[Samba] ADS domain member: winbind fails

Rowland Penny rpenny at samba.org
Fri Dec 30 15:05:13 UTC 2016


On Fri, 30 Dec 2016 15:52:33 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 14:44, Rowland Penny via samba wrote:
> > On Fri, 30 Dec 2016 14:26:01 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> >>> Is this the smb.conf you got when you ran the classicupgrade?
> >>> I don't think it is, can I suggest you remove any and all lines
> >>> you have added and restart samba.
> >>
> >> that was the output of testparm
> >
> > Ah, can I introduce you to 'samba-tool testparm'
> >
> >>
> >> smb.conf on DC:
> >>
> >>
> >> [global]
> >> 	workgroup = ARBEITSGRUPPE
> >> 	realm = arbeitsgruppe.secret.tld
> >> 	netbios name = BACKUP
> >> 	server role = active directory domain controller
> >> 	idmap_ldb:use rfc2307 = yes
> >> 	dns forwarder = 10.0.0.254
> >>
> >> [netlogon]
> >> 	path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
> >> 	read only = No
> >>
> >> [sysvol]
> >> 	path = /var/lib/samba/sysvol
> >> 	read only = No
> >>
> >> --
> >>
> >> root@backup:/etc/samba# cat /etc/resolv.conf
> >> search arbeitsgruppe.secret.tld
> >> nameserver 10.0.0.224
> >>
> >> root@backup:/etc/samba# cat /etc/krb5.conf
> >> [libdefaults]
> >> 	default_realm = ARBEITSGRUPPE.SECRET.TLD
> >> 	dns_lookup_realm = false
> >> 	dns_lookup_kdc = true
> >>
> >> --
> >>
> >> editing the resolv.conf(s) helped in stabilizing RSAT editing
> >>
> >> winbindd on member still fails, I left and rejoined ...
> >>
> >> --
> >>
> >> although I see users and GPOs on the member, etc (via net ads)
> >>
> >> # net ads info
> >> LDAP server: 10.0.0.224
> >> LDAP server name: backup.arbeitsgruppe.secret.tld
> >> Realm: ARBEITSGRUPPE.SECRET.TLD
> >> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> >> LDAP port: 389
> >> Server time: Fr, 30 Dez 2016 14:24:25 CET
> >> KDC server: 10.0.0.224
> >> Server time offset: 0
> >>
> >>
> >>
> >
> > What this shows is that your dns domain is
> > 'arbeitsgruppe.secret.tld' and your domain member should also be
> > using this dns domain. Your earlier posts seem to suggest you are
> > using 'secret.tld' on the domain member, this must be changed.
> 
> So you suggest editing the hostname (did so via hostnamectl
> set-hostname)?
> 
> Did that, left the domain and rejoined (on the member server, sure); winbindd
> fails again.

No, not the hostname, the domain name. What do 'hostname -s',
'hostname -d' and 'hostname -f' show?

Rowland
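
Added example, not part of the original message: a shell check that compares the three `hostname` outputs asked for above with the realm in krb5.conf. It assumes the member's DNS domain must equal the lower-cased Kerberos realm; the function names and the `live` argument are hypothetical.

```shell
#!/bin/sh
# Added example: check that a domain member's DNS names agree with the AD realm.
# Assumption: the AD DNS domain is the Kerberos realm in lower case.

# Print default_realm from krb5.conf-style text read on stdin.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Lower-case a string so realm and DNS domain can be compared.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_member_dns SHORT DOMAIN FQDN REALM
# Returns 0 = consistent, 1 = DNS domain differs from realm,
#         2 = FQDN is not SHORT.DOMAIN, 3 = no DNS domain set.
check_member_dns() {
    short=$(lower "$1"); domain=$(lower "$2"); fqdn=$(lower "$3"); realm=$(lower "$4")
    if [ -z "$domain" ]; then
        echo "no DNS domain set (hostname -d is empty)"; return 3
    fi
    if [ "$domain" != "$realm" ]; then
        echo "DNS domain '$domain' does not match AD DNS domain '$realm'"; return 1
    fi
    if [ "$fqdn" != "$short.$domain" ]; then
        echo "FQDN '$fqdn' is not '$short.$domain'"; return 2
    fi
    echo "ok: $fqdn is in $realm"; return 0
}

# On a real member: sh thisscript.sh live
if [ "${1:-}" = "live" ]; then
    realm=$(krb5_default_realm < /etc/krb5.conf)
    check_member_dns "$(hostname -s)" "$(hostname -d)" "$(hostname -f)" "$realm"
fi
```
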
 


