[Samba] Domain member?
Joachim Lindenberg
samba at lindenberg.one
Tue Oct 26 09:59:29 UTC 2021
Hello Louis,
sure. I know I configured /etc/resolv.conf during join, pointing to a DC manually. Is the local resolver the culprit?
Thanks,
Joachim
root at le:/tmp# cat samba-debug-info.txt
Collected config --- 2021-10-26-09:12 -----------
Hostname: le
DNS Domain: samba.lindenberg.one
FQDN: le.samba.lindenberg.one
ipaddress: 192.168.176.9
-----------
Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample output:
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 boa.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 mamba.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 cobra.samba.lindenberg.one.
Authoritative answers can be found from:
Samba is running as a Unix domain member
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
-----------
This computer is running Ubuntu 20.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
inet6 fe80::215:5dff:feb1:c70/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
192.168.176.9 le.samba.lindenberg.one le
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search samba.lindenberg.one
-----------
systemd stub resolver detected, running command : systemd-resolve --status
-----------
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (eth0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.177.19
DNS Servers: 192.168.177.18
192.168.177.19
DNS Domain: samba.lindenberg.one
-------resolv.conf end----
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMBA.LINDENBERG.ONE
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = LE
realm = SAMBA.LINDENBERG.ONE
workgroup = SAMBA
security = ADS
# dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
# idmap_ldb:use rfc2307 = yes
disable netbios = yes
smb encrypt = mandatory
kerberos method = secrets and keytab
# winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-6 amd64 access control list - utilities
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2ubuntu1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba winbind client library
ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.14.8+dfsg-0.1focal1 amd64 Python 3 bindings for Samba
ii samba 2:4.14.8+dfsg-0.1focal1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.14.8+dfsg-0.1focal1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.14.8+dfsg-0.1focal1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.14.8+dfsg-0.1focal1 amd64 service to resolve user and group information from Windows NT servers
-----------
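One check that could be run against the smb.conf shown above before re-joining, written as an added example (not Samba's own code and not part of the debug-collection script): it parses the [global] section and reports the 'idmap config' lines Rowland asks for in the quoted reply, assuming the default-domain/joined-domain backend-and-range pairs documented on the Samba wiki.

```python
"""Check a domain member's smb.conf [global] for the settings this thread turns
on: security = ADS, realm, workgroup and the 'idmap config' lines. Added example."""
import re

def parse_global(text):
    """[global] parameters with names lower-cased and whitespace normalised."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            name = re.sub(r"\s*:\s*", ":", " ".join(name.lower().split()))
            params[name] = value.strip()
    return params

def check_member(conf):
    """Return the problems found; an empty list means the idmap setup is usable."""
    g, problems, ranges = parse_global(conf), [], {}
    if g.get("security", "").lower() != "ads":
        problems.append("security must be ADS on a domain member")
    for req in ("realm", "workgroup"):
        if not g.get(req):
            problems.append(f"{req} is not set")
    # The '*' default domain and the joined domain each need a backend and a range.
    for dom in [d for d in ("*", g.get("workgroup", "").lower()) if d]:
        if f"idmap config {dom}:backend" not in g:
            problems.append(f"missing 'idmap config {dom} : backend'")
        rng = g.get(f"idmap config {dom}:range")
        if rng is None:
            problems.append(f"missing 'idmap config {dom} : range'")
        else:
            ranges[dom] = tuple(int(x) for x in rng.split("-"))
    # The two ranges must not overlap, or IDs allocated to the domains collide.
    if len(ranges) == 2:
        (a_lo, a_hi), (b_lo, b_hi) = ranges.values()
        if a_lo <= b_hi and b_lo <= a_hi:
            problems.append("idmap ranges for '*' and the domain overlap")
    return problems

# The poster's [global] section condensed from the thread, as stand-alone input.
POSTED_CONF = """[global]
    realm = SAMBA.LINDENBERG.ONE
    workgroup = SAMBA
    security = ADS
"""
```

Running `check_member(POSTED_CONF)` lists the four missing idmap lines; adding a `tdb` backend for `*` and a `rid` backend for the domain with non-overlapping ranges clears them.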
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of L.P.H. van Belle via samba
Sent: Tuesday, 26 October 2021 09:37
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member?
This is something in your setup.
Can you run this one and post the output.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If needed, anonymize where needed.
Greetz,
Louis
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Joachim
> Lindenberg via samba
> Sent: Tuesday, 26 October 2021 8:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> Hello Rowland,
> I read
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> and I specifically read "If your users will only use the Samba
> AD DC for authentication and will not store data on it or log into it,
> you can use the winbind 'rid' backend, this calculates the user
> and group IDs from the Windows RID, if you use the same [global]
> section of the smb.conf on every Unix domain member, you will get the
> same IDs." - that's the reason I started with a smb.conf of a DC and
> removed stuff that was apparently irrelevant. Is this section of
> documentation also wrong?
>
> > sudo dpkg -l winbind
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version                 Architecture Description
> +++-==============-=======================-============-=======================================>
> ii  winbind        2:4.14.8+dfsg-0.1focal1 amd64        service to resolve user and group information>
>
> In fact winbind is running after yet another system restart, i.e. it
> looks like some initialization issue during or after installation.
> However it reports:
> Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:46 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:52 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:26:32 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
>
> On the right: gse_get_client_auth_token: gss_init_sec_context failed
> with [ Miscellaneous failure (see text): Client
> (LE$@SAMBA.LINDENBERG.ONE) unknown]
>
> I searched for that error, but only found M$ or ancient stuff...
> Thanks, Joachim
>
>
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland
> Penny via samba
> Sent: Monday, 25 October 2021 22:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:
> > > How did you join the domain ?
> > I joined using net ads join -U Joachim (which happens to be domain
> > admin). No error (after fixing a hostname setup issue).
>
> OK.
>
> >
> > > The line above is only used on a DC
> > I excerpted this from an existing DC. Removed it. No change.
> > Is there a consistency check I can run?
>
> Yes, but you probably don't need it (more on this later)
>
> >
> > > Are you using sssd ?
> > I don't (yet) know what sssd is about.
>
> As this is Ubuntu, you may have it installed.
> You can check with:
> sudo dpkg -l winbind
>
> The last line will look like this if it isn't installed:
>
> un  sssd  <none>  <none>  (no description available)
>
> >
> > > Have you installed winbind ?
> > I followed
> > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu
> > and yes, winbind is installed.
> >
> > > You have only stopped Samba using nmbd, you need to stop
> > > it and then disable it.
> > I didn't enable it at all. Some magic? If smb.conf asks for no
> > netbios, shouldn't the process exit?
>
> Debian based distros start packages when they are installed, so no
> magic is involved.
>
> I suggest you go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and one of these:
> https://wiki.samba.org/index.php/Idmap_config_ad
> https://wiki.samba.org/index.php/Idmap_config_rid
> https://wiki.samba.org/index.php/Idmap_config_autorid
>
> You need to add 'idmap config' lines to your smb.conf (if you don't
> know what they are, you will once you have read the above wiki pages).
> You also need to find out why 'systemctl start winbind' doesn't work.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba