[Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
Doug Sampson
dougs at dawnsign.com
Fri Apr 18 13:40:15 MDT 2014
> On 21/03/14 22:25, Doug Sampson wrote:
> >> From: samba-bounces at lists.samba.org
> >> [mailto:samba-bounces at lists.samba.org]
> >> On Behalf Of Rowland Penny
> >> Sent: Friday, March 21, 2014 2:26 PM
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
> >>
> >> On 21/03/14 20:04, Doug Sampson wrote:
> >>>> No, the compilation of the new version is linking against the installed libraries of the old version rather than the ones it just built.
> >>>>> I will uninstall Samba 4.1.4 completely before installing 4.1.6.
> >>>>>
> >>> Okay, so I completely uninstalled Samba 4.1.4, rebooted and installed 4.1.6. The install completed without any warning messages.
> >>> However, I am unable to join the AD; the login using the administrator's account just hangs there without returning to a command prompt. The console.log shows:
> >>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: [2014/03/21 11:07:33.571552, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> >>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: Got sig[15] terminate (is_parent=1)
> >>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: [2014/03/21 11:07:33.581594, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> >>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: Got sig[15] terminate (is_parent=0)
> >>> root at P43003:/usr/local/lib #
> >>>
> >>> Okay, so winbindd isn't working. Why? wbinfo -u shows the expected list of AD users. However, getent passwd shows only the local unix user accounts.
> >>> root at P43003:/usr/local/lib # cat /etc/nsswitch.conf
> >>> #
> >>> # nsswitch.conf(5) - name service switch configuration file
> >>> # $FreeBSD: release/9.2.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
> >>> #
> >>> group: files winbind
> >>> group_compat: nis
> >>> hosts: files dns winbind
> >>> networks: files
> >>> passwd: files winbind
> >>> passwd_compat: nis
> >>> shells: files
> >>> services: compat
> >>> services_compat: nis
> >>> protocols: files
> >>> rpc: files
> >>> root at P43003:/usr/local/lib #
> >>>
> >>> Looks good, no?
> >>>
> >>> winbind.so does exist in /usr/local/lib:
> >>>
> >>> root at P43003:/usr/local/lib # ll *winbind*
> >>> -rwxr-xr-x 1 root wheel 22832 Mar 20 19:55 nss_winbind.so.1*
> >>> -rwxr-xr-x 1 root wheel 53098 Mar 20 19:55 pam_winbind.so*
> >>> -rwxr-xr-x 1 root wheel 6026 Mar 20 19:56 winbind_krb5_locator.so*
> >>> root at P43003:/usr/local/lib #
> >>>
> >>> make showconfig:
> >>>
> >>> root at P43003:/usr/ports/net/samba41 # make showconfig
> >>> ===> The following configuration options are available for samba41-4.1.6:
> >>> ACL_SUPPORT=on: File system ACL support
> >>> ADS=on: Active Directory support
> >>> AIO_SUPPORT=on: Asyncronous IO support
> >>> CUPS=off: CUPS printing system support
> >>> DEBUG=off: With debug information in the binaries
> >>> DEVELOPER=off: With development support
> >>> DNSUPDATE=on: Dynamic DNS update(require ADS)
> >>> EXP_MODULES=on: Experimental modules
> >>> FAM_SUPPORT=off: File Alteration Monitor support
> >>> LDAP=on: LDAP support
> >>> MANPAGES=off: Build and/or install manual pages
> >>> PAM_SMBPASS=on: PAM authentication via passdb backends
> >>> PTHREADPOOL=on: Pthread pool
> >>> QUOTAS=off: Disk quota support
> >>> SYSLOG=on: Syslog support
> >>> UTMP=on: UTMP accounting support
> >>> ====> Options available for the single DNS: you have to select exactly one of them
> >>> NSUPDATE=on: Use internal DNS with NSUPDATE utility
> >>> BIND98=off: Use bind98 as a DNS server frontend
> >>> BIND99=off: Use bind99 as a DNS server frontend
> >>> ====> Options available for the radio ZEROCONF: you can only select none or one of them
> >>> AVAHI=off: Zeroconf support via Avahi
> >>> MDNSRESPONDER=on: Zeroconf support via mDNSResponder
> >>> ===> Use 'make config' to modify these settings
> >>> root at P43003:/usr/ports/net/samba41 #
> >>>
> >>> testparm:
> >>>
> >>> root at P43003:/usr/ports/net/samba41 # testparm
> >>> Load smb config files from /usr/local/etc/smb4.conf
> >>> Processing section "[doug]"
> >>> Processing section "[public]"
> >>> Loaded services file OK.
> >>> Server role: ROLE_DOMAIN_MEMBER
> >>> Press enter to see a dump of your service definitions
> >>>
> >>> [global]
> >>> workgroup = EXAMPLE
> >>> realm = EXAMPLE.COM
> >>> server string =
> >>> security = ADS
> >>> kerberos method = system keytab
> >>> log file = /var/log/samba4/log.%m
> >>> smb ports = 445
> >>> min receivefile size = 16384
> >>> disable netbios = Yes
> >>> max mux = 32768
> >>> name resolve order = lmhosts, hosts, bcast
> >>> client ldap sasl wrapping = seal
> >>> socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> >>> load printers = No
> >>> printcap name = /dev/null
> >>> disable spoolss = Yes
> >>> local master = No
> >>> domain master = No
> >>> template shell = /bin/bash
> >>> winbind separator = -
> >>> winbind cache time = 10
> >>> winbind enum users = Yes
> >>> winbind enum groups = Yes
> >>> winbind nss info = rfc2307
> >>> winbind refresh tickets = Yes
> >>> winbind offline logon = Yes
> >>> idmap config *:range = 70001-80000
> >>> idmap config EXAMPLE:backend = ad
> >>> idmap config EXAMPLE:schema_mode = rfc2307
> >>> idmap config EXAMPLE:range = 50001-60000
> >>> idmap config * : backend = tdb
> >>> admin users = <<<redacted>>>
> >>> inherit permissions = Yes
> >>> inherit acls = Yes
> >>> hosts allow = 192.168.xxx., 192.168.xxx., 127., 10.8.
> >>> aio read size = 16384
> >>> aio write size = 16384
> >>> aio write behind = true
> >>> directory name cache size = 0
> >>> use sendfile = Yes
> >>> dos filemode = Yes
> >>>
> >>> [doug]
> >>> comment = /usr/home/EXAMPLE/doug
> >>> path = /usr/home/EXAMPLE/doug
> >>> valid users = <<<redacted>>>
> >>> read only = No
> >>> create mask = 0774
> >>> directory mask = 0774
> >>> inherit owner = Yes
> >>>
> >>> [public]
> >>> comment = Public Stuff
> >>> path = /usr/home/public
> >>> write list = <<<redacted>>>
> >>> read only = No
> >>> create mask = 0774
> >>> directory mask = 0774
> >>> force directory mode = 0774
> >>> guest ok = Yes
> >>>
> >>>
> >>>
> >>> I am trying to join this machine as a member server of the AD.
> >>>
> >>> root at P43003:/usr/ports/net/samba41 # net ads info
> >>> ads_connect: No logon servers
> >>> ads_connect: No logon servers
> >>> Didn't find the ldap server!
> >>> root at P43003:/usr/ports/net/samba41 # net ads join -U admin
> >>> Enter admin's password:
> >>> ^C <<<<<<<<<<<<<<<<<<------------ this is after waiting ~15 minutes
> >>> root at P43003:/usr/ports/net/samba41 # net ads info
> >>> LDAP server: 192.168.xxx.x
> >>> LDAP server name: <<<redacted>>>.example.com
> >>> Realm: EXAMPLE.COM
> >>> Bind Path: dc=EXAMPLE,dc=COM
> >>> LDAP port: 389
> >>> Server time: Fri, 21 Mar 2014 12:59:06 PDT
> >>> KDC server: 192.168.xxx.x
> >>> Server time offset: 0
> >>> root at P43003:/usr/ports/net/samba41 #
> >>>
> >>> Still cannot enumerate AD users via getent passwd.
> >>>
> >>> What am I doing wrong?
> >>>
> >>> ~Doug
> >>>
> >> Hi, what do you have in krb5.conf & resolv.conf
> >>
> > root at P43003:/usr/home # cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = EXAMPLE.COM
> > forwardable = true
> > # default_tgs_enctypes = rc4-hmac des-cbc-crc
> > # default_tkt_enctypes = rc4-hmac des-cbc-crc
> > default_keytab_name = FILE:/etc/krb5.keytab
> >
> > [appdefaults]
> > default_realm = EXAMPLE.COM
> > pam = {
> > forwardable = true
> > krb4_convert = false
> > debug = false
> > ticket_lifetime = 36000
> > renew_lifetime = 36000
> > }
> >
> > [realms]
> > EXAMPLE.COM = {
> > kdc = <<<redacted>>>.example.com:88
> > kdc = <<<redacted>>>.example.com:88
> > kdc = <<<redacted>>>.example.com:88
> > admin_server = <<<redacted>>>.example.com:749
> > kpasswd_server = <<<redacted>>>.example.com:464
> > kpasswd_protocol = SET_CHANGE
> > default_domain = example.com
> > }
> >
> > [domain_realm]
> > example.com = EXAMPLE.COM
> > .example.com = EXAMPLE.COM
> > .EXAMPLE.COM = EXAMPLE.COM
> >
> > [logging]
> > default = FILE:/var/log/krb5libs.log
> > kdc = FILE:/var/log/krb5kdc.log
> > admin_server = FILE:/var/log/kadmind.log
> >
> > root at P43003:/usr/home # cat /etc/resolv.conf
> > search example.com
> > domain example.com
> > nameserver 192.168.xxx.x
> > nameserver 192.168.xxx.x
> > nameserver 192.168.xxx.x
> >
> > root at P43003:/usr/home #
> >
> OK, this is what I use on a Linux Mint 15 client against a samba 4.1.4 AD server:
>
> krb5.conf:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> forwardable = yes
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> }
>
> resolv.conf:
>
> nameserver 192.168.0.2
> search example.com
>
> The above works for me.
>
The only difference I see between your krb5.conf and mine is:
dns_lookup_realm = true
dns_lookup_kdc = true
I added these to my krb5.conf and restarted. Still I am unable to enumerate AD users via the 'getent passwd' command. I still can enumerate AD users via the 'wbinfo -u' and 'wbinfo -g' command. It appeared to me that I may have gotten the idmap setup wrong. Here is what my Samba 3.6 conf looked like:
# ver 3.6
idmap config * : backend = tdb
idmap config * : range = 50001-60000
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 1000 - 50000
Should version 4.1 be as follows?
# ver 4.1
idmap config *:backend = tdb
idmap config *:range = 50001-60000
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 1000-50000
Also each time I restart Samba, I receive the following error in /var/log/winbindd:
[2014/04/18 12:10:43.636697, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
Got sig[15] terminate (is_parent=0)
(END)
I do not see the same error message in Samba 3.6.
When I open Windows Explorer on a Windows 7 Pro workstation and head straight to Network, I can see the server's name in the list. However, when I double-click on it to enumerate the shares for that server, I am shown the login dialog window. The login dialog window does display the short domain name underneath the password field box although I am unsure as to whether that is supplied by my Windows workstation or by the server to which I am trying to connect.
I refuse to give up so I am going to plug and plug until I get a working setup going! Your assistance would be greatly appreciated!
~Doug
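The two idmap blocks above differ only in spacing; what a defender actually wants to verify is that the default domain has a backend and a range and that no two ranges overlap, since overlapping ranges can hand two SIDs the same UID or GID. The checker below is an added example written for this post (not Samba's code and not from the thread); SAMBA_36 and SAMBA_41_BAD are constructed samples, the second with a deliberate overlap.

```python
import re

# Constructed sample in the 3.6 spelling (spaces around ':') quoted in the mail.
SAMBA_36 = """\
idmap config * : backend = tdb
idmap config * : range = 50001-60000
idmap config EXAMPLE : backend = ad
idmap config EXAMPLE : schema_mode = rfc2307
idmap config EXAMPLE : range = 1000 - 50000
"""

# Constructed 4.1-style sample with a deliberate range overlap for the check to flag.
SAMBA_41_BAD = ("idmap config *:backend = tdb\nidmap config *:range = 40000-60000\n"
                "idmap config EXAMPLE:backend = ad\nidmap config EXAMPLE:range = 1000-50000\n")

# Accepts both spellings: whitespace around ':' and '=' is optional.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+([^:\s]+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt.lower()] = val
    return cfg

def parse_range(val):
    """'1000 - 50000' or '1000-50000' -> (1000, 50000)."""
    lo, hi = (int(x) for x in re.split(r"\s*-\s*", val.strip(), maxsplit=1))
    return lo, hi

def check_idmap(conf):
    """Return the problems found; an empty list means the idmap block is consistent."""
    cfg = parse_idmap(conf)
    problems = []
    # winbind needs a default ('*') domain with both a backend and a range.
    if not {"backend", "range"} <= set(cfg.get("*", {})):
        problems.append("default domain '*' must define both backend and range")
    ranges = {d: parse_range(o["range"]) for d, o in cfg.items() if "range" in o}
    # Ranges must be disjoint, or two SIDs could be handed the same UID/GID.
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b} ranges overlap")
    return problems
```

wbinfo -u enumerates account names without needing an id mapping, while getent passwd lists only accounts winbind can map, so with the ad backend an account whose uidNumber falls outside the configured range disappears from getent even though wbinfo still shows it.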