[Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
Doug Sampson
dougs at dawnsign.com
Fri Mar 21 16:25:59 MDT 2014
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Rowland Penny
> Sent: Friday, March 21, 2014 2:26 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
>
> On 21/03/14 20:04, Doug Sampson wrote:
> >> No, the compilation of the new version is linking against the
> >> installed libraries of the old version rather than the ones it just
> >> built.
> >>
> >>> I will uninstall Samba 4.1.4 completely before installing 4.1.6.
> >>>
> >
> > Okay, so I completely uninstalled Samba 4.1.4, rebooted and installed
> > 4.1.6. The install completed without any warning messages.
> >
> > However, I am unable to join the AD - the login using the administrator's
> > account just hangs there without returning to a command prompt. The
> > console.log shows:
> >
> > Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: [2014/03/21 11:07:33.571552, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> > Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: Got sig[15] terminate (is_parent=1)
> > Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: [2014/03/21 11:07:33.581594, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
> > Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: Got sig[15] terminate (is_parent=0)
> > root at P43003:/usr/local/lib #
> >
> > Okay, so winbindd isn't working. Why? wbinfo -u shows expected list of
> > AD users. However, getent passwd shows only the local unix user accounts.
> >
> > root at P43003:/usr/local/lib # cat /etc/nsswitch.conf
> > #
> > # nsswitch.conf(5) - name service switch configuration file
> > # $FreeBSD: release/9.2.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
> > #
> > group: files winbind
> > group_compat: nis
> > hosts: files dns winbind
> > networks: files
> > passwd: files winbind
> > passwd_compat: nis
> > shells: files
> > services: compat
> > services_compat: nis
> > protocols: files
> > rpc: files
> > root at P43003:/usr/local/lib #
> >
> > Looks good, no?
> >
> > winbind.so does exist in /usr/local/lib:
> >
> > root at P43003:/usr/local/lib # ll *winbind*
> > -rwxr-xr-x 1 root wheel 22832 Mar 20 19:55 nss_winbind.so.1*
> > -rwxr-xr-x 1 root wheel 53098 Mar 20 19:55 pam_winbind.so*
> > -rwxr-xr-x 1 root wheel 6026 Mar 20 19:56 winbind_krb5_locator.so*
> > root at P43003:/usr/local/lib #
> >
> > make showconfig:
> >
> > root at P43003:/usr/ports/net/samba41 # make showconfig
> > ===> The following configuration options are available for samba41-4.1.6:
> > ACL_SUPPORT=on: File system ACL support
> > ADS=on: Active Directory support
> > AIO_SUPPORT=on: Asyncronous IO support
> > CUPS=off: CUPS printing system support
> > DEBUG=off: With debug information in the binaries
> > DEVELOPER=off: With development support
> > DNSUPDATE=on: Dynamic DNS update(require ADS)
> > EXP_MODULES=on: Experimental modules
> > FAM_SUPPORT=off: File Alteration Monitor support
> > LDAP=on: LDAP support
> > MANPAGES=off: Build and/or install manual pages
> > PAM_SMBPASS=on: PAM authentication via passdb backends
> > PTHREADPOOL=on: Pthread pool
> > QUOTAS=off: Disk quota support
> > SYSLOG=on: Syslog support
> > UTMP=on: UTMP accounting support
> > ====> Options available for the single DNS: you have to select exactly one of them
> > NSUPDATE=on: Use internal DNS with NSUPDATE utility
> > BIND98=off: Use bind98 as a DNS server frontend
> > BIND99=off: Use bind99 as a DNS server frontend
> > ====> Options available for the radio ZEROCONF: you can only select none or one of them
> > AVAHI=off: Zeroconf support via Avahi
> > MDNSRESPONDER=on: Zeroconf support via mDNSResponder
> > ===> Use 'make config' to modify these settings
> > root at P43003:/usr/ports/net/samba41 #
> >
> > testparm:
> >
> > root at P43003:/usr/ports/net/samba41 # testparm
> > Load smb config files from /usr/local/etc/smb4.conf
> > Processing section "[doug]"
> > Processing section "[public]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > [global]
> > workgroup = EXAMPLE
> > realm = EXAMPLE.COM
> > server string =
> > security = ADS
> > kerberos method = system keytab
> > log file = /var/log/samba4/log.%m
> > smb ports = 445
> > min receivefile size = 16384
> > disable netbios = Yes
> > max mux = 32768
> > name resolve order = lmhosts, hosts, bcast
> > client ldap sasl wrapping = seal
> > socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
> > load printers = No
> > printcap name = /dev/null
> > disable spoolss = Yes
> > local master = No
> > domain master = No
> > template shell = /bin/bash
> > winbind separator = -
> > winbind cache time = 10
> > winbind enum users = Yes
> > winbind enum groups = Yes
> > winbind nss info = rfc2307
> > winbind refresh tickets = Yes
> > winbind offline logon = Yes
> > idmap config *:range = 70001-80000
> > idmap config EXAMPLE:backend = ad
> > idmap config EXAMPLE:schema_mode = rfc2307
> > idmap config EXAMPLE:range = 50001-60000
> > idmap config * : backend = tdb
> > admin users = <<<redacted>>>
> > inherit permissions = Yes
> > inherit acls = Yes
> > hosts allow = 192.168.xxx., 192.168.xxx., 127., 10.8.
