Having problems with rfc2307 user ids. This was working briefly and now it’s not.

samba and winbind v 2.4.2.10+dfs

wbinfo -u lists all the domain users
wbinfo -g lists all the domain groups

getent group lists all the local groups and the AD domain groups that have a UNIX gid set
getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.

The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.

This is from smb.conf on the domain server:

[global]

netbios name = TERRA
workgroup = DOMAIN
security = ADS
realm = OFFICE.DOMAIN.COM
encrypt passwords = yes

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config DOMAIN:default = yes
idmap config *:backend = tdb
idmap config *:range = 60001-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

What have I done wrong?

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions
On 25/07/16 16:02, Kevin Davidson wrote:
> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>
> samba and winbind v 2.4.2.10+dfs
>
> […]
>
> What have I done wrong?
>

You haven't done anything wrong.

The version you are using was released after the badlock patches were released; your version includes a regression patch and should really be 4.2.11. There have been a few releases since then; these include patches for regressions caused by the badlock patches, so is there any way you can upgrade Samba?

Rowland
> On 25 Jul 2016, at 16:39, Rowland penny <rpenny at samba.org> wrote:
>
> On 25/07/16 16:02, Kevin Davidson wrote:
>> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>>
>> samba and winbind v 2.4.2.10+dfs
>>
>> […]
>> What have I done wrong?
>>
>
> You haven't done anything wrong.
>
> The version you are using was released after the badlock patches were released; your version includes a regression patch and should really be 4.2.11. There have been a few releases since then; these include patches for regressions caused by the badlock patches, so is there any way you can upgrade Samba?
>

It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates.

What would you consider best practice?

Kevin Davidson
On 25/07/2016 18:02, Kevin Davidson wrote:
> Having problems with rfc2307 user ids. This was working briefly and now it’s not.
>
> samba and winbind v 2.4.2.10+dfs
>
> […]
>
> What have I done wrong?
>

I'm facing the same problem, except that wbinfo -u never returned users (wbinfo -g works).
wbinfo -i user returned the correct value for some days, and then stopped working.

Same packages from jessie, but I have also tested the sernet packages for 4.2.14 without any more success.

I also have some errors showing up with a high level of debug for winbind:

[2016/07/25 23:15:24.221239, 5] ../auth/gensec/gensec_start.c:672(gensec_start_mech)
  Starting GENSEC submechanism gse_krb5
[2016/07/25 23:15:24.263941, 5] ../source3/librpc/crypto/gse.c:265(gse_init_client)
  gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were supplied, or the credentials were unavailable or inaccessible.: unknown mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a kinit.
[2016/07/25 23:15:24.264068, 4] ../auth/gensec/gensec_start.c:679(gensec_start_mech)
  Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR

My config file:

[global]
workgroup = AD
realm=AD.UNISTRA.FR
log file = /var/log/samba/log.%m
max log size = 100000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
map to guest = bad user

kerberos method = secrets and keytab
idmap config * : backend = tdb2
idmap config * : range = 3000-4000
idmap config AD : backend = ad
idmap config AD : default = yes
idmap config AD : range = 10000-1000000
idmap config AD : schema_mode = rfc2307
idmap config PSI : schema_mode = rfc2307
idmap config PSI : range = 5000-9998

winbind nss info = rfc2307
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
I need to correct myself, I had a typo: with the sernet packages, winbind works, and faster. It still doesn't get wbinfo -u to return users, but I think wbinfo times out before getting all 140k users; the WB logs still show it retrieving users.

Emmanuel

On Tuesday, July 26, 2016, Blindauer Emmanuel <e.blindauer at gmail.com> wrote:
> On 25/07/2016 18:02, Kevin Davidson wrote:
>
>> Having problems with rfc2307 user ids. This was working briefly and now
>> it’s not.
>>
>> […]
>>
>> What have I done wrong?
>>
>
> I'm facing the same problem, except that wbinfo -u never returned users
> (wbinfo -g works).
> wbinfo -i user returned the correct value for some days, and stopped
> working.
>
> […]
>
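As an added example for this thread (not code from any of the posters or from Samba itself), here is a small Python checker that reads the idmap config lines of an smb.conf and reports the configuration mistakes that most often give the "wbinfo works but getent passwd returns nothing for domain users" symptom: idmap ranges that overlap, a domain that has a range or schema_mode but no backend (so the '*' default backend handles it instead), and rfc2307 UIDs that lie outside the range winbind is allowed to map for that domain. The two configuration strings are copied from Kevin's and Emmanuel's posts; the third, with an overlapping range, is a constructed counterexample. The rule that per-domain settings are only honoured when that domain has its own backend line, and that ranges must not overlap, is taken from the smb.conf idmap documentation as the author of this example understands it.

```python
"""Static sanity checks for the 'idmap config' lines of an smb.conf.

Added example for the thread above; not Samba code. Run it against the
[global] section of a member server and it prints what a winbind operator
would want to know before chasing Kerberos or NSS problems.
"""
import re
from dataclasses import dataclass, field

# Matches 'idmap config DOMAIN:key = value' and 'idmap config * : key = value'.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>\w+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# Copied verbatim from Kevin's smb.conf in this thread.
KEVIN_CONF = """
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config DOMAIN:default = yes
idmap config *:backend = tdb
idmap config *:range = 60001-9999999
"""

# Copied verbatim from Emmanuel's smb.conf in this thread.
EMMANUEL_CONF = """
idmap config * : backend = tdb2
idmap config * : range = 3000-4000
idmap config AD : backend = ad
idmap config AD : default = yes
idmap config AD : range = 10000-1000000
idmap config AD : schema_mode = rfc2307
idmap config PSI : schema_mode = rfc2307
idmap config PSI : range = 5000-9998
"""

# Constructed counterexample (not from the thread): the domain range collides with '*'.
OVERLAP_CONF = """
idmap config EXAMPLE:backend = rid
idmap config EXAMPLE:range = 1000-5000
idmap config *:backend = tdb
idmap config *:range = 4000-9000
"""


@dataclass
class IdmapDomain:
    name: str
    settings: dict = field(default_factory=dict)

    @property
    def uid_range(self):
        """Return (low, high) parsed from the 'range' setting, or None if absent."""
        r = self.settings.get("range")
        if not r:
            return None
        lo, hi = (int(x) for x in re.split(r"\s*-\s*", r.strip(), maxsplit=1))
        return lo, hi


def parse_idmap(conf_text):
    """Return {DOMAIN: IdmapDomain} for every 'idmap config' line in conf_text."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m:
            continue
        dom = m.group("dom").upper()
        domains.setdefault(dom, IdmapDomain(dom)).settings[m.group("key").lower()] = m.group("val")
    return domains


def check_idmap(conf_text, expected_uids=None):
    """Return a list of findings (empty list means nothing suspicious).

    expected_uids: optional (domain, low, high) describing the UIDs actually
    stored in the AD rfc2307 attributes, so the check can confirm that they
    sit inside the range winbind is configured to map for that domain.
    """
    findings = []
    domains = parse_idmap(conf_text)

    if "*" not in domains:
        findings.append("no 'idmap config * : backend' default domain is configured")

    for name, d in domains.items():
        if "backend" not in d.settings:
            findings.append(f"{name}: has idmap settings but no backend; "
                            f"its range is not used and the '*' backend handles it")
        if d.uid_range is None:
            findings.append(f"{name}: no range configured")
        elif d.uid_range[0] > d.uid_range[1]:
            findings.append(f"{name}: range {d.uid_range[0]}-{d.uid_range[1]} is inverted")

    # Ranges of different domains must not overlap: compare every pair once.
    ranged = [(n, d.uid_range) for n, d in domains.items()
              if d.uid_range and d.uid_range[0] <= d.uid_range[1]]
    for i, (n1, (lo1, hi1)) in enumerate(ranged):
        for n2, (lo2, hi2) in ranged[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"{n1} ({lo1}-{hi1}) overlaps {n2} ({lo2}-{hi2})")

    if expected_uids:
        dom, elo, ehi = expected_uids
        d = domains.get(dom.upper())
        if d is None or d.uid_range is None:
            findings.append(f"{dom}: expected UIDs {elo}-{ehi} but no range is configured for it")
        elif elo < d.uid_range[0] or ehi > d.uid_range[1]:
            findings.append(f"{dom}: rfc2307 UIDs {elo}-{ehi} fall outside "
                            f"configured range {d.uid_range[0]}-{d.uid_range[1]}")
    return findings


if __name__ == "__main__":
    # Kevin states his domain UIDs are 1001-2000; Emmanuel gives no UID range.
    for label, conf, expected in (("Kevin", KEVIN_CONF, ("DOMAIN", 1001, 2000)),
                                  ("Emmanuel", EMMANUEL_CONF, None),
                                  ("constructed overlap", OVERLAP_CONF, None)):
        print(f"== {label} ==")
        for f in check_idmap(conf, expected) or ["no idmap findings"]:
            print("  ", f)
```

Against Kevin's config the checker is silent: the ad backend, the rfc2307 schema mode and a range that contains 1001-2000 are all in place, which agrees with Rowland's reply that the configuration is not the problem. Against Emmanuel's config it flags the PSI domain, which has a schema_mode and a range but no backend line, so those two settings are never applied. Neither check touches winbind, so it can be run on a copy of the file from any machine.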