Alexander van der Leun
2006-Sep-30 17:25 UTC
[Samba] wbinfo -u not working against Windows 2003 DC
Hello all,

This is my first post on this list, so please bear with me. :-)

I'm managing a couple of Samba servers located at our customers. Since a couple of weeks we have a problem with winbind on one of our samba servers. It runs in a mixed Windows/Samba environment where a W2k3 server is the PDC. As far as I know it runs in mixed mode. Is there any way I can check this (WINS is running btw)? Until today we used samba 3.0.3 on a Fedora Core 2 server, but I have upgraded this to 3.0.23c using a SRPM.

The problem as of two weeks is that it no longer looks up domain users from the PDC. Users are no longer of the form DOMAIN\User, but looked like a local account: user, when running smbstatus. The gid is now nobody instead of DOMAIN\Domain Users.

I have now upgraded to version 3.0.23c and now it won't let domain users logon to the samba server. Samba had joined the domain and net rpc testjoin returns ok. I've added winbind to /etc/nsswitch.conf:

passwd: files winbind
shadow: files
group: files winbind

And libnss_winbind.so exists in /lib:
-rwxr-xr-x 1 root root 17972 Sep 29 18:23 /lib/libnss_winbind.so
lrwxrwxrwx 1 root root 17 Sep 30 15:42 /lib/libnss_winbind.so.2 -> libnss_winbind.so

When running winbindd -d 2 -i I get:
winbindd version 3.0.23c started.
Copyright The Samba Team 2000-2004
Processing section "[sas]"
Processing section "[printers]"
added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Added domain SOLINES S-1-5-21-2535601797-1986373083-18572363
Added domain SOLSAMBA S-1-5-21-1760014737-3532484745-1612504851
Added domain BUILTIN S-1-5-32
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.solines (Success)
ads_connect for domain SOLINES failed: Operations error

My question is: when W2K3 is running in mixed mode can I run samba with security=domain, or must I use security=ads? The above situation has always worked.

Can anyone give me some advice or is there something I've overlooked??

Best regards,
Alexander van der Leun
Doug VanLeuven
2006-Sep-30 21:36 UTC
[Samba] wbinfo -u not working against Windows 2003 DC
Alexander van der Leun wrote:
> Hello all,
>
> This is my first post on this list, so please bear with me. :-)
>
> I'm managing a couple of Samba servers located at our customers. Since
> a couple of weeks we have a problem with winbind on one of our samba
> servers. It runs in a mixed Windows/Samba environment where a W2k3
> server is the PDC. As far as I know it runs in mixed mode. Is there
> any way I can check this (WINS is running btw)? Until today we used
> samba 3.0.3 on a Fedora Core 2 server, but I have upgraded this to
> 3.0.23c using a SRPM.
>
> The problem as of two weeks is that it no longer looks up domain users
> from the PDC. Users are no longer of the form DOMAIN\User, but looked
> like a local account: user, when running smbstatus. The gid is now
> nobody instead of DOMAIN\Domain Users.
>
> I have now upgraded to version 3.0.23c and now it won't let domain
> users logon to the samba server. Samba had joined the domain and net
> rpc testjoin returns ok. I've added winbind to /etc/nsswitch.conf:
>
> passwd: files winbind
> shadow: files
> group: files winbind
>
> And libnss_winbind.so exists in /lib:
> -rwxr-xr-x 1 root root 17972 Sep 29 18:23 /lib/libnss_winbind.so
> lrwxrwxrwx 1 root root 17 Sep 30 15:42 /lib/libnss_winbind.so.2 ->
> libnss_winbind.so
>
> When running winbindd -d 2 -i I get:
> winbindd version 3.0.23c started.
> Copyright The Samba Team 2000-2004
> Processing section "[sas]"
> Processing section "[printers]"
> added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
> added interface ip=172.17.0.247 bcast=172.17.0.255 nmask=255.255.255.0
> Registered MSG_REQ_POOL_USAGE
> Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
> Added domain SOLINES S-1-5-21-2535601797-1986373083-18572363
> Added domain SOLSAMBA S-1-5-21-1760014737-3532484745-1612504851
> Added domain BUILTIN S-1-5-32
> ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.solines
> (Success)
> ads_connect for domain SOLINES failed: Operations error
>
> My question is: when W2K3 is running in mixed mode can I run samba
> with security=domain, or must I use security=ads? The above situation
> has always worked.
>
> Can anyone give me some advice or is there something I've overlooked??

As far as the users go, I'm seeing the same situation in security=ads mode and idmap backend=ad, and have previously posted but gotten no resolution. As a workaround, I can get users logged on with file access by individually mapping the domain members to the local accounts using usermap.

But for your situation, you need to post at least the security, realm, winbind, and idmap backend options you are using to make sense of this. If your Realm is MY.REALM.COM, the DNS record should be _ldap._tcp.dc._msdcs.my.realm.com; it's an SRV record that contains the address of the DC. Samba thinks your realm is the domain name right now, maybe because you don't have a realm option in smb.conf.

Regards,
Doug
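Added example, not part of either post and not Samba's own code: a shell check that pulls the options the reply asks for out of the [global] section of an smb.conf and derives the SRV name that should exist in DNS. The sample configuration and the realm SOLINES.EXAMPLE.COM are constructed, the function names are hypothetical, and the fallback from realm to workgroup only models the guess made in the reply.

```shell
# Constructed smb.conf for illustration; not the poster's real configuration.
SAMPLE_CONF='[global]
   workgroup = SOLINES
   security = ads
   ; realm = SOLINES.EXAMPLE.COM
   idmap uid = 10000-20000
[sas]
   path = /srv/sas'

# get_global CONF KEY: value of KEY from [global] (hypothetical helper).
get_global() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { in_g = 1 }                  # lines before any section are global
        /^[ \t]*[#;]/ { next }              # smb.conf comment lines
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t]/, "", s)
                      in_g = (s == "[global]"); next }
        in_g && (i = index($0, "=")) {
            k = tolower(substr($0, 1, i - 1)); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v
        }
        END { print val }'
}

# srv_name CONF: SRV name to expect; falls back to the workgroup when realm is
# unset, which models the guess in the reply (an assumption, not Samba code).
srv_name() {
    realm=$(get_global "$1" realm)
    [ -n "$realm" ] || realm=$(get_global "$1" workgroup)
    printf '_ldap._tcp.dc._msdcs.%s\n' "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')"
}

# check_conf CONF: print the options worth posting; return 1 on a realm problem.
check_conf() {
    sec=$(get_global "$1" security | tr 'A-Z' 'a-z')
    realm=$(get_global "$1" realm)
    for key in security realm workgroup 'idmap backend'; do
        printf '%-13s = %s\n' "$key" "$(get_global "$1" "$key")"
    done
    name=$(srv_name "$1")
    echo "SRV name: $name (query it with: dig +short SRV $name)"
    [ "$sec" = ads ] || return 0
    case $realm in
        '')  echo 'WARN: security = ads but no realm option'; return 1 ;;
        *.*) return 0 ;;
        *)   echo 'WARN: realm is a single label, not a DNS domain'; return 1 ;;
    esac
}

check_conf "$SAMPLE_CONF" || true
```

To check a real configuration, pass its contents instead of the sample, for example `check_conf "$(cat /etc/samba/smb.conf)"`, then run the printed dig query against the DNS server the Samba host uses.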