[Samba] [Samba 3, Debian wheezy] All of a sudden, resolving ADS user fails completely

steve steve at steve-ss.com
Tue Dec 10 09:48:08 MST 2013


On Tue, 2013-12-10 at 15:49 +0100, Patrick G. Stoesser wrote:
> Am 10.12.2013 15:25, schrieb steve:

> /etc/samba/smb.conf (anonymized with "***"). the directives "server 
> signing", "client signing", "max protocol" were added by me a few 
> minutes ago but did not help.
> 
> 
> [global]
> server signing = auto
> client signing = auto
> max protocol = smb2
> security = ADS
> encrypt passwords = true
> password server = ***.***.15.146 ***.***.15.208 ***.***.15.144
> workgroup = AD
> netbios name = fileserver3
> enhanced browsing = no
> realm = AD.***.DE
> winbind separator = #
> winbind use default domain = Yes
> client use spnego = yes
> server string = %h Debian GNU/Linux
> log file = /var/log/samba/%m.log
> syslog only = no
> syslog = 0
> log level = 1
> machine password timeout = 0
> winbind enum users = no
> winbind enum groups = no
> socket options = TCP_NODELAY.
> 
> hostname lookups = no
> dnsproxy = no
> local master = no
> domain master = no
> directory mask = 0700
> create mask = 0700
> wins support = no
> wins server = ***.***.15.208 ***.***.15.144
> admin users = root
> dos charset = cp850
> unix charset = ISO-8859-15
> display charset = ISO-8859-15
> deadtime = 30
> name resolve order = wins bcast host
> disable spoolss = yes
> follow symlinks = no
> show add printer wizard = no
> oplocks = no
> level2 oplocks = no
> max log size = 1000
> load printers = no
> vfs object = recycle
> recycle:repository = ___TRASH___
> recycle:keeptree = yes
> recycle:touch = yes
> recycle:versions = yes

Mmm. That doesn't look like a file server that's joined to AD. There is
no reference to a kerberos method and no winbind ranges are specified.
From what you've said (about the rejoin etc.), is it a domain member? As
it stands, there's no way it's going to resolve the user uid to the
username. As you say you've just moved the users (or some users at
least) from one server to another, there is no guarantee that the uid
will be preserved by winbind on the new server. There are ways of
transferring the winbind database to a new server but I'd strongly
recommend you store your uid along with the DN of the user; in AD.
Otherwise, you're always going to have mismatches.

How many users do you need to transfer? Do you have admin access to the
DC?
HTH
Steve
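
Added example, not part of the message above and not Samba project code: a small check that reports the gaps the reply names in a "security = ADS" smb.conf (no kerberos method, no winbind idmap ranges) and whether uids come from AD. The sample configs are constructed; the idmap "ad" backend with rfc2307 schema and all range values are assumptions about how the recommendation could be implemented.

```python
import re

# Constructed sample: a few [global] lines as in the quoted smb.conf.
QUOTED = """[global]
security = ADS
workgroup = AD
winbind separator = #
winbind use default domain = Yes
"""

# Assumed fix, not from the thread: ranges and values here are placeholders.
FIXED = QUOTED + """kerberos method = secrets and keytab
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config AD : backend = ad
idmap config AD : schema_mode = rfc2307
idmap config AD : range = 10000-999999
"""

def parse_global(text):
    """Return [global] parameters; Samba ignores case and spaces in names."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_member(text):
    """List the gaps the reply names for a 'security = ADS' member server."""
    p = parse_global(text)
    if p.get("security", "").lower() != "ads":
        return ["security is not ADS"]
    findings = []
    if "kerberosmethod" not in p:
        findings.append("no kerberos method set")
    has_range = any(re.fullmatch(r"idmapconfig.+:range", k) for k in p)
    if not has_range and not ("idmapuid" in p and "idmapgid" in p):
        findings.append("no winbind idmap ranges set")
    domain = p.get("workgroup", "").lower()
    if p.get(f"idmapconfig{domain}:backend", "").lower() != "ad":
        findings.append("uids allocated locally, not read from AD")
    return findings

if __name__ == "__main__":
    for name, conf in (("quoted", QUOTED), ("fixed", FIXED)):
        print(name, check_member(conf) or "ok")
```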
  


