[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution

L.P.H. van Belle belle at bazuin.nl
Sat Apr 16 20:11:25 UTC 2016


> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group:  files winbind
> hosts:  files dns. 

The dot after dns, do check if it's in the config file please ;-) 

Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick G.
> Stoesser
> Sent: Saturday 16 April 2016 19:08
> To: samba at lists.samba.org
> Subject: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution
> 
> Hello everybody,
> 
> I've been running Samba as an AD member server for ages (Debian stable).
> After the last update to 4.2, I just can't get it to work.
> 
> Symptoms: unable to map AD user / groups.
> 
> After two days of unsuccessfully fiddling (and moving all data to another
> server with still Samba 3.6, which I will definitely NOT update at the
> moment), I decided to purge my Installation and start over again like
> described in
> <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> 
> So now my setup is (all names and IPs are masked, but are correct here):
> 
> ********************************************************************
> smb.conf
> ********************************************************************
> [global]
> 
> netbios name = test-fileserver3
> security = ADS
> workgroup = AD
> realm = AD.test.loc
> 
> log file = /var/log/samba/%m.log
> log level = 3
> 
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> 
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users  = yes
> winbind enum groups = yes
> 
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> 
> idmap config AD:backend = ad
> idmap config AD:schema_mode = rfc2307
> idmap config AD:range = 10000-95000
> 
> winbind nss info = template
> #       template shell = /sbin/nologin
> #       template homedir = /home/%U
> ********************************************************************
> 
> 
> 
> ********************************************************************
> nsswitch.conf
> ********************************************************************
> passwd: files winbind
> group:  files winbind
> hosts:  files dns.
> shadow: files winbind
> 
> networks:       files
> 
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> 
> netgroup: nis
> ********************************************************************
> 
> 
> 
> My krb5.keytab has been generated correctly. I also have a krb5.conf:
> 
> ********************************************************************
> krb5.conf
> ********************************************************************
> 
> [libdefaults]
> default_realm = AD.TEST.LOC
> clockskew = 900
> 
> # The following libdefaults parameters are only for Heimdal Kerberos.
> v4_instance_resolve = false
> v4_name_convert = {
> host = {
> rcmd = host
> ftp = ftp
> }
> plain = {
> something = something-else
> }
> }
> fcc-mit-ticketflags = true
> 
> [realms]
> TEST.TEST.LOC = {
> kdc = dc.ad.test.loc
> kdc = dc1.ad.test.loc
> kdc = dc2.ad.test.loc
> kdc = dc3.ad.test.loc
> admin_server = dc.test.loc
> }
> 
> [domain_realm]
> .test.loc = AD.TEST.LOC
> 
> [login]
> krb4_convert = true
> krb4_get_tickets = false
> 
> [logging]
> kdc = FILE:/var/log/krb5/krb5kdc.log
> admin_server = FILE:/var/log/krb5/kadmind.log
> default = SYSLOG:NOTICE:DAEMON
> ********************************************************************
> 
> libpam.winbind and libnss.winbind are installed.
> 
> 
> Name resolution works (as before...):
> 
> host -t A dc.ad.test.loc
> dc.ad.test.loc has address 123.456.789.208
> 
> getent hosts
> 127.0.0.1       localhost
> 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> 
> Time is synchronized (as before...)
> 
> net join ads -U "Domainadmin" worked.
> 
> smbd, nmbd, winbind start successfully.
> wbinfo -t and -p are successful.
> 
> But still no resolution. wbinfo -g and -u give no result. Also, getent
> passwd delivers only local accounts.
> 
> Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> [2016/04/16 18:52:45.713298,  3]
> ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
>    Failed to map kerberos principal to system user
> (NT_STATUS_LOGON_FAILURE)"
> 
> I tried, as read in the list, to change idmap config AD:backend = ad to
> rid. No change in results.
> 
> Does anyone have any idea? I'm at the end of mine at the moment.
> 
> 
> 
> 
> 
> 
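The reply above turns on a single stray character: glibc loads NSS sources by name, so a token such as "dns." refers to a module that does not exist and is silently dropped rather than reported. The script below is an added example, not from the thread or from the Samba project. It lints an nsswitch.conf for source tokens that are not known module names and checks that passwd and group both list winbind, which a Samba AD member server needs for domain user and group resolution. The KNOWN_SOURCES list, the function names and the sample file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: lint an nsswitch.conf
# for the kind of typo discussed above. glibc ignores a source it cannot
# load, so "dns." raises no error, the source is simply never consulted.
# KNOWN_SOURCES is an assumption (typical glibc/winbind/sssd module names);
# extend it for the modules installed on your host.

KNOWN_SOURCES="files dns winbind sss compat db nis nisplus ldap hesiod \
myhostname mdns4_minimal mdns4 mymachines systemd resolve"

# is_known NAME -> exit 0 if NAME is in KNOWN_SOURCES
is_known() {
    for s in $KNOWN_SOURCES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# lint_nsswitch FILE
# Prints '<db>: unknown source "<token>"' for every source token that is
# not a known module. Comments and [ACTION=...] specs are skipped.
lint_nsswitch() {
    set -f   # no pathname expansion while splitting tokens like [NOTFOUND=return]
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # strip trailing comment
        case "$line" in *:*) ;; *) continue ;; esac
        db=$(printf '%s' "${line%%:*}" | tr -d ' \t')
        for tok in ${line#*:}; do
            case "$tok" in "["*) continue ;; esac
            is_known "$tok" || printf '%s: unknown source "%s"\n' "$db" "$tok"
        done
    done < "$1"
    set +f
}

# nsswitch_problems FILE -> number of suspicious tokens (0 = clean)
nsswitch_problems() {
    lint_nsswitch "$1" | wc -l | tr -d ' '
}

# missing_winbind FILE
# Prints each of passwd/group that does not list winbind; on an AD member
# server that means domain users or groups will not resolve at all.
missing_winbind() {
    for db in passwd group; do
        grep -E "^[[:space:]]*$db:" "$1" | grep -qw winbind \
            || printf '%s\n' "$db"
    done
}

# write_sample FILE: constructed sample mirroring the thread's nsswitch.conf
write_sample() {
    cat > "$1" <<'EOF'
passwd: files winbind
group:  files winbind
hosts:  files dns.
shadow: files winbind
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup: nis
EOF
}

sample=$(mktemp)
write_sample "$sample"
lint_nsswitch "$sample"            # -> hosts: unknown source "dns."
echo "problems: $(nsswitch_problems "$sample")"
missing_winbind "$sample"          # prints nothing: both databases list winbind
rm -f "$sample"
```

Run it against /etc/nsswitch.conf on the member server; a non-zero problem count points at a token to inspect, and any name printed by missing_winbind explains an empty getent passwd or getent group on its own.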