On Fri, 30 Dec 2016 13:54:42 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 13:20, L.P.H. van Belle via samba wrote:
> > And in addition to Rowland's comments..
> >
> > Correct your hosts file to
> > /etc/hosts
> > 127.0.0.1 localhost
> > # The following lines are desirable for IPv6 capable hosts
> > ::1 localhost ip6-localhost ip6-loopback
> > ff02::1 ip6-allnodes
> > ff02::2 ip6-allrouters
> >
> > # This server name and ip.
> > 10.0.0.221 main.arbeitsgruppe.secret.tld main
> > 10.0.0.224 backup.arbeitsgruppe.secret.tld backup
> >
> >
> > Second. Post your resolv.conf that was asked already.
> > That should contain something like:
> > search arbeitsgruppe.secret.tld
> > Server IP_of_DC
> >
> >
> > Remove
> > map to guest = Bad User
> > from your smb.conf, the default is ok.
>
> did all that
> restarted the 3 services smbd nmbd winbind
>
> winbindd fails immediately:
>
> Dez 30 13:43:48 main systemd[1]: winbindd.service: Main process exited, code=killed, status=6/ABRT
> Dez 30 13:43:48 main systemd[1]: winbindd.service: Unit entered failed state.
> Dez 30 13:43:48 main systemd[1]: winbindd.service: Failed with result 'signal'.
>
>
> ---
>
> but maybe I have to row back anyway:
>
> editing GPOs via RSAT always kicks us off after a few minutes.
> Seems that my DC isn't working correctly yet.
>
> [global]
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> server role = active directory domain controller
> passdb backend = samba_dsdb
> dns forwarder = 10.0.0.254
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
>

Is this the smb.conf you got when you ran the classicupgrade ?
I don't think it is, can I suggest you remove any and all lines you have added and restart samba

Rowland
On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> Is this the smb.conf you got when you ran the classicupgrade ?
> I don't think it is, can I suggest you remove any and all lines you
> have added and restart samba

that was the output of testparm

smb.conf on DC:


[global]
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.secret.tld
netbios name = BACKUP
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 10.0.0.254

[netlogon]
path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

--

root at backup:/etc/samba# cat /etc/resolv.conf
search arbeitsgruppe.secret.tld
nameserver 10.0.0.224

root at backup:/etc/samba# cat /etc/krb5.conf
[libdefaults]
default_realm = ARBEITSGRUPPE.SECRET.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

--

editing the resolv.conf(s) helped in stabilizing RSAT editing

winbindd on member still fails, I left and rejoined ...

--

although I see users and GPOs on the member, etc (via net ads)

# net ads info
LDAP server: 10.0.0.224
LDAP server name: backup.arbeitsgruppe.secret.tld
Realm: ARBEITSGRUPPE.SECRET.TLD
Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
LDAP port: 389
Server time: Fr, 30 Dez 2016 14:24:25 CET
KDC server: 10.0.0.224
Server time offset: 0
On Fri, 30 Dec 2016 14:26:01 +0100 "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> > Is this the smb.conf you got when you ran the classicupgrade ?
> > I don't think it is, can I suggest you remove any and all lines you
> > have added and restart samba
>
> that was the output of testparm

Ah, can I introduce you to 'samba-tool testparm'

>
> smb.conf on DC:
>
>
> [global]
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> netbios name = BACKUP
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 10.0.0.254
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --
>
> root at backup:/etc/samba# cat /etc/resolv.conf
> search arbeitsgruppe.secret.tld
> nameserver 10.0.0.224
>
> root at backup:/etc/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> --
>
> editing the resolv.conf(s) helped in stabilizing RSAT editing
>
> winbindd on member still fails, I left and rejoined ...
>
> --
>
> although I see users and GPOs on the member, etc (via net ads)
>
> # net ads info
> LDAP server: 10.0.0.224
> LDAP server name: backup.arbeitsgruppe.secret.tld
> Realm: ARBEITSGRUPPE.SECRET.TLD
> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> LDAP port: 389
> Server time: Fr, 30 Dez 2016 14:24:25 CET
> KDC server: 10.0.0.224
> Server time offset: 0
>
>
>

What this shows is that your dns domain is 'arbeitsgruppe.secret.tld' and your domain member should also be using this dns domain. Your earlier posts seem to suggest you are using 'secret.tld' on the domain member, this must be changed.

Rowland
I think we are mixing 2 things now.

You corrected DC, that's good.

And the debian server member is the member?

Did you add in /etc/ldap/ldap.conf
TLS_REQCERT allow

Now, this part I didn't test, but should work since lots of users are missing the correct TLS settings/certificates.
This is a DEBIAN ( or Ubuntu ) setup.

apt-get install ca-certificates
echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf

Locate your SAMBA CA root.
ln -s path_to_samba_TLS-CA-ROOT /usr/local/share/ca-certificates/samba-ca.crt
update-ca-certificates

done, that's it.

Do that on the debian server, reboot it and after reboot type wbinfo -u
And post /etc/hosts /etc/resolv.conf /etc/samba/smb.conf of that server.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
> Weichinger via samba
> Sent: Friday 30 December 2016 14:26
> To: samba at lists.samba.org
> Subject: Re: [Samba] ADS domain member: winbind fails
>
> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> > Is this the smb.conf you got when you ran the classicupgrade ?
> > I don't think it is, can I suggest you remove any and all lines you
> > have added and restart samba
>
> that was the output of testparm
>
> smb.conf on DC:
>
>
> [global]
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> netbios name = BACKUP
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 10.0.0.254
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --
>
> root at backup:/etc/samba# cat /etc/resolv.conf
> search arbeitsgruppe.secret.tld
> nameserver 10.0.0.224
>
> root at backup:/etc/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> --
>
> editing the resolv.conf(s) helped in stabilizing RSAT editing
>
> winbindd on member still fails, I left and rejoined ...
>
> --
>
> although I see users and GPOs on the member, etc (via net ads)
>
> # net ads info
> LDAP server: 10.0.0.224
> LDAP server name: backup.arbeitsgruppe.secret.tld
> Realm: ARBEITSGRUPPE.SECRET.TLD
> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> LDAP port: 389
> Server time: Fr, 30 Dez 2016 14:24:25 CET
> KDC server: 10.0.0.224
> Server time offset: 0
>
>
On 2016-12-30 at 14:49, L.P.H. van Belle via samba wrote:
> I think we are mixing 2 things now.
>
> You corrected DC, that's good.
>
>
>
> And the debian server member is the member?

No:

debian = DC
gentoo = former NT4-PDC, upcoming member server / fileserver

>
> Did you add in /etc/ldap/ldap.conf
>
> TLS_REQCERT allow

on the member? Did that right now.

> apt-get install ca-certificates
> echo "TLS_REQCERT allow" > /etc/ldap/ldap.conf
>
>
>
> Locate your SAMBA CA root.
>
> ln -s path_to_samba_TLS-CA-ROOT /usr/local/share/ca-certificates/samba-ca.crt

will dig that up on gentoo now ...

> Do that on the debian server, reboot it and after reboot type wbinfo -u
> And post /etc/hosts /etc/resolv.conf /etc/samba/smb.conf of that server.

you speak of the member server?

main samba # cat /etc/hosts
# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.0.0.221 main.secret.tld main
10.0.0.222 samba.secret.tld samba
10.0.0.224 backup.secret.tld backup
10.0.0.225 vmware.secret.tld vmware

main samba # cat /etc/resolv.conf
# Generated by net-scripts for interface eth0
search arbeitsgruppe.secret.tld
nameserver 10.0.0.224

main samba # cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = arbeitsgruppe.secret.tld
log file = /var/log/samba/%m.log
log level = 3

idmap config * : backend = tdb
idmap config * : range = 3000-7999

## idmap config for the ARBEITSGRUPPE domain
idmap config ARBEITSGRUPPE:backend = rid
idmap config ARBEITSGRUPPE:range = 10000-999999

username map = /etc/samba/user.map
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

[Daten]
comment = Daten
path = /mnt/daten
#valid users = @users
force group = users
read only = No
create mask = 0660
directory mask = 0770
On Fri, 30 Dec 2016 16:42:46 +0100 L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai Rowland,
>
> Oops.. wrong one, but now he knows. :-/
> See below.
>

OK, check and alter where required the following files:

/etc/hosts

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.0.0.221 main.arbeitsgruppe.secret.tld main

That is all it should contain, provided 10.0.0.221 is the IP address of main.arbeitsgruppe.secret.tld

/etc/hostname

This should just contain the short hostname 'main'

/etc/resolv.conf

search arbeitsgruppe.secret.tld
nameserver 10.0.0.224

This is provided 10.0.0.224 is the IP address of an AD DC running a dns server.

/etc/krb5.conf

[libdefaults]
default_realm = ARBEITSGRUPPE.SECRET.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

If everything is set up as above you should be able to join the gentoo domain member to the domain and then start the nmbd, smbd and winbind daemons.

Rowland
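The checklist above (short name in /etc/hostname, the member's IP mapped to its FQDN and short name in /etc/hosts, the AD DNS domain in the resolv.conf search line, default_realm equal to that domain in upper case) can be verified mechanically before the join. The script below is an added example and is not code from the thread or from the Samba project. It takes the four file paths as arguments so it can run against constructed samples; the sample files it writes are modelled on the ones posted for the member, with the member's /etc/hosts line once as posted (main.secret.tld) and once as Rowland suggests (main.arbeitsgruppe.secret.tld). Everything else, including the 10.0.0.221 address, is taken from the thread; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: checks the name-resolution
# prerequisites for a Samba AD domain member. File paths are passed in so the
# checks can run against constructed samples; on a real member you would pass
# /etc/hostname /etc/hosts /etc/resolv.conf /etc/krb5.conf and the host's IP.

# First "search" domain from a resolv.conf-style file (empty if none).
resolv_search() {
    awk '$1 == "search" { print $2; exit }' "$1"
}

# Exit 0 if HOSTSFILE has a non-comment line mapping IP to both FQDN and SHORT.
# Usage: hosts_has_fqdn HOSTSFILE IP FQDN SHORT
hosts_has_fqdn() {
    awk -v ip="$2" -v fqdn="$3" -v short="$4" '
        $1 !~ /^#/ && $1 == ip {
            for (i = 2; i <= NF; i++) { if ($i == fqdn) f = 1; if ($i == short) s = 1 }
        }
        END { exit !(f && s) }' "$1"
}

# Exit 0 if KRB5FILE sets default_realm to DOMAIN in upper case.
# Usage: krb5_realm_matches KRB5FILE DOMAIN
krb5_realm_matches() {
    realm=$(awk -F= '$1 ~ /default_realm/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    want=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -n "$realm" ] && [ "$realm" = "$want" ]
}

# Run every check against one set of files. Prints one line per check and
# returns 0 only when all of them pass.
# Usage: check_member HOSTNAMEFILE HOSTSFILE RESOLVFILE KRB5FILE IP
check_member() {
    short=$(head -n 1 "$1")
    case "$short" in
        ""|*.*) echo "FAIL: $1 must hold only the short host name, found '$short'"; return 1 ;;
    esac
    domain=$(resolv_search "$3")
    if [ -z "$domain" ]; then
        echo "FAIL: $3 has no 'search' line, so the AD DNS domain is unknown"; return 1
    fi
    fqdn="$short.$domain"
    rc=0
    if hosts_has_fqdn "$2" "$5" "$fqdn" "$short"; then
        echo "ok:   $2 maps $5 to $fqdn $short"
    else
        echo "FAIL: $2 needs the line '$5 $fqdn $short'"; rc=1
    fi
    if krb5_realm_matches "$4" "$domain"; then
        echo "ok:   $4 default_realm matches $domain"
    else
        echo "FAIL: $4 default_realm should be $(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')"; rc=1
    fi
    return $rc
}

# Constructed sample files modelled on the ones posted in this thread.
# HOSTSLINE is the member's own /etc/hosts entry.
# Usage: make_sample DIR HOSTSLINE
make_sample() {
    mkdir -p "$1"
    echo main > "$1/hostname"
    printf '127.0.0.1 localhost\n::1 localhost\n%s\n' "$2" > "$1/hosts"
    printf 'search arbeitsgruppe.secret.tld\nnameserver 10.0.0.224\n' > "$1/resolv.conf"
    printf '[libdefaults]\n\tdefault_realm = ARBEITSGRUPPE.SECRET.TLD\n\tdns_lookup_realm = false\n\tdns_lookup_kdc = true\n' > "$1/krb5.conf"
}

tmp=$(mktemp -d)
echo "== member /etc/hosts as posted (short DNS domain) =="
make_sample "$tmp/before" "10.0.0.221 main.secret.tld main"
check_member "$tmp/before/hostname" "$tmp/before/hosts" "$tmp/before/resolv.conf" "$tmp/before/krb5.conf" 10.0.0.221 || true
echo "== member /etc/hosts with the full AD DNS domain =="
make_sample "$tmp/after" "10.0.0.221 main.arbeitsgruppe.secret.tld main"
check_member "$tmp/after/hostname" "$tmp/after/hosts" "$tmp/after/resolv.conf" "$tmp/after/krb5.conf" 10.0.0.221
rm -rf "$tmp"
```

The first run fails on the hosts check only: the search domain and realm were already right on the member, so the posted /etc/hosts line with the shorter domain was the one inconsistency. The script derives the expected FQDN from /etc/hostname plus the resolv.conf search domain rather than accepting it as input, so a member whose files disagree cannot pass by accident.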
On 2016-12-30 at 17:01, Rowland Penny via samba wrote:
> On Fri, 30 Dec 2016 16:42:46 +0100
> L.P.H. van Belle <belle at bazuin.nl> wrote:
>
>> Hai Rowland,
>>
>> Oops.. wrong one, but now he knows. :-/
>> See below.
>>
>
> OK, check and alter where required the following files:
>
> /etc/hosts
>
> # IPv4 and IPv6 localhost aliases
> 127.0.0.1 localhost
> ::1 localhost
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 10.0.0.221 main.arbeitsgruppe.secret.tld main
>
> That is all it should contain, provided 10.0.0.221 is the IP address of
> main.arbeitsgruppe.secret.tld
>
> /etc/hostname
>
> This should just contain the short hostname 'main'
>
> /etc/resolv.conf
>
> search arbeitsgruppe.secret.tld
> nameserver 10.0.0.224
>
> This is provided 10.0.0.224 is the IP address of an AD DC running a dns
> server.
>
> /etc/krb5.conf
>
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> If everything is set up as above you should be able to join the gentoo
> domain member to the domain and then start the nmbd, smbd and winbind
> daemons.

everything checked and set up as mentioned

Waiting for samba to *recompile* here, I wonder if the updated tevent-package makes a difference.

I will stop the 3 daemons, leave and rejoin, then start the 3.

Particular order?
On 2016-12-30 at 17:01, Rowland Penny via samba wrote:
> If everything is set up as above you should be able to join the gentoo
> domain member to the domain and then start the nmbd, smbd and winbind
> daemons.

sad to say: leave and join works without a problem, but then

->

winbindd.service - Samba Winbind daemon
   Loaded: loaded (/usr/lib64/systemd/system/winbindd.service; disabled; vendor preset: enabled)
   Active: failed (Result: signal) since Fr 2016-12-30 17:22:46 CET; 5s ago
  Process: 2540 ExecStart=/usr/sbin/winbindd -D (code=exited, status=0/SUCCESS)
 Main PID: 2543 (code=killed, signal=ABRT)

Dez 30 17:22:46 main.arbeitsgruppe.secret.tld systemd[1]: Starting Samba Winbind daemon...
Dez 30 17:22:46 main.arbeitsgruppe.secret.tld systemd[1]: Started Samba Winbind daemon.
Dez 30 17:22:46 main.arbeitsgruppe.secret.tld systemd[1]: winbindd.service: Main process exited, code=killed, status=6/ABRT
Dez 30 17:22:46 main.arbeitsgruppe.secret.tld systemd[1]: winbindd.service: Unit entered failed state.
Dez 30 17:22:46 main.arbeitsgruppe.secret.tld systemd[1]: winbindd.service: Failed with result 'signal'.

->

main samba # wbinfo -u
could not obtain winbind interface details: WBC_ERR_WINBIND_NOT_AVAILABLE
could not obtain winbind domain name!
Error looking up domain users

---