[Samba] Member server - winbind unable to resolve users/groups
Andrey Repin
anrdaemon at yandex.ru
Fri Apr 3 12:33:03 MDT 2015
Greetings, Rowland Penny!
>>>>> I'm trying to get the former PDC back into domain after performing a classic migration.
>>>>> AD DC is running fine... if you can call it that.
>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>>
>>>>> # net ads testjoin
>>>>> Join is OK
>>>>> But there's no data in getent, and domain users are unable to authenticate on the server.
>>>>> So, where do I start looking?
>>> Please check your /etc/nsswitch.conf file, it should contain this,
>>> passwd: compat winbind
>>> group: compat winbind
>>> For more information, please go through Samba Wiki first,
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Please read the message - I explicitly stated that nsswitch.conf is amended as
>> suggested on the wiki.
>>
>>
> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain
> classicupgrade', this should have given you users with uidNumber
> attributes and groups with gidNumber attributes.
> If, as you said, you used the smb.conf from the member server wiki page,
> you will have something like this in your smb.conf:
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
> Two questions:
> Did you change 'SAMDOM' to your workgroup name?
> Are your users & groups uidNumber & gidNumber attributes inside the
> '10000-99999' range?
It was a somewhat more complicated process than that.
Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.
On the host, I've set up container DC1, copied over the 3.6.3 TDBs from the host and
performed classicupgrade with a hostname change. After initial failure and a
month of head cracking, it somehow worked out on April 1st.
The container runs as it could, resolving uids to domain names within itself,
at least.
Now, I need to get the same resolution on the host.
The Samba 3 configuration files were moved away on the host before Samba
upgrade, so that I could have one more backup copy of the configuration, if
things go wrong.
After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the
Wiki, and then issued the command to join the AD.
Join went fine except for a notice "unable to update DNS record for
userl.ccenter.lan".
After that, I removed startup blocks on smbd/nmbd/winbind and rebooted
everything.
Currently, the situation is as follows:
DC1 (AD DC): http://pastebin.com/WncfgLb6
root at dc1:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
Server Comment
--------- -------
Workgroup Master
--------- -------
root at dc1:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE
USERL (member server): http://pastebin.com/25Lx6z9v
root at userl:~# net ads testjoin
Join is OK
root at userl:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
Server Comment
--------- -------
Workgroup Master
--------- -------
root at userl:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Looking at winbind/idmap logs,
[2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
[2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
idmap config CCENTER : range = 1000-50000
[2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
[2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
set_domain_online_request: called for domain CCENTER
[2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
set_domain_online_request: domain CCENTER was globally offline.
Eh? What the? Why? Google says it may be an issue with DNS, but mine works
fine. Especially since a few lines before, it successfully contacts the AD DC.
--
With best regards,
Andrey Repin
Friday, April 3, 2015 16:06:14
Sorry for my terrible English...
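Rowland's two questions (was 'SAMDOM' replaced with the real workgroup name, and do the uidNumber/gidNumber values that classicupgrade carried over actually fall inside the 'idmap config' range?) can be checked mechanically. The script below is an added example for this thread, not code from the Samba project or from either poster: it parses the 'idmap config' lines of an smb.conf, flags a missing domain block and overlapping ranges (the smb.conf(5) manual requires the ranges of different idmap domains not to overlap), and lists accounts whose RFC2307 attributes lie outside the domain range, which winbind's ad backend will silently refuse to map. The smb.conf fragment and the account list are constructed for the example; the CCENTER range used here is the wiki default, not the poster's real configuration (that is only on pastebin).

```python
import re

# Constructed smb.conf fragment modelled on the member-server wiki page quoted
# above. The values are assumptions for the example, not the poster's config.
SAMPLE_SMB_CONF = """
[global]
   workgroup = CCENTER
   security = ADS
   realm = ADS.CCENTER.LAN
   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config CCENTER : backend = ad
   idmap config CCENTER : schema_mode = rfc2307
   idmap config CCENTER : range = 10000-99999
"""

# Constructed accounts as a classicupgrade might leave them: (name, kind,
# uidNumber or gidNumber). 'backupop' deliberately sits below the domain range.
SAMPLE_ACCOUNTS = [
    ("domainuser", "user", 10001),
    ("backupop", "user", 1005),
    ("Domain Users", "group", 10513),
]

# Matches both 'idmap config *:backend = tdb' and 'idmap config CCENTER : range = ...'
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line in text."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1), m.group(2).lower(), m.group(3)
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def parse_range(value):
    """Turn 'LOW-HIGH' into (low, high); reject inverted ranges."""
    lo, hi = (int(x) for x in value.split("-", 1))
    if lo > hi:
        raise ValueError("inverted idmap range: %s" % value)
    return lo, hi


def check_idmap_config(cfg, workgroup):
    """Return a list of problems winbind would trip over (empty list = clean)."""
    problems = []
    if workgroup not in cfg:
        problems.append("no 'idmap config %s' block; was SAMDOM replaced with the workgroup name?" % workgroup)
    ranges = {}
    for dom, opts in cfg.items():
        if "range" not in opts:
            problems.append("%s: no range configured" % dom)
            continue
        ranges[dom] = parse_range(opts["range"])
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append("ranges of '%s' and '%s' overlap (%d-%d vs %d-%d)"
                                % (a, b, a_lo, a_hi, b_lo, b_hi))
    return problems


def unmapped_accounts(accounts, cfg, workgroup):
    """Names whose uidNumber/gidNumber is outside the workgroup's idmap range."""
    lo, hi = parse_range(cfg[workgroup]["range"])
    return [name for name, _kind, num in accounts if not lo <= num <= hi]


if __name__ == "__main__":
    cfg = parse_idmap_config(SAMPLE_SMB_CONF)
    for p in check_idmap_config(cfg, "CCENTER"):
        print("config problem:", p)
    for name in unmapped_accounts(SAMPLE_ACCOUNTS, cfg, "CCENTER"):
        print("outside idmap range, winbind will not map:", name)
```

On a real member server the account list would come from the DC, e.g. via ldbsearch against sam.ldb or 'net ads search' for uidNumber/gidNumber, and the smb.conf would be read from /etc/samba/smb.conf; the checks themselves stay the same. A range like the '1000-50000' visible in the winbind log above would be reported as overlapping the wiki's default '*' range of 2000-9999, which is exactly the kind of configuration winbind refuses to work with.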