[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Rowland Penny
rowlandpenny at googlemail.com
Wed Jan 21 02:53:17 MST 2015
On 21/01/15 06:00, Kelvin Yip wrote:
> Hi all,
>
>
>
> I have tried to migrate a domain from Samba3 to a Samba4 AD domain and am now
> running Samba 4.2rc4. According to the release notes I should list winbindd
> instead of winbind in 'server services'. However, the samba daemon will not
> start when I use winbindd, but it starts fine when I use winbind.
>
>
>
> Would you please help. Thanks. Below is the current config file:
>
> # smb.conf [global] section as posted (Samba 4.2rc4, AD DC role).
> # Review notes are marked NOTE(review); they describe what the visible
> # settings do and what to verify, not changes that have been made.
> [global]
>
> # workgroup = NT-Domain-Name or Workgroup-Name
>
> workgroup = ICS
>
> realm = icshk.local
>
> netbios name = LINUX01
>
> server role = active directory domain controller
>
> # NOTE(review): this lists the built-in 'winbind' service. The poster's
> # release notes call for 'winbindd' (the separate daemon) on 4.2; the
> # reported startup failure when 'winbindd' is substituted is not diagnosed
> # on this page, so check the samba log at the failing start.
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
>
> # Use uidNumber/gidNumber (RFC2307 attributes) from AD when they are set.
> idmap_ldb:use rfc2307 = yes
>
>
>
>
>
> # server string is the equivalent of the NT Description field
>
> server string = %h
>
>
>
> #domain admin group = root
>
> # 'hosts allow' is commented out, so Samba applies no client address
> # filter of its own; exposure is bounded only by the 'interfaces' /
> # 'bind interfaces only' pair below (and any host firewall).
> #hosts allow = 192.168.188. 127.
>
> #socket address = 192.168.188.1
>
> #interfaces = eth0 192.168.188.1
>
> #interfaces = eth0 192.168.188.0/24
>
> # Listen on loopback and the bonded interface only.
> interfaces = lo bond0
>
> #interfaces = lo bond0 em1 em2 em3 em4
>
> #interfaces = 192.168.188.0/24
>
> bind interfaces only = yes
>
>
>
> # Print services on a domain controller; not security-relevant by itself,
> # but more surface than a DC usually needs.
> load printers = yes
>
> #printing = lprng
>
> #printcap name = /etc/printcap
>
> printcap name = cups
>
> printing = cups
>
> cups options = raw
>
> use client driver = Yes
>
>
>
> log file = /var/log/samba/samba.log
>
> max log size = 3000
>
> # NOTE(review): 'debug level' is a synonym for 'log level' and the later
> # assignment wins, so the effective level here is 0, not 3. Keep only one
> # of the two lines so the intended verbosity is what actually gets logged.
> log level = 3
>
> debug level = 0
>
> # log level = 10
>
> # debug level = 10
>
> pid directory = /var/run/samba
>
> eventlog list = Application Security System
>
>
>
> use sendfile=yes
>
> #write cache size = 262144
>
> #large readwrite = yes
>
> #read raw = yes
>
> #write raw = yes
>
> # In order to store outlook pst in share drive, seems kernel oplocks
> # cannot be turned on
>
> #kernel oplocks = yes
>
> #max xmit = 65535
>
> #dead time = 15
>
> #getwd cache = yes
>
>
>
> # Unix account used for guest-mapped sessions; only takes effect where
> # guest access is actually enabled (map to guest / guest ok), which this
> # [global] section does not do.
> guest account = winguest
>
> #security = user
>
> encrypt passwords = yes
>
> #smb passwd file = /etc/samba/smbpasswd
>
> #username map = /etc/samba/smbusers
>
> # NOTE(review): 'unix password sync', 'passwd program' and 'passwd chat'
> # are the classic password-change hooks: Samba runs 'passwd program' as
> # root and feeds it the user's new cleartext password through the chat
> # script. /usr/local/sbin/change_passwd.sh therefore deserves an audit
> # (input handling, where it writes, what it logs). Whether an AD DC honours
> # these hooks at all is not established here -- confirm before relying on
> # them.
