Sven Schwedas
2017-Nov-13 10:02 UTC
[Samba] Winbind error "Could not fetch our SID - did we join?"
We did, in fact, join mere seconds ago, but for some reason, winbind
still can't find itself. ADUC etc meanwhile have no trouble finding
the newly added computer account.

Wiping /var/{lib,cache}/samba/ (and the computer account) makes no
difference, the error persists.

How do I proceed?

--
Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

-------------- next part --------------
INFO: Current debug levels:
  all: 5
  tdb: 5
  printdrivers: 5
  lanman: 5
  smb: 5
  rpc_parse: 5
  rpc_srv: 5
  rpc_cli: 5
  passdb: 5
  sam: 5
  auth: 5
  winbind: 5
  vfs: 5
  idmap: 5
  quota: 5
  acls: 5
  locking: 5
  msdfs: 5
  dmapi: 5
  registry: 5
  scavenger: 5
  dns: 5
  ldb: 5
  tevent: 5
Processing section "[global]"
Processing section "[homes]"
Processing section "[1_TAO_VISION_und_VERWALTUNG]"
Processing section "[2_TAO_GESCHAEFTSFELDINFOS]"
Processing section "[3_TAO_DENK_und_WERKZEUGE_TOOLS]"
Processing section "[4_TAO_PROJEKTE]"
Processing section "[5_TAO_ARCHIV]"
Processing section "[Bilder]"
Processing section "[buchhaltung]"
Processing section "[DBS]"
Processing section "[DSC_Scanner]"
Processing section "[public-villach]"
Processing section "[Videos]"
Processing section "[printers]"
Processing section "[print$]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain ad.tao.at
finddcs: looking for SRV records for _ldap._tcp.ad.tao.at
resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.ad.tao.at<0x0>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
ads_dns_lookup_srv: 4 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.17.65'
finddcs: DNS SRV response 1 at '192.168.16.213'
finddcs: DNS SRV response 2 at '192.168.17.66'
finddcs: DNS SRV response 3 at '192.168.16.211'
finddcs: performing CLDAP query on 192.168.17.65
finddcs: Found matching DC 192.168.17.65 with server_type=0x000003fd
Mapped to DCERPC endpoint \pipe\lsarpc
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
Socket options:
  SO_KEEPALIVE = 0
  SO_REUSEADDR = 0
  SO_BROADCAST = 0
  TCP_NODELAY = 1
  TCP_KEEPCNT = 9
  TCP_KEEPIDLE = 7200
  TCP_KEEPINTVL = 75
  IPTOS_LOWDELAY = 0
  IPTOS_THROUGHPUT = 0
  SO_REUSEPORT = 0
  SO_SNDBUF = 46080
  SO_RCVBUF = 372480
  SO_SNDLOWAT = 1
  SO_RCVLOWAT = 1
  SO_SNDTIMEO = 0
  SO_RCVTIMEO = 0
  TCP_QUICKACK = 1
  TCP_DEFER_ACCEPT = 0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [AD\sven.schwedas]:
Received smb_krb5 packet of length 257
Received smb_krb5 packet of length 1400
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will have no cryptographic protection
Mapped to DCERPC endpoint 135
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1024
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 257
Received smb_krb5 packet of length 1400
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically sealed
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name graz-dc-sem.ad.tao.at<0x20>
startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 257
Received smb_krb5 packet of length 1392
gensec_gssapi: NO credentials were delegated
GSSAPI Connection will be cryptographically signed
ldb_wrap open of ldap://graz-dc-sem.ad.tao.at
ldb_wrap open of secrets.ldb
Joined domain AD (S-1-5-21-3879549028-3895635520-2867903743)

