[Samba] FW: Domain member seems to work, wbinfo -u not (update7)
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 19 10:47:52 UTC 2016
@Patrick Thanks, that helped.
@Mathias, only 10.000 objects.
>> client ldap sasl wrapping = plain <<
I've tested that on my members.
4.2.10
4.3.8
4.4.1
4.4.2
wbinfo -u now work.
Ok tested all 3 options of that settings.
Tested als in the order, plain seal sign
Samba 4.2.10 (debian stable)
client ldap sasl wrapping = plain wbinfo -u works.
client ldap sasl wrapping = seal wbinfo -u fails
client ldap sasl wrapping = sign wbinfo -u fails
only plain works, en keeps working.
Other server.
Version 4.4.2-LvB ( samba.org packages, own deb, based on debian 4.4.1 )
Default it fails, now the funny part.
( default samba setting is sign )
We start with a NOT working wbinfo -u.
Test with following changes.
Try1) client ldap sasl wrapping = plain wbinfo -u works.
Try2) client ldap sasl wrapping = seal wbinfo -u also works now.
Try3) client ldap sasl wrapping = sign wbinfo -u also works now.
Only the 4.4.2 now keeps working independed of the setting.
Lunch first, i'll test the 4.3.8 also.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Patrick G.
> Stoesser
> Verzonden: dinsdag 19 april 2016 12:21
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] After Update to 4.2, Samba is unusuable as member
> server / No user and goup resolution
>
> Hello,
>
> a reply in debianforum.de led me to:
>
> client ldap sasl wrapping = plain
>
> and with that setting at least wbinfo works.
>
> But still my problems are not completely gone: On the filesystem level,
> AD users and groups are still not resolved. "Invalid user". But kinit
> "USER" works. Still have to try...
>
> Regards, pgs
>
>
> Am 16.04.2016 um 19:08 schrieb Patrick G. Stoesser:
> > Hello everybody,
> >
> > I've bin running Samba as a AD member server for ages (Debian stable).
> > After the last update to 4.2, I just can't get it to work.
> >
> > Symptoms: unable to map AD user / groups.
> >
> > After two days of successlessly fiddling (and moving all data to another
> > server with still Samba 3.6, which I will definitely NOT update at the
> > moment), I decided to purge my Installation and start over again like
> > described in
> > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> >
> > So now my setup is (all names and IPs are masked, but are correct here):
> >
> > ********************************************************************
> > smb.conf
> > ********************************************************************
> > [global]
> >
> > netbios name = test-fileserver3
> > security = ADS
> > workgroup = AD
> > realm = AD.test.loc
> >
> > log file = /var/log/samba/%m.log
> > log level = 3
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > idmap config AD:backend = ad
> > idmap config AD:schema_mode = rfc2307
> > idmap config AD:range = 10000-95000
> >
> > winbind nss info = template
> > # template shell = /sbin/nologin
> > # template homedir = /home/%U
> > ********************************************************************
> >
> >
> >
> > ********************************************************************
> > nsswitch.conf
> > ********************************************************************
> > passwd: files winbind
> > group: files winbind
> > hosts: files dns.
> > shadow: files winbind
> >
> > networks: files
> >
> > protocols: db files
> > services: db files
> > ethers: db files
> > rpc: db files
> >
> > netgroup: nis
> > ********************************************************************
> >
> >
> >
> > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> >
> > ********************************************************************
> > krb5.conf
> > ********************************************************************
> >
> > [libdefaults]
> > default_realm = AD.TEST.LOC
> > clockskew = 900
> >
> > # The following libdefaults parameters are only for Heimdal Kerberos.
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > TEST.TEST.LOC = {
> > kdc = dc.ad.test.loc
> > kdc = dc1.ad.test.loc
> > kdc = dc2.ad.test.loc
> > kdc = dc3.ad.test.loc
> > admin_server = dc.test.loc
> > }
> >
> > [domain_realm]
> > .test.loc = AD.TEST.LOC
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> > [logging]
> > kdc = FILE:/var/log/krb5/krb5kdc.log
> > admin_server = FILE:/var/log/krb5/kadmind.log
> > default = SYSLOG:NOTICE:DAEMON
> > ********************************************************************
> >
> > libpam.winbind and libnss.winbind are installed.
> >
> >
> > Name resolution works (as before...):
> >
> > host -t A dc.ad.test.loc
> > dc.ad.test.loc has address 123.456.789.208
> >
> > getent hosts
> > 127.0.0.1 localhost
> > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> >
> > Time is synchronized (as before...)
> >
> > net join ads -U "Domainadmin" worked.
> >
> > smbd, nmbd, winbind start sucessfully.
> > wbinfo -t and -p are successful.
> >
> > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > passwd delivers only local accounts.
> >
> > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > [2016/04/16 18:52:45.713298, 3]
> > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > Failed to map kerberos principal to system user
> > (NT_STATUS_LOGON_FAILURE)"
> >
> > I tried, as read in the list, to change idmap config AD:backend = ad to
> > rid. No change in results.
> >
> > Anyone any idea? I'm momentarily at the end of mine.
> >
> >
> >
> >
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list