[Samba] Odd behavior since upgrading to 4.9.6
Mike Ray
mray at xes-inc.com
Wed Apr 24 19:07:37 UTC 2019
----- On Apr 24, 2019, at 1:49 PM, samba samba at lists.samba.org wrote:
> On Wed, 24 Apr 2019 12:36:15 -0500 (CDT)
> Mike Ray via samba <samba at lists.samba.org> wrote:
>
>> [global]
>> dns forwarder = 192.168.2.101 192.168.2.102
>
> What are the dns forwarders ?
> By this I mean, are they dns servers outside the AD dns domain, no
> nothing about the AD domain, but do know about the internet.
>
These DNS forwarders are other internal servers. They provide connectivity to non-domain systems and the internet.
>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> netbios name = dc5
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> Is the above different from the output of:
> samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>
# samba -b | grep NTP_SIGND_SOCKET_DIR
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> If it isn't, you can remove that line, if it is, why ?
When getting NTP working on the DCs, I found a blog post (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html) that used the following command to figure out where the socket was:
netstat -xpln | grep signd
On my DCs, that returns:
# netstat -xpln | grep signd
unix 2 [ ACC ] STREAM LISTENING 28320 972/samba /var/run/samba/ntp_signd/socket
I set it to allow NTP to function.
>
>> realm = REALM.COM
>> server role = active directory domain controller
>> workgroup = REALM
>> acl:search = no
>
> That is a blast from the past, or to put it another way, it is very
> doubtful you need it
This is indeed a carry-over from our original DCs. I'll talk to the guy who put it in to have him review it.
>
>> load printers = no
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> So good, you have it twice ;-)
Oops :)
>
>
>> >
>> > acl allow execute always New False
>> > password level Removed
>> > set directory Removed
>> > use ntdb
>> > New No
>>
>> None of these options are set.
>
> Just because they are not there, doesn't mean they are not set. If a
> parameter has a default value, then if a parameter isn't set, the
> default value is used, this might not be what you want in your setup.
You are right -- I should have clarified that we are not setting these values, so the defaults are in use.
Curiously, only one of those seems to exist in 4.9.6:
# testparm -v | grep -E "acl allow execute always|password level|set directory|use ntdb"
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
acl allow execute always = No
>
>>
>>
>> >
>> > The commands Andrew showed are working.
>> > You need to trigger a re-index and that should work.
>> >
>> > Before you do that, run on all servers:
>> > samba-tool dbcheck --cross-ncs
>> > ( to fix errors, run it again , add --fix (--yes)
>>
>> This command runs nightly. I ran it manually and confirmed no issues.
>>
>>
>> >
>> > samba-tool dbcheck --reindex
>> > You need to run it once on every server.
>>
>> I ran this and it said "re-index OK" (or similar).
>>
>> The only weird thing here was that if I ran the command again, it had
>> the same output.
>
> This is probably to be expected, I mean that it is hardly likely to
> print something like 'The re-index is still OK.' ;-)
What I meant is that it prints out 54 lines (that line count is stable for now) of the following:
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in <object>, duplicate of <object>
And even with repeated runs, it returns that same output.
I kind of expected this to function like "samba-tool dbcheck --fix" where after it ran, that output would not happen.
>
>> Roughly -- the big difference here is that our old version was a
>> custom compiled piece of junk, so we spun up a new server (with the
>> sernet packages) and let the old servers replicate to the new one,
>> instead of upgrading in place.
>
> That should have worked.
>
>> > And other way to fix this, check all server, push the database from
>> > a good server to DC5.
>>
>> What do you mean "push the database from a good server"? I assume you
>> mean something more than just replicate from one DC to another.
>
> I think he meant what you did above, join a new DC, either that or
> running 'samba-tool drs replicate'
Replication occurs automatically in the background, correct?
I can certainly manually run it, I just don't understand why if "samba-tool drs showrepl" shows no errors -- i.e. it's already getting the database/data, isn't it?
>
> Rowland
>
>
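Two of the points raised in this exchange (a parameter defined twice in [global], and an `ntp signd socket directory` line that may only restate the build-time default from `samba -b`) can be checked mechanically. The script below is an added example, not part of the thread or of Samba; it parses a constructed smb.conf modelled on the quoted one and uses an assumed build default instead of calling `samba -b`.

```shell
#!/bin/sh
# Constructed smb.conf fragment modelled on the [global] section quoted above;
# written to a temp file so the checks run offline without a Samba install.
SMB_CONF="$(mktemp)"
cat > "$SMB_CONF" <<'EOF'
[global]
    dns forwarder = 192.168.2.101 192.168.2.102
    netbios name = dc5
    ntp signd socket directory = /var/run/samba/ntp_signd
    realm = REALM.COM
    server role = active directory domain controller
    load printers = no
    ntp signd socket directory = /var/run/samba/ntp_signd
[netlogon]
    path = /var/lib/samba/sysvol/realm.com/scripts
EOF

# Assumed build-time default (constructed). On a real DC obtain it with:
#   samba -b | grep NTP_SIGND_SOCKET_DIR | awk '{print $NF}'
BUILD_NTP_SIGND_DIR=/var/lib/samba/ntp_signd

# Print every parameter defined more than once in [global]; Samba keeps the last one.
global_duplicates() {
    awk -F= '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && NF >= 2 {
            key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (++seen[key] == 2) print key
        }' "$1"
}

# Effective value of a [global] parameter (last definition wins, as Samba does).
global_value() {
    awk -F= -v want="$2" '
        /^[[:space:]]*\[/ { in_global = ($0 ~ /^[[:space:]]*\[global\]/); next }
        in_global && NF >= 2 {
            key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (key == want) { val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val) }
        }
        END { print val }' "$1"
}

# "redundant": the line restates the build default and can go; "override": ntpd
# must be pointed at the configured path, not at what samba -b reports.
ntp_signd_verdict() {
    configured="$(global_value "$1" 'ntp signd socket directory')"
    [ -z "$configured" ] && { echo "default ($2)"; return; }
    [ "$configured" = "$2" ] && echo "redundant ($configured)" || echo "override ($configured)"
}

echo "duplicated in [global]: $(global_duplicates "$SMB_CONF")"
echo "ntp signd socket directory: $(ntp_signd_verdict "$SMB_CONF" "$BUILD_NTP_SIGND_DIR")"
```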