Vladimir Skubriev
2018-Feb-20 06:19 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
Sure.
```
[global]
# NOTE(review): this is the smb.conf as it was posted to the list. Lines
# marked NOTE(review) are reviewer annotations, not part of the original mail.
workgroup = EXAMPLE
# NOTE(review): the next line looks like two settings ("server string" and
# "dns proxy = no") merged by the archive; the quoted copy later in this
# thread shows them on separate lines.
server string dns proxy = no
interfaces = eth0
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 1000
# new options
# NOTE(review): raised for troubleshooting. High log levels are verbose and
# record account and directory details, so lower this again once the fault is
# found.
log level = 5
netbios name = FILES
#panic action = /usr/share/samba/panic-action %d
server role = STANDALONE SERVER
local master = no
security = user
encrypt passwords = true
#passdb backend = tdbsam
#obey pam restrictions = yes
# NOTE(review): plain ldap:// URL. Together with "ldap ssl = no" below, the
# bind as "ldap admin dn" and the account lookups presumably cross the network
# unencrypted. Confirm the LDAP server is on a trusted segment, or use
# ldaps:// or "ldap ssl = start tls".
passdb backend = ldapsam:"ldap://ldap/"
# NOTE(review): the reply later in this thread identifies these two options as
# the cause of the crash. They make Samba expect a PDC-style LDAP tree, which a
# standalone server does not have.
ldapsam:trusted=yes
ldapsam:editposix=yes
# Don't forget to update ldap admin password
# use smbpasswd -w
# NOTE(review): smbpasswd -w stores that password in Samba's secrets.tdb, so
# keep the file readable by root only. Samba can modify directory entries with
# this account, so grant it only the LDAP write access it needs.
ldap admin dn = cn=smbadmadmin,ou=users,dc=example,dc=in
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap user suffix = ou=users
ldap suffix = dc=example,dc=in
# One of the general params!!!
# NOTE(review): disables transport encryption for the LDAP connection; see the
# note on "passdb backend" above.
ldap ssl = no
#ldap debug level = 1
#ldap debug level = 10
idmap config FILES : backend = ldap
idmap config FILES : range = 5000-999999
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
# NOTE(review): with "bad user", a login with an unknown user name is treated
# as a guest session instead of being rejected. No share in this listing sets
# "guest ok", and [public] restricts access with "valid users".
map to guest = bad user
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# TODO
# Add some performance
socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072
use sendfile = true
# For work with mac clients same as linux/windows clients (as permissions
forcing by smb server)
# NOTE(review): the line above is the wrapped tail of the preceding comment and
# has lost its leading "#" in the archive.
# ISSUE #1564
unix extensions = no
[public]
comment = Internal share for file exchange
path = /public
browseable = yes
read only = no
valid users = @"all", @"dirs"
# NOTE(review): the next line looks like an empty "read list" and
# "write list = @"all"" merged by the archive; the quoted copy later in this
# thread shows them on separate lines.
read list write list = @"all"
# NOTE(review): members of an "admin users" group perform all file operations
# on the share as root, regardless of file ownership and permissions. Keep
# this group as small as possible.
admin users = @"dirs"
force create mode = 0660
force directory mode = 0660
# for mac users and if sgid bit is omitted somewhere at older folder
force group = all
# for access markup folder outside of common
# NOTE(review): "wide links = yes" lets the server follow symlinks that point
# outside /public, and it takes effect here because "unix extensions = no" is
# set above. Whoever can create symlinks on the server's filesystem therefore
# decides what else this share exposes. Review this together with
# "admin users".
follow symlinks = yes
wide links = yes
```
When I commented out the `panic action` line, the number of segfaulting
processes dropped to one.
