[Samba] Problem with Winbind and Windows Clients
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 11 08:14:41 UTC 2016
Besides 2 x winbind refresh tickets = yes,
this looks good.
In what "interval" is this happening?
Every day, every week? Is it consistent?
This is often a time sync problem, but I do recall a previous message of yours.
Your time is in sync? Servers and PCs, and you use a pool NTP. But a stratum 1 or 2 NTP.
Pools can cause out-of-syncs.
Another option is to set the GPO for Kerberos, but this is normally not needed.
Other question: is this a "cloned" Windows, and did you sysprep? (Must ask, sorry.)
Last, what is the Windows event log telling you when you're trying to log in? That can be very useful.
I'm asking all of the above because I also have multiple PCs always on and I don't see this problem here.
I'm using for the DC 4.2.9 Sernet Samba.
Members vary between 4.1.17 up to 4.3.4, depending on their function/services they're running.
Greetz,
Louis
From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday 11 March 2016 9:03
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients
Here is smb.conf
[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast
log file = /var/log/samba/%m.log
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind refresh tickets = yes
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023
# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Phone +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Düsseldorf District Court: HRB 26934
Managing Directors: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.
Please consider the environment and only print this if required.
On 11.03.2016 at 09:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
Please post your member smb.conf.
But probably you're missing:
winbind refresh tickets = yes
and/or
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
greetz,
Louis
-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
Sent: Friday 11 March 2016 8:55
To: samba at lists.samba.org
Subject: [Samba] Problem with Winbind and Windows Clients
Hi,
I have a permanent problem with my Samba members. They lose their
connections to the DCs after some time and I need to restart winbind.
Also the same problem with Windows clients that are running 24x7. After a
few days I cannot log in.
I think that's a problem with Kerberos tickets.
I have checked the Samba logs and found that the Samba member and Windows
client ask for new tickets and get a new expiration.
In my DCs I have set
kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120
and the master krb5.conf looks like
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 1d
renew_lifetime = 5d
[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
kdc = vl0230.hq.kontrast
kdc = pl0231.hq.kontrast
master_kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}
[domain_realm]
.hq.kontrast = HQ.KONTRAST
hq.kontrast = HQ.KONTRAST
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmind.log
So what I saw was that the GPOs are empty by default. Do I need to configure
a Kerberos policy for winbind?
Kind regards
OLIVER WERNER
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
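Added example, not part of the original thread: a small check for a member smb.conf that reports parameters set more than once in [global] (the "2 x winbind refresh tickets" noted in the reply) and whether the three settings named in the thread are present. The names `lint`, `parse_global`, `norm` and `RECOMMENDED` are hypothetical, the sample is constructed from the posted config, and it is assumed that the last occurrence of a repeated parameter is the one that takes effect.

```python
import re
# Settings named in the thread as the ones a member is probably missing.
RECOMMENDED = {
    "winbind refresh tickets": "yes",
    "dedicated keytab file": "/etc/krb5.keytab",
    "kerberos method": "secrets and keytab",
}

# Constructed sample: shortened copy of the member smb.conf from the thread.
SAMPLE = """\
[global]
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind cache time = 300
winbind refresh tickets = yes
"""

def norm(name):  # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized param: [(line number, value), ...]} for [global]."""
    params, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params.setdefault(norm(key), []).append((lineno, value.strip()))
    return params

def lint(text):
    """Return (duplicated params -> line numbers, recommended settings not met)."""
    params = parse_global(text)
    dups = {k: [n for n, _ in v] for k, v in params.items() if len(v) > 1}
    unmet = {}
    for key, want in RECOMMENDED.items():
        seen = params.get(norm(key))
        got = seen[-1][1] if seen else None  # assumption: the last value is used
        if got is None or got.lower() != want.lower():
            unmet[key] = got
    return dups, unmet

if __name__ == "__main__":
    print(lint(SAMPLE))
```

Values are compared case-insensitively, so a keytab path that differs only in case would not be flagged.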