[Samba] Odd behavior since upgrading to 4.9.6

Rowland Penny rpenny at samba.org
Wed Apr 24 19:35:32 UTC 2019 

On Wed, 24 Apr 2019 14:07:37 -0500 (CDT)
Mike Ray <mray at xes-inc.com> wrote:

> >>         idmap_ldb:use rfc2307 = yes
> >>         ldap server require strong auth = no
> >>         netbios name = dc5
> >>         ntp signd socket directory = /var/run/samba/ntp_signd  
> > 
> > Is the above different from the output of:
> > samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
> >   
> 
>  # samba -b | grep NTP_SIGND_SOCKET_DIR
>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
> 
> 
> > If it isn't, you can remove that line, if it is, why ?  
> 
> When getting NTP working on the DCs, I found a blog post
> (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html)
> that used the following command to figure out where the socket was:
> netstat -xpln | grep signd
> 
> On my DCs, that returns:
>  # netstat -xpln | grep signd
> unix  2      [ ACC ]     STREAM     LISTENING     28320
> 972/samba            /var/run/samba/ntp_signd/socket
> 
> 
> I set it to allow NTP to function.

Not sure I understand this, 'samba -b' shows it expects
'/var/lib/samba/ntp_signed' but your netstat command shows
'/var/run/samba/ntp_signd'. I have to ask, why is this ?
I also have to ask why you didn't read the Samba wiki ?

> 
> 
> >   
> >>         realm = REALM.COM
> >>         server role = active directory domain controller
> >>         workgroup = REALM
> >>         acl:search = no  
> > 
> > That is a blast from the past, or to put it another way, it is very
> > doubtful you need it  
> 
> This is indeed a carry-over from our original DCs. I'll talk to the
> guy who put it in to have him review it.

Initially (we are are talking Samba 4.0.x here) there where problems
that required the line, I see no reason to have it now.
 
> > This is probably to be expected, I mean that it is hardly likely to
> > print something like 'The re-index is still OK.' ;-)  
> 
> What I meant is that it prints out 54 lines (that line count is
> stable for now) of the
> following: ../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute
> value in <object>, duplicate of <object>
> 
> And even with repeated runs, it returns that same output.
> 
> I kind of expected this to function like "samba-tool dbcheck --fix"
> where after it ran, that output would not happen.

Do the letters 'DEL' occur in the lines and are they in the 'Deleted
Objects' container ?

If so, they are actually tombstones and dbcheck will not fix them.

Can you share the output with me ? I may see something you have missed.
You can send them to me offlist if required.

> > I think he meant what you did above, join a new DC, either that or
> > running 'samba-tool drs replicate'  
> 
> Replication occurs automatically in the background, correct?

It is supposed to, but sometimes it doesn't work that way ;-)
> 
> I can certainly manually run it, I just don't understand why if
> "samba-tool drs showrepl" shows no errors -- i.e. it's already
> getting the database/data, isn't it?

You can double check with 'samba-tool ldapcmp' 

Rowland

More information about the samba mailing list