Now smbd exits on the following step:
```
Primary group is 0 and contains 0 supplementary groups
smbldap_search_ext: base => [sambaDomainName=FILES,dc=example,dc=in],
filter => [(objectClass=sambaDomain)], scope => [0]
smbldap_modify: dn => [sambaDomainName=FILES,dc=example,dc=in]
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
==============================================================INTERNAL ERROR:
Signal 11 in pid 9974 (4.7.5)
Please read the Trouble-Shooting section of the Samba HOWTO
==============================================================PANIC (pid 9974):
internal error
BACKTRACE: 49 stack frames:
#0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f)
[0x7f0dc796a64b]
#1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f0dc796a49c]
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f0dc9e1139f]
#3 /usr/local/samba/lib/libsamba-util.so.0(+0x2107d) [0x7f0dc9e1107d]
#4 /usr/local/samba/lib/libsamba-util.so.0(+0x21092) [0x7f0dc9e11092]
```
I also tried stracing smbd. There is some trace log:
```
fcntl(22, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=28064,
l_len=1}) = 0
fcntl(22, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=28064,
l_len=1}) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 473048526}) = 0
write(1, "smbldap_search_ext: base => [sam"..., 123) = 123
clock_gettime(CLOCK_BOOTTIME, {84255, 473252973}) = 0
rt_sigaction(SIGALRM, {0x7f0dbfabd4ee, [ALRM], SA_RESTORER,
0x7f0dca289390}, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0
alarm(16) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 473497017}) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 473578560}) = 0
write(13, "0r\2\1\21cm\4'sambaDomainName=EXAMPLE,d"..., 116) = 116
poll([{fd=13, events=POLLIN|POLLPRI}], 1, 15000) = 1 ([{fd=13,
revents=POLLIN}])
read(13, "00\2\1\21d+\4", 8) = 8
read(13, "'sambaDomainName=EXAMPLE,dc=exampl"..., 42) = 42
poll([{fd=13, events=POLLIN|POLLPRI}], 1, 14999) = 1 ([{fd=13,
revents=POLLIN}])
read(13, "0\f\2\1\21e\7\n", 8) = 8
read(13, "\1\0\4\0\4\0", 6) = 6
alarm(0) = 16
rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390},
{0x7f0dbfabd4ee, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 474889992}) = 0
write(1, "smbldap_modify: dn => [sambaDoma"..., 64) = 64
clock_gettime(CLOCK_BOOTTIME, {84255, 475117112}) = 0
rt_sigaction(SIGALRM, {0x7f0dbfabd4ee, [ALRM], SA_RESTORER,
0x7f0dca289390}, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0
alarm(16) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 475357737}) = 0
clock_gettime(CLOCK_BOOTTIME, {84255, 475443054}) = 0
write(13, "0S\2\1\22fN\4'sambaDomainName=EXAMPLE,d"..., 85) = 85
poll([{fd=13, events=POLLIN|POLLPRI}], 1, -1) = 1 ([{fd=13,
revents=POLLIN}])
read(13, "0\f\2\1\22g\7\n", 8) = 8
read(13, "\0012\4\0\4\0", 6) = 6
alarm(0) = 16
rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390},
{0x7f0dbfabd4ee, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0
geteuid() = 0
getegid() = 0
setgroups(0, []) = 0
setresgid(-1, 0, -1) = 0
getegid() = 0
setresuid(0, 0, -1) = 0
geteuid() = 0
getegid() = 0
geteuid() = 0
write(1, "pop_sec_ctx (0, 0) - sec_ctx_sta"..., 43) = 43
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} ---
write(1, "================================"..., 64) = 64
write(1, "INTERNAL ERROR: Signal 11 in pid"..., 46) = 46
write(1, "Please read the Trouble-Shooting"..., 60) = 60
write(1, "================================"..., 64) = 64
write(1, "PANIC (pid 9974): internal error"..., 33) = 33
```
Hope this can help.
2018-02-19 15:04 GMT+03:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Mon, 19 Feb 2018 14:49:48 +0300
> Vladimir Skubriev via samba <samba at lists.samba.org> wrote:
>
> > Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend
> > ldapsam
> >
> > Hi.
> >
> > I tried to migrate my storage(smb) server to more newer version, but
> > faced with 'segfaults", after(in progress) client authenticating,
> > when samba tries to start a new smbd instance (as i understand). I
> > saw client authentication success, which interrupts in following
> > places:
> >
> > In case with 4.3.11+dfsg-0ubuntu0.16.04.12 from ubuntu xenial there is
> > error in
> > `/usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0(log_
> stack_trace+0x1a)
> > [0x7f2bc30a17aa]`
> >
> > In case with 4.7.5-1 from .../stable/samba-4.7.5.tar.gz there is
> > error in `/usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f)
> > [0x7f111922a64b]`
> >
> > What should be my further actions?
