Linda Walsh
2011-Aug-03 06:59 UTC
[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...
Among various problems since I upgraded to 3.6 (none of which got answered
really, -- so I backgraded to 3.5.10 and started debugging from there,
considering 3.6.0 too unstable/too incompatible for 'whatever' reason...

One of the probs I had was 'root' couldn't use "net rpc" <anything> --
kept getting auth failures.

Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
normal UID could do an rpc user, but didn't have the auth to the
local files to read them (so got no results back).

Steps...
1) add self to group root
2) in /var/lib/samba and /etc/samba:
    find . -gid 0 -print0|xargs -0 chmod g+rw
    find . -gid 0 -type d|xargs -0 chmod g+xs

Then I noted that my 'user' could no longer auth either!
Bonus!

turned on -d10 on net rpc cmd,
Noted, it was trying to look up '*' for a pw server,

'*' doesn't resolve so well on my DNS server.

My domain name does, but it was trying to contact '*' for
a pw server instead of using itself (this used to work before
I tried upgrading to 3.6, FWIW)...

Anyway, explicit hackaround:

added:
    passwd server=localhost

to my smb.conf.

Now the PDC is smart enough to know to look up passwords on
itself rather than going out and looking for '*', which
"wbinfo" REALLY didn't like --

lots of "*" not found messages from wbinfo...

Along with the idmap tdb format becoming incompat, (or maybe that's
the only one involved), apparently during the 'upgrade'[sic],
I didn't get the benefit of '*' added to my wbinfo...

Of course, as noted earlier, my wbinfo also doesn't seem to know about
builtin SID's either .. so am having to add them...

(writing script ...)

</tmp/domsid perl -e 'while (<>) {
    printf "net groupmap add %s",$_;
}
'

/tmp/domsid:
"Administrators" sid="S-1-5-32-544" type=builtin
"Users" sid="S-1-5-32-545" type=builtin
"Domain Controllers" sid="S-1-5-32-516" type=builtin
"Guests" sid="S-1-5-32-546" type=builtin
"Power Users" sid="S-1-5-32-547" type=builtin
"Account Operators" sid="S-1-5-32-552" type=builtin
....

For some reason part of the refrain to the theme from Gilligan's Island
just popped into my head... "As primitive as can be...."

You'd think there'd be a better way, but ...C'est la vie...

linda (always winning friends and influencing people...*cough* (To do what?)...)
Michael Wood
2011-Aug-18 09:15 UTC
[Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...
Hi

On 3 August 2011 08:59, Linda Walsh <samba at tlinx.org> wrote:
> Among various problems since I upgraded to 3.6 (none of which got answered
> really, -- so I backgraded to 3.5.10 and started debugging from there,
> considering 3.6.0 too unstable/too incompatible for 'whatever' reason...
>
> One of the probs I had was 'root' couldn't use "net rpc" <anything> --
> kept getting auth failures.

Was this with 3.6.0 or after you downgraded again to 3.5.10?

> Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
> normal UID could do an rpc user, but didn't have the auth to the
> local files to read them (so got no results back).
>
>
> Steps...
> 1) add self to group root
> 2) in /var/lib/samba and /etc/samba:
>     find . -gid 0 -print0|xargs -0 chmod g+rw
>     find . -gid 0 -type d|xargs -0 chmod g+xs

You're missing a -print0 on the second one there, but I assume that's
just a copy/paste error or something.

> Then I noted that my 'user' could no longer auth either!
> Bonus!
>
> turned on -d10 on net rpc cmd,
> Noted, it was trying to look up '*' for a pw server,
>
> '*' doesn't resolve so well on my DNS server.

What was the actual log message? Did you find out where this '*' was
coming from?

> My domain name does, but it was trying to contact '*' for
> a pw server instead of using itself (this used to work before
> I tried upgrading to 3.6, FWIW)...
>
> Anyway, explicit hackaround:
>
> added:
>     passwd server=localhost
>
> to my smb.conf.
>
> Now the PDC is smart enough to know to look up passwords on
> itself rather than going out and looking for '*', which
> "wbinfo" REALLY didn't like --
>
> lots of "*" not found messages from wbinfo...
>
> Along with the idmap tdb format becoming incompat, (or maybe that's
> the only one involved), apparently during the 'upgrade'[sic],

I'm (obviously) not one of the Samba developers, but it seems unlikely
to me that they would have made the idmap tdb in 3.6 incompatible with
the one in 3.5 unless perhaps there was an automatic upgrade when you
run 3.6. I haven't read the release notes carefully enough, but I
don't remember something like that being mentioned. It would be nice
if one of the Samba developers could clarify this, though :)

> I didn't get the benefit of '*' added to my wbinfo...

I don't understand what you mean by this.

> Of course, as noted earlier, my wbinfo also doesn't seem to know about
> builtin SID's either .. so am having to add them...

That's really weird.

> (writing script ...)
>
> </tmp/domsid perl -e 'while (<>) {
>     printf "net groupmap add %s",$_;
> }
> '

It seems to me that finding out why there are no builtin SIDs might
have been a better idea than manually adding them. But I suppose if
your idmap tdb was suspect then maybe this was indeed the best thing
to do.

> /tmp/domsid:
> "Administrators" sid="S-1-5-32-544" type=builtin
> "Users" sid="S-1-5-32-545" type=builtin
> "Domain Controllers" sid="S-1-5-32-516" type=builtin
> "Guests" sid="S-1-5-32-546" type=builtin
> "Power Users" sid="S-1-5-32-547" type=builtin
> "Account Operators" sid="S-1-5-32-552" type=builtin
> ....

Regards,
Michael

--
Michael Wood <esiotrot at gmail.com>
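
The -print0 mismatch raised in the reply above, as an added example that is not part of either post: it runs both forms of the find | xargs -0 pipeline on a constructed scratch tree and reports how many arguments xargs passes on and how many directories the chmod actually changes. The function names are hypothetical, and a find/xargs pair that supports -mindepth, -print0 and -0 is assumed.

```shell
#!/bin/sh
# Added example on a constructed scratch tree (not /var/lib/samba).
# Function names are hypothetical; assumes find/xargs with -print0 / -0.

# Three directories, mode 0700, one with a space in its name.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -m 700 "$root/private" "$root/lock dir" "$root/printing"
    printf '%s\n' "$root"
}

# Emit the directory list the way the posted commands do.
# $1 = tree root, $2 = "newline" (no -print0) or "nul" (-print0)
list_dirs() {
    if [ "$2" = nul ]; then
        find "$1" -mindepth 1 -type d -print0
    else
        find "$1" -mindepth 1 -type d
    fi
}

# How many separate arguments does xargs -0 hand to its command?
count_xargs_args() {
    list_dirs "$1" "$2" | xargs -0 sh -c 'echo $#' sh
}

# Run the posted chmod, then count directories that gained group-execute.
# Without -print0 the whole listing arrives as one nonexistent path,
# chmod fails, and xargs exits non-zero (hence the "|| true").
dirs_changed() {
    list_dirs "$1" "$2" | xargs -0 chmod g+xs 2>/dev/null || true
    find "$1" -mindepth 1 -type d -perm -0010 | wc -l | tr -d ' '
}

t=$(make_tree)
echo "xargs -0 arguments, find without -print0: $(count_xargs_args "$t" newline)"
echo "directories changed, find without -print0: $(dirs_changed "$t" newline)"
echo "xargs -0 arguments, find with -print0:    $(count_xargs_args "$t" nul)"
echo "directories changed, find with -print0:    $(dirs_changed "$t" nul)"
rm -rf "$t"
```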