[Samba] attempted upgrade this weekend

Mike Eggleston mikeegg1 at mac.com
Mon May 11 19:44:10 GMT 2009


On Mon, 27 Apr 2009, Mike Eggleston might have said:

> Morning,
> 
> This weekend I attempted an upgrade of my primary samba server from 3.0.24
> to 3.3.3. When testing this primary server after the upgrade I had a
> few issues, so rolled back the upgrade until I can find solutions. This
> server also has the OpenLDAP server local to and co-located with samba.
> 
> The two things that initially didn't seem right are that each time I
> logged into a Windows XP box I was told my password had expired and
> must be changed, and my roaming profile could not be accessed. Even
> after changing my password, when I logged out and back in I got the same
> password expired message.
> 
> I had another event scheduled and couldn't diagnose the issue. I
> hope the issue is simply a difference in the configuration (smb.conf)
> between 3.0.24 and 3.3.3. I've attached a sanitized version of my config
> below. Does anyone see any issues?
> 
> Samba is the first of a series of upgrades. After samba is Cyrus then
> OpenLDAP.
> 
> Samba is compiled locally on this box, so it pulls in the current library
> versions, etc.
> 
> The output of the smbd-3.0.24 and smbd-3.3.3 (both -b) seems the same
> to me.
> 
> Thanks for having a look at this. I'll try another upgrade this coming
> weekend.
> 
> Mike
> 
> Fedora Core 5
> Samba upgrade from 3.0.24 to 3.3.3
> OpenLDAP 2.3.30
> 
> 
> ---------------------------
> # Samba config file created using SWAT
> # from 10.1.2.43 (10.1.2.43)
> # Date: 2006/08/03 15:11:35
> 
> [global]
> 	security = USER
> 	client plaintext auth = Yes
> 	client lanman auth = Yes
> 	lanman auth = No
> 	ntlm auth = Yes
> 	guest account = nobody
> 	#admin users = manager, root
> 	admin users = 
> 	hosts allow = .domain.com, 10.1.2., 10.1.3., 192.168.100.
> 	cups options = raw
> 	wins support = yes
> 	name resolve order = wins lmhosts host bcast
> 	dns proxy = no
> 	usershare allow guests = yes
> 	time server = yes
> 
> 	workgroup = PWI
> 	netbios name = elo
> 	netbios aliases = loghost, mailhost, backuphost, ldaphost
> 	server string = Samba Server (%h)
> 	logon drive = H:
> 	logon home = \\%h\%U
> 	logon path = \\%h\profiles\%U
> 	logon script = logon.bat
> 	ldap delete dn = Yes
> 	ldap suffix = dc=domain,dc=com
> 	ldap admin dn = cn=manager,dc=domain,dc=com
> 	ldap user suffix = ou=people
> 	ldap group suffix = ou=groups
> 	ldap machine suffix = ou=machines
> 	ldap ssl = off
> 	ldapsam:trusted = Yes
> 	ldap timeout = 15
> 	utmp directory = /var/run
> 	wtmp directory = /var/log
> 	utmp = Yes
> 
> 	encrypt passwords = Yes
> 	password level = 0
> 	password server = ldaphost.domain.com
> 	passdb backend = ldapsam:ldap://ldaphost.domain.com
> 	ldap passwd sync = Yes
> 	unix password sync = No
> 	passwd program = /usr/sbin/smbldap-passwd %u
> 	#pam password change = Yes
> 	passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n
> 	passwd chat debug = Yes
> 	#client use spnego = No
> 	#use spnego = No
> 
> 	os level = 66
> 	preferred master = Yes
> 	local master = Yes
> 	domain master = Yes
> 	domain logons = Yes
> 	allow trusted domains = Yes
> 
> #	log level = 255
> #	log level = 100
> #	log level = 4
> #	log level = 3 ldap:10 passdb:10 auth:10 winbind:10
> #	log level = 3
> #	log level = 2
> 	log level = 1
> 	log file = /var/log/samba/%m.log
> 	max log size = 10000
> 
> 	#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
> 	#socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> 	#socket options = TCP_NODELAY
> 	# trying to make things faster
> 	#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=1500
> 
> 	#add user script = /usr/sbin/smbldap-useradd -m "%u"
> 	add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D "H:" -M "%u at domain.com" %u
> 	delete user script = /usr/sbin/smbldap-userdel "%u"
> 	add group script = /usr/sbin/smbldap-groupadd -p "%g"
> 	delete group script = /usr/sbin/smbldap-groupdel "%g"
> 	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> 	delete user from group script = /usr/sbin/smbldap-groupmod -x "%g" "%u"
> 	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> 	#add machine script = /usr/sbin/smbldap-useradd -w "%u"
> 	#add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
> 	#add machine script = /usr/sbin/smbldap-useradd -w -i "%u" -t 5
> 	#add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -t 5 "%u"
> 	#add machine script = /usr/sbin/smbldap-useradd -w -i -A 0 -B 0 -t 5 "%u"
> 
> 	#max smbd processes = 200
> 	deadtime = 60
> 
> 	# trying to get rid of an error in the smb logs by not listening to port 445
> 	smb ports = 139
> 
> [netlogon]
> 	comment = Network Logon Services
> 	path = /etc/samba/netlogon
> 	browseable = No
> 	writable = No
> 	read only = Yes
> 	guest ok = Yes
> 
> [profiles]
> 	comment = Roaming User Profiles
> 	path = /etc/samba/profiles
> 	browseable = Yes
> 	writable = Yes
> 	read only = No
> 	guest ok = Yes
> 	hide files = /DESKTOP.INI/Desktop.ini/desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
> 	#store dos attributes = Yes
> 	create mask = 0600
> 	directory mask = 0700
> 	#printable = no
> 	csc policy = disable
> 	#force user = %U
> 
> [homes]
> 	comment = Home Directories
> 	read only = No
> 	guest ok = No
> 	browseable = No
> 	map read only = Permissions
> 	directory mask = 0755
> 
> [printers]
> 	comment = All Printers
> 	path = /usr/spool/samba
> 	printable = Yes
> 	browseable = No
> 
> [Pointwise]
> 	comment = Pointwise Corporate Files
> 	path = /opt/domain
> 	#create mask = 0765
> 	force create mode = 664
> 	force group = pwi
> 	browseable = Yes
> 	printable = No
> 	guest ok = No
> 	writeable = Yes
> 	read only = No
> 
> [Backups]
> 	comment = Backup files are stored here
> 	path = /opt/backups
> 	browseable = Yes
> 	printable = No
> 
> [Data]
> 	comment = Storage for support and other data.
> 	path = /opt/data
> 	browseable = Yes
> 	printable = No
> 
> [tmp]
> 	comment = temporary files
> 	path = /tmp
> 	browseable = Yes
> 	printable = No
> 	guest ok = Yes
> 	guest only = No
> 	writeable = Yes
> 	read only = No
> 	force create mode = 664
> ---------------------------

Well, I did the upgrade Sunday, 10 May 09, and version 3.3.3 is now in
production. I did update the OpenLDAP samba.schema file. I'm not sure
that had any effect on letting people log in. What seems to have worked
is adding an 'X' in the OpenLDAP field sambaAcctFlags. I still have an
issue with 'expired passwords' and my roaming profiles don't seem to be
working right.

Now that v3.3.3 is in production I can work on these two items (and
upgrading OpenLDAP and Cyrus-IMAP).

Mike
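
Added example, not part of the original post: in `sambaAcctFlags` the letter `X` marks an account whose password does not expire, so adding it to get logins working also switches off password expiry for that account. The sketch below lists user accounts carrying `X` (or `N`, no password required) from an LDIF export so they can be reviewed once the expiry problem is solved. It assumes plain, unwrapped LDIF; the sample entries are constructed.

```python
import re

# Account-control letters as Samba writes them in sambaAcctFlags, e.g. "[UX         ]".
FLAG_NAMES = {
    "U": "normal user", "W": "workstation trust",
    "S": "server trust", "I": "interdomain trust",
    "D": "disabled", "L": "locked out",
    "N": "no password required", "X": "password does not expire",
}

# Constructed LDIF export (for example from ldapsearch); names and values are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=domain,dc=com
uid: alice
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=domain,dc=com
uid: bob
sambaAcctFlags: [UX         ]

dn: uid=ws01$,ou=machines,dc=domain,dc=com
uid: ws01$
sambaAcctFlags: [W          ]

dn: uid=carol,ou=people,dc=domain,dc=com
uid: carol
sambaAcctFlags: [NUX        ]
"""

def parse_entries(ldif):
    """Yield (uid, set of flag letters) for each entry carrying sambaAcctFlags."""
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        m = re.fullmatch(r"\[([A-Za-z ]*)\]", attrs.get("sambaAcctFlags", "").strip())
        if m:
            yield attrs.get("uid", attrs.get("dn", "?")), set(m.group(1).replace(" ", ""))

def audit(ldif):
    """Return {uid: [findings]} for user accounts with expiry or password checks off."""
    report = {}
    for uid, flags in parse_entries(ldif):
        risky = [FLAG_NAMES[f] for f in sorted(flags & {"N", "X"}) if "U" in flags]
        if risky:
            report[uid] = risky
    return report

if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_LDIF).items():
        print(uid, "->", ", ".join(findings))
```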

