[Samba] Samba loose the user forward as member Server
Rylan Merritt
rylanmrrtt5 at gmail.com
Wed Sep 21 16:35:53 UTC 2016
Hi,
Is your replication between your PDC and your member server working?
You can run "samba-tool drs showrepl", which should help you determine
if the replication is functioning correctly.
Here is a related link to the Samba wiki that may help :-)
https://wiki.samba.org/index.php/Samba_AD_DC_Troubleshooting
Best Regards,
- Rylan
On Wed, Sep 21, 2016 at 2:32 AM, admins aixtema via samba
<samba at lists.samba.org> wrote:
> Hi,
> I am at the end of my knowledge.
> Our PDC works fine, all users can access the Samba shares, Windows logins are
> working, all fine.
>
> But our Member Server makes me ($=%§=(%(§=.
>
> When I join the domain all is fine and all shares are working
>
> net rpc join -S DOMAINSERVER -U Administrator
> Using short domain name -- DOMAIN
> Joined 'SERVER1' to domain 'DOMAIN'
>
> net rpc testjoin -S DOMAINSERVER -U ADMINISTRATOR
> Join to 'DOMAIN' is OK
>
> but after some time, mostly overnight, the user forward to the PDC won't work
> anymore
>
> [2016/08/31 08:29:14.347232, 2]
> ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
> Returning domain sid for domain DOMAIN ->
> S-1-5-21-1978212312-4363474585695-122580615
> [2016/08/31 08:27:51.706586, 2]
> ../source3/lib/smbldap.c:794(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2016/08/31 08:27:51.707693, 2]
> ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: isso-dev-back$
> [2016/08/31 08:27:51.709160, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for isso-dev-back$
> [2016/08/31 08:27:51.710181, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for isso-dev-back$
> [2016/08/31 08:27:51.711121, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for isso-dev-back$
> [2016/08/31 08:27:51.711919, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for isso-dev-back$
> [2016/08/31 08:27:51.712797, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for isso-dev-back$
> [2016/08/31 08:27:51.717828, 2]
> ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: proggi4$
> [2016/08/31 08:27:51.718747, 0]
> ../source3/passdb/lookup_sid.c:1556(get_primary_group_sid)
> Failed to find a Unix account for proggi4$
> [2016/08/31 08:27:51.719473, 1]
> ../source3/auth/server_info_sam.c:85(make_server_info_sam)
> User proggi4$ in passdb, but getpwnam() fails!
> [2016/08/31 08:27:51.719513, 0]
> ../source3/auth/check_samsec.c:494(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2016/08/31 08:27:51.719549, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2016/08/31 08:29:28.291279, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [PC1$] -> [PC1$] FAILED
> with error NT_STATUS_NO_SUCH_USER
>
> the only thing that then works is to rejoin the domain
> net rpc join -S DOMAINSERVER -U Administrator
> after that all shares work again, but that is not a solution to work with.
>
> smbclient -L \\memberserver -N
> Anonymous login successful
> Domain=[DOMAIn] OS=[Windows 6.1] Server=[Samba 4.5.0]
>
> Sharename Type Comment
> --------- ---- -------
> dev Disk Develop
> IPC$ IPC IPC Service (Samba Server Version 4.5.0)
>
> gives this and after around 1 min it stops
>
> after domain join
> Domain=[GALAXY] OS=[Windows 6.1] Server=[Samba 4.5.0]
>
> Sharename Type Comment
> --------- ---- -------
> dev Disk dev
> IPC$ IPC IPC Service (Samba Server Version 4.5.0)
> Anonymous login successful
> Domain=[DOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.0]
>
> Server Comment
> --------- -------
> MEMBERSERVER Samba Server Version 4.5.0
> DOMAIN DOMAIN
>
> Workgroup Master
> --------- -------
> DOMAIN PDC
>
> and all works fine
>
>
> Does any of you have an idea what is wrong?
