[Samba] After Update to 4.2, Samba is unusuable as member server / No user and goup resolution
L.P.H. van Belle
belle at bazuin.nl
Sat Apr 16 20:23:08 UTC 2016
Try it with a simple krb5.conf, or you have errors there, or you change to much to anonimize..
Like :
[libdefaults]
default_realm = AD.TEST.LOC
dns_lookup_kdc = true
dns_lookup_realm = false
greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland penny
> Verzonden: zaterdag 16 april 2016 20:34
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] After Update to 4.2, Samba is unusuable as member
> server / No user and goup resolution
>
> On 16/04/16 18:08, Patrick G. Stoesser wrote:
> > Hello everybody,
> >
> > I've bin running Samba as a AD member server for ages (Debian stable).
> > After the last update to 4.2, I just can't get it to work.
> >
> > Symptoms: unable to map AD user / groups.
> >
> > After two days of successlessly fiddling (and moving all data to
> > another server with still Samba 3.6, which I will definitely NOT
> > update at the moment), I decided to purge my Installation and start
> > over again like described in
> > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> >
> > So now my setup is (all names and IPs are masked, but are correct here):
> >
> > ********************************************************************
> > smb.conf
> > ********************************************************************
> > [global]
> >
> > netbios name = test-fileserver3
> > security = ADS
> > workgroup = AD
> > realm = AD.test.loc
> >
> > log file = /var/log/samba/%m.log
> > log level = 3
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > idmap config AD:backend = ad
> > idmap config AD:schema_mode = rfc2307
> > idmap config AD:range = 10000-95000
> >
> > winbind nss info = template
> > # template shell = /sbin/nologin
> > # template homedir = /home/%U
> > ********************************************************************
> >
> >
> >
> > ********************************************************************
> > nsswitch.conf
> > ********************************************************************
> > passwd: files winbind
> > group: files winbind
> > hosts: files dns.
> > shadow: files winbind
>
> Try removing 'winbind' from the shadow line, I have never used it,
> another user a few days ago was using it and was having similar problems
> to you, he removed windbind and reported back that everything was now
> working ok.
>
> >
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> > ********************************************************************
> >
> >
> >
> > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> >
> > ********************************************************************
> > krb5.conf
> > ********************************************************************
> >
> > [libdefaults]
> > default_realm = AD.TEST.LOC
> > clockskew = 900
> >
> > # The following libdefaults parameters are only for Heimdal Kerberos.
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > TEST.TEST.LOC = {
> > kdc = dc.ad.test.loc
> > kdc = dc1.ad.test.loc
> > kdc = dc2.ad.test.loc
> > kdc = dc3.ad.test.loc
> > admin_server = dc.test.loc
> > }
> >
> > [domain_realm]
> > .test.loc = AD.TEST.LOC
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> > [logging]
> > kdc = FILE:/var/log/krb5/krb5kdc.log
> > admin_server = FILE:/var/log/krb5/kadmind.log
> > default = SYSLOG:NOTICE:DAEMON
> > ********************************************************************
> >
> > libpam.winbind and libnss.winbind are installed.
> >
> >
> > Name resolution works (as before...):
> >
> > host -t A dc.ad.test.loc
> > dc.ad.test.loc has address 123.456.789.208
> >
> > getent hosts
> > 127.0.0.1 localhost
> > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> >
> > Time is synchronized (as before...)
> >
> > net join ads -U "Domainadmin" worked.
> >
> > smbd, nmbd, winbind start sucessfully.
> > wbinfo -t and -p are successful.
> >
> > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > passwd delivers only local accounts.
> >
> > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > [2016/04/16 18:52:45.713298, 3]
> > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > Failed to map kerberos principal to system user
> > (NT_STATUS_LOGON_FAILURE)"
> >
> > I tried, as read in the list, to change idmap config AD:backend = ad
> > to rid. No change in results.
>
> the 'ad' backend only works if your users have a unique uidNumber
> attribute, this number must be inside the range you set in smb.conf.
> Domain Users must also have a gidNumber.
>
> 'rid' is different, you do not have to add anything to AD
>
> Rowland
>
> >
> > Anyone any idea? I'm momentarily at the end of mine.
> >
> >
> >
> >
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list