[Samba] Domain member seems to work, wbinfo -u not (update1)

L.P.H. van Belle belle at bazuin.nl
Sat Apr 16 12:26:44 UTC 2016


Ok, an update on this. 

 

My setup was : 

DC's : Debian wheezy, sernet samba 4.2.11

Members: Debian jessie, ( different versions of samba, shown below ) 

 

Now I also saw some strange things in my setup, which must be an inheritance of the install a few years ago. 

 

What i did. 

I removed my DC2 from the domain with --demote.

Checked, and Removed all other DC2 references in AD and DNS. 

 

I upgraded my DC1 from wheezy to jessie, still sernet samba 4.2.11. 

After the complete upgrade of the OS, I rechecked my DNS and AD, all ok now. 

 

I upgraded my DC2 from wheezy to jessie, also sernet samba 4.2.11 

I rejoined the domain. 

 

I saw a few things.

      1) If the resolv.conf is set as advised, I got auth fails, and I got errors with sambadns_upgrade.

      Solution: set resolv.conf on both servers to point to themselves first. 

      Sambadns updates work fine now; change it back when all is done. 

 

      2) After the DC2 join I'm still missing a right on /var/lib/samba/private/dns.keytab 

      Solution: chgrp bind /var/lib/samba/private/dns.keytab && chmod 640 /var/lib/samba/private/dns.keytab

      

I now gave my servers some time to sync; checking too soon results in errors, so give it some time. 

Checked my status of both servers, all ok. 

 

Now I logged in on one of the failing (wbinfo -u) servers. 

So I tested 2 servers for now. 

Both exact same setup ( all my setups are the same, because of the scripted installs ). 

The only difference is what I use them for. 

So my print server, Debian samba 4.3.7, wbinfo -u, not working, but everything works, 

And I see the delay where I normally see the output. 

My mail server, Debian samba 4.2.10, wbinfo -u works now, without changing everything. 

 

I'm not done yet, but this is a heads-up. 

 

When I find more, I'll post some extra info. 

 

Greetz, 

 

Louis

 

 

 

> -----Original message-----

> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle

> Sent: Friday 15 April 2016 15:55

> To: samba at lists.samba.org

> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not

> 

> Yeah, I have an output of log level 10 while I do a wbinfo -u.

> 

> As for the packages below.

> 4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this

> problem.

> 

> 4.2.20 .. error typo, is Version 4.2.10-Debian

> 

> 4.3.7.. yeah, but 4.3.8 is not in Debian, the 4.3.7 is the package version

> Debian used for the latest CVE fixes.

> 

> I'm waiting until 4.4.2 is out of experimental so I can create a new

> package.

> 

> As far as I can see, it only happens with the jessie patched packages.

> 

> Still testing..

> What I also see is that when I do the "wbinfo -u" I see a slowdown.

> Looks like it's getting info but not displaying.

> 

> I see for example :

> log.winbindd:  validate_ns: NS/NTDOM/USERNAME ok

> ( all my users are there like this )

> 

> But I'm not good at debugging the samba log.. :-( there are too many in there..

> Still looking...  Tried a third server, same problem.

> 

> Greetz,

> 

> Louis

> 

> > -----Original message-----

> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny

> > Sent: Friday 15 April 2016 15:08

> > To: samba at lists.samba.org

> > Subject: Re: [Samba] Domain member seems to work, wbinfo -u not

> >

> > On 15/04/16 13:43, L.P.H. van Belle wrote:

> > > Ok, I have tested a bit more also.

> > >

> > > Now I have this problem also on some other servers with D. Jessie.

> > >

> > > The sernet 4.2.11 debian wheezy works fine as far as I can see now.

> > >

> > > All my member servers have these settings ( see below ).

> > > Versions used are

> > > 4.1.17 (all ok) ( debian jessie packages )

> > > 4.2.20 (fail wbinfo -u) ( debian jessie packages )

> > > 4.2.11 (all ok) ( debian wheezy sernet packages )

> > > 4.3.6 (all ok) ( debian sid recompiled to jessie package )

> > > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )

> > >

> > > 2 servers, now both on 4.2.10

> > > On both work :

> > > id username

> > > getent username

> > > wbinfo -g

> > >

> > > And both not wbinfo -u

> > > Disabling tls didn't help.

> > >

> > > Setting : ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.

> > >

> > > Rebooted the server also.

> > >

> > > DC's setup.

> > > Backend AD.

> > > All users have UID and needed groups also.

> > >

> > > Config member server.

> > > [global]

> > >      workgroup = NTDOM

> > >      security = ADS

> > >      realm = INTERNAL.DOMAIN.TLD

> > >

> > >      netbios name = memberserver10

> > >      domain master = no

> > >      host msdfs = no

> > >

> > >      dedicated keytab file = /etc/krb5.keytab

> > >      kerberos method = secrets and keytab

> > >      client signing = if_required

> > >

> > >      idmap config *:backend = tdb

> > >      idmap config *:range = 2000-9999

> > >      idmap config NTDOM:backend = ad

> > >      idmap config NTDOM:schema_mode = rfc2307

> > >      idmap config NTDOM:range = 10000-3999999

> > >

> > >      winbind nss info = rfc2307

> > >      winbind trusted domains only = no

> > >      winbind use default domain = yes

> > >      winbind enum users  = yes

> > >      winbind enum groups = yes

> > >      winbind refresh tickets = yes

> > >      winbind offline logon = yes

> > >      winbind expand groups = 4

> > >

> > >      wins server = 192.168.0.1, 192.168.0.2

> > >

> > >      username map = /etc/samba/samba_usermapping

> > >

> > >      usershare path =

> > >

> > >      vfs objects = acl_xattr

> > >      map acl inherit = Yes

> > >      store dos attributes = Yes

> > >

> > >      unix extensions = no

> > >      wide links = no

> > >      reset on zero vc = yes

> > >      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/

> > >      hide unreadable = yes

> > >

> > >      load printers = Yes

> > >      printing = cups

> > >      printcap name = cups

> > >

> > >      tls enabled = yes

> > >      tls keyfile = ....

> > >      tls certfile = ....

> > >      tls cafile = ....

> > >

> > >

> > >

> > >

> >

> > OK, this is strange, getent works but 'wbinfo -u' doesn't, it is usually

> > the other way round :-)

> >

> > Louis, you probably already have cranked the log level up to 10, but if

> > you haven't, can you and then see if anything pops up.

> >

> > As for your list of versions:

> >

> > 4.1.17 (all ok) ( debian jessie packages ) You really need to upgrade

> > 4.2.20 (fail wbinfo -u) ( debian jessie packages ) Where did this come from, highest Samba 4.2 version: 4.2.11

> > 4.2.11 (all ok) ( debian wheezy sernet packages )

> > 4.3.6 (all ok) ( debian sid recompiled to jessie package )

> > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package ) Do not use, use 4.3.8

> >

> > Rowland

> >

> >

> >

> > --

> > To unsubscribe from this list go to the following URL and read the

> > instructions:  https://lists.samba.org/mailman/options/samba

> 

> 

> 

> --

> To unsubscribe from this list go to the following URL and read the

> instructions:  https://lists.samba.org/mailman/options/samba
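
A check for item 2 of the message above (group and mode of dns.keytab after a DC join), added here as an example and not part of the original post. The function name `check_keytab` and its exit codes are assumptions of this example; it separates the case where the bind group cannot read the keytab from the case where other users can read the Kerberos keys, and relies on `stat -c` as found in GNU coreutils and BusyBox.

```shell
#!/bin/sh
# Added example: audit the group and mode of a keytab file.
# Usage:  check_keytab /var/lib/samba/private/dns.keytab bind
# GROUP may be a group name or a numeric gid.
# Returns 0 = ok, 1 = one or more findings, 2 = file missing or stat failed.
check_keytab() {
    kt_file=$1
    kt_want=$2
    if [ ! -e "$kt_file" ]; then
        echo "MISSING: $kt_file"
        return 2
    fi
    kt_gname=$(stat -c '%G' "$kt_file") || return 2
    kt_gid=$(stat -c '%g' "$kt_file") || return 2
    kt_mode=$(stat -c '%a' "$kt_file") || return 2
    kt_rc=0

    # The DNS server reads the keytab through its group membership.
    if [ "$kt_want" != "$kt_gname" ] && [ "$kt_want" != "$kt_gid" ]; then
        echo "GROUP: $kt_file has group $kt_gname ($kt_gid), expected $kt_want"
        kt_rc=1
    fi

    # %a prints the octal mode; the last digit is "other", the one before "group".
    case $kt_mode in
        640)
            ;;
        *[1-7])
            echo "TOO OPEN: $kt_file mode $kt_mode gives other users access to the keys"
            kt_rc=1
            ;;
        0|*[0-3]0)
            echo "TOO CLOSED: $kt_file mode $kt_mode, group cannot read it"
            kt_rc=1
            ;;
        *)
            echo "MODE: $kt_file is $kt_mode, expected 640"
            kt_rc=1
            ;;
    esac
    return $kt_rc
}
```
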

 


