Kelvin Yip
2015-Jan-21 06:00 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Hi all, I have tried to migrate a domain from Samba3 to Samba4 Ad and now using samba RC4. Referring to release note document, I should use winbindd instead of winbind. However, I cannot start samba4 daemon when using winbindd parameters, but can start using winbind parameters. Would you please help. Thanks. Below is the current config file: [global] # workgroup = NT-Domain-Name or Workgroup-Name workgroup = ICS realm = icshk.local netbios name = LINUX01 server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes # server string is the equivalent of the NT Description field server string = %h #domain admin group = root #hosts allow = 192.168.188. 127. #socket address = 192.168.188.1 #interfaces = eth0 192.168.188.1 #interfaces = eth0 192.168.188.0/24 interfaces = lo bond0 #interfaces = lo bond0 em1 em2 em3 em4 #interfaces = 192.168.188.0/24 bind interfaces only = yes load printers = yes #printing = lprng #printcap name = /etc/printcap printcap name = cups printing = cups cups options = raw use client driver = Yes log file = /var/log/samba/samba.log max log size = 3000 log level = 3 debug level = 0 # log level = 10 # debug level = 10 pid directory = /var/run/samba eventlog list = Application Security System use sendfile=yes #write cache size = 262144 #large readwrite = yes #read raw = yes #write raw = yes # In order to store outlook pst in share drive, seems kernel oplocks cannot be turn on #kernel oplocks = yes #max xmit = 65535 #dead time = 15 #getwd cache = yes guest account = winguest #security = user encrypt passwords = yes #smb passwd file = /etc/samba/smbpasswd #username map = /etc/samba/smbusers unix password sync = Yes #pam password change = No #obey pam restrictions = Yes #passwd program = /usr/bin/passwd %u passwd program = /usr/local/sbin/change_passwd.sh %u passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* ; passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* # Modified for LDAP #passdb backend = tdbsam, smbpasswd #passdb backend = ldapsam:ldap://127.0.0.1/ #ldap passwd sync = No #ldap suffix = dc=ics,dc=hk #ldap admin dn = cn=ldapadmin,dc=ics,dc=hk #ldap ssl =start tls #ldap ssl = off #ldap group suffix = ou=Groups #ldap user suffix = ou=Users #ldap machine suffix = ou=Computers #ldap idmap suffix = ou=Users #idmap config * : backend = tdb #idmap config * : range = 1000000-1999999 #Note that password level 20 means compare passwords, CASE INSENSITIVE, for the first 20 characters. This eliminates problems with Windows converting everything to caps. #password level = 20 check password script=/usr/local/sbin/crackcheck -l 2 # Most people will find that this option gives better performance. # See speed.txt and the manual pages for details #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY #socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY #socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384 IPTOS_LOWDELAY local master = yes # OS Level determines the precedence of this server in master browser # elections. The default value should be reasonable os level = 64 domain master = yes preferred master = yes domain logons = yes logon script = %G.bat add user script = /usr/sbin/useradd -g users -s /bin/false %u add group script = /usr/sbin/groupadd %g add user to group script = /usr/sbin/usermod -G %g %u add machine script = /usr/sbin/useradd -n -g machines -c Machines -d /dev/null -s /bin/false %u delete user script = /usr/sbin/userdel %u delete user from group script = /usr/local/sbin/delUserfromGroup %u %g delete group script = /usr/sbin/groupdel %g set primary group script = /usr/sbin/usermod -g %g %u # Modified for LDAP #add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes #add group script = /usr/sbin/smbldap-groupadd -p "%g" #add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" #delete user script = /usr/sbin/smbldap-userdel "%u" #add machine script = /usr/sbin/smbldap-useradd -w "%u" #delete group script = /usr/sbin/smbldap-groupdel "%g" #delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" #set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" # Where to store roving profiles (only for Win95 and WinNT) # %L substitutes for this servers netbios name, %U is username # You must uncomment the [Profiles] share below ; logon path = \\%L\Profiles\%U #name resolve order = wins lmhosts bcast name resolve order = lmhosts wins host bcast # wins support = yes wins proxy = no dns proxy = no msdfs root = yes host msdfs = yes # Case Preservation can be handy - system default is _no_ # NOTE: These can be set on a per share basis ; preserve case = no ; short preserve case = no # Default case is normally upper case for all DOS files default case = lower # Be very careful with case sensitivity - it can break things! ; case sensitive = no # hide files = /desktop.ini/ntuser.ini/NTUSER.