[Samba] smbclient broken after update

Rowland Penny rowlandpenny at googlemail.com
Mon Mar 3 03:54:00 MST 2014


On 03/03/14 09:44, Peter Serbe wrote:
> Dear all,
>
> Despite being pretty reluctant to reinstall something broken,
> I took the hard way, and did reinstall the machine from ground
> up. Even with all the information on the wiki and on the list
> here, it was not exactly an easy undertaking. Hence I will share
> my observations. Hopefully it may help others...
>
> The first pitfall was the installation of lxde. The server is
> at the time of the writing my only *nix machine. It is a pretty
> powerful one, and hence I wanted to have the graphical surface
> on it. At least on Debian (here: Jessie) some crap is being
> installed with lxde. Therefore the first step should be:
>
> apt-get remove network-manager

No need to remove this, just use it to set the ipv4 settings to manual 
and enter your static settings.

> apt-get remove avahi

This is because you use .local for your realm name

> apt-get install acpi-support
>
> While the first is obvious, the second is a big trap. It seems
> to break the DNS update mechanism from Samba4 AD to Bind9. It
> took me hours to find out... The acpi-support package is not
> related to Samba, but might be helpful anyway. *)
>
> First I installed Bind 9.9.5 from the sources. The wiki
> information on how to do that is quite good. I run bind in a
> restricted user account "named". Later a bit of fiddling is
> necessary to find all the files and directories in
> /usr/local/samba, where one needs to add access for the
> user "named". I would have loved to give the exact locations,
> but by that time it was about 3am, and after so many hours
> of hacking my notes got a bit sparse... :-( It would be
> great to have the exact requirements in the wiki however.

Fairly easy to compile and install bind9 yourself on debian:

Install all required dependencies
install bind9 with apt-get
remove bind9 with apt-get
this will leave you with all the required configuration files!

Get the bind tarball from ftp://ftp.isc.org/isc
Untar said tarball
Now compile it using this configure line:

./configure --prefix=/usr --mandir=/usr/share/man \
  --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var \
  --enable-threads --enable-largefile --with-libtool --enable-shared \
  --enable-static --with-openssl=/usr --with-gssapi=/usr \
  --with-dlopen=yes --with-gnu-ld --enable-ipv6 \
  CFLAGS='-fno-strict-aliasing -DDIG_SIGCHASE -O2' \
  LDFLAGS='-Wl,-Bsymbolic-functions -Wl,-z,relro' \
  CPPFLAGS='-D_FORTIFY_SOURCE=2'

>
> Once bind works perfectly it is time to install all the
> samba and its requirements. First I used the restored git
> repository from my first samba installation. All the
> configure/make/make install seems to run smoothly, but the
> provisioning failed while filling the internal database.
> There was no error message, just a note on an unhandled
> exception in one of the many Python scripts. It turned
> out that it was necessary to start over with the git
> repository, too. I did the installation more or less
> according to the wiki:
>
> git clone git://git.samba.org/samba.git samba-master
> git tag -l | grep samba-4.
> git checkout tags/samba-4.1.5
>
> But most likely it is better to download the tarball.

Unless you want to live on the bleeding edge and maybe end up with 
something that may not work, then yes use the latest tarball.

> Anyway, from now on (and after removing avahi) everything
> worked like it should. Mostly at least... It took me quite
> a bit of time, to find out the correct principal, which
> Bind9 uses in the DLZ update process. I think the successful
> try was this:
>
> samba-tool domain exportkeytab /usr/local/samba/private/dns.keytab
>   --principal=DNS/server.samdom
>
> This is also not very well documented in the wiki.

There is a good reason why this is not documented in the wiki: the
keytab that you refer to should be created automatically when you
provision.

> And
> at least for a *nix novice it was not exactly obvious.
> I think, it would be a wise step to check the keytab
> file by
>
> klist -k /usr/local/samba/private/dns.keytab
>
> and to verify that the necessary principal is there.
> Maybe it would be good to put this in the wiki, too.
>
> I spent some more hours trying to make sssd work.
> But without success. I will do a new installation within
> a virtual machine some time later, and then ask a
> precise question about it by then. For the next few
> days I refuse to deal with sssd**). :-!

Sorry, I cannot comment on sssd, except to say that it works for me.

>
> Eventually I gave up and went back to pam_winbind.
> Within less than ten minutes I did see the
> SOMEDOM\Administrator in getent passwd.
> I don't know whether the sssd approach would
> give some performance increase (e.g. when transferring
> lots of very small files on the server), but frankly,
> my personal experience with sssd is a nightmare
> compared to pam_winbind.
>
> Best regards
> Peter
>
>
>
> *) The package acpi-support fixes a shutdown issue on the
> Asus P8P67-pro (only every second shutdown succeeds, the other
> one results in a reboot).
> Furthermore the installation of lxde breaks the wake-on-lan
> functionality. I ended up with a small shell script, which
> uses ethtool to apply the correct parameter during the boot
> process.
>
> **) First I tried 1.11.3, i.e. the plain Jessie packet.
> Then I compiled 1.11.4 - a lengthy undertaking on Debian,
> as one has to find a lengthy amount of required packages...
>
> apt-get install libtalloc-dev tdb-dev libtevent-dev \
>   libldb-dev  libdhash-dev libcollection-dev libini-config-dev \
>   libpcre3-dev libc-ares-dev samba-dev libglib2.0-dev \
>   libdconf-dbus-1-dev xsltproc libxml2-utils libselinux1-dev \
>   libsemanage1-dev libnss3-dev libsasl2-dev
>
> But the issues apparently weren't related to the version
> of sssd.
>
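The keytab check Peter suggests with klist -k, written out as a script. This is an added example, not part of the original thread or the Samba wiki. It assumes MIT-style `klist -k` output; the sample listing, its realm and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a keytab listing for the DNS service principal.
# Assumes MIT-style `klist -k` output: header, dashed ruler, "KVNO Principal".

# Constructed sample listing (realm and KVNO are made up for illustration).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/server.samdom@SAMDOM
   1 DNS/server.samdom@SAMDOM
   1 dns-server@SAMDOM
EOF
}

# list_principals: read `klist -k` output on stdin, print unique principals.
list_principals() {
    awk '/^-+ +-+/ { body = 1; next }    # dashed ruler ends the header
         body && NF >= 2 { print $2 }    # column 2 is the principal
    ' | sort -u
}

# has_dns_principal HOST: succeed if DNS/HOST@<any realm> is listed on stdin.
# The comparison is an exact string match, so dots in HOST are not wildcards.
has_dns_principal() {
    list_principals | awk -v want="DNS/$1" '
        { sub(/@[^@]*$/, "") }           # strip the realm
        $0 == want { hit = 1 }
        END { exit !hit }'
}

# world_accessible FILE: succeed if "other" has any permission bit on FILE.
# A keytab holds long-term keys; only root and the BIND user should read it.
world_accessible() {
    [ "$(ls -ld -- "$1" | cut -c8-10)" != "---" ]
}

# check_dns_keytab FILE HOST: run both checks against a keytab on disk.
check_dns_keytab() {
    if world_accessible "$1"; then
        echo "FAIL: $1 is accessible to all users" >&2; return 1
    fi
    if ! klist -k "$1" | has_dns_principal "$2"; then
        echo "FAIL: DNS/$2 not found in $1" >&2; return 1
    fi
    echo "OK: DNS/$2 present in $1"
}
```

On the server this would be run as `check_dns_keytab /usr/local/samba/private/dns.keytab server.samdom`, with the host part taken from the principal BIND is expected to use.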


