John R. Graham
2024-Nov-13 20:19 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/12/24 09:35, Rowland Penny via samba wrote:
> If you are using Debian, just install the libpam-winbind and
> libnss-winbind packages, open /etc/nsswitch.conf in your favourite
> editor and ensure that the passwd & group lines contain 'winbind'.
>
> Rowland

It's Gentoo so I'm setting it up myself, which is fine, but I've messed up something apparently. This is an AD/DC setup, by the way.

In the process of setting up winbind, I've created a situation that I don't know how to get out of. Lots of (but not all) routine samba-tool commands are throwing fatal errors now. For instance,

ceres ~ # samba-tool dns query ceres samdom.example.com @ ALL
dos charset 'CP850' unavailable - using ASCII
convert_string_talloc: Conversion not supported.
ndr_pull_charset: ndr_pull_error(Character Conversion Error): Bad character conversion at ../../librpc/ndr/ndr_string.c:703
Failed to bind to uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa for ncacn_ip_tcp:192.168.123.250[135,target_hostname=ceres,abstract_syntax=e1af8308-5d1f-11c9-91a4-08002b14a0fa/0x00000003,localaddress=192.168.123.250] NT_STATUS_INVALID_PARAMETER

I get the CP850 warning whether or not the nls_cp580 module is loaded.

Simultaneously, the $(wbinfo -u) command is reporting no users, which is causing trouble for the dhcp-dyndns.sh script.

My /etc/nsswitch.conf looks like:

# In alphabetical order. Re-order as required to optimize performance.
aliases:    files
ethers:     files
group:      files winbind
gshadow:    files
hosts:      files dns
# Allow initgroups to default to the setting for group.
# initgroups: files
netgroup:   files
networks:   files dns
passwd:     files winbind
protocols:  files
publickey:  files
rpc:        files
shadow:     files
services:   files

My /etc/samba/smb.conf looks like:

# Global parameters
[global]
    dns forwarder = 8.8.8.8 75.75.75.75
    netbios name = CERES
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    kerberos method = secrets and keytab
    winbind refresh tickets = yes
    ldap server require strong auth = no
    unix charset = LOCALE
    # username map = /etc/samba/smbusers
    log level = 1

    # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

    # Winbindd setup for shares:
    # template shell = /bin/bash
    # template homedir = /home/%U

    # idmap_nss plugin setup:
    idmap config * : backend = tdb
    idmap config * : range = 1000000-3999999

    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No

Does any of this look familiar?

- John
Rowland Penny
2024-Nov-13 20:54 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On Wed, 13 Nov 2024 15:19:22 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/12/24 09:35, Rowland Penny via samba wrote:
>> If you are using Debian, just install the libpam-winbind and
>> libnss-winbind packages, open /etc/nsswitch.conf in your favourite
>> editor and ensure that the passwd & group lines contain 'winbind'.
>>
>> Rowland
>
> It's Gentoo so I'm setting it up myself, which is fine, but I've
> messed up something apparently. This is an AD/DC setup, by the way.

It has been years since I last used Gentoo. I gave up on it because, even though it gives you total control, it also requires everything being built, and I found that turned into taking more time than actually using the OS, but everyone is different.

> In the process of setting up winbind,

How have you set up winbind, did you do something similar to this:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links

> I've created a situation that
> I don't know how to get out of. Lots of (but not all) routine
> samba-tool commands are throwing fatal errors now. For instance,
>
> ceres ~ # samba-tool dns query ceres samdom.example.com @ ALL
> dos charset 'CP850' unavailable - using ASCII

It looks like you do not have whatever supplies 'CP850' on Gentoo installed.

> convert_string_talloc: Conversion not supported.
> ndr_pull_charset: ndr_pull_error(Character Conversion Error): Bad
> character conversion at ../../librpc/ndr/ndr_string.c:703
> Failed to bind to uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa for
> ncacn_ip_tcp:192.168.123.250[135,target_hostname=ceres,abstract_syntax=e1af8308-5d1f-11c9-91a4-08002b14a0fa/0x00000003,localaddress=192.168.123.250]
> NT_STATUS_INVALID_PARAMETER
>
> I get the CP850 warning whether or not the nls_cp580 module is loaded.

When you built Samba, did you read these wiki pages:
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba/Building_Samba_on_Gentoo

> Simultaneously, the $(wbinfo -u) command is reporting no users, which
> is causing trouble for the dhcp-dyndns.sh script.

That isn't good, wbinfo should work without the winbind links, it goes direct to AD.

> My /etc/nsswitch.conf looks like:
>
> # In alphabetical order. Re-order as required to optimize performance.
> aliases:    files
> ethers:     files
> group:      files winbind
> gshadow:    files
> hosts:      files dns
> # Allow initgroups to default to the setting for group.
> # initgroups: files
> netgroup:   files
> networks:   files dns
> passwd:     files winbind
> protocols:  files
> publickey:  files
> rpc:        files
> shadow:     files
> services:   files

That should work, provided the winbind links are set up correctly.

> My /etc/samba/smb.conf looks like:
>
> # Global parameters
> [global]
>     dns forwarder = 8.8.8.8 75.75.75.75
>     netbios name = CERES
>     realm = SAMDOM.EXAMPLE.COM
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     kerberos method = secrets and keytab
>     winbind refresh tickets = yes
>     ldap server require strong auth = no
>     unix charset = LOCALE

Fix the CP850 problem and you will not require the 'unix charset' line.

>     # username map = /etc/samba/smbusers

It is good that the username map line is commented out, it is never used on a DC.

>     log level = 1
>
>     # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
>     # Winbindd setup for shares:
>     # template shell = /bin/bash
>     # template homedir = /home/%U
>
>     # idmap_nss plugin setup:
>     idmap config * : backend = tdb
>     idmap config * : range = 1000000-3999999
>
>     idmap config SAMBA : backend = nss
>     idmap config SAMBA : range = 1000-999999

You should remove the 'idmap config' lines, they should never be set on a DC.

> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.example.com/scripts
>     read only = No
>
> Does any of this look familiar?

Yes, but the only things missing are:

The contents of /etc/krb5.conf
What kdc you used, hopefully Heimdal.

Rowland
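The two configuration points raised in this exchange (winbind listed on the passwd and group lines of nsswitch.conf with the libnss_winbind links in place, and no 'idmap config' lines in a DC's smb.conf) and the missing CP850 conversion behind the samba-tool errors can all be checked from a shell before restarting anything. The script below is an added example written for this page; it is not from the thread, from Samba, or from the Samba wiki. It assumes the libnss_winbind.so.2 link lives in one of the listed library directories (the layout the wiki page Rowland links describes; adjust LIBDIRS otherwise) and that Samba's 'dos charset' conversion uses the same iconv tables that iconv(1) sees. The sample nsswitch.conf and smb.conf files it writes are constructed for the demonstration and mirror the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity checks for a
# Samba AD DC's winbind/NSS setup. Functions take file paths so they can be
# run against constructed sample files or against the real /etc files.

# Succeed only if both the passwd and group lines list the winbind source.
check_nsswitch() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)' "$f" &&
    grep -Eq '^[[:space:]]*group:.*[[:space:]]winbind([[:space:]]|$)' "$f"
}

# Succeed only if no active (uncommented) 'idmap config' line is present;
# Rowland's point above is that these must never be set on an AD DC.
check_smbconf_dc() {
    f="$1"
    [ -r "$f" ] || return 1
    ! grep -Eiq '^[[:space:]]*idmap[[:space:]]+config[[:space:]]' "$f"
}

# Succeed if libnss_winbind.so.2 exists in one of the usual library
# directories (assumption: the layout from the Samba wiki page on
# libnss_winbind links; extend LIBDIRS for other distributions).
LIBDIRS="/lib /lib64 /usr/lib /usr/lib64 /usr/lib/x86_64-linux-gnu"
check_nss_links() {
    for d in $LIBDIRS; do
        [ -e "$d/libnss_winbind.so.2" ] && return 0
    done
    return 1
}

# Succeed if the system iconv can convert from CP850 (assumption: Samba's
# 'dos charset' handling relies on the same libc/libiconv tables).
check_cp850() {
    printf 'abc' | iconv -f CP850 -t UTF-8 >/dev/null 2>&1
}

# Write constructed sample files into DIR: a good and a bad nsswitch.conf,
# and a DC smb.conf with and without active idmap config lines.
make_samples() {
    dir="$1"
    cat > "$dir/nsswitch-good.conf" <<'EOF'
passwd:     files winbind
group:      files winbind
shadow:     files
EOF
    cat > "$dir/nsswitch-bad.conf" <<'EOF'
passwd:     files
group:      files winbind
EOF
    cat > "$dir/smb-good.conf" <<'EOF'
[global]
    server role = active directory domain controller
    # idmap config * : backend = tdb
EOF
    cat > "$dir/smb-bad.conf" <<'EOF'
[global]
    server role = active directory domain controller
    idmap config * : backend = tdb
    idmap config SAMBA : backend = nss
EOF
}

# Report on a live system; pass alternative paths as the first two arguments.
run_checks() {
    nss="${1:-/etc/nsswitch.conf}"
    smb="${2:-/etc/samba/smb.conf}"
    if check_nsswitch "$nss"; then echo "ok:   $nss lists winbind for passwd and group"
    else echo "FAIL: $nss is missing winbind on passwd or group"; fi
    if check_smbconf_dc "$smb"; then echo "ok:   $smb has no active idmap config lines"
    else echo "FAIL: $smb still contains idmap config lines"; fi
    if check_nss_links; then echo "ok:   libnss_winbind.so.2 found"
    else echo "FAIL: libnss_winbind.so.2 not found in: $LIBDIRS"; fi
    if check_cp850; then echo "ok:   iconv can convert CP850"
    else echo "FAIL: iconv cannot convert CP850 (samba-tool will fall back to ASCII)"; fi
}

run_checks "$@"
```

Run it with no arguments to check the live /etc files, or point it at copies (for example `sh check-dc.sh /tmp/nsswitch.conf /tmp/smb.conf`) to review a configuration before deploying it. The CP850 and libnss_winbind checks only tell you what the local system can see; which package supplies the iconv tables on Gentoo is a question for the build-dependency wiki pages Rowland links.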