[Samba] Problem with Winbind and Windows Clients
L.P.H. van Belle
belle at bazuin.nl
Tue Mar 22 11:10:05 UTC 2016
Only thing i can think of now is enable higher log levels in the problem member server so we can have a better look in to the problem.
im out of options, you config looks good, and dont think its the vlanning.
Add in smb.conf something like :
log level = 3 passdb:5 auth:10 winbind:10
and wait again untill the problem exists.
You may need to increase the max log size.
Rowland, you any suggestions?
Greetz,
Louis
Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
Verzonden: dinsdag 22 maart 2016 11:24
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
My Logs looks like ok i can?t found errors?
my last restart of Samba and Winbind was 2 days before.
Now after restart winbind (not samba) works again for next?
Linux knows the ID of group (used with force user in share) but lost wbinfo -g
Here is an config of my share where happen.
[Kundendaten]
path = /daten/kundendaten
browseable = yes
writeable = yes
force group = Kontrast_Intern
valid users = @Kontrast_Intern
create mask = 0660
directory mask = 0770
#oplocks = 0
vfs objects = full_audit recycle
full_audit:prefix = %u
full_audit:success = mkdir rename rmdir unlink pwrite
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
recycle:versions = yes
recycle:exclude = .*, ~*
Next Information:
Our DCs are in other VLAN as member and WinClients so there is maybe a problem?
Multi-/Anycast?
kind regards
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Am 22.03.2016 um 11:08 schrieb L.P.H. van Belle <belle at bazuin.nl>:
Any errors atm in
syslog and/or messages
and the samba logs.
And the interval of the problem, still 5 days?
Gr.
Louis
Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
Verzonden: dinsdag 22 maart 2016 11:00
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
Hi,
now i have tested again with libdefaults and same problems again? :(
So maybe we can found next tests with this informations:
1.
the problem looks only happen on systems where much users will login.
i have an archivesystem as samba member where ~10 users login => here we not have the issue.
Also i have windows clients where only 3 persons can login => also not happen
BUT:
Samba Member where ~80-100 Users login over a day => problem will happen
Also i have an windows client where ~80-100 Users login that will also happen
2.
I?m using Samba 4.1.17 Debian Pkg.
kind regards
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Am 18.03.2016 um 09:47 schrieb Oliver Werner <oliver.werner at kontrast.de>:
Ok i will test it.
So i have one more information that can maybe help?
the problem looks only happen on systems where much users will login.
i have an archive system as samba member where ~10 users login => here we not have the issue.
Also i have windows clients where only 3 persons can login => also not happen
BUT:
Samba Member where ~80-100 Users login over a day => problem will happen
Also i have an windows client where ~80-100 Users login that will also happen
that can help for more ideas :)?
Greetz
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Am 18.03.2016 um 09:31 schrieb L.P.H. van Belle <belle at bazuin.nl>:
Ok,
Its still every 5 days?
Change krb5.conf to on DC and Member servers to
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
proxiable = true
Now Reboot DC and Member and pc.
This is how im run my config and i have multiple pc?s always logged in.
My last option. :-/ you configs are good, so im getting out of options.
Optionaly you can also try to recreate you keytab file. ( backup old )
But thats normaly not needed, i do that if i changes for example ?password expires ? on a service account user.
Greetz,
Louis
Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
Verzonden: vrijdag 18 maart 2016 9:11
Aan: L.P.H. van Belle
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
Hi,
Next test is failed.
My Windows Clients lost everytime AD Authentication so i need to reboot.
On Samba i need also to restart winbind service since some hours?
here my samba and wind bind Versions
Samba: Version 4.1.17-Debian
Winbind: Version 4.1.17-Debian
Greetz
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Am 15.03.2016 um 11:10 schrieb L.P.H. van Belle <belle at bazuin.nl>:
Ok, next test.
Change :
kerberos method = secrets and keytab
to
kerberos method = secrets
and wait again.
I'll explain by giving this link.
http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog
Look at the last line bugfix in this change log of 4.3.6.
Im testing here also, because this looks like its also involves the kerberos changes, now, i forgot what you was running, but this is an easy test.
Is ntp installed on this machine, if not, install it and point it to the DC.
Just to be sure.
On the DC's, make sure your DC dont use any pool ntp servers.
Point it to a stable ntp. ( preffered in germany, like, ntps1-0.eecsit.tu-berlin.de (130.149.17.21) )
Greetz,
Louis
-----Oorspronkelijk bericht-----
Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner
Verzonden: dinsdag 15 maart 2016 10:43
Aan: Rowland penny
CC: samba at lists.samba.org
Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
Hi,
So now i have same Problem with Logins.
On Linux AD member i need to restart win bind again and again for working
samba shares.
On Windows clients i need to restart machine completely
so now i don?t have any idea
kind regards
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der
Vlist
<https://www.facebook.com/kontrast.communication>
<https://twitter.com/KONTRAST_de>
<http://www.xing.com/companies/kontrastcommunicationservicesgmbh>
<http://www.linkedin.com/company/kontrast-communication-services-gmbh>
<https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Am 11.03.2016 um 10:52 schrieb Oliver Werner
<oliver.werner at kontrast.de>:
Ok, now my smb.con on DCs looks
[global]
workgroup = HQKONTRAST
realm = HQ.KONTRAST
netbios name = VL0227
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = eth0:35
bind interfaces only=yes
log level = 3
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
on Member smb.conf
[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast
log file = /var/log/samba/%m.log
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023
# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
and on all machines krb5.conf
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
I will test it next days.
Thanks for help right now :D
kind regards
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der
Vlist
<https://www.facebook.com/kontrast.communication>
<https://twitter.com/KONTRAST_de>
<http://www.xing.com/companies/kontrastcommunicationservicesgmbh>
<http://www.linkedin.com/company/kontrast-communication-services-gmbh>
<https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Note: The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message
is not the intended recipient, or an employee or agent responsible for
delivering this message to the intended recipient, you are hereby notified
that any dissemination, distribution or copying of this communication is
strictly prohibited. If you have received this communication in error,
please notify us immediately by replying to the message and deleting it
from your computer.
Please consider the environment and only print this if required.
Am 11.03.2016 um 10:47 schrieb Rowland penny <rpenny at samba.org>:
On 11/03/16 09:40, Oliver Werner wrote:
Haha, really? :D
It should be possible without reboot not?
OLIVER WERNER
System-Administrator
Yes, remove the kdc lines :-D
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list