Re: only admin idmap cannot be resolved any longer
c.vielhauer at me.com
Wed Jan 18 22:58:07 UTC 2017
Hi Louis,
Thanks, I have added the refresh tickets option, and next time I will use the correct list ;-)
The second option, ACL support, I already use in 3 shares; it works great.
And the wiki pages are always my first destination to find some help and check my settings, because a lot of third-party howtos and wikis are obsolete or written for older Samba versions.
Thanks
Chris
From: L.P.H. van Belle
Sent: Wednesday, 18 January 2017 14:53
To: samba-technical at lists.samba.org
Cc: c.vielhauer at me.com
Subject: RE: only admin idmap cannot be resolved any longer
Add this to your smb.conf
# renew the kerberos ticket
winbind refresh tickets = yes
See if that helps with your id problem.
Maybe the keytab wasn't refreshed.
(and optional)
# For Windows ACL support on a member file server,
# enabling this globally is OBLIGATED.
# For a mixed setup of rights, put this per share!
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
Did you read the wiki member page?
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
And it's better to use samba at lists.samba.org next time ;-)
That's more for the regular questions.
Greetz,
Louis
> -----Original message-----
> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
> On behalf of c.vielhauer at me.com
> Sent: Wednesday 18 January 2017 14:18
> To: Rowland Penny; samba-technical at lists.samba.org
> Subject: Re: only admin idmap cannot be resolved any longer
>
> It works without any changes or reboots over night.
> I really have no idea, what was wrong yesterday…
>
> All I did after I sent the smb.conf was clear all log files on the file
> server and restart the Samba service, to get clear logs in the morning.
> Maybe one of the log files was corrupt? :-/
>
>
> From: c.vielhauer at me.com
> Sent: Wednesday, 18 January 2017 01:02
> To: Rowland Penny; samba-technical at lists.samba.org
> Subject: Re: only admin idmap cannot be resolved any longer
>
>
> BEGIN smb.conf
> [global]
> workgroup = DOMAINNAME
> realm = DOMAINNAME.LOCAL
> netbios name = fs
> preferred master = no
> server string = FileServer
> security = ADS
> encrypt passwords = yes
> interfaces = eth0 10.27.0.0/16
> ldap server require strong auth = No
>
> log file = /var/log/samba/%m.log
> max log size = 50
> log level = 3 winbind:99 idmap:99
>
> time server = yes
> template shell = /bin/bash
> idmap config *:backend = tdb
> idmap config *:range = 70001-80000
> idmap config EXAMPLEDOM:backend = rid
> idmap config EXAMPLEDOM:range = 10000 - 49999
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> [file-exchange]
> comment = File Share
> path = /mnt/user-data/file-exchange
> guest ok = Yes
> browseable = Yes
> writeable = Yes
> force group = @file-exchange_writelist
> create mask = 0770
> write list = @file-exchange_writelist
> valid users = @file-exchange_userlist
>
> ….
> END smb.conf
>
> Maybe this information is also helpful:
> The getent passwd and group commands work as expected.
> I can see all users and groups from local and AD.
> If I add a new user on the domain, I can also see this user in
> getent passwd and wbinfo -u,
> but I also cannot log on with this new user with smbclient.
>
> A reboot does not help….
>
> Updating AD1 to the latest stable 4.5.3 changed nothing in the file server's
> behavior.
>
> On another file server it still works with user admin. Same smb.conf, but
> netbios name = fs-mbd, and also a member of the same DC AD1:
> #root at fs-mbd:~# smbclient -U admin \\\\fs-mbd\\file-exchange
> Enter admin's password:
> Domain=[SCHNIPPERING] OS=[Windows 6.1] Server=[Samba 4.3.11-Ubuntu]
> smb: \> ^C
>
> From: Rowland Penny
> Sent: Tuesday, 17 January 2017 21:14
> To: samba-technical at lists.samba.org
> Subject: Re: only admin idmap cannot be resolved any longer
>
> On Tue, 17 Jan 2017 18:00:39 +0100
> c.vielhauer at me.com wrote:
>
> > Hi samba list,
> >
> > I have no idea what happened, but only the idmapping of my admin user
> > cannot be resolved any longer on my file server (4.3.11-ubuntu).
> >
> > Maybe this is the wrong list, but I hope I am right here :-)
> >
> >
> > The following commands on the file server:
> > wbinfo -n admin
> > =>
> > S-1-5-21-4276986800-2750720779-1919105469-1107 SID_USER (1)
> >
> >
> > wbinfo -S S-1-5-21-4276986800-2750720779-1919105469-1107
> > =>
> > 11107
> >
> >
> > 4 drwx------ 33 11107 domain users 4096 Jan 11 19:12
> > admin 4 drwx------ 13 administrator domain users 4096 Okt 10
> > 2015 administrator
> >
> >
> > #root at fs:/mnt/user-data/home# smbclient -U admin \\\\fs\\file-exchange
> > WARNING: The "syslog" option is deprecated
> > Enter admin's password:
> > session setup failed: NT_STATUS_UNSUCCESSFUL
> >
> >
> > In the log I can see this:
> > [2017/01/17 17:17:57.806761,  1] ../source3/auth/token_util.c:430(add_local_groups)
> >   SID S-1-5-21-4276986800-2750720779-1919105469-1107 -> getpwuid(11107) failed
> > [2017/01/17 17:17:57.806946,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)
> >   Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)
> >
> >
> >
> > The admin user logon from the file server to the AD server's sysvol
> > directory works fine:
> >
> > smbclient -U admin \\\\ad1\\sysvol
> > Enter admin's password:
> > Domain=[SCHNIPPERING] OS=[Windows 6.1] Server=[Samba 4.5.2]
> > smb: \>
> >
> >
> >
> >
> > On my AD server (4.5.2, built from source) and proxy (4.3.11-ubuntu) it
> > still works correctly.
> >
> >
> > Is there a way to clear the idmap cache for the idmap 11107 / admin /
> > SID on the file server, or do you have any other idea?
> >
>
> Can you please post your smb.conf from the 'file server'?
>
> Rowland
>
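The thread's symptom is a SID that winbind resolves to a uid (wbinfo -S gives 11107) while getpwuid(11107) fails in smbd's auth path, and the posted smb.conf uses the rid backend with range 10000 - 49999. The following is an added example, not code from the thread or from the Samba project: it parses the idmap lines of an smb.conf fragment, checks a SID's RID against the idmap_rid rule (ID = RID + low end of the range, as documented in the idmap_rid man page), and pulls the "getpwuid(...) failed" entries out of sample log lines so a defender can tell an idmap arithmetic problem apart from a uid-to-passwd (NSS) lookup problem. The smb.conf text and log lines are constructed from the values quoted in the thread; function names are the example's own.

```python
import re

# Constructed smb.conf fragment modelled on the idmap settings posted in the thread.
SMB_CONF = """\
[global]
   workgroup = EXAMPLEDOM
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config EXAMPLEDOM:backend = rid
   idmap config EXAMPLEDOM:range = 10000 - 49999
"""

# Constructed log lines of the kind quoted in the original post (level 1 smbd auth log).
LOG_LINES = [
    "[2017/01/17 17:17:57.806761,  1] ../source3/auth/token_util.c:430(add_local_groups)",
    "  SID S-1-5-21-4276986800-2750720779-1919105469-1107 -> getpwuid(11107) failed",
    "[2017/01/17 17:17:57.806946,  1] ../source3/auth/auth_generic.c:127(auth3_generate_session_info_pac)",
    "  Failed to map kerberos pac to server info (NT_STATUS_UNSUCCESSFUL)",
]

# "idmap config DOM : backend = rid" / "idmap config DOM : range = low - high"; spaces optional.
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)
# Auth-path failure: winbind returned a uid, but the uid could not be turned into a passwd entry.
GETPWUID_FAIL_RE = re.compile(r"SID (S-1-5-21-[\d-]+) -> getpwuid\((\d+)\) failed")


def parse_idmap_config(conf_text):
    """Return {DOMAIN: {"backend": str, "range": (low, high)}} from smb.conf text."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        entry = cfg.setdefault(dom, {})
        if key == "range":
            low, high = (int(x) for x in val.replace(" ", "").split("-"))
            entry["range"] = (low, high)
        else:
            entry["backend"] = val.lower()
    return cfg


def expected_rid_uid(cfg, domain, sid):
    """uid that idmap_rid would assign: RID + low end of the domain's range, or None."""
    entry = cfg.get(domain.upper())
    if not entry or entry.get("backend") != "rid" or "range" not in entry:
        return None
    rid = int(sid.rsplit("-", 1)[1])
    low, high = entry["range"]
    uid = low + rid
    return uid if low <= uid <= high else None


def find_unresolved_ids(log_lines):
    """(sid, uid) for every 'getpwuid(...) failed' entry in the log lines."""
    hits = []
    for line in log_lines:
        m = GETPWUID_FAIL_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def diagnose(conf_text, log_lines, domain):
    """Pair each failed lookup with the uid the rid rule predicts and a verdict."""
    cfg = parse_idmap_config(conf_text)
    report = []
    for sid, uid in find_unresolved_ids(log_lines):
        predicted = expected_rid_uid(cfg, domain, sid)
        if predicted is None:
            verdict = "uid outside the configured rid range, or domain is not rid-mapped"
        elif predicted == uid:
            verdict = "uid agrees with the rid rule; the failure is in the uid-to-passwd lookup, not the idmap arithmetic"
        else:
            verdict = f"uid mismatch: rid rule predicts {predicted}"
        report.append((sid, uid, predicted, verdict))
    return report


if __name__ == "__main__":
    for sid, uid, predicted, verdict in diagnose(SMB_CONF, LOG_LINES, "EXAMPLEDOM"):
        print(f"{sid} uid={uid} predicted={predicted}: {verdict}")
```

On the thread's values the rid rule gives 10000 + 1107 = 11107, which is exactly what wbinfo -S returned, so the mapping itself was sound and the getpwuid failure pointed at the uid-to-passwd path (winbind's NSS side or its cache) rather than at a wrong range. Run against a real log with `diagnose(open("/etc/samba/smb.conf").read(), open("/var/log/samba/log.smbd").read().splitlines(), "YOURDOM")`; the uid arithmetic only applies to domains configured with the rid backend, and the tdb default domain (`*`) is deliberately reported as not rid-mapped.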