This looks all good to me but the problem lays in the DC winbind code, not the member. You can try to witch back ( temperarly ) to winbind ( on the DC ) As i did, al least you get the correct id's back. ( for now ) For you this the change you need on the DC. server services = -winbindd +winbind Im recompiling the samba 4.3.3 from sid now atm, so ill test them out what happpens. I'll report back here. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > Verzonden: vrijdag 12 februari 2016 10:54 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Group lost from Winbind > > This is DC: > # Global parameters > [global] > workgroup = HQ > realm = HQ.INTERNAL > netbios name = DC1 > server role = active directory domain controller > idmap_ldb:use rfc2307 = yes > interfaces=eth0 > bind interfaces only=yes > tls enabled = yes > tls keyfile = /var/lib/samba/private/tls/key.pem > tls certfile = /var/lib/samba/private/tls/cert.pem > tls cafile = /var/lib/samba/private/tls/ca.pem > > [netlogon] > path = /var/lib/samba/sysvol/hq.kontrast/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > > > member config was shown in my first e-mail > > > > > > > > Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > > > Thats strange, my members dont show this the problem, only my DC's > > > > Can you post your smb.conf of the DC and one of your member servers. > > > > > > Greetz, > > > > Louis > > > > > >> -----Oorspronkelijk bericht----- > >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >> Verzonden: vrijdag 12 februari 2016 10:16 > >> Aan: L.P.H. van Belle > >> CC: samba at lists.samba.org > >> Onderwerp: Re: [Samba] AD Group lost from Winbind > >> > >> In my Situation i don?t use DCs for Shares (only for sysvol) > >> > >> > >> So my Member is has the problems. > >> > >> > >>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>> > >>> Ok, im having this : > >>> > >>> DC's > >>> Debian Wheezy 7.9, sernet samba 4.2.8 > >>> > >>> > >>> Member servers. > >>> Debian Jessie samba 4.1.17 ( fileserver ) > >>> Debian Jessie samba 4.2.7 ( print server ) > >>> This one isnt updated yet with latest updates. > >>> > >>> The following packages have been kept back: > >>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- > >> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind > >>> The following packages will be upgraded: > >>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 > >> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 > >> libtiff5 > >>> > >>> on this one all id's are still correct. > >>> > >>> Thanks, Daniel Müller, for your addition.. > >>> > >>> This is really a big problem.. what happend her in the samba code? > >>> I've looked at the change log, but cant seen any related to this. > >>> > >>> So if anyone DEVS ? know what happend here in the samba code. > >>> As far as i now know i have to. > >>> Re-assign all my uid / gids on all users / groups, with other id's, > omg > >> wat a hell... > >>> And fix all idmaps on all servers.. pff. ... really no other fix ? > >>> > >>> There goes my weekend... > >>> > >>> > >>> Greetz, > >>> > >>> Louis > >>> > >>> > >>> > >>>> -----Oorspronkelijk bericht----- > >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >>>> Verzonden: vrijdag 12 februari 2016 9:06 > >>>> Aan: L.P.H. van Belle > >>>> CC: samba at lists.samba.org > >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind > >>>> > >>>> my os is debian 8.3 > >>>> > >>>> win bind and samba are in version 4.1.17 > >>>> > >>>> > >>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>>>> > >>>>> Ok, same problem as im having.. > >>>>> > >>>>> What is your os running? > >>>>> > >>>>> > >>>>>> -----Oorspronkelijk