[Samba] Domain users not resolving...
L.P.H. van Belle
belle at bazuin.nl
Mon Aug 25 08:33:23 MDT 2014
You have 2 DCs. That's good.
Well, now it's easy...
First check where the FSMO roles are running and, if needed, move them all to DC1.
samba-tool fsmo show
see: (https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_(FSMO)_roles)
Remove the old server from the domain,
see: ( https://wiki.samba.org/index.php/Demote_a_Samba_DC )
and I advise using another name and another IP, to avoid possible problems with the old name/IP of the old server.
And install the new server, join the domain and let it sync its DB.
etc. etc.
Start from here, I suggest.
You know where to find us. ;-)
Greetz,
Louis
>-----Original message-----
>From: ryana at reachtechfp.com
>[mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>Sent: Monday 25 August 2014 16:19
>To: samba at lists.samba.org
>Subject: Re: [Samba] Domain users not resolving...
>
>Rowland, I would LOVE to upgrade, but as I am brand-new to this location
>and it has this borked Samba install, I am hesitant. Is there a guide or
>wiki article on the correct way to do this? If it was just going from
>Squeeze to Wheezy, that's cake! I am more concerned with the location of
>everything relating to Samba. Since it is all on "/samba", what do I
>need to backup? I am assuming the following is what I need to do, but
>must make sure first. I do not want to have to rebuild an entire domain
>if I can help it!
>
>/samba/etc -> /etc/samba
>/samba/lib -> /var/lib/samba
>/samba/private -> /var/lib/samba/private
>/samba/locks/sysvol -> /var/lib/samba/sysvol
>
>Is this correct? The locations on the right of the arrow are where those
>directories are on my functioning domain controllers at other locations.
>I've never seen a setup like this before. However, due to this location
>having TWO DCs, I could easily take one down, install Wheezy from
>scratch (clean install) and set it up correctly, allow it to sync, then
>do the other one. Am I correct in that?
>
>On 8/25/2014 9:45 AM, L.P.H. van Belle wrote:
>> Hi Rowland,
>>
>> Yeah.. I know.
>> The DCs are using sernet-samba and the links aren't there because I don't use it. ;-)
>>
>> That's the same with the "Proper sysvol replication solution..." thread..
>> Yes, I have mixed XIDs on my DCs, but I have all correct UIDs on my sysvol.
>> And yes, samba-tool ntacl sysvolcheck gives..
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception etc...
>>
>> But I don't mind. All my shares on the DC (sysvol and netlogon) (used from within Windows) work 100% OK.
>> GPO is processed without errors so I don't care. I just don't run samba-tool ntacl sysvolcheck :-)
>>
>> My logs on my DC are all (all my Debian server logs) error free.
>> And I rechecked my Windows logs after a login, after I saw the thread about it to be really long..
>> but same there, 100% error free..
>>
>> But thanks for the notice!
>>
>> and for Ryan.
>>
>> The debian Samba (backports 4.1.11 ) paths
>> Paths:
>> SBINDIR: /usr/sbin
>> BINDIR: /usr/bin
>> CONFIGFILE: /etc/samba/smb.conf
>> LOGFILEBASE: /var/log/samba
>> LMHOSTSFILE: /etc/samba/lmhosts
>> LIBDIR: /usr/lib/x86_64-linux-gnu
>> MODULESDIR: /usr/lib/x86_64-linux-gnu/samba
>> SHLIBEXT: so
>> LOCKDIR: /var/run/samba
>> STATEDIR: /var/lib/samba
>> CACHEDIR: /var/cache/samba
>> PIDDIR: /var/run/samba
>> SMB_PASSWD_FILE: /etc/samba/smbpasswd
>> PRIVATE_DIR: /var/lib/samba/private
>>
>> Just compare them with your local installed, then stop samba, install backports samba, stop samba (the backports version), copy the old files to the above locations and start samba.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>
>>
>>> -----Original message-----
>>> From: rowlandpenny at googlemail.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>> Sent: Monday 25 August 2014 15:32
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Domain users not resolving...
>>>
>>> On 25/08/14 14:22, L.P.H. van Belle wrote:
>>>> Why don't you upgrade to Debian Wheezy and start using wheezy-backports samba or sernet-samba.
>>>> If you back up all your old samba files, the transfer from an own build of samba to Debian samba (or sernet samba)
>>>> isn't that hard.
>>>>
>>>> About the id.
>>>>
>>>> On my DC: id user => not found, but I must say, I don't use my DC for anything else but being a DC with sysvol.
>>>> getent passwd => nothing (and correct, I don't have winbind set in my nsswitch.conf)
>>>> wbinfo -u = all my users
>>>> wbinfo -g = all my groups.
>>> Hi Louis, this is probably because you don't have the winbind links
>>> installed, on Debian using samba from backports this is easy, you just
>>> need to install a few packages, but when you compile samba4, you need to
>>> create a couple of symlinks. There used to be a samba4 winbind page in
>>> the wiki, but this seems to have vanished.
>>>
>>> Rowland
>>>> On my member server: id user1 : uid=5003(user1) gid=5000(domain users) groups=5000(domain users),4294967295,4294967295,4294967295,4294967295,50002(BUILTIN\users)
>>>> getent passwd => only the users with UID assigned.
>>>> getent group => only groups with GID assigned.
>>>> wbinfo -u = all my users
>>>> wbinfo -g = all my groups.
>>>>
>>>> But just a question: what are you using the RFC2307 uid on the DC server for?
>>>>
>>>> Check if your smb.conf on all your Domain Controllers contains the following parameter in the "[global]" section:
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> ( see http://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC )
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: ryana at reachtechfp.com
>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>> Sent: Monday 25 August 2014 14:59
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Domain users not resolving...
>>>>>
>>>>> On 08/23/2014 04:26 AM, Rowland Penny wrote:
>>>>>> On 23/08/14 01:19, Ryan Ashley wrote:
>>>>>>> Rowland, I did not do this. This is a new client who dropped their
>>>>>>> old IT support due to issues on the network. I found out it was not
>>>>>>> having access to the sysvol. That is where I figured out what I have.
>>>>>>> I do use FHS in my builds, but I would never put it into a root
>>>>>>> directory like this. I guess the other team was testing Samba and
>>>>>>> using a client to test on! I do agree 100% that the issue is the
>>>>>>> path. However, I can feel good that I didn't do such a bone-headed move!
>>>>>>> Sorry for the lack of files, I had to figure out how it was set up.
>>>>>>> Everything, including the configuration file is in "/samba", which
>>>>>>> appears to be a separate partition. Here is what you requested.
>>>>>>>
>>>>>>> Samba 4.1.11 64bit
>>>>>>> Debian Squeeze 64bit
>>>>>>>
>>>>>>> =========
>>>>>>> smb.conf:
>>>>>>> =========
>>>>>>> # Global parameters
>>>>>>> [global]
>>>>>>> workgroup = DOMAIN
>>>>>>> realm = DOMAIN.LOCAL
>>>>>>> netbios name = DC01
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>>>> interfaces = 127.0.0.1, 192.168.0.1
>>>>>>>
>>>>>>> [netlogon]
>>>>>>> path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>>>> read only = No
>>>>>>>
>>>>>>> [sysvol]
>>>>>>> path = /samba/var/locks/sysvol
>>>>>>> read only = No
>>>>>>>
>>>>>>> =========
>>>>>>> krb5.conf:
>>>>>>> =========
>>>>>>> [libdefaults]
>>>>>>> default_realm = DOMAIN.LOCAL
>>>>>>> dns_lookup_realm = false
>>>>>>> dns_lookup_kdc = true
>>>>>>>
>>>>>>> =================
>>>>>>> Rowland's Request:
>>>>>>> =================
>>>>>>> root at dc01:~# /samba/sbin/samba -b
>>>>>>> Samba version: 4.1.11
>>>>>>> Build environment:
>>>>>>> Build host: Linux dc01 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux
>>>>>>> Paths:
>>>>>>> BINDIR: /samba/bin
>>>>>>> SBINDIR: /samba/sbin
>>>>>>> CONFIGFILE: /samba/etc/smb.conf
>>>>>>> NCALRPCDIR: /samba/var/run/ncalrpc
>>>>>>> LOGFILEBASE: /samba/var
>>>>>>> LMHOSTSFILE: /samba/etc/lmhosts
>>>>>>> DATADIR: /samba/share
>>>>>>> MODULESDIR: /samba/lib
>>>>>>> LOCKDIR: /samba/var/lock
>>>>>>> STATEDIR: /samba/var/locks
>>>>>>> CACHEDIR: /samba/var/cache
>>>>>>> PIDDIR: /samba/var/run
>>>>>>> PRIVATE_DIR: /samba/private
>>>>>>> CODEPAGEDIR: /samba/share/codepages
>>>>>>> SETUPDIR: /samba/share/setup
>>>>>>> WINBINDD_SOCKET_DIR: /samba/var/run/winbindd
>>>>>>> WINBINDD_PRIVILEGED_SOCKET_DIR: /samba/var/lib/winbindd_privileged
>>>>>>> NTP_SIGND_SOCKET_DIR: /samba/var/lib/ntp_signd
>>>>>>>
>>>>>>> No IDs have been set up. The rfc2307 stuff is there, but they're not
>>>>>>> using it. They have two Samba DCs and everything else is Windows 7.
>>>>>>> They were using rsync to sync the sysvol, which had caused issues
>>>>>>> with GID/UID on the second DC, but I fixed that already. Well, tried
>>>>>>> to anyway. It is set up the EXACT same way. It also has issues with
>>>>>>> this stuff.
>>>>>>>
>>>>>>> I have a theory as to how to fix this but want advice first. If I am
>>>>>>> wrong, so be it. I would like to build Samba the STANDARD way (FHS,
>>>>>>> bin files go to /bin, etc) but have one concern. If I do this, do I
>>>>>>> simply need to adjust the paths in the configuration file and move
>>>>>>> the sysvol to the proper location? On all of the systems I do, this
>>>>>>> is always "/var/lib/samba/sysvol". I would obviously have to move the
>>>>>>> tdb files and such to "/var/lib/samba" as well. Would that work, or
>>>>>>> am I going to have to deal with this the way it is?
>>>>>>>
>>>>>>> If you need anything else, please ask. Remember, this is a DC and
>>>>>>> while rfc2307 attributes exist, they're not being used. Probably due
>>>>>>> to no Linux member servers.
>>>>>>>
>>>>>>> On 8/22/2014 4:54 PM, Rowland Penny wrote:
>>>>>>>> On 22/08/14 21:40, Marc Muehlfeld wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> On 22.08.2014 20:48, Ryan Ashley wrote:
>>>>>>>>>> I stepped into a setup where Samba was compiled and installed into
>>>>>>>>>> "/samba". The configure command on the DC is
>>>>>>>>>> "configure --prefix=/samba". The links for libnss_wins.so.2 and
>>>>>>>>>> libnss_winbind.so.2 are there and nsswitch.conf is told to use
>>>>>>>>>> winbind. However, "getent group" returns only local users, "id"
>>>>>>>>>> finds NO domain users, and "getent passwd" returns only local users.
>>>>>>>>>> I did do a rebuild of Samba after verifying the dependencies were
>>>>>>>>>> there and configured/installed the same way so everything is in
>>>>>>>>>> place. Still no dice. This guy was still running Debian Squeeze so
>>>>>>>>>> the install is probably old. Things seem to run, but no systems can
>>>>>>>>>> access the sysvol even after a reset, which led to this discovery.
>>>>>>>>>>
>>>>>>>>>> Now, my thinking is that maybe the binaries in "/samba/bin" should be
>>>>>>>>>> linked to "/bin" and the same goes for the sbin stuff. Is this my
>>>>>>>>>> issue or what am I looking at? Yes, I stepped into it this time...
>>>>>>>>> It would be much easier to help, if you give some information about
>>>>>>>>> your environment.
>>>>>>>>>
>>>>>>>>> - smb.conf
>>>>>>>>> - Samba version
>>>>>>>>> - IDs, etc. configured in your backend (depending on your Idmap config)
>>>>>>>>> - etc.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Marc
>>>>>>>>>
>>>>>>>> It would also help if you followed the howto and didn't change bits
>>>>>>>> that you don't like, just why did you install into /samba instead of
>>>>>>>> /usr/local/samba ?
>>>>>>>> Everything out there is based on self compiling into
>>>>>>>> /usr/local/samba, the wiki gives you the instructions based on this.
>>>>>>>> Having said this, it is possibly/probably a path problem, could you
>>>>>>>> please post (along with what Marc has asked for) the result of
>>>>>>>> 'samba -b'
>>>>>>>>
>>>>>>>> Rowland
>>>>>> OK, what does 'echo "$PATH"' return, does it have '/samba/sbin' &
>>>>>> '/samba/bin' in it ?
>>>>>>
>>>>>> If not, try this:
>>>>>>
>>>>>> export PATH=/samba/sbin:/samba/bin:$PATH
>>>>>>
>>>>>> if everything now works correctly, do this:
>>>>>>
>>>>>> echo 'PATH=/samba/sbin:/samba/bin:$PATH' > /etc/profile.d/samba4.sh
>>>>>>
>>>>>> Rowland
>>>>> Rowland, nothing in /samba is in the path. I had already tried your
>>>>> suggestion, but I did it again this morning and here are my results. It
>>>>> does not fix the issue. I also included some configuration files and such.
>>>>>
>>>>> root at dc01:~# echo "$PATH"
>>>>> /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
>>>>> root at dc01:~# export PATH=$PATH:/samba/bin:/samba/sbin
>>>>> root at dc01:~# id maliag
>>>>> id: maliag: No such user
>>>>> root at dc01:~# id michaelh
>>>>> id: michaelh: No such user
>>>>> root at dc01:~# getent passwd
>>>>> root:x:0:0:root:/root:/bin/bash
>>>>> daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>>>>> bin:x:2:2:bin:/bin:/bin/sh
>>>>> sys:x:3:3:sys:/dev:/bin/sh
>>>>> sync:x:4:65534:sync:/bin:/bin/sync
>>>>> games:x:5:60:games:/usr/games:/bin/sh
>>>>> man:x:6:12:man:/var/cache/man:/bin/sh
>>>>> lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>>>>> mail:x:8:8:mail:/var/mail:/bin/sh
>>>>> news:x:9:9:news:/var/spool/news:/bin/sh
>>>>> uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>>>>> proxy:x:13:13:proxy:/bin:/bin/sh
>>>>> www-data:x:33:33:www-data:/var/www:/bin/sh
>>>>> backup:x:34:34:backup:/var/backups:/bin/sh
>>>>> list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>>>>> irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>>>>> gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>>>>> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>>>>> libuuid:x:100:101::/var/lib/libuuid:/bin/sh
>>>>> ntp:x:101:103::/home/ntp:/bin/false
>>>>> sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
>>>>> bind:x:103:105::/var/cache/bind:/bin/false
>>>>> root at dc01:~# cat /samba/etc/smb.conf
>>>>> # Global parameters
>>>>> [global]
>>>>> workgroup = KIGM
>>>>> realm = KIGM.LOCAL
>>>>> netbios name = DC01
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>>>>> interfaces = 127.0.0.1, 192.168.0.1
>>>>>
>>>>> [netlogon]
>>>>> path = /samba/var/locks/sysvol/kigm.local/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /samba/var/locks/sysvol
>>>>> read only = No
>>>>> root at dc01:~# cat /etc/nsswitch.conf
>>>>> # /etc/nsswitch.conf
>>>>> #
>>>>> # Example configuration of GNU Name Service Switch functionality.
>>>>> # If you have the `glibc-doc-reference' and `info' packages installed, try:
>>>>> # `info libc "Name Service Switch"' for information about this file.
>>>>>
>>>>> passwd: compat winbind
>>>>> group: compat winbind
>>>>> shadow: compat
>>>>>
>>>>> hosts: files dns wins
>>>>> networks: files
>>>>>
>>>>> protocols: db files
>>>>> services: db files
>>>>> ethers: db files
>>>>> rpc: db files
>>>>>
>>>>> netgroup: nis
>>>>> root at dc01:~# wbinfo -g
>>>>> Enterprise Read-Only Domain Controllers
>>>>> Domain Admins
>>>>> Domain Users
>>>>> Domain Guests
>>>>> Domain Computers
>>>>> Domain Controllers
>>>>> Schema Admins
>>>>> Enterprise Admins
>>>>> Group Policy Creator Owners
>>>>> Read-Only Domain Controllers
>>>>> DnsUpdateProxy
>>>>> Operations
>>>>> AV
>>>>> Graphics
>>>>> WAFA
>>>>> Finance
>>>>> Logos
>>>>> Streaming
>>>>> root at dc01:~# cat /etc/krb5.conf
>>>>> [libdefaults]
>>>>> default_realm = KIGM.LOCAL
>>>>> dns_lookup_realm = false
>>>>> dns_lookup_kdc = true
>>>>>
>>>>> Thanks for the help. What about my suggestion to perform a normal
>>>>> install per the book and then move everything in /samba/var/lib to the
>>>>> correct location? Would that not work? I agree with you that this issue
>>>>> is caused by the odd install location.
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>
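
The comparison suggested in the thread (set the self-compiled build's paths beside the Debian ones before moving files), as an added example that is not part of any poster's message: it pairs the two "Paths:" listings quoted above, abridged, and rewrites a path such as the posted [netlogon] path into the packaged layout. The function names path_map and relocate are hypothetical.

```shell
#!/bin/sh
# Added example. Sample input: abridged "Paths:" listings quoted in this
# thread (self-compiled /samba build, then Debian backports 4.1.11).
old_paths() { cat <<'EOF'
   CONFIGFILE: /samba/etc/smb.conf
   LOGFILEBASE: /samba/var
   LOCKDIR: /samba/var/lock
   STATEDIR: /samba/var/locks
   PRIVATE_DIR: /samba/private
EOF
}
new_paths() { cat <<'EOF'
CONFIGFILE: /etc/samba/smb.conf
LOGFILEBASE: /var/log/samba
LOCKDIR: /var/run/samba
STATEDIR: /var/lib/samba
PRIVATE_DIR: /var/lib/samba/private
EOF
}

# path_map: one "KEY old new" line for every key present in both listings.
path_map() {
  { old_paths; printf '%s\n' '---'; new_paths; } | awk -F': *' '
    { sub(/^[ \t]+/, "", $1) }
    $1 == "---" { second = 1; next }
    !second     { old[$1] = $2; next }
    ($1 in old) { print $1, old[$1], $2 }
  '
}

# relocate PATH: rewrite PATH into the new layout using the longest old entry
# that is a whole-component prefix of it. /samba/var/lock must not match
# /samba/var/locks/..., and STATEDIR must win over the shorter LOGFILEBASE.
# Exits non-zero when no entry covers PATH.
relocate() {
  path_map | awk -v p="$1" '
    {
      n = length($2)
      if ((p == $2 || substr(p, 1, n + 1) == ($2 "/")) && n > best) {
        best = n; out = $3 substr(p, n + 1)
      }
    }
    END { if (best) print out; else exit 1 }
  '
}

# Paths taken from the smb.conf and "samba -b" output posted in the thread.
relocate /samba/var/locks/sysvol/kigm.local/scripts
relocate /samba/private
```

When the files are actually copied, use a tool that preserves ownership, POSIX ACLs and extended attributes, because the sysvol NT ACLs are stored in them.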