Ok, im having this : DC's Debian Wheezy 7.9, sernet samba 4.2.8 Member servers. Debian Jessie samba 4.1.17 ( fileserver ) Debian Jessie samba 4.2.7 ( print server ) This one isnt updated yet with latest updates. The following packages have been kept back: samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind The following packages will be upgraded: krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5 on this one all id's are still correct. Thanks, Daniel Müller, for your addition.. This is really a big problem.. what happend her in the samba code? I've looked at the change log, but cant seen any related to this. So if anyone DEVS ? know what happend here in the samba code. As far as i now know i have to. Re-assign all my uid / gids on all users / groups, with other id's, omg wat a hell... And fix all idmaps on all servers.. pff. ... really no other fix ? There goes my weekend... Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > Verzonden: vrijdag 12 februari 2016 9:06 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Group lost from Winbind > > my os is debian 8.3 > > win bind and samba are in version 4.1.17 > > > > Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > > > Ok, same problem as im having.. > > > > What is your os running? > > > > > >> -----Oorspronkelijk bericht----- > >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner > >> Verzonden: vrijdag 12 februari 2016 8:56 > >> Aan: samba at lists.samba.org > >> Onderwerp: [Samba] AD Group lost from Winbind > >> > >> Hello, > >> > >> the last two days i have problems with my AD group which is defined in > >> share setting valid users > >> > >> Winbind looks to lost mapping of this group and so no user can connect > to > >> this share anymore. > >> > >> When restart winbind service mapping works again until mapping lost > again. > >> > >> > >> ls -lsa shows me in issue this: > >> > >> 2 4 drwxr-x--- 63 root 12001 > >> 4096 Feb 4 23:42 Share > >> > >> After restarting winbind: > >> > >> 2 4 drwxr-x--- 63 root group_intern > >> 4096 Feb 4 23:42 Share > >> > >> > >> My smb.conf looks like > >> > >> > >> [global] > >> netbios name = MEMBER1 > >> security = ADS > >> workgroup = HQ > >> realm = hq.internal > >> > >> log file = /var/log/samba/%m.log > >> log level = 1 > >> > >> dedicated keytab file = /etc/krb5.keytab > >> kerberos method = secrets and keytab > >> winbind refresh tickets = yes > >> > >> winbind trusted domains only = no > >> winbind use default domain = yes > >> winbind enum users = yes > >> winbind enum groups = yes > >> winbind cache time = 300 > >> > >> > >> idmap config *:backend = tdb > >> idmap config *:range = 500-9999 > >> > >> # idmap config for domain HQ > >> idmap config HQ:backend = ad > >> idmap config HQ:schema_mode = rfc2307 > >> idmap config HQ:range = 10000-99999 > >> > >> # Use settings from AD for login shell and home directory > >> winbind nss info = rfc2307 > >> > >> [Share] > >> path = /data/share > >> browseable = yes > >> writeable = yes > >> force group = Group_Intern > >> valid users = @Group_Intern > >> create mask = 0660 > >> directory mask = 0770 > >> #oplocks = 0 > >> vfs objects = full_audit recycle > >> full_audit:prefix = %u > >> full_audit:success = mkdir rename rmdir unlink pwrite > >> full_audit:failure = none > >> full_audit:facility = LOCAL5 > >> full_audit:priority = NOTICE > >> recycle:versions = yes > >> recycle:exclude = .*, ~* > >> > >> > >> > >> Anyone has an idea for this problem? > >> > >> > >> Regards > >> Oliver > >> -- > >> To unsubscribe from this list go to the following URL and read the > >> instructions: https://lists.samba.org/mailman/options/samba > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
On 12/02/16 08:20, L.P.H. van Belle wrote:> Ok, im having this : > > DC's Debian Wheezy 7.9, sernet samba 4.2.8 > > > Member servers.Debian Jessie samba 4.1.17 ( fileserver ) Debian > Jessie samba 4.2.7 ( print server ) This one isnt updated yet with > latest updates. > > The following packages have been kept back: samba sernet-samba > sernet-samba-client sernet-samba-common sernet-samba-libs > sernet-samba-libsmbclient0 sernet-samba-winbind The following > packages will be upgraded: krb5-locales krb5-user libgssapi-krb5-2 > libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 > libkrb5-3 libkrb5support0 libtiff5 > > on this one all id's are still correct. > > Thanks, Daniel Müller, for your addition.. > > This is really a big problem.. what happend her in the samba code? > I've looked at the change log, but cant seen any related to this. > > So if anyone DEVS ? know what happend here in the samba code. As far > as i now know i have to. Re-assign all my uid / gids on all users / > groups, with other id's, omg wat a hell... And fix all idmaps on all > servers.. pff. ... really no other fix ? > > There goes my weekend... > > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- Van: Oliver Werner >> [mailto:oliver.werner at kontrast.de] Verzonden: vrijdag 12 februari >> 2016 9:06 Aan: L.P.H. van Belle CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] AD Group lost from Winbind >> >> my os is debian 8.3 >> >> win bind and samba are in version 4.1.17 >> >> >>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle >>> <belle at bazuin.nl>: >>> >>> Ok, same problem as im having.. >>> >>> What is your os running? >>> >>> >>>> -----Oorspronkelijk bericht----- Van: samba >>>> [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner >>>> Verzonden: vrijdag 12 februari 2016 8:56 Aan: >>>> samba at lists.samba.org Onderwerp: [Samba] AD Group lost from >>>> Winbind >>>> >>>> Hello, >>>> >>>> the last two days i have problems with my AD group which is >>>> defined in share setting valid users >>>> >>>> Winbind looks to lost mapping of this group and so no user can >>>> connect >> to >>>> this share anymore. >>>> >>>> When restart winbind service mapping works again until mapping >>>> lost >> again. >>>> >>>> >>>> ls -lsa shows me in issue this: >>>> >>>> 2 4 drwxr-x--- 63 root 12001 4096 Feb 4 >>>> 23:42 Share >>>> >>>> After restarting winbind: >>>> >>>> 2 4 drwxr-x--- 63 root group_intern 4096 >>>> Feb 4 23:42 Share >>>> >>>> >>>> My smb.conf looks like >>>> >>>> >>>> [global] netbios name = MEMBER1 security = ADS workgroup = HQ >>>> realm = hq.internal >>>> >>>> log file = /var/log/samba/%m.log log level = 1 >>>> >>>> dedicated keytab file = /etc/krb5.keytab kerberos method = >>>> secrets and keytab winbind refresh tickets = yes >>>> >>>> winbind trusted domains only = no winbind use default domain = >>>> yes winbind enum users = yes winbind enum groups = yes winbind >>>> cache time = 300 >>>> >>>> >>>> idmap config *:backend = tdb idmap config *:range = 500-9999 >>>> >>>> # idmap config for domain HQ idmap config HQ:backend = ad idmap >>>> config HQ:schema_mode = rfc2307 idmap config HQ:range = >>>> 10000-99999 >>>> >>>> # Use settings from AD for login shell and home directory >>>> winbind nss info = rfc2307 >>>> >>>> [Share] path = /data/share browseable = yes writeable = yes >>>> force group = Group_Intern valid users = @Group_Intern create >>>> mask = 0660 directory mask = 0770 #oplocks = 0 vfs objects = >>>> full_audit recycle full_audit:prefix = %u full_audit:success = >>>> mkdir rename rmdir unlink pwrite full_audit:failure = none >>>> full_audit:facility = LOCAL5 full_audit:priority = NOTICE >>>> recycle:versions = yes recycle:exclude = .*, ~* >>>> >>>> >>>> >>>> Anyone has an idea for this problem? >>>> >>>> >>>> Regards Oliver -- To unsubscribe from this list go to the >>>> following URL and read the instructions: >>>> https://lists.samba.org/mailman/options/samba >>> >>> >>> -- To unsubscribe from this list go to the following URL and read >>> the instructions: https://lists.samba.org/mailman/options/samba > > > Well, I did say that I could never get the lines you add to smb.conf on a DC to work :-) Lets see if I understand the situation correctly. Users & groups have been given a uidNumber or gidNumber attribute. You are now getting different results on different DCs. You used to get the same results and all that has changed is the version of Samba. If the above is correct, I think you need to log a bug report, it might help if you can supply a level 10 log from asking for 'getent group Domain\ Users' on both DCs Rowland
