[Samba] AD Group lost from Winbind
L.P.H. van Belle
belle at bazuin.nl
Fri Feb 12 09:59:22 UTC 2016
This all looks good to me, but the problem lies in the DC winbind code, not the member.
You can try to switch back (temporarily) to winbind (on the DC).
As I did; at least you get the correct IDs back (for now).
For you, this is the change you need on the DC:
server services = -winbindd +winbind
I'm recompiling Samba 4.3.3 from sid at the moment, so I'll test what happens.
I'll report back here.
Greetz,
Louis
> -----Original message-----
> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Sent: Friday 12 February 2016 10:54
> To: L.P.H. van Belle
> CC: samba at lists.samba.org
> Subject: Re: [Samba] AD Group lost from Winbind
>
> This is DC:
> # Global parameters
> [global]
> workgroup = HQ
> realm = HQ.INTERNAL
> netbios name = DC1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> interfaces=eth0
> bind interfaces only=yes
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile = /var/lib/samba/private/tls/ca.pem
>
> [netlogon]
> path = /var/lib/samba/sysvol/hq.kontrast/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> member config was shown in my first e-mail
>
> > On 12.02.2016 at 10:22, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >
> > That's strange, my members don't show this problem, only my DCs.
> >
> > Can you post your smb.conf of the DC and one of your member servers?
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> >> Sent: Friday 12 February 2016 10:16
> >> To: L.P.H. van Belle
> >> CC: samba at lists.samba.org
> >> Subject: Re: [Samba] AD Group lost from Winbind
> >>
> >> In my situation I don't use DCs for shares (only for sysvol).
> >>
> >> So my member has the problems.
> >>
> >>
> >>> On 12.02.2016 at 09:20, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >>>
> >>> OK, I'm having this:
> >>>
> >>> DCs
> >>> Debian Wheezy 7.9, sernet samba 4.2.8
> >>>
> >>>
> >>> Member servers.
> >>> Debian Jessie samba 4.1.17 ( fileserver )
> >>> Debian Jessie samba 4.2.7 ( print server )
> >>> This one isn't updated yet with the latest updates.
> >>>
> >>> The following packages have been kept back:
> >>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
> >>> The following packages will be upgraded:
> >>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5
> >>>
> >>> On this one all IDs are still correct.
> >>>
> >>> Thanks, Daniel Müller, for your addition..
> >>>
> >>> This is really a big problem.. what happened here in the Samba code?
> >>> I've looked at the changelog, but can't see anything related to this.
> >>>
> >>> So if anyone (DEVS?) knows what happened here in the Samba code.
> >>> As far as I now know I have to
> >>> re-assign all my uid / gids on all users / groups, with other IDs, omg
> >>> what a hell...
> >>> And fix all idmaps on all servers.. pff. ... really no other fix?
> >>>
> >>> There goes my weekend...
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
> >>>> Sent: Friday 12 February 2016 9:06
> >>>> To: L.P.H. van Belle
> >>>> CC: samba at lists.samba.org
> >>>> Subject: Re: [Samba] AD Group lost from Winbind
> >>>>
> >>>> My OS is Debian 8.3.
> >>>>
> >>>> winbind and Samba are at version 4.1.17.
> >>>>
> >>>>
> >>>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
> >>>>>
> >>>>> OK, same problem as I'm having..
> >>>>>
> >>>>> What OS are you running?
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> >>>>>> Sent: Friday 12 February 2016 8:56
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: [Samba] AD Group lost from Winbind
> >>>>>>
> >>>>>> Hello,
> >>>>>>
> >>>>>> for the last two days I have had problems with my AD group, which is defined in the
> >>>>>> share setting valid users.
> >>>>>>
> >>>>>> Winbind seems to lose the mapping of this group, so no user can connect to
> >>>>>> this share anymore.
> >>>>>>
> >>>>>> When I restart the winbind service, the mapping works again until the mapping is lost again.
> >>>>>>
> >>>>>>
> >>>>>> When the issue occurs, ls -lsa shows me this:
> >>>>>>
> >>>>>> 2 4 drwxr-x--- 63 root 12001
> >>>>>> 4096 Feb 4 23:42 Share
> >>>>>>
> >>>>>> After restarting winbind:
> >>>>>>
> >>>>>> 2 4 drwxr-x--- 63 root group_intern
> >>>>>> 4096 Feb 4 23:42 Share
> >>>>>>
> >>>>>>
> >>>>>> My smb.conf looks like
> >>>>>>
> >>>>>>
> >>>>>> [global]
> >>>>>> netbios name = MEMBER1
> >>>>>> security = ADS
> >>>>>> workgroup = HQ
> >>>>>> realm = hq.internal
> >>>>>>
> >>>>>> log file = /var/log/samba/%m.log
> >>>>>> log level = 1
> >>>>>>
> >>>>>> dedicated keytab file = /etc/krb5.keytab
> >>>>>> kerberos method = secrets and keytab
> >>>>>> winbind refresh tickets = yes
> >>>>>>
> >>>>>> winbind trusted domains only = no
> >>>>>> winbind use default domain = yes
> >>>>>> winbind enum users = yes
> >>>>>> winbind enum groups = yes
> >>>>>> winbind cache time = 300
> >>>>>>
> >>>>>>
> >>>>>> idmap config *:backend = tdb
> >>>>>> idmap config *:range = 500-9999
> >>>>>>
> >>>>>> # idmap config for domain HQ
> >>>>>> idmap config HQ:backend = ad
> >>>>>> idmap config HQ:schema_mode = rfc2307
> >>>>>> idmap config HQ:range = 10000-99999
> >>>>>>
> >>>>>> # Use settings from AD for login shell and home directory
> >>>>>> winbind nss info = rfc2307
> >>>>>>
> >>>>>> [Share]
> >>>>>> path = /data/share
> >>>>>> browseable = yes
> >>>>>> writeable = yes
> >>>>>> force group = Group_Intern
> >>>>>> valid users = @Group_Intern
> >>>>>> create mask = 0660
> >>>>>> directory mask = 0770
> >>>>>> #oplocks = 0
> >>>>>> vfs objects = full_audit recycle
> >>>>>> full_audit:prefix = %u
> >>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
> >>>>>> full_audit:failure = none
> >>>>>> full_audit:facility = LOCAL5
> >>>>>> full_audit:priority = NOTICE
> >>>>>> recycle:versions = yes
> >>>>>> recycle:exclude = .*, ~*
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> Does anyone have an idea for this problem?
> >>>>>>
> >>>>>>
> >>>>>> Regards
> >>>>>> Oliver
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
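A check for the symptom reported in this thread (the share directory listed with the bare GID 12001 instead of group_intern), as an added example that is not part of the original messages: it parses the idmap ranges from the member's smb.conf and flags GIDs that fall inside a named domain's range but no longer resolve to a group name through NSS. The function names and the embedded sample config are constructed for illustration.

```python
import grp
import os
import re

# Constructed sample: the idmap lines of the member smb.conf quoted in this thread.
SAMPLE_CONF = """\
[global]
   idmap config *:backend = tdb
   idmap config *:range = 500-9999
   # idmap config for domain HQ
   idmap config HQ:backend = ad
   idmap config HQ:schema_mode = rfc2307
   idmap config HQ:range = 10000-99999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S.*?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": ..., "range": (low, high)}} from smb.conf text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)  # comment lines (# or ;) never match
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        if key == "range":
            low, high = value.split("-")
            value = (int(low), int(high))
        domains.setdefault(domain, {})[key] = value
    return domains

def classify_gid(gid, domains, resolve=grp.getgrgid):
    """Report which idmap range holds gid and whether NSS still resolves it."""
    owner = next((d for d, cfg in domains.items() if "range" in cfg
                  and cfg["range"][0] <= gid <= cfg["range"][1]), None)
    try:
        name = resolve(gid).gr_name
    except KeyError:  # grp.getgrgid raises KeyError when no entry is found
        name = None
    return {"gid": gid, "domain": owner, "name": name,
            "lost": name is None and owner not in (None, "*")}

def scan(paths, domains, resolve=grp.getgrgid):
    """Return (path, finding) for paths whose group GID has lost its mapping."""
    findings = []
    for path in paths:
        finding = classify_gid(os.stat(path).st_gid, domains, resolve)
        if finding["lost"]:
            findings.append((path, finding))
    return findings
```

Run `scan(["/data/share"], parse_idmap(open("/etc/samba/smb.conf").read()))` periodically on the member; a non-empty result corresponds to the state in which `valid users = @Group_Intern` stops admitting users.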