[Samba] Clients unable to get group policy...

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 2 16:26:03 UTC 2015


On 02/07/15 16:55, Ryan Ashley wrote:
> Rowland, here is what I found in the ldb.
>
> # record 68
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> # record 70
> dn: CN=S-1-5-32-549
> cn: S-1-5-32-549
> objectClass: sidMap
> objectSid: S-1-5-32-549
> type: ID_TYPE_BOTH
> xidNumber: 3000001
> distinguishedName: CN=S-1-5-32-549
>
> # record 73
> dn: CN=S-1-5-18
> cn: S-1-5-18
> objectClass: sidMap
> objectSid: S-1-5-18
> type: ID_TYPE_BOTH
> xidNumber: 3000002
> distinguishedName: CN=S-1-5-18
>
> # record 16
> dn: CN=S-1-5-11
> cn: S-1-5-11
> objectClass: sidMap
> objectSid: S-1-5-11
> type: ID_TYPE_BOTH
> xidNumber: 3000003
> distinguishedName: CN=S-1-5-11
>
> It appears as though they're in my database, but clients still cannot
> update group policy. It randomly works once or twice, then goes back to
> not working. Due to this, some workstations can hang for 20 min trying to
> update all of their GPOs upon first boot. I have wbinfo working, but
> 'id' and 'getent' still do not work for domain users and groups. PAM is
> set up and is pasted below to save you from asking for it, should you be
> so inclined.
>
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
>
> passwd:         compat winbind
> group:          compat winbind
> shadow:         compat
>
> hosts:          files dns wins
> networks:       files
>
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
>
> netgroup:       nis
>
> If you have any suggestions, I am all ears. If you say we must upgrade
> to Gentoo, I have to bite the bullet and do it.
>
> One more thing. I discovered that Samba4 cannot be a master browser. Due
> to this, workstations are randomly being elected as the master browser.
> When that system sleeps because the client doesn't turn it off, shares
> become inaccessible. I have a Buffalo NAS that can be a master browser
> (Samba3 on it), but Buffalo apparently locked me out of SSH access!
> Could this be related?
>
> Lead IT/IS Specialist
> Reach Technology FP, Inc
>
> On 06/30/2015 03:50 PM, Rowland Penny wrote:
>> On 30/06/15 17:18, Ryan Ashley wrote:
>>> I hate to revive this, but before I push my client through an upgrade, I
>>> have to be sure my issue is with ACLs not being supported, as suggested.
>>> Squeeze does have ACL support.
>>>
>>> root at dc01:/samba/var/locks# getfacl sysvol
>>> # file: sysvol
>>> # owner: root
>>> # group: 3000000
>>> user::rwx
>>> user:root:rwx
>>> user:3000000:rwx
>>> user:3000001:r-x
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> group::rwx
>>> group:3000000:rwx
>>> group:3000001:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::rwx
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:3000000:rwx
>>> default:user:3000001:r-x
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:group::---
>>> default:group:3000000:rwx
>>> default:group:3000001:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> root at dc01:/samba/var/locks# uname -r
>>> 2.6.32-5-amd64
>>>
>>> With this information, are we absolutely sure that my issue is somehow
>>> related to ACLs in Squeeze? The client is against upgrading unless we
>>> have no other option, but now the problem has spread and is affecting a
>>> large number, but not all, PCs at their location.
>>>
>>> Lead IT/IS Specialist
>>> Reach Technology FP, Inc
>>>
>>> On 06/15/2015 09:59 AM, Ryan Ashley wrote:
>>>> Well, here is my plan of action. I will migrate the VMs on the
>>>> secondary server to the primary one. Then I will zero the RAID10 array,
>>>> install the latest XenServer, and load a Gentoo VM to build the needed
>>>> binary packages. I can then create a new DC, promote it to the primary
>>>> server, move the Windows VMs back to the secondary server, and then wipe
>>>> and reload the primary box. This way I have an evolving OS which
>>>> shouldn't be left behind, no systemd, and my problems with Samba should
>>>> go away. Oh, and I am not blaming Samba for the issues. It has evolved
>>>> and become better. Debian 6 (Squeeze) has NOT, due to being oldstable
>>>> and now obsolete.
>>>>
>>>> Hey, it will be a learning experience for my assistant. Besides, if I
>>>> screw something up I can get great help on this list and worst case
>>>> scenario is I get to build a new domain. Thanks for the help, Rowland
>>>> and Louis.
>>>>
>>>> Lead IT/IS Specialist
>>>> Reach Technology FP, Inc
>>>>
>>>> On 06/12/2015 11:03 AM, Rowland Penny wrote:
>>>>> On 12/06/15 15:54, L.P.H. van Belle wrote:
>>>>>> Ok, so if I understand right,
>>>>>> your sysvol is on a shared folder which is a Debian Squeeze server.
>>>>>> I think your problem is that the needed ACL can't be set on the Squeeze
>>>>>> server.
>>>>> You are probably right Louis.
>>>>>
>>>>>> and why not systemd, since gentoo also does systemd
>>>>>> https://wiki.gentoo.org/wiki/Systemd
>>>>> Ah but Gentoo only does systemd if you want to, systemd is a cure
>>>>> looking for a problem, or to put it another way, it is like using a
>>>>> sledgehammer to crack a nut.
>>>>>
>>>>>> and if you really want, just run your install with
>>>>>>
>>>>>> preseed/late_command="in-target apt-get install -y sysvinit-core"
>>>>>> ( see https://wiki.debian.org/systemd#Installing_without_systemd  )
>>>>> :-D :-D :-D ROFL ROFL
>>>>>
>>>>> Have you tried NOT using systemd on Jessie!
>>>>>
>>>>>> I've a running Debian Jessie as fileserver, proxy server and mail
>>>>>> server and I'm really happy with it. ( yes, with systemd )
>>>>>> much faster boot, well much faster whole OS.. ;-) but that's not
>>>>>> debated here..
>>>>>> choose what you like.
>>>>> 99% of your speed gain has nothing to do with systemd.
>>>>>
>>>>> Rowland
>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Original message-----
>>>>>>> From: ryana at reachtechfp.com
>>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>>>> Sent: Friday 12 June 2015 16:17
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Clients unable to get group policy...
>>>>>>>
>>>>>>> Louis, 4.2.2 (git clone method for 4-2-stable branch) is what I am
>>>>>>> running. I will NOT be using Debian 8 due to systemd. If I have to do
>>>>>>> this, we're going to plan a down-time for the client, zero everything,
>>>>>>> do a fresh XenServer install and install Gentoo 64bit under XS. If that
>>>>>>> is what must be done, so be it. I can do that. I'll simply have one VM
>>>>>>> on each physical server which builds the source packages into binary
>>>>>>> ones for the others to pull. This way Gentoo doesn't bog things down
>>>>>>> during business hours with compiling updates.
>>>>>>>
>>>>>>> Lead IT/IS Specialist
>>>>>>> Reach Technology FP, Inc
>>>>>>>
>>>>>>> On 06/12/2015 09:14 AM, L.P.H. van Belle wrote:
>>>>>>>> Or upgrade your Xen servers, and a tip for a Jessie install on
>>>>>>>> Xen 6.2: choose other linux,
>>>>>>>> or upgrade to Xen 6.5 for Jessie support.
>>>>>>>>
>>>>>>>> Or you can try upgrading to the latest 3.6 version on Squeeze
>>>>>>>> ( 3.6.25 )
>>>>>>>> http://www.enterprisesamba.com/samba-packages/debian-linux/squeeze/
>>>>>>>> or even better move up to 4.2.2. ( I advise a Wheezy install
>>>>>>>> with Sernet Samba )
>>>>>>>> and member servers can be Debian Jessie with 4.1.17. That's
>>>>>>>> what you want.
>>>>>>>> Which Samba are you using on Squeeze, 3.5.x or the
>>>>>>>> backported 3.6.6 ?
>>>>>>>> Greetz,
>>>>>>>>
>>>>>>>> Louis
>>>>>>>>
>>>>>>>>> -----Original message-----
>>>>>>>>> From: ryana at reachtechfp.com
>>>>>>>>> [mailto:samba-bounces at lists.samba.org] On behalf of Ryan Ashley
>>>>>>>>> Sent: Friday 12 June 2015 14:47
>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>> Subject: Re: [Samba] Clients unable to get group policy...
>>>>>>>>>
>>>>>>>>> Anybody? Is my problem that this client is still on Debian 6?
>>>>>>>>>
>>>>>>>>> Lead IT/IS Specialist
>>>>>>>>> Reach Technology FP, Inc
>>>>>>>>>
>>>>>>>>> On 06/08/2015 11:25 AM, Ryan Ashley wrote:
>>>>>>>>>> Rowland, you are correct. I remember now. When we started using
>>>>>>>>>> XenServer, Wheezy would not work under it. This is a Squeeze
>>>>>>>>>> installation, not Wheezy. Will Samba no longer work with Squeeze?
>>>>>>>>>> If so it may be an excuse to upgrade the domain after all these years.
>>>>>>>>>>
>>>>>>>>>> On 06/05/2015 11:23 AM, Rowland Penny wrote:
>>>>>>>>>>> On 05/06/15 16:07, Ryan Ashley wrote:
>>>>>>>>>>>> I noticed something different on the page you linked. It must be
>>>>>>>>>>>> outdated or maybe it is set up for a different version of Debian.
>>>>>>>>>>>> The system runs Debian Wheezy AMD64. The paths referenced do not
>>>>>>>>>>>> exist. I also checked several other Debian systems and NONE have
>>>>>>>>>>>> the "x86_64-linux-gnu" directories.
>>>>>>>>>>>>
>>>>>>>>>>>> root at dc01:~# uname -r
>>>>>>>>>>>> 2.6.32-5-amd64
>>>>>>>>>>>> root at dc01:~# l /lib | grep x86
>>>>>>>>>>>> lrwxrwxrwx  1 root root      12 Dec 27  2012 ld-linux-x86-64.so.2 -> ld-2.11.3.so
>>>>>>>>>>>> root at dc01:~# l /usr/lib | grep x86
>>>>>>>>>>>> root at dc01:~#
>>>>>>>>>>>>
>>>>>>>>>>>> Is this the problem? What version of Debian is the guide for? I
>>>>>>>>>>>> believe Debian 8 was released recently but cannot be sure; since it
>>>>>>>>>>>> is a systemd distro I now use Gentoo. If the guide is for 8, maybe
>>>>>>>>>>>> we need one for 7 since it is supported until the release of 9.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>> Are you sure it is running Wheezy?
>>>>>>>>>>>
>>>>>>>>>>> On my DC:
>>>>>>>>>>>
>>>>>>>>>>> root at dc01:~# cat /etc/os-release
>>>>>>>>>>> PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
>>>>>>>>>>> NAME="Debian GNU/Linux"
>>>>>>>>>>> VERSION_ID="7"
>>>>>>>>>>> VERSION="7 (wheezy)"
>>>>>>>>>>> ID=debian
>>>>>>>>>>> ANSI_COLOR="1;31"
>>>>>>>>>>> HOME_URL="http://www.debian.org/"
>>>>>>>>>>> SUPPORT_URL="http://www.debian.org/support/"
>>>>>>>>>>> BUG_REPORT_URL="http://bugs.debian.org/"
>>>>>>>>>>>
>>>>>>>>>>> root at dc01:~# uname -r
>>>>>>>>>>> 3.2.0-4-amd64
>>>>>>>>>>>
>>>>>>>>>>> root at dc01:~# ls /lib | grep x86
>>>>>>>>>>> x86_64-linux-gnu
>>>>>>>>>>>
>>>>>>>>>>> Rowland
>>>>>>>>>>>
>>>>>>>>> -- 
>>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>> Sorry about this, but I think we are going to have to start again, I
>> cannot remember just exactly what your problem is.
>>
>> This is the result of running 'getfacl /var/lib/samba/sysvol' on my
>> second DC:
>>
>> root at dc03:~# getfacl /var/lib/samba/sysvol/
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>> # owner: root
>> # group: 3000000 --> dn: CN=S-1-5-32-544
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx --> dn: CN=S-1-5-32-544
>> user:3000009:r-x --> dn: CN=S-1-5-11
>> user:3000016:r-x --> dn: CN=S-1-5-32-549
>> user:3000017:rwx --> dn: CN=S-1-5-18
>> group::rwx
>> group:3000000:rwx --> dn: CN=S-1-5-32-544
>> group:3000009:r-x --> dn: CN=S-1-5-11
>> group:3000016:r-x --> dn: CN=S-1-5-32-549
>> group:3000017:rwx --> dn: CN=S-1-5-18
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx --> dn: CN=S-1-5-32-544
>> default:user:3000009:r-x --> dn: CN=S-1-5-11
>> default:user:3000016:r-x --> dn: CN=S-1-5-32-549
>> default:user:3000017:rwx --> dn: CN=S-1-5-18
>> default:group::---
>> default:group:3000000:rwx --> dn: CN=S-1-5-32-544
>> default:group:3000009:r-x --> dn: CN=S-1-5-11
>> default:group:3000016:r-x --> dn: CN=S-1-5-32-549
>> default:group:3000017:rwx --> dn: CN=S-1-5-18
>> default:mask::rwx
>> default:other::---
>>
>> As you can see, I have added some extra info: this is what the
>> xidNumbers are mapped from, so if your xidNumbers map to the same
>> 'well known SIDs', then there doesn't seem to be much wrong.
>>
>> You can check your 'idmap.ldb' file with: ldbedit -e nano -H
>> /var/lib/samba/private/idmap.ldb
>>
>> Rowland
>>

The only difference between your sysvol 'getfacl' output and mine is this:

other::rwx

Mine is:

other::---

But this will probably just be down to yours having Unix permissions 
'777' on /var/lib/samba/sysvol whilst mine is '770'.

If you do not have *any* Unix clients, then when connecting to the DC 
from a Windows client, id & getent don't need to work. wbinfo works 
differently from id & getent, and as it shows your users & groups this 
means it is working ok. Is there anything in the event logs on the clients? 
I 'think' this could just be a lack of communication between the client 
& DC, or the GPOs are in the wrong place, or something stupid like this. 
How do the clients get their DNS info? Is it a time problem?

Rowland
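
As an added example (not code from this thread or from Samba), the script below does mechanically what Rowland did by hand above: it reads the sidMap records from an idmap.ldb dump, annotates every numeric qualifier in getfacl output with the SID it maps to, and flags any xidNumber that has no mapping at all. The idmap records and getfacl lines are constructed samples, and the names given for the well-known SIDs are my own lookup table, not something the page states.

```python
import re

# Constructed lookup for the well-known SIDs Samba places on sysvol.
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-32-549": "BUILTIN\\Server Operators",
              "S-1-5-18": "NT AUTHORITY\\SYSTEM", "S-1-5-11": "NT AUTHORITY\\Authenticated Users"}

# Constructed sample of idmap.ldb sidMap records, in the LDIF form ldbedit/ldbsearch print.
IDMAP_DUMP = """dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
xidNumber: 3000002
"""

# Constructed getfacl output; xid 3000005 deliberately has no idmap record.
GETFACL_OUT = """# file: sysvol
user::rwx
user:3000000:rwx
group:3000002:rwx
default:user:3000005:r-x
other::rwx
"""

def parse_idmap(ldif):
    """Return {xidNumber: objectSid} for every sidMap record in an LDIF dump."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif):
        attrs = dict(re.findall(r"^(\w+): (.*)$", record, re.M))
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping

def annotate_acl(facl, mapping):
    """Append the SID behind each numeric ACL qualifier; return (lines, unmapped xids)."""
    out, unmapped = [], []
    for line in facl.splitlines():
        # Only named user/group entries (and their default: variants) carry a numeric xid.
        if m := re.match(r"^(?:default:)?(?:user|group):(\d+):", line):
            xid = int(m.group(1))
            sid = mapping.get(xid)
            if sid is None:
                unmapped.append(xid)
                line += " --> not in idmap.ldb"
            else:
                line += f" --> dn: CN={sid} ({WELL_KNOWN.get(sid, 'not well-known')})"
        out.append(line)
    return out, unmapped
```

Run it against real data by replacing the two constructed strings with the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb objectClass=sidMap` and `getfacl /var/lib/samba/sysvol`; an entry reported as "not in idmap.ldb" is an ACL referencing an id the DC can no longer resolve.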

