
[Samba] AD integration not working after move/version


Henrik Johansson via samba

Mar 18, 2017, 11:30:02 AM
Hi!

I am in a bit of trouble. I have moved a Samba installation from one virtual host to another, keeping the configuration files and filesystems, but during the transition something broke: Windows users are no longer able to access their shares. I think it has to do with the AD integration. I do not know if it is because some state related to the AD integration is missing on this host, or if something has changed since the Samba version on the new host is higher. We have the same set of private files as well (passdb.tdb and secrets.tdb).

Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

Any ideas on how to debug this would be helpful. I know very little about AD integration; perhaps the virtual host needs to join the domain again and authenticate. Can I check the status of the integration in any way?

Some error messages I was able to find:

[2017/03/18 15:33:21.544063, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.554733, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.554814, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED.
[2017/03/18 15:33:21.565235, 0] rpc_client/cli_netlogon.c:459(rpccli_netlogon_sam_network_logon)
rpccli_netlogon_sam_network_logon: credentials chain check failed
[2017/03/18 15:33:21.565330, 0] auth/auth_domain.c:331(domain_client_validate)
domain_client_validate: unable to validate password for user USERX in domain DOMAINX to Domain controller DCHOSTNAME. Error was NT_STATUS_ACCESS_DENIED


Configuration, with user names and real paths removed. The only other change is that we had to switch the locale to ISO8859-1, since the argument “LOCALE” was no longer supported.

# Global parameters
[global]
log file = /var/samba/log/clientlog.%m
dns proxy = No
acl check permissions = False
netbios aliases = string1
server string = string1
name resolve order = hosts bcast
realm = DOMAIN.NET
password server = server3.string1.net sever4.string1.net
# wins server = x.x.x.x
local master = no
workgroup = WGNAME
os level = 0
domain master = no
encrypt passwords = yes
security = DOMAIN
unix charset = ISO8859-1
max log size = 50
# Fix for not to do lpstat since we don't use printers in Samba
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes


[homes]
browseable = No
comment = Home Directories
writable = yes
create mode = 775
directory mode = 775

[string2]
user = user1,user2
path = /path/string2
write list = userx,userx

[string3]
path = /string3
read only = Yes
write list = user3,user4,user5
create mask = 0760
force create mode = 0760

[home]
path = /path/home
read only = No

[string4]
path = /path
read only = Yes
write list = user9,user10,user11

[string5]
revalidate = yes
browseable = no
writeable = yes
valid users = @string5,@string6,@string7
path = /path/path

[string11]
path = /path/path2/path3
writeable = yes
valid users = @string9,string9
browseable = no
create mask = 0660
force group = groupx


[string8]
comment = Comment1 here
path = /path/string8
force group = userx
valid users = @string10, @string11
writeable = yes

Thankful for any assistance.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba

Mar 18, 2017, 12:00:03 PM
On Sat, 18 Mar 2017 16:06:28 +0100
Henrik Johansson via samba <sa...@lists.samba.org> wrote:

> Hi!
>
> I am in a bit of trouble, I have moved a samba installation from one
> virtual host to another keeping the configuration files and
> filesystems. But during the transition something broke, now windows
> users are no longer able to access their shares. I think it has to do
> with the AD integration. I do not know if it is because some state is
> missing on this host related to the AD integration or if something
> has changed since the version of samba is higher on the new host. We
> have the same set of private files also (passdb.tdb and secrets.tdb).
>
> Old version was 3.5.8 and the new version on the virtual host that
> does not work is 3.6.25.

What OS is this on?
Can you upgrade to a Samba version that is not EOL?

>
> Any ideas on how to debug this is helpful, I know very little about AD
> integration, perhaps the virtual host needs to join the domain again
> and authenticate, can I check the status of the integration in any
> way?

You will probably need to join the new domain member again.


> # Global parameters
> [global]
> log file = /var/samba/log/clientlog.%m
> dns proxy = No
> acl check permissions = False
> netbios aliases = string1
> server string = string1
> name resolve order = hosts bcast
> realm = DOMAIN.NET
> password server = server3.string1.net sever4.string1.net
> # wins server = x.x.x.x
> local master = no
> workgroup = WGNAME
> os level = 0
> domain master = no
> encrypt passwords = yes
> security = DOMAIN

Try changing 'security = DOMAIN' to 'security = ADS'

Are you running winbind or are you using something else for
authentication?

Rowland

Marc Muehlfeld via samba

Mar 18, 2017, 12:30:03 PM
Hi Henrik,

On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.

That's not really a step forward to a supported Samba version. :-)
https://wiki.samba.org/index.php/Samba_Release_Planning



> # Global parameters
> [global]
> log file = /var/samba/log/clientlog.%m
> dns proxy = No
> acl check permissions = False
> netbios aliases = string1
> server string = string1
> name resolve order = hosts bcast
> realm = DOMAIN.NET
> password server = server3.string1.net sever4.string1.net
> # wins server = x.x.x.x
> local master = no
> workgroup = WGNAME
> os level = 0
> domain master = no
> encrypt passwords = yes
> security = DOMAIN
> unix charset = ISO8859-1
> max log size = 50
> # Fix for not to do lpstat since we don't use printers in Samba
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes



First some nitpicks about your smb.conf:
* netbios aliases = string1
Makes no sense to set an alias to exactly the same name
as "server string" :-)

* password server: If there is no reason to only request some
specific servers, I would not limit this. If both are down,
Samba won't talk to other remaining DCs.

* encrypt passwords = yes
This has been the default for a long time.

These are just some improvement suggestions, not related to your problem.




Ok. And now the things that are incorrect for a Samba AD domain member:

* realm = DOMAIN.NET and workgroup = WGNAME
In this case, I would expect that "DOMAIN" is your NetBIOS domain
name ("workgroup" setting), not something different. If this
really matches your AD setup, it should work - but it's not
the recommended way to set up an AD.

* security = DOMAIN
This setting is for an NT4 domain. Use "security = ADS"

* Your ID mapping configuration is missing completely.
See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
No warranty that this works for 3.6. Our documentation only
covers supported Samba versions.




I recommend the following:

* Update Samba to a supported version (recommended: 4.6.0).
Samba 3.6 was released 2011. A lot of things regarding AD were
improved in later releases.
https://wiki.samba.org/index.php/Updating_Samba

* Read: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
I recently rewrote the doc and it works for all supported versions.



Regards,
Marc

Henrik Johansson via samba

Mar 18, 2017, 1:00:03 PM
Hi Rowland and thanks for your reply,

> On 18 Mar 2017, at 16:54, Rowland Penny via samba <sa...@lists.samba.org> wrote:
>
> On Sat, 18 Mar 2017 16:06:28 +0100
> Henrik Johansson via samba <sa...@lists.samba.org> wrote:
>
>> Hi!
>>
>> I am in a bit of trouble, I have moved a samba installation from one
>> virtual host to another keeping the configuration files and
>> filesystems. But during the transition something broke, now windows
>> users are no longer able to access their shares. I think it has to do
>> with the AD integration. I do not know if it is because some state is
>> missing on this host related to the AD integration or if something
>> has changed since the version of samba is higher on the new host. We
>> have the same set of private files also (passdb.tdb and secrets.tdb).
>>
>> Old version was 3.5.8 and the new version on the virtual host that
>> does not work is 3.6.25.
>
> What OS is this on?
> Can you upgrade to a Samba version that is not EOL?

Short summary: this is on an old Solaris 10 system; the virtual host is a Solaris zone, or rather two instances of the zone on two hosts for failover. The config is years old and I had no part in it, but we needed to upgrade Solaris, and Oracle has only managed to release 3.5.8 or something close to that as patches. I could of course compile my own version or something, but Samba was not in the scope of this operation; it just stopped working, which is a huge problem, and it can be because we needed to switch to the other zone or because the config did not work with this slightly newer version.

>
>>
>> Any ideas on how to debug this is helpful, I know very little about AD
>> integration, perhaps the virtual host needs to join the domain again
>> and authenticate, can I check the status of the integration in any
>> way?
>
> You will probably need to join the new domain member again.

I’m trying, and getting:

kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found in Kerberos database
Failed to join domain: failed to connect to AD: Server not found in Kerberos database


>
>
>> # Global parameters
>> [global]
>> log file = /var/samba/log/clientlog.%m
>> dns proxy = No
>> acl check permissions = False
>> netbios aliases = string1
>> server string = string1
>> name resolve order = hosts bcast
>> realm = DOMAIN.NET
>> password server = server3.string1.net sever4.string1.net
>> # wins server = x.x.x.x
>> local master = no
>> workgroup = WGNAME
>> os level = 0
>> domain master = no
>> encrypt passwords = yes
>> security = DOMAIN
>
> Try changing 'security = DOMAIN' to 'security = ADS'
>
> Are you running winbind or are you using something else for
> authentication ?

I am under the impression that it’s kerberos.

Henrik Johansson via samba

Mar 18, 2017, 1:00:03 PM
Hi Marc, and thanks for your reply,


> On 18 Mar 2017, at 17:26, Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:
>
> Hi Henrik,
>
> On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
>> Old version was 3.5.8 and the new version on the virtual host that does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning
>

I just replied to the first answer I got and wrote a bit about the background: it’s Solaris 10 with the provided Samba. I will look through your suggestions and try to create a new config; I would however like to just get it working as it was before right now, and then take care of improvements when it’s not a disturbance for customers (and not after a long night working on the weekend ;) ). I’ll try to see if I can recreate the “unconfigured” behaviour with id-mapping for now.
Thank you, it looks like I have stumbled on an old configuration that has not been maintained. I’ll do my best to get up to speed on Samba and see if I can get a working configuration and/or new version and get it to work.

Regards
Henrik

Rowland Penny via samba

Mar 18, 2017, 1:40:03 PM
On Sat, 18 Mar 2017 17:26:11 +0100
Marc Muehlfeld via samba <sa...@lists.samba.org> wrote:

> Hi Henrik,
>
> On 18.03.2017 at 16:06, Henrik Johansson via samba wrote:
> > Old version was 3.5.8 and the new version on the virtual host that
> > does not work is 3.6.25.
>
> That's not really a step forward to a supported Samba version. :-)
> https://wiki.samba.org/index.php/Samba_Release_Planning

Some people cannot upgrade, so they have to use what they have, but
without knowing what OS the OP is using, we don't know if they can
upgrade easily.

>
> First some nitpicks about your smb.conf:
> * netbios aliases = string1
> Makes no sense to set an alias to exactly the same name
> as "server string" :-)

Why?

>
> * password server: If there is no reason to only request some
> specific servers, I would not limit this. If both are down,
> Samba won't talk to other remaining DCs.

That is correct and 'man smb.conf' tells you not to do it this way, but
who reads manpages ;-)

>
> * encrypt passwords = yes
> This has been the default for a long time.

It doesn't matter if there or not.

>
> Ok. And now the things that are incorrect for a Samba AD domain
> member:
>
> * realm = DOMAIN.NET and workgroup = WGNAME
> In this case, I would expect that "DOMAIN" is your NetBIOS domain
> name ("workgroup" setting), not something different. If this
> really matches your AD setup, it should work - but it's not
> the recommended way to set up an AD.

Well, Microsoft says you can use a netbios domain name that is
different from the left part of the DNS name, so I suppose Samba
should as well.


> * Your ID mapping configuration is missing completely.
> See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
> No warranty that this works for 3.6. Our documentation only
> covers supported Samba versions.

I noticed it was missing as well, but the OP could be using something
else instead of winbind. 'idmap config' existed in 3.6.0, so it should
work.

> I recommend the following:
>
> * Update Samba to a supported version (recommended: 4.6.0).
> Samba 3.6 was released 2011. A lot of things regarding AD were
> improved in later releases.

Why recommend something that the OP might not be able to do, without
all the facts?

Rowland

Rowland Penny via samba

Mar 18, 2017, 2:10:03 PM
On Sat, 18 Mar 2017 17:49:31 +0100
Henrik Johansson <hen...@henkis.net> wrote:

> Hi Rowland and thanks for your reply,
>

>
> Short summary: this is on an old Solaris 10 system, the virtual host
> is a Solaris zone, or two instances of the zone on two hosts for
> failover. The config is years old and I had no part in this, but we
> needed to upgrade Solaris; Oracle has only managed to release 3.5.8 or
> something close to that as patches. I could of course compile my own
> version or something but Samba was not the scope for this operation,
> it just stopped working which is a huge problem, and it can be
> because we needed to switch to the other zone or because the config
> did not work with this slightly newer version.
>

OK, I wonder if you are running into the result of the badlock patches ?

>
> kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not
> found in Kerberos database Failed to join domain: failed to connect
> to AD: Server not found in Kerberos database

What is the DC?
What have you got in /etc/krb5.conf (or wherever it is)?
Does /etc/resolv.conf use the DC as the first nameserver?

>
> I am under the impression that it’s kerberos.
>

Samba uses winbind to talk to AD, so your first step will probably need
to be, adding the idmap config lines as suggested by Marc.
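
An added example (not part of the thread and not Samba's own tooling) that ties together Marc's two corrections for an AD domain member and Rowland's point above that winbind needs the 'idmap config' lines: a POSIX shell pre-flight check that parses an smb.conf [global] section and reports 'security' not being ADS, a missing realm, and missing 'idmap config' lines. The two configurations inside it are constructed from the [global] section posted in the thread; the rid back end, the ranges and 'winbind use default domain' in the corrected sample are assumptions modelled on the wiki page Marc linked, not values the thread gives, so they have to be adapted to the real domain.

```sh
#!/bin/sh
# Added example (not from the thread, not Samba's own tooling): a static
# pre-flight check of an smb.conf for an AD domain member, covering the two
# problems raised in the thread: 'security' must be ADS, and winbind needs
# 'idmap config' lines. Against a real file: check_ad_member "$(cat smb.conf)"

# Constructed sample 1: the [global] section as posted in the thread
# (placeholder names as in the thread). Expected to fail the check.
OLD_CONF='[global]
realm = DOMAIN.NET
workgroup = WGNAME
encrypt passwords = yes
security = DOMAIN
unix charset = ISO8859-1

[homes]
browseable = No'

# Constructed sample 2: the same [global] corrected for an AD member.
# The rid back end, the ranges and "winbind use default domain" are
# assumptions (typical values from the Samba wiki), not values the thread
# gives; adjust them to the real domain.
NEW_CONF='[global]
realm = DOMAIN.NET
workgroup = WGNAME
security = ADS
# Default mapping for BUILTIN and any domain not listed below.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# Deterministic RID-based mapping for the domain itself.
idmap config WGNAME : backend = rid
idmap config WGNAME : range = 10000-999999
winbind use default domain = yes
unix charset = ISO8859-1

[homes]
browseable = No'

# Print only the [global] section, with comment lines removed.
global_section() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global     { print }'
}

# Value of one [global] parameter (key matched case-insensitively, whitespace
# around "=" ignored). Prints nothing when the parameter is absent.
conf_value() {
    global_section "$1" | awk -F= -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        tolower(k) == tolower(key) {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit }'
}

# Number of "idmap config" lines in [global].
idmap_line_count() {
    global_section "$1" | awk 'tolower($0) ~ /^[ \t]*idmap config/ { n++ } END { print n + 0 }'
}

# Returns 0 when the [global] section looks usable for an AD member,
# 1 otherwise; each problem found is printed on its own line.
check_ad_member() {
    conf=$1
    rc=0
    sec=$(conf_value "$conf" security | tr 'a-z' 'A-Z')
    if [ "$sec" != "ADS" ]; then
        echo "security = ${sec:-<unset>}: an AD member needs security = ADS (DOMAIN is the NT4 setting)"
        rc=1
    fi
    if [ -z "$(conf_value "$conf" realm)" ]; then
        echo "realm is unset: needed for Kerberos against the AD DCs"
        rc=1
    fi
    if [ "$(idmap_line_count "$conf")" -eq 0 ]; then
        echo "no 'idmap config' lines: winbind has no ID mapping back end for domain users"
        rc=1
    fi
    return $rc
}

# Stand-alone run: report on both constructed samples.
echo "as posted:";  if check_ad_member "$OLD_CONF"; then echo "  OK"; fi
echo "corrected:";  if check_ad_member "$NEW_CONF"; then echo "  OK"; fi
```

This checks text only; on the host itself `testparm -s` is the authoritative parser for the parameter names the installed Samba version accepts, which matters for the 3.6 series Marc mentions.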

Marc Muehlfeld via samba

Mar 18, 2017, 2:30:02 PM
On 18.03.2017 at 18:27, Rowland Penny via samba wrote:
>> First some nitpicks about your smb.conf:
>> * netbios aliases = string1
>> Makes no sense to set an alias to exactly the same name
>> as "server string" :-)
>
> Why ?

Sorry, my fault. I mixed "server string", which is just a comment, with
"netbios name".




>> * encrypt passwords = yes
>> This has been the default for a long time.
>
> It doesn't matter if there or not.

Doesn't "this is default" mean exactly that it does not matter if it's
there or not?




>> Ok. And now the things that are incorrect for a Samba AD domain
>> member:
>>
>> * realm = DOMAIN.NET and workgroup = WGNAME
>> In this case, I would expect that "DOMAIN" is your NetBIOS domain
>> name ("workgroup" setting), not something different. If this
>> really matches your AD setup, it should work - but it's not
>> the recommended way to set up an AD.
>
> Well, Microsoft says you can use a netbios domain name that is
> different from the left part of the DNS name, so I suppose Samba
> should as well.

I just said that it's not recommended; neither that it's not allowed nor
that it's not working.




>> * Your ID mapping configuration is missing completely.
>> See https://wiki.samba.org/index.php/Identity_Mapping_Back_Ends
>> No warranty that this works for 3.6. Our documentation only
>> covers supported Samba versions.
>
> I notice it was missing as well, but the OP could be using something
> else instead of winbind. 'idmap config' existed on 3.6.0, so it should
> work.

Samba does only support Winbind, and not "something else". :-)

I know we had "idmap config" in 3.6, but it was still new that time.
Mentioning that the Wiki docs for the latest versions might not work
for the 6 year old 3.6 series seems reasonable to me, because parameters
might have been added/removed and defaults changed.




>> I recommend the following:
>>
>> * Update Samba to a supported version (recommended: 4.6.0).
>> Samba 3.6 was released 2011. A lot of things regarding AD were
>> improved in later releases.
>
> Why recommend something, that the OP might not be able to do, without
> all the facts.

Based on the facts we have (he is running 3.6), I recommend updating. If
he is not able to update, e.g. because Samba fails to build on his OS,
he will tell us.


Regards,
Marc

Henrik Johansson via samba

Mar 18, 2017, 3:00:03 PM

>>
>> Short summary: this is on an old Solaris 10 system, the virtual host
>> is a Solaris zone, or two instances of the zone on two hosts for
>> failover. The config is years old and I had no part in this, but we
>> needed to upgrade Solaris; Oracle has only managed to release 3.5.8 or
>> something close to that as patches. I could of course compile my own
>> version or something but Samba was not the scope for this operation,
>> it just stopped working which is a huge problem, and it can be
>> because we needed to switch to the other zone or because the config
>> did not work with this slightly newer version.
>>
>
> OK, I wonder if you are running into the result of the badlock patches ?
>

Yes, I am having badluck! Thank you so much, I solved it not by upgrading but by downgrading below 3.6.25, so without badlock for the time being. That solved the urgent problem, but we need to have a plan to go to a later version, under well-tested conditions. Thanks again!

Regards
Henrik

Gaiseric Vandal via samba

Mar 18, 2017, 6:20:03 PM
Compiling Samba on Solaris 10 is a major pain in the ...

Solaris 11 shipped with Samba 3.x but has patches up to Samba 4.7.x (you may need a support contract to be able to pull the latest version). There is a little bit of a learning curve with Solaris 11; editing /etc/nsswitch.conf now involves some complicated magic commands. Samba 4.7.x worked AOK.