Neil Price
2019-Apr-25 13:39 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
On 2019/04/25 14:44, Rowland Penny via samba wrote:
> OK, post your smb.conf

Thanks for help.... remember this has been working up to now and only a few users have the password prompt.. (btw "gibb.local" is a trusted samba3 domain used for migration, connecting as a gibb.local user does work)

getent passwd returns expected results, as does wbinfo -u

# Global parameters
[global]
	netbios name = PTA-CLUSTER
	realm = AD.GIBB.CO.ZA
	server string = Pretoria Cluster
	workgroup = GIBB
	ldap connection timeout = 20
	ldap timeout = 60
	log file = /var/log/samba/log.%m
	max log size = 1000
	syslog = 0
	panic action = /usr/share/samba/panic-action %d
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	passwd program = /usr/bin/passwd %u
	security = ADS
	server role = member server
	unix password sync = Yes
	username map = /etc/samba/user.map
	template homedir = /home/gibb/%U
	winbind enum groups = Yes
	winbind enum users = Yes
	winbind refresh tickets = Yes
	winbind request timeout = 120
	dns proxy = No
	wins server = 192.168.112.94 192.168.104.2
	idmap config gibb.local : range = 1600000-1999999
	idmap config gibb.local : backend = rid
	idmap config gibb : range = 1000000-1599999
	idmap config gibb : backend = rid
	idmap config * : range = 3000-7999
	idmap config * : backend = tdb

[homes]
	comment = Home Directories
	path = /home/gibb/%U
	browseable = No
	root preexec = /usr/local/sbin/mkhomedir.sh %U
	create mask = 0750
	directory mask = 0750
	read only = No
	valid users = %S GIBB.LOCAL\%S GIBB\%S

[projects]
	comment = Pretoria projects
	path = /home/shares/projects
	inherit permissions = Yes
	read only = No
	valid users = @domusers "@GIBB.LOCAL\Domain Users" "@GIBB\Domain Users"

user.map:
	!root = GIBB\Administrator
Rowland Penny
2019-Apr-25 14:24 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
On Thu, 25 Apr 2019 15:39:21 +0200
Neil Price via samba <samba at lists.samba.org> wrote:

> On 2019/04/25 14:44, Rowland Penny via samba wrote:
> > OK, post your smb.conf
>
> Thanks for help.... remember this has been working up to now and only
> a few users have the password prompt.. (btw "gibb.local" is a
> trusted samba3 domain used for migration, connecting as a gibb.local
> user does work)
>
> getent passwd returns expected results, as does wbinfo -u
>
> # Global parameters
> [global]
> 	netbios name = PTA-CLUSTER
> 	realm = AD.GIBB.CO.ZA
> 	server string = Pretoria Cluster
> 	workgroup = GIBB
> 	ldap connection timeout = 20

You should remove the above, you do not use ldap with an AD Unix domain member

> 	ldap timeout = 60

as above

> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	syslog = 0
> 	panic action = /usr/share/samba/panic-action %d
> 	map to guest = Bad User
> 	obey pam restrictions = Yes
> 	pam password change = Yes
> 	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> 	passwd program = /usr/bin/passwd %u
> 	security = ADS
> 	server role = member server
> 	unix password sync = Yes

You shouldn't have any Unix users that are in AD in /etc/passwd, so you do not need the above line.

> 	username map = /etc/samba/user.map
> 	template homedir = /home/gibb/%U
> 	winbind enum groups = Yes
> 	winbind enum users = Yes
> 	winbind refresh tickets = Yes
> 	winbind request timeout = 120
> 	dns proxy = No
> 	wins server = 192.168.112.94 192.168.104.2

You do not use 'wins' with AD

> 	idmap config gibb.local : range = 1600000-1999999
> 	idmap config gibb.local : backend = rid

You said above that 'gibb.local' is a trusted domain that was used for migration. Two questions about this: is 'gibb.local' the workgroup name, and if so, why does it have a dot in it? Secondly, you mentioned 'migrate'; do you mean you migrated 'gibb.local' (a PDC domain) to the 'GIBB' AD domain? If so, you should immediately turn off 'gibb.local', it will have the same SID as 'GIBB'.
If this isn't the case, can you explain further what you mean by 'migrate'?

> 	idmap config gibb : range = 1000000-1599999
> 	idmap config gibb : backend = rid
> 	idmap config * : range = 3000-7999
> 	idmap config * : backend = tdb

Rowland
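The checks Rowland runs through by eye above (parameters that do not belong in an AD member's [global] section, and idmap ranges that must stay disjoint) can be mechanised. The script below is an added example written for this page; it is not Samba project code and not something either poster ran. It embeds a constructed copy of the smb.conf from the thread, a corrected copy with the flagged lines removed, and a small parser. The "dot in the idmap domain name" check is this script's own heuristic, prompted by Rowland's question about 'gibb.local'.

```python
"""Lint an smb.conf for an AD domain member (added example, not Samba code)."""
import re

# Parameters Rowland says to drop from an AD member's [global] section,
# with the reason given in the thread.
UNNEEDED_FOR_AD_MEMBER = {
    "ldap connection timeout": "ldap parameters are not used by an AD domain member",
    "ldap timeout": "ldap parameters are not used by an AD domain member",
    "unix password sync": "AD users should not be in /etc/passwd, so there is nothing to sync",
    "wins server": "WINS is not used with AD",
}

# Constructed, trimmed copy of the smb.conf posted in the thread.
POSTED_SMB_CONF = """\
[global]
    netbios name = PTA-CLUSTER
    realm = AD.GIBB.CO.ZA
    workgroup = GIBB
    ldap connection timeout = 20
    ldap timeout = 60
    security = ADS
    server role = member server
    unix password sync = Yes
    wins server = 192.168.112.94 192.168.104.2
    idmap config gibb.local : range = 1600000-1999999
    idmap config gibb.local : backend = rid
    idmap config gibb : range = 1000000-1599999
    idmap config gibb : backend = rid
    idmap config * : range = 3000-7999
    idmap config * : backend = tdb
"""

# The same config with the four flagged parameters removed (constructed).
CORRECTED_SMB_CONF = "\n".join(
    line for line in POSTED_SMB_CONF.splitlines()
    if not any(line.strip().startswith(p) for p in UNNEEDED_FOR_AD_MEMBER)
)

IDMAP_RANGE_RE = re.compile(r"^idmap config (.+?) : range$")


def parse_smb_conf(text):
    """Return {section: {param: value}}, params lowercased with whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def idmap_ranges(global_section):
    """Map each idmap domain (including '*') to its (low, high) UID/GID range."""
    ranges = {}
    for key, value in global_section.items():
        m = IDMAP_RANGE_RE.match(key)
        if m:
            low, high = (int(x) for x in value.split("-", 1))
            if low > high:
                raise ValueError(f"inverted idmap range for {m.group(1)!r}: {value}")
            ranges[m.group(1)] = (low, high)
    return ranges


def overlapping_ranges(ranges):
    """Return (domain, domain) pairs whose ranges overlap; winbind needs them disjoint."""
    problems, max_dom, max_hi = [], None, -1
    for dom, (lo, hi) in sorted(ranges.items(), key=lambda kv: kv[1]):
        if lo <= max_hi:                         # starts inside an earlier range
            problems.append((max_dom, dom))
        if hi > max_hi:
            max_dom, max_hi = dom, hi
    return problems


def lint(text):
    """Return human-readable findings for an smb.conf with security = ADS."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if g.get("security", "").lower() == "ads":
        for param, why in UNNEEDED_FOR_AD_MEMBER.items():
            if param in g:
                findings.append(f"drop '{param} = {g[param]}': {why}")
    ranges = idmap_ranges(g)
    for d1, d2 in overlapping_ranges(ranges):
        findings.append(f"idmap ranges for '{d1}' and '{d2}' overlap")
    # Heuristic (this script's assumption): 'idmap config' expects the short
    # workgroup name, so a '.' suggests a DNS name was used instead.
    for dom in ranges:
        if dom != "*" and "." in dom:
            findings.append(f"idmap domain '{dom}' contains a '.': is that the workgroup name?")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_SMB_CONF), ("corrected", CORRECTED_SMB_CONF)):
        print(f"== {label} ==")
        for f in lint(conf) or ["no findings"]:
            print(" -", f)
```

Feed it the real file, or the normalised output of `testparm -s`, rather than the constructed samples; the overlap check is the one worth keeping around, since a range collision between a trusted domain and the `*` default produces exactly the kind of intermittent, per-user breakage described in the thread without any error in the logs.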
Neil Price
2019-Apr-26 07:59 UTC
[Samba] AD member server, some users suddenly can only connect to shares via ip address
On 2019/04/25 16:24, Rowland Penny via samba wrote:
(.. lots of helpful stuff)

Thanks for advice on smb.conf.. Today people who could not access it yesterday can, and some people who could access it can't and even one who cannot access it via the ip address, so you know what I'll be doing this weekend.

> You said above that 'gibb.local' is a trusted domain that was used for
> migration. Two questions about this, is 'gibb.local' the workgroup
> name, if so, why does it have a dot in it ? Secondly, you mentioned
> 'migrate', do you mean you migrated 'gibb.local' (a PDC domain) to the
> 'GIBB' AD domain ? if so, you should immediately turn off 'gibb.local',
> it will have the same SID as 'GIBB'
> If this isn't the case, can you explain further what you mean by
> 'migrate' ?

I did not use the samba migration tools so the SIDs are different. I used the trust because we could migrate people and machines at leisure and without downtime. It has not caused problems (but will be removed shortly). We did try the migration tools but it puked on our ldap.