Web lists-archives.com

Re: [Samba] Odd behavior since upgrading to 4.9.6

----- On Apr 24, 2019, at 2:35 PM, samba samba@xxxxxxxxxxxxxxx wrote:

> On Wed, 24 Apr 2019 14:07:37 -0500 (CDT)
> Mike Ray <mray@xxxxxxxxxxx> wrote:
>> >>         idmap_ldb:use rfc2307 = yes
>> >>         ldap server require strong auth = no
>> >>         netbios name = dc5
>> >>         ntp signd socket directory = /var/run/samba/ntp_signd
>> > 
>> > Is the above different from the output of:
>> > samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>> >   
>>  # samba -b | grep NTP_SIGND_SOCKET_DIR
>>    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>> > If it isn't, you can remove that line, if it is, why ?
>> When getting NTP working on the DCs, I found a blog post
>> (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html)
>> that used the following command to figure out where the socket was:
>> netstat -xpln | grep signd
>> On my DCs, that returns:
>>  # netstat -xpln | grep signd
>> unix  2      [ ACC ]     STREAM     LISTENING     28320
>> 972/samba            /var/run/samba/ntp_signd/socket
>> I set it to allow NTP to function.
> Not sure I understand this, 'samba -b' shows it expects
> '/var/lib/samba/ntp_signed' but your netstat command shows
> '/var/run/samba/ntp_signd'. I have to ask, why is this ?
> I also have to ask why you didn't read the Samba wiki ?

I used both the wiki and that blog post. In the wiki, one of the first lines reads:

Verify the socket permissions on your domain controller (DC). The time daemon must have read permissions in the ntp_signed directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096  1. May 09:30 /usr/local/samba/var/lib/ntp_signd/

My configuration is not rooted under /usr/local/samba but uses the file system directly (e.g. /var/lib/samba). However, instead of just blindly using /var/lib/samba/ntp_signd, I decided I should verify the proper directory (as there was a bunch of other cruft from the old DCs -- and still is as you have seen). That's when I went searching, found the blog and found that it was using /var/run/samba/ntp_signd/. It's probably worth noting that I do not believe I set anything to force it to use that directory -- in fact I changed the option in smb.conf to that value away from /var/lib/samba/ntp_signd AFTER I found it with netstat.

>> >   
>> >>         realm = REALM.COM
>> >>         server role = active directory domain controller
>> >>         workgroup = REALM
>> >>         acl:search = no
>> > 
>> > That is a blast from the past, or to put it another way, it is very
>> > doubtful you need it
>> This is indeed a carry-over from our original DCs. I'll talk to the
>> guy who put it in to have him review it.
> Initially (we are are talking Samba 4.0.x here) there where problems
> that required the line, I see no reason to have it now.

Noted -- thanks!

>> > This is probably to be expected, I mean that it is hardly likely to
>> > print something like 'The re-index is still OK.' ;-)
>> What I meant is that it prints out 54 lines (that line count is
>> stable for now) of the
>> following: ../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute
>> value in <object>, duplicate of <object>
>> And even with repeated runs, it returns that same output.
>> I kind of expected this to function like "samba-tool dbcheck --fix"
>> where after it ran, that output would not happen.
> Do the letters 'DEL' occur in the lines and are they in the 'Deleted
> Objects' container ?
> If so, they are actually tombstones and dbcheck will not fix them.

No, these do not appear to be related to tombstones, but valid and active objects.

> Can you share the output with me ? I may see something you have missed.
> You can send them to me offlist if required.

I'll send it to you offlist.

>> > I think he meant what you did above, join a new DC, either that or
>> > running 'samba-tool drs replicate'
>> Replication occurs automatically in the background, correct?
> It is supposed to, but sometimes it doesn't work that way ;-)
>> I can certainly manually run it, I just don't understand why if
>> "samba-tool drs showrepl" shows no errors -- i.e. it's already
>> getting the database/data, isn't it?
> You can double check with 'samba-tool ldapcmp'

This also runs nightly and has not yet noted any errors since the upgrade (~12 days).

> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba