[Samba] AD Group lost from Winbind
Rowland Penny
rpenny at samba.org
Mon Feb 22 09:21:42 UTC 2016
On 22/02/16 08:32, Oliver Werner wrote:
> Hi,
>
> Last week we tested our problem with the changed parameter
>
> server services = -winbindd +winbind
>
> but our member server also gets the issue that winbind loses the user and group mapping for valid users.
>
> So for the test I changed the parameter above on our three DCs.
>
> Do I need to set this parameter on the member server as well?
>
>
> Oliver
>
>
>
OK, I have been rereading this thread and I think Louis may have been
sending you off on a wild goose chase here. If the problem occurs on a
domain member, it very probably has nothing to do with how smb.conf is
set up on the DC.

What I did notice (and it is probably a typo) is this:

In domain member smb.conf: realm = hq.internal

In DC smb.conf:

    [netlogon]
    path = /var/lib/samba/sysvol/hq.kontrast/scripts

Which is it? 'hq.internal' or 'hq.kontrast'?

You should also add these lines to the smb.conf on the domain member:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

Have you given a uidNumber attribute to users in AD and if you have,
does this include Administrator?

Have you given a gidNumber attribute to groups in AD and if you have,
does this include groups such as Administrators?

To be honest, it sounds like the Kerberos ticket could be expiring and
not getting renewed.

Rowland
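
Added example, not part of the original message and not Samba project code: a small checker for the two smb.conf points raised above, the realm on the member versus the realm directory in the DC's netlogon path, and the three recommended member settings. It assumes those settings belong in [global] and that the netlogon path has the form .../sysvol/<realm>/scripts; the function names and sample input are constructed for illustration.

```python
import re

YES = {"yes", "true", "1"}  # smb.conf boolean spellings
# (parameter, value from the reply, accepted tokens) for the member's smb.conf
RECOMMENDED = [
    ("vfs objects", "acl_xattr", {"acl_xattr"}),
    ("map acl inherit", "yes", YES),
    ("store dos attributes", "yes", YES),
]

def norm(name):  # smb.conf ignores case and whitespace in names
    return "".join(name.lower().split())

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}, names normalised."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # indentation is not significant
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(norm(line[1:-1]), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[norm(key)] = value.strip()
    return conf

def check_member(member_text, dc_text):
    """Return findings for a domain member / DC smb.conf pair."""
    glob = parse_smb_conf(member_text).get("global", {})
    path = parse_smb_conf(dc_text).get("netlogon", {}).get("path", "")
    findings = []
    realm = glob.get("realm", "").lower()
    # Assumption: the DC's netlogon path has the form .../sysvol/<realm>/scripts
    m = re.search(r"/sysvol/([^/]+)/scripts/?$", path)
    if m and realm and m.group(1).lower() != realm:
        findings.append(f"realm mismatch: member {realm}, DC sysvol {m.group(1)}")
    for name, value, accepted in RECOMMENDED:
        have = glob.get(norm(name))
        if have is None:
            findings.append(f"missing: {name} = {value}")
        elif not accepted & set(re.split(r"[\s,]+", have.lower())):
            findings.append(f"unexpected: {name} = {have}")
    return findings

# Constructed sample input, built from the values quoted in the message above
MEMBER = "[global]\n  realm = hq.internal\n  Store DOS Attributes = Yes\n"
DC = "[netlogon]\n  path = /var/lib/samba/sysvol/hq.kontrast/scripts\n"
if __name__ == "__main__":
    print("\n".join(check_member(MEMBER, DC)))
```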