[Samba] Unable to browse system shares of a newly migrated AD DC

Andrey Repin anrdaemon at yandex.ru
Fri Mar 27 16:47:16 MDT 2015


Greetings, Rowland Penny!

>> I'm trying the final steps of my long upgrade process, but I got hit by the
>> unexpected.
>>
>> When everything seemingly ran fine in the end, I'm unable to browse the local
>> shares of the DC.
>>
>> # smbclient -L localhost -U%
>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>
>>          Sharename       Type      Comment
>>          ---------       ----      -------
>> Error returning browse list: NT_STATUS_ACCESS_DENIED
>> Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]
>>
>>          Server               Comment
>>          ---------            -------
>>
>>          Workgroup            Master
>>          ---------            -------
>>
>> At the same time,
>>
>> # wbinfo -t
>> checking the trust secret for domain CCENTER via RPC calls succeeded
>>
>> and `wbinfo -u' correctly lists the domain members.
>>
>> I've tried to install libnss-winbind, but that seems to not have helped.
>>
>> # ls -ld /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
>> drwxrwx---+ 2 30001 544 4096 Mar 27 21:41 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
>>
>> # testparm -s
>> Load smb config files from /etc/samba/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>> [global]
>>          workgroup = CCENTER
>>          realm = ads.ccenter.lan
>>          interfaces = lo, 192.168.17.0/24
>>          server role = active directory domain controller
>>          passdb backend = samba_dsdb
>>          rpc_server:tcpip = no
>>          rpc_daemon:spoolssd = embedded
>>          rpc_server:spoolss = embedded
>>          rpc_server:winreg = embedded
>>          rpc_server:ntsvcs = embedded
>>          rpc_server:eventlog = embedded
>>          rpc_server:srvsvc = embedded
>>          rpc_server:svcctl = embedded
>>          rpc_server:default = external
>>          idmap config CCENTER:range = 1000 - 50000
>>          idmap config CCENTER:backend = ad
>>          idmap config *:range = 100000 - 999999
>>          idmap_ldb:use rfc2307 = yes
>>          idmap config * : backend = tdb
>>          map archive = No
>>          map readonly = no
>>          store dos attributes = Yes
>>          vfs objects = dfs_samba4, acl_xattr
>>
>> [netlogon]
>>          path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
>>          read only = No
>>
>> [sysvol]
>>          path = /var/lib/samba/sysvol
>>          read only = No
>>
>> Anything I can try to resolve the problem? Or should I try the upgrade with
>> different options?
>> Upgrade log attached.
>> (This is a test installation, so don't be concerned with passwords. I'd
>> likely restart it several more times before I get the process all straight.)

> OK, remove most of the lines you have added, so your smb.conf looks 
> something like this:

I tried with that config initially, with the same results, but ok. I'll try again.

> [global]
>          workgroup = CCENTER
>          realm = ads.ccenter.lan
>          netbios name = DC_NAME
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          interfaces = lo, 192.168.17.0/24

> [netlogon]
>          path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
>          read only = No

> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No


> Check that these packages are installed: libnss-winbind 
> libpam-winbind

Um. Missed! x.x

> libpam-krb5

No such package. Is it known by any other name? Ubuntu 12.04 here, if that
matters. Samba from ppa:9v-shaun-42/samba4.

> check that the passwd & group lines in /etc/nsswitch.conf have 'winbind' 
> added to them.

I've added

passwd:         compat winbind
group:          compat winbind

and restarted the migration one more time.
Something... happened.

# ls -ld /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
drwxrwx---+ 2 CCENTER\Administrator 544 4096 Mar 28 01:33 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
# ls -lnd /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
drwxrwx---+ 2 30001 544 4096 Mar 28 01:33 /var/lib/samba/sysvol/ads.ccenter.lan/scripts/

But

# smbclient -L localhost -U%
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Sharename       Type      Comment
        ---------       ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Domain=[CCENTER] OS=[Unix] Server=[Samba 4.1.11-Ubuntu]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

# samba-tool testparm --suppress-prompt
# Global parameters
[global]
        workgroup = CCENTER
        realm = ads.ccenter.lan
        netbios name = DC1
        interfaces = lo, 192.168.17.0/24
        server role = active directory domain controller
        dns forwarder = 192.168.17.1
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/ads.ccenter.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


--
WBR,
Andrey Repin (anrdaemon at yandex.ru) 28.03.2015, <01:20>

Sorry for my terrible english...
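
The two NSS checks from this thread (winbind listed on the passwd and group lines of /etc/nsswitch.conf, and the numeric sysvol owner resolving to a name, as in the `ls -ld` versus `ls -lnd` comparison), written as an added example that is not part of the original message. The function names are hypothetical, and `stat -c` assumes GNU coreutils as on the Ubuntu host in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# nss_has_source FILE DB SOURCE
# Succeeds if database DB (e.g. passwd) in FILE lists SOURCE (e.g. winbind).
# Text after '#' is ignored, so a commented-out "winbind" does not count.
nss_has_source() {
    awk -v db="$2" -v src="$3" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == db ":" {
            for (i = 2; i <= NF; i++)
                if ($i == src) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# missing_winbind FILE
# Prints each of passwd/group whose line in FILE does not list winbind.
missing_winbind() {
    for db in passwd group; do
        nss_has_source "$1" "$db" winbind || printf '%s\n' "$db"
    done
}

# owner_resolves PATH
# Prints "UID NAME" when the numeric owner of PATH maps to a name through
# NSS (what `ls -ld` shows instead of the bare number); fails otherwise.
owner_resolves() {
    uid=$(stat -c %u "$1") || return 2
    name=$(getent passwd "$uid" | cut -d: -f1)
    [ -n "$name" ] && printf '%s %s\n' "$uid" "$name"
}

# Typical use on the DC (paths as given in the thread):
#   missing_winbind /etc/nsswitch.conf
#   owner_resolves /var/lib/samba/sysvol/ads.ccenter.lan/scripts/
```

An empty result from `missing_winbind` together with a name from `owner_resolves` confirms only that NSS lookups work, as in the second `ls -ld` output above.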