In my Situation i don’t use DCs for Shares (only for sysvol) So my Member is has the problems.> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > Ok, im having this : > > DC's > Debian Wheezy 7.9, sernet samba 4.2.8 > > > Member servers. > Debian Jessie samba 4.1.17 ( fileserver ) > Debian Jessie samba 4.2.7 ( print server ) > This one isnt updated yet with latest updates. > > The following packages have been kept back: > samba sernet-samba sernet-samba-client sernet-samba-common sernet-samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind > The following packages will be upgraded: > krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 libtiff5 > > on this one all id's are still correct. > > Thanks, Daniel Müller, for your addition.. > > This is really a big problem.. what happend her in the samba code? > I've looked at the change log, but cant seen any related to this. > > So if anyone DEVS ? know what happend here in the samba code. > As far as i now know i have to. > Re-assign all my uid / gids on all users / groups, with other id's, omg wat a hell... > And fix all idmaps on all servers.. pff. ... really no other fix ? > > There goes my weekend... > > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >> Verzonden: vrijdag 12 februari 2016 9:06 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] AD Group lost from Winbind >> >> my os is debian 8.3 >> >> win bind and samba are in version 4.1.17 >> >> >>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>> >>> Ok, same problem as im having.. >>> >>> What is your os running? >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver Werner >>>> Verzonden: vrijdag 12 februari 2016 8:56 >>>> Aan: samba at lists.samba.org >>>> Onderwerp: [Samba] AD Group lost from Winbind >>>> >>>> Hello, >>>> >>>> the last two days i have problems with my AD group which is defined in >>>> share setting valid users >>>> >>>> Winbind looks to lost mapping of this group and so no user can connect >> to >>>> this share anymore. >>>> >>>> When restart winbind service mapping works again until mapping lost >> again. >>>> >>>> >>>> ls -lsa shows me in issue this: >>>> >>>> 2 4 drwxr-x--- 63 root 12001 >>>> 4096 Feb 4 23:42 Share >>>> >>>> After restarting winbind: >>>> >>>> 2 4 drwxr-x--- 63 root group_intern >>>> 4096 Feb 4 23:42 Share >>>> >>>> >>>> My smb.conf looks like >>>> >>>> >>>> [global] >>>> netbios name = MEMBER1 >>>> security = ADS >>>> workgroup = HQ >>>> realm = hq.internal >>>> >>>> log file = /var/log/samba/%m.log >>>> log level = 1 >>>> >>>> dedicated keytab file = /etc/krb5.keytab >>>> kerberos method = secrets and keytab >>>> winbind refresh tickets = yes >>>> >>>> winbind trusted domains only = no >>>> winbind use default domain = yes >>>> winbind enum users = yes >>>> winbind enum groups = yes >>>> winbind cache time = 300 >>>> >>>> >>>> idmap config *:backend = tdb >>>> idmap config *:range = 500-9999 >>>> >>>> # idmap config for domain HQ >>>> idmap config HQ:backend = ad >>>> idmap config HQ:schema_mode = rfc2307 >>>> idmap config HQ:range = 10000-99999 >>>> >>>> # Use settings from AD for login shell and home directory >>>> winbind nss info = rfc2307 >>>> >>>> [Share] >>>> path = /data/share >>>> browseable = yes >>>> writeable = yes >>>> force group = Group_Intern >>>> valid users = @Group_Intern >>>> create mask = 0660 >>>> directory mask = 0770 >>>> #oplocks = 0 >>>> vfs objects = full_audit recycle >>>> full_audit:prefix = %u >>>> full_audit:success = mkdir rename rmdir unlink pwrite >>>> full_audit:failure = none >>>> full_audit:facility = LOCAL5 >>>> full_audit:priority = NOTICE >>>> recycle:versions = yes >>>> recycle:exclude = .*, ~* >>>> >>>> >>>> >>>> Anyone has an idea for this problem? >>>> >>>> >>>> Regards >>>> Oliver >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.samba.org/pipermail/samba/attachments/20160212/6e6adff5/signature.sig>
