[Samba] Domain member seems to work, wbinfo -u not (update1)
L.P.H. van Belle
belle at bazuin.nl
Sat Apr 16 12:26:44 UTC 2016
Ok, an update on this.
My setup was :
DC's : Debian wheezy, sernet samba 4.2.11
Members: Debian jessie, ( different versions samba, shown below )
Now I also saw some strange things in my setup, which must be an inheritance of the install a few years ago.
What I did.
I removed my DC2 from the domain with --demote.
Checked, and removed all other DC2 references in AD and DNS.
I upgraded my DC1 from wheezy to jessie, still sernet samba 4.2.11.
After the complete upgrade of the OS, I rechecked my DNS and AD, all ok now.
I upgraded my DC2 from wheezy to jessie, also sernet samba 4.2.11
I rejoined the domain.
I saw a few things.
1) if the resolv.conf is set as advised, I got auth fails, and I got errors with sambadns_upgrade.
Solution, set both servers' resolv.conf to themselves first.
Sambadns updates work fine now, change it back when all is done.
2) after the DC2 join I'm still missing a right on /var/lib/samba/private/dns.keytab
Solution, chgrp bind /var/lib/samba/private/dns.keytab && chmod 640 /var/lib/samba/private/dns.keytab
I gave my servers some time to sync now; checking too soon results in errors, so give it some time.
Checked my status of both servers, all ok.
Now I logged in on one of the failing (wbinfo -u) servers.
So I tested 2 servers for now.
Both have the exact same setup ( all my setups are the same, because of the scripted installs ),
The only difference is what I use them for.
So my print server, Debian samba 4.3.7, wbinfo -u, not working, but everything works,
and I see the delay where I normally see the output.
My mail server, Debian samba 4.2.10, wbinfo -u works now, without changing anything.
I'm not done yet, but this is a heads-up.
When I find more, I'll post some extra info.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 15 April 2016 15:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
>
> Yeah, I have an output of log level 10 while I do a wbinfo -u.
>
> As for the packages below.
> 4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this
> problem.
>
> 4.2.20 .. error typo, is Version 4.2.10-Debian
>
> 4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package version
> debian used for the latest CVE fixes.
>
> I'm waiting until 4.4.2 is out of experimental so I can create a new
> package.
>
> As far as I can see, it only happens with the jessie patched packages.
>
> Still testing..
> What I also see is that when I do the "wbinfo -u" I see a slowdown.
> Looks like it's getting info but not displaying.
>
> I see for example :
> log.winbindd: validate_ns: NS/NTDOM/USERNAME ok
> ( all my users are there like this )
>
> But I'm not good at debugging the samba log.. :-( there are too many in there..
> Still looking... Tried a third server, same problem.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> > Sent: Friday 15 April 2016 15:08
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> >
> > On 15/04/16 13:43, L.P.H. van Belle wrote:
> > > Ok, I have tested a bit more also.
> > >
> > > Now I have this problem also on some other servers with D. Jessie.
> > >
> > > The sernet 4.2.11 debian wheezy works fine as far as I can see now.
> > >
> > > All my member servers have these settings ( see below ).
> > > Versions used are
> > > 4.1.17 (all ok) ( debian jessie packages )
> > > 4.2.20 (fail wbinfo -u) ( debian jessie packages )
> > > 4.2.11 (all ok) ( debian wheezy sernet packages )
> > > 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> > > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )
> > >
> > > 2 servers, now both on 4.2.10
> > > On both work :
> > > id username
> > > getent username
> > > wbinfo -g
> > >
> > > And both not wbinfo -u
> > > disabling tls didn't help.
> > >
> > > Setting : ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.
> > >
> > > Rebooted the server also.
> > >
> > > DC's setup.
> > > Backend AD.
> > > All users have UID and needed groups also.
> > >
> > > Config member server.
> > > [global]
> > > workgroup = NTDOM
> > > security = ADS
> > > realm = INTERNAL.DOMAIN.TLD
> > >
> > > netbios name = memberserver10
> > > domain master = no
> > > host msdfs = no
> > >
> > > dedicated keytab file = /etc/krb5.keytab
> > > kerberos method = secrets and keytab
> > > client signing = if_required
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 2000-9999
> > > idmap config NTDOM:backend = ad
> > > idmap config NTDOM:schema_mode = rfc2307
> > > idmap config NTDOM:range = 10000-3999999
> > >
> > > winbind nss info = rfc2307
> > > winbind trusted domains only = no
> > > winbind use default domain = yes
> > > winbind enum users = yes
> > > winbind enum groups = yes
> > > winbind refresh tickets = yes
> > > winbind offline logon = yes
> > > winbind expand groups = 4
> > >
> > > wins server = 192.168.0.1, 192.168.0.2
> > >
> > > username map = /etc/samba/samba_usermapping
> > >
> > > usershare path =
> > >
> > > vfs objects = acl_xattr
> > > map acl inherit = Yes
> > > store dos attributes = Yes
> > >
> > > unix extensions = no
> > > wide links = no
> > > reset on zero vc = yes
> > > veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > > hide unreadable = yes
> > >
> > > load printers = Yes
> > > printing = cups
> > > printcap name = cups
> > >
> > > tls enabled = yes
> > > tls keyfile = ....
> > > tls certfile = ....
> > > tls cafile = ....
> > >
> > >
> > >
> > >
> >
> > OK, this is strange, getent works but 'wbinfo -u' doesn't, it is usually
> > the other way round :-)
> >
> > Louis, you probably already have cranked the log level up to 10, but if
> > you haven't, can you and then see if anything pops up.
> >
> > As for your list of versions:
> >
> > 4.1.17 (all ok) ( debian jessie packages ) You really need to upgrade
> > 4.2.20 (fail wbinfo -u) ( debian jessie packages ) Where did this come from, highest Samba 4.2 version: 4.2.11
> > 4.2.11 (all ok) ( debian wheezy sernet packages )
> > 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package ) Do not use, use 4.3.8
> >
> > Rowland
> >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
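
Item 2 of the message at the top of this thread fixes the DC's dns.keytab with `chgrp bind` and `chmod 640`. A way to verify that state after a join or upgrade, as an added example that is not part of the original post (the function name `check_keytab` is hypothetical, GNU `stat` is assumed, and the demo runs on a constructed temp file rather than the real keytab):

```shell
#!/bin/sh
# Audit a keytab: it must be a regular file, belong to the expected group,
# be readable by that group, and grant nothing beyond mode 640.
# Usage: check_keytab PATH GROUP   (returns 0 when OK, 1 otherwise)
check_keytab() {
    kt=$1; want_group=$2; rc=0
    if [ -L "$kt" ] || [ ! -f "$kt" ]; then
        echo "FAIL $kt: not a regular file"
        return 1
    fi
    # GNU stat (as on Debian): %a = octal mode, %G = group name
    mode=$(stat -c '%a' "$kt")
    group=$(stat -c '%G' "$kt")
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $kt: group is $group, expected $want_group"
        rc=1
    fi
    # Any bit outside 0640 (world access, group write, exec, setuid) is too broad.
    if [ $(( 0$mode & ~0640 & 07777 )) -ne 0 ]; then
        echo "FAIL $kt: mode $mode is broader than 640"
        rc=1
    fi
    # The DNS server reads the keytab through its group, so group read is needed.
    if [ $(( 0$mode & 0040 )) -eq 0 ]; then
        echo "FAIL $kt: mode $mode gives group $want_group no read access"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK   $kt: group $group, mode $mode"
    fi
    return "$rc"
}

# Constructed demo: a temp file stands in for the keytab and its own group
# stands in for "bind". On a DC the call would be:
#   check_keytab /var/lib/samba/private/dns.keytab bind
demo=$(mktemp)
demo_group=$(stat -c '%G' "$demo")
chmod 644 "$demo"; check_keytab "$demo" "$demo_group" || true   # too broad
chmod 640 "$demo"; check_keytab "$demo" "$demo_group"           # as in the fix
rm -f "$demo"
```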