[Samba] Problem with Winbind and Windows Clients
Oliver Werner
oliver.werner at kontrast.de
Tue Mar 22 10:24:28 UTC 2016
My Logs looks like ok i can’t found errors…
my last restart of Samba and Winbind was 2 days before.
Now after restart winbind (not samba) works again for next…
Linux knows the ID of group (used with force user in share) but lost wbinfo -g
Here is an config of my share where happen.
[Kundendaten]
path = /daten/kundendaten
browseable = yes
writeable = yes
force group = Kontrast_Intern
valid users = @Kontrast_Intern
create mask = 0660
directory mask = 0770
#oplocks = 0
vfs objects = full_audit recycle
full_audit:prefix = %u
full_audit:success = mkdir rename rmdir unlink pwrite
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
recycle:versions = yes
recycle:exclude = .*, ~*
Next Information:
Our DCs are in other VLAN as member and WinClients so there is maybe a problem?
Multi-/Anycast?
kind regards
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
<https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
> Am 22.03.2016 um 11:08 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>
> Any errors atm in
>
> syslog and/or messages
>
> and the samba logs.
>
>
>
> And the interval of the problem, still 5 days?
>
>
>
>
>
>
>
> Gr.
>
>
>
> Louis
>
>
>
>
>
>
>
>
> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Verzonden: dinsdag 22 maart 2016 11:00
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
>
>
>
>
> Hi,
>
>
>
> now i have tested again with libdefaults and same problems again? :(
>
>
>
>
>
> So maybe we can found next tests with this informations:
>
>
>
>
>
> 1.
>
>
>
>
>
> the problem looks only happen on systems where much users will login.
>
>
>
>
>
> i have an archivesystem as samba member where ~10 users login => here we not have the issue.
>
>
>
>
>
> Also i have windows clients where only 3 persons can login => also not happen
>
>
>
>
>
>
>
>
> BUT:
>
>
>
>
>
> Samba Member where ~80-100 Users login over a day => problem will happen
>
>
>
>
>
> Also i have an windows client where ~80-100 Users login that will also happen
>
>
>
>
>
> 2.
>
>
> I?m using Samba 4.1.17 Debian Pkg.
>
>
>
>
>
>
>
>
>
>
>
> kind regards
>
>
>
>
>
> OLIVER WERNER
> System-Administrator
>
>
>
>
> Kontrast Communication Services GmbH
> Grafenberger Allee 100, 40237 Düsseldorf, Germany
>
> Fon +49-211-91505-500
> Fax +49-211-91505-530
> www.kontrast.de
>
> Amtsgericht Düsseldorf: HRB 26934
> Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
>
>
>
>
>
>
>
>
>
>
> Am 18.03.2016 um 09:47 schrieb Oliver Werner <oliver.werner at kontrast.de>:
>
>
>
>
> Ok i will test it.
>
>
>
>
>
>
> So i have one more information that can maybe help?
>
>
>
>
>
> the problem looks only happen on systems where much users will login.
>
>
>
>
>
> i have an archive system as samba member where ~10 users login => here we not have the issue.
>
>
>
>
>
> Also i have windows clients where only 3 persons can login => also not happen
>
>
>
>
>
>
>
>
> BUT:
>
>
>
>
>
> Samba Member where ~80-100 Users login over a day => problem will happen
>
>
>
>
>
> Also i have an windows client where ~80-100 Users login that will also happen
>
>
>
>
>
>
>
>
> that can help for more ideas :)?
>
>
>
>
>
>
>
>
> Greetz
>
>
>
>
>
> OLIVER WERNER
> System-Administrator
>
>
>
>
> Kontrast Communication Services GmbH
> Grafenberger Allee 100, 40237 Düsseldorf, Germany
>
> Fon +49-211-91505-500
> Fax +49-211-91505-530
> www.kontrast.de
>
> Amtsgericht Düsseldorf: HRB 26934
> Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
>
>
>
>
>
>
>
>
>
>
> Am 18.03.2016 um 09:31 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>
>
>
>
> Ok,
>
>
>
> Its still every 5 days?
>
>
>
> Change krb5.conf to on DC and Member servers to
>
>
>
> [libdefaults]
>
> default_realm = HQ.KONTRAST
>
> dns_lookup_kdc = true
>
> dns_lookup_realm = false
>
> ticket_lifetime = 24h
>
> ccache_type = 4
>
> forwardable = true
>
> proxiable = true
>
>
>
> Now Reboot DC and Member and pc.
>
> This is how im run my config and i have multiple pc?s always logged in.
>
>
>
> My last option. :-/ you configs are good, so im getting out of options.
>
>
>
> Optionaly you can also try to recreate you keytab file. ( backup old )
>
> But thats normaly not needed, i do that if i changes for example ?password expires ? on a service account user.
>
>
>
> Greetz,
>
>
>
> Louis
>
>
>
>
>
>
>
>
>
>
>
>
> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Verzonden: vrijdag 18 maart 2016 9:11
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
>
>
>
>
> Hi,
>
>
>
>
> Next test is failed.
>
>
>
>
>
> My Windows Clients lost everytime AD Authentication so i need to reboot.
>
>
> On Samba i need also to restart winbind service since some hours?
>
>
>
>
>
> here my samba and wind bind Versions
>
>
>
>
>
> Samba: Version 4.1.17-Debian
>
>
> Winbind: Version 4.1.17-Debian
>
>
>
>
>
>
>
>
> Greetz
>
>
>
>
> OLIVER WERNER
> System-Administrator
>
>
>
>
> Kontrast Communication Services GmbH
> Grafenberger Allee 100, 40237 Düsseldorf, Germany
>
> Fon +49-211-91505-500
> Fax +49-211-91505-530
> www.kontrast.de
>
> Amtsgericht Düsseldorf: HRB 26934
> Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
>
>
>
>
>
>
>
>
>
>
> Am 15.03.2016 um 11:10 schrieb L.P.H. van Belle <belle at bazuin.nl>:
>
>
>
>
> Ok, next test.
>
> Change :
> kerberos method = secrets and keytab
> to
> kerberos method = secrets
>
> and wait again.
>
> I'll explain by giving this link.
> http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog
>
> Look at the last line bugfix in this change log of 4.3.6.
> Im testing here also, because this looks like its also involves the kerberos changes, now, i forgot what you was running, but this is an easy test.
>
> Is ntp installed on this machine, if not, install it and point it to the DC.
> Just to be sure.
> On the DC's, make sure your DC dont use any pool ntp servers.
> Point it to a stable ntp. ( preffered in germany, like, ntps1-0.eecsit.tu-berlin.de (130.149.17.21) )
>
>
> Greetz,
>
> Louis
>
>
>
>
>
>
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner
> Verzonden: dinsdag 15 maart 2016 10:43
> Aan: Rowland penny
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] Problem with Winbind and Windows Clients
>
> Hi,
>
> So now i have same Problem with Logins.
>
> On Linux AD member i need to restart win bind again and again for working
> samba shares.
> On Windows clients i need to restart machine completely
>
> so now i don?t have any idea
>
> kind regards
>
> OLIVER WERNER
> System-Administrator
>
>
>
>
> Kontrast Communication Services GmbH
> Grafenberger Allee 100, 40237 Düsseldorf, Germany
>
> Fon +49-211-91505-500
> Fax +49-211-91505-530
> www.kontrast.de <http://www.kontrast.de/>
>
> Amtsgericht Düsseldorf: HRB 26934
> Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der
> Vlist
>
> <https://www.facebook.com/kontrast.communication>
> <https://twitter.com/KONTRAST_de>
> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh>
> <http://www.linkedin.com/company/kontrast-communication-services-gmbh>
> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
>
>
>
>
> Am 11.03.2016 um 10:52 schrieb Oliver Werner
>
> <oliver.werner at kontrast.de>:
>
>
>
>
> Ok, now my smb.con on DCs looks
>
> [global]
> workgroup = HQKONTRAST
> realm = HQ.KONTRAST
> netbios name = VL0227
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> interfaces = eth0:35
> bind interfaces only=yes
> log level = 3
>
> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile = /var/lib/samba/private/tls/ca.pem
>
>
> on Member smb.conf
> [global]
> netbios name = VL0173
> security = ADS
> workgroup = HQKONTRAST
> realm = hq.kontrast
>
> log file = /var/log/samba/%m.log
> log level = 3
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 300
>
>
> # Default idmap config used for BUILTIN and local accounts/groups
> idmap config *:backend = tdb
> idmap config *:range = 500-1023
>
> # idmap config for domain HQKONTRAST
> idmap config HQKONTRAST:backend = ad
> idmap config HQKONTRAST:schema_mode = rfc2307
> idmap config HQKONTRAST:range = 1024-99999
>
> # Use settings from AD for login shell and home directory
> winbind nss info = rfc2307
>
> and on all machines krb5.conf
> [libdefaults]
> default_realm = HQ.KONTRAST
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> I will test it next days.
>
> Thanks for help right now :D
>
> kind regards
> OLIVER WERNER
> System-Administrator
>
>
>
>
>
> Kontrast Communication Services GmbH
> Grafenberger Allee 100, 40237 Düsseldorf, Germany
>
> Fon +49-211-91505-500
> Fax +49-211-91505-530
> www.kontrast.de <http://www.kontrast.de/>
>
> Amtsgericht Düsseldorf: HRB 26934
> Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der
>
> Vlist
>
>
>
>
> <https://www.facebook.com/kontrast.communication>
>
> <https://twitter.com/KONTRAST_de>
> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh>
> <http://www.linkedin.com/company/kontrast-communication-services-gmbh>
> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
>
>
>
>
> Note: The information contained in this message may be privileged and
>
> confidential and protected from disclosure. If the reader of this message
> is not the intended recipient, or an employee or agent responsible for
> delivering this message to the intended recipient, you are hereby notified
> that any dissemination, distribution or copying of this communication is
> strictly prohibited. If you have received this communication in error,
> please notify us immediately by replying to the message and deleting it
> from your computer.
>
>
>
>
> Please consider the environment and only print this if required.
>
>
>
>
>
> Am 11.03.2016 um 10:47 schrieb Rowland penny <rpenny at samba.org>:
>
> On 11/03/16 09:40, Oliver Werner wrote:
>
>
>
> Haha, really? :D
>
> It should be possible without reboot not?
>
> OLIVER WERNER
> System-Administrator
>
>
>
>
>
>
>
>
> Yes, remove the kdc lines :-D
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.samba.org/pipermail/samba/attachments/20160322/8f803080/signature.sig>
More information about the samba
mailing list