Vladimir Levijev
2013-Feb-04 19:38 UTC
[Samba] Security: ads - "net ads user" works, "wbinfo -u" does not
Hi,

I have Debian Squeeze running Samba being a member of the domain (PDC and BDC are Windows servers) and its users are authenticated against AD using winbind for years.

Now there is a need to set up another virtual Debian box exactly like that. So the name of the first is STUDENT, I named the virtual STUDENT2. I'm trying to set up the virtual box exactly the same, using exactly the same configs (smb.conf, krb5.conf) as on the working box, but this is what I get:

STUDENT2, I can:
- create kerberos tickets (kinit Administrator at FOO.LOCAL)
- list kerberos tickets (klist)
- join the domain (net ads join -U Administrator)
  Here I get next output:
    Using short domain name -- FOO
    Joined 'STUDENT2' to realm 'FOO.Local'
    DNS update failed!
  But as I understand the last message is not something to worry about.
- (here I start samba, then winbind)

And at this point a strange thing happens. I cannot get domain users using wbinfo (wbinfo -u returns nothing) but I get them all using "net ads user -U Administrator". Of course, "getent passwd" lists only local users too.

I believe my winbind is not working properly. Here are the questions:

1). How to effectively debug why wbinfo is acting this way?
2). Could the problem be because of 2 machines conflicting because of one letter difference (STUDENT vs STUDENT2)?

I can't delete the first box from domain in order to test it as it's in production.

STUDENT2 details:
- Debian Squeeze up-to-date (6.0.6)
- standard repo packages:
    # dpkg -l '*samba*' '*winbind*' | grep ^ii
    ii samba 2:3.5.6~dfsg-3squeeze9
    ii samba-common 2:3.5.6~dfsg-3squeeze9
    ii samba-common-bin 2:3.5.6~dfsg-3squeeze9
    ii winbind 2:3.5.6~dfsg-3squeeze9
- # wbinfo -p
    Ping to winbindd succeeded

PDC and BDCs are running Windows Server 2008 R2.

I can post the configs in case it helps. However I feel like I have tried all the possible variations of the configs (from so many good howto's) with no effect at all.

P. S. One more (possibly important) detail. When I was playing with different configs I sometimes was getting different output from 'wbinfo -u', which looked like this:

    STUDENT2+joe
    STUDENT2+nobody

This looked very strange to me as my domain is 'FOO.LOCAL', not 'STUDENT2' (the latter is a hostname of the new box) and these 2 users are local users.

Thanks in advance,
dimir

Vladimir Levijev
2013-Feb-05 23:24 UTC
[Samba] Security: ads - "net ads user" works, "wbinfo -u" does not
On 4 February 2013 21:38, Vladimir Levijev <vladimir.levijev at gmail.com> wrote:

> I have Debian Squeeze running Samba being a member of the domain (PDC
> and BDC are Windows servers) and its users are authenticated against
> AD using winbind for years.
>
> Now there is a need to set up another virtual Debian box exactly like
> that. So the name of the first is STUDENT, I named the virtual
> STUDENT2. I'm trying to set up the virtual box exactly the same, using
> exactly the same configs (smb.conf, krb5.conf) as on the working box,
> but this is what I get:
>
> STUDENT2, I can:
> - create kerberos tickets (kinit Administrator at FOO.LOCAL)
> - list kerberos tickets (klist)
> - join the domain (net ads join -U Administrator)
>   Here I get next output:
>     Using short domain name -- FOO
>     Joined 'STUDENT2' to realm 'FOO.Local'
>     DNS update failed!
>   But as I understand the last message is not something to worry about.
> - (here I start samba, then winbind)
>
> And at this point a strange thing happens. I cannot get domain users
> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
> ads user -U Administrator". Of course, "getent passwd" lists only
> local users too.
>
> I believe my winbind is not working properly. Here are the questions:
>
> 1). How to effectively debug why wbinfo is acting this way?
> 2). Could the problem be because of 2 machines conflicting because of
> one letter difference (STUDENT vs STUDENT2)?
>
> I can't delete the first box from domain in order to test it as it's
> in production.
>
> STUDENT2 details:
> - Debian Squeeze up-to-date (6.0.6)
> - standard repo packages:
>     # dpkg -l '*samba*' '*winbind*' | grep ^ii
>     ii samba 2:3.5.6~dfsg-3squeeze9
>     ii samba-common 2:3.5.6~dfsg-3squeeze9
>     ii samba-common-bin 2:3.5.6~dfsg-3squeeze9
>     ii winbind 2:3.5.6~dfsg-3squeeze9
> - # wbinfo -p
>     Ping to winbindd succeeded
>
> PDC and BDCs are running Windows Server 2008 R2.
>
> I can post the configs in case it helps. However I feel like I have
> tried all the possible variations of the configs (from so many good
> howto's) with no effect at all.

More info.

STUDENT:
    # wbinfo -D foo
    Name             : FOO
    Alt_Name         : FOO.Local
    SID              : S-1-5-21-831812219-1424057545-2139100090
    Active Directory : Yes
    Native           : Yes
    Primary          : Yes

STUDENT2:
    # wbinfo -D foo
    Name             : FOO
    Alt_Name         : FOO.LOCAL
    SID              : S-1-5-21-831812219-1424057545-2139100090
    Active Directory : No
    Native           : No
    Primary          : Yes

Firstly, why is Alt_Name different (both boxes have identical configs) and where does it come from exactly? And secondly, what do "Active Directory", "Native" and "Primary" mean?

Cheers,
dimir