[Samba] Domain member seems to work, wbinfo -u not (update2)
Rowland penny
rpenny at samba.org
Sun Apr 17 10:41:00 UTC 2016
On 16/04/16 21:31, Rowland penny wrote:
> On 16/04/16 21:09, L.P.H. van Belle wrote:
>> New update.
>>
>>
>> I now have done about 6 machines.
>>
>> 2 with samba 4.2.10 work fine, 2 not.
>>
>> 1 with samba 4.3.7 works fine, 1 not.
>>
>>
>> I saw Jelmer updated the samba to 4.3.8 in sid, so I recompiled these
>> to jessie.
>>
>> I upgraded the 4.3.7 to 4.3.8
>
> Hi Louis, Debian 4.2.10 is the same as Samba 4.2.11 and Debian 4.3.7
> is the same as 4.3.8. There was a regression and this was fixed with a
> patch, the Debian packages install the patch separately, the later
> Samba tarballs include the patch. This confused the hell out of me,
> until it was explained.
>
>>
>> Same result. Wbinfo -g works, -u not. For both servers.
>>
>>
>> I notice one strange thing here.
>>
>> I have 2 servers, both samba 4.2.10, all stock debian packages.
>>
>> My file server and my print server, both installed with the same script.
>>
>> Only the name changed here in the script. One works ok, one not.
>>
>>
>> I notice some difference between these 2.
>>
>>
>> The file server, "wbinfo -u" works, and "getent passwd" works.
>>
>> The print server, "wbinfo -u" does not work, and "getent passwd"
>> does not work,
>>
>> but "getent passwd username" works.
>>
>>
>> Also the output is a bit different.
>>
>> File server shows : username:*:10002:10000:U.
>> username:/home/users/username:/bin/bash
>>
>> Print server shows :
>> username:*:10002:10000::/home/users/username:/bin/bash
>>
>>
>> So, does anyone have an idea where to look from here? But ^^^ must be a clue.
>>
>>
>>
>> What I checked, to see if the settings are the same on both servers:
>>
>> Samba smb.conf, beside hostnames ip shares used, all same.
>>
>> Resolv.conf checked.
>>
>> Nsswitch.conf checked.
>>
>> Added the TLS parameters, ssl, checked.
>>
>> Idmap.conf checked. ( needed for the nfs kerberized things )
>>
>> UID/GID all there where it's needed.
>>
>>
>> An example of my config.
>>
>>
>> [global]
>> workgroup = NTDOM
>> security = ADS
>> realm = REALM.DOM
>> netbios name = PRINT1
>> domain master = no
>> host msdfs = no
>> dns proxy = yes
>>
>> kerberos method = secrets and keytab
>> dedicated keytab file = /etc/krb5.keytab
>> client signing = if_required
>>
>> ## map id's outside to domain to tdb files.
>> idmap config *: backend = tdb
>> idmap config *: range = 2000-9999
>> ## map ids from the domain and (*) the range may not overlap !
>> idmap config NTDOM: backend = ad
>> idmap config NTDOM: schema_mode = rfc2307
>> idmap config NTDOM: range = 10000-3999999
>>
>> # Use home directory and shell information from AD
>> winbind nss info = rfc2307
>>
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind expand groups = 4
>> winbind enum users = yes
>> winbind enum groups = yes
>> # offline login and refresh keytab (tickets)
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>>
>> # disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>> #Add and Update TLS Key
>> tls enabled = yes
>> tls keyfile = /etc/ssl/private/SOMEFILEk.pem
>> tls certfile = /etc/ssl/certs/SOMEFILEc.pem
>> tls cafile = /etc/ssl/certs/COMPANY-ca.pem
>>
>>
>>
>> Greetz,
>>
>>
>> Louis
>>
>>
>
> I am now updating my DC's and I will set up a new domain member (in a
> VM) using a self compiled 4.4.2, I will report back later.
>
> Rowland
>
OK, it is now later :-)
My DCs are now running a self-compiled Samba 4.4.2, I set up a domain
member in a VM running 4.4.2, again self compiled. My laptop runs Wheezy
and Samba Version 4.2.11-SerNet-Debian-9.wheezy.
Everything works, wbinfo -u, wbinfo -g, wbinfo -r, id and getent, so
either I am very lucky or something else is causing the problem.
If it is something else causing the problem, I do not know what it is,
but the only real difference between my OS and all the others that are
having problems, is that I use Devuan.
Rowland
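
Added example, not code from either poster or from the Samba project: a Python check of the rule noted in the quoted smb.conf comment, that the `idmap config` ranges of the default (`*`) domain and the AD domain must not overlap. The function names are hypothetical and the sample text is constructed from the idmap lines quoted above; backslash line continuations and `include` directives are not handled.

```python
import re

# Constructed sample: the idmap lines from the smb.conf quoted in the thread.
SAMPLE = """\
[global]
workgroup = NTDOM
## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
idmap config NTDOM: backend = ad
idmap config NTDOM: schema_mode = rfc2307
idmap config NTDOM: range = 10000-3999999
"""

# Matches a normalised key such as "idmap config ntdom: range".
IDMAP_RE = re.compile(r"^idmap\s+config\s+(\S+?)\s*:\s*(\S.*)$", re.I)

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and extra whitespace
            params[" ".join(key.lower().split())] = value.strip()
    return params

def idmap_ranges(params):
    """Return {domain: (low, high)} from 'idmap config DOM : range' entries."""
    ranges = {}
    for key, value in params.items():
        m = IDMAP_RE.match(key)
        if m and m.group(2) == "range":
            low, high = (int(x) for x in value.split("-", 1))
            if low > high:
                raise ValueError(f"idmap range for {m.group(1)} is reversed")
            ranges[m.group(1).upper()] = (low, high)
    return ranges

def overlaps(ranges):
    """Return the sorted domain pairs whose ID ranges intersect."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]
```

Running `overlaps(idmap_ranges(parse_global(open("/etc/samba/smb.conf").read())))` on each domain member gives an empty list when the ranges are disjoint, as they are in the quoted config.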