-------------- next part --------------
[2017/11/13 10:56:40.771086, 3] ../source3/param/loadparm.c:3739(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/11/13 10:56:40.771168, 5] ../source3/param/loadparm.c:1312(free_param_opts)
  Freeing parametrics:
[2017/11/13 10:56:40.771236, 3] ../source3/param/loadparm.c:542(init_globals)
  Initialising global parameters
[2017/11/13 10:56:40.771276, 2] ../source3/param/loadparm.c:314(max_open_files)
  rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
[2017/11/13 10:56:40.771369, 3] ../source3/param/loadparm.c:2668(lp_do_section)
  Processing section "[global]"
  doing parameter log level = 5
[2017/11/13 10:56:40.771422, 5] ../lib/util/debug.c:642(debug_dump_status)
  INFO: Current debug levels:
    all: 5
    tdb: 5
    printdrivers: 5
    lanman: 5
    smb: 5
    rpc_parse: 5
    rpc_srv: 5
    rpc_cli: 5
    passdb: 5
    sam: 5
    auth: 5
    winbind: 5
    vfs: 5
    idmap: 5
    quota: 5
    acls: 5
    locking: 5
    msdfs: 5
    dmapi: 5
    registry: 5
    scavenger: 5
    dns: 5
    ldb: 5
    tevent: 5
  doing parameter workgroup = AD
  doing parameter realm = AD.TAO.AT
  doing parameter security = ADS
  doing parameter idmap config * : backend = tdb
  doing parameter idmap config * : range = 60000-61000
  doing parameter idmap config AD : backend = ad
  doing parameter idmap config AD : range = 4500-50000
  doing parameter idmap config AD : schema_mode = rfc2307
  doing parameter winbind nss info = rfc2307
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter winbind use default domain = yes
  doing parameter winbind offline logon = yes
  doing parameter winbind max domain connections = 32
  doing parameter winbind expand groups = 4
  doing parameter winbind refresh tickets = yes
  doing parameter state directory = /var/cache/samba/
  doing parameter cache directory = /var/cache/samba/
  doing parameter lock directory = /var/cache/samba/
  doing parameter template homedir = /home/%U
  doing parameter template shell = /bin/bash
  doing parameter winbind reconnect delay = 5
  doing parameter winbind cache time = 30
  doing parameter load printers = no
  doing parameter unix extensions = no
  doing parameter include = /etc/samba/site.conf
[2017/11/13 10:56:40.772409, 3] ../source3/param/loadparm.c:2668(lp_do_section)
  Processing section "[global]"
  doing parameter netbios name = VILLACH-FILE
  doing parameter server string = Netzlaufwerke Villach
  doing parameter max stat cache size = 4096
  doing parameter client max protocol = SMB2
  doing parameter deadtime = 2
  doing parameter unix extensions = no
  doing parameter local master = no
  doing parameter read only = No
  doing parameter acl group control = Yes
  doing parameter create mask = 0770
  doing parameter force create mode = 0660
  doing parameter directory mask = 0770
  doing parameter force directory mode = 02770
  doing parameter inherit permissions = Yes
  doing parameter inherit acls = Yes
  doing parameter inherit owner = Yes
  doing parameter aio read size = 16384
  doing parameter aio write size = 16384
  doing parameter map acl inherit = Yes
  doing parameter block size = 4096
  doing parameter use sendfile = Yes
  doing parameter map archive = No
  doing parameter map readonly = no
  doing parameter store dos attributes = Yes
  doing parameter ldap timeout = 5
  doing parameter winbind reconnect delay = 2
  doing parameter winbind refresh tickets = yes
  doing parameter winbind request timeout = 5
  doing parameter load printers = yes
[2017/11/13 10:56:40.773111, 4] ../source3/param/loadparm.c:3780(lp_load_ex)
  pm_process() returned Yes
[2017/11/13 10:56:40.773303, 2] ../source3/lib/interface.c:345(add_interface)
  added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
[2017/11/13 10:56:40.773374, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.773420, 5] ../source3/lib/util_names.c:152(init_names)
  Netbios name list:-
  my_netbios_names[0]="VILLACH-FILE"
[2017/11/13 10:56:40.773550, 2] ../source3/lib/interface.c:345(add_interface)
  added interface host0 ip=192.168.16.214 bcast=192.168.16.255 netmask=255.255.255.0
[2017/11/13 10:56:40.774640, 4] ../source3/lib/time.c:266(TimeInit)
  TimeInit: Serverzone is -3600
[2017/11/13 10:56:40.775680, 5] ../source3/lib/tdb_validate.c:195(tdb_validate_open)
  tdb_validate_open called for tdb '/var/cache/samba/winbindd_cache.tdb'
[2017/11/13 10:56:40.775777, 5] ../source3/lib/tdb_validate.c:112(tdb_validate)
  tdb_validate called for tdb '/var/cache/samba/winbindd_cache.tdb'
[2017/11/13 10:56:40.779563, 5] ../source3/lib/tdb_validate.c:179(tdb_validate)
  tdb_validate returning code '0' for tdb '/var/cache/samba/winbindd_cache.tdb'
[2017/11/13 10:56:40.779663, 1] ../source3/lib/tdb_validate.c:480(tdb_validate_and_backup)
  tdb '/var/cache/samba/winbindd_cache.tdb' is valid
[2017/11/13 10:56:40.779716, 3] ../source3/lib/tdb_validate.c:379(rename_file_with_suffix)
  file '/var/cache/samba/winbindd_cache.tdb.bak' does not exist - so not moved
[2017/11/13 10:56:40.786847, 1] ../source3/lib/tdb_validate.c:490(tdb_validate_and_backup)
  Created backup '/var/cache/samba/winbindd_cache.tdb.bak' of tdb '/var/cache/samba/winbindd_cache.tdb'
[2017/11/13 10:56:40.787137, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
  check lock order 2 for /var/cache/samba/serverid.tdb
[2017/11/13 10:56:40.787283, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
  release lock order 2 for /var/cache/samba/serverid.tdb
[2017/11/13 10:56:40.787328, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 33 - private_data=(nil)
[2017/11/13 10:56:40.787365, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 13 - private_data=(nil)
[2017/11/13 10:56:40.787400, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1028 - private_data=(nil)
[2017/11/13 10:56:40.787434, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1027 - private_data=(nil)
[2017/11/13 10:56:40.787469, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1029 - private_data=(nil)
[2017/11/13 10:56:40.787503, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1036 - private_data=(nil)
[2017/11/13 10:56:40.787538, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1035 - private_data=(nil)
[2017/11/13 10:56:40.787575, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1280 - private_data=(nil)
[2017/11/13 10:56:40.787609, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1032 - private_data=(nil)
[2017/11/13 10:56:40.787644, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1033 - private_data=(nil)
[2017/11/13 10:56:40.787678, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1034 - private_data=(nil)
[2017/11/13 10:56:40.787712, 5] ../source3/lib/messages.c:356(messaging_register)
  Registering messaging pointer for type 1 - private_data=(nil)
[2017/11/13 10:56:40.787746, 5] ../source3/lib/messages.c:371(messaging_register)
  Overriding messaging pointer for type 1 - private_data=(nil)
[2017/11/13 10:56:40.787983, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.788077, 5] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/var/lib/samba/private/secrets.tdb): tdb_transaction_start: nesting 1
[2017/11/13 10:56:40.788117, 5] ../lib/dbwrap/dbwrap.c:159(dbwrap_check_lock_order)
  check lock order 1 for /var/lib/samba/private/secrets.tdb
[2017/11/13 10:56:40.788175, 5] ../lib/dbwrap/dbwrap.c:127(dbwrap_lock_order_state_destructor)
  release lock order 1 for /var/lib/samba/private/secrets.tdb
[2017/11/13 10:56:40.788217, 5] ../lib/tdb_wrap/tdb_wrap.c:64(tdb_wrap_log)
  tdb(/var/lib/samba/private/secrets.tdb): tdb_transaction_start: nesting 1
[2017/11/13 10:56:40.846132, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.846218, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.846261, 2] ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
  Added domain BUILTIN (null) S-1-5-32
[2017/11/13 10:56:40.846313, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend smbpasswd
[2017/11/13 10:56:40.846360, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'smbpasswd'
[2017/11/13 10:56:40.846397, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend tdbsam
[2017/11/13 10:56:40.846433, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'tdbsam'
[2017/11/13 10:56:40.846469, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend wbc_sam
[2017/11/13 10:56:40.846505, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'wbc_sam'
[2017/11/13 10:56:40.846540, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend samba_dsdb
[2017/11/13 10:56:40.846576, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'samba_dsdb'
[2017/11/13 10:56:40.846611, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend samba4
[2017/11/13 10:56:40.846649, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'samba4'
[2017/11/13 10:56:40.846685, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend ldapsam
[2017/11/13 10:56:40.846721, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'ldapsam'
[2017/11/13 10:56:40.846756, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend NDS_ldapsam
[2017/11/13 10:56:40.846792, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'NDS_ldapsam'
[2017/11/13 10:56:40.846829, 5] ../source3/passdb/pdb_interface.c:79(smb_register_passdb)
  Attempting to register passdb backend IPA_ldapsam
[2017/11/13 10:56:40.846865, 5] ../source3/passdb/pdb_interface.c:92(smb_register_passdb)
  Successfully added passdb backend 'IPA_ldapsam'
[2017/11/13 10:56:40.846902, 5] ../source3/passdb/pdb_interface.c:155(make_pdb_method_name)
  Attempting to find a passdb backend to match tdbsam (tdbsam)
[2017/11/13 10:56:40.846938, 5] ../source3/passdb/pdb_interface.c:176(make_pdb_method_name)
  Found pdb backend tdbsam
[2017/11/13 10:56:40.846980, 5] ../source3/passdb/pdb_interface.c:187(make_pdb_method_name)
  pdb backend tdbsam has a valid init
[2017/11/13 10:56:40.847021, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.847092, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.847139, 1] ../source3/param/loadparm.c:1039(lp_winbind_max_domain_connections)
  offline logons active, restricting max domain connections to 1
[2017/11/13 10:56:40.847176, 2] ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
  Added domain VILLACH-FILE (null) S-1-5-21-2099295303-2754723936-1384751756
[2017/11/13 10:56:40.847223, 0] ../source3/winbindd/winbindd_util.c:902(init_domain_list)
  Could not fetch our SID - did we join?
[2017/11/13 10:56:40.847319, 0] ../source3/winbindd/winbindd.c:1401(winbindd_register_handlers)
  unable to initialize domain list

