[Samba] ADS domain member: winbind fails

Stefan G. Weichinger lists at xunil.at
Fri Dec 30 14:52:33 UTC 2016


On 2016-12-30 at 14:44, Rowland Penny via samba wrote:
> On Fri, 30 Dec 2016 14:26:01 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
>>> Is this the smb.conf you got when you ran the classicupgrade ?
>>> I don't think it is, can I suggest you remove any and all lines you
>>> have added and restart samba
>>
>> that was the output of testparm
>
> Ah, can I introduce you to 'samba-tool testparm'
>
>>
>> smb.conf on DC:
>>
>>
>> [global]
>> 	workgroup = ARBEITSGRUPPE
>> 	realm = arbeitsgruppe.secret.tld
>> 	netbios name = BACKUP
>> 	server role = active directory domain controller
>> 	idmap_ldb:use rfc2307 = yes
>>      dns forwarder = 10.0.0.254
>>
>> [netlogon]
>> 	path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
>> 	read only = No
>>
>> [sysvol]
>> 	path = /var/lib/samba/sysvol
>> 	read only = No
>>
>> --
>>
>> root at backup:/etc/samba# cat /etc/resolv.conf
>> search arbeitsgruppe.secret.tld
>> nameserver 10.0.0.224
>>
>> root at backup:/etc/samba# cat /etc/krb5.conf
>> [libdefaults]
>> 	default_realm = ARBEITSGRUPPE.SECRET.TLD
>> 	dns_lookup_realm = false
>> 	dns_lookup_kdc = true
>>
>> --
>>
>> editing the resolv.conf(s) helped in stabilizing RSAT editing
>>
>> winbindd on member still fails, I left and rejoined ...
>>
>> --
>>
>> although I see users and GPOs on the member, etc (via net ads)
>>
>> # net ads info
>> LDAP server: 10.0.0.224
>> LDAP server name: backup.arbeitsgruppe.secret.tld
>> Realm: ARBEITSGRUPPE.SECRET.TLD
>> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
>> LDAP port: 389
>> Server time: Fr, 30 Dez 2016 14:24:25 CET
>> KDC server: 10.0.0.224
>> Server time offset: 0
>>
>>
>>
>
> What this shows is that your dns domain is 'arbeitsgruppe.secret.tld'
> and your domain member should also be using this dns domain. Your
> earlier posts seem to suggest you are using 'secret.tld' on the domain
> member, this must be changed.

So you suggest editing the hostname (did so via hostnamectl set-hostname)?

Did that, left the domain and rejoined (on the member server, of course); winbindd
fails again:


[2016/12/30 15:44:55.762270, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
   idmap config BUILTIN : range = not defined
[2016/12/30 15:44:55.762307,  2, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
   Added domain BUILTIN (null) S-1-5-32
[2016/12/30 15:44:55.762326, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4663(wcache_tdc_add_domain)
   wcache_tdc_add_domain: Adding domain MAIN ((null)), SID S-1-5-21-2777655458-4002997014-749295002, flags = 0x0, attributes = 0x0, type = 0x0
[2016/12/30 15:44:55.762348, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4466(pack_tdc_domains)
   pack_tdc_domains: Packing 2 trusted domains
[2016/12/30 15:44:55.762360, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
   pack_tdc_domains: Packing domain BUILTIN (UNKNOWN)
[2016/12/30 15:44:55.762370, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
   pack_tdc_domains: Packing domain MAIN (UNKNOWN)
[2016/12/30 15:44:55.762391, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
   idmap config MAIN : range = not defined
[2016/12/30 15:44:55.762406,  2, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
   Added domain MAIN (null) S-1-5-21-2777655458-4002997014-749295002
[2016/12/30 15:44:55.762426, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:565(set_domain_online_request)
   set_domain_online_request: called for domain MAIN
[2016/12/30 15:44:55.762436, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:575(set_domain_online_request)
   set_domain_online_request: Internal domains are always online
[2016/12/30 15:44:55.762649,  0, pid=9066, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:124(daemon_ready)
   STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2016/12/30 15:44:55.762671,  0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/util.c:788(smb_panic_s3)
   PANIC (pid 9066): Could not find our domain
[2016/12/30 15:44:55.762942,  0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/util.c:899(log_stack_trace)
   BACKTRACE: 12 stack frames:
    #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f907b4247aa]
    #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f907b424890]
    #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7f907e0ce0df]
    #3 winbindd(+0x36623) [0x564b39618623]
    #4 winbindd(rescan_trusted_domains+0x1d) [0x564b3961864d]
    #5 /usr/lib64/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7f90785e2b0d]
    #6 /usr/lib64/libtevent.so.0(+0x9b0a) [0x7f90785e3b0a]
    #7 /usr/lib64/libtevent.so.0(+0x8227) [0x7f90785e2227]
    #8 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7f90785de46d]
    #9 winbindd(main+0xb7c) [0x564b396074cc]
    #10 /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f9078014620]
    #11 winbindd(_start+0x29) [0x564b39607b59]
[2016/12/30 15:44:55.762995,  0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/dumpcore.c:318(dump_core)
   dumping core in /var/log/samba/cores/winbindd


-

Interestingly, old users work: my understanding is that as the upcoming 
*member* server is the old NT4 PDC, it has the old domain users in 
/etc/passwd and so logins work without winbind, correct?

-

As I see in the logs above, winbind contacts *other* domains, and not 
"ARBEITSGRUPPE" ... why is that?

Please note that my "idmap *" lines for the member server are mainly just cut 
and paste; maybe the ranges are bogus or something else.

I will now reply to Louis and provide configs.
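
The winbindd log in this message shows two things a member-server smb.conf
can be checked for before the next rejoin: "idmap config ... : range = not
defined" for every domain winbindd knows about, and a domain name (MAIN) that
is not the NetBIOS name of the AD domain the DC reports (ARBEITSGRUPPE). The
following script is an added example and is not part of the thread or of
Samba; it lints an smb.conf text for exactly those two conditions. The two
sample configs embedded in it are constructed, and their workgroup values,
backends and ranges are hypothetical, chosen only to resemble the configs
quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: lint a Samba domain member's smb.conf for
# the two conditions visible in the winbindd log, a "workgroup" that does not
# match the AD domain's NetBIOS name, and "idmap config DOM : backend" lines
# with no matching "idmap config DOM : range" line.
# Both sample configs below are constructed; domain names, backends and ranges
# are hypothetical.

SAMPLE_SMB_CONF='[global]
    workgroup = MAIN
    realm = ARBEITSGRUPPE.SECRET.TLD
    security = ADS
    idmap config * : backend = tdb
    idmap config MAIN : backend = rid
'

FIXED_SMB_CONF='[global]
    workgroup = ARBEITSGRUPPE
    realm = ARBEITSGRUPPE.SECRET.TLD
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config ARBEITSGRUPPE : backend = rid
    idmap config ARBEITSGRUPPE : range = 10000-999999
'

# smb_conf_workgroup CONF: print the first "workgroup = X" value, whitespace trimmed.
smb_conf_workgroup() {
    printf '%s\n' "$1" | awk -F'=' '
        /^[ \t]*workgroup[ \t]*=/ {
            v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }'
}

# idmap_domains_without_range CONF: print (sorted, one per line) every domain
# that has an "idmap config DOM : backend" line but no "idmap config DOM : range".
idmap_domains_without_range() {
    printf '%s\n' "$1" | awk -F':|=' '
        /^[ \t]*idmap config/ {
            # with FS ":|=": $1 = "idmap config DOM ", $2 = " option ", $3 = " value"
            dom = $1
            sub(/^[ \t]*idmap config[ \t]*/, "", dom)
            gsub(/[ \t]+$/, "", dom)
            opt = $2; gsub(/[ \t]/, "", opt)
            if (opt == "backend") seen[dom] = 1
            if (opt == "range")   hasrange[dom] = 1
        }
        END { for (d in seen) if (!(d in hasrange)) print d }' | LC_ALL=C sort
}

# check_member_conf CONF EXPECTED_WORKGROUP: print findings; return 0 when the
# workgroup matches and every idmap domain has a range, 1 otherwise.
check_member_conf() {
    _conf=$1; _expected=$2; _rc=0
    _wg=$(smb_conf_workgroup "$_conf")
    if [ "$_wg" != "$_expected" ]; then
        echo "workgroup is '$_wg', expected '$_expected'"
        _rc=1
    fi
    _missing=$(idmap_domains_without_range "$_conf")
    if [ -n "$_missing" ]; then
        # sed instead of a for loop: a domain literally named "*" must not be glob-expanded
        printf '%s\n' "$_missing" | sed 's/.*/idmap config & : range = not defined/'
        _rc=1
    fi
    return $_rc
}

# Usage: run the check against both constructed configs.
echo "--- cut-and-paste config:"
check_member_conf "$SAMPLE_SMB_CONF" ARBEITSGRUPPE || echo "needs fixing"
echo "--- corrected config:"
check_member_conf "$FIXED_SMB_CONF" ARBEITSGRUPPE && echo "ok"
```

The expected workgroup is passed in rather than derived, because neither
`net ads info` nor the realm tells you the NetBIOS name directly; take it from
the DC's smb.conf (here `workgroup = ARBEITSGRUPPE`) and feed the member's
`testparm -s` output to `check_member_conf`.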