Rowland Penny
2015-Apr-03 12:42 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 03/04/15 13:05, Andrey Repin wrote:
> Greetings, Ashish Yadav!
>
>>> I'm trying to get the former PDC back into domain after performing a classic migration.
>>> AD DC is running fine... if you can call it that.
>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>
>>> # net ads testjoin
>>> Join is OK
>>> But there's no data in getent, and domain users are unable to authenticate on the server.
>>> So, where do I start looking?
>> Please check your /etc/nsswitch.conf file, it should contain this,
>> passwd: compat winbind
>> group: compat winbind
>> For more information, please go through Samba Wiki first,
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> Please read the message - I explicitly stated that nsswitch.conf is amended as suggested on the wiki.
>

OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain classicupgrade', this should have given you users with uidNumber attributes and groups with gidNumber attributes.

If, as you said, you used the smb.conf from the member server wiki page, you will have something like this in your smb.conf:

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999

Two questions:

Did you change 'SAMDOM' to your workgroup name?
Are your users' & groups' uidNumber & gidNumber attributes inside the '10000-99999' range?

Rowland
Andrey Repin
2015-Apr-03 18:33 UTC
[Samba] Member server - winbind unable to resolve users/groups
Greetings, Rowland Penny!

>>>> I'm trying to get the former PDC back into domain after performing a classic migration.
>>>> AD DC is running fine... if you can call it that.
>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>>
>>>> # net ads testjoin
>>>> Join is OK
>>>> But there's no data in getent, and domain users are unable to authenticate on the server.
>>>> So, where do I start looking?
>>> Please check your /etc/nsswitch.conf file, it should contain this,
>>> passwd: compat winbind
>>> group: compat winbind
>>> For more information, please go through Samba Wiki first,
>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>> Please read the message - I explicitly stated that nsswitch.conf is amended as suggested on the wiki.
>>
> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain classicupgrade', this should have given you users with uidNumber attributes and groups with gidNumber attributes.
>
> If, as you said, you used the smb.conf from the member server wiki page, you will have something like this in your smb.conf:
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> Two questions:
>
> Did you change 'SAMDOM' to your workgroup name?
> Are your users' & groups' uidNumber & gidNumber attributes inside the '10000-99999' range?

It was a little more complicated process than that.

Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.

On host, I've set up container DC1, copied over the 3.6.3 TDBs from host and performed classicupgrade with hostname change.
After initial failure and a month of head cracking, it somehow worked out on April 1st.

The container runs as it could, resolving uids to domain names within itself, at least.

Now, I need to get the same resolution on the host.
The Samba 3 configuration files were moved away on the host before Samba upgrade, so that I could have one more backup copy of the configuration, if things go wrong.

After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the Wiki, and then commanded to join the AD.
Join went fine except for a notice "unable to update DNS record for userl.ccenter.lan".
After that, I removed startup blocks on smbd/nmbd/winbind and rebooted everything.

Currently, the situation is as follows:

DC1 (AD DC): http://pastebin.com/WncfgLb6

root@dc1:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root@dc1:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

USERL (member server): http://pastebin.com/25Lx6z9v

root@userl:~# net ads testjoin
Join is OK

root@userl:~# smbclient -L dc1 -U domainuser
Enter domainuser's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

root@userl:~# smbclient -L userl -U domainuser
Enter domainuser's password:
session setup failed: NT_STATUS_LOGON_FAILURE

Looking at winbind/idmap logs,

[2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
  pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
[2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
  idmap config CCENTER : range = 1000-50000
[2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
  Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
[2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
  set_domain_online_request: called for domain CCENTER
[2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
  set_domain_online_request: domain CCENTER was globally offline.

Eh? What the? Why? Google says it may be an issue with DNS, but mine works fine. Especially since a few lines before it successfully contacts the AD DC.

--
With best regards,
Andrey Repin
Friday, April 3, 2015 16:06:14

Sorry for my terrible English...
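Rowland's two questions (is the placeholder 'SAMDOM' replaced by the workgroup, and do the uidNumber/gidNumber values sit inside that domain's idmap range) can be checked offline against an smb.conf and a dump of the user objects. The script below is an added example, not code from the thread or from the Samba project: it parses the idmap lines of a constructed smb.conf, parses a constructed LDIF-style dump, and reports anything outside the range, a missing uidNumber, or a default ('*') range that overlaps the domain range. The member server's real range must be read from its own smb.conf (Andrey's winbind log reports 1000-50000, not the wiki's 10000-99999); the sample configs, user names and ids here are constructed.

```python
"""Added example (not from the thread): offline idmap sanity checks for a
Samba AD member server. Inputs are constructed; point the parsers at the
real smb.conf and at 'ldbsearch'/'samba-tool' output to use it for real."""
import re

# Constructed smb.conf: the wiki template with the SAMDOM placeholder left in.
SMB_CONF_BAD = """[global]
   workgroup = CCENTER
   realm = ADS.CCENTER.LAN
   security = ADS
   idmap config *:backend = tdb
   idmap config *:range = 2000-9999
   idmap config SAMDOM:backend = ad
   idmap config SAMDOM:schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-99999
"""
# Same fragment with the placeholder replaced by the workgroup name.
SMB_CONF_GOOD = SMB_CONF_BAD.replace('SAMDOM', 'CCENTER')

# Constructed LDIF-style dump: one good user, one with a low pre-migration
# uid outside the range, one with no uidNumber at all.
USERS_LDIF = """dn: CN=alice,CN=Users,DC=ads,DC=ccenter,DC=lan
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=ads,DC=ccenter,DC=lan
sAMAccountName: bob
uidNumber: 1001

dn: CN=carol,CN=Users,DC=ads,DC=ccenter,DC=lan
sAMAccountName: carol
"""

# 'idmap config DOMAIN:param = value'; spaces around ':' and '=' are optional.
IDMAP_RE = re.compile(r'^idmap config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(\S+)$', re.I)

def parse_smb_conf(text):
    """Return (workgroup, {DOMAIN: {param: value}}) from smb.conf text."""
    workgroup, idmap = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;[':   # skip blanks, comments, section headers
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom, param, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
            idmap.setdefault(dom, {})[param] = value
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip().lower() == 'workgroup':
            workgroup = value.strip().upper()
    return workgroup, idmap

def parse_range(value):
    """'10000-99999' -> (10000, 99999), rejecting inverted ranges."""
    lo, hi = (int(x) for x in value.split('-'))
    if lo > hi:
        raise ValueError(f'bad idmap range {value!r}')
    return lo, hi

def parse_ldif(text):
    """Split an LDIF dump into a list of {attribute: value} dicts."""
    entries = []
    for block in text.strip().split('\n\n'):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(':')
            entry[attr.strip()] = value.strip()
        entries.append(entry)
    return entries

def check_idmap(smb_conf, entries):
    """Return a list of human-readable findings; an empty list means all good."""
    findings = []
    workgroup, idmap = parse_smb_conf(smb_conf)
    if 'SAMDOM' in idmap and workgroup != 'SAMDOM':
        findings.append("placeholder 'SAMDOM' left in idmap config; use the workgroup name")
    dom = idmap.get(workgroup, {})
    if 'range' not in dom:
        findings.append(f"no 'idmap config {workgroup}:range'; domain users get no stable ids")
        return findings
    lo, hi = parse_range(dom['range'])
    if 'range' in idmap.get('*', {}):
        dlo, dhi = parse_range(idmap['*']['range'])
        if dlo <= hi and lo <= dhi:   # interval overlap test
            findings.append(f"default range {dlo}-{dhi} overlaps {workgroup} range {lo}-{hi}")
    for e in entries:
        name = e.get('sAMAccountName', e.get('dn', '?'))
        if 'uidNumber' not in e:
            findings.append(f"{name}: no uidNumber, so the ad backend cannot map it")
            continue
        for attr in ('uidNumber', 'gidNumber'):
            if attr in e and not lo <= int(e[attr]) <= hi:
                findings.append(f"{name}: {attr}={e[attr]} outside {lo}-{hi}")
    return findings

if __name__ == '__main__':
    for label, conf in (('wiki template', SMB_CONF_BAD), ('fixed', SMB_CONF_GOOD)):
        print(f'--- {label}:', check_idmap(conf, parse_ldif(USERS_LDIF)) or 'no findings')
```

With the placeholder config the script stops at "no idmap config CCENTER:range", which is the state Rowland suspects; with the corrected config it still flags bob (uid 1001 below the range) and carol (no uidNumber), both of which winbind with the ad backend would fail to resolve via getent.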
Luca Olivetti
2015-Apr-03 18:58 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 03/04/15 at 20:33, Andrey Repin wrote:
> Eh? What the? Why? Google says it may be an issue with DNS, but mine works fine. Especially since a few lines before it successfully contacts the AD DC.

Probably not related, but I had an issue with Kerberos and it turns out I had the wrong host name for 127.0.0.1 in /etc/hosts

Bye
--
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
Rowland Penny
2015-Apr-03 19:15 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 03/04/15 19:33, Andrey Repin wrote:
> Greetings, Rowland Penny!
>
>>>>> I'm trying to get the former PDC back into domain after performing a classic migration.
>>>>> AD DC is running fine... if you can call it that.
>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, and rejoined the domain. Went fine apart from failed DNS update with local zone.
>>>>>
>>>>> # net ads testjoin
>>>>> Join is OK
>>>>> But there's no data in getent, and domain users are unable to authenticate on the server.
>>>>> So, where do I start looking?
>>>> Please check your /etc/nsswitch.conf file, it should contain this,
>>>> passwd: compat winbind
>>>> group: compat winbind
>>>> For more information, please go through Samba Wiki first,
>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>> Please read the message - I explicitly stated that nsswitch.conf is amended as suggested on the wiki.
>>>
>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain classicupgrade', this should have given you users with uidNumber attributes and groups with gidNumber attributes.
>> If, as you said, you used the smb.conf from the member server wiki page, you will have something like this in your smb.conf:
>> idmap config *:backend = tdb
>> idmap config *:range = 2000-9999
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 10000-99999
>> Two questions:
>> Did you change 'SAMDOM' to your workgroup name?
>> Are your users' & groups' uidNumber & gidNumber attributes inside the '10000-99999' range?
> It was a little more complicated process than that.
>
> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable.
>
> On host, I've set up container DC1, copied over the 3.6.3 TDBs from host and performed classicupgrade with hostname change.
> After initial failure and a month of head cracking, it somehow worked out on April 1st.
>
> The container runs as it could, resolving uids to domain names within itself, at least.
>
> Now, I need to get the same resolution on the host.
> The Samba 3 configuration files were moved away on the host before Samba upgrade, so that I could have one more backup copy of the configuration, if things go wrong.
>
> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the Wiki, and then commanded to join the AD.
> Join went fine except for a notice "unable to update DNS record for userl.ccenter.lan".
> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted everything.
>
> Currently, the situation is as follows:
>
> DC1 (AD DC): http://pastebin.com/WncfgLb6
>
> root@dc1:~# smbclient -L dc1 -U domainuser
> Enter domainuser's password:
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> root@dc1:~# smbclient -L userl -U domainuser
> Enter domainuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> USERL (member server): http://pastebin.com/25Lx6z9v
>
> root@userl:~# net ads testjoin
> Join is OK
>
> root@userl:~# smbclient -L dc1 -U domainuser
> Enter domainuser's password:
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service (Samba 4.1.11-Ubuntu)
> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> root@userl:~# smbclient -L userl -U domainuser
> Enter domainuser's password:
> session setup failed: NT_STATUS_LOGON_FAILURE
>
> Looking at winbind/idmap logs,
>
> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains)
>   pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN)
> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain)
>   idmap config CCENTER : range = 1000-50000
> [2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain)
>   Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762
> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request)
>   set_domain_online_request: called for domain CCENTER
> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request)
>   set_domain_online_request: domain CCENTER was globally offline.
>
> Eh? What the? Why? Google says it may be an issue with DNS, but mine works fine. Especially since a few lines before it successfully contacts the AD DC.
>

I am struggling to understand this setup, you have created a Samba AD DC running on Ubuntu 12.04 inside a container (docker ??), you then seem to have altered the AD DC's smb.conf for some reason, can I ask why?

You then set up a member server, joined it to the domain, but now cannot connect to the member server from the DC via smbclient, is this correct?

What have you got in:

/etc/resolv.conf
/etc/krb5.conf

This on both machines.

Can you ping from each machine to the other, both by ip and hostname?

What does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show?

Does the 'container' have all the required ports open?

Rowland
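The checklist Rowland asks for (resolv.conf and krb5.conf on both machines, and the SRV record the member uses to find a DC) plus the /etc/hosts pitfall Luca mentions can be turned into a small offline checker. The script below is an added example, not code from the thread or from Samba: it validates constructed copies of those files against the realm ADS.CCENTER.LAN and the member name userl.ccenter.lan from the thread, and parses constructed 'host -t SRV' output. The nameserver address 192.0.2.10 and the file contents are made up for the demonstration; only the realm, host names and the SRV query come from the thread.

```python
"""Added example (not from the thread): offline consistency checks for the
files and the DNS lookup Rowland asks about, plus the /etc/hosts pitfall
Luca describes. All inputs below are constructed samples."""
import re

REALM = 'ADS.CCENTER.LAN'          # from the winbind log in the thread
MEMBER_FQDN = 'userl.ccenter.lan'  # from the DNS-update notice in the thread

# Constructed /etc/resolv.conf: points at the DC (made-up address) and
# searches the AD zone, which is what a member server needs.
RESOLV_CONF = """nameserver 192.0.2.10
search ads.ccenter.lan ccenter.lan
"""
# Constructed /etc/krb5.conf with the realm in lower case; Kerberos realm
# names are case-sensitive, so this is a different realm as far as it is concerned.
KRB5_CONF = """[libdefaults]
    default_realm = ads.ccenter.lan
    dns_lookup_kdc = true
"""
# Constructed /etc/hosts of the Ubuntu kind: the machine's own FQDN on loopback,
# the mistake Luca describes.
HOSTS = """127.0.0.1 localhost
127.0.1.1 userl.ccenter.lan userl
"""
# Constructed output of: host -t SRV _ldap._tcp.ads.ccenter.lan.
HOST_SRV_OUTPUT = """_ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan.
"""

def check_resolv_conf(text, realm):
    """A nameserver must be set and the AD zone must be in the search list."""
    findings = []
    if not re.findall(r'^\s*nameserver\s+(\S+)', text, re.M):
        findings.append('resolv.conf: no nameserver entry')
    names = ' '.join(re.findall(r'^\s*(?:search|domain)\s+(.+)$', text, re.M)).split()
    if realm.lower() not in (n.lower().rstrip('.') for n in names):
        findings.append(f'resolv.conf: {realm.lower()} not in the search list')
    return findings

def check_krb5_conf(text, realm):
    """default_realm must match the AD realm exactly, including case."""
    m = re.search(r'^\s*default_realm\s*=\s*(\S+)', text, re.M)
    if not m:
        return ['krb5.conf: default_realm missing']
    if m.group(1) != realm:
        return [f'krb5.conf: default_realm is {m.group(1)!r}, expected {realm!r}']
    return []

def check_hosts(text, fqdn):
    """The machine's FQDN must not resolve to a loopback address."""
    findings = []
    for line in text.splitlines():
        fields = line.split('#', 1)[0].split()
        if len(fields) >= 2 and fields[0].startswith('127.') \
                and fqdn.lower() in (n.lower() for n in fields[1:]):
            findings.append(f'hosts: {fqdn} is mapped to loopback {fields[0]}, '
                            'so the box resolves its own name to 127.x instead of its LAN address')
    return findings

def parse_srv(text):
    """Return [(priority, weight, port, target)] from 'host -t SRV' output."""
    recs = []
    for m in re.finditer(r'has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$', text, re.M):
        pri, wgt, port, target = m.groups()
        recs.append((int(pri), int(wgt), int(port), target))
    return sorted(recs)

def check_srv(text, realm):
    """Without an _ldap._tcp SRV record the member cannot locate a DC."""
    if not parse_srv(text):
        return [f'DNS: no SRV record for _ldap._tcp.{realm.lower()}']
    return []

def run_all():
    """Run every check on the constructed inputs and return the findings."""
    return (check_resolv_conf(RESOLV_CONF, REALM) + check_krb5_conf(KRB5_CONF, REALM)
            + check_hosts(HOSTS, MEMBER_FQDN) + check_srv(HOST_SRV_OUTPUT, REALM))

if __name__ == '__main__':
    for finding in run_all() or ['all checks passed']:
        print(finding)
```

On the constructed inputs the script passes the resolver and SRV checks and reports the two things that would break Kerberos on a member server: a default_realm that does not match the AD realm, and the host's own FQDN pointing at loopback. To use it on a real machine, read the three files from /etc and feed the output of the 'host' command Rowland quotes into parse_srv.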