[Samba] AD Group lost from Winbind

L.P.H. van Belle belle at bazuin.nl
Fri Feb 12 08:36:26 UTC 2016


Ok, possible solution. 

TEST DC1. Wrong
id admin
uid=10000(admin) gid=10000(domain users) groups=10000(domain users), 3000008(domain admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)


TEST DC2. Correct. 
id admin
uid=10000(DOMAIN\admin) gid=10000(DOMAIN \Domain Users) groups=10000(DOMAIN \Domain Users),10001(DOMAIN \Domain Admins)


And, after config change on DC1.

id admin
uid=10000(DOMAIN \admin) gid=10000(DOMAIN \Domain Users) groups=10000(DOMAIN \Domain Users), 10001(DOMAIN \Domain Admins)

Pfeww.. my weekend is saved..  :-) 

The fix for me:

I only changed this on the DCs

#       server services = -dns
        server services = -dns -winbindd +winbind

So it's something in the winbindd code.



Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Friday 12 February 2016 9:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] AD Group lost from Winbind
> 
> Ok, I'm having this:
> 
> DC's
> Debian Wheezy 7.9, sernet samba 4.2.8
> 
> 
> Member servers.
> Debian Jessie samba 4.1.17 ( fileserver )
> Debian Jessie samba 4.2.7  ( print server )
> 	This one isn't updated yet with the latest updates.
> 
> The following packages have been kept back:
>   samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-
> libs sernet-samba-libsmbclient0 sernet-samba-winbind
> The following packages will be upgraded:
>   krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3
> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0
> libtiff5
> 
> On this one all IDs are still correct.
> 
> Thanks, Daniel Müller, for your addition..
> 
> This is really a big problem.. what happened here in the Samba code?
> I've looked at the change log, but can't see anything related to this.
> 
> So if anyone (DEVS?) knows what happened here in the Samba code.
> As far as I now know I have to
> re-assign all my uids / gids on all users / groups, with other IDs, omg
> what a hell...
> And fix all idmaps on all servers.. pff. ... really no other fix?
> 
> There goes my weekend...
> 
> 
> Greetz,
> 
> Louis
> 
> 
> 
> > -----Original message-----
> > From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> > Sent: Friday 12 February 2016 9:06
> > To: L.P.H. van Belle
> > CC: samba at lists.samba.org
> > Subject: Re: [Samba] AD Group lost from Winbind
> >
> > My OS is Debian 8.3
> >
> > winbind and samba are in version 4.1.17
> >
> >
> > > On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
> > >
> > > Ok, same problem as I'm having..
> > >
> > > What is your os running?
> > >
> > >
> > >> -----Original message-----
> > >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> > >> Sent: Friday 12 February 2016 8:56
> > >> To: samba at lists.samba.org
> > >> Subject: [Samba] AD Group lost from Winbind
> > >>
> > >> Hello,
> > >>
> > >> the last two days I have had problems with my AD group which is defined in
> > >> share setting valid users
> > >>
> > >> Winbind seems to lose the mapping of this group and so no user can connect to
> > >> this share anymore.
> > >>
> > >> When I restart the winbind service, mapping works again until the mapping is lost again.
> > >>
> > >>
> > >> ls -lsa shows me this during the issue:
> > >>
> > >>        2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share
> > >>
> > >> After restarting winbind:
> > >>
> > >>        2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share
> > >>
> > >>
> > >> My smb.conf looks like
> > >>
> > >>
> > >> [global]
> > >>       netbios name = MEMBER1
> > >>       security = ADS
> > >>       workgroup = HQ
> > >>       realm = hq.internal
> > >>
> > >>       log file = /var/log/samba/%m.log
> > >>       log level = 1
> > >>
> > >>       dedicated keytab file = /etc/krb5.keytab
> > >>       kerberos method = secrets and keytab
> > >>       winbind refresh tickets = yes
> > >>
> > >>       winbind trusted domains only = no
> > >>       winbind use default domain = yes
> > >>       winbind enum users  = yes
> > >>       winbind enum groups = yes
> > >> 	winbind cache time = 300
> > >>
> > >>
> > >>       idmap config *:backend = tdb
> > >>       idmap config *:range = 500-9999
> > >>
> > >>       # idmap config for domain HQ
> > >>       idmap config HQ:backend = ad
> > >>       idmap config HQ:schema_mode = rfc2307
> > >>       idmap config HQ:range = 10000-99999
> > >>
> > >>       # Use settings from AD for login shell and home directory
> > >>       winbind nss info = rfc2307
> > >>
> > >> [Share]
> > >>   path = /data/share
> > >>   browseable = yes
> > >>   writeable = yes
> > >>   force group = Group_Intern
> > >>   valid users = @Group_Intern
> > >>   create mask = 0660
> > >>   directory mask = 0770
> > >>   #oplocks = 0
> > >>   vfs objects = full_audit recycle
> > >>   full_audit:prefix = %u
> > >>   full_audit:success = mkdir rename rmdir unlink pwrite
> > >>   full_audit:failure = none
> > >>   full_audit:facility = LOCAL5
> > >>   full_audit:priority = NOTICE
> > >>   recycle:versions = yes
> > >>   recycle:exclude = .*, ~*
> > >>
> > >>
> > >>
> > >> Does anyone have an idea for this problem?
> > >>
> > >>
> > >> Regards
> > >> Oliver
> > >> --
> > >> To unsubscribe from this list go to the following URL and read the
> > >> instructions:  https://lists.samba.org/mailman/options/samba
> > >
> > >
> 
> 
> 
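
The comparison made by eye above between the `id admin` output of DC1 and DC2 can be automated. This is an added example, not part of the original thread or of Samba: it parses the groups= list of two `id` lines and reports group names whose numeric IDs differ between hosts. The sample lines are copied from the post; the function and constant names are hypothetical.

```python
import re

# Sample input: the two `id admin` lines quoted in the post (DC1 before the fix, DC2)
DC1_BEFORE = ("uid=10000(admin) gid=10000(domain users) groups=10000(domain users), "
              "3000008(domain admins),3000005(denied rodc password replication group),"
              "3000009(BUILTIN\\users),3000000(BUILTIN\\administrators)")
DC2 = ("uid=10000(DOMAIN\\admin) gid=10000(DOMAIN \\Domain Users) "
       "groups=10000(DOMAIN \\Domain Users),10001(DOMAIN \\Domain Admins)")

# One "number(name)" entry of the groups= list
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def normalize(name):
    """Drop any 'DOMAIN\\' prefix, surrounding spaces and case, so that
    'domain admins' and 'DOMAIN \\Domain Admins' compare as the same group."""
    return name.rsplit("\\", 1)[-1].strip().lower()


def parse_id(line):
    """Return {normalized group name: numeric gid} from one line of `id` output."""
    _, _, groups = line.partition("groups=")
    return {normalize(name): int(num) for num, name in ENTRY.findall(groups)}


def compare(a, b):
    """Compare two parsed hosts.

    Returns (mismatched, only_a, only_b):
      mismatched: {name: (gid on a, gid on b)} for names present on both hosts
      only_a / only_b: sorted names that only one host reported
    """
    mismatched = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


if __name__ == "__main__":
    mismatched, only_a, only_b = compare(parse_id(DC1_BEFORE), parse_id(DC2))
    for name, (gid_a, gid_b) in sorted(mismatched.items()):
        print(f"MISMATCH {name}: {gid_a} on DC1, {gid_b} on DC2")
    for name in only_a:
        print(f"only on DC1: {name}")
    for name in only_b:
        print(f"only on DC2: {name}")
```

A group that maps to different numeric IDs on two hosts means file ownership and `valid users` checks resolve differently depending on which host answers, so a non-empty `mismatched` result is the condition to alert on.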




