Rowland,

These are all VMs I am working on. I have tried it on several different "test" VMs. Blew away VMs and created new ones, still does not work.

It takes me a little time to type the info from the directories because I cannot copy/paste due to network separation.

Contents below:

/etc/hostname
    testadmin

/etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    :1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    IPADDR testadmin.mydomain.com testadmin
    IPADDR DC1.mydomain.com DC1

/etc/resolv.conf
    search mydomain.com
    nameserver "ipaddress for DC1"
    nameserver "ipaddress for DC2"

/etc/krb5.conf
    includedir /var/lib/sss/pubconf/krb5.include.d/
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE: /var/log/kadmind.log

    [libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24hr
    renew_lifetime = 7d
    forwardable = true
    rdsn = false
    # default_realm = EXAMPLE.COM
    default_ccache_name = KEYRING:persistent:%{uid}

    default_realm = MYDOMAIN.COM
    [realms]
    #EXAMPLE.COM = {
    # kdc = kerberos.example.com
    # admin_server = kerberos.example.com
    #}

    MYDOMAIN.COM = {
    kdc = dc1.MYDOMAIN.COM
    }

    MYDOMAIN.COM
    kdc = dc1.MYDOMAIN.COM
    }

    [domain_realm]
    #.example.com = EXAMPLE.COM
    #example.com = EXAMPLE.COM
    mydomain.com = MYDOMAIN.COM
    .mydomain.com = MYDOMAIN.COM

/etc/samba/smb.conf
    workgroup = mydomain
    realm = mydomain.com
    security = ads
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-19999
    allow trusted domain = no
    template shell = /bin/bash
    winbind refresh tickets = yes
    restrict anonymous = 2

/etc/nsswitch.conf
    passwd: files winbind
    shadow: files
    group: files winbind
    #initgroups : files

    hosts: files dns myhostname

    bootparams: nisplus [NOTFOUND=return] files

    ethers: files
    netmasks: files
    networks: files
    protocols: files
    rpc: files
    services: files

    netgroup: files
    publickey: nisplus

    automount: files
    aliases: files nisplus

On Thu, Mar 14, 2019 at 5:20 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Thu, 14 Mar 2019 14:07:33 -0400
> Tyrus Shivers <tyrus.shivers at bestgateeng.com> wrote:
>
> > Yes global is there.
> >
> > testparm output shows everything is ok, no error. ROLE_DOMAIN_Member
> >
> > Then I can press enter and see a dump.
> >
> > yes, wbinfo produces output of mydomain\user
> >
> > I left the domain, rejoined, and still no such user. wbinfo outputs
> > users and groups on command.
>
> OK, I remembered that I had a Centos 7 VM, so I started it and checked
> if 'id user' worked and it did. Samba was 4.7.x at this point. Ran 'yum
> update' and Samba was updated to 4.8.3, tested 'id user' again and it
> still worked. Rebooted and tried again, it still worked.
>
> So, it looks like it is possibly a problem on your Computer.
>
> Can you post the following files (you may have already posted some of
> them already, but please post them again, so they are all in one place):
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
> /etc/samba/smb.conf
> /etc/nsswitch.conf
>
> Rowland

--
V/R
Tyrus Shivers
Bestgate Engineering LLC
On Fri, 15 Mar 2019 09:17:34 -0400
Tyrus Shivers <tyrus.shivers at bestgateeng.com> wrote:

> Rowland,
>
> These are all VMs I am working on. I have tried it on several
> different "test" VMs. Blew away VMs and created new ones, still does
> not work.

This is very, very, strange.
You are joining the domain with:

    net ads join -U Administrator

Once joined, what does this produce:

    net ads testjoin

> It takes me a little time to type the info from the directories
> because I cannot copy/paste due to network separation.

Can you explain 'network separation'?

> Contents below:
>
> /etc/hostname
> testadmin

Nothing wrong there.

> /etc/hosts
> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
> :1 localhost localhost.localdomain localhost6 localhost6.localdomain6
> IPADDR testadmin.mydomain.com testadmin
> IPADDR DC1.mydomain.com DC1

Again, nothing really wrong, but you don't (or is that shouldn't) need the DC info.

> /etc/resolv.conf
> search mydomain.com
> nameserver "ipaddress for DC1"
> nameserver "ipaddress for DC2"

Nothing wrong there.

> /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE: /var/log/kadmind.log
>
> [libdefaults]
> dns_lookup_realm = false
> ticket_lifetime = 24hr
> renew_lifetime = 7d
> forwardable = true
> rdsn = false
> # default_realm = EXAMPLE.COM
> default_ccache_name = KEYRING:persistent:%{uid}
>
> default_realm = MYDOMAIN.COM
> [realms]
> #EXAMPLE.COM = {
> # kdc = kerberos.example.com
> # admin_server = kerberos.example.com
> #}
>
> MYDOMAIN.COM = {
> kdc = dc1.MYDOMAIN.COM
> }
>
> MYDOMAIN.COM
> kdc = dc1.MYDOMAIN.COM
> }
>
> [domain_realm]
> #.example.com = EXAMPLE.COM
> #example.com = EXAMPLE.COM
> mydomain.com = MYDOMAIN.COM
> .mydomain.com = MYDOMAIN.COM

Mine is:

    [libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

But yours should work.

> /etc/samba/smb.conf
> workgroup = mydomain
> realm = mydomain.com
> security = ads
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config MYDOMAIN : backend = rid
> idmap config MYDOMAIN : range = 10000-19999
> allow trusted domain = no
> template shell = /bin/bash
> winbind refresh tickets = yes
> restrict anonymous = 2

About the only real difference between yours and mine is this line in mine:

    winbind use default domain = yes

and that only turns off the domain name in user & group searches, i.e. 'DOMAIN\username' just becomes 'username'.

> /etc/nsswitch.conf
> passwd: files winbind
> shadow: files
> group: files winbind
> #initgroups : files
>
> hosts: files dns myhostname
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
>
> netgroup: files
> publickey: nisplus
>
> automount: files
> aliases: files nisplus

Again nothing wrong.

But I get:

    [root@cen7member ~]# getent passwd rowland
    rowland:*:11107:10513::/home/rowland:/bin/bash
    [root@cen7member ~]# id rowland
    uid=11107(rowland) gid=10513(domain users) .............

I wonder if this is a 'time' problem, is the time the same on the DC and this Unix domain member?

Rowland
Yes for joining the domain. Running testjoin I get:

    Join is OK.

The network is separated and does not access the open internet, so I have to come on another network to email you all :)

getent passwd returns nothing for me. id returns no such user.

Question: The original smb.conf that was on the system when I inherited it, running 7.3 and Samba 4.4, did not have mydomain lines and just had the * and the backend was rid. It worked. You said that was an incorrect setup.

    workgroup = mydomain
    password server = hostname.mydomain.com
    realm = mydomain.com
    security = ads
    idmap config * : range = 10000-19999
    idmap config * : backend = rid

Why on 4.4 does the above work and not on 4.8? Since changing to the tdb backend it shows no such user. If I remove those lines and go back to the original it will not start. If I add my domain and keep the * lines it gives me a user, but the wrong UIDs. The ranges do overlap in that case though, which I know is not correct.

Is there something specific that I need to set up with a tdb backend? Other configurations that I am missing?

On Fri, Mar 15, 2019 at 9:59 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 15 Mar 2019 09:17:34 -0400
> Tyrus Shivers <tyrus.shivers at bestgateeng.com> wrote:
>
> > Rowland,
> >
> > These are all VMs I am working on. I have tried it on several
> > different "test" VMs. Blew away VMs and created new ones, still does
> > not work.
>
> This is very, very, strange.
> You are joining the domain with:
>
> net ads join -U Administrator
>
> Once joined, what does this produce:
>
> net ads testjoin
>
> > It takes me a little time to type the info from the directories
> > because I cannot copy/paste due to network separation.
>
> Can you explain 'network separation'?
>
> > Contents below:
> >
> > /etc/hostname
> > testadmin
>
> Nothing wrong there.
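An added check, not code from the thread or from Samba itself: it parses the `idmap config` lines the two posters compare above, flags a per-domain backend on the '*' default domain and overlapping ranges (the "wrong UIDs" case Tyrus describes), and applies the rid backend's arithmetic that accounts for Rowland's uid 11107 / gid 10513 output with a 10000-19999 range. The smb.conf fragments are constructed for the example, and the set of backends accepted for '*' is an assumption, not Samba's own validation.

```python
import re

# Constructed smb.conf fragments modelled on the thread (not copied from any host):
# the current config, and the "wrong UIDs" case where '*' and the domain share a range.
SMB_CONF_NEW = """
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-19999
"""
SMB_CONF_OVERLAP = """
idmap config * : backend = rid
idmap config * : range = 10000-19999
idmap config MYDOMAIN : backend = rid
idmap config MYDOMAIN : range = 10000-19999
"""
IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)", re.I)
ALLOCATING = {"tdb", "autorid"}  # assumption: backends suitable for the '*' domain

def parse_idmap(conf):
    """Map each idmap domain to its backend and (low, high) range."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, key, val = m.group(1).upper(), m.group(2).lower(), m.group(3).lower()
            if key == "range":
                low, high = map(int, val.split("-"))
                domains.setdefault(dom, {})["range"] = (low, high)
            else:
                domains.setdefault(dom, {})["backend"] = val
    return domains

def check_idmap(conf):
    """Return the problems a winbind admin would want flagged, as strings."""
    domains, problems = parse_idmap(conf), []
    if "*" not in domains:
        problems.append("no 'idmap config *' default domain")
    for dom, cfg in domains.items():
        if "backend" not in cfg or "range" not in cfg:
            problems.append(f"{dom}: needs both a backend and a range")
        elif dom == "*" and cfg["backend"] not in ALLOCATING:
            problems.append(f"*: backend {cfg['backend']} is per-domain only; use tdb or autorid")
    ranged = [(d, c["range"]) for d, c in domains.items() if "range" in c]
    for i, (d1, (l1, h1)) in enumerate(ranged):
        for d2, (l2, h2) in ranged[i + 1:]:
            if l1 <= h2 and l2 <= h1:  # closed intervals intersect
                problems.append(f"ranges of {d1} and {d2} overlap")
    return problems

def rid_to_id(domains, dom, rid):
    """With the rid backend, uid/gid = range low + RID; None if outside the range."""
    low, high = domains[dom.upper()]["range"]
    xid = low + rid
    return xid if low <= xid <= high else None
```

With the thread's range, `rid_to_id(parse_idmap(SMB_CONF_NEW), "MYDOMAIN", 513)` gives 10513, the gid of Domain Users (well-known RID 513) in Rowland's `id` output.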