[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution

Patrick G. Stoesser lists at pgs-info.de
Sat Apr 16 17:08:14 UTC 2016


Hello everybody,

I've been running Samba as an AD member server for ages (Debian stable). 
After the last update to 4.2, I just can't get it to work.

Symptoms: unable to map AD user / groups.

After two days of unsuccessful fiddling (and moving all data to another 
server still running Samba 3.6, which I will definitely NOT update at the 
moment), I decided to purge my installation and start over again as 
described in 
<https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>

So now my setup is (all names and IPs are masked, but are correct here):

********************************************************************
smb.conf
********************************************************************
[global]

netbios name = test-fileserver3
security = ADS
workgroup = AD
realm = AD.test.loc

log file = /var/log/samba/%m.log
log level = 3

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999

idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-95000

winbind nss info = template
#       template shell = /sbin/nologin
#       template homedir = /home/%U
********************************************************************



********************************************************************
nsswitch.conf
********************************************************************
passwd: files winbind
group:  files winbind
hosts:  files dns
shadow: files winbind

networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup: nis
********************************************************************



My krb5.keytab has been generated correctly. I also have a krb5.conf:

********************************************************************
krb5.conf
********************************************************************

[libdefaults]
default_realm = AD.TEST.LOC
clockskew = 900

# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
host = {
rcmd = host
ftp = ftp
}
plain = {
something = something-else
}
}
fcc-mit-ticketflags = true

[realms]
TEST.TEST.LOC = {
kdc = dc.ad.test.loc
kdc = dc1.ad.test.loc
kdc = dc2.ad.test.loc
kdc = dc3.ad.test.loc
admin_server = dc.test.loc
}

[domain_realm]
.test.loc = AD.TEST.LOC

[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
********************************************************************

libpam.winbind and libnss.winbind are installed.


Name resolution works (as before...):

host -t A dc.ad.test.loc
dc.ad.test.loc has address 123.456.789.208

getent hosts
127.0.0.1       localhost
123.456.789.244 test-fileserver3.test.test.loc test-fileserver3

Time is synchronized (as before...)

net join ads -U "Domainadmin" worked.

smbd, nmbd, winbind start successfully.
wbinfo -t and -p are successful.

But still no resolution. wbinfo -g and -u give no result. Also, getent 
passwd delivers only local accounts.

Log says (as expected) "Username AD\ps-15-16 is invalid on this system":

[2016/04/16 18:52:45.713298,  3] ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
  Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)

I tried, as read in the list, to change idmap config AD:backend = ad to 
rid. No change in results.

Anyone any idea? I'm momentarily at the end of mine.
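The cross-checks between smb.conf and krb5.conf that a member-server setup like the one above depends on (the smb.conf realm agreeing with default_realm, a [realms] entry with a KDC list for that realm, [domain_realm] pointing at a defined realm, and non-overlapping idmap ranges for "*" and the joined domain) as an added Python example. This is not Samba code and not from the poster; the two config strings are constructed samples that mirror the masked configuration in the post, so any finding they produce may just be a masking artefact. The function names are assumptions of this example.

```python
"""Offline sanity checks for a Samba AD member's smb.conf and krb5.conf:
realm naming, [realms]/[domain_realm] coverage and idmap ranges.
Added example for this thread, not Samba code; the two config strings are
constructed samples mirroring the (masked) configuration in the post."""
import re

SMB_CONF = """
[global]
    security = ADS
    workgroup = AD
    realm = AD.test.loc
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config AD:backend = ad
    idmap config AD:schema_mode = rfc2307
    idmap config AD:range = 10000-95000
    winbind nss info = template
"""

KRB5_CONF = """
[libdefaults]
    default_realm = AD.TEST.LOC
    v4_name_convert = {
        host = {
            rcmd = host
        }
    }
[realms]
    TEST.TEST.LOC = {
        kdc = dc.ad.test.loc
        kdc = dc1.ad.test.loc
        admin_server = dc.test.loc
    }
[domain_realm]
    .test.loc = AD.TEST.LOC
"""


def parse_smb_conf(text):
    """{section: {param: value}}; params lower-cased, 'idmap config X : k' -> 'idmap config x:k'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line[0] == '[' and line[-1] == ']':
            section = conf.setdefault(line[1:-1].strip().lower(), {})
        elif '=' in line and section is not None:
            key, value = line.split('=', 1)
            key = re.sub(r'\s*:\s*', ':', ' '.join(key.lower().split()))
            section[key] = value.strip()
    return conf


def parse_krb5_conf(text):
    """{section: {...}}; '{ }' groups become nested dicts, repeated keys (kdc) become lists."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line[0] == '[' and line[-1] == ']':
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == '}' and len(stack) > 1:
            stack.pop()
        elif '=' in line and stack:
            key, value = (s.strip() for s in line.split('=', 1))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            elif key in stack[-1]:
                old = stack[-1][key]
                stack[-1][key] = (old if isinstance(old, list) else [old]) + [value]
            else:
                stack[-1][key] = value
    return sections


def idmap_ranges(global_section):
    """{domain: (low, high)} from every 'idmap config <dom>:range' parameter."""
    ranges = {}
    for key, value in global_section.items():
        m = re.fullmatch(r'idmap config (.+):range', key)
        if m:
            lo, hi = value.split('-', 1)
            ranges[m.group(1)] = (int(lo), int(hi))
    return ranges


def check_member_config(smb, krb5):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    g = smb.get('global', {})
    realm = g.get('realm', '').upper()            # Samba upper-cases the realm itself
    workgroup = g.get('workgroup', '').lower()
    if g.get('security', '').upper() == 'ADS' and not realm:
        findings.append("security = ADS needs 'realm'")
    default_realm = krb5.get('libdefaults', {}).get('default_realm', '')
    if realm and default_realm != realm:
        findings.append(f"default_realm {default_realm} != smb.conf realm {realm}")
    realms = krb5.get('realms', {})
    for name in sorted({realm, default_realm} - {''}):
        if name not in realms:
            findings.append(f"realm {name} has no [realms] entry, so no KDC list")
    for dom, target in krb5.get('domain_realm', {}).items():
        if target not in realms:
            findings.append(f"[domain_realm] maps {dom} to undefined realm {target}")
    ranges = idmap_ranges(g)
    if '*' not in ranges:
        findings.append("missing 'idmap config *:range' (BUILTIN and default mappings)")
    if workgroup and workgroup not in ranges:
        findings.append(f"missing 'idmap config {workgroup}:range' for the joined domain")
    names = sorted(ranges)
    for i, a in enumerate(names):
        lo, hi = ranges[a]
        if lo >= hi:
            findings.append(f"idmap range for {a} is empty or inverted: {lo}-{hi}")
        for b in names[i + 1:]:
            if lo <= ranges[b][1] and ranges[b][0] <= hi:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    # Not checkable offline: with 'idmap config <dom>:backend = ad' every AD
    # user/group needs uidNumber/gidNumber inside that range or winbind skips it.
    return findings


if __name__ == '__main__':
    for f in check_member_config(parse_smb_conf(SMB_CONF), parse_krb5_conf(KRB5_CONF)):
        print('FINDING:', f)
```

On the constructed sample it reports two findings, both about AD.TEST.LOC having no [realms] block (the only [realms] entry is TEST.TEST.LOC). To run it against a real box, feed it the output of `testparm -s` rather than the raw smb.conf, so that `include =` directives and Samba's own parameter normalisation are already applied; the krb5.conf reader only understands the plain `key = value` and `{ }` syntax shown above, not `include`/`includedir`.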