Fernando Favero
2016-Feb-15 17:22 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
My smb.conf files.
The OS is a CentOS 7
DC Server 1
-------------------------------
[global]
workgroup = EXAMPLE.COM
realm = campus.example.com
netbios name = DC-SERVER1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
dsdb:schema update allowed = true
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0
log file = /var/log/samba/%m.log
log level = 1
[netlogon]
path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
DC Server 2
-------------------------------
[global]
workgroup = EXAMPLE.COM
realm = campus.example.com
netbios name = DC-SERVER2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
dsdb:schema update allowed = true
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0
log file = /var/log/samba/%m.log
log level = 1
[netlogon]
path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
FileServer1
-------------------------------
[global]
netbios name = FileServer1
server string = FileServer1
security = ADS
workgroup = EXAMPLE.COM
realm = CAMPUS.EXAMPLE.COM
bind interfaces only = yes
interfaces = lo eth0
winbind request timeout = 90
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind max clients = 2000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 1000-50000
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl allow execute always = true
FileServer2
-------------------------------
[global]
netbios name = FileServer2
server string = FileServer2
security = ADS
workgroup = EXAMPLE.COM
realm = CAMPUS.EXAMPLE.COM
bind interfaces only = yes
interfaces = lo eth0
winbind request timeout = 90
log file = /var/log/samba/%m.log
log level = 1
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind max clients = 2000
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
idmap config *:backend = tdb
idmap config *:range = 1000-50000
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl allow execute always = true
On Mon, Feb 15, 2016 at 11:13 AM, Rowland penny <rpenny at samba.org>
wrote:
> On 15/02/16 12:40, Fernando Favero wrote:
>
>> Hello,
>>
>>
>> 3 months ago, I migrated my domain from samba 3.5.2 (NT4 with LDAP) to
>> samba 4.3.1 (compiled from source) following classic upgrade instructions
>> on wiki page. The samba 4.3.1 is using Samba Internal DNS.
>>
>> 20.000 users and 2.800 computers were migrated.
>>
>> After the migration process, I joined 1 new DC server and 2 File Servers
>> to domain.
>>
>> All users can login on domain, but we have some issues.
>>
>>
>> 1 – “wbinfo -u” doesn't show users, but “wbinfo -g” show groups normally
>>
>> 2 – On DC servers, samba process listen ports 135 and 1024 is using 100%
>> of CPU
>>
>> 3 – On DC servers, samba process listen ports 464 and 88 are using ~ 50%
>> of CPU
>>
>> 4 – On File Servers, run a “ls -l” on directories with user/groups
>> permissions from domain is very slow
>>
>> 5 – Sometimes, file servers lost connections to winbind process.
>>
>> wbinfo -t
>>
>> checking the trust secret for domain UEL.BR via RPC calls failed
>>
>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>>
>> Could not check secret
>>
>>
>> I have tried to find what is wrong, but have not found the solution yet.
>>
>>
>> Can someone help me ?
>>
>
> We can certainly try, but it will probably help if you can post your
> smb.conf files from the various Samba machines.
>
> Rowland
>
>
Rowland penny
2016-Feb-15 18:43 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
On 15/02/16 17:22, Fernando Favero wrote:
> My smb.conf files.
> The OS is a CentOS 7
>
> DC Server 1
> -------------------------------
> [global]
> workgroup = EXAMPLE.COM
> realm = campus.example.com
> netbios name = DC-SERVER1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> dsdb:schema update allowed = true
> winbind max clients = 2000
> bind interfaces only = yes
> interfaces = eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> DC Server 2
> -------------------------------
> [global]
> workgroup = EXAMPLE.COM
> realm = campus.example.com
> netbios name = DC-SERVER2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> dsdb:schema update allowed = true
> winbind max clients = 2000
> bind interfaces only = yes
> interfaces = eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> FileServer1
> -------------------------------
> [global]
> netbios name = FileServer1
> server string = FileServer1
> security = ADS
> workgroup = EXAMPLE.COM
> realm = CAMPUS.EXAMPLE.COM
> bind interfaces only = yes
> interfaces = lo eth0
> winbind request timeout = 90
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind max clients = 2000
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000-50000
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> acl allow execute always = true
>
>
> FileServer2
> -------------------------------
> [global]
> netbios name = FileServer2
> server string = FileServer2
> security = ADS
> workgroup = EXAMPLE.COM
> realm = CAMPUS.EXAMPLE.COM
> bind interfaces only = yes
> interfaces = lo eth0
> winbind request timeout = 90
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind max clients = 2000
>
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000-50000
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> acl allow execute always = true
>
>

OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the
workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.

Your idmap config stack is incorrect, you only have settings for the
builtin users & groups, see here for how you should set it up:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow the links on that page for the correct settings.

Rowland
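The two points in the reply above, written as a check over a member server's smb.conf. This is an added example, not code from the thread or from Samba; the function names and the FIXED sample (workgroup EXAMPLE and its ID ranges) are constructed for illustration, and the dot-in-workgroup check encodes the reply's recommendation rather than a Samba rule.

```python
import re
# Key form: "idmap config DOMAIN:option" (smb.conf keys are case-insensitive).
IDMAP_KEY = re.compile(r"idmap\s+config\s+([^:\s]+)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Return (plain options, per-domain idmap options) from [global]."""
    opts, idmap, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            m = IDMAP_KEY.fullmatch(key)
            target = idmap.setdefault(m[1].upper(), {}) if m else opts
            target[(m[2] if m else key).lower()] = value
    return opts, idmap

def check_idmap(text):
    """List problems in a domain member's workgroup and idmap settings."""
    opts, idmap = parse_global(text)
    wg = opts.get("workgroup", "").upper()
    found = [f"workgroup contains a dot: {wg}"] if "." in wg else []
    found += [f"no idmap config for {d}" for d in ("*", wg) if d not in idmap]
    ranges = []
    for dom, cfg in idmap.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", cfg.get("range", ""))
        if "backend" not in cfg or not m:
            found.append(f"idmap config {dom} lacks backend or range")
        else:
            ranges.append((int(m[1]), int(m[2]), dom))
    ranges.sort()  # by range start, so any overlap shows up between neighbours
    for (_, hi, a), (lo, _, b) in zip(ranges, ranges[1:]):
        if lo <= hi:
            found.append(f"idmap ranges overlap: {a} and {b}")
    return found

# POSTED: idmap-related lines of FileServer1 from the thread. FIXED: constructed.
POSTED = """[global]
workgroup = EXAMPLE.COM
idmap config *:backend = tdb
idmap config *:range = 1000-50000
"""
FIXED = """[global]
workgroup = EXAMPLE
idmap config *:backend = tdb
idmap config *:range = 1000-1999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:range = 2000-50000
"""
```

check_idmap(POSTED) reports the dotted workgroup and the missing per-domain entry; check_idmap(FIXED) returns an empty list.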
Fernando Favero
2016-Feb-16 13:46 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
Hi Rowland

> OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the
> workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.
>
>

I understand, but changing the workgroup involves migrating the domain, right?
Or can I simply change the workgroup and restart samba?

> Your idmap config stack is incorrect, you only have settings for the
> builtin users & groups, see here for how you should set it up:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Follow the links on that page for the correct settings.
>
>

ldconfig -v | grep winbind shows "libnss_winbind.so.2 -> libnss_winbind.so.2"

nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

I changed smb.conf in a test environment with the same problem, using the
following parameters.

idmap config *:backend = tdb
idmap config *:range = 1000-1999
idmap config EXAMPLE.COM:range = 2000-50000
idmap config EXAMPLE.COM:backend = ad
idmap config EXAMPLE.COM:schema_mode = rfc2307

getent passwd shows local users only
getent group shows all groups (local and domain)
wbinfo -u shows nothing
wbinfo -g shows all groups (local and domain)

winbindd.log shows the following lines when debug level = 10,

Running "wbinfo -g"
. . .
[2016/02/16 11:29:26.185376, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31101]: request domain name
[2016/02/16 11:29:26.185431, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:29:26.185540, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:29:26.185610, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31101]: domain_info [EXAMPLE.COM]
[2016/02/16 11:29:26.185710, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:29:26.185825, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31101:LIST_GROUPS
[2016/02/16 11:29:26.185866, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups EXAMPLE.COM
[2016/02/16 11:29:26.185920, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
      in: struct wbint_QueryGroupList
[2016/02/16 11:29:26.593525, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
      out: struct wbint_QueryGroupList
          groups : *
              groups: struct wbint_Principals
                  num_principals : 562
                  principals: ARRAY(562)
                      principals: struct wbint_Principal
                          sid : S-1-5-21-1479197986-680052183-3269973696-571
                          type : SID_NAME_DOM_GRP (2)
                          name : *
                              name : 'Allowed RODC Password Replication Group'
                      principals: struct wbint_Principal
                          sid : S-1-5-21-1479197986-680052183-3269973696-498
                          type : SID_NAME_DOM_GRP (2)
                          name : *
                              name : 'Enterprise Read-Only Domain Controllers'
. . .

Running "wbinfo -u"
. . .
[2016/02/16 11:30:07.352308, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31117]: request domain name
[2016/02/16 11:30:07.352368, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:30:07.352428, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:30:07.352452, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31117]: domain_info [EXAMPLE.COM]
[2016/02/16 11:30:07.352526, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:30:07.352648, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31117:LIST_USERS
[2016/02/16 11:30:07.352697, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users EXAMPLE.COM
[2016/02/16 11:30:07.352740, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
      in: struct wbint_QueryUserList
[2016/02/16 11:30:17.465320, 5, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:1132(remove_timed_out_clients)
  Idle client timed out, shutting down sock 33, pid 31053
[2016/02/16 11:31:07.763617, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40c
[2016/02/16 11:31:07.763671, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.763691, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:365(winbind_msg_domain_offline)
  Domain EXAMPLE.COM is marked as offline now.
[2016/02/16 11:31:07.764062, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
      out: struct wbint_QueryUserList
          users : *
              users: struct wbint_userinfos
                  num_userinfos : 0x00000000 (0)
                  userinfos: ARRAY(0)
          result : NT_STATUS_IO_TIMEOUT
[2016/02/16 11:31:07.764138, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
  Domain EXAMPLE.COM returned 0 users
[2016/02/16 11:31:07.764152, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain EXAMPLE.COM failed
[2016/02/16 11:31:07.764167, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[31117:LIST_USERS]: NT_STATUS_OK
[2016/02/16 11:31:07.764222, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:LIST_USERS]: delivered response to client
[2016/02/16 11:31:07.764940, 6, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 35, client exited
[2016/02/16 11:31:07.873705, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40b
[2016/02/16 11:31:07.873752, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40b len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.873775, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:385(winbind_msg_domain_online)
  Domain EXAMPLE.COM is marked as online now.