[Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
Rowland Penny
rowlandpenny at googlemail.com
Sat Mar 22 04:20:41 MDT 2014
On 21/03/14 22:25, Doug Sampson wrote:
>> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>> On Behalf Of Rowland Penny
>> Sent: Friday, March 21, 2014 2:26 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Upgrading from 4.1.4 to 4.1.6 on FreeBSD 9.2
>>
>> On 21/03/14 20:04, Doug Sampson wrote:
>>>> No, the compilation of the new version is linking against the
>>>> installed libraries of the old version rather than the ones it just
>>>> built.
>>>>> I will uninstall Samba 4.1.4 completely before installing 4.1.6.
>>>>>
>>> Okay, so I completely uninstalled Samba 4.1.4, rebooted and installed
>>> 4.1.6. The install completed without any warning messages.
>>> However, I am unable to join the AD- the login using the administrator's
>>> account just hangs there without returning to a command prompt. The
>>> console.log shows:
>>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: [2014/03/21 11:07:33.571552, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1397]: Got sig[15] terminate (is_parent=1)
>>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: [2014/03/21 11:07:33.581594, 0] ../source3/winbindd/winbindd.c:234(winbindd_sig_term_handler)
>>> Mar 21 11:07:33 P43003 kernel: Mar 21 11:07:33 P43003 winbindd[1399]: Got sig[15] terminate (is_parent=0)
>>> root at P43003:/usr/local/lib #
>>>
>>> Okay, so winbindd isn't working. Why? wbinfo -u shows expected list of
>>> AD users. However, getent passwd shows only the local unix user accounts.
>>> root at P43003:/usr/local/lib # cat /etc/nsswitch.conf
>>> #
>>> # nsswitch.conf(5) - name service switch configuration file
>>> # $FreeBSD: release/9.2.0/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
>>> #
>>> group: files winbind
>>> group_compat: nis
>>> hosts: files dns winbind
>>> networks: files
>>> passwd: files winbind
>>> passwd_compat: nis
>>> shells: files
>>> services: compat
>>> services_compat: nis
>>> protocols: files
>>> rpc: files
>>> root at P43003:/usr/local/lib #
>>>
>>> Looks good, no?
>>>
>>> winbind.so does exist in /usr/local/lib:
>>>
>>> root at P43003:/usr/local/lib # ll *winbind*
>>> -rwxr-xr-x 1 root wheel 22832 Mar 20 19:55 nss_winbind.so.1*
>>> -rwxr-xr-x 1 root wheel 53098 Mar 20 19:55 pam_winbind.so*
>>> -rwxr-xr-x 1 root wheel 6026 Mar 20 19:56 winbind_krb5_locator.so*
>>> root at P43003:/usr/local/lib #
>>>
>>> make showconfig:
>>>
>>> root at P43003:/usr/ports/net/samba41 # make showconfig
>>> ===> The following configuration options are available for samba41-4.1.6:
>>> ACL_SUPPORT=on: File system ACL support
>>> ADS=on: Active Directory support
>>> AIO_SUPPORT=on: Asyncronous IO support
>>> CUPS=off: CUPS printing system support
>>> DEBUG=off: With debug information in the binaries
>>> DEVELOPER=off: With development support
>>> DNSUPDATE=on: Dynamic DNS update(require ADS)
>>> EXP_MODULES=on: Experimental modules
>>> FAM_SUPPORT=off: File Alteration Monitor support
>>> LDAP=on: LDAP support
>>> MANPAGES=off: Build and/or install manual pages
>>> PAM_SMBPASS=on: PAM authentication via passdb backends
>>> PTHREADPOOL=on: Pthread pool
>>> QUOTAS=off: Disk quota support
>>> SYSLOG=on: Syslog support
>>> UTMP=on: UTMP accounting support
>>> ====> Options available for the single DNS: you have to select exactly one of them
>>> NSUPDATE=on: Use internal DNS with NSUPDATE utility
>>> BIND98=off: Use bind98 as a DNS server frontend
>>> BIND99=off: Use bind99 as a DNS server frontend
>>> ====> Options available for the radio ZEROCONF: you can only select none or one of them
>>> AVAHI=off: Zeroconf support via Avahi
>>> MDNSRESPONDER=on: Zeroconf support via mDNSResponder
>>> ===> Use 'make config' to modify these settings
>>> root at P43003:/usr/ports/net/samba41 #
>>>
>>> testparm:
>>>
>>> root at P43003:/usr/ports/net/samba41 # testparm
>>> Load smb config files from /usr/local/etc/smb4.conf
>>> Processing section "[doug]"
>>> Processing section "[public]"
>>> Loaded services file OK.
>>> Server role: ROLE_DOMAIN_MEMBER
>>> Press enter to see a dump of your service definitions
>>>
>>> [global]
>>> workgroup = EXAMPLE
>>> realm = EXAMPLE.COM
>>> server string =
>>> security = ADS
>>> kerberos method = system keytab
>>> log file = /var/log/samba4/log.%m
>>> smb ports = 445
>>> min receivefile size = 16384
>>> disable netbios = Yes
>>> max mux = 32768
>>> name resolve order = lmhosts, hosts, bcast
>>> client ldap sasl wrapping = seal
>>> socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
>>> load printers = No
>>> printcap name = /dev/null
>>> disable spoolss = Yes
>>> local master = No
>>> domain master = No
>>> template shell = /bin/bash
>>> winbind separator = -
>>> winbind cache time = 10
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind nss info = rfc2307
>>> winbind refresh tickets = Yes
>>> winbind offline logon = Yes
>>> idmap config *:range = 70001-80000
>>> idmap config EXAMPLE:backend = ad
>>> idmap config EXAMPLE:schema_mode = rfc2307
>>> idmap config EXAMPLE:range = 50001-60000
>>> idmap config * : backend = tdb
>>> admin users = <<<redacted>>>
>>> inherit permissions = Yes
>>> inherit acls = Yes
>>> hosts allow = 192.168.xxx., 192.168.xxx., 127., 10.8.
>>> aio read size = 16384
>>> aio write size = 16384
>>> aio write behind = true
>>> directory name cache size = 0
>>> use sendfile = Yes
>>> dos filemode = Yes
>>>
>>> [doug]
>>> comment = /usr/home/EXAMPLE/doug
>>> path = /usr/home/EXAMPLE/doug
>>> valid users = <<<redacted>>>
>>> read only = No
>>> create mask = 0774
>>> directory mask = 0774
>>> inherit owner = Yes
>>>
>>> [public]
>>> comment = Public Stuff
>>> path = /usr/home/public
>>> write list = <<<redacted>>>
>>> read only = No
>>> create mask = 0774
>>> directory mask = 0774
>>> force directory mode = 0774
>>> guest ok = Yes
>>>
>>>
>>>
>>> I am trying to join this machine as a member server of the AD.
>>>
>>> root at P43003:/usr/ports/net/samba41 # net ads info
>>> ads_connect: No logon servers
>>> ads_connect: No logon servers
>>> Didn't find the ldap server!
>>> root at P43003:/usr/ports/net/samba41 # net ads join -U admin
>>> Enter admin's password:
>>> ^C <<<<<<<<<<<<<<<<<<------------ this is after waiting ~15 minutes
>>> root at P43003:/usr/ports/net/samba41 # net ads info
>>> LDAP server: 192.168.xxx.x
>>> LDAP server name: <<<redacted>>>.example.com
>>> Realm: EXAMPLE.COM
>>> Bind Path: dc=EXAMPLE,dc=COM
>>> LDAP port: 389
>>> Server time: Fri, 21 Mar 2014 12:59:06 PDT
>>> KDC server: 192.168.xxx.x
>>> Server time offset: 0
>>> root at P43003:/usr/ports/net/samba41 #
>>>
>>> Still cannot enumerate AD users via getent passwd.
>>>
>>> What am I doing wrong?
>>>
>>> ~Doug
>>>
>> Hi, what do you have in krb5.conf & resolv.conf?
>>
> root at P43003:/usr/home # cat /etc/krb5.conf
> [libdefaults]
> default_realm = EXAMPLE.COM
> forwardable = true
> # default_tgs_enctypes = rc4-hmac des-cbc-crc
> # default_tkt_enctypes = rc4-hmac des-cbc-crc
> default_keytab_name = FILE:/etc/krb5.keytab
>
> [appdefaults]
> default_realm = EXAMPLE.COM
> pam = {
> forwardable = true
> krb4_convert = false
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> }
>
> [realms]
> EXAMPLE.COM = {
> kdc = <<<redacted>>>.example.com:88
> kdc = <<<redacted>>>.example.com:88
> kdc = <<<redacted>>>.example.com:88
> admin_server = <<<redacted>>>.example.com:749
> kpasswd_server = <<<redacted>>>.example.com:464
> kpasswd_protocol = SET_CHANGE
> default_domain = example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> .EXAMPLE.COM = EXAMPLE.COM
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> root at P43003:/usr/home # cat /etc/resolv.conf
> search example.com
> domain example.com
> nameserver 192.168.xxx.x
> nameserver 192.168.xxx.x
> nameserver 192.168.xxx.x
>
> root at P43003:/usr/home #
>
OK, this is what I use on a Linux Mint 15 client against a samba 4.1.4
AD server:

krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    forwardable = yes

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

resolv.conf:

nameserver 192.168.0.2
search example.com

The above works for me.
Rowland
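
The two krb5.conf files in this thread differ in how the KDC is named: the first lists kdc hosts under [realms], the second sets dns_lookup_kdc = true and has no [realms] section. The following is an added example, not part of the original message: it parses both styles and reports which one a given file uses, plus the Kerberos SRV names a DNS lookup would query. The dc1/dc2 host names and the function names are made up for illustration.

```python
import re

# Constructed samples modelled on the two krb5.conf styles in this thread; dc1/dc2 are placeholders.
STATIC_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
        kdc = dc2.example.com:88
    }
"""
DNS_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
"""

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: [values] or nested dict}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]  # new top-level section
        elif line == "}" and len(stack) > 1:
            stack.pop()  # close a nested "name = { ... }" block
        elif "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)  # keys may repeat (kdc)
    return conf

def kdc_discovery(text):
    """Report how the default realm's KDC is named in this configuration."""
    conf = parse_krb5(text)
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm", [None])[0]
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    dns = lib.get("dns_lookup_kdc", ["unset"])[0]
    srv = [f"_kerberos._{proto}.{realm}" for proto in ("udp", "tcp")]
    return {"realm": realm, "static_kdcs": kdcs, "dns_lookup_kdc": dns, "srv_names": srv}
```

To check a real file, pass its contents: kdc_discovery(open("/etc/krb5.conf").read()).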