bericht----- > >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver > >> Werner > >>>>>> Verzonden: vrijdag 12 februari 2016 8:56 > >>>>>> Aan: samba at lists.samba.org > >>>>>> Onderwerp: [Samba] AD Group lost from Winbind > >>>>>> > >>>>>> Hello, > >>>>>> > >>>>>> the last two days i have problems with my AD group which is defined > >> in > >>>>>> share setting valid users > >>>>>> > >>>>>> Winbind looks to lost mapping of this group and so no user can > >> connect > >>>> to > >>>>>> this share anymore. > >>>>>> > >>>>>> When restart winbind service mapping works again until mapping lost > >>>> again. > >>>>>> > >>>>>> > >>>>>> ls -lsa shows me in issue this: > >>>>>> > >>>>>> 2 4 drwxr-x--- 63 root 12001 > >>>>>> 4096 Feb 4 23:42 Share > >>>>>> > >>>>>> After restarting winbind: > >>>>>> > >>>>>> 2 4 drwxr-x--- 63 root group_intern > >>>>>> 4096 Feb 4 23:42 Share > >>>>>> > >>>>>> > >>>>>> My smb.conf looks like > >>>>>> > >>>>>> > >>>>>> [global] > >>>>>> netbios name = MEMBER1 > >>>>>> security = ADS > >>>>>> workgroup = HQ > >>>>>> realm = hq.internal > >>>>>> > >>>>>> log file = /var/log/samba/%m.log > >>>>>> log level = 1 > >>>>>> > >>>>>> dedicated keytab file = /etc/krb5.keytab > >>>>>> kerberos method = secrets and keytab > >>>>>> winbind refresh tickets = yes > >>>>>> > >>>>>> winbind trusted domains only = no > >>>>>> winbind use default domain = yes > >>>>>> winbind enum users = yes > >>>>>> winbind enum groups = yes > >>>>>> winbind cache time = 300 > >>>>>> > >>>>>> > >>>>>> idmap config *:backend = tdb > >>>>>> idmap config *:range = 500-9999 > >>>>>> > >>>>>> # idmap config for domain HQ > >>>>>> idmap config HQ:backend = ad > >>>>>> idmap config HQ:schema_mode = rfc2307 > >>>>>> idmap config HQ:range = 10000-99999 > >>>>>> > >>>>>> # Use settings from AD for login shell and home directory > >>>>>> winbind nss info = rfc2307 > >>>>>> > >>>>>> [Share] > >>>>>> path = /data/share > >>>>>> browseable = yes > >>>>>> writeable = yes > >>>>>> force group = Group_Intern > >>>>>> valid users = @Group_Intern > >>>>>> create mask = 0660 > >>>>>> directory mask = 0770 > >>>>>> #oplocks = 0 > >>>>>> vfs objects = full_audit recycle > >>>>>> full_audit:prefix = %u > >>>>>> full_audit:success = mkdir rename rmdir unlink pwrite > >>>>>> full_audit:failure = none > >>>>>> full_audit:facility = LOCAL5 > >>>>>> full_audit:priority = NOTICE > >>>>>> recycle:versions = yes > >>>>>> recycle:exclude = .*, ~* > >>>>>> > >>>>>> > >>>>>> > >>>>>> Anyone has an idea for this problem? > >>>>>> > >>>>>> > >>>>>> Regards > >>>>>> Oliver > >>>>>> -- > >>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>> > >>>>> > >>>>> -- > >>>>> To unsubscribe from this list go to the following URL and read the > >>>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
i need to change it on all DCs, right? so i need to change some other options on member?> Am 12.02.2016 um 10:59 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > This looks all good to me but the problem lays in the DC winbind code, not the member. > > You can try to witch back ( temperarly ) to winbind ( on the DC ) > As i did, al least you get the correct id's back. ( for now ) > For you this the change you need on the DC. > > server services = -winbindd +winbind > > Im recompiling the samba 4.3.3 from sid now atm, so ill test them out what happpens. > > I'll report back here. > > Greetz, > > Louis > > > >> -----Oorspronkelijk bericht----- >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >> Verzonden: vrijdag 12 februari 2016 10:54 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] AD Group lost from Winbind >> >> This is DC: >> # Global parameters >> [global] >> workgroup = HQ >> realm = HQ.INTERNAL >> netbios name = DC1 >> server role = active directory domain controller >> idmap_ldb:use rfc2307 = yes >> interfaces=eth0 >> bind interfaces only=yes >> tls enabled = yes >> tls keyfile = /var/lib/samba/private/tls/key.pem >> tls certfile = /var/lib/samba/private/tls/cert.pem >> tls cafile = /var/lib/samba/private/tls/ca.pem >> >> [netlogon] >> path = /var/lib/samba/sysvol/hq.kontrast/scripts >> read only = No >> >> [sysvol] >> path = /var/lib/samba/sysvol >> read only = No >> >> >> >> member config was shown in my first e-mail >> >> >> >> >> >> >>> Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>> >>> Thats strange, my members dont show this the problem, only my DC's >>> >>> Can you post your smb.conf of the DC and one of your member servers. >>> >>> >>> Greetz, >>> >>> Louis >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>> Verzonden: vrijdag 12 februari 2016 10:16 >>>> Aan: L.P.H. van Belle >>>> CC: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>> >>>> In my Situation i don?t use DCs for Shares (only for sysvol) >>>> >>>> >>>> So my Member is has the problems. >>>> >>>> >>>>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>> >>>>> Ok, im having this : >>>>> >>>>> DC's >>>>> Debian Wheezy 7.9, sernet samba 4.2.8 >>>>> >>>>> >>>>> Member servers. >>>>> Debian Jessie samba 4.1.17 ( fileserver ) >>>>> Debian Jessie samba 4.2.7 ( print server ) >>>>> This one isnt updated yet with latest updates. >>>>> >>>>> The following packages have been kept back: >>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- >>>> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind >>>>> The following packages will be upgraded: >>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 >>>> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 libkrb5support0 >>>> libtiff5 >>>>> >>>>> on this one all id's are still correct. >>>>> >>>>> Thanks, Daniel Müller, for your addition.. >>>>> >>>>> This is really a big problem.. what happend her in the samba code? >>>>> I've looked at the change log, but cant seen any related to this. >>>>> >>>>> So if anyone DEVS ? know what happend here in the samba code. >>>>> As far as i now know i have to. >>>>> Re-assign all my uid / gids on all users / groups, with other id's, >> omg >>>> wat a hell... >>>>> And fix all idmaps on all servers.. pff. ... really no other fix ? >>>>> >>>>> There goes my weekend... >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>>>> Verzonden: vrijdag 12 februari 2016 9:06 >>>>>> Aan: L.P.H. van Belle >>>>>> CC: samba at lists.samba.org >>>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>>>> >>>>>> my os is debian 8.3 >>>>>> >>>>>> win bind and samba are in version 4.1.17 >>>>>> >>>>>> >>>>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>>>> >>>>>>> Ok, same problem as im having.. >>>>>>> >>>>>>> What is your os running? >>>>>>> >>>>>>> >>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver >>>> Werner >>>>>>>> Verzonden: vrijdag 12 februari 2016 8:56 >>>>>>>> Aan: samba at lists.samba.org >>>>>>>> Onderwerp: [Samba] AD Group lost from Winbind >>>>>>>> >>>>>>>> Hello, >>>>>>>> >>>>>>>> the last two days i have problems with my AD group which is defined >>>> in >>>>>>>> share setting valid users >>>>>>>> >>>>>>>> Winbind looks to lost mapping of this group and so no user can >>>> connect >>>>>> to >>>>>>>> this share anymore. >>>>>>>> >>>>>>>> When restart winbind service mapping works again until mapping lost >>>>>> again. >>>>>>>> >>>>>>>> >>>>>>>> ls -lsa shows me in issue this: >>>>>>>> >>>>>>>> 2 4 drwxr-x--- 63 root 12001 >>>>>>>> 4096 Feb 4 23:42 Share >>>>>>>> >>>>>>>> After restarting winbind: >>>>>>>> >>>>>>>> 2 4 drwxr-x--- 63 root group_intern >>>>>>>> 4096 Feb 4 23:42 Share >>>>>>>> >>>>>>>> >>>>>>>> My smb.conf looks like >>>>>>>> >>>>>>>> >>>>>>>> [global] >>>>>>>> netbios name = MEMBER1 >>>>>>>> security = ADS >>>>>>>> workgroup = HQ >>>>>>>> realm = hq.internal >>>>>>>> >>>>>>>> log file = /var/log/samba/%m.log >>>>>>>> log level = 1 >>>>>>>> >>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>> kerberos method = secrets and keytab >>>>>>>> winbind refresh tickets = yes >>>>>>>> >>>>>>>> winbind trusted domains only = no >>>>>>>> winbind use default domain = yes >>>>>>>> winbind enum users = yes >>>>>>>> winbind enum groups = yes >>>>>>>> winbind cache time = 300 >>>>>>>> >>>>>>>> >>>>>>>> idmap config *:backend = tdb >>>>>>>> idmap config *:range = 500-9999 >>>>>>>> >>>>>>>> # idmap config for domain HQ >>>>>>>> idmap config HQ:backend = ad >>>>>>>> idmap config HQ:schema_mode = rfc2307 >>>>>>>> idmap config HQ:range = 10000-99999 >>>>>>>> >>>>>>>> # Use settings from AD for login shell and home directory >>>>>>>> winbind nss info = rfc2307 >>>>>>>> >>>>>>>> [Share] >>>>>>>> path = /data/share >>>>>>>> browseable = yes >>>>>>>> writeable = yes >>>>>>>> force group = Group_Intern >>>>>>>> valid users = @Group_Intern >>>>>>>> create mask = 0660 >>>>>>>> directory mask = 0770 >>>>>>>> #oplocks = 0 >>>>>>>> vfs objects = full_audit recycle >>>>>>>> full_audit:prefix = %u >>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite >>>>>>>> full_audit:failure = none >>>>>>>> full_audit:facility = LOCAL5 >>>>>>>> full_audit:priority = NOTICE >>>>>>>> recycle:versions = yes >>>>>>>> recycle:exclude = .*, ~* >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Anyone has an idea for this problem? >>>>>>>> >>>>>>>> >>>>>>>> Regards >>>>>>>> Oliver >>>>>>>> -- >>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.samba.org/pipermail/samba/attachments/20160212/c6a834de/signature.sig>
Hai, Yes, only the DCs Change one, test and if all ok with you, change the others. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > Verzonden: vrijdag 12 februari 2016 11:24 > Aan: L.P.H. van Belle > CC: samba at lists.samba.org > Onderwerp: Re: [Samba] AD Group lost from Winbind > > i need to change it on all DCs, right? > > so i need to change some other options on member? > > > > Am 12.02.2016 um 10:59 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > > > This looks all good to me but the problem lays in the DC winbind code, > not the member. > > > > You can try to witch back ( temperarly ) to winbind ( on the DC ) > > As i did, al least you get the correct id's back. ( for now ) > > For you this the change you need on the DC. > > > > server services = -winbindd +winbind > > > > Im recompiling the samba 4.3.3 from sid now atm, so ill test them out > what happpens. > > > > I'll report back here. > > > > Greetz, > > > > Louis > > > > > > > >> -----Oorspronkelijk bericht----- > >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >> Verzonden: vrijdag 12 februari 2016 10:54 > >> Aan: L.P.H. van Belle > >> CC: samba at lists.samba.org > >> Onderwerp: Re: [Samba] AD Group lost from Winbind > >> > >> This is DC: > >> # Global parameters > >> [global] > >> workgroup = HQ > >> realm = HQ.INTERNAL > >> netbios name = DC1 > >> server role = active directory domain controller > >> idmap_ldb:use rfc2307 = yes > >> interfaces=eth0 > >> bind interfaces only=yes > >> tls enabled = yes > >> tls keyfile = /var/lib/samba/private/tls/key.pem > >> tls certfile = /var/lib/samba/private/tls/cert.pem > >> tls cafile = /var/lib/samba/private/tls/ca.pem > >> > >> [netlogon] > >> path = /var/lib/samba/sysvol/hq.kontrast/scripts > >> read only = No > >> > >> [sysvol] > >> path = /var/lib/samba/sysvol > >> read only = No > >> > >> > >> > >> member config was shown in my first e-mail > >> > >> > >> > >> > >> > >> > >>> Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>> > >>> Thats strange, my members dont show this the problem, only my DC's > >>> > >>> Can you post your smb.conf of the DC and one of your member servers. > >>> > >>> > >>> Greetz, > >>> > >>> Louis > >>> > >>> > >>>> -----Oorspronkelijk bericht----- > >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >>>> Verzonden: vrijdag 12 februari 2016 10:16 > >>>> Aan: L.P.H. van Belle > >>>> CC: samba at lists.samba.org > >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind > >>>> > >>>> In my Situation i don?t use DCs for Shares (only for sysvol) > >>>> > >>>> > >>>> So my Member is has the problems. > >>>> > >>>> > >>>>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>>>> > >>>>> Ok, im having this : > >>>>> > >>>>> DC's > >>>>> Debian Wheezy 7.9, sernet samba 4.2.8 > >>>>> > >>>>> > >>>>> Member servers. > >>>>> Debian Jessie samba 4.1.17 ( fileserver ) > >>>>> Debian Jessie samba 4.2.7 ( print server ) > >>>>> This one isnt updated yet with latest updates. > >>>>> > >>>>> The following packages have been kept back: > >>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- > >>>> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind > >>>>> The following packages will be upgraded: > >>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 > >>>> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 > libkrb5support0 > >>>> libtiff5 > >>>>> > >>>>> on this one all id's are still correct. > >>>>> > >>>>> Thanks, Daniel Müller, for your addition.. > >>>>> > >>>>> This is really a big problem.. what happend her in the samba code? > >>>>> I've looked at the change log, but cant seen any related to this. > >>>>> > >>>>> So if anyone DEVS ? know what happend here in the samba code. > >>>>> As far as i now know i have to. > >>>>> Re-assign all my uid / gids on all users / groups, with other id's, > >> omg > >>>> wat a hell... > >>>>> And fix all idmaps on all servers.. pff. ... really no other fix ? > >>>>> > >>>>> There goes my weekend... > >>>>> > >>>>> > >>>>> Greetz, > >>>>> > >>>>> Louis > >>>>> > >>>>> > >>>>> > >>>>>> -----Oorspronkelijk bericht----- > >>>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] > >>>>>> Verzonden: vrijdag 12 februari 2016 9:06 > >>>>>> Aan: L.P.H. van Belle > >>>>>> CC: samba at lists.samba.org > >>>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind > >>>>>> > >>>>>> my os is debian 8.3 > >>>>>> > >>>>>> win bind and samba are in version 4.1.17 > >>>>>> > >>>>>> > >>>>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: > >>>>>>> > >>>>>>> Ok, same problem as im having.. > >>>>>>> > >>>>>>> What is your os running? > >>>>>>> > >>>>>>> > >>>>>>>> -----Oorspronkelijk bericht----- > >>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver > >>>> Werner > >>>>>>>> Verzonden: vrijdag 12 februari 2016 8:56 > >>>>>>>> Aan: samba at lists.samba.org > >>>>>>>> Onderwerp: [Samba] AD Group lost from Winbind > >>>>>>>> > >>>>>>>> Hello, > >>>>>>>> > >>>>>>>> the last two days i have problems with my AD group which is > defined > >>>> in > >>>>>>>> share setting valid users > >>>>>>>> > >>>>>>>> Winbind looks to lost mapping of this group and so no user can > >>>> connect > >>>>>> to > >>>>>>>> this share anymore. > >>>>>>>> > >>>>>>>> When restart winbind service mapping works again until mapping > lost > >>>>>> again. > >>>>>>>> > >>>>>>>> > >>>>>>>> ls -lsa shows me in issue this: > >>>>>>>> > >>>>>>>> 2 4 drwxr-x--- 63 root 12001 > >>>>>>>> 4096 Feb 4 23:42 Share > >>>>>>>> > >>>>>>>> After restarting winbind: > >>>>>>>> > >>>>>>>> 2 4 drwxr-x--- 63 root group_intern > >>>>>>>> 4096 Feb 4 23:42 Share > >>>>>>>> > >>>>>>>> > >>>>>>>> My smb.conf looks like > >>>>>>>> > >>>>>>>> > >>>>>>>> [global] > >>>>>>>> netbios name = MEMBER1 > >>>>>>>> security = ADS > >>>>>>>> workgroup = HQ > >>>>>>>> realm = hq.internal > >>>>>>>> > >>>>>>>> log file = /var/log/samba/%m.log > >>>>>>>> log level = 1 > >>>>>>>> > >>>>>>>> dedicated keytab file = /etc/krb5.keytab > >>>>>>>> kerberos method = secrets and keytab > >>>>>>>> winbind refresh tickets = yes > >>>>>>>> > >>>>>>>> winbind trusted domains only = no > >>>>>>>> winbind use default domain = yes > >>>>>>>> winbind enum users = yes > >>>>>>>> winbind enum groups = yes > >>>>>>>> winbind cache time = 300 > >>>>>>>> > >>>>>>>> > >>>>>>>> idmap config *:backend = tdb > >>>>>>>> idmap config *:range = 500-9999 > >>>>>>>> > >>>>>>>> # idmap config for domain HQ > >>>>>>>> idmap config HQ:backend = ad > >>>>>>>> idmap config HQ:schema_mode = rfc2307 > >>>>>>>> idmap config HQ:range = 10000-99999 > >>>>>>>> > >>>>>>>> # Use settings from AD for login shell and home directory > >>>>>>>> winbind nss info = rfc2307 > >>>>>>>> > >>>>>>>> [Share] > >>>>>>>> path = /data/share > >>>>>>>> browseable = yes > >>>>>>>> writeable = yes > >>>>>>>> force group = Group_Intern > >>>>>>>> valid users = @Group_Intern > >>>>>>>> create mask = 0660 > >>>>>>>> directory mask = 0770 > >>>>>>>> #oplocks = 0 > >>>>>>>> vfs objects = full_audit recycle > >>>>>>>> full_audit:prefix = %u > >>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite > >>>>>>>> full_audit:failure = none > >>>>>>>> full_audit:facility = LOCAL5 > >>>>>>>> full_audit:priority = NOTICE > >>>>>>>> recycle:versions = yes > >>>>>>>> recycle:exclude = .*, ~* > >>>>>>>> > >>>>>>>> > >>>>>>>> > >>>>>>>> Anyone has an idea for this problem? > >>>>>>>> > >>>>>>>> > >>>>>>>> Regards > >>>>>>>> Oliver > >>>>>>>> -- > >>>>>>>> To unsubscribe from this list go to the following URL and read > the > >>>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>>>> > >>>>>>> > >>>>>>> -- > >>>>>>> To unsubscribe from this list go to the following URL and read the > >>>>>>> instructions: https://lists.samba.org/mailman/options/samba > >>>>> > >>>>> > >>>>> > >>>>> -- > >>>>> To unsubscribe from this list go to the following URL and read the > >>>>> instructions: https://lists.samba.org/mailman/options/samba > >>> > >>> > >>> > >>> -- > >>> To unsubscribe from this list go to the following URL and read the > >>> instructions: https://lists.samba.org/mailman/options/samba > > > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
hi, we have tested last week our problem with change parameter server services = -winbindd +winbind but our member server get also the issue that the winbind lost user and group mapping for valid users. so for the test i have changed on our three DCs the parameter above. May i need to set this parameter on member server also? Oliver> Am 12.02.2016 um 11:30 schrieb L.P.H. van Belle <belle at bazuin.nl>: > > Hai, > > Yes, only the DCs > Change one, test and if all ok with you, change the others. > > Greetz, > > Louis > > >> -----Oorspronkelijk bericht----- >> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >> Verzonden: vrijdag 12 februari 2016 11:24 >> Aan: L.P.H. van Belle >> CC: samba at lists.samba.org >> Onderwerp: Re: [Samba] AD Group lost from Winbind >> >> i need to change it on all DCs, right? >> >> so i need to change some other options on member? >> >> >>> Am 12.02.2016 um 10:59 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>> >>> This looks all good to me but the problem lays in the DC winbind code, >> not the member. >>> >>> You