Web lists-archives.com

Re: [Samba] Debugging Samba is a total PITA and this needs to improve




Hai, 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens Sven 
> Schwedas via samba
> Verzonden: dinsdag 21 mei 2019 15:04
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] Debugging Samba is a total PITA and 
> this needs to improve
> 
> On 21.05.19 14:37, L.P.H. van Belle via samba wrote:
> > winbind enum users = yes
> > winbind enum groups = yes
> > Better no, works the same, but your server is faster. 
> 
> Since Cyrus IMAPD cannot query LDAP for group memberships, we 
> need this to make shared folders work with groups on our mail servers. 
> Useless on this machine, yes, but w/e, we're not seeing any performance issues.
Huh... Doesn't this work something like : you can put this in idmap.conf 

https://www.cyrusimap.org/imap/reference/manpages/configs/imapd.conf.html

ldap_group_base: dc=example,dc=com
ldap_group_filter: (&(cn=%u)(objectclass=WhatYOUneed)(objectclass=Someother))
ldap_group_scope: sub
ldap_member_method: attribute
ldap_member_attribute: mail


> 
> > You see this note from the script: 
> > Running as Unix domain member and no user.map detected. 
> > 
> > Where is you user mapping? You dont use SePrivileges? 
> > Now its not wrong and possible to run it without, but it is 
> much more work to setup correctly for this. 
> 
> Where's this documented?
https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting


> 
> > And.. You still on 4.5.16, yes, possible, but why do you 
> think i make newer packages. 
> 
> If updating Samba didn't have a tendency to lead to breakages, I'd just
> chuck it into the daily auto updates. But since debugging breakages is
> just too painful, I'd rather not touch it.

Do you believe if i say that i run unattended upgrades on 90% of my servers including kernels and automated reboots. 
Only 2 servers not both database servers, i do these manualy. 

If you keep you smb.conf clean, autoupgrades are much better, and latest versions of samba ignore wrong/predicated settings. 
Which helps also. Really, once your in samba 4.8 4.9 or 4.10 your life gets easier.

> 
> > Windows and it updates are moving fast
> 
> Sure, but not really relevant here, since the member server broke
> authentication for all client OSes, not just Windows clients. 
> `smbclient
> -L //localhost` and `wbinfo -a` are just as broken on that 
> member server.

smbclient -L //localhost ????  Come on...  
I'm always amazed how a "localhost" test is compaired with a client (remote) test. 
Again , localhost =! Hostname 

smbclient -L //hostname.fdqn 
smbclient -L //hostname

Thats a test...  Again what did i say in the previous mail. 

It all begins with correct resolving..    
smbclient -L //localhost << works yes..  But correct, in my optinion not. 

> 
> Didn't notice that until after my first email, since it just  so happened
> that the user /accounts/ affected were all using Windows PCs when they
> noticed the problem.
> 
> > Now, last question, on the pc with the "unable to authenticate", any windows event id's with warning/errors? 
> > You probley looked at that already?? Or not? 
> 
> No error message other than that. Network logons to DCs work fine too,
> as do logons to other member servers.
> 
> > man smb.conf /log level   ( + hit 5x n ) and your at the 
> log level point.  ;-) 
> > That shows this example : 
> > log level = 1 full_audit:1@/var/log/audit.log
> 
> full_audit doesn't exist for 4.5. ;)

Ah yeah.. this also make it harder for us to help. 
Now i suggest, upgrade, your using an "by samba" unsupported version. 
See: https://wiki.samba.org/index.php/Samba_Release_Planning 

> 
> > Date: Tue, 22 May 2018 15:44:36 +0000
> > - Dynamic DNS updates with GSS-TSIG against Microsoft or 
> samba DNS servers are not working and fails with the 
> following error: ; TSIG error ...
> > https://bugzilla.samba.org/show_bug.cgi?id=13019  samba 4.7 
> and lower. 
> > 
> > You really want to try my packages.. ;-) 
> > And in your case, update steps, 4.8, and stay there if you 
> want to switch to Buster then 4.9.5 
> 
> Given that DRS replication and DNS are so broken, what'd be the best
> approach for that? Nuke all DCs except the FSMO role holder, 
> update that
> one, then add new DCs? Or just export all LDAP data and start 
> over from  a clean 4.10 setup?

I dont think its broken, i think its functioning wrong due to wrong settings. 
Yes, clean setup is nice but not needed really. 

Make sure you review and have smb.conf adjusted to the version of samba your willing to run. 
Review: https://wiki.samba.org/index.php/Updating_Samba 


Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba