[Samba] FW: Domain member seems to work, wbinfo -u not (update7)

L.P.H. van Belle belle at bazuin.nl
Tue Apr 19 10:47:52 UTC 2016


@Patrick Thanks, that helped. 
@Mathias, only 10.000 objects. 

>>  client ldap sasl wrapping = plain  << 

I've tested that on my members. 
4.2.10 
4.3.8 
4.4.1
4.4.2
wbinfo -u now works. 

Ok, tested all 3 options of that setting. 
Also tested in this order: plain, seal, sign.

Samba 4.2.10 (debian stable) 
   client ldap sasl wrapping = plain    wbinfo -u works. 
   client ldap sasl wrapping = seal     wbinfo -u fails
   client ldap sasl wrapping = sign     wbinfo -u fails
Only plain works, and keeps working. 


Other server.
Version 4.4.2-LvB ( samba.org packages, own deb, based on debian 4.4.1 ) 
Default it fails, now the funny part. 
( default samba setting is sign ) 
We start with a NOT working wbinfo -u. 

Test with the following changes. 
Try1) client ldap sasl wrapping = plain    wbinfo -u works. 
Try2) client ldap sasl wrapping = seal     wbinfo -u also works now. 
Try3) client ldap sasl wrapping = sign     wbinfo -u also works now.

Only the 4.4.2 now keeps working, independent of the setting. 
Lunch first, I'll test the 4.3.8 also. 


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick G.
> Stoesser
> Sent: Tuesday, 19 April 2016 12:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> server / No user and group resolution
> 
> Hello,
> 
> a reply in debianforum.de led me to:
> 
> client ldap sasl wrapping = plain
> 
> and with that setting at least wbinfo works.
> 
> But still my problems are not completely gone: On the filesystem level,
> AD users and groups are still not resolved. "Invalid user". But kinit
> "USER" works. Still have to try...
> 
> Regards, pgs
> 
> 
> > On 16.04.2016 at 19:08, Patrick G. Stoesser wrote:
> > Hello everybody,
> >
> > I've been running Samba as an AD member server for ages (Debian stable).
> > After the last update to 4.2, I just can't get it to work.
> >
> > Symptoms: unable to map AD user / groups.
> >
> > After two days of unsuccessfully fiddling (and moving all data to another
> > server with still Samba 3.6, which I will definitely NOT update at the
> > moment), I decided to purge my Installation and start over again like
> > described in
> > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> >
> > So now my setup is (all names and IPs are masked, but are correct here):
> >
> > ********************************************************************
> > smb.conf
> > ********************************************************************
> > [global]
> >
> > netbios name = test-fileserver3
> > security = ADS
> > workgroup = AD
> > realm = AD.test.loc
> >
> > log file = /var/log/samba/%m.log
> > log level = 3
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > winbind refresh tickets = yes
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users  = yes
> > winbind enum groups = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> >
> > idmap config AD:backend = ad
> > idmap config AD:schema_mode = rfc2307
> > idmap config AD:range = 10000-95000
> >
> > winbind nss info = template
> > #       template shell = /sbin/nologin
> > #       template homedir = /home/%U
> > ********************************************************************
> >
> >
> >
> > ********************************************************************
> > nsswitch.conf
> > ********************************************************************
> > passwd: files winbind
> > group:  files winbind
> > hosts:  files dns.
> > shadow: files winbind
> >
> > networks:       files
> >
> > protocols:      db files
> > services:       db files
> > ethers:         db files
> > rpc:            db files
> >
> > netgroup: nis
> > ********************************************************************
> >
> >
> >
> > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> >
> > ********************************************************************
> > krb5.conf
> > ********************************************************************
> >
> > [libdefaults]
> > default_realm = AD.TEST.LOC
> > clockskew = 900
> >
> > # The following libdefaults parameters are only for Heimdal Kerberos.
> > v4_instance_resolve = false
> > v4_name_convert = {
> > host = {
> > rcmd = host
> > ftp = ftp
> > }
> > plain = {
> > something = something-else
> > }
> > }
> > fcc-mit-ticketflags = true
> >
> > [realms]
> > TEST.TEST.LOC = {
> > kdc = dc.ad.test.loc
> > kdc = dc1.ad.test.loc
> > kdc = dc2.ad.test.loc
> > kdc = dc3.ad.test.loc
> > admin_server = dc.test.loc
> > }
> >
> > [domain_realm]
> > .test.loc = AD.TEST.LOC
> >
> > [login]
> > krb4_convert = true
> > krb4_get_tickets = false
> >
> > [logging]
> > kdc = FILE:/var/log/krb5/krb5kdc.log
> > admin_server = FILE:/var/log/krb5/kadmind.log
> > default = SYSLOG:NOTICE:DAEMON
> > ********************************************************************
> >
> > libpam.winbind and libnss.winbind are installed.
> >
> >
> > Name resolution works (as before...):
> >
> > host -t A dc.ad.test.loc
> > dc.ad.test.loc has address 123.456.789.208
> >
> > getent hosts
> > 127.0.0.1       localhost
> > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> >
> > Time is synchronized (as before...)
> >
> > net join ads -U "Domainadmin" worked.
> >
> > smbd, nmbd, winbind start successfully.
> > wbinfo -t and -p are successful.
> >
> > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > passwd delivers only local accounts.
> >
> > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > [2016/04/16 18:52:45.713298,  3]
> > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> >    Failed to map kerberos principal to system user
> > (NT_STATUS_LOGON_FAILURE)"
> >
> > I tried, as read in the list, to change idmap config AD:backend = ad to
> > rid. No change in results.
> >
> > Anyone any idea? I'm momentarily at the end of mine.
> >
> >
> >
> >
> >
> >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
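As an added example (not code from the thread or from Samba), here is a small checker for the two smb.conf points this thread turns on: whether `client ldap sasl wrapping` has been dropped to `plain` as a workaround (winbind's LDAP traffic to the DC then runs without signing or sealing; the default is `sign`, as Louis notes), and whether the idmap ranges of the `*` and domain backends overlap. The sample configuration is constructed from the smb.conf quoted above; the parser and function names are my own.

```python
# Constructed sample modelled on the smb.conf quoted in this thread, with the
# "plain" workaround from the thread applied.
SAMPLE_SMB_CONF = """
[global]
   realm = AD.test.loc
   client ldap sasl wrapping = plain
   idmap config *:range = 2000-9999
   idmap config AD:range = 10000-95000
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser: [sections], key = value, '#'/';' comments; indentation ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def sasl_wrapping(conf):
    """Effective 'client ldap sasl wrapping'; Samba's default is 'sign' (as noted in the thread)."""
    return conf.get("global", {}).get("client ldap sasl wrapping", "sign").lower()

def idmap_ranges(conf):
    """Map idmap domain name -> (low, high) taken from 'idmap config DOM:range' lines."""
    ranges = {}
    for key, value in conf.get("global", {}).items():
        if key.startswith("idmap config ") and key.endswith(":range"):
            lo, hi = (int(x) for x in value.split("-"))
            ranges[key[len("idmap config "):-len(":range")]] = (lo, hi)
    return ranges

def check(text):
    """Return a list of findings: weakened LDAP wrapping and overlapping idmap ranges."""
    conf = parse_smb_conf(text)
    findings = []
    if sasl_wrapping(conf) == "plain":
        findings.append("client ldap sasl wrapping = plain: winbind's LDAP traffic "
                        "to the DC is neither signed nor sealed")
    ranges = idmap_ranges(conf)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:
                findings.append(f"idmap ranges overlap: {a} {ranges[a]} vs {b} {ranges[b]}")
    return findings
```

Run `check(open("/etc/smb.conf").read())` on a member server to see whether the `plain` workaround is still in place once the underlying version problem has been fixed.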




