[Samba] Samba4.2rc4 with winbindd in config cannot start samba process

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 21 02:53:17 MST 2015


On 21/01/15 06:00, Kelvin Yip wrote:
> Hi all,
>
>   
>
> I have tried to migrate a domain from Samba3 to Samba4 AD and am now using
> Samba RC4. Referring to the release notes, I should use winbindd instead
> of winbind. However, I cannot start the samba4 daemon when using the winbindd
> parameter, but it does start when using the winbind parameter.
>
>   
>
> Would you please help? Thanks. Below is the current config file:
>
> [global]
>
>     # workgroup = NT-Domain-Name or Workgroup-Name
>
>     workgroup = ICS
>
>     realm = icshk.local
>
>     netbios name = LINUX01
>
>     server role = active directory domain controller
>
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
>
>     idmap_ldb:use rfc2307 = yes
>
>   
>
>   
>
> # server string is the equivalent of the NT Description field
>
>     server string = %h
>
>   
>
>     #domain admin group = root
>
>     #hosts allow = 192.168.188. 127.
>
>     #socket address = 192.168.188.1
>
>     #interfaces = eth0 192.168.188.1
>
>     #interfaces = eth0 192.168.188.0/24
>
>     interfaces = lo bond0
>
>     #interfaces = lo bond0 em1 em2 em3 em4
>
>     #interfaces = 192.168.188.0/24
>
>     bind interfaces only = yes
>
>   
>
>     load printers = yes
>
>     #printing = lprng
>
>     #printcap name = /etc/printcap
>
>     printcap name = cups
>
>     printing = cups
>
>     cups options = raw
>
>     use client driver = Yes
>
>   
>
>     log file = /var/log/samba/samba.log
>
>     max log size = 3000
>
>     log level = 3
>
>     debug level = 0
>
> #   log level = 10
>
> #   debug level = 10
>
>     pid directory = /var/run/samba
>
>     eventlog list = Application Security System
>
>   
>
>     use sendfile=yes
>
>     #write cache size = 262144
>
>     #large readwrite = yes
>
>     #read raw = yes
>
>     #write raw = yes
>
>     # In order to store Outlook pst files on a share drive, it seems kernel oplocks
> cannot be turned on
>
>     #kernel oplocks = yes
>
>     #max xmit = 65535
>
>     #dead time = 15
>
>     #getwd cache = yes
>
>   
>
>     guest account = winguest
>
>     #security = user
>
>     encrypt passwords = yes
>
>     #smb passwd file = /etc/samba/smbpasswd
>
>     #username map = /etc/samba/smbusers
>
>     unix password sync = Yes
>
>     #pam password change = No
>
>     #obey pam restrictions = Yes
>
>     #passwd program = /usr/bin/passwd %u
>
>     passwd program = /usr/local/sbin/change_passwd.sh %u
>
>     passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> ;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
> ;  passwd chat = *New*password* %n\n *ReType*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>
>     # Modified for LDAP
>
>     #passdb backend = tdbsam, smbpasswd
>
>     #passdb backend = ldapsam:ldap://127.0.0.1/
>
>     #ldap passwd sync = No
>
>     #ldap suffix = dc=ics,dc=hk
>
>     #ldap admin dn = cn=ldapadmin,dc=ics,dc=hk
>
>     #ldap ssl =start tls
>
>     #ldap ssl = off
>
>     #ldap group suffix = ou=Groups
>
>     #ldap user suffix = ou=Users
>
>     #ldap machine suffix = ou=Computers
>
>     #ldap idmap suffix = ou=Users
>
>   
>
>     #idmap config * : backend = tdb
>
>     #idmap config * : range = 1000000-1999999
>
>   
>
> #Note that password level 20 means compare passwords, CASE INSENSITIVE, for
> the first 20 characters. This eliminates problems with Windows converting
> everything to caps.
>
>     #password level = 20
>
>     check password script=/usr/local/sbin/crackcheck -l 2
>
>   
>
> # Most people will find that this option gives better performance.
>
> # See speed.txt and the manual pages for details
>
>     #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
>     #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> IPTOS_LOWDELAY
>
>     #socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535
> IPTOS_LOWDELAY
>
>     #socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384
> SO_SNDBUF=16384 IPTOS_LOWDELAY
>
>   
>
>     local master = yes
>
>   
>
> # OS Level determines the precedence of this server in master browser
>
> # elections. The default value should be reasonable
>
>     os level = 64
>
>   
>
>     domain master = yes
>
