Re: [Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

Rob LaRose wrote:

Hi Mark,

Mind if I ask how you're doing SSH against your Windows AD? I'm trying to do this now. I've got a script that joins me to the domain and makes SSH work but not Samba. Then I can do net ads join and Samba works but not SSH. Gotta find the happy medium! Are you somehow using Samba to auth SSH too?

--Rob LaRose
Imaginary Forces

On Mar 19, 2009, at 3:19 PM, Mark Casey wrote:

Hello all,

As the subject says, as far as I can tell everything works on my ADS-integrated Samba server. Domain accounts can be used for SSH and for accessing shares; I just can't leave the domain. Here is a successful join command followed by an unsuccessful leave command at debug level 4. Any ideas?

TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
  lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
  Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
  Processing section "[global]"
  doing parameter workgroup = MYDOMAIN
  doing parameter realm = MYDOMAIN.COM
  doing parameter security = ADS
  doing parameter password server = dal-dc1.mydomain.com, den-dc1.mydomain.com
  doing parameter client schannel = Yes
  doing parameter server schannel = Yes
  doing parameter username map = /etc/samba/smbusers
  doing parameter obey pam restrictions = Yes
  doing parameter enable privileges = Yes
  doing parameter restrict anonymous = 2
  doing parameter allow trusted domains = No
  doing parameter lanman auth = No
  doing parameter ntlm auth = No
  doing parameter client NTLMv2 auth = Yes
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter min protocol = NT1
  doing parameter client signing = Yes
  doing parameter server signing = Yes
  doing parameter load printers = No
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter host msdfs = No
  doing parameter idmap domains = MYDOMAIN
  doing parameter idmap alloc backend = ldap
  doing parameter template shell = /bin/false
  doing parameter winbind enum users = Yes
  doing parameter winbind enum groups = Yes
  doing parameter winbind use default domain = Yes
  doing parameter winbind refresh tickets = Yes
  doing parameter idmap alloc config:range = 10 - 50
  doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:range = 10 - 50
  doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:backend = ldap
  doing parameter idmap config MYDOMAIN:default = yes
  doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
  doing parameter map acl inherit = No
  doing parameter hide special files = Yes
  doing parameter map archive = No
  doing parameter map readonly = No
  doing parameter map system = No
  doing parameter map hidden = No
  doing parameter ea support = No
  doing parameter store dos attributes = No
  doing parameter wide links = No
  doing parameter follow symlinks = No
  doing parameter dos filemode = No
  doing parameter add share command = /etc/samba/command.pl
  doing parameter delete share command = /etc/samba/command.pl
  doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
  pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an order
[Samba] Can join ADS domain, all accounts/auth work fine, but leaving domain fails

Hello all,

As the subject says, as far as I can tell everything works on my ADS-integrated Samba server. Domain accounts can be used for SSH and for accessing shares; I just can't leave the domain. Here is a successful join command followed by an unsuccessful leave command at debug level 4. Any ideas?

TIA,
Mark

u...@dordal:~$ sudo net ads join -U administra...@mydomain.com -d 4
[2009/03/19 14:00:07, 3] param/loadparm.c:lp_load(5063)
  lp_load: refreshing parameters
[2009/03/19 14:00:07, 3] param/loadparm.c:init_globals(1448)
  Initialising global parameters
[2009/03/19 14:00:07, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
  Processing section "[global]"
  doing parameter workgroup = MYDOMAIN
  doing parameter realm = MYDOMAIN.COM
  doing parameter security = ADS
  doing parameter password server = dal-dc1.mydomain.com, den-dc1.mydomain.com
  doing parameter client schannel = Yes
  doing parameter server schannel = Yes
  doing parameter username map = /etc/samba/smbusers
  doing parameter obey pam restrictions = Yes
  doing parameter enable privileges = Yes
  doing parameter restrict anonymous = 2
  doing parameter allow trusted domains = No
  doing parameter lanman auth = No
  doing parameter ntlm auth = No
  doing parameter client NTLMv2 auth = Yes
  doing parameter log level = 1
  doing parameter syslog = 0
  doing parameter min protocol = NT1
  doing parameter client signing = Yes
  doing parameter server signing = Yes
  doing parameter load printers = No
  doing parameter preferred master = No
  doing parameter local master = No
  doing parameter domain master = No
  doing parameter dns proxy = No
  doing parameter ldap ssl = no
  doing parameter host msdfs = No
  doing parameter idmap domains = MYDOMAIN
  doing parameter idmap alloc backend = ldap
  doing parameter template shell = /bin/false
  doing parameter winbind enum users = Yes
  doing parameter winbind enum groups = Yes
  doing parameter winbind use default domain = Yes
  doing parameter winbind refresh tickets = Yes
  doing parameter idmap alloc config:range = 10 - 50
  doing parameter idmap alloc config:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap alloc config:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap alloc config:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:range = 10 - 50
  doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap config MYDOMAIN:ldap_user_dn = cn=idmapmgr,cn=users,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:ldap_base_dn = ou=idmap,dc=sambaidmap,dc=mydomain,dc=com
  doing parameter idmap config MYDOMAIN:backend = ldap
  doing parameter idmap config MYDOMAIN:default = yes
  doing parameter hosts allow = 10.0.0.0/255.255.254.0 10.1.0.0/255.255.254.0
  doing parameter map acl inherit = No
  doing parameter hide special files = Yes
  doing parameter map archive = No
  doing parameter map readonly = No
  doing parameter map system = No
  doing parameter map hidden = No
  doing parameter ea support = No
  doing parameter store dos attributes = No
  doing parameter wide links = No
  doing parameter follow symlinks = No
  doing parameter dos filemode = No
  doing parameter add share command = /etc/samba/command.pl
  doing parameter delete share command = /etc/samba/command.pl
  doing parameter change share command = /etc/samba/command.pl
[2009/03/19 14:00:07, 4] param/loadparm.c:lp_load(5094)
  pm_process() returned Yes
[2009/03/19 14:00:07, 2] lib/interface.c:add_interface(81)
  added interface ip=10.0.1.35 bcast=10.0.1.255 nmask=255.255.254.0
[2009/03/19 14:00:07, 4] libsmb/namequery_dc.c:ads_dc_name(73)
  ads_dc_name: domain=MYDOMAIN
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip addresses in an ordered list
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libsmb/namequery.c:get_dc_list(1489)
  get_dc_list: preferred server list: "10.0.1.30, dal-dc1.mydomain.com, den-dc1.mydomain.com"
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1599)
  get_dc_list: returning 2 ip
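An added example, not code from the thread or from the Samba project: the `-d 4` output above is the most reliable record of what smb.conf actually loaded, because every `doing parameter` line is the parsed value, not the file as edited. The script below rebuilds the effective `[global]` settings from such a log, lists the domain controllers `get_dc_list` returned, and flags authentication settings that drift from the hardened ones this config sets (LM and NTLMv1 off, NTLMv2 on, signing and schannel on). The sample log is constructed from a subset of the lines in the post; the expectation table and the plaintext-LDAP check are this example's own choices, not Samba defaults.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of the `net ads join -d 4` output quoted in the
# thread (a subset of its lines; not the full log).
SAMPLE_LOG = """\
[2009/03/19 14:00:07, 3] param/loadparm.c:do_section(3802)
  Processing section "[global]"
  doing parameter workgroup = MYDOMAIN
  doing parameter realm = MYDOMAIN.COM
  doing parameter security = ADS
  doing parameter client schannel = Yes
  doing parameter server schannel = Yes
  doing parameter lanman auth = No
  doing parameter ntlm auth = No
  doing parameter client NTLMv2 auth = Yes
  doing parameter min protocol = NT1
  doing parameter client signing = Yes
  doing parameter server signing = Yes
  doing parameter ldap ssl = no
  doing parameter idmap config MYDOMAIN:ldap_url = ldap://dal-dc1.mydomain.com ldap://den-dc1.mydomain.com
  doing parameter idmap config MYDOMAIN:backend = ldap
[2009/03/19 14:00:07, 4] libsmb/namequery.c:get_dc_list(1600)
  get_dc_list: 10.0.1.30:389 10.1.1.30:389
[2009/03/19 14:00:07, 3] libads/ldap.c:ads_connect(394)
  Connected to LDAP server 10.0.1.30
"""

PARAM_RE = re.compile(r"^\s*doing parameter (?P<key>.+?) = (?P<value>.*)$")
DC_RE = re.compile(r"^\s*get_dc_list: (?P<dcs>(?:\S+:\d+\s*)+)$")

# Values this checker expects for an AD member that refuses LM/NTLMv1 and requires
# signing. This table is the example's own policy, compared case-insensitively.
EXPECTED = {
    "security": "ADS",
    "lanman auth": "No",
    "ntlm auth": "No",
    "client NTLMv2 auth": "Yes",
    "client signing": "Yes",
    "server signing": "Yes",
    "client schannel": "Yes",
    "server schannel": "Yes",
}
PLAINTEXT_LDAP_FINDING = (
    "idmap ldap_url uses ldap:// and ldap ssl = no: the idmap bind "
    "credentials go over the wire unencrypted"
)


def parse_params(log: str) -> Dict[str, str]:
    """Rebuild the effective smb.conf settings from 'doing parameter' lines.

    Later occurrences win, as they do when smb.conf repeats a parameter.
    """
    params: Dict[str, str] = {}
    for line in log.splitlines():
        m = PARAM_RE.match(line)
        if m:
            params[m.group("key").strip()] = m.group("value").strip()
    return params


def parse_dcs(log: str) -> List[Tuple[str, int]]:
    """Collect the (address, port) pairs get_dc_list reported, deduplicated in order."""
    dcs: List[Tuple[str, int]] = []
    for line in log.splitlines():
        m = DC_RE.match(line)
        if not m:
            continue
        for hostport in m.group("dcs").split():
            host, port = hostport.rsplit(":", 1)
            pair = (host, int(port))
            if pair not in dcs:
                dcs.append(pair)
    return dcs


def audit(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings for settings that drift from EXPECTED."""
    findings: List[str] = []
    for key, want in EXPECTED.items():
        got = params.get(key)
        if got is None:
            findings.append(f"{key}: not set explicitly (compiled-in default applies)")
        elif got.lower() != want.lower():
            findings.append(f"{key}: {got} (expected {want})")
    # The idmap backend binds as ldap_user_dn; a plain ldap:// URL together with an
    # explicit "ldap ssl = no" leaves that bind without TLS.
    plain_ldap = any(
        k.endswith(":ldap_url") and "ldap://" in v for k, v in params.items()
    )
    if plain_ldap and params.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append(PLAINTEXT_LDAP_FINDING)
    return findings


if __name__ == "__main__":
    cfg = parse_params(SAMPLE_LOG)
    print("domain controllers:", parse_dcs(SAMPLE_LOG))
    for finding in audit(cfg) or ["no findings"]:
        print("-", finding)
```

Feed it the full `-d 4` output (`sudo net ads join ... -d 4 2>&1 | python3 audit.py` with a small `sys.stdin.read()` in place of `SAMPLE_LOG`) and the findings list tells you which hardening knobs were actually honoured, which were left to compiled-in defaults, and which DCs the join talked to, without trusting the copy of smb.conf you think is installed.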