> On 15/04/16 10:33, Oktay Akbal wrote:
> > [global]
> > workgroup = DOMAIN
> > realm = DOMAIN.DE
> > netbios name = HOST
> > server string = HOST
> > security = ADS
> > encrypt passwords = Yes
> > map to guest = Bad User
> > password server = *
> > log level = 3 vfs:0
> > log file = /var/log/samba/log.%U
> > max log size = 2000
> > syslog = 0
> > time server = Yes
> > unix extensions = Yes
> > os level = 2
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > # template homedir = /raid1/fileserver/homes/%U
> > winbind separator = /
> > printing = cups
> > printcap name = cups
> > cups server = other.domain.de
> > veto files = /*.{*}/
> > lanman auth = No
> > client lanman auth = No
> > cups options ="raw"
> > create mask = 0775
> > force create mode = 0775
> > username map = /etc/samba/smbusers
> >
> > The config should not be the problem.
> > The problem seems to be related to the badlock-patch. See samba-technical post of Hansjoerg Maurer.
> > It seems that downgrading to older rpm works. But on Centos7 that means to downgrade from 4.2.10 to 4.2.3.
>
> I beg to differ, your config is using the old deprecated setup, see
> here for the latest setup:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Are you running the 'winbindd' daemon ?

Sure.

I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.

On 15/04/16 11:11, Oktay Akbal wrote:
>> On 15/04/16 10:33, Oktay Akbal wrote:
>>> [global]
>>> workgroup = DOMAIN
>>> realm = DOMAIN.DE
>>> netbios name = HOST
>>> server string = HOST
>>> security = ADS
>>> encrypt passwords = Yes
>>> map to guest = Bad User
>>> password server = *
>>> log level = 3 vfs:0
>>> log file = /var/log/samba/log.%U
>>> max log size = 2000
>>> syslog = 0
>>> time server = Yes
>>> unix extensions = Yes
>>> os level = 2
>>> winbind uid = 10000-20000
>>> winbind gid = 10000-20000
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> # template homedir = /raid1/fileserver/homes/%U
>>> winbind separator = /
>>> printing = cups
>>> printcap name = cups
>>> cups server = other.domain.de
>>> veto files = /*.{*}/
>>> lanman auth = No
>>> client lanman auth = No
>>> cups options ="raw"
>>> create mask = 0775
>>> force create mode = 0775
>>> username map = /etc/samba/smbusers
>>>
>>> The config should not be the problem.
>>> The problem seems to be related to the badlock-patch. See samba-technical post of Hansjoerg Maurer.
>>> It seems that downgrading to older rpm works. But on Centos7 that means to downgrade from 4.2.10 to 4.2.3.
>>
>> I beg to differ, your config is using the old deprecated setup, see
>> here for the latest setup:
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>> Are you running the 'winbindd' daemon ?
>>
> Sure.
>
> I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
> BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.

With the 'old system' you just have one range, this is now deprecated and you should use the new 'idmap config'. The old system could be removed.

The wiki entry does explain how to create the keytab:

net ads join -U administrator

The keytab will be created for you during the join.

Does 'Sure' mean you are running winbindd ?
Are you also using 'sssd' ?

Rowland

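The difference between the old single range and 'idmap config' raised in the message above, as an added example that is not part of the original thread: a small Python check that flags the old range parameters in an smb.conf [global] section and verifies that 'idmap config' ranges include a default and do not overlap. The backends (tdb, rid) and the default range 3000-7999 are assumptions chosen for illustration, not values from the posters' servers.

```python
import re

# Constructed samples: the range settings quoted in the thread, then an
# 'idmap config' layout (backends and the '*' range are assumptions).
OLD_CONF = """
[global]
    workgroup = DOMAIN
    winbind uid = 10000-20000
    winbind gid = 10000-20000
"""
NEW_CONF = """
[global]
    workgroup = DOMAIN
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config DOMAIN : backend = rid
    idmap config DOMAIN : range = 10000-20000
"""

# Old single-range parameters ('winbind uid/gid' are synonyms of 'idmap uid/gid').
OLD_RANGE = {"winbinduid", "winbindgid", "idmapuid", "idmapgid"}

def audit_idmap(conf_text):
    """Return a list of findings for the [global] section of an smb.conf."""
    findings, ranges, section = [], {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = re.sub(r"\s+", "", name).lower()  # names ignore case and spaces
        if key in OLD_RANGE:
            findings.append(f"old single-range parameter: {name}")
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        if m:
            low, high = (int(n) for n in value.split("-"))
            ranges[m.group(1)] = (low, high)
    if ranges and "*" not in ranges:
        findings.append("no default 'idmap config * : range'")
    doms = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, r1), (d2, r2) in zip(doms, doms[1:]):  # sorted by lower bound
        if r2[0] <= r1[1]:
            findings.append(f"overlapping ranges: {d1} and {d2}")
    return findings
```

Moving an existing member from the old range to a different idmap backend can change the UIDs and GIDs winbind assigns, so file ownership on the server should be checked after such a change.
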
> > I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
> > BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.
>
> With the 'old system' you just have one range, this is now deprecated
> and you should use the new 'idmap config'. The old system could be removed.
>
> The wiki entry does explain how to create the keytab:
>
> net ads join -U administrator
>
> The keytab will be created for you during the join.
>
> Does 'Sure' mean you are running winbindd ?
> Are you also using 'sssd' ?

Already tried the idmap config and it does not make a difference. Will keep it.

Indeed the join creates that file. Since I already was in domain I had to create it.
Rejoined domain, keytab gets created. Still no difference. Everything works. wbinfo -u not.
Yes I use winbind and no to sssd.

I see other comments on how the latest updates broke domain authentication to some users (debian-list, centos7 forum etc.). I fear that there is a deeper problem with that patch.

Hi,

I can confirm this also for the Debian 4.3.7 packages.

My print server works fine, but..
wbinfo -g all groups.
wbinfo -u nothing.
wbinfo -p success
wbinfo -t success

All I added was some tls parameters.
tls enabled = yes
tls keyfile = ....
tls certfile = ....
tls cafile = ....

smbd -V
Version 4.3.7-Debian ( recompiled version of debian Sid )

id username works.
getent passwd username works.

And other server, exact same setup but running :
smbd -V
Version 4.2.10-Debian
With same smb.conf and same modifications works fine.

No errors in any log.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Oktay Akbal
> Sent: Friday 15 April 2016 13:05
> To: Rowland penny
> CC: sambalist
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
>
> > > I don't see where exactly the ways differ. I already played with idmap
> > > settings and keytab. It makes no difference.
> > > BTW the wiki entry does not explain how to create the keytab, so the
> > > setting is not really useful if you just follow that page.
> >
> > With the 'old system' you just have one range, this is now deprecated
> > and you should use the new 'idmap config'. The old system could be
> > removed.
> >
> > The wiki entry does explain how to create the keytab:
> >
> > net ads join -U administrator
> >
> > The keytab will be created for you during the join.
> >
> > Does 'Sure' mean you are running winbindd ?
> > Are you also using 'sssd' ?
>
> Already tried the idmap config and it does not make a difference. Will
> keep it.
>
> Indeed the join creates that file. Since I already was in domain I had to
> create it.
> Rejoined domain, keytab gets created. Still no difference. Everything
> works. wbinfo -u not.
> Yes I use winbind and no to sssd.
>
> I see other comments on how the latest updates broke domain authentication
> to some users (debian-list, centos7 forum etc.). I fear that there is a
> deeper problem with that patch.