hasm> Seems I cut off my smb.conf short. I do have these two
hasm> lines that may be winbind related:
hasm> idmap config * : backend = tdb
hasm> idmap config * : range = 1000-199999

rpenny> then can I refer you to my previous comment, go back
rpenny> to the Samba wiki page and click on one of the
rpenny> links.

A little rewind here. My smb.conf hasn't changed (much) in
ages, and it works/worked fine for whatever "I do with it".
Maybe it needs tuning, maybe not. Maybe I don't need to run
winbind at all, that's not the point.

It's when my company bought some other company and the
internal IT did something to integrate their domain into
ours, that winbind started spitting those lines. Maybe the
AD is misconfigured, but if it is I can't do anything about
it (rather than point it out to them, maybe).

rpenny> You don't have to use sssd, but fedora probably expects
rpenny> you to do so, you can use winbind instead.

I stop as many new things that fedora throws at us as long
as possible. Sssd will now be off until something breaks.

rpenny> Is firewalld running ?

No, I use iptables/ip6tables.

-- HASM

On 01/02/16 19:19, HASM wrote:
> hasm> Seems I cut off my smb.conf short. I do have these two
> hasm> lines that may be winbind related:
> hasm> idmap config * : backend = tdb
> hasm> idmap config * : range = 1000-199999
>
> rpenny> then can I refer you to my previous comment, go back
> rpenny> to the Samba wiki page and click on one of the
> rpenny> links.
>
> A little rewind here. My smb.conf hasn't changed (much) in
> ages, and it works/worked fine for whatever "I do with it".
> Maybe it needs tuning, maybe not. Maybe I don't need to run
> winbind at all, that's not the point.
>
> It's when my company bought some other company and the
> internal IT did something to integrate their domain into
> ours, that winbind started spitting those lines. Maybe the
> AD is misconfigured, but if it is I can't do anything about
> it (rather than point it out to them, maybe).
>
> rpenny> You don't have to use sssd, but fedora probably expects
> rpenny> you to do so, you can use winbind instead.
>
> I stop as many new things that fedora throws at us as long
> as possible. Sssd will now be off until something breaks.
>
> rpenny> Is firewalld running ?
>
> No, I use iptables/ip6tables.
>
> -- HASM
>

One) Your smb.conf appears to be incorrectly set up, this will not help.

two) You are using a firewall, what it is called is neither here nor there, you are using a firewall and are *all* the required ports open? Could it be that you are now connecting to a later Windows DC that uses ports that are not open on your domain member?

Rowland

rpenny> One) Your smb.conf appears to be incorrectly set up, this
rpenny> will not help.
Maybe, but I don't think that's a problem in this case
rpenny> two) You are using a firewall, what it is called is neither
rpenny> here nor there, you are using a firewall and are *all* the
rpenny> required ports open ?
Again, don't think this is a problem. I went ahead and stopped
iptables and ip6tables, restarted winbind. Problem
persists.
I think I know what is wrong. After adding domains for
BUILTIN, HOSTNAME and COMPANY.COM domains, which seems to go
fine:
Added domain BUILTIN (null) S-ID-1
Added domain HOSTNAME (null) S-ID-2
Added domain COMPANY COMPANY.COM S-ID-3
STATUS=daemon 'winbindd' finished starting up and
ready to serve connections
winbind does:
Added domain DOMAIN_01 ACQUIRED.COM S-ID-4
...
ads_find_dc: name resolution for realm 'acquired.com'
(domain 'DOMAIN_01') failed: NT_STATUS_NO_LOGON_SERVERS
where DOMAIN_01 and ACQUIRED.COM are associated with the
company we purchased.
Turns out my DNS resolves ACQUIRED.COM to 192.168.xxx.yyy
where all other addresses of the main COMPANY.COM are of the
form 10.xxx.yyy.zzz, but I don't think there's a route for
192.168/16.
I'll try to handle this with IT (wish me luck:-)) but is
there a way to exclude that realm from winbindd searches?
Otherwise winbindd goes looking for it every few minutes,
using 100% of one of the cores, and fills up the log.
-- HASM
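
The failure pattern described in the message above can be tallied from the log itself. This is an added example, not part of the original thread: a Python sketch that pairs each "Added domain" line with later ads_find_dc failures and counts them per realm. The sample log is constructed from the sanitized lines quoted in the message; the function names are hypothetical, and a real log.winbindd carries timestamp headers and other lines that this parser simply ignores.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sanitized lines quoted in the message
# (the failure is repeated to mimic winbindd retrying every few minutes).
SAMPLE_LOG = """\
Added domain BUILTIN (null) S-ID-1
Added domain HOSTNAME (null) S-ID-2
Added domain COMPANY COMPANY.COM S-ID-3
Added domain DOMAIN_01 ACQUIRED.COM S-ID-4
ads_find_dc: name resolution for realm 'acquired.com'
(domain 'DOMAIN_01') failed: NT_STATUS_NO_LOGON_SERVERS
ads_find_dc: name resolution for realm 'acquired.com'
(domain 'DOMAIN_01') failed: NT_STATUS_NO_LOGON_SERVERS
"""

ADDED = re.compile(r"Added domain (\S+) (\S+) (\S+)")
# \s+ between the two halves lets the match span the wrapped log line.
FAILED = re.compile(
    r"ads_find_dc: name resolution for realm '([^']+)'\s+"
    r"\(domain '([^']+)'\) failed: (\w+)"
)

def summarize(log_text):
    """Return {domain: {realm, failures, status}} for every domain seen."""
    domains = {}
    for name, realm, _sid in ADDED.findall(log_text):
        realm = None if realm == "(null)" else realm.lower()
        domains[name] = {"realm": realm, "failures": 0, "status": None}
    for realm, name, status in FAILED.findall(log_text):
        # A failure for a domain with no earlier "Added domain" line is kept too.
        entry = domains.setdefault(
            name, {"realm": realm.lower(), "failures": 0, "status": None})
        entry["failures"] += 1
        entry["status"] = status
    return domains

def failing_realms(log_text):
    """Realms whose DC lookup failed, with failure counts, most frequent first."""
    counts = Counter()
    for entry in summarize(log_text).values():
        if entry["failures"]:
            counts[entry["realm"]] += entry["failures"]
    return counts.most_common()

if __name__ == "__main__":
    for realm, n in failing_realms(SAMPLE_LOG):
        print(f"{realm}: {n} failed DC lookups")
```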