Fernando Favero
2016-Feb-15 17:22 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
My smb.conf files.
The OS is a CentOS 7

DC Server 1
-------------------------------
[global]
workgroup = EXAMPLE.COM
realm = campus.example.com
netbios name = DC-SERVER1
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
dsdb:schema update allowed = true
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0

log file = /var/log/samba/%m.log
log level = 1

[netlogon]
path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


DC Server 2
-------------------------------
[global]
workgroup = EXAMPLE.COM
realm = campus.example.com
netbios name = DC-SERVER2
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 8.8.8.8
dsdb:schema update allowed = true
winbind max clients = 2000
bind interfaces only = yes
interfaces = eth0

log file = /var/log/samba/%m.log
log level = 1

[netlogon]
path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


FileServer1
-------------------------------
[global]
netbios name = FileServer1
server string = FileServer1
security = ADS
workgroup = EXAMPLE.COM
realm = CAMPUS.EXAMPLE.COM
bind interfaces only = yes
interfaces = lo eth0
winbind request timeout = 90

log file = /var/log/samba/%m.log
log level = 1

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind max clients = 2000

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

idmap config *:backend = tdb
idmap config *:range = 1000-50000

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl allow execute always = true


FileServer2
-------------------------------
[global]
netbios name = FileServer2
server string = FileServer2
security = ADS
workgroup = EXAMPLE.COM
realm = CAMPUS.EXAMPLE.COM
bind interfaces only = yes
interfaces = lo eth0
winbind request timeout = 90

log file = /var/log/samba/%m.log
log level = 1

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind refresh tickets = yes
winbind max clients = 2000

winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

idmap config *:backend = tdb
idmap config *:range = 1000-50000

vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
acl allow execute always = true


On Mon, Feb 15, 2016 at 11:13 AM, Rowland penny <rpenny at samba.org> wrote:

> On 15/02/16 12:40, Fernando Favero wrote:
>
>> Hello,
>>
>> 3 months ago, I migrated my domain from samba 3.5.2 (NT4 with LDAP) to
>> samba 4.3.1 (compiled from source) following classic upgrade instructions
>> on wiki page. The samba 4.3.1 is using Samba Internal DNS.
>>
>> 20.000 users and 2.800 computers were migrated.
>>
>> After the migration process, I joined 1 new DC server and 2 File Servers
>> to domain.
>>
>> All users can login on domain, but we have some issues.
>>
>> 1 – “wbinfo -u” doesn't show users, but “wbinfo -g” show groups normally
>>
>> 2 – On DC servers, samba process listen ports 135 and 1024 is using 100%
>> of CPU
>>
>> 3 – On DC servers, samba process listen ports 464 and 88 are using ~ 50%
>> of CPU
>>
>> 4 – On File Servers, run a “ls -l” on directories with user/groups
>> permissions from domain is very slow
>>
>> 5 – Sometimes, file servers lost connections to winbind process.
>>
>> wbinfo -t
>>
>> checking the trust secret for domain UEL.BR via RPC calls failed
>>
>> failed to call wbcCheckTrustCredentials: WBC_ERR_WINBIND_NOT_AVAILABLE
>>
>> Could not check secret
>>
>> I have tried to find what is wrong, but not found the solution yet.
>>
>> Can someone help me ?
>>
>
> We can certainly try, but it will probably help if you can post your
> smb.conf files from the various Samba machines.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Rowland penny
2016-Feb-15 18:43 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
On 15/02/16 17:22, Fernando Favero wrote:

> My smb.conf files.
> The OS is a CentOS 7
>
> DC Server 1
> -------------------------------
> [global]
> workgroup = EXAMPLE.COM
> realm = campus.example.com
> netbios name = DC-SERVER1
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> dsdb:schema update allowed = true
> winbind max clients = 2000
> bind interfaces only = yes
> interfaces = eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> DC Server 2
> -------------------------------
> [global]
> workgroup = EXAMPLE.COM
> realm = campus.example.com
> netbios name = DC-SERVER2
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
> dsdb:schema update allowed = true
> winbind max clients = 2000
> bind interfaces only = yes
> interfaces = eth0
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/campus.example.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> FileServer1
> -------------------------------
> [global]
> netbios name = FileServer1
> server string = FileServer1
> security = ADS
> workgroup = EXAMPLE.COM
> realm = CAMPUS.EXAMPLE.COM
> bind interfaces only = yes
> interfaces = lo eth0
> winbind request timeout = 90
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind max clients = 2000
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000-50000
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> acl allow execute always = true
>
>
> FileServer2
> -------------------------------
> [global]
> netbios name = FileServer2
> server string = FileServer2
> security = ADS
> workgroup = EXAMPLE.COM
> realm = CAMPUS.EXAMPLE.COM
> bind interfaces only = yes
> interfaces = lo eth0
> winbind request timeout = 90
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
> winbind refresh tickets = yes
> winbind max clients = 2000
>
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 1000-50000
>
> vfs objects = acl_xattr
> map acl inherit = yes
> store dos attributes = yes
> acl allow execute always = true
>
>

OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.

Your idmap config stack is incorrect, you only have settings for the builtin users & groups, see here for how you should set it up:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Follow the links on that page for the correct settings.

Rowland
Fernando Favero
2016-Feb-16 13:46 UTC
[Samba] Problems after migration from samba 3.5.2 to samba 4.3.1
Hi Rowland

> OK, two things jump out at me, I wouldn't use 'EXAMPLE.COM' for the
> workgroup name, I would have just used 'EXAMPLE' i.e. no dot in the name.
>

I understand, but changing the workgroup involves migrating the domain, right?? Or can I simply change the workgroup and restart samba??

> Your idmap config stack is incorrect, you only have settings for the
> builtin users & groups, see here for how you should set it up:
>
> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>
> Follow the links on that page for the correct settings.
>

ldconfig -v | grep winbind shows "libnss_winbind.so.2 -> libnss_winbind.so.2"

nsswitch.conf:
passwd: files winbind
shadow: files winbind
group: files winbind

I changed smb.conf in a test environment with the same problem, using the following parameters.

idmap config *:backend = tdb
idmap config *:range = 1000-1999
idmap config EXAMPLE.COM:range = 2000-50000
idmap config EXAMPLE.COM:backend = ad
idmap config EXAMPLE.COM:schema_mode = rfc2307

getent passwd shows local users only
getent group shows all groups (local and domain)
wbinfo -u shows nothing
wbinfo -g shows all groups (local and domain)

winbindd.log shows the following lines when debug level = 10,

Running "wbinfo -g"
. . .
[2016/02/16 11:29:26.185376, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31101]: request domain name
[2016/02/16 11:29:26.185431, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:29:26.185540, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:29:26.185610, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31101]: domain_info [EXAMPLE.COM]
[2016/02/16 11:29:26.185710, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31101:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:29:26.185825, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31101:LIST_GROUPS
[2016/02/16 11:29:26.185866, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_groups.c:58(winbindd_list_groups_send)
  list_groups EXAMPLE.COM
[2016/02/16 11:29:26.185920, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    in: struct wbint_QueryGroupList
[2016/02/16 11:29:26.593525, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryGroupList: struct wbint_QueryGroupList
    out: struct wbint_QueryGroupList
      groups : *
        groups: struct wbint_Principals
          num_principals : 562
          principals: ARRAY(562)
            principals: struct wbint_Principal
              sid : S-1-5-21-1479197986-680052183-3269973696-571
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Allowed RODC Password Replication Group'
            principals: struct wbint_Principal
              sid : S-1-5-21-1479197986-680052183-3269973696-498
              type : SID_NAME_DOM_GRP (2)
              name : *
                name : 'Enterprise Read-Only Domain Controllers'
. . .

Running "wbinfo -u"
. . .
[2016/02/16 11:30:07.352308, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:405(winbindd_domain_name)
  [31117]: request domain name
[2016/02/16 11:30:07.352368, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_NAME]: delivered response to client
[2016/02/16 11:30:07.352428, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:758(process_request)
  process_request: request fn DOMAIN_INFO
[2016/02/16 11:30:07.352452, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_misc.c:237(winbindd_domain_info)
  [31117]: domain_info [EXAMPLE.COM]
[2016/02/16 11:30:07.352526, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:DOMAIN_INFO]: delivered response to client
[2016/02/16 11:30:07.352648, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 31117:LIST_USERS
[2016/02/16 11:30:07.352697, 3, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:58(winbindd_list_users_send)
  list_users EXAMPLE.COM
[2016/02/16 11:30:07.352740, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    in: struct wbint_QueryUserList
[2016/02/16 11:30:17.465320, 5, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:1132(remove_timed_out_clients)
  Idle client timed out, shutting down sock 33, pid 31053
[2016/02/16 11:31:07.763617, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40c
[2016/02/16 11:31:07.763671, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40c len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.763691, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:365(winbind_msg_domain_offline)
  Domain EXAMPLE.COM is marked as offline now.
[2016/02/16 11:31:07.764062, 1, pid=31022, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  wbint_QueryUserList: struct wbint_QueryUserList
    out: struct wbint_QueryUserList
      users : *
        users: struct wbint_userinfos
          num_userinfos : 0x00000000 (0)
          userinfos: ARRAY(0)
      result : NT_STATUS_IO_TIMEOUT
[2016/02/16 11:31:07.764138, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:128(winbindd_list_users_done)
  Domain EXAMPLE.COM returned 0 users
[2016/02/16 11:31:07.764152, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_list_users.c:134(winbindd_list_users_done)
  List_users for domain EXAMPLE.COM failed
[2016/02/16 11:31:07.764167, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[31117:LIST_USERS]: NT_STATUS_OK
[2016/02/16 11:31:07.764222, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[31117:LIST_USERS]: delivered response to client
[2016/02/16 11:31:07.764940, 6, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:965(winbind_client_request_read)
  closing socket 35, client exited
[2016/02/16 11:31:07.873705, 10, pid=31022, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:417(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 31022 matches my id: 31022, type=0x40b
[2016/02/16 11:31:07.873752, 10, pid=31022, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40b len 7 (num_fds:0) from 31026
[2016/02/16 11:31:07.873775, 10, pid=31022, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:385(winbind_msg_domain_online)
  Domain EXAMPLE.COM is marked as online now.
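
The two smb.conf points raised in this thread (a dot in the workgroup name, and an idmap stack that only covers the default `*` domain) can be checked mechanically before a member server goes into service. The script below is an added example, not code from the thread or from the Samba project; `parse_global` and `check_idmap` are hypothetical helpers, and the two sample configs are constructed from the FileServer settings and the revised test settings posted above.

```python
import re

# "idmap config DOMAIN : option" keys; DOMAIN is "*" or a NetBIOS domain name.
IDMAP_KEY = re.compile(r"idmap config\s+(.+?)\s*:\s*(.+)", re.I)

def parse_global(text):
    """Return (plain options, idmap options per domain) from [global]."""
    opts, idmap, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            m = IDMAP_KEY.fullmatch(key)
            if m:
                idmap.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = value
            else:
                opts[" ".join(key.lower().split())] = value
    return opts, idmap

def check_idmap(text):
    """List idmap problems in a domain-member smb.conf (hypothetical helper)."""
    opts, idmap = parse_global(text)
    workgroup = opts.get("workgroup", "").upper()
    findings, ranges = [], []
    if "." in workgroup:
        findings.append("workgroup name contains a dot")
    for domain in ("*", workgroup):
        cfg = idmap.get(domain, {})
        if "backend" not in cfg or "range" not in cfg:
            findings.append(f"no backend/range for idmap domain {domain}")
            continue
        low, high = (int(n) for n in cfg["range"].split("-"))
        ranges.append((low, high, domain))
    ranges.sort()
    for (_, high, a), (low, _, b) in zip(ranges, ranges[1:]):
        if low <= high:
            findings.append(f"idmap ranges of {a} and {b} overlap")
    return findings

# Constructed samples, cut down from the settings posted in the thread.
ORIGINAL = ("[global]\nsecurity = ADS\nworkgroup = EXAMPLE.COM\n"
            "idmap config *:backend = tdb\nidmap config *:range = 1000-50000\n")
REVISED = ORIGINAL.replace("1000-50000", "1000-1999") + (
    "idmap config EXAMPLE.COM:range = 2000-50000\n"
    "idmap config EXAMPLE.COM:backend = ad\n"
    "idmap config EXAMPLE.COM:schema_mode = rfc2307\n")
print(check_idmap(ORIGINAL), check_idmap(REVISED), sep="\n")
```

The check is static: with the `ad` backend the domain range must also cover the uidNumber/gidNumber values actually stored in AD, which this script cannot see.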