Hi again.

Today I did some new tests.

The trick below (previous e-mail) works sometimes with 4.2.10 and 4.3.8.
The trick always works with 4.4.2.
My own deb build, not installed from source, and tested now on 3 servers. All same result.

I checked out the server I did yesterday, still working without any problems.

So I'm wondering what's the difference between 4.2.10, 4.3.8, 4.4.1 in the Debian packages and my Debian build of 4.4.2.

The 4.4.2 build I made was the source from samba.org.
I took the "debian" folder from 4.4.1 and added this in the source samba 4.4.2.
I removed only one patch, since that is in 4.4.2 from source.
Patch: security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt

I did rebuild tevent ldb tdb talloc etc from Debian sid.
And now I can't make it fail again, independent of the settings.

I hope this helps someone.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:[email protected]] On behalf of L.P.H. van Belle
> Sent: Tuesday 19 April 2016 15:11
> To: [email protected]
> Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not (update8)( solved maybe?)
>
> Ok.
> New test, Debian samba 4.2.10 ( all stock Debian packages )
>
> So others with 4.2.10 stock Debian packages, please test also if below works.
>
> The file server on which (wbinfo -u) worked Saturday, and not on Sunday until now.
>
> None of these three settings below are in the config and wbinfo -u fails.
>
> Now adding these settings !! one at a time !!
> And I reloaded samba and restarted winbind every time.
>
> client ldap sasl wrapping = plain
> client ldap sasl wrapping = seal
> client ldap sasl wrapping = sign
>
> Result in the end.
>
> I started with plain, wbinfo -u works, but first time a long delay before I see the output, ( long is +4-5 sec)
>
> Changed it to seal, wbinfo -u works
>
> And back to the samba default "sign" which now also works.
> So seems fixed now. Strange..
>
> Removed the client ldap sasl wrapping from the config.
> All still works.
>
> I'll check this server tomorrow again.
>
> Greetz,
>
> Louis
>
> > > -----Original message-----
> > > From: samba [mailto:[email protected]] On behalf of L.P.H. van Belle
> > > Sent: Tuesday 19 April 2016 12:48
> > > To: [email protected]
> > > Subject: Re: [Samba] FW: Domain member seems to work, wbinfo -u not (update7)
> > >
> > > @Patrick Thanks, that helped.
> > > @Mathias, only 10.000 objects.
> > >
> > > >> client ldap sasl wrapping = plain <<
> > >
> > > I've tested that on my members.
> > > 4.2.10
> > > 4.3.8
> > > 4.4.1
> > > 4.4.2
> > > wbinfo -u now works.
> > >
> > > Ok tested all 3 options of that setting.
> > > Tested also in the order, plain seal sign
> > >
> > > Samba 4.2.10 (Debian stable)
> > > client ldap sasl wrapping = plain    wbinfo -u works.
> > > client ldap sasl wrapping = seal     wbinfo -u fails
> > > client ldap sasl wrapping = sign     wbinfo -u fails
> > > only plain works, and keeps working.
> > >
> > > Other server.
> > > Version 4.4.2-LvB ( samba.org packages, own deb, based on Debian 4.4.1 )
> > > Default it fails, now the funny part.
> > > ( default samba setting is sign )
> > > We start with a NOT working wbinfo -u.
> > >
> > > Test with following changes.
> > > Try1) client ldap sasl wrapping = plain    wbinfo -u works.
> > > Try2) client ldap sasl wrapping = seal     wbinfo -u also works now.
> > > Try3) client ldap sasl wrapping = sign     wbinfo -u also works now.
> > >
> > > Only the 4.4.2 now keeps working independent of the setting.
> > > Lunch first, I'll test the 4.3.8 also.
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > > > -----Original message-----
> > > > From: samba [mailto:[email protected]] On behalf of Patrick G. Stoesser
> > > > Sent: Tuesday 19 April 2016 12:21
> > > > To: [email protected]
> > > > Subject: Re: [Samba] After Update to 4.2, Samba is unusuable as member server / No user and goup resolution
> > > >
> > > > Hello,
> > > >
> > > > a reply in debianforum.de led me to:
> > > >
> > > > client ldap sasl wrapping = plain
> > > >
> > > > and with that setting at least wbinfo works.
> > > >
> > > > But still my problems are not completely gone: On the filesystem level,
> > > > AD users and groups are still not resolved. "Invalid user". But kinit
> > > > "USER" works. Still have to try...
> > > >
> > > > Regards, pgs
> > > >
> > > > On 16.04.2016 at 19:08, Patrick G. Stoesser wrote:
> > > > > Hello everybody,
> > > > >
> > > > > I've been running Samba as an AD member server for ages (Debian stable).
> > > > > After the last update to 4.2, I just can't get it to work.
> > > > >
> > > > > Symptoms: unable to map AD user / groups.
> > > > >
> > > > > After two days of unsuccessfully fiddling (and moving all data to another
> > > > > server with still Samba 3.6, which I will definitely NOT update at the
> > > > > moment), I decided to purge my Installation and start over again like
> > > > > described in
> > > > > <https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member>
> > > > >
> > > > > So now my setup is (all names and IPs are masked, but are correct here):
> > > > >
> > > > > ********************************************************************
> > > > > smb.conf
> > > > > ********************************************************************
> > > > > [global]
> > > > >
> > > > > netbios name = test-fileserver3
> > > > > security = ADS
> > > > > workgroup = AD
> > > > > realm = AD.test.loc
> > > > >
> > > > > log file = /var/log/samba/%m.log
> > > > > log level = 3
> > > > >
> > > > > dedicated keytab file = /etc/krb5.keytab
> > > > > kerberos method = secrets and keytab
> > > > > winbind refresh tickets = yes
> > > > >
> > > > > winbind trusted domains only = no
> > > > > winbind use default domain = yes
> > > > > winbind enum users = yes
> > > > > winbind enum groups = yes
> > > > >
> > > > > idmap config *:backend = tdb
> > > > > idmap config *:range = 2000-9999
> > > > >
> > > > > idmap config AD:backend = ad
> > > > > idmap config AD:schema_mode = rfc2307
> > > > > idmap config AD:range = 10000-95000
> > > > >
> > > > > winbind nss info = template
> > > > > # template shell = /sbin/nologin
> > > > > # template homedir = /home/%U
> > > > > ********************************************************************
> > > > >
> > > > > ********************************************************************
> > > > > nsswitch.conf
> > > > > ********************************************************************
> > > > > passwd: files winbind
> > > > > group: files winbind
> > > > > hosts: files dns.
> > > > > shadow: files winbind
> > > > >
> > > > > networks: files
> > > > >
> > > > > protocols: db files
> > > > > services: db files
> > > > > ethers: db files
> > > > > rpc: db files
> > > > >
> > > > > netgroup: nis
> > > > > ********************************************************************
> > > > >
> > > > > My krb5.keytab has been generated correctly. I also have a krb5.conf:
> > > > >
> > > > > ********************************************************************
> > > > > krb5.conf
> > > > > ********************************************************************
> > > > >
> > > > > [libdefaults]
> > > > > default_realm = AD.TEST.LOC
> > > > > clockskew = 900
> > > > >
> > > > > # The following libdefaults parameters are only for Heimdal Kerberos.
> > > > > v4_instance_resolve = false
> > > > > v4_name_convert = {
> > > > >     host = {
> > > > >         rcmd = host
> > > > >         ftp = ftp
> > > > >     }
> > > > >     plain = {
> > > > >         something = something-else
> > > > >     }
> > > > > }
> > > > > fcc-mit-ticketflags = true
> > > > >
> > > > > [realms]
> > > > > TEST.TEST.LOC = {
> > > > >     kdc = dc.ad.test.loc
> > > > >     kdc = dc1.ad.test.loc
> > > > >     kdc = dc2.ad.test.loc
> > > > >     kdc = dc3.ad.test.loc
> > > > >     admin_server = dc.test.loc
> > > > > }
> > > > >
> > > > > [domain_realm]
> > > > > .test.loc = AD.TEST.LOC
> > > > >
> > > > > [login]
> > > > > krb4_convert = true
> > > > > krb4_get_tickets = false
> > > > >
> > > > > [logging]
> > > > > kdc = FILE:/var/log/krb5/krb5kdc.log
> > > > > admin_server = FILE:/var/log/krb5/kadmind.log
> > > > > default = SYSLOG:NOTICE:DAEMON
> > > > > ********************************************************************
> > > > >
> > > > > libpam.winbind and libnss.winbind are installed.
> > > > >
> > > > > Name resolution works (as before...):
> > > > >
> > > > > host -t A dc.ad.test.loc
> > > > > dc.ad.test.loc has address 123.456.789.208
> > > > >
> > > > > getent hosts
> > > > > 127.0.0.1 localhost
> > > > > 123.456.789.244 test-fileserver3.test.test.loc test-fileserver3
> > > > >
> > > > > Time is synchronized (as before...)
> > > > >
> > > > > net join ads -U "Domainadmin" worked.
> > > > >
> > > > > smbd, nmbd, winbind start successfully.
> > > > > wbinfo -t and -p are successful.
> > > > >
> > > > > But still no resolution. wbinfo -g and -u give no result. Also, getent
> > > > > passwd delivers only local accounts.
> > > > >
> > > > > Log says (as expected) "Username AD\ps-15-16 is invalid on this system
> > > > > [2016/04/16 18:52:45.713298, 3]
> > > > > ../source3/auth/auth_generic.c:99(auth3_generate_session_info_pac)
> > > > > Failed to map kerberos principal to system user
> > > > > (NT_STATUS_LOGON_FAILURE)"
> > > > >
> > > > > I tried, as read in the list, to change idmap config AD:backend = ad to
> > > > > rid. No change in results.
> > > > >
> > > > > Anyone any idea? I'm momentarily at the end of mine.
> > > >
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions: https://lists.samba.org/mailman/options/samba
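
Added example, not part of the original thread and not Samba's own code: the workaround discussed above, `client ldap sasl wrapping = plain`, leaves the member's LDAP traffic neither signed nor sealed, so it is worth confirming it does not stay in smb.conf once troubleshooting is over. This Python check reports the effective [global] value; the sample configs are constructed, and the default of `sign` is the one stated in the thread.

```python
import re

# Meaning of the three values named in the thread (per smb.conf(5)).
PROTECTION = {
    "plain": "LDAP traffic is neither signed nor sealed",
    "sign": "LDAP traffic is signed",
    "seal": "LDAP traffic is signed and encrypted",
}
DEFAULT = "sign"  # default as stated in the thread
PARAM = "clientldapsaslwrapping"

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names
    return re.sub(r"\s+", "", name).lower()

def effective_wrapping(conf_text):
    """Return (value, explicitly_set) for the [global] section."""
    section, value, explicit = None, DEFAULT, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        name, sep, val = line.partition("=")
        if sep and section == "global" and _norm(name) == PARAM:
            # assumption: a later line overrides an earlier one
            value, explicit = val.strip().lower(), True
    return value, explicit

def audit(conf_text):
    value, explicit = effective_wrapping(conf_text)
    if value not in PROTECTION:
        return "ERROR", f"unknown value {value!r}"
    level = "WARN" if value == "plain" else "OK"
    origin = "set in smb.conf" if explicit else "built-in default"
    return level, f"{value} ({origin}): {PROTECTION[value]}"

# Constructed samples modelled on the smb.conf quoted in the thread.
WORKAROUND = "[global]\nsecurity = ADS\n# test leftover\nClient LDAP  SASL wrapping = plain\n"
STOCK = "[global]\nsecurity = ADS\nworkgroup = AD\n"

if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND), ("stock", STOCK)):
        print(label, *audit(text))
```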

