[Samba] AD Group lost from Winbind
Oliver Werner
oliver.werner at kontrast.de
Fri Feb 12 10:24:14 UTC 2016
I need to change it on all DCs, right?
So I need to change some other options on the member?
> On 12.02.2016 at 10:59, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> This all looks good to me, but the problem lies in the DC winbind code, not the member.
>
> You can try to switch back (temporarily) to winbind (on the DC).
> As I did; at least you get the correct IDs back (for now).
> For you, this is the change you need on the DC.
>
> server services = -winbindd +winbind
>
> I'm recompiling Samba 4.3.3 from sid right now, so I'll test them out and see what happens.
>
> I'll report back here.
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>> Sent: Friday 12 February 2016 10:54
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] AD Group lost from Winbind
>>
>> This is DC:
>> # Global parameters
>> [global]
>> workgroup = HQ
>> realm = HQ.INTERNAL
>> netbios name = DC1
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> interfaces=eth0
>> bind interfaces only=yes
>> tls enabled = yes
>> tls keyfile = /var/lib/samba/private/tls/key.pem
>> tls certfile = /var/lib/samba/private/tls/cert.pem
>> tls cafile = /var/lib/samba/private/tls/ca.pem
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/hq.kontrast/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> Member config was shown in my first e-mail.
>>
>>> On 12.02.2016 at 10:22, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>
>>> That's strange, my members don't show this problem, only my DCs.
>>>
>>> Can you post your smb.conf of the DC and one of your member servers?
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>> Sent: Friday 12 February 2016 10:16
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>>
>>>> In my situation I don't use DCs for shares (only for sysvol).
>>>>
>>>> So my member has the problems.
>>>>
>>>>
>>>>> On 12.02.2016 at 09:20, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>>
>>>>> OK, I'm having this:
>>>>>
>>>>> DCs
>>>>> Debian Wheezy 7.9, sernet samba 4.2.8
>>>>>
>>>>>
>>>>> Member servers.
>>>>> Debian Jessie samba 4.1.17 ( fileserver )
>>>>> Debian Jessie samba 4.2.7 ( print server )
>>>>> This one isn't updated yet with the latest updates.
>>>>>
>>>>> The following packages have been kept back:
>>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
>>>>> The following packages will be upgraded:
>>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5
>>>>>
>>>>> On this one all IDs are still correct.
>>>>>
>>>>> Thanks, Daniel Müller, for your addition.
>>>>>
>>>>> This is really a big problem. What happened here in the Samba code?
>>>>> I've looked at the changelog, but can't see anything related to this.
>>>>>
>>>>> So if anyone (devs?) knows what happened here in the Samba code.
>>>>> As far as I now know, I have to
>>>>> re-assign all my UIDs/GIDs on all users/groups, with other IDs, omg what a hell...
>>>>> And fix all idmaps on all servers.. pff... really no other fix?
>>>>>
>>>>> There goes my weekend...
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>>>> Sent: Friday 12 February 2016 9:06
>>>>>> To: L.P.H. van Belle
>>>>>> CC: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>>>>
>>>>>> My OS is Debian 8.3.
>>>>>>
>>>>>> winbind and samba are at version 4.1.17.
>>>>>>
>>>>>>
>>>>>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>>>>
>>>>>>> OK, same problem as I'm having.
>>>>>>>
>>>>>>> What OS are you running?
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
>>>>>>>> Sent: Friday 12 February 2016 8:56
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: [Samba] AD Group lost from Winbind
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> For the last two days I have had problems with my AD group, which is defined in the share setting valid users.
>>>>>>>>
>>>>>>>> Winbind seems to lose the mapping of this group, so no user can connect to this share anymore.
>>>>>>>>
>>>>>>>> When I restart the winbind service, the mapping works again until the mapping is lost again.
>>>>>>>>
>>>>>>>>
>>>>>>>> ls -lsa shows me this when the issue occurs:
>>>>>>>>
>>>>>>>> 2 4 drwxr-x--- 63 root 12001 4096 Feb 4 23:42 Share
>>>>>>>>
>>>>>>>> After restarting winbind:
>>>>>>>>
>>>>>>>> 2 4 drwxr-x--- 63 root group_intern 4096 Feb 4 23:42 Share
>>>>>>>>
>>>>>>>>
>>>>>>>> My smb.conf looks like
>>>>>>>>
>>>>>>>>
>>>>>>>> [global]
>>>>>>>> netbios name = MEMBER1
>>>>>>>> security = ADS
>>>>>>>> workgroup = HQ
>>>>>>>> realm = hq.internal
>>>>>>>>
>>>>>>>> log file = /var/log/samba/%m.log
>>>>>>>> log level = 1
>>>>>>>>
>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>> kerberos method = secrets and keytab
>>>>>>>> winbind refresh tickets = yes
>>>>>>>>
>>>>>>>> winbind trusted domains only = no
>>>>>>>> winbind use default domain = yes
>>>>>>>> winbind enum users = yes
>>>>>>>> winbind enum groups = yes
>>>>>>>> winbind cache time = 300
>>>>>>>>
>>>>>>>>
>>>>>>>> idmap config *:backend = tdb
>>>>>>>> idmap config *:range = 500-9999
>>>>>>>>
>>>>>>>> # idmap config for domain HQ
>>>>>>>> idmap config HQ:backend = ad
>>>>>>>> idmap config HQ:schema_mode = rfc2307
>>>>>>>> idmap config HQ:range = 10000-99999
>>>>>>>>
>>>>>>>> # Use settings from AD for login shell and home directory
>>>>>>>> winbind nss info = rfc2307
>>>>>>>>
>>>>>>>> [Share]
>>>>>>>> path = /data/share
>>>>>>>> browseable = yes
>>>>>>>> writeable = yes
>>>>>>>> force group = Group_Intern
>>>>>>>> valid users = @Group_Intern
>>>>>>>> create mask = 0660
>>>>>>>> directory mask = 0770
>>>>>>>> #oplocks = 0
>>>>>>>> vfs objects = full_audit recycle
>>>>>>>> full_audit:prefix = %u
>>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
>>>>>>>> full_audit:failure = none
>>>>>>>> full_audit:facility = LOCAL5
>>>>>>>> full_audit:priority = NOTICE
>>>>>>>> recycle:versions = yes
>>>>>>>> recycle:exclude = .*, ~*
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Does anyone have an idea for this problem?
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Oliver
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
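The symptom reported in this thread (a directory's group shown as the bare number 12001 instead of group_intern) can be detected automatically, which matters because `valid users = @Group_Intern` cannot be evaluated while the name is unresolved. The following is an added example, not code from the thread or from Samba: it parses the `idmap config` ranges from the member's smb.conf and flags `ls -ls` entries whose group column is a raw GID inside one of those ranges. The function names and the sample input (adapted from the quoted config and listing, with a single leading block-count column) are assumptions.

```python
import re

# Constructed sample input, adapted from the member smb.conf and ls output in the thread.
SMB_CONF = """\
[global]
idmap config *:backend = tdb
idmap config *:range = 500-9999
idmap config HQ:backend = ad
idmap config HQ:schema_mode = rfc2307
idmap config HQ:range = 10000-99999
"""
LS_LINES = [
    "4 drwxr-x--- 63 root 12001 4096 Feb 4 23:42 Share",
    "4 drwxr-x--- 63 root group_intern 4096 Feb 4 23:42 Share",
]
RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOM:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines do not match the anchor
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def unresolved_groups(ls_lines, ranges):
    """Return (name, gid, domain) for entries whose group is an unmapped numeric GID."""
    findings = []
    for line in ls_lines:
        fields = line.split()
        # ls -ls columns: blocks mode links owner group size month day time name
        if len(fields) < 10 or not fields[4].isdigit():
            continue  # group resolved to a name, or not a listing line
        gid = int(fields[4])
        for dom, (lo, hi) in ranges.items():
            if lo <= gid <= hi:
                findings.append((" ".join(fields[9:]), gid, dom))
    return findings

if __name__ == "__main__":
    for name, gid, dom in unresolved_groups(LS_LINES, idmap_ranges(SMB_CONF)):
        print(f"{name}: GID {gid} is in the {dom} idmap range but has no group name")
```
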