Anantha Raghava
2018-Jun-30 09:21 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
Hi, We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04 LTS) for quite sometime now. We recently installed Samba-AD (Samba AD Version 4.7.6) and made the file server a member of the Domain. Everything was fine till around 11:15 am yesterday. We just added one more share folder and gave access to three users and restarted Samba File Server services - smbd, nmbd and winbindd - services and we lost the file server. None of the domain user is able to login to file server and access their shares. If we access the shares from a non-domain member PC, shares are accessible. File server when accessed asks for user name & password. Once the user feeds his credentials, the login fails and again the file server will ask for user credentials. This is really surprising. We enabled log level 3 on both samba servers (File & AD Server) and we see nothing with respect to this error. Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are attached. I am aware that Samba file server is very old and it's time to upgrade. However, getting it back live is now critical for us. Look forward for any guidance. Thanks & Regards, Anantha Raghava Do not print this e-mail unless required. Save Paper & trees. -------------- next part -------------- # Global parameters [global] netbios name = PDC realm = XXXX.COM server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate workgroup = XXXX idmap_ldb:use rfc2307 = yes ldap server require strong auth = No # Logs and events eventlog list = Security log level = 3 log file = /var/log/samba/dc1.%T.log max log size = 1000000 [netlogon] path = /usr/local/samba/var/locks/sysvol/exza.com/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No -------------- next part -------------- [gdlobal] workgroup = CSAEROTHERM server string = Samba Server Version %v security = ads realm = CSAEROTHERM.COM # socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=131072 SO_SNDBUF=131072 use sendfile = true idmap config * : backend = tdb idmap config * : range = 100000-299999 idmap config CSAEROTHERM : schema_mode = rfc2307 idmap config CSAEROTHERM : backend = rid idmap config CSAEROTHERM : range = 10000-99999 winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind refresh tickets = yes restrict anonymous = 2 log file = /var/log/samba/log.%m max log size = 50 logon script = Set-ADPicture.vbs ## min protocol = SMB2 ## Share definitions [homes] comment = Home Directories path = /home/%U read only = No inherit permissions = Yes browseable = No veto files ="/*.mp3/*.mov/*.jpeg/*.png/*.mp4/*.jfif/*.ppm/*.pgm/*.tiff/*.bmp/*.dwg/" vfs objects = recycle recycle:repository = /home/.recycle/%U recycle:keeptree = Yes recycle:touch = Yes recycle:versions = Yes recycle:maxsixe = 0 recycle:exclude = *.tmp [Share] read list = %U, administrator,suresh path = /storage/CSfiles/pubshare write list = %U,administrator,suresh recycle:touch = Yes recycle:maxsixe = 0 recycle:repository = /storage/CSfiles/pubshare/.recycle/%U comment = Public Share vfs objects = recycle browseable = No recycle:exclude = *.tmp directory mask = 0700 inherit permissions = Yes # revalidate = yes veto files = "/*.mp3/*.mov/*.dwg/*.dwx/*.mpg/" recycle:keeptree = Yes user = administrator,%U,suresh public = yes recycle:versions = Yes [cscloudvendor] read list = %U, administrator, pranavjairam path = /storage/CSfiles/cscloud/vendor valid users = %U, pranavjairam, administrator write list = %U,administrator recycle:touch = Yes recycle:maxsixe = 0 recycle:repository = /storage/CSfiles/cscloud/vendor/.recycle/%U usershare allow guests = yes comment = cscloud vendor drawing Share vfs objects = recycle browseable = Yes recycle:exclude = *.tmp directory mask = 0700 #inherit permissions = Yes # revalidate = yes veto files = "/*.mp3/*.mov/*.dwg/*.dwx/*.mpg/" recycle:keeptree = Yes user = administrator,%U, pranavjairam public = yes recycle:versions = Yes [cscloudvideo] read list = %U, administrator path = /storage/CSfiles/cscloud/video write list = %U,administrator recycle:touch = Yes recycle:maxsixe = 0 recycle:repository = /storage/CSfiles/cscloud/video/.recycle/%U comment = Cscloud videos Share vfs objects = recycle browseable = No recycle:exclude = *.tmp directory mask = 0700 inherit permissions = Yes # revalidate = yes veto files = "/*.mp3/*.mov/*.dwg/*.dwx/*.mpg/" recycle:keeptree = Yes user = administrator,%U public = yes recycle:versions = Yes [profiles] recycle:keeptree = Yes path = /storage/profiles` recycle:touch = Yes directory mask = 0700 recycle:versions = Yes browsable = No vfs objects = recycle comment = User profiles profile acls = Yes hide files = /desktop.ini/ntuser.ini/NTUSER.*/ veto files = /*.mp3/*.avi/*.mov/" write list = recycle:repository = /storage/profiles/.recycle/%U users = recycle:exclude = *.tmp store dos attributes = Yes writable = yes read list = create mask = 0600 recycle:maxsixe = 0 [netlogon] recycle:keeptree = Yes path = /var/lib/netlogon recycle:touch = Yes directory mask = 0700 recycle:versions = Yes browsable = No vfs objects = recycle comment = netlogon profile acls = Yes hide files = /desktop.ini/ntuser.ini/NTUSER.*/ veto files = /*.mp3/*.avi/*.mov/" write list recycle:repository = /var/lib/netlogon/.recycle/%U users recycle:exclude = *.tmp store dos attributes = Yes writable = yes read list create mask = 0600 recycle:maxsixe = 0 [Design] recycle:maxsixe = 0 read list = suresh,manjunathsingh,senthil,roopesh,arjunsagar,prabhu inherit acls = Yes recycle:exclude = *.tmp inherit permissions = Yes valid users = administrator,suresh,manjunathsingh,senthil,roopesh,arjunsagar,prabhu recycle:repository = /storage/CSfiles/Design/.recycle/%U write list = pranavjairam,manjunathsingh,arjunsagar,prabhu veto files = /*.mp3/*.avi/*.mov/" public = yes comment = Design Documents vfs objects = recycle recycle:versions = Yes recycle:touch = Yes browseable = no path = /storage/CSfiles/Design recycle:keeptree = Yes writeable = yes [test123] comment = test123 path = /home/ inherit acls = Yes inherit permissions = Yes valid users = harikumar read list = harikumar write list = harikumar veto files = /*.mp3/*.avi/*.mov/" public = yes writeable = yes browseable = no [Materials] recycle:keeptree = Yes writeable = yes path = /storage/CSfiles/materials recycle:versions = Yes browseable = no recycle:touch = Yes comment = Materials vfs objects = recycle veto files = /*.mp3/*.avi/*.mov/" recycle:repository = /storage/CSfiles/materials/.recycle/%U valid users = suresh,senthil,sangeetha,prakash write list = suresh,senthil,sangeetha,prakash inherit permissions = Yes recycle:exclude = *.tmp recycle:maxsixe = 0 [Accounts] public = yes veto files = /*.mp3/*.avi/*.mov/" write list = administrator,lokesh,harishkumar,devaraju,shivanagouda,vijaya valid users = administrator,lokesh,harishkumar,devaraju,shivanagouda,vijaya recycle:repository = /storage/CSfiles/accounting/.recycle/%U recycle:exclude = *.tmp inherit permissions = Yes inherit acls = Yes create mask = 0600 read list = administrator,lokesh,harishkumar,devaraju,shivanagouda,vijaya recycle:maxsixe = 0 recycle:keeptree = Yes writeable = yes path = /storage/CSfiles/accounting recycle:touch = Yes browseable = no recycle:versions = Yes directory mask = 0700 vfs objects = recycle comment = Accounts [Software] recycle:exclude = *.tmp recycle:maxsixe = 0 read list = administrator,pranavjairam,harikumar,suresh recycle:repository = /storage/CSfiles/software/.recycle/%U valid users = administrator,pranavjairam,harikumar,suresh write list = administrator,pranavjairam,harikumar,suresh recycle:versions = Yes recycle:touch = Yes comment = Software vfs objects = recycle writeable = yes recycle:keeptree = Yes path = /storage/CSfiles/software [Production] path = /storage/CSfiles/production writeable = yes recycle:keeptree = Yes comment = Production vfs objects = recycle user = @Production, at Management recycle:versions = Yes browseable = no recycle:touch = Yes recycle:repository = /storage/CSfiles/production/.recycle/%U valid users = administrator,senthil,manjunathsingh,manjunathmk,rajeshbabu,prabhu,arjunsagar,karthik,kishor,ganeshbabu,vijayakumar,vinodkolar,basavaraj,harikumar write list = administrator,manjunathsingh, at