Rowland Penny
2015-Apr-03 20:54 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 03/04/15 21:29, Andrey Repin wrote:> Greetings, Rowland Penny! > >>>>>>>> I'm trying to get the former PDC back into domain after performing a >>>>>>> classic >>>>>>>> migration. >>>>>>>> AD DC is running fine... if you can call it that. >>>>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, >>>>>>> and >>>>>>>> rejoined the domain. Went fine apart from failed DNS update with local >>>>>>> zone. >>>>>>> >>>>>>>> # net ads testjoin >>>>>>>> Join is OK >>>>>>>> But there's no data in getent, and domain users are unable to >>>>>>> authenticate on >>>>>>>> the server. >>>>>>>> So, where do I start looking? >>>>>> Please check your /etc/nsswitch.conf file, it should look contains this, >>>>>> passwd: compat winbind >>>>>> group: compat winbind >>>>>> For more information, please go through Samba Wiki first, >>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>>>> Please read the message - I explicitly stated that nsswitch.conf is amended as >>>>> suggested on the wiki. >>>>> >>>>> >>>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain >>>> classicupgrade', this should have given you users with uidNumber >>>> attributes and groups with gidNumber attributes. >>>> If,as you said, you used the smb.conf from the member server wiki page, >>>> you will have something like this in your smb.conf: >>>> idmap config *:backend = tdb >>>> idmap config *:range = 2000-9999 >>>> idmap config SAMDOM:backend = ad >>>> idmap config SAMDOM:schema_mode = rfc2307 >>>> idmap config SAMDOM:range = 10000-99999 >>>> Two questions: >>>> Did you change 'SAMDOM' to your workgroup name ? >>>> Are your users & groups uidNumber & gidNumber attributes inside the >>>> '10000=99999' range ? >>> It was a little more complicated process, than that. >>> >>> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable. >>> >>> On host, I've set up container DC1, copied over the 3.6.3 TDB's from host and >>> performed classicupgrade with hostname change. After initial failure and a >>> month of head cracking, it somehow worked out on April 1st. >>> >>> The container runs as it could, resolving uids to domain names within itself, >>> at least. >>> >>> Now, I need to get the same resolution on the host. >>> The Samba 3 configuration files were moved away on the host before Samba >>> upgrade, so that I could have one more backup copy of the configuration, if >>> things go wrong. >>> >>> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the >>> Wiki, and then commanded to join the AD. >>> Join went fine except for a notice "unable to update DNS record for >>> userl.ccenter.lan". >>> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted >>> everything. >>> >>> Currently, the situation is as follows: >>> >>> DC1 (AD DC): http://pastebin.com/WncfgLb6 >>> >>> root at dc1:~# smbclient -L dc1 -U domainuser >>> Enter domainuser's password: >>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>> >>> Sharename Type Comment >>> --------- ---- ------- >>> netlogon Disk >>> sysvol Disk >>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>> >>> Server Comment >>> --------- ------- >>> >>> Workgroup Master >>> --------- ------- >>> >>> root at dc1:~# smbclient -L userl -U domainuser >>> Enter domainuser's password: >>> session setup failed: NT_STATUS_LOGON_FAILURE >>> >>> USERL (member server): http://pastebin.com/25Lx6z9v >>> >>> root at userl:~# net ads testjoin >>> Join is OK >>> >>> root at userl:~# smbclient -L dc1 -U domainuser >>> Enter domainuser's password: >>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>> >>> Sharename Type Comment >>> --------- ---- ------- >>> netlogon Disk >>> sysvol Disk >>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>> >>> Server Comment >>> --------- ------- >>> >>> Workgroup Master >>> --------- ------- >>> >>> root at userl:~# smbclient -L userl -U domainuser >>> Enter domainuser's password: >>> session setup failed: NT_STATUS_LOGON_FAILURE >>> >>> Looking at winbind/idmap logs, >>> >>> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains) >>> pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN) >>> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain) >>> idmap config CCENTER : range = 1000-50000 >>> [2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain) >>> Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762 >>> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request) >>> set_domain_online_request: called for domain CCENTER >>> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request) >>> set_domain_online_request: domain CCENTER was globally offline. >>> >>> Eh? What the? Why? Google says it may be an issue with DNS, but mine works >>> fine. Especially since a few lines before it successfully contact AD DC. >>> >>> >> I am struggling to understand this setup, you have created a samba AD DC >> running on Ubuntu 12.04 inside a container (docker ??), > docker is a management tool for LXC, which is an isolation solution and have > its own management tools. docker is fine when you need to deploy many similar > instances of an application, but for a single container, it is just not > needed. > For simplicity, you can presume that it is a separate system running elsewhere > on the network. Answering your later question, yes, I have full network > connectivity, I can ping and ssh between both, and browse shares of a DC from > the member server using either credentials. (See above.) > >> you then seem to have altered the AD DCs smb.conf for some reason, can I ask >> why ? > Multiple reasons at first, but at this point, it is a template I could just > copy to a member server and have it run with only a single line edit. The > settings are either sensible, but not necessary, or completely irrelevant for > a DC, as far as I can tell. > >> You then setup a member server, joined it to the domain, but now cannot >> connect to the member server from the DC via smbclient, is this correct ? > I can't connect to a member server using domain user credentials. > This would be more correct statement. > >> what have you got in: >> /etc/resolv.conf >> /etc/krb5.conf > Both give exactly same results: > > # cat /etc/krb5.conf > cat: /etc/krb5.conf: No such file or directory > (Erm, should I have it? What package I'm missing, if yes?)Yes you should, it should contain this: [libdefaults] default_realm = ADS.CCENTER.LAN dns_lookup_realm = false dns_lookup_kdc = true Have you got all of these packages installed: krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user> > # cat /etc/resolv.conf > # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) > # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN > nameserver 127.0.0.1 > search ccenter.lan > >> This on both machines > In case of a member server, 127.0.0.1 point to a local bind9, which is set to > forward ads.ccenter.lan to the DC. The resolution DO works correctly.Just point /etc/resolv.conf at the DC, also ccenter.lan is not ads.ccenter.lan Rowland> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1) > ;; ANSWER SECTION: > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan. > > 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1) > 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1) > (no answer - IPv6 resolution disabled) > > 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1) > ;; ANSWER SECTION: > dc1.ads.ccenter.lan. 373 IN A 192.168.17.4 > > 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1) > ;; ANSWER SECTION: > _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan. > >> can you ping from each machine to the other, both by ip and hostname ? >> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ? > root at dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan. > _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. > > root at userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan. > _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. > >> does the 'container' have all the required ports open ? > If logs are to be trusted, it even able to list users and groups. > > log.wb-CCENTER > [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list) > get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *" > [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect) > Successfully contacted LDAP server 192.168.17.4 > [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect) > Connected to LDAP server dc1.ads.ccenter.lan > [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) > ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 > [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) > ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 > [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) > ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 > [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind) > ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore > [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req) > ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) > [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds) > ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK > [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list) > ads query_user_list gave 19 entries > > This is about right. > root at dc1:~# wbinfo -u | wc -l > 19 > > [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) > Connecting to 192.168.17.4 at port 135 > [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) > Connecting to 192.168.17.4 at port 1024 > [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) > msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER > [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups) > ads: enum_dom_groups > [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups) > ads enum_dom_groups gave 216 entries > > This is a bit off, but still close. > root at dc1:~# wbinfo -g | wc -l > 211 > > [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) > msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER > [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) > [13765]: list trusted domains > [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains) > ads: trusted_domains > [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) > msrpc_name_to_sid: name=CCENTER\DOMAINUSER > [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) > name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER > [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user) > ads: query_user > > But in the end, it just doesn't work. getent doesn't list anything sensible, > not from explicit request, nor from enumeration. > >
Andrey Repin
2015-Apr-04 02:29 UTC
[Samba] Member server - winbind unable to resolve users/groups
Greetings, Rowland Penny!>>>>>>>>> I'm trying to get the former PDC back into domain after performing a >>>>>>>> classic >>>>>>>>> migration. >>>>>>>>> AD DC is running fine... if you can call it that. >>>>>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, >>>>>>>> and >>>>>>>>> rejoined the domain. Went fine apart from failed DNS update with local >>>>>>>> zone. >>>>>>>> >>>>>>>>> # net ads testjoin >>>>>>>>> Join is OK >>>>>>>>> But there's no data in getent, and domain users are unable to >>>>>>>> authenticate on >>>>>>>>> the server. >>>>>>>>> So, where do I start looking? >>>>>>> Please check your /etc/nsswitch.conf file, it should look contains this, >>>>>>> passwd: compat winbind >>>>>>> group: compat winbind >>>>>>> For more information, please go through Samba Wiki first, >>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>>>>> Please read the message - I explicitly stated that nsswitch.conf is amended as >>>>>> suggested on the wiki. >>>>>> >>>>>> >>>>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain >>>>> classicupgrade', this should have given you users with uidNumber >>>>> attributes and groups with gidNumber attributes. >>>>> If,as you said, you used the smb.conf from the member server wiki page, >>>>> you will have something like this in your smb.conf: >>>>> idmap config *:backend = tdb >>>>> idmap config *:range = 2000-9999 >>>>> idmap config SAMDOM:backend = ad >>>>> idmap config SAMDOM:schema_mode = rfc2307 >>>>> idmap config SAMDOM:range = 10000-99999 >>>>> Two questions: >>>>> Did you change 'SAMDOM' to your workgroup name ? >>>>> Are your users & groups uidNumber & gidNumber attributes inside the >>>>> '10000=99999' range ? >>>> It was a little more complicated process, than that. >>>> >>>> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable. >>>> >>>> On host, I've set up container DC1, copied over the 3.6.3 TDB's from host and >>>> performed classicupgrade with hostname change. After initial failure and a >>>> month of head cracking, it somehow worked out on April 1st. >>>> >>>> The container runs as it could, resolving uids to domain names within itself, >>>> at least. >>>> >>>> Now, I need to get the same resolution on the host. >>>> The Samba 3 configuration files were moved away on the host before Samba >>>> upgrade, so that I could have one more backup copy of the configuration, if >>>> things go wrong. >>>> >>>> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the >>>> Wiki, and then commanded to join the AD. >>>> Join went fine except for a notice "unable to update DNS record for >>>> userl.ccenter.lan". >>>> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted >>>> everything. >>>> >>>> Currently, the situation is as follows: >>>> >>>> DC1 (AD DC): http://pastebin.com/WncfgLb6 >>>> >>>> root at dc1:~# smbclient -L dc1 -U domainuser >>>> Enter domainuser's password: >>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>> >>>> Sharename Type Comment >>>> --------- ---- ------- >>>> netlogon Disk >>>> sysvol Disk >>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>> >>>> Server Comment >>>> --------- ------- >>>> >>>> Workgroup Master >>>> --------- ------- >>>> >>>> root at dc1:~# smbclient -L userl -U domainuser >>>> Enter domainuser's password: >>>> session setup failed: NT_STATUS_LOGON_FAILURE >>>> >>>> USERL (member server): http://pastebin.com/25Lx6z9v >>>> >>>> root at userl:~# net ads testjoin >>>> Join is OK >>>> >>>> root at userl:~# smbclient -L dc1 -U domainuser >>>> Enter domainuser's password: >>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>> >>>> Sharename Type Comment >>>> --------- ---- ------- >>>> netlogon Disk >>>> sysvol Disk >>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>> >>>> Server Comment >>>> --------- ------- >>>> >>>> Workgroup Master >>>> --------- ------- >>>> >>>> root at userl:~# smbclient -L userl -U domainuser >>>> Enter domainuser's password: >>>> session setup failed: NT_STATUS_LOGON_FAILURE >>>> >>>> Looking at winbind/idmap logs, >>>> >>>> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains) >>>> pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN) >>>> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain) >>>> idmap config CCENTER : range = 1000-50000 >>>> [2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain) >>>> Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762 >>>> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request) >>>> set_domain_online_request: called for domain CCENTER >>>> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request) >>>> set_domain_online_request: domain CCENTER was globally offline. >>>> >>>> Eh? What the? Why? Google says it may be an issue with DNS, but mine works >>>> fine. Especially since a few lines before it successfully contact AD DC. >>>> >>>> >>> I am struggling to understand this setup, you have created a samba AD DC >>> running on Ubuntu 12.04 inside a container (docker ??), >> docker is a management tool for LXC, which is an isolation solution and have >> its own management tools. docker is fine when you need to deploy many similar >> instances of an application, but for a single container, it is just not >> needed. >> For simplicity, you can presume that it is a separate system running elsewhere >> on the network. Answering your later question, yes, I have full network >> connectivity, I can ping and ssh between both, and browse shares of a DC from >> the member server using either credentials. (See above.) >> >>> you then seem to have altered the AD DCs smb.conf for some reason, can I ask >>> why ? >> Multiple reasons at first, but at this point, it is a template I could just >> copy to a member server and have it run with only a single line edit. The >> settings are either sensible, but not necessary, or completely irrelevant for >> a DC, as far as I can tell. >> >>> You then setup a member server, joined it to the domain, but now cannot >>> connect to the member server from the DC via smbclient, is this correct ? >> I can't connect to a member server using domain user credentials. >> This would be more correct statement. >> >>> what have you got in: >>> /etc/resolv.conf >>> /etc/krb5.conf >> Both give exactly same results: >> >> # cat /etc/krb5.conf >> cat: /etc/krb5.conf: No such file or directory >> (Erm, should I have it? What package I'm missing, if yes?)> Yes you should, it should contain this:> [libdefaults] > default_realm = ADS.CCENTER.LAN > dns_lookup_realm = false > dns_lookup_kdc = true> Have you got all of these packages installed:> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user>> >> # cat /etc/resolv.conf >> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) >> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN >> nameserver 127.0.0.1 >> search ccenter.lan >> >>> This on both machines >> In case of a member server, 127.0.0.1 point to a local bind9, which is set to >> forward ads.ccenter.lan to the DC. The resolution DO works correctly.> Just point /etc/resolv.conf at the DC,Does that mean winbind is unable to understand plain DNS replies, or what?> also ccenter.lan is not ads.ccenter.lan# cat /etc/resolv.conf nameserver 192.168.17.4 search ads.ccenter.lan # host -t SRV _ldap._tcp.ads.ccenter.lan. _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. # nslookup dc1 Server: 192.168.17.4 Address: 192.168.17.4#53 Name: dc1.ads.ccenter.lan Address: 192.168.17.4 # ping dc1 -c 1 PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data. 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms --- dc1.ads.ccenter.lan ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms root at userl:~# wbinfo -t checking the trust secret for domain CCENTER via RPC calls succeeded root at userl:~# wbinfo -u | wc -l 19 root at userl:~# getent passwd domainuser root at userl:~# smbclient -L localhost -U domainuser Enter domainuser's password: session setup failed: NT_STATUS_LOGON_FAILURE [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request) process_request: Handling async request 2811:GETPWNAM [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send) getpwnam CCENTER\domainuser [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000 [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid) find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513) [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid) calling find_our_domain [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) SID 0: S-1-5-21-1031481445-3291699540-3997755762-513 [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv) Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done) wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written) winbind_client_response_written[2811:GETPWNAM]: delivered response to client>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >> ;; ANSWER SECTION: >> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan. >> >> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1) >> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1) >> (no answer - IPv6 resolution disabled) >> >> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1) >> ;; ANSWER SECTION: >> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4 >> >> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >> ;; ANSWER SECTION: >> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan. >> >>> can you ping from each machine to the other, both by ip and hostname ? >>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ? >> root at dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan. >> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. >> >> root at userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan. >> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. >> >>> does the 'container' have all the required ports open ? >> If logs are to be trusted, it even able to list users and groups. >> >> log.wb-CCENTER >> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list) >> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *" >> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect) >> Successfully contacted LDAP server 192.168.17.4 >> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect) >> Connected to LDAP server dc1.ads.ccenter.lan >> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 >> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 >> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 >> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind) >> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore >> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req) >> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) >> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds) >> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK >> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list) >> ads query_user_list gave 19 entries >> >> This is about right. >> root at dc1:~# wbinfo -u | wc -l >> 19 >> >> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) >> Connecting to 192.168.17.4 at port 135 >> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) >> Connecting to 192.168.17.4 at port 1024 >> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER >> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups) >> ads: enum_dom_groups >> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups) >> ads enum_dom_groups gave 216 entries >> >> This is a bit off, but still close. >> root at dc1:~# wbinfo -g | wc -l >> 211 >> >> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER >> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >> [13765]: list trusted domains >> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains) >> ads: trusted_domains >> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) >> msrpc_name_to_sid: name=CCENTER\DOMAINUSER >> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) >> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER >> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user) >> ads: query_user >> >> But in the end, it just doesn't work. getent doesn't list anything sensible, >> not from explicit request, nor from enumeration. >> >>-- With best regards, Andrey Repin Saturday, April 4, 2015 04:48:35 Sorry for my terrible english...
