On 18/05/15 11:57, Tomasz Błasiak wrote:
> Hi
>
> sometimes 'getent group <domain group>' is OK, but sometimes is wrong.
>
> Then I restart winbind and for 5-10 minutes it is OK and the situation is
> repeated
>
> Sorry for my English
>
> >> Know problem, does 'getent group <a domain group>' work ?
> >>
> >> Rowland
>
>
> On 18/05/15 09:08, Tomasz Błasiak wrote:
> > Hi
> > Oracle Linux Server client with Samba 3.6.23 (file server) joined to the
> > Samba4 AD domain.
> > ----------------
> > smb.conf
> > [global]
> > #--authconfig--start-line--
> > netbios name = FS
> > server string = "GSDAD Fileserver"
> > workgroup = GSDAD
> > realm = AD.GSD.LAN
> > security = ads
> > winbind use default domain = yes
> > idmap config * : backend = rid
> > idmap config * : range = 16777216-33554431
> > template shell = /sbin/nologin
> > winbind offline logon = false
> > winbind enum users = yes
> > winbind enum groups = yes
> > idmap cache time = 15
> > idmap negative cache time = 15
> > log level = 2
> >
> > hide dot files = yes
> > hide unreadable = yes
> > access based share enum = yes
> >
> > wide links = Yes
> > unix extensions = No
> > follow symlinks = Yes
> > socket options = TCP_NODELAY IPTOS_THROUGHPUT
> >
> > vfs objects = full_audit
> > full_audit:prefix = %u|%I|%S
> > full_audit:success = mkdir rename rmdir write unlink pwrite
> > full_audit:failure = none
> > recycle:repository = .deleted/%U
> > recycle:keeptree = No
> > recycle:touch = Yes
> > recycle:versions = Yes
> > recycle:maxsixe = 0
> > ;recycle:exclude = *.tmp *.ini *.dat
> > ;recycle:exclude_dir = /tmp /home /home/* /storage/samba/homes /storage/samba/homes/*
> >
> > keepalive = 300
> > deadtime = 10
> >
> > include = /etc/samba/smb.conf.shares
> > #--authconfig--end-line--
> > ----------------
> >
> > getent passwd and wbinfo -u returns all AD users correctly
> > wbinfo -g returns all AD groups correctly
> > getent group fails. Only local groups are returned.
> >
> > ------------
> > log.winbindd
> > winbindd/winbindd_group.c:45(fill_grent)
> > winbindd Failed to find domain 'GSD-DOK'. Check connection to trusted domains!
> > ------------
> >
> > 'GSD-DOK' is a group in AD
> > I set log level = 10
> >
> > ----------
> > log.winbindd
> >
> > [2015/05/15 12:28:38.557668, 6] winbindd/winbindd.c:822(new_connection)
> >   accepted socket 23
> > [2015/05/15 12:28:38.558409, 10] winbindd/winbindd.c:672(process_request)
> >   process_request: request fn INTERFACE_VERSION
> > [2015/05/15 12:28:38.558654, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version)
> >   [ 2718]: request interface version
> > [2015/05/15 12:28:38.558905, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> >   winbind_client_response_written[2718:INTERFACE_VERSION]: delivered response to client
> > [2015/05/15 12:28:38.559251, 10] winbindd/winbindd.c:672(process_request)
> >   process_request: request fn WINBINDD_PRIV_PIPE_DIR
> > [2015/05/15 12:28:38.559482, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
> >   [ 2718]: request location of privileged pipe
> > [2015/05/15 12:28:38.559999, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> >   winbind_client_response_written[2718:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
> > [2015/05/15 12:28:38.560401, 6] winbindd/winbindd.c:822(new_connection)
> >   accepted socket 30
> > [2015/05/15 12:28:38.560682, 6] winbindd/winbindd.c:870(winbind_client_request_read)
> >   closing socket 23, client exited
> > [2015/05/15 12:28:38.560948, 10] winbindd/winbindd.c:645(process_request)
> >   process_request: Handling async request 2718:GETGRNAM
> > [2015/05/15 12:28:38.561267, 3] winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
> >   getgrnam GSD-it
> > [2015/05/15 12:28:38.561509, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupName: struct wbint_LookupName
> >   in: struct wbint_LookupName
> >   domain : *
> >   domain : 'GSDAD'
> >   name : *
> >   name : 'GSD-IT'
> >   flags : 0x00000000 (0)
> > [2015/05/15 12:28:38.562552, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupName: struct wbint_LookupName
> >   out: struct wbint_LookupName
> >   type : *
> >   type : SID_NAME_DOM_GRP (2)
> >   sid : *
> >   sid : S-1-5-21-678467049-2606551726-923385481-1113
> >   result : NT_STATUS_OK
> > [2015/05/15 12:28:38.563484, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> >   find_lookup_domain_from_sid(S-1-5-21-678467049-2606551726-923385481-1113)
> > [2015/05/15 12:28:38.563779, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> >   calling find_our_domain
> > [2015/05/15 12:28:38.564038, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupSid: struct wbint_LookupSid
> >   in: struct wbint_LookupSid
> >   sid : *
> >   sid : S-1-5-21-678467049-2606551726-923385481-1113
> > [2015/05/15 12:28:38.564524, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupSid: struct wbint_LookupSid
> >   out: struct wbint_LookupSid
> >   type : *
> >   type : SID_NAME_DOM_GRP (2)
> >   domain : *
> >   domain : *
> >   domain : 'GSD-IT'
> >   name : *
> >   name : *
> >   name : ''
> >   result : NT_STATUS_OK
> > [2015/05/15 12:28:38.565800, 10] lib/gencache.c:183(gencache_set_data_blob)
> >   Adding cache entry with key IDMAP/SID2GID/S-1-5-21-678467049-2606551726-923385481-1113 and timeout Thu Jan 1 01:00:00 1970
> >   (-1431685718 seconds in the past)
> > [2015/05/15 12:28:38.566636, 10] winbindd/winbindd_util.c:787(find_lookup_domain_from_sid)
> >   find_lookup_domain_from_sid(S-1-5-21-678467049-2606551726-923385481-1113)
> > [2015/05/15 12:28:38.566880, 10] winbindd/winbindd_util.c:797(find_lookup_domain_from_sid)
> >   calling find_our_domain
> > [2015/05/15 12:28:38.567127, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupSid: struct wbint_LookupSid
> >   in: struct wbint_LookupSid
> >   sid : *
> >   sid : S-1-5-21-678467049-2606551726-923385481-1113
> > [2015/05/15 12:28:38.567677, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupSid: struct wbint_LookupSid
> >   out: struct wbint_LookupSid
> >   type : *
> >   type : SID_NAME_DOM_GRP (2)
> >   domain : *
> >   domain : *
> >   domain : 'GSD-IT'
> >   name : *
> >   name : *
> >   name : ''
> >   result : NT_STATUS_OK
> > [2015/05/15 12:28:38.568904, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_Sid2Gid: struct wbint_Sid2Gid
> >   in: struct wbint_Sid2Gid
> >   dom_name : NULL
> >   sid : *
> >   sid : S-1-5-21-678467049-2606551726-923385481-1113
> > [2015/05/15 12:28:38.575264, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_Sid2Gid: struct wbint_Sid2Gid
> >   out: struct wbint_Sid2Gid
> >   gid : *
> >   gid : 0x0000000001000459 (16778329)
> >   result : NT_STATUS_OK
> > [2015/05/15 12:28:38.575852, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
> >   in: struct wbint_LookupGroupMembers
> >   sid : *
> >   sid : S-1-5-21-678467049-2606551726-923385481-1113
> >   type : SID_NAME_DOM_GRP (2)
> > [2015/05/15 12:28:38.576075, 1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> >   wbint_LookupGroupMembers: struct wbint_LookupGroupMembers
> >   out: struct wbint_LookupGroupMembers
> >   members : *
> >   members: struct wbint_Principals
> >   num_principals : 4
> >   principals: ARRAY(4)
> >   principals: struct wbint_Principal
> >   sid : S-1-5-21-678467049-2606551726-923385481-1613
> >   type : SID_NAME_USER (1)
> >   name : *
> >   name : 'tnowak'
> >   principals: struct wbint_Principal
> >   sid : S-1-5-21-678467049-2606551726-923385481-1108
> >   type : SID_NAME_USER (1)
> >   name : *
> >   name : 'plewandowski'
> >   principals: struct wbint_Principal
> >   sid : S-1-5-21-678467049-2606551726-923385481-1602
> >   type : SID_NAME_USER (1)
> >   name : *
> >   name : 'kbet'
> >   principals: struct wbint_Principal
> >   sid : S-1-5-21-678467049-2606551726-923385481-1625
> >   type : SID_NAME_USER (1)
> >   name : *
> >   name : 'drukGSD'
> >   result : NT_STATUS_OK
> > [2015/05/15 12:28:38.579554, 0] winbindd/winbindd_group.c:45(fill_grent)
> >   Failed to find domain 'GSD-IT'. Check connection to trusted domains!
> > [2015/05/15 12:28:38.580456, 5] winbindd/winbindd_getgrnam.c:152(winbindd_getgrnam_recv)
> >   fill_grent failed
> > [2015/05/15 12:28:38.581716, 10] winbindd/winbindd.c:707(wb_request_done)
> >   wb_request_done[2718:GETGRNAM]: NT_STATUS_NO_MEMORY
> > [2015/05/15 12:28:38.589246, 10] winbindd/winbindd.c:768(winbind_client_response_written)
> >   winbind_client_response_written[2718:GETGRNAM]: delivered response to client
> > [2015/05/15 12:28:38.589653, 6] winbindd/winbindd.c:870(winbind_client_request_read)
> >   closing socket 30, client exited
> >
> > ----------
> >
> > Any ideas anyone?
> > Cheers,
> > Tom
>
> Know problem, does 'getent group <a domain group>' work ?
>
> Rowland

OK, I only scanned your post before, I have now had a good look at your
smb.conf, I would suggest you change it as follows:

Change:

    idmap config * : backend = rid
    idmap config * : range = 16777216-33554431

To:

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config GSDAD : backend = rid
    idmap config GSDAD : range = 16777216-33554431

At the moment, all your users & groups (BUILTIN & domain) are being put
into the same database.

Remove this line:

    socket options = TCP_NODELAY IPTOS_THROUGHPUT

It is not really required, could be making things worse and is, as a
certain Jeremy Allison said, 'Voodoo'

Rowland
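
The idmap layout discussed in this thread can be checked mechanically. The Python below is an added example, not part of the original messages or of Samba: it flags a default `*` domain on the rid backend and overlapping ID ranges, and applies the documented idmap_rid formula, which agrees with the gid 16778329 logged for RID 1113. The function names and the `BEFORE`/`AFTER` strings are constructed here from the idmap lines quoted in the thread.

```python
import re

# Constructed inputs: the idmap lines from the original smb.conf and from the reply.
BEFORE = """[global]
idmap config * : backend = rid
idmap config * : range = 16777216-33554431
"""
AFTER = """[global]
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config GSDAD : backend = rid
idmap config GSDAD : range = 16777216-33554431
"""

IDMAP_RE = re.compile(r"^\s*idmap config\s+([^\s:]+)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {'backend': str, 'range': (low, high)}} from smb.conf text."""
    domains = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)  # lines commented with # or ; do not match
        if not m:
            continue
        dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
        if key == "range":
            val = tuple(int(x) for x in val.split("-"))
        domains.setdefault(dom, {})[key] = val
    return domains

def lint_idmap(text):
    """Return findings: rid on the default domain, and overlapping ID ranges."""
    doms = parse_idmap(text)
    findings = []
    if doms.get("*", {}).get("backend", "").lower() == "rid":
        findings.append("default domain '*' uses rid; give the AD domain its own idmap config")
    ranged = sorted((v["range"], name) for name, v in doms.items() if "range" in v)
    for (r1, a), (r2, b) in zip(ranged, ranged[1:]):
        if r2[0] <= r1[1]:
            findings.append(f"ID ranges of {a} and {b} overlap")
    return findings

def rid_to_id(sid, low, high, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID (None if out of range)."""
    rid = int(sid.rsplit("-", 1)[1])
    mapped = rid - base_rid + low
    return mapped if low <= mapped <= high else None

if __name__ == "__main__":
    print("before:", lint_idmap(BEFORE), "after:", lint_idmap(AFTER))
```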