I'm not a sysadmin (so I don't have domain admin skills), I'm just coming at this as a user of these (flaky) hosts, but I'll try to answer the questions.

If autorid is an odd/problematic setting, I can pass that info on to the sysadmins. I looked at https://lists.samba.org/archive/samba/2015-May/191544.html (since I don't really know the difference between these settings), but I don't know how many back-end AD servers there are. BTW, *is* the autorid setting potentially problematic?

I'm also not sure how to know if sssd is in use or not, so these are the things I thought to try:

$ systemctl -a | grep '\(smb\|samba\|sssd\|winbind\)'
winbind.service loaded active running Samba Winbind Daemon
$ sssd --help
-bash: sssd: command not found
$ sudo find / -xdev -name 'sssd.conf'
$

On Sat, Sep 1, 2018 at 11:21 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 1 Sep 2018 10:21:17 -0400
> Jamie Jackson <jamiejaxon at gmail.com> wrote:
>
> > Hi Rowland,
> >
> > Here's the info you asked for.
> >
> > $ cat /etc/redhat-release
> > Red Hat Enterprise Linux Server release 7.5 (Maipo)
> > $ smbcontrol --version
> > Version 4.7.1
> >
> > smb.conf:
> > ------------------------------
> >
> > [global]
> > security = ADS
> > realm = REDACTED.WAN
> > encrypt passwords = true
> > workgroup = REDACTED
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind nested groups = yes
> > winbind use default domain = yes
> > winbind refresh tickets = yes
> > idmap config * : backend = autorid
> > idmap config * : range = 1000000-2999999999
> > template homedir = /home/%D/%U
> > template shell = /bin/bash
> > log level = 1
> > debug pid = true
> > max log size = 0
> > nt acl support = Yes
> > map acl inherit = Yes
> > client use spnego = Yes
> > preferred master = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > ## These came from http://www.howtoforge.com/samba_active_directory
> > # socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> > # os level = 20
> > # dns proxy = no
> > # disable netbios = Yes
> > ## Required by infosec to pass scan. Added 10-18-2011 GLS
> > guest account = nobody
> > restrict anonymous = 1
> >
> > #### Debugging/Accounting ####
> >
> > # This tells Samba to use a separate log file for each machine
> > # that connects
> > log file = /var/log/samba/log.%m
> >
> > # Put a capping on the size of the log files (in Kb).
> > # max log size = 1024
> >
> > # We want Samba to log a minimum amount of information to syslog. Everything
> > # should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
> > # through syslog you should set the following parameter to something higher.
> > syslog = 0
> >
> > # Do something sensible when Samba crashes: mail the admin a backtrace
> > panic action = /usr/share/samba/panic-action %d
> > ------------------------------
>
> Is there some reason for using the autorid backend ?
> Most people use the 'ad' or 'rid' backend.
> Are you also using sssd ?
>
> You are running Samba as a Unix domain member, so I expect your machine
> is joined to the domain.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Sat, 1 Sep 2018 12:39:53 -0400 Jamie Jackson <jamiejaxon at gmail.com> wrote:

> I'm not a sysadmin (so I don't have domain admin skills), I'm just
> coming at this as a user of these (flaky) hosts, but I'll try to
> answer the questions.
>
> If autorid is an odd/problematic setting, I can pass that info on to
> the sysadmins. I looked at
> https://lists.samba.org/archive/samba/2015-May/191544.html (since I
> don't really know the difference between these settings), but I don't
> know how many back-end AD servers there are. BTW, *is* the autorid
> setting potentially problematic?

It shouldn't be a problem, but I have never used it and I think it has more place in a setup with multiple domains.
There are a few different backends, but the main ones are 'ad', 'rid' and 'autorid'.

The first ('ad') requires adding rfc2307 attributes to AD.
The other two don't; they calculate the Unix IDs from domain RIDs.
You can find more info here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

> I'm also not sure how to know if sssd is in use or not, so these are
> the things I thought to try:
>
> $ systemctl -a | grep '\(smb\|samba\|sssd\|winbind\)'
> winbind.service
> loaded active running
> Samba Winbind Daemon
> $ sssd --help
> -bash: sssd: command not found
> $ sudo find / -xdev -name 'sssd.conf'
> $
>

No, it looks like sssd isn't installed, which is a good thing as it has its own version of some of the winbind libs and these could have been interfering with winbind.

What is the DC(s) ?

I think you need to increase the log level in smb.conf, try changing the '0' to '3' and see if anything pops out.

Rowland

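The RID-based calculation described above for 'rid' and 'autorid', as an added example that is not part of the thread and is not Samba's code: a simplified Python model using the formula documented for idmap_rid and autorid's default rangesize of 100000 with the range from the posted smb.conf. The domain names DOMA/DOMB, RID 1105, the rid range 10000-999999 and the plain first-seen slot allocation are assumptions made for illustration.

```python
# Added illustration: simplified model of idmap_rid and idmap_autorid.
# Domain names, RIDs and the rid range used here are constructed sample values.

RANGESIZE = 100000       # autorid default "rangesize"
AUTORID_LOW = 1000000    # low end of "idmap config * : range" in the posted smb.conf
AUTORID_HIGH = 2999999999


def rid_to_unix_id(rid, low, high, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID; unmappable outside the range."""
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError(f"RID {rid} maps outside {low}-{high}")
    return unix_id


class AutoridModel:
    """One rangesize-wide slot per (domain, rid // rangesize), in first-seen order."""

    def __init__(self, low=AUTORID_LOW, high=AUTORID_HIGH, rangesize=RANGESIZE):
        self.low = low
        self.rangesize = rangesize
        self.max_ranges = (high - low + 1) // rangesize
        self.slots = {}  # stands in for the member's local autorid database

    def to_unix_id(self, domain, rid):
        key = (domain, rid // self.rangesize)
        if key not in self.slots:
            if len(self.slots) >= self.max_ranges:
                raise RuntimeError("no free ranges left")
            self.slots[key] = len(self.slots)  # assumption: next free slot
        return self.low + self.slots[key] * self.rangesize + rid % self.rangesize


def compare_members():
    """Two members that first see the same two domains in a different order."""
    member_a, member_b = AutoridModel(), AutoridModel()
    member_a.to_unix_id("DOMA", 1105)
    member_a.to_unix_id("DOMB", 1105)
    member_b.to_unix_id("DOMB", 1105)
    member_b.to_unix_id("DOMA", 1105)
    return member_a.to_unix_id("DOMA", 1105), member_b.to_unix_id("DOMA", 1105)


if __name__ == "__main__":
    print("rid backend:", rid_to_unix_id(1105, 10000, 999999))
    print("autorid ranges available:", AutoridModel().max_ranges)
    print("same user on two members:", compare_members())
```

In this model a single domain always lands in the same slot, while with two domains the Unix ID for the same account depends on which domain a member saw first, which matters when file ownership has to agree across hosts.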
On Sat, Sep 1, 2018 at 1:06 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sat, 1 Sep 2018 12:39:53 -0400
> Jamie Jackson <jamiejaxon at gmail.com> wrote:
>
> > I'm not a sysadmin (so I don't have domain admin skills), I'm just
> > coming at this as a user of these (flaky) hosts, but I'll try to
> > answer the questions.
> >
> > If autorid is an odd/problematic setting, I can pass that info on to
> > the sysadmins. I looked at
> > https://lists.samba.org/archive/samba/2015-May/191544.html (since I
> > don't really know the difference between these settings), but I don't
> > know how many back-end AD servers there are. BTW, *is* the autorid
> > setting potentially problematic?
>
> It shouldn't be a problem, but I have never used it and I think it has
> more place in a setup with multiple domains.
> There are a few different backends, but the main ones are 'ad', 'rid'
> and 'autorid'.
>
> The first ('ad') requires adding rfc2307 attributes to AD.
> The other two don't; they calculate the Unix IDs from domain RIDs.
> You can find more info here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> > I'm also not sure how to know if sssd is in use or not, so these are
> > the things I thought to try:
> >
> > $ systemctl -a | grep '\(smb\|samba\|sssd\|winbind\)'
> > winbind.service
> > loaded active running
> > Samba Winbind Daemon
> > $ sssd --help
> > -bash: sssd: command not found
> > $ sudo find / -xdev -name 'sssd.conf'
> > $
> >
>
> No, it looks like sssd isn't installed, which is a good thing as it has
> its own version of some of the winbind libs and these could have been
> interfering with winbind.
>
> What is the DC(s) ?

It (they?) is/are Windows Active Directory, but let me know if you need more info than that.
(I'm not sure how to look that up in config files, but I could ask the sysadmins on Monday.)

> I think you need to increase the log level in smb.conf, try changing
> the '0' to '3' and see if anything pops out.
>

Would it be preferable to bump up `log level = 1` to 3 or `syslog = 0` to 3?

> Rowland