[Samba] Very strange: Samba is unable to access one of its own files
John R. Graham
john at graham-family.org
Wed Nov 13 20:19:22 UTC 2024

On 11/12/24 09:35, Rowland Penny via samba wrote:
> If you are using Debian, just install the libpam-winbind and
> libnss-winbind packages, open /etc/nsswitch.conf in your favourite
> editor and ensure that the passwd & group lines contain 'winbind'.
>
> Rowland

It's Gentoo so I'm setting it up myself, which is fine, but I've messed
up something apparently. This is an AD/DC setup, by the way. In the
process of setting up winbind, I've created a situation that I don't
know how to get out of. Lots of (but not all) routine samba-tool
commands are throwing fatal errors now. For instance,

ceres ~ # samba-tool dns query ceres samdom.example.com @ ALL
dos charset 'CP850' unavailable - using ASCII
convert_string_talloc: Conversion not supported.
ndr_pull_charset: ndr_pull_error(Character Conversion Error): Bad character conversion at ../../librpc/ndr/ndr_string.c:703
Failed to bind to uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa for ncacn_ip_tcp:192.168.123.250[135,target_hostname=ceres,abstract_syntax=e1af8308-5d1f-11c9-91a4-08002b14a0fa/0x00000003,localaddress=192.168.123.250]
NT_STATUS_INVALID_PARAMETER

I get the CP850 warning whether or not the nls_cp580 module is loaded.
Simultaneously, the $(wbinfo -u) command is reporting no users, which is
causing trouble for the dhcp-dyndns.sh script.

My /etc/nsswitch.conf looks like:

# In alphabetical order. Re-order as required to optimize performance.
aliases: files
ethers: files
group: files winbind
gshadow: files
hosts: files dns
# Allow initgroups to default to the setting for group.
# initgroups: files
netgroup: files
networks: files dns
passwd: files winbind
protocols: files
publickey: files
rpc: files
shadow: files
services: files

My /etc/samba/smb.conf looks like:

# Global parameters
[global]
    dns forwarder = 8.8.8.8 75.75.75.75
    netbios name = CERES
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    ldap server require strong auth = no
    unix charset = LOCALE
    # username map = /etc/samba/smbusers
    log level = 1
    # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
    # Winbindd setup for shares:
    # template shell = /bin/bash
    # template homedir = /home/%U
    # idmap_nss plugin setup:
    idmap config * : backend = tdb
    idmap config * : range = 1000000-3999999
    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No

Does any of this look familiar?

- John