[Samba] Books of Samba 4

Tony Hain tony at tndh.net
Tue Mar 4 13:26:29 MST 2014


Rowland Penny wrote:
> On 03/03/14 20:02, Marc Muehlfeld wrote:
> > Hello Tony,
> >> .....snip
> >>
> >> I did
> >> samba-tool domain provision --server-role= member \
> >>          --domain=EXAMPLE --realm=EXAMPLE.LOCAL and the resulting
> >> system failed to join the AD. ...
> >
> > I think you looked at a different HowTo.
> > You don't do the provisioning for a member. You simply join the
> > machine to the domain like you did in the past. See the HowTo I
> > mentioned above. This one is also linked at the Wiki user
> > documentation page.
> >
> > Can you give me the link to the Member Server HowTo in the Wiki you
> > used? I'll have a look at it.
> >

http://www.dd-wrt.com/wiki/index.php/Samba3
http://www.nslu2-linux.org/wiki/Optware/Samba
http://forums.freebsd.org/viewtopic.php?f=43&t=36137&start=50

> >
> >>> And how you get a
> >>> working DC or member server where you can put this on top, there are
> >>> other HowTos in the Wiki. Each topic has its own HowTo. But of
> >>> course they can be combined. Or what do you mean in this section?
> >>
> >> It is clear that the focus of samba development is to be a functional
> >> replacement for all services that a MSFT PDC might have. That is
> >> fine, but in a security-conscious operational world, not all
> >> services are wanted on every instance, and there is nothing on the
> >> wiki about how to turn services off in a constructive way that will
> >> not impact other services.
> >
> > The services that are enabled on a DC in "server services" are all
> > required and can't be omitted.

I don’t want a DC !!! I simply want a member server WITHOUT printing. All this box is supposed to do from a samba perspective is provide file share access to a couple of directories for domain accounts. Nothing more; but getting samba 4 to stop trying to be the center of the universe is proving to be more trouble than it is worth.

> >
> > Andrew answered this:
> > http://www.spinics.net/lists/samba/msg113742.html
> >
> > Do you know a good place to write this down in the Wiki?
> >
> >>> What services do you want to turn off?
> >>
> >> Printing is the primary point at the moment, because it is spewing
> >> into the log files. This instance is not, and will not be associated
> >> with any printing process, so there are no printers defined or
> >> drivers installed. The core OS is fine with that, but at least samba
> >> 4.1 goes berserk and ignores
> >> [global]
> >> load printers = no
> >> printing = bsd
> >> printcap name = /dev/null
> >> disable spoolss = yes
> >>
> >> with or without ::
> >> [printers]
> >> browsable = no
> >> printable = no
> >>
> >>
> >> every 13 minutes :::
> >> Mar  3 10:44:29 arabian smbd[89010]: [2014/03/03 10:44:29.650775,  0]
> >> ../source3/printing/print_cups.c:151(cups_connect)
> >> Mar  3 10:44:29 arabian smbd[89010]:   Unable to connect to CUPS server
> >> localhost:631 - Connection refused
> >> Mar  3 10:44:29 arabian smbd[1323]: [2014/03/03 10:44:29.663580,  0]
> >> ../source3/printing/print_cups.c:528(cups_async_callback)
> >> Mar  3 10:44:29 arabian smbd[1323]:   failed to retrieve printer list:
> >> NT_STATUS_UNSUCCESSFUL
> >
> > What you have in your [global] section is the same that I have here on
> > my Fedora workstation that runs a standalone Samba instance. I don't
> > see this in my logfiles. What log level are you using?

log level = 2

As I recall, you likely have cups installed as part of your OS distro.

