samba - Jun 2015 - wbinfo fails: Error looking up domain users

Thanks Rowland,

I am trying to setup an AD member server. I followed the wiki 
(https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). I am 
on Fedora 21.

The domain join succeeded

But wbinfo fails:

$ wbinfo -u
Error looking up domain users

I tried to increase windbind log verbosity to 10, but I can see no trace 
when issuing wbinfo:
/etc/smb.conf
        log level = winbind:10


Here are some more details:
***************************

# net ads testjoin
Join is OK

# wbinfo -u
Error looking up domain users

$ rpm -q samba-winbind
samba-winbind-4.1.17-1.fc21.x86_64

$ cat /etc/hosts
127.0.0.1        localhost.localdomain localhost
::1        localhost6.localdomain6 localhost6
192.168.0.84    linuxmr.studelec-sa.com linuxmr

/etc/samba/smb.conf is here:  http://pastebin.com/gAk6nX0x

$ cat /etc/resolv.conf
search studelec-sa.com
nameserver 192.168.0.250

$ cat /etc/krb5.conf (ALTHOUGH THE WIKI DOES STATE ANY CONFIGURATION IS 
REQUIRED IN THAT FILE)
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  dns_lookup_realm = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true
  rdns = false
# default_realm = EXAMPLE.COM
  # Utile ou pas ?
  default_realm = STUDELEC-SA.COM
  dns_lookup_kdc = true
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

On 18/06/15 07:14, Marc Recht? wrote:
> Thanks Rowland,
>
> I am trying to setup an AD member server. I followed the wiki 
> (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). I 
> am on Fedora 21.
>
> The domain join succeeded
>
> But wbinfo fails:
>
> $ wbinfo -u
> Error looking up domain users
>
> I tried to increase windbind log verbosity to 10, but I can see no 
> trace when issuing wbinfo:
> /etc/smb.conf
>        log level = winbind:10
>
>
> Here are some more details:
> ***************************
>
> # net ads testjoin
> Join is OK
>
> # wbinfo -u
> Error looking up domain users
>
> $ rpm -q samba-winbind
> samba-winbind-4.1.17-1.fc21.x86_64
>
> $ cat /etc/hosts
> 127.0.0.1        localhost.localdomain localhost
> ::1        localhost6.localdomain6 localhost6
> 192.168.0.84    linuxmr.studelec-sa.com linuxmr
>
> /etc/samba/smb.conf is here:  http://pastebin.com/gAk6nX0x
>
> $ cat /etc/resolv.conf
> search studelec-sa.com
> nameserver 192.168.0.250
>
> $ cat /etc/krb5.conf (ALTHOUGH THE WIKI DOES STATE ANY CONFIGURATION 
> IS REQUIRED IN THAT FILE)
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  dns_lookup_realm = false
>  ticket_lifetime = 24h
>  renew_lifetime = 7d
>  forwardable = true
>  rdns = false
> # default_realm = EXAMPLE.COM
>  # Utile ou pas ?
>  default_realm = STUDELEC-SA.COM
>  dns_lookup_kdc = true
>  default_ccache_name = KEYRING:persistent:%{uid}
>
> [realms]
> # EXAMPLE.COM = {
> #  kdc = kerberos.example.com
> #  admin_server = kerberos.example.com
> # }
>
> [domain_realm]
> # .example.com = EXAMPLE.COM
> # example.com = EXAMPLE.COM
OK, there doesn't seem to much wrong with your smb.conf, only thing I 
would change, remove this line:

server role = member server

My /etc/krb5.conf is just this:

[libdefaults]
      default_realm = EXAMPLE.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true

But yours has those lines in it.

So, we fall back to what is usually the problem on redhat when something 
doesn't work, Selinux. Try disabling this and see if this works, failing 
that, is the firewall running ? if it is, try turning it off.

Rowland

Opened a bug on Fedora and solution was given: one must uninstall 
sssd-libwbclient package.

Now let's move to the next problem: nsswitch does not see the domain 
users / groups, but I assume this is out of the scope of this list ?