> >
> > As described in logs: "Please read the Trouble-Shooting section of the
> > Samba HOWTO". I would like to avoid a deep debugging.
> >
> > I would like to solve the problem more easily than to do an in-depth
> > analysis.
> >
> > Thank you for your help.
> >
>
> Bit hard to say what the problem could be from what you have posted,
> can you post your smb.conf?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
--
Faithfully yours,
CVision Lab System Administrator
Vladimir Skubriev
Vladimir Skubriev
2018-Feb-20 10:29 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
I got more information after setting the log level to 10:
```
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 3
push_conn_ctx(0) : conn_ctx_stack_ndx = 2
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 3
Security token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
Adding cache entry with key=[ACCT_POL/password history] and timeout=[Thu Jan 1 03:00:00 AM 1970 MSK] (-1519122085 seconds in the past)
ldapsam_get_account_policy_from_ldap
smbldap_search_ext: base => [sambaDomainName=EXAMPLE,dc=example,dc=in], filter => [(objectClass=sambaDomain)], scope => [0]
ldapsam_get_account_policy: failed to retrieve from ldap
ldapsam_set_account_policy_in_ldap
smbldap_modify: dn => [sambaDomainName=EXAMPLE,dc=example,dc=in]
Failed to modify dn: sambaDomainName=EXAMPLE,dc=example,dc=in, error: 50 (Insufficient access) (unknown)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2
attribute sambaBadPasswordCount does not exist
attribute sambaBadPasswordTime does not exist
attribute sambaLogonHours does not exist
attribute gecos does not exist
==============================================================
INTERNAL ERROR: Signal 11 in pid 10426 (4.7.5)
Please read the Trouble-Shooting section of the Samba HOWTO
==============================================================
PANIC (pid 10426): internal error
BACKTRACE: 49 stack frames:
#0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) [0x7f478e94264b]
#1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) [0x7f478e94249c]
#2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) [0x7f4790de939f]
#3 /usr/local/samba/lib/libsamba-util.so.0(+0x2107d) [0x7f4790de907d]
```
2018-02-20 9:19 GMT+03:00 Vladimir Skubriev <skubriev at cvisionlab.com>:
> Sure.
> > ``` > [global] > > workgroup = EXAMPLE > server string > dns proxy = no > > interfaces = eth0 > bind interfaces only = yes > > log file = /var/log/samba/log.%m > max log size = 1000 > > # new options > log level = 5 > netbios name = FILES > #panic action = /usr/share/samba/panic-action %d > server role = STANDALONE SERVER > > local master = no > > security = user > encrypt passwords = true > > #passdb backend = tdbsam > #obey pam restrictions = yes > passdb backend = ldapsam:"ldap://ldap/" > ldapsam:trusted=yes > ldapsam:editposix=yes > > # Don't forget to update ldap admin password > # use smbpasswd -w > ldap admin dn = cn=smbadmadmin,ou=users,dc=example,dc=in > ldap group suffix = ou=groups > ldap idmap suffix = ou=idmap > ldap machine suffix = ou=computers > ldap user suffix = ou=users > ldap suffix = dc=example,dc=in > > # One of the general params!!! > ldap ssl = no > #ldap debug level = 1 > #ldap debug level = 10 > > idmap config FILES : backend = ldap > idmap config FILES : range = 5000-999999 > > > # This option controls how unsuccessful authentication attempts are mapped > # to anonymous connections > map to guest = bad user > > load printers = no > printing = bsd > printcap name = /dev/null > disable spoolss = yes > > # TODO > # Add some performance > > socket options = TCP_NODELAY SO_RCVBUF=131072 SO_SNDBUF=131072 > use