[Samba] Problem with Winbind and Windows Clients
L.P.H. van Belle
belle at bazuin.nl
Fri Mar 18 08:31:40 UTC 2016
Ok,
It's still every 5 days?
Change krb5.conf on DC and Member servers to:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
ccache_type = 4
forwardable = true
proxiable = true
Now reboot DC and Member and PC.
This is how I run my config and I have multiple PCs always logged in.
My last option. :-/ Your configs are good, so I'm running out of options.
Optionally you can also try to recreate your keytab file (back up the old one).
But that's normally not needed; I do that if I change, for example, "password expires" on a service account user.
Greetz,
Louis
From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday 18 March 2016 9:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients
Hi,
Next test has failed.
My Windows clients lose AD authentication every time, so I need to reboot.
On Samba I also need to restart the winbind service since some hours.
Here are my Samba and winbind versions:
Samba: Version 4.1.17-Debian
Winbind: Version 4.1.17-Debian
Greetz
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
On 15.03.2016 at 11:10, L.P.H. van Belle <belle at bazuin.nl> wrote:
Ok, next test.
Change :
kerberos method = secrets and keytab
to
kerberos method = secrets
and wait again.
I'll explain by giving this link.
http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog
Look at the last line bugfix in this change log of 4.3.6.
I'm testing here also, because this looks like it also involves the Kerberos changes. Now, I forgot what you were running, but this is an easy test.
Is ntp installed on this machine? If not, install it and point it to the DC.
Just to be sure.
On the DCs, make sure your DCs don't use any pool ntp servers.
Point it to a stable ntp (preferably in Germany, like ntps1-0.eecsit.tu-berlin.de (130.149.17.21)).
Greetz,
Louis
-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
Sent: Tuesday 15 March 2016 10:43
To: Rowland penny
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients
Hi,
So now I have the same problem with logins.
On the Linux AD member I need to restart winbind again and again for working
Samba shares.
On Windows clients I need to restart the machine completely,
so now I don't have any idea.
kind regards
OLIVER WERNER
On 11.03.2016 at 10:52, Oliver Werner <oliver.werner at kontrast.de> wrote:
OK, now my smb.conf on the DCs looks like this:
[global]
workgroup = HQKONTRAST
realm = HQ.KONTRAST
netbios name = VL0227
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = eth0:35
bind interfaces only=yes
log level = 3
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem
on Member smb.conf
[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast
log file = /var/log/samba/%m.log
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023
# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
and on all machines krb5.conf
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
I will test it over the next days.
Thanks for help right now :D
kind regards
OLIVER WERNER
On 11.03.2016 at 10:47, Rowland penny <rpenny at samba.org> wrote:
On 11/03/16 09:40, Oliver Werner wrote:
Haha, really? :D
It should be possible without a reboot, no?
OLIVER WERNER
System-Administrator
Yes, remove the kdc lines :-D
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba