[Samba] Samba 4.6.2 member server errors

me at tdiehl.org
Mon Oct 23 17:56:27 UTC 2017


On Fri, 20 Oct 2017, Rowland Penny via samba wrote:

> On Fri, 20 Oct 2017 17:00:01 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
>>> It seems to be treating computers as users (I could be barking up
>>> the wrong tree here), can you post the contents
>>> of /etc/hosts, /etc/hostname, /etc/resolv.conf
>>> and /etc/nsswitch.conf from the domain member
>>
>> Here you go:
>>
>> # cat /etc/resolv.conf
>> search kmg.mydomain.com mydomain.com
>> nameserver 172.30.0.7
>> nameserver 10.224.135.7
>>
>
> I would remove 'mydomain.com' from the search line.

Done

> I also take it that '10.224.135.7' is a DC in the 'kmg.mydomain.com',
> if it isn't, remove this nameserver.

Yes, 10.224.135.7 is a DC.

>
>>
>> The 2 name server ip addresses are the 2 dc's.
>>
>> # cat /etc/hosts
>>
>> 127.0.0.1    localhost localhost.localdomain
>> 172.30.0.8    vfs1.kmg.mydomain.com vfs1
>
> I would remove 'localhost.localdomain', there is no such thing as
> 'localdomain'

Done

>
>>
>>
>> # cat /etc/hostname
>> vfs1.kmg.mydomain.com
>
> The hostname should just be 'vfs1', it shouldn't be the FQDN.
>
>>
>> # cat /etc/nsswitch.conf
>> passwd:     files winbind
>> shadow:     files
>> group:      files winbind
>>
>> hosts:      files dns myhostname
>
> I would remove 'myhostname'

Done

>
>>
>> bootparams: nisplus [NOTFOUND=return] files
>> ethers:     files
>> netmasks:   files
>> networks:   files
>> protocols:  files
>> rpc:        files
>> services:   files sss
>>
>> netgroup:   files sss
>>
>> publickey:  nisplus
>>
>> automount:  files
>> aliases:    files nisplus
>>
>
> I would remove the two 'sss' instances

Done

I did net cache flush and rebooted. No change. Still getting the Kerberos
errors and winbind not going to sleep when no one is in the office.

I am wondering if I were to remove the member server from the domain, delete
the tdb and ldb databases and then rejoin the domain if that would help.

Is there a db that tracks the Kerberos information that I could reset?

Besides the added work and the downtime, is there a downside to doing this?
If I understand correctly all of the important information is stored in
the DCs. Is this correct?

I have the following in the smb.conf on the member servers:

idmap config * : backend = tdb 
idmap config * : range = 3000-7999

idmap config KMG:backend = ad 
idmap config KMG:schema_mode = rfc2307 
idmap config KMG:unix_nss_info = yes 
idmap config KMG:range = 10000-999999

Any other suggestions?

Regards,

-- 
Tom			me at tdiehl.org
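
An added example, not part of the original message: a shell function that reports where the four files still differ from the suggestions in the quoted reply. The function name, its arguments and the demo tree are assumptions, and flagging every search domain other than the AD DNS domain generalizes the single 'mydomain.com' case from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). audit_member_files is a hypothetical name.
#   $1 = directory holding an etc/ tree (use / for the live system)
#   $2 = DNS domain of the AD domain, e.g. kmg.mydomain.com
audit_member_files() {
    root=$1
    domain=$2

    # /etc/hostname: short name, not the FQDN.
    name=$(head -n 1 "$root/etc/hostname")
    case $name in
        *.*) echo "hostname: '$name' is an FQDN, use '${name%%.*}'" ;;
    esac

    # /etc/hosts: no 'localhost.localdomain' alias.
    awk '!/^[ \t]*#/ {
        for (i = 2; i <= NF; i++)
            if ($i == "localhost.localdomain")
                print "hosts: remove localhost.localdomain"
    }' "$root/etc/hosts"

    # /etc/resolv.conf: assumption, only the AD DNS domain belongs in 'search'.
    awk -v d="$domain" '$1 == "search" {
        for (i = 2; i <= NF; i++)
            if ($i != d) print "resolv.conf: remove search domain " $i
    }' "$root/etc/resolv.conf"

    # /etc/nsswitch.conf: no sss anywhere, no myhostname on the hosts line.
    awk '!/^[ \t]*#/ && $1 ~ /:$/ {
        db = $1; sub(/:$/, "", db)
        for (i = 2; i <= NF; i++) {
            if ($i == "sss") print "nsswitch.conf: remove sss from " db
            if (db == "hosts" && $i == "myhostname")
                print "nsswitch.conf: remove myhostname from hosts"
        }
    }' "$root/etc/nsswitch.conf"
}

# Demo on a constructed tree modelled on the files as first posted.
demo=$(mktemp -d)
mkdir "$demo/etc"
echo 'vfs1.kmg.mydomain.com' > "$demo/etc/hostname"
printf '127.0.0.1 localhost localhost.localdomain\n' > "$demo/etc/hosts"
printf 'search kmg.mydomain.com mydomain.com\n' > "$demo/etc/resolv.conf"
printf 'hosts: files dns myhostname\nservices: files sss\n' > "$demo/etc/nsswitch.conf"
audit_member_files "$demo" kmg.mydomain.com
rm -rf "$demo"
```

No output means the files already match the suggestions; that only confirms the edits were made, not that they address the errors described above.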


