[Samba] Domain member seems to work, wbinfo -u not (update3)

L.P.H. van Belle belle at bazuin.nl
Sun Apr 17 13:51:10 UTC 2016


Ok some new info. 

Yesterday file server worked, print server not.
Today, both don't work.

Same test today, proxy1 and proxy2.
Proxy1 didn't work, proxy2 did (at that time 4.3.6).

I upgraded proxy2 (to 4.3.8), tested again, still working.
Ok, now this proxy2 is a VM (a copy of proxy1), so let's try something..

I removed proxy2 from the AD domain (proxy1 is our main proxy), so this one is to test with.
Cleared up the /var/(lib/cache)/samba folders.
Re-added the server to the domain, started samba and winbind, and..
Same problem here now.

I'm thinking it's something related to the kerberos keytab file.
I also checked the (yesterday) working file server, and I did see that
only the keytab file was refreshed.
Since there were no changes on that server, why did it work yesterday and not today.. so keytab related is my guess.
And I noticed some mounts were not automounting on bootup, and these use kerberos also.
Re-creating the keytab file didn't help.

Tomorrow more testing.. 


Greetz, 

Louis




> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Sunday 17 April 2016 12:41
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
> (update2)
> 
> On 16/04/16 21:31, Rowland penny wrote:
> > On 16/04/16 21:09, L.P.H. van Belle wrote:
> >> New update.
> >>
> >>
> >> I now have done about 6 machines.
> >>
> >> 2 with samba 4.2.10 work fine, 2 not.
> >>
> >> 1 with samba 4.3.7 works fine, 1 not.
> >>
> >>
> >> I saw Jelmer updated the samba to 4.3.8 in sid, so I recompiled these
> >> to jessie.
> >>
> >> I upgraded the 4.3.7 to 4.3.8
> >
> > Hi Louis, debian 4.2.10 is the same as Samba 4.2.11 and debian 4.3.7
> > is the same as 4.3.8. There was a regression and this was fixed with a
> > patch, the debian packages install the patch separately, the later
> > Samba tarballs include the patch. This confused the hell out of me,
> > until it was explained.
> >
> >>
> >> Same result. Wbinfo -g works, -u not. For both servers.
> >>
> >>
> >> I notice one strange thing here.
> >>
> >> I have 2 servers, both samba 4.2.10, all stock debian packages.
> >>
> >> My file server and my print server, both installed with the same
> >> script.
> >>
> >> Only the name changed here in the script. One works ok, one not.
> >>
> >>
> >> I notice some difference between these 2.
> >>
> >>
> >> The file server, "wbinfo -u" works, and "getent passwd" works.
> >>
> >> The print server, "wbinfo -u" does not work, and "getent passwd"
> >> does not work,
> >>
> >> but "getent passwd username" works.
> >>
> >>
> >> Also the output is bit different.
> >>
> >> File server shows  : username:*:10002:10000:U. username:/home/users/username:/bin/bash
> >>
> >> Print server shows :
> >> username:*:10002:10000::/home/users/username:/bin/bash
> >>
> >>
> >> So does anyone have an idea where to look from here? But ^^^ must be a clue..
> >>
> >>
> >>
> >> What I checked, to see if settings are the same on both servers:
> >>
> >> Samba smb.conf, besides hostnames, IPs and shares used, all the same.
> >>
> >> Resolv.conf checked.
> >>
> >> Nsswitch.conf checked.
> >>
> >> Added the TLS parameters, ssl, checked.
> >>
> >> Idmap.conf checked. ( needed for the nfs kerberized things )
> >>
> >> UID/GID all there where it's needed.
> >>
> >>
> >> An example of my config.
> >>
> >>
> >> [global]
> >>
> >>      workgroup = NTDOM
> >>
> >>      security = ADS
> >>
> >>      realm = REALM.DOM
> >>
> >>      netbios name = PRINT1
> >>
> >>      domain master = no
> >>
> >>      host msdfs = no
> >>
> >>      dns proxy = yes
> >>
> >>
> >>      kerberos method = secrets and keytab
> >>
> >>      dedicated keytab file = /etc/krb5.keytab
> >>
> >>      client signing = if_required
> >>
> >>
> >>      ## map id's outside to domain to tdb files.
> >>
> >>      idmap config *: backend = tdb
> >>
> >>      idmap config *: range = 2000-9999
> >>
> >>      ## map ids from the domain and (*) the range may not overlap !
> >>
> >>      idmap config NTDOM: backend = ad
> >>
> >>      idmap config NTDOM: schema_mode = rfc2307
> >>
> >>      idmap config NTDOM: range = 10000-3999999
> >>
> >>
> >>      # Use home directory and shell information from AD
> >>
> >>      winbind nss info = rfc2307
> >>
> >>
> >>      winbind trusted domains only = no
> >>
> >>      winbind use default domain = yes
> >>
> >>      winbind expand groups = 4
> >>
> >>      winbind enum users  = yes
> >>
> >>      winbind enum groups = yes
> >>
> >>      # offline login and refresh keytab (tickets)
> >>
> >>      winbind refresh tickets = yes
> >>
> >>      winbind offline logon = yes
> >>
> >>
> >>      # disable printing completely
> >>
> >>      load printers = no
> >>
> >>      printing = bsd
> >>
> >>      printcap name = /dev/null
> >>
> >>      disable spoolss = yes
> >>
> >>
> >>      #Add and Update TLS Key
> >>
> >>      tls enabled = yes
> >>
> >>      tls keyfile = /etc/ssl/private/SOMEFILEk.pem
> >>
> >>      tls certfile = /etc/ssl/certs/SOMEFILEc.pem
> >>
> >>      tls cafile = /etc/ssl/certs/COMPANY-ca.pem
> >>
> >>
> >>
> >> Greetz,
> >>
> >>
> >> Louis
> >>
> >>
> >
> > I am now updating my DC's and I will set up a new domain member (in a
> > VM) using a self compiled 4.4.2, I will report back later.
> >
> > Rowland
> >
> 
> OK, it is now later :-)
> 
> My DCs are now running a self-compiled Samba 4.4.2, I set up a domain
> member in a VM running 4.4.2, again self compiled. My laptop runs Wheezy
> and Samba Version 4.2.11-SerNet-Debian-9.wheezy.
> 
> Everything works, wbinfo -u, wbinfo -g, wbinfo -r, id and getent, so
> either I am very lucky or something else is causing the problem.
> If it is something else causing the problem, I do not know what it is,
> but the only real difference between my OS and all the others that are
> having problems, is that I use Devuan.
> 
> Rowland
> 