samba - Nov 2022 - several offices: home dirs, local resources, ...

On 22-11-2022 17:07, Michael Tokarev via samba wrote:
> 22.11.2022 17:52, Rowland Penny via samba wrote:
>>
>>
>> On 22/11/2022 14:20, Michael Tokarev wrote:
>>>>>>
>>>>
>>>> In another post, you mentioned 'unbound', are you aware
that your
>>>> choices for a dns server in relation to a Samba AD DC are just
two
>>>> ? Samba's internal dns server or the Bind9 dns server. Yes
you can
>>>> use a different dns server, but only as a forwarder, anything
for
>>>> the AD dns domain must be forwarded to an AD DC, any AD DC,
they
>>>> are all authoritative for the AD dns domain.
>>>
>>> This is a bit too broad. Samba does not require its nameservers to 
>>> be autoritative
>>> for the zone.
>>
>> Sorry, but yes they do.
>
> Even microsoft does not have this requiriment, - that dns must be hosted
> by the AD.? And they allow static DNS configuration too (without dynamic
> DNS updates), as far as I can see.
>
> Where this requirement comes from?
>
>>> ??It requires (actually AD requires as you correctly
>>> mentioned) certain
>>> DNS records to be present and maintained.? The list of records
samba
>>> register in
>>> DNS is available in /var/lib/samba/private/dns_update_cache 
>>> ((re)generated by
>>> samba_dnsupdate from ../dns_update_list).? These names don't
change
>>> with time, -
>>> once put into DNS they can stay there, there's no need to
update them.
>>>
>>> All the names listed in there are registered in our DNS.
>>
>> There have been numerous others that have thought like yourself, they 
>> have all had problems.
>
> I don't know that. And I'm asking for particular reasons, just like
with
> using DC as a file server, -- only after countless attempts to ask why
> this is so, Kees van Vloten finally gave some light there: the fileserver
> operations in source4 is not implemented completely.? But it took several
> dozens of emails and questions, before such a simple answer has been 
> given.
>
>> Why do you think Samba went to all the trouble of writing their own 
>> dns server and also writing the code (along with Bind) to connect the 
>> Bind9 server to Samba AD ?
>
> Because for many people adding dns records required for AD is difficult,
> it is much better for small setups if things can work out of the box.
>
>>> Samba only support 2 nameservers (named and samba internal) for 
>>> registering names
>>> *automatically*. But it is not mandatory to *use* one of these 2 
>>> nameservers,
>>> provided all the names are in the DNS.
>>
>> Yes it is and you can use multiple nameservers in bind9
>
> Yes it is what?
>
> Once data is in Bind or in Samba internal DNS, it can be fetched from 
> there
> and managed by other nameservers. Or is this data so specific to samba
> that no other standard DNS servers can handle it? If so, what is the 
> problem,
> what is so non-standard in that data which makes it unsuitable for other
> nameservers?
>
>>>> You also mention above 'maybe samba should not do
that', well you
>>>> could write that as 'maybe Active Directory should not do
that'.
>>>
>>> I was referring to Kees's statement.? Samba registers itself as
a
>>> FILE server for
>>> a domain (with sysvol).? If the file server is non-functional,
samba
>>> should not do
>>> that, instead, another samba server (which *is* able to work as a 
>>> file server)
>>> should take these functions.
>>
>> You can use a Samba DC as a fileserver, you just have to be aware of 
>> the limitations, one of which is that you must set the permissions 
>> from Windows.
>
> Which permissions I have to set for a read-only DFS-root share which 
> serves
> only 2 folder referrals?? Why it works out of the box without setting any
> permissions, what I'm doing wrong?
>
>>>> Active directory is built on three things, DNS, Kerberos and
LDAP.
>>>> The last two depend on the first.
>>>
>>> Yes. Working DNS is a must.? Here I'm 100% sure DNS works
correctly.
>>
>> Not from my perspective, but you do it your way and I will stick to 
>> mine.
>
> What do you think I'm missing?? I even dumped the content of the
internal
> samba dns server, - it matches exactly the stuff which I've added 
> manually.
