[Samba] Odd behavior since upgrading to 4.9.6

Mike Ray mray at xes-inc.com
Wed Apr 24 19:07:37 UTC 2019 

----- On Apr 24, 2019, at 1:49 PM, samba samba at lists.samba.org wrote:

> On Wed, 24 Apr 2019 12:36:15 -0500 (CDT)
> Mike Ray via samba <samba at lists.samba.org> wrote:
> 
>> [global]
>>         dns forwarder = 192.168.2.101 192.168.2.102
> 
> What are the dns forwarders ?
> By this I mean, are they dns servers outside the AD dns domain, no
> nothing about the AD domain, but do know about the internet.
> 

These DNS forwarders are other internal servers. They provide connectivity to non-domain systems and the internet.


>>         idmap_ldb:use rfc2307 = yes
>>         ldap server require strong auth = no
>>         netbios name = dc5
>>         ntp signd socket directory = /var/run/samba/ntp_signd
> 
> Is the above different from the output of:
> samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
> 

 # samba -b | grep NTP_SIGND_SOCKET_DIR
   NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd


> If it isn't, you can remove that line, if it is, why ?

When getting NTP working on the DCs, I found a blog post (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html) that used the following command to figure out where the socket was:
netstat -xpln | grep signd

On my DCs, that returns:
 # netstat -xpln | grep signd
unix  2      [ ACC ]     STREAM     LISTENING     28320    972/samba            /var/run/samba/ntp_signd/socket


I set it to allow NTP to function.


> 
>>         realm = REALM.COM
>>         server role = active directory domain controller
>>         workgroup = REALM
>>         acl:search = no
> 
> That is a blast from the past, or to put it another way, it is very
> doubtful you need it

This is indeed a carry-over from our original DCs. I'll talk to the guy who put it in to have him review it.


> 
>>         load printers = no
>>         ntp signd socket directory = /var/run/samba/ntp_signd
> 
> So good, you have it twice ;-)

Oops :)


> 
> 
>> > 
>> >   acl allow execute always		New		False
>> >   password level				Removed
>> >   set directory				Removed
>> >   use ntdb
>> > New		No
>> 
>> None of these options are set.
> 
> Just because they are not there, doesn't mean they are not set. If a
> parameter has a default value, then if a parameter isn't set, the
> default value is used, this might not be what you want in your setup.

You are right -- I should have clarified that we are not setting this values, so the defaults are in use.

Curiously, only one of those seems to exist in 4.9.6:

 # testparm -v | grep -E "acl allow execute always|password level|set directory|use ntdb"
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

        acl allow execute always = No

> 
>> 
>> 
>> > 
>> > The commands Andrew showed are working.
>> > You need to trigger a re-index and that should work.
>> > 
>> > Before you do that, run on all servers:
>> > samba-tool dbcheck --cross-ncs
>> > ( to fix errors, run it again , add --fix (--yes)
>> 
>> This command runs nightly. I ran it manually and confirmed no issues.
>> 
>> 
>> > 
>> > samba-tool dbcheck --reindex
>> > You need to run it once on every server.
>> 
>> I ran this and it said "re-index OK" (or similar).
>> 
>> The only weird thing here was that if I ran the command again, it had
>> the same output.
> 
> This is probably to be expected, I mean that it is hardly likely to
> print something like 'The re-index is still OK.' ;-)

What I meant is that it prints out 54 lines (that line count is stable for now) of the following:
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in <object>, duplicate of <object>

And even with repeated runs, it returns that same output.

I kind of expected this to function like "samba-tool dbcheck --fix" where after it ran, that output would not happen.


> 
>> Roughly -- the big difference here is that our old version was a
>> custom compiled piece of junk, so we spun up a new server (with the
>> sernet packages) and let the old servers replicate to the new one,
>> instead of upgrading in place.
> 
> That should have worked.
> 
>> > And other way to fix this, check all server, push the database from
>> > a good server to DC5.
>> 
>> What do you mean "push the database from a good server"? I assume you
>> mean something more than just replicate from one DC to another.
> 
> I think he meant what you did above, join a new DC, either that or
> running 'samba-tool drs replicate'

Replication occurs automatically in the background, correct?

I can certainly manually run it, I just don't understand why if "samba-tool drs showrepl" shows no errors -- i.e. it's already getting the database/data, isn't it?


> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list