Waishon
2018-Aug-24 18:54 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
Hello,

I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller. Both are installed from the Debian Unstable Sources.
I've set up some scripts that allow me to provision the latest samba-version for testing purposes on two VMs. The following configs were working absolutely fine when provisioning a Samba-DC version 4.7.3 and I was able to do profile roaming, but since the DC is version 4.8.4 the following error occurs:

After provisioning the samba-dc as described in the Samba-Wiki I installed the samba-fileserver on a separate VM and tried to join it to the DC using "net ads join <REALM>". That works absolutely fine and wbinfo --ping-dc is able to reach the DC. The SID -> UID Mapping using nsswitch also works without any problems.

[global]
security = ADS
workgroup = schule
realm = subdomain.domain.de
log file = /var/log/samba/%m.log
log level = 1
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config schule : backend = rid
idmap config schule : range = 100000-200000
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U
username map = /etc/samba/user.map

Now I set up a Share for Windows Profile Roaming:

[Profiles]
comment = User profiles
path = /srv/profiles
read only = no
store dos attributes = Yes
guest ok = no
browseable = Yes
create mask = 0600
directory mask = 0700
csc policy = disable
valid users = @"Realm\Domain Users"
oplocks = no

But when trying to access this share Windows gives a permission denied, although the permissions are the same as in the working version 4.7.4.

I found out that samba-tool ntacl get /srv/profiles gives the following error:

pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb did not correctly init (error was NT_STATUS_UNSUCCESSFUL)
PANIC (pid 1076): pdb_get_methods: failed to get pdb methods for backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb

BACKTRACE: 37 stack frames:
 #0 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x1f) [0x7f60a977e42f]
 #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7f60a578b650]
 #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7f60a977e50f]
 #3 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(+0x3eddb) [0x7f60a583addb]
 #4 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(+0x4122d) [0x7f60a583d22d]
 #5 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(+0x38277) [0x7f60a5834277]
 #6 /usr/lib/x86_64-linux-gnu/libsamba-passdb.so.0(uid_to_sid+0x89) [0x7f60a5836519]
 #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x18a7ba) [0x7f60a4cc57ba]
 #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(posix_get_nt_acl+0x245) [0x7f60a4cc7025]
 #9 /usr/lib/python2.7/dist-packages/samba/samba3/smbd.x86_64-linux-gnu.so(+0x3ac5) [0x7f60a4e9cac5]
 #10 /usr/bin/python2.7(PyEval_EvalFrameEx+0x6066) [0x555a1ee43a86]
 #11 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #12 /usr/bin/python2.7(PyEval_EvalFrameEx+0x58fe) [0x555a1ee4331e]
 #13 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #14 /usr/bin/python2.7(+0x105d58) [0x555a1ee59d58]
 #15 /usr/bin/python2.7(PyObject_Call+0x36) [0x555a1ee235e6]
 #16 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2807) [0x555a1ee40227]
 #17 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #18 /usr/bin/python2.7(+0x105b99) [0x555a1ee59b99]
 #19 /usr/bin/python2.7(PyObject_Call+0x36) [0x555a1ee235e6]
 #20 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2807) [0x555a1ee40227]
 #21 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #22 /usr/bin/python2.7(+0x105b99) [0x555a1ee59b99]
 #23 /usr/bin/python2.7(PyObject_Call+0x36) [0x555a1ee235e6]
 #24 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2807) [0x555a1ee40227]
 #25 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #26 /usr/bin/python2.7(+0x105b99) [0x555a1ee59b99]
 #27 /usr/bin/python2.7(PyObject_Call+0x36) [0x555a1ee235e6]
 #28 /usr/bin/python2.7(PyEval_EvalFrameEx+0x2807) [0x555a1ee40227]
 #29 /usr/bin/python2.7(PyEval_EvalCodeEx+0x669) [0x555a1ee3b9e9]
 #30 /usr/bin/python2.7(PyEval_EvalCode+0x16) [0x555a1ee3b376]
 #31 /usr/bin/python2.7(+0x11b54f) [0x555a1ee6f54f]
 #32 /usr/bin/python2.7(PyRun_FileExFlags+0x84) [0x555a1ee69ec4]
 #33 /usr/bin/python2.7(PyRun_SimpleFileExFlags+0x177) [0x555a1ee69487]
 #34 /usr/bin/python2.7(Py_Main+0x56b) [0x555a1ee0d1cb]
 #35 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7) [0x7f60a9f88b17]
 #36 /usr/bin/python2.7(_start+0x2a) [0x555a1ee0cb8a]
Can not dump core: corepath not set up

And samba-tool ntacl sysvolcheck gives:

ERROR(runtime): uncaught exception - samdb_domain_sid failed
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 265, in run
    domain_sid = security.dom_sid(samdb.domain_sid)
  File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 583, in get_domain_sid
    return dsdb._samdb_get_domain_sid(self)

Both commands work perfectly on a DC and Fileserver combination which are provisioned with Samba 4.7.3.

I also tried to join an older samba 4.6.7 on my notebook, but there's the same error as above.

Does anybody have an idea why this happens and how to solve this issue?
Waishon
2018-Aug-24 19:07 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
If it's important here's the DC-Provision log too:

service-samba-dc | Looking up IPv4 addresses
service-samba-dc | More than one IPv4 address found. Using 192.168.188.2
service-samba-dc | Looking up IPv6 addresses
service-samba-dc | No IPv6 address will be assigned
service-samba-dc | Setting up share.ldb
service-samba-dc | Setting up secrets.ldb
service-samba-dc | Setting up the registry
service-samba-dc | Setting up the privileges database
service-samba-dc | Setting up idmap db
service-samba-dc | Setting up SAM db
service-samba-dc | Setting up sam.ldb partitions and settings
service-samba-dc | Setting up sam.ldb rootDSE
service-samba-dc | Pre-loading the Samba 4 and AD schema
service-samba-dc | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
service-samba-dc |
service-samba-dc | Adding DomainDN: DC=subdomain,DC=domain,DC=de
service-samba-dc | Adding configuration container
service-samba-dc | Setting up sam.ldb schema
service-samba-dc | Setting up sam.ldb configuration data
service-samba-dc | Setting up display specifiers
service-samba-dc | Modifying display specifiers and extended rights
service-samba-dc | Adding users container
service-samba-dc | Modifying users container
service-samba-dc | Adding computers container
service-samba-dc | Modifying computers container
service-samba-dc | Setting up sam.ldb data
service-samba-dc | Setting up well known security principals
service-samba-dc | Setting up sam.ldb users and groups
service-samba-dc | Setting up self join
service-samba-dc | Adding DNS accounts
service-samba-dc | Creating CN=MicrosoftDNS,CN=System,DC=subdomain,DC=domain,DC=de
service-samba-dc | Creating DomainDnsZones and ForestDnsZones partitions
service-samba-dc | Populating DomainDnsZones and ForestDnsZones partitions
service-samba-dc | Setting up sam.ldb rootDSE marking as synchronized
service-samba-dc | Fixing provision GUIDs
service-samba-dc | A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
service-samba-dc | Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
service-samba-dc | Setting up fake yp server settings
service-samba-dc | Once the above files are installed, your Samba AD server will be ready to use
service-samba-dc | Server Role: active directory domain controller
service-samba-dc | Hostname: DC-1
service-samba-dc | NetBIOS Domain: REALM
service-samba-dc | DNS Domain: subdomain.domain.de
service-samba-dc | DOMAIN SID: S-1-5-21-2386618402-376715021-633914752

2018-08-24 20:54 GMT+02:00, Waishon <waishon009 at gmail.com>:
> Hello,
>
> I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller. Both
> are installed from the Debian Unstable Sources.
> I've set up some scripts that allow me to provision the latest
> samba-version for testing purposes on two VMs. The following configs were
> working absolutely fine when provisioning a Samba-DC version 4.7.3 and I was
> able to do profile roaming, but since the DC is version 4.8.4 the following
> error occurs:
>
> After provisioning the samba-dc as described in the Samba-Wiki I installed
> the samba-fileserver on a separate VM and tried to join it to the DC using
> "net ads join <REALM>". That works absolutely fine and wbinfo --ping-dc is
> able to reach the DC. The SID -> UID Mapping using nsswitch also works
> without any problems.
Rowland Penny
2018-Aug-24 19:31 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
On Fri, 24 Aug 2018 21:07:54 +0200 Waishon via samba <samba at lists.samba.org> wrote:

> If it's important here's the DC-Provision log too:
>
> service-samba-dc | Looking up IPv4 addresses
> service-samba-dc | More than one IPv4 address found. Using 192.168.188.2
> service-samba-dc | Looking up IPv6 addresses
> service-samba-dc | No IPv6 address will be assigned
> service-samba-dc | Setting up share.ldb
> service-samba-dc | Setting up secrets.ldb
> service-samba-dc | Setting up the registry
> service-samba-dc | Setting up the privileges database
> service-samba-dc | Setting up idmap db
> service-samba-dc | Setting up SAM db
> service-samba-dc | Setting up sam.ldb partitions and settings
> service-samba-dc | Setting up sam.ldb rootDSE
> service-samba-dc | Pre-loading the Samba 4 and AD schema
> service-samba-dc | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> service-samba-dc |
> service-samba-dc | Adding DomainDN: DC=subdomain,DC=domain,DC=de
> service-samba-dc | Adding configuration container
> service-samba-dc | Setting up sam.ldb schema
> service-samba-dc | Setting up sam.ldb configuration data
> service-samba-dc | Setting up display specifiers
> service-samba-dc | Modifying display specifiers and extended rights
> service-samba-dc | Adding users container
> service-samba-dc | Modifying users container
> service-samba-dc | Adding computers container
> service-samba-dc | Modifying computers container
> service-samba-dc | Setting up sam.ldb data
> service-samba-dc | Setting up well known security principals
> service-samba-dc | Setting up sam.ldb users and groups
> service-samba-dc | Setting up self join
> service-samba-dc | Adding DNS accounts
> service-samba-dc | Creating CN=MicrosoftDNS,CN=System,DC=subdomain,DC=domain,DC=de
> service-samba-dc | Creating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc | Populating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc | Setting up sam.ldb rootDSE marking as synchronized
> service-samba-dc | Fixing provision GUIDs
> service-samba-dc | A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> service-samba-dc | Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> service-samba-dc | Setting up fake yp server settings
> service-samba-dc | Once the above files are installed, your Samba AD server will be ready to use
> service-samba-dc | Server Role: active directory domain controller
> service-samba-dc | Hostname: DC-1
> service-samba-dc | NetBIOS Domain: REALM
> service-samba-dc | DNS Domain: subdomain.domain.de
> service-samba-dc | DOMAIN SID: S-1-5-21-2386618402-376715021-633914752
>
>
> 2018-08-24 20:54 GMT+02:00, Waishon <waishon009 at gmail.com>:
> > Hello,
> >
> > I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller.
> > Both are installed from the Debian Unstable Sources.
> > I've set up some scripts that allow me to provision the latest
> > samba-version for testing purposes on two VMs. The following
> > configs were working absolutely fine when provisioning a Samba-DC
> > version 4.7.3 and I was able to do profile roaming, but since the
> > DC is version 4.8.4 the following error occurs:
> >
> > After provisioning the samba-dc as described in the Samba-Wiki I
> > installed the samba-fileserver on a separate VM and tried to join
> > it to the DC using "net ads join <REALM>". That works absolutely
> > fine and wbinfo --ping-dc is able to reach the DC. The SID -> UID
> > Mapping using nsswitch also works without any problems.
> >
> > [global]
> > security = ADS
> > workgroup = schule
> > realm = subdomain.domain.de
> > log file = /var/log/samba/%m.log
> > log level = 1
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config schule : backend = rid
> > idmap config schule : range = 100000-200000
> > winbind nss info = template
> > template shell = /bin/bash
> > template homedir = /home/%U
> > username map = /etc/samba/user.map
> >
> > Now I set up a Share for Windows Profile Roaming:
> > [Profiles]
> > comment = User profiles
> > path = /srv/profiles
> > read only = no
> > store dos attributes = Yes
> > guest ok = no
> > browseable = Yes
> > create mask = 0600
> > directory mask = 0700
> > csc policy = disable
> > valid users = @"Realm\Domain Users"
> > oplocks = no
> >

Try this, instead of yours:

[Profiles]
comment = User profiles
path = /srv/profiles
read only = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700
csc policy = disable
valid users = @"SCHULE\Domain Users"
oplocks = no
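
Added example (not part of the message above and not Samba project code): a Python check for the domain prefix that the suggested share changes, comparing each DOMAIN\name entry in the access-list parameters with the workgroup set in [global]. It assumes the default winbind separator "\" and a single domain (a trusted domain's prefix would legitimately differ); the sample file is constructed from the configuration posted in this thread, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample: [global] and [Profiles] abridged from the smb.conf
# posted in this thread.
SAMPLE_SMB_CONF = r"""
[global]
security = ADS
workgroup = schule
realm = subdomain.domain.de
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config schule : backend = rid
idmap config schule : range = 100000-200000
template homedir = /home/%U

[Profiles]
path = /srv/profiles
read only = no
valid users = @"Realm\Domain Users"
"""

# Parameters whose value is a list of user/group names.
ACCESS_LISTS = ("valid users", "invalid users", "read list",
                "write list", "admin users")
# One list entry: optional @ + & prefixes, then a quoted or a bare name.
ENTRY = re.compile(r'[@+&]*"[^"]*"|[^\s,]+')


def domain_prefixes(value):
    """Yield (entry, domain) for every DOMAIN\\name entry in a list value."""
    for entry in ENTRY.findall(value):
        name = entry.lstrip("@+&").strip('"')
        if "\\" in name:  # assumption: default winbind separator
            yield entry, name.split("\\", 1)[0]


def check_access_lists(text):
    """Return (workgroup, findings) for entries whose domain != workgroup."""
    # "=" is the only delimiter: ":" belongs to "idmap config X : ..." names,
    # and %U / %m must not be treated as interpolation.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    glob = next((s for s in cp.sections() if s.lower() == "global"), None)
    # Samba's built-in default when no workgroup is set is WORKGROUP.
    workgroup = cp.get(glob, "workgroup", fallback="WORKGROUP") if glob else "WORKGROUP"
    findings = []
    for section in cp.sections():
        for param in ACCESS_LISTS:
            value = cp.get(section, param, fallback="")
            for entry, domain in domain_prefixes(value):
                if domain.upper() != workgroup.upper():
                    findings.append((section, param, entry, domain))
    return workgroup.upper(), findings


if __name__ == "__main__":
    wg, found = check_access_lists(SAMPLE_SMB_CONF)
    for section, param, entry, domain in found:
        print(f"[{section}] {param}: {entry} uses {domain!r}, workgroup is {wg}")
```

A flagged entry is something to review rather than proof of a fault; on the member server, getent group with the exact quoted name shows whether winbind resolves it.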
Andrew Bartlett
2018-Aug-25 04:12 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
On Fri, 2018-08-24 at 20:54 +0200, Waishon via samba wrote:
> Hello,
>
> I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller. Both
> are installed from the Debian Unstable Sources.
> I've set up some scripts that allow me to provision the latest
> samba-version for testing purposes on two VMs. The following configs were
> working absolutely fine when provisioning a Samba-DC version 4.7.3 and I was
> able to do profile roaming, but since the DC is version 4.8.4 the following
> error occurs:
>
> But when trying to access this share Windows gives a permission denied,
> although the permissions are the same as in the working version 4.7.4.
>
> I found out that samba-tool ntacl get /srv/profiles gives the following
> error:
> pdb backend samba_dsdb:tdb:///var/lib/samba/private/sam.ldb did not
> correctly init (error was NT_STATUS_UNSUCCESSFUL)
> PANIC (pid 1076): pdb_get_methods: failed to get pdb methods for backend
> samba_dsdb:tdb:///var/lib/samba/private/sam.ldb

These parts of samba-tool were written with the assumption that they are running on an AD DC, so when they are run on the fileserver they get very upset.

However, they probably did work in the past before some recent optimisations, so that is a bug. Please file one in bugzilla, I've sent you an invite.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba