getent/Winbind issues

getent/Winbind issues

Samba - General mailing list
Hi all,
having a bit of a nuisance here. Hope you can help. Let's see.

A) I have a Dell Poweredge running a (mostly) vanilla Debian Jessie and
Samba 4.5.0 as an AD-DC using internal DNS. All works as expected including
winbind, wbinfo and getent. Against samba team recommendations the DC is
also a fileserver.

B) On a similar machine (that's where the problem lies), I installed Debian
Stretch and Samba 4.5.0. Copied the database from the first machine and
upgraded to samba 4.6.5. Followed (as much as I can tell) the samba wiki on
all steps (samba install, database backup and recovery and samba upgrade
and also sysvol replication). The process went rather seamlessly. The basic
idea is to get an upgraded version of the original machine.
Now:
1) As far as I can tell the domain works correctly; I can add users and
machines, login and logout, and access shares
2) wbinfo works correctly
3) getent does not. getent passwd correctly returns local users plus a
message stating "error writing passwd entry: Invalid argument" instead of
each domain user's name. getent group gives similar results
4) Can't find anything relevant in the logs (up to level 4) but I probably
overlooked something
5) testparm complains about idmap range not being specified which I believe
is a benign error message
6) Passed all tests on samba wiki's basic troubleshooting. samba and
winbind are running
7) Thinking it might be a permissions error on the database restore, I did
a samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix which didn't
fix anything
8) removing the winbind links or the entries from nsswitch returns getent
to its normal behaviour of only returning local users
9) smb.conf is mostly vanilla (omitted the shares part):
[global]
        netbios name = EHSERVER
        realm = EUROHIDRA.LOCAL
        workgroup = EUROHIDRA
        netbios name = EHSERVER
        interfaces = lo br0
        bind interfaces only = Yes
        dns forwarder = 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        log level = 4
        log file = /var/log/samba/samba.log

        passwd program = /usr/bin/passwd %u
        time server =yes
        unix password sync = yes
        name resolve order =  bcast host lmhosts wins
        winbind refresh tickets = Yes
        winbind separator = :
        winbind enum users = yes
        winbind enum groups = yes


It seems to be a winbind permissions problem. I checked database file permissions
against the original machine and they look the same.
Any clues? I'm kinda stuck here. I could reinstall everything again but
that's silly... Even hints of what to troubleshoot are highly appreciated.
Best regards
Carlos
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: getent/Winbind issues

On Sat, 15 Jul 2017 15:20:14 +0100
Carlos Jesus via samba <[hidden email]> wrote:

> Hi all,
> having a bit of a nuisance here. Hope you can help. Let's see.
>
> A) I have a Dell Poweredge running a (mostly) vanilla Debian Jessie
> and Samba 4.5.0 as an AD-DC using internal DNS. All works as expected
> including winbind, wbinfo and getent. Against samba team
> recommendations the DC is also a fileserver.

You can use the DC as a fileserver, you just have to be aware of the
limitations ;-)

>
> B) On a similar machine (that's where the problem lies), I installed
> Debian Stretch and Samba 4.5.0.
> Copied the database from the first machine and upgraded to samba
> 4.6.5.

What 'database' did you copy?
If you are referring to 'sam.ldb', then you will undoubtedly have
problems.
You should have created a new DC by joining the computer as a new DC,
transferred the FSMO roles from the old DC and then demoted the old DC.

> [global]
>         netbios name = EHSERVER
>         realm = EUROHIDRA.LOCAL
>         workgroup = EUROHIDRA
>         netbios name = EHSERVER
>         interfaces = lo br0
>         bind interfaces only = Yes
>         dns forwarder = 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log level = 4
>         log file = /var/log/samba/samba.log
>
>         passwd program = /usr/bin/passwd %u
>         time server =yes
>         unix password sync = yes
>         name resolve order =  bcast host lmhosts wins
>         winbind refresh tickets = Yes
>         winbind separator = :
>         winbind enum users = yes
>         winbind enum groups = yes

I would remove the above 8 lines, apart from the last two; they either
shouldn't be in a DC smb.conf or don't do anything. You should only
add the last two whilst testing.
 
Rowland
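
The smb.conf review in the reply above, written as a small check (an added example, not part of the original thread and not Samba code): it flags duplicate [global] parameters and, when the server role is an AD DC, the parameters the reply says to remove or to keep only whilst testing. The sample config is abridged from the first message; the function name and finding strings are made up for this example.

```python
import re

# From the reply above: these do not belong in a DC smb.conf or do nothing there.
REMOVE_ON_DC = {"passwd program", "time server", "unix password sync",
                "name resolve order", "winbind refresh tickets", "winbind separator"}
# From the reply above: these should only be added whilst testing.
TESTING_ONLY = {"winbind enum users", "winbind enum groups"}

# Constructed sample: abridged from the [global] section posted in the first message.
SAMPLE = """\
[global]
        netbios name = EHSERVER
        workgroup = EUROHIDRA
        netbios name = EHSERVER
        server role = active directory domain controller
        passwd program = /usr/bin/passwd %u
        time server =yes
        unix password sync = yes
        name resolve order =  bcast host lmhosts wins
        winbind refresh tickets = Yes
        winbind separator = :
        winbind enum users = yes
        winbind enum groups = yes
"""

def lint_global(text):
    """Return (line_no, parameter, finding) tuples for the [global] section."""
    entries, section = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            # smb.conf parameter names are case-insensitive; normalise spacing too.
            entries.append((no, " ".join(key.lower().split()), value.strip()))
    is_dc = any(k == "server role" and v.lower() == "active directory domain controller"
                for _, k, v in entries)
    findings, first_seen = [], {}
    for no, key, _ in entries:
        if key in first_seen:
            findings.append((no, key, f"duplicate of line {first_seen[key]}"))
        first_seen.setdefault(key, no)
        if is_dc and key in REMOVE_ON_DC:
            findings.append((no, key, "remove from a DC smb.conf"))
        elif is_dc and key in TESTING_ONLY:
            findings.append((no, key, "enable only whilst testing"))
    return findings
```

Calling `lint_global(SAMPLE)` reports the repeated `netbios name` line as well as the eight parameters discussed in the reply; on a config whose server role is not an AD DC only duplicates are reported.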


Re: getent/Winbind issues

On Sat, 15 Jul 2017 16:55:07 +0100
Carlos Jesus <[hidden email]> wrote:

> > What 'database' did you copy?
> > If you are referring to 'sam.ldb', then you will undoubtedly have
> > problems.
> > You should have created a new DC by joining the computer as a new
> > DC, transferred the FSMO roles from the old DC and then demoted the
> > old DC.
> >
> >
> I performed a backup/restore as per
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
> that's why I first installed samba 4.5.0 and only then upgraded to
> 4.6.5. It has worked in the past and allows me to do it independently
> of the (remote) server that is in production.
>

You can upgrade samba by just stopping Samba and then upgrading the
Samba version on the same machine, there is no need to do what you have
been doing and it is safer.

If you want to upgrade the OS, then joining another DC on the new OS is
safer.

Basically, it boils down to the fact you should only use a backup if
you have no working DCs.

It sounds like you may have some problems in your AD, do you still have
the original DC?

Rowland
