[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
Patrick G. Stoesser
lists at pgs-info.de
Sat Apr 16 17:08:14 UTC 2016
Hello everybody,
I've been running Samba as an AD member server for ages (Debian stable).
After the last update to 4.2, I just can't get it to work.
Symptoms: unable to map AD user / groups.
After two days of unsuccessfully fiddling (and moving all data to another
server still running Samba 3.6, which I will definitely NOT update at the
moment), I decided to purge my installation and start over again like
described in
<https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
So now my setup is (all names and IPs are masked, but are correct here):
********************************************************************
smb.conf
********************************************************************
[global]
netbios name = test-fileserver3
security = ADS
workgroup = AD
realm = AD.test.loc
log file = /var/log/samba/%m.log
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-95000
winbind nss info = template
# template shell = /sbin/nologin
# template homedir = /home/%U
********************************************************************
********************************************************************
nsswitch.conf
********************************************************************
passwd: files winbind
group: files winbind
hosts: files dns.
shadow: files winbind
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
********************************************************************
My krb5.keytab has been generated correctly. I also have a krb5.conf:
********************************************************************
krb5.conf
********************************************************************
[libdefaults]
default_realm = AD.TEST.LOC
clockskew = 900
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true
[realms]
TEST.TEST.LOC = {
kdc = dc.ad.test.loc
kdc = dc1.ad.test.loc
kdc = dc2.ad.test.loc
kdc = dc3.ad.test.loc
admin_server = dc.test.loc
}
[domain_realm]
.test.loc = AD.TEST.LOC
[login]
krb4_convert = true
krb4_get_tickets = false
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
********************************************************************
libpam.winbind and libnss.winbind are installed.
Name resolution works (as before...):
host -t A dc.ad.test.loc
dc.ad.test.loc has address 123.456.789.208
getent hosts
127.0.0.1 localhost
123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
Time is synchronized (as before...)
net join ads -U "Domainadmin" worked.
smbd, nmbd, winbind start successfully.
wbinfo -t and -p are successful.
But still no resolution. wbinfo -g and -u give no result. Also, getent
passwd delivers only local accounts.
Log says (as expected) "Username AD\ps-15-16 is invalid on this system
[2016/04/16 18:52:45.713298, 3]
../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
Failed to map kerberos principal to system user
(NT_STATUS_LOGON_FAILURE)"
I tried, as read in the list, to change idmap config AD:backend = ad to
rid. No change in results.
Anyone any idea? I'm momentarily at the end of mine.
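An added static check, not part of the post above and not Samba's own tooling: it reads an smb.conf and a krb5.conf and reports the inconsistencies that most often leave a domain member unable to map users, such as a krb5.conf [realms] entry whose name does not match the smb.conf realm, a missing "idmap config WORKGROUP:" block, or overlapping idmap ranges. The two embedded files are constructed from the fragments quoted in the post (names masked as there); whether the TEST.TEST.LOC realm header is a masking artefact or what is really on disk, the script flags it. The check is purely syntactic, so a configuration that passes it can still fail to resolve users when idmap backend = ad is used and the AD accounts have no uidNumber/gidNumber inside the configured range, which idmap_ad requires.

```python
"""Consistency check for a Samba AD member's smb.conf and krb5.conf.

Added example (not from the mailing-list post, not Samba code). The sample
configs below are constructed from the post's masked fragments.
"""
import re


def parse_smb_conf(text):
    """Return {section: {key: value}}, keys lower-cased.
    Splits only on '=', so 'idmap config AD:backend' stays one key."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif '=' in line and section is not None:
            k, v = line.split('=', 1)
            conf[section][k.strip().lower()] = v.strip()
    return conf


def parse_krb5_conf(text):
    """Return (libdefaults dict, set of realm names declared in [realms]).
    Only depth-0 'key = value' lines are read; a 'NAME = {' at depth 0 in
    [realms] declares a realm and everything inside its braces is skipped."""
    section, depth, libdefaults, realms = None, 0, {}, set()
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m and depth == 0:
            section = m.group(1).lower()
        elif line.endswith('{'):
            name = line[:-1].split('=', 1)[0].strip()
            if depth == 0 and section == 'realms':
                realms.add(name)
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and section == 'libdefaults' and '=' in line:
            k, v = line.split('=', 1)
            libdefaults[k.strip().lower()] = v.strip()
    return libdefaults, realms


def parse_range(value):
    lo, hi = value.split('-')
    return int(lo), int(hi)


def check(smb_text, krb5_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    g = parse_smb_conf(smb_text).get('global', {})
    libdefaults, realms = parse_krb5_conf(krb5_text)
    realm = g.get('realm', '').upper()        # Samba upper-cases the realm itself
    workgroup = g.get('workgroup', '')
    if g.get('security', '').lower() != 'ads':
        findings.append("security must be ADS for an AD domain member")
    default_realm = libdefaults.get('default_realm', '')
    if default_realm != realm:
        findings.append(f"krb5.conf default_realm {default_realm!r} != smb.conf realm {realm!r}")
    if realm not in realms:
        findings.append(f"krb5.conf [realms] has no entry for {realm!r} (found {sorted(realms)})")
    prefix = f'idmap config {workgroup.lower()}:'
    dom = {k[len(prefix):]: v for k, v in g.items() if k.startswith(prefix)}
    if 'backend' not in dom or 'range' not in dom:
        findings.append(f"missing 'idmap config {workgroup}:backend' or ':range' for the workgroup")
    star = g.get('idmap config *:range')
    if star and 'range' in dom:
        a, b = parse_range(star)
        c, d = parse_range(dom['range'])
        if a <= d and c <= b:
            findings.append(f"idmap ranges overlap: '*' {star} vs {workgroup} {dom['range']}")
    if dom.get('backend', '').lower() == 'ad' and \
            dom.get('schema_mode', '').lower() not in ('rfc2307', 'sfu', 'sfu20'):
        findings.append("idmap_ad needs schema_mode = rfc2307 (or sfu/sfu20)")
    return findings


# Constructed from the post (masked names kept as in the post).
SMB_CONF = """[global]
    netbios name = test-fileserver3
    security = ADS
    workgroup = AD
    realm = AD.test.loc
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 10000-95000
"""
KRB5_CONF_POSTED = """[libdefaults]
    default_realm = AD.TEST.LOC
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[realms]
    TEST.TEST.LOC = {
        kdc = dc.ad.test.loc
    }
[domain_realm]
    .test.loc = AD.TEST.LOC
"""
KRB5_CONF_FIXED = KRB5_CONF_POSTED.replace('TEST.TEST.LOC = {', 'AD.TEST.LOC = {')

if __name__ == '__main__':
    for label, krb in (('posted', KRB5_CONF_POSTED), ('fixed', KRB5_CONF_FIXED)):
        print(label, check(SMB_CONF, krb) or ['OK'])
```

Run it with the real files (`check(open('/etc/samba/smb.conf').read(), open('/etc/krb5.conf').read())`) before touching winbind; if it comes back clean, the next things to verify on the host are `net ads testjoin` and whether the accounts carry RFC2307 uidNumber/gidNumber values inside the domain's idmap range.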