[Samba] Question about splitting AD and fileserving (and tons of other stuff)

Jason MacChesney jason.macchesney at ecacs16.ab.ca
Tue Feb 11 10:44:04 MST 2014


Hello, I am wondering if this is preferred at this iteration in
development. If so, what would be the best way to continue? Build a VM
server and have that do file serving, then migrate file serving from the
old AD, then join the new VM to the AD server? Or vice versa?

My reasoning: we are running SerNet (Version 4.0.12-SerNet-Ubuntu-8.precise) on
Ubuntu 12.0.2, deployed in three different environments (the
biggest one with 50 workstations/users in fairly consistent use and maybe
over an additional hundred stations/500 users with sporadic use, heavily
reliant on roaming profiles/redirection). Samba runs on its own SSD, and
all folder redirection/roaming profiles are on an LVM (/home, at 500G). We
generally use pfSense for routing, VLANs...

For the permissions, the folder redirection folder has CREATOR OWNER,
SYSTEM, Domain Admins all have full control; Authenticated Users settings
are more limited, and apply only to the folder.

Roaming profiles are similar to all of those, but with full permissions set.

Some quirks have me back to reading the mailing list (it's only really
been 3 months since I regularly read it), and I've caught some mention that
having Samba do both AD and folder redirection/roaming profiles, or
file serving, is an issue. Is anyone able to share the issues that come with
doing both? That might give me some peace of mind for what I've been
seeing.

Quirks I've noted:

>When I try to log in as domain administrator, on some workstations: "The
group policy client service failed the logon. Access is denied"

>I can't shake the feeling Windows clients are not grabbing NTP from the DC,
but I think that might be firewall related (event viewer squawks about
being unable to set the time peer as a time source because a duplicate error exists).

>The event viewer is complaining quite a bit about none of the DNS servers
responding, which is new. (Windows shows that Samba is set as the DNS
server.) The only things that look useful in the syslog:

Feb 11 09:17:56 nicodemus smbd[19364]: [2014/02/11 09:17:56.765432,  0] ../source3/smbd/service.c:784(make_connection_snum)
Feb 11 09:17:56 nicodemus smbd[19364]:   canonicalize_connect_path failed for service netlogon, path /var/lib/samba/sysvol/samba4.bss.ecacs16.ab.ca/scripts
Feb 11 09:17:56 nicodemus smbd[19364]: [2014/02/11 09:17:56.768871,  0] ../source3/smbd/service.c:784(make_connection_snum)
Feb 11 09:17:56 nicodemus smbd[19364]:   canonicalize_connect_path failed for service netlogon, path /var/lib/samba/sysvol/samba4.bss.ecacs16.ab.ca/scripts
Feb 11 09:24:35 nicodemus smbd[19543]: [2014/02/11 09:24:35.604347,  0] ../source3/printing/print_cups.c:151(cups_connect)
Feb 11 09:24:35 nicodemus smbd[19543]:   Unable to connect to CUPS server localhost:631 - Connection refused
Feb 11 09:24:35 nicodemus smbd[1543]: [2014/02/11 09:24:35.604922,  0] ../source3/printing/print_cups.c:528(cups_async_callback)
Feb 11 09:24:35 nicodemus smbd[1543]:   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Feb 11 09:26:07 nicodemus samba[1538]: [2014/02/11 09:26:07.583256,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:26:07 nicodemus samba[1538]:   Can't handle updates of type 255 yet
Feb 11 09:26:13 nicodemus samba[1538]: [2014/02/11 09:26:13.709095,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:26:13 nicodemus samba[1538]:   Can't handle updates of type 255 yet
Feb 11 09:26:47 nicodemus samba[1537]: [2014/02/11 09:26:47.882065,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Feb 11 09:26:47 nicodemus samba[1537]:   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
Feb 11 09:35:50 nicodemus samba[1538]: [2014/02/11 09:35:50.390243,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:35:50 nicodemus samba[1538]:   Can't handle updates of type 255 yet
Feb 11 09:35:51 nicodemus samba[1538]: [2014/02/11 09:35:51.569570,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:35:51 nicodemus samba[1538]:   Can't handle updates of type 255 yet

>Some users are only logged in with a temporary profile, but their settings
may persist and access to their data on the server is usually fine. What
happens, though, is their C:/Users drive gets loaded with dozens of temp
profiles (even though there's a GPO that's supposed to wipe them after a
day).

>Some users have a lot of trouble changing their password, even though we
run these commands on every install. I think it's a time frame issue
(they're trying too many changes too soon; not sure, though):

   samba-tool domain passwordsettings set --complexity=off
   samba-tool domain passwordsettings set --history-length=0
   samba-tool domain passwordsettings set --min-pwd-age=0
   samba-tool domain passwordsettings set --max-pwd-age=0

>Adobe Reader alternatives seem unstable.

>Windows pinned items inexplicably vanish, along with desktop shortcuts.

>GPOs don't apply sometimes, usually package installations, and it
generally seems to be a permission issue. Is there a best practice for
this? (I've been storing the installers in sysvol...)

>General web browser problems: Flash was a big issue on Firefox and Chrome
for users trying to watch the Olympics on cbc.ca. Is there an officially
recommended web browser?

>We've had users that simply could not log in... for thirty minutes
(oversized profiles weren't the cause). The solution was to create a new
account, which had me wondering what the best practice is for user
deletion. samba-tool or the MMC snap-in? Does it matter? I thought I read
that improper user removal can screw up the GUID ordering? Does that sound
right? Can I run a diagnostic for that?

>Sometimes roaming profiles don't seem to click (I'll see the roaming
profile folder loaded with all the usual Windows redirected folders). Should
I wait for group policy to correct this? Anyone have experience deleting
profiles and letting them rebuild themselves in S4? I know that worked well
in Samba3...

>At one site we forward DNS to another site, but DNS is super shaky for
our users (websites frequently need to be refreshed). I used this command:

samba-tool dns add 192.168.32.2 samba4.bso.ecacs16.ab.ca galactacus.co.ecacs16.ab.ca A 192.168.0.2 -U administrator

However, in the DNS snap-in, it garbled up the realms like so:
galactacus.samba4.bso.ecacs16.ab.ca.

Any suggestions?

>One user has reported super slow internet, and since Samba's the DC, doing
DNS, that's as far as I've gotten. But general internet dampening seems
strange. I'd like a solution for creating a new account and transferring
all necessary permissions, to at least verify that a corrupt user profile
was the cause. I've had mixed success with getfacl | setfacl. Any help
there would be appreciated.

Also, is CUPS the best way to integrate printers into an AD? We've been
rolling printer configs into our Windows 7 images.

And, what's the deal with the SerNet expiry date? Should I worry about it?

root at ubuntu:/# gpg --fingerprint XXXXXX
pub   1024D/F4428B1A 2008-03-11 [expires: 2014-02-15]

This might also be a long shot. We have non-IT staff interested in changing
the password for user accounts. How reliable is the snap-in for this?
Alternatively, has anyone drummed up a batch script for this purpose?
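An added example, not part of the original post or of Samba: a small Python parser for syslog lines in the shape quoted above. Samba writes each event as a "[timestamp, level] file:line(function)" header followed by an indented message line from the same process, so the two have to be paired before the DNS-update failures and the netlogon path failure can be counted rather than eyeballed. The sample log is constructed from the excerpt in the post; the symptom labels are this example's own.

```python
import re
from collections import Counter
# Constructed sample modelled on the syslog excerpt in the post: a header line, then an indented message line, per event.
SAMPLE_LOG = """\
Feb 11 09:17:56 nicodemus smbd[19364]: [2014/02/11 09:17:56.765432,  0] ../source3/smbd/service.c:784(make_connection_snum)
Feb 11 09:17:56 nicodemus smbd[19364]:   canonicalize_connect_path failed for service netlogon, path /var/lib/samba/sysvol/samba4.bss.ecacs16.ab.ca/scripts
Feb 11 09:26:07 nicodemus samba[1538]: [2014/02/11 09:26:07.583256,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:26:07 nicodemus samba[1538]:   Can't handle updates of type 255 yet
Feb 11 09:26:47 nicodemus samba[1537]: [2014/02/11 09:26:47.882065,  0] ../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Feb 11 09:26:47 nicodemus samba[1537]:   ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
Feb 11 09:35:50 nicodemus samba[1538]: [2014/02/11 09:35:50.390243,  0] ../source4/dns_server/dns_update.c:413(handle_one_update)
Feb 11 09:35:50 nicodemus samba[1538]:   Can't handle updates of type 255 yet
"""

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
HEADER = re.compile(r"^\[(?P<dbgts>[\d/ :.]+), *(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")

def parse_samba_events(text):
    """Pair each Samba debug header with the next message line from the same process (name + pid)."""
    events, pending = [], {}
    for raw in text.splitlines():
        m = SYSLOG.match(raw)
        if not m: continue                      # not a syslog line we understand
        key = (m["proc"], m["pid"])
        h = HEADER.match(m["rest"].strip())
        if h:                                   # header: remember it until its message arrives
            pending[key] = {"ts": m["ts"], "proc": m["proc"], "level": int(h["level"]), "src": h["src"], "func": h["func"]}
        elif key in pending:                    # message line belonging to the stored header
            ev = pending.pop(key)
            ev["msg"] = m["rest"].strip()
            events.append(ev)
    return events

def classify(msg):
    """Bucket a message into the symptoms the post is chasing (labels are this example's own)."""
    if "canonicalize_connect_path failed" in msg:
        return "sysvol_path"                    # netlogon share path could not be resolved
    if "Failed DNS update" in msg:
        return "dns_update_failed"              # the DC could not register its own records
    if "Can't handle updates of type" in msg:
        return "dns_update_unsupported"
    return "other"

def summarise(text):
    """Count level-0 events by symptom and by (source file, function)."""
    events = [e for e in parse_samba_events(text) if e["level"] == 0]
    by_symptom = Counter(classify(e["msg"]) for e in events)
    by_func = Counter((e["src"], e["func"]) for e in events)
    return by_symptom, by_func
```

Run against a real /var/log/syslog the same way; a rising dns_update_failed count over time is the thing to chart against the client-side "no DNS servers responding" events.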
