I am trying to set up winbind on an ADS domain member server.

The join works OK, but winbind simply fails to start.

See config and logs below, I am scratching my head.

Why does it "contact" a domain called "MAIN"? That is the hostname of that server, not the domain name!

Would be nice to get a quick reply, I am at the customer and this should work asap ....

Thanks!

->

[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = ARBEITSGRUPPE.MY.TLD
map to guest = Bad User
log file = /var/log/samba/%m.log
log level = 3

idmap config * : backend = tdb
idmap config * : range = 3000-7999

## idmap config for the ARBEITSGRUPPE domain
idmap config ARBEITSGRUPPE:backend = rid
idmap config ARBEITSGRUPPE:schema_mode = rfc2307
idmap config ARBEITSGRUPPE:range = 10000-999999

username map = /etc/samba/user.map

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

[2016/12/30 11:38:42.568179, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
  idmap config BUILTIN : range = not defined
[2016/12/30 11:38:42.568216, 2, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
  Added domain BUILTIN (null) S-1-5-32
[2016/12/30 11:38:42.568235, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4663(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain MAIN ((null)), SID S-1-5-21-2777655458-4002997014-749295002, flags = 0x0, attributes = 0x0, type = 0x0
[2016/12/30 11:38:42.568257, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4466(pack_tdc_domains)
  pack_tdc_domains: Packing 2 trusted domains
[2016/12/30 11:38:42.568270, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
  pack_tdc_domains: Packing domain BUILTIN (UNKNOWN)
[2016/12/30 11:38:42.568280, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
  pack_tdc_domains: Packing domain MAIN (UNKNOWN)
[2016/12/30 11:38:42.568307, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
  idmap config MAIN : range = not defined
[2016/12/30 11:38:42.568323, 2, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
  Added domain MAIN (null) S-1-5-21-2777655458-4002997014-749295002
[2016/12/30 11:38:42.568347, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:565(set_domain_online_request)
  set_domain_online_request: called for domain MAIN
[2016/12/30 11:38:42.568358, 10, pid=6560, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:575(set_domain_online_request)
  set_domain_online_request: Internal domains are always online
[2016/12/30 11:38:42.568577, 0, pid=6560, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2016/12/30 11:38:42.568602, 0, pid=6560, effective(0, 0), real(0, 0)] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 6560): Could not find our domain
[2016/12/30 11:38:42.568879, 0, pid=6560, effective(0, 0), real(0, 0)] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 12 stack frames:
   #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fe0214f080a]
   #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fe0214f08f0]
   #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7fe0241990df]
   #3 winbindd(+0x36623) [0x555747980623]
   #4 winbindd(rescan_trusted_domains+0x1d) [0x55574798064d]
   #5 /usr/lib64/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7fe01e6afb0d]
   #6 /usr/lib64/libtevent.so.0(+0x9b0a) [0x7fe01e6b0b0a]
   #7 /usr/lib64/libtevent.so.0(+0x8227) [0x7fe01e6af227]
   #8 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7fe01e6ab46d]
   #9 winbindd(main+0xb7c) [0x55574796f4cc]
   #10 /lib64/libc.so.6(__libc_start_main+0xf0) [0x7fe01e0e1620]
   #11 winbindd(_start+0x29) [0x55574796fb59]
[2016/12/30 11:38:42.568933, 0, pid=6560, effective(0, 0), real(0, 0)] ../source3/lib/dumpcore.c:318(dump_core)
  dumping core in /var/log/samba/cores/winbindd

On Fri, 30 Dec 2016 11:42:00 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

>
> I am trying to set up winbind on an ADS domain member server.
>
> The join works OK, but winbind simply fails to start.
>
> See config and logs below, I am scratching my head.
>
> Why does it "contact" a domain called "MAIN"? That is the hostname
> of that server, not the domain name!
>
> Would be nice to get a quick reply, I am at the customer and this
> should work asap ....
>
>
> Thanks!
>
> ->
>
>
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = ARBEITSGRUPPE.MY.TLD
> map to guest = Bad User
> log file = /var/log/samba/%m.log
> log level = 3
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> ## idmap config for the ARBEITSGRUPPE domain
> idmap config ARBEITSGRUPPE:backend = rid
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> idmap config ARBEITSGRUPPE:range = 10000-999999
>
> username map = /etc/samba/user.map
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
>
>

Was Samba running before the join ?

Remove this line from your smb.conf:

idmap config ARBEITSGRUPPE:schema_mode = rfc2307

It is not required as you are using the winbind 'rid' backend.

Try stopping all Samba processes, then leave the domain and join again.
Now start smbd, nmbd and winbind.

If this doesn't fix it, can you tell us what OS you are using, What is
the AD DC and post your /etc/hosts, /etc/krb5.conf and /etc/resolv.conf

Rowland

On 2016-12-30 at 12:10, Rowland Penny via samba wrote:

> Was Samba running before the join ?

I can't tell that anymore as I did hundreds of things in between.

> Remove this line from your smb.conf:
>
> idmap config ARBEITSGRUPPE:schema_mode = rfc2307
>
> It is not required as you are using the winbind 'rid' backend.

"rid" was just a try as "ad" didn't work and I had no more ideas ...
I'd maybe prefer "ad" ?

> Try stopping all Samba processes, then leave the domain and join again.
> Now start smbd, nmbd and winbind.

Did so.

leave and join: at first try, nice.

winbindd crashes immediately again.

> If this doesn't fix it, can you tell us what OS you are using, What is
> the AD DC and post your /etc/hosts, /etc/krb5.conf and /etc/resolv.conf

The DC "backup" is latest debian. Converted from NT4 today (you remember
the lengthy thread!) ...

The member server "main" is gentoo linux.

Both run samba-4.2.14.

We can access shares on "main" ! even without winbindd running ...

-

# MEMBER SERVER (-> file services)
# cat /etc/hosts

# IPv4 and IPv6 localhost aliases
127.0.0.1 localhost
::1 localhost

10.0.0.221 main.secret.tld main
10.0.0.224 backup.secret.tld backup

# cat /etc/krb5.conf
[libdefaults]
default_realm = ARBEITSGRUPPE.SECRET.TLD
dns_lookup_realm = false
dns_lookup_kdc = true

# cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = ARBEITSGRUPPE
realm = ARBEITSGRUPPE.SECRET.TLD
map to guest = Bad User
log file = /var/log/samba/%m.log
log level = 3

idmap config * : backend = tdb
idmap config * : range = 3000-7999

## idmap config for the ARBEITSGRUPPE domain
idmap config ARBEITSGRUPPE:backend = rid
idmap config ARBEITSGRUPPE:range = 10000-999999

username map = /etc/samba/user.map

winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind refresh tickets = Yes

- and we had an issue joining a win7 client, I provide details on this
later ...

Thank you!

And in addition to Rowland's comments..

Correct your hosts file to

/etc/hosts
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# This server name and ip.
10.0.0.221 main.arbeitsgruppe.secret.tld main
10.0.0.224 backup.arbeitsgruppe.secret.tld backup

Second. Post your resolv.conf that was asked already.
That should contain something like:
search arbeitsgruppe.secret.tld
Server IP_of_DC

Remove map to guest = Bad User from your smb.conf the default is ok.

Try that and see what happens.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G.
> Weichinger via samba
> Sent: Friday 30 December 2016 12:38
> To: samba at lists.samba.org
> Subject: Re: [Samba] ADS domain member: winbind fails
>
> On 2016-12-30 at 12:10, Rowland Penny via samba wrote:
>
> > Was Samba running before the join ?
>
> I can't tell that anymore as I did hundreds of things in between.
>
> > Remove this line from your smb.conf:
> >
> > idmap config ARBEITSGRUPPE:schema_mode = rfc2307
> >
> > It is not required as you are using the winbind 'rid' backend.
>
> "rid" was just a try as "ad" didn't work and I had no more ideas ...
> I'd maybe prefer "ad" ?
>
> > Try stopping all Samba processes, then leave the domain and join again.
> > Now start smbd, nmbd and winbind.
>
> Did so.
>
> leave and join: at first try, nice.
>
> winbindd crashes immediately again.
>
> > If this doesn't fix it, can you tell us what OS you are using, What is
> > the AD DC and post your /etc/hosts, /etc/krb5.conf and /etc/resolv.conf
>
> The DC "backup" is latest debian. Converted from NT4 today (you remember
> the lengthy thread!) ...
>
> The member server "main" is gentoo linux.
>
> Both run samba-4.2.14.
>
> We can access shares on "main" ! even without winbindd running ...
>
> -
>
> # MEMBER SERVER (-> file services)
> # cat /etc/hosts
>
> # IPv4 and IPv6 localhost aliases
> 127.0.0.1 localhost
> ::1 localhost
>
> 10.0.0.221 main.secret.tld main
> 10.0.0.224 backup.secret.tld backup
>
> # cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> # cat /etc/samba/smb.conf
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = ARBEITSGRUPPE.SECRET.TLD
> map to guest = Bad User
> log file = /var/log/samba/%m.log
> log level = 3
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> ## idmap config for the ARBEITSGRUPPE domain
> idmap config ARBEITSGRUPPE:backend = rid
> idmap config ARBEITSGRUPPE:range = 10000-999999
>
> username map = /etc/samba/user.map
>
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
> - and we had an issue joining a win7 client, I provide details on this
> later ...
>
> Thank you!
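
An added example, not part of the thread and not Samba project code: a small offline lint that applies the checks suggested in the two replies (no schema_mode with the 'rid' backend, host FQDN and resolv.conf search domain inside the AD DNS domain) plus a realm comparison against krb5.conf. The function names and the resolv.conf sample are assumptions, since no resolv.conf was posted; the smb.conf sample is trimmed from the posted versions.

```python
import re

# Constructed inputs: smb.conf and /etc/hosts lines are taken (trimmed) from the
# files posted in the thread; RESOLV is invented, no resolv.conf was posted.
SMB_CONF = """[global]
realm = ARBEITSGRUPPE.SECRET.TLD
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ARBEITSGRUPPE:backend = rid
idmap config ARBEITSGRUPPE:schema_mode = rfc2307
idmap config ARBEITSGRUPPE:range = 10000-999999
"""
HOSTS = "127.0.0.1 localhost\n10.0.0.221 main.secret.tld main\n"
KRB5_REALM = "ARBEITSGRUPPE.SECRET.TLD"  # default_realm from the posted krb5.conf
RESOLV = "search secret.tld\nnameserver 10.0.0.224\n"

def parse_smb(text):
    """Return ({parameter: value}, {idmap domain: {option: value}}); sections are ignored."""
    params, idmap = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"idmap config\s+(\S+?)\s*:\s*(\S+)$", key, re.I)
        if m:
            idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
        else:
            params[" ".join(key.lower().split())] = value
    return params, idmap

def lint(smb_text, hosts_text, krb5_realm, resolv_text, hostname):
    params, idmap = parse_smb(smb_text)
    dns_domain = params.get("realm", "").lower()
    findings = []
    if dns_domain != krb5_realm.lower():
        findings.append("krb5: default_realm differs from smb.conf realm")
    for dom, opts in idmap.items():  # Rowland: schema_mode not required with 'rid'
        if opts.get("backend", "").lower() == "rid" and "schema_mode" in opts:
            findings.append(f"idmap {dom}: schema_mode set with rid backend")
    for line in hosts_text.splitlines():  # Louis: FQDN should be host.<AD DNS domain>
        fields = line.split("#")[0].split()
        if hostname in fields[1:] and not fields[1].lower().endswith("." + dns_domain):
            findings.append(f"hosts: {fields[1]} is not in {dns_domain}")
    search = [w.lower() for l in resolv_text.splitlines()
              if l.startswith("search") for w in l.split()[1:]]
    if dns_domain not in search:  # Louis: search <AD DNS domain>
        findings.append(f"resolv.conf: search list lacks {dns_domain}")
    return findings
```

Calling `lint(SMB_CONF, HOSTS, KRB5_REALM, RESOLV, "main")` returns one finding per suggestion from the replies; an empty list means the files agree with those suggestions, not that winbindd will start.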