When Ubuntu 14.04 went from Samba 4.1.6 to 4.3.8 it killed my setup.
Before the change I was able to run wbinfo -u and get a list of users. Now
when I run wbinfo -u it returns nothing. I tried dis-joining and rejoining
the domain with no luck.

Here is my complete smb.conf

[global]
security = ads
realm = SUBDOMAIN.DOMAIN.TOP
workgroup = SUBDOMAIN
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config SUBDOMAIN:backend = ad
idmap config SUBDOMAIN:schema_mode = rfc2307
idmap config SUBDOMAIN:range = 8000-9999999
winbind nss info = rfc2307
winbind use default domain = yes

Here is my script to connect to the domain. I call it net_join.sh

echo Enter a Machine Name
read machine
echo $machine > /etc/hostname
hostname `cat /etc/hostname`
echo Enter a Domain Admin Account ex:Administrator
read admin
OSNAME="`lsb_release -a|grep "^Distributor ID:"|cut -d: -f2|awk '{print $1}'` joined `date "+%F"`"
OSVERSION="`lsb_release -a|grep "^Release:"|cut -d: -f2|awk '{print $1}'`"
net ads join -U $admin osName="${OSNAME}" osVersion="${OSVERSION}"

Here is my script to leave the domain. I call it net_leave.sh

read admin
net ads leave -U $admin

Here is my script to clear the winbind cache with a change from samba to
smb when Samba changed. I call it winbind_clear.sh

service winbind stop
service smbd stop
#service samba stop
net cache flush
rm -f /var/lib/samba/*.tdb
rm -f /var/lib/samba/group_mapping.ldb
sleep 1
#service samba start
service smbd start
service winbind start

Can anyone point me to why my setup has stopped working? Or maybe some
steps I can take to learn why it is failing. Do I need to add something for
debugging?
I also tried upgrading to the beta version of Ubuntu 16.04 to see if I
could get it working with it, no luck.

I was looking at https://www.samba.org/samba/latest_news.html#4.4.2

and added

server signing = mandatory
ntlm auth = no

to smb.conf but that seems to have made it worse. Before adding that I was
still able to do wbinfo -g and get a group listing.

Are there settings to set it back to the untrusted way before the security
updates that happened?
I'd like to set it up properly but I need to be able to get things working
for now.

On Wed, Apr 20, 2016 at 7:51 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> When Ubuntu 14.04 went from Samba 4.1.6 to 4.3.8 it killed my setup.
> Before the change I was able to run wbinfo -u and get a list of users. Now
> when I run wbinfo -u it returns nothing. I tried dis-joining and rejoining
> the domain with no luck.
>
> Here is my complete smb.conf
> [global]
> security = ads
> realm = SUBDOMAIN.DOMAIN.TOP
> workgroup = SUBDOMAIN
> idmap config * : backend = tdb
> idmap config * : range = 2000-7999
> idmap config SUBDOMAIN:backend = ad
> idmap config SUBDOMAIN:schema_mode = rfc2307
> idmap config SUBDOMAIN:range = 8000-9999999
> winbind nss info = rfc2307
> winbind use default domain = yes
>
> Here is my script to connect to the domain. I call it net_join.sh
>
> echo Enter a Machine Name
> read machine
> echo $machine > /etc/hostname
> hostname `cat /etc/hostname`
> echo Enter a Domain Admin Account ex:Administrator
> read admin
> OSNAME="`lsb_release -a|grep "^Distributor ID:"|cut -d: -f2|awk '{print $1}'` joined `date "+%F"`"
> OSVERSION="`lsb_release -a|grep "^Release:"|cut -d: -f2|awk '{print $1}'`"
> net ads join -U $admin osName="${OSNAME}" osVersion="${OSVERSION}"
>
> Here is my script to leave the domain. I call it net_leave.sh
>
> read admin
> net ads leave -U $admin
>
> Here is my script to clear the winbind cache with a change from samba to
> smb when Samba changed. I call it winbind_clear.sh
>
> service winbind stop
> service smbd stop
> #service samba stop
> net cache flush
> rm -f /var/lib/samba/*.tdb
> rm -f /var/lib/samba/group_mapping.ldb
> sleep 1
> #service samba start
> service smbd start
> service winbind start
>
> Can anyone point me to why my setup has stopped working? Or maybe some
> steps I can take to learn why it is failing. Do I need to add something for
> debugging?
> I also tried upgrading to the beta version of Ubuntu 16.04 to see if I
> could get it working with it, no luck.
>

I added

log level = 10
log file = /var/log/samba/%m.log

to my smb.conf

In the logs, when I run wbinfo -u I get

[2016/04/20 08:24:15.864222, 3, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [19441]: domain_info [SUBDOMAIN]
[2016/04/20 08:24:15.864238, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[19441:DOMAIN_INFO]: delivered response to client
[2016/04/20 08:24:15.864252, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 19441:LIST_USERS
[2016/04/20 08:24:15.864257, 3, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users SUBDOMAIN
[2016/04/20 08:24:15.864264, 1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    in: struct wbint_QueryUserList
[2016/04/20 08:24:15.864285, 1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    out: struct wbint_QueryUserList
      users : *
        users: struct wbint_userinfos
          num_userinfos : 0x00000000 (0)
          userinfos: ARRAY(0)
      result : NT_STATUS_IO_TIMEOUT
[2016/04/20 08:24:15.864306, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
  Domain SUBDOMAIN returned 0 users
[2016/04/20 08:24:15.864310, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain SUBDOMAIN failed
[2016/04/20 08:24:15.864315, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[19441:LIST_USERS]: NT_STATUS_OK
[2016/04/20 08:24:15.864324, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[19441:LIST_USERS]: delivered response to client
[2016/04/20 08:24:15.864390, 6, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 28, client exited

If I run wbinfo -g I get

[2016/04/20 08:28:15.575371, 3, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [19483]: domain_info [SUBDOMAIN]
[2016/04/20 08:28:15.575390, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[19483:DOMAIN_INFO]: delivered response to client
[2016/04/20 08:28:15.575432, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 19483:LIST_GROUPS
[2016/04/20 08:28:15.575440, 3, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups SUBDOMAIN
[2016/04/20 08:28:15.575448, 1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    in: struct wbint_QueryGroupList
[2016/04/20 08:28:15.575537, 1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    out: struct wbint_QueryGroupList
      groups : *
        groups: struct wbint_Principals
          num_principals : 213
          principals: ARRAY(213)
            principals: struct wbint_Principal
              sid : S-X-X-X-X-X-X-X
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Domain Users'
            principals: struct wbint_Principal
              sid : S-X-X-X-X-X-X-X
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Domain Guests'
            principals: struct wbint_Principal
              sid : S-X-X-X-X-X-X-X
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Cert Publishers'
            ...
      result : NT_STATUS_OK
[2016/04/20 08:28:15.579824, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:128(winbindd_list_groups_done)
  Domain SUBDOMAIN returned 213 groups
[2016/04/20 08:28:15.579923, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[19483:LIST_GROUPS]: NT_STATUS_OK
[2016/04/20 08:28:15.579942, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[19483:LIST_GROUPS]: delivered response to client
[2016/04/20 08:28:15.580234, 6, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 28, client exited

On Wed, Apr 20, 2016 at 8:05 AM, Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> I was looking at https://www.samba.org/samba/latest_news.html#4.4.2
>
> and added
>
> server signing = mandatory
> ntlm auth = no
>
> to smb.conf but that seems to have made it worse. Before adding that I was
> still able to do wbinfo -g and get a group listing.
>
> Are there settings to set it back to the untrusted way before the security
> updates that happened?
> I'd like to set it up properly but I need to be able to get things working
> for now.
>
>
> On Wed, Apr 20, 2016 at 7:51 AM, Jeff Sadowski <jeff.sadowski at gmail.com>
> wrote:
>
>> When Ubuntu 14.04 went from Samba 4.1.6 to 4.3.8 it killed my setup.
>> Before the change I was able to run wbinfo -u and get a list of users. Now
>> when I run wbinfo -u it returns nothing. I tried dis-joining and rejoining
>> the domain with no luck.
>>
>> Here is my complete smb.conf
>> [global]
>> security = ads
>> realm = SUBDOMAIN.DOMAIN.TOP
>> workgroup = SUBDOMAIN
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config SUBDOMAIN:backend = ad
>> idmap config SUBDOMAIN:schema_mode = rfc2307
>> idmap config SUBDOMAIN:range = 8000-9999999
>> winbind nss info = rfc2307
>> winbind use default domain = yes
>>
>> Here is my script to connect to the domain. I call it net_join.sh
>>
>> echo Enter a Machine Name
>> read machine
>> echo $machine > /etc/hostname
>> hostname `cat /etc/hostname`
>> echo Enter a Domain Admin Account ex:Administrator
>> read admin
>> OSNAME="`lsb_release -a|grep "^Distributor ID:"|cut -d: -f2|awk '{print $1}'` joined `date "+%F"`"
>> OSVERSION="`lsb_release -a|grep "^Release:"|cut -d: -f2|awk '{print $1}'`"
>> net ads join -U $admin osName="${OSNAME}" osVersion="${OSVERSION}"
>>
>> Here is my script to leave the domain. I call it net_leave.sh
>>
>> read admin
>> net ads leave -U $admin
>>
>> Here is my script to clear the winbind cache with a change from samba to
>> smb when Samba changed. I call it winbind_clear.sh
>>
>> service winbind stop
>> service smbd stop
>> #service samba stop
>> net cache flush
>> rm -f /var/lib/samba/*.tdb
>> rm -f /var/lib/samba/group_mapping.ldb
>> sleep 1
>> #service samba start
>> service smbd start
>> service winbind start
>>
>> Can anyone point me to why my setup has stopped working? Or maybe some
>> steps I can take to learn why it is failing. Do I need to add something for
>> debugging?
>> I also tried upgrading to the beta version of Ubuntu 16.04 to see if I
>> could get it working with it, no luck.
>>
>
>

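Added example, not part of the original thread: in the log excerpt above, the outer wb_request_done line for LIST_USERS reports NT_STATUS_OK while the wbint_QueryUserList reply itself carries NT_STATUS_IO_TIMEOUT, so the script below extracts the inner result of every wbint_* reply from a winbindd debug log and lists the ones that are not NT_STATUS_OK. The function names are hypothetical, and the sample log is constructed from the excerpt above with assumed indentation.

```shell
#!/bin/sh
# Constructed sample, modelled on the log level 10 excerpt in the thread.
sample_log() {
cat <<'EOF'
[2016/04/20 08:24:15.864285,  1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryUserList: struct wbint_QueryUserList
          out: struct wbint_QueryUserList
              users                    : *
                  users: struct wbint_userinfos
                      num_userinfos            : 0x00000000 (0)
                      userinfos: ARRAY(0)
              result                   : NT_STATUS_IO_TIMEOUT
[2016/04/20 08:24:15.864315, 10, pid=19397, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[19441:LIST_USERS]: NT_STATUS_OK
[2016/04/20 08:28:15.575537,  1, pid=19397, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_QueryGroupList: struct wbint_QueryGroupList
          out: struct wbint_QueryGroupList
              result                   : NT_STATUS_OK
EOF
}

# Print "date time call status" for each wbint_* reply ("out:" struct dump).
# Reads the files given as arguments, or stdin when there are none.
wbint_results() {
    awk '
        # A new log header starts a new entry: remember its timestamp.
        /^\[/ { ts = substr($1, 2) " " $2; sub(/,$/, "", ts); call = ""; out = 0; next }
        # First line of an NDR dump names the internal winbind call.
        $1 ~ /^wbint_.*:$/ && $2 == "struct" { call = $1; sub(/:$/, "", call); next }
        # Only replies ("out:") carry a result; requests ("in:") do not.
        $1 == "out:" { out = 1; next }
        out && call != "" && $1 == "result" && $2 == ":" { print ts, call, $3; call = "" }
    ' "$@"
}

# Keep only the replies whose status is not NT_STATUS_OK.
wbint_failures() {
    wbint_results "$@" | awk '$4 != "NT_STATUS_OK"'
}

sample_log | wbint_failures
```

On a real system the same functions can be pointed at the per-client files written by the `log file = /var/log/samba/%m.log` setting shown in the message.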
Jeff Sadowski wrote:
> When Ubuntu 14.04 went from Samba 4.1.6 to 4.3.8 it killed my setup.

I face the same sort of issue with Ubuntu 12.04.

The Ubuntu security updates this week have killed the ability to log on to the Samba NT4 style domain from back level Windows clients.

Our configuration does not have any LDAP, we run with the smbpasswd passdb backend. Just very simple. Anyway, here is our smb.conf... please suggest what we must change in order to restore logins.

[global]
workgroup = LDS-SMB
netbios name = LDSLNX01
server string = %h server
log file = /var/log/samba/log.%m
log level = 1
max log size = 1000
; syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
; obey pam restrictions = yes
; guest account = nobody
; invalid users = root
; unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
; pam password change = no

########## NT Domain Related ##########
; admin users = @domadmin
security = user
encrypt passwords = true
passdb backend = smbpasswd
domain logons = true
time server = true
enable privileges = true
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false %u
logon script = LOGON.BAT
logon drive = I:
logon path

########## NT Domain Related - Master Browser ##########
browse list = true
domain master = true
local master = true
os level = 33
preferred master = true
wins support = yes
name resolve order = wins host bcast

########## Printing ##########
load printers = yes
printcap name = CUPS
printcap cache time = 180
printing = CUPS
use client driver = no
; printer admin = @domadmin
; show add printer wizard = No

######## File Sharing ########
oplocks = no
level2 oplocks = no
socket options = TCP_NODELAY
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash

;New things global to all shares for ACL support...
map hidden = no
map system = no
map archive = no
store dos attributes = yes

# Added as a test to get correct perms on the Samba server
unix extensions = no

# Added to test connecting Win98 clients to Samba on Ubuntu 9.04
lanman auth = true

######## File Shares ########
; <snip here... do not think the trouble is related to how we set up the many shares>

I am thankful,

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/

Michael Lueck wrote:
> I face the same sort of issue with Ubuntu 12.04.
>
> The Ubuntu security updates this week have killed the ability to log on to the Samba NT4 style domain from back level Windows clients.
>
> Our configuration does not have any LDAP, we run with the smbpasswd passdb backend. Just very simple. Anyway, here is our smb.conf... please suggest what we must change in order to restore logins.

I spotted an issue in the log of the new Samba build, so opened a defect report:

"Changes to Samba packages for April 12 prevent legacy Windows clients from logging in to NT4 style domain"
https://bugs.launchpad.net/bugs/1574228

I am thankful,

--
Michael Lueck
Lueck Data Systems
http://www.lueckdatasystems.com/