[Samba] Samba, Time Machine, and ADS

Rowland penny rpenny at samba.org
Thu Sep 5 07:33:30 UTC 2019


On 05/09/2019 00:25, Johan Hattne via samba wrote:
> Dear all;
>
> I’m running smbd 4.9.5-Debian and I’m struggling to get Time Machine support to work.  The server is running Debian Buster, and the client is macOS High Sierra.  I can mount the share just fine on its own, but as soon as I tell Time Machine to “Back Up Now”, it says “Preparing Backup,” “Looking for Backup Disk,” and then nothing.  The little red exclamation mark tells me that “The network backup disk could not be accessed because there was a problem with the network username or password.”
>
> I’ve been tailing the logs but nothing sticks out to my untrained eyes, except that nowhere does there seem to be any indication of the identity of the authenticating user—thus my suspicion that AD is somehow involved.  What I do get is this:
>
> [2019/09/04 16:16:27.522157,  5] ../libcli/security/security_token.c:53(security_token_debug)
>    Security token: (NULL)
> [2019/09/04 16:16:27.522173,  5] ../source3/auth/token_util.c:866(debug_unix_user_token)
>    UNIX token of user 0
>    Primary group is 0 and contains 0 supplementary groups
> [2019/09/04 16:16:27.522201,  5] ../source3/smbd/uid.c:509(smbd_change_to_root_user)
>    change_to_root_user: now uid=(0,0) gid=(0,0)
> [2019/09/04 16:16:27.522365,  3] ../source3/smbd/server_exit.c:237(exit_server_common)
>    Server exit (NT_STATUS_END_OF_FILE)
>
> And this is the full smb.conf:
>
> [global]
> 	client signing = mandatory
> 	server signing = mandatory
> 	kerberos method = secrets and keytab
> 	load printers = no
> 	realm = AD.EXAMPLE.COM
> 	security = ADS
> 	workgroup = AD
> 	idmap config *:backend = tdb2
> 	idmap config *:range = 1000-9999
> 	idmap config AD:backend = ad
> 	idmap config AD:range = 10000-9999999999
> 	log file = /var/log/samba/log.%m
> 	max log size = 1000
> 	log level = 5
> 	netbios name = MYHOST
> 	server string = Samba %v (%h)
> 	vfs objects = catia fruit streams_xattr
> 	fruit:time machine = yes
> 	fruit:time machine max size = 1024G
> [TimeMachineBackup]
> 	writeable = yes
> 	browsable = yes
> 	path = /var/timemachine
>
> Cluebat, anyone?
>
> // Best wishes; Johan
>
>
Why are you using 'tdb2' for the default domain instead of 'tdb'? Is 
this machine part of a ctdb cluster?

You are using the winbind 'ad' backend, so have you given your users a 
uidNumber attribute containing a unique number inside the 
'10000-9999999999' range and given Domain Users a gidNumber containing a 
number inside the same range?

Rowland
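
Added example, not part of the original message and not Samba's own code: a Python check for the question asked above, parsing the idmap lines from the posted smb.conf and testing uidNumber/gidNumber values against the AD range. The account names and ID values in SAMPLE_ATTRS are constructed for illustration; real values would be read from the directory.

```python
import re

# idmap settings as posted in the quoted smb.conf
SMB_CONF = """
[global]
    idmap config *:backend = tdb2
    idmap config *:range = 1000-9999
    idmap config AD:backend = ad
    idmap config AD:range = 10000-9999999999
"""

# Constructed sample directory data (hypothetical accounts and values)
SAMPLE_ATTRS = [
    ("jdoe", "uidNumber", 10001),
    ("asmith", "uidNumber", None),      # attribute never set
    ("bwong", "uidNumber", 5000),       # inside the '*' range, not AD's
    ("Domain Users", "gidNumber", 10000),
]

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(backend|range)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(conf):
    """Return {domain: {"backend": str, "range": (low, high)}}."""
    domains = {}
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
            if key == "range":
                low, high = value.split("-", 1)
                value = (int(low), int(high))
            domains.setdefault(domain, {})[key] = value
    return domains

def overlapping(domains):
    """Return pairs of domains whose ID ranges intersect."""
    r = sorted((d, e["range"]) for d, e in domains.items() if "range" in e)
    return [(a, b) for i, (a, ra) in enumerate(r) for b, rb in r[i + 1:]
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def check_ids(domains, domain, attrs):
    """Return (name, attribute, problem) for IDs missing or outside the range."""
    low, high = domains[domain]["range"]
    problems = []
    for name, attr, value in attrs:
        if value is None:
            problems.append((name, attr, "missing"))
        elif not low <= value <= high:
            problems.append((name, attr, "outside %d-%d" % (low, high)))
    return problems
```

Calling check_ids(parse_idmap(SMB_CONF), "AD", SAMPLE_ATTRS) lists the accounts that need attention; overlapping() should return an empty list for a sane configuration.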
