samba - Jul 2017 - Samba ADS-member-server: FQDNs in /etc/hosts

Am 2017-07-11 um 14:40 schrieb Rowland Penny:
>> Restarted winbind, did "killall -HUP" on smbd and nmbd.
>>
>> still can't login to DM via smbclient and that mentioned user.
>>
>> I assume I need to restart all the smbd daemons ... ?
> 
> Well, you wouldn't be able to, would you, what with having this in
> smb.conf:
> 
> template shell = /usr/sbin/nologin
> 
> The bit on the end sort of gives it away ;-)
> 
> Try changing it to this:
> 
> template shell = /bin/bash
oh my, ok (that was from samba.wiki or so!)

Doesn't change a thing, after restart winbind, and HUP s|nmbd

->


# smbclient \\\\server\\daten -Usgw%PW
session setup failed: NT_STATUS_UNSUCCESSFUL

On Tue, 11 Jul 2017 14:47:50 +0200
"Stefan G. Weichinger" <lists at xunil.at> wrote:
> Am 2017-07-11 um 14:40 schrieb Rowland Penny:
> 
> >> Restarted winbind, did "killall -HUP" on smbd and nmbd.
> >>
> >> still can't login to DM via smbclient and that mentioned user.
> >>
> >> I assume I need to restart all the smbd daemons ... ?
> > 
> > Well, you wouldn't be able to, would you, what with having this in
> > smb.conf:
> > 
> > template shell = /usr/sbin/nologin
> > 
> > The bit on the end sort of gives it away ;-)
> > 
> > Try changing it to this:
> > 
> > template shell = /bin/bash
> 
> oh my, ok (that was from samba.wiki or so!)
OK, I will look into that.
> 
> Doesn't change a thing, after restart winbind, and HUP s|nmbd
> 
> ->
> 
> 
> # smbclient \\\\server\\daten -Usgw%PW
> session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> 
> 
Restart all the Samba binaries on the DM

Then check that the OS knows your user with:

getent passwd sgw

Rowland

Am 2017-07-11 um 14:57 schrieb Rowland Penny:
> Restart all the Samba binaries on the DM
I have to wait for about one hour or so to do so.
> Then check that the OS knows your user with:
> 
> getent passwd sgw
it is right now

Am 2017-07-11 um 14:57 schrieb Rowland Penny:
> On Tue, 11 Jul 2017 14:47:50 +0200
> "Stefan G. Weichinger" <lists at xunil.at> wrote:
> 
>> Am 2017-07-11 um 14:40 schrieb Rowland Penny:
>>
>>>> Restarted winbind, did "killall -HUP" on smbd and
nmbd.
>>>>
>>>> still can't login to DM via smbclient and that mentioned
user.
>>>>
>>>> I assume I need to restart all the smbd daemons ... ?
>>>
>>> Well, you wouldn't be able to, would you, what with having this
in
>>> smb.conf:
>>>
>>> template shell = /usr/sbin/nologin
>>>
>>> The bit on the end sort of gives it away ;-)
>>>
>>> Try changing it to this:
>>>
>>> template shell = /bin/bash
>>
>> oh my, ok (that was from samba.wiki or so!)
> 
> OK, I will look into that.
> 
>>
>> Doesn't change a thing, after restart winbind, and HUP s|nmbd
>>
>> ->
>>
>>
>> # smbclient \\\\server\\daten -Usgw%PW
>> session setup failed: NT_STATUS_UNSUCCESSFUL
>>
>>
>>
> 
> Restart all the Samba binaries on the DM
> 
> Then check that the OS knows your user with:
> 
> getent passwd sgw
DM restarted, no change.


[global]
	netbios name = SERVER
	realm = SECRET.AT
	workgroup = BUERO
	logon home = ""
	logon path = ""
	load printers = No
	printcap name = /dev/null
	dedicated keytab file = /etc/krb5.keytab
	kerberos method = secrets and keytab
	map to guest = Bad User
	map untrusted to domain = Yes
	security = ADS
	username map = /etc/samba/smbusers
	template homedir = /mnt/samba/Daten/%U
	template shell = /bin/bash
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind refresh tickets = Yes
	winbind use default domain = Yes
	idmap config buero:range = 10000-99999
	idmap config buero:backend = rid
	idmap config *:range = 2000-9999
	idmap config * : backend = tdb
	printing = bsd


# smbclient \\\\server\\daten -Usgw%pw
session setup failed: NT_STATUS_UNSUCCESSFUL

root at pre01svdeb01:~# getent passwd sgw
sgw:x:1000:1000:Stefan G. Weichinger,,,:/home/sgw:/bin/bash

root at pre01svdeb01:~# wbinfo -i sgw
sgw:*:11041:10513::/mnt/samba/Daten/sgw:/bin/bash

Am 2017-07-11 um 14:57 schrieb Rowland Penny:
>> # smbclient \\\\server\\daten -Usgw%PW
>> session setup failed: NT_STATUS_UNSUCCESSFUL
> 
> Restart all the Samba binaries on the DM
> 
> Then check that the OS knows your user with:
> 
> getent passwd sgw
libnss_winbind was missing!

Now both results are the same

user-names in /etc/passwd ... rmed now

I was 100% sure to have had that fixed. My fault. I AM SORRY.

-

After several restarts of winbind/smbd/nmbd I now have a better overall
picture, but not fully happy.

One user gets displayed as "administrator" in smbstatus although he is
named differently. Other users on other PCs are mapped correctly and
files are created correctly (= get correct owner and group in linux fs).

For the PC with the problematic issue I see on the DC:

Jul 11 17:16:25 pre01svdeb02 samba[4657]: [2017/07/11 17:16:25.913628,
0]
../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
Jul 11 17:16:25 pre01svdeb02 samba[4657]:   Failed to modify SPNs on
CN=PC-2016-03,OU=secret-Computer,DC=secret,DC=at: acl: spn validation
failed for spn[TERMSRV/PC-2016-03.secret.at] uac[0x1000]
account[PC-2016-03$] hostname[PC-2016-03.BUERO] nbname[BUERO]
ntds[(null)] forest[secret.at] domain[secret.at]

Could that be related?

On another PC that user works correctly.

We try a rejoin now ...

Everything else *seems* to look good now ...

Am 2017-07-11 um 14:57 schrieb Rowland Penny:
> Then check that the OS knows your user with:
> 
> getent passwd sgw
for the mailing list archives and other searching souls:

I think this looks OK now ;-)

root at pre01svdeb01:~# getent passwd sgw
sgw:*:11041:10513::/mnt/samba/Daten/sgw:/bin/bash

root at pre01svdeb01:~# wbinfo -i sgw
sgw:*:11041:10513::/mnt/samba/Daten/sgw:/bin/bash

(identical output, on the DM)