[Samba] FW: FW: Domain member seems to work, wbinfo -u not (update10)
L.P.H. van Belle
belle at bazuin.nl
Wed Apr 20 09:05:55 UTC 2016
Hi again.
Today I did some new tests.
The trick below (previous e-mail) works sometimes with 4.2.10 and 4.3.8.
The trick always works with 4.4.2.
My own deb build, not installed from source, and tested now on 3 servers.
All same result.
I checked the server I did yesterday, still working without any problems.
So I'm wondering what's the difference between 4.2.10, 4.3.8 and 4.4.1
in the Debian packages and my Debian build of 4.4.2.
The 4.4.2 build I made was from the source from samba.org.
I took the "debian" folder from 4.4.1 and added this to the Samba 4.4.2 source.
I removed only one patch, since that is already in the 4.4.2 source.
Patch: security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
I did rebuild tevent, ldb, tdb, talloc etc. from Debian sid.
And now I can't make it fail again, independent of the settings.
I hope this helps someone.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday 19 April 2016 15:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not
> (update8) (solved maybe?)
>
> Ok.
> New test, Debian Samba 4.2.10 (all stock Debian packages).
>
> So others with 4.2.10 stock Debian packages, please also test if the below
> works.
>
> The file server on which (wbinfo -u) worked Saturday, and not on Sunday
> until now.
>
> None of these three settings below are in the config, and wbinfo -u fails.
>
> Now adding these settings !! one at a time !!
> And I reloaded Samba and restarted winbind every time.
>
> client ldap sasl wrapping = plain
> client ldap sasl wrapping = seal
> client ldap sasl wrapping = sign
>
> Result in the end.
>
> I started with plain, wbinfo -u works, but the first time there is a long delay
> before I see the output (long is +4-5 sec).
>
> Changed it to seal, wbinfo -u works.
>
> And back to the Samba default "sign", which now also works.
> So it seems fixed now. Strange..
>
> Removed the client ldap sasl wrapping from the config.
> All still works.
>
> I'll check this server tomorrow again.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Tuesday 19 April 2016 12:48
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not
> > (update7)
> >
> > @Patrick Thanks, that helped.
> > @Mathias, only 10.000 objects.
> >
> > >> client ldap sasl wrapping = plain <<
> >
> > I've tested that on my members.
> > 4.2.10
> > 4.3.8
> > 4.4.1
> > 4.4.2
> > wbinfo -u now works.
> >
> > Ok, tested all 3 options of that setting.
> > Tested also in the order: plain, seal, sign.
> >
> > Samba 4.2.10 (Debian stable)
> > client ldap sasl wrapping = plain   wbinfo -u works.
> > client ldap sasl wrapping = seal    wbinfo -u fails
> > client ldap sasl wrapping = sign    wbinfo -u fails
> > Only plain works, and keeps working.
> >
> > Other server.
> > Version 4.4.2-LvB (samba.org packages, own deb, based on Debian 4.4.1)
> > Default it fails, now the funny part.
> > (default Samba setting is sign)
> > We start with a NOT working wbinfo -u.
> >
> > Test with the following changes.
> > Try1) client ldap sasl wrapping = plain   wbinfo -u works.
> > Try2) client ldap sasl wrapping = seal    wbinfo -u also works now.
> > Try3) client ldap sasl wrapping = sign    wbinfo -u also works now.
> >
> > Only the 4.4.2 now keeps working, independent of the setting.
> > Lunch first, I'll test the 4.3.8 also.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick G.
> > > Stoesser
> > > Sent: Tuesday 19 April 2016 12:21
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member
> > > server / No user and group resolution
> > >
> > > Hello,
> > >
> > > a reply in debianforum.de led me to:
> > >
> > > client ldap sasl wrapping = plain
> > >
> > > and with that setting at least wbinfo works.
> > >
> > > But still my problems are not completely gone: On the filesystem level,
> > > AD users and groups are still not resolved. "Invalid user". But kinit
> > > "USER" works. Still have to try...
> > >
> > > Regards, pgs
> > >
> > > On 16.04.2016 at 19:08, Patrick G. Stoesser wrote:
> > > > Hello everybody,
> > > >
> > > > I've been running Samba as an AD member server for ages (Debian stable).
> > > > After the last update to 4.2, I just can't get it to work.
> > > >
> > > > Symptoms: unable to map AD users / groups.
> > > >
> > > > After two days of unsuccessfully fiddling (and moving all data to another
> > > > server with still Samba 3.6, which I will definitely NOT update at the
> > > > moment), I decided to purge my installation and start over again like
> > > > described in
> > > > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> > > >
> > > > So now my setup is (all names and IPs are masked, but are correct here):
> > > >
> > > > ********************************************************************
> > > > smb.conf
> > > > ********************************************************************
> > > > [global]
> > > >
> > > > netbios name = test-fileserver3
> > > > security = ADS
> > > > workgroup = AD
> > > > realm = AD.test.loc
> > > >
> > > > log file = /var/log/samba/%m.log
> > > > log level = 3
> > > >
> > > > dedicated keytab file = /etc/krb5.keytab
> > > > kerberos method = secrets and keytab
> > > > winbind refresh tickets = yes
> > > >
> > > > winbind trusted domains only = no
> > > > winbind use default domain = yes
> > > > winbind enum users = yes
> > > > winbind enum groups = yes
> > > >
> > > > idmap config *:backend = tdb
> > > > idmap config *:range = 2000-9999
> > > >
> > > > idmap config AD:backend = ad
> > > > idmap config AD:schema_mode = rfc2307
> > > > idmap config AD:range = 10000-95000
> > > >
> > > > winbind nss info = template
> > > > # template shell = /sbin/nologin
> > > > # template homedir = /home/%U
> > > > ********************************************************************
> > > >
> > > > ********************************************************************
> > > > nsswitch.conf
> > > > ********************************************************************
> > > > passwd: files winbind
> > > > group: files winbind
> > > > hosts: files dns.
> > > > shadow: files winbind
> > > >
> > > > networks: files
> > > >
> > > > protocols: db files
> > > > services: db files
> > > > ethers: db files
> > > > rpc: db files
> > > >
> > > > netgroup: nis
> > > > ********************************************************************
> > > >
> > > > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> > > >
> > > > ********************************************************************
> > > > krb5.conf
> > > > ********************************************************************
> > > >
> > > > [libdefaults]
> > > > default_realm = AD.TEST.LOC
> > > > clockskew = 900
> > > >
> > > > # The following libdefaults parameters are only for Heimdal Kerberos.
> > > > v4_instance_resolve = false
> > > > v4_name_convert = {
> > > > host = {
> > > > rcmd = host
> > > > ftp = ftp
> > > > }
> > > > plain = {
> > > > something = something-else
> > > > }
> > > > }
> > > > fcc-mit-ticketflags = true
> > > >
> > > > [realms]
> > > > TEST.TEST.LOC = {
> > > > kdc = dc.ad.test.loc
> > > > kdc = dc1.ad.test.loc
> > > > kdc = dc2.ad.test.loc
> > > > kdc = dc3.ad.test.loc
> > > > admin_server = dc.test.loc
> > > > }
> > > >
> > > > [domain_realm]
> > > > .test.loc = AD.TEST.LOC
> > > >
> > > > [login]
> > > > krb4_convert = true
> > > > krb4_get_tickets = false
> > > >
> > > > [logging]
> > > > kdc = FILE:/var/log/krb5/krb5kdc.log
> > > > admin_server = FILE:/var/log/krb5/kadmind.log
> > > > default = SYSLOG:NOTICE:DAEMON
> > > > ********************************************************************
> > > >
> > > > libpam.winbind and libnss.winbind are installed.
> > > >
> > > > Name resolution works (as before...):
> > > >
> > > > host -t A dc.ad.test.loc
> > > > dc.ad.test.loc has address 123.456.789.208
> > > >
> > > > getent hosts
> > > > 127.0.0.1 localhost
> > > > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> > > >
> > > > Time is synchronized (as before...)
> > > >
> > > > net join ads -U "Domainadmin" worked.
> > > >
> > > > smbd, nmbd, winbind start successfully.
> > > > wbinfo -t and -p are successful.
> > > >
> > > > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > > > passwd delivers only local accounts.
> > > >
> > > > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > > > [2016/04/16 18:52:45.713298, 3]
> > > > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > > > Failed to map kerberos principal to system user
> > > > (NT_STATUS_LOGON_FAILURE)"
> > > >
> > > > I tried, as read in the list, to change idmap config AD:backend = ad to
> > > > rid. No change in results.
> > > >
> > > > Anyone any idea? I'm momentarily at the end of mine.
> > > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
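The trial Louis ran by hand (set one `client ldap sasl wrapping` value, reload smbd, restart winbind, check whether `wbinfo -u` lists users), as an added shell example that is not from the thread. It assumes the Debian service names `smbd`/`winbind` and the smb.conf path below; `plain` switches off LDAP signing and sealing between the member and the DC, so treat it as a diagnostic step rather than a permanent setting.

```shell
#!/bin/sh
# Added example (not from the thread): cycle "client ldap sasl wrapping"
# through plain / seal / sign on an AD member server and record whether
# "wbinfo -u" returns any users, as described in the thread.
# Assumptions: smb.conf path below, Debian service name "winbind" (systemd).
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"

# set_sasl_wrapping FILE VALUE: set the parameter in [global], replacing an
# existing line (any case/spacing) or inserting one; FILE is rewritten in place.
set_sasl_wrapping() {
    case "$2" in plain|seal|sign) ;; *) echo "bad value: $2" >&2; return 1 ;; esac
    awk -v val="$2" '
        /^[[:space:]]*\[/ {                       # section header
            if (in_global && !done) { print "\tclient ldap sasl wrapping = " val; done = 1 }
            in_global = (tolower($0) ~ /^[[:space:]]*\[global\]/)
        }
        in_global && tolower($0) ~ /^[[:space:]]*client[[:space:]]*ldap[[:space:]]*sasl[[:space:]]*wrapping[[:space:]]*=/ {
            if (!done) { print "\tclient ldap sasl wrapping = " val; done = 1 }
            next                                   # drop the old line
        }
        { print }
        END { if (!done) print "\tclient ldap sasl wrapping = " val }   # [global] was last
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_sasl_wrapping FILE: print the configured value, or nothing if unset.
get_sasl_wrapping() {
    awk -F= 'tolower($1) ~ /^[[:space:]]*client[[:space:]]*ldap[[:space:]]*sasl[[:space:]]*wrapping[[:space:]]*$/ {
        gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# run_trial VALUE: apply the setting, validate it, reload smbd, restart winbind,
# then count the users wbinfo -u returns and how long the call took.
run_trial() {
    set_sasl_wrapping "$SMB_CONF" "$1" || return 2
    testparm -s >/dev/null 2>&1 || { echo "smb.conf rejected by testparm" >&2; return 2; }
    smbcontrol smbd reload-config >/dev/null 2>&1
    systemctl restart winbind
    sleep 2
    start=$(date +%s)
    n=$(wbinfo -u 2>/dev/null | wc -l | tr -d ' ')
    echo "wrapping=$1 users=$n seconds=$(( $(date +%s) - start ))"
    [ "$n" -gt 0 ]                                 # 0 = users were listed
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    for w in plain seal sign; do run_trial "$w"; done
fi
```

Run it as `sh trial.sh --run` on the member server; remove the parameter again afterwards if `sign` works, as Louis did, so the default integrity protection stays in force.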