[Samba] Various AD issues; summary

Sven Schwedas sven.schwedas at tao.at
Thu May 23 09:56:03 UTC 2019

Well, everything seems to work now, so I'll have to pull away to other
projects soon-ish, and hope I'll have time for a proper update soon.

On 23.05.19 11:11, L.P.H. van Belle wrote:
> https://up.tao.at/u/samba/graz-file.info2.txt 
>        Checking file: /etc/nsswitch.conf
> passwd:         files winbind winbind
> group:          files winbind winbind
> shadow:         files winbind
> Uhmm..  If you're using puppet or ansible, then I suggest going over these files once manually. 

I think some Debian automatism is fucking with the file. Fixed it
manually, /again/, let's see how long it lives.

> https://up.tao.at/u/samba/graz-mail.info2.txt
> Missing packages:  apt install acl samba-dsdb-modules  samba-vfs-modules 
> Yes, it's possible to run without these, but for a domain member it's better to install them. 

That machine is only a domain member as a workaround so Cyrus and a few
scripts can use nested winbind groups – I'd rather fix those to properly
use LDAP and drop the mail servers from the domain.

>  database.local
> mail.villach.tao.at
> Now the last 2 entries: if your resolving is correct, then the last two lines should not be needed. 
> But it's not wrong, as long as it also resolves on the other servers where it's needed. 

These are local, server-specific overrides which aren't easily solved in

> https://up.tao.at/u/samba/graz-dc-sem.info2.txt
> You probably have a good reason for it. 
> 	template shell = /bin/zsh 
> Your (some) other servers have template shell = /bin/bash 

Should be harmless, we have zsh and bash on all servers anyway, and
nobody should be logging into DCs anyway. Will resolve that together
with the general update.

> https://up.tao.at/u/samba/graz-dc-1b.info2.txt
> Debian 9.8; the others are at 9.9 (apt dist-upgrade) 
> # /etc/nsswitch.conf
> passwd:         files winbind
> group:          files winbind
> shadow:         files winbind		<<  ?? You missed this one. 
> gshadow:        files
> https://up.tao.at/u/samba/villach-dc-1a.info2.txt
> This computer is running Debian 9.0. You missed a lot of upgrades here. 
> Missing acl package 

Guess we'll need to monitor automated updates, too.

> Well, it looks much better already. 
> Now once all above is done, then next is. 
> Compare your installed packages; you can do that yourself. 
> Now, this is a diff of your packages installed on the DCs. 
> What do you see here... I see a lot of differences. 

Yeah, some of them had unattended-updates not working, that's fixed now.

> For all DCs you need to fix/align the packages.
> apt-get install samba samba-libs samba-vfs-modules samba-dsdb-modules winbind ldb-tools acl attr
> Optional but advised: (sso) ssh logins: apt-get install libnss-winbind libpam-winbind libpam-krb5
> Optional but advised:  Client tools: apt-get install smbclient 

A meta package containing all these and the debug script would probably
be useful to have in your repo, if you don't already.

> And you are probably missing this file on most of your servers.
> One I can also add to my script. 
> /usr/share/pam-configs/winbind

That exists on all servers, with that same contents, and winbind is
enabled everywhere.

> And enable/disable it with: pam-auth-update
> If needed, and you probably need it for ssh logins, select/enable winbind.

Already enabled.

> After this is done on all the DCs, then I have 2 more things. 
> How are you replicating sysvol? 

lsyncd-triggered `rsync --archive --acls --xattrs` from the FSMO role
holder to everyone else.

> How are you syncing the time between all DCs?  (and again I need to add that also to the script.) 

NTP, using the servers of Austria's Federal Office of Metrology and
Surveying. Can't complain about their accuracy, deviation between
servers is <1ms.

> What I now suggest: you have these files, as in these XXXXX.info2.txt, for all servers.  
> Use these and diff between the servers. 
> Now, besides the above changes which need to be done first. 
> Next will be:
> More standardization of your smb.conf for all servers. 
> Your setup with the includes is good, but the settings are a bit off. 
> And with off I mean not wrong, but different, and this can cause problems. 
> So the more these are the same, the fewer problems.
> And keep site/server-specific differences in these site includes, that's good. 

We'll tackle that when we upgrade all the servers to 4.10. Now that
management has felt the impact of obsolete software versions, that's
suddenly a lot easier to schedule. :D Should be mid next month.

>> DNSMasq is there to provide stuff not related to the samba 
>> domain, which
>> is mostly needed for client PCs. So switching over DCs and member
>> servers to using AD DCs directly is easy, but client PCs will need to
>> remain on DNSMasq. From what I've seen, all AD related queries resolve
>> fine with it, too.
> What you have here is fine, but resolv.conf on the DCs needs to resolve to the DCs. 

Already did that.

>> 2 physical sites (192.168.17/24 and 192.168.16/24) in 
>> different subnets,
>> but they're organized as a single logical site in AD and 
>> VPN'd together via default gateway.
> I've done the same here..  I have one site but 4 subdomains and 6 subnets. 
> Now, that VPN part, keep that in mind; after all things are done I have questions about that one also.
> But lets not do that all at once. 

What about it?

>>> Except, i noticed, 
>>> 	.tao.at = AD.TAO.AT
>>> 	tao.at = AD.TAO.AT
>>> That might need some more explanation why you added it.
>>> That helps me understanding your setup. SSO login with 
>> users' email addresses maybe? 
>> Legacy setup had our domain on tao.at directly, I think we needed that
>> to smooth over the transition. But that was years ago and shouldn't be
>> needed any more.
> Good, verify it and if it's not needed remove it.

Removed it, didn't seem to break anything.

>>> I noticed also: 
>>> 	#FIXME: Temporary to fix PHP shit
>>> 	ldap server require strong auth = no
>>> # explain this to me, can offlist if needed. 
>> Some horribly obsolete PHP5 LDAP library breaks with SSL, as a
>> workaround we're SSH tunneling it until we can kill it. Which
>> *hopefully* should be sometimes this month anyway, so no 
>> point in fixing it now.
> Hm, you're using debian stretch, then why are you using jessie's php5? 
> Old web app that needed php5? 

Yes. It's end of life anyway and will be taken offline in a few weeks'
time. No point in trying to improve it now.

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at
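As an added example (mine, not part of this thread and not van Belle's info2 script): the two things the info2.txt diff kept flagging above, a config-management tool re-adding `winbind` to /etc/nsswitch.conf until a database lists it twice (or not at all, as on the one DC's `shadow:` line), and DCs drifting apart in their installed package set, are easy to check mechanically before diffing whole info files. The script below does both with POSIX sh and awk only, so it runs unchanged on the Debian 9 DCs in question. The required package list is the one from the mail (`samba samba-libs samba-vfs-modules samba-dsdb-modules winbind ldb-tools acl attr` plus the advised `libnss-winbind libpam-winbind libpam-krb5 smbclient`); the nsswitch.conf and package lists it runs on are constructed samples modelled on the quoted output, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a DC for the two drift symptoms
# discussed above: duplicated/missing winbind sources in nsswitch.conf and
# required Samba packages that are not installed.

# Constructed sample nsswitch.conf, modelled on the quoted one: winbind listed
# twice on passwd/group, not at all on shadow.
SAMPLE_NSSWITCH='passwd:         files winbind winbind
group:          files winbind winbind
shadow:         files
gshadow:        files'

# What the file should look like after the manual fix.
FIXED_NSSWITCH='passwd:         files winbind
group:          files winbind
shadow:         files winbind
gshadow:        files'

# Constructed sample of `dpkg-query -W -f '${Package}\n'` output on a DC that
# is missing acl (as villach-dc-1a was), restricted to the packages of interest.
SAMPLE_INSTALLED='attr
ldb-tools
libnss-winbind
libpam-krb5
libpam-winbind
samba
samba-dsdb-modules
samba-libs
samba-vfs-modules
smbclient
winbind'

# Package set van Belle asked for on every DC, plus the advised optional ones.
REQUIRED_PKGS='samba samba-libs samba-vfs-modules samba-dsdb-modules winbind ldb-tools acl attr libnss-winbind libpam-winbind libpam-krb5 smbclient'

# nsswitch_dups CONTENT: print "db: src ..." for every database that lists a
# source more than once. Exit 1 if any were found, 0 if the file is clean.
nsswitch_dups() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            db = $1; sub(/:$/, "", db)
            split("", seen); bad = ""           # reset per database (portable clear)
            for (i = 2; i <= NF; i++) {
                if ($i in seen) bad = bad " " $i
                seen[$i] = 1
            }
            if (bad != "") { print db ":" bad; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# nsswitch_missing CONTENT: print the databases among passwd/group/shadow that
# do not list winbind at all. Exit 1 if any, 0 otherwise. Expects the usual
# "db:  source source" layout.
nsswitch_missing() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "passwd:" || $1 == "group:" || $1 == "shadow:" {
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "winbind") has = 1
            if (!has) { sub(/:$/, "", $1); print $1; found = 1 }
        }
        END { exit found ? 1 : 0 }'
}

# missing_pkgs INSTALLED: INSTALLED is a newline-separated package list (one
# name per line, as dpkg-query prints it). Print required packages absent from
# it, in REQUIRED_PKGS order. Exit 1 if any, 0 otherwise.
missing_pkgs() {
    printf '%s\n' "$1" | awk -v req="$REQUIRED_PKGS" '
        NF { inst[$1] = 1 }
        END {
            n = split(req, r, " ")
            for (i = 1; i <= n; i++) if (!(r[i] in inst)) { print r[i]; found = 1 }
            exit found ? 1 : 0
        }'
}

# Demo on the constructed samples. On a real DC, feed it the live data instead:
#   nsswitch_dups "$(cat /etc/nsswitch.conf)"
#   missing_pkgs "$(dpkg-query -W -f '${Package}\n')"
printf 'duplicate sources:\n';  nsswitch_dups "$SAMPLE_NSSWITCH" || :
printf 'missing winbind on:\n'; nsswitch_missing "$SAMPLE_NSSWITCH" || :
printf 'missing packages:\n';   missing_pkgs "$SAMPLE_INSTALLED" || :
```

Each function exits non-zero when it found something, so the three calls can be dropped straight into the existing unattended-update monitoring or a cron job on every DC and alert on exit status rather than on a full info2.txt diff; the same dpkg-query list, collected from each DC, is also what a cross-DC package diff should be run over.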