> >
> >> While I think you hit the problem, that brings up another point of
> >> frustration which seemed an unnecessary change, the current file is
> >> smb4.conf ...  I don't know if that is a FreeBSD port specific issue,
> >> but I don't see why that would get changed from the distribution
> >> because it would be a lot of work to maintain. The only obvious
> >> reason I can see for changing the name of the conf file is that there
> >> are fundamental differences in the syntax where the only way to
> >> assure the 4.x code base that someone had taken the time to look at
> >> that was to change the file name. If that is true, the wiki should be
> >> VERY clear about the point and what the syntax changes are.
> >> If it is not, the file name change was pointless wherever it occurred.
> >
> > I don't have a smb4.conf here on my production DCs and test systems
> > (all RH 6.5 and Scientific Linux 6.5 self compiled).
> >
> >>>> Just as an exercise, try to walk through setting up a fresh 4.1 as
> >>>> a file-share-only member server in an existing AD, using the
> >>>> current documentation, and see how far you get.
> >>>
> >>> I'm not sure what you mean here. What do you think is missing in the
> >>> Member Server HowTo that prevents a working setup?
> >>> https://wiki.samba.org/index.php/Samba/Domain_Member
> >>
> >> That is the page I started from ...
> >>
> >> "table ... This is just a very basic example that will make your
> >> member server part of your Active Directory."
> >> None of that was in the conf file after the samba-tool provisioning
> >> step.
> >
> > Where in this HowTo do you read that you have to run a provision on a
> > member server?

There was no smb.conf file of any kind on the freshly installed system. There was a comment found on google about needing to create an smb4.conf file (which I will have to take up with the port maintainer if the '4' is a FreeBSD-only thing). Since the name was different I assumed an existing samba 3 file syntax was problematic but didn't see any clear discussion about what changes would be a problem. I looked at that wiki page and there was no discussion about version, so I assumed it was samba 3, and with no discussion about problems in 4 this led me to keep looking. Somewhere along the line I ran across a discussion about samba-tool for samba 4 configuration. See the next point ...

> 
> Marc, I cannot point you to an HowTo, but perhaps you, or anybody, can
> explain this:
> 
> If you run 'samba-tool  domain provision --help', amongst everything else is
> this:
> 
>    --server-role=ROLE    The server role (domain controller | dc | member
>                          server | member | standalone). Default is dc.
> 

Which is exactly what I did when trying to figure out how to create an smb4.conf file for a blank samba 4 system. It may seem weird to you, but to me the obvious choice was to run samba-tool with --server-role=member server.

> Now, I thought that a member server is a computer that belongs to a domain
> and is not a domain controller, it does not process account logons, participate
> in Active Directory replication, or store domain security policy information. I
> also thought that the only thing that you provisioned was a DC, so why is
> there this option????, it can only confuse people who do not know better.

pro·vi·sion noun \prə-ˈvi-zhən\
: the act or process of supplying or providing something

Creating a conf file is the act of "provisioning" for any role. Any lame redefinition of the word to focus only on DC status is more confusing than any errant text in the help response. That said, the text was pretty clear that samba-tool could create a file for a member server, and it did. The only problem was the file it created was incomplete or inaccurate. See below:

> 
> Rowland
> 
> >
> > Simply following this HowTo should give you a working member server in
> > an AD.
> >
> >> "If you use different UID/GID ranges in your AD, you have to adapt
> >> them."
> >> No indication about how to find out what ranges your AD is using.
> >
> > Most admins know what ranges they have configured. :-) But you
> > are right. I can add a note about that.

If they install SBS, they didn't create the ranges; it defaults to what are apparently the values in the wiki.

> >
> >> "# net ads join -U administrator"
> >> No commentary ... just assumes it works. When it doesn't, there is
> >> nothing on the wiki anywhere that I could find about where to look to
> >> deal with it.
> >
> > The HowTo often describes the ideal way. But when we find typical
> > problems that users are often hitting, we of course add them to the wiki.
> >
> > The problem is: When I write a HowTo, I try to mention typical
> > pitfalls. But if I never had one and can't imagine big problems about
> > it, I don't write about them. :-)
> >
> > Let me know what typical problems you have with the join and I can add
> > them.

If I had planned to add to the wiki I would have documented as I went along. Unfortunately my focus is on a completely unrelated service this machine is supposed to provide, and samba was supposed to be a time-saver addition. 

