samba - Oct 2015 - invalid value 'netbios backup domain controller'

I have been having issues with my Centos 7 Samba4 setup. Not sure if it 
is related to a recent samba package/version update, but things are no 
longer very stable.
While looking at the logs, I see the following message on my BDC.

WARNING: Ignoring invalid value 'netbios backup domain controller' for 
parameter 'server role'

This worked before and is consistent with the man page for the smb.conf 
file, so I am confused.

My PDC is listed as 'classic primary domain controller' which does not 
generate an error message.

On 11/10/15 17:10, Ken Bass wrote:
> I have been having issues with my Centos 7 Samba4 setup. Not sure if 
> it is related to a recent samba package/version update, but things are 
> no longer very stable.
> While looking at the logs, I see the following message on my BDC.
>
> WARNING: Ignoring invalid value 'netbios backup domain controller'
for
> parameter 'server role'
>
> This worked before and is consistent with the man page for the 
> smb.conf file, so I am confused.
>
> My PDC is listed as 'classic primary domain controller' which does
not
> generate an error message.
>
Does it work if you remove or comment out the line?

Rowland

Hello Ken,

Am 11.10.2015 um 18:10 schrieb Ken Bass:
> I have been having issues with my Centos 7 Samba4 setup. Not sure if it
> is related to a recent samba package/version update, but things are no
> longer very stable.
> While looking at the logs, I see the following message on my BDC.
> 
> WARNING: Ignoring invalid value 'netbios backup domain controller'
for
> parameter 'server role'
If you're running an NT4 domain, you shouln't have a "server
role"
parameter in your smb.conf. Only AD DC use this parameter at the moment.


Regards,
Marc

On 11/10/15 19:01, Ken Bass wrote:
> On 10/11/2015 01:02 PM, Rowland Penny wrote:
>> On 11/10/15 17:10, Ken Bass wrote:
>>> I have been having issues with my Centos 7 Samba4 setup. Not sure
if
>>> it is related to a recent samba package/version update, but things 
>>> are no longer very stable.
>>> While looking at the logs, I see the following message on my BDC.
>>>
>>> WARNING: Ignoring invalid value 'netbios backup domain
controller'
>>> for parameter 'server role'
>>>
>>> This worked before and is consistent with the man page for the 
>>> smb.conf file, so I am confused.
>>>
>>> My PDC is listed as 'classic primary domain controller'
which does
>>> not generate an error message.
>>>
>>
>> Does it work if you remove or comment out the line?
>
> It appears it works both with and without the line. I was just unsure 
> why it is reporting a warning when the manual says it is valid.
> My security is set to 'user' (rather than domain).
>
> As far as my comment about things not as being very stable, I have a 
> script that was modifying smb.conf and restarting the smb/nmb tasks 
> every night. It seems like sometimes the restart would work, other 
> times it fails (with BACKTRACE and core dumps). While looking at the 
> logs, I saw the WARNING.
>
>
back on-list

So, it works if the line isn't there, but it still works if the line is 
there and it throws an error

Pretty obvious cure, don't have the line in smb.conf, you do not need 
it. The only place it is required is on an AD DC and the smb.conf for 
this is created for you.

I am also intrigued, why are you modifying smb.conf and restarting samba 
every night? most people set it once and then leave it alone.

This is for Andrew Bartlett:

This is the second time something like this has come up, are you now 
prepared to accept the patch to remove the mention of 'server role' from
the example smb.conf, because I would now like to propose a patch for 
the smb.conf manpage, something along the lines of 'Do not set server 
role manually, it is not required and could cause problems'

Rowland

On 10/11/2015 02:17 PM, Rowland Penny wrote:
> So, it works if the line isn't there, but it still works if the line
> is there and it throws an error
>
> Pretty obvious cure, don't have the line in smb.conf, you do not need
> it. The only place it is required is on an AD DC and the smb.conf for
> this is created for you.
When I manually upgraded my Samba3 configuration to Samba4, I went 
through the man page. The man page says:

       server role (G)

            This option determines the basic operating mode of a Samba 
server and is one of the most important settings in the smb.conf file.

