Try cleaning up your smb.conf also.
> vfs objects = dfs_samba4, acl_xattr
A bit lower:
> vfs objects = recycle full_audit
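Both lines are in [global], and a later "vfs objects" line replaces the earlier one, so dfs_samba4 and acl_xattr would no longer be loaded. Set this as one line: vfs objects = dfs_samba4, acl_xattr, recycle full_audit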
You're using: > winbind nss info = rfc2307
So remove these lines ("idmap config" backends are meant for domain members; a DC does not use them):
> idmap config * : backend = tdb
> idmap config *:range = 70001-80000
> idmap config LOVATO:backend = ad
> idmap config LOVATO:schema_mode = rfc2307
> idmap config LOVATO:range = 500-40000
Listed twice:
> disable spoolss = yes
> disable spoolss = yes
And so on, so back up your smb.conf and clean it up first.
As an example, this is all I have.
[global]
workgroup = NTDOM
realm = REALM
# netbios name is not needed; the computer's hostname will be used. I
# think it's handy to have it here.
netbios name = DC1
server role = active directory domain controller
# if you run bind_dlz and not samba dns, this is sufficient.
server services = -dns
# Don't forget to set the idmap_ldb option on ALL DCs if you use it
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
winbind expand groups = 4
# with rfc2307 this is only needed on the DC.
template shell = /bin/bash
template homedir = /home/users/%U
# disable printing completely; when set empty, no error messages are logged.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershare creation; when set empty, no error messages are logged.
usershare path
# Add and update the TLS key and certificates (keep the key file readable by root only)
tls enabled = yes
tls keyfile = /........key.pem
tls certfile = /........cert.pem
tls cafile = /....... ca.pem
[sysvol]
......
Van: Roger Lovato [mailto:rogerlovato at outlook.com]
Verzonden: vrijdag 3 februari 2017 14:40
Aan: L.P.H. van Belle
Onderwerp: Re: [Samba] Problems with winbind cache
Hi,
Thanks for your help, but still not updating..
passwd: files winbind sss
shadow: files sss
group: files winbind sss
getent doesn't return any users or groups.
Regards,
De: samba <samba-bounces at lists.samba.org> em nome de L.P.H. van Belle
via samba <samba at lists.samba.org>
Enviado: sexta-feira, 3 de fevereiro de 2017 11:28:48
Para: samba at lists.samba.org
Assunto: Re: [Samba] Problems with winbind cache
Try changing your nsswitch.conf to
passwd: files winbind sss
shadow: files sss
group: files winbind sss
Now run:
net cache flush
restart winbind
wbinfo -u
wbinfo -g
getent passwd username
getent passwd groupname
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Roger Lovato
via
> samba
> Verzonden: vrijdag 3 februari 2017 14:21
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Problems with winbind cache
>
> Hi guys!!
>
>
> I'm facing a problem with Samba 4 + winbind that I have spent some days trying
> to solve without success, and I'll appreciate any help.
>
>
> I self compile samba 4 and apparently everything is working fine. I
> installed samba on six distributed servers at remote branch offices and
> all users, groups, dns and other components are replicating with success.
>
>
> But last week I saw that the winbind cache was not being updated, and when I try
> to get users and groups with the getent command, new members are not shown.
>
>
> I tried some tricks and tips that I found in several websites and forums,
> but nothing is working. Yesterday I tried to flush winbind cache with
> command:
>
>
> net cache flush
>
>
> The whole winbind cache has been erased, but it is not updated, and now I don't
> get any users or groups when I query them with the getent command.
>
>
> I read in the winbind manual that when I restart the daemon, the whole cache is
> erased and updated, but this does not happen. I have not found where winbind
> saves its cache!
>
>
> My wbinfo listing correctly:
>
>
> # wbinfo -u
> LOVATO\rafael
> LOVATO\xl.teste
> LOVATO\dns-movd-gcp-007
> LOVATO\dns-movd-mgf-001
> LOVATO\dns-movd-gcp-006
> LOVATO\administrator
> LOVATO\xl.teste1
> LOVATO\squid
> LOVATO\krbtgt
> LOVATO\guest
> LOVATO\roger
>
>
> wbinfo -g
> LOVATO\cert publishers
> LOVATO\ras and ias servers
> LOVATO\allowed rodc password replication group
> LOVATO\denied rodc password replication group
> LOVATO\dnsadmins
> LOVATO\enterprise read-only domain controllers
> LOVATO\domain admins
> LOVATO\domain users
> LOVATO\domain guests
> LOVATO\domain computers
> LOVATO\domain controllers
> LOVATO\schema admins
> LOVATO\enterprise admins
> LOVATO\group policy creator owners
> LOVATO\read-only domain controllers
> LOVATO\dnsupdateproxy
> LOVATO\teste
> LOVATO\proxynivel1
> LOVATO\proxynivel2
> LOVATO\proxynivel3
>
>
> My smb.conf
>
>
> [global]
> workgroup = LOVATO
> realm = LOVATO.INTRANET
> netbios name = LVT-006
> server role = active directory domain controller
> passdb backend = samba_dsdb
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> #IDMAP
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> idmap config *:range = 70001-80000
> idmap config LOVATO:backend = ad
> idmap config LOVATO:schema_mode = rfc2307
> idmap config LOVATO:range = 500-40000
> #WINBIND
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind cache time = 10
> winbind refresh tickets = yes
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4, acl_xattr
> template shell = /bin/bash
> #DESABILITANDO AS IMPRESSORAS
> printcap name = /dev/null
> printcap name = /dev/null
> load printers = no
> disable spoolss = yes
> disable spoolss = yes
> printing = bsd
> ### LOGS
> log file = /var/log/samba/smbd.log
> max log size = 50
> log level = 10
> vfs objects = recycle full_audit
> ### LIXEIRA
> recycle:repository = Lixeira
> recycle:exclude = *.tmp *.TMP *.temp *.TEMP ~*
> recycle:keeptree = yes
> full_audit:success = rmdir mkdir open write rename unlink
> full_audit:failure = rmdir mkdir open write rename unlink
> full_audit:prefix = %U|%I|%m|%S
> full_audit:failure = none
> full_audit:facility = local5
> full_audit:priority = notice
> veto files = /*.mp3/*.wav/*.exe/*.cmd/*.adm/*.inf/*.ini/*.pif
> delete veto files = yes
> dos filemode = yes
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/lovato.intranet/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> My krb5.conf
>
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = LOVATO.INTRANET
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [realm]
> LOVATO.INTRANET = {
> kdc = lvt-006.lovato.intranet:88
> default_domain = lovato.intranet
> }
>
> [domain_realm]
> .lovato.intranet = LOVATO.INTRANET
> lovato.intranet = LOVATO.INTRANET
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
>
> My nsswitch.conf
>
>
> passwd: files sss winbind
> shadow: files sss
> group: files sss winbind
>
>
> Processes:
>
>
> named 847 0.0 1.8 558900 68924 ? Ssl Feb02 0:15
> /usr/sbin/named -u named -4
> root 1543 0.0 1.1 585920 45312 ? Ss Feb02 0:00
> /usr/local/samba/sbin/samba -D
> root 1544 0.0 0.8 585920 32304 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1557 0.0 1.2 637780 48844 ? Ss Feb02 0:00 | \_
> /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --
> foreground
> root 1561 0.0 0.8 632284 32224 ? S Feb02 0:00 |
> \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --
> foreground
> root 1562 0.0 0.8 632308 32204 ? S Feb02 0:00 |
> \_ /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --
> foreground
> root 1545 0.3 1.0 592616 38832 ? S Feb02 2:41 \_
> /usr/local/samba/sbin/samba -D
> root 1546 0.0 0.8 585920 33624 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1547 0.0 0.8 585920 32184 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1548 0.0 0.9 585920 34680 ? S Feb02 0:01 \_
> /usr/local/samba/sbin/samba -D
> root 1549 0.0 0.8 585920 33852 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1550 0.0 0.9 592208 37212 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1551 0.1 0.9 594688 37676 ? S Feb02 1:01 \_
> /usr/local/samba/sbin/samba -D
> root 1552 0.0 0.8 585920 32304 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1553 0.0 1.2 609256 47364 ? Ss Feb02 0:02 | \_
> /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes -
> -foreground
> root 1560 0.0 0.9 616864 35820 ? S Feb02 0:32 |
> \_ /usr/local/samba/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> root 1564 0.0 0.9 610668 35372 ? S Feb02 0:00 |
> \_ /usr/local/samba/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> root 1569 0.0 0.9 616996 35576 ? S Feb02 0:00 |
> \_ /usr/local/samba/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
> root 1554 0.0 0.8 585920 32340 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1555 0.0 1.1 585920 42976 ? S Feb02 0:00 \_
> /usr/local/samba/sbin/samba -D
> root 1556 0.0 0.8 585920 33328 ? S Feb02 0:01 \_
> /usr/local/samba/sbin/samba -D
>
>
> Version:
>
> # samba -V
> Version 4.5.3
>
>
> Is there any way to force a winbind update?