Hello list,
I have been stuck for 2 days and have no clue how to troubleshoot and solve this
problem. Any help is really appreciated.
Scenario:
========
I am using Samba 4.1.12/sernet on DC1 (172.19.100.1) and DC2
(172.19.100.2) with the default [netlogon] and [sysvol] shares only.
I installed an additional samba4 server in the file server role, which is called
MEMBERSRV1 (172.19.100.3) and serves the
[profiles], [home] and [printer] shares. For setting up the member server,
I relied on
"https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server#Set_up_a_basic_smb.conf".
I am also using the NIS extensions in my AD according to the wiki tutorials. Through
the ADUC tool I modified the security group "Domain Users":
I chose the [UNIX Attribute] tab and there I assigned the NIS domain = MYDOM
and the GID = 10000 to that group.
Issue:
=====
My membersrv1 (172.19.100.3) fails to resolve mappings! See the output below...

----OUTPUT ON DC1-----------------------------------------------------------------------------------------------------
root at DC1:~$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
[...lots of local accounts here...]
MYDOM\Administrator:*:0:10000::/home/MYDOM/Administrator:/bin/false
MYDOM\Guest:*:3000011:3000012::/home/MYDOM/Guest:/bin/false
MYDOM\krbtgt:*:3000021:10000::/home/MYDOM/krbtgt:/bin/false
MYDOM\john:*:3000020:10000:John Doe:/home/MYDOM/john:/bin/false
MYDOM\george:*:3000022:10000:George Miller:/home/MYDOM/george:/bin/false
MYDOM\richard:*:3000023:10000:Richard Smitty:/home/MYDOM/richard:/bin/false
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
MYDOM\testuser3:*:3000027:10000:Test User 3:/home/MYDOM/testuser3:/bin/false
MYDOM\testuser2:*:3000032:10000:Test User 2:/home/MYDOM/testuser2:/bin/false
root at DC1:~$ wbinfo -u
Administrator
Guest
krbtgt
john
george
richard
testuser1
testuser3
testuser2
root at DC1:~$ wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy
root at dc1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at dc1:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at dc1:~$ wbinfo -r testuser1
10000
root at dc1:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
root at dc1:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:
root at dc1:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
root at dc1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
----OUTPUT ON DC2-----------------------------------------------------------------------------------------------------
root at dc2:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at dc2:~$ wbinfo -S S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc2:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
3000030
root at dc2:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at dc2:~$ wbinfo -r testuser1
10000
root at dc2:~$ wbinfo --uid-info=3000030
MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false
root at dc2:~$ wbinfo --gid-info=10000
MYDOM\Domain Users:*:10000:
root at dc2:~$ wbinfo -P
checking the NETLOGON dc connection to "" failed
failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
root at dc2:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = No
winbind enum groups = No
winbind use default domain = No
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info =
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
----OUTPUT ON MEMBERSRV1----------------------------------------------------------------------------------------------
root at membersrv1:~$ wbinfo -n testuser1
S-1-5-21-2040615909-1719611856-576149365-1114 SID_USER (1)
root at membersrv1:~$ wbinfo -Y S-1-5-21-2040615909-1719611856-576149365-1114
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-2040615909-1719611856-576149365-1114 to gid
root at membersrv1:~$ wbinfo -s S-1-5-21-2040615909-1719611856-576149365-1114
MYDOM\testuser1 1
root at membersrv1:~$ wbinfo -r testuser1
10000
70002
root at membersrv1:~$ wbinfo --uid-info=3000030
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000030
root at membersrv1:~$ wbinfo --uid-info=10000
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 10000
root at membersrv1:~$ wbinfo --gid-info=10000
domain users:x:10000:
root at membersrv1:~$ wbinfo -P
checking the NETLOGON dc connection to "dc1.mydom.example.com"
succeeded
root at membersrv1:~$ samba-tool testparm --suppress-prompt -v |grep winbind
winbind separator = \
winbind cache time = 0
winbind reconnect delay = 0
winbind request timeout = 0
winbind max clients = 0
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = No
winbind expand groups = 0
winbind nss info = rfc2307
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No
winbind rpc only = No
winbind max domain connections = 0
winbindd socket directory = /var/run/samba/winbindd
winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
winbind sealed pipes = Yes
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
root at membersrv1:/lib64$ ls -lh
lrwxrwxrwx 1 root root 32 Aug 26 23:10 ld-linux-x86-64.so.2 -> /lib/x86_64-linux-gnu/ld-2.13.so
lrwxrwxrwx 1 root root 39 Okt 17 15:11 libnss_winbind.so -> /lib/x86_64-linux-gnu/libnss_winbind.so
lrwxrwxrwx 1 root root 24 Okt 17 15:11 libnss_winbind.so.2 -> /lib64/libnss_winbind.so
root at membersrv1:/lib64$ head -n15 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: compat winbind
group: compat winbind
root at membersrv1:~$ cat /etc/samba/smb.conf
[global]
netbios name = MEMBERSRV1
workgroup = MYDOM
security = ADS
realm = MYDOM.EXAMPLE.COM
encrypt passwords = yes
idmap config MYDOM:backend = ad
idmap config MYDOM:schema_mode = rfc2307
idmap config MYDOM:range = 500-40000
idmap config *:backend = tdb
idmap config *:range = 70001-80000
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
[printers]
path = /var/spool/samba
printable = yes
printing = CUPS
[print$]
path = /srv/samba4_data/printer_drivers
comment = Printer Drivers
writeable = yes
[home]
path = /srv/samba4_data/home/
read only = No
[profiles]
path = /srv/samba4_data/profiles/
read only = no
============================================================================
Of course I did modify the file membersrv1:/etc/nsswitch.conf and linked the
files in /lib64 in the same way I did for DC1 and DC2,
according to the wiki tutorial. I joined the member server successfully to DC1 with
"net ads join -U administrator".
I also noticed, and am confused by, the output of "wbinfo -g" on the
member server. The output is not exactly the same as the
DC1 output, for example. I also want to add that when I run "getent passwd"
or "getent group" on that member server, only my local
account is displayed, no AD accounts at all!
Detailed log files, with debug level = 10:
==========================================
http://www.file-upload.net/download-9714752/log.wb-MYDOM.html
http://www.file-upload.net/download-9714750/log.winbindd.html
http://www.file-upload.net/download-9714751/log.winbindd-dc-connect.html
http://www.file-upload.net/download-9714753/log.winbindd-idmap.html
Thanks a lot in advance to everyone for assistance.
Mirco
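One check worth making on the numbers in the post, as an added example that is not part of the original message or of Samba itself: the DC prints testuser1 with uid 3000030 and gid 10000, while the member server's smb.conf sets "idmap config MYDOM:range = 500-40000", and the idmap_ad backend only hands out IDs that fall inside its configured range. The script below parses that range out of an smb.conf text and reports whether the uid and gid of a passwd-format line (as printed by "getent passwd" or "wbinfo --uid-info") fall inside it. The smb.conf excerpt and the passwd line are constructed sample input copied from the values shown above; the function names idmap_range, in_range and check_mapping are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba: check whether
# the UID/GID a DC reports for an AD account fall inside the idmap range the
# member server has configured for that domain. idmap_ad only returns IDs
# inside its range, so an ID outside it will never resolve on the member server.

# idmap_range <smb.conf text> <DOMAIN>
# Prints "low high" from the line "idmap config <DOMAIN>:range = low-high".
idmap_range() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p" \
      | head -n 1
}

# in_range <id> "<low> <high>"
# Prints "inside" or "outside".
in_range() {
    set -- "$1" $2
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
        echo inside
    else
        echo outside
    fi
}

# check_mapping <passwd line> <smb.conf text> <DOMAIN>
# Takes the uid (field 3) and gid (field 4) of a passwd-format line and
# reports each as inside/outside the domain's idmap range:
#   uid=<n>:<inside|outside> gid=<n>:<inside|outside>
check_mapping() {
    line=$1; conf=$2; dom=$3
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    range=$(idmap_range "$conf" "$dom")
    [ -n "$range" ] || { echo "no idmap range configured for $dom"; return 2; }
    printf 'uid=%s:%s gid=%s:%s\n' \
        "$uid" "$(in_range "$uid" "$range")" \
        "$gid" "$(in_range "$gid" "$range")"
}

# Constructed sample input: the idmap lines from the member server's smb.conf
# in the post.
SMB_CONF='[global]
   idmap config MYDOM:backend = ad
   idmap config MYDOM:schema_mode = rfc2307
   idmap config MYDOM:range = 500-40000
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000'

# Constructed sample input: the passwd line DC1 printed for testuser1.
DC_LINE='MYDOM\testuser1:*:3000030:10000:Test User 1:/home/MYDOM/testuser1:/bin/false'

# Stand-alone run; on a live member server feed it the real smb.conf and the
# line from "getent passwd" on the DC instead:
#   check_mapping "$(getent passwd 'MYDOM\testuser1')" "$(cat /etc/samba/smb.conf)" MYDOM
check_mapping "$DC_LINE" "$SMB_CONF" MYDOM
```

An ID reported as "outside" cannot come from idmap_ad whatever the nsswitch.conf and libnss_winbind setup looks like; the uid 3000030 shown on the DCs is in the 3000000+ block that a Samba AD DC allocates internally in its own idmap.ldb, not a value that would be found in a uidNumber attribute inside the member server's 500-40000 range.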
On 20/10/14 15:52, ?icro MEGAS wrote:
> Hello list,
> [...]
> Thanks a lot in advance to everyone for assistance.
>
> Mirco

Hi,

I think that you are falling into the 'winbind on the DC != winbind on the client' problem. On the DC, winbind is built into the samba daemon and does not have the same capabilities as the separate winbind daemon that is in use on your member server. This is the main reason that it is not recommended to use the DC for anything other than authentication.

Rowland