On Fri, 20 Oct 2017, Rowland Penny via samba wrote:

> On Fri, 20 Oct 2017 17:00:01 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
>>> It seems to be treating computers as users (I could be barking up
>>> the wrong tree here), can you post the contents
>>> of /etc/hosts, /etc/hostname, /etc/resolv.conf
>>> and /etc/nsswitch.conf from the domain member
>>
>> Here you go:
>>
>> # cat /etc/resolv.conf
>> search kmg.mydomain.com mydomain.com
>> nameserver 172.30.0.7
>> nameserver 10.224.135.7
>
> I would remove 'mydomain.com' from the search line.

Done

> I also take it that '10.224.135.7' is a DC in the 'kmg.mydomain.com',
> if it isn't, remove this nameserver.

Yes, 10.224.135.7 is a DC.

>> The 2 name server IP addresses are the 2 DCs.
>>
>> # cat /etc/hosts
>>
>> 127.0.0.1 localhost localhost.localdomain
>> 172.30.0.8 vfs1.kmg.mydomain.com vfs1
>
> I would remove 'localhost.localdomain', there is no such thing as
> 'localdomain'

Done

>> # cat /etc/hostname
>> vfs1.kmg.mydomain.com
>
> The hostname should just be 'vfs1', it shouldn't be the FQDN.
>
>> # cat /etc/nsswitch.conf
>> passwd: files winbind
>> shadow: files
>> group: files winbind
>>
>> hosts: files dns myhostname
>
> I would remove 'myhostname'

Done

>> bootparams: nisplus [NOTFOUND=return] files
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files sss
>>
>> netgroup: files sss
>>
>> publickey: nisplus
>>
>> automount: files
>> aliases: files nisplus
>
> I would remove the two 'sss' instances

Done

I did net cache flush and rebooted. No change. Still getting the
Kerberos errors and winbind not going to sleep when no one is in the
office.

I am wondering if I were to remove the member server from the domain,
delete the tdb and ldb databases and then rejoin the domain if that
would help.

Is there a db that tracks the Kerberos information that I could reset?

Besides the added work and the downtime, is there a downside to doing
this? If I understand correctly all of the important information is
stored in the DCs. Is this correct?

I have the following in the smb.conf on the member servers:

idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config KMG:backend = ad
idmap config KMG:schema_mode = rfc2307
idmap config KMG:unix_nss_info = yes
idmap config KMG:range = 10000-999999

Any other suggestions?

Regards,

--
Tom me at tdiehl.org
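The idmap block in the message above is the part of a domain member's smb.conf that fails silently when it is wrong: if the default ('*') range and a domain range overlap, an ID allocated by the tdb backend can collide with a uidNumber/gidNumber read from AD, and a default domain on a read-only backend such as idmap_ad cannot allocate IDs for BUILTIN at all. The script below is an added example, not code from the thread or from the Samba project. It parses the idmap lines exactly as posted (MEMBER_SMB_CONF; the shares and the rest of smb.conf are omitted) and a constructed overlapping variant, accepting both the 'KMG:backend' and '* : backend' spellings since Samba ignores whitespace around the colon, and reports overlapping ranges, a missing range, or a non-allocating backend on the default domain.

```python
"""Sanity-check the idmap configuration of a Samba domain member.

Added example, not from the samba list thread or the Samba project.
"""
import re

# idmap config <domain> : <option> = <value>, whitespace around ':' optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:]+?)\s*:\s*(?P<opt>[A-Za-z_]+)\s*=\s*(?P<val>.+?)\s*$",
    re.IGNORECASE,
)

# The idmap lines as posted in the thread.
MEMBER_SMB_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 3000-7999

idmap config KMG:backend = ad
idmap config KMG:schema_mode = rfc2307
idmap config KMG:unix_nss_info = yes
idmap config KMG:range = 10000-999999
"""

# Constructed variant: the default range has been widened into the KMG range.
OVERLAPPING_SMB_CONF = MEMBER_SMB_CONF.replace("3000-7999", "3000-20000")


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every idmap config line."""
    cfg = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom = m.group("dom").strip().upper()
            cfg.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
    return cfg


def parse_range(value):
    """'3000-7999' -> (3000, 7999); raises ValueError on malformed input."""
    lo, hi = (int(part) for part in value.split("-"))
    if lo > hi:
        raise ValueError(f"range low {lo} is above high {hi}")
    return lo, hi


def check_idmap(cfg):
    """Return a list of (domain, problem) pairs; an empty list means OK."""
    problems = []
    ranges = {}
    for dom, opts in cfg.items():
        backend = opts.get("backend", "").lower()
        # idmap_ad is read-only: it cannot allocate IDs for BUILTIN and other
        # SIDs that fall into the default domain.
        if dom == "*" and backend == "ad":
            problems.append((dom, "default domain cannot use the non-allocating 'ad' backend"))
        if "range" not in opts:
            problems.append((dom, "no range configured"))
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append((dom, f"bad range {opts['range']!r}: {exc}"))
    # Every pair of ranges must be disjoint; otherwise two SIDs can share a UID/GID.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            a_lo, a_hi = ranges[a]
            b_lo, b_hi = ranges[b]
            if a_lo <= b_hi and b_lo <= a_hi:
                problems.append((a, f"range {a_lo}-{a_hi} overlaps {b} range {b_lo}-{b_hi}"))
    return problems


if __name__ == "__main__":
    for label, conf in (("posted", MEMBER_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        print(label, check_idmap(parse_idmap(conf)) or "OK")
```

Run it against a real smb.conf by reading the file into parse_idmap(); it only looks at idmap config lines, so the rest of the file is ignored.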
On Mon, 23 Oct 2017 13:56:27 -0400 (EDT)
me at tdiehl.org wrote:

> On Fri, 20 Oct 2017, Rowland Penny via samba wrote:
>
>> On Fri, 20 Oct 2017 17:00:01 -0400 (EDT)
>> me at tdiehl.org wrote:
>>
>>> On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
>>>> It seems to be treating computers as users (I could be barking up
>>>> the wrong tree here), can you post the contents
>>>> of /etc/hosts, /etc/hostname, /etc/resolv.conf
>>>> and /etc/nsswitch.conf from the domain member
>>>
>>> Here you go:
>>>
>>> # cat /etc/resolv.conf
>>> search kmg.mydomain.com mydomain.com
>>> nameserver 172.30.0.7
>>> nameserver 10.224.135.7
>>
>> I would remove 'mydomain.com' from the search line.
>
> Done
>
>> I also take it that '10.224.135.7' is a DC in the
>> 'kmg.mydomain.com', if it isn't, remove this nameserver.
>
> Yes, 10.224.135.7 is a DC.
>
>>> The 2 name server IP addresses are the 2 DCs.
>>>
>>> # cat /etc/hosts
>>>
>>> 127.0.0.1 localhost localhost.localdomain
>>> 172.30.0.8 vfs1.kmg.mydomain.com vfs1
>>
>> I would remove 'localhost.localdomain', there is no such thing as
>> 'localdomain'
>
> Done
>
>>> # cat /etc/hostname
>>> vfs1.kmg.mydomain.com
>>
>> The hostname should just be 'vfs1', it shouldn't be the FQDN.
>>
>>> # cat /etc/nsswitch.conf
>>> passwd: files winbind
>>> shadow: files
>>> group: files winbind
>>>
>>> hosts: files dns myhostname
>>
>> I would remove 'myhostname'
>
> Done
>
>>> bootparams: nisplus [NOTFOUND=return] files
>>> ethers: files
>>> netmasks: files
>>> networks: files
>>> protocols: files
>>> rpc: files
>>> services: files sss
>>>
>>> netgroup: files sss
>>>
>>> publickey: nisplus
>>>
>>> automount: files
>>> aliases: files nisplus
>>
>> I would remove the two 'sss' instances
>
> Done
>
> I did net cache flush and rebooted. No change. Still getting the
> Kerberos errors and winbind not going to sleep when no one is in the
> office.
>
> I am wondering if I were to remove the member server from the domain,
> delete the tdb and ldb databases and then rejoin the domain if that
> would help.
>
> Is there a db that tracks the Kerberos information that I could reset?
>
> Besides the added work and the downtime, is there a downside to
> doing this? If I understand correctly all of the important
> information is stored in the DCs. Is this correct?
>
> I have the following in the smb.conf on the member servers:
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config KMG:backend = ad
> idmap config KMG:schema_mode = rfc2307
> idmap config KMG:unix_nss_info = yes
> idmap config KMG:range = 10000-999999
>
> Any other suggestions?
>
> Regards,

Unless I missed it, you have never said what OS this is.

How did you get to 4.6.2, did you install it directly or was it an
upgrade from a previous Samba version?

You said this is the only Unix domain member exhibiting this problem,
so you could try the Windows fix, wipe the OS and start again ;-)

Provided you use the same smb.conf as on the other Unix domain members,
you should have no problems.

Just back everything up and leave the domain:

net ads leave -U Administrator

Rowland
On Mon, 23 Oct 2017, Rowland Penny via samba wrote:

> On Mon, 23 Oct 2017 13:56:27 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Fri, 20 Oct 2017, Rowland Penny via samba wrote:
>>
>>> On Fri, 20 Oct 2017 17:00:01 -0400 (EDT)
>>> me at tdiehl.org wrote:
>>>
>>>> On Mon, 16 Oct 2017, Rowland Penny via samba wrote:
>>>>> It seems to be treating computers as users (I could be barking up
>>>>> the wrong tree here), can you post the contents
>>>>> of /etc/hosts, /etc/hostname, /etc/resolv.conf
>>>>> and /etc/nsswitch.conf from the domain member
>>>>
>>>> Here you go:
>>>>
>>>> # cat /etc/resolv.conf
>>>> search kmg.mydomain.com mydomain.com
>>>> nameserver 172.30.0.7
>>>> nameserver 10.224.135.7
>>>
>>> I would remove 'mydomain.com' from the search line.
>>
>> Done
>>
>>> I also take it that '10.224.135.7' is a DC in the
>>> 'kmg.mydomain.com', if it isn't, remove this nameserver.
>>
>> Yes, 10.224.135.7 is a DC.
>>
>>>> The 2 name server IP addresses are the 2 DCs.
>>>>
>>>> # cat /etc/hosts
>>>>
>>>> 127.0.0.1 localhost localhost.localdomain
>>>> 172.30.0.8 vfs1.kmg.mydomain.com vfs1
>>>
>>> I would remove 'localhost.localdomain', there is no such thing as
>>> 'localdomain'
>>
>> Done
>>
>>>> # cat /etc/hostname
>>>> vfs1.kmg.mydomain.com
>>>
>>> The hostname should just be 'vfs1', it shouldn't be the FQDN.
>>>
>>>> # cat /etc/nsswitch.conf
>>>> passwd: files winbind
>>>> shadow: files
>>>> group: files winbind
>>>>
>>>> hosts: files dns myhostname
>>>
>>> I would remove 'myhostname'
>>
>> Done
>>
>>>> bootparams: nisplus [NOTFOUND=return] files
>>>> ethers: files
>>>> netmasks: files
>>>> networks: files
>>>> protocols: files
>>>> rpc: files
>>>> services: files sss
>>>>
>>>> netgroup: files sss
>>>>
>>>> publickey: nisplus
>>>>
>>>> automount: files
>>>> aliases: files nisplus
>>>
>>> I would remove the two 'sss' instances
>>
>> Done
>>
>> I did net cache flush and rebooted. No change. Still getting the
>> Kerberos errors and winbind not going to sleep when no one is in the
>> office.
>>
>> I am wondering if I were to remove the member server from the domain,
>> delete the tdb and ldb databases and then rejoin the domain if that
>> would help.
>>
>> Is there a db that tracks the Kerberos information that I could reset?
>>
>> Besides the added work and the downtime, is there a downside to
>> doing this? If I understand correctly all of the important
>> information is stored in the DCs. Is this correct?
>>
>> I have the following in the smb.conf on the member servers:
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 3000-7999
>>
>> idmap config KMG:backend = ad
>> idmap config KMG:schema_mode = rfc2307
>> idmap config KMG:unix_nss_info = yes
>> idmap config KMG:range = 10000-999999
>
> Unless I missed it, you have never said what OS this is.

It is CentOS 7.4. They are VMs running on a VMware hypervisor. In case it
matters, there are 2 physical hosts, 1 DC and 1 file server on each
physical host. When we are done with the migration we will have a total
of about 150 users split fairly evenly across the 2 physical hosts.

> How did you get to 4.6.2, did you install it directly or was it an
> upgrade from a previous Samba version?

This is a new domain: 2 self-compiled 4.7.0 DCs and 2 member servers
built using the latest 4.6.2 RPMs supplied with CentOS 7.4 and configured
as file servers. All were fresh installs. Data is being migrated from a
10-year-old Samba 3.6 NT4 domain. We chose to remove all of the Windows 7
machines from the old NT4 domain and join them to the new AD domain. All
of the data is being rsync'd from the old machines to the new file servers
and permissions reset as necessary. We did this to avoid problems
associated with a classic upgrade and, with the exception of this problem,
it has gone well.

> You said this is the only Unix domain member exhibiting this problem,
> so you could try the Windows fix, wipe the OS and start again ;-)

Well, I think it is operating normally. There are 2 identical member
servers but only the server with the problem has data and users on it at
this time. The other one is currently in a different building and
awaiting a move to a new facility. Once it is in place, it is slated to
go into production. Light testing seems to show it is operating normally
but, given this issue, I am not sure what it will do once I start
transferring data to it and loading it up.

> Provided you use the same smb.conf as on the other Unix domain members,
> you should have no problems.

Modulo the shares, the smb.conf files are the same.

> Just back everything up and leave the domain:
> net ads leave -U Administrator

That is what I thought. Thanks for confirming that.

Regards,

--
Tom me at tdiehl.org
Hi,

On Mon, 23 Oct 2017, Rowland Penny via samba wrote:
> Unless I missed it, you have never said what OS this is.

CentOS 7.4

> You said this is the only Unix domain member exhibiting this problem,
> so you could try the Windows fix, wipe the OS and start again ;-)
>
> Provided you use the same smb.conf as on the other Unix domain members,
> you should have no problems.
> Just back everything up and leave the domain:
> net ads leave -U Administrator

OK, so I removed the machine from the domain, uninstalled all of the samba
packages, cleaned up all of the tdb and ldb, etc., re-installed the samba
packages and joined the domain. I am using the smb.conf I posted
previously in this thread.

That seems to have gotten rid of the original error and winbind now goes
to sleep. However, I now have a new error:

==> samba/172.30.0.114.log <==
[2017/10/26 00:24:12.116588, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/vfs1.kmg.mydomain.com@KMG.MYDOMAIN.COM not found in keytab (ticket kvno 2)]

The above is showing up in the various samba logs for the machines that
connect to the server. Given that there is no keytab on the machine, this
error does not make any sense to me. Is there supposed to be a keytab? I
do not see anything in
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
that talks about a keytab.

Does anyone know how to fix this? I am still looking but so far Google
has not been helpful.

Regards,

--
Tom me at tdiehl.org
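The log entry above carries the two facts needed to localise the failure: the service principal the client's ticket was issued for (cifs/vfs1.kmg.mydomain.com@KMG.MYDOMAIN.COM) and the key version number the ticket was encrypted under (kvno 2). In MIT Kerberos this wording, as opposed to "... kvno N not found in keytab; ticket is likely out of date", is produced when the server found no key for that principal at any kvno, so the question is what key store smbd consulted. Two caveats before hunting for a missing /etc/krb5.keytab: with the default `kerberos method = secrets only`, smbd verifies tickets using the machine account password held in secrets.tdb rather than a file keytab, so "no keytab on disk" does not mean no key store is in play; and where a file keytab is used, `klist -k` lists the principals and kvnos it holds. The script below is an added example, not code from the thread or from the Samba project. It extracts both MIT wordings from a Samba log (LOG_SAMPLE is constructed to match the quoted entry, plus one unrelated entry the filter must skip) and cross-checks them against `klist -k` style listings (also constructed) so that a principal that is absent, present only at another kvno, or present at the ticket's kvno are told apart.

```python
"""Parse Samba 'not found in keytab' GSS errors and cross-check a keytab listing.

Added example, not from the samba list thread or the Samba project.
Nothing here contacts a KDC or opens /etc/krb5.keytab.
"""
import re

# Samba log entry: header "[timestamp, level] file:line(function)", then the
# message on the next, indented line.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+),\s*(?P<level>\d+)\]\s+(?P<where>\S+)")

# Two MIT Kerberos wordings: 'kvno_any' form = no key for the principal at all,
# 'kvno_exact' form = principal present, but not at the ticket's kvno.
KEYTAB_RE = re.compile(
    r"Request ticket server (?P<spn>\S+?)@(?P<realm>\S+?) "
    r"(?:not found in keytab \(ticket kvno (?P<kvno_any>\d+)\)"
    r"|kvno (?P<kvno_exact>\d+) not found in keytab)"
)

# One row of a `klist -k` table, e.g. "   2 cifs/host@REALM".
KLIST_ROW_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)\s*$")

# Constructed log: the entry from the thread plus one unrelated, made-up entry.
LOG_SAMPLE = """\
[2017/10/26 00:24:12.116588,  1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
  gss_accept_sec_context failed with [Unspecified GSS failure.  Minor code may provide more information: Request ticket server cifs/vfs1.kmg.mydomain.com@KMG.MYDOMAIN.COM not found in keytab (ticket kvno 2)]
[2017/10/26 00:24:13.000000,  3] ../source3/example/example.c:1(example_function)
  unrelated entry, constructed so the filter has something to skip
"""

# Constructed `klist -k` listings for three server-side states.
KEYTAB_HEADER = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
"""
KEYTAB_EMPTY = KEYTAB_HEADER
KEYTAB_STALE = KEYTAB_HEADER + "   1 cifs/vfs1.kmg.mydomain.com@KMG.MYDOMAIN.COM\n"
KEYTAB_CURRENT = KEYTAB_HEADER + "   2 cifs/vfs1.kmg.mydomain.com@KMG.MYDOMAIN.COM\n"


def parse_keytab_errors(log_text):
    """Return one dict per keytab error: ts, where, spn, realm, kvno, kind."""
    errors, header = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header = m.groupdict()
            continue
        m = KEYTAB_RE.search(line)
        if m and header:
            kvno_any = m.group("kvno_any")
            errors.append({
                "ts": header["ts"],
                "where": header["where"],
                "spn": m.group("spn"),
                "realm": m.group("realm"),
                "kvno": int(kvno_any or m.group("kvno_exact")),
                "kind": "no-principal" if kvno_any else "wrong-kvno",
            })
    return errors


def parse_klist(listing):
    """Map principal -> set of kvnos present in `klist -k` output."""
    table = {}
    for line in listing.splitlines():
        m = KLIST_ROW_RE.match(line)
        if m:
            table.setdefault(m.group("principal"), set()).add(int(m.group("kvno")))
    return table


def diagnose(errors, keytab):
    """Cross-check each error against what the server's keytab actually holds."""
    report = []
    for err in errors:
        principal = f"{err['spn']}@{err['realm']}"
        have = keytab.get(principal, set())
        if not have:
            status = "missing-principal"   # no key for this SPN on the server at all
        elif err["kvno"] not in have:
            status = "kvno-mismatch"       # server key is older/newer than the ticket's
        else:
            status = "entry-present"       # entry exists; presence is not the problem
        report.append({"principal": principal, "ticket_kvno": err["kvno"],
                       "keytab_kvnos": sorted(have), "status": status})
    return report


if __name__ == "__main__":
    errs = parse_keytab_errors(LOG_SAMPLE)
    for label, listing in (("empty", KEYTAB_EMPTY), ("stale", KEYTAB_STALE), ("current", KEYTAB_CURRENT)):
        for row in diagnose(errs, parse_klist(listing)):
            print(f"{label:8} {row['principal']} ticket kvno {row['ticket_kvno']} "
                  f"keytab kvnos {row['keytab_kvnos']} -> {row['status']}")
```

To use it on a live member server, feed the relevant log file to parse_keytab_errors() and the output of `klist -k` (or of `net ads keytab list`, where a file keytab is configured) to parse_klist(); the 'kind' field already says whether the principal or only its kvno was missing, and diagnose() shows whether the keytab you are looking at agrees with that.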