Rowland Penny
2022-Nov-21 07:25 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
On 21/11/2022 06:26, Michael Tokarev via samba wrote:
> 19.11.2022 18:57, Michael Tokarev via samba wrote:
> ..
>> I *think* this is "winbind nss info = rfc2307" setting. With this one,
>> I *have* to configure gidNumbers for every group in the AD. But these
>> groups are *not* propagated into winbindd even after multiple
>> reload-config and net cache flush, some *time* have to pass...
>
> So, the problem was with winbind nss info = rfc2307. And commenting it out
> in smb.conf and doing 'smbcontrol all reload-config' does not change things,
> this is why it took so long to find out. After restarting whole thing, the
> changes do take effect and becomes visible.
>
> It looks like quite some things needs to be changed here.
>
> And it looks like DC mode is significantly different from other modes, where
> many parameters described in the man page work differently, does not work at
> all, or just break other things.
>
> All these little discrepancies, while not bad when is faced independently, when
> happens all together, makes samba to look like very unreliable thing.
>
> /mjt

There are numerous problems with using a Samba AD DC as a fileserver, one of which is that it uses a totally different idmapping system than any other Samba machine. This means that you cannot use any of the parameters that you would use on a Unix domain member. I have seen users attempt to use the 'idmap config' lines, but they usually have no effect, I cannot remember the use of 'winbind nss info' before, but again, the winbind lines mostly have no effect.

The top and bottom of it is, do not use a Samba AD DC as a fileserver, but if you do, do not attempt to set it up like a Unix domain member.

I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29

Rowland
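A lint for the situation described in this message, as an added example that is not part of the original post or of Samba's own tooling: it flags the member-style parameters this thread names ('idmap config', 'winbind nss info') when the [global] section of smb.conf declares the AD DC role. The sample smb.conf, the function names and the parameter list are assumptions made for illustration.

```python
import re

# Member-style parameters named in this thread (assumption: not an exhaustive list).
MEMBER_STYLE = ("idmap config", "winbind nss info")
DC_ROLE = "active directory domain controller"

# Constructed sample smb.conf, for illustration only.
SAMPLE = """\
[global]
    netbios name = DC1
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    ; winbind nss info = template
    winbind nss info = rfc2307
    idmap config SAMDOM : backend = ad
    Idmap  Config SAMDOM : range = 10000-999999

[sysvol]
    path = /var/lib/samba/sysvol
"""

def parse_global(text):
    """Return [(lineno, name, value)] for parameters in the [global] section."""
    params, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace differences in parameter names
            params.append((lineno, " ".join(name.lower().split()), value.strip()))
    return params

def lint_dc_conf(text):
    """On a DC-role config, return the member-style parameters that are set."""
    params = parse_global(text)
    is_dc = any(n == "server role" and v.lower() == DC_ROLE for _, n, v in params)
    if not is_dc:
        return []
    return [(ln, n, v) for ln, n, v in params if n.startswith(MEMBER_STYLE)]

if __name__ == "__main__":
    for lineno, name, value in lint_dc_conf(SAMPLE):
        print(f"line {lineno}: '{name} = {value}' is a domain-member setting on an AD DC")
```

Michael reports in this thread that removing the setting only took effect after a full restart, not after 'smbcontrol all reload-config', so a clean lint result on disk does not by itself show what the running daemons are using.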
Michael Tokarev
2022-Nov-21 07:46 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
21.11.2022 10:25, Rowland Penny via samba wrote:
..
> There are numerous problems with using a Samba AD DC as a fileserver, one of which is that it uses a totally different idmapping system than any other
> Samba machine. This means that you cannot use any of the parameters that you would use on a Unix domain member. I have seen users attempt to use the
> 'idmap config' lines, but they usually have no effect, I cannot remember the use of 'winbind nss info' before, but again, the winbind lines mostly
> have no effect.

This has been repeated a few times, - do not use - but there's no conclusive reason given (to me it looks more like "there are bugs in samba which prevent doing this" - it's a good reason already but it's not given).

> I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29

I've read this many times in recent days and before as well.

Here, I've a domain which is supposed to go into production, replacing an old NT4-style domain. There's just one server in that office. I created a virtual machine for new samba, set up the DC on it, and I need to verify if it works. The most natural thing to do - to me anyway, since I'm not concerned yet about all the disadvantages listed on that WIKI page, - for now it is just a test - when there are just two machines on the domain, the Samba DC and a Win10 client - is to try to access a file share from win on the DC. Because if I install a new VM with a file server on it, I can screw samba on it when joining it to this new domain already, so if win doesn't work with this other file server, it might be due to its own configuration issue. It is the most natural thing to do to verify if win works with the DC first, and install new servers only after it's done. In other words, it's quite natural to do one thing after another, not all together at once.

Besides, for a new file server, I'll need to install yet another VM just for testing, which is a clear and obvious disadvantage.

I'm not arguing here. I'm outlining the "why". And it does not look like I'm alone there, -- it SEEMS like a very natural thing to use the DC as a fileserver despite all the "disadvantages" listed. Because even just one reason: a need to install a VM - might be enough to make this idea (running a DC in a VM) be rejected entirely. (It is not a prob for me, but even for me it required quite some prior research and especially completely changing network configuration on a remote server without remote console access - this *is* not easy).

For this reason, maybe it's a good idea to review the issues which do pop up when one is trying to use Samba DC as a file server, and document the list, maybe fix some of the things in there (like the explorer crashing - it is a well-known bug, https://bugzilla.samba.org/show_bug.cgi?id=14213 ). With this understanding it will be much easier for anyone to see which actual problems are expected and whether he is able to deal with them, and if it really is worth installing a VM.

/mjt
Ingo Asche
2022-Nov-21 08:10 UTC
[Samba] samba crashes windows explorer (while trying to view file permissions)
Hi Rowland,

in my case the DCs are only DCs and the not working shares are located on a Synology NAS. The standard shares of the DCs are working as expected...

By the way Michael, I have similar error messages in my log. I'm wondering about the "Could not convert sid S-0-0: NT_STATUS_NONE_MAPPED". What well-known SID is that? I can't remember such an SID.

Regards
Ingo
https://github.com/WAdama

Rowland Penny via samba wrote on 21.11.2022 at 08:25:
>
> On 21/11/2022 06:26, Michael Tokarev via samba wrote:
>> 19.11.2022 18:57, Michael Tokarev via samba wrote:
>> ..
>>> I *think* this is "winbind nss info = rfc2307" setting. With this one,
>>> I *have* to configure gidNumbers for every group in the AD. But these
>>> groups are *not* propagated into winbindd even after multiple
>>> reload-config and net cache flush, some *time* have to pass...
>>
>> So, the problem was with winbind nss info = rfc2307. And commenting it out
>> in smb.conf and doing 'smbcontrol all reload-config' does not change things,
>> this is why it took so long to find out. After restarting whole thing, the
>> changes do take effect and becomes visible.
>>
>> It looks like quite some things needs to be changed here.
>>
>> And it looks like DC mode is significantly different from other modes, where
>> many parameters described in the man page work differently, does not work at
>> all, or just break other things.
>>
>> All these little discrepancies, while not bad when is faced independently, when
>> happens all together, makes samba to look like very unreliable thing.
>>
>> /mjt
>>
>
> There are numerous problems with using a Samba AD DC as a fileserver,
> one of which is that it uses a totally different idmapping system than
> any other Samba machine. This means that you cannot use any of the
> parameters that you would use on a Unix domain member. I have seen
> users attempt to use the 'idmap config' lines, but they usually have
> no effect, I cannot remember the use of 'winbind nss info' before, but
> again, the winbind lines mostly have no effect.
>
> The top and bottom of it is, do not use a Samba AD DC as a fileserver,
> but if you do, do not attempt to set it up like a Unix domain member.
>
> I suggest you read this:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Using_the_Domain_Controller_as_a_File_Server_.28Optional.29
>
> Rowland
>