Fernando Favero
2016-Feb-16 13:46 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
Hi Rowland

> OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the
> workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.

I understand, but, change the workgroup involves migrate domain, right ??
Or can I simply change workgroup and restart samba ??

> Your idmap config stack is incorrect, you only have settings for the
> builtin users & groups, see here for how you should set it up:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Follow the links on that page for the correct settings.

ldconfig -v | grep winbind shows "libnss_winbind.so.2 -> libnss_winbind.so.2"

nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

I changed smb.conf in a test environment with same problem with the
following parameters.

idmap config *:backend = tdb
idmap config *:range = 1000-1999
idmap config EXAMPLE.COM:range = 2000-50000
idmap config EXAMPLE.COM:backend = ad
idmap config EXAMPLE.COM:schema_mode = rfc2307

getent passwd shows local users only
getent group shows all groups (local and domain)
wbinfo -u shows nothing
wbinfo -g shows all groups (local and domain)

winbindd.log shows the following lines when debug level = 10,

Running "wbinfo -g"
.
.
.
[2016/02/16 11:29:26.185376, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31101]: request domain name
[2016/02/16 11:29:26.185431, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:29:26.185540, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:29:26.185610, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31101]: domain_info [EXAMPLE.COM]
[2016/02/16 11:29:26.185710, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:29:26.185825, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31101:LIST_GROUPS
[2016/02/16 11:29:26.185866, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups EXAMPLE.COM
[2016/02/16 11:29:26.185920, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    in: struct wbint_QueryGroupList
[2016/02/16 11:29:26.593525, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    out: struct wbint_QueryGroupList
      groups : *
        groups: struct wbint_Principals
          num_principals : 562
          principals: ARRAY(562)
            principals: struct wbint_Principal
              sid : S-1-5-21-1479197986-680052183-3269973696-571
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Allowed RODC Password Replication Group'
            principals: struct wbint_Principal
              sid : S-1-5-21-1479197986-680052183-3269973696-498
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Enterprise Read-Only Domain Controllers'
.
.
.

Running "wbinfo -u"
.
.
.
[2016/02/16 11:30:07.352308, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31117]: request domain name
[2016/02/16 11:30:07.352368, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:30:07.352428, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:30:07.352452, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31117]: domain_info [EXAMPLE.COM]
[2016/02/16 11:30:07.352526, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:30:07.352648, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31117:LIST_USERS
[2016/02/16 11:30:07.352697, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users EXAMPLE.COM
[2016/02/16 11:30:07.352740, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    in: struct wbint_QueryUserList
[2016/02/16 11:30:17.465320, 5, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:1132(remove_timed_out_clients)
  Idle client timed out, shutting down sock 33, pid 31053
[2016/02/16 11:31:07.763617, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40c
[2016/02/16 11:31:07.763671, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.763691, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:365(winbind_msg_domain_offline)
  Domain EXAMPLE.COM is marked as offline now.
[2016/02/16 11:31:07.764062, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    out: struct wbint_QueryUserList
      users : *
        users: struct wbint_userinfos
          num_userinfos : 0x00000000 (0)
          userinfos: ARRAY(0)
      result : NT_STATUS_IO_TIMEOUT
[2016/02/16 11:31:07.764138, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
  Domain EXAMPLE.COM returned 0 users
[2016/02/16 11:31:07.764152, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain EXAMPLE.COM failed
[2016/02/16 11:31:07.764167, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[31117:LIST_USERS]: NT_STATUS_OK
[2016/02/16 11:31:07.764222, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:LIST_USERS]: delivered response to client
[2016/02/16 11:31:07.764940, 6, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 35, client exited
[2016/02/16 11:31:07.873705, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40b
[2016/02/16 11:31:07.873752, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40b len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.873775, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:385(winbind_msg_domain_online)
  Domain EXAMPLE.COM is marked as online now.
Fernando Favero
2016-Feb-17 18:10 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
Well.... I know that this problem is very weird, but, does anyone know how
to identify where the problem is??
My domain controller shows only groups... not users, and smbclient shows:

Samba version 4.3.1
PID     Username   Group     Machine                                    Protocol Version
------------------------------------------------------------------------------
13570   -1         -1        u183848      (ipv4:10.90.35.221:62129)     SMB2_02
13557   -1         -1        10.90.74.154 (ipv4:10.90.74.154:51183)     SMB2_10
13993   -1         -1        10.90.78.109 (ipv4:10.90.78.109:50260)     SMB2_10
13746   -1         -1        10.90.76.136 (ipv4:10.90.76.136:50233)     SMB2_10
13517   -1         -1        10.90.68.77  (ipv4:10.90.68.77:56510)      SMB2_10
14322   -1         -1        10.90.11.221 (ipv4:10.90.11.221:58934)     SMB2_10
14312   -1         -1        10.90.12.114 (ipv4:10.90.12.114:49750)     SMB3_02
13521   -1         -1        u225158      (ipv4:10.90.13.122:51219)     SMB2_10
14350   -1         -1        10.90.22.91  (ipv4:10.90.22.91:59956)      SMB2_10
13573   -1         -1        10.90.52.213 (ipv4:10.90.52.213:57004)     SMB2_10
13510   nobody     3000010   u225158      (ipv4:10.90.13.122:51217)     SMB2_10
14117   -1         -1        10.90.21.62  (ipv4:10.90.21.62:2250)       NT1

Thanks
Rowland Penny
2016-Feb-17 18:43 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
On 17/02/16 18:10, Fernando Favero wrote:
> Well.... I know that this problem is very weird, but, does anyone know how
> to identify where the problem is??
> My domain controller shows only groups... not users, and smbclient shows:

OK, whilst I cannot understand why 'wbinfo -u' doesn't show your users, I
see that you are now using the winbind 'ad' backend, have you given all
your users a unique uidNumber inside the range you have set in smb.conf on
the fileservers (2000-50000) ???
You will also need to give 'Domain Users' a gidNumber attribute, again
inside the range set in smb.conf.

Rowland
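
The check Rowland describes, as an added example that is not part of the original thread: it parses the `idmap config` lines quoted above and lists accounts the 'ad' backend cannot map because uidNumber/gidNumber is missing or outside the domain range. The function names and the `ENTRIES` directory export are hypothetical, constructed for illustration.

```python
import re

# Constructed smb.conf fragment using the idmap settings quoted in the thread.
SMB_CONF = """\
[global]
    idmap config *:backend = tdb
    idmap config *:range = 1000-1999
    idmap config EXAMPLE.COM:backend = ad
    idmap config EXAMPLE.COM:range = 2000-50000
    idmap config EXAMPLE.COM:schema_mode = rfc2307
"""

# Constructed directory export: (name, kind, uidNumber or gidNumber, None if unset).
ENTRIES = [
    ("alice", "user", 2001),
    ("bob", "user", None),            # attribute never set
    ("carol", "user", 1500),          # lands in the '*' (tdb) range instead
    ("Domain Users", "group", None),  # primary group without a gidNumber
    ("staff", "group", 2100),
]

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {option: value}}; 'range' becomes a (low, high) tuple."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, option, value = m.group(1), m.group(2).lower(), m.group(3)
        if option == "range":
            low, high = (int(x) for x in value.split("-"))
            value = (low, high)
        domains.setdefault(domain, {})[option] = value
    return domains

def overlapping_ranges(domains):
    """Pairs of idmap domains whose ID ranges intersect (a misconfiguration)."""
    items = sorted((d, o["range"]) for d, o in domains.items() if "range" in o)
    return [(a, b) for i, (a, ra) in enumerate(items)
            for b, rb in items[i + 1:] if ra[0] <= rb[1] and rb[0] <= ra[1]]

def unmapped(entries, id_range):
    """Entries with no ID attribute, or one outside the configured range."""
    low, high = id_range
    return [(name, kind, "missing" if n is None else "out of range")
            for name, kind, n in entries if n is None or not low <= n <= high]

if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    print("overlaps:", overlapping_ranges(cfg))
    for row in unmapped(ENTRIES, cfg["EXAMPLE.COM"]["range"]):
        print("unmapped:", row)
```
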