similar to: AD Group update lag / cache, firewall related?

August 25, 2017 3:12 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote: > On Fri, 25 Aug 2017 13:54:21 +0000 > "A. James Lewis" <james at fsck.co.uk> wrote: > >> It's not offline.... and groups do usually filter through... >> sometimes immediately, sometimes never... but usually with a >> significant delay... >>

That seems to count out the kernel ... I guess the 128 number could be a co-incidence... Actually I made a mistake below... I used "wbinfo -g user", where I should have used "wbinfo -r user"..... In fact wbinfo fails to show the group membership I expect... where I said before that it succeeded. wbinfo shows that the group exists, but not that the user is a member of

It's not offline.... and groups do usually filter through... sometimes immediately, sometimes never... but usually with a significant delay... I originally put this down to the ancient version of Samba or Winbind that was shipped with the OS, but it seems I was wrong... Winbind can see the group, and even the group membership... and the group is passed on to the OS, but not the group

# wbinfo -n working-group | awk '{print $1}' | awk -F '-' '{print $8}' 69153 # wbinfo -n problem-group | awk '{print $1}' | awk -F '-' '{print $8}' 136399 The OS can use that group:- # chgrp problem-group test.txt # ls -asl test.txt 0 -rw-r--r-- 1 root problem-group 0 Aug 25 17:55 test.txt # It's not a case that the group is unavailable...

All, I wonder if someone can give me an idea what the file "netsamlogon_cache.tdb" contains... as I have noticed that I can be added to a group, and access will not appear on the Unix side for a good deal of time... but if I stop Winbind, remove the file "netsamlogon_cache.tdb", and re-start everything, it will then work. Can anyone tell me what the purpose of this file is,

Hi, Ive been trying to work out how to get wbinfo to list members of a specific AD group, rather than list groups a specific user is in. So far I have had no luck... In fact im not sure its possible with wbinfo. Is there another tool which could do this? James -- Sent using Dekko from my Ubuntu device

Also, I see the following repeated in syslog:- ==> syslog <== Aug 21 15:25:41 hostname01 winbindd[691]: [2017/08/21 15:25:41.438959, 0] ../source3/libsmb/cliconnect.c:1895(cli_session_setup_spnego_send) Aug 21 15:25:41 hostname01 winbindd[691]: Kinit for HOSTNAME01$@DOMAIN.LOCAL to access cifs/LOCAL_AD02.domain.local at DOMAIN.LOCAL failed: Cannot contact any KDC for requested realm

Hey, I have 2 trusted domains to deal with, "DEV" and "TODEV", and I have configured smb.conf like this:- [global] workgroup = MAIN security = ADS realm = MAIN.DOMAIN.LOCAL idmap config *:backend = tdb idmap config *:range = 95000-99999 idmap config MAIN:backend = rid idmap config MAIN:range = 100000-999999 idmap config DEV:backend = rid idmap config DEV:range =

On Tue, 22 Aug 2017 12:01:20 +0000 "A. James Lewis via samba" <samba at lists.samba.org> wrote: > Indeed!... you are correct... this does appear to be the kerberos > issue uncovered by Rowlands pointing out that I should not need to be > manually defining "kdc =", in my krb5.conf.... so with that resolved, > I'm hoping we can also find the cause of my

Hi all, A slightly hypothetical one here... but after Samba (Winbind actually)... looks up the list of AD server for a doman from DNS... what method does it use to decide which is the correct (most local?) domain controller to connect to/log in to? What will it's behaviour be if it connects to one, or two which don't have connectivity. -- A. James Lewis (james at fsck.co.uk

Hi! Indeed!, this sounds like good advice... there are certainly bugs, I had to get the 7.04.5 package from "proposed" to get resolve a PAM library issue!... although I suppose that's a packaging problem. What is the best way to get an updated Samba package here, I'm trying to make this system reproduceable, I have a single script that builds the entire container, and sets up

I have krb5-config krb5-user, but not libpam-krb5... I'm slightly fuzzy about how this works, but I thought the interaction with kerberos was implemented via winbind, so I wasn't expecting this package to be installed... certainly there is no dependency that has pulled it in. James August 22, 2017 1:15 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote: >

Oh, I assumed you meant -d10, since -d0 turns off all debug output, so the output is long, but I get:- . . . GENSEC backend 'gssapi_spnego' registered GENSEC backend 'gssapi_krb5' registered GENSEC backend 'gssapi_krb5_sasl' registered GENSEC backend 'spnego' registered GENSEC backend 'schannel' registered GENSEC backend 'naclrpc_as_system'

August 21, 2017 5:34 PM, "Rowland Penny via samba" <samba at lists.samba.org> wrote: > On Mon, 21 Aug 2017 15:37:03 +0000 > "A. James Lewis" <james at fsck.co.uk> wrote: > >> OK, obviously I am slightly sanitising the output here, but I'm >> preserving the case, and just replacing local names with generic ones >> as I did for the

Hi all, I've just been following a series of guides to set up "winbind" authentication on a container build I'm working on, but I'm seeing some strange behaviour.... After the "net ads join -k", some users can log in, but others cannot (pam says their account does not exist)... although they can all authenticate with kinit! If someone has an idea why this might

Hi, I hope it's not a stupid question, but I'm mainly a Linux admin, and I'm really looking at Samba because of winbind, but there's something I don't really understand.... People keep talking about computer accounts and joining the domain, but the guide I followed required "net ads join -k", which doesn't appear to require authentication, and so cannot have

I have to confess here, that on trying again, to get the error... I restarted everything to ensure there were no errant messages, and now installing libpam-krb5 does not cause a problem... the users are assigned a kerberos ticket when logging in which is nice too... I must thank you and Rowland both, since I have learned a lot about how Kerberos works in this process, and debugged some issues

Hi, I've never been a Windows user, but I'm curious to see how the AD integration works in Linux, since it looks like we may need to have one or two Windows desktops and I don't realy want to start setting up Windows infrastructure. If I can have Samba as a domain controller that makes things a lot simpler. I have one question tho, the documentation suggests using the Microsoft

Hi all, I know this is a little off topic (although it might not be because I'm sure there's a solution involving Samba!)... but I hope one of you fine people can advise me on the best approach to achieving an integrated directory supporting Unix/Linux as a first class citizen, storing autofs maps, as well as uid, gid and home folders for each user... and how would that be managed. I see

Yes indeed.... I know a lot about the Linux side, but Windows is a bit of a mystery to me... and I have to confess to not knowing exactly how nss links various directory services into the system.... hence my comment earlier with "Password file entry" in quotes... I know it's not in the password file, and is amalgamated into the password "map", via nss, but I'm not sure