[Samba] AD Group lost from Winbind
Rowland penny
rpenny at samba.org
Fri Feb 12 08:54:46 UTC 2016
On 12/02/16 08:20, L.P.H. van Belle wrote:
> Ok, im having this : > > DC's Debian Wheezy 7.9, sernet samba 4.2.8 > > > Member servers.
Debian Jessie samba 4.1.17 ( fileserver ) Debian > Jessie samba 4.2.7 (
print server ) This one isnt updated yet with > latest updates. > > The
following packages have been kept back: samba sernet-samba >
sernet-samba-client sernet-samba-common sernet-samba-libs >
sernet-samba-libsmbclient0 sernet-samba-winbind The following > packages
will be upgraded: krb5-locales krb5-user libgssapi-krb5-2 > libgssrpc4
libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 > libkrb5-3
libkrb5support0 libtiff5 > > on this one all id's are still correct. > >
Thanks, Daniel Müller, for your addition.. > > This is really a big
problem.. what happend her in the samba code? > I've looked at the
change log, but cant seen any related to this. > > So if anyone DEVS ?
know what happend here in the samba code. As far > as i now know i have
to. Re-assign all my uid / gids on all users / > groups, with other
id's, omg wat a hell... And fix all idmaps on all > servers.. pff. ...
really no other fix ? > > There goes my weekend... > > > Greetz, > >
Louis > > > >> -----Oorspronkelijk bericht----- Van: Oliver Werner >>
[mailto:oliver.werner at kontrast.de] Verzonden: vrijdag 12 februari >>
2016 9:06 Aan: L.P.H. van Belle CC: samba at lists.samba.org >> Onderwerp:
Re: [Samba] AD Group lost from Winbind >> >> my os is debian 8.3 >> >>
win bind and samba are in version 4.1.17 >> >> >>> Am 12.02.2016 um
08:58 schrieb L.P.H. van Belle >>> <belle at bazuin.nl>: >>> >>> Ok, same
problem as im having.. >>> >>> What is your os running? >>> >>> >>>>
-----Oorspronkelijk bericht----- Van: samba >>>>
[mailto:samba-bounces at lists.samba.org] Namens Oliver Werner >>>>
Verzonden: vrijdag 12 februari 2016 8:56 Aan: >>>> samba at lists.samba.org
Onderwerp: [Samba] AD Group lost from >>>> Winbind >>>> >>>> Hello, >>>>
>>>> the last two days i have problems with my AD group which is >>>>
defined in share setting valid users >>>> >>>> Winbind looks to lost
mapping of this group and so no user can >>>> connect >> to >>>> this
share anymore. >>>> >>>> When restart winbind service mapping works
again until mapping >>>> lost >> again. >>>> >>>> >>>> ls -lsa shows me
in issue this: >>>> >>>> 2 4 drwxr-x--- 63 root
12001 4096 Feb 4 >>>> 23:42 Share >>>> >>>> After restarting winbind:
>>>> >>>> 2 4 drwxr-x--- 63 root group_intern 4096
>>>> Feb 4 23:42 Share >>>> >>>> >>>> My smb.conf looks like >>>> >>>>
>>>> [global] netbios name = MEMBER1 security = ADS workgroup = HQ >>>>
realm = hq.internal >>>> >>>> log file = /var/log/samba/%m.log log level
= 1 >>>> >>>> dedicated keytab file = /etc/krb5.keytab kerberos method =
>>>> secrets and keytab winbind refresh tickets = yes >>>> >>>> winbind
trusted domains only = no winbind use default domain = >>>> yes winbind
enum users = yes winbind enum groups = yes winbind >>>> cache time =
300 >>>> >>>> >>>> idmap config *:backend = tdb idmap config *:range =
500-9999 >>>> >>>> # idmap config for domain HQ idmap config HQ:backend
= ad idmap >>>> config HQ:schema_mode = rfc2307 idmap config HQ:range =
>>>> 10000-99999 >>>> >>>> # Use settings from AD for login shell and
home directory >>>> winbind nss info = rfc2307 >>>> >>>> [Share] path =
/data/share browseable = yes writeable = yes >>>> force group =
Group_Intern valid users = @Group_Intern create >>>> mask = 0660
directory mask = 0770 #oplocks = 0 vfs objects = >>>> full_audit recycle
full_audit:prefix = %u full_audit:success = >>>> mkdir rename rmdir
unlink pwrite full_audit:failure = none >>>> full_audit:facility =
LOCAL5 full_audit:priority = NOTICE >>>> recycle:versions = yes
recycle:exclude = .*, ~* >>>> >>>> >>>> >>>> Anyone has an idea for this
problem? >>>> >>>> >>>> Regards Oliver -- To unsubscribe from this list
go to the >>>> following URL and read the instructions: >>>>
https://lists.samba.org/mailman/options/samba >>> >>> >>> -- To
unsubscribe from this list go to the following URL and read >>> the
instructions: https://lists.samba.org/mailman/options/samba > > >
Well, I did say that I could never get the lines you add to smb.conf on
a DC to work :-)
Lets see if I understand the situation correctly.
Users & groups have been given a uidNumber or gidNumber attribute.
You are now getting different results on different DCs.
You used to get the same results and all that has changed is the version
of Samba.
If the above is correct, I think you need to log a bug report, it might
help if you can supply a level 10 log from asking for 'getent group
Domain\ Users' on both DCs
Rowland
More information about the samba
mailing list