[Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution

L.P.H. van Belle belle at bazuin.nl
Sat Apr 16 20:23:08 UTC 2016


Try it with a simple krb5.conf; either you have errors there, or you changed too much to anonymize.

Like:

[libdefaults]
    default_realm = AD.TEST.LOC
    dns_lookup_kdc = true
    dns_lookup_realm = false


greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Saturday 16 April 2016 20:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution
> 
> On 16/04/16 18:08, Patrick G. Stoesser wrote:
> > Hello everybody,
> >
> > I've been running Samba as an AD member server for ages (Debian stable).
> > After the last update to 4.2, I just can't get it to work.
> >
> > Symptoms: unable to map AD users / groups.
> >
> > After two days of unsuccessful fiddling (and moving all data to
> > another server with still Samba 3.6, which I will definitely NOT
> > update at the moment), I decided to purge my installation and start
> > over again as described in
> > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> >
> > So now my setup is (all names and IPs are masked, but are correct here):
> >
> > ********************************************************************
> > smb.conf
> > ********************************************************************
> > [global]
> >
> > netbios name = test-fileserver3
> > security = ADS
> > workgroup = AD
> > realm = AD.test.loc
> >
> > log file = /var/log/samba/%m.log
> > log level = 3
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users  = yes
> > winbind enum groups = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > idmap config AD:backend = ad
> > idmap config AD:schema_mode = rfc2307
> > idmap config AD:range = 10000-95000
> >
> > winbind nss info = template
> > #       template shell = /sbin/nologin
> > #       template homedir = /home/%U
> > ********************************************************************
> >
> >
> > ********************************************************************
> > nsswitch.conf
> > ********************************************************************
> > passwd: files winbind
> > group:  files winbind
> > hosts:  files dns.
> > shadow: files winbind
> 
> Try removing 'winbind' from the shadow line. I have never used it;
> another user a few days ago was using it and was having similar problems
> to you, he removed winbind and reported back that everything was now
> working ok.
> 
> >
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup: nis
> > ********************************************************************
> >
> >
> > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> >
> > ********************************************************************
> > krb5.conf
> > ********************************************************************
> >
> > [libdefaults]
> > default_realm = AD.TEST.LOC
> > clockskew = 900
> >
> > # The following libdefaults parameters are only for Heimdal Kerberos.
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > TEST.TEST.LOC = {
> > kdc = dc.ad.test.loc
> > kdc = dc1.ad.test.loc
> > kdc = dc2.ad.test.loc
> > kdc = dc3.ad.test.loc
> > admin_server = dc.test.loc
> > }
> >
> > [domain_realm]
> > .test.loc = AD.TEST.LOC
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> > [logging]
> > kdc = FILE:/var/log/krb5/krb5kdc.log
> > admin_server = FILE:/var/log/krb5/kadmind.log
> > default = SYSLOG:NOTICE:DAEMON
> > ********************************************************************
> >
> > libpam.winbind and libnss.winbind are installed.
> >
> >
> > Name resolution works (as before...):
> >
> > host -t A dc.ad.test.loc
> > dc.ad.test.loc has address 123.456.789.208
> >
> > getent hosts
> > 127.0.0.1       localhost
> > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> >
> > Time is synchronized (as before...)
> >
> > net join ads -U "Domainadmin" worked.
> >
> > smbd, nmbd, winbind start successfully.
> > wbinfo -t and -p are successful.
> >
> > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > passwd delivers only local accounts.
> >
> > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > [2016/04/16 18:52:45.713298,  3]
> > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> >   Failed to map kerberos principal to system user
> > (NT_STATUS_LOGON_FAILURE)"
> >
> > I tried, as read in the list, to change idmap config AD:backend = ad
> > to rid. No change in results.
> 
> The 'ad' backend only works if your users have a unique uidNumber
> attribute; this number must be inside the range you set in smb.conf.
> Domain Users must also have a gidNumber.
> 
> 'rid' is different: you do not have to add anything to AD.
> 
> Rowland
> 
> >
> > Anyone any idea? I'm momentarily at the end of mine.
> >
> 

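Louis's advice above comes down to checking that the realm names in krb5.conf agree with each other: the posted file sets default_realm = AD.TEST.LOC while its only [realms] stanza is TEST.TEST.LOC. The following check is an added example (not from the thread or the Samba project); the sample config is constructed from the posted krb5.conf, trimmed to the relevant stanzas, and the check reports realms that are referenced but never defined and stanzas that nothing references.

```python
import re

# Constructed sample, trimmed from the krb5.conf quoted in the thread: the
# default realm is AD.TEST.LOC but the only [realms] stanza is TEST.TEST.LOC.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = AD.TEST.LOC
[realms]
TEST.TEST.LOC = {
kdc = dc.ad.test.loc
}
[domain_realm]
.test.loc = AD.TEST.LOC
"""

def parse_krb5_conf(text):
    """Return {section: [(key, value), ...]} with only top-level keys; 'key = {'
    opens a nested block (possibly nested again), so brace depth is tracked."""
    sections, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if depth == 0 and line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip()
            sections.setdefault(section, [])
        elif line == "}":
            depth -= 1
        elif (m := re.match(r"([^=]+?)\s*=\s*(.*)", line)) and section:
            key, value = m.group(1).strip(), m.group(2).strip()
            if depth == 0:
                sections[section].append((key, value))
            if value == "{":
                depth += 1
    return sections

def check_realms(text):
    """List realms referenced without a [realms] stanza, and unused stanzas."""
    conf = parse_krb5_conf(text)
    libdefaults = dict(conf.get("libdefaults", []))
    defined = {k for k, _ in conf.get("realms", [])}
    # A missing stanza is only fatal without DNS SRV lookup, so skip it when dns_lookup_kdc is on.
    dns_ok = libdefaults.get("dns_lookup_kdc", "").lower() == "true"
    used = [("default_realm", libdefaults.get("default_realm"))]
    used += [(f"[domain_realm] {d}", r) for d, r in conf.get("domain_realm", [])]
    findings = [f"{where} -> {realm}: no [realms] stanza" for where, realm in used
                if realm and realm not in defined and not dns_ok]
    findings += [f"[realms] {r} is never referenced"
                 for r in sorted(defined - {r for _, r in used})]
    return findings
```

Run against the minimal config Louis suggests (dns_lookup_kdc = true and no [realms] section) the check reports nothing, because the KDC is then found through DNS.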
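Rowland's rules for the 'ad' backend can be checked mechanically before suspecting winbind itself. This added Python example (not from the thread or the Samba project) reads the idmap stanzas from the posted smb.conf and applies those rules to a constructed, hypothetical set of AD objects shaped like the attributes an LDAP query would return; every name and number in AD_OBJECTS is made up.

```python
import re

# Constructed sample: the idmap stanzas from the smb.conf quoted in the thread.
SMB_CONF = """[global]
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config AD:backend = ad
idmap config AD:schema_mode = rfc2307
idmap config AD:range = 10000-95000
"""

# Hypothetical AD objects (not from the thread), shaped like the attributes an
# LDAP query would return. Only 'alice' satisfies every rule.
AD_OBJECTS = [
    {"name": "alice", "objectClass": "user", "uidNumber": 10001, "gidNumber": 10000},
    {"name": "bob", "objectClass": "user", "uidNumber": 10001},   # duplicate uidNumber
    {"name": "ps-15-16", "objectClass": "user"},                  # no uidNumber at all
    {"name": "carol", "objectClass": "user", "uidNumber": 5000},  # below the AD range
    {"name": "Domain Users", "objectClass": "group"},             # no gidNumber
]

def idmap_config(smb_conf, domain):
    """Return (backend, (low, high)) for one 'idmap config DOMAIN:*' block."""
    pat = rf"^\s*idmap config {re.escape(domain)}\s*:\s*(\w+)\s*=\s*(\S+)"
    cfg = {m.group(1).lower(): m.group(2) for m in re.finditer(pat, smb_conf, re.M | re.I)}
    low, high = (int(x) for x in cfg["range"].split("-"))
    return cfg.get("backend"), (low, high)

def check_ad_backend(smb_conf, domain, objects):
    """Apply the rules Rowland states: with the 'ad' backend every user needs a
    unique uidNumber inside the domain's idmap range, and Domain Users needs a
    gidNumber. The 'rid' backend derives IDs from the SID, so nothing to check."""
    backend, (low, high) = idmap_config(smb_conf, domain)
    if backend != "ad":
        return []
    findings, seen = [], {}
    for obj in objects:
        name = obj["name"]
        if obj["objectClass"] == "user":
            uid = obj.get("uidNumber")
            if uid is None:
                findings.append(f"{name}: no uidNumber, winbind cannot map this user")
            elif not low <= uid <= high:
                findings.append(f"{name}: uidNumber {uid} is outside {low}-{high}")
            elif uid in seen:
                findings.append(f"{name}: uidNumber {uid} duplicates {seen[uid]}")
            else:
                seen[uid] = name
        elif name == "Domain Users" and obj.get("gidNumber") is None:
            findings.append("Domain Users: no gidNumber, primary group cannot be mapped")
    return findings
```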