> unix password sync = Yes
>
> #pam password change = No
>
> #obey pam restrictions = Yes
>
> #passwd program = /usr/bin/passwd %u
>
> passwd program = /usr/local/sbin/change_passwd.sh %u
>
> passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> ; passwd chat = *New*password* %n\n *ReType*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> # Modified for LDAP
>
> #passdb backend = tdbsam, smbpasswd
>
> #passdb backend = ldapsam:ldap://127.0.0.1/
>
> #ldap passwd sync = No
>
> #ldap suffix = dc=ics,dc=hk
>
> #ldap admin dn = cn=ldapadmin,dc=ics,dc=hk
>
> #ldap ssl =start tls
>
> #ldap ssl = off
>
> #ldap group suffix = ou=Groups
>
> #ldap user suffix = ou=Users
>
> #ldap machine suffix = ou=Computers
>
> #ldap idmap suffix = ou=Users
>
>
>
> #idmap config * : backend = tdb
>
> #idmap config * : range = 1000000-1999999
>
>
>
> # Note that password level 20 means compare passwords, CASE INSENSITIVE, for
> # the first 20 characters. This eliminates problems with Windows converting
> # everything to caps.
>
> #password level = 20
>
> # 'check password script' receives the proposed new password in cleartext
> # on stdin and a non-zero exit rejects the change; the same audit note as
> # for 'passwd program' applies to /usr/local/sbin/crackcheck.
> check password script=/usr/local/sbin/crackcheck -l 2
>
>
>
> # Most people will find that this option gives better performance.
>
> # See speed.txt and the manual pages for details
>
> #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> IPTOS_LOWDELAY
>
> #socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
> IPTOS_LOWDELAY
>
> #socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384
> SO_SNDBUF=16384 IPTOS_LOWDELAY
>
>
>
> # NOTE(review): 'local master', 'os level', 'domain master',
> # 'preferred master' and 'domain logons' are NT4-style browsing/PDC
> # settings carried over from the Samba3 config; they are presumably
> # irrelevant to an AD DC and are candidates for removal.
> local master = yes
>
>
>
> # OS Level determines the precedence of this server in master browser
>
> # elections. The default value should be reasonable
>
> os level = 64
>
>
>
> domain master = yes
>
> preferred master = yes
>
> domain logons = yes
>
>
>
> logon script = %G.bat
>
> # NOTE(review): the add/delete user, group and machine scripts below are
> # executed by Samba as root and create or delete *local Unix* accounts.
> # On an AD DC the accounts live in the AD database, so these hooks are
> # likely unused here; if they are kept, the delete hooks are destructive
> # and the custom /usr/local/sbin/delUserfromGroup should be reviewed.
> add user script = /usr/sbin/useradd -g users -s /bin/false %u
>
> add group script = /usr/sbin/groupadd %g
>
> add user to group script = /usr/sbin/usermod -G %g %u
>
> add machine script = /usr/sbin/useradd -n -g machines -c Machines -d
> /dev/null -s /bin/false %u
>
> delete user script = /usr/sbin/userdel %u
>
> delete user from group script = /usr/local/sbin/delUserfromGroup %u %g
>
> delete group script = /usr/sbin/groupdel %g
>
> set primary group script = /usr/sbin/usermod -g %g %u
>
>
>
> # Modified for LDAP
>
> #add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes
>
> #add group script = /usr/sbin/smbldap-groupadd -p "%g"
>
> #add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>
> #delete user script = /usr/sbin/smbldap-userdel "%u"
>
> #add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> #delete group script = /usr/sbin/smbldap-groupdel "%g"
>
> #delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>
> #set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
>
>
> # Where to store roving profiles (only for Win95 and WinNT)
>
> # %L substitutes for this servers netbios name, %U is username
>
> # You must uncomment the [Profiles] share below
>
> ; logon path = \\%L\Profiles\%U
>
>
>
> #name resolve order = wins lmhosts bcast
>
> # NOTE(review): 'host' (DNS) is ranked after lmhosts and wins here. AD
> # name resolution is DNS-based, so for a DC 'host' is normally expected
> # near the front of this list; verify this order is intentional.
> name resolve order = lmhosts wins host bcast
>
>
>
> # wins support = yes
>
> wins proxy = no
>
> dns proxy = no
>
>
>
> msdfs root = yes
>
> host msdfs = yes
>
> # Case Preservation can be handy - system default is _no_
>
> # NOTE: These can be set on a per share basis
>
> ; preserve case = no
>
> ; short preserve case = no
>
> # Default case is normally upper case for all DOS files
>
> default case = lower
>
> # Be very careful with case sensitivity - it can break things!