sendfile = true > > # For work with mac clients same as linux/windows clients (as permissions > forcing by smb server) > # ISSUE #1564 > unix extensions = no > > [public] > comment = Internal share for file exchange > path = /public > browseable = yes > read only = no > valid users = @"all", @"dirs" > read list > write list = @"all" > admin users = @"dirs" > force create mode = 0660 > force directory mode = 0660 > > # for mac users and if sgid bit is ommited somewhere at older folder > force group = all > > # for access markup folder outside of common > follow symlinks = yes > wide links = yes > ``` > > When I am commented this 
`#panic action`. It's decreased number of > segfaults processes to one process. > > Now smbd exits on the following step: > > ``` > Primary group is 0 and contains 0 supplementary groups > smbldap_search_ext: base => [sambaDomainName=FILES,dc=example,dc=in], > filter => [(objectClass=sambaDomain)], scope => [0] > smbldap_modify: dn => [sambaDomainName=FILES,dc=example,dc=in] > pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 2 > ==============================================================> INTERNAL ERROR: Signal 11 in pid 9974 (4.7.5) > Please read the Trouble-Shooting section of the Samba HOWTO > ==============================================================> PANIC (pid 9974): internal error > BACKTRACE: 49 stack frames: > #0 /usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) > [0x7f0dc796a64b] > #1 /usr/local/samba/lib/libsmbconf.so.0(smb_panic_s3+0x6d) > [0x7f0dc796a49c] > #2 /usr/local/samba/lib/libsamba-util.so.0(smb_panic+0x28) > [0x7f0dc9e1139f] > #3 /usr/local/samba/lib/libsamba-util.so.0(+0x2107d) [0x7f0dc9e1107d] > #4 /usr/local/samba/lib/libsamba-util.so.0(+0x21092) [0x7f0dc9e11092] > ``` > > I also tried stracing smbd. 
There is some trace log: > > ``` > fcntl(22, F_SETLKW, {l_type=F_RDLCK, l_whence=SEEK_SET, l_start=28064, > l_len=1}) = 0 > fcntl(22, F_SETLKW, {l_type=F_UNLCK, l_whence=SEEK_SET, l_start=28064, > l_len=1}) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 473048526}) = 0 > write(1, "smbldap_search_ext: base => [sam"..., 123) = 123 > clock_gettime(CLOCK_BOOTTIME, {84255, 473252973}) = 0 > rt_sigaction(SIGALRM, {0x7f0dbfabd4ee, [ALRM], SA_RESTORER, > 0x7f0dca289390}, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0 > alarm(16) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 473497017}) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 473578560}) = 0 > write(13, "0r\2\1\21cm\4'sambaDomainName=EXAMPLE,d"..., 116) = 116 > poll([{fd=13, events=POLLIN|POLLPRI}], 1, 15000) = 1 ([{fd=13, > revents=POLLIN}]) > read(13, "00\2\1\21d+\4", 8) = 8 > read(13, "'sambaDomainName=EXAMPLE,dc=exampl"..., 42) = 42 > poll([{fd=13, events=POLLIN|POLLPRI}], 1, 14999) = 1 ([{fd=13, > revents=POLLIN}]) > read(13, "0\f\2\1\21e\7\n", 8) = 8 > read(13, "\1\0\4\0\4\0", 6) = 6 > alarm(0) = 16 > rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, > {0x7f0dbfabd4ee, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 474889992}) = 0 > write(1, "smbldap_modify: dn => [sambaDoma"..., 64) = 64 > clock_gettime(CLOCK_BOOTTIME, {84255, 475117112}) = 0 > rt_sigaction(SIGALRM, {0x7f0dbfabd4ee, [ALRM], SA_RESTORER, > 0x7f0dca289390}, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, 8) = 0 > alarm(16) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 475357737}) = 0 > clock_gettime(CLOCK_BOOTTIME, {84255, 475443054}) = 0 > write(13, "0S\2\1\22fN\4'sambaDomainName=EXAMPLE,d"..., 85) = 85 > poll([{fd=13, events=POLLIN|POLLPRI}], 1, -1) = 1 ([{fd=13, > revents=POLLIN}]) > read(13, "0\f\2\1\22g\7\n", 8) = 8 > read(13, "\0012\4\0\4\0", 6) = 6 > alarm(0) = 16 > rt_sigaction(SIGALRM, {SIG_IGN, [ALRM], SA_RESTORER, 0x7f0dca289390}, > {0x7f0dbfabd4ee, [ALRM], SA_RESTORER, 
0x7f0dca289390}, 8) = 0 > geteuid() = 0 > getegid() = 0 > setgroups(0, []) = 0 > setresgid(-1, 0, -1) = 0 > getegid() = 0 > setresuid(0, 0, -1) = 0 > geteuid() = 0 > getegid() = 0 > geteuid() = 0 > write(1, "pop_sec_ctx (0, 0) - sec_ctx_sta"..., 43) = 43 > --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0} --- > write(1, "================================"..., 64) = 64 > write(1, "INTERNAL ERROR: Signal 11 in pid"..., 46) = 46 > write(1, "Please read the Trouble-Shooting"..., 60) = 60 > write(1, "================================"..., 64) = 64 > write(1, "PANIC (pid 9974): internal error"..., 33) = 33 > ``` > > Hope this can help. > > 2018-02-19 15:04 GMT+03:00 Rowland Penny via samba <samba at lists.samba.org> > : > >> On Mon, 19 Feb 2018 14:49:48 +0300 >> Vladimir Skubriev via samba <samba at lists.samba.org> wrote: >> >> > Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend >> > ldapsam >> > >> > Hi. >> > >> > I tried to migrate my storage(smb) server to more newer version, but >> > faced with 'segfaults", after(in progress) client authenticating, >> > when samba tries to start a new smbd instance (as i understand). I >> > saw client authentication success, which interrupts in following >> > places: >> > >> > In case with 4.3.11+dfsg-0ubuntu0.16.04.12 from ubuntu xenial there is >> > error in >> > `/usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0(log_sta >> ck_trace+0x1a) >> > [0x7f2bc30a17aa]` >> > >> > In case with 4.7.5-1 from .../stable/samba-4.7.5.tar.gz there is >> > error in `/usr/local/samba/lib/libsmbconf.so.0(log_stack_trace+0x1f) >> > [0x7f111922a64b]` >> > >> > What should be my further actions? >> > >> > As described in logs: "Please read the Trouble-Shooting section of the >> > Samba HOWTO". I would like to avoid a deep debugging. >> > >> > I would like to solve the problem more easily than to do an in-depth >> > analysis. >> > >> > Thank you for your help. 
>> > >> >> Bit hard to say what the problem could be from what you have posted, >> can you post your smb.conf? >> >> Rowland >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > > > > -- > Faithfully yours, > > CVision Lab System Administrator > Vladimir Skubriev > >-- Faithfully yours, CVision Lab System Administrator Vladimir Skubriev
Rowland Penny
2018-Feb-20 11:25 UTC
[Samba] Migration from 3.6.25-0ubuntu0.12.04.10 to 4.x with passdb backend = ldapsam
On Tue, 20 Feb 2018 13:29:56 +0300 Vladimir Skubriev via samba <samba at lists.samba.org> wrote:
> > ```
> > [global]
> >
> > workgroup = EXAMPLE
> > server string
> > dns proxy = no
> >
> > interfaces = eth0
> > bind interfaces only = yes
> >
> > log file = /var/log/samba/log.%m
> > max log size = 1000
> >
> > # new options
> > log level = 5
> > netbios name = FILES
> > #panic action = /usr/share/samba/panic-action %d
> > server role = STANDALONE SERVER
> >
> > local master = no
> >
> > security = user
> > encrypt passwords = true
> >
> > #passdb backend = tdbsam
> > #obey pam restrictions = yes
> > passdb backend = ldapsam:"ldap://ldap/"
> > ldapsam:trusted=yes
> > ldapsam:editposix=yes
> >

OK, took a bit of time, but I think I understand what your problem is: you want a standalone server with an ldap backend, BUT you have these lines in smb.conf:

ldapsam:editposix = yes
ldapsam:trusted = yes

These lines make Samba expect ldap to be set up as a PDC; it expects 'Domain Users' etc. to exist, which they won't on a standalone server.

See here for an ldap/standalone server:

http://lapsz.eu/blog/2013/09/04/standalone-samba-server-with-ldap-authentication/

Rowland