[Samba] Domain member seems to work, wbinfo -u not (update2)

L.P.H. van Belle belle at bazuin.nl
Sat Apr 16 20:09:27 UTC 2016


New update.

I now have done about 6 machines.
2 with Samba 4.2.10 work fine, 2 not.
1 with Samba 4.3.7 works fine, 1 not.

I saw Jelmer updated Samba to 4.3.8 in sid, so I recompiled these for jessie.
I upgraded the 4.3.7 to 4.3.8.
Same result. wbinfo -g works, -u does not. For both servers.

I notice one strange thing here.
I have 2 servers, both Samba 4.2.10, all stock Debian packages.
My file server and my print server, both installed with the same script.
Only the name changed here in the script. One works ok, one not.

I notice some difference between these 2.

The file server: "wbinfo -u" works, and "getent passwd" works.
The print server: "wbinfo -u" does not work, and "getent passwd" does not work,
but "getent passwd username" works.

Also the output is a bit different.
File server shows  : username:*:10002:10000:U. username:/home/users/username:/bin/bash
Print server shows : username:*:10002:10000::/home/users/username:/bin/bash

So, anyone an idea where to look from here? But ^^^ must be a clue..

What I checked to see if settings are the same on both servers:
Samba smb.conf, besides hostnames, IPs and shares used, all the same.
resolv.conf checked.
nsswitch.conf checked.
Added the TLS parameters, SSL, checked.
Idmap.conf checked. ( needed for the kerberized NFS things )
UID/GID all there where it's needed.

An example of my config.

 

[global]
    workgroup = NTDOM
    security = ADS
    realm = REALM.DOM
    netbios name = PRINT1
    domain master = no
    host msdfs = no
    dns proxy = yes

    kerberos method = secrets and keytab
    dedicated keytab file = /etc/krb5.keytab
    client signing = if_required

    ## map ids outside the domain to tdb files.
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    ## map ids from the domain; this range and the (*) range may not overlap !
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind expand groups = 4
    winbind enum users  = yes
    winbind enum groups = yes
    # offline login and refresh keytab (tickets)
    winbind refresh tickets = yes
    winbind offline logon = yes

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    #Add and Update TLS Key
    tls enabled = yes
    tls keyfile = /etc/ssl/private/SOMEFILEk.pem
    tls certfile = /etc/ssl/certs/SOMEFILEc.pem
    tls cafile = /etc/ssl/certs/COMPANY-ca.pem

 

 

Greetz, 

 

Louis

 

 

 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Saturday 16 April 2016 14:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> (update1)
>
> Ok, an update on this.
>
> My setup was :
>
> DC's : Debian wheezy, sernet samba 4.2.11
> Members: Debian jessie, ( different versions of samba, shown below )
>
> Now I also saw some strange thing in my setup, which must be an inheritance
> of the install a few years ago.
>
> What I did.
>
> I removed my DC2 from the domain with --demote.
> Checked, and removed all other DC2 references in AD and DNS.
>
> I upgraded my DC1 from wheezy to jessie, still sernet samba 4.2.11.
> After the complete upgrade of the OS, I rechecked my DNS and AD, all ok
> now.
>
> I upgraded my DC2 from wheezy to jessie, also sernet samba 4.2.11
> I rejoined the domain.
>
> I saw a few things.
>
>       1) if the resolv.conf is set as advised, I got auth fails, and I got
> errors with sambadns_upgrade.
>       Solution, set both servers' resolv.conf to point to themselves first.
>       Sambadns updates work fine now, change it back when all is done.
>
>       2) after the DC2 join I'm still missing a right on
> /var/lib/samba/private/dns.keytab
>       Solution, chgrp bind /var/lib/samba/private/dns.keytab && chmod 640
> /var/lib/samba/private/dns.keytab
>
> I gave my servers some time to sync now; checking results too soon gives errors,
> so give it some time.
> Checked my status of both servers, all ok.
>
> Now I logged in on one of the failing (wbinfo -u) servers.
> So I tested 2 servers for now.
> Both exact same setup, ( all my setups are the same, because of the
> scripted installs ),
> The only difference is what I use them for.
> So my print server, Debian samba 4.3.7 , wbinfo -u , not working, but
> everything works,
> And I see the delay where I normally see the output.
> My mail server, Debian samba 4.2.10 , wbinfo -u works now, without
> changing anything.
>
> I'm not done yet, but this is a heads up.
>
> When I find more, I'll post some extra info.
>
> Greetz,
>
> Louis
>

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Friday 15 April 2016 15:55
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> >
> > Yeah, I have an output of log level 10 while I do a wbinfo -u.
> >
> > As for the packages below.
> > 4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this
> > problem.
> >
> > 4.2.20 .. error typo, is Version 4.2.10-Debian
> >
> > 4.3.7.. yeah, but 4.3.8 is not in Debian, the 4.3.7 is the package version
> > Debian used for the latest CVE fixes.
> >
> > I'm waiting until 4.4.2 is out of experimental so I can create a new
> > package.
> >
> > As far as I can see, it only happens with the jessie patched packages.
> >
> > Still testing..
> > What I also see is that when I do the "wbinfo -u" I see a slow down.
> > Looks like it is getting info but not displaying.
> >
> > I see for example :
> > log.winbindd:  validate_ns: NS/NTDOM/USERNAME ok
> > ( all my users are there like this )
> >
> > But I'm not good at debugging the Samba log.. :-( there is too much in
> > there..
> > Still looking...  Tried a third server, same problem.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> > > Sent: Friday 15 April 2016 15:08
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> > >
> > > On 15/04/16 13:43, L.P.H. van Belle wrote:
> > > > Ok, I have tested a bit more also.
> > > >
> > > > Now I have this problem also on some other servers with D. Jessie.
> > > >
> > > > The sernet 4.2.11 Debian wheezy works fine as far as I can see now.
> > > >
> > > > All my member servers have these settings ( see below ).
> > > > Versions used are
> > > > 4.1.17 (all ok) ( debian jessie packages )
> > > > 4.2.20 (fail wbinfo -u) ( debian jessie packages )
> > > > 4.2.11 (all ok) ( debian wheezy sernet packages )
> > > > 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> > > > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )
> > > >
> > > > 2 servers, now both on 4.2.10
> > > > On both work :
> > > > id username
> > > > getent username
> > > > wbinfo -g
> > > >
> > > > And on both, wbinfo -u does not.
> > > > Disabling TLS didn't help.
> > > >
> > > > Setting : ldap server require strong auth = no, yes or
> > > > allow_sasl_over_tls didn't help.
> > > >
> > > > Rebooted the server also.
> > > >
> > > > DC's setup.
> > > > Backend AD.
> > > > All users have UID and needed groups also.
> > > >
> > > > Config member server.
> > > > [global]
> > > >      workgroup = NTDOM
> > > >      security = ADS
> > > >      realm = INTERNAL.DOMAIN.TLD
> > > >
> > > >      netbios name = memberserver10
> > > >      domain master = no
> > > >      host msdfs = no
> > > >
> > > >      dedicated keytab file = /etc/krb5.keytab
> > > >      kerberos method = secrets and keytab
> > > >      client signing = if_required
> > > >
> > > >      idmap config *:backend = tdb
> > > >      idmap config *:range = 2000-9999
> > > >      idmap config NTDOM:backend = ad
> > > >      idmap config NTDOM:schema_mode = rfc2307
> > > >      idmap config NTDOM:range = 10000-3999999
> > > >
> > > >      winbind nss info = rfc2307
> > > >      winbind trusted domains only = no
> > > >      winbind use default domain = yes
> > > >      winbind enum users  = yes
> > > >      winbind enum groups = yes
> > > >      winbind refresh tickets = yes
> > > >      winbind offline logon = yes
> > > >      winbind expand groups = 4
> > > >
> > > >      wins server = 192.168.0.1, 192.168.0.2
> > > >
> > > >      username map = /etc/samba/samba_usermapping
> > > >
> > > >      usershare path =
> > > >
> > > >      vfs objects = acl_xattr
> > > >      map acl inherit = Yes
> > > >      store dos attributes = Yes
> > > >
> > > >      unix extensions = no
> > > >      wide links = no
> > > >      reset on zero vc = yes
> > > >      veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > > >      hide unreadable = yes
> > > >
> > > >      load printers = Yes
> > > >      printing = cups
> > > >      printcap name = cups
> > > >
> > > >      tls enabled = yes
> > > >      tls keyfile = ....
> > > >      tls certfile = ....
> > > >      tls cafile = ....
> > > >
> > >
> > > OK, this is strange, getent works but 'wbinfo -u' doesn't, it is usually
> > > the other way round :-)
> > >
> > > Louis, you probably already have cranked the log level up to 10, but if
> > > you haven't, can you, and then see if anything pops up.
> > >
> > > As for your list of versions:
> > >
> > > 4.1.17 (all ok) ( debian jessie packages )                  You really
> > > need to upgrade
> > > 4.2.20 (fail wbinfo -u) ( debian jessie packages ) Where did this come
> > > from, highest Samba 4.2 version: 4.2.11
> > > 4.2.11 (all ok) ( debian wheezy sernet packages )
> > > 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> > > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package ) Do
> > > not use, use 4.3.8
> > >
> > > Rowland
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> >

> 

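An added check, not from the thread and not part of Samba: it parses an smb.conf like the one posted in the top message and verifies the two things that config's own comments and the getent results hinge on, namely that the "*" and NTDOM idmap ranges do not overlap and that winbind enum users is on (without it, getent passwd enumeration returns nothing). The sample config below is constructed from the posted one, with a second variant in the test that overlaps the ranges on purpose.

```python
import re

# Constructed sample: the idmap/winbind lines from the smb.conf posted in the thread.
SAMPLE_CONF = """[global]
    workgroup = NTDOM
    security = ADS
    idmap config *: backend = tdb
    idmap config *: range = 2000-9999
    idmap config NTDOM: backend = ad
    idmap config NTDOM: schema_mode = rfc2307
    idmap config NTDOM: range = 10000-3999999
    winbind nss info = rfc2307
    winbind enum users  = yes
    winbind enum groups = yes
"""
# 'idmap config <DOMAIN> : <option> = <value>'; spaces around ':' are optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PARAM_RE = re.compile(r"^\s*([^=#;]+?)\s*=\s*(.*?)\s*$")

def parse_smb_conf(text):
    """Return (idmap, params); idmap maps domain -> {option: value}, params holds the rest."""
    idmap, params = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;[":
            continue                      # blank line, comment or section header
        m = IDMAP_RE.match(line)
        if m:
            idmap.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
        elif (m := PARAM_RE.match(line)):
            params[" ".join(m.group(1).lower().split())] = m.group(2)
    return idmap, params

def overlapping_ranges(idmap):
    """Pairs of domains (sorted by name) whose 'range = LOW-HIGH' intervals intersect."""
    spans = {d: tuple(int(x) for x in o["range"].split("-"))
             for d, o in idmap.items() if "range" in o}
    names = sorted(spans)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]]

def check(text):
    """Return a list of problems; empty means ranges are disjoint and enumeration is on."""
    idmap, params = parse_smb_conf(text)
    problems = [f"idmap ranges overlap: {a} and {b}" for a, b in overlapping_ranges(idmap)]
    if params.get("winbind enum users", "no").lower() != "yes":
        problems.append("winbind enum users != yes: 'getent passwd' will not enumerate")
    return problems
```

Run check() against the smb.conf of each server; the two configs in this thread only differ in hostname, so a non-empty result on one side and not the other would point at the file itself rather than at the package version.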

 


