[Samba] FW: Domain member seems to work, wbinfo -u not (update8)( solved maybe?)

L.P.H. van Belle belle at bazuin.nl
Tue Apr 19 13:11:03 UTC 2016


Ok.
New test, Debian Samba 4.2.10 (all stock Debian packages).

So others with 4.2.10 stock Debian packages, please test also if the below works.

The file server on which (wbinfo -u) worked Saturday, and not on Sunday until now.

None of these three settings below are in the config, and wbinfo -u fails.

Now adding these settings !! one at a time !!
And I reloaded Samba and restarted winbind every time.

    client ldap sasl wrapping = plain
    client ldap sasl wrapping = seal
    client ldap sasl wrapping = sign

Result in the end.

I started with plain; wbinfo -u works, but the first time there is a long delay before I see the output (long is +4-5 sec).

Changed it to seal, wbinfo -u works.

And back to the Samba default "sign", which now also works.
So it seems fixed now. Strange..

Removed the client ldap sasl wrapping from the config.
All still works.

I'll check this server tomorrow again.

Greetz,

Louis


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 19 April 2016 12:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not
> (update7)
> 
> @Patrick Thanks, that helped.
> @Mathias, only 10.000 objects.
> 
> >>  client ldap sasl wrapping = plain  <<
> 
> I've tested that on my members.
> 4.2.10
> 4.3.8
> 4.4.1
> 4.4.2
> wbinfo -u now works.
> 
> Ok, tested all 3 options of that setting.
> Tested also in the order: plain, seal, sign.
> 
> Samba 4.2.10 (Debian stable)
>    client ldap sasl wrapping = plain   wbinfo -u works.
>    client ldap sasl wrapping = seal    wbinfo -u fails
>    client ldap sasl wrapping = sign    wbinfo -u fails
> only plain works, and keeps working.
> 
> Other server.
> Version 4.4.2-LvB (samba.org packages, own deb, based on Debian 4.4.1)
> By default it fails; now the funny part.
> (default Samba setting is sign)
> We start with a NOT working wbinfo -u.
> 
> Test with the following changes.
> Try1) client ldap sasl wrapping = plain   wbinfo -u works.
> Try2) client ldap sasl wrapping = seal    wbinfo -u also works now.
> Try3) client ldap sasl wrapping = sign    wbinfo -u also works now.
> 
> Only the 4.4.2 now keeps working independent of the setting.
> Lunch first, I'll test the 4.3.8 also.
> 
> Greetz,
> 
> Louis
> 

> > -----Original Message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick G.
> > Stoesser
> > Sent: Tuesday 19 April 2016 12:21
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> > server / No user and group resolution
> >
> > Hello,
> >
> > a reply in debianforum.de led me to:
> >
> > client ldap sasl wrapping = plain
> >
> > and with that setting at least wbinfo works.
> >
> > But still my problems are not completely gone: On the filesystem level,
> > AD users and groups are still not resolved. "Invalid user". But kinit
> > "USER" works. Still have to try...
> >
> > Regards, pgs
> >
> >

> > On 16.04.2016 at 19:08, Patrick G. Stoesser wrote:
> > > Hello everybody,
> > >
> > > I've been running Samba as an AD member server for ages (Debian stable).
> > > After the last update to 4.2, I just can't get it to work.
> > >
> > > Symptoms: unable to map AD users / groups.
> > >
> > > After two days of unsuccessfully fiddling (and moving all data to another
> > > server with still Samba 3.6, which I will definitely NOT update at the
> > > moment), I decided to purge my installation and start over again like
> > > described in
> > > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> > >
> > > So now my setup is (all names and IPs are masked, but are correct here):
> > >
> > > ********************************************************************
> > > smb.conf
> > > ********************************************************************
> > > [global]
> > >
> > > netbios name = test-fileserver3
> > > security = ADS
> > > workgroup = AD
> > > realm = AD.test.loc
> > >
> > > log file = /var/log/samba/%m.log
> > > log level = 3
> > >
> > > dedicated keytab file = /etc/krb5.keytab
> > > kerberos method = secrets and keytab
> > > winbind refresh tickets = yes
> > >
> > > winbind trusted domains only = no
> > > winbind use default domain = yes
> > > winbind enum users  = yes
> > > winbind enum groups = yes
> > >
> > > idmap config *:backend = tdb
> > > idmap config *:range = 2000-9999
> > >
> > > idmap config AD:backend = ad
> > > idmap config AD:schema_mode = rfc2307
> > > idmap config AD:range = 10000-95000
> > >
> > > winbind nss info = template
> > > #       template shell = /sbin/nologin
> > > #       template homedir = /home/%U
> > > ********************************************************************
> > >
> > > ********************************************************************
> > > nsswitch.conf
> > > ********************************************************************
> > > passwd: files winbind
> > > group:  files winbind
> > > hosts:  files dns.
> > > shadow: files winbind
> > >
> > > networks:       files
> > >
> > > protocols:      db files
> > > services:       db files
> > > ethers:         db files
> > > rpc:            db files
> > >
> > > netgroup: nis
> > > ********************************************************************
> > >
> > > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> > >
> > > ********************************************************************
> > > krb5.conf
> > > ********************************************************************
> > >
> > > [libdefaults]
> > > default_realm = AD.TEST.LOC
> > > clockskew = 900
> > >
> > > # The following libdefaults parameters are only for Heimdal Kerberos.
> > > v4_instance_resolve = false
> > > v4_name_convert = {
> > > host = {
> > > rcmd = host
> > > ftp = ftp
> > > }
> > > plain = {
> > > something = something-else
> > > }
> > > }
> > > fcc-mit-ticketflags = true
> > >
> > > [realms]
> > > TEST.TEST.LOC = {
> > > kdc = dc.ad.test.loc
> > > kdc = dc1.ad.test.loc
> > > kdc = dc2.ad.test.loc
> > > kdc = dc3.ad.test.loc
> > > admin_server = dc.test.loc
> > > }
> > >
> > > [domain_realm]
> > > .test.loc = AD.TEST.LOC
> > >
> > > [login]
> > > krb4_convert = true
> > > krb4_get_tickets = false
> > >
> > > [logging]
> > > kdc = FILE:/var/log/krb5/krb5kdc.log
> > > admin_server = FILE:/var/log/krb5/kadmind.log
> > > default = SYSLOG:NOTICE:DAEMON
> > > ********************************************************************
> > >
> > > libpam.winbind and libnss.winbind are installed.
> > >
> > > Name resolution works (as before...):
> > >
> > > host -t A dc.ad.test.loc
> > > dc.ad.test.loc has address 123.456.789.208
> > >
> > > getent hosts
> > > 127.0.0.1       localhost
> > > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> > >
> > > Time is synchronized (as before...)
> > >
> > > net join ads -U "Domainadmin" worked.
> > >
> > > smbd, nmbd, winbind start successfully.
> > > wbinfo -t and -p are successful.
> > >
> > > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > > passwd delivers only local accounts.
> > >
> > > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > > [2016/04/16 18:52:45.713298,  3]
> > > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > >    Failed to map kerberos principal to system user
> > > (NT_STATUS_LOGON_FAILURE)"
> > >
> > > I tried, as read in the list, to change idmap config AD:backend = ad to
> > > rid. No change in results.
> > >
> > > Anyone any idea? I'm momentarily at the end of mine.
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba

> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
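The whole thread hinges on one smb.conf parameter, and the workaround that made wbinfo -u work ("client ldap sasl wrapping = plain") switches off SASL signing and sealing on winbind's LDAP connection to the domain controller, so a member server left on "plain" trades channel integrity for a working user list. The following audit script is an added example written for this archive page; it is not code from the thread or from the Samba project. It uses a deliberately small smb.conf parser of its own (Samba's real loadparm is not used), takes "sign" as the default because the thread states that is Samba's default, and runs on two constructed sample configs embedded below; none of the sample values are the posters' real configs.

```python
"""Audit smb.conf for the 'client ldap sasl wrapping' setting.

'plain' turns off SASL signing and sealing on winbind's LDAP connection to the
domain controller, so it is a security downgrade that should only ever be a
temporary workaround. Samba's default for this parameter is 'sign' (per the
thread). This parser is a simplified stand-in, not Samba's own loadparm.
"""
import re
from typing import Dict, Tuple

PARAM = "client ldap sasl wrapping"
DEFAULT = "sign"  # Samba default, as stated in the thread
# What each value gives the LDAP channel: (integrity, confidentiality)
PROTECTION = {
    "plain": (False, False),
    "sign": (True, False),
    "seal": (True, True),
}


def _norm(name: str) -> str:
    """Samba matches parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: section name -> {normalised key: value}.

    Handles '#'/';' comment lines, blank lines and 'key = value' pairs.
    Does not follow 'include =' or expand %-macros (not needed for this check).
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def effective_wrapping(text: str) -> str:
    """Return the effective value of 'client ldap sasl wrapping' from [global]."""
    glob = parse_smb_conf(text).get("global", {})
    value = glob.get(_norm(PARAM), DEFAULT).lower()
    if value not in PROTECTION:
        raise ValueError(f"unknown value for '{PARAM}': {value!r}")
    return value


def audit(text: str) -> Tuple[str, str]:
    """Return (value, verdict); 'plain' is flagged as a downgrade because it
    removes integrity and confidentiality from the winbind <-> DC LDAP traffic."""
    value = effective_wrapping(text)
    integrity, confidentiality = PROTECTION[value]
    if not integrity:
        verdict = "DOWNGRADE: LDAP traffic to the DC is neither signed nor sealed"
    elif not confidentiality:
        verdict = "OK: LDAP traffic is signed (integrity) but not encrypted"
    else:
        verdict = "OK: LDAP traffic is signed and sealed (integrity + confidentiality)"
    return value, verdict


# Constructed sample configs (hypothetical, not the thread's real smb.conf).
WORKAROUND_CONF = """
[global]
    workgroup = AD
    realm = AD.test.loc
    security = ADS
    # the workaround discussed in the thread
    client ldap sasl wrapping = plain
"""

DEFAULT_CONF = """
[global]
    workgroup = AD
    realm = AD.test.loc
    security = ADS
"""

if __name__ == "__main__":
    for name, conf in (("workaround", WORKAROUND_CONF), ("default", DEFAULT_CONF)):
        value, verdict = audit(conf)
        print(f"{name}: {PARAM} = {value} -> {verdict}")
```

On a real member server the authoritative effective value comes from Samba itself, e.g. `testparm -s --parameter-name "client ldap sasl wrapping"`, which also resolves includes and defaults; the script above is for auditing config files offline (for instance in a configuration repository) and for making the downgrade that "plain" represents visible before it is forgotten in production, which is exactly what the thread's "set plain, then put sign back and re-test" sequence guards against.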
