[Samba] potential machine account expiry question

Jason Keltz jas at eecs.yorku.ca
Tue Nov 2 17:31:23 UTC 2021


On 11/2/2021 1:24 PM, Rowland Penny via samba wrote:

> On Tue, 2021-11-02 at 12:57 -0400, Jason Keltz via samba wrote:
>> On 11/2/2021 10:54 AM, Rowland Penny via samba wrote:
>>
>>> On Tue, 2021-11-02 at 15:31 +0100, L.P.H. van Belle via samba
>>> wrote:
>>>> Keep in mind, if you use SSSD with my packages, you MUST
>>>> recompile
>>>> SSSD
>>>>
>>> The OP never mentioned sssd.
>>> I have just started a Unix domain member that hadn't run since
>>> January
>>> and it worked for myself.
>>> This could be just misconfiguration, so it might help if the OP
>>> posted
>>> a smb.conf from one of the machines that isn't working.
>>>
>>> Rowland
>>>
>> Hi Rowland,
>>
>> Thanks for clarifying - you are correct that I am not using SSSD at
>> all.
>>
>> I'm more than happy to share my smb.conf with you.  I removed
>> comments
>> to make it smaller.  The same file is used by every single Linux
>> machine
>> in the domain - working and not working, and only the ones that have
>> been off for awhile have the problem...
>>
>> [global]
>> workgroup = MYCOMPANY
>> security = ADS
>> realm = AD.MY.COMPANY.COM
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> idmap config * : backend = tdb
>> idmap config * : range = 1000000-1999999
>> idmap config MYCOMPANY : backend = ad
>> idmap config MYCOMPANY: schema_mode = rfc2307
>> idmap config MYCOMPANY: range = 1000-999999
>> idmap config MYCOMPANY: unix_primary_group = yes
>> idmap config MYWORKGROUP: unix_nss_info = yes
> I do hope that 'MYWORKGROUP' is a typo.
>
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>> winbind enum users  = no
>> winbind enum groups = no
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>> template shell = /bin/bash
>> template homedir = /eecs/home/%U
>> debug timestamp = yes
>> debug uid = yes
>> debug pid = yes
>> debug level = 1
>> max log size = 0
>>
>> ----
>>
>> Any thoughts on commands I might try to see my domain join status?
> That's easy, run 'net ads testjoin' , it should return 'Join is OK'
>
>> As I
>> mentioned, wbinfo -u and wbinfo -g are working
> They go direct to AD
>
>> , but getent passwd is
>> failing...
> They go via linux
>
>> (same kerberos config, same /etc/nsswitch.conf, etc. on every host).
> This is weird, as I said, I started up a VM that was last started in
> January and it worked, the only real difference was that used 'rid' and
> you use 'ad'. Could it be that winbind isn't starting early enough, or
> not starting at all ?

Weird indeed, but we now have a solution... so fortunately I can see 
that the problem is not related to machine account expiry after all.

Something deleted our symlink /lib64/libnss_winbind.so.2 to 
/opt/samba/lib/libnss_winbind.so.2 :(  Hmm... putting it back, and 
things are back to working again.

Putting on my investigator's hat...

Jason.
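The thread ends up distinguishing two layers: `wbinfo -u` talks to winbind (and on to AD) directly, while `getent passwd` goes through glibc's NSS, which needs both a `winbind` entry in `/etc/nsswitch.conf` and a loadable `libnss_winbind.so.2`. The root cause here was a dangling symlink to the module under `/opt/samba/lib`. The script below is an added example, not something posted in the thread: it checks those two preconditions on a given tree so the NSS layer can be ruled in or out before anyone chases machine-account expiry. The library directory and nsswitch path are parameters; the fixture it builds in the `demo` function is constructed, and it deliberately does not run `net ads testjoin`, `wbinfo` or `getent`, which need a joined host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Checks the two things that
# must hold for 'getent passwd' to reach winbind: nsswitch.conf routes the
# passwd and group databases through winbind, and the libnss_winbind.so.2
# that glibc dlopen()s exists and, if it is a symlink, still resolves.

# Print "ok" if the given nsswitch file lists winbind as a source for both the
# passwd and group databases; otherwise print the first database that lacks it.
# Comments are stripped first so a commented-out 'winbind' does not count.
nss_routes_to_winbind() {
    nsswitch="$1"
    for db in passwd group; do
        if ! sed 's/#.*//' "$nsswitch" | grep -E "^[[:space:]]*$db:" | grep -qw winbind; then
            echo "$db"
            return 1
        fi
    done
    echo "ok"
}

# Classify the module glibc would load from the given library directory:
#   dangling  - a symlink whose target no longer exists (the failure in the thread)
#   missing   - no file or link at all
#   ok        - a regular file or a symlink that resolves
classify_nss_module() {
    module="$1/libnss_winbind.so.2"
    if [ -L "$module" ] && [ ! -e "$module" ]; then
        echo "dangling"   # -L is true but -e follows the link and finds nothing
    elif [ ! -e "$module" ]; then
        echo "missing"
    else
        echo "ok"
    fi
}

# Constructed fixture: a module installed under a Samba prefix, one good
# symlink to it and one dangling symlink, plus a sample nsswitch.conf.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/opt/samba/lib" "$tmp/good-lib64" "$tmp/bad-lib64"
    : > "$tmp/opt/samba/lib/libnss_winbind.so.2"
    ln -s "$tmp/opt/samba/lib/libnss_winbind.so.2" "$tmp/good-lib64/libnss_winbind.so.2"
    ln -s "$tmp/opt/samba/lib/libnss_winbind.so.2.removed" "$tmp/bad-lib64/libnss_winbind.so.2"
    printf 'passwd: files winbind\ngroup:  files winbind\nhosts:  files dns\n' > "$tmp/nsswitch.conf"

    echo "nsswitch.conf: $(nss_routes_to_winbind "$tmp/nsswitch.conf")"
    echo "good lib dir:  $(classify_nss_module "$tmp/good-lib64")"
    echo "bad lib dir:   $(classify_nss_module "$tmp/bad-lib64")"
    rm -rf "$tmp"
}

demo
```

On a real host the calls would be `nss_routes_to_winbind /etc/nsswitch.conf` and `classify_nss_module /lib64`; a "dangling" result there matches exactly the state described above, where `wbinfo` works but `getent` does not.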