[Samba] [Samba 3, Debian wheezy] All of a sudden, resolving ADS user fails completely

Patrick G. Stoesser lists at pgs-info.de
Wed Dec 11 05:04:44 MST 2013


On 10.12.2013 17:48, steve wrote:
> On Tue, 2013-12-10 at 15:49 +0100, Patrick G. Stoesser wrote:
>> On 10.12.2013 15:25, steve wrote:
>
>> /etc/samba/smb.conf (anonymized with "***"). The directives "server
>> signing", "client signing", "max protocol" were added by me a few
>> minutes ago but did not help.
>>
>>
>> [global]
>> server signing = auto
>> client signing = auto
>> max protocol = smb2
>> security = ADS
>> encrypt passwords = true
>> password server = ***.***.15.146 ***.***.15.208 ***.***.15.144
>> workgroup = AD
>> netbios name = fileserver3
>> enhanced browsing = no
>> realm = AD.***.DE
>> winbind separator = #
>> winbind use default domain = Yes
>> client use spnego = yes
>> server string = %h Debian GNU/Linux
>> log file = /var/log/samba/%m.log
>> syslog only = no
>> syslog = 0
>> log level = 1
>> machine password timeout = 0
>> winbind enum users = no
>> winbind enum groups = no
>> socket options = TCP_NODELAY.
>>
>> hostname lookups = no
>> dnsproxy = no
>> local master = no
>> domain master = no
>> directory mask = 0700
>> create mask = 0700
>> wins support = no
>> wins server = ***.***.15.208 ***.***.15.144
>> admin users = root
>> dos charset = cp850
>> unix charset = ISO-8859-15
>> display charset = ISO-8859-15
>> deadtime = 30
>> name resolve order = wins bcast host
>> disable spoolss = yes
>> follow symlinks = no
>> show add printer wizard = no
>> oplocks = no
>> level2 oplocks = no
>> max log size = 1000
>> load printers = no
>> vfs object = recycle
>> recycle:repository = ___TRASH___
>> recycle:keeptree = yes
>> recycle:touch = yes
>> recycle:versions = yes
>
> Mmm. That doesn't look like a file server that's joined to AD. There is
> no reference to a kerberos method and no winbind ranges are specified.
> From what you've said (about the rejoin etc.), is it a domain member? As
> it stands, there's no way it's going to resolve the user uid to the
> username.

Well, all I can say is that this config (which I made according to the 
official Samba Howto) worked for years on three servers. That doesn't 
mean I don't believe you.

Yes, it's a domain member (successfully joined), and it resolved the 
names in the AD.

> As you say you've just moved the users (or some users at
> least) from one server to another, there is no guarantee that the uid
> will be preserved by winbind on the new server. There are ways of
> transferring the winbind database to a new server but I'd strongly
> recommend you store your uid along with the DN of the user; in AD.
> Otherwise, you're always going to have mismatches.

Oh, when I said I move the users I meant I move their data. The user 
accounts themselves are stored in the AD.
I copy the user data via scp, and after that I chown and chmod the data, 
and after that I make an entry in smb.conf.

> How many users do you need to transfer? Do you have admin access to the
> DC?

I do not have full admin access to the DC, I can create users and 
machine accounts and edit the GPO in my OU.

> HTH
> Steve

Thank you. Patrick
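
Added example, not part of the original thread or of Samba itself: a small check for the two gaps steve names in the quoted smb.conf (no idmap/winbind ranges, no "kerberos method"). The sample config is constructed from the quoted [global] section; the realm, the range values and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the AD-related settings from the quoted [global] section.
SAMPLE_CONF = """\
[global]
security = ADS
workgroup = AD
realm = AD.EXAMPLE.TEST
winbind separator = #
winbind use default domain = Yes
winbind enum users = no
"""

def parse_global(text):
    """Return {normalized_name: value} for the [global] section of an smb.conf."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                    # section header
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_domain_member(text):
    """Report the gaps raised in the thread for a 'security = ADS' member."""
    p = parse_global(text)
    if p.get("security", "").lower() != "ads":
        return []                                # checks apply to AD members only
    findings = []
    # Either the per-domain form ("idmap config * : range") or the older
    # "idmap uid" / "idmap gid" pair counts as a configured range.
    has_range = any(re.fullmatch(r"idmapconfig.+:range", k) for k in p)
    legacy = all(k in p for k in ("idmapuid", "idmapgid"))
    if not (has_range or legacy):
        findings.append("no idmap uid/gid range configured")
    if "kerberosmethod" not in p:
        findings.append("kerberos method not set (Samba uses its default)")
    return findings

if __name__ == "__main__":
    for finding in audit_domain_member(SAMPLE_CONF):
        print("WARN:", finding)
```
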


