[Samba] Debian Upgrade to 3.5.5
Dale Schroeder
dale at BriannasSaladDressing.com
Fri Sep 24 10:02:00 MDT 2010
On 09/24/2010 12:13 AM, Christian PERRIER wrote:
> Quoting Dale Schroeder (dale at BriannasSaladDressing.com):
>>
>> After today's Squeeze upgrade from 3.4.8 to 3.5.5, domain logons were initially broken.
>> I was fortunate to find Thomas Burkholder's workaround from last June, i.e. turn off
>> server signing.
>>
>> Can anyone explain why "server signing = auto" no longer works in 3.5.x?
>
> Uh, I'm worried about this. As you saw, we (Debian packagers) finally
> decided to go for 3.5 in squeeze instead of 3.4. That was a tough
> decision, which we made quite late in the squeeze freeze process.
>
> So, any regression experienced by our users is worrying....and maybe
> worth being mentioned in the release notes (even squeeze release
> notes).
>
> Could you describe in more detail what happened to you and do you
> think that would be a regression for users who are upgrading from
> 3.2.5 (what we have, officially, in lenny)?
>
I don't have much to offer beyond what Thomas
<http://lists.samba.org/archive/samba/2010-June/156237.html> supplied in
June. I have essentially the same errors in the logs.

There would be a notice of an "Unclean shutdown of pid xxxx", followed
by a "remove_child_pid", then the following:

    Scheduled cleanup of brl and lock database after unclean shutdown

Before I found the workaround, I tried things like restarting nscd and
invoking smbpasswd -W, none of which helped.
testjoin showed the join to be good, so I did not attempt a rejoin to
the domain.

Both Thomas and I were using ldap for authentication. His distribution
was also Debian-based (Ubuntu).

I found it interesting that clicking on the domain name in Windows
Explorer would produce an error message, and no domain
hosts would be shown, but entering \\hostname in the address bar for any
of the domain hosts caused the host and all its shares
to suddenly appear beneath the domain name. Using "map untrusted to
domain = Yes", I was able to test this from a
non-domain client, as domain logons were impossible until making the
server signing change.

As you suggest, definitely worth mentioning in the release notes.

As far as a regression is concerned, the lack of comments from June
forward concerning this problem seems
to indicate that not too many people change from the default "No" for
server signing. I don't find any mention of
this problem for other distros either, making me wonder if this is
Debian specific.

My smb.conf [global] follows.

Thanks Christian.

Dale

[global]
workgroup = DOMAIN.COM
server string = Samba PDC
# allow testing from production domain
map untrusted to domain = Yes
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:"ldap://127.0.0.1 ldap://hostname.domain.com"
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n*Retype\snew\s*\spassword:* %n\n*password\supdated\ssuccessfully* .
log level = 3
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
# stop master browser election wars
announce version = 5.9
name resolve order = wins host bcast
time server = Yes
#server signing = auto #does not work in 3.5.x
#server signing = No #default
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -i -W '%u'
logon script = %U.bat
logon path = ""
logon drive = U:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins server = 192.168.xxx.yyy
ldap admin dn = cn=admin,dc=domain,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=domain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
ea support = Yes
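
A scanner for the log sequence described in the message above ("Unclean shutdown of pid", then "remove_child_pid", then the scheduled brl/lock cleanup), useful for checking smbd logs after an upgrade. This is an added example, not part of the original post; the sample log lines, the function name and the 4-line window are constructed assumptions, and only the three message strings come from the post.

```python
import re

# The three strings quoted in the post.
UNCLEAN = re.compile(r"Unclean shutdown of pid (\d+)")
CHILD = "remove_child_pid"
CLEANUP = "Scheduled cleanup of brl and lock database after unclean shutdown"

# Constructed sample in the style of a level-3 smbd log (assumed layout).
SAMPLE_LOG = """\
[2010/09/24 09:12:01,  3] smbd/server.c:246(remove_child_pid)
  Unclean shutdown of pid 4711
[2010/09/24 09:12:01,  3] smbd/server.c:251(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2010/09/24 09:12:07,  3] smbd/process.c:1459(process_smb)
  Transaction 12 of length 86 (0 toread)
[2010/09/24 09:12:09,  3] smbd/server.c:246(remove_child_pid)
  Unclean shutdown of pid 4712
"""


def find_unclean_shutdowns(lines, window=4):
    """Return (pid, line_number, full_sequence) for each unclean shutdown.

    full_sequence is True only when the shutdown notice is followed, within
    `window` lines, by remove_child_pid and then the cleanup message, in the
    order given in the post.
    """
    lines = list(lines)
    hits = []
    for i, line in enumerate(lines):
        m = UNCLEAN.search(line)
        if not m:
            continue
        seen_child = False
        full = False
        for follow in lines[i + 1 : i + 1 + window]:
            if UNCLEAN.search(follow):
                break  # next crash begins; do not borrow its messages
            if CHILD in follow:
                seen_child = True
            elif CLEANUP in follow and seen_child:
                full = True
                break
        hits.append((int(m.group(1)), i + 1, full))
    return hits


if __name__ == "__main__":
    for pid, lineno, full in find_unclean_shutdowns(SAMPLE_LOG.splitlines()):
        print(f"pid {pid} at line {lineno}: full sequence = {full}")
```
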