[Samba] AD DC lost sub.conf

Callum MacEwan callum at pegasusnz.com
Sat Dec 3 09:59:43 UTC 2022

Is this looking better?

[global]
#samba-tool provision configs
dns forwarder =
netbios name = CAPSICUM
server role = active directory domain controller
workgroup = BALEWAN
idmap_ldb:use rfc2307 = yes

#local config
vfs objects = dfs_samba4 acl_xattr recycle
template shell = /bin/bash
#temporary test configs

#System Volumes and logon
#(section headers restored; [sysvol] and [netlogon] are the share names
# samba-tool provision creates. 'browse' is not an smb.conf parameter,
# 'browseable' is, so the two lines below use the real name.)
[sysvol]
path = /var/lib/samba/sysvol
read only = No
browseable = No

[netlogon]
path = /var/lib/samba/sysvol/balewan.pegasusnz.com/scripts
read only = No
browseable = No

> On 3/12/2022, at 10:09 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 02/12/2022 20:14, Callum MacEwan via samba wrote:
>>>> On 3/12/2022, at 1:10 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>> On 02/12/2022 11:15, Callum MacEwan via samba wrote:
>>>>>> On 2/12/2022, at 8:26 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>>> On 30/11/2022 20:57, Callum MacEwan via samba wrote:
>>>>>> I have checked all my smb.conf on the AD DC and Dom member
>>>>>> On the AD DC
>>>>>> wbinfo -u and -g respond normally with users and groups prefixed with Domain
>>>>>> Starting samba with -i -d 4 reveals no obvious error it chats to DOM members
>>>>>> The only error I saw was invalid SID (not sure if that is an error or warning )
>>>>>> On Dom Member
>>>>>> wbinfo -u returns nothing but Wbinfo -g returns domain\groups as expected
>>>>>> I have started all modules with -i -d 4 and don’t see any obvious errors
>>>>>> wbinfo -p pings winbindd successfully
>>>>>> wbinfo -P returns an error
>>>>>>> checking the NETLOGON for domain[SAND] dc connection to "" failed
>>>>>>> failed to call wbcPingDc: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>> All the DNS tests are good
>>>>>> Any guidance on what to do next appreciated
>>>>> Would you like to answer the question I asked:
>>>> Sorry Rowland with all the restarts the mail server had a meltdown
>>>>> Can you clarify where you were getting those numbers.
>>>> Initially on the DC
>>>> It changed mapping to 3000017 and 100
>>> From looking at your smb.conf files below, this is what I would expect on a DC, unless you added uidNumber & gidNumber attributes.
>>>> The domain controller is also my web server, so I log in with my domain account and mount the file server so I don’t have permission issues; this had been working perfectly for 5 weeks +
>>> It is not really a good idea to use a Samba DC (or any DC for that matter) for anything other than authentication.
>>>>> I suppose I should also have asked, how you are getting those numbers ?
>>>> I have remote cameras capturing frames and saving to the server via ftp; they started failing with permission issues
>>> Which server ?
>> They ftp into the AD DC
> I would suggest that you do not use the DC for anything but authentication.
I agree, will get a dedicated box soon
>>>>> I think you need to post the smb.conf from the DC and the Unix domain member.
>>>> AD DC sub.conf minus two system volume mounts
>>>> These configs might not be exactly what the working confs were; I lost some lines due to a sticky keyboard and lag
>>>> [global]
>>>> bind interfaces only = Yes
>>>> dns forwarder =
>>>> interfaces =
>>>> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>>> netbios name = SAND
>>>> workgroup = BEACH
>>>> server role = active directory domain controller
>>>> apply group policies = yes
>>>> template shell = /bin/bash
>>>> winbind enum users = yes
>>>> winbind enum groups = yes
>>> I keep telling people this, but nobody seems to listen, you only need the 'winbind enum' lines for testing purposes, Samba works perfectly well without them.
>> I only added them when my trouble began; they are commented out
>>>> log level = 4
>>>> Dom Member
>>>> [global]
>>>> bind interfaces only = Yes
>>>> interfaces = lo
>>>> netbios name = DUNE
>>>> workgroup = BEACH
>>>> server role = member server
>>>> security = ADS
>>>> #kerberos method = secrets and keytab
>>>> #dedicated keytab file = /etc/krb5.keytab
>>>> #winbind refresh tickets = Yes
>>>> log file = /var/log/samba/%m.log
>>>> log level = 4
>>>> idmap config *: backend = autorid
>>>> idmap config *: range = 100000-2999999
>>>> idmap config BEACH : backend = rid
>>>> idmap config BEACH : range =10000-99999
>>>> #idmap config BEACH : unix_nss_info = yes
>>> If you are going to use the 'autorid' idmap backend, you only use the 'autorid' idmap backend, the other 'rid' lines should be removed (I take it you have set up a two trust to BALEWAN), also, you only use 'unix nss info' with the 'ad' idmap backend. To put it bluntly, you couldn't have got it more wrong.
>> Sorry to upset you!
>> BALEWAN was actually BEACH
> Doesn't really matter, the 'autorid' idmap backend is meant for multiple domains, you do not use it with any other idmap backend. You should either change 'autorid' to 'tdb' (or remove the entire line, tdb is the default), or remove the 'idmap config BEACH' lines. This will of course probably change all the user & group IDs.
Okay I will remove them all

>>>> template shell = /bin/bash
>>>> #template homedir = /media/home/%U
>>>> username map = /usr/local/samba/etc/user.map
>>> I take it that you used to compile Samba yourself.
>> No I used the Debian package
>> When I use a Windows box to look at the Domain Controller it does not find the domain controller; if I select the DC manually, its status changes from pending to online but the DC column is blank?
> Are the Windows machines using a DC for their nameserver ?
The Windows boxes do use the DC for nameserver, but they are not used very often

The only thing that is not working at the moment is the domain member on Debian
Net commands error NT_STATUS_NO_LOGON_SERVERS…

Thank you for your guidance, much appreciated

> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
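The idmap rules Rowland spells out in this thread (autorid is all-or-nothing and is never mixed with rid or ad, unix_nss_info belongs to the 'ad' backend only, 'winbind enum' lines are for testing, and every parameter must be 'key = value') lend themselves to a pre-flight lint before restarting winbind. The following Python is an added example, not code from the thread or from the Samba project; the sample smb.conf inside it is constructed from the domain-member config posted above, the parser is a deliberately minimal one, and the overlapping-range check goes slightly beyond the thread (Samba requires idmap ranges not to overlap). Samba's own testparm remains the authoritative syntax check.

```python
import re

# Constructed sample: the domain-member smb.conf as posted in the thread,
# carrying the mistakes called out in the replies (autorid mixed with rid,
# unix_nss_info on a non-ad backend, 'log file -' instead of 'log file =').
SAMPLE_MEMBER_CONF = """\
[global]
bind interfaces only = Yes
interfaces = lo
netbios name = DUNE
workgroup = BEACH
server role = member server
security = ADS
log file - /var/log/samba/%m.log
log level = 4
idmap config *: backend = autorid
idmap config *: range = 100000-2999999
idmap config BEACH : backend = rid
idmap config BEACH : range =10000-99999
idmap config BEACH : unix_nss_info = yes
template shell = /bin/bash
"""

# Constructed corrected version: tdb for the default '*' domain, rid for BEACH,
# no unix_nss_info, and a properly formed 'log file' line.
CORRECTED_MEMBER_CONF = """\
[global]
bind interfaces only = Yes
interfaces = lo
netbios name = DUNE
workgroup = BEACH
server role = member server
security = ADS
log file = /var/log/samba/%m.log
log level = 4
idmap config * : backend = tdb
idmap config * : range = 100000-2999999
idmap config BEACH : backend = rid
idmap config BEACH : range = 10000-99999
template shell = /bin/bash
"""

IDMAP_RE = re.compile(r"^idmap config (\S+?)\s*:\s*(\w+)$")


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns (sections, problems).

    sections maps lower-cased section name -> {normalised key: value};
    problems lists lines Samba would not accept (it only understands
    'key = value', so 'log file - ...' is reported instead of silently lost).
    """
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: no '=' in '{line}' (Samba only accepts key = value)")
            continue
        if current is None:
            problems.append(f"line {lineno}: parameter before any [section]")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][re.sub(r"\s+", " ", key.lower())] = value
    return sections, problems


def idmap_table(global_section):
    """Collect 'idmap config DOMAIN : option' entries into {domain: {option: value}}."""
    table = {}
    for key, value in global_section.items():
        match = IDMAP_RE.match(key)
        if match:
            table.setdefault(match.group(1), {})[match.group(2)] = value.lower()
    return table


def parse_range(text):
    low, high = (int(x) for x in text.replace(" ", "").split("-", 1))
    return low, high


def lint_smb_conf(text):
    """Return a list of findings; an empty list means no rule fired."""
    sections, findings = parse_smb_conf(text)
    global_section = sections.get("global", {})
    idmap = idmap_table(global_section)
    backends = {dom: opts.get("backend", "tdb") for dom, opts in idmap.items()}
    # Rule 1: autorid covers every domain by itself; any second backend is a mistake.
    if "autorid" in backends.values() and len(backends) > 1:
        findings.append("autorid mixed with other idmap backends: "
                        + ", ".join(f"{d}={b}" for d, b in sorted(backends.items())))
    # Rule 2: unix_nss_info only means something with the 'ad' backend.
    for dom, opts in idmap.items():
        if "unix_nss_info" in opts and backends[dom] != "ad":
            findings.append(f"idmap config {dom}: unix_nss_info set but backend is {backends[dom]}, not ad")
    # Rule 3: every idmap domain needs a range, and ranges must not overlap.
    ranges = {}
    for dom, opts in idmap.items():
        if "range" not in opts:
            findings.append(f"idmap config {dom}: no range")
        else:
            ranges[dom] = parse_range(opts["range"])
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"idmap ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    # Rule 4: 'winbind enum' lines are test-only and cost performance in production.
    for key in ("winbind enum users", "winbind enum groups"):
        if global_section.get(key, "").lower() in ("yes", "true", "1"):
            findings.append(f"'{key} = yes' is only needed for testing; remove it in production")
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(SAMPLE_MEMBER_CONF):
        print(" -", finding)
    print("corrected config findings:", lint_smb_conf(CORRECTED_MEMBER_CONF))
```

Running the block on the posted member config reports the malformed 'log file' line, the autorid/rid mix, and the stray unix_nss_info; the corrected config comes back clean. Because the parser lower-cases keys and collapses whitespace, 'idmap config BEACH : backend' and 'idmap config beach: backend' are treated as the same entry, which matches how Samba reads them.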
