[Samba] Debian Upgrade to 3.5.5

Dale Schroeder dale at BriannasSaladDressing.com
Fri Sep 24 10:02:00 MDT 2010


On 09/24/2010 12:13 AM, Christian PERRIER wrote:
> Quoting Dale Schroeder (dale at BriannasSaladDressing.com):
>>
>> After today's Squeeze upgrade from 3.4.8 to 3.5.5, domain logons were initially broken.
>> I was fortunate to find Thomas Burkholder's workaround from last June, i.e. turn off
>> server signing.
>>
>> Can anyone explain why "server signing = auto" no longer works in 3.5.x?
>
> Uh, I'm worried about this. As you saw, we (Debian packagers) finally
> decided to go for 3.5 in squeeze instead of 3.4. That was a tough
> decision, which we made quite late in the squeeze freeze process.
>
> So, any regression experienced by our users is worrying....and maybe
> worth being mentioned in the release notes (even squeeze release
> notes).
>
> Could you describe in more detail what happened to you and do you
> think that would be a regression for users who are upgrading from
> 3.2.5 (what we have, officially, in lenny)?
>
I don't have much to offer beyond what Thomas 
<http://lists.samba.org/archive/samba/2010-June/156237.html> supplied in 
June.  I have essentially the same errors in the logs.
There would be a notice of an "Unclean shutdown of pid xxxx", followed 
by a "remove_child_pid", then the following:

Scheduled cleanup of brl and lock database after unclean shutdown


Before I found the workaround, I tried things like restarting nscd and 
invoking smbpasswd -W, none of which helped.
testjoin showed the join to be good, so I did not attempt a rejoin to 
the domain.

Both Thomas and I were using ldap for authentication.  His distribution 
was also Debian-based (Ubuntu).

I found it interesting that clicking on the domain name in Windows 
Explorer would produce an error message, and no domain
hosts would be shown, but entering \\hostname in the address bar for any 
of the domain hosts caused the host and all its shares
to suddenly appear beneath the domain name.  Using "map untrusted to 
domain = Yes", I was able to test this from a
non-domain client, as domain logons were impossible until making the 
server signing change.

As you suggest, definitely worth mentioning in the release notes.

As far as a regression is concerned, the lack of comments from June 
forward concerning this problem seems
to indicate that not too many people change from the default "No" for 
server signing.  I don't find any mention of
this problem for other distros either, making me wonder if this is 
Debian specific.

My smb.conf [global] follows.

Thanks Christian.

Dale

[global]
	workgroup = DOMAIN.COM
	server string = Samba PDC
	# allow testing from production domain
	map untrusted to domain = Yes
	map to guest = Bad User
	obey pam restrictions = Yes
	passdb backend = ldapsam:"ldap://127.0.0.1 ldap://hostname.domain.com"
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat =*Enter\snew\s*\spassword:* %n\n*Retype\snew\s*\spassword:* %n\n*password\supdated\ssuccessfully*  .
	log level = 3
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	# stop master browser election wars
	announce version = 5.9
	name resolve order = wins host bcast
	time server = Yes
	#server signing = auto #does not work in 3.5.x
	#server signing = No #default
	add user script = /usr/sbin/smbldap-useradd -a -m '%u'
	delete user script = /usr/sbin/smbldap-userdel '%u'
	add group script = /usr/sbin/smbldap-groupadd -p '%g'
	delete group script = /usr/sbin/smbldap-groupdel '%g'
	add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd -i -W '%u'
	logon script = %U.bat
	logon path = ""
	logon drive = U:
	domain logons = Yes
	os level = 65
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins server = 192.168.xxx.yyy
	ldap admin dn = cn=admin,dc=domain,dc=com
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	ldap passwd sync = Yes
	ldap suffix = dc=domain,dc=com
	ldap ssl = no
	ldap user suffix = ou=Users
	panic action = /usr/share/samba/panic-action %d
	ea support = Yes
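
An added example, not part of the original message or of Samba: a small Python audit of an smb.conf `[global]` section that reports the effective `server signing` value once the workaround is in place and flags values carrying a trailing `#`, which smb.conf keeps as part of the value because comments must start a line. The sample config is constructed, the names `parse_global` and `audit` are hypothetical, and the default of `No` is the one stated in the post.

```python
import re

# Constructed sample in the style of the [global] section posted above.
SAMPLE = """\
[global]
    workgroup = DOMAIN.COM
    map untrusted to domain = Yes #allow testing from production domain
    #server signing = auto #does not work in 3.5.x
    SERVER  signing = No
[homes]
    server signing = mandatory
"""

OFF = {"no", "false", "0", "off", "disabled"}  # spellings treated here as "signing off"

def norm(name):
    # smb.conf ignores case and whitespace in parameter names
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: (name as written, value)} for [global]."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # comments must start the line
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)  # only the first '=' separates
            params[norm(name)] = (name.strip(), value.strip())
    return params

def audit(text, default="No"):  # default as stated in the post (assumption)
    params = parse_global(text)
    findings = [f"{name}: text after '#' is kept as part of the value"
                for name, value in params.values() if re.search(r"\s#", value)]
    _, signing = params.get("serversigning", ("server signing", default))
    if signing.lower() in OFF:
        findings.append("server signing is off: sessions to this server are not signed")
    return signing, findings

if __name__ == "__main__":
    value, notes = audit(SAMPLE)
    print("effective server signing:", value)
    for note in notes:
        print(" -", note)
```

The `server signing` line under `[homes]` is ignored on purpose: only the `[global]` section is audited here.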