Thats strange, my members dont show this the problem, only my DC's Can you post your smb.conf of the DC and one of your member servers. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > Verzonden: vrijdag 12 februari 2016 10:16 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Group lost from Winbind > > In my Situation i don?t use DCs for Shares (only for sysvol) > > > So my Member is has the problems. > > > > Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > > > Ok, im having this : > > > > DC's > > Debian Wheezy 7.9, sernet samba 4.2.8 > > > > > > Member servers. > > Debian Jessie samba 4.1.17 ( fileserver ) > > Debian Jessie samba 4.2.7 ( print server ) > > This one isnt updated yet with latest updates. > > > > The following packages have been kept back: > > samba sernet-samba sernet-samba-client sernet-samba-common sernet- > samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind > > The following packages will be upgraded: > > krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 > libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 > libtiff5 > > > > on this one all id's are still correct. > > > > Thanks, Daniel Müller, for your addition.. > > > > This is really a big problem.. what happend her in the samba code? > > I've looked at the change log, but cant seen any related to this. > > > > So if anyone DEVS ? know what happend here in the samba code. > > As far as i now know i have to. > > Re-assign all my uid / gids on all users / groups, with other id's, omg > wat a hell... > > And fix all idmaps on all servers.. pff. ... really no other fix ? > > > > There goes my weekend... > > > > > > Greetz, > > > > Louis > > > > > > > >> -----Oorspronkelijk bericht----- > >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >> Verzonden: vrijdag 12 februari 2016 9:06 > >> Aan: L.P.H. van Belle > >> CC: samba at lists.samba.org > >> Onderwerp: Re: [Samba] AD Group lost from Winbind > >> > >> my os is debian 8.3 > >> > >> win bind and samba are in version 4.1.17 > >> > >> > >>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>> > >>> Ok, same problem as im having.. > >>> > >>> What is your os running? > >>> > >>> > >>>> -----Oorspronkelijk bericht----- > >>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver > Werner > >>>> Verzonden: vrijdag 12 februari 2016 8:56 > >>>> Aan: samba at lists.samba.org > >>>> Onderwerp: [Samba] AD Group lost from Winbind > >>>> > >>>> Hello, > >>>> > >>>> the last two days i have problems with my AD group which is defined > in > >>>> share setting valid users > >>>> > >>>> Winbind looks to lost mapping of this group and so no user can > connect > >> to > >>>> this share anymore. > >>>> > >>>> When restart winbind service mapping works again until mapping lost > >> again. > >>>> > >>>> > >>>> ls -lsa shows me in issue this: > >>>> > >>>> 2 4 drwxr-x--- 63 root 12001 > >>>> 4096 Feb 4 23:42 Share > >>>> > >>>> After restarting winbind: > >>>> > >>>> 2 4 drwxr-x--- 63 root group_intern > >>>> 4096 Feb 4 23:42 Share > >>>> > >>>> > >>>> My smb.conf looks like > >>>> > >>>> > >>>> [global] > >>>> netbios name = MEMBER1 > >>>> security = ADS > >>>> workgroup = HQ > >>>> realm = hq.internal > >>>> > >>>> log file = /var/log/samba/%m.log > >>>> log level = 1 > >>>> > >>>> dedicated keytab file = /etc/krb5.keytab > >>>> kerberos method = secrets and keytab > >>>> winbind refresh tickets = yes > >>>> > >>>> winbind trusted domains only = no > >>>> winbind use default domain = yes > >>>> winbind enum users = yes > >>>> winbind enum groups = yes > >>>> winbind cache time = 300 > >>>> > >>>> > >>>> idmap config *:backend = tdb > >>>> idmap config *:range = 500-9999 > >>>> > >>>> # idmap config for domain HQ > >>>> idmap config HQ:backend = ad > >>>> idmap config HQ:schema_mode = rfc2307 > >>>> idmap config HQ:range = 10000-99999 > >>>> > >>>> # Use settings from AD for login shell and home directory > >>>> winbind nss info = rfc2307 > >>>> > >>>> [Share] > >>>> path = /data/share > >>>> browseable = yes > >>>> writeable = yes > >>>> force group = Group_Intern > >>>> valid users = @Group_Intern > >>>> create mask = 0660 > >>>> directory mask = 0770 > >>>> #oplocks = 0 > >>>> vfs objects = full_audit recycle > >>>> full_audit:prefix = %u > >>>> full_audit:success = mkdir rename rmdir unlink pwrite > >>>> full_audit:failure = none > >>>> full_audit:facility = LOCAL5 > >>>> full_audit:priority = NOTICE > >>>> recycle:versions = yes > >>>> recycle:exclude = .*, ~* > >>>> > >>>> > >>>> > >>>> Anyone has an idea for this problem? > >>>> > >>>> > >>>> Regards > >>>> Oliver > >>>> -- > >>>> To unsubscribe from this list go to the following URL and read the > >>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
