Hi guys,

we're testing the domain join of a Debian Wheezy machine to a Samba 4.17 AD with BIND9 backend (Debian Jessie). I can join the domain with "net ads join" alright, but "wbinfo -u" delivers nothing, cause winbind is not able to start.

/etc/init.d/winbind status tells me it is not running.

If I try winbindd -S -F I receive:

initialize_winbindd_cache: clearing cache and re-creating with version number 2
create_local_token failed: NT_STATUS_NO_SUCH_USER

Is it possibly a rights issue? Some additional information:
- the machine was on squeeze before and we did a dist-upgrade to wheezy
- pam-auth-update lists kerberos and windows-nt/active directory authentication as possible auth methods.
- windows machines can join the domain and communicate fine with the AD DC.
Samba Version 3.6.6.

Following the configs of the domain member to be (wheezy); they worked for a fresh wheezy install for the same domain:

*smb.conf:*
[global]

netbios name = WheezyTest
workgroup = MAYWEG.NET
security = ADS
realm = INTRANET.MAYWEG.NET
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MAYWEG.NET:backend = ad
idmap config MAYWEG.NET:schema_mode = rfc2307
idmap config MAYWEG.NET:range = 10000-99999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

template homedir = /home/%U
template shell = /bin/bash

*nsswitch.conf:*

passwd: compat winbind
group: compat winbind
shadow: compat

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

*krb5.conf:*
[libdefaults]
default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true

*hosts:*
nameserver 192.168.111.90
search intranet.mayweg.net

As usual, I'm happy for every pointer or help I can get. Googling mostly returned smbd not being able to start with this error, but that's running.

Greetings,
Timo
On 11/04/15 13:01, Timo Altun wrote:
> [...]
> netbios name = WheezyTest
> workgroup = MAYWEG.NET
> security = ADS
> realm = INTRANET.MAYWEG.NET
> [...]

You seem to be using the realm name for the workgroup; what is in the smb.conf on the Samba AD DC?

If you are updating to wheezy then you might as well use samba from backports, this will give you a version that isn't EOL.

Rowland
Hi Rowland,

first and foremost thanks for the answer...on a Saturday!

Since I wrote I got it running! Did a complete purge of packages samba libnss-winbind libpam-winbind krb5-user krb5-config libpam-krb5 and reinstalled. Stopped smbd, nmbd and winbind and joined the domain. Started the services again and winbind could start as well. Thanks!

FYI, the smb.conf on the AD (got a bit of a strange naming convention for workgroup/realm, but this way windows machines do not notice the change from NT4 domain to AD):

# Global parameters
[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
interfaces = lo, eth0
bind interfaces only = Yes
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

On 11 April 2015 at 14:52, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 11/04/15 13:01, Timo Altun wrote:
>> [...]
>
> You seem to be using the realm name for the workgroup, what is in the
> smb.conf on the Samba AD DC ?
>
> If you are updating to wheezy then you might as well use samba from
> backports, this will give you a version that isn't EOL.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
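Rowland's question (is the member's workgroup really the DC's workgroup, or the realm?) and the idmap stanzas in Timo's member smb.conf are things worth checking mechanically before starting winbindd, since a domain-specific "idmap config DOMAIN:" stanza is keyed by the short domain name (the workgroup) and the default "*" range must not overlap the domain range. The script below is an added example written for this thread, not code from the thread or from the Samba project. It embeds constructed copies of the [global] sections Timo posted for the member and the DC as sample input, flags security not being ADS, a missing idmap stanza for the workgroup name, and overlapping idmap ranges, and then compares workgroup and realm between the two configs. The function names smb_param, range_overlap, check_member and compare_member_dc are my own, and the script accepts two file paths (member, DC) in place of the samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: sanity-check a domain
# member's smb.conf and compare it against the DC's smb.conf for the points
# raised in the thread (workgroup vs realm, "idmap config DOMAIN:" keyed by the
# workgroup, idmap range overlap).

# Constructed sample: the [global] section of the member smb.conf from the thread.
MEMBER_CONF='[global]
netbios name = WheezyTest
workgroup = MAYWEG.NET
security = ADS
realm = INTRANET.MAYWEG.NET
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config MAYWEG.NET:backend = ad
idmap config MAYWEG.NET:schema_mode = rfc2307
idmap config MAYWEG.NET:range = 10000-99999
'

# Constructed sample: the [global] section of the DC smb.conf from the thread.
DC_CONF='[global]
workgroup = MAYWEG.NET
realm = INTRANET.MAYWEG.NET
netbios name = SERVER06
server role = active directory domain controller
'

# smb_param CONF KEY: print the value of KEY (case-insensitive, trimmed), empty if absent.
smb_param() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /=/ {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }'
}

# range_overlap "lo1-hi1" "lo2-hi2": status 0 when the two ranges share any id.
range_overlap() {
    lo1=${1%-*}; hi1=${1#*-}; lo2=${2%-*}; hi2=${2#*-}
    [ "$lo1" -le "$hi2" ] && [ "$lo2" -le "$hi1" ]
}

# check_member CONF: print one line per finding; exit status is the number of findings.
check_member() {
    conf=$1; n=0
    wg=$(smb_param "$conf" workgroup)
    sec=$(smb_param "$conf" security)
    [ "$sec" = "ADS" ] || { echo "WARN: security = '$sec', an AD member needs security = ADS"; n=$((n + 1)); }
    [ -n "$wg" ] || { echo "WARN: workgroup is not set"; n=$((n + 1)); }
    # The domain-specific idmap stanza is keyed by the short domain name, i.e. the workgroup.
    [ -n "$(smb_param "$conf" "idmap config $wg:backend")" ] ||
        { echo "WARN: no 'idmap config $wg:backend' stanza matching workgroup '$wg'"; n=$((n + 1)); }
    def_range=$(smb_param "$conf" 'idmap config *:range')
    dom_range=$(smb_param "$conf" "idmap config $wg:range")
    [ -n "$def_range" ] || { echo "WARN: no 'idmap config *:range' (default backend range)"; n=$((n + 1)); }
    if [ -n "$def_range" ] && [ -n "$dom_range" ] && range_overlap "$def_range" "$dom_range"; then
        echo "WARN: idmap ranges overlap: '*' $def_range vs '$wg' $dom_range"; n=$((n + 1))
    fi
    return $n
}

# compare_member_dc MEMBER DC: status 0 when workgroup and realm agree on both sides.
compare_member_dc() {
    ok=0
    for key in workgroup realm; do
        m=$(smb_param "$1" "$key"); d=$(smb_param "$2" "$key")
        [ "$m" = "$d" ] || { echo "MISMATCH: $key is '$m' on the member but '$d' on the DC"; ok=1; }
    done
    return $ok
}

# Usage: check the embedded samples, or two files given as arguments (member, DC).
if [ $# -eq 2 ]; then
    check_member "$(cat "$1")"; compare_member_dc "$(cat "$1")" "$(cat "$2")"
else
    check_member "$MEMBER_CONF"; compare_member_dc "$MEMBER_CONF" "$DC_CONF"
fi
```

Run against Timo's two configs the script prints nothing: security is ADS, the "idmap config MAYWEG.NET:" stanza matches the workgroup, the 2000-9999 and 10000-99999 ranges are disjoint, and workgroup and realm agree on both sides, which is the answer to Rowland's question. The script only parses [global] keys; it does not replace testparm, which is still the right tool for catching syntax errors and unknown parameters.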