[Samba] Domain member seems to work, wbinfo -u not (update2)

Rowland penny rpenny at samba.org
Sun Apr 17 10:41:00 UTC 2016


On 16/04/16 21:31, Rowland penny wrote:
> On 16/04/16 21:09, L.P.H. van Belle wrote:
>> New update.
>>
>>
>> I now have done about 6 machines.
>>
>> 2 with samba 4.2.10 work fine, 2 not.
>>
>> 1 with samba 4.3.7 works fine, 1 not.
>>
>>
>> I saw Jelmer updated the samba to 4.3.8 in sid, so I recompiled these 
>> to jessie.
>>
>> I upgraded the 4.3.7 to 4.3.8
>
> Hi Louis, Debian 4.2.10 is the same as Samba 4.2.11 and Debian 4.3.7 
> is the same as 4.3.8. There was a regression and this was fixed with a 
> patch; the Debian packages install the patch separately, the later 
> Samba tarballs include the patch. This confused the hell out of me, 
> until it was explained.
>
>>
>> Same result. Wbinfo -g works, -u not. For both servers.
>>
>>
>> I notice one strange thing here.
>>
>> I have 2 servers, both samba 4.2.10, all stock debian packages.
>>
>> My file server and my print server, both installed with the same script.
>>
>> Only the name changed here in the script. One works ok, one not.
>>
>>
>> I notice some difference between these 2.
>>
>>
>> The file server, "wbinfo -u" works, and "getent passwd" works.
>>
>> The print server, "wbinfo -u" does not work, and "getent passwd" does
>> not work, but "getent passwd username" works.
>>
>>
>> Also the output is a bit different.
>>
>> File server shows  : username:*:10002:10000:U. username:/home/users/username:/bin/bash
>>
>> Print server shows : username:*:10002:10000::/home/users/username:/bin/bash
>>
>>
>> So does anyone have an idea where to look from here? But ^^^ must be a clue.
>>
>>
>>
>> What I checked, to see if settings are the same on both servers:
>>
>> Samba smb.conf, besides hostnames, IPs and shares used, all the same.
>>
>> Resolv.conf checked.
>>
>> Nsswitch.conf checked.
>>
>> Added the TLS parameters, ssl, checked.
>>
>> Idmap.conf checked. ( needed for the nfs kerberized things )
>>
>> UID/GID all there where it's needed.
>>
>>
>> An example of my config.
>>
>>
>> [global]
>>
>>      workgroup = NTDOM
>>
>>      security = ADS
>>
>>      realm = REALM.DOM
>>
>>      netbios name = PRINT1
>>
>>      domain master = no
>>
>>      host msdfs = no
>>
>>      dns proxy = yes
>>
>>
>>      kerberos method = secrets and keytab
>>
>>      dedicated keytab file = /etc/krb5.keytab
>>
>>      client signing = if_required
>>
>>
>>      ## map id's outside to domain to tdb files.
>>
>>      idmap config *: backend = tdb
>>
>>      idmap config *: range = 2000-9999
>>
>>      ## map ids from the domain and (*) the range may not overlap !
>>
>>      idmap config NTDOM: backend = ad
>>
>>      idmap config NTDOM: schema_mode = rfc2307
>>
>>      idmap config NTDOM: range = 10000-3999999
>>
>>
>>      # Use home directory and shell information from AD
>>
>>      winbind nss info = rfc2307
>>
>>
>>      winbind trusted domains only = no
>>
>>      winbind use default domain = yes
>>
>>      winbind expand groups = 4
>>
>>      winbind enum users  = yes
>>
>>      winbind enum groups = yes
>>
>>      # offline login and refresh keytab (tickets)
>>
>>      winbind refresh tickets = yes
>>
>>      winbind offline logon = yes
>>
>>
>>      # disable printing completely
>>
>>      load printers = no
>>
>>      printing = bsd
>>
>>      printcap name = /dev/null
>>
>>      disable spoolss = yes
>>
>>
>>      #Add and Update TLS Key
>>
>>      tls enabled = yes
>>
>>      tls keyfile = /etc/ssl/private/SOMEFILEk.pem
>>
>>      tls certfile = /etc/ssl/certs/SOMEFILEc.pem
>>
>>      tls cafile = /etc/ssl/certs/COMPANY-ca.pem
>>
>>
>>
>> Greetz,
>>
>>
>> Louis
>>
>>
>
> I am now updating my DCs and I will set up a new domain member (in a 
> VM) using a self-compiled 4.4.2. I will report back later.
>
> Rowland
>

OK, it is now later :-)

My DCs are now running a self-compiled Samba 4.4.2. I set up a domain 
member in a VM running 4.4.2, again self-compiled. My laptop runs Wheezy 
and Samba Version 4.2.11-SerNet-Debian-9.wheezy.

Everything works: wbinfo -u, wbinfo -g, wbinfo -r, id and getent, so 
either I am very lucky or something else is causing the problem.
If it is something else causing the problem, I do not know what it is, 
but the only real difference between my OS and all the others that are 
having problems is that I use Devuan.

Rowland


