On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:> > How did you join the domain ? > I joined using net ads join -U Joachim (which happens to be domain > admin). No error (after fixing a hostname setup issue).OK.> > > The line above is only used on a DC > I excerpted this from an existing DC. Removed it. No change. > Is there a consistency check I can run?Yes, but you probably don't need it (more on this later)> > > Are you using sssd ? > I don?t (yet) know what sssd is about.As this is Ubuntu, you may have it installed. You can check with: sudo dpkg -l winbind The last line will look like this if it isn't installed: un sssd <none> <none> (no description available)> > > Have you installed winbind ? > I followed > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu > , and yes, winbind is installed. > > > You have only stopped Samba using nmbd, you need to stop it and > > then disable it. > I didn?t enable it at all. Some magic? If smb.conf asks for no > netbios, shouldn?t the process exit?Debian based distros start packages when they are installed, so no magic is involved. I suggest you go and read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and one of these: https://wiki.samba.org/index.php/Idmap_config_ad https://wiki.samba.org/index.php/Idmap_config_rid https://wiki.samba.org/index.php/Idmap_config_autorid You need to add 'idmap config' lines to your smb.conf (if you don't know what they are, you will once you have read the above wiki pages). You also need to find out why 'systemctl start winbind' doesn't work. Rowland
Hello Rowland, I read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, and I specifically read "If your users will only use the Samba AD DC for authentication and will not store data on it or log into it, you can use the the winbind 'rid' backend, this calculates the user and group IDs from the Windows RID, if you use the same [global] section of the smb.conf on every Unix domain member, you will get the same IDs." - that?s the reason I started with a smb.conf of a DC and removed stuff that was apparently irrelevant. Is this section of documentation also wrong?> sudo dpkg -l winbindDesired=Unknown/Install/Remove/Purge/Hold | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) ||/ Name Version Architecture Description +++-==============-=======================-============-=============================================> ii winbind 2:4.14.8+dfsg-0.1focal1 amd64 service to resolve user and group information> in fact winbind is running after yet another system restart, i.e. it looks like some initialization issue during or after installation. However it reports: Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) Oct 26 06:25:46 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L> Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) Oct 26 06:25:52 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L> Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) Oct 26 06:26:32 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L> Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) On the right: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (LE$@SAMBA.LINDENBERG.ONE) unknown] I searched for that error, but only M$ or ancient stuff.. Thanks, Joachim -----Urspr?ngliche Nachricht----- Von: samba <samba-bounces at lists.samba.org> Im Auftrag von Rowland Penny via samba Gesendet: Monday, 25 October 2021 22:28 An: samba at lists.samba.org Betreff: Re: [Samba] Domain member? On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:> > How did you join the domain ? > I joined using net ads join -U Joachim (which happens to be domain > admin). No error (after fixing a hostname setup issue).OK.> > > The line above is only used on a DC > I excerpted this from an existing DC. Removed it. No change. > Is there a consistency check I can run?Yes, but you probably don't need it (more on this later)> > > Are you using sssd ? > I don?t (yet) know what sssd is about.As this is Ubuntu, you may have it installed. You can check with: sudo dpkg -l winbind The last line will look like this if it isn't installed: un sssd <none> <none> (no description available)> > > Have you installed winbind ? > I followed > https://wiki.samba.org/index.php/Distribution-specific_Package_Install > ation#Ubuntu > , and yes, winbind is installed. > > > You have only stopped Samba using nmbd, you need to stop it and then > > disable it. > I didn?t enable it at all. Some magic? If smb.conf asks for no > netbios, shouldn?t the process exit?Debian based distros start packages when they are installed, so no magic is involved. I suggest you go and read this: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member and one of these: https://wiki.samba.org/index.php/Idmap_config_ad https://wiki.samba.org/index.php/Idmap_config_rid https://wiki.samba.org/index.php/Idmap_config_autorid You need to add 'idmap config' lines to your smb.conf (if you don't know what they are, you will once you have read the above wiki pages). You also need to find out why 'systemctl start winbind' doesn't work. Rowland -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