Yeah.. but why this sudden change in winbindd code.. Its not in the change logs, or did i miss something.> Well, I did say that I could never get the lines you add to smb.conf on > a DC to work :-) > > Lets see if I understand the situation correctly. > > Users & groups have been given a uidNumber or gidNumber attribute. > > You are now getting different results on different DCs. > You used to get the same results and all that has changed is the version > of Samba. > > If the above is correct, I think you need to log a bug report, it might > help if you can supply a level 10 log from asking for 'getent group > Domain\ Users' on both DCs > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
This is DC: # Global parameters [global] workgroup = HQ realm = HQ.INTERNAL netbios name = DC1 server role = active directory domain controller idmap_ldb:use rfc2307 = yes interfaces=eth0 bind interfaces only=yes tls enabled = yes tls keyfile = /var/lib/samba/private/tls/key.pem tls certfile = /var/lib/samba/private/tls/cert.pem tls cafile = /var/lib/samba/private/tls/ca.pem [netlogon] path = /var/lib/samba/sysvol/hq.kontrast/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No member config was shown in my first e-mail> Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > Thats strange, my members dont show this the problem, only my DC's > > Can you post your smb.conf of the DC and one of your member servers. > > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >> Verzonden: vrijdag 12 februari 2016 10:16 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] AD Group lost from Winbind >> >> In my Situation i don?t use DCs for Shares (only for sysvol) >> >> >> So my Member is has the problems. >> >> >>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>> >>> Ok, im having this : >>> >>> DC's >>> Debian Wheezy 7.9, sernet samba 4.2.8 >>> >>> >>> Member servers. >>> Debian Jessie samba 4.1.17 ( fileserver ) >>> Debian Jessie samba 4.2.7 ( print server ) >>> This one isnt updated yet with latest updates. >>> >>> The following packages have been kept back: >>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- >> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind >>> The following packages will be upgraded: >>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 >> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 >> libtiff5 >>> >>> on this one all id's are still correct. >>> >>> Thanks, Daniel Müller, for your addition.. >>> >>> This is really a big problem.. what happend her in the samba code? >>> I've looked at the change log, but cant seen any related to this. >>> >>> So if anyone DEVS ? know what happend here in the samba code. >>> As far as i now know i have to. >>> Re-assign all my uid / gids on all users / groups, with other id's, omg >> wat a hell... >>> And fix all idmaps on all servers.. pff. ... really no other fix ? >>> >>> There goes my weekend... >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>> Verzonden: vrijdag 12 februari 2016 9:06 >>>> Aan: L.P.H. van Belle >>>> CC: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>> >>>> my os is debian 8.3 >>>> >>>> win bind and samba are in version 4.1.17 >>>> >>>> >>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>> >>>>> Ok, same problem as im having.. >>>>> >>>>> What is your os running? >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver >> Werner >>>>>> Verzonden: vrijdag 12 februari 2016 8:56 >>>>>> Aan: samba at lists.samba.org >>>>>> Onderwerp: [Samba] AD Group lost from Winbind >>>>>> >>>>>> Hello, >>>>>> >>>>>> the last two days i have problems with my AD group which is defined >> in >>>>>> share setting valid users >>>>>> >>>>>> Winbind looks to lost mapping of this group and so no user can >> connect >>>> to >>>>>> this share anymore. >>>>>> >>>>>> When restart winbind service mapping works again until mapping lost >>>> again. >>>>>> >>>>>> >>>>>> ls -lsa shows me in issue this: >>>>>> >>>>>> 2 4 drwxr-x--- 63 root 12001 >>>>>> 4096 Feb 4 23:42 Share >>>>>> >>>>>> After restarting winbind: >>>>>> >>>>>> 2 4 drwxr-x--- 63 root group_intern >>>>>> 4096 Feb 4 23:42 Share >>>>>> >>>>>> >>>>>> My smb.conf looks like >>>>>> >>>>>> >>>>>> [global] >>>>>> netbios name = MEMBER1 >>>>>> security = ADS >>>>>> workgroup = HQ >>>>>> realm = hq.internal >>>>>> >>>>>> log file = /var/log/samba/%m.log >>>>>> log level = 1 >>>>>> >>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>> kerberos method = secrets and keytab >>>>>> winbind refresh tickets = yes >>>>>> >>>>>> winbind trusted domains only = no >>>>>> winbind use default domain = yes >>>>>> winbind enum users = yes >>>>>> winbind enum groups = yes >>>>>> winbind cache time = 300 >>>>>> >>>>>> >>>>>> idmap config *:backend = tdb >>>>>> idmap config *:range = 500-9999 >>>>>> >>>>>> # idmap config for domain HQ >>>>>> idmap config HQ:backend = ad >>>>>> idmap config HQ:schema_mode = rfc2307 >>>>>> idmap config HQ:range = 10000-99999 >>>>>> >>>>>> # Use settings from AD for login shell and home directory >>>>>> winbind nss info = rfc2307 >>>>>> >>>>>> [Share] >>>>>> path = /data/share >>>>>> browseable = yes >>>>>> writeable = yes >>>>>> force group = Group_Intern >>>>>> valid users = @Group_Intern >>>>>> create mask = 0660 >>>>>> directory mask = 0770 >>>>>> #oplocks = 0 >>>>>> vfs objects = full_audit recycle >>>>>> full_audit:prefix = %u >>>>>> full_audit:success = mkdir rename rmdir unlink pwrite >>>>>> full_audit:failure = none >>>>>> full_audit:facility = LOCAL5 >>>>>> full_audit:priority = NOTICE >>>>>> recycle:versions = yes >>>>>> recycle:exclude = .*, ~* >>>>>> >>>>>> >>>>>> >>>>>> Anyone has an idea for this problem? >>>>>> >>>>>> >>>>>> Regards >>>>>> Oliver >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.samba.org/pipermail/samba/attachments/20160212/e14b561a/signature.sig>
This looks all good to me but the problem lays in the DC winbind code, not the member. You can try to witch back ( temperarly ) to winbind ( on the DC ) As i did, al least you get the correct id's back. ( for now ) For you this the change you need on the DC. server services = -winbindd +winbind Im recompiling the samba 4.3.3 from sid now atm, so ill test them out what happpens. I'll report back here. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > Verzonden: vrijdag 12 februari 2016 10:54 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Group lost from Winbind > > This is DC: > # Global parameters > [global] > workgroup = HQ > realm = HQ.INTERNAL > netbios name = DC1 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > interfaces=eth0 > bind interfaces only=yes > tls enabled = yes > tls keyfile = /var/lib/samba/private/tls/key.pem > tls certfile = /var/lib/samba/private/tls/cert.pem > tls cafile = /var/lib/samba/private/tls/ca.pem > > [netlogon] > path = /var/lib/samba/sysvol/hq.kontrast/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > > member config was shown in my first e-mail > > > > > > > > Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > > > Thats strange, my members dont show this the problem, only my DC's > > > > Can you post your smb.conf of the DC and one of your member servers. > > > > > > Greetz, > > > > Louis > > > > > >> -----Oorspronkelijk bericht----- > >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >> Verzonden: vrijdag 12 februari 2016 10:16 > >> Aan: L.P.H. van Belle > >> CC: samba at lists.samba.org > >> Onderwerp: Re: [Samba] AD Group lost from Winbind > >> > >> In my Situation i don?t use DCs for Shares (only for sysvol) > >> > >> > >> So my Member is has the problems. > >> > >> > >>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>> > >>> Ok, im having this : > >>> > >>> DC's > >>> Debian Wheezy 7.9, sernet samba 4.2.8 > >>> > >>> > >>> Member servers. > >>> Debian Jessie samba 4.1.17 ( fileserver ) > >>> Debian Jessie samba 4.2.7 ( print server ) > >>> This one isnt updated yet with latest updates. > >>> > >>> The following packages have been kept back: > >>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- > >> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind > >>> The following packages will be upgraded: > >>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 > >> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 > >> libtiff5 > >>> > >>> on this one all id's are still correct. > >>> > >>> Thanks, Daniel Müller, for your addition.. > >>> > >>> This is really a big problem.. what happend her in the samba code? > >>> I've looked at the change log, but cant seen any related to this. > >>> > >>> So if anyone DEVS ? know what happend here in the samba code. > >>> As far as i now know i have to. > >>> Re-assign all my uid / gids on all users / groups, with other id's, > omg > >> wat a hell... > >>> And fix all idmaps on all servers.. pff. ... really no other fix ? > >>> > >>> There goes my weekend... > >>> > >>> > >>> Greetz, > >>> > >>> Louis > >>> > >>> > >>> > >>>> -----Oorspronkelijk bericht----- > >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >>>> Verzonden: vrijdag 12 februari 2016 9:06 > >>>> Aan: L.P.H. van Belle > >>>> CC: samba at lists.samba.org > >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind > >>>> > >>>> my os is debian 8.3 > >>>> > >>>> win bind and samba are in version 4.1.17 > >>>> > >>>> > >>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>>>> > >>>>> Ok, same problem as im having.. > >>>>> > >>>>> What is your os running? > >>>>> > >>>>> > >>>>>> -----Oorspronkelijk bericht----- > >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver > >> Werner > >>>>>> Verzonden: vrijdag 12 februari 2016 8:56 > >>>>>> Aan: samba at lists.samba.org > >>>>>> Onderwerp: [Samba] AD Group lost from Winbind > >>>>>> > >>>>>> Hello, > >>>>>> > >>>>>> the last two days i have problems with my AD group which is defined > >> in > >>>>>> share setting valid users > >>>>>> > >>>>>> Winbind looks to lost mapping of this group and so no user can > >> connect > >>>> to > >>>>>> this share anymore. > >>>>>> > >>>>>> When restart winbind service mapping works again until mapping lost > >>>> again. > >>>>>> > >>>>>> > >>>>>> ls -lsa shows me in issue this: > >>>>>> > >>>>>> 2 4 drwxr-x--- 63 root 12001 > >>>>>> 4096 Feb 4 23:42 Share > >>>>>> > >>>>>> After restarting winbind: > >>>>>> > >>>>>> 2 4 drwxr-x--- 63 root group_intern > >>>>>> 4096 Feb 4 23:42 Share > >>>>>> > >>>>>> > >>>>>> My smb.conf looks like > >>>>>> > >>>>>> > >>>>>> [global] > >>>>>> netbios name = MEMBER1 > >>>>>> security = ADS > >>>>>> workgroup = HQ > >>>>>> realm = hq.internal > >>>>>> > >>>>>> log file = /var/log/samba/%m.log > >>>>>> log level = 1 > >>>>>> > >>>>>> dedicated keytab file = /etc/krb5.keytab > >>>>>> kerberos method = secrets and keytab > >>>>>> winbind refresh tickets = yes > >>>>>> > >>>>>> winbind trusted domains only = no > >>>>>> winbind use default domain = yes > >>>>>> winbind enum users = yes > >>>>>> winbind enum groups = yes > >>>>>> winbind cache time = 300 > >>>>>> > >>>>>> > >>>>>> idmap config *:backend = tdb > >>>>>> idmap config *:range = 500-9999 > >>>>>> > >>>>>> # idmap config for domain HQ > >>>>>> idmap config HQ:backend = ad > >>>>>> idmap config HQ:schema_mode = rfc2307 > >>>>>> idmap config HQ:range = 10000-99999 > >>>>>> > >>>>>> # Use settings from AD for login shell and home directory > >>>>>> winbind nss info = rfc2307 > >>>>>> > >>>>>> [Share] > >>>>>> path = /data/share > >>>>>> browseable = yes > >>>>>> writeable = yes > >>>>>> force group = Group_Intern > >>>>>> valid users = @Group_Intern > >>>>>> create mask = 0660 > >>>>>> directory mask = 0770 > >>>>>> #oplocks = 0 > >>>>>> vfs objects = full_audit recycle > >>>>>> full_audit:prefix = %u > >>>>>> full_audit:success = mkdir rename rmdir unlink pwrite > >>>>>> full_audit:failure = none > >>>>>> full_audit:facility = LOCAL5 > >>>>>> full_audit:priority = NOTICE > >>>>>> recycle:versions = yes > >>>>>> recycle:exclude = .*, ~* > >>>>>> > >>>>>> > >>>>>> > >>>>>> Anyone has an idea for this problem? > >>>>>> > >>>>>> > >>>>>> Regards > >>>>>> Oliver > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>> > >>>>> > >>>>> -- > >>>>> To unsubscribe from this list go to the following URL and read the > >>>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba