Hai,

That bond0 interface: you might want to change the interface name to bond1.
Depending on the bonding settings, you might have hit a reserved name.
I lost my docs on that, but I know I configured a bond1 because bond0 didn't work right.

And then check these.

wbinfo -pPt ( or wbinfo -p && wbinfo -P && wbinfo -t )

wbinfo --sids-to-unix-ids S-1-22-2-10513
wbinfo -D ARBEITSGRUPPE
wbinfo --all-domains

My bonding setup..

cat /etc/systemd/network/30-bond1*
# /etc/systemd/network/30-bond1-dev1.network
[Match]
MACAddress=78:2b:xx:xx:xx:xx

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1-dev2.network
[Match]
MACAddress=78:2b:xx:xx:xx:xx

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1.netdev
[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=802.3ad
MIIMonitorSec=1s
#LACPTransmitRate=fast
#UpDelaySec=2s
#DownDelaySec=8s
#TransmitHashPolicy=layer2
#TransmitHashPolicy=layer3+4

# /etc/systemd/network/30-bond1.network
[Match]
Name=bond1

[Network]
DNS=192.168.1.2
DNS=192.168.1.1
Domains=internal.domain.tld
NTP=ntp1.internal.domain.tld
NTP=ntp2.internal.domain.tld
# ntp1 and 2 are CNAMES to DC1 DC2.

[Address]
Address=192.168.1.11/24

[Route]
Destination=0.0.0.0/0
Gateway=192.168.1.252

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Friday 22 February 2019 14:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian 9.8 and vanbelle-repos
>
> On 22.02.19 at 14:51, Rowland Penny via samba wrote:
>
> > Not good, can you post the smb.conf ?
> >
> > Rowland
> >
>
> [global]
> security = ADS
> workgroup = ARBEITSGRUPPE
> realm = arbeitsgruppe.MYDOMAIN.at
> log file = /var/log/samba/%m.log
> #log level = 5
>
> log level = 5 auth:5 winbind:8
>
> idmap config * : backend = tdb
> idmap config * : range = 2000-3999
>
> idmap config ARBEITSGRUPPE:backend = ad
> idmap config ARBEITSGRUPPE:range = 10000-9999999
>
> idmap config ARBEITSGRUPPE:unix_nss_info = yes
>
> idmap config arbeitsgruppe : schema_mode = rfc2307
>
> username map = /etc/samba/user.map
>
> winbind use default domain = Yes
> winbind refresh tickets = Yes
>
> load printers = No
> printcap name = /dev/null
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
>
> interfaces = bond0
>
> #hosts allow = 10.0.0.22,10.0.0.50
>
> [Daten]
> comment = Daten
> path = /mnt/daten
> #valid users = @"ARBEITSGRUPPE\\domain users"
> #force group = users
> read only = No
> #create mask = 0660
> #directory mask = 0770
> create mask = 3660
> directory mask = 3770
>
> [Scans_Plotter]
> comment = Scans vom Plotter
> path = /mnt/daten/Allgemeines/_Scans/Plotter
> #valid users = @"ARBEITSGRUPPE\\domain users"
> read only = No
> #create mask = 0660
> #directory mask = 0770
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

I added the 2 kerberos lines and restarted winbind ... people work
there, so ...

On 22.02.19 at 15:03, L.P.H. van Belle wrote:
> Hai,
>
> That bond0 interface: you might want to change the interface name to bond1.
> Depending on the bonding settings, you might have hit a reserved name.
> I lost my docs on that, but I know I configured a bond1 because bond0 didn't work right.

aha ... hm. Worked so far without problems.

> And then check these.
>
> wbinfo -pPt ( or wbinfo -p && wbinfo -P && wbinfo -t )
>
> wbinfo --sids-to-unix-ids S-1-22-2-10513
> wbinfo -D ARBEITSGRUPPE
> wbinfo --all-domains

# wbinfo -pPt
Ping to winbindd succeeded
checking the NETLOGON for domain[ARBEITSGRUPPE] dc connection to "backup.arbeitsgruppe.MYDOM.at" succeeded
checking the trust secret for domain ARBEITSGRUPPE via RPC calls succeeded

root@main:/etc/samba# wbinfo --sids-to-unix-ids S-1-22-2-10513
S-1-22-2-10513 -> gid 10513

root@main:/etc/samba# wbinfo -D ARBEITSGRUPPE
Name : ARBEITSGRUPPE
Alt_Name : arbeitsgruppe.MYDOM.at
SID : S-1-5-21-2777655458-4002997014-749295002
Active Directory : Yes
Native : Yes
Primary : Yes

root@main:/etc/samba# wbinfo --all-domains
BUILTIN
MAIN
ARBEITSGRUPPE

That bond-issue: later ...

Observation for backups:

if docker is running on the fileserver I can't do backups via amanda,
although I run docker with "--iptables=false" and flushed the iptables.

But the chains exist:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination

Maybe (a) something hangs around still (until reboot or so) and (b) also
blocks samba-related communications

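A way to read an `iptables -L` listing like the one in the message above, as an added example that is not part of the original thread: it reports which chains can act on traffic to or from the host itself and which user-defined chains are never traversed. The function names are made up for this sketch, and the sample is rebuilt from the chain headers quoted above; `-L` without `-t` lists the filter table only, so nat, mangle and raw have to be listed separately.

```python
import re

# Constructed sample: the chain headers from the `iptables -L` listing in the
# message above. `-L` without `-t` covers the filter table only.
COLS = "target     prot opt source               destination"
LISTING = "\n".join(f"Chain {h}\n{COLS}\n" for h in (
    "INPUT (policy ACCEPT)", "FORWARD (policy DROP)", "OUTPUT (policy ACCEPT)",
    "DOCKER (0 references)", "DOCKER-ISOLATION-STAGE-1 (0 references)",
    "DOCKER-ISOLATION-STAGE-2 (0 references)", "DOCKER-USER (0 references)"))

HEADER = re.compile(r"^Chain (\S+) \((?:policy (\w+)|(\d+) references)")

def parse_listing(text):
    """Parse `iptables -L` output into {chain: {"policy", "refs", "rules"}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            name, policy, refs = m.groups()
            # Built-in chains carry a policy; user-defined chains a reference count.
            current = chains[name] = {
                "policy": policy,
                "refs": None if refs is None else int(refs),
                "rules": [],
            }
        elif current is not None and line.strip() and not line.startswith("target"):
            current["rules"].append(line.split())
    return chains

def local_traffic_findings(chains):
    """Reasons the filter table could drop traffic to or from this host itself."""
    findings = []
    for name in ("INPUT", "OUTPUT"):  # FORWARD only sees routed packets
        chain = chains.get(name, {"policy": "ACCEPT", "rules": []})
        if chain["policy"] != "ACCEPT":
            findings.append(f"{name}: policy {chain['policy']}")
        findings += [f"{name}: rule with target {r[0]}"
                     for r in chain["rules"] if r[0] != "ACCEPT"]
    return findings

def unreachable_chains(chains):
    """User-defined chains with 0 references are never traversed."""
    return sorted(n for n, c in chains.items() if c["refs"] == 0)

if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print("local findings:", local_traffic_findings(parsed))
    print("unreachable:", unreachable_chains(parsed))
    print("FORWARD policy:", parsed["FORWARD"]["policy"])
```
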
On Fri, 22 Feb 2019 15:03:37 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> That bond0 interface: you might want to change the interface
> name to bond1. Depending on the bonding settings, you might have hit a
> reserved name. I lost my docs on that, but I know I configured a bond1
> because bond0 didn't work right.
>
> And then check these.
>
> wbinfo -pPt ( or wbinfo -p && wbinfo -P && wbinfo -t )
>
> wbinfo --sids-to-unix-ids S-1-22-2-10513
> wbinfo -D ARBEITSGRUPPE
> wbinfo --all-domains
>
>

S-1-22-1 is an unmapped group, so where has the correct SID gone ?
Is 10513 the uidNumber for Domain Users ?

I suggest you check the AD database, if only to rule it out.

Try running this:

rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx' -c 'lookupnames "ARBEITSGRUPPE\Domain Users"'

Rowland

On 22.02.19 at 15:16, Rowland Penny via samba wrote:
> On Fri, 22 Feb 2019 15:03:37 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Hai,
>>
>> That bond0 interface: you might want to change the interface
>> name to bond1. Depending on the bonding settings, you might have hit a
>> reserved name. I lost my docs on that, but I know I configured a bond1
>> because bond0 didn't work right.
>>
>> And then check these.
>>
>> wbinfo -pPt ( or wbinfo -p && wbinfo -P && wbinfo -t )
>>
>> wbinfo --sids-to-unix-ids S-1-22-2-10513
>> wbinfo -D ARBEITSGRUPPE
>> wbinfo --all-domains
>>
>>
>
> S-1-22-1 is an unmapped group, so where has the correct SID gone ?
> Is 10513 the uidNumber for Domain Users ?
>
> I suggest you check the AD database, if only to rule it out.
>
> Try running this:
>
> rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx'
> -c 'lookupnames "ARBEITSGRUPPE\Domain Users"'

gives me:

ARBEITSGRUPPE\Domain Users
S-1-5-21-2777655458-4002997014-749295002-513
(Domain Group: 2)

in the meantime I reset iptables with (from ubuntu wiki ...):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

hmm

Stefan,

If everything works now, then keep it as is.
Most probably it was the firewall that caused the problem.

@Rowland, good point. I'm amazed every time with all the commands you know.. :-)

And SID: S-1-5-21domain-513 = domain users.

These are "Samba SIDs" S-1-22-[1-2]
1 users
2 groups

And that's correct with wbinfo -g 10513 shows all groups.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stefan G. Weichinger via samba
> Sent: Friday 22 February 2019 15:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debian 9.8 and vanbelle-repos
>
> On 22.02.19 at 15:16, Rowland Penny via samba wrote:
> > On Fri, 22 Feb 2019 15:03:37 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> >> Hai,
> >>
> >> That bond0 interface: you might want to change the interface
> >> name to bond1. Depending on the bonding settings, you might have hit a
> >> reserved name. I lost my docs on that, but I know I configured a bond1
> >> because bond0 didn't work right.
> >>
> >> And then check these.
> >>
> >> wbinfo -pPt ( or wbinfo -p && wbinfo -P && wbinfo -t )
> >>
> >> wbinfo --sids-to-unix-ids S-1-22-2-10513
> >> wbinfo -D ARBEITSGRUPPE
> >> wbinfo --all-domains
> >>
> >>
> >
> > S-1-22-1 is an unmapped group, so where has the correct SID gone ?
> > Is 10513 the uidNumber for Domain Users ?
> >
> > I suggest you check the AD database, if only to rule it out.
> >
> > Try running this:
> >
> > rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx'
> > -c 'lookupnames "ARBEITSGRUPPE\Domain Users"'
>
> gives me:
>
> ARBEITSGRUPPE\Domain Users
> S-1-5-21-2777655458-4002997014-749295002-513
> (Domain Group: 2)
>
> in the meantime I reset iptables with (from ubuntu wiki ...):
>
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> hmm

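The two kinds of SID discussed in this thread, as an added example that is not part of the original messages: a small classifier that separates Samba's S-1-22-1 (Unix user) and S-1-22-2 (Unix group) SIDs from domain SIDs, and checks a domain SID against the one `wbinfo -D ARBEITSGRUPPE` printed. The function names and result keys are made up for this sketch; the RID table holds the standard Windows well-known domain RIDs.

```python
import re

# Domain SID as printed by `wbinfo -D ARBEITSGRUPPE` earlier in the thread.
DOMAIN_SID = "S-1-5-21-2777655458-4002997014-749295002"

# Standard well-known RIDs inside an account domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

def parse_sid(sid):
    """Split 'S-<rev>-<authority>-<sub>...' into (rev, authority, [subs])."""
    if not re.fullmatch(r"S-\d+-\d+(?:-\d+)*", sid):
        raise ValueError(f"not a SID string: {sid!r}")
    rev, authority, *subs = (int(p) for p in sid.split("-")[1:])
    return rev, authority, subs

def classify(sid, domain_sid=DOMAIN_SID):
    """Say whether a SID is a Samba Unix mapping or an account-domain SID."""
    rev, authority, subs = parse_sid(sid)
    if rev != 1:
        raise ValueError(f"unsupported SID revision: {rev}")
    # S-1-22-1-<uid> / S-1-22-2-<gid>: Samba's SIDs for plain Unix IDs.
    if authority == 22 and len(subs) == 2 and subs[0] in (1, 2):
        kind = "user" if subs[0] == 1 else "group"
        return {"origin": "unix", "kind": kind, "unix_id": subs[1]}
    # S-1-5-21-<a>-<b>-<c>-<rid>: account in a domain or a local SAM.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        owner = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        return {"origin": "account-domain", "domain_sid": owner,
                "in_domain": owner == domain_sid, "rid": subs[4],
                "well_known": WELL_KNOWN_RIDS.get(subs[4])}
    return {"origin": "other"}

if __name__ == "__main__":
    # Both SIDs are quoted in the thread.
    for s in ("S-1-22-2-10513",
              "S-1-5-21-2777655458-4002997014-749295002-513"):
        print(s, "->", classify(s))
```
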