[Samba] Problems with winbind cache

Rowland Penny rpenny at samba.org
Fri Feb 3 13:57:09 UTC 2017


On Fri, 3 Feb 2017 13:20:55 +0000
Roger Lovato via samba <samba at lists.samba.org> wrote:

> Hi guys!!
> 
> 
> I'm facing a problem with Samba 4 + winbind that I have spent some days
> trying to solve without success, and I'd appreciate any help.
> 
> 
> I compiled Samba 4 myself and apparently everything is working fine. I
> installed Samba on six distributed servers at remote branch offices,
> and all users, groups, DNS and other components are replicating
> successfully.
> 
> 
> But last week I saw that the winbind cache was not being updated, and
> when I try to get users and groups with the getent command, new
> members are not shown.
> 
> 
> I tried some tricks and tips that I found on several websites and
> forums, but nothing is working. Yesterday I tried to flush the winbind
> cache with the command:
> 
> 
> net cache flush
> 
> 
> The whole winbind cache has been erased, but it is not updated, and now
> I don't get any users or groups when I query with the getent command.
> 
> 
> I read in the winbind manual that when I restart the daemon, the whole
> cache is erased and updated, but this does not happen. I have not found
> where winbind saves its cache!
> 
> 
> My wbinfo lists correctly:
> 
> 
> # wbinfo -u
> LOVATO\rafael
> LOVATO\xl.teste
> LOVATO\dns-movd-gcp-007
> LOVATO\dns-movd-mgf-001
> LOVATO\dns-movd-gcp-006
> LOVATO\administrator
> LOVATO\xl.teste1
> LOVATO\squid
> LOVATO\krbtgt
> LOVATO\guest
> LOVATO\roger
> 
> 
> wbinfo -g
> LOVATO\cert publishers
> LOVATO\ras and ias servers
> LOVATO\allowed rodc password replication group
> LOVATO\denied rodc password replication group
> LOVATO\dnsadmins
> LOVATO\enterprise read-only domain controllers
> LOVATO\domain admins
> LOVATO\domain users
> LOVATO\domain guests
> LOVATO\domain computers
> LOVATO\domain controllers
> LOVATO\schema admins
> LOVATO\enterprise admins
> LOVATO\group policy creator owners
> LOVATO\read-only domain controllers
> LOVATO\dnsupdateproxy
> LOVATO\teste
> LOVATO\proxynivel1
> LOVATO\proxynivel2
> LOVATO\proxynivel3
> 
> 
> My smb.conf
> 
> 
> [global]
>   workgroup = LOVATO
>   realm = LOVATO.INTRANET
>   netbios name = LVT-006
>   server role = active directory domain controller
>   passdb backend = samba_dsdb
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
>   rpc_server:tcpip = no
>   rpc_daemon:spoolssd = embedded
>   rpc_server:spoolss = embedded
>   rpc_server:winreg = embedded
>   rpc_server:ntsvcs = embedded
>   rpc_server:eventlog = embedded
>   rpc_server:srvsvc = embedded
>   rpc_server:svcctl = embedded
>   rpc_server:default = external
>   #IDMAP
>   idmap_ldb:use rfc2307 = yes
>   idmap config * : backend = tdb
>   idmap config *:range = 70001-80000
>   idmap config LOVATO:backend = ad
>   idmap config LOVATO:schema_mode = rfc2307
>   idmap config LOVATO:range = 500-40000
>   #WINBIND
>   winbind nss info = rfc2307
>   winbind trusted domains only = no
>   winbind use default domain = yes
>   winbind enum users  = yes
>   winbind enum groups = yes
>   winbind cache time = 10
>   winbind refresh tickets = yes
>   map archive = No
>   map readonly = no
>   store dos attributes = Yes
>   vfs objects = dfs_samba4, acl_xattr
>   template shell = /bin/bash
>   #DESABILITANDO AS IMPRESSORAS
>   printcap name = /dev/null
>     printcap name = /dev/null
>   load printers = no
>   disable spoolss = yes
>   disable spoolss = yes
>   printing = bsd
>   ### LOGS
>   log file = /var/log/samba/smbd.log
>   max log size = 50
>   log level = 10
>   vfs objects = recycle full_audit
>   ### LIXEIRA
>   recycle:repository = Lixeira
>   recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
>   recycle:keeptree = yes
>   full_audit:success = rmdir mkdir open write rename unlink
>   full_audit:failure = rmdir mkdir open write rename unlink
>   full_audit:prefix = %U|%I|%m|%S
>   full_audit:failure = none
>   full_audit:facility = local5
>   full_audit:priority = notice
>   veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
>   delete veto files = yes
>   dos filemode = yes
> 
> [netlogon]
>   path = /usr/local/samba/var/locks/sysvol/lovato.intranet/scripts
>   read only = No
> 
> [sysvol]
>   path = /usr/local/samba/var/locks/sysvol
>   read only = No
> 
> 
> My krb5.conf
> 
> 
> [logging]
>      default = FILE:/var/log/krb5libs.log
>      kdc = FILE:/var/log/krb5kdc.log
>      admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>         default_realm = LOVATO.INTRANET
>         dns_lookup_realm = true
>         dns_lookup_kdc = true
>         ticket_lifetime = 24h
>         forwardable = yes
> 
> [realm]
>         LOVATO.INTRANET = {
>                 kdc = lvt-006.lovato.intranet:88
>                 default_domain = lovato.intranet
> }
> 
> [domain_realm]
>         .lovato.intranet = LOVATO.INTRANET
>         lovato.intranet = LOVATO.INTRANET
> 
> [appdefaults]
>      pam = {
>           debug = false
>           ticket_lifetime = 36000
>           renew_lifetime = 36000
>           forwardable = true
>           krb4_convert = false
>      }
> 
> 
> My nsswitch.conf
> 
> 
> passwd:     files sss winbind
> shadow:     files sss
> group:      files sss winbind
> 
> 

First, remove ALL these lines from the DC smb.conf; they either
shouldn't be there or are default settings:

  passdb backend = samba_dsdb
  idmap config * : backend = tdb
  idmap config *:range = 70001-80000
  idmap config LOVATO:backend = ad
  idmap config LOVATO:schema_mode = rfc2307
  idmap config LOVATO:range = 500-40000
  vfs objects = dfs_samba4, acl_xattr
  winbind use default domain = yes
  winbind nss info = rfc2307
  winbind trusted domains only = no
  winbind cache time = 10
  winbind refresh tickets = yes
  map archive = No
  map readonly = no
  store dos attributes = Yes
  dos filemode = yes

Change /etc/krb5.conf to:

[libdefaults]
        default_realm = LOVATO.INTRANET
        dns_lookup_realm = false
        dns_lookup_kdc = true

Finally, you are NOT using winbind!!

Change /etc/nsswitch to:

passwd:     files winbind
shadow:     files
group:      files winbind

You will then be using winbind.

Just a note: running 'wbinfo -u' or 'wbinfo -g' is pretty meaningless
on a Unix machine; it just shows the users are in AD. You need to run
'getent passwd USERNAME' and receive an output to know it is working.

Rowland
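The reply's two checks (is winbind really in the NSS lookup path, and does getent resolve a user) can be scripted. The following is an added example, not code from the thread or from the Samba project: it reads the passwd and group lines of an nsswitch.conf, reports whether winbind is listed and whether sss is queried ahead of it, and wraps the getent check in a function. The two sample files are constructed copies of the nsswitch.conf posted above and of the corrected version from the reply; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project:
# audit which NSS sources serve the passwd and group databases and
# report whether winbind is actually in the lookup path.
# The two sample files below are constructed copies of the nsswitch.conf
# posted in the thread and of the corrected version from the reply.

# Print the source list for database DB (passwd or group) from FILE,
# with any trailing comment stripped; empty output if DB is not listed.
nss_sources() {
    db="$1"; file="$2"
    sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" "$file" | sed 's/#.*//' | head -n 1
}

# Return 0 if DB in FILE lists winbind as a source, 1 otherwise.
nss_has_winbind() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "winbind" ] && return 0
    done
    return 1
}

# Audit FILE: return 0 only when passwd and group both go to winbind and
# no sss entry is queried ahead of it. Findings are printed one per line.
nss_audit() {
    file="$1"; rc=0
    for db in passwd group; do
        srcs=$(nss_sources "$db" "$file")
        if ! nss_has_winbind "$db" "$file"; then
            echo "$db: winbind is not a source (sources: ${srcs:-none})"
            rc=1
        fi
        case " $srcs " in
            *" sss "*)
                echo "$db: sss is queried before winbind; if sssd answers, winbind never sees the lookup"
                rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "ok: passwd and group are served by files + winbind"
    return "$rc"
}

# Live check from the reply: a Unix login is only usable when getent
# returns a passwd entry for it (wbinfo -u alone proves nothing).
# Not exercised below because it needs a running winbindd.
check_getent() {
    getent passwd "$1" >/dev/null 2>&1
}

# Constructed samples (temporary files, removed on exit).
BROKEN=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT
printf 'passwd:     files sss winbind\nshadow:     files sss\ngroup:      files sss winbind\n' > "$BROKEN"
printf 'passwd:     files winbind\nshadow:     files\ngroup:      files winbind\n' > "$GOOD"

echo "== posted nsswitch.conf =="; nss_audit "$BROKEN"
echo "== corrected nsswitch.conf =="; nss_audit "$GOOD"
```

Run it against a real file with `nss_audit /etc/nsswitch.conf`, then `check_getent USERNAME` on the DC to confirm that winbind, rather than another NSS module, is the one handing the account to the system.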