-------------- next part --------------
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
    realm = AD.TAO.AT
    server string = Netzlaufwerke Villach
    workgroup = AD
    local master = No
    max stat cache size = 4096
    ldap timeout = 5
    cache directory = /var/cache/samba/
    lock directory = /var/cache/samba/
    state directory = /var/cache/samba/
    client max protocol = SMB2
    unix extensions = No
    security = ADS
    deadtime = 2
    template homedir = /home/%U
    template shell = /bin/bash
    winbind cache time = 30
    winbind enum groups = Yes
    winbind enum users = Yes
    winbind expand groups = 4
    winbind max domain connections = 32
    winbind nss info = rfc2307
    winbind offline logon = Yes
    winbind reconnect delay = 2
    winbind refresh tickets = Yes
    winbind request timeout = 5
    winbind use default domain = Yes
    idmap config ad : schema_mode = rfc2307
    idmap config ad : range = 4500-50000
    idmap config ad : backend = ad
    idmap config * : range = 60000-61000
    idmap config * : backend = tdb
    map archive = No
    map readonly = no
    store dos attributes = Yes
    include = /etc/samba/site.conf
    map acl inherit = Yes
    acl group control = Yes
    create mask = 0770
    directory mask = 0770
    force create mode = 0660
    force directory mode = 02770
    inherit acls = Yes
    inherit owner = Yes
    inherit permissions = Yes
    read only = No
    aio read size = 16384
    aio write size = 16384
    block size = 4096
    use sendfile = Yes

[homes]
    comment = ~
    volume = nethome
Rowland Penny
2017-Nov-13 11:01 UTC
[Samba] Winbind error "Could not fetch our SID - did we join?"
On Mon, 13 Nov 2017 11:02:48 +0100
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> We did, in fact, join mere seconds ago, but for some reason, winbind
> still can't find itself. ADUC etc meanwhile have no trouble finding
> the newly added computer account.
>
> Wiping /var/{lib,cache}/samba/ (and the computer account) makes no
> difference, the error persists.
>
> How do I proceed?
>

Can you post /etc/hostname /etc/hosts /etc/krb5.conf /etc/resolv.conf

Rowland
Sven Schwedas
2017-Nov-13 11:05 UTC
[Samba] Winbind error "Could not fetch our SID - did we join?"
/etc/hostname:villach-file
/etc/hosts:# The following lines are desirable for IPv6 capable hosts
/etc/hosts:::1 localhost ip6-localhost ip6-loopback
/etc/hosts:ff02::1 ip6-allnodes
/etc/hosts:ff02::2 ip6-allrouters
/etc/hosts:127.0.0.1 localhost
/etc/hosts:192.168.16.214 villach-file
/etc/krb5.conf:[libdefaults]
/etc/krb5.conf:    default_realm = AD.TAO.AT
/etc/krb5.conf:    dns_lookup_realm = true
/etc/krb5.conf:    dns_lookup_kdc = true
/etc/krb5.conf:    default_keytab_name = FILE:/etc/krb5.keytab
/etc/krb5.conf:[domain_realm]
/etc/krb5.conf:    .ad.tao.at = AD.TAO.AT
/etc/krb5.conf:    ad.tao.at = AD.TAO.AT
/etc/krb5.conf:    .tao.at = AD.TAO.AT
/etc/krb5.conf:    tao.at = AD.TAO.AT
/etc/resolv.conf:nameserver 192.168.16.1
/etc/resolv.conf:domain ad.tao.at

On 2017-11-13 12:01, Rowland Penny wrote:
> On Mon, 13 Nov 2017 11:02:48 +0100
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> We did, in fact, join mere seconds ago, but for some reason, winbind
>> still can't find itself. ADUC etc meanwhile have no trouble finding
>> the newly added computer account.
>>
>> Wiping /var/{lib,cache}/samba/ (and the computer account) makes no
>> difference, the error persists.
>>
>> How do I proceed?
>>
>
> Can you post /etc/hostname /etc/hosts /etc/krb5.conf /etc/resolv.conf
>
> Rowland
>

--
Best Regards,
Sven Schwedas, System Administrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167