Henrik Johansson
2017-Mar-18 16:49 UTC
[Samba] AD integration not working after move/version
Hi Rowland and thanks for your reply,

> On 18 Mar 2017, at 16:54, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 18 Mar 2017 16:06:28 +0100
> Henrik Johansson via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I am in a bit of trouble, I have moved a samba installation from one
>> virtual host to another keeping the configuration files and
>> filesystems. But during the transition something broke, now Windows
>> users are no longer able to access their shares. I think it has to do
>> with the AD integration. I do not know if it is because some state is
>> missing on this host related to the AD integration or if something
>> has changed since the version of samba is higher on the new host. We
>> have the same set of private files also (passed.tbd and secrets.tbd).
>>
>> Old version was 3.5.8 and the new version on the virtual host that
>> does not work is 3.6.25.
>
> What OS is this on ?
> Can you upgrade to a Samba version that is not EOL ?

Short summary; this is on an old Solaris 10 system, the virtual host is a Solaris zone, or two instances of the zone on two hosts for failover. The config is years old and I had no part in this, but we needed to upgrade Solaris, Oracle has only managed to release 3.5.8 or something close to that as patches. I could of course compile my own version or something but Samba was not the scope for this operation, it just stopped working which is a huge problem, and it can be because we needed to switch to the other zone or because the config did not work with this slightly newer version.

>> Any ideas on how to debug this is helpful, I know very little about AD
>> integration, perhaps the virtual host needs to join the domain again
>> and authenticate, can I check the status of the integration in any
>> way?
>
> You will probably need to join the new domain member again.

I’m trying, and getting:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database

>> # Global parameters
>> [global]
>> log file = /var/samba/log/clientlog.%m
>> dns proxy = No
>> acl check permissions = False
>> netbios aliases = string1
>> server string = string1
>> name resolve order = hosts bcast
>> realm = DOMAIN.NET
>> password server = server3.string1.net sever4.string1.net
>> # wins server = x.x.x.x
>> local master = no
>> workgroup = WGNAME
>> os level = 0
>> domain master = no
>> encrypt passwords = yes
>> security = DOMAIN
>
> Try changing 'security = DOMAIN' to 'security = ADS'
>
> Are you running winbind or are you using something else for
> authentication ?

I am under the impression that it’s Kerberos.

> Rowland
On Sat, 18 Mar 2017 17:49:31 +0100
Henrik Johansson <henrikj at henkis.net> wrote:

> Hi Rowland and thanks for your reply,
>
> Short summary; this is on an old Solaris 10 system, the virtual host
> is a Solaris zone, or two instances of the zone on two hosts for
> failover. The config is years old and I had no part in this, but we
> needed to upgrade Solaris, Oracle has only managed to release 3.5.8 or
> something close to that as patches. I could of course compile my own
> version or something but Samba was not the scope for this operation,
> it just stopped working which is a huge problem, and it can be
> because we needed to switch to the other zone or because the config
> did not work with this slightly newer version.

OK, I wonder if you are running into the result of the badlock patches?

> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not
> found in Kerberos database Failed to join domain: failed to connect
> to AD: Server not found in Kerberos database

What is the DC?
What have you got in /etc/krb5.conf (or wherever it is)?
Does /etc/resolv.conf use the DC as the first nameserver?

> I am under the impression that it’s kerberos.

Samba uses winbind to talk to AD, so your first step will probably need to be adding the idmap config lines as suggested by Marc.

Rowland
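
Added example (not part of the original messages, and not Samba code): a small pre-join check covering the three things the reply above asks about, namely the 'security' setting, the realm in krb5.conf, and whether the first nameserver in resolv.conf is a DC. The sample file contents, the 192.0.2.x addresses and the function names are constructed for illustration; the DC address list is an assumption supplied by the operator.

```python
import re

# Constructed inputs modelled on the thread; the addresses are documentation
# placeholders, not values from the original post.
SMB_CONF = """[global]
realm = DOMAIN.NET
workgroup = WGNAME
security = DOMAIN
"""
KRB5_CONF = """[libdefaults]
    default_realm = DOMAIN.NET
"""
RESOLV_CONF = "nameserver 192.0.2.53\nnameserver 192.0.2.10\n"

def smb_globals(text):
    """Parse the [global] section of smb.conf into {normalised key: value}."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            opts[" ".join(key.lower().split())] = val.strip()
    return opts

def prejoin_findings(smb_text, krb5_text, resolv_text, dc_ips):
    """Return a list of mismatches; dc_ips is supplied by the operator."""
    findings = []
    g = smb_globals(smb_text)
    if g.get("security", "").lower() != "ads":
        findings.append("smb.conf: security = %s, not ADS" % g.get("security", "(unset)"))
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    krb_realm = m.group(1) if m else "(unset)"
    if krb_realm.upper() != g.get("realm", "").upper():
        findings.append("krb5.conf: default_realm %s != smb.conf realm %s"
                        % (krb_realm, g.get("realm", "(unset)")))
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)
    if not servers or servers[0] not in dc_ips:
        findings.append("resolv.conf: first nameserver %s is not a DC"
                        % (servers[0] if servers else "(none)"))
    return findings

if __name__ == "__main__":
    for f in prejoin_findings(SMB_CONF, KRB5_CONF, RESOLV_CONF, {"192.0.2.10"}):
        print("CHECK:", f)
```
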
Henrik Johansson
2017-Mar-18 18:55 UTC
[Samba] AD integration not working after move/version
>> Short summary; this is on an old Solaris 10 system, the virtual host
>> is a Solaris zone, or two instances of the zone on two hosts for
>> failover. The config is years old and I had no part in this, but we
>> needed to upgrade Solaris, Oracle has only managed to release 3.5.8 or
>> something close to that as patches. I could of course compile my own
>> version or something but Samba was not the scope for this operation,
>> it just stopped working which is a huge problem, and it can be
>> because we needed to switch to the other zone or because the config
>> did not work with this slightly newer version.
>
> OK, I wonder if you are running into the result of the badlock patches ?

Yes I am having badluck! Thank you so much, I solved it not by upgrading but downgrading below 3.6.25, so without badlock for the time being. Solved the urgent problem but we need to have a plan to go to a later version but under well tested conditions.

Thanks again!

Regards
Henrik