[Samba] Successes and failures with Samba 4.3.9 and FreeBSD-10.3

David STIEVENARD stievenard.david at gmail.com
Tue Jul 12 01:00:28 UTC 2016


Hi

On 07/11/2016 04:10 PM, Rowland penny wrote:
>
> See inline comments
>
> On 11/07/16 06:32, Zaphod Beeblebrox wrote:
>> So... I've been running Samba 3.6 for too long and I upgraded.  I did save
>> my packages for 3.6, but I don't _think_ I'm going back.
>>
>> Points for the group:
>>
>>     - Samba 4.4.x is broken on FreeBSD.  I forget exactly, but it seems to
>>     be a known problem (tm), so I'll move on.
>
> What is wrong with Samba 4.4.x on FreeBSD ?

Here's the info I collected

I added this bug: with the package version of 4.4.3_1 on FreeBSD 10.3,
the domain provisioning fails
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209787

There is also this bug
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209707

There are in total 38 bugs in the list, and it seems that the port 
maintainer is quite busy with all of this.
>
>>     - Whether I use BIND9_DLZ or I use SAMBA_INTERNAL, samba_dnsupdate
>>     complains.  Strange thing, tho: all the domains seem to lookup fine.  I
>>     can't exactly find the problem here.
>
>
> I understand this is a known problem and can possibly be 'fixed' by 
> adding 'allow dns updates = nonsecure and secure' to smb.conf on the DC.

I confirm, this information made my test work.

>
>>     - BIG ONE: wbinfo isn't working and (related, for me) idmap isn't either.
>>
>> ... so on that last one, wbinfo -u or -g print nothing (not even errors).
>> wbinfo -D HOME or -t are fine.  wbinfo -i administrator prints out the
>> unhelpful
>
> This is a regression from the 'badlock' patches and should have been
> fixed in 4.4.3, see release notes here:
>
> https://www.samba.org/samba/history/samba-4.4.3.html
>
>>
>> [2:282:582]root at vr:/var/log/samba4> wbinfo -i administrator
>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>> Could not get info for user administrator
>>
>> ... which apparently WBC_ERR_DOMAIN_NOT_FOUND is just the default error (or
>> that's what I read in one place).
>>
>> Now... this is pretty bupkis, because ldbsearch finds the SID for
>> administrator _and_ for my login just fine.  In addition, ldbedit lets me
>> change my xidNumber.  I did so.  when I re-ldbedit... it's changed.
>
> And this is where lots of people make the same mistake: don't change the
> 'xidNumber' attribute in idmap.ldb, add a 'uidNumber' attribute to the
> user's object in sam.ldb.
>
> Rowland
>
>>
>> ... but this doesn't change the uid that files are created with.  Sigh.
>> More reading said that there's another SID ... the SID for the "group of
>> me" ... and I have instructions for wbinfo to find that SID so I can
>> ldbedit it.  But you see my problem: wbinfo for finding SIDs is broke.
>>
>> Now... I've put my time into this.  I've broken out ktrace and log level =
>> 10.  I've put a whole afternoon into this.  Log stuff is a _bit_
>> interesting.  When I wbinfo -i zbeeble, I get:
>>
>> [2016/07/11 01:10:37.408526,  1, pid=24476, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>>         wbint_LookupName: struct wbint_LookupName
>>            in: struct wbint_LookupName
>>                domain                   : *
>>                    domain                   : 'HOME'
>>                name                     : *
>>                    name                     : 'ZBEEBLE'
>>                flags                    : 0x00000008 (8)
>> [2016/07/11 01:10:37.414175,  1, pid=24476, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>>         wbint_LookupName: struct wbint_LookupName
>>            out: struct wbint_LookupName
>>                type                     : *
>>                    type                     : SID_NAME_USE_NONE (0)
>>                sid                      : *
>>                    sid                      : S-0-0
>>                result                   : NT_STATUS_UNSUCCESSFUL
>>
>> but further on in the file (probably coming from a random SMB file access)
>> I see:
>>
>>    Parsing value for key [IDMAP/SID2XID/S-1-5-21-3505373935-2275348003-3197909400-1104]: value=[3000016:B]
>> [2016/07/11 01:10:56.209343, 10, pid=24476, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
>>    Parsing value for key [IDMAP/SID2XID/S-1-5-21-3505373935-2275348003-3197909400-1104]: id=[3000016], endptr=[:B]
>> [2016/07/11 01:10:56.209352, 10, pid=24476, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/wb_sids2xids.c:106(wb_sids2xids_send)
>>    SID 1: S-1-5-21-3505373935-2275348003-3197909400-513
>>
>> ... which is curious because 3000016 is the wrong, old or automatically
>> assigned UID and the SID there is my SID.
>>
>>
>> ... all very frustrating.
>>
>>
>> At least my Shield TV talks to the box.  Sigh.
>
>

Unfortunately I'm facing another problem: FreeNAS 9.10 has a problem
joining a Samba 4.3.9 domain on FreeBSD 10.3
https://forums.freenas.org/index.php?threads/ad-auth-fails-after-upgrade.42836/#post-279550
https://bugs.freenas.org/issues/15823

This post seems to have the solution:
https://forums.freenas.org/index.php?threads/ad-auth-fails-after-upgrade.42836/#post-279550
but I didn't get it yet.
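
Added example, not part of the original thread and not Samba's own code: a small parser for the level-10 winbind log lines quoted above. It pulls SID-to-ID mappings out of the idmap cache entries, flags IDs that fall in the automatically allocated range, and lists `wbint_LookupName` calls that did not succeed. The range bounds and the meaning of the suffix letter are assumptions, marked as such in the code.

```python
import re

# Assumption: 3000000-4000000 is the default idmap.ldb allocation range on a Samba AD DC.
AUTO_RANGE = range(3000000, 4000001)
# Assumption: the cache suffix letter is the ID type (U=uid, G=gid, B=both).
ID_TYPES = {"U": "uid", "G": "gid", "B": "both"}
CACHE_RE = re.compile(r"\[IDMAP/SID2XID/(S-[\d-]+)\]:\s*value=\[(\d+):([A-Z])\]")
FIELD_RE = re.compile(r"^\s*(domain|name|result)\s*:\s*'?([^'*\s]+)'?\s*$")

# Constructed sample: records from the excerpt quoted in this thread, re-joined and trimmed.
SAMPLE_LOG = """\
[2016/07/11 01:10:37.408526,  1, pid=24476, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
     wbint_LookupName: struct wbint_LookupName
        in: struct wbint_LookupName
            domain                   : *
                domain                   : 'HOME'
            name                     : *
                name                     : 'ZBEEBLE'
        out: struct wbint_LookupName
            sid                      : *
                sid                      : S-0-0
            result                   : NT_STATUS_UNSUCCESSFUL
[2016/07/11 01:10:56.209343, 10, pid=24476, effective(0, 0), real(0, 0)] ../source3/lib/idmap_cache.c:75(idmap_cache_find_sid2unixid)
   Parsing value for key [IDMAP/SID2XID/S-1-5-21-3505373935-2275348003-3197909400-1104]: value=[3000016:B]
"""

def cached_mappings(log):
    """Return {sid: (xid, id_type, auto_allocated)} from idmap cache debug lines."""
    found = {}
    for sid, xid, kind in CACHE_RE.findall(log):
        found[sid] = (int(xid), ID_TYPES.get(kind, kind), int(xid) in AUTO_RANGE)
    return found

def failed_lookups(log):
    """Return [(domain, name)] for wbint_LookupName calls whose result is not NT_STATUS_OK."""
    failures, call = [], {}
    for line in log.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key != "result":
            call[key] = value          # remember the request fields
        else:
            if value != "NT_STATUS_OK" and "name" in call:
                failures.append((call.get("domain"), call["name"]))
            call = {}                  # the result line closes the call
    return failures
```

On the sample, the user SID maps to 3000016 and is flagged as auto-allocated, which matches the thread's observation that files are created with the automatically assigned UID.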





