Re: [Samba] winbind is not taking default domain
Problem solved after leaving the domain, clearing the winbind cache, stopping winbind caching, and rejoining the domain - all these steps have to be done at once. We have an extremely large number of users and groups, and some groups contain a huge number of members; the problem could be related to winbind caching.

On 31/03/2011, at 9:34 AM, Marco Huang wrote:

> Not sure if you import all the users and groups into your /etc/passwd and
> /etc/group file respectively, would fix your problem.
>
> On 29/03/2011, at 11:39 PM, Werner Durgarten wrote:
>
>> Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in
>> without typing in the default domain does not work any more.
>>
>>
>> Original message
>>> Date: Mon, 28 Mar 2011 16:34:19 +1300
>>> From: Marco Huang
>>> To: samba@lists.samba.org
>>> Subject: [Samba] winbind is not taking default domain
>>
>>> Hi,
>>>
>>> We have been running samba file server about 2 years without this problem.
>>> The problem appeared at the same time on our debian and centos servers.
>>> Not sure if it's related to any updates on our windows AD servers.
>>>
>>> Debian Squeeze
>>> sernet-samba-3.5.8-27
>>>
>>> Centos 5.5
>>> samba3-3.5.5-43.el5
>>>
>>> Use Active Directory for user login authentication
>>> Use uid/gid from ldap
>>> The reason we still want winbind is for managing permissions from client
>>> end.
>>>
>>> Since last week, users failed on login with "valid users = @staff" until I
>>> stopped winbind. I found if I change to valid users = @"ABC\staff", users
>>> can login, however the change can not resolve the problem of ACLs on the
>>> folders/files. Of course, if I stop winbind, works ok - user can login, and
>>> following the current permissions, but we do need winbind for managing
>>> permissions from client end.
Re: [Samba] winbind is not taking default domain
Not sure if you import all the users and groups into your /etc/passwd and /etc/group file respectively, would fix your problem.

On 29/03/2011, at 11:39 PM, Werner Durgarten wrote:

> Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in
> without typing in the default domain does not work any more.
>
>
> Original message
>> Date: Mon, 28 Mar 2011 16:34:19 +1300
>> From: Marco Huang
>> To: samba@lists.samba.org
>> Subject: [Samba] winbind is not taking default domain
>
>> Hi,
>>
>> We have been running samba file server about 2 years without this problem.
>> The problem appeared at the same time on our debian and centos servers.
>> Not sure if it's related to any updates on our windows AD servers.
>>
>> Debian Squeeze
>> sernet-samba-3.5.8-27
>>
>> Centos 5.5
>> samba3-3.5.5-43.el5
>>
>> Use Active Directory for user login authentication
>> Use uid/gid from ldap
>> The reason we still want winbind is for managing permissions from client
>> end.
>>
>> Since last week, users failed on login with "valid users = @staff" until I
>> stopped winbind. I found if I change to valid users = @"ABC\staff", users
>> can login, however the change can not resolve the problem of ACLs on the
>> folders/files. Of course, if I stop winbind, works ok - user can login, and
>> following the current permissions, but we do need winbind for managing
>> permissions from client end.
Re: [Samba] winbind is not taking default domain
Similar Problem here: Since Upgrading to Sernet Samba 3.5.8 logging in without typing in the default domain does not work any more.

Original message
> Date: Mon, 28 Mar 2011 16:34:19 +1300
> From: Marco Huang
> To: samba@lists.samba.org
> Subject: [Samba] winbind is not taking default domain

> Hi,
>
> We have been running samba file server about 2 years without this problem.
> The problem appeared at the same time on our debian and centos servers.
> Not sure if it's related to any updates on our windows AD servers.
>
> Debian Squeeze
> sernet-samba-3.5.8-27
>
> Centos 5.5
> samba3-3.5.5-43.el5
>
> Use Active Directory for user login authentication
> Use uid/gid from ldap
> The reason we still want winbind is for managing permissions from client
> end.
>
> Since last week, users failed on login with "valid users = @staff" until I
> stopped winbind. I found if I change to valid users = @"ABC\staff", users
> can login, however the change can not resolve the problem of ACLs on the
> folders/files. Of course, if I stop winbind, works ok - user can login, and
> following the current permissions, but we do need winbind for managing
> permissions from client end.
Re: [Samba] winbind is not taking default domain
Quoting Marco Huang (marco.hu...@auckland.ac.nz):

> We are using sernet-samba-3.5.8-27, but I've tried samba/winbind packages
> from debian squeeze, same result, and the problem appears on centos5.5 as
> well. We've been running these file servers for quite a long time, not sure
> if there's any recent update on windows AD related which requires some
> additional changes on smb.conf.

See the trick that the bug submitter posted in the Debian bug (putting "winbind separator" *after* "winbind use default domain" in smb.conf). That may help in your case, too... maybe

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] winbind is not taking default domain
We are using sernet-samba-3.5.8-27, but I've tried samba/winbind packages from debian squeeze, same result, and the problem appears on centos5.5 as well. We've been running these file servers for quite a long time, not sure if there's any recent update on windows AD related which requires some additional changes on smb.conf.

On 28/03/2011, at 6:07 PM, Christian PERRIER wrote:

> Quoting Marco Huang (marco.hu...@auckland.ac.nz):
>> Hi,
>>
>> We have been running samba file server about 2 years without this problem.
>> The problem appeared at the same time on our debian and centos servers. Not
>> sure if it's related to any updates on our windows AD servers.
>
> This seems to be Debian bug #617449, which I forwarded upstream as
> #7999. I write "seems" as the bug submitter in Debian was using
> "winbind separator" and you aren't.
Re: [Samba] winbind is not taking default domain
Quoting Marco Huang (marco.hu...@auckland.ac.nz):

> Hi,
>
> We have been running samba file server about 2 years without this problem.
> The problem appeared at the same time on our debian and centos servers. Not
> sure if it's related to any updates on our windows AD servers.

This seems to be Debian bug #617449, which I forwarded upstream as #7999. I write "seems" as the bug submitter in Debian was using "winbind separator" and you aren't.
[Samba] winbind is not taking default domain
Hi,

We have been running samba file server about 2 years without this problem. The problem appeared at the same time on our debian and centos servers. Not sure if it's related to any updates on our windows AD servers.

Debian Squeeze
sernet-samba-3.5.8-27

Centos 5.5
samba3-3.5.5-43.el5

Use Active Directory for user login authentication
Use uid/gid from ldap
The reason we still want winbind is for managing permissions from client end.

Since last week, users failed on login with "valid users = @staff" until I stopped winbind. I found if I change to valid users = @"ABC\staff", users can login, however the change can not resolve the problem of ACLs on the folders/files. Of course, if I stop winbind, works ok - user can login, and following the current permissions, but we do need winbind for managing permissions from client end.

# smb.conf

[global]
    realm = ad.mydomain
    workgroup = ABC
    server string = %h server
    enable privileges = yes
    dns proxy = no
    netbios name = linfiles
    smb ports = 139 445

    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    log file = /var/log/samba/%U.log
    log level = 10 winbind:10
    debug timestamp = yes
    max log size = 1000
    syslog only = no
    syslog = 2
    panic action = /usr/share/samba/panic-action %d

    security = ADS
    encrypt passwords = true
    obey pam restrictions = no
    invalid users = root

    unix extensions = no

    idmap backend = nss
    idmap config ABC : default = yes
    idmap config ABC : backend = nss
    idmap alloc backend = nss
    idmap cache time = 30
    allow trusted domains = no

    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=65536 SO_SNDBUF=65536
    locking = yes
    strict locking = no
    posix locking = yes
    kernel oplocks = no
    oplocks = yes
    level2 oplocks = yes

    winbind trusted domains only = yes
    winbind use default domain = yes
    winbind enum users = no
    winbind enum groups = no
    winbind cache time = 3600

    acl compatibility = auto

[sit]
    comment = Shares
    browseable = yes
    writable = yes
    create mask = 0770
    directory mask = 0770
    acl group control = yes
    acl check permissions = True
    nt acl support = yes
    force directory security mode = 770
    inherit permissions = yes
    inherit acls = yes
    inherit owner = no
    map acl inherit = yes
    path = /mnt/sit
    valid users = @staff

# /etc/nsswitch.conf
passwd: files ldap
shadow: files
group: files ldap

# getent group staff returns group members with testuser.

# wbinfo --own-domain
ABC

# Here are some logs from debug mode, winbind just trying to lookup domain LINFILES and Unix Group rather than ABC.

[2011/03/25 12:43:50.645636, 3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @staff does not start with 'S-'.
[2011/03/25 12:43:50.645683, 5] smbd/password.c:423(user_in_netgroup)
  Unable to get default yp domain, let's try without specifying it
[2011/03/25 12:43:50.645694, 5] smbd/password.c:430(user_in_netgroup)
  looking for user testuser of domain (ANY) in netgroup staff
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645744, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.645753, 3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2011/03/25 12:43:50.645764, 3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2011/03/25 12:43:50.645773, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2011/03/25 12:43:50.645783, 5] auth/token_util.c:525(debug_nt_user_token)
  NT user token: (NULL)
[2011/03/25 12:43:50.645792, 5] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2011/03/25 12:43:50.645825, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.645847, 10] passdb/lookup_sid.c:70(lookup_name)
  lookup_name: flags = 0x077
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
[2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share (sit)
[2011/03/25 12:43:50.647832, 1] smbd/service.c:678(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2011/03/25 12:43:50.647882, 3] smbd/error.c:80(error_packet_set)
  error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

cheers
--
Marco
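
The symptom in the log above (the bare group name is resolved against LINFILES and Unix Group, never against the workgroup ABC, and the share connection is then denied) can be checked for mechanically. This Python sketch is an added example, not part of the original thread or of Samba; the function name `triage` and the one-entry-per-line layout of the sample excerpt are assumptions.

```python
import re

# Excerpt of the level-10 smbd log quoted in the post, laid out one header and
# one message per line (layout reconstructed for this example).
SAMPLE_LOG = r"""
[2011/03/25 12:43:50.645733, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: LINFILES\staff => LINFILES (domain), staff (name)
[2011/03/25 12:43:50.645837, 10] passdb/lookup_sid.c:69(lookup_name)
  lookup_name: Unix Group\staff => Unix Group (domain), staff (name)
[2011/03/25 12:43:50.647804, 10] smbd/share_access.c:216(user_ok_token)
  User testuser not in 'valid users'
[2011/03/25 12:43:50.647820, 2] smbd/service.c:598(create_connection_server_info)
  user 'testuser' (from session setup) not permitted to access this share (sit)
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
LOOKUP = re.compile(r"lookup_name: .+ => (?P<domain>.+) \(domain\), (?P<name>.+) \(name\)")
DENIED = re.compile(
    r"user '(?P<user>[^']+)' .*not permitted to access this share \((?P<share>[^)]+)\)"
)


def triage(log_text, workgroup):
    """Return one finding per denied share connection.

    Each finding lists the domains smbd tried while resolving names before the
    denial and whether the expected workgroup was among them.
    """
    findings = []
    tried = []          # domains seen in lookup_name since the last denial
    last_ts = None      # timestamp of the most recent log header
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            last_ts = header.group(1)
        lookup = LOOKUP.search(line)
        if lookup:
            tried.append(lookup["domain"])
            continue
        denied = DENIED.search(line)
        if denied:
            findings.append({
                "time": last_ts,
                "user": denied["user"],
                "share": denied["share"],
                "domains_tried": tried,
                "workgroup_tried": any(d.upper() == workgroup.upper() for d in tried),
            })
            tried = []
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, "ABC"):
        print(f)
```

A finding with `workgroup_tried` set to false matches what the post describes: the group in "valid users" was never looked up in the AD domain before access was refused.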