[Samba] smbclient broken after update

[Peter Serbe]

Dear all, 

Desite of being pretty reluctant to reinstall something broken, 
I took the hard way, and did reinstall the machine from ground 
up. Even with all the information on the wiki and on the list 
here, it was not exactly an easy undertaking. Hence I will share 
my observations. Hopefully it may helf others... 

The first pitfall was the installation of lxde. The server is 
at the time of the writing my only *nix machine. It is a pretty 
powerful one, and hence I wanted to have the graphical surface
on it. At least on Debian (here: Jessie) some crap is being 
installed with lxde. Therefore the first step should be: 

apt-get remove network-manager
apt-get remove avahi
apt-get install acpi-support

While the first is obvious, the second is a big trap. It seems 
to break the DNS update mechanism from Samba4 AD to Bind9. It 
took me hours to find out... The acpi-support package is not 
related to Samba, but might be helpful anyway. *)

First I installed Bind 9.9.5 from the sources. The wiki 
information on how to do that is quite good. I run bind in an 
restriced user account "named". Later a bit of fiddling is 
necessary to find all the files and directories in 
/usr/local/samba, where one needs to add access for the 
user "named". It would have loved to give the exact locations, 
but by that time it was about 3am, and after so many hours 
of hacking my notes got a bit sparse... :-( It would be 
great to have the exact requirements in the wiki however.

Once bind works perfectly it is time to install all the 
samba and its requirements. First I used the restored git 
repository from my first samba installation. All the 
configure/make/make install seems to run smoth, but the 
provisioning failed while filling the internal database. 
There was no error message, just a note on an unhandled 
exception in one of the many Python scripts. It turned 
out that it was necessary to start over with the git 
repository, too. I did the installation more or less 
according to the wiki: 

git clone git://git.samba.org/samba.git samba-master
git tag -l | grep samba-4.
git checkout tags/samba-4.1.5

But most likely it is better to download the tarball.
Anyway, from now on (and after removing avahi) everything 
worked like it should. Mostly at least... It took me quite 
a bit of time, to find out the correct principal, which 
Bind9 uses in the DLZ update process. I think the successful 
try was this: 

samba-tool domain exportkeytab /usr/local/samba/private/dns.keytab 
 --principal=DNS/server.samdom

This is also not very well documented in the wiki. And 
at least for a *nix novice it was not exactly obvious. 
I think, it would be a wise step to check the keytab 
file by 

klist -k /usr/local/samba/private/dns.keytab

and to verify, that the necessary prinicipal is there. 
Maybe it would be good to put this in the wiki, too. 

I spend some more hours trying to make sssd working. 
But without success. I will do a new installation within 
an virtual machine some time later, and then ask a 
precise question about it by then. For the next few 
days I refuse to deal with sssd**). :-!

Eventually I gave up and went back to pam_winbind. 
Within less than ten minutes I did see the 
SOMEDOM\Administrator in getent passwd. 
I don't know whether the sssd approach would 
give some performance increase (e.g. when transfering 
lots of very small files on the server), but frankly, 
my personaly experience with sssd is a nightmare 
compared to pam_winbind. 

Best regards
Peter



*) The package acpi-support fixes an shutdown issue on the 
Asus P8P67-pro (only every second shutdown succeeds, the other 
one results in a reboot). 
Furthermore the installation of lxde breaks the wake-on-lan 
functionality. I ended up with a small shell script, which 
uses ethtool to apply the correct parameter during the boot 
process. 

**) First I tried 1.11.3, i.e. the plain Jessie packet. 
Then I compiled 1.11.4 - a lengthy undertaking on Debian, 
as one has to find a lengthy amount of required packages...

apt-get install libtalloc-dev tdb-dev libtevent-dev \
 libldb-dev  libdhash-dev libcollection-dev libini-config-dev \
 libpcre3-dev libc-ares-dev samba-dev libglib2.0-dev \
 libdconf-dbus-1-dev xsltproc libxml2-utils libselinux1-dev \
 libsemanage1-dev libnss3-dev libsasl2-dev

But the issues apparently weren't related to the version 
of sssd.