[Samba] Problem with AD users and groups

Ricky Nance ricky.nance at gmail.com
Fri Jun 7 13:31:52 MDT 2013


Re-provisioning will wipe out your entire samba DB, so I would try to avoid
that if at all possible. Figure out if something else is listening on port
88, stop it, and restart samba (it's the kerberos stuff). The smbclient
command isn't all that helpful (sometimes it is, sometimes not), so you may
try it with a higher debug level (-d10), but don't paste that here as it
will get quite lengthy; use a pastebin and give us the link if you don't
mind (if you think it's more helpful, that is).

Good luck,
Ricky


On Fri, Jun 7, 2013 at 12:56 PM, Marcelo Ruriani <
systemadmin at helpinghandsofgreenup.org> wrote:

>  On 6/7/13 10:51 AM, Ricky Nance wrote:
>
> I'd double check on the samba server itself if you can connect to it
> using smbclient... `smbclient //localhost/sysvol -Uadministrator` .... if
> that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste
> the output in your reply. If it succeeds then you can pretty much bet on a
> connectivity issue... by the way, why isn't samba listening on port 88 in
> your last mail? It might be worth it to try a `killall samba && sleep 5 &&
> samba -i -M single -d3` and look for any error messages ... anyway those
> are just a couple of my suggestions.
>
>  Ricky
>
>
> On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani <
> systemadmin at helpinghandsofgreenup.org> wrote:
>
>> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>>
>>> Hello Marcelo,
>>>
>>> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>>>
>>>> It seems I locked myself out. I have tried these steps: turn off the
>>>> firewall, ntacl sysvol reset, and dis-join from domain.
>>>> The ntacl sysvol reset returns errors (which I'll post if necessary) the
>>>> dis-join worked fine but I cannot re-join to the domain because it
>>>> doesn't detect our domain and throws up an error "domain could not be
>>>> contacted" and "DNS name doesn't exist".
>>>>
>>>
>>> * IP connection between the hosts is fine? (ping each other)
>>>
>>> * Do you use the internal DNS or Bind DLZ?
>>>
>>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp' to make
>>> sure that nothing else is listening on this port and preventing the
>>> correct DNS from starting up.
>>>
>>> * Can you check:
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>  Dear List & Mark,
>>
>>     Thank you for the reply. To answer your questions. I am using the
>> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
>> plus host -t SRV _kerberos (and so on) return with a "not found" error. The
>> A record test works fine.
>>
>> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
>> UDP 53)
>> smbd is listening on TCP port 139, 445
>>
>> The clients ping the server (ip and domain name) fine and the server
>> pings the clients fine.
>>
>> My followup question will appear after this reply.
>>
>> Marcelo
>>
>
>  To list, Mark, Ricky,
>
>     I must admit I am unsure why it isn't listening on port 88! I will do
> that "kill all samba" thing later and reply if that does the trick. On the
> tests you asked me to do, this is my output of terminal: (I apologize for
> formatting)
>
> root at ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator
> Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> root at ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5 -U%administrator
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> INFO: Current debug levels:
> all: 5
> tdb: 5
> printdrivers: 5
> lanman: 5
> smb: 5
> rpc_parse: 5
> rpc_srv: 5
> rpc_cli: 5
> passdb: 5
> sam: 5
> auth: 5
> winbind: 5
> vfs: 5
> idmap: 5
> quota: 5
> acls: 5
> locking: 5
> msdfs: 5
> dmapi: 5
> registry: 5
> params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> doing parameter workgroup = AD.HHG.COM
> doing parameter realm = HHG.COM
> doing parameter netbios name = AD
> doing parameter server role = active directory domain controller
> doing parameter dns forwarder = 192.168.1.1
> pm_process() returned Yes
> added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0 bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
> added interface eth0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
> Netbios name list:-
> my_netbios_names[0]="AD"
> Client started (version 4.1.0pre1-GIT-94f11e9).
> Opening cache file at /usr/local/samba/var/lock/gencache.tdb
> Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
> sitename_fetch: No stored sitename for HHG.COM
> name localhost#20 found.
> Connecting to ::1 at port 445
> Socket options:
> SO_KEEPALIVE = 0
> SO_REUSEADDR = 0
> SO_BROADCAST = 0
> TCP_NODELAY = 1
> TCP_KEEPCNT = 9
> TCP_KEEPIDLE = 7200
> TCP_KEEPINTVL = 75
> IPTOS_LOWDELAY = 0
> IPTOS_THROUGHPUT = 0
> SO_SNDBUF = 173200
> SO_RCVBUF = 87380
> SO_SNDLOWAT = 1
> SO_RCVLOWAT = 1
> SO_SNDTIMEO = 0
> SO_RCVTIMEO = 0
> TCP_QUICKACK = 1
> TCP_DEFER_ACCEPT = 0
> session request ok
> Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
> session setup ok
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> My questions are if the worst were if I had to re-provision, would the
> re-provision be enough? OR Would I have to do the entire compile, make,
> install procedure? Thanks.
>
> Marcelo
>
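The port check suggested in this thread (is something other than Samba holding port 88 or 53?), written out as an added example that is not part of the original mails. The names `check_dc_ports`, `DC_PORTS`, `DC_OWNERS` and `sample_netstat` are hypothetical, and the sample rows, including the `krb5kdc` listener, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify listeners on the AD DC ports.
# Feed it `netstat -taunp` output, collected as root so PID/Program is filled in.
DC_PORTS="tcp/53 udp/53 tcp/88 udp/88 tcp/135 tcp/139 tcp/389 tcp/445 tcp/636 tcp/3268 tcp/3269"
DC_OWNERS='^(samba|smbd)$'   # assumption: add named when using the BIND DLZ backend

# check_dc_ports [owner-regex]: prints "<proto>/<port> OK|FOREIGN|MISSING [program]"
check_dc_ports() {
    awk -v ports="$DC_PORTS" -v ok="${1:-$DC_OWNERS}" '
    $1 ~ /^(tcp|udp)/ && $5 ~ /:\*$/ {       # wildcard peer = listening/unconnected
        proto = substr($1, 1, 3)             # fold tcp6/udp6 into tcp/udp
        port = $4; sub(/.*:/, "", port)      # local address -> port number
        prog = "unknown"                     # stays unknown when netstat shows "-"
        for (i = 6; i <= NF; i++)            # udp rows have no State column
            if ($i ~ /^[0-9]+\//) {
                prog = $i; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog); break
            }
        key = proto "/" port
        if (!(key in owner) || prog !~ ok) owner[key] = prog   # a foreign owner wins
    }
    END {
        n = split(ports, want, " ")
        for (i = 1; i <= n; i++) {
            k = want[i]
            if (!(k in owner))      print k, "MISSING"
            else if (owner[k] ~ ok) print k, "OK", owner[k]
            else                    print k, "FOREIGN", owner[k]
        }
    }'
}

# Constructed sample: the listeners reported in the thread, plus a hypothetical
# krb5kdc holding tcp/88 and an established session that must be ignored.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:53        0.0.0.0:*           LISTEN      2101/samba
tcp        0      0 0.0.0.0:88        0.0.0.0:*           LISTEN      877/krb5kdc
tcp        0      0 0.0.0.0:135       0.0.0.0:*           LISTEN      2101/samba
tcp        0      0 0.0.0.0:139       0.0.0.0:*           LISTEN      2110/smbd
tcp        0      0 0.0.0.0:389       0.0.0.0:*           LISTEN      2101/samba
tcp6       0      0 :::445            :::*                LISTEN      2110/smbd
tcp        0      0 0.0.0.0:636       0.0.0.0:*           LISTEN      2101/samba
tcp        0      0 0.0.0.0:3268      0.0.0.0:*           LISTEN      2101/samba
tcp        0      0 0.0.0.0:3269      0.0.0.0:*           LISTEN      2101/samba
tcp        0      0 192.168.1.10:445  192.168.1.23:49210  ESTABLISHED 2110/smbd
udp        0      0 0.0.0.0:53        0.0.0.0:*                       2101/samba
EOF
}

sample_netstat | check_dc_ports
```

On a live server, run `netstat -taunp | check_dc_ports` as root; a `FOREIGN` line names the program to stop before restarting samba, and a `MISSING` line means nothing is bound to that port at all.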

