[Samba] Problem with Winbind and Windows Clients

L.P.H. van Belle belle at bazuin.nl
Fri Mar 18 08:31:40 UTC 2016


Ok,

It's still every 5 days?

Change krb5.conf on DC and member servers to:

[libdefaults]
    default_realm = HQ.KONTRAST
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Now reboot DC and member and PC.
This is how I run my config, and I have multiple PCs always logged in.

My last option. :-/ Your configs are good, so I'm running out of options.

Optionally you can also try to recreate your keytab file (back up the old one).
But that's normally not needed; I do that if I change, for example, "password expires" on a service account user.

Greetz,

Louis
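
The settings suggested in this thread (the [libdefaults] values above and "kerberos method = secrets" from the earlier message quoted below) have to be in place on every DC and member server, so a small drift check can confirm that before waiting days for the next failure. This is an added example, not part of the original post and not Samba code; the file contents are constructed from the configs quoted in the thread, and parse_section and drift are hypothetical helper names.

```python
import re

# Constructed samples, modelled on the "before" configs quoted in this thread.
KRB5_CONF = """\
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
"""
SMB_CONF = """\
[global]
     security = ADS
     # keytab handling
     kerberos method = secrets and keytab
     winbind refresh tickets = yes
"""
# Values suggested in the thread (assumption: compared as exact strings).
WANTED_KRB5 = {"default_realm": "HQ.KONTRAST", "dns_lookup_kdc": "true",
               "dns_lookup_realm": "false", "ticket_lifetime": "24h",
               "ccache_type": "4", "forwardable": "true", "proxiable": "true"}
WANTED_SMB = {"kerberos method": "secrets"}


def parse_section(text, section):
    """Return {key: value} for one [section] of a krb5.conf/smb.conf style file."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        if current == section and "=" in line:
            key, value = line.split("=", 1)
            # Lower-case the key and collapse whitespace runs, so that
            # "Kerberos  Method" is treated the same as "kerberos method".
            values[" ".join(key.lower().split())] = value.strip()
    return values


def drift(text, section, wanted):
    """List (key, found, wanted) for each setting that is missing or differs."""
    have = parse_section(text, section)
    return [(k, have.get(k), v) for k, v in wanted.items() if have.get(k) != v]


if __name__ == "__main__":
    for name, text, sect, wanted in (("krb5.conf", KRB5_CONF, "libdefaults", WANTED_KRB5),
                                     ("smb.conf", SMB_CONF, "global", WANTED_SMB)):
        for key, found, want in drift(text, sect, wanted):
            print(f"{name}: {key} is {found!r}, thread suggests {want!r}")
```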

 

 

 

 

 


From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday 18 March 2016 9:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

Next test failed.

My Windows clients lose AD authentication every time, so I need to reboot.
On Samba I also need to restart the winbind service since some hours?

Here are my Samba and winbind versions:

Samba: Version 4.1.17-Debian
Winbind: Version 4.1.17-Debian

Greetz

OLIVER WERNER
System-Administrator

Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Phone +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de

Düsseldorf District Court: HRB 26934
Managing directors: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist

On 15.03.2016 at 11:10, L.P.H. van Belle <belle at bazuin.nl> wrote:


 

Ok, next test.

Change:
kerberos method = secrets and keytab
to
kerberos method = secrets

and wait again.

I'll explain by giving this link.
http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog

Look at the last bugfix line in this changelog of 4.3.6.
I'm testing here also, because this looks like it also involves the Kerberos changes. Now, I forgot what you were running, but this is an easy test.

Is ntp installed on this machine? If not, install it and point it to the DC.
Just to be sure.
On the DCs, make sure your DC doesn't use any pool ntp servers.
Point it to a stable ntp (preferably in Germany, like ntps1-0.eecsit.tu-berlin.de (130.149.17.21)).

Greetz,

Louis






-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
Sent: Tuesday 15 March 2016 10:43
To: Rowland penny
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

So now I have the same problem with logins.

On the Linux AD member I need to restart winbind again and again for working
Samba shares.
On Windows clients I need to restart the machine completely.

So now I don't have any idea.

Kind regards

OLIVER WERNER
System-Administrator








On 11.03.2016 at 10:52, Oliver Werner <oliver.werner at kontrast.de> wrote:

Ok, now my smb.conf on the DCs looks like this:

[global]
 workgroup = HQKONTRAST
 realm = HQ.KONTRAST
 netbios name = VL0227
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 interfaces = eth0:35
 bind interfaces only=yes
 log level = 3

 tls enabled  = yes
 tls keyfile  = /var/lib/samba/private/tls/key.pem
 tls certfile = /var/lib/samba/private/tls/cert.pem
 tls cafile   = /var/lib/samba/private/tls/ca.pem


On the member, smb.conf:
[global]
     netbios name = VL0173
     security = ADS
     workgroup = HQKONTRAST
     realm = hq.kontrast

     log file = /var/log/samba/%m.log
     log level = 3

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     winbind refresh tickets = yes

     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes
     winbind cache time = 300


     # Default idmap config used for BUILTIN and local accounts/groups
     idmap config *:backend = tdb
     idmap config *:range = 500-1023

     # idmap config for domain HQKONTRAST
     idmap config HQKONTRAST:backend = ad
     idmap config HQKONTRAST:schema_mode = rfc2307
     idmap config HQKONTRAST:range = 1024-99999

     # Use settings from AD for login shell and home directory
     winbind nss info = rfc2307

And on all machines, krb5.conf:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true

I will test it over the next days.

Thanks for the help right now :D

Kind regards
OLIVER WERNER
System-Administrator










On 11.03.2016 at 10:47, Rowland penny <rpenny at samba.org> wrote:

On 11/03/16 09:40, Oliver Werner wrote:



Haha, really? :D

It should be possible without a reboot, no?

OLIVER WERNER
System-Administrator








Yes, remove the kdc lines :-D

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

