L.P.H. van Belle
2016-Apr-20 09:05 UTC
[Samba] FW: FW: Domain member seems to work, wbinfo -u not (update10)
Hai again.

Today I did some new tests.
The trick below (previous e-mail) works sometimes with 4.2.10 and 4.3.8.
The trick works always with 4.4.2, my own deb build (not installed from source), tested now on 3 servers. All same result.
I checked out the server I did yesterday, still working without any problems.

So I'm wondering what's the difference between 4.2.10, 4.3.8, 4.4.1 in the Debian packages and my Debian build of 4.4.2.

The 4.4.2 build I made was the source from samba.org.
I took the "debian" folder from 4.4.1 and added this in the source of samba 4.4.2.
I removed only one patch, since that is in 4.4.2 from source.
Patch: security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt
I did rebuild tevent, ldb, tdb, talloc etc. from Debian sid.

And now I can't make it fail again, independent of the settings.

I hope this helps someone.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> Sent: Tuesday, 19 April 2016 15:11
> To: samba at lists.samba.org
> Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not (update8) (solved maybe?)
>
> Ok.
> New test, Debian samba 4.2.10 (all stock Debian packages)
>
> So others with 4.2.10 stock Debian packages, please test also if below works.
>
> The file server on which (wbinfo -u) worked Saturday, and not on Sunday until now.
>
> None of these three settings below are in the config and wbinfo -u fails.
>
> Now adding these settings !! one at a time !!
> And I reloaded samba and restarted winbind every time.
>
> client ldap sasl wrapping = plain
> client ldap sasl wrapping = seal
> client ldap sasl wrapping = sign
>
> Result in the end.
>
> I started with plain, wbinfo -u works, but the first time a long delay before I see the output (long is +4-5 sec).
> Changed it to seal, wbinfo -u works.
> And back to the samba default "sign", which now also works.
> So seems fixed now.
> Strange..
>
> Removed the client ldap sasl wrapping from the config.
> All still works.
>
> I'll check this server tomorrow again.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle
> > Sent: Tuesday, 19 April 2016 12:48
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not (update7)
> >
> > @Patrick Thanks, that helped.
> > @Mathias, only 10.000 objects.
> >
> > >> client ldap sasl wrapping = plain <<
> >
> > I've tested that on my members.
> > 4.2.10
> > 4.3.8
> > 4.4.1
> > 4.4.2
> > wbinfo -u now works.
> >
> > Ok, tested all 3 options of that setting.
> > Tested also in the order plain, seal, sign.
> >
> > Samba 4.2.10 (Debian stable)
> > client ldap sasl wrapping = plain    wbinfo -u works.
> > client ldap sasl wrapping = seal     wbinfo -u fails
> > client ldap sasl wrapping = sign     wbinfo -u fails
> > Only plain works, and keeps working.
> >
> > Other server.
> > Version 4.4.2-LvB (samba.org packages, own deb, based on Debian 4.4.1)
> > Default it fails, now the funny part.
> > (default samba setting is sign)
> > We start with a NOT working wbinfo -u.
> >
> > Test with following changes.
> > Try1) client ldap sasl wrapping = plain    wbinfo -u works.
> > Try2) client ldap sasl wrapping = seal     wbinfo -u also works now.
> > Try3) client ldap sasl wrapping = sign     wbinfo -u also works now.
> >
> > Only the 4.4.2 now keeps working independent of the setting.
> > Lunch first, I'll test the 4.3.8 also.
> >
> > Greetz,
> >
> > Louis
> >
> > > -----Original message-----
> > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick G. Stoesser
> > > Sent: Tuesday, 19 April 2016 12:21
> > > To: samba at lists.samba.org
> > > Subject: Re: [Samba] After Update to 4.2, Samba is unusable as member server / No user and group resolution
> > >
> > > Hello,
> > >
> > > a reply in debianforum.de led me to:
> > >
> > > client ldap sasl wrapping = plain
> > >
> > > and with that setting at least wbinfo works.
> > >
> > > But still my problems are not completely gone: On the filesystem level, AD users and groups are still not resolved. "Invalid user". But kinit "USER" works. Still have to try...
> > >
> > > Regards, pgs
> > >
> > > On 16.04.2016 at 19:08, Patrick G. Stoesser wrote:
> > > > Hello everybody,
> > > >
> > > > I've been running Samba as an AD member server for ages (Debian stable).
> > > > After the last update to 4.2, I just can't get it to work.
> > > >
> > > > Symptoms: unable to map AD users / groups.
> > > >
> > > > After two days of unsuccessfully fiddling (and moving all data to another server with still Samba 3.6, which I will definitely NOT update at the moment), I decided to purge my installation and start over again like described in
> > > > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> > > >
> > > > So now my setup is (all names and IPs are masked, but are correct here):
> > > >
> > > > ********************************************************************
> > > > smb.conf
> > > > ********************************************************************
> > > > [global]
> > > >
> > > > netbios name = test-fileserver3
> > > > security = ADS
> > > > workgroup = AD
> > > > realm = AD.test.loc
> > > >
> > > > log file = /var/log/samba/%m.log
> > > > log level = 3
> > > >
> > > > dedicated keytab file = /etc/krb5.keytab
> > > > kerberos method = secrets and keytab
> > > > winbind refresh tickets = yes
> > > >
> > > > winbind trusted domains only = no
> > > > winbind use default domain = yes
> > > > winbind enum users = yes
> > > > winbind enum groups = yes
> > > >
> > > > idmap config *:backend = tdb
> > > > idmap config *:range = 2000-9999
> > > >
> > > > idmap config AD:backend = ad
> > > > idmap config AD:schema_mode = rfc2307
> > > > idmap config AD:range = 10000-95000
> > > >
> > > > winbind nss info = template
> > > > # template shell = /sbin/nologin
> > > > # template homedir = /home/%U
> > > > ********************************************************************
> > > >
> > > >
> > > > ********************************************************************
> > > > nsswitch.conf
> > > > ********************************************************************
> > > > passwd: files winbind
> > > > group: files winbind
> > > > hosts: files dns
> > > > shadow: files winbind
> > > >
> > > > networks: files
> > > >
> > > > protocols: db files
> > > > services: db files
> > > > ethers: db files
> > > > rpc: db files
> > > >
> > > > netgroup: nis
> > > > ********************************************************************
> > > >
> > > >
> > > > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> > > >
> > > > ********************************************************************
> > > > krb5.conf
> > > > ********************************************************************
> > > >
> > > > [libdefaults]
> > > > default_realm = AD.TEST.LOC
> > > > clockskew = 900
> > > >
> > > > # The following libdefaults parameters are only for Heimdal Kerberos.
> > > > v4_instance_resolve = false
> > > > v4_name_convert = {
> > > >     host = {
> > > >         rcmd = host
> > > >         ftp = ftp
> > > >     }
> > > >     plain = {
> > > >         something = something-else
> > > >     }
> > > > }
> > > > fcc-mit-ticketflags = true
> > > >
> > > > [realms]
> > > > TEST.TEST.LOC = {
> > > >     kdc = dc.ad.test.loc
> > > >     kdc = dc1.ad.test.loc
> > > >     kdc = dc2.ad.test.loc
> > > >     kdc = dc3.ad.test.loc
> > > >     admin_server = dc.test.loc
> > > > }
> > > >
> > > > [domain_realm]
> > > > .test.loc = AD.TEST.LOC
> > > >
> > > > [login]
> > > > krb4_convert = true
> > > > krb4_get_tickets = false
> > > >
> > > > [logging]
> > > > kdc = FILE:/var/log/krb5/krb5kdc.log
> > > > admin_server = FILE:/var/log/krb5/kadmind.log
> > > > default = SYSLOG:NOTICE:DAEMON
> > > > ********************************************************************
> > > >
> > > > libpam.winbind and libnss.winbind are installed.
> > > >
> > > >
> > > > Name resolution works (as before...):
> > > >
> > > > host -t A dc.ad.test.loc
> > > > dc.ad.test.loc has address 123.456.789.208
> > > >
> > > > getent hosts
> > > > 127.0.0.1 localhost
> > > > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> > > >
> > > > Time is synchronized (as before...)
> > > >
> > > > net join ads -U "Domainadmin" worked.
> > > >
> > > > smbd, nmbd, winbind start successfully.
> > > > wbinfo -t and -p are successful.
> > > >
> > > > But still no resolution. wbinfo -g and -u give no result. Also, getent passwd delivers only local accounts.
> > > >
> > > > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > > > [2016/04/16 18:52:45.713298, 3]
> > > > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > > > Failed to map kerberos principal to system user (NT_STATUS_LOGON_FAILURE)"
> > > >
> > > > I tried, as read in the list, to change idmap config AD:backend = ad to rid. No change in results.
> > > >
> > > > Anyone any idea? I'm momentarily at the end of mine.
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions: https://lists.samba.org/mailman/options/samba
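The workaround passed around in this thread, "client ldap sasl wrapping = plain", has a security cost that the messages do not spell out: per the smb.conf manual, "sign" (the default) signs winbind's LDAP traffic to the domain controller and "seal" signs and encrypts it, while "plain" does neither. A member server left on "plain" after the troubleshooting is done talks to its DC over unsigned, unencrypted LDAP. The following Python script, added here as an example and not code from the thread or from the Samba project, is a small offline linter for an AD member's smb.conf: it flags the "plain" downgrade and also sanity-checks the idmap ranges that are part of the same configuration. The function names, the sample configuration (modelled on the smb.conf posted above, with the workaround added) and the findings' wording are this example's own.

```python
"""Offline sanity check for a Samba AD member smb.conf (added example).

Function names (parse_smbconf, idmap_config, check_member_smbconf) and the
sample configuration are constructed for this example; they are not from the
mailing-list thread or from Samba itself.
"""
import re

# Constructed sample, modelled on the smb.conf posted in the thread, with the
# thread's workaround ("client ldap sasl wrapping = plain") added so the
# downgrade finding fires.
SAMPLE_SMBCONF = """\
[global]
   netbios name = test-fileserver3
   security = ADS
   workgroup = AD
   realm = AD.test.loc
   client ldap sasl wrapping = plain

   idmap config * : backend = tdb
   idmap config * : range = 2000-9999
   idmap config AD : backend = ad
   idmap config AD : schema_mode = rfc2307
   idmap config AD : range = 10000-95000
   winbind nss info = template
"""

# "idmap config DOM : option" keys, after lower-casing and whitespace squeezing.
_IDMAP_RE = re.compile(r"^idmap config\s*(?P<dom>\S+?)\s*:\s*(?P<opt>\w+)$")


def _norm_key(key):
    """Lower-case a parameter name and collapse runs of whitespace."""
    return " ".join(key.lower().split())


def parse_smbconf(text):
    """Return {section: {key: value}} for an smb.conf-style text.

    Full-line comments start with '#' or ';'; section names are lower-cased.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][_norm_key(key)] = value.strip()
    return conf


def idmap_config(conf):
    """Return {DOMAIN: {option: value}} from the 'idmap config' parameters."""
    out = {}
    for key, value in conf.get("global", {}).items():
        m = _IDMAP_RE.match(key)
        if m:
            out.setdefault(m.group("dom").upper(), {})[m.group("opt")] = value
    return out


def _parse_range(value):
    lo, hi = (int(x) for x in value.split("-", 1))
    return lo, hi


def check_member_smbconf(text):
    """Return a list of findings (empty when nothing looks wrong)."""
    conf = parse_smbconf(text)
    g = conf.get("global", {})
    findings = []

    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': not configured as an AD member")
    if not g.get("realm"):
        findings.append("realm is not set")

    # Default for 'client ldap sasl wrapping' is 'sign' (smb.conf manual).
    wrap = g.get("client ldap sasl wrapping", "sign").lower()
    if wrap == "plain":
        findings.append("client ldap sasl wrapping = plain: LDAP from winbind to "
                        "the DC is neither signed nor sealed; keep only as a "
                        "temporary workaround, then return to sign or seal")
    elif wrap not in ("sign", "seal"):
        findings.append(f"client ldap sasl wrapping: unknown value {wrap!r}")

    ranges = {}
    for dom, opts in idmap_config(conf).items():
        if "backend" not in opts:
            findings.append(f"idmap config {dom}: no backend")
        if "range" not in opts:
            findings.append(f"idmap config {dom}: no range")
            continue
        try:
            lo, hi = _parse_range(opts["range"])
        except ValueError:
            findings.append(f"idmap config {dom}: unparsable range {opts['range']!r}")
            continue
        if lo > hi:
            findings.append(f"idmap config {dom}: range low end {lo} above high end {hi}")
            continue
        ranges[dom] = (lo, hi)

    # The '*' entry is the default backend used for BUILTIN and any SID that
    # no explicit domain entry covers.
    if "*" not in ranges:
        findings.append("no default ('*') idmap range: BUILTIN and unconfigured "
                        "domains cannot be mapped")

    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges for {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_member_smbconf(SAMPLE_SMBCONF) or ["no findings"]:
        print("-", finding)
```

Run against a real file with `check_member_smbconf(open("/etc/samba/smb.conf").read())`. The parser is deliberately minimal: it does not resolve `include =` lines or `%`-macros, and it treats only whole-line `#`/`;` as comments, which is enough for the [global] parameters this thread is about.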