I have tried to add all of the above to smb4.conf with no luck. I also did a net ads leave, and net ads join. In addition I cleared the contents of /var/db/samba4. Only users who have once been granted access to domain admins will show up. I am becoming more convinced it is something at the Active Directory level.

Joe Maloney

On Tue, Jan 26, 2016 at 3:17 PM, Rowland penny <rpenny at samba.org> wrote:
> On 26/01/16 20:44, Joe Maloney wrote:
>
>> The DCs are running Windows Server 2012R2. The directory itself has
>> RFC2307 attributes. The file servers are running FreeBSD with Samba 4.1.
>> These are just member servers not joined as domain controllers. I have
>> tried to upgrade to samba 4.2, and samba 4.3 as a test with no difference.
>> Here is a peek at the smb4.conf via pastebin.
>>
>> http://pastebin.com/Ai14LREW
>>
>> Joe Maloney
>>
> OK, try adding these two lines:
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> It may be that you are having kerberos problems and your tickets are
> expiring, check if /etc/krb5.keytab exists, you may have to re-join the
> domain member to the server.
>
> I would also suggest you add these two lines:
>
> vfs objects = acl_xattr
> map acl inherit = yes
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 26/01/16 21:34, Joe Maloney wrote:
> I have tried to add all of the above to smb4.conf with no luck. I
> also did a net ads leave, and net ads join. In addition I cleared the
> contents of /var/db/samba4. Only users who have once been granted
> access to domain admins will show up. I am becoming more convinced it
> is something at the Active Directory level.
>
> Joe Maloney
>
OK, I think you need to open a bug report on this; please provide level 10 logs from when it happens.

Rowland
Nope. It's not a samba bug. It's Windows ACLs. The users that work have an ACL that gives Authenticated Users read. Without that, wbinfo -i, id, and getent passwd do not pick up the Unix IDs. Even an ldap query will not show it unless the user doing the query is a domain admin. I know some ACL changes were made when it was discovered that leftover cruft from a previous domain migration existed, and it was removed. This coincides with the breakage. Now I have to carefully figure out from a clean environment what the defaults should be from the top down, and correct. That should fix me.

Joe Maloney

On Tue, Jan 26, 2016 at 3:44 PM, Rowland penny <rpenny at samba.org> wrote:
> On 26/01/16 21:34, Joe Maloney wrote:
>
>> I have tried to add all of the above to smb4.conf with no luck. I also
>> did a net ads leave, and net ads join. In addition I cleared the contents
>> of /var/db/samba4. Only users who have once been granted access to domain
>> admins will show up. I am becoming more convinced it is something at the
>> Active Directory level.
>>
>> Joe Maloney
>>
> OK, I think you need to open a bug report on this; please provide level 10
> logs from when it happens.
>
> Rowland
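To audit the condition Joe identified (user objects whose ACL no longer grants Authenticated Users read, so the member server's winbind cannot read their RFC2307 attributes), the following PowerShell script reports, per user, whether such an ACE is present. It is an added example, not code from the thread or from the Samba project; the OU in $SearchBase is a placeholder, and the script assumes the RSAT ActiveDirectory module on a DC or admin workstation.

```powershell
# Added example (not from the thread): classify each user object under an OU
# by whether "Authenticated Users" (S-1-5-11) holds ReadProperty on it.
# Read-only audit; it changes nothing.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Users,DC=example,DC=com'    # placeholder, adjust to your OU
$AuthUsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$AuthUsers    = $AuthUsersSid.Translate([System.Security.Principal.NTAccount]).Value
$ReadProp     = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Get-AuthenticatedUsersReadState {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Get-Acl on the AD: drive returns explicit and inherited ACEs
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $full = $false; $partial = $false
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $AuthUsers) { continue }
        if (-not $ace.ActiveDirectoryRights.HasFlag($ReadProp)) { continue }
        # A Deny (explicit or inherited) overrides any Allow
        if ($ace.AccessControlType -eq 'Deny') { return 'Denied' }
        # Empty ObjectType means all properties; a GUID limits the ACE to one
        # attribute or property set and may not cover uidNumber/gidNumber
        if ($ace.ObjectType -eq [Guid]::Empty) { $full = $true } else { $partial = $true }
    }
    if ($full) { return 'Full' }
    if ($partial) { return 'PropertySpecific' }
    return 'Missing'
}

$report = Get-ADUser -Filter * -SearchBase $SearchBase | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        AuthUsersRead  = Get-AuthenticatedUsersReadState -DistinguishedName $_.DistinguishedName
        DN             = $_.DistinguishedName
    }
}
# Users reported as Missing or Denied are the ones winbind will fail to resolve
$report | Sort-Object AuthUsersRead, SamAccountName | Format-Table -AutoSize
```

Compare the 'Full' entries against the ones reported 'Missing' to see which OU or object lost the inherited ACE, rather than re-granting rights object by object.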