Hi,
I have a permanent problem with my Samba members. After some time they lose their
connections to the DCs and I need to restart winbind.
Also the same problem with Windows clients that run 24x7. After a few days I cannot
log in.
I think that's a problem with Kerberos tickets.
I have checked the Samba logs and found that the Samba member and the Windows client ask for
new tickets and get a new expiration.
in my DCs i have set
kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120
and the master krb5.conf looks like this:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 1d
renew_lifetime = 5d
[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
kdc = vl0230.hq.kontrast
kdc = pl0231.hq.kontrast
master_kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}
[domain_realm]
.hq.kontrast = HQ.KONTRAST
hq.kontrast = HQ.KONTRAST
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmind.log
So what I saw was that the GPOs are empty by default. Do I need to configure the Kerberos
Policy for winbind?
Kind regards,
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
Please post your member smb.conf.
But probably you're missing:
winbind refresh tickets = yes
and/or
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oliver Werner
> Sent: Friday, 11 March 2016 8:55
> To: samba at lists.samba.org
> Subject: [Samba] Problem with Winbind and Windows Clients
Here is the smb.conf:
[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast
log file = /var/log/samba/%m.log
log level = 3
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind refresh tickets = yes
# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023
# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999
# Use settings from AD for login shell and home directory
winbind nss info = rfc2307
OLIVER WERNER
System-Administrator
> On 11.03.2016 at 09:01, L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> Please post your member smb.conf.
>
> But probably you're missing:
> winbind refresh tickets = yes
> and/or
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
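A way to check a member's smb.conf for the options Louis names, as an added example that is not code from this thread or from Samba: a small parser that also reports options listed twice, like the doubled winbind refresh tickets in the posted config. The sample configs below are constructed.

```python
# Added example, not code from the thread or from Samba: lint a member's
# smb.conf [global] for the winbind/Kerberos options Louis names, and report
# options that appear more than once, like the doubled "winbind refresh tickets".
import re
from collections import Counter

# Options Louis named; None means "must be set", otherwise "must equal".
REQUIRED = {
    "winbind refresh tickets": "yes",
    "dedicated keytab file": None,
    "kerberos method": "secrets and keytab",
}

def parse_smb_conf(text):
    """Parse smb.conf into {section: Counter((key, value))}, keeping duplicates.

    Keys are lower-cased (smb.conf options are case-insensitive), whitespace
    around '=' is dropped, and '#' or ';' starts a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, Counter())
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][(key.lower(), value)] += 1
    return sections

def lint_member(text):
    """Return (missing, duplicates) for the [global] section."""
    seen = {}  # option -> one value per occurrence
    for (key, value), n in parse_smb_conf(text).get("global", {}).items():
        seen.setdefault(key, []).extend([value] * n)
    missing = [key for key, want in REQUIRED.items()
               if not seen.get(key)
               or (want is not None and want not in [v.lower() for v in seen[key]])]
    duplicates = sorted(key for key, vals in seen.items() if len(vals) > 1)
    return missing, duplicates

# Constructed inputs: a member lacking the options, and one modelled on the
# smb.conf posted in this thread (with its repeated "winbind refresh tickets").
BARE_MEMBER = """
[global]
    security = ADS
    workgroup = HQKONTRAST
    realm = hq.kontrast
"""
POSTED_MEMBER = BARE_MEMBER + """
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind cache time = 300
    winbind refresh tickets = yes   # repeated: harmless, but worth removing
"""
```

Running lint_member on a real /etc/samba/smb.conf works the same way; only the [global] section is inspected.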
Besides the 2 x winbind refresh tickets = yes, this looks good.
In what "interval" is this happening? Every day, every week? Is it consistent?
This is often a time sync problem, but I do recall a previous message of yours.
Is your time in sync? Servers and PCs? And do you use a pool NTP, or a stratum 1
or 2 NTP?
Pools can cause out-of-syncs.
Other option is to set the GPO for Kerberos, but this is normally not needed.
Other question, is this a "cloned" Windows, and did you sysprep? (must ask,
sorry)
Last, what is the Windows event log telling you when you're trying to log in? Can be
very useful.
I'm asking all the above because I also have multiple PCs always on and I don't see
this problem here.
I'm using Sernet Samba 4.2.9 for the DC.
Members vary between 4.1.17 up to 4.3.4, depending on the function/services
they're running.
Greetz,
Louis
From: Oliver Werner [mailto:oliver.werner at kontrast.de]
Sent: Friday, 11 March 2016 9:03
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients
On 11/03/16 07:54, Oliver Werner wrote:
> So what i saw was GPOs are default empty. i need for winbind configure Kerberos Policy?
I think you may be over-thinking kerberos, where did you get:
kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120
Also where did you set it?
You have this in krb5.conf:
dns_lookup_kdc = true
and this:
[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
kdc = vl0230.hq.kontrast
kdc = pl0231.hq.kontrast
master_kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}
man krb5.conf contains this:
dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the information for the realm. The default is to use these records.
You seem to be overriding the defaults, I would reset krb5.conf (on all samba machines) to just this:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
Rowland
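As an added example (not code from the thread, from MIT Kerberos or from Samba), a krb5.conf parser that flags the situation Rowland describes: dns_lookup_kdc left on while [realms] carries an explicit kdc list, which the man page text he quotes says takes precedence over SRV discovery for that realm. It assumes only the syntax used in the posted stanza ([section], key = value, name = { ... }); the sample krb5.conf is constructed from the one posted above.

```python
# Added example, not code from the thread or from Kerberos/Samba: parse a
# krb5.conf and flag realms whose explicit kdc list overrides dns_lookup_kdc.

def parse_krb5_conf(text):
    """Parse krb5.conf into nested dicts; repeated keys (kdc) become lists.

    Covers [section] headers, 'key = value' lines and 'name = { ... }'
    subsections, which is all the posted stanza uses (assumption).
    """
    root, stack = {}, []  # stack holds the dicts currently being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1].strip(), {})]
        elif line == "}":
            stack.pop()
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            elif key not in stack[-1]:
                stack[-1][key] = value
            elif isinstance(stack[-1][key], list):
                stack[-1][key].append(value)
            else:
                stack[-1][key] = [stack[-1][key], value]
    return root

def explicit_kdc_overrides(conf):
    """Realms that list kdc entries while dns_lookup_kdc is on (or defaulted).

    Per man krb5.conf, SRV records are only consulted for KDCs that are not
    listed for the realm, so such entries silently disable DNS discovery.
    """
    lookup = str(conf.get("libdefaults", {}).get("dns_lookup_kdc", "true"))
    if lookup.lower() not in ("true", "yes", "1"):
        return []
    return sorted(realm for realm, body in conf.get("realms", {}).items()
                  if isinstance(body, dict) and "kdc" in body)

def minimal_libdefaults(realm):
    """The three-line [libdefaults] Rowland recommends, for the given realm."""
    return (f"[libdefaults]\n    default_realm = {realm}\n"
            "    dns_lookup_realm = false\n    dns_lookup_kdc = true\n")

# Constructed input modelled on the krb5.conf posted in this thread.
POSTED_KRB5 = """
[libdefaults]
    default_realm = HQ.KONTRAST
    dns_lookup_realm = false
    dns_lookup_kdc = true
[realms]
    HQ.KONTRAST = {
        kdc = vl0227.hq.kontrast
        kdc = vl0230.hq.kontrast
        master_kdc = vl0227.hq.kontrast
    }
[domain_realm]
    .hq.kontrast = HQ.KONTRAST
"""
```

For the posted file, explicit_kdc_overrides(parse_krb5_conf(POSTED_KRB5)) reports HQ.KONTRAST, and minimal_libdefaults("HQ.KONTRAST") prints the replacement Rowland suggests.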
Hi Rowland,
Also change on the DCs to
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
?
I was using the wiki article and there it was listed for the DC. The config I posted was only for vl0227 (my master DC); all other machines have the config you prefer.
OLIVER WERNER
System-Administrator
> On 11.03.2016 at 09:54, Rowland Penny <rpenny at samba.org> wrote:
>
> [libdefaults]
> default_realm = HQ.KONTRAST
> dns_lookup_realm = false
> dns_lookup_kdc = true