This is something in your setup.

Can you run this one and post the output.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh

If needed, anonymize where needed.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Joachim Lindenberg via samba
> Sent: Tuesday 26 October 2021 8:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> Hello Rowland,
> I read https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> and I specifically read "If your users will only use the Samba AD DC for
> authentication and will not store data on it or log into it, you can use
> the winbind 'rid' backend, this calculates the user and group IDs from
> the Windows RID, if you use the same [global] section of the smb.conf on
> every Unix domain member, you will get the same IDs." - that's the reason
> I started with a smb.conf of a DC and removed stuff that was apparently
> irrelevant. Is this section of documentation also wrong?
>
> > sudo dpkg -l winbind
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
> |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
> ||/ Name Version Architecture Description
> +++-==============-=======================-============-=====>
> =======================================>
> ii winbind 2:4.14.8+dfsg-0.1focal1 amd64 service to resolve user and group information>
>
> in fact winbind is running after yet another system restart, i.e. it looks
> like some initialization issue during or after installation. However it
> reports:
> Oct 26 06:25:46 le winbindd[832]: [2021/10/26 06:25:46.806438, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:46 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:25:52 le winbindd[832]: [2021/10/26 06:25:52.951201, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:25:52 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:32 le winbindd[832]: [2021/10/26 06:26:32.079056, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
> Oct 26 06:26:32 le winbindd[832]: gse_get_client_auth_token: gss_init_sec_context failed with [ Miscellaneous failure (see text): Client (L>
> Oct 26 06:26:38 le winbindd[832]: [2021/10/26 06:26:38.202614, 0] ../../source3/librpc/crypto/gse.c:547(gse_get_client_auth_token)
>
> On the right: gse_get_client_auth_token: gss_init_sec_context failed with
> [ Miscellaneous failure (see text): Client (LE$@SAMBA.LINDENBERG.ONE) unknown]
>
> I searched for that error, but only M$ or ancient stuff..
> Thanks, Joachim
>
> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Rowland Penny via samba
> Sent: Monday, 25 October 2021 22:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> On Mon, 2021-10-25 at 22:06 +0200, Joachim Lindenberg via samba wrote:
> > > How did you join the domain ?
> > I joined using net ads join -U Joachim (which happens to be domain
> > admin). No error (after fixing a hostname setup issue).
>
> OK.
>
> > > The line above is only used on a DC
> > I excerpted this from an existing DC. Removed it. No change.
> > Is there a consistency check I can run?
>
> Yes, but you probably don't need it (more on this later)
>
> > > Are you using sssd ?
> > I don't (yet) know what sssd is about.
>
> As this is Ubuntu, you may have it installed.
> You can check with:
> sudo dpkg -l winbind
>
> The last line will look like this if it isn't installed:
>
> un sssd <none> <none> (no description available)
>
> > > Have you installed winbind ?
> > I followed
> > https://wiki.samba.org/index.php/Distribution-specific_Package_Installation#Ubuntu
> > , and yes, winbind is installed.
> >
> > > You have only stopped Samba using nmbd, you need to stop it and then
> > > disable it.
> > I didn't enable it at all. Some magic? If smb.conf asks for no
> > netbios, shouldn't the process exit?
>
> Debian based distros start packages when they are installed, so no magic
> is involved.
>
> I suggest you go and read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and one of these:
> https://wiki.samba.org/index.php/Idmap_config_ad
> https://wiki.samba.org/index.php/Idmap_config_rid
> https://wiki.samba.org/index.php/Idmap_config_autorid
>
> You need to add 'idmap config' lines to your smb.conf (if you don't know
> what they are, you will once you have read the above wiki pages).
> You also need to find out why 'systemctl start winbind' doesn't work.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hello Louis,
sure. I know I configured /etc/resolv.conf during join, pointing to a DC
manually. Is the local resolver the culprit?
Thanks,
Joachim
root at le:/tmp# cat samba-debug-info.txt
Collected config --- 2021-10-26-09:12 -----------
Hostname: le
DNS Domain: samba.lindenberg.one
FQDN: le.samba.lindenberg.one
ipaddress: 192.168.176.9
-----------
Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample output:
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 boa.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 mamba.samba.lindenberg.one.
_kerberos._tcp.samba.lindenberg.one service = 0 100 88 cobra.samba.lindenberg.one.
Authoritative answers can be found from:
Samba is running as a Unix domain member
Checking file: /etc/os-release
NAME="Ubuntu"
VERSION="20.04.3 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.3 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
-----------
This computer is running Ubuntu 20.04.3 LTS x86_64
-----------
running command : ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP group default qlen 1000
    link/ether 00:15:5d:b1:0c:70 brd ff:ff:ff:ff:ff:ff
    inet 192.168.176.9/24 brd 192.168.176.255 scope global eth0
    inet6 fe80::215:5dff:feb1:c70/64 scope link
-----------
Checking file: /etc/hosts
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
192.168.176.9 le.samba.lindenberg.one le
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
-----------
Checking file: /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
options edns0 trust-ad
search samba.lindenberg.one
-----------
systemd stub resolver detected, running command : systemd-resolve --status
-----------
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
DNSSEC NTA: 10.in-addr.arpa
16.172.in-addr.arpa
168.192.in-addr.arpa
17.172.in-addr.arpa
18.172.in-addr.arpa
19.172.in-addr.arpa
20.172.in-addr.arpa
21.172.in-addr.arpa
22.172.in-addr.arpa
23.172.in-addr.arpa
24.172.in-addr.arpa
25.172.in-addr.arpa
26.172.in-addr.arpa
27.172.in-addr.arpa
28.172.in-addr.arpa
29.172.in-addr.arpa
30.172.in-addr.arpa
31.172.in-addr.arpa
corp
d.f.ip6.arpa
home
internal
intranet
lan
local
private
test
Link 2 (eth0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.168.177.19
DNS Servers: 192.168.177.18
192.168.177.19
DNS Domain: samba.lindenberg.one
-------resolv.conf end----
Checking file: /etc/krb5.conf
[libdefaults]
default_realm = SAMBA.LINDENBERG.ONE
dns_lookup_realm = false
dns_lookup_kdc = true
-----------
Checking file: /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files systemd winbind
group: files systemd winbind
shadow: files
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
-----------
Checking file: /etc/samba/smb.conf
# Global parameters
[global]
netbios name = LE
realm = SAMBA.LINDENBERG.ONE
workgroup = SAMBA
security = ADS
# dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
# idmap_ldb:use rfc2307 = yes
disable netbios = yes
smb encrypt = mandatory
kerberos method = secrets and keytab
# winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U
winbind use default domain = yes
-----------
Running as Unix domain member and no user.map detected.
This is possible with an auth-only setup, checking also for NFS parts
-----------
Warning, /etc/idmapd.conf does not exist
-----------
Installed packages:
ii acl 2.2.53-6 amd64 access control list - utilities
ii attr 1:2.4.48-5 amd64 utilities for manipulating filesystem extended attributes
ii krb5-config 2.6ubuntu1 all Configuration files for Kerberos Version 5
ii krb5-locales 1.17-6ubuntu4.1 all internationalization support for MIT Kerberos
ii krb5-user 1.17-6ubuntu4.1 amd64 basic programs to authenticate using MIT Kerberos
ii libacl1:amd64 2.2.53-6 amd64 access control list - shared library
ii libattr1:amd64 1:2.4.48-5 amd64 extended attribute handling - shared library
ii libgssapi-krb5-2:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
ii libkrb5-26-heimdal:amd64 7.7.0+dfsg-1ubuntu1 amd64 Heimdal Kerberos - libraries
ii libkrb5-3:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries
ii libkrb5support0:amd64 1.17-6ubuntu4.1 amd64 MIT Kerberos runtime libraries - Support library
ii libnss-winbind:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba nameservice integration plugins
ii libpam-krb5:amd64 4.8-2ubuntu1 amd64 PAM module for MIT Kerberos
ii libpam-winbind:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Windows domain authentication integration plugin
ii libwbclient0:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba winbind client library
ii python3-attr 19.3.0-2 all Attributes without boilerplate (Python 3)
ii python3-nacl 1.3.0-5 amd64 Python bindings to libsodium (Python 3)
ii python3-samba 2:4.14.8+dfsg-0.1focal1 amd64 Python 3 bindings for Samba
ii samba 2:4.14.8+dfsg-0.1focal1 amd64 SMB/CIFS file, print, and login server for Unix
ii samba-common 2:4.14.8+dfsg-0.1focal1 all common files used by both the Samba server and client
ii samba-common-bin 2:4.14.8+dfsg-0.1focal1 amd64 Samba common files used by both the server and the client
ii samba-dsdb-modules:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba core libraries
ii samba-vfs-modules:amd64 2:4.14.8+dfsg-0.1focal1 amd64 Samba Virtual FileSystem plugins
ii winbind 2:4.14.8+dfsg-0.1focal1 amd64 service to resolve user and group information from Windows NT servers
-----------
-----Original message-----
From: samba <samba-bounces at lists.samba.org> On behalf of L.P.H. van Belle via samba
Sent: Tuesday, 26 October 2021 09:37
To: samba at lists.samba.org
Subject: Re: [Samba] Domain member?
This is something in your setup.
Can you run this one and post the output.
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh
If needed, anonymize where needed.
Greetz,
Louis
This looks good to me, only a few small pointers.

On the resolv.conf question: reboot, are your changes still there?
-> yes, fine, keep as is.
-> no, configure it "conform" how Ubuntu wants.

>> no user.map detected.
In smb.conf add:
# user Administrator workaround, without it you are unable to set privileges
username map = /etc/samba/samba_usermapping

And add in the file:
!root = SAMBA\Administrator SAMBA\administrator

It looks like you copied the samba-ad-dc its smb.conf.
That's still missing some parts.
Read, and you must set one of these:
https://wiki.samba.org/index.php/Idmap_config_ad
https://wiki.samba.org/index.php/Idmap_config_rid

Basically you're here: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
At: Setting up a Basic smb.conf File .. + what Rowland posted ;-)

Remember, in the smb.conf file, less is better in general.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Joachim Lindenberg via samba
> Sent: Tuesday 26 October 2021 11:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member?
>
> Hello Louis,
> sure. I know I configured /etc/resolv.conf during join, pointing to a DC
> manually. Is the local resolver the culprit?
> Thanks,
> Joachim
>
> root at le:/tmp# cat samba-debug-info.txt
> Collected config --- 2021-10-26-09:12 -----------
>
> Hostname: le
> DNS Domain: samba.lindenberg.one
> FQDN: le.samba.lindenberg.one
> ipaddress: 192.168.176.9
>
> -----------
>
> Kerberos SRV _kerberos._tcp.samba.lindenberg.one record verified ok, sample output:
> Server: 127.0.0.53
> Address: 127.0.0.53#53
>
> Non-authoritative answer:
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 boa.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 mamba.samba.lindenberg.one.
> _kerberos._tcp.samba.lindenberg.one service = 0 100 88 cobra.samba.lindenberg.one.
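
Added example, not part of the thread and not Samba project code: a small Python lint for the member smb.conf posted above, covering the two gaps the replies point out (no 'idmap config' lines, no 'username map') plus the rid calculation quoted from the wiki. The idmap ranges in FIXED_CONF and the RID 1104 are constructed sample values; the formula ID = RID - BASE_RID + LOW_RANGE_ID is the one documented for the idmap_rid backend.

```python
import re

# smb.conf as posted in the thread.
POSTED_CONF = """\
# Global parameters
[global]
    netbios name = LE
    realm = SAMBA.LINDENBERG.ONE
    workgroup = SAMBA
    security = ADS
    # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
    # idmap_ldb:use rfc2307 = yes
    disable netbios = yes
    smb encrypt = mandatory
    kerberos method = secrets and keytab
    # winbind refresh tickets = yes
    template shell = /bin/bash
    template homedir = /home/%U
    winbind use default domain = yes
"""

# Same file with the lines the replies ask for. The ranges are assumptions
# chosen for this example, not values given in the thread.
FIXED_CONF = POSTED_CONF + """\
    username map = /etc/samba/samba_usermapping
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMBA : backend = rid
    idmap config SAMBA : range = 10000-999999
"""


def parse_global(text):
    """Return the [global] parameters as a dict keyed by normalised name."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params


def idmap_range(params, domain):
    """Return (low, high) from 'idmap config <domain> : range', or None."""
    value = params.get(f"idmapconfig{domain.lower()}:range", "")
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_member(text):
    """List what a domain-member smb.conf is missing, per the thread's advice."""
    params = parse_global(text)
    if params.get("security", "").lower() != "ads":
        return ["security is not ADS: not an AD domain member config"]
    workgroup = params.get("workgroup", "")
    if not workgroup:
        return ["workgroup is not set"]
    findings, ranges = [], {}
    for domain in ("*", workgroup):
        if f"idmapconfig{domain.lower()}:backend" not in params:
            findings.append(f"missing 'idmap config {domain} : backend'")
        ranges[domain] = idmap_range(params, domain)
        if ranges[domain] is None:
            findings.append(f"missing or malformed 'idmap config {domain} : range'")
    a, b = ranges["*"], ranges[workgroup]
    if a and b and a[0] <= b[1] and b[0] <= a[1]:
        findings.append("idmap ranges for '*' and the domain overlap")
    if "usernamemap" not in params:
        findings.append("no 'username map' set")
    return findings


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid mapping: ID = RID - BASE_RID + LOW_RANGE_ID, None if out of range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_member(conf) or "ok")
    low, high = idmap_range(parse_global(FIXED_CONF), "SAMBA")
    # Every member using the same range maps RID 1104 to the same Unix ID.
    print("RID 1104 ->", rid_to_unix_id(1104, low, high))
```

On a real host, `testparm` remains the tool that validates smb.conf syntax; this lint only checks for the member-specific lines discussed in the thread.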