> >
> > Regards,
> > Marc


> -----Original Message-----
> From: Rowland Penny [mailto:rowlandpenny at googlemail.com]
> Sent: Monday, March 03, 2014 2:04 PM
> To: Marc Muehlfeld; Tony Hain; samba at lists.samba.org
> Subject: Re: [Samba] Books of Samba 4
> 
> On 03/03/14 21:36, Marc Muehlfeld wrote:
> > Hello Rowland,
> >
> > Am 03.03.2014 21:38, schrieb Rowland Penny:
> >> Marc, I cannot point you to an HowTo, but perhaps you, or anybody,
> >> can explain this:
> >>
> >> If you run 'samba-tool  domain provision --help', amongst everything
> >> else is this:
> >>
> >>    --server-role=ROLE    The server role (domain controller | dc |
> >> member
> >>                          server | member | standalone). Default is dc.
> >
> >
> > The 4.0.0 release notes
> > (https://www.samba.org/samba/history/samba-4.0.0.html) said:
> >
> > "Domain member support in the 'samba' binary is in its infancy, and is
> > not comparable to the support found in winbindd.  As such, do not use
> > the 'samba' binary (provided for the AD server) on a member server."

What does the use of any particular binary for the service have to do with how a .conf file gets created????? If there are *unstated assumptions* about which tools are used with which binaries, you can expect lots of confusion. If there is a reason for restricting a tool to a particular binary, state that on the wiki. Otherwise get your head out of DC land and think through the problem of creating a .conf file for a member server, beyond pasting 15 year old text into a service that has clearly changed the context or syntax for many configuration options, but it is not clear which ones have changed or how.

> >
> >
> > I can't say if it's still 100% correct in 4.1, but I haven't heard
> > anything different yet.
> >
> > And at least joining on the old way works like in the past. So I think
> > this is still the preferred way.
> >
> >
> > Regards,
> > Marc
> Hi Marc, I think that you are missing the point here, if we take what samba-
> tool domain provision --help gives us:
> 
> --server-role=ROLE    The server role (domain controller | dc | member
>                           server | member | standalone). Default is dc.
> 
> domain controller & dc are the same thing and this is also the only thing
> that you would/can provision, anything else would involve running the smbd
> & nmbd daemons and also possibly the winbind daemon.

See above about redefining the word 'provision'. Creating a .conf file is the act of 'provisioning', no matter the role.

> 
> It is possible that in the future, we will be able to run samba-tool and get an
> automatically created smb.conf for a member server or a standalone
> machine, but much will have to be done before this can happen. 

That is not as obvious as you make it seem. The file that resulted from 
       --server-role=member server
was missing a 'security='  statement, and whatever of the wiki member HowTo that is actually required for a Samba 4 member server. It joined with just the 'security=' statement, so I can't tell what else is really required, or if 'passdb backend=' or 'dns forwarder=' can safely be removed. Why is it so hard to add the missing pieces to the existing tool if they are as clear as Marc seems to think they are???

> So given this
> and the total lack of documentation for samba-tool, I think this option should
> be hidden or removed, if not something should be put on the wiki about
> using it only to provision a DC.

Removing functionality is not the answer if the eventual goal is to have a common tool that creates a .conf file for any role, and I can't see why it wouldn't be. If a canned response like 'paste from the wiki' is appropriate, why can't samba-tool do that and substitute for the realm and servername provided? It sounds like people are making this too hard because they are so focused on being the center of the universe that they can't see the simple things out at the edge.

Another approach I would have found helpful, and would have avoided most of the searching, was to have a .conf.sample as part of the distro (and again maybe it was dropped so is something I would need to take up with the FreeBSD port maintainer). I actually expected one for a member server would be there, but found nothing. If the wiki member HowTo is a complete functional member server conf, why not distribute it as a sample with some comments about how to run samba-tool for other roles? Since the wiki doesn't include 'netbios name=' or 'server role=' statements, it would appear to be incomplete, but maybe those are irrelevant cruft that are ignored anyway. Clearly the 'server role=' statement is ignored without a 'security=' statement, so given the lack of it on the wiki as far as I can tell it is always ignored and derived from the context of other statements. 

At the end of the day, someone that knows what the service code is actually looking for and not ignoring, needs to fix the tool to create that .conf file, and document those expectations. I can provide feedback about what does or doesn't work, but I am not in a position to state what should be included or can safely be left out.

Tony

> 
> Rowland
