Hi!
I am in a bit of trouble, I have moved a samba installation from one
virtual host to another keeping the configuration files and
filesystems. But during the transition something broke, now windows
users are no longer able to access their shares. I think it has to do
with the AD integration. I do not know if it is because some state is
missing on this host related to the AD integration or if something
has changed since the version of samba is higher on the new host. We
have the same set of private files also (passed.tbd and secrets.tbd).
Old version was 3.5.8 and the new version on the virtual host that
does not work is 3.6.25.
Any ideas on how to debug this is helpful, I know very little about AD
integration, perhaps the virtual host needs to join the domain again
and authenticate, can I check the status of the integration in any
way?
# Global parameters
[global]
log file = /var/samba/log/clientlog.%m
dns proxy = No
acl check permissions = False
netbios aliases = string1
server string = string1
name resolve order = hosts bcast
realm = DOMAIN.NET
password server = server3.string1.net sever4.string1.net
# wins server = x.x.x.x
local master = no
workgroup = WGNAME
os level = 0
domain master = no
encrypt passwords = yes
security = DOMAIN
unix charset = ISO8859-1
max log size = 50
# Fix for not to do lpstat since we don't use printers in Samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
On 18 Mar 2017, at 16:54, Rowland Penny via samba <samba@lists.samba.org> wrote:
On Sat, 18 Mar 2017 16:06:28 +0100
Henrik Johansson via samba <samba@lists.samba.org> wrote:
> Hi!
> I am in a bit of trouble, I have moved a samba installation from one
> virtual host to another keeping the configuration files and
> filesystems. But during the transition something broke, now windows
> users are no longer able to access their shares. I think it has to do
> with the AD integration. I do not know if it is because some state is
> missing on this host related to the AD integration or if something
> has changed since the version of samba is higher on the new host. We
> have the same set of private files also (passed.tbd and secrets.tbd).
> Old version was 3.5.8 and the new version on the virtual host that
> does not work is 3.6.25.
What OS is this on ?
Can you upgrade to a Samba version that is not EOL ?
> Any ideas on how to debug this is helpful, I know very little about AD
> integration, perhaps the virtual host needs to join the domain again
> and authenticate, can I check the status of the integration in any
> way?
You will probably need to join the new domain member again.
> # Global parameters
> [global]
> log file = /var/samba/log/clientlog.%m
> dns proxy = No
> acl check permissions = False
> netbios aliases = string1
> server string = string1
> name resolve order = hosts bcast
> realm = DOMAIN.NET
> password server = server3.string1.net sever4.string1.net
> # wins server = x.x.x.x
> local master = no
> workgroup = WGNAME
> os level = 0
> domain master = no
> encrypt passwords = yes
> security = DOMAIN
Try changing 'security = DOMAIN' to 'security = ADS'
Are you running winbind or are you using something else for
authentication ?
Rowland
On 18 Mar 2017, at 17:26, Marc Muehlfeld via samba <samba@lists.samba.org> wrote:
Hi Henrik,
On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.
That's not really a step forward to a supported Samba version. :-)
https://wiki.samba.org/index.php/Samba_Release_Planning
> # Global parameters
> [global]
> log file = /var/samba/log/clientlog.%m
> dns proxy = No
> acl check permissions = False
> netbios aliases = string1
> server string = string1
> name resolve order = hosts bcast
> realm = DOMAIN.NET
> password server = server3.string1.net sever4.string1.net
> # wins server = x.x.x.x
> local master = no
> workgroup = WGNAME
> os level = 0
> domain master = no
> encrypt passwords = yes
> security = DOMAIN
> unix charset = ISO8859-1
> max log size = 50
> # Fix for not to do lpstat since we don't use printers in Samba
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
First some nitpicks about your smb.conf:
* netbios aliases = string1
  Makes no sense to set an alias to exactly the same name
  as "server string" :-)
* password server: If there is no reason to only request some
  specific servers, I would not limit this. If both are down,
  Samba won't talk to other remaining DCs.
* encrypt passwords = yes
  This is default since a longer time.
These are just some improvement suggestions, but not related to your problem.
Ok. And now the things that are incorrect for a Samba AD domain member:
* realm = DOMAIN.NET and workgroup = WGNAME
  In this case, I would expect that "DOMAIN" is your NetBIOS domain
  name ("workgroup" setting), not something different. If this
  really matches your AD setup, it should work - but it's not
  the recommended way how to set up an AD.
* security = DOMAIN
  This setting is for an NT4 domain. Use "security = ADS"
* Your ID mapping configuration is missing completely.
  See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
  No warranty that this works for 3.6. Our documentation only
  covers supported Samba versions.
I recommend the following:
* Update Samba to a supported version (recommended: 4.6.0).
  Samba 3.6 was released 2011. A lot of things regarding AD were
  improved in later releases.
  https://wiki.samba.org/index.php/Updating_Samba
* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
  I recently rewrote the doc and it works for all supported versions.
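The points raised in the message above about the posted [global] section can be checked mechanically. This shell sketch is an added example, not part of the original thread or of Samba; the function names and finding labels are made up here, and the embedded config is the relevant subset of the one posted in the thread.

```shell
#!/bin/sh
# Added example: audit the [global] section of an smb.conf for the
# domain-member issues raised in this thread.

# Print "name=value" for each [global] parameter, with names normalised the
# way Samba compares them (case-insensitive, whitespace ignored).
global_params() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", k)
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "=" v
        }' "$1"
}

# Echo a space-separated list of finding labels (labels are made up here).
audit_smb_conf() {
    params=$(global_params "$1")
    get() { printf '%s\n' "$params" | sed -n "s/^$1=//p" | tail -n 1; }
    security=$(get security | tr 'A-Z' 'a-z')
    findings=""
    # A realm is set (AD), yet security = domain selects NT4-style membership.
    if [ -n "$(get realm)" ] && [ "$security" = "domain" ]; then
        findings="$findings security-domain-with-realm"
    fi
    # No "idmap config ..." parameter at all.
    printf '%s\n' "$params" | grep -q '^idmapconfig' ||
        findings="$findings idmap-missing"
    # DC list is pinned; if those hosts are down no other DC is tried.
    [ -n "$(get passwordserver)" ] && findings="$findings password-server-pinned"
    echo "${findings# }"
}

# Relevant subset of the [global] section posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
realm = DOMAIN.NET
password server = server3.string1.net sever4.string1.net
workgroup = WGNAME
security = DOMAIN
EOF
audit_smb_conf "$sample"
```

An empty result means none of the three conditions was found; it does not show that the domain join itself is healthy.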
Hi Rowland and thanks for your reply,
Short summary; this is on an old Solaris 10 system, the virtual host
is a Solaris zone, or two instances of the zone on two hosts for
failover. The config is years old and I had no part in this, but we
needed to upgrade Solaris. Oracle has only managed to release 3.5.8 or
something close to that as patches. I could of course compile my own
version or something but Samba was not the scope for this operation,
it just stopped working which is a huge problem, and it can be
because we needed to switch to the other zone or because the config
did not work with this slightly newer version.
kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database
I am under the impression that it’s Kerberos.
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
>   Makes no sense to set an alias to exactly the same name
>   as "server string" :-)
Why ?
> * encrypt passwords = yes
>   This is default since a longer time.
It doesn't matter if there or not.
> Ok. And now the things that are incorrect for a Samba AD domain
> member:
> * realm = DOMAIN.NET and workgroup = WGNAME
>   In this case, I would expect that "DOMAIN" is your NetBIOS domain
>   name ("workgroup" setting), not something different. If this
>   really matches your AD setup, it should work - but it's not
>   the recommended way how to set up an AD.
Well, Microsoft says you can use a netbios domain name that is
different from the left part of the DNS name, so I suppose Samba
should as well.
> * Your ID mapping configuration is missing completely.
>   See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>   No warranty that this works for 3.6. Our documentation only
>   covers supported Samba versions.
I notice it was missing as well, but the OP could be using something
else instead of winbind. 'idmap config' existed on 3.6.0, so it should
work.
> I recommend the following:
> * Update Samba to a supported version (recommended: 4.6.0).
>   Samba 3.6 was released 2011. A lot of things regarding AD were
>   improved in later releases.
Why recommend something, that the OP might not be able to do, without
all the facts.
> Short summary; this is on an old Solaris 10 system, the virtual host
> is a Solaris zone, or two instances of the zone on two hosts for
> failover. The config is years old and I had no part in this, but we
> needed to upgrade Solaris. Oracle has only managed to release 3.5.8 or
> something close to that as patches. I could of course compile my own
> version or something but Samba was not the scope for this operation,
> it just stopped working which is a huge problem, and it can be
> because we needed to switch to the other zone or because the config
> did not work with this slightly newer version.
OK, I wonder if you are running into the result of the badlock patches ?