samba - Feb 2016 - AD Group lost from Winbind

Hello,

the last two days i have problems with my AD group which is defined in share
setting valid users

Winbind looks to lost mapping of this group and so no user can connect to this
share anymore.

When restart winbind service mapping works again until mapping lost again.


ls -lsa shows me in issue this:

        2      4 drwxr-x---  63 root               12001                        
4096 Feb  4 23:42 Share

After restarting winbind:

        2      4 drwxr-x---  63 root               group_intern                 
4096 Feb  4 23:42 Share


My smb.conf looks like


[global]
       netbios name = MEMBER1
       security = ADS
       workgroup = HQ
       realm = hq.internal

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes
	winbind cache time = 300


       idmap config *:backend = tdb
       idmap config *:range = 500-9999

       # idmap config for domain HQ
       idmap config HQ:backend = ad
       idmap config HQ:schema_mode = rfc2307
       idmap config HQ:range = 10000-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307

[Share]
   path = /data/share
   browseable = yes
   writeable = yes
   force group = Group_Intern
   valid users = @Group_Intern
   create mask = 0660
   directory mask = 0770
   #oplocks = 0
   vfs objects = full_audit recycle
   full_audit:prefix = %u
   full_audit:success = mkdir rename rmdir unlink pwrite
   full_audit:failure = none
   full_audit:facility = LOCAL5
   full_audit:priority = NOTICE
   recycle:versions = yes
   recycle:exclude = .*, ~*



Anyone has an idea for this problem?


Regards
Oliver
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160212/9a24340c/signature.sig>

Ok, same problem as im having.. 

What is your os running? 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner
> Verzonden: vrijdag 12 februari 2016 8:56
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] AD Group lost from Winbind
> 
> Hello,
> 
> the last two days i have problems with my AD group which is defined in
> share setting valid users
> 
> Winbind looks to lost mapping of this group and so no user can connect to
> this share anymore.
> 
> When restart winbind service mapping works again until mapping lost again.
> 
> 
> ls -lsa shows me in issue this:
> 
>         2      4 drwxr-x---  63 root               12001
> 4096 Feb  4 23:42 Share
> 
> After restarting winbind:
> 
>         2      4 drwxr-x---  63 root               group_intern
> 4096 Feb  4 23:42 Share
> 
> 
> My smb.conf looks like
> 
> 
> [global]
>        netbios name = MEMBER1
>        security = ADS
>        workgroup = HQ
>        realm = hq.internal
> 
>        log file = /var/log/samba/%m.log
>        log level = 1
> 
>        dedicated keytab file = /etc/krb5.keytab
>        kerberos method = secrets and keytab
>        winbind refresh tickets = yes
> 
>        winbind trusted domains only = no
>        winbind use default domain = yes
>        winbind enum users  = yes
>        winbind enum groups = yes
> 	winbind cache time = 300
> 
> 
>        idmap config *:backend = tdb
>        idmap config *:range = 500-9999
> 
>        # idmap config for domain HQ
>        idmap config HQ:backend = ad
>        idmap config HQ:schema_mode = rfc2307
>        idmap config HQ:range = 10000-99999
> 
>        # Use settings from AD for login shell and home directory
>        winbind nss info = rfc2307
> 
> [Share]
>    path = /data/share
>    browseable = yes
>    writeable = yes
>    force group = Group_Intern
>    valid users = @Group_Intern
>    create mask = 0660
>    directory mask = 0770
>    #oplocks = 0
>    vfs objects = full_audit recycle
>    full_audit:prefix = %u
>    full_audit:success = mkdir rename rmdir unlink pwrite
>    full_audit:failure = none
>    full_audit:facility = LOCAL5
>    full_audit:priority = NOTICE
>    recycle:versions = yes
>    recycle:exclude = .*, ~*
> 
> 
> 
> Anyone has an idea for this problem?
> 
> 
> Regards
> Oliver
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

my os is debian 8.3

win bind and samba are in version 4.1.17

> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>:
> 
> Ok, same problem as im having..
> 
> What is your os running?
> 
> 
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver
Werner
>> Verzonden: vrijdag 12 februari 2016 8:56
>> Aan: samba at lists.samba.org
>> Onderwerp: [Samba] AD Group lost from Winbind
>> 
>> Hello,
>> 
>> the last two days i have problems with my AD group which is defined in
>> share setting valid users
>> 
>> Winbind looks to lost mapping of this group and so no user can connect
to
>> this share anymore.
>> 
>> When restart winbind service mapping works again until mapping lost
again.
>> 
>> 
>> ls -lsa shows me in issue this:
>> 
>>        2      4 drwxr-x---  63 root               12001
>> 4096 Feb  4 23:42 Share
>> 
>> After restarting winbind:
>> 
>>        2      4 drwxr-x---  63 root               group_intern
>> 4096 Feb  4 23:42 Share
>> 
>> 
>> My smb.conf looks like
>> 
>> 
>> [global]
>>       netbios name = MEMBER1
>>       security = ADS
>>       workgroup = HQ
>>       realm = hq.internal
>> 
>>       log file = /var/log/samba/%m.log
>>       log level = 1
>> 
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>>       winbind refresh tickets = yes
>> 
>>       winbind trusted domains only = no
>>       winbind use default domain = yes
>>       winbind enum users  = yes
>>       winbind enum groups = yes
>> 	winbind cache time = 300
>> 
>> 
>>       idmap config *:backend = tdb
>>       idmap config *:range = 500-9999
>> 
>>       # idmap config for domain HQ
>>       idmap config HQ:backend = ad
>>       idmap config HQ:schema_mode = rfc2307
>>       idmap config HQ:range = 10000-99999
>> 
>>       # Use settings from AD for login shell and home directory
>>       winbind nss info = rfc2307
>> 
>> [Share]
>>   path = /data/share
>>   browseable = yes
>>   writeable = yes
>>   force group = Group_Intern
>>   valid users = @Group_Intern
>>   create mask = 0660
>>   directory mask = 0770
>>   #oplocks = 0
>>   vfs objects = full_audit recycle
>>   full_audit:prefix = %u
>>   full_audit:success = mkdir rename rmdir unlink pwrite
>>   full_audit:failure = none
>>   full_audit:facility = LOCAL5
>>   full_audit:priority = NOTICE
>>   recycle:versions = yes
>>   recycle:exclude = .*, ~*
>> 
>> 
>> 
>> Anyone has an idea for this problem?
>> 
>> 
>> Regards
>> Oliver
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
<http://lists.samba.org/pipermail/samba/attachments/20160212/b769f93a/signature.sig>

