[Samba] AD Group lost from Winbind

Oliver Werner oliver.werner at kontrast.de
Fri Feb 12 10:24:14 UTC 2016


i need to change it on all DCs, right?

so i need to change some other options on member?


> Am 12.02.2016 um 10:59 schrieb L.P.H. van Belle <belle at bazuin.nl>:
> 
> This looks all good to me but the problem lays in the DC winbind code, not the member.
> 
> You can try to witch back ( temperarly ) to winbind ( on the DC )
> As i did, al least you get the correct id's back. ( for now )
> For you this the change you need on the DC.
> 
> server services = -winbindd +winbind
> 
> Im recompiling the samba 4.3.3 from sid now atm, so ill test them out what happpens.
> 
> I'll report back here.
> 
> Greetz,
> 
> Louis
> 
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
>> Verzonden: vrijdag 12 februari 2016 10:54
>> Aan: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] AD Group lost from Winbind
>> 
>> This is DC:
>> # Global parameters
>> [global]
>> 	workgroup = HQ
>> 	realm = HQ.INTERNAL
>> 	netbios name = DC1
>> 	server role = active directory domain controller
>> 	idmap_ldb:use rfc2307 = yes
>>   interfaces=eth0
>>   bind interfaces only=yes
>> 	tls enabled  = yes
>> 	tls keyfile  = /var/lib/samba/private/tls/key.pem
>> 	tls certfile = /var/lib/samba/private/tls/cert.pem
>> 	tls cafile   = /var/lib/samba/private/tls/ca.pem
>> 
>> [netlogon]
>> 	path = /var/lib/samba/sysvol/hq.kontrast/scripts
>> 	read only = No
>> 
>> [sysvol]
>> 	path = /var/lib/samba/sysvol
>> 	read only = No
>> 
>> 
>> 
>> member config was shown in my first e-mail
>> 
>> 
>> 
>> 
>> 
>> 
>>> Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>>> 
>>> Thats strange, my members dont show this the problem, only my DC's
>>> 
>>> Can you post your smb.conf of the DC and one of your member servers.
>>> 
>>> 
>>> Greetz,
>>> 
>>> Louis
>>> 
>>> 
>>>> -----Oorspronkelijk bericht-----
>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>> Verzonden: vrijdag 12 februari 2016 10:16
>>>> Aan: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind
>>>> 
>>>> In my Situation i don?t use DCs for Shares (only for sysvol)
>>>> 
>>>> 
>>>> So my Member is has the problems.
>>>> 
>>>> 
>>>>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>>>>> 
>>>>> Ok, im having this :
>>>>> 
>>>>> DC's
>>>>> Debian Wheezy 7.9, sernet samba 4.2.8
>>>>> 
>>>>> 
>>>>> Member servers.
>>>>> Debian Jessie samba 4.1.17 ( fileserver )
>>>>> Debian Jessie samba 4.2.7  ( print server )
>>>>> 	This one isnt updated yet with latest updates.
>>>>> 
>>>>> The following packages have been kept back:
>>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-
>>>> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
>>>>> The following packages will be upgraded:
>>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3
>>>> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0
>>>> libtiff5
>>>>> 
>>>>> on this one all id's are still correct.
>>>>> 
>>>>> Thanks, Daniel Müller, for your addition..
>>>>> 
>>>>> This is really a big problem.. what happend her in the samba code?
>>>>> I've looked at the change log, but cant seen any related to this.
>>>>> 
>>>>> So if anyone DEVS ? know what happend here in the samba code.
>>>>> As far as i now know i have to.
>>>>> Re-assign all my  uid / gids on all users / groups, with other id's,
>> omg
>>>> wat a hell...
>>>>> And fix all idmaps on all servers.. pff. ... really no other fix ?
>>>>> 
>>>>> There goes my weekend...
>>>>> 
>>>>> 
>>>>> Greetz,
>>>>> 
>>>>> Louis
>>>>> 
>>>>> 
>>>>> 
>>>>>> -----Oorspronkelijk bericht-----
