[Samba] AD Group lost from Winbind

Oliver Werner oliver.werner at kontrast.de
Fri Feb 12 09:54:03 UTC 2016


This is DC:
# Global parameters
[global]
	workgroup = HQ
	realm = HQ.INTERNAL
	netbios name = DC1
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes
	interfaces = eth0
	bind interfaces only = yes
	tls enabled  = yes
	tls keyfile  = /var/lib/samba/private/tls/key.pem
	tls certfile = /var/lib/samba/private/tls/cert.pem
	tls cafile   = /var/lib/samba/private/tls/ca.pem

[netlogon]
	path = /var/lib/samba/sysvol/hq.kontrast/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No



Member config was shown in my first e-mail.

> On 12.02.2016 at 10:22, L.P.H. van Belle <belle at bazuin.nl> wrote:
> 
> That's strange, my members don't show this problem, only my DCs.
> 
> Can you post your smb.conf of the DC and one of your member servers?
> 
> 
> Greetz,
> 
> Louis
> 
> 
>> -----Original message-----
>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>> Sent: Friday 12 February 2016 10:16
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] AD Group lost from Winbind
>> 
>> In my situation I don't use DCs for shares (only for sysvol).
>> 
>> So my member has the problems.
>> 
>> 
>>> On 12.02.2016 at 09:20, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>> 
>>> OK, I'm having this:
>>> 
>>> DC's
>>> Debian Wheezy 7.9, sernet samba 4.2.8
>>> 
>>> 
>>> Member servers.
>>> Debian Jessie samba 4.1.17 ( fileserver )
>>> Debian Jessie samba 4.2.7  ( print server )
>>> 	This one isn't updated yet with the latest updates.
>>> 
>>> The following packages have been kept back:
>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
>>> The following packages will be upgraded:
>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5
>>> 
>>> On this one all IDs are still correct.
>>> 
>>> Thanks, Daniel Müller, for your addition.
>>> 
>>> This is really a big problem. What happened here in the Samba code?
>>> I've looked at the change log, but can't see anything related to this.
>>> 
>>> So if anyone (devs?) knows what happened here in the Samba code.
>>> As far as I now know, I have to
>>> re-assign all my UIDs / GIDs on all users / groups, with other IDs, OMG what a hell...
>>> And fix all idmaps on all servers.. pff. ... really no other fix?
>>> 
>>> There goes my weekend...
>>> 
>>> 
>>> Greetz,
>>> 
>>> Louis
>>> 
>>> 
>>> 
>>>> -----Original message-----
>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>> Sent: Friday 12 February 2016 9:06
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>> 
>>>> My OS is Debian 8.3.
>>>> 
>>>> winbind and Samba are at version 4.1.17.
>>>> 
>>>> 
>>>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>> 
>>>>> OK, same problem as I'm having.
>>>>> 
>>>>> What OS are you running?
>>>>> 
>>>>> 
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
>>>>>> Sent: Friday 12 February 2016 8:56
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: [Samba] AD Group lost from Winbind
>>>>>> 
>>>>>> Hello,
>>>>>> 
>>>>>> For the last two days I have had problems with my AD group, which is defined in
>>>>>> the share setting valid users.
>>>>>> 
>>>>>> Winbind seems to lose the mapping of this group, so no user can connect to
>>>>>> this share anymore.
>>>>>> 
>>>>>> When I restart the winbind service, the mapping works again until the mapping is lost
>>>>>> again.
>>>>>> 
>>>>>> During the issue, ls -lsa shows me this:
>>>>>> 
>>>>>>      2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share
>>>>>> 
>>>>>> After restarting winbind:
>>>>>> 
>>>>>>      2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share
>>>>>> 
>>>>>> 
>>>>>> My smb.conf looks like this:
>>>>>> 
>>>>>> 
>>>>>> [global]
>>>>>>     netbios name = MEMBER1
>>>>>>     security = ADS
>>>>>>     workgroup = HQ
>>>>>>     realm = hq.internal
>>>>>> 
>>>>>>     log file = /var/log/samba/%m.log
>>>>>>     log level = 1
>>>>>> 
>>>>>>     dedicated keytab file = /etc/krb5.keytab
>>>>>>     kerberos method = secrets and keytab
>>>>>>     winbind refresh tickets = yes
>>>>>> 
>>>>>>     winbind trusted domains only = no
>>>>>>     winbind use default domain = yes
>>>>>>     winbind enum users  = yes
>>>>>>     winbind enum groups = yes
>>>>>>     winbind cache time = 300
>>>>>> 
>>>>>> 
>>>>>>     idmap config *:backend = tdb
>>>>>>     idmap config *:range = 500-9999
>>>>>> 
>>>>>>     # idmap config for domain HQ
>>>>>>     idmap config HQ:backend = ad
>>>>>>     idmap config HQ:schema_mode = rfc2307
>>>>>>     idmap config HQ:range = 10000-99999
>>>>>> 
>>>>>>     # Use settings from AD for login shell and home directory
>>>>>>     winbind nss info = rfc2307
>>>>>> 
>>>>>> [Share]
>>>>>> path = /data/share
>>>>>> browseable = yes
>>>>>> writeable = yes
>>>>>> force group = Group_Intern
>>>>>> valid users = @Group_Intern
>>>>>> create mask = 0660
>>>>>> directory mask = 0770
>>>>>> #oplocks = 0
>>>>>> vfs objects = full_audit recycle
>>>>>> full_audit:prefix = %u
>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
>>>>>> full_audit:failure = none
>>>>>> full_audit:facility = LOCAL5
>>>>>> full_audit:priority = NOTICE
>>>>>> recycle:versions = yes
>>>>>> recycle:exclude = .*, ~*
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Anyone has an idea for this problem?
>>>>>> 
>>>>>> 
>>>>>> Regards
>>>>>> Oliver
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba

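Added example, not part of the original messages or of Samba: a Python check that reads the `idmap config` ranges from the member's smb.conf and reports which range an unresolved numeric group ID in `ls` output falls into. The inputs are constructed from the config and `ls -lsa` lines quoted in the thread, and the function names are hypothetical.

```python
import re

# Constructed inputs, shaped like the member smb.conf and `ls -lsa` lines in the thread.
SMB_CONF = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 500-9999
    idmap config HQ:backend = ad
    idmap config HQ:schema_mode = rfc2307
    idmap config HQ:range = 10000-99999
"""
LS_LINES = [
    "     2      4 drwxr-x---  63 root               12001 4096 Feb  4 23:42 Share",
    "     2      4 drwxr-x---  63 root               group_intern 4096 Feb  4 23:42 Share",
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)
PERM_RE = re.compile(r"^[bcdlps-][rwxsStT-]{9}[.+@]?$")  # e.g. drwxr-x---

def parse_idmap(conf_text):
    """Return {domain: {"backend": ..., "range": (low, high), ...}}."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines start with # or ; and never match
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = value.split("-")
            value = (int(low), int(high))
        domains.setdefault(domain, {})[key] = value
    return domains

def unresolved_groups(ls_lines, domains):
    """Return (name, gid, idmap_domain) for entries whose group is still numeric."""
    findings = []
    for line in ls_lines:
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if PERM_RE.match(f)), None)
        if idx is None or len(fields) < idx + 5:
            continue
        group = fields[idx + 3]  # columns after mode: links, owner, group
        if not group.isdigit():
            continue  # name resolved through NSS/winbind
        gid = int(group)
        domain = next((d for d, e in domains.items()
                       if "range" in e and e["range"][0] <= gid <= e["range"][1]), None)
        findings.append((fields[-1], gid, domain))
    return findings
```

For the thread's data, `unresolved_groups(LS_LINES, parse_idmap(SMB_CONF))` reports GID 12001 on `Share` inside the HQ range, which is the range served by the `ad` backend and not the default `tdb` range.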