samba suggestions (and wishlist, a test with 4.7rc4 on Debian stretch)
L.P.H. van Belle
belle at bazuin.nl
Thu Aug 17 09:47:59 UTC 2017
Hai,
When samba is installed with distro packages, it is always started with a default config.
So a few suggestions, which I encountered with my new 4.7rc4 Debian packages.
Some parts are improvable not only for Debian.
For example, I did these steps.
Make sure /etc/hosts is set up correctly.
# test install samba 4.7rc4, AD DC with bind9_DLZ
apt-get install samba winbind krb5-kdc ntp bind9
# after the install, disable and stop services.
systemctl disable smbd.service nmbd.service winbind.service
systemctl stop smbd.service nmbd.service winbind.service
# provision
Results in an ugly message, which should not be needed, imho.
I also suggest changing the order of the first 3 questions.
I would use this order in provisioning:
1) Server Role (dc, member, standalone) [dc]:
2) realm
3) domain
Based on the server role you can exit the samba-tool script sooner.
samba-tool domain provision --interactive
Realm [TEST.EXAMPLE.COM]:
Domain [TEST]: TEST
Server Role (dc, member, standalone) [dc]:
DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_DLZ
Administrator password:
Retype password:
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: guess_names: 'realm =' was not specified in supplied /etc/samba/smb.conf. Please remove the smb.conf file and let provision generate it
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 474, in run
nosync=ldap_backend_nosync, ldap_dryrun_mode=ldap_dryrun_mode)
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2028, in provision
sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 608, in guess_names
raise ProvisioningError("guess_names: 'realm =' was not specified in supplied %s. Please remove the smb.conf file and let provision generate it" % lp.configfile)
Now, the solution looks simple to me, I just can't code this in Python.
If samba-tool domain provision is called:
check if /etc/samba/smb.conf exists, report it, ask whether to move or delete it (I suggest moving it to smb.conf.before-provisioning).
If this is done, ask whether to clear the samba data from the old config file (STATEDIR: /var/lib/samba). IMO this helps in preventing unneeded and old/incorrect data in the samba data files.
It may also prevent corruption; better safe than sorry, and same as above, mv /var/lib/samba{,.before-provisioning}
Now we always start clean without any old data in /var/lib/samba. If the parameter --interactive is used, you get the questions; if without, do all needed changes and report them at the end.
And now start provisioning, without problems and resulting in ....
The Kerberos KDC configuration for Samba AD is located at /var/lib/samba/private/kdc.conf
A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
Once the above files are installed, your Samba AD server will be ready to use
Server Role: active directory domain controller
Hostname: ossec
NetBIOS Domain: TEST
DNS Domain: test.example.com
DOMAIN SID: S-1-5-21-2596934827-1870062432-3111992188
So this looks good.
Now set up bind.
(https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End)
Here it says: Verify that your /etc/krb5.conf Kerberos client configuration file is readable ...
Now by default it is, but the one created by samba is in /var/lib/samba/private/krb5.conf
(In case of a Debian install, the default krb5.conf is correct for samba.)
The samba version contains:
[libdefaults]
default_realm = TEST.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
Now the default_realm is also in the default settings from the package install in Debian,
and these, even if not defined, are the defaults:
dns_lookup_realm = false
dns_lookup_kdc = true
So I'm wondering, is creating /var/lib/samba/private/krb5.conf really needed?
The provisioning can also check if
default_realm = TEST.EXAMPLE.COM is already defined in /etc/krb5.conf;
if it does not exist, create the samba version; if it exists, the samba version is (maybe) not needed.
After changing/adding the needed bind settings:
systemctl unmask bind9
systemctl enable bind9
systemctl restart bind9
* NOTE1 (see below, I forgot the resolv.conf change..)
That should happen at this point.
And enabling samba:
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc
And the result is a successful install and start of a (debianized) 4.7.0RC4.
* NOTE1
If you see this, your resolv.conf is faulty. (Mine was.)
A few log observations. (About 29 x this part.)
[2017/08/17 11:07:11.920124, 0] ../lib/util/util_runcmd.c:323(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
[2017/08/17 11:07:11.920233, 0] ../lib/util/util_runcmd.c:323(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
[2017/08/17 11:07:11.920264, 0] ../lib/util/util_runcmd.c:323(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: return self.run(*args, **kwargs)
[2017/08/17 11:07:11.920289, 0] ../lib/util/util_runcmd.c:323(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 939, in run
[2017/08/17 11:07:11.920523, 0] ../lib/util/util_runcmd.c:323(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: raise e
ending with:
[2017/08/17 11:07:12.326093, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 29
[2017/08/17 11:07:13.327764, 0] ../source4/lib/tls/tlscert.c:167(tls_cert_generate)
TLS self-signed keys generated OK
After a resolv.conf change, I did run:
samba_dnsupdate --all-names
with result: No DNS updates needed
(Keep in mind, I try not to touch original Debian files where possible.)
I did add in /etc/krb5.conf:
default_keytab_name = /var/lib/samba/private/secrets.keytab
Last, I cleared all logs and rebooted the server, which showed:
[.....] A stop job is running for Samba AD Daemon.. for a few min.
I think this has to do with the same thing (I saw the technical threads about logrotate and child processes).
That's something I'll have an extra look at.
Just some observations.
The Debian packages info will be posted on the list in a few min.
Greetz,
Louis
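The two pre-provisioning checks proposed in the mail above (move an existing smb.conf and the /var/lib/samba state directory aside before "samba-tool domain provision", and test whether /etc/krb5.conf already carries the realm so the generated krb5.conf may be unnecessary) as a shell sketch. This is an added example, not code from the mail or from Samba; the helper names preprovision_backup and krb5_realm_defined are made up, and the demo runs on constructed files in a temporary directory rather than on /etc or /var/lib/samba.

```shell
#!/bin/sh
# Added example, not Samba's code: pre-provisioning checks as suggested in
# the mail. Helper names are hypothetical.
set -u

# Move an existing smb.conf and state dir out of the way so provisioning
# starts clean; the ".before-provisioning" suffix follows the mail's suggestion.
# Usage: preprovision_backup /etc/samba/smb.conf /var/lib/samba
preprovision_backup() {
    conf=$1
    statedir=$2
    if [ -e "$conf" ]; then
        echo "existing $conf found; moving to $conf.before-provisioning" >&2
        mv "$conf" "$conf.before-provisioning" || return 1
    fi
    if [ -d "$statedir" ]; then
        echo "existing $statedir found; moving to $statedir.before-provisioning" >&2
        mv "$statedir" "$statedir.before-provisioning" || return 1
    fi
    return 0
}

# Return 0 if default_realm in the [libdefaults] section of KRB5CONF equals
# REALM (realm names compared case-insensitively), 1 otherwise.
# Only [libdefaults] is inspected; a default_realm under another section
# (e.g. [realms]) does not count.
# Usage: krb5_realm_defined /etc/krb5.conf TEST.EXAMPLE.COM
krb5_realm_defined() {
    krb5conf=$1
    realm=$2
    [ -r "$krb5conf" ] || return 1
    found=$(awk -v want="$realm" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insect && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[ \t]*default_realm[ \t]*=[ \t]*/, "")
            sub(/[ \t]*$/, "")
            if (toupper($0) == toupper(want)) { print "yes"; exit }
        }' "$krb5conf")
    [ "$found" = "yes" ]
}

# Demo on constructed files in a temp dir (nothing under /etc or /var is touched).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/samba/private"
    printf '[global]\n   workgroup = WORKGROUP\n' > "$tmp/smb.conf"
    printf '[libdefaults]\n\tdefault_realm = TEST.EXAMPLE.COM\n\n[realms]\n' > "$tmp/krb5.conf"
    preprovision_backup "$tmp/smb.conf" "$tmp/samba"
    ls "$tmp"
    if krb5_realm_defined "$tmp/krb5.conf" TEST.EXAMPLE.COM; then
        echo "default_realm already set in $tmp/krb5.conf; generated krb5.conf not needed"
    else
        echo "default_realm missing; install the generated private/krb5.conf"
    fi
    rm -rf "$tmp"
}

demo
```

In a real provisioning wrapper you would run preprovision_backup before invoking samba-tool and only then decide, via krb5_realm_defined, whether to copy /var/lib/samba/private/krb5.conf over /etc/krb5.conf.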
More information about the samba-technical mailing list