>     preferred master = yes
>
>     domain logons = yes
>
>   
>
>     logon script = %G.bat
>
>     add user script = /usr/sbin/useradd -g users -s /bin/false %u
>
>     add group script = /usr/sbin/groupadd %g
>
>     add user to group script = /usr/sbin/usermod -G %g %u
>
>     add machine script = /usr/sbin/useradd -n -g machines -c Machines -d
> /dev/null -s /bin/false %u
>
>     delete user script = /usr/sbin/userdel %u
>
>     delete user from group script = /usr/local/sbin/delUserfromGroup %u %g
>
>     delete group script = /usr/sbin/groupdel %g
>
>     set primary group script = /usr/sbin/usermod -g %g %u
>
>   
>
>     # Modified for LDAP
>
>     #add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes
>
>     #add group script = /usr/sbin/smbldap-groupadd -p "%g"
>
>     #add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>
>     #delete user script = /usr/sbin/smbldap-userdel "%u"
>
>     #add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
>     #delete group script = /usr/sbin/smbldap-groupdel "%g"
>
>     #delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>
>     #set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
>   
>
> # Where to store roving profiles (only for Win95 and WinNT)
>
> #        %L substitutes for this servers netbios name, %U is username
>
> #        You must uncomment the [Profiles] share below
>
> ;   logon path = \\%L\Profiles\%U
>
>   
>
>     #name resolve order = wins lmhosts bcast
>
>     name resolve order = lmhosts wins host bcast
>
>   
>
> #   wins support = yes
>
>     wins proxy = no
>
>     dns proxy = no
>
>   
>
>     msdfs root = yes
>
>     host msdfs = yes
>
> # Case Preservation can be handy - system default is _no_
>
> # NOTE: These can be set on a per share basis
>
> ;  preserve case = no
>
> ;  short preserve case = no
>
> # Default case is normally upper case for all DOS files
>
>    default case = lower
>
> # Be very careful with case sensitivity - it can break things!
>
> ;  case sensitive = no
>
>   
>
> #   hide files = /desktop.ini/ntuser.ini/NTUSER.*/
>
> #   hide dot files = No
>
> #   veto files = /lost+found/
>
> #   hide unreadable = Yes
>
> #  Traditional Chinese code page
>
> #   client code page = 950
>
>     dos charset = BIG5
>
>   
>
>     #client lanman auth = Yes
>
>     #client plaintext auth = Yes
>
>     #lanman auth = Yes
>
>   
>
>     utmp = Yes
>
>     #deadtime = 0
>
>     keepalive = 0
>
>   
>
>     logon drive = x:
>
>     logon home = \\%L\%U
>
>     template homedir = /home/%U
>
>   
>
>     #root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m
>
>     #root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m
>
>   
>
>     #max protocol = SMB2
>
>     #nt acl support = Yes
>
>     #acl group control = Yes
>
>     #client NTLMv2 auth=Yes
>
>     time server=Yes
>
>     #enable privileges = yes
>
>     ea support = yes
>
>     restrict anonymous = 2
>
>     #restrict anonymous = 1
>
>     #server signing = mandatory
>
>     #server signing = auto
>
>     client signing = auto
>
>     client schannel = Auto
>
>     server schannel = Auto
>
>     client use spnego = yes
>
>   
>
>     tls enabled = Yes
>
>     tls keyfile = tls/samba_linux01.icshk.local.key
>
>     tls certfile = tls/samba_linux01.icshk.local.pem
>
>     tls cafile =
>
>   
>
> #============================ UFS Logging ==============================
>
>   
>
> vfs objects = full_audit
>
> full_audit:prefix = %u|%I|%m|%S
>
> #full_audit:failure = connect
>
> #full_audit:success = connect disconnect opendir mkdir rmdir closedir open
> close read pread write pwrite sendfile rename unlink chmod
>
> #full_audit:success = rename unlink rmdir pwrite
>
> full_audit:success = rename unlink rmdir
>
> full_audit:failure = none
>
> full_audit:facility = local6
>
> full_audit:priority = notice
>

Never having migrated an S3 domain to an S4 AD domain, I am not sure 
that you get a new smb.conf created for you, but I would be very 
surprised if you don't.

Go back to the smb.conf that the upgrade provided; you do not need, and 
shouldn't add, about 90% of what you added. The major mistake you made 
was this: 'vfs objects = full_audit' — setting 'vfs objects' replaces the 
DC's default module list rather than adding to it, so YOU HAVE TURNED OFF THE DEFAULTS!!!!

Rowland