Rowland Penny
2015-Apr-04 08:41 UTC
[Samba] Member server - winbind unable to resolve users/groups
On 04/04/15 03:29, Andrey Repin wrote:> Greetings, Rowland Penny! > >>>>>>>>>> I'm trying to get the former PDC back into domain after performing a >>>>>>>>> classic >>>>>>>>>> migration. >>>>>>>>>> AD DC is running fine... if you can call it that. >>>>>>>>>> I've edited the smb.conf and nsswitch.conf as suggested in Wiki article, >>>>>>>>> and >>>>>>>>>> rejoined the domain. Went fine apart from failed DNS update with local >>>>>>>>> zone. >>>>>>>>> >>>>>>>>>> # net ads testjoin >>>>>>>>>> Join is OK >>>>>>>>>> But there's no data in getent, and domain users are unable to >>>>>>>>> authenticate on >>>>>>>>>> the server. >>>>>>>>>> So, where do I start looking? >>>>>>>> Please check your /etc/nsswitch.conf file, it should look contains this, >>>>>>>> passwd: compat winbind >>>>>>>> group: compat winbind >>>>>>>> For more information, please go through Samba Wiki first, >>>>>>>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server >>>>>>> Please read the message - I explicitly stated that nsswitch.conf is amended as >>>>>>> suggested on the wiki. >>>>>>> >>>>>>> >>>>>> OK, so you upgraded an NT-4 style PDC to AD with 'samba-tool domain >>>>>> classicupgrade', this should have given you users with uidNumber >>>>>> attributes and groups with gidNumber attributes. >>>>>> If,as you said, you used the smb.conf from the member server wiki page, >>>>>> you will have something like this in your smb.conf: >>>>>> idmap config *:backend = tdb >>>>>> idmap config *:range = 2000-9999 >>>>>> idmap config SAMDOM:backend = ad >>>>>> idmap config SAMDOM:schema_mode = rfc2307 >>>>>> idmap config SAMDOM:range = 10000-99999 >>>>>> Two questions: >>>>>> Did you change 'SAMDOM' to your workgroup name ? >>>>>> Are your users & groups uidNumber & gidNumber attributes inside the >>>>>> '10000=99999' range ? >>>>> It was a little more complicated process, than that. >>>>> >>>>> Host: Ubuntu 12.04 running Samba 3.6.3->4.1.11 and LXC 1.0.7 stable. >>>>> >>>>> On host, I've set up container DC1, copied over the 3.6.3 TDB's from host and >>>>> performed classicupgrade with hostname change. After initial failure and a >>>>> month of head cracking, it somehow worked out on April 1st. >>>>> >>>>> The container runs as it could, resolving uids to domain names within itself, >>>>> at least. >>>>> >>>>> Now, I need to get the same resolution on the host. >>>>> The Samba 3 configuration files were moved away on the host before Samba >>>>> upgrade, so that I could have one more backup copy of the configuration, if >>>>> things go wrong. >>>>> >>>>> After upgrading Samba, I've edited {smb,nsswitch}.conf as outlined on the >>>>> Wiki, and then commanded to join the AD. >>>>> Join went fine except for a notice "unable to update DNS record for >>>>> userl.ccenter.lan". >>>>> After that, I removed startup blocks on smbd/nmbd/winbind and rebooted >>>>> everything. >>>>> >>>>> Currently, the situation is as follows: >>>>> >>>>> DC1 (AD DC): http://pastebin.com/WncfgLb6 >>>>> >>>>> root at dc1:~# smbclient -L dc1 -U domainuser >>>>> Enter domainuser's password: >>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>>> >>>>> Sharename Type Comment >>>>> --------- ---- ------- >>>>> netlogon Disk >>>>> sysvol Disk >>>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>>> >>>>> Server Comment >>>>> --------- ------- >>>>> >>>>> Workgroup Master >>>>> --------- ------- >>>>> >>>>> root at dc1:~# smbclient -L userl -U domainuser >>>>> Enter domainuser's password: >>>>> session setup failed: NT_STATUS_LOGON_FAILURE >>>>> >>>>> USERL (member server): http://pastebin.com/25Lx6z9v >>>>> >>>>> root at userl:~# net ads testjoin >>>>> Join is OK >>>>> >>>>> root at userl:~# smbclient -L dc1 -U domainuser >>>>> Enter domainuser's password: >>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>>> >>>>> Sharename Type Comment >>>>> --------- ---- ------- >>>>> netlogon Disk >>>>> sysvol Disk >>>>> IPC$ IPC IPC Service (Samba 4.1.11-Ubuntu) >>>>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu] >>>>> >>>>> Server Comment >>>>> --------- ------- >>>>> >>>>> Workgroup Master >>>>> --------- ------- >>>>> >>>>> root at userl:~# smbclient -L userl -U domainuser >>>>> Enter domainuser's password: >>>>> session setup failed: NT_STATUS_LOGON_FAILURE >>>>> >>>>> Looking at winbind/idmap logs, >>>>> >>>>> [2015/04/03 21:16:17.636654, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4446(pack_tdc_domains) >>>>> pack_tdc_domains: Packing domain CCENTER (ADS.CCENTER.LAN) >>>>> [2015/04/03 21:16:17.636687, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:230(add_trusted_domain) >>>>> idmap config CCENTER : range = 1000-50000 >>>>> [2015/04/03 21:16:17.636720, 2, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:255(add_trusted_domain) >>>>> Added domain CCENTER ADS.CCENTER.LAN S-1-5-21-1031481445-3291699540-3997755762 >>>>> [2015/04/03 21:16:17.636766, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:561(set_domain_online_request) >>>>> set_domain_online_request: called for domain CCENTER >>>>> [2015/04/03 21:16:17.636803, 10, pid=8618, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:596(set_domain_online_request) >>>>> set_domain_online_request: domain CCENTER was globally offline. >>>>> >>>>> Eh? What the? Why? Google says it may be an issue with DNS, but mine works >>>>> fine. Especially since a few lines before it successfully contact AD DC. >>>>> >>>>> >>>> I am struggling to understand this setup, you have created a samba AD DC >>>> running on Ubuntu 12.04 inside a container (docker ??), >>> docker is a management tool for LXC, which is an isolation solution and have >>> its own management tools. docker is fine when you need to deploy many similar >>> instances of an application, but for a single container, it is just not >>> needed. >>> For simplicity, you can presume that it is a separate system running elsewhere >>> on the network. Answering your later question, yes, I have full network >>> connectivity, I can ping and ssh between both, and browse shares of a DC from >>> the member server using either credentials. (See above.) >>> >>>> you then seem to have altered the AD DCs smb.conf for some reason, can I ask >>>> why ? >>> Multiple reasons at first, but at this point, it is a template I could just >>> copy to a member server and have it run with only a single line edit. The >>> settings are either sensible, but not necessary, or completely irrelevant for >>> a DC, as far as I can tell. >>> >>>> You then setup a member server, joined it to the domain, but now cannot >>>> connect to the member server from the DC via smbclient, is this correct ? >>> I can't connect to a member server using domain user credentials. >>> This would be more correct statement. >>> >>>> what have you got in: >>>> /etc/resolv.conf >>>> /etc/krb5.conf >>> Both give exactly same results: >>> >>> # cat /etc/krb5.conf >>> cat: /etc/krb5.conf: No such file or directory >>> (Erm, should I have it? What package I'm missing, if yes?) >> Yes you should, it should contain this: >> [libdefaults] >> default_realm = ADS.CCENTER.LAN >> dns_lookup_realm = false >> dns_lookup_kdc = true >> Have you got all of these packages installed: >> krb5-config libnss-winbind libpam-winbind libpam-krb5 krb5-user >>> # cat /etc/resolv.conf >>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) >>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN >>> nameserver 127.0.0.1 >>> search ccenter.lan >>> >>>> This on both machines >>> In case of a member server, 127.0.0.1 point to a local bind9, which is set to >>> forward ads.ccenter.lan to the DC. The resolution DO works correctly. >> Just point /etc/resolv.conf at the DC, > Does that mean winbind is unable to understand plain DNS replies, or what? > >> also ccenter.lan is not