Yeah, I have an output of log level 10 while I do a wbinfo -u.

As for the packages below.
4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this problem.

4.2.20 .. error typo, is Version 4.2.10-Debian

4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package version debian used for the latest CVE fixes.

I'm waiting until 4.4.2 is out of experimental so I can create a new package.

As far as I can see, it only happens with the jessie patched packages.

Still testing..
What I also see is that when I do the "wbinfo -u" I see a slow down.
Looks like it is getting info but not displaying.

I see for example :
log.winbindd: validate_ns: NS/NTDOM/USERNAME ok
( all my users are there like this )

But I'm not good at debugging the samba log.. :-( there are too many in there..
Still looking... Tried a third server, same problem.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 15 April 2016 15:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not
>
> On 15/04/16 13:43, L.P.H. van Belle wrote:
> > Ok, I have tested a bit more also.
> >
> > Now I have this problem also on some other servers with D. Jessie.
> >
> > The sernet 4.2.11 debian wheezy works fine as far as I can see now.
> >
> > All my member servers have these settings ( see below ).
> > Versions used are
> > 4.1.17 (all ok) ( debian jessie packages )
> > 4.2.20 (fail wbinfo -u) ( debian jessie packages )
> > 4.2.11 (all ok) ( debian wheezy sernet packages )
> > 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> > 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package )
> >
> > 2 servers, now both on 4.2.10
> > On both work :
> > id username
> > getent username
> > wbinfo -g
> >
> > And both not wbinfo -u
> > disabling tls didn't help.
> >
> > Setting : ldap server require strong auth = no, yes or allow_sasl_over_tls didn't help.
> >
> > Rebooted the server also.
> >
> > DC's setup.
> > Backend AD.
> > All users have UID and needed groups also.
> >
> > Config member server.
> > [global]
> > workgroup = NTDOM
> > security = ADS
> > realm = INTERNAL.DOMAIN.TLD
> >
> > netbios name = memberserver10
> > domain master = no
> > host msdfs = no
> >
> > dedicated keytab file = /etc/krb5.keytab
> > kerberos method = secrets and keytab
> > client signing = if_required
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config NTDOM:backend = ad
> > idmap config NTDOM:schema_mode = rfc2307
> > idmap config NTDOM:range = 10000-3999999
> >
> > winbind nss info = rfc2307
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> > winbind offline logon = yes
> > winbind expand groups = 4
> >
> > wins server = 192.168.0.1, 192.168.0.2
> >
> > username map = /etc/samba/samba_usermapping
> >
> > usershare path
> >
> > vfs objects = acl_xattr
> > map acl inherit = Yes
> > store dos attributes = Yes
> >
> > unix extensions = no
> > wide links = no
> > reset on zero vc = yes
> > veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
> > hide unreadable = yes
> >
> > load printers = Yes
> > printing = cups
> > printcap name = cups
> >
> > tls enabled = yes
> > tls keyfile = ....
> > tls certfile = ....
> > tls cafile = ....
>
> OK, this is strange, getent works but 'wbinfo -u' doesn't, it is usually
> the other way round :-)
>
> Louis, you probably already have cranked the log level up to 10, but if
> you haven't, can you and then see if anything pops up.
>
> As for your list of versions:
>
> 4.1.17 (all ok) ( debian jessie packages ) You really need to upgrade
> 4.2.20 (fail wbinfo -u) ( debian jessie packages ) Where did this come from, highest Samba 4.2 version: 4.2.11
> 4.2.11 (all ok) ( debian wheezy sernet packages )
> 4.3.6 (all ok) ( debian sid recompiled to jessie package )
> 4.3.7 (fail wbinfo -u) ( debian sid recompiled to jessie package ) Do not use, use 4.3.8
>
> Rowland
On 15/04/16 14:54, L.P.H. van Belle wrote:
> Yeah, I have an output of log level 10 while I do a wbinfo -u.
>
> As for the packages below.
> 4.1.17, yes, I'm upgrading these as we speak, but now on hold due to this problem.
>
> 4.2.20 .. error typo, is Version 4.2.10-Debian
>
> 4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package version debian used for the latest CVE fixes.

OK, just who in Debian cannot read ??? :-D

If you look here: https://www.samba.org/samba/history/

It clearly says 'samba-4.3.7 (do not use)' .

Not to say this is the problem, but it cannot be helping.

Rowland

> I'm waiting until 4.4.2 is out of experimental so I can create a new package.
>
> As far as I can see, it only happens with the jessie patched packages.
>
> Still testing..
> What I also see is that when I do the "wbinfo -u" I see a slow down.
> Looks like it is getting info but not displaying.
>
> I see for example :
> log.winbindd: validate_ns: NS/NTDOM/USERNAME ok
> ( all my users are there like this )
>
> But I'm not good at debugging the samba log.. :-( there are too many in there..
> Still looking... Tried a third server, same problem.
>
> Greetz,
>
> Louis
On Fri, 2016-04-15 at 15:54 +0200, L.P.H. van Belle wrote:
> I'm waiting until 4.4.2 is out of experimental so I can create a new
> package.

I won't be packaging 4.4.2 for experimental, as it is the same as what we already packaged as 4.4.1 (see the changelog, we already included the regression patch).

Depending entirely on time constraints, when we release 4.4.3 I'll package that for experimental. I'll probably wait until we get one more 4.3 package done and migrated to testing, and then I'll push 4.4.3 to unstable.

I would love someone to take on building a backported jessie package for 4.4 in backports.debian.net

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Andrew Bartlett
2016-Apr-15 20:06 UTC
[Samba] Debian release version numbers for the April 2016 sec release
On Fri, 2016-04-15 at 15:31 +0100, Rowland penny wrote:
> On 15/04/16 14:54, L.P.H. van Belle wrote:
> > Yeah, I have an output of log level 10 while I do a wbinfo -u.
> >
> > As for the packages below.
> > 4.1.17, yes, I'm upgrading these as we speak, but now on hold due to
> > this problem.
> >
> > 4.2.20 .. error typo, is Version 4.2.10-Debian
> >
> > 4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package
> > version debian used for the latest CVE fixes.
>
> OK, just who in Debian cannot read ??? :-D

Rowland, please take more care in your statements.

> If you look here: https://www.samba.org/samba/history/
>
> It clearly says 'samba-4.3.7 (do not use)' .
>
> Not to say this is the problem, but it cannot be helping.

This is entirely and totally unrelated. The regression fixed in the 4.3.8 package is in a patch already included in Debian's 4.3.7, as they were substantially prepared before the new tarballs were provided.

Given deadlines and workload before a fixed embargo release time, of the *eight* packages released (including backports of tdb, talloc, ldb and tevent), the three Samba packages for which a late re-release was made were deliberately not re-made with the new version number.

I hope this clarifies things.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
L.P.H. van Belle
2016-Apr-16 20:09 UTC
[Samba] Domain member seems to work, wbinfo -u not (update2)
New update.

I now have done about 6 machines.
2 with samba 4.2.10 work fine, 2 not.
1 with samba 4.3.7 works fine, 1 not.

I saw Jelmer updated the samba to 4.3.8 in sid, so I recompiled these to jessie.
I upgraded the 4.3.7 to 4.3.8
Same result. Wbinfo -g works, -u not. For both servers.

I notice one strange thing here.
I have 2 servers, both samba 4.2.10, all stock debian packages.
My file server and my print server, both installed with the same script.
Only the name changed here in the script. One works ok, one not.

I notice some difference between these 2.

The file server, "wbinfo -u" works, and "getent passwd" works.
The print server, "wbinfo -u" does not work, and "getent passwd" does not work,
but "getent passwd username" works.

Also the output is a bit different.
File server shows : username:*:10002:10000:U. username:/home/users/username:/bin/bash
Print server shows : username:*:10002:10000::/home/users/username:/bin/bash

So anyone an idea where to look from here. But ^^^ must be a clue..

What I checked to see if settings are the same on both servers.
Samba smb.conf, beside hostnames ip shares used, all same.
Resolv.conf checked.
Nsswitch.conf checked.
Added the TLS parameters, ssl, checked.
Idmap.conf checked. ( needed for the nfs kerberized things )
UID/GID all there where it's needed.

An example of my config.

[global]
workgroup = NTDOM
security = ADS
realm = REALM.DOM
netbios name = PRINT1
domain master = no
host msdfs = no
dns proxy = yes

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab
client signing = if_required

## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config NTDOM: backend = ad
idmap config NTDOM: schema_mode = rfc2307
idmap config NTDOM: range = 10000-3999999

# Use home directory and shell information from AD
winbind nss info = rfc2307

winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 4
winbind enum users = yes
winbind enum groups = yes
# offline login and refresh keytab (tickets)
winbind refresh tickets = yes
winbind offline logon = yes

# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

#Add and Update TLS Key
tls enabled = yes
tls keyfile = /etc/ssl/private/SOMEFILEk.pem
tls certfile = /etc/ssl/certs/SOMEFILEc.pem
tls cafile = /etc/ssl/certs/COMPANY-ca.pem

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Saturday 16 April 2016 14:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member seems to work, wbinfo -u not (update1)
>
> Ok, an update on this.
>
> My setup was :
> DC's : Debian wheezy, sernet samba 4.2.11
> Members: Debian jessie, ( different versions samba, shown below )
>
> Now I saw also some strange thing in my setup, which must be an inheritance
> of the install a few years ago.
>
> What I did.
> I removed my DC2 from the domain with --demote.
> Checked, and removed all other DC2 references in AD and DNS.
>
> I upgraded my DC1 from wheezy to jessie, still sernet samba 4.2.11.
> After the complete upgrade of the os, I rechecked my dns and ad, all ok now.
>
> I upgraded my DC2 from wheezy to jessie, also sernet samba 4.2.11
> I rejoined the domain.
>
> I saw a few things.
> 1) if the resolv.conf is set as advised, I got auth fails, and I got
> errors with sambadns_upgrade.
> Solution, set both servers' resolv.conf to first themselves.
> Sambadns updates work fine now, change it back when all is done.
>
> 2) after the DC2 join I'm still missing a right on
> /var/lib/samba/private/dns.keytab
> Solution, chgrp bind /var/lib/samba/private/dns.keytab && chmod 640
> /var/lib/samba/private/dns.keytab
>
> I gave my servers now some time to sync, checking too soon results in errors,
> so give it some time.
> Checked my status of both servers, all ok.
>
> Now I logged in on one of the failing (wbinfo -u) servers.
> So I tested 2 servers for now.
> Both exact same setup, ( all my setups are the same, because of the
> scripted installs ),
> The only difference is what I use them for.
> So my print server, Debian samba 4.3.7 , wbinfo -u , not working, but
> everything works,
> And I see the delay where I normally see the output.
> My mail server, Debian samba 4.2.10 , wbinfo -u works now, without
> changing everything.
>
> I'm not done yet, but this is a heads up.
>
> When I find more, I'll post some extra info.
>
> Greetz,
>
> Louis
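Added example (not part of the original thread, and not Samba project code): the "all same" smb.conf check described in the post above, done as a normalized comparison so that spelling differences such as `idmap config *:backend` versus `idmap config *: backend` do not hide or fake a difference. It relies on the smb.conf(5) rule that case and whitespace in section and parameter names are irrelevant; the function names, the ignore list and the shortened sample configs are assumptions made for this sketch.

```python
# Added example, not code from the thread. Names and sample data are assumptions.
BOOL_WORDS = {"yes": True, "true": True, "no": False, "false": False}
# Parameters expected to differ per host (hypothetical choice for this sketch).
EXPECTED_TO_DIFFER = {"netbiosname"}

# Constructed samples: shortened from the two member configs quoted in the thread.
MEMBER_CONF = """
[global]
    netbios name = memberserver10
    idmap config *:backend = tdb
    winbind enum users = yes
    wins server = 192.168.0.1, 192.168.0.2
    load printers = Yes
    printing = cups
"""
PRINT_CONF = """
[global]
    netbios name = PRINT1
    ## map id's outside to domain to tdb files.
    idmap config *: backend = tdb
    winbind enum users = yes
    dns proxy = yes
    load printers = no
    printing = bsd
"""


def norm_name(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant.
    return "".join(name.split()).lower()


def norm_value(value):
    # Fold boolean spellings; leave everything else (paths, ranges) untouched.
    return BOOL_WORDS.get(value.lower(), value)


def parse_smb_conf(text):
    """Return {(section, parameter): raw value} with normalized names."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm_name(line[1:-1])
            continue
        name, sep, value = line.partition("=")   # only the first '=' counts
        if sep:
            params[(section, norm_name(name))] = value.strip()
    return params


def diff_conf(a_text, b_text, ignore=EXPECTED_TO_DIFFER):
    """Return (only_in_a, only_in_b, changed) for two smb.conf texts."""
    a, b = parse_smb_conf(a_text), parse_smb_conf(b_text)
    only_a = sorted(k for k in a.keys() - b.keys() if k[1] not in ignore)
    only_b = sorted(k for k in b.keys() - a.keys() if k[1] not in ignore)
    changed = {k: (a[k], b[k]) for k in a.keys() & b.keys()
               if k[1] not in ignore and norm_value(a[k]) != norm_value(b[k])}
    return only_a, only_b, changed
```

Calling `diff_conf(MEMBER_CONF, PRINT_CONF)` on the samples reports `wins server` only on the first host, `dns proxy` only on the second, and the two printing parameters as changed; it compares the files as written, not the effective settings after Samba applies its defaults.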
Rowland penny
2016-Apr-16 20:31 UTC
[Samba] Domain member seems to work, wbinfo -u not (update2)
On 16/04/16 21:09, L.P.H. van Belle wrote:
> New update.
>
> I now have done about 6 machines.
> 2 with samba 4.2.10 work fine, 2 not.
> 1 with samba 4.3.7 works fine, 1 not.
>
> I saw Jelmer updated the samba to 4.3.8 in sid, so I recompiled these to jessie.
> I upgraded the 4.3.7 to 4.3.8

Hi Louis, debian 4.2.10 is the same as Samba 4.2.11 and debian 4.3.7 is the same as 4.3.8. There was a regression and this was fixed with a patch, the debian packages install the patch separately, the later Samba tarballs include the patch. This confused the hell out of me, until it was explained.

> Same result. Wbinfo -g works, -u not. For both servers.
>
> I notice one strange thing here.
> I have 2 servers, both samba 4.2.10, all stock debian packages.
> My file server and my print server, both installed with the same script.
> Only the name changed here in the script. One works ok, one not.
>
> I notice some difference between these 2.
>
> The file server, "wbinfo -u" works, and "getent passwd" works.
> The print server, "wbinfo -u" does not work, and "getent passwd" does not work,
> but "getent passwd username" works.
>
> Also the output is a bit different.
> File server shows : username:*:10002:10000:U. username:/home/users/username:/bin/bash
> Print server shows : username:*:10002:10000::/home/users/username:/bin/bash
>
> So anyone an idea where to look from here. But ^^^ must be a clue..
>
> What I checked to see if settings are the same on both servers.
> Samba smb.conf, beside hostnames ip shares used, all same.
> Resolv.conf checked.
> Nsswitch.conf checked.
> Added the TLS parameters, ssl, checked.
> Idmap.conf checked. ( needed for the nfs kerberized things )
> UID/GID all there where it's needed.
>
> An example of my config.
>
> [global]
> workgroup = NTDOM
> security = ADS
> realm = REALM.DOM
> netbios name = PRINT1
> domain master = no
> host msdfs = no
> dns proxy = yes
>
> kerberos method = secrets and keytab
> dedicated keytab file = /etc/krb5.keytab
> client signing = if_required
>
> ## map id's outside to domain to tdb files.
> idmap config *: backend = tdb
> idmap config *: range = 2000-9999
> ## map ids from the domain and (*) the range may not overlap !
> idmap config NTDOM: backend = ad
> idmap config NTDOM: schema_mode = rfc2307
> idmap config NTDOM: range = 10000-3999999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind expand groups = 4
> winbind enum users = yes
> winbind enum groups = yes
> # offline login and refresh keytab (tickets)
> winbind refresh tickets = yes
> winbind offline logon = yes
>
> # disable printing completely
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> #Add and Update TLS Key
> tls enabled = yes
> tls keyfile = /etc/ssl/private/SOMEFILEk.pem
> tls certfile = /etc/ssl/certs/SOMEFILEc.pem
> tls cafile = /etc/ssl/certs/COMPANY-ca.pem
>
> Greetz,
>
> Louis

I am now updating my DC's and I will set up a new domain member (in a VM) using a self compiled 4.4.2, I will report back later.

Rowland