[Samba] Debugging Samba is a total PITA and this needs to improve

Sven Schwedas sven.schwedas at tao.at
Tue May 21 13:03:45 UTC 2019

On 21.05.19 14:37, L.P.H. van Belle via samba wrote:
> winbind enum users = yes
> winbind enum groups = yes
> Better no, works the same, but your server is faster. 

Since Cyrus IMAPD cannot query LDAP for group memberships, we need this
to make shared folders work with groups on our mail servers. Useless on
this machine, yes, but w/e, we're not seeing any performance issues.

> You see this note from the script:
> Running as Unix domain member and no user.map detected.
> Where is your user mapping? You don't use SePrivileges?
> Now it's not wrong and possible to run it without, but it is much more work to set up correctly for this.

Where's this documented?

> And.. You're still on 4.5.16, yes, possible, but why do you think I make newer packages.

If updating Samba didn't have a tendency to lead to breakages, I'd just
chuck it into the daily auto updates. But since debugging breakages is
just too painful, I'd rather not touch it.

> Windows and its updates are moving fast

Sure, but not really relevant here, since the member server broke
authentication for all client OSes, not just Windows clients.
`smbclient -L //localhost` and `wbinfo -a` are just as broken on that
member server.

Didn't notice that until after my first email, since it just so happened
that the user /accounts/ affected were all using Windows PCs when they
noticed the problem.

> Now, last question, on the PC with the "unable to authenticate", any Windows event IDs with warning/errors?
> You probably looked at that already?? Or not?

No error message other than that. Network logons to DCs work fine too,
as do logons to other member servers.

> man smb.conf /log level   ( + hit 5x n ) and you're at the log level point.  ;-)
> That shows this example : 
> log level = 1 full_audit:1@/var/log/audit.log

full_audit doesn't exist for 4.5. ;)

> Date: Tue, 22 May 2018 15:44:36 +0000
> - Dynamic DNS updates with GSS-TSIG against Microsoft or samba DNS servers are not working and fails with the following error: ; TSIG error ...
> https://bugzilla.samba.org/show_bug.cgi?id=13019  samba 4.7 and lower. 
> You really want to try my packages.. ;-) 
> And in your case, update steps, 4.8, and stay there if you want to switch to Buster then 4.9.5 

Given that DRS replication and DNS are so broken, what'd be the best
approach for that? Nuke all DCs except the FSMO role holder, update that
one, then add new DCs? Or just export all LDAP data and start over from
a clean 4.10 setup?

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