When the documentation calls something out as 'ONE OF THE MOST IMPORTANT 
SETTINGS', I figure I better pay attention.
And the description says:

"SERVER ROLE = CLASSIC PRIMARY DOMAIN CONTROLLER

            This mode of operation runs a classic Samba primary domain 
controller, providing domain logon services to Windows and Samba clients 
of an NT4-like domain. Clients must be joined to the
            domain to create a secure, trusted path across the network. 
There must be only one PDC per NetBIOS scope (typcially a broadcast 
network or clients served by a single WINS server).

Something similar for BACKUP.

Since I am running both a primary and backup domain setup to provide 
logon services of an NT4-like domain, this seemed like exactly what is 
required.
Did I misunderstand something?


>
> I am also intrigued, why are you modifying smb.conf and restarting
> samba every night? most people set it once and then leave it alone.
Comcast ISP sometimes changes the IPv6 address/prefix assigned to my 
network. Since most clients on my network prefer IPv6 over IPv4 and I 
have a 'hosts allow' in my smb.conf, whenever the IPv6 is changed, 
client no longer have permission to connect to the samba servers. My 
solution was to create a script that is executed whenever the the DHCP 
client renews/changes the IPv6 prefix. My initial version of the script 
takes the current IPv6 prefix, uses sed and modifies the hosts allow 
line in the smb.conf, then restarts smb/nmb. I just modified the script 
to only modify and restart if the prefix actually changes. This should 
prevent it from running every 24 hours or so when the DHCP address renews.

On Sun, 2015-10-11 at 19:17 +0100, Rowland Penny wrote:
> On 11/10/15 19:01, Ken Bass wrote:
> > On 10/11/2015 01:02 PM, Rowland Penny wrote:
> > > On 11/10/15 17:10, Ken Bass wrote:
> > > > I have been having issues with my Centos 7 Samba4 setup. Not
> > > > sure if 
> > > > it is related to a recent samba package/version update, but
> > > > things 
> > > > are no longer very stable.
> > > > While looking at the logs, I see the following message on my
> > > > BDC.
> > > > 
> > > > WARNING: Ignoring invalid value 'netbios backup domain
> > > > controller' 
> > > > for parameter 'server role'
> > > > This worked before and is consistent with the man page for
the
> > > > smb.conf file, so I am confused.
And rightfully so.  I do apologise for the incorrect documentation, the
correct string is: "classic backup domain controller"

Sadly the description of 'samba3 style' or 'nt4-like' domain
controllers as 'classic' really didn't catch on in our community.
> > > > My PDC is listed as 'classic primary domain
controller' which
> > > > does 
> > > > not generate an error message.
> > > > 
> > > 
> > > Does it work if you remove or comment out the line?
> > 
> > It appears it works both with and without the line. I was just
> > unsure 
> > why it is reporting a warning when the manual says it is valid.
> > My security is set to 'user' (rather than domain).
> > 
> > As far as my comment about things not as being very stable, I have
> > a 
> > script that was modifying smb.conf and restarting the smb/nmb tasks
> > every night. It seems like sometimes the restart would work, other 
> > times it fails (with BACKTRACE and core dumps). While looking at
> > the 
> > logs, I saw the WARNING.
> > 
> > 
> 
> back on-list
> 
> So, it works if the line isn't there, but it still works if the line
> is 
> there and it throws an error
> 
> Pretty obvious cure, don't have the line in smb.conf, you do not need
> it. The only place it is required is on an AD DC and the smb.conf for
> this is created for you.
> 
> I am also intrigued, why are you modifying smb.conf and restarting
> samba 
> every night? most people set it once and then leave it alone.
> 
> This is for Andrew Bartlett:
> 
> This is the second time something like this has come up, are you now 
> prepared to accept the patch to remove the mention of 'server role'
> from 
> the example smb.conf, because I would now like to propose a patch for
> the smb.conf manpage, something along the lines of 'Do not set server
> role manually, it is not required and could cause problems'
The issue here is incorrect documentation.  We should accept the
options described in the documentation, and we should encouage users to
configure Samba with the server role parameter.  The old combination of
'security, domain logons and domain master' while pervasive is even
more confusing.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba