I have set up samba 4.2.x as an AD DC in a linux container. This is a privileged container. I am using the bridging interface and have bound samba to the specific interface I want.

As an ADDC it is working great.

Now I go to the linux host, and created a samba 4.2 file server. I was able to join it to the domain. I followed the member server instructions at https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server .

There were a couple of things that were confusing. Since I am installing on an ubuntu 14 LTS server I followed the debian side of the instructions.

Instructions for starting the daemons are given at https://wiki.samba.org/index.php/Samba4/InitScript. Towards the end of the wiki we were given instructions for both an init.d script and an upstart configuration file. I have grabbed the init.d/ script, made the modifications to point things to /usr/local/samba installation -- and when I run it, nothing happens. So I start samba using sbin/samba and the daemons start.

However at the tail end of my log file I see

    [2015/06/09 19:22:16.752250, 0] ../source4/smbd/server.c:475(binary_smbd_main)
      At this time the 'samba' binary should only be used for either:
      'server role = active directory domain controller' or to access the ntvfs file server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint servers = remote'
      You should start smbd/nmbd/winbindd instead for domain member and standalone file server tasks
    [2015/06/09 19:22:16.752314, 0] ../lib/util/become_daemon.c:111(exit_daemon)
      STATUS=daemon failed to start: Samba detected misconfigured 'server role' and exited. Check logs for details, error code 22

Since I followed the member server how to -- I am wondering if something there is left out?

Here's my smb.conf

    /usr/local/samba# less etc/smb.conf
    [global]

    netbios name = srv1
    workgroup = INTERNAL
    security = ADS
    realm = INTNERAL.XCITY.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config IN:backend = ad
    idmap config IN:schema_mode = rfc2307
    idmap config IN:range = 10000-99999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes

    bind interfaces only = yes
    interfaces = em1
    log level = 5
    log file = /usr/local/samba/var/log.%m

----
which matches the how to.

So there seems to be something missing from the how to.

Any suggestions?
Also the %m macro expansion fails for the log file. It actually calls the log file %m...

On 10/06/15 03:26, David Bear wrote:
> [...]
> which matches the how to.
>
> So there seems to be something missing from the how to.
>
> Any suggestions?
> Also the %m macro expansion fails for the log file. It actually calls the
> log file %m...

Nope, there is nothing missing from the member server howto, it tells you what samba processes to start (smbd, nmbd and winbind). You should only start the samba process on an AD DC.

The problem seems to be that the wiki init script page only seems to have a script to start smbd & nmbd (it's at the bottom of the page) and there isn't one for winbind.

The easiest way to get the required init scripts is to download the samba package with 'apt-get download samba', unpack it (the easiest way is to browse to the deb and right click it and select 'Extract here'). Now browse into the directory that will be created

    ~/samba_2%3a4.1.6+dfsg-1ubuntu2.14.04.7_amd64/etc/init.d

You should find 4 files, you want 3 of them, the one you don't want is 'samba-ad-dc'.

Open each of the required files in your favourite editor and change the paths to point to your samba binaries, save the file and then move it to /etc/init.d/

Rowland

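The rule from the log message and Rowland's reply (run 'samba' only for 'server role = active directory domain controller', otherwise run smbd, nmbd and winbindd), as an added example that is not part of the original thread or of the Samba project's scripts. The function names global_param and daemons_for are hypothetical, the two sample configs are constructed, and the ntvfs and rpc proxy exceptions named in the log message are not handled.

```shell
#!/bin/sh
# Added example: choose which Samba daemons to start from smb.conf.

# Print the value of a [global] parameter; the name is matched
# case-insensitively and the last setting in the file wins.
global_param() {  # usage: global_param FILE "param name"
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/   { s = tolower($0); gsub(/[ \t]/, "", s)
                        in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) found = val
        }
        END { print found }
    ' "$1"
}

# Print the daemons that belong to the configured role.
daemons_for() {  # usage: daemons_for FILE
    role=$(global_param "$1" "server role" | tr 'A-Z' 'a-z')
    case "$role" in
        "active directory domain controller") echo "samba" ;;
        *) echo "smbd nmbd winbindd" ;;   # member or standalone server
    esac
}

# Constructed sample configs: a domain member (no server role set,
# security = ADS as in the posted smb.conf) and an AD DC.
demo_dir=$(mktemp -d)
printf '[global]\n  workgroup = INTERNAL\n  security = ADS\n' \
    > "$demo_dir/member.conf"
printf '[global]\n  Server Role = active directory domain controller\n' \
    > "$demo_dir/dc.conf"

echo "member.conf: start $(daemons_for "$demo_dir/member.conf")"
echo "dc.conf:     start $(daemons_for "$demo_dir/dc.conf")"
```
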
Thanks Rowland -- will attempt to pull the startup script from the deb package.

Just to clarify, when starting samba as an AD DC, we use the samba-ad-dc script, when starting samba as a file server only, we need a script that only starts smbd, nmbd, and winbind?

On Wed, Jun 10, 2015 at 12:59 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 10/06/15 03:26, David Bear wrote:
>> [...]
>
> Nope, there is nothing missing from the member server howto, it tells you
> what samba processes to start (smbd, nmbd and winbind). You should only
> start the samba process on an AD DC.
>
> The problem seems to be that the wiki init script page only seems to have
> a script to start smbd & nmbd (it's at the bottom of the page) and there
> isn't one for winbind.
>
> The easiest way to get the required init scripts is to download the samba
> package with 'apt-get download samba', unpack it (the easiest way is to
> browse to the deb and right click it and select 'Extract here'). Now browse
> into the directory that will be created
> ~/samba_2%3a4.1.6+dfsg-1ubuntu2.14.04.7_amd64/etc/init.d
> You should find 4 files, you want 3 of them, the one you don't want is
> 'samba-ad-dc'
> Open each of the required files in your favourite editor and change the
> paths to point to your samba binaries, save the file and then move it to
> /etc/init.d/
>
> Rowland

--
David Bear