On Fri, 30 Dec 2016 14:26:01 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> > Is this the smb.conf you got when you ran the classicupgrade ?
> > I don't think it is, can I suggest you remove any and all lines you
> > have added and restart samba
>
> that was the output of testparm

Ah, can I introduce you to 'samba-tool testparm'

>
> smb.conf on DC:
>
>
> [global]
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.secret.tld
> netbios name = BACKUP
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 10.0.0.254
>
> [netlogon]
> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> --
>
> root@backup:/etc/samba# cat /etc/resolv.conf
> search arbeitsgruppe.secret.tld
> nameserver 10.0.0.224
>
> root@backup:/etc/samba# cat /etc/krb5.conf
> [libdefaults]
> default_realm = ARBEITSGRUPPE.SECRET.TLD
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> --
>
> editing the resolv.conf(s) helped in stabilizing RSAT editing
>
> winbindd on member still fails, I left and rejoined ...
>
> --
>
> although I see users and GPOs on the member, etc (via net ads)
>
> # net ads info
> LDAP server: 10.0.0.224
> LDAP server name: backup.arbeitsgruppe.secret.tld
> Realm: ARBEITSGRUPPE.SECRET.TLD
> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> LDAP port: 389
> Server time: Fr, 30 Dez 2016 14:24:25 CET
> KDC server: 10.0.0.224
> Server time offset: 0
>
>

What this shows is that your dns domain is 'arbeitsgruppe.secret.tld'
and your domain member should also be using this dns domain. Your
earlier posts seem to suggest you are using 'secret.tld' on the domain
member, this must be changed.

Rowland

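The advice in the message above (the domain member must use the AD DNS domain 'arbeitsgruppe.secret.tld', not 'secret.tld') can be checked mechanically. The shell script below is an added example, not part of the thread or of Samba: it compares the realm in smb.conf with default_realm in krb5.conf, the resolv.conf search list and the host's DNS domain. The function names and the host name "member1" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so it can be run on
# copies; on a live member pass /etc/samba/smb.conf, /etc/krb5.conf,
# /etc/resolv.conf and "$(hostname -f)".

lower() { tr '[:upper:]' '[:lower:]'; }

# First value of "key = value" in an smb.conf/krb5.conf style file, lowercased.
conf_value() {  # $1=file $2=key
    awk -F= -v key="$2" '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        tolower(k) == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1" | lower
}

# Search domains from resolv.conf, one per line, lowercased.
resolv_search() { awk '$1 == "search" { for (i = 2; i <= NF; i++) print $i }' "$1" | lower; }

# DNS domain part of an FQDN (what `hostname -d` reports); empty for a short name.
fqdn_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" | lower ;;
        *)   printf '\n' ;;
    esac
}

# Prints one line per mismatch; returns 0 only when everything agrees.
check_member() {  # $1=smb.conf $2=krb5.conf $3=resolv.conf $4=FQDN
    realm=$(conf_value "$1" realm); rc=0
    [ -n "$realm" ] || { echo "smb.conf: no realm set"; return 1; }
    krb=$(conf_value "$2" default_realm)
    [ "$krb" = "$realm" ] || { echo "krb5.conf: default_realm '$krb' != realm '$realm'"; rc=1; }
    resolv_search "$3" | grep -qxF "$realm" || { echo "resolv.conf: search list lacks '$realm'"; rc=1; }
    dom=$(fqdn_domain "$4")
    [ "$dom" = "$realm" ] || { echo "hostname: DNS domain '$dom' != realm '$realm'"; rc=1; }
    return $rc
}

# Constructed demo: values as quoted in the thread; "member1" is a made-up host.
demo() {  # $1=FQDN to test
    d=$(mktemp -d) || return 1
    printf '[global]\nworkgroup = ARBEITSGRUPPE\nrealm = arbeitsgruppe.secret.tld\n' > "$d/smb.conf"
    printf '[libdefaults]\ndefault_realm = ARBEITSGRUPPE.SECRET.TLD\n' > "$d/krb5.conf"
    printf 'search arbeitsgruppe.secret.tld\nnameserver 10.0.0.224\n' > "$d/resolv.conf"
    check_member "$d/smb.conf" "$d/krb5.conf" "$d/resolv.conf" "$1" && st=0 || st=$?
    rm -rf "$d"; return $st
}
demo member1.arbeitsgruppe.secret.tld && echo "member1.arbeitsgruppe.secret.tld: consistent"
demo member1.secret.tld || echo "member1.secret.tld: member DNS domain must be changed"
```
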
We will try after the pizza!

On 30 December 2016 14:44:38 CET, Rowland Penny via samba <samba at lists.samba.org> wrote:
>On Fri, 30 Dec 2016 14:26:01 +0100
>"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
>> > Is this the smb.conf you got when you ran the classicupgrade ?
>> > I don't think it is, can I suggest you remove any and all lines you
>> > have added and restart samba
>>
>> that was the output of testparm
>
>Ah, can I introduce you to 'samba-tool testparm'
>
>>
>> smb.conf on DC:
>>
>>
>> [global]
>> workgroup = ARBEITSGRUPPE
>> realm = arbeitsgruppe.secret.tld
>> netbios name = BACKUP
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 10.0.0.254
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> --
>>
>> root@backup:/etc/samba# cat /etc/resolv.conf
>> search arbeitsgruppe.secret.tld
>> nameserver 10.0.0.224
>>
>> root@backup:/etc/samba# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = ARBEITSGRUPPE.SECRET.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> --
>>
>> editing the resolv.conf(s) helped in stabilizing RSAT editing
>>
>> winbindd on member still fails, I left and rejoined ...
>>
>> --
>>
>> although I see users and GPOs on the member, etc (via net ads)
>>
>> # net ads info
>> LDAP server: 10.0.0.224
>> LDAP server name: backup.arbeitsgruppe.secret.tld
>> Realm: ARBEITSGRUPPE.SECRET.TLD
>> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
>> LDAP port: 389
>> Server time: Fr, 30 Dez 2016 14:24:25 CET
>> KDC server: 10.0.0.224
>> Server time offset: 0
>>
>>
>>
>
>What this shows is that your dns domain is 'arbeitsgruppe.secret.tld'
>and your domain member should also be using this dns domain. Your
>earlier posts seem to suggest you are using 'secret.tld' on the domain
>member, this must be changed.
>
>Rowland
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba

--
This message was sent from my Android mobile phone with K-9 Mail.

On 2016-12-30 at 14:44, Rowland Penny via samba wrote:
> On Fri, 30 Dec 2016 14:26:01 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>
>> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
>>> Is this the smb.conf you got when you ran the classicupgrade ?
>>> I don't think it is, can I suggest you remove any and all lines you
>>> have added and restart samba
>>
>> that was the output of testparm
>
> Ah, can I introduce you to 'samba-tool testparm'
>
>>
>> smb.conf on DC:
>>
>>
>> [global]
>> workgroup = ARBEITSGRUPPE
>> realm = arbeitsgruppe.secret.tld
>> netbios name = BACKUP
>> server role = active directory domain controller
>> idmap_ldb:use rfc2307 = yes
>> dns forwarder = 10.0.0.254
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> --
>>
>> root@backup:/etc/samba# cat /etc/resolv.conf
>> search arbeitsgruppe.secret.tld
>> nameserver 10.0.0.224
>>
>> root@backup:/etc/samba# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = ARBEITSGRUPPE.SECRET.TLD
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> --
>>
>> editing the resolv.conf(s) helped in stabilizing RSAT editing
>>
>> winbindd on member still fails, I left and rejoined ...
>>
>> --
>>
>> although I see users and GPOs on the member, etc (via net ads)
>>
>> # net ads info
>> LDAP server: 10.0.0.224
>> LDAP server name: backup.arbeitsgruppe.secret.tld
>> Realm: ARBEITSGRUPPE.SECRET.TLD
>> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
>> LDAP port: 389
>> Server time: Fr, 30 Dez 2016 14:24:25 CET
>> KDC server: 10.0.0.224
>> Server time offset: 0
>>
>>
>>
>
> What this shows is that your dns domain is 'arbeitsgruppe.secret.tld'
> and your domain member should also be using this dns domain. Your
> earlier posts seem to suggest you are using 'secret.tld' on the domain
> member, this must be changed.

so you suggest to edit the hostname (did so via hostnamectl
set-hostname) ?

did that, left domain and rejoined (on member server, sure), winbindd
fails again

[2016/12/30 15:44:55.762270, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
  idmap config BUILTIN : range = not defined
[2016/12/30 15:44:55.762307, 2, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
  Added domain BUILTIN (null) S-1-5-32
[2016/12/30 15:44:55.762326, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4663(wcache_tdc_add_domain)
  wcache_tdc_add_domain: Adding domain MAIN ((null)), SID S-1-5-21-2777655458-4002997014-749295002, flags = 0x0, attributes = 0x0, type = 0x0
[2016/12/30 15:44:55.762348, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4466(pack_tdc_domains)
  pack_tdc_domains: Packing 2 trusted domains
[2016/12/30 15:44:55.762360, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
  pack_tdc_domains: Packing domain BUILTIN (UNKNOWN)
[2016/12/30 15:44:55.762370, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cache.c:4485(pack_tdc_domains)
  pack_tdc_domains: Packing domain MAIN (UNKNOWN)
[2016/12/30 15:44:55.762391, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:232(add_trusted_domain)
  idmap config MAIN : range = not defined
[2016/12/30 15:44:55.762406, 2, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_util.c:257(add_trusted_domain)
  Added domain MAIN (null) S-1-5-21-2777655458-4002997014-749295002
[2016/12/30 15:44:55.762426, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:565(set_domain_online_request)
  set_domain_online_request: called for domain MAIN
[2016/12/30 15:44:55.762436, 10, pid=9066, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:575(set_domain_online_request)
  set_domain_online_request: Internal domains are always online
[2016/12/30 15:44:55.762649, 0, pid=9066, effective(0, 0), real(0, 0)] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'winbindd' finished starting up and ready to serve connections
[2016/12/30 15:44:55.762671, 0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 9066): Could not find our domain
[2016/12/30 15:44:55.762942, 0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 12 stack frames:
   #0 /usr/lib64/libsmbconf.so.0(log_stack_trace+0x1a) [0x7f907b4247aa]
   #1 /usr/lib64/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f907b424890]
   #2 /usr/lib64/libsamba-util.so.0(smb_panic+0x2f) [0x7f907e0ce0df]
   #3 winbindd(+0x36623) [0x564b39618623]
   #4 winbindd(rescan_trusted_domains+0x1d) [0x564b3961864d]
   #5 /usr/lib64/libtevent.so.0(tevent_common_loop_timer_delay+0xcd) [0x7f90785e2b0d]
   #6 /usr/lib64/libtevent.so.0(+0x9b0a) [0x7f90785e3b0a]
   #7 /usr/lib64/libtevent.so.0(+0x8227) [0x7f90785e2227]
   #8 /usr/lib64/libtevent.so.0(_tevent_loop_once+0x8d) [0x7f90785de46d]
   #9 winbindd(main+0xb7c) [0x564b396074cc]
   #10 /lib64/libc.so.6(__libc_start_main+0xf0) [0x7f9078014620]
   #11 winbindd(_start+0x29) [0x564b39607b59]
[2016/12/30 15:44:55.762995, 0, pid=9066, effective(0, 0), real(0, 0)] ../source3/lib/dumpcore.c:318(dump_core)
  dumping core in /var/log/samba/cores/winbindd

- interestingly old users work: my understanding is that as the
upcoming *member* server is the old NT4-PDC -> it has the old domain
users in /etc/passwd and so logins work without winbind, correct?

- as I see in the logs above, winbind contacts *other* domains, and not
"ARBEITSGRUPPE" ... why that?

pls note that my "idmap *" lines for the member server are just cut and
paste mainly, maybe the ranges are bogus or something else.

I will now reply to Louis and provide configs.

On Fri, 30 Dec 2016 15:52:33 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-30 at 14:44, Rowland Penny via samba wrote:
> > On Fri, 30 Dec 2016 14:26:01 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> On 2016-12-30 at 14:07, Rowland Penny via samba wrote:
> >>> Is this the smb.conf you got when you ran the classicupgrade ?
> >>> I don't think it is, can I suggest you remove any and all lines
> >>> you have added and restart samba
> >>
> >> that was the output of testparm
> >
> > Ah, can I introduce you to 'samba-tool testparm'
> >
> >>
> >> smb.conf on DC:
> >>
> >>
> >> [global]
> >> workgroup = ARBEITSGRUPPE
> >> realm = arbeitsgruppe.secret.tld
> >> netbios name = BACKUP
> >> server role = active directory domain controller
> >> idmap_ldb:use rfc2307 = yes
> >> dns forwarder = 10.0.0.254
> >>
> >> [netlogon]
> >> path
> >> = /var/lib/samba/sysvol/arbeitsgruppe.secret.tld/scripts read only
> >> = No
> >>
> >> [sysvol]
> >> path = /var/lib/samba/sysvol
> >> read only = No
> >>
> >> --
> >>
> >> root@backup:/etc/samba# cat /etc/resolv.conf
> >> search arbeitsgruppe.secret.tld
> >> nameserver 10.0.0.224
> >>
> >> root@backup:/etc/samba# cat /etc/krb5.conf
> >> [libdefaults]
> >> default_realm = ARBEITSGRUPPE.SECRET.TLD
> >> dns_lookup_realm = false
> >> dns_lookup_kdc = true
> >>
> >> --
> >>
> >> editing the resolv.conf(s) helped in stabilizing RSAT editing
> >>
> >> winbindd on member still fails, I left and rejoined ...
> >>
> >> --
> >>
> >> although I see users and GPOs on the member, etc (via net ads)
> >>
> >> # net ads info
> >> LDAP server: 10.0.0.224
> >> LDAP server name: backup.arbeitsgruppe.secret.tld
> >> Realm: ARBEITSGRUPPE.SECRET.TLD
> >> Bind Path: dc=ARBEITSGRUPPE,dc=SECRET,dc=TLD
> >> LDAP port: 389
> >> Server time: Fr, 30 Dez 2016 14:24:25 CET
> >> KDC server: 10.0.0.224
> >> Server time offset: 0
> >>
> >>
> >>
> >
> > What this shows is that your dns domain is
> > 'arbeitsgruppe.secret.tld' and your domain member should also be
> > using this dns domain. Your earlier posts seem to suggest you are
> > using 'secret.tld' on the domain member, this must be changed.
>
> so you suggest to edit the hostname (did so via hostnamectl
> set-hostname) ?
>
> did that, left domain and rejoined (on member server, sure), winbindd
> fails again

No, not the hostname, the domain name, what does 'hostname -s',
'hostname -d' and 'hostname -f' show ?

Rowland