On 2016-12-30 at 12:10, Rowland Penny via samba wrote:

> Was Samba running before the join ?

I can't tell that anymore as I did hundreds of things in between.

> Remove this line from your smb.conf:
>
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> It is not required as you are using the winbind 'rid' backend.

"rid" was just a try as "ad" didn't work and I had no more ideas ...
I'd maybe prefer "ad" ?

> Try stopping all Samba processes, then leave the domain and join again.
> Now start smbd, nmbd and winbind.

Did so.

leave and join: at first try, nice.

winbindd crashes immediately again.

> If this doesn't fix it, can you tell us what OS you are using, What is
> the AD DC and post your /etc/hosts, /etc/krb5.conf and /etc/resolv.conf

The DC "backup" is latest debian. Converted from NT4 today (you
remember the lengthy thread!) ...

The member server "main" is gentoo linux.

Both run samba-4.2.14.

We can access shares on "main" ! even without winbindd running ...

-

# MEMBER SERVER (-> file services)
# cat /etc/hosts

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost

10.0.0.221 main.secret.tld main
10.0.0.224 backup.secret.tld backup

# cat /etc/krb5.conf
[libdefaults]
default_realm = ARBEITSGRUPPE.SECRET.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = ARBEITSGRUPPE.SECRET.TLD
map to guest = Bad User
log file = /var/log/samba/%m.log
log level = 3
idmap config * : backend = tdb
idmap config * : range = 3000-7999
## idmap config for the ARBEITSGRUPPE domain
idmap config ARBEITSGRUPPE:backend = rid
idmap config ARBEITSGRUPPE:range = 10000-999999
username map = /etc/samba/user.map
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

-

and we had an issue joining a win7 client, I provide details on this
later ...

Thank you!

On Fri, 30 Dec 2016 12:37:33 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 12:10, Rowland Penny via samba wrote:
>
> > Was Samba running before the join ?
>
> I can't tell that anymore as I did hundreds of things in between.
>
> > Remove this line from your smb.conf:
> >
> > idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> >
> > It is not required as you are using the winbind 'rid' backend.
>
> "rid" was just a try as "ad" didn't work and I had no more ideas ...
> I'd maybe prefer "ad" ?
>
> > Try stopping all Samba processes, then leave the domain and join
> > again. Now start smbd, nmbd and winbind.
>
> Did so.
>
> leave and join: at first try, nice.
>
> winbindd crashes immediately again.
>
> > If this doesn't fix it, can you tell us what OS you are using, What
> > is the AD DC and post your /etc/hosts, /etc/krb5.conf
> > and /etc/resolv.conf
>
> The DC "backup" is latest debian. Converted from NT4 today (you
> remember the lengthy thread!) ...
>
> The member server "main" is gentoo linux.
>
> Both run samba-4.2.14.
>
> We can access shares on "main" ! even without winbindd running ...
>
> -
>
> # MEMBER SERVER (-> file services)
> # cat /etc/hosts
>
> # IPv4 and IPv6 localhost aliases
> 127.0.0.1 localhost
> ::1 localhost
>
> 10.0.0.221 main.secret.tld main
> 10.0.0.224 backup.secret.tld backup
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true

OK, if your domain member's short host is 'main', this makes its domain
name 'secret.tld', yet the realm is 'ARBEITSGRUPPE.SECRET.TLD'

ignoring case, 'secret.tld' != 'ARBEITSGRUPPE.SECRET.TLD' and it should.

Rowland
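
The comparison described in the message above, as an added example that is not part of the original thread: the DNS domain taken from the member's /etc/hosts entry is checked, ignoring case, against the realm in krb5.conf and smb.conf. The file contents are the ones posted in the thread (smb.conf trimmed to the relevant lines); the function names are made up for this sketch.

```python
# File contents copied from the thread (smb.conf trimmed to the relevant lines).
HOSTS = """127.0.0.1 localhost
::1 localhost
10.0.0.221 main.secret.tld main
10.0.0.224 backup.secret.tld backup
"""
KRB5 = """[libdefaults]
default_realm = ARBEITSGRUPPE.SECRET.TLD
dns_lookup_realm = false
dns_lookup_kdc = true
"""
SMB = """[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = ARBEITSGRUPPE.SECRET.TLD
"""

def dns_domain(hosts_text, short_name):
    """Return the DNS domain of short_name's FQDN in /etc/hosts, or None."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        for name in fields[1:]:                  # fields[0] is the IP address
            host, _, domain = name.lower().partition(".")
            if host == short_name.lower() and domain:
                return domain
    return None

def ini_value(text, section, key):
    """Read the first 'key = value' in [section] of krb5.conf or smb.conf."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif current == section and "=" in line:
            k, v = line.split("=", 1)
            if k.strip().lower() == key:
                return v.strip()
    return None

def realm_mismatches(hosts_text, krb5_text, smb_text, short_name):
    """List (source, realm, dns_domain) for each realm that differs from the domain."""
    domain = dns_domain(hosts_text, short_name)
    realms = {"krb5.conf default_realm": ini_value(krb5_text, "libdefaults", "default_realm"),
              "smb.conf realm": ini_value(smb_text, "global", "realm")}
    return [(src, realm, domain) for src, realm in realms.items()
            if realm is None or domain is None or realm.lower() != domain]

if __name__ == "__main__":
    for src, realm, domain in realm_mismatches(HOSTS, KRB5, SMB, "main"):
        print(f"{src}: realm {realm!r} != DNS domain {domain!r}")
```
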

On 2016-12-30 at 13:09, Rowland Penny via samba wrote:

> On Fri, 30 Dec 2016 12:37:33 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2016-12-30 at 12:10, Rowland Penny via samba wrote:
>>
>>> Was Samba running before the join ?
>>
>> I can't tell that anymore as I did hundreds of things in between.
>>
>>> Remove this line from your smb.conf:
>>>
>>> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>>>
>>> It is not required as you are using the winbind 'rid' backend.
>>
>> "rid" was just a try as "ad" didn't work and I had no more ideas ...
>> I'd maybe prefer "ad" ?
>>
>>> Try stopping all Samba processes, then leave the domain and join
>>> again. Now start smbd, nmbd and winbind.
>>
>> Did so.
>>
>> leave and join: at first try, nice.
>>
>> winbindd crashes immediately again.
>>
>>> If this doesn't fix it, can you tell us what OS you are using, What
>>> is the AD DC and post your /etc/hosts, /etc/krb5.conf
>>> and /etc/resolv.conf
>>
>> The DC "backup" is latest debian. Converted from NT4 today (you
>> remember the lengthy thread!) ...
>>
>> The member server "main" is gentoo linux.
>>
>> Both run samba-4.2.14.
>>
>> We can access shares on "main" ! even without winbindd running ...
>>
>> -
>>
>> # MEMBER SERVER (-> file services)
>> # cat /etc/hosts
>>
>> # IPv4 and IPv6 localhost aliases
>> 127.0.0.1 localhost
>> ::1 localhost
>>
>> 10.0.0.221 main.secret.tld main
>> 10.0.0.224 backup.secret.tld backup
>>
>> # cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = ARBEITSGRUPPE.SECRET.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>
>
> OK, if your domain member's short host is 'main', this makes its domain
> name 'secret.tld', yet the realm is 'ARBEITSGRUPPE.SECRET.TLD'
>
> ignoring case, 'secret.tld' != 'ARBEITSGRUPPE.SECRET.TLD' and it should.

I am confused what to change now!?