ads.ccenter.lan > # cat /etc/resolv.conf > nameserver 192.168.17.4 > search ads.ccenter.lan > > # host -t SRV _ldap._tcp.ads.ccenter.lan. > _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. > > # nslookup dc1 > Server: 192.168.17.4 > Address: 192.168.17.4#53 > > Name: dc1.ads.ccenter.lan > Address: 192.168.17.4 > > # ping dc1 -c 1 > PING dc1.ads.ccenter.lan (192.168.17.4) 56(84) bytes of data. > 64 bytes from dc1.ccenter.lan (192.168.17.4): icmp_req=1 ttl=64 time=0.487 ms > > --- dc1.ads.ccenter.lan ping statistics --- > 1 packets transmitted, 1 received, 0% packet loss, time 0ms > rtt min/avg/max/mdev = 0.487/0.487/0.487/0.000 ms > > root at userl:~# wbinfo -t > checking the trust secret for domain CCENTER via RPC calls succeeded > root at userl:~# wbinfo -u | wc -l > 19 > root at userl:~# getent passwd domainuser > root at userl:~# smbclient -L localhost -U domainuser > Enter domainuser's password: > session setup failed: NT_STATUS_LOGON_FAILURE > > [2015/04/04 05:20:55.239144, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:693(process_request) > process_request: Handling async request 2811:GETPWNAM > [2015/04/04 05:20:55.239176, 3, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:56(winbindd_getpwnam_send) > getpwnam CCENTER\domainuser > [2015/04/04 05:20:55.239256, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) > SID 0: S-1-5-21-1031481445-3291699540-3997755762-61000 > [2015/04/04 05:20:55.239303, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:791(find_lookup_domain_from_sid) > find_lookup_domain_from_sid(S-1-5-21-1031481445-3291699540-3997755762-513) > [2015/04/04 05:20:55.239335, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:801(find_lookup_domain_from_sid) > calling find_our_domain > [2015/04/04 05:20:55.239381, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:95(wb_sids2xids_send) > SID 0: S-1-5-21-1031481445-3291699540-3997755762-513 > [2015/04/04 05:20:55.239422, 5, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_getpwnam.c:137(winbindd_getpwnam_recv) > Could not convert sid S-1-5-21-1031481445-3291699540-3997755762-61000: NT_STATUS_NONE_MAPPED > [2015/04/04 05:20:55.239469, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:755(wb_request_done) > wb_request_done[2811:GETPWNAM]: NT_STATUS_NONE_MAPPED > [2015/04/04 05:20:55.239510, 10, pid=1179, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:816(winbind_client_response_written) > winbind_client_response_written[2811:GETPWNAM]: delivered response to client > >>> 127.0.0.1#35321: query: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >>> ;; ANSWER SECTION: >>> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ADS.CCENTER.LAN. 503 IN SRV 0 100 389 dc1.ads.ccenter.lan. >>> >>> 127.0.0.1#55300: query: dc1.ads.ccenter.lan IN AAAA + (127.0.0.1) >>> 127.0.0.1#36282: query: dc1.ads.ccenter.lan.ccenter.lan IN AAAA + (127.0.0.1) >>> (no answer - IPv6 resolution disabled) >>> >>> 127.0.0.1#47102: query: dc1.ads.ccenter.lan IN A + (127.0.0.1) >>> ;; ANSWER SECTION: >>> dc1.ads.ccenter.lan. 373 IN A 192.168.17.4 >>> >>> 127.0.0.1#58461: query: _kerberos._udp.ADS.CCENTER.LAN IN SRV + (127.0.0.1) >>> ;; ANSWER SECTION: >>> _kerberos._udp.ADS.CCENTER.LAN. 324 IN SRV 0 100 88 dc1.ads.ccenter.lan. >>> >>>> can you ping from each machine to the other, both by ip and hostname ? >>>> what does 'host -t SRV _ldap._tcp.ads.ccenter.lan.' show ? >>> root at dc1:~# host -t SRV _ldap._tcp.ads.ccenter.lan. >>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. >>> >>> root at userl:~# host -t SRV _ldap._tcp.ads.ccenter.lan. >>> _ldap._tcp.ads.ccenter.lan has SRV record 0 100 389 dc1.ads.ccenter.lan. >>> >>>> does the 'container' have all the required ports open ? >>> If logs are to be trusted, it even able to list users and groups. >>> >>> log.wb-CCENTER >>> [2015/04/03 22:55:59.314002, 3, effective(0, 0), real(0, 0)] ../source3/libsmb/namequery.c:3102(get_dc_list) >>> get_dc_list: preferred