> Which other magic non-standard entries are there which I don't see and
> which cause other nameservers to be unable to serve this zone? Please
> tell me, I'm confused, I really am.
>
>>> Unlike with all
>>> the issues people reporting all around the globe, - I do know how 
>>> things work and
>>> that there's no hidden movement behind my back which breaks
stuff.
>>>
>>>> I have never used systemd containers, do they allow
'root' to
>>>> operate exactly as if it was a full blown computer ? If they
don't,
>>>> then that could be your problem.
>>>
>>> "Exactly" is again a too broad term. For example, root
user in a
>>> container usually is
>>> not allowed to change host clock or reboot host.
>>>
>>> Which problem you're talking about, exactly? 
>>
>> The ability for root to have the same capabilities as if it was a 
>> totally separate OS.
>
> This is never the case in any container, including lxc and anything 
> else. Root in
> a container can have a set of necessary privileges (eg, full control 
> over container-
> specific network stack) but not all which is available on the host. I 
> highly doubt
> samba uses every capability a regular root on the host has, - it does 
> not use lots
> of syscalls for which their own special capabilities are needed.
>
> But still, which _problem_ you're talking about?? You said:
>
> ?I have never used systemd containers, do they allow 'root' to
operate
> exactly
> ?as if it was a full blown computer ? If they don't, then that could 
> be your problem.
>
> I don't see any problem with running samba in a container.? All 
> problems I see is
> due to lack of information about samba which I ask again and again and 
> again from
> different angles but still unable to get.
>
>>> Inability to register the same SPN for
>>> another server? 
>>
>> That is an Active directory thing, all SPN's must be unique.
>>
>>> Or samba DC not working as a file server?
>>
>> As I said, you can use A Samba AD DC as a fileserver, it just isn't
a
>> good idea.
>
> In this case why samba4 uses iself as a file server? Where is the 
> logic, if it
> is not a good idea, it should delegate its sysvol thing to something 
> which
> *is* good as a fileserver, no?
>
>>>> Have you investigated using a GPO for your profiles problem ?
>>>
>>> Yes. It doesn't work either, at least I can't find a way to
do that.
>>>
>>> There are 2 problems: a) having the same "fs" name for a
*local*
>>> fileserver, its own
>>> in every site/office.? and b) having user profiles stored in a 
>>> site-specific (not
>>> user-specific) file server. Solving a) will automatically solve b).
>>>
>>> I can't find a way to solve a) with GPO.
>>>
>>> Attempt to solve at least b): I can set GPO for a client machine to
>>> always require
>>> user profiles to be stored on a certain server. But this breaks 
>>> local adminsitrator
>>> account (in case of emergency needs) - since it can't find this
>>> profile on the
>>> "forced" server.? Or I can configure profile path
per-user - but it
>>> must be per-site.
>>
>> Your problem isn't a Samba problem per se, it is an Active
Directory
>> problem, you would have the same problem if you were using Windows
DC's.
>
> Sure. And I'm trying to solve it somehow.? If it were samba's
internal
> DNS (or windows dns for that matter) it were unsolvable.? Now I do have
> a working solution finally, it seems, - with site-specific CNAME records
> overriding commonly-used names like "fs", - it finally appears to
work.
>
> But I still really wish to understand:
>
> 1. which magic invisible DNS records are there which are required by 
> Samba which
> ? I can't see in its internal DNS, and
>
> 2. why samba4 offers SYSVOL *file* share when using it as a file 
> server is not
> ?a good idea, why not use reglar non-dc samba server for it?
SYSVOL is a special share which must be on the DC (and so is the 
netlogon share). You should take care of replications of the files 
yourself, the DC replication does not handle. The wiki describes 
multiple solutions to get it done (I am using the osync method with 
works well for my situation). Permissions on the SYSVOL share are very 
critical, if not exactly right Windows will not be able to pick up GPOs 
properly for example.

