On Tue, 2021-11-02 at 12:57 -0400, Jason Keltz via samba
wrote:> On 11/2/2021 10:54 AM, Rowland Penny via samba wrote:
>
> > On Tue, 2021-11-02 at 15:31 +0100, L.P.H. van Belle via samba
> > wrote:
> > > Keep in mind, if you use SSSD with my packages, you MUST
> > > recompile
> > > SSSD
> > >
> > The OP never mentioned sssd.
> > I have just started a Unix domain member that hadn't run since
> > January
> > and it worked for myself.
> > This could be just misconfiguration, so it might help if the OP
> > posted
> > a smb.conf from one of the machines that isn't working.
> >
> > Rowland
> >
> Hi Rowland,
>
> Thanks for clarifying - you are correct that I am not using SSSD at
> all.
>
> I'm more than happy to share my smb.conf with you. I removed
> comments
> to make it smaller. The same file is used by every single Linux
> machine
> in the domain - working and not working, and only the ones that have
> been off for awhile have the problem...
>
> [global]
> workgroup = MYCOMPANY
> security = ADS
> realm = AD.MY.COMPANY.COM
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> idmap config * : backend = tdb
> idmap config * : range = 1000000-1999999
> idmap config MYCOMPANY : backend = ad
> idmap config MYCOMPANY: schema_mode = rfc2307
> idmap config MYCOMPANY: range = 1000-999999
> idmap config MYCOMPANY: unix_primary_group = yes
> idmap config MYWORKGROUP: unix_nss_info = yes
I do hope that 'MYWORKGROUP' is a typo.
> winbind refresh tickets = yes
> winbind offline logon = yes
> winbind nss info = rfc2307
> winbind use default domain = yes
> winbind enum users = no
> winbind enum groups = no
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> template shell = /bin/bash
> template homedir = /eecs/home/%U
> debug timestamp = yes
> debug uid = yes
> debug pid = yes
> debug level = 1
> max log size = 0
>
> ----
>
> Any thoughts on commands I might try to see my domain join status?
That's easy, run 'net ads testjoin' , it should return 'Join is
OK'
> As I
> mentioned, wbinfo -u and wbinfo -g are working
They go direct to AD
> , but getent passwd is
> failing...
They go via linux
>
> (same kerberos config, same /etc/nsswitch.conf, etc. on every host).
This is weird, as I said, I started up a VM that was last started in
January and it worked, the only real difference was that used 'rid' and
you use 'ad'. Could it be that winbind isn't starting early enough,
or
not starting at all ?
Rowland