server list: "dc1.ads.ccenter.lan, *" >>> [2015/04/03 22:55:59.318397, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:680(ads_connect) >>> Successfully contacted LDAP server 192.168.17.4 >>> [2015/04/03 22:55:59.320717, 3, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:723(ads_connect) >>> Connected to LDAP server dc1.ads.ccenter.lan >>> [2015/04/03 22:55:59.325436, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >>> ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2 >>> [2015/04/03 22:55:59.325466, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >>> ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2 >>> [2015/04/03 22:55:59.325498, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:955(ads_sasl_spnego_bind) >>> ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10 >>> [2015/04/03 22:55:59.325527, 3, effective(0, 0), real(0, 0)] ../source3/libads/sasl.c:964(ads_sasl_spnego_bind) >>> ads_sasl_spnego_bind: got server principal name = not_defined_in_RFC4178 at please_ignore >>> [2015/04/03 22:55:59.325655, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:499(ads_krb5_mk_req) >>> ads_krb5_mk_req: krb5_cc_get_principal failed (No such file or directory) >>> [2015/04/03 22:55:59.333493, 3, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:266(ads_cleanup_expired_creds) >>> ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache] expiration Sat, 04 Apr 2015 08:55:59 MSK >>> [2015/04/03 22:55:59.373034, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:378(query_user_list) >>> ads query_user_list gave 19 entries >>> >>> This is about right. >>> root at dc1:~# wbinfo -u | wc -l >>> 19 >>> >>> [2015/04/03 22:55:59.374070, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) >>> Connecting to 192.168.17.4 at port 135 >>> [2015/04/03 22:55:59.375923, 3, effective(0, 0), real(0, 0)] ../source3/lib/util_sock.c:585(open_socket_out_send) >>> Connecting to 192.168.17.4 at port 1024 >>> [2015/04/03 22:55:59.516885, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-513 for domain CCENTER >>> [2015/04/03 22:56:13.713563, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:403(enum_dom_groups) >>> ads: enum_dom_groups >>> [2015/04/03 22:56:13.763644, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:501(enum_dom_groups) >>> ads enum_dom_groups gave 216 entries >>> >>> This is a bit off, but still close. >>> root at dc1:~# wbinfo -g | wc -l >>> 211 >>> >>> [2015/04/03 22:56:13.765824, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:300(msrpc_sid_to_name) >>> msrpc_sid_to_name: S-1-5-21-1031481445-3291699540-3997755762-571 for domain CCENTER >>> [2015/04/03 22:59:42.388144, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_misc.c:161(winbindd_dual_list_trusted_domains) >>> [13765]: list trusted domains >>> [2015/04/03 22:59:42.388330, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:1419(trusted_domains) >>> ads: trusted_domains >>> [2015/04/03 23:00:59.189216, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid) >>> msrpc_name_to_sid: name=CCENTER\DOMAINUSER >>> [2015/04/03 23:00:59.189271, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid) >>> name_to_sid [rpc] CCENTER\DOMAINUSER for domain CCENTER >>> [2015/04/03 23:00:59.195301, 3, effective(0, 0), real(0, 0)] ../source3/winbindd/winbindd_ads.c:597(query_user) >>> ads: query_user >>> >>> But in the end, it just doesn't work. getent doesn't list anything sensible, >>> not from explicit request, nor from enumeration. >>> >>> > >OK, what does running this command on the DC show: ldbsearch -H /var/lib/samba/private/sam.ldb '(objectSID=S-1-5-21-1031481445-3291699540-3997755762-61000)' | grep 'uidNumber' This relies on ldb-tools being installed and sam.ldb being in '/var/lib/samba/private' if yours is somewhere else, change the path. Rowland
Possibly Parallel Threads
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups
- Member server - winbind unable to resolve users/groups