[Samba] Odd behavior since upgrading to 4.9.6
Mike Ray
mray at xes-inc.com
Wed Apr 24 19:53:39 UTC 2019
----- On Apr 24, 2019, at 2:35 PM, samba samba at lists.samba.org wrote:
> On Wed, 24 Apr 2019 14:07:37 -0500 (CDT)
> Mike Ray <mray at xes-inc.com> wrote:
>
>> >> idmap_ldb:use rfc2307 = yes
>> >> ldap server require strong auth = no
>> >> netbios name = dc5
>> >> ntp signd socket directory = /var/run/samba/ntp_signd
>> >
>> > Is the above different from the output of:
>> > samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>> >
>>
>> # samba -b | grep NTP_SIGND_SOCKET_DIR
>> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>>
>>
>> > If it isn't, you can remove that line, if it is, why ?
>>
>> When getting NTP working on the DCs, I found a blog post
>> (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html)
>> that used the following command to figure out where the socket was:
>> netstat -xpln | grep signd
>>
>> On my DCs, that returns:
>> # netstat -xpln | grep signd
>> unix 2 [ ACC ] STREAM LISTENING 28320
>> 972/samba /var/run/samba/ntp_signd/socket
>>
>>
>> I set it to allow NTP to function.
>
> Not sure I understand this, 'samba -b' shows it expects
> '/var/lib/samba/ntp_signed' but your netstat command shows
> '/var/run/samba/ntp_signd'. I have to ask, why is this ?
> I also have to ask why you didn't read the Samba wiki ?
>
I used both the wiki and that blog post. In the wiki, one of the first lines reads:

    Verify the socket permissions on your domain controller (DC). The time daemon must have read permissions in the ntp_signed directory. To list the permissions, enter:
    # ls -ld /usr/local/samba/var/lib/ntp_signd/
    drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/

My configuration is not rooted under /usr/local/samba but uses the file system directly (e.g. /var/lib/samba). However, instead of just blindly using /var/lib/samba/ntp_signd, I decided I should verify the proper directory (as there was a bunch of other cruft from the old DCs -- and still is as you have seen). That's when I went searching, found the blog and found that it was using /var/run/samba/ntp_signd/. It's probably worth noting that I do not believe I set anything to force it to use that directory -- in fact I changed the option in smb.conf to that value away from /var/lib/samba/ntp_signd AFTER I found it with netstat.
>>
>>
>> >
>> >> realm = REALM.COM
>> >> server role = active directory domain controller
>> >> workgroup = REALM
>> >> acl:search = no
>> >
>> > That is a blast from the past, or to put it another way, it is very
>> > doubtful you need it
>>
>> This is indeed a carry-over from our original DCs. I'll talk to the
>> guy who put it in to have him review it.
>
> Initially (we are talking Samba 4.0.x here) there were problems
> that required the line, I see no reason to have it now.
>
Noted -- thanks!
>> > This is probably to be expected, I mean that it is hardly likely to
>> > print something like 'The re-index is still OK.' ;-)
>>
>> What I meant is that it prints out 54 lines (that line count is
>> stable for now) of the
>> following: ../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute
>> value in <object>, duplicate of <object>
>>
>> And even with repeated runs, it returns that same output.
>>
>> I kind of expected this to function like "samba-tool dbcheck --fix"
>> where after it ran, that output would not happen.
>
> Do the letters 'DEL' occur in the lines and are they in the 'Deleted
> Objects' container ?
>
> If so, they are actually tombstones and dbcheck will not fix them.
No, these do not appear to be related to tombstones, but valid and active objects.
>
> Can you share the output with me ? I may see something you have missed.
> You can send them to me offlist if required.
I'll send it to you offlist.
>
>> > I think he meant what you did above, join a new DC, either that or
>> > running 'samba-tool drs replicate'
>>
>> Replication occurs automatically in the background, correct?
>
> It is supposed to, but sometimes it doesn't work that way ;-)
>>
>> I can certainly manually run it, I just don't understand why if
>> "samba-tool drs showrepl" shows no errors -- i.e. it's already
>> getting the database/data, isn't it?
>
> You can double check with 'samba-tool ldapcmp'
This also runs nightly and has not yet noted any errors since the upgrade (~12 days).
>
> Rowland
>
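The checks that the thread above walks through by hand (the socket directory compiled into the samba binary as reported by `samba -b`, the directory the running samba is actually listening in as shown by `netstat -xpln`, the `ntp signd socket directory` value in smb.conf, and whether the time daemon's group can get into that directory) collected into one script. This is an added example written for this page, not code from the thread or from the Samba project. The `samba -b` and `netstat` output embedded below is constructed sample text so the script runs offline; the function names and the smb.conf parsing (a simple case-sensitive match on the key) are my own simplifications.

```shell
#!/bin/sh
# Reconcile the three places the ntp_signd socket directory can come from, then check
# that the time daemon's group has read+execute on the directory that is really in use.
#
# The two variables below hold CONSTRUCTED sample output so the script runs offline.
# On a real DC replace them with:  SAMBA_B_OUTPUT=$(samba -b)  NETSTAT_OUTPUT=$(netstat -xpln)
SAMBA_B_OUTPUT='NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd'
NETSTAT_OUTPUT='unix  2      [ ACC ]     STREAM     LISTENING     28320    972/samba            /var/run/samba/ntp_signd/socket'

# Directory compiled into the samba binary (the 'samba -b' default).
compiled_signd_dir() {
    printf '%s\n' "$SAMBA_B_OUTPUT" | awk '/NTP_SIGND_SOCKET_DIR/ { print $NF; exit }'
}

# Directory the running samba is actually listening in: the unix socket path minus
# its file name. Empty (and non-zero status) if no signd socket is listening.
listening_signd_dir() {
    sock=$(printf '%s\n' "$NETSTAT_OUTPUT" | awk '/signd/ { print $NF; exit }')
    [ -n "$sock" ] && dirname "$sock"
}

# Value of 'ntp signd socket directory' in the smb.conf given as $1; empty if unset.
# Simplification: Samba matches parameter names case- and whitespace-insensitively,
# this only matches the spelling used in the thread.
smbconf_signd_dir() {
    awk -F= '/^[[:space:]]*ntp signd socket directory[[:space:]]*=/ {
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2); print $2; exit }' "$1"
}

# Returns 0 when the effective setting (smb.conf value, else the compiled-in default)
# is the directory samba is listening in, 1 otherwise. $1 is the smb.conf path.
signd_dirs_agree() {
    compiled=$(compiled_signd_dir)
    listening=$(listening_signd_dir)
    configured=$(smbconf_signd_dir "$1")
    effective=${configured:-$compiled}
    if [ "$effective" = "$listening" ]; then
        echo "ok: samba listens in $listening (compiled default: $compiled)"
        return 0
    fi
    echo "mismatch: effective setting is $effective but samba listens in $listening" >&2
    return 1
}

# Returns 0 if the group bits of directory $1 allow read+execute, which is what the
# time daemon needs to open the socket inside it; 1 otherwise. Reads the POSIX
# 'ls -ld' mode string (e.g. drwxr-x---), characters 5-7 being the group triplet.
group_can_use_dir() {
    mode=$(ls -ld "$1" | cut -c5-7)
    [ "$mode" = "r-x" ] || [ "$mode" = "rwx" ]
}

# Usage on a DC:
#   signd_dirs_agree /etc/samba/smb.conf && group_can_use_dir "$(listening_signd_dir)"
```

With the constructed output, the compiled-in default (/var/lib/samba/ntp_signd) and the listening socket (/var/run/samba/ntp_signd) disagree, which is exactly the situation in the thread; the check only passes once smb.conf names the directory samba really listens in. The permission check is the `ls -ld` step from the wiki expressed as a yes/no, so it can be wired into a monitoring job alongside `samba-tool ldapcmp`.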