[Samba] After Update to 4.2, Samba is unusuable as member server / No user and goup resolution
L.P.H. van Belle
belle at bazuin.nl
Sat Apr 16 20:11:25 UTC 2016
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group: files winbind
> hosts: files dns.
The dot after dns, do check if its in the config file please ;-)
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Patrick G.
> Stoesser
> Verzonden: zaterdag 16 april 2016 19:08
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] After Update to 4.2, Samba is unusuable as member
> server / No user and goup resolution
>
> Hello everybody,
>
> I've bin running Samba as a AD member server for ages (Debian stable).
> After the last update to 4.2, I just can't get it to work.
>
> Symptoms: unable to map AD user / groups.
>
> After two days of successlessly fiddling (and moving all data to another
> server with still Samba 3.6, which I will definitely NOT update at the
> moment), I decided to purge my Installation and start over again like
> described in
> <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
>
> So now my setup is (all names and IPs are masked, but are correct here):
>
> ********************************************************************
> smb.conf
> ********************************************************************
> [global]
>
> netbios name = test-fileserver3
> security = ADS
> workgroup = AD
> realm = AD.test.loc
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
>
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 10000-95000
>
> winbind nss info = template
> # template shell = /sbin/nologin
> # template homedir = /home/%U
> ********************************************************************
>
>
>
> ********************************************************************
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group: files winbind
> hosts: files dns.
> shadow: files winbind
>
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
> ********************************************************************
>
>
>
> My krb5.keytab has been generated correctly. I also have a krb5.conf:
>
> ********************************************************************
> krb5.conf
> ********************************************************************
>
> [libdefaults]
> default_realm = AD.TEST.LOC
> clockskew = 900
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
>
> [realms]
> TEST.TEST.LOC = {
> kdc = dc.ad.test.loc
> kdc = dc1.ad.test.loc
> kdc = dc2.ad.test.loc
> kdc = dc3.ad.test.loc
> admin_server = dc.test.loc
> }
>
> [domain_realm]
> .test.loc = AD.TEST.LOC
>
> [login]
> krb4_convert = true
> krb4_get_tickets = false
>
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
> ********************************************************************
>
> libpam.winbind and libnss.winbind are installed.
>
>
> Name resolution works (as before...):
>
> host -t A dc.ad.test.loc
> dc.ad.test.loc has address 123.456.789.208
>
> getent hosts
> 127.0.0.1 localhost
> 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
>
> Time is synchronized (as before...)
>
> net join ads -U "Domainadmin" worked.
>
> smbd, nmbd, winbind start sucessfully.
> wbinfo -t and -p are successful.
>
> But still no resolution. wbinfo -g and -u give no result. Also, getent
> passwd delivers only local accounts.
>
> Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> [2016/04/16 18:52:45.713298, 3]
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> Failed to map kerberos principal to system user
> (NT_STATUS_LOGON_FAILURE)"
>
> I tried, as read in the list, to change idmap config AD:backend = ad to
> rid. No change in results.
>
> Anyone any idea? I'm momentarily at the end of mine.
>
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list