[Samba] Domain users not resolving...

L.P.H. van Belle belle at bazuin.nl
Mon Aug 25 07:45:23 MDT 2014


Hai Rowland, 

Yeah.. I know.
The DCs are using sernet-samba and the links aren't there because I don't use it. ;-)

That's the same with the "Proper sysvol replication solution..." thread..
Yes, I have mixed XIDs on my DCs, but I have all correct UIDs on my sysvol.
And yes, samba-tool ntacl sysvolcheck gives..
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception  etc...

But I don't mind. All my shares on the DC (sysvol and netlogon) (used from within Windows) work 100% OK.
GPO is processed without errors so I don't care. I just don't run samba-tool ntacl sysvolcheck :-)

My logs on my DC (all of my Debian server logs) are all error free.
And I rechecked my Windows logs after a login, after I saw the thread about it being really long..
But same there, 100% error free..

But thanks for the notice! 

and for Ryan. 

The Debian Samba (backports 4.1.11) paths:
Paths:
   SBINDIR: /usr/sbin
   BINDIR: /usr/bin
   CONFIGFILE: /etc/samba/smb.conf
   LOGFILEBASE: /var/log/samba
   LMHOSTSFILE: /etc/samba/lmhosts
   LIBDIR: /usr/lib/x86_64-linux-gnu
   MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
   SHLIBEXT: so
   LOCKDIR: /var/run/samba
   STATEDIR: /var/lib/samba
   CACHEDIR: /var/cache/samba
   PIDDIR: /var/run/samba
   SMB_PASSWD_FILE: /etc/samba/smbpasswd
   PRIVATE_DIR: /var/lib/samba/private

Just compare them with your locally installed ones, then stop samba, install the backports samba, stop samba (the backports version), copy the old files to the above locations and start samba.



Greetz, 

Louis





>-----Original message-----
>From: rowlandpenny at googlemail.com [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>Sent: Monday 25 August 2014 15:32
>To: samba at lists.samba.org
>Subject: Re: [Samba] Domain users not resolving...
>
>On 25/08/14 14:22, L.P.H. van Belle wrote:
>> Why don't you upgrade to Debian Wheezy and start using either wheezy-backports samba or sernet-samba.
>> If you back up all your old samba files, the transfer from an own build of samba to Debian samba (or sernet samba)
>> isn't that hard.
>>
>> About the id.
>>
>> On my DC: id user => not found, but I must say, I don't use my DC for anything else but being a DC with sysvol.
>> getent passwd => nothing (and correct, I don't have winbind set in my nsswitch.conf)
>> wbinfo -u = all my users
>> wbinfo -g = all my groups.
>Hi Louis, this is probably because you don't have the winbind links
>installed, on Debian using samba from backports this is easy, you just
>need to install a few packages, but when you compile samba4, you need to
>create a couple of symlinks. There used to be a samba4 winbind page in
>the wiki, but this seems to have vanished.
>
>Rowland
>>
>> On my member server: id user1 : uid=5003(user1) gid=5000(domain users) groups=5000(domain users),4294967295,4294967295,4294967295,4294967295,50002(BUILTIN\users)
>> getent passwd => only the users with UID assigned.
>> getent group => only groups with GID assigned.
>> wbinfo -u = all my users
>> wbinfo -g = all my groups.
>>
>> But just a question: what are you using the RFC2307 uid on the DC server for?
>>
>>
>> Check if your smb.conf on all your Domain Controllers contains the following parameter in the "[global]" section:
>> idmap_ldb:use rfc2307 = yes
>>
>> ( see http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC  )
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Original message-----
>>> From: ryana at reachtechfp.com [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>> Sent: Monday 25 August 2014 14:59
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Domain users not resolving...
>>>
>>> On 08/23/2014 04:26 AM, Rowland Penny wrote:
>>>> On 23/08/14 01:19, Ryan Ashley wrote:
>>>>> Rowland, I did not do this. This is a new client who dropped their
>>>>> old IT support due to issues on the network. I found out it was not
>>>>> having access to the sysvol. That is where I figured out what I have.
>>>>> I do use FHS in my builds, but I would never put it into a root
>>>>> directory like this. I guess the other team was testing Samba and
>>>>> using a client to test on! I do agree 100% that the issue is the
>>>>> path. However, I can feel good that I didn't do such a bone-headed move!
>>>>> Sorry for the lack of files, I had to figure out how it was set up.
>>>>> Everything, including the configuration file is in "/samba", which
>>>>> appears to be a separate partition. Here is what you requested.
>>>>>
>>>>> Samba 4.1.11 64bit
>>>>> Debian Squeeze 64bit
>>>>>
>>>>> =========
>>>>> smb.conf:
>>>>> =========
>>>>> # Global parameters
>>>>> [global]
>>>>>          workgroup = DOMAIN
>>>>>          realm = DOMAIN.LOCAL
>>>>>          netbios name = DC01
>>>>>          server role = active directory domain controller
>>>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>          interfaces = 127.0.0.1, 192.168.0.1
>>>>>
>>>>> [netlogon]
>>>>>          path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>>          read only = No
>>>>>
>>>>> [sysvol]
>>>>>          path = /samba/var/locks/sysvol
>>>>>          read only = No
>>>>>
>>>>> =========
>>>>> krb5.conf:
>>>>> =========
>>>>> [libdefaults]
>>>>>          default_realm = DOMAIN.LOCAL
>>>>>          dns_lookup_realm = false
>>>>>          dns_lookup_kdc = true
>>>>>
>>>>> =================
>>>>> Rowland's Request:
>>>>> =================
>>>>> root at dc01:~# /samba/sbin/samba -b
>>>>> Samba version: 4.1.11
>>>>> Build environment:
>>>>>     Build host:  Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
>>>>> Paths:
>>>>>     BINDIR: /samba/bin
>>>>>     SBINDIR: /samba/sbin
>>>>>     CONFIGFILE: /samba/etc/smb.conf
>>>>>     NCALRPCDIR: /samba/var/run/ncalrpc
>>>>>     LOGFILEBASE: /samba/var
>>>>>     LMHOSTSFILE: /samba/etc/lmhosts
>>>>>     DATADIR: /samba/share
>>>>>     MODULESDIR: /samba/lib
>>>>>     LOCKDIR: /samba/var/lock
>>>>>     STATEDIR: /samba/var/locks
>>>>>     CACHEDIR: /samba/var/cache
>>>>>     PIDDIR: /samba/var/run
>>>>>     PRIVATE_DIR: /samba/private
>>>>>     CODEPAGEDIR: /samba/share/codepages
>>>>>     SETUPDIR: /samba/share/setup
>>>>>     WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>>>     WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>>>     NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>>>
>>>>> No IDs have been set up. The rfc2307 stuff is there, but they're not
>>>>> using it. They have two Samba DCs and everything else is Windows 7.
>>>>> They were using rsync to sync the sysvol, which had caused issues
>>>>> with GID/UID on the second DC, but I fixed that already. Well, tried
>>>>> to anyway. It is set up the EXACT same way. It also has issues with
>>>>> this stuff.
>>>>>
>>>>> I have a theory as to how to fix this but want advice first. If I am
>>>>> wrong, so be it. I would like to build Samba the STANDARD way (FHS,
>>>>> bin files go to /bin, etc) but have one concern. If I do this, do I
>>>>> simply need to adjust the paths in the configuration file and move
>>>>> the sysvol to the proper location? On all of the systems I do, this
>>>>> is always "/var/lib/samba/sysvol". I would obviously have to move the
>>>>> tdb files and such to "/var/lib/samba" as well. Would that work, or
>>>>> am I going to have to deal with this the way it is?
>>>>>
>>>>> If you need anything else, please ask. Remember, this is a DC and
>>>>> while rfc2307 attributes exist, they're not being used. Probably due
>>>>> to no Linux member servers.
>>>>>
>>>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> On 22.08.2014 20:48, Ryan Ashley wrote:
>>>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>>>> "/samba". The configure command on the DC is "configure
>>>>>>>> --prefix=/samba". The links for libnss_wins.so.2 and libnss_winbind.so.2
>>>>>>>> are there and nsswitch.conf is told to use winbind. However, "getent
>>>>>>>> group" returns only local users, "id" finds NO domain users, and "getent
>>>>>>>> passwd" returns only local users. I did do a rebuild of Samba after
>>>>>>>> verifying the dependencies were there and configured/installed the same
>>>>>>>> way so everything is in place. Still no dice. This guy was still running
>>>>>>>> Debian Squeeze so the install is probably old. Things seem to run, but
>>>>>>>> no systems can access the sysvol even after a reset, which led to this
>>>>>>>> discovery.
>>>>>>>>
>>>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" should be
>>>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my issue
>>>>>>>> or what am I looking at? Yes, I stepped into it this time...
>>>>>>> It would be much easier to help, if you give some information about your
>>>>>>> environment.
>>>>>>>
>>>>>>> - smb.conf
>>>>>>> - Samba version
>>>>>>> - IDs, etc. configured in your backend (depending on your Idmap
>>>>>>> config)
>>>>>>> - etc.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Marc
>>>>>>>
>>>>>> It would also help if you followed the howto and didn't change bits
>>>>>> that you don't like, just why did you install into /samba instead of
>>>>>> /usr/local/samba ?
>>>>>> Everything out there is based on self compiling into
>>>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>>> Having said this, it is possibly/probably a path problem, could you
>>>>>> please post (along with what Marc has asked for) the result of
>>>>>> 'samba -b'
>>>>>>
>>>>>> Rowland
>>>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' &
>>>> '/samba/bin' in it ?
>>>>
>>>> If not, try this:
>>>>
>>>> export PATH=/samba/sbin:/samba/bin:$PATH
>>>>
>>>> if everything now works correctly, do this:
>>>>
>>>> echo "PATH=/samba/sbin:/samba/bin:$PATH" > /etc/profile.d/samba4.sh
>>>>
>>>> Rowland
>>> Rowland, nothing in /samba is in the path. I had already tried your
>>> suggestion, but I did it again this morning and here are my results. It
>>> does not fix the issue. I also included some configuration files and such.
>>>
>>> root at dc01:~# echo "$PATH"
>>> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>>> root at dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>>> root at dc01:~# id maliag
>>> id: maliag: No such user
>>> root at dc01:~# id michaelh
>>> id: michaelh: No such user
>>> root at dc01:~# getent passwd
>>> root:x:0:0:root:/root:/bin/bash
>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>> bin:x:2:2:bin:/bin:/bin/sh
>>> sys:x:3:3:sys:/dev:/bin/sh
>>> sync:x:4:65534:sync:/bin:/bin/sync
>>> games:x:5:60:games:/usr/games:/bin/sh
>>> man:x:6:12:man:/var/cache/man:/bin/sh
>>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>>> mail:x:8:8:mail:/var/mail:/bin/sh
>>> news:x:9:9:news:/var/spool/news:/bin/sh
>>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>>> proxy:x:13:13:proxy:/bin:/bin/sh
>>> www-data:x:33:33:www-data:/var/www:/bin/sh
>>> backup:x:34:34:backup:/var/backups:/bin/sh
>>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>>> ntp:x:101:103::/home/ntp:/bin/false
>>> sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>>> bind:x:103:105::/var/cache/bind:/bin/false
>>> root at dc01:~# cat /samba/etc/smb.conf
>>> # Global parameters
>>> [global]
>>>          workgroup = KIGM
>>>          realm = KIGM.LOCAL
>>>          netbios name = DC01
>>>          server role = active directory domain controller
>>>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>          interfaces = 127.0.0.1, 192.168.0.1
>>>
>>> [netlogon]
>>>          path = /samba/var/locks/sysvol/kigm.local/scripts
>>>          read only = No
>>>
>>> [sysvol]
>>>          path = /samba/var/locks/sysvol
>>>          read only = No
>>> root at dc01:~# cat /etc/nsswitch.conf
>>> # /etc/nsswitch.conf
>>> #
>>> # Example configuration of GNU Name Service Switch functionality.
>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>> # `info libc "Name Service Switch"' for information about this file.
>>>
>>> passwd:         compat winbind
>>> group:          compat winbind
>>> shadow:         compat
>>>
>>> hosts:          files dns wins
>>> networks:       files
>>>
>>> protocols:      db files
>>> services:       db files
>>> ethers:         db files
>>> rpc:            db files
>>>
>>> netgroup:       nis
>>> root at dc01:~# wbinfo -g
>>> Enterprise Read-Only Domain Controllers
>>> Domain Admins
>>> Domain Users
>>> Domain Guests
>>> Domain Computers
>>> Domain Controllers
>>> Schema Admins
>>> Enterprise Admins
>>> Group Policy Creator Owners
>>> Read-Only Domain Controllers
>>> DnsUpdateProxy
>>> Operations
>>> AV
>>> Graphics
>>> WAFA
>>> Finance
>>> Logos
>>> Streaming
>>> root at dc01:~# cat /etc/krb5.conf
>>> [libdefaults]
>>>          default_realm = KIGM.LOCAL
>>>          dns_lookup_realm = false
>>>          dns_lookup_kdc = true
>>>
>>> Thanks for the help. What about my suggestion to perform a normal
>>> install per the book and then move everything in /samba/var/lib to the
>>> correct location? Would that not work? I agree with you that this issue
>>> is caused by the odd install location.
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>
>
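
Added example, not part of the original thread: the comparison Louis describes above (the backports paths against the local build's `samba -b` output) done mechanically, so each old data directory is paired with its new location before anything is copied. The `path_map` and `demo` names are assumptions, and the two listings are abridged from the ones quoted in this thread.

```shell
# path_map OLD NEW: compare the "Paths:" sections of two saved `samba -b`
# outputs. Prints "KEY old new" where the locations differ, and "KEY old -"
# where the new build has no such key (nothing to copy to).
path_map() {
    awk '
        # Keep only "KEY: /absolute/path" lines; headers and wrapped lines are skipped.
        $1 ~ /^[A-Z_0-9]+:$/ && $2 ~ /^\// {
            key = substr($1, 1, length($1) - 1)
            if (FILENAME == ARGV[1]) {
                if (!(key in src)) order[++n] = key
                src[key] = $2
            } else dst[key] = $2
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in dst)) print k, src[k], "-"
                else if (src[k] != dst[k]) print k, src[k], dst[k]
            }
        }
    ' "$1" "$2"
}

# demo: run path_map on listings abridged from the two quoted in this thread.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old" <<'EOF'
Paths:
    SBINDIR: /samba/sbin
    CONFIGFILE: /samba/etc/smb.conf
    STATEDIR: /samba/var/locks
    PRIVATE_DIR: /samba/private
    SETUPDIR: /samba/share/setup
EOF
    cat > "$tmp/new" <<'EOF'
Paths:
   SBINDIR: /usr/sbin
   CONFIGFILE: /etc/samba/smb.conf
   STATEDIR: /var/lib/samba
   PRIVATE_DIR: /var/lib/samba/private
EOF
    path_map "$tmp/old" "$tmp/new"
    rm -rf "$tmp"
}

demo
```

On a live system, pass it the saved `samba -b` output of each build instead of the embedded listings. PRIVATE_DIR and the sysvol under STATEDIR carry the domain's secrets and NT ACLs, so copy them with ownership, modes and extended attributes preserved.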


