[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389

Andrew Bartlett abartlet at samba.org
Tue Sep 27 20:11:37 UTC 2022


On Tue, 2022-09-27 at 19:03 +0100, Rowland Penny via samba wrote:
> 
> On 27/09/2022 18:49, Andrew Bartlett wrote:
> > On Tue, 2022-09-27 at 14:31 +0100, Rowland Penny via samba wrote:
> > > On 27/09/2022 13:52, Alexander Harm || ApfelQ wrote:
> > > > I was able to make some progress on the issue and I have the
> > > > following things working now:
> > > > 
> > > > - "pdbedit -v -u username" works fine now
> > > > - “pdbedit -L” works as well
> > > > - “getent passwd username” works
> > > > - "wbinfo -g" works
> > > > - joining and leaving the domain works fine as well
> > > > 
> > > > I’m still stuck on
> > > > 
> > > > - "wbinfo -u" does not return any users (is this important?)
> > > 
> > > Yes
> > 
> > I'm not sure this is relevant on an NT4 domain (as nsswitch is the
> > authority for users in this case), but I would have expected this
> > to work.
> 
> Well yes, but doesn't it ultimately as winbind?

No, the fundamental difference with the NT4 DC (think of it more as the
standalone server with domain access) is that the OS, not Samba, is the
authority for users.

It was quite a change when in the AD DC we decided that Samba alone
would be the authority, and users would be provided to the OS via
winbindd almost only as a courtesy.  (You can run the AD DC quite fine
without nsswitch set up at all, admins just see files owned by
numbers.)

> > > > - login from Windows machines fails with error 7519 which
> > > > indicates a problem with RPC
> > > > - “net rpc join -U administrator” fails with “Failed to join
> > > > domain: failed to lookup DC info for domain 'DLAN' over rpc:
> > > > {Device Timeout} The specified I/O operation on %hs was not
> > > > completed before the time-out period expired.”
> > 
> > is nmbd running?
> > 
> > > > - port 135 also does not seem to be open on the machine
> > > 
> > > It looks like the rpc service isn't running.
> > 
> > Port 135 is not normally used on an NT4 DC.
> 
> Then why does the Samba wiki list port 135 as being required on an
> NT4-style domain PDC?

Not sure; there are many things said in our wiki, but traditionally NT4
(and Samba when I was developing the NT4-style classic DC) never
answered on 135. That came with AD.

The ability to answer on 135 has more to do with the work supporting
FreeIPA, which uses the source3 codebase to emulate AD.

> > > > - "testparm --suppress-prompt -v | grep '[s]erver services’”
> > > > seems to return the correct list though “server services = s3fs,
> > > > rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd,
> > > > kcc, dnsupdate, dns"
> > > 
> > > Have you upgraded to AD? If not then you can ignore that, it is
> > > only used by AD.
> > 
> > Correct.
> > 
> > > > Anymore ideas?
> > > 
> > > No, a bit lost now, it has been years since I ran an NT4-style
> > > domain.
> > > 
> > > Rowland
> > 
> > I'm thinking missing nmbd.
> 
> Possibly, I believe that smbd, nmbd and winbind should all be
> running. As I said, it has been a long time since I ran an NT4 PDC,
> AD is so much easier, once you get your head around the 'idmap
> config' lines.

That was the intention. Folks wrote whole books on setting up a Samba
DC backed by LDAP; the Samba4 project started with the concept that
rather than a 'kit of parts', the AD DC would be a product, e.g. work
out of the box.

This is a big part of why 'samba-tool provision' does so much.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
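The thread boils down to a few role-dependent checks: on an NT4-style (classic) PDC smbd, nmbd and winbindd should all be running, port 135 is not expected to be listening there, and the "server services" line is only honoured by the AD DC. The script below is an added example written for this summary; it is not code from the thread or from the Samba project. It works on text so it can be fed live `testparm -s` and `ps -eo comm` output or, as here, constructed samples. It assumes testparm prints the role as `server role = <name>` (the smb.conf form) and that the daemons appear under their binary names in the process list; the sample output is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): role-aware
# sanity checks for a Samba server based on the points raised above.

# Extract the "server role" value from testparm-style output.
# Assumption: the value is printed as "server role = <name>" as in smb.conf.
server_role() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1
}

# Daemons that should be running for a given role. The classic DC list is
# the one from the thread; the AD DC runs the single "samba" process.
expected_daemons() {
    case "$1" in
        "classic primary domain controller"|"classic backup domain controller")
            echo "smbd nmbd winbindd" ;;
        "active directory domain controller")
            echo "samba" ;;
        *)
            echo "smbd nmbd" ;;
    esac
}

# Given the expected list and a "ps -eo comm" style list of process names,
# print the daemons that are not running (empty output when all are).
missing_daemons() {
    expected=$1
    running=$2
    missing=""
    for d in $expected; do
        if ! printf '%s\n' "$running" | grep -qx "$d"; then
            missing="$missing $d"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Ports a classic (NT4-style) DC normally serves: NetBIOS name, datagram and
# session services plus SMB over TCP. 135 is deliberately absent, matching
# the thread: answering on 135 came with the AD DC.
classic_dc_ports() { echo "137 138 139 445"; }

# Print yes/no depending on whether a classic DC is expected to serve a port,
# so an unexpected listener (or a missing expected one) stands out in a review.
port_expected_on_classic_dc() {
    for p in $(classic_dc_ports); do
        [ "$p" = "$1" ] && { echo yes; return 0; }
    done
    echo no
}

# Run the checks over testparm output ($1) and a process list ($2).
# Prints a short report; returns non-zero when an expected daemon is missing.
check_samba_host() {
    role=$(server_role "$1")
    missing=$(missing_daemons "$(expected_daemons "$role")" "$2")
    echo "server role: $role"
    if [ -n "$missing" ]; then
        echo "not running: $missing"
    else
        echo "all expected daemons running"
    fi
    # "server services" is only used by the AD DC; flag it as ignorable elsewhere.
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*server services' &&
       [ "$role" != "active directory domain controller" ]; then
        echo "note: 'server services' is ignored for role '$role'"
    fi
    [ -z "$missing" ]
}

# Constructed sample output mimicking "testparm -s" on a classic PDC for the
# DLAN domain from the thread (the passdb backend value is made up).
SAMPLE_TESTPARM='Server role: ROLE_DOMAIN_PDC

# Global parameters
[global]
	workgroup = DLAN
	server role = classic primary domain controller
	passdb backend = ldapsam:ldap://localhost
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns
'

# Constructed "ps -eo comm" output with nmbd missing, as suspected in the thread.
SAMPLE_PS='systemd
sshd
smbd
winbindd
'

# Constructed process list with all three classic DC daemons present.
SAMPLE_PS_OK='smbd
nmbd
winbindd
'

if check_samba_host "$SAMPLE_TESTPARM" "$SAMPLE_PS"; then
    echo "OK"
else
    echo "problems found"
fi
```

On a live host replace the two samples with `"$(testparm -s 2>/dev/null)"` and `"$(ps -eo comm)"`; the report then says which of smbd, nmbd or winbindd is absent before you go looking at RPC errors.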