Production,prabhu,arjunsagar,karthik,kishor,vijayakumar,vinodkolar,basavaraj,harikumar veto files = /*.mp3/*.avi/*.mov/" recycle:maxsixe = 0 read list = administrator,senthil,manjunathsingh,manjunathmk,rajeshbabu, at Production, at Management,prabhu,arjunsagar,karthik,kishor,ganeshbabu,vijayakumar,vinodkolar,basavaraj,harikumar inherit permissions = Yes recycle:exclude = *.tmp [Management] writeable = yes recycle:keeptree = Yes path = /storage/management recycle:versions = Yes browseable = no recycle:touch = Yes comment = Management vfs objects = recycle user = @Management recycle:repository = /storage/CSfiles/management/.recycle/%U valid users = administrator write list = administrator, at Management inherit permissions = Yes recycle:exclude = *.tmp recycle:maxsixe = 0 read list = administrator, at Management [Marketing] recycle:maxsixe = 0 comment = Marketing Files vfs objects = recycle read list = administrator,kavitha,kokila recycle:versions = Yes recycle:touch = Yes browseable = no recycle:exclude = *.tmp valid users = administrator,kavitha,kokila recycle:repository = /storage/CSfiles/marketing/.recycle/%U path = /storage/CSfiles/marketing write list = administrator,kavitha,kokila veto files = "*.mp3/*.avi/*.mov/" recycle:keeptree = Yes [Productoin Bakery Equipment] recycle:exclude = *.tmp inherit permissions = Yes read list = administrator, at Production, at Management, at materials recycle:maxsixe = 0 veto files = /*.mp3/*.avi/*.mov/" write list = administrator, at Production, at Management valid users = administrator recycle:repository = /storage/production-BE/.recycle/%U browseable = no recycle:touch = Yes recycle:versions = Yes user = @Production, at Management, at materials vfs objects = recycle comment = Production Bakery Equipment recycle:keeptree = Yes writeable = yes path = /production-BE [QMS] recycle:maxsixe = 0 read list = administrator,senthil,suresh inherit permissions = Yes recycle:exclude = *.tmp recycle:repository = /storage/qms/.recycle/%U valid users = administrator,senthil,suresh write list = administrator,senthil,suresh veto files = /*.mp3/*.avi/*.mov/" comment = QMS Files vfs objects = recycle recycle:versions = Yes browseable = no recycle:touch = Yes path = /storage/CSfiles/qms recycle:keeptree = Yes writeable = yes [HR] recycle:maxsixe = 0 read only = No read list = administrator,vijaya,suresh,rajeshwari,harikumar inherit acls = Yes inherit permissions = Yes recycle:exclude = *.tmp recycle:repository = /storage/CSfiles/HR/.recycle/%U valid users = administrator,vijaya,suresh,rajeshwari,harikumar write list = administrator,vijaya,suresh,rajeshwari,harikumar veto files = /*.mp3/*.avi/*.mov/" comment = HR Documents vfs objects = recycle recycle:versions = Yes browseable = no recycle:touch = Yes path = /storage/CSfiles/HR/ writeable = yes recycle:keeptree = Yes [storagebox] comment = Entire CSA files read list = suresh inherit acls = Yes inherit permissions = Yes valid users = suresh write list = suresh path = /storage/ veto files = /*.mp3/*.avi/*.mov/ recycle:repository = /storage/.recycle/%U recycle:maxsixe = 0 recycle:exclude = *.tmp recycle:keeptree = Yes recycle:versions = Yes recycle:touch = Yes [revent] valid users = administrator,prabhu,pranavjairam,roopesh,vinodkolar recycle:repository = /storage/CSfiles/revent/.recycle/%U write list = administrator,pranavjairam, at management,prabhu,roopesh,vinodkolar public = yes recycle:maxsixe = 0 read list = administrator,pranavjairam,prabhu, at management,roopesh,vinodkolar inherit acls = Yes recycle:exclude = *.tmp inherit permissions = Yes path = /storage/CSfiles/revent recycle:keeptree = Yes writeable = yes comment = revent vfs objects = recycle user = @management recycle:versions = Yes recycle:touch = Yes browseable = no # only user = Yes [csvideo] write list = administrator,pranavjairam,manjunathsingh,suresh,harikumar,harsha,ram, at management valid users = administrator,suresh,%U recycle:repository = /storage/CSfiles/csaplvideos/.recycle/%U public = yes read list = administrator,%U,satheeshkumar, at management recycle:maxsixe = 0 recycle:exclude = *.tmp inherit permissions = Yes inherit acls = Yes path = /storage/CSfiles/csaplvideos writeable = yes recycle:keeptree = Yes user = @management vfs objects = recycle comment = csaplvideo recycle:touch = Yes recycle:versions = Yes [ABL] read list = administrator,pranavjairam,manjunathsingh, at management,prabhu,arjunsagar,vijayakumar recycle:maxsixe = 0 recycle:exclude = *.tmp inherit permissions = Yes inherit acls = Yes write list = administrator,pranavjairam,manjunathsingh, at management,prabhu,arjunsagar,vijayakumar valid users = administrator,pranavjairam,manjunathsingh,prabhu,arjunsagar,vijayakumar recycle:repository = /storage/CSfiles/ABL/.recycle/%U public = yes veto files = /*.mp3/*.avi/*.mov/" user = @management vfs objects = recycle comment = Automatic Bread Line Project recycle:touch = Yes browseable = no recycle:versions = Yes path = /storage/CSfiles/ABL writeable = yes recycle:keeptree = Yes [automation] path = /storage/CSfiles/automation writeable = yes recycle:keeptree = Yes comment = Automation - PLC vfs objects = recycle recycle:versions = Yes browseable = no recycle:touch = Yes recycle:repository = /storage/CSfiles/automation/.recycle/%U valid users = pranavjairam,amir,electrical,anilm,yogeshkumar write list = pranavjairam,amir,anilm,yogeshkumar veto files = /*.mp3/*.avi/*.mov/" public = yes recycle:maxsixe = 0 read list = pranavjairam,amir,electrical,anilm,yogeshkumar inherit acls = Yes inherit permissions = Yes recycle:exclude = *.tmp [inventory] path = /storage/CSfiles/Inventory writeable = yes recycle:keeptree = Yes comment = Automation - PLC vfs objects = recycle recycle:versions = Yes browseable = no recycle:touch = Yes recycle:repository = /storage/CSfiles/Inventory/.recycle/%U valid users = pranavjairam,suresh,harikumar write list = pranavjairam,suresh,harikumar veto files = /*.mp3/*.avi/*.mov/" public = yes recycle:maxsixe = 0 read list = suresh,pranavjairam,harikumar inherit acls = Yes inherit permissions = Yes recycle:exclude = *.tmp [rackoven] veto files = /*.mp3/*.avi/*.mov/" public = yes recycle:repository = /storage/CSfiles/Design/.recycle/%U valid users = roopesh write list = maheshbabu,prabath inherit acls = Yes inherit permissions = Yes recycle:exclude = *.tmp recycle:maxsixe = 0 read list = roopesh recycle:keeptree = Yes writeable = yes path = /storage/CSfiles/Design/Rackovens-oct2010 recycle:versions = Yes recycle:touch = Yes comment = Rack Ovens vfs objects = recycle [rack1] recycle:maxsixe = 0 read list = rajeshbabu,arjunsagar,prabhu,vijayasullad,vinodkolar,basavaraj inherit acls = Yes recycle:exclude = *.tmp inherit permissions = Yes valid users = roopesh,rajeshbabu,arjunsagar,prabhu,vijayasullad,vinodkolar,basavaraj recycle:repository = /storage/CSfiles/Design/.recycle/%U write list = arjunsagar,prabhu,vijayasullad,vinodkolar,basavaraj veto files = /*.mp3/*.avi/*.mov/" public = yes comment = Rack Ovens( New on created by Mr.Mukund) vfs objects = recycle recycle:versions = Yes recycle:touch = Yes path = /storage/CSfiles/Design/RACK writeable = yes recycle:keeptree = Yes [edshare] write list = pranavjairam,suresh,manjunathsingh,prabhu,arjunsagar,kishor,basavaraj,vinodkolar,vijayakumar recycle:repository = /storage/CSfiles/Design/.recycle/%U valid users = manjunathsingh,pranavjairam,suresh,prabhu,arjunsagar,kishor,basavaraj,vinodkolar,vijayakumar public = yes read list = manjunathsingh,pranavjairam,suresh,prabhu,arjunsagar,kishor,basavaraj,vinodkolar,vijayakumar recycle:maxsixe = 0 inherit permissions = Yes recycle:exclude = *.txt inherit acls = Yes path = /storage/CSfiles/Design/EDShare writeable = yes recycle:keeptree = Yes vfs objects = recycle comment = Engineering Drwaing for Sharing Design Department recycle:touch = Yes recycle:versions = Yes [B1900] write list = senthil recycle:repository = /storage/CSfiles/Design/.recycle/%U valid users = senthil public = yes veto files = /*.mp3/*.avi/*.mov/" read list = senthil recycle:maxsixe = 0 inherit permissions = Yes recycle:exclude = *.tmp inherit acls = Yes path = /storage/CSfiles/Design/EDShare/Rack_ovens/India_231211(14.02.2012)/B-1900(New14.02.2012) recycle:keeptree = Yes writeable = yes vfs objects = recycle comment = Engineering Drwaing for