[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1

Tue Feb 16 13:46:39 UTC 2016

Hi Rowland


> OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the
> workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.
>
>
I understand, but, change the workgroup involves migrate domain, right ??
Or can I simply change workgroup and restart samba ??


> Your idmap config stack is incorrect, you only have settings for the
> builtin users & groups, see here for how you should set it up:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Follow the links on that page for the correct settings.
>
>
ldconfig -v | grep winbind shows "libnss_winbind.so.2 ->
libnss_winbind.so.2"

nsswitch.conf:
passwd:      files winbind
shadow:      files winbind
group:       files winbind


I changed smb.conf in a test environment with same problem with the
following parameters.
        idmap config *:backend = tdb
        idmap config *:range = 1000-1999
        idmap config EXAMPLE.COM:range = 2000-50000
        idmap config EXAMPLE.COM:backend = ad
        idmap config EXAMPLE.COM:schema_mode = rfc2307

getent passwd show local users only
getent group show all groups (loca and domain)
wbinfo -u show nothing
wbinfo -g show all groups (local and domain)

winbindd.log show the following lines when debug level = 10,

Running "wbinfo -g"
.
.
.
[2016/02/16 11:29:26.185376,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31101]: request domain name
[2016/02/16 11:29:26.185431, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_NAME]: delivered response to
client
[2016/02/16 11:29:26.185540, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:29:26.185610,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31101]: domain_info [EXAMPLE.COM]
[2016/02/16 11:29:26.185710, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_INFO]: delivered response to
client
[2016/02/16 11:29:26.185825, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31101:LIST_GROUPS
[2016/02/16 11:29:26.185866,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups EXAMPLE.COM
[2016/02/16 11:29:26.185920,  1, pid=31022, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryGroupList: struct wbint_QueryGroupList
          in: struct wbint_QueryGroupList
[2016/02/16 11:29:26.593525,  1, pid=31022, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryGroupList: struct wbint_QueryGroupList
          out: struct wbint_QueryGroupList
              groups                   : *
                  groups: struct wbint_Principals
                      num_principals           : 562
                      principals: ARRAY(562)
                          principals: struct wbint_Principal
                              sid                      :
S-1-5-21-1479197986-680052183-3269973696-571
                              type                     : SID_NAME_DOM_GRP
(2)
                              name                     : *
                                  name                     : 'Allowed RODC
Password Replication Group'
                          principals: struct wbint_Principal
                              sid                      :
S-1-5-21-1479197986-680052183-3269973696-498
                              type                     : SID_NAME_DOM_GRP
(2)
                              name                     : *
                                  name                     : 'Enterprise
Read-Only Domain Controllers'
.
.
.


Running "wbinfo -u"

.
.
.
[2016/02/16 11:30:07.352308,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31117]: request domain name
[2016/02/16 11:30:07.352368, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_NAME]: delivered response to
client
[2016/02/16 11:30:07.352428, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:30:07.352452,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31117]: domain_info [EXAMPLE.COM]
[2016/02/16 11:30:07.352526, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_INFO]: delivered response to
client
[2016/02/16 11:30:07.352648, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31117:LIST_USERS
[2016/02/16 11:30:07.352697,  3, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users EXAMPLE.COM
[2016/02/16 11:30:07.352740,  1, pid=31022, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryUserList: struct wbint_QueryUserList
          in: struct wbint_QueryUserList
[2016/02/16 11:30:17.465320,  5, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:1132(remove_timed_out_clients)
  Idle client timed out, shutting down sock 33, pid 31053
[2016/02/16 11:31:07.763617, 10, pid=31022, effective(0, 0), real(0, 0)]
../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40c
[2016/02/16 11:31:07.763671, 10, pid=31022, effective(0, 0), real(0, 0)]
../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.763691, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:365(winbind_msg_domain_offline)
  Domain EXAMPLE.COM is marked as offline now.
[2016/02/16 11:31:07.764062,  1, pid=31022, effective(0, 0), real(0, 0)]
../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryUserList: struct wbint_QueryUserList
          out: struct wbint_QueryUserList
              users                    : *
                  users: struct wbint_userinfos
                      num_userinfos            : 0x00000000 (0)
                      userinfos: ARRAY(0)
              result                   : NT_STATUS_IO_TIMEOUT
[2016/02/16 11:31:07.764138, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
  Domain EXAMPLE.COM returned 0 users
[2016/02/16 11:31:07.764152, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain EXAMPLE.COM failed
[2016/02/16 11:31:07.764167, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[31117:LIST_USERS]: NT_STATUS_OK
[2016/02/16 11:31:07.764222, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:LIST_USERS]: delivered response to
client
[2016/02/16 11:31:07.764940,  6, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 35, client exited
[2016/02/16 11:31:07.873705, 10, pid=31022, effective(0, 0), real(0, 0)]
../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40b
[2016/02/16 11:31:07.873752, 10, pid=31022, effective(0, 0), real(0, 0)]
../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40b len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.873775, 10, pid=31022, effective(0, 0), real(0, 0),
class=winbind]
../source3/winbindd/winbindd_cm.c:385(winbind_msg_domain_online)
  Domain EXAMPLE.COM is marked as online now.