[Samba] samba4 AD - winbind Could not write result

mathias dufresne infractory at gmail.com
Mon May 23 15:58:05 UTC 2016


As a lot of things will quickly come to rely on AD, AD mustn't fail. To avoid
failure, we set up AD with several DCs, in such a way that we have more DCs than
needed, to be able to lose some of them without lowering the service quality. At
least that's how I see it.

Given that, why not prepare another DC on a VM (a VM because it is easy to
add, destroy, etc.) with a newer Samba version? You keep your 2 [almost]
working DCs, you just get another one that clients can connect to, so you can
check whether the issue also exists with that new version.
If the issue does not exist on the new version, you have 3 DCs when 2 seem to be
enough, so you can gently upgrade one of them, and then you'll be able to
upgrade the last one.

Once finished, you can remove the third DC or leave it, as you wish.

That way (more servers than needed, use some of them to play with when
needed, have a plan to reinstall the DC you were playing with in case you
destroy it for some reason) seems to me a nice way to manage Samba as AD.
We have been following that way to upgrade our DCs for months, and we tried
almost all of the latest versions during the last year, without service interruption.

To be sure your playground DC is not used while you play with it, you can use
AD sites: at least one site with DCs to answer clients' auth requests (this
site must be linked to CIDR network address(es)), and another one with no
CIDR network address linked to it. You put your playground DC into that
second site without a CIDR associated, and no client should try to use it (as
long as you have working DCs on the other site and the associated CIDR
addresses cover all client addresses).

My 2 cents :)

2016-05-23 17:36 GMT+02:00 Sam <sr42354 at gmail.com>:

> On 23/05/2016 at 14:46, Rowland penny wrote:
>
>> On 23/05/16 12:56, Sam wrote:
>>
>>>
>>>
>> It looks like your problems have nothing to do with dhcp, one problem
>> appears to be related to dnssec:
>>
>> May 23 10:52:27 S4 named[2162]: validating @0x7eff24296b50:
>> choices.truste.com A: no valid signature found
>>
>> If you have 'dnssec-validation yes;' in 'named.conf.options', change it
>> to 'dnssec-validation auto;'
>>
>> Your main problem has been reported before, not sure if a fix was found,
>> can I suggest you upgrade to the latest Sernet 4.2 package (4.2.12), this
>> may contain a fix. If it doesn't, can you post the smb.conf from the DCs,
>> also both resolv.conf files, raise the log level to 10 and see if anything
>> else pops out.
>>
>> Rowland
>>
>>
> Hello Rowland,
> In named.conf.options, dnssec-validation is already set to auto.
> OK, I put syslog = 10 in smb.conf and will tell you if I get more details.
>
> I prefer not to try to upgrade; the servers are in production.
>
> Here are the files:
>
> S4bis smb.conf file:
> # Global parameters
> [global]
>         workgroup = ARIANE
>         realm = ariane.intra
>         netbios name = S4BIS
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>
>         ## KEEP THIS OFF !! Only used for modifying the AD Schema
>         ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>         dsdb:schema update allowed = no
>
>         ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>         idmap_ldb:use rfc2307 = yes
>
>         idmap config * :backend = tdb
>         idmap config * :range = 2000-9999
>         idmap config ARIANE : backend = ad
>         idmap config ARIANE : range = 10000-3999999
>
>         # when using idmap backend RID enable these
>         #template shell = /bin/sh
>         template homedir = /home/users/%ACCOUNTNAME%
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind max clients = 800
>
>         interfaces = 127.0.0.1 172.20.2.3
>         bind interfaces only = yes
>         time server = yes
>         wins support = yes
>
>         # Disable printing completely
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         kerberos method = system keytab
>         client ldap sasl wrapping = sign
>         allow dns updates = secure
>         nsupdate command = /usr/bin/nsupdate -g
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> S4bis resolv.conf file:
> search ariane.intra
> nameserver 172.20.2.2
> nameserver 172.20.2.3
>
> S4 smb.conf file:
> # Global parameters
> [global]
>         workgroup = ARIANE
>         realm = ariane.intra
>         netbios name = S4
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate
>
>         ## KEEP THIS OFF !! Only used for modifying the AD Schema
>         ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
>         dsdb:schema update allowed = no
>
>         ## Don't forget to set the idmap_ldb on ALL DCs if you use it
>         idmap_ldb:use rfc2307 = yes
>
>         idmap config * :backend = tdb
>         idmap config * :range = 2000-9999
>         idmap config ARIANE : backend = ad
>         idmap config ARIANE : range = 10000-3999999
>
>         # when using idmap backend RID enable these
>         #template shell = /bin/sh
>         template homedir = /home/users/%ACCOUNTNAME%
>
>         winbind nss info = rfc2307
>         winbind trusted domains only = no
>         winbind use default domain = yes
>         winbind max clients = 800
>
>         interfaces = 127.0.0.1 172.20.2.2
>         bind interfaces only = yes
>         time server = yes
>         wins support = yes
>
>         # Disable printing completely
>         load printers = no
>         printing = bsd
>         printcap name = /dev/null
>         disable spoolss = yes
>
>         kerberos method = system keytab
>         client ldap sasl wrapping = sign
>         allow dns updates = secure
>         nsupdate command = /usr/bin/nsupdate -g
>
>         syslog = 10
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ariane.intra/scripts
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>         acl_xattr:ignore system acl = yes
>
> S4bis resolv.conf file:
> search ariane.intra
> nameserver 172.20.2.3
> nameserver 172.20.2.2
>
> Thank you!
> Sam
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
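The site-isolation trick described in mathias dufresne's reply above (a production site that owns every client subnet, a second site with no subnet for the playground DC) depends on two conditions that are easy to get wrong: the playground site must own no subnet at all, and the production site's subnets must cover every client range, because a client whose address matches no subnet object falls back to the domain-wide DC records, which list every DC. The following added example is not from the thread or from the Samba project; it models the client's longest-prefix subnet lookup with Python's `ipaddress` module, checks both conditions on a constructed topology, and prints the `samba-tool` commands (real subcommands; site names, subnets and client ranges are assumed) to create the playground site and join the test DC straight into it.

```python
"""AD-site isolation check for a "playground" Samba DC.

Added example, not from the thread: models how an AD client maps its own
address to a site (longest-prefix match against the domain's subnet objects)
so you can verify, before you join a test DC, that every client range belongs
to the production site and that the playground site owns no subnet at all.
Site names, subnets, client ranges and the admin account are constructed for
illustration; the samba-tool subcommands are real.
"""
import ipaddress

# Constructed topology: production site with subnets, playground site without.
SITES = {
    "Prod-Site": ["172.20.0.0/16", "10.10.0.0/22"],
    "Playground": [],
}
# Constructed client address ranges that must all map to the production site.
CLIENT_RANGES = ["172.20.2.0/24", "172.20.3.0/24", "10.10.1.0/24"]


def site_for_address(addr, sites=SITES):
    """Site owning the most specific subnet containing addr, or None.

    None means the client matches no subnet object; it then uses the
    domain-wide DC records, which list every DC, playground included.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for site, subnets in sites.items():
        for cidr in subnets:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (site, net)
    return best[0] if best else None


def uncovered_ranges(client_ranges, prod_site, sites=SITES):
    """Client ranges that are not entirely inside one of prod_site's subnets."""
    prod_nets = [ipaddress.ip_network(c) for c in sites[prod_site]]
    return [
        cr for cr in client_ranges
        if not any(ipaddress.ip_network(cr).subnet_of(p) for p in prod_nets)
    ]


def isolation_report(prod_site, playground_site, client_ranges, sites=SITES):
    """Summarise whether clients can be steered to the playground site.

    Both lists must be empty: a subnet on the playground site pulls clients
    in (a more specific prefix wins the longest match), and an uncovered
    client range means those clients may pick any DC in the domain.
    """
    leaks = list(sites.get(playground_site, []))
    uncovered = uncovered_ranges(client_ranges, prod_site, sites)
    return {
        "playground_subnets": leaks,
        "uncovered_client_ranges": uncovered,
        "isolated": not leaks and not uncovered,
    }


def plan_commands(realm, prod_site, playground_site, sites=SITES,
                  admin="administrator"):
    """samba-tool invocations: create the (empty) playground site, attach the
    production subnets to the existing production site, and join the test DC
    directly into the playground site so it never has to be moved afterwards.
    Assumed syntax: 'sites create', 'sites subnet create <cidr> <site>',
    'domain join <realm> DC -U<admin> --site=<site>'."""
    cmds = [f"samba-tool sites create {playground_site}"]
    for cidr in sites[prod_site]:
        cmds.append(f"samba-tool sites subnet create {cidr} {prod_site}")
    cmds.append(
        f"samba-tool domain join {realm} DC -U{admin} --site={playground_site}"
    )
    return cmds


if __name__ == "__main__":
    report = isolation_report("Prod-Site", "Playground", CLIENT_RANGES)
    print(report)
    if report["isolated"]:
        print("\n".join(plan_commands("ariane.intra", "Prod-Site", "Playground")))
```

Two caveats worth keeping in mind when you rely on this: sites only steer the DC locator, so anything that names the playground DC explicitly (a `nameserver` entry in a client's resolv.conf, a hard-coded KDC in krb5.conf) still reaches it; and replication keeps running in both directions, so a directory change made on the playground DC propagates to the production DCs exactly as it would from any other DC.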