[Samba] Debugging Samba is a total PITA and this needs to improve

L.P.H. van Belle belle at bazuin.nl
Tue May 21 15:04:36 UTC 2019


Hai, 

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
> Sent: Tuesday 21 May 2019 16:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] Debugging Samba is a total PITA and this needs to improve
> 
> On 21.05.19 16:15, L.P.H. van Belle via samba wrote:
> >> Since Cyrus IMAPD cannot query LDAP for group memberships, we
> >> need this to make shared folders work with groups on our mail servers.
> >> Useless on this machine, yes, but w/e, we're not seeing any performance issues.
> > Huh... Doesn't this work something like : you can put this in idmap.conf
> 
> It should work that way, but the current release has a few bugs related
> to it, and we still need to have working group ACLs until that's working.

OK, that I don't know. So a good reason to use it.

> 
> >>> You see this note from the script: 
> >>> Running as Unix domain member and no user.map detected. 
> >>>
> >>> Where is your user mapping? You don't use SePrivileges?
> >>> Now it's not wrong and possible to run it without, but it is
> >>> much more work to set up correctly for this.
> >>
> >> Where's this documented?
> > https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting
> 
> No, I mean SePrivileges in general. What would I want them for?

Old but shows enough: https://www.samba.org/samba/docs/old/Samba3-HOWTO/rights.html 
And  : https://docs.microsoft.com/en-us/windows/desktop/secauthz/privileges 

> 
> >>> Windows and its updates are moving fast
> >>
> >> Sure, but not really relevant here, since the member server broke
> >> authentication for all client OSes, not just Windows clients.
> >> `smbclient -L //localhost` and `wbinfo -a` are just as broken on that
> >> member server.
> > 
> > smbclient -L //localhost ????  Come on...  
> 
> It has the same results as Windows Explorer and wbinfo -a.

Yes, the same in what you "see", but not the same in how things go in the background, which you don't see..

> 
> > I'm always amazed how a "localhost" test is compared with a client (remote) test.
> > Again, localhost != Hostname
> >
> > smbclient -L //hostname.fqdn
> > smbclient -L //hostname
> 
> Same results: Some users work, some don't. Same users affected.

Same users are still only Windows clients?
And how are these logging in: with DOM\user or user at REALM?

> 
> >> Given that DRS replication and DNS are so broken, what'd be the best
> >> approach for that? Nuke all DCs except the FSMO role holder, update that
> >> one, then add new DCs? Or just export all LDAP data and start
> >> over from a clean 4.10 setup?
> >
> > I don't think it's broken, I think it's functioning wrong due to wrong settings.
> 
> Yes, you always think that. ;)

And you don't know how often I'm right here..


> 
> > Yes, clean setup is nice but not needed really. 
> > 
> > Make sure you review and have smb.conf adjusted to the version of Samba you're willing to run.
> > Review: https://wiki.samba.org/index.php/Updating_Samba 
> 
> Sure, that says:
> 
> >      Verify that the directory replication between all DCs is working correctly:
> 
> That's already broken before the update:
> 
> https://up.tao.at/u/samba/graz-dc-sem.txt (FSMO role holder)
> https://up.tao.at/u/samba/graz-dc-1b.txt
> https://up.tao.at/u/samba/villach-dc-1a.txt
> https://up.tao.at/u/samba/villach-dc-bis.txt
> 
> Similarly, if I do "samba-tool dbcheck --cross-ncs" without yet
> upgrading, to see in what state the DBs are:
> 
> https://up.tao.at/u/samba/graz-dc-sem-dbcheck.txt
> https://up.tao.at/u/samba/graz-dc-1b-dbcheck.txt
> https://up.tao.at/u/samba/villach-dc-1a-dbcheck.txt
> https://up.tao.at/u/samba/villach-dc-bis-dbcheck.txt
> 
> Doesn't look particularly healthy to me.

No, but it's not that bad as far as I can see.

Argg. I have to do a thing here now, move workspaces..

Sync graz-dc-sem to VILLACH-DC-BIS ( full sync ) 
Reboot: VILLACH-DC-BIS 
Wait 5 min, check again. 

Verify this GUID: e70407fd-019e-42f8-a60d-4504d2df230c
In zone _msdc. Check it completely.

<GUID=e1569c90-50f9-4bb5-bd85-79145e3ff6fd>;CN=NTDS Settings,CN=VILLACH-DC-BIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=tao,DC=at
Not fixing old string component	<< old ... ( keyword ) 
Different GUIDs

I expect that your problem for the sync is in that area..

I have to go. 
If nobody helps you out today, I'll help you tomorrow while I build new Samba packages..

So far,

Greetzz, 

Louis

PS. You should have updated/cleaned up your config a bit more since Nov 2017. It hardly changed..