> The last idea I have is to change from member server to standalone server
> but this is only a workaround, not a solution
>
> Systems (both Gentoo)
>
> PDC (NOT AD DC still old samba DC)
> net-fs/samba-4.2.12 USE="acl aio client cups fam gnutls ldap pam
> system-mitkrb5 systemd winbind -addc -addns -ads -avahi -cluster -dmapi
> -iprint -quota (-selinux) -syslog {-test}" ABI_X86="32 (64) (-x32)"
> PYTHON_TARGETS="python2_7"
>
> memberserver
> net-fs/samba-4.5.0::gentoo USE="acl client fam gnutls ldap pam
> system-mitkrb5 systemd -addc -addns -ads -avahi -cluster -cups -dmapi
> -iprint -quota (-selinux) -syslog {-test} -winbind" ABI_X86="32 (64) (-x32)"
> PYTHON_TARGETS="python2_7" 0 KiB
>
> Samba PDC 4.1.12
>
> [global]
> panic action = /usr/share/samba/panic-action %d
> dos charset = cp1255
> unix charset = utf-8
> workgroup = DOMAIN
> netbios name = HOSTNAME
> # interfaces = bond0 lo eth5
> interfaces = 192.168.1.2/24
> bind interfaces only = yes
> hosts allow = 192.168.1.
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=4096 SO_RCVBUF=4096
>
> # new from samba 3.6
> client ntlmv2 auth = yes
> #client use spnego principal = no
> #send spnego principal = no
>
> #max protocol = smb2
> ## required for Windows 10
> max protocol = NT1
>
> # use client driver = no
>
> # WINNT specific
> # security = domain
> # domain logins = yes
> server string = PHOENIX
> load printers = yes
> printing = cups
> printcap = cups
> syslog only = no
> syslog = 1
> log level = 2
> log file = /var/log/samba/log.%m
> max log size = 1000
> encrypt passwords = true
> # null passwords = no
> wins support = yes
> domain master = yes
> local master = yes
> # preferred master = yes
> enhanced browsing = yes
> browse list = yes
> name resolve order = lmhosts host wins bcast
> domain logons = yes
> os level = 64
> # Domain Config
> allow trusted domains = yes
> logon home = \\%L\homes
> logon drive = H:
> logon script = %U.bat
> logon path = \\%L\%U\profiles
> dns proxy = no
> preserve case = yes
> short preserve case = yes
>
> ## getpeername fails
> # use sendfile = no
> # large readwrite = no
> # max xmit = 16644
>
> # LDAP
> # ldap trust ids = Yes
> # ldapsam:trusted=yes
> ldap ssl = off
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=admin,o=company,c=de
> ldap suffix = ou=company,o=company,c=de
> ldap user suffix = ou=people
> ldap group suffix = ou=group
> ldap machine suffix = ou=computers
> idmap backend = ldap:ldap://127.0.0.1/
> ldap idmap suffix = ou=idMap
> idmap uid = 40000-50000
> idmap gid = 40000-50000
> ldap passwd sync = yes
> check password script = /sbin/crackcheck -c -d /usr/lib64/cracklib_dict
>
>
> MEMBER SERVER
> Samba 4.1.12 /.14 / 4.5.0
>
> [global]
>
> workgroup = DOMAIN
> realm = DOMAIN
> #netbios name = %h
> server string = Samba Server Version %v
> #security = user
> security = domain
> server role = member server
> ntlm auth = No
> log file = /var/log/samba/log.%m
> max log size = 50
> idmap config * : backend = tdb
> cups options = raw
> interfaces = 192.168.1.20/24
> hosts allow = 192.168.1.
> #wins support = Yes
>
>
> [dev]
> comment = dev
> browsable = yes
> writeable = yes
> public = yes
> read only = no
> valid users = USER
> # delete readonly = yes
> create mode = 0774
> directory mode = 0775
> create mode = 0774
> directory mode = 0775
> force create mode = 0600
> force group = USER
> path = /mnt/folder
>
>
> Best regards,
> René Fuchs
>
>
> --
> ***********************************************
> aixtema GmbH
> René Fuchs
> Philipsstr. 8, 52068 Aachen, Germany
> Tel.: +49 241 70515-1323, Fax: +49 241 70515-15
> mailto:r.fuchs at aixtema.de
>
> WWW: http://www.aixtema.de
> Shop: http://shop.aixtema.de
>
> Managing Director: Oliver Rossbruch
> HRB 8201, Amtsgericht Aachen
> VAT ID No. DE 210 906 744
> Tax No. 201/5942/3737, Finanzamt Aachen Stadt
> ***********************************************
>
>