Thanks

Le 18/06/2015 10:05, Rowland Penny a ?crit :
> On 18/06/15 07:14, Marc Recht? wrote:
>> Thanks Rowland,
>>
>> I am trying to setup an AD member server. I followed the wiki 
>> (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). I 
>> am on Fedora 21.
>>
>> The domain join succeeded
>>
>> But wbinfo fails:
>>
>> $ wbinfo -u
>> Error looking up domain users
>>
>> I tried to increase windbind log verbosity to 10, but I can see no 
>> trace when issuing wbinfo:
>> /etc/smb.conf
>>        log level = winbind:10
>>
>>
>> Here are some more details:
>> ***************************
>>
>> # net ads testjoin
>> Join is OK
>>
>> # wbinfo -u
>> Error looking up domain users
>>
>> $ rpm -q samba-winbind
>> samba-winbind-4.1.17-1.fc21.x86_64
>>
>> $ cat /etc/hosts
>> 127.0.0.1        localhost.localdomain localhost
>> ::1        localhost6.localdomain6 localhost6
>> 192.168.0.84    linuxmr.studelec-sa.com linuxmr
>>
>> /etc/samba/smb.conf is here:  http://pastebin.com/gAk6nX0x
>>
>> $ cat /etc/resolv.conf
>> search studelec-sa.com
>> nameserver 192.168.0.250
>>
>> $ cat /etc/krb5.conf (ALTHOUGH THE WIKI DOES STATE ANY CONFIGURATION 
>> IS REQUIRED IN THAT FILE)
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  dns_lookup_realm = false
>>  ticket_lifetime = 24h
>>  renew_lifetime = 7d
>>  forwardable = true
>>  rdns = false
>> # default_realm = EXAMPLE.COM
>>  # Utile ou pas ?
>>  default_realm = STUDELEC-SA.COM
>>  dns_lookup_kdc = true
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #  kdc = kerberos.example.com
>> #  admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>

Opened a bug on Fedora and solution was given: one must uninstall 
sssd-libwbclient package.

Now let's move to the next problem: nsswitch does not see the domain 
users / groups, but I assume this is out of the scope of this list ?

Thanks

Le 18/06/2015 10:05, Rowland Penny a ?crit :
> On 18/06/15 07:14, Marc Recht? wrote:
>> Thanks Rowland,
>>
>> I am trying to setup an AD member server. I followed the wiki 
>> (https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server). I 
>> am on Fedora 21.
>>
>> The domain join succeeded
>>
>> But wbinfo fails:
>>
>> $ wbinfo -u
>> Error looking up domain users
>>
>> I tried to increase windbind log verbosity to 10, but I can see no 
>> trace when issuing wbinfo:
>> /etc/smb.conf
>>        log level = winbind:10
>>
>>
>> Here are some more details:
>> ***************************
>>
>> # net ads testjoin
>> Join is OK
>>
>> # wbinfo -u
>> Error looking up domain users
>>
>> $ rpm -q samba-winbind
>> samba-winbind-4.1.17-1.fc21.x86_64
>>
>> $ cat /etc/hosts
>> 127.0.0.1        localhost.localdomain localhost
>> ::1        localhost6.localdomain6 localhost6
>> 192.168.0.84    linuxmr.studelec-sa.com linuxmr
>>
>> /etc/samba/smb.conf is here:  http://pastebin.com/gAk6nX0x
>>
>> $ cat /etc/resolv.conf
>> search studelec-sa.com
>> nameserver 192.168.0.250
>>
>> $ cat /etc/krb5.conf (ALTHOUGH THE WIKI DOES STATE ANY CONFIGURATION 
>> IS REQUIRED IN THAT FILE)
>> [logging]
>>  default = FILE:/var/log/krb5libs.log
>>  kdc = FILE:/var/log/krb5kdc.log
>>  admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>>  dns_lookup_realm = false
>>  ticket_lifetime = 24h
>>  renew_lifetime = 7d
>>  forwardable = true
>>  rdns = false
>> # default_realm = EXAMPLE.COM
>>  # Utile ou pas ?
>>  default_realm = STUDELEC-SA.COM
>>  dns_lookup_kdc = true
>>  default_ccache_name = KEYRING:persistent:%{uid}
>>
>> [realms]
>> # EXAMPLE.COM = {
>> #  kdc = kerberos.example.com
>> #  admin_server = kerberos.example.com
>> # }
>>
>> [domain_realm]
>> # .example.com = EXAMPLE.COM
>> # example.com = EXAMPLE.COM
>