Web lists-archives.com

Re: [Samba] Samba AD - Issue with winbindd: Could not write result




Please see inline comments.

On Fri, 23 Jun 2017 07:09:47 +0200
Marco Coli <marco.coli@xxxxxxxxxxxxxxx> wrote:

> cat /etc/resolv.conf
> # Generated by NetworkManager
> search niccolai.local
> nameserver 10.0.0.253

Only thing wrong there is that you may be using the '.local' domain
(unless it is has been changed to hide the real domain). If it is the
real domain, remove Avahi if it is installed.

> ----
> [root@nic-mail ~]# cat /etc/hostname
> nic-mail
> ----
> [root@nic-mail ~]# cat /etc/hosts
> 10.0.0.253      nic-mail mail.niccolaitrafile.it nic-server-mail 
> nic-mail.niccolai.local nic-server-mail.niccolai.local 
> sogo.niccolaitrafile.it
> 127.0.0.1   localhost localhost.localdomain localhost4 
> localhost4.localdomain4
> ::1         localhost localhost.localdomain localhost6 
> localhost6.localdomain6

Why does red-hat do things the wrong way round to other OS's ?

I would change it to this:

10.0.0.253 nic-mail.niccolai.local nic-mail
10.0.0.? mail.niccolaitrafile.it mail
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

Create a virtual network interface for the '10.0.0.?' address and
assign a 'IP'. Create a CNAME record for nic-server-mail to
nic-mail.niccolai.local, create a CNAME record for sogo to
'mail.niccolaitrafile.it'

> ____
> 
> [root@nic-mail ~]# cat /etc/named.conf
> include "/etc/rndc.key";
> # include "/var/lib/samba/private/named.conf";
> include "/etc/named.conf.samba";
> 
> //
> // named.conf for Red Hat caching-nameserver
> //
> 
> options {
>          directory "/var/named";
>          dump-file "/var/named/data/cache_dump.db";
>          statistics-file "/var/named/data/named_stats.txt";
>          /*
>           * If there is a firewall between you and nameservers you
> want
>           * to talk to, you might need to uncomment the query-source
>           * directive below.  Previous versions of BIND always asked
>           * questions using port 53, but BIND 8.1 uses an unprivileged
>           * port by default.
>           */
>          tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>           // query-source address * port 53;
> //        forward first;
> //        forwarders {
> //              8.8.8.8;
> //              8.8.4.4;
> #                151.99.125.2;
> #               151.99.250.2;
> #                213.92.5.54;
> #                194.185.88.5;
> #                151.99.125.3;
>   //               };
> 
> };
> 

Uncomment the 'forwarders' lines, I would just use the Google ones.
 
> //
> // a caching only nameserver config
> //
> controls {
>          inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };
> 
> zone "." IN {
>          type hint;
>          file "named.ca";
> };
> 
> zone "localdomain" IN {
>          type master;
>          file "localdomain.zone";
>          allow-update { none; };
> };
> 
> zone "localhost" IN {
>          type master;
>          file "localhost.zone";
>          allow-update { none; };
> };
> 
> zone "0.0.127.in-addr.arpa" IN {
>          type master;
>          file "named.local";
>          allow-update { none; };
> };
> 
> zone 
> "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" 
> IN {
>          type master;
>          file "named.ip6.local";
>          allow-update { none; };
> };
> 
> //zone "255.in-addr.arpa" IN {
> //      type master;
> //      file "named.broadcast";
> //      allow-update { none; };
> // };
> 
> //zone "0.in-addr.arpa" IN {
> //      type master;
> //      file "named.zero";
> //      allow-update { none; };
> //};
> 
> #zone "niccolai" IN {
> #        type master;
> #        file "niccolai";
> #        allow-update { key "rndckey" ; };
> ##        allow-transfer { 10.0.0.19; };
> ##        notify yes;
> #};
> #zone "10.in-addr.arpa" IN {
> #        type master;
> #        file "10.in-addr.arpa";
> #        allow-update { key "rndckey" ; };
> ##        allow-transfer { 10.0.0.19; };
> ##        notify yes;
> #};
> 
> zone "niccolai.homelinux.org" IN {
>         type master;
>          file "homelinux";
>          allow-update { none; };
> #        allow-transfer { 10.0.0.19; };
>          notify yes;
> };

Remove the above zone, you do not seem to be using it.

> 
> zone "niccolaitrafile.it" IN {
>         type master;
>          file "niccolaitrafile.it";
>          allow-update { none; };
> #        allow-transfer { 10.0.0.19; };
> #        notify yes;
> };
> --------
> [root@nic-mail ~]# cat /etc/named.conf.
> named.conf.DISTRIB  named.conf.rpmnew   named.conf.samba
> [root@nic-mail ~]# cat /etc/named.conf.samba
> # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen
> support. #
> # This file should be included in your main BIND configuration file
> #
> # For example with
> # include "/var/lib/samba4/private/named.conf";
> 
> #
> # This configures dynamically loadable zones (DLZ) from AD schema
> # Uncomment only single database line, depending on your BIND version
> #
> dlz "AD DNS Zone" {
> #dlz "niccolai.local" {
>      # For BIND 9.8.0
>      # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";
> 
>      # For BIND 9.9.0
>       database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
> };
> 
> ----
> 
> [root@nic-mail ~]# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>          workgroup = NICCOLAI
>          realm = niccolai.local
>          netbios name = NIC-MAIL
>          server role = active directory domain controller
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbind, ntp_signd, kcc, dnsupdate
> #       idmap_ldb:use rfc2307 = yes

Uncomment the above line, you need it.

>          interfaces = 127.0.0.1 10.0.0.253
>          bind interfaces only = yes
>          unix extensions = yes
>          allow insecure wide links = Yes
>          # Inseriti per evitare blocco per troppi files aperti
> #       deadtime = 20
> #       max open files = 490000
>          socket options = TCP_NODELAY SO_KEEPALIVE TCP_KEEPIDLE=120 
> TCP_KEEPINTVL=10 TCP_KEEPCNT=5

You should let Samba set the above line for you.

>          ldap server require strong auth = no
> # Aggiunto da TT 13/6
> ##        client use spnego = no
> ##       client ntlmv2 auth = no
> ##        client ipc max protocol = NT1
> # Aggiunto da TT 19/6
> ##      client ldap sasl wrapping = plain
> 
> [netlogon]
>          path = /var/lib/samba/sysvol/niccolai.local/scripts
>          read only = No
> 
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> 
> [profiles]
>          path = /archivi/samba/profiles
>          read only = no
> 
> [dati]
>          comment = Directory di lavoro
>          path = /archivi/samba/dati
>          read only = no
>          wide links = yes
> 
> [Com]
>          comment= Commesse
>          path = /archivi/samba/dbcommesse
>          read only = No
>          public = yes
>          wide links = yes
> 
> [Scambio]
>          comment= Scambio
>          path = /archivi/samba/scambio
>          read only = No
>          writeable = yes
> 
> [Acquisti]
>          path = /archivi/samba/acquisti
>          read only = No
>          wide links = yes
> 
> [Commerciale]
>          path = /archivi/samba/commerciale
>          read only = no
>          wide links = yes
> 
> [Contabilita]
>          path = /archivi/samba/contabilita
>          read only = no
> 
> [Tecnico]
>          path = /archivi/samba/tecnico
>          read only = no
> 
> [Amministrazione]
>          path = /archivi/samba/amministrazione
>          read only = no
> 
> [Info$]
>          path = /archivi/samba/informatica
>          read only = no
>          wide links = yes
> 
> [manuali]
>          path = /archivi/samba/manuali
>          read only = no
>          wide links = yes
> 
> [officina]
>          path = /archivi/samba/officina
>          read only = no
> 
> [magazzino_inserti]
>          path = /archivi/samba/MAGAZZINO_INSERTI
>          read only = no
> 
> [Foto]
>          path = /archivi/samba/foto
>          read only = no
>          wide links = yes
> 
> [Contenit]
>          path = /archivi/samba/contenitori
>          read only = no
>          wide links = yes
> 
> #[Backup]
> #        path = /BACKUP
> #        browseable = yes
> #       read only = no
> #        read only = yes
> #       vfs objects = acl_xattr
> 
> [Collaudo]
>          path = /archivi/samba/collaudo
>          read only = no
> #       vfs objects = acl_xattr
> 
> [Certificati_conformita]
>          path = /archivi/samba/certificati_conformita
>          read only = no
> 
> [Manuali_Macchine]
>          path = /archivi/samba/MANUALI_MACCHINE
>          read only = no
>          wide links = yes
> 
> [Deployment]
>          path = /archivi/samba/DEPLOYMENT
>          read only = no
>          guest ok = yes
> 
> -----
> [root@nic-mail ~]# cat /etc/krb5.conf
> [libdefaults]
>          default_realm = NICCOLAI.LOCAL
>          dns_lookup_realm = false
>          dns_lookup_kdc = true
> 
> 
> After some hours the services are down,  the output of wbinfo -u
> becomes empty, and some weird login/share problems begin.
> If I restart the services (systemctl restart sernet-samba-ad ) all is
> ok.
> 
> It worked flawlessy for years, until 15 days ago... The server is 
> updated with latest kernel and latest samba:
> [root@nic-mail ~]# uname -a
> Linux nic-mail 3.10.0-514.21.2.el7.x86_64 #1 SMP Sun May 28 17:08:21
> EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
> [root@nic-mail ~]# rpm -qa |grep samba
> sernet-samba-libsmbclient0-4.6.5-8.el7.x86_64
> sernet-samba-4.6.5-8.el7.x86_64
> sernet-samba-libs-4.6.5-8.el7.x86_64
> sernet-samba-common-4.6.5-8.el7.x86_64
> sernet-samba-client-4.6.5-8.el7.x86_64
> sernet-samba-ad-4.6.5-8.el7.x86_64
> sernet-samba-winbind-4.6.5-8.el7.x86_64
> 
> Thank you!

I no longer use the Sernet packages, but can you check if there are any
other Sernet Samba packages available (Debian has one called
samba-dsdb-modules) and install them.

I am not saying that the changes I suggest will cure your problem, but
the should not make anything worse either.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba