[Samba] AD Group lost from Winbind

Oliver Werner oliver.werner at kontrast.de
Mon Feb 22 10:53:55 UTC 2016 

yeah

>  /var/lib/samba/sysvol/hq.kontrast/scripts

was i typo

hq.internal was correct.


uidNumber and gidNumber is set for our own users and group, but not Administrator or Administrators.

Today it was an issue again on a member so i test command

wbinfo --group-info=group_intern

and got the error

failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group group_intern


After restart windbag on domain member all looks ok again.


> Am 22.02.2016 um 10:21 schrieb Rowland penny <rpenny at samba.org>:
> 
> On 22/02/16 08:32, Oliver Werner wrote:
>> hi,
>> 
>> we have tested last week our problem with change parameter
>> 
>> server services = -winbindd +winbind
>> 
>> but our member server get also the issue that the winbind lost user and group mapping for valid users.
>> 
>> so for the test i have changed on our three DCs the parameter above.
>> 
>> May i need to set this parameter on member server also?
>> 
>> 
>> Oliver
>> 
>> 
>> 
> 
> OK, I have been rereading this thread and I think Louis may have been sending you off on a wild goose chase here, if the problem occurs on a domain member, it very probably has nothing to do with how smb.conf is setup on the DC.
> 
> What I did notice (and it is probably a typo) is this:
> 
> In domain member smb.conf:        realm = hq.internal
> 
> In DC smb.conf:
> [netlogon]
>    path = /var/lib/samba/sysvol/hq.kontrast/scripts
> 
> Which is it ? 'hq.internal' or 'hq.kontrast'
> 
> You should also add these lines to the smb.conf on the domain member:
> 
>   vfs objects = acl_xattr
>   map acl inherit = yes
>   store dos attributes = yes
> 
> Have you given a uidNumber attribute to users in AD and if you have, does this include Administrator ?
> Have you given a gidNumber attribute to groups in AD and if you have, does this include groups such as Administrators ?
> 
> To be honest it sounds like the kerberos ticket could be expiring and not getting renewed.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.samba.org/pipermail/samba/attachments/20160222/2efc84e5/signature.sig>

More information about the samba mailing list