log level = 1
> >>>>>>>>
> >>>>>>>>    dedicated keytab file = /etc/krb5.keytab
> >>>>>>>>    kerberos method = secrets and keytab
> >>>>>>>>    winbind refresh tickets = yes
> >>>>>>>>
> >>>>>>>>    winbind trusted domains only = no
> >>>>>>>>    winbind use default domain = yes
> >>>>>>>>    winbind enum users  = yes
> >>>>>>>>    winbind enum groups = yes
> >>>>>>>>    winbind cache time = 300
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>    idmap config *:backend = tdb
> >>>>>>>>    idmap config *:range = 500-9999
> >>>>>>>>
> >>>>>>>>    # idmap config for domain HQ
> >>>>>>>>    idmap config HQ:backend = ad
> >>>>>>>>    idmap config HQ:schema_mode = rfc2307
> >>>>>>>>    idmap config HQ:range = 10000-99999
> >>>>>>>>
> >>>>>>>>    # Use settings from AD for login shell and home directory
> >>>>>>>>    winbind nss info = rfc2307
> >>>>>>>>
> >>>>>>>> [Share]
> >>>>>>>> path = /data/share
> >>>>>>>> browseable = yes
> >>>>>>>> writeable = yes
> >>>>>>>> force group = Group_Intern
> >>>>>>>> valid users = @Group_Intern
> >>>>>>>> create mask = 0660
> >>>>>>>> directory mask = 0770
> >>>>>>>> #oplocks = 0
> >>>>>>>> vfs objects = full_audit recycle
> >>>>>>>> full_audit:prefix = %u
> >>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
> >>>>>>>> full_audit:failure = none
> >>>>>>>> full_audit:facility = LOCAL5
> >>>>>>>> full_audit:priority = NOTICE
> >>>>>>>> recycle:versions = yes
> >>>>>>>> recycle:exclude = .*, ~*
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Does anyone have an idea for this problem?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Regards
> >>>>>>>> Oliver
> >>>>>>>> --
> >>>>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
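
A check for the symptom in the original post (the share's group showing as the bare number 12001 until winbind is restarted), as an added example that is not part of the thread: it reads the idmap ranges from smb.conf text and lists gids inside those ranges that no longer resolve to a name. The function names, the configuration excerpt and the stand-in resolver are constructed for illustration.

```python
import grp
import os
import re

# Constructed sample: the idmap lines from the member smb.conf quoted in this thread.
SAMPLE_CONF = """
[global]
   idmap config *:backend = tdb
   idmap config *:range = 500-9999
   idmap config HQ:backend = ad
   idmap config HQ:range = 10000-99999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf_text)}

def system_resolver(gid):
    """Resolve a gid through NSS (winbind included); None if it has no name."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None

def unresolved_gids(gids, ranges, resolve=system_resolver):
    """List (gid, domain) pairs that sit in an idmap range but have no name."""
    findings = []
    for gid in sorted(set(gids)):
        for domain, (low, high) in ranges.items():
            if low <= gid <= high and resolve(gid) is None:
                findings.append((gid, domain))
    return findings

def gids_under(path):
    """Collect the owning gids of path and of its direct entries."""
    gids = {os.stat(path).st_gid}
    with os.scandir(path) as entries:
        gids.update(e.stat(follow_symlinks=False).st_gid for e in entries)
    return gids

if __name__ == "__main__":
    # Constructed resolver imitating the failing state shown by ls in the post.
    lost = {0: "root"}
    print(unresolved_gids([0, 12001], idmap_ranges(SAMPLE_CONF), lost.get))
```

On a member server, `unresolved_gids(gids_under("/data/share"), idmap_ranges(open("/etc/samba/smb.conf").read()))` returning a non-empty list means `valid users = @Group_Intern` can no longer be evaluated for that share.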




