[Samba] Samba (3.2.12 and 3.4.0) - Winbind - trusted domains - Problem!
Richard Lamboj
Richard.Lamboj at gmx.at
Fri Jul 10 02:30:13 MDT 2009
Good Morning!
We have run into some trouble using trusted domains and winbind. First I will tell you something about the network and Samba configuration.
For our SMB environment we use Samba 3.2.12. We have three trusted domains. Our Samba server uses LDAP as backend. Most of the time it worked nicely, but after some time winbind loses user entries. On the Windows side I can see "unknown user 1-0-0". If I set winbind cache time to 0, winbind uses 100% of the CPU time. When I switch it back to something higher than 0, winbind takes 0% and all users can be mapped. After some time the problem slowly returns.
"wbinfo -u" shows all users, but "getent passwd" does not; some users are missing. Domain logon on trusted domains does work, but the user has no rights on his files -> "unknown user 1-0-0"!
Here is the error log:
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3840
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
could not lookup domain user c.akgay
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3842
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
could not lookup domain user p.singh
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3844
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
could not lookup domain user h.sahi
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3846
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
could not lookup domain user a.nur
[2009/07/08 07:36:54, 0] libsmb/clientgen.c:cli_receive_smb(165)
Receiving SMB: Server stopped responding
[2009/07/08 07:36:54, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
failed tcon_X with NT_STATUS_IO_TIMEOUT
[2009/07/08 07:36:57, 0] libsmb/namequery.c:saf_store(75)
saf_store: refusing to store 0 length domain or servername!
[2009/07/08 07:37:07, 0] libsmb/clientgen.c:cli_receive_smb(165)
Receiving SMB: Server stopped responding
[2009/07/08 07:37:07, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
failed tcon_X with NT_STATUS_IO_TIMEOUT
What's wrong?
So we have switched one server to Samba 3.4.0. It seems to work! "wbinfo -u" and "getent passwd" show the same count of users. But after one hour I got this when I log on from Domain1 to Domain2: "session setup failed: NT code 0x1c010002". "dom1:/# smbclient -U MITARBEITER+r.lamboj //server-dom2/all-homes". Domain logons work. You can log on from a PC that is a member of Domain1 to Domain2. But I can't access shares from the other domain. When I send a SIGHUP signal to winbindd it works again for one hour (or less); sometimes I need to kill winbindd and restart it.
I have tried to upgrade the other Samba PDC (from 3.2.12 to 3.4.0). Samba worked fine, but winbind won't work. It seems to hang.
After all that trouble I have tried something new.
I will give every trusted domain its own range of user and group IDs.
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap alloc config:ldap_url = ldap://127.0.0.1/
idmap alloc config:range = 100000-300000
idmap alloc config:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
idmap config DOMAIN1:range = 100000-199999
idmap config DOMAIN1:backend = ldap
idmap config DOMAIN1:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap config DOMAIN1:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN1:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
idmap config DOMAIN2:range = 200000-299999
idmap config DOMAIN2:backend = ldap
idmap config DOMAIN2:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
idmap config DOMAIN2:ldap_url = ldap://127.0.0.1/
idmap config DOMAIN2:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
But this doesn't work; it starts at a range from 10000 for all domains.
I also have set the secrets with:
net idmap secret domain1 mypassword
net idmap secret domain2 mypassword
net idmap secret alloc mypassword
Do I need to clear the idmap database? How can I change the range?
This does not work either:
idmap uid = 100000-200000
idmap gid = 100000-200000
It starts at 10000 and not at 100000.
Full configuration of one of the Samba servers:
[global]
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
netbios name = SERVER-DOM1
workgroup = DOMAIN1
server string = Samba PDC %v
hosts allow = 127.0.0.0/8 192.168.10.0/24
security = user
encrypt passwords = true
interfaces = eth0
bind interfaces only = yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 10000
local master = yes
#os level = 65
os level = 254
domain master = yes
preferred master = yes
domain logons = yes
logon script = default.bat
logon path = \\%L\profiles
logon drive = H:
null passwords = no
hide unreadable = yes
hide dot files = yes
ldap passwd sync = yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap delete dn = yes
ldap ssl = no
ldap admin dn = cn=Manager,dc=intern,dc=domain,dc=at
ldap suffix = dc=intern,dc=domain,dc=at
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
encrypt passwords = yes
pam password change = yes
unix password sync = no
map acl inherit = Yes
dos charset = 850
#client code page = 850
#character set = ISO8859-1
unix charset = UTF-8
display charset = UTF-8
wins support = yes
dns proxy = yes
#name resolve order = wins hosts bcast
name resolve order = lmhosts hosts wins bcast
time server = yes
allow trusted domains = yes
load printers = yes
printing = cups
printcap name = cups
show add printer wizard = Yes
username map = /etc/samba/user.map
admin users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users", "MITARBEITER+r.lamboj", "MITARBEITER+a.firato"
idmap cache time = 3600
winbind cache time = 3600
# Separate domain and user name with '/', as in DOMAIN/username
winbind separator = +
# Use UIDs from 10000 to 20000 for domain users
idmap uid = 10000-20000
#idmap uid = 100000-300000
# Use GIDs from 10000 to 20000 for domain groups
idmap gid = 10000-20000
#idmap gid = 100000-300000
# Allow enumeration of winbind users and groups
winbind enum users = yes
winbind enum groups = yes
winbind offline logon = Yes
winbind trusted domains only = No
idmap backend = ldap:ldap://127.0.0.1/
ldap idmap suffix = ou=Idmap
#idmap alloc backend = ldap
#idmap alloc config:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap alloc config:ldap_url = ldap://127.0.0.1/
#idmap alloc config:range = 100000-300000
#idmap alloc config:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
# Trusted Domain 2
#idmap config DOMAIN2:range = 100000-199999
#idmap config DOMAIN2:backend = ldap
#idmap config DOMAIN2:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap config DOMAIN2:ldap_url = ldap://127.0.0.1/
#idmap config DOMAIN2:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
# Trusted Domain 3
#idmap config DOMAIN3:range = 200000-299999
#idmap config DOMAIN3:backend = ldap
#idmap config DOMAIN3:ldap_base_dn = ou=Idmap,dc=intern,dc=domain,dc=at
#idmap config DOMAIN3:ldap_url = ldap://127.0.0.1/
#idmap config DOMAIN3:ldap_user_dn = cn=Manager,dc=intern,dc=domain,dc=at
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#read raw = yes
#write raw = yes
#oplocks = yes
#max xmit = 65535
#dead time = 15
dead time = 0
getwd cache = yes
directory name cache size = 1000
# Just for testing
kernel oplocks = no
oplocks = no
level2 oplocks = no
client schannel = no
[netlogon]
path = /home/samba/netlogon
public = no
writeable = no
browseable = no
write list = "@Domain Admins", "@MITARBEITER+Domain Admins"
[profiles]
force user = %U
#path=/home/%U/profiles
path = %H/profiles
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
create mode = 0660
directory mode = 0770
[profdata]
force user = %U
#path=/home/%U/profdata
path = %H/profdata
browseable = no
writeable = yes
guest ok = yes
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
create mode = 0660
directory mode = 0770
csc policy = disable
[homes]
force user = %U
path = /home/%U
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
hide files = /profiles/profdata/mails/
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names, a running version history is kept
recycle:versions = Yes
[programmieren]
path = /home/%U/programmieren
browseable = no
valid users = %S
writeable = yes
guest ok = no
inherit permissions = yes
dos filetimes = yes
fake directory create times = yes
dos filetime resolution = yes
delete readonly = yes
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names, a running version history is kept
recycle:versions = Yes
[all-homes]
comment = Alle Benutzerverzeichnisse
path = /home
browseable = yes
guest ok = no
read only = no
valid users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
#force group = "Domain Users"
force user = root
inherit owner = yes
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names, a running version history is kept
recycle:versions = Yes
[public]
comment = Public
path = /home/public
browseable = yes
writeable = yes
write list = "@Domain Users", "@Domain Admins", "@MITARBEITER+Domain Users", "@MITARBEITER+Domain Admins"
create mode = 0666
directory mode = 0777
valid users = "@Domain Users", "@Domain Admins", "@MITARBEITER+Domain Users", "@MITARBEITER+Domain Admins"
guest ok = no
#force group = "Domain Users"
#force user = root
# RECYCLE BIN + ANTIVIRUS (ClamAV)
#vfs objects = recycle, vscan-clamav
#vfs objects = extd_audit recycle
vfs objects = recycle
# ANTIVIRUS (ClamAV)
#vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
# RECYCLE BIN
# Name of the recycle bin
recycle: repository = Papierkorb
# Keep the old directory structure
recycle: keeptree = Yes
# Do not keep files with these extensions
recycle: exclude = *.tmp, *.temp, *.log, *.ldb
# Exclude directories with this name
recycle: exclude_dir = tmp
# For identical file names, a running version history is kept
#recycle:versions = Yes
[wpkg]
comment = Windows Packager
path = /home/samba/wpkg
#read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = no
guest ok = yes
force user = root
oplocks = no
[os]
comment = Operating Systems
path = /home/samba/os
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no
[treiber]
comment = Treiber
path = /home/samba/treiber
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no
[programme]
comment = Programme
path = /home/samba/programme
read only = yes
write list = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
browseable = yes
guest ok = yes
force user = root
oplocks = no
[skeleton]
comment = Skeleton Ordner
path = /etc/skel
browseable = yes
guest ok = no
read only = no
valid users = "@Domain Admins", "@MITARBEITER+Domain Admins", "@MITARBEITER+Domain Users"
#force group = "Domain Users"
force user = root
inherit owner = yes
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = Yes
[print$]
comment = Printer Drivers
#path = /etc/samba/drivers
path = /var/lib/samba/printers
browseable = yes
guest ok = no
read only = yes
write list = "@Domain Admins"
Maybe you can tell me what I can make better in my Samba configuration.
Every Samba server here is a full PDC and has a trust relationship to one of the other domains.
The domain controllers for DOMAIN2 and DOMAIN3 use the WINS server of the PDC of DOMAIN1.
"net rpc trustdom list" shows all trusted domains.
DOMAIN2:/# net rpc trustdom establish DOMAIN1
Enter DOMAIN2$'s password:
Could not connect to server SERVER-DOM1
Trust to domain DOMAIN1 established
Why does "Could not connect to server SERVER-DOM1" pop up? I have working WINS, LMHOSTS and HOSTS files.
The trusted domain accounts are created with this command: "smbldap-useradd -a -i -P domain1"
NSCD is NOT running on any server!
Thanks for your help :)
Kind regards, Richard Lamboj
--
More information about the samba mailing list
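Added example by the editor, not code from the original post or from the Samba project: a small Python diagnostic that applies smb.conf's own reading rules to the idmap settings quoted in this message (lines starting with "#" or ";" are comments and never take effect; when a parameter is given twice the last value wins) and pulls the SIDs that winbindd could not map to a uid out of the posted log lines. The "posted" fragment below is constructed from the [global] section above, where the active lines are "idmap uid = 10000-20000" and "idmap gid = 10000-20000" while every "idmap config DOMAIN…" and "idmap alloc config" line is commented out; the "per-domain" fragment is the layout the poster tried; the "broken" fragment is invented to show the range checks firing. The overlap and allocation-pool checks themselves are the editor's assumptions about a sane layout (per-domain ranges must not overlap each other, and with an LDAP allocation backend each per-domain range should sit inside the "idmap alloc config:range" pool), not rules quoted from Samba documentation.

```python
# Editor's added diagnostic for the winbind/idmap questions in the post above.
import re
from collections import defaultdict

# Constructed from the posted [global] section: only the idmap lines, with the
# commented-out per-domain and alloc blocks kept commented out.
POSTED_GLOBAL = """
[global]
   workgroup = DOMAIN1
   idmap uid = 10000-20000
   #idmap uid = 100000-300000
   idmap gid = 10000-20000
   #idmap gid = 100000-300000
   idmap backend = ldap:ldap://127.0.0.1/
   ldap idmap suffix = ou=Idmap
   #idmap alloc config:range = 100000-300000
   #idmap config DOMAIN2:range = 100000-199999
   #idmap config DOMAIN3:range = 200000-299999
"""

# Constructed: the per-domain layout the poster tried, as posted.
PER_DOMAIN_GLOBAL = """
[global]
   idmap alloc backend = ldap
   idmap alloc config:range = 100000-300000
   idmap config DOMAIN1:range = 100000-199999
   idmap config DOMAIN1:backend = ldap
   idmap config DOMAIN2:range = 200000-299999
   idmap config DOMAIN2:backend = ldap
"""

# Constructed and deliberately wrong: DOMAIN2 overlaps DOMAIN1, DOMAIN3 lies
# outside the allocation pool.
BROKEN_GLOBAL = """
[global]
   idmap alloc config:range = 100000-300000
   idmap config DOMAIN1:range = 100000-199999
   idmap config DOMAIN2:range = 150000-250000
   idmap config DOMAIN3:range = 400000-499999
"""

# Excerpt of the winbindd log lines quoted in the post.
WINBINDD_LOG = """\
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_fill_pwent(84)
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3840
[2009/07/08 07:36:44, 1] winbindd/winbindd_user.c:winbindd_getpwent(766)
  could not lookup domain user c.akgay
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3842
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3844
  error getting user id for sid S-1-5-21-1801630100-1912888146-724944298-3846
[2009/07/08 07:36:54, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
[2009/07/08 07:37:07, 1] winbindd/winbindd_cm.c:cm_prepare_connection(947)
  failed tcon_X with NT_STATUS_IO_TIMEOUT
"""


def parse_smb_conf(text):
    """Return {section: {parameter: value}}. '#'/';' lines are comments and never
    take effect; a parameter given twice keeps its last value, as smbd does."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_range(value):
    """'100000-199999' -> (100000, 199999); rejects malformed or inverted ranges."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m or int(m.group(1)) > int(m.group(2)):
        raise ValueError("bad idmap range: %r" % value)
    return int(m.group(1)), int(m.group(2))


def active_ranges(conf_text):
    """Every idmap range actually in effect: 'idmap uid'/'idmap gid' (default
    range), 'alloc' (idmap alloc config:range) and one entry per DOMAIN."""
    ranges = {}
    for key, value in parse_smb_conf(conf_text).get("global", {}).items():
        if key in ("idmap uid", "idmap gid"):
            ranges[key] = parse_range(value)
        elif key == "idmap alloc config:range":
            ranges["alloc"] = parse_range(value)
        elif (m := re.fullmatch(r"idmap config ([^:]+):range", key)):
            ranges[m.group(1).upper()] = parse_range(value)
    return ranges


def check_ranges(ranges):
    """Editor's assumed sanity rules: per-domain ranges (and the default uid
    range) must not overlap; per-domain ranges should lie inside the alloc pool."""
    findings = []
    names = [n for n in ranges if n not in ("alloc", "idmap gid")]
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append("overlap: %s %s and %s %s" % (a, ranges[a], b, ranges[b]))
    if "alloc" in ranges:
        plo, phi = ranges["alloc"]
        for n in names:
            if n != "idmap uid" and (ranges[n][0] < plo or ranges[n][1] > phi):
                findings.append("%s range %s outside alloc pool %s" % (n, ranges[n], ranges["alloc"]))
    return findings


def failed_sids(log_text):
    """Group SIDs winbindd could not map to a uid by domain SID (the part
    before the RID) so the affected trusted domain is visible at a glance."""
    by_domain = defaultdict(list)
    for line in log_text.splitlines():
        m = re.search(r"error getting user id for sid (S-1-5-21(?:-\d+){3})-(\d+)", line)
        if m:
            by_domain[m.group(1)].append(int(m.group(2)))
    return dict(by_domain)


def count_timeouts(log_text):
    """Number of tcon_X failures with NT_STATUS_IO_TIMEOUT in the excerpt."""
    return sum("NT_STATUS_IO_TIMEOUT" in line for line in log_text.splitlines())


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_GLOBAL), ("per-domain", PER_DOMAIN_GLOBAL), ("broken", BROKEN_GLOBAL)):
        ranges = active_ranges(conf)
        print(name, ranges, check_ranges(ranges) or "no range findings")
    print(failed_sids(WINBINDD_LOG), count_timeouts(WINBINDD_LOG), "timeouts")
```

Run it against your own smb.conf by replacing the constructed strings with the file contents and the winbindd log; the point of parsing with smb.conf's own precedence rules rather than grepping is that a commented-out "idmap config DOMAIN:range" line never changes what winbindd allocates, whatever "testparm" prints as defaults.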