B1900 recycle:touch = Yes recycle:versions = Yes [egostol] comment = Gostol Documents ; read list = administrator inherit acls = Yes inherit permissions = Yes valid users = administrator write list = administrator path = /storage/Design/Gostol Documents ; veto files = /*.mp3/*.avi/*.mov/" ; public = yes writeable = yes # only user = No [gostol] recycle:versions = Yes recycle:touch = Yes comment = Gostol Gopan vfs objects = recycle writeable = yes recycle:keeptree = Yes path = /storage/CSfiles/Gostol inherit acls = Yes inherit permissions = Yes recycle:exclude = *.tmp recycle:maxsixe = 0 read list = hrjairam veto files = /*.mp3/*.avi/*.mov/" public = yes recycle:repository = /storage/CSfiles/Gostol/.recycle/%U valid users = hrjairam write list = hrjairam [financial] recycle:versions = Yes recycle:touch = Yes comment = Financial Statements vfs objects = recycle writeable = yes recycle:keeptree = Yes path = /storage/CSfiles/Financial inherit acls = Yes recycle:exclude = *.tmp inherit permissions = Yes recycle:maxsixe = 0 veto files = /*.mp3/*.avi/*.mov/" public = yes valid users = vijaya,hrjairam recycle:repository = /storage/CSfiles/Financial/.recycle/%U write list = vijaya,hrjairam [csinfo] recycle:maxsixe = 0 inherit permissions = Yes recycle:exclude = *.tmp inherit acls = Yes write list = pranavjairam,hrjairam,vijaya recycle:repository = /storage/CSfiles/CSAPLInfo/.recycle/%U valid users = pranavjairam,hrjairam,vijaya public = yes veto files = /*.mp3/*.avi/*.mov/" vfs objects = recycle comment = CS Aerotherm Pvt. Ltd. Information recycle:touch = Yes recycle:versions = Yes path = /storage/CSfiles/CSAPLInfo recycle:keeptree = Yes writeable = yes [service] comment = Service Office Files (K.R.Road -- Through VPN) vfs objects = recycle recycle:versions = Yes recycle:touch = Yes path = /storage/CSfiles/Service recycle:keeptree = Yes writeable = yes recycle:maxsixe = 0 read list = suresh,nirmala,balaji,archana,manjunathmk,devaraju,padminisharma inherit acls = Yes recycle:exclude = *.tmp inherit permissions = Yes valid users = suresh,nirmala,balaji,archana,manjunathmk,devaraju,padminisharma recycle:repository = /storage/CSfiles/Service/.recycle/%U write list = suresh,nirmala,balaji,archana,manjunath,devaraju,padminisharma veto files = /*.mp3/*.avi/*.mov/" public = yes [goinfo] recycle:keeptree = Yes writeable = yes path = /opt/sqlanywhere12/gosoft recycle:touch = Yes recycle:versions = Yes vfs objects = recycle comment = Gosoft public = yes veto files = /*.mp3/*.avi/*.mov/" write list = pranavjairam,manjunath recycle:repository = /opt/sqlanywhere12/gosoft/.recycle/%U valid users = pranavjairam,manjunath inherit permissions = Yes recycle:exclude = *.tmp inherit acls = Yes read list = pranavjairam,manjunath recycle:maxsixe = 0 [ISO] read list = administrator,senthil,suresh,nirmala,manjunathsingh,rajeshbabu,lokesh.vijaya,pranavjairam,harsha,prakash,kokila,roopesh recycle:maxsixe = 0 inherit permissions = Yes recycle:exclude = *.tmp inherit acls = Yes write list = administrator,senthil,suresh,nirmala,manjunathsingh,rajeshbabu,lokesh.vijaya,pranavjairam,harsha,prakash,kokila,roopesh recycle:repository = /storage/CSfiles/iso_2015/.recycle/%U valid users = administrator,senthil,suresh,nirmala,manjunathsingh,rajeshbabu,lokesh.vijaya,pranavjairam,harsha,prakash,kokila,roopesh public = yes veto files = /*.mp3/*.avi/*.mov/" vfs objects = recycle comment = ISO Files browseable = no recycle:touch = Yes recycle:versions = Yes path = /storage/CSfiles/ISO_2015/ writeable = yes recycle:keeptree = Yes
Andrew Bartlett
2018-Jun-30 10:10 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
