[Samba] Debugging Samba is a total PITA and this needs to improve

Sven Schwedas sven.schwedas at tao.at
Tue May 21 14:43:56 UTC 2019


On 21.05.19 16:15, L.P.H. van Belle via samba wrote:
>> Since Cyrus IMAPD cannot query LDAP for group memberships, we 
>> need this to make shared folders work with groups on our mail servers. 
>> Useless on this machine, yes, but w/e, we're not seeing any performance issues.
> Huh... Doesn't this work something like : you can put this in idmap.conf 

It should work that way, but the current release has a few bugs related
to it, and we still need to have working group ACLs until that's working.

>>> You see this note from the script: 
>>> Running as Unix domain member and no user.map detected. 
>>>
>>> Where is you user mapping? You dont use SePrivileges? 
>>> Now its not wrong and possible to run it without, but it is 
>> much more work to setup correctly for this. 
>>
>> Where's this documented?
> https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting

No, I mean SePrivileges in general. What would I want them for?

>>> Windows and it updates are moving fast
>>
>> Sure, but not really relevant here, since the member server broke
>> authentication for all client OSes, not just Windows clients. 
>> `smbclient
>> -L //localhost` and `wbinfo -a` are just as broken on that 
>> member server.
> 
> smbclient -L //localhost ????  Come on...  

It has the same results as Windows Explorer and wbinfo -a.

> I'm always amazed how a "localhost" test is compaired with a client (remote) test. 
> Again , localhost =! Hostname 
> 
> smbclient -L //hostname.fdqn 
> smbclient -L //hostname

Same results: Some users work, some don't. Same users affected.

>> Given that DRS replication and DNS are so broken, what'd be the best
>> approach for that? Nuke all DCs except the FSMO role holder, 
>> update that
>> one, then add new DCs? Or just export all LDAP data and start 
>> over from  a clean 4.10 setup?
> 
> I dont think its broken, i think its functioning wrong due to wrong settings. 

Yes, you always think that. ;)

> Yes, clean setup is nice but not needed really. 
> 
> Make sure you review and have smb.conf adjusted to the version of samba your willing to run. 
> Review: https://wiki.samba.org/index.php/Updating_Samba 

Sure, that says:

>      Verify that the directory replication between all DCs is working correctly:

That's already broken before the update:

https://up.tao.at/u/samba/graz-dc-sem.txt (FSMO role holder)
https://up.tao.at/u/samba/graz-dc-1b.txt
https://up.tao.at/u/samba/villach-dc-1a.txt
https://up.tao.at/u/samba/villach-dc-bis.txt

Similarly, if I do "samba-tool dbcheck --cross-ncs" without yet
upgrading, to see in what state the DBs are:

https://up.tao.at/u/samba/graz-dc-sem-dbcheck.txt
https://up.tao.at/u/samba/graz-dc-1b-dbcheck.txt
https://up.tao.at/u/samba/villach-dc-1a-dbcheck.txt
https://up.tao.at/u/samba/villach-dc-bis-dbcheck.txt

Doesn't look particularly healthy to me.

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20190521/e0da54d3/signature.sig>


More information about the samba mailing list