> > aio read size = 16384
> > aio write size = 16384
> > aio write behind = true
> > directory name cache size = 0
> > use sendfile = Yes
> > dos filemode = Yes
> >
> > [doug]
> > comment = /usr/home/EXAMPLE/doug
> > path = /usr/home/EXAMPLE/doug
> > valid users = <<<redacted>>>
> > read only = No
> > create mask = 0774
> > directory mask = 0774
> > inherit owner = Yes
> >
> > [public]
> > comment = Public Stuff
> > path = /usr/home/public
> > write list = <<<redacted>>>
> > read only = No
> > create mask = 0774
> > directory mask = 0774
> > force directory mode = 0774
> > guest ok = Yes
> >
> >
> >
> > I am trying to join this machine as a member server of the AD.
> >
> > root at P43003:/usr/ports/net/samba41 # net ads info
> > ads_connect: No logon servers
> > ads_connect: No logon servers
> > Didn't find the ldap server!
> > root at P43003:/usr/ports/net/samba41 # net ads join -U admin
> > Enter admin's password:
> > ^C <<<<<<<<<<<<<<<<<<------------ this is after waiting ~15 minutes
> > root at P43003:/usr/ports/net/samba41 # net ads info
> > LDAP server: 192.168.xxx.x
> > LDAP server name: <<<redacted>>>.example.com
> > Realm: EXAMPLE.COM
> > Bind Path: dc=EXAMPLE,dc=COM
> > LDAP port: 389
> > Server time: Fri, 21 Mar 2014 12:59:06 PDT
> > KDC server: 192.168.xxx.x
> > Server time offset: 0
> > root at P43003:/usr/ports/net/samba41 #
> >
> > Still cannot enumerate AD users via getent passwd.
> >
> > What am I doing wrong?
> >
> > ~Doug
> >
> Hi, what do you have in krb5.conf & resolv.conf
>
root at P43003:/usr/home # cat /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
forwardable = true
# default_tgs_enctypes = rc4-hmac des-cbc-crc
# default_tkt_enctypes = rc4-hmac des-cbc-crc
default_keytab_name = FILE:/etc/krb5.keytab
[appdefaults]
default_realm = EXAMPLE.COM
pam = {
forwardable = true
krb4_convert = false
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
}
[realms]
EXAMPLE.COM = {
kdc = <<<redacted>>>.example.com:88
kdc = <<<redacted>>>.example.com:88
kdc = <<<redacted>>>.example.com:88
admin_server = <<<redacted>>>.example.com:749
kpasswd_server = <<<redacted>>>.example.com:464
kpasswd_protocol = SET_CHANGE
default_domain = example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
.EXAMPLE.COM = EXAMPLE.COM
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
root at P43003:/usr/home # cat /etc/resolv.conf
search example.com
domain example.com
nameserver 192.168.xxx.x
nameserver 192.168.xxx.x
nameserver 192.168.xxx.x
root at P43003:/usr/home #