This is something in your setup. Can you run this one and post the output. https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh If needed, anonymize where needed. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Joachim Lindenberg via samba > Verzonden: dinsdag 26 oktober 2021 8:45 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Domain member? > > Hello Rowland, > I read > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_ > Member, and I specifically read "If your users will only use > the Samba AD DC for authentication and will not store data on > it or log into it, you can use the the winbind 'rid' backend, > this calculates the user and group IDs from the Windows RID, > if you use the same [global] section of the smb.conf on every > Unix domain member, you will get the same IDs." - that?s the > reason I started with a smb.conf of a DC and removed stuff > that was apparently irrelevant. Is this section of > documentation also wrong? > > > sudo dpkg -l winbind > Desired=Unknown/Install/Remove/Purge/Hold > | > Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-a > Wait/Trig-pend > |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad) > ||/ Name Version Architecture Description > +++-==============-=======================-============-=====> =======================================> > ii winbind 2:4.14.8+dfsg-0.1focal1 amd64 > service to resolve user and group information> > > in fact winbind is running after yet another system restart, > i.e. it looks like some initialization issue during or after > installation. However it reports: > Oct 26 06:25:46 le winbindd[832]: [2021/10/26 > 06:25:46.806438, 0] > ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) > Oct 26 06:25:46 le winbindd[832]: > gse_get_client_auth_token: gss_init_sec_context failed with [ > Miscellaneous failure (see text): Client (L> > Oct 26 06:25:52 le winbindd[832]: [2021/10/26 > 06:25:52.951201, 0] > ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) > Oct 26 06:25:52 le winbindd[832]: > gse_get_client_auth_token: gss_init_sec_context failed with [ > Miscellaneous failure (see text): Client (L> > Oct 26 06:26:32 le winbindd[832]: [2021/10/26 > 06:26:32.079056, 0] > ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) > Oct 26 06:26:32 le winbindd[832]: > gse_get_client_auth_token: gss_init_sec_context failed with [ > Miscellaneous failure (see text): Client (L> > Oct 26 06:26:38 le winbindd[832]: [2021/10/26 > 06:26:38.202614, 0] > ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token) > > On the right: gse_get_client_auth_token: gss_init_sec_context > failed with [ Miscellaneous failure (see text): Client > (LE$@SAMBA.LINDENBERG.ONE) unknown] > > I searched for that error, but only M$ or ancient stuff.. > Thanks, Joachim > > > -----Urspr?ngliche Nachricht----- > Von: samba <samba-bounces at lists.samba.org> Im Auftrag von > Rowland Penny via samba > Gesendet: Monday, 25 October 2021 22:28 > An: samba at lists.samba.org > Betreff: Re: [Samba] Domain member? > > On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote: > > > How did you join the domain ? > > I joined using net ads join -U Joachim (which happens to be domain > > admin). No error (after fixing a hostname setup issue). > > OK. > > > > > > The line above is only used on a DC > > I excerpted this from an existing DC. Removed it. No change. > > Is there a consistency check I can run? > > Yes, but you probably don't need it (more on this later) > > > > > > Are you using sssd ? > > I don?t (yet) know what sssd is about. > > As this is Ubuntu, you may have it installed. > You can check with: > sudo dpkg -l winbind > > The last line will look like this if it isn't installed: > > un sssd <none> <none> (no description > available) > > > > > > Have you installed winbind ? > > I followed > > > https://wiki.samba.org/index.php/Distribution-specific_Package_Install > > ation#Ubuntu > > , and yes, winbind is installed. > > > > > You have only stopped Samba using nmbd, you need to stop > it and then > > > disable it. > > I didn?t enable it at all. Some magic? If smb.conf asks for no > > netbios, shouldn?t the process exit? > > Debian based distros start packages when they are installed, > so no magic is involved. > > I suggest you go and read this: > > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member > > and one of these: > https://wiki.samba.org/index.php/Idmap_config_ad > https://wiki.samba.org/index.php/Idmap_config_rid > https://wiki.samba.org/index.php/Idmap_config_autorid > > You need to add 'idmap config' lines to your smb.conf (if you > don't know what they are, you will once you have read the > above wiki pages). > You also need to find out why 'systemctl start winbind' doesn't work. > > Rowland > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >