[Samba] Problem with Winbind and Windows Clients

L.P.H. van Belle belle at bazuin.nl
Tue Mar 22 11:10:05 UTC 2016


The only thing I can think of now is to enable higher log levels on the problem member server so we can have a better look into the problem.
I'm out of options; your config looks good, and I don't think it's the vlanning.

Add in smb.conf something like:

log level = 3 passdb:5 auth:10 winbind:10

and wait again until the problem exists.

You may need to increase the max log size.

Rowland, do you have any suggestions?

Greetz,

Louis


From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Tuesday, 22 March 2016 11:24
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

My logs look OK, I can't find errors...

My last restart of Samba and Winbind was 2 days ago.

Now after restart winbind (not samba) works again for next...

Linux knows the ID of the group (used with force user in share) but lost wbinfo -g

Here is the config of my share where it happens.

[Kundendaten]
   path = /daten/kundendaten
   browseable = yes
   writeable = yes
   force group = Kontrast_Intern
   valid users = @Kontrast_Intern
   create mask = 0660
   directory mask = 0770
   #oplocks = 0
   vfs objects = full_audit recycle
   full_audit:prefix = %u
   full_audit:success = mkdir rename rmdir unlink pwrite
   full_audit:failure = none
   full_audit:facility = LOCAL5
   full_audit:priority = NOTICE
   recycle:versions = yes
   recycle:exclude = .*, ~*

Next information:

Our DCs are in a different VLAN than the member and WinClients, so maybe there is a problem?

Multi-/Anycast?

kind regards

OLIVER WERNER
System-Administrator

Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Phone +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de

Düsseldorf District Court: HRB 26934
Managing Directors: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist

On 22.03.2016 at 11:08, L.P.H. van Belle <belle at bazuin.nl> wrote:

Any errors atm in
syslog and/or messages
and the samba logs.

And the interval of the problem, still 5 days?

Gr.

Louis

From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Tuesday, 22 March 2016 11:00
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

now I have tested again with libdefaults and the same problems again... :(

So maybe we can find the next tests with this information:

1.

The problem seems to happen only on systems where many users log in.

I have an archive system as a Samba member where ~10 users log in => here we do not have the issue.

Also I have Windows clients where only 3 persons can log in => it also does not happen.

BUT:

Samba member where ~80-100 users log in over a day => the problem will happen.

Also I have a Windows client where ~80-100 users log in; that will also happen.

2.

I'm using Samba 4.1.17 Debian Pkg.

kind regards

OLIVER WERNER
System-Administrator


 


On 18.03.2016 at 09:47, Oliver Werner <oliver.werner at kontrast.de> wrote:

OK, I will test it.

So I have one more piece of information that can maybe help...

The problem seems to happen only on systems where many users log in.

I have an archive system as a Samba member where ~10 users log in => here we do not have the issue.

Also I have Windows clients where only 3 persons can log in => it also does not happen.

BUT:

Samba member where ~80-100 users log in over a day => the problem will happen.

Also I have a Windows client where ~80-100 users log in; that will also happen.

that can help for more ideas :)?

Greetz

OLIVER WERNER
System-Administrator


 


On 18.03.2016 at 09:31, L.P.H. van Belle <belle at bazuin.nl> wrote:

Ok,

It's still every 5 days?

Change krb5.conf on DC and member servers to

[libdefaults]
    default_realm = HQ.KONTRAST
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Now reboot DC and member and PC.

This is how I run my config and I have multiple PCs always logged in.

My last option. :-/ Your configs are good, so I'm getting out of options.

Optionally you can also try to recreate your keytab file (back up the old one).

But that's normally not needed; I do that if I change, for example, "password expires" on a service account user.

Greetz,

Louis

From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday, 18 March 2016 9:11
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

The next test failed.

My Windows clients lose AD authentication every time, so I need to reboot.
On Samba I also need to restart the winbind service since some hours...

Here are my Samba and winbind versions:

Samba: Version 4.1.17-Debian
Winbind: Version 4.1.17-Debian

Greetz

OLIVER WERNER
System-Administrator


 


On 15.03.2016 at 11:10, L.P.H. van Belle <belle at bazuin.nl> wrote:

Ok, next test.

Change:
kerberos method = secrets and keytab
to
kerberos method = secrets

and wait again.

I'll explain by giving this link.
http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog

Look at the last line bugfix in this change log of 4.3.6.
I'm testing here also, because this looks like it also involves the kerberos changes. Now, I forgot what you were running, but this is an easy test.

Is ntp installed on this machine? If not, install it and point it to the DC.
Just to be sure.
On the DCs, make sure your DC doesn't use any pool ntp servers.
Point it to a stable ntp (preferably in Germany, like ntps1-0.eecsit.tu-berlin.de (130.149.17.21)).

Greetz,

Louis

-----Original message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
Sent: Tuesday, 15 March 2016 10:43
To: Rowland penny
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

So now I have the same problem with logins.

On the Linux AD member I need to restart winbind again and again for working
samba shares.
On Windows clients I need to restart the machine completely,

so now I don't have any idea.

kind regards

OLIVER WERNER
System-Administrator





On 11.03.2016 at 10:52, Oliver Werner <oliver.werner at kontrast.de> wrote:

OK, now my smb.conf on the DCs looks like this:

[global]
 workgroup = HQKONTRAST
 realm = HQ.KONTRAST
 netbios name = VL0227
 server role = active directory domain controller
 idmap_ldb:use rfc2307 = yes
 interfaces = eth0:35
 bind interfaces only=yes
 log level = 3

 tls enabled  = yes
 tls keyfile  = /var/lib/samba/private/tls/key.pem
 tls certfile = /var/lib/samba/private/tls/cert.pem
 tls cafile   = /var/lib/samba/private/tls/ca.pem


On the member, smb.conf:
[global]
     netbios name = VL0173
     security = ADS
     workgroup = HQKONTRAST
     realm = hq.kontrast

     log file = /var/log/samba/%m.log
     log level = 3

     dedicated keytab file = /etc/krb5.keytab
     kerberos method = secrets and keytab
     winbind refresh tickets = yes

     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes
     winbind cache time = 300


     # Default idmap config used for BUILTIN and local accounts/groups
     idmap config *:backend = tdb
     idmap config *:range = 500-1023

     # idmap config for domain HQKONTRAST
     idmap config HQKONTRAST:backend = ad
     idmap config HQKONTRAST:schema_mode = rfc2307
     idmap config HQKONTRAST:range = 1024-99999

     # Use settings from AD for login shell and home directory
     winbind nss info = rfc2307

and on all machines krb5.conf
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true

I will test it in the next days.

Thanks for help right now :D

kind regards
OLIVER WERNER
System-Administrator






On 11.03.2016 at 10:47, Rowland penny <rpenny at samba.org> wrote:

On 11/03/16 09:40, Oliver Werner wrote:

Haha, really? :D

It should be possible without a reboot, no?

OLIVER WERNER
System-Administrator

Yes, remove the kdc lines :-D

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
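
Added example, not part of the original thread and not code from the Samba project: a small probe for the member server that records when the `wbinfo` checks start failing, so the matching window in the raised-level winbind log can be found once the problem recurs. The log path, the interval and the function names are assumptions; `wbinfo -p`, `-t` and `-g` are the standard ping, trust-secret and domain-group checks.

```shell
#!/bin/sh
# Added example (not from the thread): timestamp the moment winbind stops answering.
WBINFO="${WBINFO:-wbinfo}"                                  # overridable for testing
STATE_LOG="${STATE_LOG:-/var/log/samba/winbind-probe.log}"  # assumed path

# Print "ok", or "FAIL:" followed by the names of the checks that failed.
probe_winbind() {
    failed=""
    "$WBINFO" -p >/dev/null 2>&1 || failed="$failed ping"    # is winbindd responding?
    "$WBINFO" -t >/dev/null 2>&1 || failed="$failed trust"   # is the machine secret valid?
    # Group enumeration is the symptom reported in the thread; treat an
    # error or an empty list as a failure.
    group_list=$("$WBINFO" -g 2>/dev/null) || group_list=""
    [ -n "$group_list" ] || failed="$failed groups"
    if [ -z "$failed" ]; then echo "ok"; else echo "FAIL:$failed"; fi
}

# Append a UTC-stamped line only when the state changes, so the log holds
# one line per transition instead of one line per poll.
record_state() {
    new_state="$1"
    last_state=""
    if [ -s "$STATE_LOG" ]; then
        last_state=$(tail -n 1 "$STATE_LOG" | cut -d' ' -f2-)
    fi
    if [ "$new_state" != "$last_state" ]; then
        echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) $new_state" >> "$STATE_LOG"
    fi
}

# Run as: winbind-probe.sh --watch   (INTERVAL in seconds, default 60)
if [ "${1:-}" = "--watch" ]; then
    while :; do
        record_state "$(probe_winbind)"
        sleep "${INTERVAL:-60}"
    done
fi
```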

