On Sat, 31 Dec 2016 12:28:02 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-31 at 12:08, Rowland Penny via samba wrote:
>
> > Samba should recreate the files required, what is the exact command
> > you are running to join the domain ?
> >
> > Who owns /var/lib/samba and what are the permissions set to ?
>
> SOLVED -> what a journey ;-)
>
> rebuilt several packages on the member server today, perl, mit-krb5,
> samba etc
>
> But what made the change was the clearing of /var/lib/samba, that
> seems to have been the issue since the beginning.
>
> I stopped smbd nmbd winbindd
>
> # net ads leave -U Administrator
>
> after successful leave I rm-ed /var/lib/samba (I only left the subdir
> private there) then rejoined the ADS domain.
>
> Now winbindd -i -d10 looks very different ;-)
>
> "wbinfo -u" brings users now.

Next step, does 'getent passwd a_username' show anything ?

> *phew*
>
> Thanks all for the help so far, could have thought of doing so
> earlier (well, I did, but did it wrong ...)
>
> I test things now.
>
> Thanks again @ Rowland, Louis, etc

No problem

> -
>
> Maybe I come back with another issue later, we saw permission
> problems at editing GPOs. "sysvolreset" and "sysvolcheck" done OK
> already.

What problem are you having ?

Rowland
Stefan G. Weichinger
2017-Jan-01 10:51 UTC
[Samba] ADS domain member: winbind fails [SOLVED]
On 2016-12-31 at 13:14, Rowland Penny via samba wrote:

>> "wbinfo -u" brings users now.
>
> Next step, does 'getent passwd a_username' show anything ?

yes! On the member server:

main ~ # grep ads1 /etc/passwd

main ~ # getent passwd ads1
ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false

This is a newly created user in the AD.

As mentioned, old users are in /etc/passwd on the member server from
the time when it was the NT4-PDC. I might/should remove them from
that file now?

>> Maybe I come back with another issue later, we saw permission
>> problems at editing GPOs. "sysvolreset" and "sysvolcheck" done OK
>> already.
>
> What problem are you having ?

I have to re-test that onsite in the next days, I am currently at home
and have no RSAT-tools at hand. When we edited group policy objects we
got some "access denied", I can't remember the specific "path" now. We
will test that in the next days and I report back.

Aside from that it looks to me as if that migration (NT4 domain -> AD
domain) is pretty much done?

-- have a happy new year everyone!

Stefan
On Sun, 1 Jan 2017 11:51:26 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-12-31 at 13:14, Rowland Penny via samba wrote:
>
> >> "wbinfo -u" brings users now.
> >
> > Next step, does 'getent passwd a_username' show anything ?
>
> yes! On the member server:
>
> main ~ # grep ads1 /etc/passwd
>
> main ~ # getent passwd ads1
> ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false

Are these the numbers you want to use ? I ask this because you are
using the 'rid' backend, but will probably also have uidNumber &
gidNumber attributes in AD.

> This is a newly created user in the AD.
>
> As mentioned, old users are in /etc/passwd on the member server from
> the time when it was the NT4-PDC. I might/should remove them from
> that file now?

Oh definitely 'should' ;-)

If you look in /etc/nsswitch.conf, the passwd line will be something
like this:

passwd: compat winbind

This means that /etc/passwd will be checked first and any users found
there will be used instead of from AD, also you should not be able to
create new users in AD if they already exist in /etc/passwd. You only
need users and groups stored in one place and that is AD.

> >> Maybe I come back with another issue later, we saw permission
> >> problems at editing GPOs. "sysvolreset" and "sysvolcheck" done OK
> >> already.
> >
> > What problem are you having ?
>
> I have to re-test that onsite in the next days, I am currently at home
> and have no RSAT-tools at hand. When we edited group policy objects we
> got some "access denied", I can't remember the specific "path" now. We
> will test that in the next days and I report back.

You will probably need to give Domain Admins the disk operator
privilege:

net rpc rights grant DOMAIN\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

> Aside from that it looks to me as if that migration (NT4 domain -> AD
> domain) is pretty much done?
>
> -- have a happy new year everyone!
>
> Stefan

May I echo that sentiment, may the new year bring you everything you
wish for .

Rowland
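The shadowing Rowland describes (with `passwd: compat winbind`, a matching /etc/passwd entry is returned instead of the AD account) is worth auditing before the old NT4-era accounts are deleted. The script below is an added example, not code from the thread or from Samba: it assumes a constructed /etc/passwd excerpt and a constructed winbind listing in getent(1) format, and reports both name collisions and UID collisions between the two stores.

```python
import re

# Constructed /etc/passwd excerpt (hypothetical): a leftover NT4-era local
# account with the same name as the AD user, plus a system user whose uid
# happens to equal the rid-mapped uid that winbind now hands out.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ads1:x:1001:1001:old NT4 account:/home/ads1:/bin/bash
backup:x:13112:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed winbind answers in getent(1) format (rid backend mapping).
WINBIND_PASSWD = """\
ads1:*:13112:10513::/home/ARBEITSGRUPPE/ads1:/bin/false
ads2:*:13113:10513::/home/ARBEITSGRUPPE/ads2:/bin/false
"""

NSSWITCH = "passwd: compat winbind\n"


def parse_passwd(text):
    """Map user name -> uid for every well-formed passwd(5) line."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2].isdigit():
            users[f[0]] = int(f[2])
    return users


def local_wins(nsswitch):
    """True when the passwd line lists files/compat before winbind, so on a
    name clash the local entry is returned and the AD account is hidden."""
    m = re.search(r"^\s*passwd:\s*(.+)$", nsswitch, re.MULTILINE)
    order = m.group(1).split() if m else []
    local = [i for i, s in enumerate(order) if s in ("files", "compat")]
    wb = [i for i, s in enumerate(order) if s == "winbind"]
    return bool(local) and (not wb or local[0] < wb[0])


def find_conflicts(local_text, winbind_text, nsswitch):
    """Return (local_first, duplicate_names, uid_clashes); a uid clash is a
    (local_name, ad_name, uid) triple where one uid names two accounts."""
    local, wb = parse_passwd(local_text), parse_passwd(winbind_text)
    dupes = sorted(n for n in wb if n in local)
    by_uid = {uid: name for name, uid in local.items()}
    clashes = sorted((by_uid[u], n, u) for n, u in wb.items() if u in by_uid)
    return local_wins(nsswitch), dupes, clashes


if __name__ == "__main__":
    first, dupes, clashes = find_conflicts(LOCAL_PASSWD, WINBIND_PASSWD, NSSWITCH)
    for n in dupes:
        print(f"{n}: in /etc/passwd and AD; {'local' if first else 'AD'} entry wins")
    for local_name, ad_name, uid in clashes:
        print(f"uid {uid} is both local {local_name} and AD {ad_name}")
```

On a real member server, feed it the contents of /etc/passwd, the output of `getent passwd` filtered to winbind users, and /etc/nsswitch.conf; remove the local duplicates before relying on AD as the single account store.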