Ok, im having this : 

DC's 
Debian Wheezy 7.9, sernet samba 4.2.8 


Member servers. 
Debian Jessie samba 4.1.17 ( fileserver ) 
Debian Jessie samba 4.2.7  ( print server ) 
	This one isnt updated yet with latest updates. 

The following packages have been kept back:
  samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs
sernet-samba-libsmbclient0 sernet-samba-winbind
The following packages will be upgraded:
  krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3
libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5

on this one all id's are still correct. 

Thanks, Daniel Müller, for your addition..

This is really a big problem.. what happend her in the samba code? 
I've looked at the change log, but cant seen any related to this. 

So if anyone DEVS ? know what happend here in the samba code. 
As far as i now know i have to. 
Re-assign all my  uid / gids on all users / groups, with other id's, omg wat
a hell...
And fix all idmaps on all servers.. pff. ... really no other fix ? 

There goes my weekend...  


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: Oliver Werner [mailto:oliver.werner at kontrast.de]
> Verzonden: vrijdag 12 februari 2016 9:06
> Aan: L.P.H. van Belle
> CC: samba at lists.samba.org
> Onderwerp: Re: [Samba] AD Group lost from Winbind
> 
> my os is debian 8.3
> 
> win bind and samba are in version 4.1.17
> 
> 
> > Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at
bazuin.nl>:
> >
> > Ok, same problem as im having..
> >
> > What is your os running?
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver
Werner
> >> Verzonden: vrijdag 12 februari 2016 8:56
> >> Aan: samba at lists.samba.org
> >> Onderwerp: [Samba] AD Group lost from Winbind
> >>
> >> Hello,
> >>
> >> the last two days i have problems with my AD group which is
defined in
> >> share setting valid users
> >>
> >> Winbind looks to lost mapping of this group and so no user can
connect
> to
> >> this share anymore.
> >>
> >> When restart winbind service mapping works again until mapping
lost
> again.
> >>
> >>
> >> ls -lsa shows me in issue this:
> >>
> >>        2      4 drwxr-x---  63 root               12001
> >> 4096 Feb  4 23:42 Share
> >>
> >> After restarting winbind:
> >>
> >>        2      4 drwxr-x---  63 root               group_intern
> >> 4096 Feb  4 23:42 Share
> >>
> >>
> >> My smb.conf looks like
> >>
> >>
> >> [global]
> >>       netbios name = MEMBER1
> >>       security = ADS
> >>       workgroup = HQ
> >>       realm = hq.internal
> >>
> >>       log file = /var/log/samba/%m.log
> >>       log level = 1
> >>
> >>       dedicated keytab file = /etc/krb5.keytab
> >>       kerberos method = secrets and keytab
> >>       winbind refresh tickets = yes
> >>
> >>       winbind trusted domains only = no
> >>       winbind use default domain = yes
> >>       winbind enum users  = yes
> >>       winbind enum groups = yes
> >> 	winbind cache time = 300
> >>
> >>
> >>       idmap config *:backend = tdb
> >>       idmap config *:range = 500-9999
> >>
> >>       # idmap config for domain HQ
> >>       idmap config HQ:backend = ad
> >>       idmap config HQ:schema_mode = rfc2307
> >>       idmap config HQ:range = 10000-99999
> >>
> >>       # Use settings from AD for login shell and home directory
> >>       winbind nss info = rfc2307
> >>
> >> [Share]
> >>   path = /data/share
> >>   browseable = yes
> >>   writeable = yes
> >>   force group = Group_Intern
> >>   valid users = @Group_Intern
> >>   create mask = 0660
> >>   directory mask = 0770
> >>   #oplocks = 0
> >>   vfs objects = full_audit recycle
> >>   full_audit:prefix = %u
> >>   full_audit:success = mkdir rename rmdir unlink pwrite
> >>   full_audit:failure = none
> >>   full_audit:facility = LOCAL5
> >>   full_audit:priority = NOTICE
> >>   recycle:versions = yes
> >>   recycle:exclude = .*, ~*
> >>
> >>
> >>
> >> Anyone has an idea for this problem?
> >>
> >>
> >> Regards
> >> Oliver
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba