[Samba] samba4 AD - winbind Could not write result

Rowland penny rpenny at samba.org
Mon May 23 16:18:32 UTC 2016


On 23/05/16 16:36, Sam wrote:
> Le 23/05/2016 à 14:46, Rowland penny a écrit :
>> On 23/05/16 12:56, Sam wrote:
>> It looks like your problems have nothing to do with dhcp, one problem 
>> appears to be related to dnssec:
>>
>> May 23 10:52:27 S4 named[2162]: validating @0x7eff24296b50: 
>> choices.truste.com A: no valid signature found
>>
>> If you have 'dnssec-validation yes;' in 'named.conf.options', change 
>> it to 'dnssec-validation auto;'
>>
>> Your main problem has been reported before, not sure if a fix was 
>> found, can I suggest you upgrade to the latest Sernet 4.2 package 
>> (4.2.12), this may contain a fix. If it doesn't, can you post the 
>> smb.conf from the DCs, also both resolv.conf files, raise the log 
>> level to 10 and see if anything else pops out.
>>
>> Rowland
>>
> Hello Rowland,
> in named.conf.options, dnssec-validation is already set to auto.
> OK, I put syslog = 10 in smb.conf and will tell you if I get more details.
>
> I prefer not trying to upgrade, the servers are in production.
>
> here are the files:
>
> S4bis smb.conf file:
> # Global parameters
> [global]
>         workgroup = ARIANE
>         realm = ariane.intra
>         netbios name = S4BIS
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>
>         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>         sdb:schema update allowed = no
>
>         ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>        idmap_ldb:use rfc2307 = yes
>
>         idmap config * :backend = tdb
>         idmap config * :range = 2000-9999
>         idmap config ARIANE : backend = ad
>         idmap config ARIANE : range = 10000-3999999
>
>         #when using idmap backend RID enable these
>          #template shell = /bin/sh
>         template homedir = /home/users/%ACCOUNTNAME%
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind max clients = 800
>
>         interfaces = 127.0.0.1 172.20.2.3
>         bind interfaces only = yes
>         time server = yes
>         wins support = yes
>
>         # Disable printing completely
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>  kerberos method = system keytab
>  client ldap sasl wrapping = sign
>  allow dns updates = secure
>  nsupdate command =  /usr/bin/nsupdate -g
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> S4bis resolv.conf file:
> search ariane.intra
> nameserver 172.20.2.2
> nameserver 172.20.2.3
>
> S4 smb.conf file:
> # Global parameters
> [global]
>         workgroup = ARIANE
>         realm = ariane.intra
>         netbios name = S4
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>
>         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
>         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
>         sdb:schema update allowed = no
>
>         ## Dont forget to set the idmap_ldb on ALL DC's if you use it
>        idmap_ldb:use rfc2307 = yes
>
>         idmap config * :backend = tdb
>         idmap config * :range = 2000-9999
>         idmap config ARIANE : backend = ad
>         idmap config ARIANE : range = 10000-3999999
>
>         #when using idmap backend RID enable these
>          #template shell = /bin/sh
>         template homedir = /home/users/%ACCOUNTNAME%
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind max clients = 800
>
>         interfaces = 127.0.0.1 172.20.2.2
>         bind interfaces only = yes
>         time server = yes
>         wins support = yes
>
>         # Disable printing completely
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>  kerberos method = system keytab
>  client ldap sasl wrapping = sign
>  allow dns updates = secure
>  nsupdate command =  /usr/bin/nsupdate -g
>
> syslog = 10
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> S4bis resolv.conf file:
> search ariane.intra
> nameserver 172.20.2.3
> nameserver 172.20.2.2
>
> Thank you!
> Sam


OK, you have a few lines in smb.conf that do nothing or are defaults:

These do nothing on an AD DC:

         idmap config * :backend = tdb
         idmap config * :range = 2000-9999
         idmap config ARIANE : backend = ad
         idmap config ARIANE : range = 10000-3999999

You only need this when it is set to 'yes':

         ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
         ## ONLY DONE ONES ON THE DC WITH THE FSMO Roles
         sdb:schema update allowed = no

These are default lines:

         winbind trusted domains only = no
         client ldap sasl wrapping = sign
         nsupdate command = /usr/bin/nsupdate -g
         allow dns updates = secure

Note: the last one is actually 'secure only' and that is the default.

Your resolv.conf files seem to be wrong, each DC should point to the 
other first and then themselves.

As for upgrading, this is of course your decision, but I should point 
out that there was a major security update recently and the Samba 
version you are running is liable to a possible MITM attack.

Rowland
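A small checker, added here as an example and not part of the thread, that applies the two points above to constructed sample files: it parses the [global] section of an smb.conf, flags the lines the reply calls no-ops or defaults on an AD DC, and checks that resolv.conf lists the other DC before the host itself. The smb.conf and resolv.conf contents are constructed from the thread, and the default-value table is taken from the reply, not from Samba's documentation.

```python
import re

# Constructed smb.conf fragment modelled on the S4 file in the thread.
SMB_CONF = """\
[global]
        workgroup = ARIANE
        server role = active directory domain controller
        idmap config * :backend = tdb
        idmap config * :range = 2000-9999
        idmap config ARIANE : backend = ad
        sdb:schema update allowed = no
        winbind trusted domains only = no
 client ldap sasl wrapping = sign
 nsupdate command =  /usr/bin/nsupdate -g
        interfaces = 127.0.0.1 172.20.2.2
"""
# Constructed resolv.conf for the same host, listing itself first (the mistake).
RESOLV_CONF = "search ariane.intra\nnameserver 172.20.2.2\nnameserver 172.20.2.3\n"

# Settings the reply identifies as no-ops on an AD DC or as restating defaults.
NOOP_ON_DC = re.compile(r"^idmap config ")
DEFAULTS = {"sdb:schema update allowed": "no", "winbind trusted domains only": "no",
            "client ldap sasl wrapping": "sign", "nsupdate command": "/usr/bin/nsupdate -g"}

def normalize(key):
    """Collapse spacing so 'idmap config ARIANE : backend' and 'idmap config ARIANE:backend' match."""
    return re.sub(r"\s*:\s*", ":", " ".join(key.split())).lower()

def parse_global(text):
    """Return {normalized key: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[normalize(key)] = " ".join(value.split())
    return params

def redundant_lines(params):
    """Keys that do nothing on an AD DC or merely restate the default."""
    return sorted(k for k, v in params.items() if NOOP_ON_DC.match(k) or DEFAULTS.get(k) == v)

def resolv_order_ok(resolv_text, own_ips):
    """True when the first nameserver is the other DC, not this host."""
    servers = [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]
    return bool(servers) and servers[0] not in own_ips

params = parse_global(SMB_CONF)
own_ips = set(params.get("interfaces", "").split()) - {"127.0.0.1"}
print("redundant:", redundant_lines(params))
print("resolv.conf order ok:", resolv_order_ok(RESOLV_CONF, own_ips))
```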