>>>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>>>> Verzonden: vrijdag 12 februari 2016 9:06
>>>>>> Aan: L.P.H. van Belle
>>>>>> CC: samba at lists.samba.org
>>>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind
>>>>>> 
>>>>>> my os is debian 8.3
>>>>>> 
>>>>>> win bind and samba are in version 4.1.17
>>>>>> 
>>>>>> 
>>>>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>>>>>>> 
>>>>>>> Ok, same problem as im having..
>>>>>>> 
>>>>>>> What is your os running?
>>>>>>> 
>>>>>>> 
>>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver
>>>> Werner
>>>>>>>> Verzonden: vrijdag 12 februari 2016 8:56
>>>>>>>> Aan: samba at lists.samba.org
>>>>>>>> Onderwerp: [Samba] AD Group lost from Winbind
>>>>>>>> 
>>>>>>>> Hello,
>>>>>>>> 
>>>>>>>> the last two days i have problems with my AD group which is defined
>>>> in
>>>>>>>> share setting valid users
>>>>>>>> 
>>>>>>>> Winbind looks to lost mapping of this group and so no user can
>>>> connect
>>>>>> to
>>>>>>>> this share anymore.
>>>>>>>> 
>>>>>>>> When restart winbind service mapping works again until mapping lost
>>>>>> again.
>>>>>>>> 
>>>>>>>> 
>>>>>>>> ls -lsa shows me in issue this:
>>>>>>>> 
>>>>>>>>     2      4 drwxr-x---  63 root               12001
>>>>>>>> 4096 Feb  4 23:42 Share
>>>>>>>> 
>>>>>>>> After restarting winbind:
>>>>>>>> 
>>>>>>>>     2      4 drwxr-x---  63 root               group_intern
>>>>>>>> 4096 Feb  4 23:42 Share
>>>>>>>> 
>>>>>>>> 
>>>>>>>> My smb.conf looks like
>>>>>>>> 
>>>>>>>> 
>>>>>>>> [global]
>>>>>>>>    netbios name = MEMBER1
>>>>>>>>    security = ADS
>>>>>>>>    workgroup = HQ
>>>>>>>>    realm = hq.internal
>>>>>>>> 
>>>>>>>>    log file = /var/log/samba/%m.log
>>>>>>>>    log level = 1
>>>>>>>> 
>>>>>>>>    dedicated keytab file = /etc/krb5.keytab
>>>>>>>>    kerberos method = secrets and keytab
>>>>>>>>    winbind refresh tickets = yes
>>>>>>>> 
>>>>>>>>    winbind trusted domains only = no
>>>>>>>>    winbind use default domain = yes
>>>>>>>>    winbind enum users  = yes
>>>>>>>>    winbind enum groups = yes
>>>>>>>> 	winbind cache time = 300
>>>>>>>> 
>>>>>>>> 
>>>>>>>>    idmap config *:backend = tdb
>>>>>>>>    idmap config *:range = 500-9999
>>>>>>>> 
>>>>>>>>    # idmap config for domain HQ
>>>>>>>>    idmap config HQ:backend = ad
>>>>>>>>    idmap config HQ:schema_mode = rfc2307
>>>>>>>>    idmap config HQ:range = 10000-99999
>>>>>>>> 
>>>>>>>>    # Use settings from AD for login shell and home directory
>>>>>>>>    winbind nss info = rfc2307
>>>>>>>> 
>>>>>>>> [Share]
>>>>>>>> path = /data/share
>>>>>>>> browseable = yes
>>>>>>>> writeable = yes
>>>>>>>> force group = Group_Intern
>>>>>>>> valid users = @Group_Intern
>>>>>>>> create mask = 0660
>>>>>>>> directory mask = 0770
>>>>>>>> #oplocks = 0
>>>>>>>> vfs objects = full_audit recycle
>>>>>>>> full_audit:prefix = %u
>>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
>>>>>>>> full_audit:failure = none
>>>>>>>> full_audit:facility = LOCAL5
>>>>>>>> full_audit:priority = NOTICE
>>>>>>>> recycle:versions = yes
>>>>>>>> recycle:exclude = .*, ~*
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Anyone has an idea for this problem?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> Regards
>>>>>>>> Oliver
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>> 
>>>>>>> 
>>>>>>> --
>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> 
>>> 
>>> 
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.samba.org/pipermail/samba/attachments/20160212/c6a834de/signature.sig>


More information about the samba mailing list