Morning,

This weekend I attempted an upgrade of my primary samba server from 3.0.24
to 3.3.3. When testing this primary server after the upgrade I had a
few issues, so rolled back the upgrade until I can find solutions. This
server also has the OpenLDAP server local to and co-located with samba.

The two things that initially didn't seem right are that each time I
logged into a windows XP box I was told my password had expired and
must be changed, and my roaming profile could not be accessed. Even
after changing my password, when I logged out and back in I got the same
password expired message.

I had another event scheduled and couldn't diagnose the issue. I
hope the issue is simply a difference in the configuration (smb.conf)
between 3.0.24 and 3.3.3. I've attached a sanitized version of my config
below. Does anyone see any issues?

Samba is the first of a series of upgrades. After samba is Cyrus then
OpenLDAP.

Samba is compiled locally on this box, so it pulls in the current library
versions, etc.

The output of the smbd-3.0.24 and smbd-3.3.3 (both -b) seem the same
to me.

Thanks for having a look at this. I'll try another upgrade this coming
weekend.

Mike

Fedora Core 5
Samba upgrade from 3.0.24 to 3.3.3
OpenLDAP 2.3.30

---------------------------
# Samba config file created using SWAT
# from 10.1.2.43 (10.1.2.43)
# Date: 2006/08/03 15:11:35

[global]
security = USER
client plaintext auth = Yes
client lanman auth = Yes
lanman auth = No
ntlm auth = Yes
guest account = nobody
#admin users = manager, root
admin users =
hosts allow = .domain.com, 10.1.2., 10.1.3., 192.168.100.
cups options = raw
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
usershare allow guests = yes
time server = yes

workgroup = PWI
netbios name = elo
netbios aliases = loghost, mailhost, backuphost, ldaphost
server string = Samba Server (%h)
logon drive = H:
logon home = \\%h\%U
logon path = \\%h\profiles\%U
logon script = logon.bat
ldap delete dn = Yes
ldap suffix = dc=domain,dc=com
ldap admin dn = cn=manager,dc=domain,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap ssl = off
ldapsam:trusted = Yes
ldap timeout = 15
utmp directory = /var/run
wtmp directory = /var/log
utmp = Yes

encrypt passwords = Yes
password level = 0
password server = ldaphost.domain.com
passdb backend = ldapsam:ldap://ldaphost.domain.com
ldap passwd sync = Yes
unix password sync = No
passwd program = /usr/sbin/smbldap-passwd %u
#pam password change = Yes
passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n
passwd chat debug = Yes
#client use spnego = No
#use spnego = No

os level = 66
preferred master = Yes
local master = Yes
domain master = Yes
domain logons = Yes
allow trusted domains = Yes

# log level = 255
# log level = 100
# log level = 4
# log level = 3 ldap:10 passdb:10 auth:10 winbind:10
# log level = 3
# log level = 2
log level = 1
log file = /var/log/samba/%m.log
max log size = 10000

#socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
#socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
#socket options = TCP_NODELAY
# trying to make things faster
#socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=1500

#add user script = /usr/sbin/smbldap-useradd -m "%u"
add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D "H:" -M "%u@domain.com" %u
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%g" "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
#add machine script = /usr/sbin/smbldap-useradd -w "%u"
#add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
#add machine script = /usr/sbin/smbldap-useradd -w -i "%u" -t 5
#add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -t 5 "%u"
#add machine script = /usr/sbin/smbldap-useradd -w -i -A 0 -B 0 -t 5 "%u"

#max smbd processes = 200
deadtime = 60

# trying to get rid of an error in the smb logs by not listening to port 445
smb ports = 139

[netlogon]
comment = Network Logon Services
path = /etc/samba/netlogon
browseable = No
writable = No
read only = Yes
guest ok = Yes

[profiles]
comment = Roaming User Profiles
path = /etc/samba/profiles
browseable = Yes
writable = Yes
read only = No
guest ok = Yes
hide files = /DESKTOP.INI/Desktop.ini/desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
#store dos attributes = Yes
create mask = 0600
directory mask = 0700
#printable = no
csc policy = disable
#force user = %U

[homes]
comment = Home Directories
read only = No
guest ok = No
browseable = No
map read only = Permissions
directory mask = 0755

[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No

[Pointwise]
comment = Pointwise Corporate Files
path = /opt/domain
#create mask = 0765
force create mode = 664
force group = pwi
browseable = Yes
printable = No
guest ok = No
writeable = Yes
read only = No

[Backups]
comment = Backup files are stored here
path = /opt/backups
browseable = Yes
printable = No

[Data]
comment = Storage for support and other data.
path = /opt/data
browseable = Yes
printable = No

[tmp]
comment = temporary files
path = /tmp
browseable = Yes
printable = No
guest ok = Yes
guest only = No
writeable = Yes
read only = No
force create mode = 664
---------------------------

> Morning,
>
> This weekend I attempted an upgrade of my primary samba server from 3.0.24
> to 3.3.3. When testing this primary server after the upgrade I had a
> few issues, so rolled back the upgrade until I can find solutions. This
> server also has the OpenLDAP server local to and co-located with samba.
>
> The two things that initially didn't seem right are that each time I
> logged into a windows XP box I was told my password had expired and
> must be changed, and my roaming profile could not be accessed. Even
> after changing my password, when I logged out and back in I got the same
> password expired message.
>
> I had another event scheduled and couldn't diagnose the issue. I
> hope the issue is simply a difference in the configuration (smb.conf)
> between 3.0.24 and 3.3.3. I've attached a sanitized version of my config
> below. Does anyone see any issues?
>
> Samba is the first of a series of upgrades. After samba is Cyrus then
> OpenLDAP.
>
> Samba is compiled locally on this box, so it pulls in the current library
> versions, etc.
>
> The output of the smbd-3.0.24 and smbd-3.3.3 (both -b) seem the same
> to me.
>
> Thanks for having a look at this. I'll try another upgrade this coming
> weekend.
>
> Mike

Did you copy the samba schema file from samba 3.3.3 to the schema dir of
openldap, replacing the old one from samba 3.0.24?

I once had the same issue after an upgrade from 3.0.x to 3.3.x, I did not
have the password issue but the roaming profile issue I remember quite
well ;-)

After the copy (which is a pretty normal thing, but easy to forget) things
were running as before.

Regards,
Johan Hendriks
Double L Automatisering

On Mon, 27 Apr 2009, Mike Eggleston might have said:

> Morning,
>
> This weekend I attempted an upgrade of my primary samba server from 3.0.24
> to 3.3.3. When testing this primary server after the upgrade I had a
> few issues, so rolled back the upgrade until I can find solutions. This
> server also has the OpenLDAP server local to and co-located with samba.
>
> The two things that initially didn't seem right are that each time I
> logged into a windows XP box I was told my password had expired and
> must be changed, and my roaming profile could not be accessed. Even
> after changing my password, when I logged out and back in I got the same
> password expired message.
>
> I had another event scheduled and couldn't diagnose the issue. I
> hope the issue is simply a difference in the configuration (smb.conf)
> between 3.0.24 and 3.3.3. I've attached a sanitized version of my config
> below. Does anyone see any issues?
>
> Samba is the first of a series of upgrades. After samba is Cyrus then
> OpenLDAP.
>
> Samba is compiled locally on this box, so it pulls in the current library
> versions, etc.
>
> The output of the smbd-3.0.24 and smbd-3.3.3 (both -b) seem the same
> to me.
>
> Thanks for having a look at this. I'll try another upgrade this coming
> weekend.
>
> Mike
>
> Fedora Core 5
> Samba upgrade from 3.0.24 to 3.3.3
> OpenLDAP 2.3.30
>
> ---------------------------
> # Samba config file created using SWAT
> # from 10.1.2.43 (10.1.2.43)
> # Date: 2006/08/03 15:11:35
>
> [global]
> security = USER
> client plaintext auth = Yes
> client lanman auth = Yes
> lanman auth = No
> ntlm auth = Yes
> guest account = nobody
> #admin users = manager, root
> admin users =
> hosts allow = .domain.com, 10.1.2., 10.1.3., 192.168.100.
> cups options = raw
> wins support = yes
> name resolve order = wins lmhosts host bcast
> dns proxy = no
> usershare allow guests = yes
> time server = yes
>
> workgroup = PWI
> netbios name = elo
> netbios aliases = loghost, mailhost, backuphost, ldaphost
> server string = Samba Server (%h)
> logon drive = H:
> logon home = \\%h\%U
> logon path = \\%h\profiles\%U
> logon script = logon.bat
> ldap delete dn = Yes
> ldap suffix = dc=domain,dc=com
> ldap admin dn = cn=manager,dc=domain,dc=com
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines
> ldap ssl = off
> ldapsam:trusted = Yes
> ldap timeout = 15
> utmp directory = /var/run
> wtmp directory = /var/log
> utmp = Yes
>
> encrypt passwords = Yes
> password level = 0
> password server = ldaphost.domain.com
> passdb backend = ldapsam:ldap://ldaphost.domain.com
> ldap passwd sync = Yes
> unix password sync = No
> passwd program = /usr/sbin/smbldap-passwd %u
> #pam password change = Yes
> passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n
> passwd chat debug = Yes
> #client use spnego = No
> #use spnego = No
>
> os level = 66
> preferred master = Yes
> local master = Yes
> domain master = Yes
> domain logons = Yes
> allow trusted domains = Yes
>
> # log level = 255
> # log level = 100
> # log level = 4
> # log level = 3 ldap:10 passdb:10 auth:10 winbind:10
> # log level = 3
> # log level = 2
> log level = 1
> log file = /var/log/samba/%m.log
> max log size = 10000
>
> #socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
> #socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> #socket options = TCP_NODELAY
> # trying to make things faster
> #socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=1500
>
> #add user script = /usr/sbin/smbldap-useradd -m "%u"
> add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D "H:" -M "%u@domain.com" %u
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%g" "%u"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> #add machine script = /usr/sbin/smbldap-useradd -w "%u"
> #add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
> #add machine script = /usr/sbin/smbldap-useradd -w -i "%u" -t 5
> #add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -t 5 "%u"
> #add machine script = /usr/sbin/smbldap-useradd -w -i -A 0 -B 0 -t 5 "%u"
>
> #max smbd processes = 200
> deadtime = 60
>
> # trying to get rid of an error in the smb logs by not listening to port 445
> smb ports = 139
>
> [netlogon]
> comment = Network Logon Services
> path = /etc/samba/netlogon
> browseable = No
> writable = No
> read only = Yes
> guest ok = Yes
>
> [profiles]
> comment = Roaming User Profiles
> path = /etc/samba/profiles
> browseable = Yes
> writable = Yes
> read only = No
> guest ok = Yes
> hide files = /DESKTOP.INI/Desktop.ini/desktop.ini/ntuser.ini/NTUSER.*/Thumbs.db/
> #store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> #printable = no
> csc policy = disable
> #force user = %U
>
> [homes]
> comment = Home Directories
> read only = No
> guest ok = No
> browseable = No
> map read only = Permissions
> directory mask = 0755
>
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> printable = Yes
> browseable = No
>
> [Pointwise]
> comment = Pointwise Corporate Files
> path = /opt/domain
> #create mask = 0765
> force create mode = 664
> force group = pwi
> browseable = Yes
> printable = No
> guest ok = No
> writeable = Yes
> read only = No
>
> [Backups]
> comment = Backup files are stored here
> path = /opt/backups
> browseable = Yes
> printable = No
>
> [Data]
> comment = Storage for support and other data.
> path = /opt/data
> browseable = Yes
> printable = No
>
> [tmp]
> comment = temporary files
> path = /tmp
> browseable = Yes
> printable = No
> guest ok = Yes
> guest only = No
> writeable = Yes
> read only = No
> force create mode = 664
> ---------------------------

Well, I did the upgrade Sunday, 10 May 09, and version 3.3.3 is now in
production. I did update the OpenLDAP samba.schema file. I'm not sure that
had any effect on letting people log in. What seems to have worked is
adding an 'X' in the OpenLDAP field sambaAcctFlags.

I still have an issue with 'expired passwords' and my roaming profiles
don't seem to be working right. Now that v3.3.3 is in production I can
work on these two items (and upgrading OpenLDAP and Cyrus-IMAP).

Mike
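
The sambaAcctFlags value mentioned in the last message is a bracketed string of single-letter flags, in which 'X' marks a password that does not expire. The following is an added example, not part of the thread: a Python sketch that decodes the flags from an LDIF export and lists the accounts carrying a given flag, so accounts exempted from password expiry can be reviewed. The entries are constructed sample data under the thread's dc=domain,dc=com suffix, and the parser assumes simple one-line "attr: value" LDIF.

```python
# Added example; the LDIF below is constructed sample data, not from the thread.
FLAGS = {"U": "normal user", "W": "workstation trust", "S": "server trust",
         "I": "interdomain trust", "D": "disabled", "N": "no password required",
         "X": "password does not expire", "L": "auto-locked",
         "H": "home directory required", "T": "temporary duplicate",
         "M": "MNS logon"}

SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=domain,dc=com
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=domain,dc=com
sambaAcctFlags: [UX         ]

dn: uid=ws01$,ou=machines,dc=domain,dc=com
sambaAcctFlags: [W          ]
"""

def parse_entries(ldif):
    """Yield one dict per entry (assumes unwrapped 'attr: value' lines)."""
    for block in ldif.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        yield entry

def decode_flags(raw):
    """Return the set of flag letters inside the brackets; reject bad values."""
    if not (raw.startswith("[") and raw.endswith("]")):
        raise ValueError(f"malformed sambaAcctFlags: {raw!r}")
    letters = set(raw[1:-1].replace(" ", ""))
    unknown = letters - FLAGS.keys()
    if unknown:
        raise ValueError(f"unknown flag(s) {sorted(unknown)} in {raw!r}")
    return letters

def describe(raw):
    """Human-readable meaning of each flag in a sambaAcctFlags value."""
    return [FLAGS[c] for c in sorted(decode_flags(raw))]

def accounts_with_flag(ldif, flag):
    """DNs of entries whose sambaAcctFlags contains the given letter."""
    return [e["dn"] for e in parse_entries(ldif)
            if flag in decode_flags(e.get("sambaAcctFlags", "[]"))]

if __name__ == "__main__":
    print("password never expires:", accounts_with_flag(SAMPLE_LDIF, "X"))
    print(describe("[UX         ]"))
```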