from:"Tobias Hennerich"

Re: [Samba] samba not using nearest ADS server

2009-04-06 Thread Tobias Hennerich

Hello James,

sorry for the long delay...

> I had problems with trusted domains when I migrated to Samba 3.2.  We
> ended up just deleting the trusts, as they weren't necessary for us but
> in your case I don't think that's possible.

No, in fact this is no solution for us :-)

> Do you get the delay when a German user who is only a member of global
> groups for the DE domain logs in?

The reason for my long delay was to get such an user for testing:

Even the group "Domain Users" is member of other universal groups and
(surprise!) one of these groups in located in the UK and another one is
located in the US.

So I have now an reason why the samba is connecting to the US and to UK -
but sill no explanation:

There exists an Global Catalog Server in germany, which should replicate 
the information locally. Why is samba not connecting to that machine?

Best regardsTobias




> If you set up a test box with "Allow Trusted Domains = No" do you still
> see the delay?
> 
> James ZuelowCBJ MIS (907)586-0236
> Network Specialist...Registered Linux User No. 186591 

On Tue, Mar 24, 2009 at 12:48:25PM -0800, James Zuelow wrote:
> 
> 
> > -Original Message-
> > From: 
> > samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba.org 
> > [mailto:samba-bounces+james_zuelow=ci.juneau.ak...@lists.samba
> .org] On Behalf Of Tobias Hennerich
> > Sent: Tuesday, 24 March, 2009 11:23
> > To: Mark Casey
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] samba not using nearest ADS server
> > 
> > Hello Mark,
> > 
> > thank you for your reply!
> > 
> > > First, I am assuming from your message that this network 
> > trace was from 
> > > one ssh attempt, is that correct? 
> > 
> > Yes, that is one login. It doesn't matter if we use ssh or another
> > process who needs information about a user. I think we get the same
> > result if we just switch to a user from root via "su - user".
> > 
> > > I also gather you are in the germany site? 
> > 
> > Yes, the login was a german user to the german server. That user is in
> > some universal ADS groups, which are located in germany, too.
> > 
> I had problems with trusted domains when I migrated to Samba 3.2.  We
> ended up just deleting the trusts, as they weren't necessary for us but
> in your case I don't think that's possible.
> 
> Do you get the delay when a German user who is only a member of global
> groups for the DE domain logs in?
> 
> If you set up a test box with "Allow Trusted Domains = No" do you still
> see the delay?
> 
> James ZuelowCBJ MIS (907)586-0236
> Network Specialist...Registered Linux User No. 186591 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] samba not using nearest ADS server

2009-03-24 Thread Tobias Hennerich

Hello Mark,

thank you for your reply!

> First, I am assuming from your message that this network trace was from 
> one ssh attempt, is that correct? 

Yes, that is one login. It doesn't matter if we use ssh or another
process who needs information about a user. I think we get the same
result if we just switch to a user from root via "su - user".

> I also gather you are in the germany site? 

Yes, the login was a german user to the german server. That user is in
some universal ADS groups, which are located in germany, too.

> So it looks like the auth attempts went to UK and US first before 
> using your local DC? Please correct me if this is not right.

That is correct, the samba connected first to UK and US, then to the
german AD.

> Also, I'm not quite up to speed with ADS topologies... so is this a 
> single domain with various sites set up with "AD Sites and Services"? or 
> is it multiple domains that trust? 

Each site has it's own ADS domain which trust each other.

> or perhaps one domain in a default 
> site just with routers/mpls handling the jump between subnets?

I didn't understand that part of your question completly :-( Each site
has an class-b network, (germany: 10.49.0.0/16, uk: 10.44.0.0/16 ...) and
the machines have a default route to the next local MPLS-router (more
or less).

Best regardsTobias


On Tue, Mar 24, 2009 at 01:33:23PM -0500, Mark Casey wrote:
> Tobias Hennerich wrote:
> > Hello,
> >
> > up to now no response to this mail :-(
> >
> > Is no one using samba in a wide area network or has no one ever noticed
> > such a problem as we are doing?
> >
> > Tobias
> >
> >
> > On Thu, Mar 19, 2009 at 05:40:46PM +0100, Tobias Hennerich wrote:
> >   
> >> Hello,
> >>
> >> we integrated an samba v3.2.8 into a bigger ADS environment which is
> >> connected via MPLS world wide. Everything works as expected, but the login
> >> via SSH is slow:
> >>
> >> After entering the login name in ssh we can see via tcpdump network
> >> traffic to different ADS controllers:
> >>
> >> First a connection from Germany to UK:
> >>
> >> 17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> >> 17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
> >> 17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> >> 17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> >> 17:16:47.971704 IP 10.49.x.y.37722 >

Re: [Samba] samba not using nearest ADS server

2009-03-24 Thread Tobias Hennerich

Hello,

up to now no response to this mail :-(

Is no one using samba in a wide area network or has no one ever noticed
such a problem as we are doing?

Tobias


On Thu, Mar 19, 2009 at 05:40:46PM +0100, Tobias Hennerich wrote:
> Hello,
> 
> we integrated an samba v3.2.8 into a bigger ADS environment which is
> connected via MPLS world wide. Everything works as expected, but the login
> via SSH is slow:
> 
> After entering the login name in ssh we can see via tcpdump network
> traffic to different ADS controllers:
> 
> First a connection from Germany to UK:
> 
> 17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> 17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
> 17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
> 17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
> 17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .
> 
> then a connection from Germany to the United States:
> 
> 17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
> 17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
> 17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
> 17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
>

[Samba] samba not using nearest ADS server

2009-03-19 Thread Tobias Hennerich

Hello,

we integrated an samba v3.2.8 into a bigger ADS environment which is
connected via MPLS world wide. Everything works as expected, but the login
via SSH is slow:

After entering the login name in ssh we can see via tcpdump network
traffic to different ADS controllers:

First a connection from Germany to UK:

17:16:43.867219 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.092774 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.092785 IP 10.49.x.y.37722 > 10.44.x.y.389: .
17:16:44.093054 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.265776 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.265987 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.647671 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.693567 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.693840 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:44.922527 IP 10.44.x.y.389 > 10.49.x.y.37722: .
17:16:44.997865 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:44.998074 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.314621 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.314831 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.577894 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.578100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.791494 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.791702 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:45.982034 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:45.982240 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.189828 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.190037 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.365426 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.365633 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.596653 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.596900 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:46.802280 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:46.802487 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.006571 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.006783 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.325662 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.325868 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.577930 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.578140 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.775371 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.775577 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:47.971495 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:47.971704 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.186311 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.186521 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.430837 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.431043 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.622070 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.622274 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:48.816862 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:48.817100 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.061838 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.062951 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.268437 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.268634 IP 10.49.x.y.37722 > 10.44.x.y.389: P
17:16:49.426980 IP 10.44.x.y.389 > 10.49.x.y.37722: P
17:16:49.466643 IP 10.49.x.y.37722 > 10.44.x.y.389: .

then a connection from Germany to the United States:

17:16:49.547138 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.693649 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.693662 IP 10.49.x.y.37731 > 10.3.x.y.389: .
17:16:49.693849 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.843729 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.843918 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:49.992361 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:49.992553 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.129522 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.129715 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.298217 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.298406 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.447220 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.447408 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.589299 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.589487 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.748952 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.749139 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:50.902596 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:50.902787 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.048477 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.048669 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.16 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.200183 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.343439 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.343626 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.509961 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.510146 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.666507 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.96 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.809460 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.809759 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:51.950416 IP 10.3.x.y.389 > 10.49.x.y.37731: P
17:16:51.950732 IP 10.49.x.y.37731 > 10.3.x.y.389: P
17:16:52.097813 I

[Samba] Strange problems with ADS-groups and winbindd

2009-01-19 Thread Tobias Hennerich

Hello,

we experience some strange problems with group memberships of ADS users
using samba v3.2.4 on SLES-9. An upgrade to v3.2.7 didn't help.

Changes to the membership of users in ADS universal groups doesn't take
effect at all or take long time (1 day) to be seen on the linux side.

For example the command "net" shows the following GIDs of a user:

# for i in $(net ads user info thenneri -U xxx)
  do
getent group $i | awk -F : '{ print $3 }'
  done | sort
Enter xxx's password:
10006
10007
10008
10009
10011
10374

The wbinfo shows the following GIDs of the same user:

# wbinfo -r thenneri | sort
10003
10005
10006
10007
10008
10009
10010
10011

10005 is "domain users" - seems to be ok.
10003 is "BUILTIN\users" - I have no idea, how I get into that group.

The group 10010 is wrong! The group 10374 is missing!

After deleting some cache files from winbind, the output of wbinfo looks
more like the net command:

# /etc/init.d/winbind stop
Shutting down Samba WINBIND daemon done

# cd /var/lib/samba
# mv netsamlogon_cache.tdb netsamlogon_cache.tdb.OLD
# mv winbindd_cache.tdb winbindd_cache.tdb.OLD

# /etc/init.d/winbind start
Starting Samba WINBIND daemon done

# wbinfo -r thenneri | sort
10003
10005
10006
10007
10008
10009
10010
10011
10374

The group 10010 is still wrong, but now the missing group 10374 is shown
with both commands.

This output doesn't change for the next few hours until we restart the
nmb-daemon (?!? - restarting winbind or smb doesn't have any effect) :

# /etc/init.d/nmb restart
Shutting down Samba NMB daemon done
Starting Samba NMB daemon done

# wbinfo -r thenneri | sort
10003
10005
10006
10007
10008
10009
10010
10011

Now the group 10374 is missing again! 

Our smb.conf looks like this:

[global]
workgroup = XX
realm = xx..com
security = ADS
encrypt passwords = yes
preferred master = no

idmap uid = 1-5
idmap gid = 1-5

winbind use default domain = yes
template shell = /bin/bash
winbind refresh tickets = true
client use spnego = yes

use kerberos keytab = true

winbind cache time = 30

[share]
comment = sharing directory
browseable = yes
available = yes
path = /data/share/
guest ok = no
printable = no
writeable = yes

Has someone any idea how to debug this?

Thank you for your help!

Best regards   Tobias

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] samba not using nearest ADS server

Re: [Samba] samba not using nearest ADS server

Re: [Samba] samba not using nearest ADS server

[Samba] samba not using nearest ADS server

[Samba] Strange problems with ADS-groups and winbindd

5 matches

Site Navigation

Mail list logo

Footer information