samba - Oct 2015 - PATCH: Fix example of server role parameter in smb.conf manpage (WAS: invalid value 'netbios backup domain controller')

On Sun, 2015-10-11 at 19:17 +0100, Rowland Penny wrote:
> On 11/10/15 19:01, Ken Bass wrote:
> > On 10/11/2015 01:02 PM, Rowland Penny wrote:
> > > On 11/10/15 17:10, Ken Bass wrote:
> > > > I have been having issues with my Centos 7 Samba4 setup. Not
> > > > sure if 
> > > > it is related to a recent samba package/version update, but
> > > > things 
> > > > are no longer very stable.
> > > > While looking at the logs, I see the following message on my
> > > > BDC.
> > > > 
> > > > WARNING: Ignoring invalid value 'netbios backup domain
> > > > controller' 
> > > > for parameter 'server role'
> > > > This worked before and is consistent with the man page for
the
> > > > smb.conf file, so I am confused.
And rightfully so.  I do apologise for the incorrect documentation, the
correct string is: "classic backup domain controller"

Sadly the description of 'samba3 style' or 'nt4-like' domain
controllers as 'classic' really didn't catch on in our community.
> > > > My PDC is listed as 'classic primary domain
controller' which
> > > > does 
> > > > not generate an error message.
> > > > 
> > > 
> > > Does it work if you remove or comment out the line?
> > 
> > It appears it works both with and without the line. I was just
> > unsure 
> > why it is reporting a warning when the manual says it is valid.
> > My security is set to 'user' (rather than domain).
> > 
> > As far as my comment about things not as being very stable, I have
> > a 
> > script that was modifying smb.conf and restarting the smb/nmb tasks
> > every night. It seems like sometimes the restart would work, other 
> > times it fails (with BACKTRACE and core dumps). While looking at
> > the 
> > logs, I saw the WARNING.
> > 
> > 
> 
> back on-list
> 
> So, it works if the line isn't there, but it still works if the line
> is 
> there and it throws an error
> 
> Pretty obvious cure, don't have the line in smb.conf, you do not need
> it. The only place it is required is on an AD DC and the smb.conf for
> this is created for you.
> 
> I am also intrigued, why are you modifying smb.conf and restarting
> samba 
> every night? most people set it once and then leave it alone.
> 
> This is for Andrew Bartlett:
> 
> This is the second time something like this has come up, are you now 
> prepared to accept the patch to remove the mention of 'server role'
> from 
> the example smb.conf, because I would now like to propose a patch for
> the smb.conf manpage, something along the lines of 'Do not set server
> role manually, it is not required and could cause problems'
The issue here is incorrect documentation.  We should accept the
options described in the documentation, and we should encouage users to
configure Samba with the server role parameter.  The old combination of
'security, domain logons and domain master' while pervasive is even
more confusing.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

On 11/10/15 22:34, Andrew Bartlett wrote:
> On Sun, 2015-10-11 at 19:17 +0100, Rowland Penny wrote:
>> On 11/10/15 19:01, Ken Bass wrote:
>>> On 10/11/2015 01:02 PM, Rowland Penny wrote:
>>>> On 11/10/15 17:10, Ken Bass wrote:
>>>>> I have been having issues with my Centos 7 Samba4 setup.
Not
>>>>> sure if
>>>>> it is related to a recent samba package/version update, but
>>>>> things
>>>>> are no longer very stable.
>>>>> While looking at the logs, I see the following message on
my
>>>>> BDC.
>>>>>
>>>>> WARNING: Ignoring invalid value 'netbios backup domain
>>>>> controller'
>>>>> for parameter 'server role'
>>>>> This worked before and is consistent with the man page for
the
>>>>> smb.conf file, so I am confused.
> And rightfully so.  I do apologise for the incorrect documentation, the
> correct string is: "classic backup domain controller"
>
> Sadly the description of 'samba3 style' or 'nt4-like'
domain
> controllers as 'classic' really didn't catch on in our
community.
>
>>>>> My PDC is listed as 'classic primary domain
controller' which
>>>>> does
>>>>> not generate an error message.
>>>>>
>>>> Does it work if you remove or comment out the line?
>>> It appears it works both with and without the line. I was just
>>> unsure
>>> why it is reporting a warning when the manual says it is valid.
>>> My security is set to 'user' (rather than domain).
>>>
>>> As far as my comment about things not as being very stable, I have
>>> a
>>> script that was modifying smb.conf and restarting the smb/nmb tasks
>>> every night. It seems like sometimes the restart would work, other
>>> times it fails (with BACKTRACE and core dumps). While looking at
>>> the
>>> logs, I saw the WARNING.
>>>
>>>
>> back on-list
>>
>> So, it works if the line isn't there, but it still works if the
line
>> is
>> there and it throws an error
>>
>> Pretty obvious cure, don't have the line in smb.conf, you do not
need
>> it. The only place it is required is on an AD DC and the smb.conf for
>> this is created for you.
>>
>> I am also intrigued, why are you modifying smb.conf and restarting
>> samba
>> every night? most people set it once and then leave it alone.
>>
>> This is for Andrew Bartlett:
>>
>> This is the second time something like this has come up, are you now
>> prepared to accept the patch to remove the mention of 'server
role'
>> from
>> the example smb.conf, because I would now like to propose a patch for
>> the smb.conf manpage, something along the lines of 'Do not set
server
>> role manually, it is not required and could cause problems'
> The issue here is incorrect documentation.  We should accept the
> options described in the documentation, and we should encouage users to
> configure Samba with the server role parameter.  The old combination of
> 'security, domain logons and domain master' while pervasive is even
> more confusing.
>
> Andrew Bartlett
>
OK Andrew, the smb.conf manpage is wrong, but adding the server role 
anywhere but on a DC (where it is added for you) isn't really needed and 
it seems to be causing more problems than it helps.
Just because you think using the 'old' way is confusing doesn't make
it
so, with all those howtos out there, to now start telling people to 
start using the server role line and not use the 'old' way will cause 
nothing but confusion.
I am not saying that samba should stop using the server role, what I am 
saying is that samba should stop going out of its way to make sysadmins 
use it.

Rowland

On 12/10/15 09:05, Rowland Penny wrote:
> On 11/10/15 22:34, Andrew Bartlett wrote:
>> On Sun, 2015-10-11 at 19:17 +0100, Rowland Penny wrote:
>>> On 11/10/15 19:01, Ken Bass wrote:
>>>> On 10/11/2015 01:02 PM, Rowland Penny wrote:
>>>>> On 11/10/15 17:10, Ken Bass wrote:
>>>>>> I have been having issues with my Centos 7 Samba4
setup. Not
>>>>>> sure if
>>>>>> it is related to a recent samba package/version update,
but
>>>>>> things
>>>>>> are no longer very stable.
>>>>>> While looking at the logs, I see the following message
on my
>>>>>> BDC.
>>>>>>
>>>>>> WARNING: Ignoring invalid value 'netbios backup
domain
>>>>>> controller'
>>>>>> for parameter 'server role'
>>>>>> This worked before and is consistent with the man page
for the
>>>>>> smb.conf file, so I am confused.
>> And rightfully so.  I do apologise for the incorrect documentation, the
>> correct string is: "classic backup domain controller"
>>
>> Sadly the description of 'samba3 style' or 'nt4-like'
domain
>> controllers as 'classic' really didn't catch on in our
community.
>>
>>>>>> My PDC is listed as 'classic primary domain
controller' which
>>>>>> does
>>>>>> not generate an error message.
>>>>>>
>>>>> Does it work if you remove or comment out the line?
>>>> It appears it works both with and without the line. I was just
>>>> unsure
>>>> why it is reporting a warning when the manual says it is valid.
>>>> My security is set to 'user' (rather than domain).
>>>>
>>>> As far as my comment about things not as being very stable, I
have
>>>> a
>>>> script that was modifying smb.conf and restarting the smb/nmb
tasks
>>>> every night. It seems like sometimes the restart would work,
other
>>>> times it fails (with BACKTRACE and core dumps). While looking
at
>>>> the
>>>> logs, I saw the WARNING.
>>>>
>>>>
>>> back on-list
>>>
>>> So, it works if the line isn't there, but it still works if the
line
>>> is
>>> there and it throws an error
>>>
>>> Pretty obvious cure, don't have the line in smb.conf, you do
not need
>>> it. The only place it is required is on an AD DC and the smb.conf
for
>>> this is created for you.
>>>
>>> I am also intrigued, why are you modifying smb.conf and restarting
>>> samba
>>> every night? most people set it once and then leave it alone.
>>>
>>> This is for Andrew Bartlett:
>>>
>>> This is the second time something like this has come up, are you
now
>>> prepared to accept the patch to remove the mention of 'server
role'
>>> from
>>> the example smb.conf, because I would now like to propose a patch
for
>>> the smb.conf manpage, something along the lines of 'Do not set
server
>>> role manually, it is not required and could cause problems'
>> The issue here is incorrect documentation.  We should accept the
>> options described in the documentation, and we should encouage users to
>> configure Samba with the server role parameter.  The old combination of
>> 'security, domain logons and domain mast er' while pervasive is
even
>> more confusing.
>>
>> Andrew Bartlett
>>
>
> OK Andrew, the smb.conf manpage is wrong, but adding the server role 
> anywhere but on a DC (where it is added for you) isn't really needed 
> and it seems to be causing more problems than it helps.
> Just because you think using the 'old' way is confusing doesn't
make
> it so, with all those howtos out there, to now start telling people to 
> start using the server role line and not use the 'old' way will
cause
> nothing but confusion.
> I am not saying that samba should stop using the server role, what I 
> am saying is that samba should stop going out of its way to make 
> sysadmins use it.
>
> Rowland
>
>
So you are recommending lowering the clarity of samba configuration?. 
You wish to keep looking at the smb.conf which users post here guess 
that which they wish to achieve?

Hello Andrew,

while reading your and Rowlands discussion about recommending or not the
'server role' parameter on other machines than DCs, I saw, that the
smb.conf manpage example says
> Example: server role = DOMAIN CONTROLLER
However, correct is
> Example: server role = ACTIVE DIRECTORY DOMAIN CONTROLLER

Attached a fix. Please review and push, if OK.
Thanks.


Regards,
Marc

On 12/10/15 20:12, Marc Muehlfeld wrote:
> Hello Andrew,
>
> while reading your and Rowlands discussion about recommending or not the
> 'server role' parameter on other machines than DCs, I saw, that the
> smb.conf manpage example says
>
>> Example: server role = DOMAIN CONTROLLER
> However, correct is
>
>> Example: server role = ACTIVE DIRECTORY DOMAIN CONTROLLER
>
> Attached a fix. Please review and push, if OK.
> Thanks.
>
>
> Regards,
> Marc
Er, you missed the main one, 'netbios backup domain controller' is 
really 'classic backup domain controller', according to Andrew

Rowland

Am 12.10.2015 um 22:11 schrieb Rowland Penny:
> Er, you missed the main one, 'netbios backup domain controller' is
> really 'classic backup domain controller', according to Andrew
New patch attached.


Regards,
Marc
-------------- next part --------------