> > I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
> > BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.
>
> With the 'old system' you just have one range, this is now deprecated
> and you should use the new 'idmap config'. The old system could be removed.
>
> The wiki entry does explain how to create the keytab:
>
> net ads join -U administrator
>
> The keytab will be created for you during the join.
>
> Does 'Sure' mean you are running winbindd ?
> Are you also using 'sssd' ?

Already tried the idmap config and it does not make a difference. Will keep it.

Indeed the join creates that file. Since I already was in domain I had to create it.
Rejoined domain, keytab gets created. Still no difference. Everything works. wbinfo -u not.
Yes I use winbind and no to sssd.

I see other comments on how the latest updates broke domain authentication to some users (debian-list, centos7 forum etc.). I fear that there is a deeper problem with that patch.

On 15/04/16 12:05, Oktay Akbal wrote:
>>> I don't see where exactly the ways differ. I already played with idmap settings and keytab. It makes no difference.
>>> BTW the wiki entry does not explain how to create the keytab, so the setting is not really useful if you just follow that page.
>> With the 'old system' you just have one range, this is now deprecated
>> and you should use the new 'idmap config'. The old system could be removed.
>>
>> The wiki entry does explain how to create the keytab:
>>
>> net ads join -U administrator
>>
>> The keytab will be created for you during the join.
>>
>> Does 'Sure' mean you are running winbindd ?
>> Are you also using 'sssd' ?
>
> Already tried the idmap config and it does not make a difference. Will keep it.
>
> Indeed the join creates that file. Since I already was in domain I had to create it.
> Rejoined domain, keytab gets created. Still no difference. Everything works. wbinfo -u not.
> Yes I use winbind and no to sssd.
>
> I see other comments on how the latest updates broke domain authentication to some users (debian-list, centos7 forum etc.). I fear that there is a deeper problem with that patch.
>

OK, so your smb.conf is similar to the one on the wiki page, which idmap backend did you use ?
If it was the 'rid' backend then everything should work.
If it was the 'ad' backend, do your users have a unique 'uidNumber' attribute in AD and does 'Domain Users' have a 'gidNumber' attribute ?

Let's rule everything else out first, before pointing the finger at the update.

Rowland

> OK, so your smb.conf is similar to the one on the wiki page, which idmap
> backend did you use ?
> If it was the 'rid' backend then everything should work.
> If it was the 'ad' backend, do your users have a unique 'uidNumber'
> attribute in AD and does 'Domain Users' have a 'gidNumber' attribute ?
>

Thanks for your support.
I tried the rid backup since I did not want to mess the ad.
rid and tdb backend behave the same. No wbinfo -u.

Ok, I have tested a bit more also.

Now I have this problem also on some other servers with D. Jessie.

The sernet 4.2.11 debian wheezy works fine as far as I can see now.

All my member servers have these settings (see below).
Versions used are
4.1.17 (all ok) ( debian jessie packages )
4.2.20 (fail wbinfo -u) ( debian jessie packages )
4.2.11 (all ok) ( debian wheezy sernet packages )
4.3.6 (all ok) ( debian sid recompiled to jessie package )
4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )

2 servers, now both on 4.2.10
On both work:
id username
getent username
wbinfo -g

And both not wbinfo -u
Disabling tls didn't help.

Setting: ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.

Rebooted the server also.

DC's setup.
Backend AD.
All users have UID and needed groups also.

Config member server.
[global]
    workgroup = NTDOM
    security = ADS
    realm = INTERNAL.DOMAIN.TLD

    netbios name = memberserver10
    domain master = no
    host msdfs = no

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    client signing = if_required

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config NTDOM:backend = ad
    idmap config NTDOM:schema_mode = rfc2307
    idmap config NTDOM:range = 10000-3999999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind expand groups = 4

    wins server = 192.168.0.1, 192.168.0.2

    username map = /etc/samba/samba_usermapping

    usershare path

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    unix extensions = no
    wide links = no
    reset on zero vc = yes
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

    load printers = Yes
    printing = cups
    printcap name = cups

    tls enabled = yes
    tls keyfile = ....
    tls certfile = ....
    tls cafile = ....

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 15 April 2016 13:50
> To: sambalist
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not

On 15/04/16 13:43, L.P.H. van Belle wrote:
> Ok, I have tested a bit more also.
>
> Now I have this problem also on some other servers with D. Jessie.
>
> The sernet 4.2.11 debian wheezy works fine as far as I can see now.
>
> All my member servers have these settings (see below).
> Versions used are
> 4.1.17 (all ok) ( debian jessie packages )
> 4.2.20 (fail wbinfo -u) ( debian jessie packages )
> 4.2.11 (all ok) ( debian wheezy sernet packages )
> 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )
>
> 2 servers, now both on 4.2.10
> On both work:
> id username
> getent username
> wbinfo -g
>
> And both not wbinfo -u
> Disabling tls didn't help.
>
> Setting: ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.
>
> Rebooted the server also.
>
> DC's setup.
> Backend AD.
> All users have UID and needed groups also.
>
> Config member server.
> [global]
>     workgroup = NTDOM
>     security = ADS
>     realm = INTERNAL.DOMAIN.TLD
>
>     netbios name = memberserver10
>     domain master = no
>     host msdfs = no
>
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>     client signing = if_required
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     idmap config NTDOM:backend = ad
>     idmap config NTDOM:schema_mode = rfc2307
>     idmap config NTDOM:range = 10000-3999999
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
>     winbind enum users = yes
>     winbind enum groups = yes
>     winbind refresh tickets = yes
>     winbind offline logon = yes
>     winbind expand groups = 4
>
>     wins server = 192.168.0.1, 192.168.0.2
>
>     username map = /etc/samba/samba_usermapping
>
>     usershare path
>
>     vfs objects = acl_xattr
>     map acl inherit = Yes
>     store dos attributes = Yes
>
>     unix extensions = no
>     wide links = no
>     reset on zero vc = yes
>     veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>     hide unreadable = yes
>
>     load printers = Yes
>     printing = cups
>     printcap name = cups
>
>     tls enabled = yes
>     tls keyfile = ....
>     tls certfile = ....
>     tls cafile = ....
>

OK, this is strange, getent works but 'wbinfo -u' doesn't, it is usually the other way round :-)

Louis, you probably already have cranked the log level up to 10, but if you haven't, can you and then see if anything pops up.

As for your list of versions:

4.1.17 (all ok) ( debian jessie packages ) You really need to upgrade
4.2.20 (fail wbinfo -u) ( debian jessie packages ) Where did this come from, highest Samba 4.2 version: 4.2.11
4.2.11 (all ok) ( debian wheezy sernet packages )
4.3.6 (all ok) ( debian sid recompiled to jessie package )
4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package ) Do not use, use 4.3.8

Rowland

Yeah, I have an output of log level 10 while I do a wbinfo -u.

As for the packages below.
4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this problem.
4.2.20 .. error typo, is Version 4.2.10-Debian
4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package version debian used for the latest CVE fixes.
I'm waiting until 4.4.2 is out of experimental so I can create a new package.

As far as I can see, it only happens with the jessie patched packages.
Still testing..

What I also see is that when I do the "wbinfo -u" I see a slow down.
Looks like it's getting info but not displaying.
I see for example:
log.winbindd: validate_ns: NS/NTDOM/USERNAME ok
( all my users are there like this )

But I'm not good at debugging the samba log.. :-( there are too many in there..
Still looking...

Tried a third server, same problem.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 15 April 2016 15:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not