Oh, I assumed you meant -d10, since -d0 turns off all debug output, so the output is long, but I get:-

. . .
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Received smb_krb5 packet of length 234
Timed out smb_krb5 packet
Timed out smb_krb5 packet
Received smb_krb5 packet of length 108
kinit for HOSTNAME$@DOMAIN.LOCAL succeeded
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
$

October 30, 2017 2:10 PM, "A. James Lewis via samba" <samba at lists.samba.org> wrote:

> It appears to hang for a very long time (up to 15 minutes) on "kinit for HOSTNAME$@DOMAIN.LOCAL
> succeeded"
> then it returns nothing.
>
> I'm somewhat confused!
>
> James
>
> October 30, 2017 12:27 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:
>
>> On Mon, 30 Oct 2017 12:07:24 +0000
>> "A. James Lewis" <james at fsck.co.uk> wrote:
>>
>>> I did come up with that option from Google, but wondered if it was
>>> only suitable if Samba was the AD controller, since that was always
>>> the context it was used in.
>>>
>>> This is the result I get.
>>>
>>> root at hostname:~# samba-tool group listmembers groupname
>>> ERROR(ldb): Failed to list members of "groupname" group -
>>> ldb_search: invalid basedn '(null)'
>>> root at hostname:~#
>>
>> Try something like this:
>>
>> root at devstation:~# samba-tool group listmembers Unix\ Admins -H ldap://dc3 -d0
>> rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> A. James Lewis (james at fsck.co.uk)
> "Engineering does not require science. Science helps a lot but people
> built perfectly good brick walls long before they knew why cement works."

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."

On Mon, 30 Oct 2017 14:16:16 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> Oh, I assumed you meant -d10, since -d0 turns off all debug output,
> so the output is long, but I get:-

Sorry, but no, I added that because I had 'log level = 10' in smb.conf.
Please post the info I asked for.

Rowland

I must admit I assumed that it was completely hung which is why I looked at your command line to see if there was a typo etc... but here's the output you asked for:-

root at hostname:~# time samba-tool group listmembers testgroup -H ldap://adserver -d0
FUNC-UNIX

real 11m33.761s <------ LONG TIME!
user 0m0.327s
sys 0m0.021s

I guess they have some nested groups set up... it does appear to be returning something, but obviously not a list of users.

However, for example:-

root at hostname:~# time wbinfo -g jlewis | grep testgroup
testgroup

real 0m0.134s
user 0m0.019s
sys 0m0.005s

I don't have any issue logging on, or using the host...

James

October 30, 2017 2:32 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 30 Oct 2017 14:16:16 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> Oh, I assumed you meant -d10, since -d0 turns off all debug output,
>> so the output is long, but I get:-
>
> Sorry, but no, I added that because I had 'log level = 10' in smb.conf.
> Please post the info I asked for.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."

On Mon, 30 Oct 2017 15:51:28 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> I must admit I assumed that it was completely hung which is why I
> looked at your command line to see if there was a typo etc... but
> here's the output you asked for:-
>
> root at hostname:~# time samba-tool group listmembers testgroup -H
> ldap://adserver -d0 FUNC-UNIX
>
> real 11m33.761s <------ LONG TIME!
> user 0m0.327s
> sys 0m0.021s
>
> I guess they have some nested groups set up... it does appear to be
> returning something, but obviously not a list of users.
>
>
> However, for example:-
>
> root at hostname:~# time wbinfo -g jlewis | grep testgroup
> testgroup
>
> real 0m0.134s
> user 0m0.019s
> sys 0m0.005s
>
> I don't have any issue logging on, or using the host...
>

Will you please post the info I asked you to post, plus I think you
better tell us what OS you are using.

Whilst nested groups might slow things down, it shouldn't slow things
down to the extent you are seeing.

Rowland

Oh, apologies, I thought you were referring to the fact that I had changed your -d0 to -d10 since I was getting no output for 10 minutes... :)

smb.conf

[global]
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL
idmap config *:backend = tdb
idmap config *:range = 95000-99999
idmap config DOMAIN:backend = rid
idmap config DOMAIN:range = 100000-999999
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%D/%U

/etc/resolv.conf

search domain.local
nameserver 10.x.x.20
nameserver 10.x.x.21
nameserver 10.x.x.11
nameserver 10.x.y.10
nameserver 10.x.y.20
nameserver 10.y.x.90
nameserver 10.y.x.21
nameserver 10.y.x.90

/etc/hosts

127.0.0.1 localhost proxy1 proxy2 printer
127.0.1.1 hostname.dev.domain.local hostname

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/krb5.conf

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = true

It's running on Ubuntu 17.10.

James

October 30, 2017 4:20 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote:

> On Mon, 30 Oct 2017 15:51:28 +0000
> "A. James Lewis" <james at fsck.co.uk> wrote:
>
>> I must admit I assumed that it was completely hung which is why I
>> looked at your command line to see if there was a typo etc... but
>> here's the output you asked for:-
>>
>> root at hostname:~# time samba-tool group listmembers testgroup -H
>> ldap://adserver -d0 FUNC-UNIX
>>
>> real 11m33.761s <------ LONG TIME!
>> user 0m0.327s
>> sys 0m0.021s
>>
>> I guess they have some nested groups set up... it does appear to be
>> returning something, but obviously not a list of users.
>>
>> However, for example:-
>>
>> root at hostname:~# time wbinfo -g jlewis | grep testgroup
>> testgroup
>>
>> real 0m0.134s
>> user 0m0.019s
>> sys 0m0.005s
>>
>> I don't have any issue logging on, or using the host...
>
> Will you please post the info I asked you to post, plus I think you
> better tell us what OS you are using.
>
> Whilst nested groups might slow things down, it shouldn't slow things
> down to the extent you are seeing.
>
> Rowland

--
A. James Lewis (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people built perfectly good brick walls long before they knew why cement works."