Kelvin Yip
2015-Jan-21 06:00 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Hi all,

I have tried to migrate a domain from Samba3 to Samba4 AD and am now using samba RC4. Referring to the release note document, I should use winbindd instead of winbind. However, I cannot start the samba4 daemon when using winbindd parameters, but can start it using winbind parameters.

Would you please help. Thanks. Below is the current config file:

[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = ICS
realm = icshk.local
netbios name = LINUX01
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

# server string is the equivalent of the NT Description field
server string = %h

#domain admin group = root
#hosts allow = 192.168.188. 127.
#socket address = 192.168.188.1
#interfaces = eth0 192.168.188.1
#interfaces = eth0 192.168.188.0/24
interfaces = lo bond0
#interfaces = lo bond0 em1 em2 em3 em4
#interfaces = 192.168.188.0/24
bind interfaces only = yes

load printers = yes
#printing = lprng
#printcap name = /etc/printcap
printcap name = cups
printing = cups
cups options = raw
use client driver = Yes

log file = /var/log/samba/samba.log
max log size = 3000
log level = 3
debug level = 0
# log level = 10
# debug level = 10
pid directory = /var/run/samba
eventlog list = Application Security System

use sendfile=yes
#write cache size = 262144
#large readwrite = yes
#read raw = yes
#write raw = yes
# In order to store outlook pst in share drive, seems kernel oplocks cannot be turned on
#kernel oplocks = yes
#max xmit = 65535
#dead time = 15
#getwd cache = yes

guest account = winguest
#security = user
encrypt passwords = yes
#smb passwd file = /etc/samba/smbpasswd
#username map = /etc/samba/smbusers
unix password sync = Yes
#pam password change = No
#obey pam restrictions = Yes
#passwd program = /usr/bin/passwd %u
passwd program = /usr/local/sbin/change_passwd.sh %u
passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
; passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Modified for LDAP
#passdb backend = tdbsam, smbpasswd
#passdb backend = ldapsam:ldap://127.0.0.1/
#ldap passwd sync = No
#ldap suffix = dc=ics,dc=hk
#ldap admin dn = cn=ldapadmin,dc=ics,dc=hk
#ldap ssl =start tls
#ldap ssl = off
#ldap group suffix = ou=Groups
#ldap user suffix = ou=Users
#ldap machine suffix = ou=Computers
#ldap idmap suffix = ou=Users

#idmap config * : backend = tdb
#idmap config * : range = 1000000-1999999

#Note that password level 20 means compare passwords, CASE INSENSITIVE, for the first 20 characters. This eliminates problems with Windows converting everything to caps.
#password level = 20
check password script=/usr/local/sbin/crackcheck -l 2

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
#socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY
#socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384 IPTOS_LOWDELAY

local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
os level = 64

domain master = yes
preferred master = yes
domain logons = yes

logon script = %G.bat
add user script = /usr/sbin/useradd -g users -s /bin/false %u
add group script = /usr/sbin/groupadd %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -n -g machines -c Machines -d /dev/null -s /bin/false %u
delete user script = /usr/sbin/userdel %u
delete user from group script = /usr/local/sbin/delUserfromGroup %u %g
delete group script = /usr/sbin/groupdel %g
set primary group script = /usr/sbin/usermod -g %g %u

# Modified for LDAP
#add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes
#add group script = /usr/sbin/smbldap-groupadd -p "%g"
#add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
#delete user script = /usr/sbin/smbldap-userdel "%u"
#add machine script = /usr/sbin/smbldap-useradd -w "%u"
#delete group script = /usr/sbin/smbldap-groupdel "%g"
#delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
#set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

# Where to store roving profiles (only for Win95 and WinNT)
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

#name resolve order = wins lmhosts bcast
name resolve order = lmhosts wins host bcast

# wins support = yes
wins proxy = no
dns proxy = no

msdfs root = yes
host msdfs = yes
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

# hide files = /desktop.ini/ntuser.ini/NTUSER.*/
# hide dot files = No
# veto files = /lost+found/
# hide unreadable = Yes
# Traditional Chinese code page
# client code page = 950
dos charset = BIG5

#client lanman auth = Yes
#client plaintext auth = Yes
#lanman auth = Yes

utmp = Yes
#deadtime = 0
keepalive = 0

logon drive = x:
logon home = \\%L\%U
template homedir = /home/%U

#root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m
#root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m

#max protocol = SMB2
#nt acl support = Yes
#acl group control = Yes
#client NTLMv2 auth=Yes
time server=Yes
#enable privileges = yes
ea support = yes
restrict anonymous = 2
#restrict anonymous = 1
#server signing = mandatory
#server signing = auto
client signing = auto
client schannel = Auto
server schannel = Auto
client use spnego = yes

tls enabled = Yes
tls keyfile = tls/samba_linux01.icshk.local.key
tls certfile = tls/samba_linux01.icshk.local.pem
tls cafile

#============================ UFS Logging =============================
vfs objects = full_audit
full_audit:prefix = %u|%I|%m|%S
#full_audit:failure = connect
#full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
#full_audit:success = rename unlink rmdir pwrite
full_audit:success = rename unlink rmdir
full_audit:failure = none
full_audit:facility = local6
full_audit:priority = notice
Rowland Penny
2015-Jan-21 09:53 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
On 21/01/15 06:00, Kelvin Yip wrote:
> Hi all,
>
> I have tried to migrate a domain from Samba3 to Samba4 AD and am now using
> samba RC4. Referring to the release note document, I should use winbindd instead
> of winbind. However, I cannot start the samba4 daemon when using winbindd
> parameters, but can start it using winbind parameters.
>
> Would you please help. Thanks. Below is the current config file:
>
> [global]
> # workgroup = NT-Domain-Name or Workgroup-Name
> workgroup = ICS
> realm = icshk.local
> netbios name = LINUX01
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
>
> # server string is the equivalent of the NT Description field
> server string = %h
>
> #domain admin group = root
> #hosts allow = 192.168.188. 127.
> #socket address = 192.168.188.1
> #interfaces = eth0 192.168.188.1
> #interfaces = eth0 192.168.188.0/24
> interfaces = lo bond0
> #interfaces = lo bond0 em1 em2 em3 em4
> #interfaces = 192.168.188.0/24
> bind interfaces only = yes
>
> load printers = yes
> #printing = lprng
> #printcap name = /etc/printcap
> printcap name = cups
> printing = cups
> cups options = raw
> use client driver = Yes
>
> log file = /var/log/samba/samba.log
> max log size = 3000
> log level = 3
> debug level = 0
> # log level = 10
> # debug level = 10
> pid directory = /var/run/samba
> eventlog list = Application Security System
>
> use sendfile=yes
> #write cache size = 262144
> #large readwrite = yes
> #read raw = yes
> #write raw = yes
> # In order to store outlook pst in share drive, seems kernel oplocks cannot be turned on
> #kernel oplocks = yes
> #max xmit = 65535
> #dead time = 15
> #getwd cache = yes
>
> guest account = winguest
> #security = user
> encrypt passwords = yes
> #smb passwd file = /etc/samba/smbpasswd
> #username map = /etc/samba/smbusers
> unix password sync = Yes
> #pam password change = No
> #obey pam restrictions = Yes
> #passwd program = /usr/bin/passwd %u
> passwd program = /usr/local/sbin/change_passwd.sh %u
> passwd chat = *Enter*new*password* %n\n *Re-type*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> ; passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
> ; passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
>
> # Modified for LDAP
> #passdb backend = tdbsam, smbpasswd
> #passdb backend = ldapsam:ldap://127.0.0.1/
> #ldap passwd sync = No
> #ldap suffix = dc=ics,dc=hk
> #ldap admin dn = cn=ldapadmin,dc=ics,dc=hk
> #ldap ssl =start tls
> #ldap ssl = off
> #ldap group suffix = ou=Groups
> #ldap user suffix = ou=Users
> #ldap machine suffix = ou=Computers
> #ldap idmap suffix = ou=Users
>
> #idmap config * : backend = tdb
> #idmap config * : range = 1000000-1999999
>
> #Note that password level 20 means compare passwords, CASE INSENSITIVE, for the first 20 characters. This eliminates problems with Windows converting everything to caps.
> #password level = 20
> check password script=/usr/local/sbin/crackcheck -l 2
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> #socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 IPTOS_LOWDELAY
> #socket options = TCP_NODELAY SO_RCVBUF=65535 SO_SNDBUF=65535 IPTOS_LOWDELAY
> #socket options = TCP_NODELAY SO_KEEPALIVE SO_RCVBUF=16384 SO_SNDBUF=16384 IPTOS_LOWDELAY
>
> local master = yes
>
> # OS Level determines the precedence of this server in master browser
> # elections. The default value should be reasonable
> os level = 64
>
> domain master = yes
> preferred master = yes
> domain logons = yes
>
> logon script = %G.bat
> add user script = /usr/sbin/useradd -g users -s /bin/false %u
> add group script = /usr/sbin/groupadd %g
> add user to group script = /usr/sbin/usermod -G %g %u
> add machine script = /usr/sbin/useradd -n -g machines -c Machines -d /dev/null -s /bin/false %u
> delete user script = /usr/sbin/userdel %u
> delete user from group script = /usr/local/sbin/delUserfromGroup %u %g
> delete group script = /usr/sbin/groupdel %g
> set primary group script = /usr/sbin/usermod -g %g %u
>
> # Modified for LDAP
> #add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes
> #add group script = /usr/sbin/smbldap-groupadd -p "%g"
> #add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> #delete user script = /usr/sbin/smbldap-userdel "%u"
> #add machine script = /usr/sbin/smbldap-useradd -w "%u"
> #delete group script = /usr/sbin/smbldap-groupdel "%g"
> #delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> #set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
> # Where to store roving profiles (only for Win95 and WinNT)
> # %L substitutes for this servers netbios name, %U is username
> # You must uncomment the [Profiles] share below
> ; logon path = \\%L\Profiles\%U
>
> #name resolve order = wins lmhosts bcast
> name resolve order = lmhosts wins host bcast
>
> # wins support = yes
> wins proxy = no
> dns proxy = no
>
> msdfs root = yes
> host msdfs = yes
> # Case Preservation can be handy - system default is _no_
> # NOTE: These can be set on a per share basis
> ; preserve case = no
> ; short preserve case = no
> # Default case is normally upper case for all DOS files
> default case = lower
> # Be very careful with case sensitivity - it can break things!
> ; case sensitive = no
>
> # hide files = /desktop.ini/ntuser.ini/NTUSER.*/
> # hide dot files = No
> # veto files = /lost+found/
> # hide unreadable = Yes
> # Traditional Chinese code page
> # client code page = 950
> dos charset = BIG5
>
> #client lanman auth = Yes
> #client plaintext auth = Yes
> #lanman auth = Yes
>
> utmp = Yes
> #deadtime = 0
> keepalive = 0
>
> logon drive = x:
> logon home = \\%L\%U
> template homedir = /home/%U
>
> #root preexec = /usr/local/sbin/smb_global_preexec.sh %U %m
> #root postexec = /usr/local/sbin/smb_global_postexec.sh %U %m
>
> #max protocol = SMB2
> #nt acl support = Yes
> #acl group control = Yes
> #client NTLMv2 auth=Yes
> time server=Yes
> #enable privileges = yes
> ea support = yes
> restrict anonymous = 2
> #restrict anonymous = 1
> #server signing = mandatory
> #server signing = auto
> client signing = auto
> client schannel = Auto
> server schannel = Auto
> client use spnego = yes
>
> tls enabled = Yes
> tls keyfile = tls/samba_linux01.icshk.local.key
> tls certfile = tls/samba_linux01.icshk.local.pem
> tls cafile
>
> #============================ UFS Logging =============================
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%m|%S
> #full_audit:failure = connect
> #full_audit:success = connect disconnect opendir mkdir rmdir closedir open close read pread write pwrite sendfile rename unlink chmod
> #full_audit:success = rename unlink rmdir pwrite
> full_audit:success = rename unlink rmdir
> full_audit:failure = none
> full_audit:facility = local6
> full_audit:priority = notice

Never having migrated an S3 domain to an S4 AD domain, I am not sure that you get a new smb.conf created for you, but I would be very surprised if you don't.

Go back to the smb.conf that the upgrade provided; you do not need, and shouldn't add, about 90% of what you added. The major mistake you made was this: 'vfs objects = full_audit'. YOU HAVE TURNED OFF THE DEFAULTS!!!!

Rowland
miguelmedalha at sapo.pt
2015-Jan-21 13:32 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
It is always useful to read the release notes ;-)

With Samba 4.2, if you want to use the winbind daemon instead of the internal winbind you have to include:

server services -winbind winbindd ...
Rowland Penny
2015-Jan-21 13:39 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
On 21/01/15 13:32, miguelmedalha at sapo.pt wrote:
> It is always useful to read the release notes ;-)
>
> With Samba 4.2, if you want to use the winbind daemon instead of the
> internal winbind you have to include:
>
> server services -winbind winbindd ...
>

That is the least of his problems; he needs to fix his smb.conf *BIG* time. He also needs to understand that when running a Samba 4 AD DC you do not add the lines that you would add to an S3 NT4 PDC, for instance 'unix password sync = Yes'. How can you sync passwords to users *YOU CANNOT HAVE!*

Rowland
Kelvin Yip
2015-Jan-22 02:14 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Thanks. I think I misunderstood the release notes.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of miguelmedalha at sapo.pt
Sent: Wednesday, January 21, 2015 9:32 PM
To: Kelvin Yip
Cc: samba
Subject: Re: [Samba] Samba4.2rc4 with winbindd in config cannot start samba process

It is always useful to read the release notes ;-)

With Samba 4.2, if you want to use the winbind daemon instead of the internal winbind you have to include:

server services -winbind winbindd ...

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Peter Serbe
2015-Jan-22 09:14 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Kelvin Yip wrote on 22.01.2015 06:43:
> Hello,
>
> I have tried to configure smb.conf like the following, and none of
> them can start the samba process.

I use the following (on the DC, Bind9 backend):

workgroup = SAMDOM
realm = samdom.example.com
netbios name = circe
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
dbwrap_tdb_mutexes:* = yes
domain master = no
# added as per https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
kerberos method = secrets and keytab

It might also be worthwhile to check both the compilation and the provisioning settings.

./configure --prefix=/usr/local/samba \
    --with-piddir=/usr/local/samba/var/run \
    --with-syslog \
    --with-quotas \
    --with-acl-support \
    --enable-cups \
    --with-ads \
    --with-shared-modules=idmap_ad

where the last two lines are for a member server. You might not need all the lines, but this might be a good start. Provided you want to set up a new domain, do the provisioning:

samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes

Check also the DNS settings. The wiki evolved quite a bit over the last year; it is now very reliable. Be sure to carefully execute all the necessary steps and do all the proposed checks in between.

HTH
Kelvin Yip
2015-Jan-22 09:19 UTC
[Samba] Samba4.2rc4 with winbindd in config cannot start samba process
Hi all,

I think it is related to this bug. Thanks:
https://bugzilla.samba.org/show_bug.cgi?id=10991

-----Original Message-----
From: Peter Serbe [mailto:peter at serbe.ch]
Sent: Thursday, January 22, 2015 5:14 PM
To: samba at lists.samba.org; kelvin at icshk.com
Subject: Re: [Samba] Samba4.2rc4 with winbindd in config cannot start samba process

Kelvin Yip wrote on 22.01.2015 06:43:
> Hello,
>
> I have tried to configure smb.conf like the following, and none of
> them can start the samba process.

I use the following (on the DC, Bind9 backend):

workgroup = SAMDOM
realm = samdom.example.com
netbios name = circe
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes
dbwrap_tdb_mutexes:* = yes
domain master = no
# added as per https://wiki.samba.org/index.php/Authenticating_other_services_against_AD
kerberos method = secrets and keytab

It might also be worthwhile to check both the compilation and the provisioning settings.

./configure --prefix=/usr/local/samba \
    --with-piddir=/usr/local/samba/var/run \
    --with-syslog \
    --with-quotas \
    --with-acl-support \
    --enable-cups \
    --with-ads \
    --with-shared-modules=idmap_ad

where the last two lines are for a member server. You might not need all the lines, but this might be a good start. Provided you want to set up a new domain, do the provisioning:

samba-tool domain provision --use-rfc2307 --interactive --use-xattrs=yes

Check also the DNS settings. The wiki evolved quite a bit over the last year; it is now very reliable. Be sure to carefully execute all the necessary steps and do all the proposed checks in between.

HTH
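The three configuration points raised in this thread (Miguel's note that Samba 4.2 wants the winbindd daemon in 'server services', Rowland's objection to NT4-PDC parameters such as 'unix password sync' on an AD DC, and his point that setting 'vfs objects = full_audit' replaces the AD DC defaults) can be checked mechanically before starting the daemon. The script below is an added example written for this page; it is not Samba project code and not from any poster. It assumes Samba's documented AD DC default of 'vfs objects = dfs_samba4 acl_xattr', and the two sample configurations it checks are constructed here, loosely modelled on the configs posted above. It deliberately does not try to resolve the '-winbind winbindd' modifier form itself: the authoritative way to see the effective list is 'testparm -v', so the checker only points you there.

```python
"""
Sanity checks for a Samba 4.2 AD DC smb.conf (added example for this thread,
not Samba project code). Checks:
  1. 'server services' names winbindd rather than the internal winbind;
  2. NT4-PDC-only parameters (unix password sync, passwd program, ...) that
     belong to a Samba 3 PDC, not to an AD DC where the directory holds accounts;
  3. 'vfs objects' set without the AD DC defaults, which the override drops
     (assumed default: 'dfs_samba4 acl_xattr' per smb.conf(5)).
"""
import re

DEFAULT_DC_VFS_OBJECTS = ["dfs_samba4", "acl_xattr"]  # assumed AD DC default

# Parameters that drive a Samba 3 NT4-style PDC and do not belong on an AD DC.
NT4_PDC_ONLY = [
    "unix password sync", "passwd program", "passwd chat", "domain logons",
    "add user script", "add machine script", "delete user script",
    "add group script", "delete group script", "add user to group script",
    "delete user from group script", "set primary group script",
]


def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {param: value}}.
    '#' and ';' start comments, parameter names are case- and
    whitespace-insensitive, and the last assignment of a name wins."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def server_services(value):
    """Split a 'server services' value into (modifier, names). modifier is the
    leading '+' or '-' of the modifier form ('-winbind winbindd'), else None;
    names are the service names with any prefix stripped."""
    value = value.strip()
    modifier = value[0] if value[:1] in ("+", "-") else None
    names = [t.lstrip("+-") for t in re.split(r"[,\s]+", value) if t]
    return modifier, names


def check_dc_config(text):
    """Return a list of findings (strings) for the [global] section of an AD DC."""
    findings = []
    g = parse_smb_conf(text).get("global", {})
    role = g.get("server role", "").lower()
    if role != "active directory domain controller":
        return ["server role is %r, not an AD DC; checks do not apply" % role]

    if "server services" in g:
        modifier, names = server_services(g["server services"])
        if modifier is not None:
            findings.append("server services uses '%s' modifier syntax; confirm "
                            "the effective list with 'testparm -v'" % modifier)
        elif "winbindd" not in names:
            findings.append("server services runs the internal winbind; Samba 4.2 "
                            "expects winbindd (e.g. 'server services = -winbind winbindd')")
        elif "winbind" in names:
            findings.append("server services lists both winbind and winbindd")

    for param in NT4_PDC_ONLY:
        if param in g:
            findings.append("NT4 PDC parameter on an AD DC: %s" % param)

    if "vfs objects" in g:
        present = g["vfs objects"].split()
        missing = [o for o in DEFAULT_DC_VFS_OBJECTS if o not in present]
        if missing:
            findings.append("vfs objects replaces the AD DC defaults, dropping: %s"
                            % " ".join(missing))
    return findings


# Constructed sample, loosely modelled on the config in the first post.
CONSTRUCTED_BAD = """\
[global]
workgroup = ICS
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
unix password sync = Yes
passwd program = /usr/local/sbin/change_passwd.sh %u
vfs objects = full_audit
"""

# Constructed sample with the fixes the replies suggest applied.
CONSTRUCTED_GOOD = """\
[global]
workgroup = ICS
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
vfs objects = dfs_samba4 acl_xattr full_audit
"""

if __name__ == "__main__":
    for name, text in (("bad", CONSTRUCTED_BAD), ("good", CONSTRUCTED_GOOD)):
        print(name, check_dc_config(text) or ["no findings"])
```

Run it against a real file with check_dc_config(open("/etc/samba/smb.conf").read()). The checks are heuristics for the mistakes discussed in this thread, not a substitute for 'testparm -v', which prints every effective parameter including the 'vfs objects' and 'server services' lists Samba will actually use.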