[Samba] Member server - winbind unable to resolve users/groups

Andrey Repin anrdaemon at yandex.ru
Fri Apr 3 12:33:03 MDT 2015


Greetings, Rowland Penny!

>>>>> I'm trying to get the former PDC back into domain after performing a
>>>>> classic migration.
>>>>> AD DC is running fine... if you can call it that.
>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article,
>>>>> and rejoined the domain. Went fine apart from failed DNS update with local
>>>>> zone.
>>>>
>>>>> # net ads testjoin
>>>>> Join is OK
>>>>> But there's no data in getent, and domain users are unable to
>>>>> authenticate on the server.
>>>>> So, where do I start looking?
>>> Please check your /etc/nsswitch.conf file; it should contain this:
>>> passwd: compat winbind
>>> group:    compat winbind
>>> For more information, please go through Samba Wiki first,
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Please read the message - I explicitly stated that nsswitch.conf is amended as
>> suggested on the wiki.
>>
>>

> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain 
> classicupgrade', this should have given you users with uidNumber 
> attributes and groups with gidNumber attributes.

> If,as you said, you used the smb.conf from the member server wiki page, 
> you will have something like this in your smb.conf:

>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config SAMDOM:backend = ad
>     idmap config SAMDOM:schema_mode = rfc2307
>     idmap config SAMDOM:range = 10000-99999

> Two questions:
> Did you change 'SAMDOM' to your workgroup name?
> Are your users' & groups' uidNumber & gidNumber attributes inside the 
> '10000-99999' range?

It was a slightly more complicated process than that.

Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.

On the host, I've set up container DC1, copied over the 3.6.3 TDBs from the host and
performed classicupgrade with a hostname change. After initial failure and a
month of head cracking, it somehow worked out on April 1st.

The container runs as it could, resolving uids to domain names within itself,
at least.

Now, I need to get the same resolution on the host.
The Samba 3 configuration files were moved away on the host before Samba
upgrade, so that I could have one more backup copy of the configuration, if
things go wrong.

After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the
Wiki, and then ran the command to join the AD.
Join went fine except for a notice "unable to update DNS record for
userl.ccenter.lan".
After that, I removed startup blocks on smbd/nmbd/winbind and rebooted
everything.

Currently, the situation is as follows:

DC1 (AD DC): http://pastebin.com/WncfgLb6

root at dc1:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root at dc1:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

USERL (member server): http://pastebin.com/25Lx6z9v

root at userl:~# net ads testjoin
Join is OK

root at userl:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root at userl:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Looking at winbind/idmap logs,

[2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
  pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
[2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
  idmap config CCENTER : range = 1000-50000
[2015/04/03 21:16:17.636720,  2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
  Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
[2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
  set_domain_online_request: called for domain CCENTER
[2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
  set_domain_online_request: domain CCENTER was globally offline.

Eh? What the? Why? Google says it may be an issue with DNS, but mine works
fine, especially since a few lines earlier it successfully contacts the AD DC.


-- 
With best regards,
Andrey Repin
Friday, April 3, 2015 16:06:14

Sorry for my terrible English...
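The quoted reply asks two things that are easy to get wrong on a member server: whether the `idmap config` ranges in smb.conf are sane, and whether every uidNumber/gidNumber the DC hands out actually falls inside the domain's idmap range (the winbind log on this page reports `idmap config CCENTER : range = 1000-50000`, so the range in force is worth comparing against the default `*` range, which must not overlap it). The shell script below is an added example written for this thread, not code from the thread or from the Samba project. The smb.conf fragment and the ldbsearch-style ID dump it checks are constructed sample data written to a scratch directory; on a real system you would feed it `testparm -s` output and a dump such as `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber` taken on the DC. Function names and the sample DNs are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Samba AD member
# server's idmap configuration the way the quoted reply suggests.
# Both input files are CONSTRUCTED samples written to a scratch dir.
WORK=$(mktemp -d)

# Constructed smb.conf fragment following the member-server wiki layout.
SMBCONF="$WORK/smb.conf"
cat > "$SMBCONF" <<'EOF'
[global]
    workgroup = CCENTER
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config CCENTER : backend = ad
    idmap config CCENTER : schema_mode = rfc2307
    idmap config CCENTER : range = 10000-99999
EOF

# Constructed ldbsearch-style output: two users and two groups, two of
# which carry IDs that fall outside the CCENTER range on purpose.
LDBOUT="$WORK/ids.ldif"
cat > "$LDBOUT" <<'EOF'
dn: CN=alice,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 1003
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 10000

dn: CN=legacy,CN=Users,DC=ads,DC=ccenter,DC=lan
gidNumber: 513
EOF

# idmap_range SMBCONF DOMAIN: print "LOW HIGH" from 'idmap config DOMAIN : range'
# (use '*' for the default backend). Matching is case-insensitive and
# tolerates 'DOMAIN:range' written with or without spaces around the colon.
idmap_range() {
    awk -v dom="$2" '
        {
            line = tolower($0)
            if (line !~ /^[ \t]*idmap config/) next
            sub(/^[ \t]*idmap config[ \t]*/, "", line)
            if (split(line, kv, "=") < 2) next
            split(kv[1], parts, ":")
            gsub(/[ \t]/, "", parts[1]); gsub(/[ \t]/, "", parts[2])
            if (parts[1] != tolower(dom) || parts[2] != "range") next
            gsub(/[ \t]/, "", kv[2])
            split(kv[2], r, "-")
            print r[1], r[2]
        }' "$1"
}

# ranges_overlap LO1 HI1 LO2 HI2: succeed (exit 0) when the ranges share IDs.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# out_of_range LDBFILE LOW HIGH: print "dn attribute value" for every
# uidNumber/gidNumber that is not inside LOW..HIGH.
out_of_range() {
    awk -v lo="$2" -v hi="$3" '
        /^dn: / { dn = substr($0, 5) }
        /^(uidNumber|gidNumber): / {
            if ($2 + 0 < lo + 0 || $2 + 0 > hi + 0)
                printf "%s %s %s\n", dn, substr($1, 1, length($1) - 1), $2
        }' "$1"
}

# check_member_idmap SMBCONF LDBFILE DOMAIN: returns 0 only when both ranges
# are configured, do not overlap, and every ID lies inside the domain range.
check_member_idmap() {
    conf=$1; ldb=$2; dom=$3; status=0
    set -- $(idmap_range "$conf" '*') $(idmap_range "$conf" "$dom")
    if [ $# -ne 4 ]; then
        echo "missing 'idmap config * : range' or 'idmap config $dom : range'" >&2
        return 1
    fi
    if ranges_overlap "$1" "$2" "$3" "$4"; then
        echo "default range $1-$2 overlaps $dom range $3-$4" >&2
        status=1
    fi
    bad=$(out_of_range "$ldb" "$3" "$4")
    if [ -n "$bad" ]; then
        echo "IDs outside the $dom range $3-$4:" >&2
        echo "$bad" >&2
        status=1
    fi
    return $status
}

# With the constructed data this reports bob (uidNumber 1003) and the
# 'legacy' group (gidNumber 513) as outside 10000-99999 and fails.
if check_member_idmap "$SMBCONF" "$LDBOUT" CCENTER; then
    echo "idmap check passed"
else
    echo "idmap check failed; see messages above"
fi
```

Accounts whose IDs land outside the domain range are exactly the ones `getent passwd`/`getent group` will not show through `idmap_config ... : backend = ad`, because winbind refuses to map an ID it is not allowed to hand out; overlapping `*` and domain ranges are likewise a misconfiguration, so the script treats either finding as a failure rather than a warning.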


