Rowland Penny
2015-Apr-04 08:41 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 04/04/15 03:29, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>>>>>>> I'm trying to get the former PDC back into domain after performing a classic migration.
>>>>>>>>>> AD DC is running fine... if you can call it that.
>>>>>>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and
>>>>>>>>>> rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>>>>>>>>
>>>>>>>>>> # net ads testjoin
>>>>>>>>>> Join is OK
>>>>>>>>>> But there's no data in getent, and domain users are unable to authenticate on
>>>>>>>>>> the server.
>>>>>>>>>> So, where do I start looking?
>>>>>>>> Please check your /etc/nsswitch.conf file, it should look contains this,
>>>>>>>> passwd: compat winbind
>>>>>>>> group: compat winbind
>>>>>>>> For more information, please go through Samba Wiki first,
>>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>>>>>> Please read the message - I explicitly stated that nsswitch.conf is amended as
>>>>>>> suggested on the wiki.
>>>>>>>
>>>>>>>
>>>>>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain
>>>>>> classicupgrade', this should have given you users with uidNumber
>>>>>> attributes and groups with gidNumber attributes.
>>>>>> If,as you said, you used the smb.conf from the member server wiki page,
>>>>>> you will have something like this in your smb.conf:
>>>>>> idmap config *:backend = tdb
>>>>>> idmap config *:range = 2000-9999
>>>>>> idmap config SAMDOM:backend = ad
>>>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>>>> idmap config SAMDOM:range = 10000-99999
>>>>>> Two questions:
>>>>>> Did you change 'SAMDOM' to your workgroup name ?
>>>>>> Are your users & groups uidNumber & gidNumber attributes inside the
>>>>>> '10000=99999' range ?
>>>>> It was a little more complicated process, than that.
>>>>>
>>>>> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.
>>>>>
>>>>> On host, I've set up container DC1, copied over the 3.6.3 TDB's from host and
>>>>> performed classicupgrade with hostname change. After initial failure and a
>>>>> month of head cracking, it somehow worked out on April 1st.
>>>>>
>>>>> The container runs as it could, resolving uids to domain names within itself,
>>>>> at least.
>>>>>
>>>>> Now, I need to get the same resolution on the host.
>>>>> The Samba 3 configuration files were moved away on the host before Samba
>>>>> upgrade, so that I could have one more backup copy of the configuration, if
>>>>> things go wrong.
>>>>>
>>>>> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the
>>>>> Wiki, and then commanded to join the AD.
>>>>> Join went fine except for a notice "unable to update DNS record for
>>>>> userl.ccenter.lan".
>>>>> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted
>>>>> everything.
>>>>>
>>>>> Currently, the situation is as follows:
>>>>>
>>>>> DC1 (AD DC): http://pastebin.com/WncfgLb6
>>>>>
>>>>> root at dc1:~# smbclient -L dc1 -U domainuser
>>>>> Enter domainuser's password:
>>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>>>>
>>>>> Sharename Type Comment
>>>>> --------- ---- -------
>>>>> netlogon Disk
>>>>> sysvol Disk
>>>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu)
>>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>>>>
>>>>> Server Comment
>>>>> --------- -------
>>>>>
>>>>> Workgroup Master
>>>>> --------- -------
>>>>>
>>>>> root at dc1:~# smbclient -L userl -U domainuser
>>>>> Enter domainuser's password:
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>>>
>>>>> USERL (member server): http://pastebin.com/25Lx6z9v
>>>>>
>>>>> root at userl:~# net ads testjoin
>>>>> Join is OK
>>>>>
>>>>> root at userl:~# smbclient -L dc1 -U domainuser
>>>>> Enter domainuser's password:
>>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>>>>
>>>>> Sharename Type Comment
>>>>> --------- ---- -------
>>>>> netlogon Disk
>>>>> sysvol Disk
>>>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu)
>>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>>>>
>>>>> Server Comment
>>>>> --------- -------
>>>>>
>>>>> Workgroup Master
>>>>> --------- -------
>>>>>
>>>>> root at userl:~# smbclient -L userl -U domainuser
>>>>> Enter domainuser's password:
>>>>> session setup failed: NT_STATUS_LOGON_FAILURE
>>>>>
>>>>> Looking at winbind/idmap logs,
>>>>>
>>>>> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
>>>>> pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
>>>>> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
>>>>> idmap config CCENTER : range = 1000-50000
>>>>> [2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
>>>>> Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
>>>>> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
>>>>> set_domain_online_request: called for domain CCENTER
>>>>> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
>>>>> set_domain_online_request: domain CCENTER was globally offline.
>>>>>
>>>>> Eh? What the? Why? Google says it may be an issue with DNS, but mine works
>>>>> fine. Especially since a few lines before it successfully contact AD DC.
>>>>>
>>>>>
>>>> I am struggling to understand this setup, you have created a samba AD DC
>>>> running on Ubuntu 12.04 inside a container (docker ??),
>>> docker is a management tool for LXC, which is an isolation solution and have
>>> its own management tools. docker is fine when you need to deploy many similar
>>> instances of an application, but for a single container, it is just not
>>> needed.
>>> For simplicity, you can presume that it is a separate system running elsewhere
>>> on the network. Answering your later question, yes, I have full network
>>> connectivity, I can ping and ssh between both, and browse shares of a DC from
>>> the member server using either credentials. (See above.)
>>>
>>>> you then seem to have altered the AD DCs smb.conf for some reason, can I ask
>>>> why ?
>>> Multiple reasons at first, but at this point, it is a template I could just
>>> copy to a member server and have it run with only a single line edit. The
>>> settings are either sensible, but not necessary, or completely irrelevant for
>>> a DC, as far as I can tell.
>>>
>>>> You then setup a member server, joined it to the domain, but now cannot
>>>> connect to the member server from the DC via smbclient, is this correct ?
>>> I can't connect to a member server using domain user credentials.
>>> This would be more correct statement.
>>>
>>>> what have you got in:
>>>> /etc/resolv.conf
>>>> /etc/krb5.conf
>>> Both give exactly same results:
>>>
>>> # cat /etc/krb5.conf
>>> cat: /etc/krb5.conf: No such file or directory
>>> (Erm, should I have it? What package I'm missing, if yes?)
>> Yes you should, it should contain this:
>> [libdefaults]
>> default_realm = ADS.CCENTER.LAN
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>> Have you got all of these packages installed:
>> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user
>>> # cat /etc/resolv.conf
>>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>>> nameserver 127.0.0.1
>>> search ccenter.lan
>>>
>>>> This on both machines
>>> In case of a member server, 127.0.0.1 point to a local bind9, which is set to
>>> forward ads.ccenter.lan to the DC. The resolution DO works correctly.
>> Just point /etc/resolv.conf at the DC,
> Does that mean winbind is unable to understand plain DNS replies, or what?
>
>> also ccenter.lan is not ads.ccenter.lan
> # cat /etc/resolv.conf
> nameserver 192.168.17.4
> search ads.ccenter.lan
>
> # host -t SRV _ldap._tcp.ads.ccenter.lan.
> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>
> # nslookup dc1
> Server: 192.168.17.4
> Address: 192.168.17.4#53
>
> Name: dc1.ads.ccenter.lan
> Address: 192.168.17.4
>
> # ping dc1 -c 1
> PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data.
> 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms
>
> --- dc1.ads.ccenter.lan ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
>
> root at userl:~# wbinfo -t
> checking the trust secret for domain CCENTER via RPC calls succeeded
> root at userl:~# wbinfo -u | wc -l
> 19
> root at userl:~# getent passwd domainuser
> root at userl:~# smbclient -L localhost -U domainuser
> Enter domainuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
> process_request: Handling async request 2811:GETPWNAM
> [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
> getpwnam CCENTER\domainuser
> [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
> SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000
> [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
> find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513)
> [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
> calling find_our_domain
> [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
> SID 0: S-1-5-21-1031481445-3291699540-3997755762-513
> [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
> Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED
> [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
> wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED
> [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
> winbind_client_response_written[2811:GETPWNAM]: delivered response to client
>
>>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>> ;; ANSWER SECTION:
>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan.
>>>
>>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1)
>>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1)
>>> (no answer - IPv6 resolution disabled)
>>>
>>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1)
>>> ;; ANSWER SECTION:
>>> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4
>>>
>>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>> ;; ANSWER SECTION:
>>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan.
>>>
>>>> can you ping from each machine to the other, both by ip and hostname ?
>>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ?
>>> root at dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>
>>> root at userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>
>>>> does the 'container' have all the required ports open ?
>>> If logs are to be trusted, it even able to list users and groups.
>>>
>>> log.wb-CCENTER
>>> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
>>> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *"
>>> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect)
>>> Successfully contacted LDAP server 192.168.17.4
>>> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect)
>>> Connected to LDAP server dc1.ads.ccenter.lan
>>> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
>>> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK
>>> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list)
>>> ads query_user_list gave 19 entries
>>>
>>> This is about right.
>>> root at dc1:~# wbinfo -u | wc -l
>>> 19
>>>
>>> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>> Connecting to 192.168.17.4 at port 135
>>> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>> Connecting to 192.168.17.4 at port 1024
>>> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER
>>> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups)
>>> ads: enum_dom_groups
>>> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups)
>>> ads enum_dom_groups gave 216 entries
>>>
>>> This is a bit off, but still close.
>>> root at dc1:~# wbinfo -g | wc -l
>>> 211
>>>
>>> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER
>>> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>> [13765]: list trusted domains
>>> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
>>> ads: trusted_domains
>>> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>> msrpc_name_to_sid: name=CCENTER\DOMAINUSER
>>> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER
>>> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user)
>>> ads: query_user
>>>
>>> But in the end, it just doesn't work. getent doesn't list anything sensible,
>>> not from explicit request, nor from enumeration.
>>>
>>>
>
>
OK, what does running this command on the DC show:

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'

This relies on ldb-tools being installed and sam.ldb being in '/var/lib/samba/private'; if yours is somewhere else, change the path.

Rowland
Andrey Repin
2015-Apr-04 17:28 UTC
[Samba] Member server - winbind unable to resolve users/groups
Greetings, Rowland Penny!

>> # cat /etc/resolv.conf
>> nameserver 192.168.17.4
>> search ads.ccenter.lan
>>
>> # host -t SRV _ldap._tcp.ads.ccenter.lan.
>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>
>> # nslookup dc1
>> Server: 192.168.17.4
>> Address: 192.168.17.4#53
>>
>> Name: dc1.ads.ccenter.lan
>> Address: 192.168.17.4
>>
>> # ping dc1 -c 1
>> PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data.
>> 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms
>>
>> --- dc1.ads.ccenter.lan ping statistics ---
>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>> rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms
>>
>> root at userl:~# wbinfo -t
>> checking the trust secret for domain CCENTER via RPC calls succeeded
>> root at userl:~# wbinfo -u | wc -l
>> 19
>> root at userl:~# getent passwd domainuser
>> root at userl:~# smbclient -L localhost -U domainuser
>> Enter domainuser's password:
>> session setup failed: NT_STATUS_LOGON_FAILURE
>>
>> [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request)
>> process_request: Handling async request 2811:GETPWNAM
>> [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send)
>> getpwnam CCENTER\domainuser
>> [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000
>> [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid)
>> find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513)
>> [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid)
>> calling find_our_domain
>> [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send)
>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-513
>> [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv)
>> Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED
>> [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done)
>> wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED
>> [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written)
>> winbind_client_response_written[2811:GETPWNAM]: delivered response to client
>>
>>>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1)
>>>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1)
>>>> (no answer - IPv6 resolution disabled)
>>>>
>>>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4
>>>>
>>>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1)
>>>> ;; ANSWER SECTION:
>>>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan.
>>>>
>>>>> can you ping from each machine to the other, both by ip and hostname ?
>>>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ?
>>>> root at dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>> root at userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>
>>>>> does the 'container' have all the required ports open ?
>>>> If logs are to be trusted, it even able to list users and groups.
>>>>
>>>> log.wb-CCENTER
>>>> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
>>>> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *"
>>>> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect)
>>>> Successfully contacted LDAP server 192.168.17.4
>>>> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect)
>>>> Connected to LDAP server dc1.ads.ccenter.lan
>>>> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>>> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>>> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>>> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>>>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore
>>>> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>>> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK
>>>> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list)
>>>> ads query_user_list gave 19 entries
>>>>
>>>> This is about right.
>>>> root at dc1:~# wbinfo -u | wc -l
>>>> 19
>>>>
>>>> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>> Connecting to 192.168.17.4 at port 135
>>>> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>> Connecting to 192.168.17.4 at port 1024
>>>> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER
>>>> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups)
>>>> ads: enum_dom_groups
>>>> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups)
>>>> ads enum_dom_groups gave 216 entries
>>>>
>>>> This is a bit off, but still close.
>>>> root at dc1:~# wbinfo -g | wc -l
>>>> 211
>>>>
>>>> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER
>>>> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>> [13765]: list trusted domains
>>>> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
>>>> ads: trusted_domains
>>>> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>> msrpc_name_to_sid: name=CCENTER\DOMAINUSER
>>>> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER
>>>> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>> ads: query_user
>>>>
>>>> But in the end, it just doesn't work. getent doesn't list anything sensible,
>>>> not from explicit request, nor from enumeration.
>>>>
>>>>
>>
> OK, what does running this command on the DC show:
> ldbsearch -H /var/lib/samba/private/sam.ldb
> '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep
> 'uidNumber'
> This relies on ldb-tools being installed and sam.ldb being in
> '/var/lib/samba/private' if yours is somewhere else, change the path.

I have the urge to say "nothing" before even checking first, as I have no
RID's that high. But it appears the RID's were all changed after migration.

ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
# record 1
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000

Before migration, all users had RID=uidNumber, except one. Why have they been changed?

--
With best regards,
Andrey Repin
Saturday, April 4, 2015 20:19:29

Sorry for my terrible English...
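An offline checker for the points Rowland raises in this thread, written in Python as an added example (not code from the thread or from the Samba project): winbind on the passwd/group lines of nsswitch.conf, an 'idmap config' block for the real workgroup rather than the wiki's SAMDOM placeholder, backend 'ad' with schema_mode rfc2307, and the uidNumber that ldbsearch returns falling inside that block's range. The smb.conf, nsswitch.conf and ldbsearch text are constructed from values shown in the thread; the check that the '*' default range does not overlap the domain range is a general Samba configuration check added here.

```python
"""Offline sanity check of a Samba AD member server's idmap setup.

Added example, not code from the thread or from the Samba project.  It
re-runs the checks Rowland asks for: winbind in nsswitch.conf, an 'idmap
config <WORKGROUP>' block (not just the '*' default) with backend 'ad' and
schema_mode rfc2307, and the uidNumber ldbsearch returns landing inside
that range.  The '*'/domain range overlap check is an added general check.
"""
import re
from typing import Dict, List, Optional, Tuple

# Wiki fragment quoted in the thread, SAMDOM replaced by the real
# workgroup CCENTER as Rowland suggests (constructed sample).
SMB_CONF = """
[global]
   workgroup = CCENTER
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config CCENTER:backend = ad
   idmap config CCENTER:schema_mode = rfc2307
   idmap config CCENTER:range = 10000-99999
"""
# nsswitch.conf lines as the wiki describes them (constructed sample).
NSSWITCH_CONF = "passwd:  compat winbind\ngroup:   compat winbind\nshadow:  compat\n"
# ldbsearch output Andrey posted for the unmappable SID (constructed sample).
LDBSEARCH_OUT = """
# record 1
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
uidNumber: 30000
"""

IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:]+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$",
                      re.IGNORECASE | re.MULTILINE)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Map DOMAIN -> {key: value} for every 'idmap config DOMAIN:key = value' line."""
    domains: Dict[str, Dict[str, str]] = {}
    for dom, key, value in IDMAP_RE.findall(conf):
        domains.setdefault(dom.upper(), {})[key.lower()] = value.lower()
    return domains


def parse_range(value: Optional[str]) -> Optional[Tuple[int, int]]:
    """'10000-99999' -> (10000, 99999); None when absent or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def nss_missing_winbind(conf: str) -> List[str]:
    """Return the NSS databases among passwd/group whose line lacks 'winbind'."""
    missing = []
    for db in ("passwd", "group"):
        m = re.search(rf"^\s*{db}\s*:\s*(.*)$", conf, re.MULTILINE)
        if m is None or "winbind" not in m.group(1).split():
            missing.append(db)
    return missing


def uid_from_ldbsearch(out: str) -> Optional[int]:
    """Pull uidNumber from ldbsearch LDIF output; None if the attribute is absent."""
    m = re.search(r"^uidNumber:\s*(\d+)\s*$", out, re.MULTILINE)
    return int(m.group(1)) if m else None


def check_member(smb_conf: str, nss_conf: str, ldb_out: str, workgroup: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"nsswitch.conf: '{db}' line does not include winbind"
                for db in nss_missing_winbind(nss_conf)]
    domains = parse_idmap(smb_conf)
    dom = domains.get(workgroup.upper())
    if dom is None:
        findings.append(f"smb.conf: no 'idmap config {workgroup}:' block; "
                        "lookups fall through to the '*' default")
        return findings
    if dom.get("backend") != "ad":
        findings.append(f"smb.conf: backend for {workgroup} is {dom.get('backend')!r}, not 'ad'")
    elif dom.get("schema_mode") != "rfc2307":
        findings.append(f"smb.conf: idmap config {workgroup}:schema_mode is not rfc2307")
    rng = parse_range(dom.get("range"))
    if rng is None:
        findings.append(f"smb.conf: idmap config {workgroup}:range is missing or malformed")
        return findings
    lo, hi = rng
    dflt = parse_range(domains.get("*", {}).get("range"))
    # Overlapping ranges let two backends claim the same id: a common misconfiguration.
    if dflt and not (dflt[1] < lo or hi < dflt[0]):
        findings.append(f"smb.conf: '*' range {dflt[0]}-{dflt[1]} overlaps {workgroup} range {lo}-{hi}")
    uid = uid_from_ldbsearch(ldb_out)
    if uid is None:
        findings.append("ldbsearch: user has no uidNumber attribute in AD")
    elif not lo <= uid <= hi:
        findings.append(f"uidNumber {uid} is outside idmap range {lo}-{hi} for {workgroup}")
    return findings


if __name__ == "__main__":
    for line in check_member(SMB_CONF, NSSWITCH_CONF, LDBSEARCH_OUT, "CCENTER") or ["all checks passed"]:
        print(line)
```

Feed it the real files (and the real ldbsearch output from the DC) to reproduce the checks on a live member server; with the constructed sample every check passes.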
Rowland Penny
2015-Apr-04 20:17 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 04/04/15 18:28, Andrey Repin wrote:> Greetings, Rowland Penny! > >>> # cat /etc/resolv.conf >>> nameserver 192.168.17.4 >>> search ads.ccenter.lan >>> >>> # host -t SRV _ldap._tcp.ads.ccenter.lan. >>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. >>> >>> # nslookup dc1 >>> Server: 192.168.17.4 >>> Address: 192.168.17.4#53 >>> >>> Name: dc1.ads.ccenter.lan >>> Address: 192.168.17.4 >>> >>> # ping dc1 -c 1 >>> PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data. >>> 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms >>> >>> --- dc1.ads.ccenter.lan ping statistics --- >>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms >>> rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms >>> >>> root at userl:~# wbinfo -t >>> checking the trust secret for domain CCENTER via RPC calls succeeded >>> root at userl:~# wbinfo -u | wc -l >>> 19 >>> root at userl:~# getent passwd domainuser >>> root at userl:~# smbclient -L localhost -U domainuser >>> Enter domainuser's password: >>> session setup failed: NT_STATUS_LOGON_FAILURE >>> >>> [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request) >>> process_request: Handling async request 2811:GETPWNAM >>> [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send) >>> getpwnam CCENTER\domainuser >>> [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) >>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000 >>> [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid) >>> find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513) >>> [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 
0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid) >>> calling find_our_domain >>> [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) >>> SID 0: S-1-5-21-1031481445-3291699540-3997755762-513 >>> [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv) >>> Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED >>> [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done) >>> wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED >>> [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written) >>> winbind_client_response_written[2811:GETPWNAM]: delivered response to client >>> >>>>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >>>>> ;; ANSWER SECTION: >>>>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan. >>>>> >>>>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1) >>>>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1) >>>>> (no answer - IPv6 resolution disabled) >>>>> >>>>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1) >>>>> ;; ANSWER SECTION: >>>>> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4 >>>>> >>>>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >>>>> ;; ANSWER SECTION: >>>>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan. >>>>> >>>>>> can you ping from each machine to the other, both by ip and hostname ? >>>>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ? 
>>>>> root@dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>>
>>>>> root@userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan.
>>>>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
>>>>>
>>>>>> does the 'container' have all the required ports open ?
>>>>> If logs are to be trusted, it is even able to list users and groups.
>>>>>
>>>>> log.wb-CCENTER
>>>>> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list)
>>>>> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *"
>>>>> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect)
>>>>> Successfully contacted LDAP server 192.168.17.4
>>>>> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect)
>>>>> Connected to LDAP server dc1.ads.ccenter.lan
>>>>> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
>>>>> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
>>>>> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
>>>>> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind)
>>>>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178@please_ignore
>>>>> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req)
>>>>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory)
>>>>> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds)
>>>>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK
>>>>> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list)
>>>>> ads query_user_list gave 19 entries
>>>>>
>>>>> This is about right.
>>>>> root@dc1:~# wbinfo -u | wc -l
>>>>> 19
>>>>>
>>>>> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>> Connecting to 192.168.17.4 at port 135
>>>>> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send)
>>>>> Connecting to 192.168.17.4 at port 1024
>>>>> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER
>>>>> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups)
>>>>> ads: enum_dom_groups
>>>>> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups)
>>>>> ads enum_dom_groups gave 216 entries
>>>>>
>>>>> This is a bit off, but still close.
>>>>> root@dc1:~# wbinfo -g | wc -l
>>>>> 211
>>>>>
>>>>> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name)
>>>>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER
>>>>> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains)
>>>>> [13765]: list trusted domains
>>>>> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains)
>>>>> ads: trusted_domains
>>>>> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>>>>> msrpc_name_to_sid: name=CCENTER\DOMAINUSER
>>>>> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>>>>> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER
>>>>> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user)
>>>>> ads: query_user
>>>>>
>>>>> But in the end, it just doesn't work. getent doesn't list anything sensible,
>>>>> not from an explicit request, nor from enumeration.
>>>>>
>>>>>
>>>
>> OK, what does running this command on the DC show:
>> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber'
>> This relies on ldb-tools being installed and sam.ldb being in '/var/lib/samba/private'; if yours is somewhere else, change the path.
> I have the urge to say "nothing" before even checking first, as I have no
> RIDs that high. But it appears the RIDs were all changed after migration.
>
> ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' uidNumber
>
> # record 1
> dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
> uidNumber: 30000
>
> Before migration, all users had RID=uidNumber, except one.
> Why have they been changed?
>
I have no idea why they have changed, but it is there and it is inside the range set in your member server smb.conf, so getent should fetch the user's info.

Have you got the winbind links in the correct place? See the member server wiki page.

Do you have 'winbind' in the 'passwd' & 'group' lines in /etc/nsswitch.conf?

Can you check that Domain Users has a 'gidNumber'?

Rowland
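The check Rowland is walking through above is whether the uidNumber (or, for Domain Users, the gidNumber) stored in AD actually falls inside the range the member server's smb.conf assigns to the domain's 'idmap config' block: the ad backend only uses an ID from AD when it lies in that range, so an ID outside it, or one that collides with the default '*' range handled by the tdb backend, leaves the account unmapped. The script below is an added example written for this page, not code from the thread or from the Samba project. It parses a constructed smb.conf fragment and constructed ldbsearch output (only record 1 is the one from the thread; the other two records, the 'objectClass' attribute and the overlap check are assumptions made for the example) and reports, per record, whether the ID is in range, sits in the '*' range, lies outside every range, or is missing. On a real DC you would feed it the result of an ldbsearch that requests objectClass, uidNumber and gidNumber for the users and groups you care about, and the smb.conf of the member server, not of the DC.

```python
import re

# Constructed smb.conf fragment for this example. It follows the member
# server layout quoted earlier in the thread, with SAMDOM replaced by the
# workgroup name CCENTER (an assumption; use the member server's real file).
SMB_CONF = """
[global]
   workgroup = CCENTER
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config CCENTER:backend = ad
   idmap config CCENTER:schema_mode = rfc2307
   idmap config CCENTER:range = 10000-99999
"""

# Constructed ldbsearch output in LDIF form. Record 1 is the one from the
# thread; records 2 and 3 are invented here to show the two failure modes
# (a group with no gidNumber, a user whose uidNumber sits in the '*' range).
LDB_OUT = """# record 1
dn: CN=domainuser,CN=Users,DC=ads,DC=ccenter,DC=lan
objectClass: top
objectClass: user
uidNumber: 30000

# record 2
dn: CN=Domain Users,CN=Users,DC=ads,DC=ccenter,DC=lan
objectClass: top
objectClass: group
objectSid: S-1-5-21-1031481445-3291699540-3997755762-513

# record 3
dn: CN=olduser,CN=Users,DC=ads,DC=ccenter,DC=lan
objectClass: top
objectClass: user
uidNumber: 5000

# returned 3 records
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldb_records(text):
    """Split LDIF-style ldbsearch output into one {attr: value} dict per record.
    Comment and blank lines end a record; a repeated attribute keeps its last
    value, so objectClass ends up as the most specific class ('user'/'group').
    Base64 ('::') values and folded lines are not needed for these attributes."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value.strip()
    if cur:
        records.append(cur)
    return records


def overlapping_ranges(ranges):
    """Return (a, b) pairs of idmap domains whose ranges overlap; must be empty."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]


def classify_id(ranges, domain, value):
    """Say where an id falls: the domain's own range, the '*' range, or neither."""
    lo, hi = ranges[domain.upper()]
    if lo <= value <= hi:
        return "ok"
    if "*" in ranges and ranges["*"][0] <= value <= ranges["*"][1]:
        return "in default * range"
    return "outside all ranges"


def check_records(ranges, records, domain):
    """Return [(dn, id or None, status)], using gidNumber for groups."""
    results = []
    for rec in records:
        attr = "gidNumber" if rec.get("objectClass") == "group" else "uidNumber"
        raw = rec.get(attr)
        if raw is None:
            results.append((rec.get("dn"), None, "missing " + attr))
        else:
            results.append((rec.get("dn"), int(raw), classify_id(ranges, domain, int(raw))))
    return results


if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("idmap ranges:", ranges)
    print("overlapping ranges:", overlapping_ranges(ranges) or "none")
    for dn, value, status in check_records(ranges, parse_ldb_records(LDB_OUT), "CCENTER"):
        print(f"{status:<20} {str(value):>6}  {dn}")
```

Run against the sample data it reports record 1 as ok (30000 is inside 10000-99999, which is why Rowland expects getent to work for that user), Domain Users as missing gidNumber, and the invented third user as sitting in the '*' range, where the ad backend will not use it. The overlap test is there because a '*' range that runs into the domain range is a common copy-and-paste mistake when the wiki example is adapted.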