samba-tool can reset the permissions in case they got messed up.
>
> 3. what problem we're talking about?
>
> Thanks,
>
> /mjt
>

22.11.2022 19:46, Kees van Vloten via samba wrote:
>> 2. why samba4 offers SYSVOL *file* share when using it as a file server
is not
>> ?a good idea, why not use reglar non-dc samba server for it?
> 
> SYSVOL is a special share which must be on the DC (and so is the netlogon
share). You should take care of replications of the files yourself, the DC
> replication does not handle. The wiki describes multiple solutions to get
it done (I am using the osync method with works well for my situation).
> Permissions on the SYSVOL share are very critical, if not exactly right
Windows will not be able to pick up GPOs properly for example.
> 
> samba-tool can reset the permissions in case they got messed up.
Sometimes I don't understand which language we're using.

I do know full well that the sysvol replication is not implemented and should
be done externally (got that yesterday when, after adding a new DC, users
complained their usual drive letters wern't mapped because I forgot to
replicate
GPO in sysvol).  I know what wiki describes, I corrected quite some data there
already and have other corrections too.  I know about permissions of SYSVOL,
and I know more: permissions of SYSVOL (actually ACLs) should match *local*
idmap.db file, which should be replicated too but it is not mentioned in
the wiki.  I know well about sysvolreset and sysvolcheck too, -- found it
the hard way, used them many times.

But how it all is related to my question?

I asked why, if a source4 fileserver is not operational, why it is used for
sysvol share instead of some other fileserver?  And if, despite all the claims
by you and Rowland in this thread (you both claimed using a fileserver in
source4 is not a good idea), it is actually is good enough to serve SYSVOL
share, why it is ALSO not good enough to serve single read-only MSDFS-root
share with 2 files within?

How all the sysvol permission and replication stuff answers to this question?

And now I really wonder: am I asking something fantastically stupid, illogical,
random, or maybe I'm phrasing my question in somehow difficult to understand
form, - why my question can't be understood, how *else* can I rephrase it?

And now, for fun side, once you mention sysvolcheck and sysvolreset stuff,
here's another twist:

svdcp:/# samba-tool ntacl sysvolcheck
svdcp:/# samba-tool ntacl sysvolreset
svdcp:/# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/tls.msk.ru/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
443, in run
     provision.checksysvolacl(samdb, netlogon, sysvol,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1876, in checksysvolacl
     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1826, in check_gpos_acl
     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
line 1769, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
expected value %s from GPO object' % (acl_type(direct_db_access), path,
fsacl_sddl, acl))

(This is a "second" DC).  So the permissions WERE okay after an rsync
from
"primary" DC.  And sysvolcheck reported no errors. So one might thing
sysvolreset will be a no-op - nope. After sysvolreset, sysvolcheck reports
errors, and no other sysvolreset fixes them. Only after another resync from
primary (which transfers ACLs too) sysvolcheck is quiet again.  This is
one more thing for me to debug, maybe it's idmap.tdb again (mentioned above
already), maybe something else, - it's not important by now.  Just another
fun data point in the new context you mentioned..

Thanks,

/mjt

>
>
> (I tried to hack DNS for this, with unbound, - it turned out their
> local-data override does not provide CNAMEs; when I asked about
> this, they told to use AD-provided functionality for this, - which
> I'm trying to implement, so far unsuccessfully).

Unbound should be able to functionally do this with local-data overrides,
though I may not have the proper syntax for it.  (I use it on pfSense, with
only a few "custom options" specified to override a target's A
record.
Perhaps this is the difference in syntax, and why they do not provide true
CNAMEs.).  DNSMasq will do it as well, and is super easy to configure, but
much less capable.

I mean, site1 already have FS name registred. I also want site2 to
register
> this name (in their location). But this fails, when adding
> ServicePrincipalName
> due to unique constraint.  Without adding an SPN for "fs", the
member
> server
> fails to autenticate:

I've never inspected client tickets when doing this.  I always considered
"\\<shortname>" and "\\<cname>" would be the
same, eventually resolving to
"\\<ip-address>".  Doing a bit of further reading, MS clients
would (used
to?) default to NTLM when mounting SMB shares via IP address.

But I think the problem is that "fs" is probably already a registered
SPN
(and a Computer record) in your directory?  Is that the correct hostname?
I have unique hostnames, but "fs" (or "shares" in my case)
is already and
_only_ a CNAME, with no SPNs created.  Apparently, MS doesn't use SPNs for
CNAMEs, but does require a registration for the A record behind it.
https://serverfault.com/a/1050818


Kris Lou
klou at themusiclink.net
>
>