can try to witch back ( temperarly ) to winbind ( on the DC ) >>> As i did, al least you get the correct id's back. ( for now ) >>> For you this the change you need on the DC. >>> >>> server services = -winbindd +winbind >>> >>> Im recompiling the samba 4.3.3 from sid now atm, so ill test them out >> what happpens. >>> >>> I'll report back here. >>> >>> Greetz, >>> >>> Louis >>> >>> >>> >>>> -----Oorspronkelijk bericht----- >>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>> Verzonden: vrijdag 12 februari 2016 10:54 >>>> Aan: L.P.H. van Belle >>>> CC: samba at lists.samba.org >>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>> >>>> This is DC: >>>> # Global parameters >>>> [global] >>>> workgroup = HQ >>>> realm = HQ.INTERNAL >>>> netbios name = DC1 >>>> server role = active directory domain controller >>>> idmap_ldb:use rfc2307 = yes >>>> interfaces=eth0 >>>> bind interfaces only=yes >>>> tls enabled = yes >>>> tls keyfile = /var/lib/samba/private/tls/key.pem >>>> tls certfile = /var/lib/samba/private/tls/cert.pem >>>> tls cafile = /var/lib/samba/private/tls/ca.pem >>>> >>>> [netlogon] >>>> path = /var/lib/samba/sysvol/hq.kontrast/scripts >>>> read only = No >>>> >>>> [sysvol] >>>> path = /var/lib/samba/sysvol >>>> read only = No >>>> >>>> >>>> >>>> member config was shown in my first e-mail >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Am 12.02.2016 um 10:22 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>> >>>>> Thats strange, my members dont show this the problem, only my DC's >>>>> >>>>> Can you post your smb.conf of the DC and one of your member servers. >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>>>> Verzonden: vrijdag 12 februari 2016 10:16 >>>>>> Aan: L.P.H. van Belle >>>>>> CC: samba at lists.samba.org >>>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>>>> >>>>>> In my Situation i don?t use DCs for Shares (only for sysvol) >>>>>> >>>>>> >>>>>> So my Member is has the problems. >>>>>> >>>>>> >>>>>>> Am 12.02.2016 um 09:20 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>>>> >>>>>>> Ok, im having this : >>>>>>> >>>>>>> DC's >>>>>>> Debian Wheezy 7.9, sernet samba 4.2.8 >>>>>>> >>>>>>> >>>>>>> Member servers. >>>>>>> Debian Jessie samba 4.1.17 ( fileserver ) >>>>>>> Debian Jessie samba 4.2.7 ( print server ) >>>>>>> This one isnt updated yet with latest updates. >>>>>>> >>>>>>> The following packages have been kept back: >>>>>>> samba sernet-samba sernet-samba-client sernet-samba-common sernet- >>>>>> samba-libs sernet-samba-libsmbclient0 sernet-samba-winbind >>>>>>> The following packages will be upgraded: >>>>>>> krb5-locales krb5-user libgssapi-krb5-2 libgssrpc4 libk5crypto3 >>>>>> libkadm5clnt-mit9 libkadm5srv-mit9 libkdb5-7 libkrb5-3 >> libkrb5support0 >>>>>> libtiff5 >>>>>>> >>>>>>> on this one all id's are still correct. >>>>>>> >>>>>>> Thanks, Daniel Müller, for your addition.. >>>>>>> >>>>>>> This is really a big problem.. what happend her in the samba code? >>>>>>> I've looked at the change log, but cant seen any related to this. >>>>>>> >>>>>>> So if anyone DEVS ? know what happend here in the samba code. >>>>>>> As far as i now know i have to. >>>>>>> Re-assign all my uid / gids on all users / groups, with other id's, >>>> omg >>>>>> wat a hell... >>>>>>> And fix all idmaps on all servers.. pff. ... really no other fix ? >>>>>>> >>>>>>> There goes my weekend... >>>>>>> >>>>>>> >>>>>>> Greetz, >>>>>>> >>>>>>> Louis >>>>>>> >>>>>>> >>>>>>> >>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>> Van: Oliver Werner [mailto:oliver.werner at kontrast.de] >>>>>>>> Verzonden: vrijdag 12 februari 2016 9:06 >>>>>>>> Aan: L.P.H. van Belle >>>>>>>> CC: samba at lists.samba.org >>>>>>>> Onderwerp: Re: [Samba] AD Group lost from Winbind >>>>>>>> >>>>>>>> my os is debian 8.3 >>>>>>>> >>>>>>>> win bind and samba are in version 4.1.17 >>>>>>>> >>>>>>>> >>>>>>>>> Am 12.02.2016 um 08:58 schrieb L.P.H. van Belle <belle at bazuin.nl>: >>>>>>>>> >>>>>>>>> Ok, same problem as im having.. >>>>>>>>> >>>>>>>>> What is your os running? >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Oliver >>>>>> Werner >>>>>>>>>> Verzonden: vrijdag 12 februari 2016 8:56 >>>>>>>>>> Aan: samba at lists.samba.org >>>>>>>>>> Onderwerp: [Samba] AD Group lost from Winbind >>>>>>>>>> >>>>>>>>>> Hello, >>>>>>>>>> >>>>>>>>>> the last two days i have problems with my AD group which is >> defined >>>>>> in >>>>>>>>>> share setting valid users >>>>>>>>>> >>>>>>>>>> Winbind looks to lost mapping of this group and so no user can >>>>>> connect >>>>>>>> to >>>>>>>>>> this share anymore. >>>>>>>>>> >>>>>>>>>> When restart winbind service mapping works again until mapping >> lost >>>>>>>> again. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> ls -lsa shows me in issue this: >>>>>>>>>> >>>>>>>>>> 2 4 drwxr-x--- 63 root 12001 >>>>>>>>>> 4096 Feb 4 23:42 Share >>>>>>>>>> >>>>>>>>>> After restarting winbind: >>>>>>>>>> >>>>>>>>>> 2 4 drwxr-x--- 63 root group_intern >>>>>>>>>> 4096 Feb 4 23:42 Share >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> My smb.conf looks like >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> [global] >>>>>>>>>> netbios name = MEMBER1 >>>>>>>>>> security = ADS >>>>>>>>>> workgroup = HQ >>>>>>>>>> realm = hq.internal >>>>>>>>>> >>>>>>>>>> log file = /var/log/samba/%m.log >>>>>>>>>> log level = 1 >>>>>>>>>> >>>>>>>>>> dedicated keytab file = /etc/krb5.keytab >>>>>>>>>> kerberos method = secrets and keytab >>>>>>>>>> winbind refresh tickets = yes >>>>>>>>>> >>>>>>>>>> winbind trusted domains only = no >>>>>>>>>> winbind use default domain = yes >>>>>>>>>> winbind enum users = yes >>>>>>>>>> winbind enum groups = yes >>>>>>>>>> winbind cache time = 300 >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> idmap config *:backend = tdb >>>>>>>>>> idmap config *:range = 500-9999 >>>>>>>>>> >>>>>>>>>> # idmap config for domain HQ >>>>>>>>>> idmap config HQ:backend = ad >>>>>>>>>> idmap config HQ:schema_mode = rfc2307 >>>>>>>>>> idmap config HQ:range = 10000-99999 >>>>>>>>>> >>>>>>>>>> # Use settings from AD for login shell and home directory >>>>>>>>>> winbind nss info = rfc2307 >>>>>>>>>> >>>>>>>>>> [Share] >>>>>>>>>> path = /data/share >>>>>>>>>> browseable = yes >>>>>>>>>> writeable = yes >>>>>>>>>> force group = Group_Intern >>>>>>>>>> valid users = @Group_Intern >>>>>>>>>> create mask = 0660 >>>>>>>>>> directory mask = 0770 >>>>>>>>>> #oplocks = 0 >>>>>>>>>> vfs objects = full_audit recycle >>>>>>>>>> full_audit:prefix = %u >>>>>>>>>> full_audit:success = mkdir rename rmdir unlink pwrite >>>>>>>>>> full_audit:failure = none >>>>>>>>>> full_audit:facility = LOCAL5 >>>>>>>>>> full_audit:priority = NOTICE >>>>>>>>>> recycle:versions = yes >>>>>>>>>> recycle:exclude = .*, ~* >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Anyone has an idea for this problem? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> Oliver >>>>>>>>>> -- >>>>>>>>>> To unsubscribe from this list go to the following URL and read >> the >>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> To unsubscribe from this list go to the following URL and read the >>>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>> >>> >>> >>> -- >>> To unsubscribe from this list go to the following URL and read the >>> instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.samba.org/pipermail/samba/attachments/20160222/4937d44d/signature.sig>