[Samba] AD Group lost from Winbind

L.P.H. van Belle belle at bazuin.nl
Fri Feb 12 08:20:44 UTC 2016


Ok, I'm having this:

DC's 
Debian Wheezy 7.9, sernet samba 4.2.8 


Member servers. 
Debian Jessie samba 4.1.17 ( fileserver ) 
Debian Jessie samba 4.2.7  ( print server ) 
	This one isn't updated yet with the latest updates.

The following packages have been kept back:
  samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
The following packages will be upgraded:
  krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5

On this one all IDs are still correct.

Thanks, Daniel Müller, for your addition..

This is really a big problem.. what happened here in the Samba code?
I've looked at the change log, but can't see anything related to this.

So if anyone (devs?) knows what happened here in the Samba code.
As far as I now know, I have to
re-assign all my uids/gids on all users/groups with other IDs, omg what a hell...
And fix all idmaps on all servers.. pff. ... really no other fix?

There goes my weekend...  


Greetz, 

Louis



> -----Original message-----
> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Sent: Friday 12 February 2016 9:06
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] AD Group lost from Winbind
> 
> My OS is Debian 8.3.
>
> Winbind and Samba are at version 4.1.17.
> 
> 
> > On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >
> > Ok, same problem as I'm having..
> >
> > What OS are you running?
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> >> Sent: Friday 12 February 2016 8:56
> >> To: samba at lists.samba.org
> >> Subject: [Samba] AD Group lost from Winbind
> >>
> >> Hello,
> >>
> >> For the last two days I have had problems with my AD group, which is
> >> defined in the share setting valid users.
> >>
> >> Winbind seems to lose the mapping of this group, so no user can connect
> >> to this share anymore.
> >>
> >> When I restart the winbind service, the mapping works again until the
> >> mapping is lost again.
> >>
> >>
> >> ls -lsa shows me this when the issue occurs:
> >>
> >>        2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share
> >>
> >> After restarting winbind:
> >>
> >>        2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share
> >>
> >>
> >> My smb.conf looks like
> >>
> >>
> >> [global]
> >>       netbios name = MEMBER1
> >>       security = ADS
> >>       workgroup = HQ
> >>       realm = hq.internal
> >>
> >>       log file = /var/log/samba/%m.log
> >>       log level = 1
> >>
> >>       dedicated keytab file = /etc/krb5.keytab
> >>       kerberos method = secrets and keytab
> >>       winbind refresh tickets = yes
> >>
> >>       winbind trusted domains only = no
> >>       winbind use default domain = yes
> >>       winbind enum users  = yes
> >>       winbind enum groups = yes
> >>       winbind cache time = 300
> >>
> >>
> >>       idmap config *:backend = tdb
> >>       idmap config *:range = 500-9999
> >>
> >>       # idmap config for domain HQ
> >>       idmap config HQ:backend = ad
> >>       idmap config HQ:schema_mode = rfc2307
> >>       idmap config HQ:range = 10000-99999
> >>
> >>       # Use settings from AD for login shell and home directory
> >>       winbind nss info = rfc2307
> >>
> >> [Share]
> >>   path = /data/share
> >>   browseable = yes
> >>   writeable = yes
> >>   force group = Group_Intern
> >>   valid users = @Group_Intern
> >>   create mask = 0660
> >>   directory mask = 0770
> >>   #oplocks = 0
> >>   vfs objects = full_audit recycle
> >>   full_audit:prefix = %u
> >>   full_audit:success = mkdir rename rmdir unlink pwrite
> >>   full_audit:failure = none
> >>   full_audit:facility = LOCAL5
> >>   full_audit:priority = NOTICE
> >>   recycle:versions = yes
> >>   recycle:exclude = .*, ~*
> >>
> >>
> >>
> >> Does anyone have an idea about this problem?
> >>
> >>
> >> Regards
> >> Oliver
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba

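The symptom reported in the quoted message (a numeric gid in the `ls` listing where the group name should be) can be checked against the posted idmap ranges. The following is an added example, not part of the thread and not Samba's own code; the function names are hypothetical, and the sample input is the config and listing from the thread with the quote markers and mail line-wrapping removed.

```python
import re

# idmap lines from the smb.conf posted in the thread (quote markers removed).
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 500-9999
idmap config HQ:backend = ad
idmap config HQ:schema_mode = rfc2307
idmap config HQ:range = 10000-99999
"""
# The two listings from the thread, rejoined after mail line-wrapping.
LS_LINES = [
    "2 4 drwxr-x--- 63 root 12001 4096 Feb  4 23:42 Share",
    "2 4 drwxr-x--- 63 root group_intern 4096 Feb  4 23:42 Share",
]
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}")

def parse_idmap(conf):
    """Return {domain: {"backend": ..., "range": (low, high), ...}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom, key, val = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = (int(x) for x in val.split("-"))
            val = (low, high)
        domains.setdefault(dom, {})[key] = val
    return domains

def owning_domain(gid, domains):
    """Name of the idmap domain whose range contains gid, or None."""
    for dom, cfg in domains.items():
        low, high = cfg.get("range", (1, 0))  # empty range if none configured
        if low <= gid <= high:
            return dom
    return None

def unresolved_groups(ls_lines, domains):
    """List (entry, gid, domain) where ls printed a numeric gid, not a name."""
    hits = []
    for line in ls_lines:
        f = line.split()
        i = next((n for n, x in enumerate(f) if MODE_RE.match(x)), None)
        if i is not None and len(f) > i + 3 and f[i + 3].isdigit():
            hits.append((f[-1], int(f[i + 3]), owning_domain(int(f[i + 3]), domains)))
    return hits

if __name__ == "__main__":
    print(unresolved_groups(LS_LINES, parse_idmap(SMB_CONF)))
```

A hit inside the HQ range means the gid on disk belongs to the range served by the `ad` backend, so what is missing at that moment is the gid-to-name lookup, not the directory's ownership.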