[Samba] AD Group lost from Winbind
Oliver Werner
oliver.werner at kontrast.de
Mon Feb 22 08:32:44 UTC 2016
hi,
we tested our problem last week with the changed parameter
server services = -winbindd +winbind
but our member server also gets the issue that winbind loses the user and group mapping for valid users.
So for the test I changed the parameter above on our three DCs.
Do I need to set this parameter on the member server also?
Oliver
> On 12.02.2016 at 11:30, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Hai,
>
> Yes, only the DCs
> Change one, test and if all ok with you, change the others.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>> Sent: Friday 12 February 2016 11:24
>> To: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Subject: Re: [Samba] AD Group lost from Winbind
>>
>> I need to change it on all DCs, right?
>>
>> So I need to change some other options on the member?
>>
>>
>>> On 12.02.2016 at 10:59, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>
>>> This all looks good to me, but the problem lies in the DC winbind code, not the member.
>>>
>>> You can try to switch back (temporarily) to winbind (on the DC).
>>> As I did; at least you get the correct IDs back (for now).
>>> For you, this is the change you need on the DC:
>>>
>>> server services = -winbindd +winbind
>>>
>>> I'm recompiling Samba 4.3.3 from sid now, so I'll test what happens.
>>>
>>> I'll report back here.
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>
>>>> -----Original message-----
>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>> Sent: Friday 12 February 2016 10:54
>>>> To: L.P.H. van Belle
>>>> CC: samba at lists.samba.org
>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>>
>>>> This is DC:
>>>> # Global parameters
>>>> [global]
>>>> workgroup = HQ
>>>> realm = HQ.INTERNAL
>>>> netbios name = DC1
>>>> server role = active directory domain controller
>>>> idmap_ldb:use rfc2307 = yes
>>>> interfaces=eth0
>>>> bind interfaces only=yes
>>>> tls enabled = yes
>>>> tls keyfile = /var/lib/samba/private/tls/key.pem
>>>> tls certfile = /var/lib/samba/private/tls/cert.pem
>>>> tls cafile = /var/lib/samba/private/tls/ca.pem
>>>>
>>>> [netlogon]
>>>> path = /var/lib/samba/sysvol/hq.kontrast/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /var/lib/samba/sysvol
>>>> read only = No
>>>>
>>>>
>>>>
>>>> member config was shown in my first e-mail
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On 12.02.2016 at 10:22, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>>
>>>>> That's strange, my members don't show this problem, only my DCs.
>>>>>
>>>>> Can you post your smb.conf of the DC and one of your member servers?
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>>>> Sent: Friday 12 February 2016 10:16
>>>>>> To: L.P.H. van Belle
>>>>>> CC: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>>>>
>>>>>> In my situation I don't use DCs for shares (only for sysvol).
>>>>>>
>>>>>>
>>>>>> So my member has the problems.
>>>>>>
>>>>>>
>>>>>>> On 12.02.2016 at 09:20, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>>>>
>>>>>>> OK, I'm having this:
>>>>>>>
>>>>>>> DCs
>>>>>>> Debian Wheezy 7.9, sernet samba 4.2.8
>>>>>>>
>>>>>>>
>>>>>>> Member servers.
>>>>>>> Debian Jessie samba 4.1.17 ( fileserver )
>>>>>>> Debian Jessie samba 4.2.7 ( print server )
>>>>>>> This one isn't updated yet with the latest updates.
>>>>>>>
>>>>>>> The following packages have been kept back:
>>>>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind
>>>>>>> The following packages will be upgraded:
>>>>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5
>>>>>>>
>>>>>>> On this one all IDs are still correct.
>>>>>>>
>>>>>>> Thanks, Daniel Müller, for your addition.
>>>>>>>
>>>>>>> This is really a big problem. What happened here in the Samba code?
>>>>>>> I've looked at the change log, but can't see anything related to this.
>>>>>>>
>>>>>>> So, does anyone (devs?) know what happened here in the Samba code?
>>>>>>> As far as I know now, I have to
>>>>>>> re-assign all my uids/gids on all users/groups with other IDs, omg what a hell...
>>>>>>> And fix all idmaps on all servers... pff... really no other fix?
>>>>>>>
>>>>>>> There goes my weekend...
>>>>>>>
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: Oliver Werner [mailto:oliver.werner at kontrast.de]
>>>>>>>> Sent: Friday 12 February 2016 9:06
>>>>>>>> To: L.P.H. van Belle
>>>>>>>> CC: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] AD Group lost from Winbind
>>>>>>>>
>>>>>>>> My OS is Debian 8.3.
>>>>>>>>
>>>>>>>> winbind and samba are at version 4.1.17
>>>>>>>>
>>>>>>>>
>>>>>>>>> On 12.02.2016 at 08:58, L.P.H. van Belle <belle at bazuin.nl> wrote:
>>>>>>>>>
>>>>>>>>> OK, same problem as I'm having.
>>>>>>>>>
>>>>>>>>> What is your os running?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
>>>>>>>>>> Sent: Friday 12 February 2016 8:56
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: [Samba] AD Group lost from Winbind
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> for the last two days I have had problems with my AD group, which is defined in the share setting valid users.
>>>>>>>>>>
>>>>>>>>>> Winbind seems to lose the mapping of this group, and so no user can connect to this share anymore.
>>>>>>>>>>
>>>>>>>>>> When I restart the winbind service, the mapping works again until the mapping is lost again.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ls -lsa shows me this when the issue occurs:
>>>>>>>>>>
>>>>>>>>>> 2 4 drwxr-x--- 63 root 12001 4096 Feb 4 23:42 Share
>>>>>>>>>>
>>>>>>>>>> After restarting winbind:
>>>>>>>>>>
>>>>>>>>>> 2 4 drwxr-x--- 63 root group_intern 4096 Feb 4 23:42 Share
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> My smb.conf looks like
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [global]
>>>>>>>>>> netbios name = MEMBER1
>>>>>>>>>> security = ADS
>>>>>>>>>> workgroup = HQ
>>>>>>>>>> realm = hq.internal
>>>>>>>>>>
>>>>>>>>>> log file = /var/log/samba/%m.log
>>>>>>>>>> log level = 1
>>>>>>>>>>
>>>>>>>>>> dedicated keytab file = /etc/krb5.keytab
>>>>>>>>>> kerberos method = secrets and keytab
>>>>>>>>>> winbind refresh tickets = yes
>>>>>>>>>>
>>>>>>>>>> winbind trusted domains only = no
>>>>>>>>>> winbind use default domain = yes
>>>>>>>>>> winbind enum users = yes
>>>>>>>>>> winbind enum groups = yes
>>>>>>>>>> winbind cache time = 300
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>> idmap config *:range = 500-9999
>>>>>>>>>>
>>>>>>>>>> # idmap config for domain HQ
>>>>>>>>>> idmap config HQ:backend = ad
>>>>>>>>>> idmap config HQ:schema_mode = rfc2307
>>>>>>>>>> idmap config HQ:range = 10000-99999
>>>>>>>>>>
>>>>>>>>>> # Use settings from AD for login shell and home directory
>>>>>>>>>> winbind nss info = rfc2307
>>>>>>>>>>
>>>>>>>>>> [Share]
>>>>>>>>>> path = /data/share
>>>>>>>>>> browseable = yes
>>>>>>>>>> writeable = yes
>>>>>>>>>> force group = Group_Intern
>>>>>>>>>> valid users = @Group_Intern
>>>>>>>>>> create mask = 0660
>>>>>>>>>> directory mask = 0770
>>>>>>>>>> #oplocks = 0
>>>>>>>>>> vfs objects = full_audit recycle
>>>>>>>>>> full_audit:prefix = %u
>>>>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite
>>>>>>>>>> full_audit:failure = none
>>>>>>>>>> full_audit:facility = LOCAL5
>>>>>>>>>> full_audit:priority = NOTICE
>>>>>>>>>> recycle:versions = yes
>>>>>>>>>> recycle:exclude = .*, ~*
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Does anyone have an idea for this problem?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Oliver
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
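The symptom reported in the first message of this thread (`ls` showing the raw gid 12001 instead of `group_intern`) can be detected automatically by comparing unresolvable group ids against the `idmap config` ranges in smb.conf. This is an added example, not part of the original thread or of Samba; the function names and the injectable `resolves` callback are assumptions, and the sample configuration is constructed from the idmap lines quoted above.

```python
import grp
import os
import re

# Constructed sample: the idmap lines of the member smb.conf quoted in the thread.
SAMPLE_CONF = """
idmap config *:backend = tdb
idmap config *:range = 500-9999
idmap config HQ:backend = ad
idmap config HQ:range = 10000-99999
"""

RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for each 'idmap config DOMAIN:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def system_resolves(gid):
    """True if NSS (winbind included) can turn this gid into a group name."""
    try:
        return bool(grp.getgrgid(gid))
    except KeyError:
        return False

def classify_gid(gid, ranges, resolves=system_resolves):
    """Return the idmap domain whose range holds an unresolvable gid, else None."""
    if resolves(gid):
        return None
    for domain, (low, high) in ranges.items():
        if low <= gid <= high:
            return domain
    return None

def check_paths(paths, conf_text, resolves=system_resolves):
    """List (path, gid, domain) for paths whose group id has lost its name."""
    ranges = idmap_ranges(conf_text)
    findings = []
    for path in paths:
        gid = os.stat(path).st_gid
        domain = classify_gid(gid, ranges, resolves)
        if domain:
            findings.append((path, gid, domain))
    return findings
```

Run periodically against the share path with the live smb.conf text, a non-empty result marks the moment the mapping was lost, which is when winbind logs are worth capturing before the service is restarted.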