[Samba] Various AD issues; summary

L.P.H. van Belle belle at bazuin.nl
Thu May 23 10:19:35 UTC 2019


Ok, just don't forget the last points, where there is more to do.
As in smb.conf fixes, these are important also.


> -----Original message-----
> From: Sven Schwedas [mailto:sven.schwedas at tao.at] 
> Sent: Thursday 23 May 2019 11:56
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: Various AD issues; summary
> 
> Well, everything seems to work now, so I'll have to pull away to other
> projects soon-ish, and hope I'll have time for a proper update soon.
> 
> On 23.05.19 11:11, L.P.H. van Belle wrote:
> > https://up.tao.at/u/samba/graz-file.info2.txt 
> > 
> >        Checking file: /etc/nsswitch.conf
> > 
> > passwd:         files winbind winbind
> > group:          files winbind winbind
> > shadow:         files winbind
> > 
> > Uhmm.. If you're using puppet or ansible, then I suggest going over these files once manually. 
> 
> I think some Debian automatism is fucking with the file. Fixed it
> manually, /again/, let's see how long it lives.
> 
> > https://up.tao.at/u/samba/graz-mail.info2.txt
> > Missing packages: apt install acl samba-dsdb-modules samba-vfs-modules 
> > Yes, it's possible to run without these, but for a domain member it's better to install them. 
> 
> That machine is only a domain member as a workaround so Cyrus and a few
> scripts can use nested winbind groups – I'd rather fix those to properly
> use LDAP and drop the mail servers from the domain.
> 
> > 192.168.17.58  database.local
> > 192.168.16.209 mail.villach.tao.at
> > 
> > Now the last 2 entries: if your resolving is correct, then the last two lines should not be needed. 
> > But it's not wrong, as long as these also resolve on the other servers where it's needed. 
> 
> These are local, server-specific overrides which aren't easily solved in
> DNS.
> 
> > https://up.tao.at/u/samba/graz-dc-sem.info2.txt
> > You probably have a good reason for it. 
> > 	template shell = /bin/zsh 
> > Your (some) other servers have template shell = /bin/bash 
> 
> Should be harmless, we have zsh and bash on all servers anyway, and
> nobody should be logging into DCs anyway. Will resolve that together
> with the general update.
> 
> > https://up.tao.at/u/samba/graz-dc-1b.info2.txt
> > 
> > Debian 9.8, the others are at 9.9 (apt dist-upgrade) 
> > 
> > # /etc/nsswitch.conf
> > passwd:         files winbind
> > group:          files winbind
> > shadow:         files winbind		<<  ?? You missed this one. 
> > gshadow:        files
> > 
> > 
> > https://up.tao.at/u/samba/villach-dc-1a.info2.txt
> > This computer is running Debian 9.0 .. You missed a lot of upgrades here. 
> > Missing acl package 
> 
> Guess we'll need to monitor automated updates, too.
> 
> > Well, it looks much better already. 
> > 
> > Now once all of the above is done, then next is: 
> > Compare your installed packages, you can do that yourself. 
> > 
> > Now, this is a diff of your packages installed on the DCs. 
> > What do you see here... I see a lot of differences. 
> 
> Yeah, some of them had unattended-updates not working, that's fixed now.
> 
> > For all DCs you need to fix/align the packages.
> > apt-get install samba samba-libs samba-vfs-modules samba-dsdb-modules winbind ldb-tools acl attr
> > 
> > Optional but advised (sso ssh logins): apt-get install libnss-winbind libpam-winbind libpam-krb5
> > Optional but advised, client tools: apt-get install smbclient 
> 
> A meta package containing all these and the debug script would probably
> be useful to have in your repo, if you don't already.

Yeah, that is on my todo list but I'm pretty busy with office things atm. 
But creating meta packages for specific installs, yeah, that will help a lot. 


> 
> > And you probably are missing this file on most of your servers.
> > One I can add also to my script. 
> > 
> > /usr/share/pam-configs/winbind
> 
> That exists on all servers, with that same contents, and winbind is
> enabled everywhere.
> 
> > And enable/disable it with: pam-auth-update
> > If needed, and you probably need it for ssh logins, select/enable winbind.
> 
> Already enabled.
> 
> > After this is done on all the DCs then I have 2 more things. 
> > 
> > How are you replicating sysvol? 
> 
> lsyncd-triggered `rsync --archive --acls --xattrs` from the FSMO role
> holder to everyone else.

Lsyncd? Can you share how you use it? Might be useful to put it also on the wiki. 


> 
> > How are you syncing the time between all DCs? (And again, need to add that also to the script.) 
> 
> NTP, using the servers of Austria's Federal Office of Metrology and
> Surveying. Can't complain about their accuracy, deviation between
> servers is <1ms.
> 
> > What I now suggest: you have these files, as in these :XXXXX.info2.txt, for all servers.  
> > Use these and diff between the servers. 
> > 
> > Now beside the above changes, which need to be done first, next will be:
> > 
> > More standardization of your smb.conf for all servers. 
> > Your setup with the includes is good, but the settings are a bit off. 
> > And with off I mean not wrong, but different, and this can cause problems. 
> > So the more these are the same, the fewer problems.
> > And keep site/server specific differences in these site includes, that's good. 
> 
> We'll tackle that when we upgrade all the servers to 4.10. Now that
> management has felt the impact of obsolete software versions, that's
> suddenly a lot easier to schedule. :D Should be mid next month.

That's great, but do remember to fix up the other parts first also. 
As I said, it's not fully done; put it on your TODO list. 
Because if you upgrade now from 4.5 to 4.10 in one step, you get new problems,
which you can easily avoid by fixing things before upgrading. 

> 
> >> DNSMasq is there to provide stuff not related to the samba domain, which
> >> is mostly needed for client PCs. So switching over DCs and member
> >> servers to using AD DCs directly is easy, but client PCs will need to
> >> remain on DNSMasq. From what I've seen, all AD related queries resolve
> >> fine with it, too.
> > 
> > What you have here is fine, but resolv.conf on the DCs needs to resolve to the DCs. 
> 
> Already did that.
> 
> >> 2 physical sites (192.168.17/24 and 192.168.16/24) in different subnets,
> >> but they're organized as a single logical site in AD and
> >> VPN'd together via default gateway.
> > 
> > I've done the same here.. I have one site but 4 subdomains and 6 subnets. 
> > Now, that VPN part, keep that in mind; after all things are done I have questions about that one also.
> > But let's not do that all at once. 
> 
> What about it?

Well, think of:
- Reduced package sizes.
- Disable Path MTU discovery to prevent packet fragmentation problems.
- Prevent IP packet fragmentation itself.
- Prioritizing of traffic?

Optimizing things like that also helps in stabilizing the network. 

> 
> >>> Except, I noticed, 
> >>> 	.tao.at = AD.TAO.AT
> >>> 	tao.at = AD.TAO.AT
> >>> That might need some more explanation why you added it.
> >>> That helps me understand your setup. SSO login with users' email addresses maybe? 
> >>
> >> Legacy setup had our domain on tao.at directly, I think we needed that
> >> to smooth over the transition. But that was years ago and shouldn't be
> >> needed any more.
> > 
> > Good, verify it and if its not needed remove it.
> 
> Removed it, didn't seem to break anything.
> 
> >>> I noticed also: 
> >>> 	#FIXME: Temporary to fix PHP shit
> >>> 	ldap server require strong auth = no
> >>>
> >>> # explain this to me, can offlist if needed. 
> >>
> >> Some horribly obsolete PHP5 LDAP library breaks with SSL, as a
> >> workaround we're SSH tunneling it until we can kill it. Which
> >> *hopefully* should be sometimes this month anyway, so no 
> >> point in fixing it now.
> > 
> > Hm, you're using Debian stretch, then why are you using jessie's php5? 
> > Old web app that needed php5? 
> 
> Yes. It's end of life anyway and will be taken offline in a few weeks'
> time. No point in trying to improve it now.

I agree. Now, if it's within 2-3 months, keep it; better to use the time for the new setup. 


Well, have a good day on the next project. 

Greetz, 

Louis
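An added example, not from this thread and not part of Louis's info2 script: a POSIX sh check for the two nsswitch.conf defects discussed above, a service listed twice on one line (`files winbind winbind`) and winbind missing from the shadow line on a domain member. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf for the defects seen in the thread.
# audit_nsswitch PATH -> prints findings, returns the number of problems found.

audit_nsswitch() {
    nss_file="$1"
    problems=0
    for db in passwd group shadow; do
        # services listed for this database, without the "db:" prefix
        svcs=$(awk -v db="$db" '$1 == (db ":") { $1 = ""; print }' "$nss_file")
        if [ -z "$svcs" ]; then
            echo "$db: no entry in $nss_file"
            problems=$((problems + 1))
            continue
        fi
        # the same service named twice on one line ("files winbind winbind")
        dups=$(printf '%s\n' $svcs | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "$db: duplicated service(s): $dups"
            problems=$((problems + 1))
        fi
        # a domain member needs winbind on passwd, group AND shadow
        case " $svcs " in
            *" winbind "*) ;;
            *) echo "$db: winbind missing"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# write_sample PATH PASSWD_GROUP_SERVICES SHADOW_SERVICES
# Writes a constructed nsswitch.conf fragment (not a real host's file).
write_sample() {
    printf 'passwd:         %s\ngroup:          %s\nshadow:         %s\ngshadow:        files\n' \
        "$2" "$2" "$3" > "$1"
}

# Demo: the defective file from the thread beside a corrected one.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/bad.conf"  "files winbind winbind" "files"
write_sample "$demo_dir/good.conf" "files winbind" "files winbind"
for f in bad good; do
    if audit_nsswitch "$demo_dir/$f.conf"; then echo "$f.conf: ok"; fi
done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_nsswitch /etc/nsswitch.conf` on each server and diff the output between them, the same way the info2.txt files are compared.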
