[Samba] Very strange: Samba is unable to access one of its own files
Rowland Penny
rpenny at samba.org
Wed Nov 13 20:54:20 UTC 2024
On Wed, 13 Nov 2024 15:19:22 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:
>
> On 11/12/24 09:35, Rowland Penny via samba wrote:
>
> > If you are using Debian, just install the libpam-winbind and
> > libnss-winbind packages, open /etc/nsswitch.conf in your favourite
> > editor and ensure that the passwd & group lines contain 'winbind'.
> >
> > Rowland
>
> It's Gentoo so I'm setting it up myself, which is fine, but I've
> messed up something apparently. This is an AD/DC setup, by the way.
It has been years since I last used Gentoo; I gave up on it because,
even though it gives you total control, it also requires everything
being built and I found that turned into taking more time than actually
using the OS, but everyone is different.
> In the process of setting up winbind,
How have you set up winbind, did you do something similar to this:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links
> I've created a situation that
> I don't know how to get out of. Lots of (but not all) routine
> samba-tool commands are throwing fatal errors now. For instance,
>
> ceres ~ # samba-tool dns query ceres samdom.example.com @ ALL
> dos charset 'CP850' unavailable - using ASCII
It looks like you do not have whatever supplies 'CP850' on Gentoo
installed.
> convert_string_talloc: Conversion not supported.
> ndr_pull_charset: ndr_pull_error(Character Conversion Error): Bad
> character conversion at ../../librpc/ndr/ndr_string.c:703
> Failed to bind to uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa for
> ncacn_ip_tcp:192.168.123.250[135,target_hostname=ceres,abstract_syntax=e1af8308-5d1f-11c9-91a4-08002b14a0fa/0x00000003,localaddress=192.168.123.250]
> NT_STATUS_INVALID_PARAMETER
>
> I get the CP850 warning whether or not the nls_cp580 module is loaded.
When you built Samba, did you read these wiki pages:
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba/Building_Samba_on_Gentoo
>
> Simultaneously, the $(wbinfo -u) command is reporting no users, which
> is causing trouble for the dhcp-dyndns.sh script.
That isn't good; wbinfo should work without the winbind links, as it
goes direct to AD.
>
> My /etc/nsswitch.conf looks like:
>
> # In alphabetical order. Re-order as required to optimize performance.
> aliases: files
> ethers: files
> group: files winbind
> gshadow: files
> hosts: files dns
> # Allow initgroups to default to the setting for group.
> # initgroups: files
> netgroup: files
> networks: files dns
> passwd: files winbind
> protocols: files
> publickey: files
> rpc: files
> shadow: files
> services: files
>
That should work, provided the winbind links are set up correctly.
> My /etc/samba/smb.conf looks like:
>
> # Global parametersunix charset
> [global]
> dns forwarder = 8.8.8.8 75.75.75.75
> netbios name = CERES
> realm = SAMDOM.EXAMPLE.COM
> server role = active directory domain controller
> workgroup = SAMDOM
> idmap_ldb:use rfc2307 = yes
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> ldap server require strong auth = no
> unix charset = LOCALE
Fix the CP850 problem and you will not require the 'unix charset' line.
> # username map = /etc/samba/smbusers
It is good that the username map line is commented out; it is never
used on a DC.
> log level = 1
>
> # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> # Winbindd setup for shares:
> # template shell = /bin/bash
> # template homedir = /home/%U
>
> # idmap_nss plugin setup:
> idmap config * : backend = tdb
> idmap config * : range = 1000000-3999999
>
> idmap config SAMBA : backend = nss
> idmap config SAMBA : range = 1000-999999
You should remove the 'idmap config' lines; they should never be set on
a DC.
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
> [netlogon]
> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> read only = No
>
> Does any of this look familiar?
Yes, but the only things missing are:
The contents of /etc/krb5.conf
What kdc you used, hopefully Heimdal.
Rowland
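As an added example, not from either message in this thread, here is a small POSIX shell script that checks the three things the reply points at: whether the system iconv knows CP850, whether the passwd and group lines of nsswitch.conf include winbind, and whether a DC smb.conf still carries live 'idmap config' lines. The embedded smb.conf sample is constructed to mirror the one quoted above; the functions read their config from stdin so they can equally be fed the real files.

```shell
#!/bin/sh
# Added example, not from the thread: checks for the three problems discussed
# above. Each function reads a config on stdin, e.g.
#   nsswitch_missing_winbind < /etc/nsswitch.conf
#   dc_idmap_lines < /etc/samba/smb.conf

# Is CP850 (Samba's default 'dos charset') known to the system iconv?
cp850_supported() {
    iconv -l 2>/dev/null | tr 'A-Z' 'a-z' |
        grep -qE '(^|[^0-9a-z])cp850([^0-9a-z]|$)'
}

# Print each of passwd/group whose nsswitch line lacks winbind; status 1 if any.
nsswitch_missing_winbind() {
    conf=$(cat); rc=0
    for db in passwd group; do
        if ! printf '%s\n' "$conf" | grep -E "^[[:space:]]*${db}:" |
             grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'; then
            echo "$db"; rc=1
        fi
    done
    return $rc
}

# On an AD DC, print any uncommented 'idmap config' lines (status 1).
# Status 0 if the role is not a DC or no such lines exist.
dc_idmap_lines() {
    conf=$(cat)
    role=$(printf '%s\n' "$conf" | tr 'A-Z' 'a-z' |
           sed -n 's/^[[:space:]]*server role[[:space:]]*=[[:space:]]*//p' |
           sed 's/[[:space:]]*$//' | head -n 1)
    case "$role" in
        "active directory domain controller"|dc) ;;
        *) return 0 ;;
    esac
    found=$(printf '%s\n' "$conf" | grep -iE '^[[:space:]]*idmap config' || true)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample mirroring the smb.conf posted above (not a real config).
SAMPLE_SMB='[global]
    server role = active directory domain controller
    workgroup = SAMDOM
    # idmap_nss plugin setup:
    idmap config * : backend = tdb
    idmap config * : range = 1000000-3999999
    idmap config SAMBA : backend = nss'
```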