yeah

> /var/lib/samba/sysvol/hq.kontrast/scripts
was a typo

hq.internal was correct.

uidNumber and gidNumber is set for our own users and group, but not Administrator or Administrators.

Today it was an issue again on a member so i test command

wbinfo --group-info=group_intern

and got the error

failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for group group_intern

After restart winbind on domain member all looks ok again.

> On 22.02.2016 at 10:21, Rowland penny <rpenny at samba.org> wrote:
>
> On 22/02/16 08:32, Oliver Werner wrote:
>> hi,
>>
>> we have tested last week our problem with change parameter
>>
>> server services = -winbindd +winbind
>>
>> but our member server get also the issue that the winbind lost user and group mapping for valid users.
>>
>> so for the test i have changed on our three DCs the parameter above.
>>
>> May i need to set this parameter on member server also?
>>
>>
>> Oliver
>
> OK, I have been rereading this thread and I think Louis may have been sending you off on a wild goose chase here, if the problem occurs on a domain member, it very probably has nothing to do with how smb.conf is setup on the DC.
>
> What I did notice (and it is probably a typo) is this:
>
> In domain member smb.conf: realm = hq.internal
>
> In DC smb.conf:
> [netlogon]
> path = /var/lib/samba/sysvol/hq.kontrast/scripts
>
> Which is it ? 'hq.internal' or 'hq.kontrast'
>
> You should also add these lines to the smb.conf on the domain member:
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> Have you given a uidNumber attribute to users in AD and if you have, does this include Administrator ?
> Have you given a gidNumber attribute to groups in AD and if you have, does this include groups such as Administrators ?
>
> To be honest it sounds like the Kerberos ticket could be expiring and not getting renewed.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On 22/02/16 10:53, Oliver Werner wrote:
> yeah
>
>> /var/lib/samba/sysvol/hq.kontrast/scripts
> was a typo
>
> hq.internal was correct.
>
> uidNumber and gidNumber is set for our own users and group, but not Administrator or Administrators.
>
> Today it was an issue again on a member so i test command
>
> wbinfo --group-info=group_intern
>
> and got the error
>
> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for group group_intern
>
> After restart winbind on domain member all looks ok again.

This is sounding more and more like the Kerberos ticket expiring and not getting renewed, try turning Samba logging up and see if anything pops up. You could also try leaving and rejoining the domain.

Rowland

Hm, so i think i have another problem with my DCs… also my users sometimes can't login to windows clients and need a restart. So this can be the same thing.

i will try to set logging up and will check to find out more details.

> On 22.02.2016 at 14:00, Rowland penny <rpenny at samba.org> wrote:
>
> On 22/02/16 10:53, Oliver Werner wrote:
>> yeah
>>
>>> /var/lib/samba/sysvol/hq.kontrast/scripts
>> was a typo
>>
>> hq.internal was correct.
>>
>> uidNumber and gidNumber is set for our own users and group, but not Administrator or Administrators.
>>
>> Today it was an issue again on a member so i test command
>>
>> wbinfo --group-info=group_intern
>>
>> and got the error
>>
>> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for group group_intern
>>
>> After restart winbind on domain member all looks ok again.
>
> This is sounding more and more like the Kerberos ticket expiring and not getting renewed, try turning Samba logging up and see if anything pops up. You could also try leaving and rejoining the domain.
>
> Rowland

hi again,

i have tested now with high log level. On Member i found:

[2016/02/29 17:49:34.478685, 1] ../source3/rpc_client/cli_pipe.c:482(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:482: RPC fault code WERR_BADFUNC received from host dc1.hq.internal!
[2016/02/29 17:49:34.478817, 1] ../source3/winbindd/winbindd_ads.c:1297(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_CALL_FAILED - retrying...
[2016/02/29 17:49:34.482185, 1] ../source3/rpc_client/cli_pipe.c:482(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:482: RPC fault code WERR_BADFUNC received from host dc1.hq.internal!

Also on member i have tested the parameter:

winbind refresh tickets = yes

but has no effect.

i have also the problem on windows machines there are running all days without restart.

> On 22.02.2016 at 14:00, Rowland penny <rpenny at samba.org> wrote:
>
> On 22/02/16 10:53, Oliver Werner wrote:
>> yeah
>>
>>> /var/lib/samba/sysvol/hq.kontrast/scripts
>> was a typo
>>
>> hq.internal was correct.
>>
>> uidNumber and gidNumber is set for our own users and group, but not Administrator or Administrators.
>>
>> Today it was an issue again on a member so i test command
>>
>> wbinfo --group-info=group_intern
>>
>> and got the error
>>
>> failed to call wbcGetgrnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for group group_intern
>>
>> After restart winbind on domain member all looks ok again.
>
> This is sounding more and more like the Kerberos ticket expiring and not getting renewed, try turning Samba logging up and see if anything pops up. You could also try leaving and rejoining the domain.
>
> Rowland
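
Added example, not part of the thread and not Samba code: a small Python parser that splits winbind log text in the format quoted in the last message into entries, then counts RPC faults per DC and failed calls per winbind function, so that mapping failures on a member can be correlated with a specific DC. The regular expressions and function names are assumptions made for this example; the sample input is the three entries from the message above.

```python
import re
from collections import Counter

# Entry header as seen in the thread: "[date time, level] file:line(function)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
RPC_FAULT = re.compile(r"RPC fault code (?P<code>\w+) received from host (?P<host>[^\s!]+)")
CALL_FAILED = re.compile(r"(?P<call>\w+) call failed with (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Split log text into entries. The message is everything between one
    header and the next, so this also works on logs flattened onto one line."""
    headers = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entry = m.groupdict()
        entry["message"] = " ".join(text[m.end():end].split())
        entries.append(entry)
    return entries

def summarize(entries):
    """Count RPC faults per (host, code) and failed calls per (function, call, status)."""
    faults, failures = Counter(), Counter()
    for e in entries:
        for m in RPC_FAULT.finditer(e["message"]):
            faults[(m["host"], m["code"])] += 1
        for m in CALL_FAILED.finditer(e["message"]):
            failures[(e["func"], m["call"], m["status"])] += 1
    return faults, failures

# Sample input: the three log entries quoted in the message above.
SAMPLE = """\
[2016/02/29 17:49:34.478685, 1] ../source3/rpc_client/cli_pipe.c:482(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:482: RPC fault code WERR_BADFUNC received from host dc1.hq.internal!
[2016/02/29 17:49:34.478817, 1] ../source3/winbindd/winbindd_ads.c:1297(lookup_groupmem)
  lsa_lookupsids call failed with NT_STATUS_RPC_CALL_FAILED - retrying...
[2016/02/29 17:49:34.482185, 1] ../source3/rpc_client/cli_pipe.c:482(cli_pipe_validate_current_pdu)
  ../source3/rpc_client/cli_pipe.c:482: RPC fault code WERR_BADFUNC received from host dc1.hq.internal!
"""

if __name__ == "__main__":
    faults, failures = summarize(parse_entries(SAMPLE))
    for (host, code), n in faults.items():
        print(f"{n}x {code} from {host}")
    for (func, call, status), n in failures.items():
        print(f"{n}x {call} -> {status} in {func}")
```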