On Sat, 2018-06-30 at 14:51 +0530, Anantha Raghava via samba wrote:> Hi, > > We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04 LTS) > for quite sometime now. We recently installed Samba-AD (Samba AD Version > 4.7.6) and made the file server a member of the Domain. Everything was > fine till around 11:15 am yesterday. We just added one more share folder > and gave access to three users and restarted Samba File Server services > - smbd, nmbd and winbindd - services and we lost the file server. None > of the domain user is able to login to file server and access their > shares. If we access the shares from a non-domain member PC, shares are > accessible. > > File server when accessed asks for user name & password. Once the user > feeds his credentials, the login fails and again the file server will > ask for user credentials. This is really surprising. > > We enabled log level 3 on both samba servers (File & AD Server) and we > see nothing with respect to this error.Given the serious nature of things, I would just keep turning up the logs until something becomes clear. Is winbindd still talking to the domain, eg 'wbinfo -P'? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Anantha Raghava
2018-Jun-30 10:47 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
Hello Andrew, Thanks for quick response. It looks like winbindd is not connecting to domain. wbinfo -P results in a failure. The actual result is: checking the NETLOGON for domain[WORKGROUP] dc connection to "" failed failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND -- Thanks & Regards, Anantha Raghava Do not print this e-mail unless required. Save Paper & trees. On 30/06/18 3:40 PM, Andrew Bartlett wrote:> On Sat, 2018-06-30 at 14:51 +0530, Anantha Raghava via samba wrote: >> Hi, >> >> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04 LTS) >> for quite sometime now. We recently installed Samba-AD (Samba AD Version >> 4.7.6) and made the file server a member of the Domain. Everything was >> fine till around 11:15 am yesterday. We just added one more share folder >> and gave access to three users and restarted Samba File Server services >> - smbd, nmbd and winbindd - services and we lost the file server. None >> of the domain user is able to login to file server and access their >> shares. If we access the shares from a non-domain member PC, shares are >> accessible. >> >> File server when accessed asks for user name & password. Once the user >> feeds his credentials, the login fails and again the file server will >> ask for user credentials. This is really surprising. >> >> We enabled log level 3 on both samba servers (File & AD Server) and we >> see nothing with respect to this error. > Given the serious nature of things, I would just keep turning up the > logs until something becomes clear. > > Is winbindd still talking to the domain, eg 'wbinfo -P'? > > Thanks, > > Andrew Bartlett >
Rowland Penny
2018-Jun-30 11:43 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
On Sat, 30 Jun 2018 14:51:48 +0530 Anantha Raghava via samba <samba at lists.samba.org> wrote:> Hi, > > We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04 > LTS) for quite sometime now. We recently installed Samba-AD (Samba AD > Version 4.7.6) and made the file server a member of the Domain. > Everything was fine till around 11:15 am yesterday. We just added one > more share folder and gave access to three users and restarted Samba > File Server services > - smbd, nmbd and winbindd - services and we lost the file server. > None of the domain user is able to login to file server and access > their shares. If we access the shares from a non-domain member PC, > shares are accessible. > > File server when accessed asks for user name & password. Once the > user feeds his credentials, the login fails and again the file server > will ask for user credentials. This is really surprising. > > We enabled log level 3 on both samba servers (File & AD Server) and > we see nothing with respect to this error. > > Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are > attached. > > I am aware that Samba file server is very old and it's time to > upgrade. However, getting it back live is now critical for us. > > Look forward for any guidance. > > > Thanks & Regards, > > > Anantha Raghava > > > Do not print this e-mail unless required. Save Paper & trees. >There doesn't seen to be anything really wrong with the Unix domain member smb.conf, apart from it having a netlogon share (this in my opinion should only be on a PDC or DC). I would leave the domain, remove the netlogon share, remove all Samba .ldb and .tdb files (usually in /var/lib/samba), then rejoin the domain and restart the samba deamons (nmbd, smbd and winbindd), this will recreate all the Samba databases. If this doesn't work, add 'log level = 10' to smb.conf on the Unix domain member and see if anything pops out. I have however noticed this: DC smb.conf: realm = XXXX.COM workgroup = XXXX [netlogon] path = /usr/local/samba/var/locks/sysvol/exza.com/scripts Unix domain member smb.conf: workgroup = CSAEROTHERM realm = CSAEROTHERM.COM On the DC, the realm appears to actually be 'exza.com' but on the Unix domain member it is set to 'CSAEROTHERM.COM', these must match, yours don't. Rowland
Anantha Raghava
2018-Jun-30 15:39 UTC
[Samba] Developed an issue with Samba File Server integrated with Samba-AD
Hello Rowland,> On Sat, 30 Jun 2018 14:51:48 +0530 > Anantha Raghava via samba <samba at lists.samba.org> wrote: > >> Hi, >> >> We have been using Samba File Server (Version 4.3.11 Ubuntu 14.04 >> LTS) for quite sometime now. We recently installed Samba-AD (Samba AD >> Version 4.7.6) and made the file server a member of the Domain. >> Everything was fine till around 11:15 am yesterday. We just added one >> more share folder and gave access to three users and restarted Samba >> File Server services >> - smbd, nmbd and winbindd - services and we lost the file server. >> None of the domain user is able to login to file server and access >> their shares. If we access the shares from a non-domain member PC, >> shares are accessible. >> >> File server when accessed asks for user name & password. Once the >> user feeds his credentials, the login fails and again the file server >> will ask for user credentials. This is really surprising. >> >> We enabled log level 3 on both samba servers (File & AD Server) and >> we see nothing with respect to this error. >> >> Our smb.conf (samba file server) and Samba-AD (AD-smb.conf) are >> attached. >> >> I am aware that Samba file server is very old and it's time to >> upgrade. However, getting it back live is now critical for us. >> >> Look forward for any guidance. >> >> >> Thanks & Regards, >> >> >> Anantha Raghava >> >> >> Do not print this e-mail unless required. Save Paper & trees. >> > There doesn't seen to be anything really wrong with the Unix domain > member smb.conf, apart from it having a netlogon share (this in my > opinion should only be on a PDC or DC). I would leave the domain, > remove the netlogon share, remove all Samba .ldb and .tdb files > (usually in /var/lib/samba), then rejoin the domain and restart the > samba deamons (nmbd, smbd and winbindd), this will recreate all the > Samba databases. > > If this doesn't work, add 'log level = 10' to smb.conf on the Unix > domain member and see if anything pops out. > > I have however noticed this: > > DC smb.conf: > > realm = XXXX.COM > workgroup = XXXX > > [netlogon] > path = /usr/local/samba/var/locks/sysvol/exza.com/scripts > > Unix domain member smb.conf: > > workgroup = CSAEROTHERM > realm = CSAEROTHERM.COM > > On the DC, the realm appears to actually be 'exza.com' but on the Unix > domain member it is set to 'CSAEROTHERM.COM', these must match, yours > don't.This is matching. I was just comparing the smb.conf of AD DC on exza.com server with that of CSAEROTHERM.COM. Since it was same, I just copied smb.conf from exza.com server and attached to the mail. I tried the your suggestion. I attempted to leave domain. it resulted in: root at samba-64:/var/lib/samba# net ads leave -U administrator No realm set, are we joined ? & If I try to join the domain, it results in : root at samba-64:/var/lib/samba# net ads join -U administrator Host is not configured as a member server. Invalid configuration. Exiting.... Failed to join domain: This operation is only allowed for the PDC of the domain.> > Rowland >Regards, Anantha Raghava
Reasonably Related Threads
- Developed an issue with Samba File Server integrated with Samba-AD
- Developed an issue with Samba File Server integrated with Samba-AD
- Developed an issue with Samba File Server integrated with Samba-AD
- Developed an issue with Samba File Server integrated with Samba-AD
- Upgrading BIND DNS Backend