*/ # hide dot files = No # veto files = /lost+found/ # hide unreadable = Yes # Traditonal Chinese code page # client code page = 950 dos charset = BIG5 #client lanman auth = Yes #client plaintext auth = Yes #lanman auth = Yes utmp = Yes #deadtime = 0 keepalive = 0 logon drive = x: logon home = \\%L\%U template homedir = /home/%U #root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m #root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m #max protocol = SMB2 #nt acl support = Yes #acl group control = Yes #client NTLMv2 auth=Yes time server=Yes #enable privileges = yes ea support = yes restrict anonymous = 2 #restrict anonymous = 1 #server signing = mandatory #server signing = auto client signing = auto client schannel = Auto server schannel = Auto client use spnego = yes tls enabled = Yes tls keyfile = tls/samba_linux01.icshk.local.key tls certfile = tls/samba_linux01.icshk.local.pem tls cafile #============================ UFS Logging ============================= vfs objects = full_audit full_audit:prefix = %u|%I|%m|%S #full_audit:failure = connect #full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod #full_audit:success = rename unlink rmdir pwrite full_audit:success = rename unlink rmdir full_audit:failure = none full_audit:facility = local6 full_audit:priority = notice
Rowland Penny
2015-Jan-21 09:53 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
On 21/01/15 06:00, Kelvin Yip wrote:> Hi all, > > > > I have tried to migrate a domain from Samba3 to Samba4 Ad and now using > samba RC4. Referring to release note document, I should use winbindd instead > of winbind. However, I cannot start samba4 daemon when using winbindd > parameters, but can start using winbind parameters. > > > > Would you please help. Thanks. Below is the current config file: > > [global] > > # workgroup = NT-Domain-Name or Workgroup-Name > > workgroup = ICS > > realm = icshk.local > > netbios name = LINUX01 > > server role = active directory domain controller > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbind, ntp_signd, kcc, dnsupdate > > idmap_ldb:use rfc2307 = yes > > > > > > # server string is the equivalent of the NT Description field > > server string = %h > > > > #domain admin group = root > > #hosts allow = 192.168.188. 127. > > #socket address = 192.168.188.1 > > #interfaces = eth0 192.168.188.1 > > #interfaces = eth0 192.168.188.0/24 > > interfaces = lo bond0 > > #interfaces = lo bond0 em1 em2 em3 em4 > > #interfaces = 192.168.188.0/24 > > bind interfaces only = yes > > > > load printers = yes > > #printing = lprng > > #printcap name = /etc/printcap > > printcap name = cups > > printing = cups > > cups options = raw > > use client driver = Yes > > > > log file = /var/log/samba/samba.log > > max log size = 3000 > > log level = 3 > > debug level = 0 > > # log level = 10 > > # debug level = 10 > > pid directory = /var/run/samba > > eventlog list = Application Security System > > > > use sendfile=yes > > #write cache size = 262144 > > #large readwrite = yes > > #read raw = yes > > #write raw = yes > > # In order to store outlook pst in share drive, seems kernel oplocks > cannot be turn on > > #kernel oplocks = yes > > #max xmit = 65535 > > #dead time = 15 > > #getwd cache = yes > > > > guest account = winguest > > #security = user > > encrypt passwords = yes > > #smb passwd file = /etc/samba/smbpasswd > > #username map = /etc/samba/smbusers > > unix password sync = Yes > > #pam password change = No > > #obey pam restrictions = Yes > > #passwd program = /usr/bin/passwd %u > > passwd program = /usr/local/sbin/change_passwd.sh %u > > passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n > *passwd:*all*authentication*tokens*updated*successfully* > > ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n > *passwd:*all*authentication*tokens*updated*successfully* > > ; passwd chat = *New*password* %n\n *ReType*new*password* %n\n > *passwd:*all*authentication*tokens*updated*successfully* > > # Modified for LDAP > > #passdb backend = tdbsam, smbpasswd > > #passdb backend = ldapsam:ldap://127.0.0.1/ > > #ldap passwd sync = No > > #ldap suffix = dc=ics,dc=hk > > #ldap admin dn = cn=ldapadmin,dc=ics,dc=hk > > #ldap ssl =start tls > > #ldap ssl = off > > #ldap group suffix = ou=Groups > > #ldap user suffix = ou=Users > > #ldap machine suffix = ou=Computers > > #ldap idmap suffix = ou=Users > > > > #idmap config * : backend = tdb > > #idmap config * : range = 1000000-1999999 > > > > #Note that password level 20 means compare passwords, CASE INSENSITIVE, for > the first 20 characters. This eliminates problems with Windows converting > everything to caps. > > #password level = 20 > > check password script=/usr/local/sbin/crackcheck -l 2 > > > > # Most people will find that this option gives better performance. > > # See speed.txt and the manual pages for details > > #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > IPTOS_LOWDELAY > > #socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 > IPTOS_LOWDELAY > > #socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384 > SO_SNDBUF=16384 IPTOS_LOWDELAY > > > > local master = yes > > > > # OS Level determines the precedence of this server in master browser > > # elections. The default value should be reasonable > > os level = 64 > > > > domain master = yes > > preferred master = yes > > domain logons = yes > > > > logon script = %G.bat > > add user script = /usr/sbin/useradd -g users -s /bin/false %u > > add group script = /usr/sbin/groupadd %g > > add user to group script = /usr/sbin/usermod -G %g %u > > add machine script = /usr/sbin/useradd -n -g machines -c Machines -d > /dev/null -s /bin/false %u > > delete user script = /usr/sbin/userdel %u > > delete user from group script = /usr/local/sbin/delUserfromGroup %u %g > > delete group script = /usr/sbin/groupdel %g > > set primary group script = /usr/sbin/usermod -g %g %u > > > > # Modified for LDAP > > #add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes > > #add group script = /usr/sbin/smbldap-groupadd -p "%g" > > #add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" > > #delete user script = /usr/sbin/smbldap-userdel "%u" > > #add machine script = /usr/sbin/smbldap-useradd -w "%u" > > #delete group script = /usr/sbin/smbldap-groupdel "%g" > > #delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" > > #set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" > > > > # Where to store roving profiles (only for Win95 and WinNT) > > # %L substitutes for this servers netbios name, %U is username > > # You must uncomment the [Profiles] share below > > ; logon path = \\%L\Profiles\%U > > > > #name resolve order = wins lmhosts bcast > > name resolve order = lmhosts wins host bcast > > > > # wins support = yes > > wins proxy = no > > dns proxy = no > > > > msdfs root = yes > > host msdfs = yes > > # Case Preservation can be handy - system default is _no_ > > # NOTE: These can be set on a per share basis > > ; preserve case = no > > ; short preserve case = no > > # Default case is normally upper case for all DOS files > > default case = lower > > # Be very careful with case sensitivity - it can break things! > > ; case sensitive = no > > > > # hide files = /desktop.ini/ntuser.ini/NTUSER.*/ > > # hide dot files = No > > # veto files = /lost+found/ > > # hide unreadable = Yes > > # Traditonal Chinese code page > > # client code page = 950 > > dos charset = BIG5 > > > > #client lanman auth = Yes > > #client plaintext auth = Yes > > #lanman auth = Yes > > > > utmp = Yes > > #deadtime = 0 > > keepalive = 0 > > > > logon drive = x: > > logon home = \\%L\%U > > template homedir = /home/%U > > > > #root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m > > #root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m > > > > #max protocol = SMB2 > > #nt acl support = Yes > > #acl group control = Yes > > #client NTLMv2 auth=Yes > > time server=Yes > > #enable privileges = yes > > ea support = yes > > restrict anonymous = 2 > > #restrict anonymous = 1 > > #server signing = mandatory > > #server signing = auto > > client signing = auto > > client schannel = Auto > > server schannel = Auto > > client use spnego = yes > > > > tls enabled = Yes > > tls keyfile = tls/samba_linux01.icshk.local.key > > tls certfile = tls/samba_linux01.icshk.local.pem > > tls cafile > > > > #============================ UFS Logging =============================> > > > vfs objects = full_audit > > full_audit:prefix = %u|%I|%m|%S > > #full_audit:failure = connect > > #full_audit:success = connect disconnect opendir mkdir rmdir closedir open > close read pread write pwrite sendfile rename unlink chmod > > #full_audit:success = rename unlink rmdir pwrite > > full_audit:success = rename unlink rmdir > > full_audit:failure = none > > full_audit:facility = local6 > > full_audit:priority = notice >Never having migrated an S3 domain to an S4 AD domain, I am not sure that you get a new smb.conf created for you, but I would be very surprised if you don't. Go back to the smb.conf that the upgrade provided, you do not need and shouldn't add about 90% of what you added, the major mistake you made was this: 'vfs objects = full_audit', YOU HAVE TURNED OFF THE DEFAULTS!!!! Rowland
miguelmedalha at sapo.pt
2015-Jan-21 13:32 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
It is always useful to read the release notes ;-) With Samba 4.2, if you want to use the winbind daemon instead of the internal winbind you have to include: server services -winbind winbindd ...
