[Samba] Domain member?

Joachim Lindenberg samba at lindenberg.one
Tue Oct 26 09:59:29 UTC 2021


Hello Louis,
Sure. I know I configured /etc/resolv.conf during join, pointing to a DC manually. Is the local resolver the culprit?
Thanks,
Joachim

root@le:/tmp# cat samba-debug-info.txt
Collected config  --- 2021-10-26-09:12 -----------

Hostname: le
DNS Domain: samba.lindenberg.one
FQDN: le.samba.lindenberg.one
ipaddress: 192.168.176.9

-----------

Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample output:
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
_kerberos._tcp.samba.lindenberg.one     service = 0 100 88 boa.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one     service = 0 100 88 mamba.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one     service = 0 100 88 cobra.samba.lindenberg.one.

Authoritative answers can be found from:
Samba is running as a Unix domain member
       Checking file: /etc/os-release

NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

-----------


This computer is running Ubuntu 20.04.3 LTS x86_64

-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
    inet6 fe80::215:5dff:feb1:c70/64 scope link

-----------
       Checking file: /etc/hosts

127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
192.168.176.9 le.samba.lindenberg.one le
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

-----------

       Checking file: /etc/resolv.conf

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search samba.lindenberg.one

-----------

systemd stub resolver detected, running command : systemd-resolve --status
-----------
Global
       LLMNR setting: no
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 2 (eth0)
      Current Scopes: DNS
DefaultRoute setting: yes
       LLMNR setting: yes
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 192.168.177.19
         DNS Servers: 192.168.177.18
                      192.168.177.19
          DNS Domain: samba.lindenberg.one

-------resolv.conf end----

       Checking file: /etc/krb5.conf

[libdefaults]
        default_realm = SAMBA.LINDENBERG.ONE
        dns_lookup_realm = false
        dns_lookup_kdc = true

-----------

       Checking file: /etc/nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files systemd winbind
group:          files systemd winbind
shadow:         files
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

-----------

       Checking file: /etc/samba/smb.conf

# Global parameters
[global]
        netbios name = LE
        realm = SAMBA.LINDENBERG.ONE
        workgroup = SAMBA
        security = ADS
#        dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
#        idmap_ldb:use rfc2307 = yes
        disable netbios = yes
        smb encrypt = mandatory
        kerberos method = secrets and keytab
#        winbind refresh tickets = yes
        template shell = /bin/bash
        template homedir = /home/%U
        winbind use default domain = yes

-----------

Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
    Warning, /etc/idmapd.conf does not exist

-----------


Installed packages:
ii  acl                                  2.2.53-6                              amd64        access control list - utilities
ii  attr                                 1:2.4.48-5                            amd64        utilities for manipulating filesystem extended attributes
ii  krb5-config                          2.6ubuntu1                            all          Configuration files for Kerberos Version 5
ii  krb5-locales                         1.17-6ubuntu4.1                       all          internationalization support for MIT Kerberos
ii  krb5-user                            1.17-6ubuntu4.1                       amd64        basic programs to authenticate using MIT Kerberos
ii  libacl1:amd64                        2.2.53-6                              amd64        access control list - shared library
ii  libattr1:amd64                       1:2.4.48-5                            amd64        extended attribute handling - shared library
ii  libgssapi-krb5-2:amd64               1.17-6ubuntu4.1                       amd64        MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii  libkrb5-26-heimdal:amd64             7.7.0+dfsg-1ubuntu1                   amd64        Heimdal Kerberos - libraries
ii  libkrb5-3:amd64                      1.17-6ubuntu4.1                       amd64        MIT Kerberos runtime libraries
ii  libkrb5support0:amd64                1.17-6ubuntu4.1                       amd64        MIT Kerberos runtime libraries - Support library
ii  libnss-winbind:amd64                 2:4.14.8+dfsg-0.1focal1               amd64        Samba nameservice integration plugins
ii  libpam-krb5:amd64                    4.8-2ubuntu1                          amd64        PAM module for MIT Kerberos
ii  libpam-winbind:amd64                 2:4.14.8+dfsg-0.1focal1               amd64        Windows domain authentication integration plugin
ii  libwbclient0:amd64                   2:4.14.8+dfsg-0.1focal1               amd64        Samba winbind client library
ii  python3-attr                         19.3.0-2                              all          Attributes without boilerplate (Python 3)
ii  python3-nacl                         1.3.0-5                               amd64        Python bindings to libsodium (Python 3)
ii  python3-samba                        2:4.14.8+dfsg-0.1focal1               amd64        Python 3 bindings for Samba
ii  samba                                2:4.14.8+dfsg-0.1focal1               amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                         2:4.14.8+dfsg-0.1focal1               all          common files used by both the Samba server and client
ii  samba-common-bin                     2:4.14.8+dfsg-0.1focal1               amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules:amd64             2:4.14.8+dfsg-0.1focal1               amd64        Samba Directory Services Database
ii  samba-libs:amd64                     2:4.14.8+dfsg-0.1focal1               amd64        Samba core libraries
ii  samba-vfs-modules:amd64              2:4.14.8+dfsg-0.1focal1               amd64        Samba Virtual FileSystem plugins
ii  winbind                              2:4.14.8+dfsg-0.1focal1               amd64        service to resolve user and group information from Windows NT servers

-----------




-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of L.P.H. van Belle via samba
Sent: Tuesday, 26 October 2021 09:37
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member?

This is something in your setup. 

Can you run this one and post the output. 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

If needed, anonymize where needed. 


Greetz,

Louis
 

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Joachim Lindenberg via samba
> Sent: Tuesday 26 October 2021 8:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
> 
> Hello Rowland,
> I read
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> and I specifically read "If your users will only use the Samba 
> AD DC for authentication and will not store data on it or log into it, 
> you can use the the winbind 'rid' backend, this calculates the user 
> and group IDs from the Windows RID, if you use the same [global] 
> section of the smb.conf on every Unix domain member, you will get the 
> same IDs." - that's the reason I started with a smb.conf of a DC and 
> removed stuff that was apparently irrelevant. Is this section of 
> documentation also wrong?
> 
> > sudo dpkg -l winbind
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name           Version                 Architecture Description
> +++-==============-=======================-============-=============================================>
> ii  winbind        2:4.14.8+dfsg-0.1focal1 amd64        service to resolve user and group information>
> 
> In fact winbind is running after yet another system restart, i.e. it 
> looks like some initialization issue during or after installation. 
> However it reports:
> Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:46 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:52 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:26:32 le winbindd[832]:   gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614,  0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> 
> On the right: gse_get_client_auth_token: gss_init_sec_context failed 
> with [ Miscellaneous failure (see text): Client
> (LE$@SAMBA.LINDENBERG.ONE) unknown]
> 
> I searched for that error, but only M$ or ancient stuff..
> Thanks, Joachim
> 
> 
> -----Original Message-----
> From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
> Sent: Monday, 25 October 2021 22:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
> 
> On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:
> > > How did you join the domain ?
> > I joined using net ads join -U Joachim (which happens to be domain 
> > admin). No error (after fixing a hostname setup issue).
> 
> OK.
> 
> > 
> > > The line above is only used on a DC
> > I excerpted this from an existing DC. Removed it. No change. 
> > Is there a consistency check I can run?
> 
> Yes, but you probably don't need it (more on this later)
> 
> > 
> > > Are you using sssd ?
> > I don't (yet) know what sssd is about.
> 
> As this is Ubuntu, you may have it installed.
> You can check with:
> sudo dpkg -l winbind
> 
> The last line will look like this if it isn't installed:
> 
> un  sssd           <none>       <none>       (no description available)
> 
> > 
> > > Have you installed winbind ?
> > I followed
> > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu
> > , and yes, winbind is installed.
> > 
> > > You have only stopped Samba using nmbd, you need to stop it and then
> > > disable it.
> > I didn't enable it at all. Some magic? If smb.conf asks for no 
> > netbios, shouldn't the process exit?
> 
> Debian based distros start packages when they are installed, so no 
> magic is involved.
> 
> I suggest you go and read this:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> and one of these:
> https://wiki.samba.org/index.php/Idmap_config_ad
> https://wiki.samba.org/index.php/Idmap_config_rid
> https://wiki.samba.org/index.php/Idmap_config_autorid
> 
> You need to add 'idmap config' lines to your smb.conf (if you don't 
> know what they are, you will once you have read the above wiki pages).
> You also need to find out why 'systemctl start winbind' doesn't work.
> 
> Rowland
> 
> 
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
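
Rowland's reply above asks for 'idmap config' lines, and the smb.conf in the collected debug output has none. As an added example (not part of the thread and not Samba project code), this Python check reads a [global] section and reports missing or overlapping idmap settings for the default `*` domain and the workgroup; the function names and the sample ranges are assumptions chosen for illustration.

```python
import re

# Constructed input: trimmed copy of the [global] section posted in the thread.
POSTED = """[global]
    netbios name = LE
    realm = SAMBA.LINDENBERG.ONE
    workgroup = SAMBA
    security = ADS
"""
# Assumed addition: idmap lines for the 'rid' backend; the ranges are illustrative values.
FIXED = POSTED + """    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMBA : backend = rid
    idmap config SAMBA : range = 10000-999999
"""
IDMAP = re.compile(r"idmap config\s+(\S+?)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Split [global] into plain parameters and {domain: {option: value}} idmap settings."""
    params, idmap, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue  # skip blanks and commented-out parameters
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            m = IDMAP.fullmatch(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                params[" ".join(key.lower().split())] = value
    return params, idmap

def audit_member(text):
    """Return a list of idmap problems for a 'security = ADS' member configuration."""
    params, idmap = parse_global(text)
    if params.get("security", "").lower() != "ads":
        return ["security is not ADS"]
    issues, spans = [], []
    for dom in ("*", params.get("workgroup", "").upper()):
        cfg = idmap.get(dom, {})
        issues += [f"idmap config {dom} : {o} missing" for o in ("backend", "range") if o not in cfg]
        if "range" in cfg:
            low, high = (int(n) for n in cfg["range"].split("-"))
            spans.append((low, high, dom))
    spans.sort()  # adjacent ranges after sorting are the only ones that can overlap
    issues += [f"ranges of {a[2]} and {b[2]} overlap" for a, b in zip(spans, spans[1:]) if b[0] <= a[1]]
    return issues
```

Calling `audit_member()` on the text of a member's smb.conf returns an empty list when both idmap domains have a backend and non-overlapping ranges.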



