Web lists-archives.com

Re: [Samba] Samba 4.3.13 logon oddity on Solaris 10




Lacking further ideas I spent another hour to build 4.5.16 which seems
to have cured the problem that it takes two attempts to connect to a
samba share. Same smb.conf as before. All locally stored stuff
untouched and without rejoing the domain and not even net cache flush:

root.niihau /opt/samba4/var/log # net ads testjoin
Join is OK
root.niihau /opt/samba4/var/log # wbinfo -P
checking the NETLOGON for domain[MD-DZNE] dc connection to "md-svr-001-bsd.magdeburg.dzne.ds" succeeded
root.niihau /opt/samba4/var/log # wbinfo --own-domain   
MD-DZNE
root.niihau /opt/samba4/var/log # wbinfo --online-status 
BUILTIN : online
NIIHAU : online
MD-DZNE : online
root.niihau /opt/samba4/var/log # wbinfo -n markgrafb
S-1-5-21-823329394-1231227920-234269439-1202 SID_USER (1)
root.niihau /opt/samba4/var/log # wbinfo -S S-1-5-21-823329394-1231227920-234269439-1202
10058
root.niihau /opt/samba4/var/log # wbinfo -i markgrafb
markgrafb:*:10058:10001::/home/markgrafb:/usr/bin/tcsh

Heureka! 
System logins do not work using winbind though. But honestly I couldn't
care less as long as LDAP just works.
With winbind set as nameservice for passwd and group in nsswitch.conf
getent passwd only lists users from the local passwd file. 
getent passwd markgraf and getent passwd 10058 do show that user
though. But finger markgrafb fails as do logins to the machine itself
as that user.
winbindd.log shows
[2018/07/06 10:49:02.226110,  0]
../source3/winbindd/winbindd_group.c:45(fill_grent)
  Failed to find domain 'Unix Group'. Check connection to trusted
domains!
as only thing suspicious.

Again, as long as LDAP works as expected I don't care about winbind not
working.
Thanks to whoever fixed this in between 4.3.13 and 4.5.16 ;-)

  Bernd


On Mon, 2018-07-02 at 11:55 +0100, Rowland Penny via samba wrote:
> On Mon, 02 Jul 2018 12:38:54 +0200
> Bernd Markgraf <bernd.markgraf@xxxxxxxxxxx> wrote:
> 
> > On Mon, 2018-07-02 at 11:30 +0100, Rowland Penny via samba wrote:
> > 
> > > Provided that your users have a uidNumber attribute containing a
> > > unique number inside the '10000-999999' range AND Domain Users
> > > has a
> > > gidNumber attribute containing a number inside the same range,
> > > then,
> > > yes it is a valid smb.conf. These attributes are not added
> > > automatically, you must add them manually.
> > 
> > Yes all UID/GID numbers stored in the AD user objects are unique
> > and
> > start at 10000. Both attributes are set for all users.
> > 
> > > There are lines I would remove though:
> > > 
> > > encrypt passwords = yes # This a default setting
> > > 
> > > winbind enum users = Yes
> > > winbind enum groups = Yes # These are not required and can slow
> > > things
> > > down.
> > 
> > Thanks, I removed them now.
> > 
> > > kerberos method = system keytab # you shouldn't really have this.
> > 
> > Removed too. What's wrong with that line? My understanding was that
> > it
> > tells samba to use the system's global keytab. I don't see much
> > harm
> > in that?
> 
> Because you should be using the default 'secrets.tdb', your setting
> had
> turned this off. You only need a separate keytab if there is
> something
> that needs it and, if so, you should use 'kerberos method = secrets
> and
> keytab'
> 
> > 
> > So now that I have a valid smb.conf - the initial problem persists.
> > How do I proceed to resolve this issue?
> 
> Is there a firewall or similar getting in the way ?
> Is the output of 'net ads testjoin' 'Join is OK' ?
>  
> Rowland
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba