Discussion:
[Samba] Samba domain member and rfc2307 user IDs
Kevin Davidson
2016-07-25 15:02:46 UTC
Having problems with rfc2307 user ids. This was working briefly and now it’s not.

samba and winbind v 2.4.2.10+dfs

wbinfo -u lists all the domain users
wbinfo -g lists all the domain groups

getent group lists all the local groups and the AD domain groups that have a UNIX gid set
getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.

The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.

This is from smb.conf on the domain server:

[global]

netbios name = TERRA
workgroup = DOMAIN
security = ADS
realm = OFFICE.DOMAIN.COM
encrypt passwords = yes

idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config DOMAIN:default = yes
idmap config *:backend = tdb
idmap config *:range = 60001-9999999

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

What have I done wrong?

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US

Follow us on Twitter - twitter.com/indigospringIT <http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk <http://consultants.apple.com/uk>

http://www.indigospring.co.uk/terms-and-conditions
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Kevin Davidson
2016-07-25 18:32:07 UTC
Post by Kevin Davidson
Having problems with rfc2307 user ids. This was working briefly and now it’s not.
samba and winbind v 2.4.2.10+dfs
[…]
What have I done wrong?
You haven't done anything wrong.
The version you are using was released after the badlock patches were released, your version includes a regression patch and should really be 4.2.11. There have been a few releases since then, these include patches for regressions caused by the badlock patches, so is there any way you can upgrade Samba?
It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates. What would you consider best practice?



Kevin Davidson
2016-07-28 23:09:26 UTC
Post by Kevin Davidson
Post by Kevin Davidson
Having problems with rfc2307 user ids. This was working briefly and now it’s not.
samba and winbind v 2.4.2.10+dfs
[…]
What have I done wrong?
You haven't done anything wrong.
The version you are using was released after the badlock patches were released, your version includes a regression patch and should really be 4.2.11. There have been a few releases since then, these include patches for regressions caused by the badlock patches, so is there any way you can upgrade Samba?
It’s the version you get from the Debian 8.5 Jessie repository. Installing from source starts to get harder to maintain when you’re looking after large numbers of systems and you want to be able to apt-get upgrade to catch all the latest security updates. What would you consider best practice?
I personally think it would be best practice for Debian to release a later version that has the regression patches. As for what you do, your choices are a bit limited. You could use the free Sernet packages or, if you can afford it, the paid-for Sernet packages. You could compile Samba yourself, this way you could get the latest 4.4.x version, or you could contact Louis van Belle (he posts on here frequently), he has a way of creating Debian Samba debs using later Samba versions, or you could just wait until Debian releases a new version, hopefully this will be sooner rather than later, as the 4.2.x series will go EOL when 4.5.0 comes out in about 6 weeks.
So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies)

***@terra:~# apt-cache policy samba
samba:
Installed: 2:4.4.5+dfsg-2~bpo8+1
Candidate: 2:4.4.5+dfsg-2~bpo8+1
Version table:
*** 2:4.4.5+dfsg-2~bpo8+1 0
500 file:/var/www/html/debian/ jessie/ Packages
100 /var/lib/dpkg/status
2:4.2.10+dfsg-0+deb8u3 0
500 http://security.debian.org/ jessie/updates/main amd64 Packages
2:4.1.17+dfsg-2+deb8u2 0
500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages
***@terra:~# apt-cache policy winbind
winbind:
Installed: (none)
Candidate: 2:4.2.10+dfsg-0+deb8u3
Version table:
2:4.2.10+dfsg-0+deb8u3 0
500 http://security.debian.org/ jessie/updates/main amd64 Packages
100 /var/lib/dpkg/status
2:4.1.17+dfsg-2+deb8u2 0
500 http://ftp.uk.debian.org/debian/ jessie/main amd64 Packages

And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.

Which logs should I be looking in to see what’s going wrong?

I can see this in /var/log/samba/log.winbindd-idmap

[2016/07/28 23:48:52.614025, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.623870, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.632863, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.641460, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX
[2016/07/28 23:48:52.650196, 1] ../source3/winbindd/idmap_ad.c:523(idmap_ad_sids_to_unixids)
Could not get unix ID for SID S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-XXX

And that coincides with the attempts at getent passwd. The SIDs listed do not have any RFC2307 data (they’re the Administrator account, the Samba created dns account, Domain Users group etc).

And log.smbd has this for an attempted SMB connection

[2016/07/29 00:02:16.338378, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/29 00:02:16.338563, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/29 00:02:16.338671, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 73 (0 toread)
[2016/07/29 00:02:16.338736, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 1029) conn 0x0
[2016/07/29 00:02:16.340138, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [NT LM 0.12]
[2016/07/29 00:02:16.340202, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.002]
[2016/07/29 00:02:16.340230, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.???]
[2016/07/29 00:02:16.340435, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2016/07/29 00:02:16.432338, 3] ../source3/smbd/negprot.c:711(reply_negprot)
Selected protocol SMB 2.???
[2016/07/29 00:02:16.471838, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2016/07/29 00:02:16.624918, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.711303, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.711450, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.711567, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/29 00:02:16.711741, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/29 00:02:16.712184, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/29 00:02:16.712273, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/29 00:02:16.712409, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/29 00:02:16.713201, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.713251, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.725937, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.726003, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726057, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.726136, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:16.772344, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/29 00:02:16.814492, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-CLIENT] len1=24 len2=270
[2016/07/29 00:02:16.814595, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/29 00:02:16.814676, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/29 00:02:16.814868, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/29 00:02:16.815357, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/29 00:02:16.815460, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/29 00:02:16.815617, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/29 00:02:16.815893, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-CLIENT] with the new password interface
[2016/07/29 00:02:16.815940, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-CLIENT]
[2016/07/29 00:02:16.827000, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/29 00:02:16.827064, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827139, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/29 00:02:16.827205, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/29 00:02:28.359747, 2] ../source3/smbd/server.c:576(remove_child_pid)
Could not find child 1032 -- ignoring


Kevin Davidson
2016-07-31 22:58:56 UTC
Post by Kevin Davidson
So Louis has released his new deb packages of Samba 4.4.5. I’ve installed them (not entirely smoothly as apt-get still wanted to install winbind 4.2.10 and then failed on all the dependencies)
And I’m still seeing the exact same behaviour. wbinfo -u shows all AD users, wbinfo -g shows all the groups. getent group lists local groups and the ones I’ve added RFC2307 GID data for. getent passwd lists only local users. Nobody can access file shares.
You don't mention adding a uidNumber attribute to the users, have you done this?
In an earlier message, yes.
To get the winbind 'ad' backend to work on a domain member, you need to give each AD user a unique uidNumber attribute, you must also give Domain Users a gidNumber attribute.
This last part has solved one problem. Giving Domain Users a gid has fixed the problems with getent passwd. And an ls -l of shared directories now shows the proper ownership of files.

But SMB connections to shares are still failing with NT_STATUS_NO_SUCH_USER

[2016/07/31 23:53:55.102317, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.102509, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.102839, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (failed to receive smb request)
[2016/07/31 23:53:55.107288, 3] ../source3/lib/util_procid.c:54(pid_to_procid)
pid_to_procid: messaging_dgm_get_unique failed: No such file or directory
[2016/07/31 23:53:55.152956, 3] ../source3/lib/access.c:338(allow_access)
Allowed connection from 192.168.103.28 (192.168.103.28)
[2016/07/31 23:53:55.153156, 3] ../source3/smbd/oplock.c:1310(init_oplocks)
init_oplocks: initializing messages.
[2016/07/31 23:53:55.153255, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 73 (0 toread)
[2016/07/31 23:53:55.153298, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 934) conn 0x0
[2016/07/31 23:53:55.154569, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [NT LM 0.12]
[2016/07/31 23:53:55.154636, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.002]
[2016/07/31 23:53:55.154658, 3] ../source3/smbd/negprot.c:601(reply_negprot)
Requested protocol [SMB 2.???]
[2016/07/31 23:53:55.154824, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2016/07/31 23:53:55.246565, 3] ../source3/smbd/negprot.c:711(reply_negprot)
Selected protocol SMB 2.???
[2016/07/31 23:53:55.285751, 3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
Selected protocol SMB3_02
[2016/07/31 23:54:06.780444, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.823840, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.823991, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.824171, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.824400, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.824854, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.824948, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.825113, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.825943, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.825990, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.860082, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860136, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.860214, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2016/07/31 23:54:06.906727, 3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
Got NTLMSSP neg_flags=0x62888215
[2016/07/31 23:54:06.952704, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.952816, 3] ../source3/param/loadparm.c:3742(lp_load_ex)
lp_load_ex: refreshing parameters
[2016/07/31 23:54:06.952907, 3] ../source3/param/loadparm.c:544(init_globals)
Initialising global parameters
[2016/07/31 23:54:06.953062, 3] ../source3/param/loadparm.c:2671(lp_do_section)
Processing section "[global]"
[2016/07/31 23:54:06.953547, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Shared Items]"
[2016/07/31 23:54:06.953637, 2] ../source3/param/loadparm.c:2688(lp_do_section)
Processing section "[Archives]"
[2016/07/31 23:54:06.953771, 3] ../source3/param/loadparm.c:1588(lp_add_ipc)
adding IPC service
[2016/07/31 23:54:06.954021, 3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
check_ntlm_password: Checking password for unmapped user [DOMAIN]\[Administrator]@[TEST-PC] with the new password interface
[2016/07/31 23:54:06.954101, 3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
check_ntlm_password: mapped user is: [DOMAIN]\[Administrator]@[TEST-PC]
[2016/07/31 23:54:06.965389, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.965457, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965485, 2] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
SPNEGO login failed: NT_STATUS_NO_SUCH_USER
[2016/07/31 23:54:06.965553, 3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_LOGON_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134


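Added example, not part of the thread and not Samba project code: a Python parser for log.smbd entries like the ones posted above that separates logons rejected because getpwnam() found no Unix account (the idmap/RFC2307 problem discussed here) from other failures. It assumes one connection's entries are contiguous, as in the posted excerpts; the function names are illustrative and the second sample entry is constructed.

```python
import re

# smbd log entries: "[timestamp, level] file:line(function)", then message lines.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*\d+\]"
    r"\s+\S+:\d+\(\w+\)$"
)
PREAUTH = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)
NO_PWNAM = re.compile(
    r"Failed to find authenticated user (?P<account>\S+) via getpwnam\(\)"
)
AUTH_FAIL = re.compile(
    r"Authentication for user \[(?P<user>[^\]]*)\] -> \[[^\]]*\] "
    r"FAILED with error (?P<status>NT_STATUS_\w+)"
)

# Excerpt of the log.smbd lines posted in the thread.
THREAD_EXCERPT = r"""
[2016/07/31 23:54:06.823840, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[Administrator] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:54:06.860006, 3] ../source3/auth/auth_util.c:1229(check_account)
Failed to find authenticated user DOMAIN\administrator via getpwnam(), denying access.
[2016/07/31 23:54:06.860082, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [Administrator] -> [Administrator] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# Constructed entry (not from the thread) for contrast: a bad password.
CONSTRUCTED = r"""
[2016/07/31 23:55:10.000001, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[kevin] domain=[DOMAIN] workstation=[TEST-PC] len1=24 len2=270
[2016/07/31 23:55:10.020002, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
check_ntlm_password: Authentication for user [kevin] -> [kevin] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

SAMPLE_LOG = THREAD_EXCERPT + CONSTRUCTED


def parse_entries(text):
    """Yield (timestamp, message) pairs, joining multi-line messages."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if current:
                yield current[0], " ".join(current[1])
            current = (m["ts"], [])
        elif current and line:
            current[1].append(line)
    if current:
        yield current[0], " ".join(current[1])


def failed_logons(text):
    """Return one record per failed logon with the cause smbd logged for it."""
    failures = []
    workstation = None
    unmapped = None  # account for which getpwnam() returned nothing
    for ts, msg in parse_entries(text):
        if m := PREAUTH.search(msg):
            # A new authentication attempt starts; reset per-attempt state.
            workstation, unmapped = m["ws"], None
        elif m := NO_PWNAM.search(msg):
            unmapped = m["account"]
        elif m := AUTH_FAIL.search(msg):
            failures.append({
                "time": ts,
                "user": m["user"],
                "workstation": workstation,
                "status": m["status"],
                "cause": "no_unix_account" if unmapped else "credential_or_other",
                "account": unmapped,
            })
            unmapped = None
    return failures


def accounts_without_unix_identity(failures):
    """Accounts to check with `getent passwd` and for a uidNumber in AD."""
    return sorted({f["account"] for f in failures if f["cause"] == "no_unix_account"})


if __name__ == "__main__":
    results = failed_logons(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["user"], f["workstation"], f["status"], f["cause"])
    print("no Unix identity:", accounts_without_unix_identity(results))
```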
Blindauer Emmanuel
2016-07-25 21:22:54 UTC
Post by Kevin Davidson
Having problems with rfc2307 user ids. This was working briefly and now it’s not.
samba and winbind v 2.4.2.10+dfs
wbinfo -u lists all the domain users
wbinfo -g lists all the domain groups
getent group lists all the local groups and the AD domain groups that have a UNIX gid set
getent passwd lists only the local users, then pauses for a moment, then nothing. AD users can’t log in and can’t access any shares being shared from the server.
The domain user UNIX user IDs are all in the range 1001 - 2000 and need to match up with other servers using the same UIDs.
[global]
netbios name = TERRA
workgroup = DOMAIN
security = ADS
realm = OFFICE.DOMAIN.COM
encrypt passwords = yes
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1001-60000
idmap config DOMAIN:default = yes
idmap config *:backend = tdb
idmap config *:range = 60001-9999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
What have I done wrong?
I'm facing the same problem, except that wbinfo -u never returned users
(wbinfo -g works).
wbinfo -i user returned the correct value for some days, and stopped
working.

same packages from jessie, but I have also tested the sernet packages
for 4.2.14 without more success.

I have also some errors showing up with a high level of debug for winbind:

[2016/07/25 23:15:24.221239, 5]
../auth/gensec/gensec_start.c:672(gensec_start_mech)
Starting GENSEC submechanism gse_krb5
[2016/07/25 23:15:24.263941, 5]
../source3/librpc/crypto/gse.c:265(gse_init_client)
gss_acquire_creds failed for GSS_C_NO_NAME with [ No credentials were
supplied, or the credentials were unavailable or inaccessible.: unknown
mech-code 0 for mech 1 2 840 113554 1 2 2] -the caller may retry after a
kinit.
[2016/07/25 23:15:24.264068, 4]
../auth/gensec/gensec_start.c:679(gensec_start_mech)
Failed to start GENSEC client mech gse_krb5: NT_STATUS_INTERNAL_ERROR

My config file:

[global]
workgroup = AD
realm=AD.UNISTRA.FR
log file = /var/log/samba/log.%m
max log size = 100000
syslog = 0
panic action = /usr/share/samba/panic-action %d
server role = member server
obey pam restrictions = yes
map to guest = bad user

kerberos method = secrets and keytab
idmap config * : backend = tdb2
idmap config * : range = 3000-4000
idmap config AD : backend = ad
idmap config AD : default = yes
idmap config AD : range = 10000-1000000
idmap config AD : schema_mode = rfc2307
idmap config PSI : schema_mode = rfc2307
idmap config PSI : range = 5000-9998

winbind nss info = rfc2307
winbind separator = +
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Emmanuel Blindauer
2016-07-26 07:33:33 UTC
I need to correct: I had a typo. With sernet packages, winbind works, and faster.
Still doesn't get wbinfo -u to return users, but I think wbinfo times out
before getting all 140k users; WB logs still show retrieving users.

Emmanuel
L.P.H. van Belle
2016-07-29 08:31:50 UTC
Hai,

I’ve added some extra info on the upgrade problem.
The full info can be found here:
https://downloads.van-belle.nl/samba4/upgrade-problems.txt
I’ve added the outputs of one of my server upgrades so people can see exactly what happens.

And I’m missing one mail on the list, so a summary of the depend thing.
(same is in the upgrade-problems.txt)

The error is due to:
trying to overwrite '/usr/share/man/man8/vfs_glusterfs.8.gz'

You have 2 options.

1) Remove samba and reinstall the 4.4.5 (but without data loss or config losses)

apt-get remove samba winbind
for x in $(dpkg -l | awk '/samba/ {print $2}'); do apt-get remove "$x"; done
apt-get install samba winbind

or

2) Just upgrade, and do this simple fix.

apt-get upgrade

Now it fails at:

Errors were encountered while processing:
 /var/cache/apt/archives/samba-vfs-modules_2%3a4.4.5+dfsg-2~bpo8+1_i386.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

Fix:

dpkg -i --force-all /var/cache/apt/archives/samba-vfs-modules_2%3a4.4.5+dfsg-2~bpo8+1_i386.deb
apt-get -f install   (or again apt-get upgrade)

Done.

You now have a good working samba 4.4.5 on debian.

Greetz,

Louis