Hello everyone,

any ideas on why a newly installed domain member (w2k8 domain) might seem to work fine in every test (wbinfo -g, wbinfo -t, getent group, wbinfo -n username, getent passwd user, share-access.., ) but only enumeration of users with wbinfo -u and getent passwd fail?
wbinfo -u just returns without any output and getent passwd just shows the default centos7 users.

Even with debugging the only strange thing might be that the log.wb-DOMAIN seems to state an immediate (!!!) timeout on wbinfo -u

[2016/04/14 12:17:26.558350, 3, pid=2873, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost host.domain.de or default ccache. Using default smb.conf realm DOMAIN.DE
[2016/04/14 12:17:26.591090, 3, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:904(ads_do_paged_search_args)
ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) -> Time limit exceeded
[2016/04/14 12:17:26.591143, 1, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
ads reopen failed after error Time limit exceeded
[2016/04/14 12:17:26.591154, 1, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:319(query_user_list)
query_user_list ads_search: Time limit exceeded
[2016/04/14 12:17:26.591165, 3, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1519(query_user_list)
query_user_list: returned 0xc00000b5, retrying

wbinfo -g instead shows

[2016/04/14 12:19:10.877696, 3, pid=2873, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost host.domain.de or default ccache. Using default smb.conf realm DOMAIN.DE
[2016/04/14 12:19:10.883354, 5, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
Search for (&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1)))) in <dc=DOMAIN,dc=DE> gave 31 replies

There are only about 100 users, latest samba 4.2.10-rpm from centos7.
winbind enum users is set to yes.

Thanks for help
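
Added example, not part of the original post or of Samba: a small Python parser for the winbindd debug records quoted above. It measures how long after the same process's previous record an LDAP search reported "Time limit exceeded". The 1-second threshold and the names parse_records and fast_timeouts are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Header of a Samba debug record: [timestamp, level, pid=N, ...] file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{6}),\s*\d+,\s*"
    r"pid=(?P<pid>\d+),[^\]]*\]\s+\S+?:\d+\((?P<func>\w+)\)\s*$")

# The wbinfo -u records quoted in the post above.
SAMPLE = """\
[2016/04/14 12:17:26.558350, 3, pid=2873, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
kerberos_get_principal_from_service_hostname: cannot get realm from, desthost host.domain.de or default ccache. Using default smb.conf realm DOMAIN.DE
[2016/04/14 12:17:26.591090, 3, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:904(ads_do_paged_search_args)
ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) -> Time limit exceeded
[2016/04/14 12:17:26.591143, 1, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
ads reopen failed after error Time limit exceeded
[2016/04/14 12:17:26.591154, 1, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:319(query_user_list)
query_user_list ads_search: Time limit exceeded
[2016/04/14 12:17:26.591165, 3, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1519(query_user_list)
query_user_list: returned 0xc00000b5, retrying
"""

def parse_records(text):
    """Split a log into records: one dict per header, message lines joined in 'msg'."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            records.append({"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f"),
                            "pid": m["pid"], "func": m["func"], "msg": ""})
        elif records:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def fast_timeouts(records, threshold_s=1.0):
    """LDAP search timeouts logged under threshold_s after the same pid's previous record."""
    last, hits = {}, []
    for r in records:
        prev = last.get(r["pid"])
        if (prev is not None and r["func"] == "ads_do_paged_search_args"
                and "Time limit exceeded" in r["msg"]):
            elapsed = (r["ts"] - prev).total_seconds()
            if elapsed < threshold_s:
                hits.append((r["ts"].isoformat(), elapsed))
        last[r["pid"]] = r["ts"]
    return hits

if __name__ == "__main__":
    print(fast_timeouts(parse_records(SAMPLE)))
```
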
On 15/04/16 09:55, Oktay Akbal wrote:
> Hello everyone,
>
> any ideas on why a newly installed domain member (w2k8 domain) might seem to work fine in every test (wbinfo -g, wbinfo -t, getent group, wbinfo -n username, getent passwd user, share-access.., ) but only enumeration of users with wbinfo -u and getent passwd fail?
> wbinfo -u just returns without any output and getent passwd just shows the default centos7 users.
>
> Even with debugging the only strange thing might be that the log.wb-DOMAIN seems to state an immediate (!!!) timeout on wbinfo -u
>
>
> [2016/04/14 12:17:26.558350, 3, pid=2873, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
> kerberos_get_principal_from_service_hostname: cannot get realm from, desthost host.domain.de or default ccache. Using default smb.conf realm DOMAIN.DE
> [2016/04/14 12:17:26.591090, 3, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap.c:904(ads_do_paged_search_args)
> ads_do_paged_search_args: ldap_search_with_timeout((objectCategory=user)) -> Time limit exceeded
> [2016/04/14 12:17:26.591143, 1, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:135(ads_do_search_retry_internal)
> ads reopen failed after error Time limit exceeded
> [2016/04/14 12:17:26.591154, 1, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_ads.c:319(query_user_list)
> query_user_list ads_search: Time limit exceeded
> [2016/04/14 12:17:26.591165, 3, pid=2873, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:1519(query_user_list)
> query_user_list: returned 0xc00000b5, retrying
>
> wbinfo -g instead shows
>
>
> [2016/04/14 12:19:10.877696, 3, pid=2873, effective(0, 0), real(0, 0)] ../lib/krb5_wrap/krb5_samba.c:2502(kerberos_get_principal_from_service_hostname)
> kerberos_get_principal_from_service_hostname: cannot get realm from, desthost host.domain.de or default ccache. Using default smb.conf realm DOMAIN.DE
> [2016/04/14 12:19:10.883354, 5, pid=2873, effective(0, 0), real(0, 0)] ../source3/libads/ldap_utils.c:81(ads_do_search_retry_internal)
> Search for (&(objectCategory=group)(&(groupType:dn:1.2.840.113556.1.4.803:=-2147483648)(!(groupType:dn:1.2.840.113556.1.4.803:=1)))) in <dc=DOMAIN,dc=DE> gave 31 replies
>
> There are only about 100 users, latest samba 4.2.10-rpm from centos7.
> winbind enum users is set to yes.
>
> Thanks for help
>

Can you please post your smb.conf

Rowland
On 15/04/16 10:33, Oktay Akbal wrote:
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.DE
> netbios name = HOST
> server string = HOST
> security = ADS
> encrypt passwords = Yes
> map to guest = Bad User
> password server = *
> log level = 3 vfs:0
> log file = /var/log/samba/log.%U
> max log size = 2000
> syslog = 0
> time server = Yes
> unix extensions = Yes
> os level = 2
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> # template homedir = /raid1/fileserver/homes/%U
> winbind separator = /
> printing = cups
> printcap name = cups
> cups server = other.domain.de
> veto files = /*.{*}/
> lanman auth = No
> client lanman auth = No
> cups options ="raw"
> create mask = 0775
> force create mode = 0775
> username map = /etc/samba/smbusers
>
>
> The config should not be the problem.
> The problem seems to be related to the badlock-patch. See samba-technical post of Hansjoerg Maurer.
> It seems that downgrading to older rpm works. But on Centos7 that means to downgrade from 4.2.10 to 4.2.3.
>

I beg to differ, your config is using the old deprecated setup, see here for the latest setup:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Are you running the 'winbindd' daemon?

Rowland
> On 15/04/16 10:33, Oktay Akbal wrote:
> > [global]
> > workgroup = DOMAIN
> > realm = DOMAIN.DE
> > netbios name = HOST
> > server string = HOST
> > security = ADS
> > encrypt passwords = Yes
> > map to guest = Bad User
> > password server = *
> > log level = 3 vfs:0
> > log file = /var/log/samba/log.%U
> > max log size = 2000
> > syslog = 0
> > time server = Yes
> > unix extensions = Yes
> > os level = 2
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > # template homedir = /raid1/fileserver/homes/%U
> > winbind separator = /
> > printing = cups
> > printcap name = cups
> > cups server = other.domain.de
> > veto files = /*.{*}/
> > lanman auth = No
> > client lanman auth = No
> > cups options ="raw"
> > create mask = 0775
> > force create mode = 0775
> > username map = /etc/samba/smbusers
> >
> >
> > The config should not be the problem.
> > The problem seems to be related to the badlock-patch. See samba-technical post of Hansjoerg Maurer.
> > It seems that downgrading to older rpm works. But on Centos7 that means to downgrade from 4.2.10 to 4.2.3.
> >
>
> I beg to differ, your config is using the old deprecated setup, see
> here for the latest setup:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Are you running the 'winbindd' daemon?
>

Sure. I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.