On 2023-03-29 15:50, Rowland Penny via samba wrote:
>
> On 29/03/2023 20:06, Gary Dale via samba wrote:
>>
>> Following the advice of
>> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation,
>> below the installation report after I did a more thorough purging of
>> Samba-related stuff. I took the further advice and changed the realm
>> to HOME.RAHIM-DALE-ORG. The DC remains TheLibrarian.
>>
>> # apt install acl attr samba samba-dsdb-modules samba-vfs-modules
>> winbind libpam-winbind libnss-win bind krb5-config krb5-user dnsutils
>
> I have updated that list.
>
>>
>> Creating config file /etc/samba/smb.conf with new version
>
> This is why you need to remove the smb.conf, the package install
> creates one for a standalone server.
>
>>
>> The reported errors seem to be due to further configuration being
>> needed for a DC.
>>
>> Next I continued with the wiki at
>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> I have updated that wikipage slightly.
>
>>
>> First I verified that /etc/resolv.conf was correct then I updated
>> /etc/hosts to reflect the new realm name.
>>
>> Next I ran: samba-tool domain provision --use-rfc2307 --interactive
>>
>> This failed with an error:
>>
>> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed
>> - ProvisioningError: guess_names: 'realm =' was not specified in
>> supplied /etc/samba/smb.conf. Please remove the smb.conf file and
>> let provision generate it
>
> I moved the deletion on the wikipage, from where it was, it sounded
> like you only had to remove the smb.conf if the provision had run
> successfully.
>
>>
>> So I removed the smb.conf and ran it again. This time I got:
>>
>> INFO 2023-03-29 15:01:07,831 pid:17352
>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2122:
>> Looking up IPv4 addresses
>> INFO 2023-03-29 15:01:07,832 pid:17352
>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139:
>> Looking up IPv6 addresses
>> WARNING 2023-03-29 15:01:07,833 pid:17352
>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No
>> IPv6 address will be assigned
>> Error: Unable to parse dn
>> 'CN=Schema,CN=Configuration,DC=home,DC=rahim-dale,DC=org,'
>
> I know you updated /etc/hosts, but did the computer pick this up, does
> it think it is in the home.rahim-dale.org dns domain ?

The computer should query /etc/hosts each time. The actual problem was a
typo in the file - I put a comma in when it only allows spaces to
separate the names.

>
>> I'm not sure what is causing this error. The only samba log is named
>> log.%m and it has nothing from the time of running samba-tool either
>> time.
>
> There wouldn't be anything in the logs at this point, Samba hasn't
> started, though thinking about it, did you stop any running Samba
> processes before the provision.
>
> I can assure this does work, to test it, I set up Debian 11 in a VM and
> created a new domain, the only real difference is that I used Samba
> from backports.
>
> I really suggest you use backports, even the Debian Samba maintainer
> (Michael Tokarev) is telling you to use backports.

Backports are for people who need something that the stable version
doesn't provide. That's not me. I run Debian/Stable on my servers for a
reason. I run Testing on my workstation because I want to help test
things. And I run it on my new laptop because it requires drivers that
aren't available in Stable.

Debian does update stable when a serious issue is found that can't be
patched. However that is a vector for breakage - it wasn't that long ago
that an update to ghostscript broke a lot of programs in Stable that used
it to produce PDFs. We had to choose between a security flaw or a lack
of functionality.

I'll wait until Bookworm becomes Stable to get the Samba upgrade.

>
> If it helps I can send you my notes.
>
> Rowland
>

BTW: After I fixed /etc/hosts, removed the /etc/samba/smb.conf and
re-ran provisioning, I was able to start samba. I connected my VM to the
new domain and I have almost everything working (for some reason I've
lost the E: drive letter for network mapping).

Thanks for your help! Greatly appreciated.

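
The failure described in the message above (a comma in /etc/hosts leading to an unparseable DN at provision time) can be caught before running samba-tool. The following pre-flight check is an added example, not part of the original thread; the function names, the sample file contents and the 192.0.2.10 address are constructed. The second function also enforces the Samba wiki's requirement that the DC's FQDN resolves to a LAN address rather than loopback.

```shell
#!/bin/sh
# Added example, not from the thread: lint a hosts file before provisioning.
# Host name and realm are the ones in the thread; addresses are constructed.

# lint_hosts FILE: print each malformed name field; return 1 if any found.
# hosts(5) separates fields with blanks or tabs only; '#' starts a comment.
lint_hosts() {
    awk '
    { sub(/#.*/, "") }                      # strip comment; $0 is re-split
    NF == 1 { printf "line %d: address with no name\n", NR; bad = 1 }
    NF >= 2 {
        for (i = 2; i <= NF; i++)
            if ($i !~ /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/) {
                printf "line %d: bad name field \"%s\"\n", NR, $i
                bad = 1
            }
    }
    END { exit bad + 0 }' "$1"
}

# check_dc_entry FILE SHORTNAME REALM: succeed only if SHORTNAME.realm is
# listed against a non-loopback address.
check_dc_entry() {
    want=$(printf '%s.%s' "$2" "$3" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
    { sub(/#.*/, "") }
    NF >= 2 && $1 !~ /^127\./ && $1 != "::1" {
        for (i = 2; i <= NF; i++) if (tolower($i) == want) found = 1
    }
    END { exit !found }' "$1"
}

# Constructed sample files: one with the comma typo, one corrected.
tmp=$(mktemp -d)
printf '%s\n' '127.0.0.1 localhost' \
    '192.0.2.10 thelibrarian.home.rahim-dale.org, thelibrarian' > "$tmp/bad"
printf '%s\n' '127.0.0.1 localhost' \
    '192.0.2.10 thelibrarian.home.rahim-dale.org thelibrarian' > "$tmp/good"

for f in bad good; do
    if lint_hosts "$tmp/$f" && check_dc_entry "$tmp/$f" thelibrarian HOME.RAHIM-DALE.ORG
    then echo "$f: ok to provision"
    else echo "$f: fix the hosts file first"
    fi
done
```

On a real host the same two functions would be pointed at /etc/hosts, with the short host name and realm intended for the provision.
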
On 30/03/2023 04:28, Gary Dale via samba wrote:
>
> Backports are for people who need something that the stable version
> doesn't provide. That's not me. I run Debian/Stable on my servers for a
> reason. I run Testing on my workstation because I want to help test
> things. And I run it on my new laptop because it requires drivers that
> aren't available in Stable.
>
> Debian does update stable when a serious issue is found that can't be
> patched. However that is a vector for breakage - it wasn't that long ago
> that an update to ghostscript broke a lot of programs in Stable that used
> it to produce PDFs. We had to choose between a security flaw or a lack
> of functionality.
>
> I'll wait until Bookworm becomes Stable to get the Samba upgrade.

Samba is a rapidly evolving thing, blink and you miss something, in my
opinion you need to keep up to date. Debian does, like most distros,
backport Samba patches, but it doesn't backport everything. There was a
large change at Samba 4.16.0, the entire Heimdal was replaced with a
much newer version and if you have any Windows 11 or up to date Windows
10 machines, you are going to need it. I do not think that Debian has
backported that change to the 4.13.x series it provides in the standard
Debian 11 repo, but it is in the 4.17.6 version from backports (which,
as far as I understand, is exactly the same version that Debian 12 will
supply).

It is your computer and you get to decide what you run on it, but when
the Debian Samba maintainer and a member of the Samba team are both
advising using backports, then you may want to wonder why.

Rowland

On 2023-03-29 23:28, Gary Dale via samba wrote:
> On 2023-03-29 15:50, Rowland Penny via samba wrote:
>>
>> On 29/03/2023 20:06, Gary Dale via samba wrote:
>>>
>>> Following the advice of
>>> https://wiki.samba.org/index.php/Distribution-specific_Package_Installation,
>>> below the installation report after I did a more thorough purging of
>>> Samba-related stuff. I took the further advice and changed the realm
>>> to HOME.RAHIM-DALE-ORG. The DC remains TheLibrarian.
>>>
>>> # apt install acl attr samba samba-dsdb-modules samba-vfs-modules
>>> winbind libpam-winbind libnss-win bind krb5-config krb5-user dnsutils
>>
>> I have updated that list.
>>
>>>
>>> Creating config file /etc/samba/smb.conf with new version
>>
>> This is why you need to remove the smb.conf, the package install
>> creates one for a standalone server.
>>
>>>
>>> The reported errors seem to be due to further configuration being
>>> needed for a DC.
>>>
>>> Next I continued with the wiki at
>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>
>> I have updated that wikipage slightly.
>>
>>>
>>> First I verified that /etc/resolv.conf was correct then I updated
>>> /etc/hosts to reflect the new realm name.
>>>
>>> Next I ran: samba-tool domain provision --use-rfc2307 --interactive
>>>
>>> This failed with an error:
>>>
>>> ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed
>>> - ProvisioningError: guess_names: 'realm =' was not specified in
>>> supplied /etc/samba/smb.conf. Please remove the smb.conf file and
>>> let provision generate it
>>
>> I moved the deletion on the wikipage, from where it was, it sounded
>> like you only had to remove the smb.conf if the provision had run
>> successfully.
>>
>>>
>>> So I removed the smb.conf and ran it again. This time I got:
>>>
>>> INFO 2023-03-29 15:01:07,831 pid:17352
>>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2122:
>>> Looking up IPv4 addresses
>>> INFO 2023-03-29 15:01:07,832 pid:17352
>>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2139:
>>> Looking up IPv6 addresses
>>> WARNING 2023-03-29 15:01:07,833 pid:17352
>>> /usr/lib/python3/dist-packages/samba/provision/__init__.py #2146: No
>>> IPv6 address will be assigned
>>> Error: Unable to parse dn
>>> 'CN=Schema,CN=Configuration,DC=home,DC=rahim-dale,DC=org,'
>>
>> I know you updated /etc/hosts, but did the computer pick this up,
>> does it think it is in the home.rahim-dale.org dns domain ?
>
> The computer should query /etc/hosts each time. The actual problem was
> a typo in the file - I put a comma in when it only allows spaces to
> separate the names.
>
>>
>>> I'm not sure what is causing this error. The only samba log is named
>>> log.%m and it has nothing from the time of running samba-tool either
>>> time.
>>
>> There wouldn't be anything in the logs at this point, Samba hasn't
>> started, though thinking about it, did you stop any running Samba
>> processes before the provision.
>>
>> I can assure this does work, to test it, I set up Debian 11 in a VM
>> and created a new domain, the only real difference is that I used
>> Samba from backports.
>>
>> I really suggest you use backports, even the Debian Samba maintainer
>> (Michael Tokarev) is telling you to use backports.
>
> Backports are for people who need something that the stable version
> doesn't provide. That's not me. I run Debian/Stable on my servers for
> a reason. I run Testing on my workstation because I want to help test
> things. And I run it on my new laptop because it requires drivers that
> aren't available in Stable.
>
> Debian does update stable when a serious issue is found that can't be
> patched. However that is a vector for breakage - it wasn't that long
> ago that an update to ghostscript broke a lot of programs in Stable that
> used it to produce PDFs. We had to choose between a security flaw or a
> lack of functionality.
>
> I'll wait until Bookworm becomes Stable to get the Samba upgrade.
>
>>
>> If it helps I can send you my notes.
>>
>> Rowland
>>
> BTW: After I fixed /etc/hosts, removed the /etc/samba/smb.conf and
> re-ran provisioning, I was able to start samba. I connected my VM to
> the new domain and I have almost everything working (for some reason
> I've lost the E: drive letter for network mapping).
>
> Thanks for your help! Greatly appreciated.
>

Actually, I was probably a little optimistic in my assessment. My network
shares are problematic. I tried using
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
to get the shares working but that led me down a rabbit hole.

The basic problem is my Linux computers use NFS to connect to network
shares. If I set up the shares as described in the wiki, my Linux
computers lose access - there doesn't appear to be a mapping between,
for example, "Domain Users" and users.

If I don't set up all the file ownerships to use "Domain Users", my
Windows users can't use them (except for the domain Administrator). And
even going into the security tab on files or folders properties usually
crashes the window - even when I'm logged in as the domain
Administrator.

My first attempt to fix this was to upgrade to the backports version of
Samba since you indicated it might be necessary for an up-to-date
Windows 10 machine. The upgrade had no impact - the problems remain the
same.

In the past this was resolvable by manually mapping the Windows groups
to the Linux ones - and this was working on my server until recently.
However I gather that some change to either Windows or Samba caused that
to stop working.

Any advice on how to proceed?

Thanks.