>
> ; case sensitive = no
>
>
>
> # hide files = /desktop.ini/ntuser.ini/NTUSER.*/
>
> # hide dot files = No
>
> # veto files = /lost+found/
>
> # hide unreadable = Yes
>
> # Traditional Chinese code page
>
> # client code page = 950
>
> dos charset = BIG5
>
>
>
> # LANMAN and plaintext client authentication stay at their (off) defaults
> # because these lines are commented out; keep them off.
> #client lanman auth = Yes
>
> #client plaintext auth = Yes
>
> #lanman auth = Yes
>
>
>
> utmp = Yes
>
> #deadtime = 0
>
> # SMB keepalives disabled and 'deadtime' left at default, so idle
> # sessions are not reaped by Samba on a timer.
> keepalive = 0
>
>
>
> logon drive = x:
>
> logon home = \\%L\%U
>
> template homedir = /home/%U
>
>
>
> #root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m
>
> #root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m
>
>
>
> #max protocol = SMB2
>
> #nt acl support = Yes
>
> #acl group control = Yes
>
> #client NTLMv2 auth=Yes
>
> time server=Yes
>
> #enable privileges = yes
>
> ea support = yes
>
> # NOTE(review): level 2 denies anonymous IPC$ connections outright, which
> # is the strictest setting and can interfere with clients that rely on an
> # anonymous IPC$ session. Confirm domain joins and browsing still work
> # with it on a DC before keeping it.
> restrict anonymous = 2
>
> #restrict anonymous = 1
>
> # NOTE(review): 'server signing' is left at its role default here.
> # 'client signing = auto' only offers signing, and 'client schannel' /
> # 'server schannel = Auto' offer the NETLOGON secure channel without
> # enforcing it, so a peer that does not negotiate schannel is still
> # accepted. 'yes' for both schannel settings (and 'mandatory' for server
> # signing) is the hardened choice if all clients support it.
> #server signing = mandatory
>
> #server signing = auto
>
> client signing = auto
>
> client schannel = Auto
>
> server schannel = Auto
>
> client use spnego = yes
>
>
>
> # NOTE(review): key and certificate paths are relative to 'private dir'.
> # The key file must be readable by root only. 'tls cafile' is empty, so no
> # CA chain is presented to LDAPS/StartTLS clients; with a private-CA or
> # self-signed certificate the clients must trust it by other means, and
> # no peer/issuer verification is configured in this section.
> tls enabled = Yes
>
> tls keyfile = tls/samba_linux01.icshk.local.key
>
> tls certfile = tls/samba_linux01.icshk.local.pem
>
> tls cafile =
>
>
>
> #============================ VFS full_audit logging ==============================
>
>
>
> # NOTE(review): setting 'vfs objects' REPLACES the default module list
> # rather than appending to it, so this line drops the modules an AD DC
> # loads by default (dfs_samba4 and acl_xattr). If full_audit is wanted it
> # has to be listed after them, e.g.
> #   vfs objects = dfs_samba4 acl_xattr full_audit
> vfs objects = full_audit
>
> # Audit record prefix: user | client IP | client NetBIOS name | share.
> full_audit:prefix = %u|%I|%m|%S
>
> #full_audit:failure = connect
>
> #full_audit:success = connect disconnect opendir mkdir rmdir closedir open
> close read pread write pwrite sendfile rename unlink chmod
>
> #full_audit:success = rename unlink rmdir
>
> # Only successful rename/unlink/rmdir operations are recorded.
> full_audit:success = rename unlink rmdir
>
> # NOTE(review): 'failure = none' discards every failed operation. Denied
> # opens, unlinks and renames are usually the most useful detection signal
> # (probing, privilege misuse), so consider logging failures for at least
> # the same operation list as 'success', or 'all'.
> full_audit:failure = none
>
> # Audit records go to syslog at facility local6, priority notice.
> full_audit:facility = local6
>
> full_audit:priority = notice
>
I have never migrated a Samba3 domain to a Samba4 AD domain myself, so I am
not certain that the classic upgrade writes a new smb.conf for you, but I
would be very surprised if it did not.
Go back to the smb.conf that the upgrade provided: you do not need, and
should not add, about 90% of what you added. The major mistake is this line:
'vfs objects = full_audit'. Setting 'vfs objects' replaces the default module
list instead of adding to it, so you have turned off the VFS modules an AD DC
loads by default.
Rowland