[Samba] Member server - winbind unable to resolve users/groups

Rowland Penny rowlandpenny at googlemail.com
Fri Apr 3 13:15:42 MDT 2015


On 03/04/15 19:33, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>>> I'm trying to get the former PDC back into domain after performing a
>>>>>> classic migration.
>>>>>> AD DC is running fine... if you can call it that.
>>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article,
>>>>>> and rejoined the domain. Went fine apart from failed DNS update with local
>>>>>> zone.
>>>>>>
>>>>>> # net ads testjoin
>>>>>> Join is OK
>>>>>> But there's no data in getent, and domain users are unable to
>>>>>> authenticate on the server.
>>>>>> So, where do I start looking?
>>>> Please check your /etc/nsswitch.conf file, it should contain this:
>>>> passwd: compat winbind
>>>> group:    compat winbind
>>>> For more information, please go through Samba Wiki first,
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>> Please read the message - I explicitly stated that nsswitch.conf is amended as
>>> suggested on the wiki.
>>>
>>>
>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain
>> classicupgrade', this should have given you users with uidNumber
>> attributes and groups with gidNumber attributes.
>> If, as you said, you used the smb.conf from the member server wiki page,
>> you will have something like this in your smb.conf:
>>      idmap config *:backend = tdb
>>      idmap config *:range = 2000-9999
>>      idmap config SAMDOM:backend = ad
>>      idmap config SAMDOM:schema_mode = rfc2307
>>      idmap config SAMDOM:range = 10000-99999
>> Two questions:
>> Did you change 'SAMDOM' to your workgroup name ?
>> Are your users' & groups' uidNumber & gidNumber attributes inside the
>> '10000-99999' range ?
> It was a little more complicated process, than that.
>
> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.
>
> On host, I've set up container DC1, copied over the 3.6.3 TDBs from host and
> performed classicupgrade with hostname change. After initial failure and a
> month of head cracking, it somehow worked out on April 1st.
>
> The container runs as it could, resolving uids to domain names within itself,
> at least.
>
> Now, I need to get the same resolution on the host.
> The Samba 3 configuration files were moved away on the host before Samba
> upgrade, so that I could have one more backup copy of the configuration, if
> things go wrong.
>
> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the
> Wiki, and then commanded to join the AD.
> Join went fine except for a notice "unable to update DNS record for
> userl.ccenter.lan".
> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted
> everything.
>
> Currently, the situation is as follows:
>
> DC1 (AD DC): http://pastebin.com/WncfgLb6
>
> root at dc1:~# smbclient -L dc1 -U domainuser
> Enter domainuser's password:
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>          Sharename       Type      Comment
>          ---------       ----      -------
>          netlogon        Disk
>          sysvol          Disk
>          IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>          Server               Comment
>          ---------            -------
>
>          Workgroup            Master
>          ---------            -------
>
> root at dc1:~# smbclient -L userl -U domainuser
> Enter domainuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> USERL (member server): http://pastebin.com/25Lx6z9v
>
> root at userl:~# net ads testjoin
> Join is OK
>
> root at userl:~# smbclient -L dc1 -U domainuser
> Enter domainuser's password:
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>          Sharename       Type      Comment
>          ---------       ----      -------
>          netlogon        Disk
>          sysvol          Disk
>          IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>          Server               Comment
>          ---------            -------
>
>          Workgroup            Master
>          ---------            -------
>
> root at userl:~# smbclient -L userl -U domainuser
> Enter domainuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Looking at winbind/idmap logs,
>
> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
>    pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
>    idmap config CCENTER : range = 1000-50000
> [2015/04/03 21:16:17.636720,  2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
>    Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
>    set_domain_online_request: called for domain CCENTER
> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
>    set_domain_online_request: domain CCENTER was globally offline.
>
> Eh? What the? Why? Google says it may be an issue with DNS, but mine works
> fine. Especially since a few lines before it successfully contacted the AD DC.
>
>

I am struggling to understand this setup: you have created a Samba AD DC 
running on Ubuntu 12.04 inside a container (docker ??), and you then seem 
to have altered the AD DC's smb.conf for some reason. Can I ask why?

You then set up a member server, joined it to the domain, but now cannot 
connect to the member server from the DC via smbclient. Is this correct?

What have you got in:

/etc/resolv.conf
/etc/krb5.conf

This on both machines.

Can you ping from each machine to the other, both by IP and hostname?

What does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show?

Does the 'container' have all the required ports open?

Rowland
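The two questions in the earlier reply (was 'SAMDOM' replaced by the real workgroup name, and do the users' uidNumber and groups' gidNumber values fall inside that domain's idmap range) plus the nsswitch.conf check can be scripted against the config files before anyone starts reading winbind debug logs. The POSIX shell script below is an added example and is not part of this thread or of Samba. Its smb.conf and nsswitch.conf fragments are constructed: the SAMDOM one is the wiki layout quoted above, and the CCENTER one is an assumed combination of that layout with the "range = 1000-50000" line the winbind log printed, so the overlap it reports is a property of that assumed combination, not a finding about the poster's server. The overlap check itself rests on the idmap_ad(8) rule that an idmap range must not overlap any other idmap range.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): check the idmap answers
# asked for above, offline, against smb.conf text held in shell variables.

# Constructed smb.conf [global] fragments.  WIKI_CONF is the member-server wiki
# layout quoted in the thread; OVERLAP_CONF is an assumed combination of that
# layout with the "range = 1000-50000" the winbind log printed for CCENTER.
WIKI_CONF='[global]
   workgroup = SAMDOM
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM:range = 10000-99999'

OVERLAP_CONF='[global]
   workgroup = CCENTER
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config CCENTER:backend = ad
   idmap config CCENTER:schema_mode = rfc2307
   idmap config CCENTER : range = 1000-50000'

# Constructed nsswitch.conf fragments: one correct, one missing winbind on group.
NSS_OK='passwd: compat winbind
group:  compat winbind'
NSS_BAD='passwd: compat winbind
group:  compat'

# Print "LO HI" for "idmap config DOMAIN:range" in the smb.conf text on stdin.
# DOMAIN may be "*".  Exit 1 when no such line exists (e.g. wrong workgroup name).
idmap_range() {
    awk -v dom="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^[#;]/ { next }
        index(line, "idmap config") == 1 {
            n = split(line, kv, "=")
            if (n != 2) next
            key = kv[1]; val = kv[2]
            sub(/^idmap config/, "", key)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)   # "CCENTER : range " -> "CCENTER:range"
            if (tolower(key) == tolower(dom ":range")) {
                split(val, r, "-"); print r[1], r[2]; found = 1
            }
        }
        END { if (!found) exit 1 }'
}

# Is ID inside [LO, HI]?
in_range() { [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]; }

# Do [LO1,HI1] and [LO2,HI2] intersect?  idmap_ad(8) requires ranges not to overlap.
ranges_overlap() { [ "$1" -le "$4" ] && [ "$3" -le "$2" ]; }

# Do the passwd and group lines of the nsswitch.conf text in $1 both list winbind?
nss_has_winbind() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*passwd:/ && /winbind/ { p = 1 }
        /^[ \t]*group:/  && /winbind/ { g = 1 }
        END { exit !(p && g) }'
}

# check_idmap CONF WORKGROUP UIDNUMBER GIDNUMBER
# Is WORKGROUP's range configured at all, do the uidNumber/gidNumber fall inside
# it, and does it stay clear of the "*" range?  Returns 0 only when all is well.
check_idmap() {
    conf="$1"; wg="$2"; uid="$3"; gid="$4"; status=0
    dom_range=$(printf '%s\n' "$conf" | idmap_range "$wg") || {
        echo "FAIL: no 'idmap config $wg:range' line; is '$wg' really the workgroup?"
        return 1
    }
    def_range=$(printf '%s\n' "$conf" | idmap_range '*') || {
        echo "FAIL: no 'idmap config *:range' line (needed for BUILTIN and well-known SIDs)"
        return 1
    }
    set -- $dom_range; dlo=$1; dhi=$2
    set -- $def_range; xlo=$1; xhi=$2
    if ranges_overlap "$dlo" "$dhi" "$xlo" "$xhi"; then
        echo "FAIL: $wg range $dlo-$dhi overlaps '*' range $xlo-$xhi"; status=1
    fi
    if ! in_range "$dlo" "$dhi" "$uid"; then
        echo "FAIL: uidNumber $uid is outside $wg range $dlo-$dhi; the user will not resolve"; status=1
    fi
    if ! in_range "$dlo" "$dhi" "$gid"; then
        echo "FAIL: gidNumber $gid is outside $wg range $dlo-$dhi; the group will not resolve"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $wg range $dlo-$dhi contains uid $uid and gid $gid"
    return "$status"
}

# Stand-alone demo (the uid/gid values are made up).
check_idmap "$WIKI_CONF" SAMDOM 10500 10513 || true
check_idmap "$WIKI_CONF" CCENTER 10500 10513 || true      # wrong workgroup name
check_idmap "$OVERLAP_CONF" CCENTER 1500 1500 || true     # overlapping ranges
nss_has_winbind "$NSS_BAD" || echo "FAIL: nsswitch.conf lacks winbind on passwd or group"
```

On a real member server, feed `check_idmap` the [global] section of /etc/samba/smb.conf and the uidNumber/gidNumber that `samba-tool user show` or an LDAP search reports for a user who fails to resolve; a FAIL from any of the three checks is the usual reason `getent passwd DOMAIN\\user` comes back empty even though `net ads testjoin` reports the join is OK.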