Rowland Penny
2015-Jan-21 13:39 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
On 21/01/15 13:32, miguelmedalha at sapo.pt wrote:> It is always useful to read the release notes ;-) > > With Samba 4.2, if you want to use the winbind daemon instead of the > internal winbind you have to include: > > server services -winbind winbindd ... > >That is the least of his problems, he needs to fix his smb.conf *BIG* time, he also needs to understand that when running a samba 4 AD DC you do not add the lines that you would add to an S3 NT4 PDC, for instance 'unix password sync = Yes'. How can you sync passwords to users *YOU CANNOT HAVE!* Rowland
Kelvin Yip
2015-Jan-22 02:14 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Thanks. I think I misunderstanding the release notes. -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of miguelmedalha at sapo.pt Sent: Wednesday, January 21, 2015 9:32 PM To: Kelvin Yip Cc: samba Subject: Re: [Samba] Samba4.2rc4 with winbindd in config cannot start samba process It is always useful to read the release notes ;-) With Samba 4.2, if you want to use the winbind daemon instead of the internal winbind you have to include: server services -winbind winbindd ... -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Peter Serbe
2015-Jan-22 09:14 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Kelvin Yip schrieb am 22.01.2015 06:43:> Hello, > > I have tried to configure smb.conf like the following, and none of > them can start samba process.I use the following (on the DC, Bind9-Backend): workgroup = SAMDOM realm = samdom.example.com netbios name = circe server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes dbwrap_tdb_mutexes:* = yes domain master = no # added as per https://wiki.samba.org/index.php/Authenticating_other_services_against_AD kerberos method = secrets and keytab It might also be worthwhile to check both the compilation and the provisioning settings. ./configure --prefix=/usr/local/samba \ --with-piddir=/usr/local/samba/var/run \ --with-syslog \ --with-quotas \ --with-acl-support \ --enable-cups \ --with-ads \ --with-shared-modules=idmap_ad where the last two lines are for a member server. You might not need all the lines, but this might be a good start. Provided You want to set up a new domain, do the provisioning samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes Check also the DNS settings. The wiki evolved quite a bit over the last year - it is now very reliable. Be sure to carefully execute all the necessary steps and do all the proposed checks in between. HTH
Kelvin Yip
2015-Jan-22 09:19 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Hi all, I think it is related to this bug. Thanks: https://bugzilla.samba.org/show_bug.cgi?id=10991 -----Original Message----- From: Peter Serbe [mailto:peter at serbe.ch] Sent: Thursday, January 22, 2015 5:14 PM To: samba at lists.samba.org; kelvin at icshk.com Subject: Re: [Samba] Samba4.2rc4 with winbindd in config cannot start samba process Kelvin Yip schrieb am 22.01.2015 06:43:> Hello, > > I have tried to configure smb.conf like the following, and none of > them can start samba process.I use the following (on the DC, Bind9-Backend): workgroup = SAMDOM realm = samdom.example.com netbios name = circe server role = active directory domain controller server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate idmap_ldb:use rfc2307 = yes dbwrap_tdb_mutexes:* = yes domain master = no # added as per https://wiki.samba.org/index.php/Authenticating_other_services_against_AD kerberos method = secrets and keytab It might also be worthwhile to check both the compilation and the provisioning settings. ./configure --prefix=/usr/local/samba \ --with-piddir=/usr/local/samba/var/run \ --with-syslog \ --with-quotas \ --with-acl-support \ --enable-cups \ --with-ads \ --with-shared-modules=idmap_ad where the last two lines are for a member server. You might not need all the lines, but this might be a good start. Provided You want to set up a new domain, do the provisioning samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes Check also the DNS settings. The wiki evolved quite a bit over the last year - it is now very reliable. Be sure to carefully execute all the necessary steps and do all the proposed checks in between. HTH
Seemingly Similar Threads
- Samba4.2rc4 with winbindd in config cannot start samba process
- Samba4.2rc4 with winbindd in config cannot start samba process
- Samba4.2rc4 with winbindd in config cannot start samba process
- Samba4.2rc4 with winbindd in config cannot start samba process
- Completely Disable NTLM on Samba4