
[Samba] Problem with Winbind and Windows Clients


Oliver Werner

Mar 11, 2016, 3:00:04 AM
Hi,

I have a permanent problem with my Samba members. They lose their connections to the DCs after some time and I need to restart winbind.

Also the same problem with Windows clients that are running 24x7. After a few days I cannot log in.

I think that's a problem with Kerberos tickets.

I have checked the Samba logs and found that the Samba member and the Windows client ask for new tickets and get a new expiration.

On my DCs I have set

kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120

and the master krb5.conf looks like this:

[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 1d
renew_lifetime = 5d

[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
kdc = vl0230.hq.kontrast
kdc = pl0231.hq.kontrast
master_kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}

[domain_realm]
.hq.kontrast = HQ.KONTRAST
hq.kontrast = HQ.KONTRAST

[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = FILE:/var/log/kadmind.log


So what I saw was that the GPOs are empty by default. Do I need to configure a Kerberos policy for winbind?

kind regards
OLIVER WERNER
System-Administrator





Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>

Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist

<https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>

Note: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer.

Please consider the environment and only print this if required.



Oliver Werner

Mar 11, 2016, 3:10:03 AM
Here is smb.conf

[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast

log file = /var/log/samba/%m.log
log level = 3

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
winbind refresh tickets = yes


# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023

# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307



L.P.H. van Belle

Mar 11, 2016, 3:10:03 AM
Please post your member smb.conf.

But probably you're missing:
winbind refresh tickets = yes
and/or
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab


greetz,

Louis




L.P.H. van Belle

Mar 11, 2016, 3:20:03 AM
Besides 2 x winbind refresh tickets = yes

This looks good.

At what "interval" is this happening?

Every day, every week? Is it consistent?

This is often a time sync problem, but I do recall a previous message of yours.

Your time is in sync? Servers and PCs, and you use a pool ntp. But a stratum 1 or 2 ntp.

Pools can cause out-of-syncs.

Another option is to set the GPO for Kerberos, but this is normally not needed.

Other question: is this a "cloned" Windows, and did you sysprep? (Must ask, sorry.)

Last, what is the Windows event log telling you when you're trying to log in? It can be very useful.

I'm asking all of the above because I also have multiple PCs always on and I don't see this problem here.

I'm using 4.2.9 SerNet Samba for the DC.

Members vary between 4.1.17 up to 4.3.4, depending on their function/services they're running.

Greetz,

Louis


Rowland penny

Mar 11, 2016, 4:00:06 AM
I think you may be over-thinking kerberos, where did you get:

kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120

Also where did you set it ?

You have this in krb5.conf:

dns_lookup_kdc = true

and this:

[realms]
HQ.KONTRAST = {
kdc = vl0227.hq.kontrast
kdc = vl0230.hq.kontrast
kdc = pl0231.hq.kontrast
master_kdc = vl0227.hq.kontrast
admin_server = vl0227.hq.kontrast
}

man krb5.conf contains this:

dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs
and other servers for a realm, if they are not listed in the information
for the realm. The default is to use these records.

You seem to be overriding the defaults, I would reset krb5.conf (on all
samba machines) to just this:

[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true

Rowland

Oliver Werner

Mar 11, 2016, 4:10:02 AM
Hi Rowland,

Also change on DCs to

[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true

?

I used a wiki article and it was listed there for the DC.

The config I posted was only for vl0227 (my master DC).

All other machines have the config you prefer.

Rowland penny

Mar 11, 2016, 4:20:03 AM
On 11/03/16 09:04, Oliver Werner wrote:
> Hi Rowland,
>
> Also change on DCs to
>
> [libdefaults]
> default_realm = HQ.KONTRAST
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> ?

Yes, this is the default, created by the provision.

>
> I used a wiki article and it was listed there for the DC.

What Samba wiki page did you find this on?

>
> The config I posted was only for vl0227 (my master DC).
>
> All other machines have the config you prefer.
>

Where did you find the 'kdc' lines:

kdc:service ticket lifetime = 1
kdc:user ticket lifetime = 24
kdc:renewal lifetime = 120


Oliver Werner

Mar 11, 2016, 4:30:03 AM
OK, so maybe I have misunderstood the part with krb5.conf.

So I will test that one.

The kdc lines I found here:

https://wiki.samba.org/index.php/Samba_KDC_Settings



L.P.H. van Belle

Mar 11, 2016, 4:40:03 AM
Ah..

So every 5 days this happens, correct?

Solution: reboot your PC every 4.99999999 days.

This way it gets a new ticket and the old one isn't reused.

As it states on the site:

"tickets can be renewed for a maximum of 5 days from the date of original issue."

Greetz,

Louis
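
As an added illustration (not code from any poster or from the Samba project), the script below reads the smb.conf lines quoted in this thread, flags parameters that are set twice, and works out when a ticket issued under the three kdc: values stops being renewable. It assumes those values are hours, which matches the "5 days" quoted above; the merged sample, the login time and all function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the kdc: lines from the first post plus the
# Kerberos/winbind lines of the member smb.conf, merged into one [global].
SAMPLE_SMB_CONF = """\
[global]
    kdc:service ticket lifetime = 1
    kdc:user ticket lifetime = 24
    kdc:renewal lifetime = 120
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    winbind cache time = 300
    winbind refresh tickets = yes
"""

# Assumption: the three kdc: values are hours (120 h = the quoted "5 days").
KDC_KEYS = {
    "kdc:serviceticketlifetime": "service_ticket",
    "kdc:userticketlifetime": "user_ticket",
    "kdc:renewallifetime": "renewal",
}


def normalize(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return [(line_no, normalized_name, value)] for the [global] section."""
    entries, section = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = normalize(header.group(1))
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            entries.append((line_no, normalize(name), value.strip()))
    return entries


def duplicates(entries):
    """Map each parameter set more than once to the lines where it appears."""
    seen = {}
    for line_no, name, _ in entries:
        seen.setdefault(name, []).append(line_no)
    return {name: lines for name, lines in seen.items() if len(lines) > 1}


def kdc_lifetimes(entries):
    """Collect the kdc: lifetimes as timedeltas (last occurrence wins)."""
    found = {}
    for _, name, value in entries:
        if name in KDC_KEYS:
            found[KDC_KEYS[name]] = timedelta(hours=int(value))
    return found


def ticket_timeline(first_login, lifetimes):
    """Expiry points for tickets first issued at first_login."""
    return {
        "service_ticket_expires": first_login + lifetimes["service_ticket"],
        "tgt_expires_unless_renewed": first_login + lifetimes["user_ticket"],
        "renew_until": first_login + lifetimes["renewal"],
    }


def needs_new_login(now, first_login, lifetimes):
    """True once renewal is no longer possible and a fresh TGT is required."""
    return now >= first_login + lifetimes["renewal"]


if __name__ == "__main__":
    entries = parse_global(SAMPLE_SMB_CONF)
    for name, lines in duplicates(entries).items():
        print(f"duplicate parameter {name!r} on lines {lines}")
    lifetimes = kdc_lifetimes(entries)
    login = datetime(2016, 3, 11, 9, 0)  # constructed login time
    for label, when in ticket_timeline(login, lifetimes).items():
        print(f"{label}: {when:%Y-%m-%d %H:%M}")
```
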

 

 

 


Rowland penny

Mar 11, 2016, 4:50:05 AM
On 11/03/16 09:40, Oliver Werner wrote:
> Haha, really? :D
>
> It should be possible without a reboot, no?
>

Yes, remove the kdc lines :-D

L.P.H. van Belle

Mar 11, 2016, 4:50:05 AM
Yes, that's possible also, but I don't know if that's possible with the KDC settings from Samba.

I don't use them. If you want, you can set things like in GPO, but normally not needed IMO.

So I suggest: remove the KDC settings, restart the DCs, reboot the computer and wait to see what happens.

Maybe Rowland or another Samba dev can tell more about the KDC setting, but I can, just don't know, haven't tried them yet.

Greetz,

Louis

 

 

 



Oliver Werner

Mar 11, 2016, 4:50:05 AM
Haha, really? :D

It should be possible without a reboot, no?


Rowland penny

Mar 11, 2016, 5:00:02 AM
On 11/03/16 09:45, L.P.H. van Belle wrote:
> Yes, that's possible also, but I don't know if that's possible with the KDC settings from Samba.
>
> I don't use them. If you want, you can set things like in GPO, but normally not needed IMO.
>
> So I suggest: remove the KDC settings, restart the DCs, reboot the computer and wait to see what happens.
>
> Maybe Rowland or another Samba dev can tell more about the KDC setting, but I can, just don't know, haven't tried them yet.
>
> Greetz,
>
> Louis
>

I personally didn't know about these settings, there is nothing in 'man
smb.conf' about them. The wiki page was written by somebody called
'Damien Dye' in January 2014. I will dive into Samba git and see if I
can find when they went in, then ask why they are only documented on the
wikipage.

L.P.H. van Belle

Mar 11, 2016, 5:00:04 AM
Forgot to mention.

For the GPO settings:

Here are the settings you can play with, but again, normally not needed.

https://technet.microsoft.com/en-us/library/dn751050.aspx

I have 3 Windows 7 (64bit), they only reboot for Windows security updates. (This is done automatically.)

And I'm running with default settings and these work fine here.

Greetz.

Louis

 



Oliver Werner

Mar 11, 2016, 5:00:04 AM
OK, now my smb.conf on the DCs looks like this:

[global]
workgroup = HQKONTRAST
realm = HQ.KONTRAST
netbios name = VL0227
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
interfaces = eth0:35
bind interfaces only=yes
log level = 3

tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/key.pem
tls certfile = /var/lib/samba/private/tls/cert.pem
tls cafile = /var/lib/samba/private/tls/ca.pem


On the member, smb.conf:
[global]
netbios name = VL0173
security = ADS
workgroup = HQKONTRAST
realm = hq.kontrast

log file = /var/log/samba/%m.log
log level = 3

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300


# Default idmap config used for BUILTIN and local accounts/groups
idmap config *:backend = tdb
idmap config *:range = 500-1023

# idmap config for domain HQKONTRAST
idmap config HQKONTRAST:backend = ad
idmap config HQKONTRAST:schema_mode = rfc2307
idmap config HQKONTRAST:range = 1024-99999

# Use settings from AD for login shell and home directory
winbind nss info = rfc2307

And on all machines, krb5.conf:
[libdefaults]
default_realm = HQ.KONTRAST
dns_lookup_realm = false
dns_lookup_kdc = true

I will test it over the next days.

Thanks for the help right now :D

kind regards

L.P.H. van Belle

Mar 11, 2016, 5:10:04 AM
I believe this was still experimental, since the devs are still working on this.
But I can find/remember where I did see this, I think the bugs site or some changelog.

Greetz,

Louis



Rowland penny

Mar 11, 2016, 7:10:04 AM
On 11/03/16 10:02, L.P.H. van Belle wrote:
> I believe this was still experimental, since the devs are still working on this.
> But I can find/remember where I did see this, I think the bugs site or some changelog.
>
> Greetz,
>
> Louis
>
>
>

Hi Louis, I think you might be mixing 'kdc' up with 'kcc'; the latter is,
as far as I am aware, the one that is still being worked on.

Anyway, your mention of a bug report sent me searching there (I cannot
find anything in git) and I found there is a bug report for this:
https://bugzilla.samba.org/show_bug.cgi?id=10461

So it looks as if the lines are valid, but I cannot find out any more
than this.

Oliver Werner

Mar 15, 2016, 5:50:03 AM
Hi,

So now I have the same problem with logins.

On the Linux AD member I need to restart winbind again and again for the Samba shares to work.
On Windows clients I need to restart the machine completely.

So now I don't have any idea.

kind regards


L.P.H. van Belle

Mar 15, 2016, 6:20:02 AM
Ok, next test.

Change :
kerberos method = secrets and keytab
to
kerberos method = secrets

and wait again.

I'll explain by giving this link.
http://changelogs.ubuntu.com/changelogs/pool/main/s/samba/samba_4.3.6+dfsg-1ubuntu1/changelog

Look at the last line bugfix in this change log of 4.3.6.
I'm testing here also, because this looks like it also involves the Kerberos changes. Now, I forgot what you were running, but this is an easy test.

Is ntp installed on this machine? If not, install it and point it to the DC.
Just to be sure.
On the DCs, make sure your DCs don't use any pool ntp servers.
Point them to a stable ntp (preferably in Germany, like ntps1-0.eecsit.tu-berlin.de (130.149.17.21)).


Greetz,

Louis




Oliver Werner

Mar 17, 2016, 8:10:05 AM
Hi Louis,

I will try it today.

I saw some errors like this in the logs.

[2016/03/17 11:44:16.406677, 3] ../source3/winbindd/winbindd_rpc.c:303(rpc_name_to_sid)
name_to_sid: UNIX GROUP\KONTRAST_INTERN for domain UNIX GROUP
[2016/03/17 11:44:16.406857, 2] ../source3/winbindd/winbindd_rpc.c:320(rpc_name_to_sid)
name_to_sid: failed to lookup name: NT_STATUS_NONE_MAPPED



Any Idea?

Greetz,
Oliver




Oliver Werner

Mar 18, 2016, 4:20:03 AM
Hi,

The next test failed.

My Windows clients lose AD authentication every time, so I need to reboot.
On Samba I also need to restart the winbind service since some hours…

Here are my Samba and winbind versions:

Samba: Version 4.1.17-Debian
Winbind: Version 4.1.17-Debian


Greetz


L.P.H. van Belle

Mar 18, 2016, 4:40:04 AM
Ok,

Is it still every 5 days?

Change krb5.conf on the DC and member servers to:

[libdefaults]
    default_realm = HQ.KONTRAST
    dns_lookup_kdc = true
    dns_lookup_realm = false
    ticket_lifetime = 24h
    ccache_type = 4
    forwardable = true
    proxiable = true

Now reboot the DC, the member and the PC.

This is how I run my config and I have multiple PCs always logged in.

My last option. :-/ Your configs are good, so I'm getting out of options.

Optionally you can also try to recreate your keytab file (back up the old one).

But that's normally not needed; I do that if I change, for example, "password expires" on a service account user.

Greetz,

Louis

 

 

 

 

 



L.P.H. van Belle

Mar 22, 2016, 6:20:04 AM
Any errors atm in syslog and/or messages and the Samba logs?

And the interval of the problem, still 5 days?

Gr.

Louis

 

 

 


From: Oliver Werner [mailto:oliver...@kontrast.de]
Sent: Tuesday, 22 March 2016 11:00
To: L.P.H. van Belle
CC: sa...@lists.samba.org
Subject: Re: [Samba] Problem with Winbind and Windows Clients

Hi,

now I have tested again with libdefaults and the same problems again… :(

So maybe we can find the next tests with this information:

1.

The problem looks like it only happens on systems where many users log in.

I have an archive system as Samba member where ~10 users log in => here we do not have the issue.

Also I have Windows clients where only 3 persons can log in => it also does not happen.

BUT:

Samba member where ~80-100 users log in over a day => the problem will happen.

Also I have a Windows client where ~80-100 users log in; there it will also happen.

2.

I'm using Samba 4.1.17 Debian pkg.

kind regards

On 18.03.2016 at 09:47, Oliver Werner <oliver...@kontrast.de> wrote:

Ok, I will test it.

So I have one more piece of information that can maybe help?

The problem looks like it only happens on systems where many users log in.

I have an archive system as Samba member where ~10 users log in => here we do not have the issue.

Also I have Windows clients where only 3 persons can log in => it also does not happen.

BUT:

Samba member where ~80-100 users log in over a day => the problem will happen.

Also I have a Windows client where ~80-100 users log in; there it will also happen.

Can that help for more ideas :)?

Oliver Werner

Mar 22, 2016, 6:30:04 AM
My logs look OK, I can't find errors…

My last restart of Samba and winbind was 2 days ago.

Now after restarting winbind (not Samba) it works again for the next…

Linux knows the ID of the group (used with force user in the share) but lost wbinfo -g

Here is the config of my share where it happens.

[Kundendaten]
path = /daten/kundendaten
browseable = yes
writeable = yes
force group = Kontrast_Intern
valid users = @Kontrast_Intern
create mask = 0660
directory mask = 0770
#oplocks = 0
vfs objects = full_audit recycle
full_audit:prefix = %u
full_audit:success = mkdir rename rmdir unlink pwrite
full_audit:failure = none
full_audit:facility = LOCAL5
full_audit:priority = NOTICE
recycle:versions = yes
recycle:exclude = .*, ~*


Next information:
Our DCs are in a different VLAN than the member and Windows clients, so maybe there is a problem?

Multi-/Anycast?



kind regards



L.P.H. van Belle

Mar 22, 2016, 7:20:06 AM
The only thing I can think of now is to enable higher log levels on the problem member server so we can have a better look into the problem.
I'm out of options, your config looks good, and I don't think it's the VLANning.

Add in smb.conf something like:

log level = 3 passdb:5 auth:10 winbind:10

and wait again until the problem exists.

You may need to increase the max log size.

Rowland, do you have any suggestions?

Greetz,

Louis

 

 

 

 

 

