Rowland Penny
2018-Aug-24 19:31 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
On Fri, 24 Aug 2018 21:07:54 +0200 Waishon via samba <samba at lists.samba.org> wrote:

> If it's imported here's the DC-Provision log too:
>
> service-samba-dc | Looking up IPv4 addresses
> service-samba-dc | More than one IPv4 address found. Using 192.168.188.2
> service-samba-dc | Looking up IPv6 addresses
> service-samba-dc | No IPv6 address will be assigned
> service-samba-dc | Setting up share.ldb
> service-samba-dc | Setting up secrets.ldb
> service-samba-dc | Setting up the registry
> service-samba-dc | Setting up the privileges database
> service-samba-dc | Setting up idmap db
> service-samba-dc | Setting up SAM db
> service-samba-dc | Setting up sam.ldb partitions and settings
> service-samba-dc | Setting up sam.ldb rootDSE
> service-samba-dc | Pre-loading the Samba 4 and AD schema
> service-samba-dc | Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> service-samba-dc |
> service-samba-dc | Adding DomainDN: DC=subdomain,DC=domain,DC=de
> service-samba-dc | Adding configuration container
> service-samba-dc | Setting up sam.ldb schema
> service-samba-dc | Setting up sam.ldb configuration data
> service-samba-dc | Setting up display specifiers
> service-samba-dc | Modifying display specifiers and extended rights
> service-samba-dc | Adding users container
> service-samba-dc | Modifying users container
> service-samba-dc | Adding computers container
> service-samba-dc | Modifying computers container
> service-samba-dc | Setting up sam.ldb data
> service-samba-dc | Setting up well known security principals
> service-samba-dc | Setting up sam.ldb users and groups
> service-samba-dc | Setting up self join
> service-samba-dc | Adding DNS accounts
> service-samba-dc | Creating CN=MicrosoftDNS,CN=System,DC=subdomain,DC=domain,DC=de
> service-samba-dc | Creating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc | Populating DomainDnsZones and ForestDnsZones partitions
> service-samba-dc | Setting up sam.ldb rootDSE marking as synchronized
> service-samba-dc | Fixing provision GUIDs
> service-samba-dc | A Kerberos configuration suitable for Samba AD has been generated at /var/lib/samba/private/krb5.conf
> service-samba-dc | Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> service-samba-dc | Setting up fake yp server settings
> service-samba-dc | Once the above files are installed, your Samba AD server will be ready to use
> service-samba-dc | Server Role: active directory domain controller
> service-samba-dc | Hostname: DC-1
> service-samba-dc | NetBIOS Domain: REALM
> service-samba-dc | DNS Domain: subdomain.domain.de
> service-samba-dc | DOMAIN SID: S-1-5-21-2386618402-376715021-633914752
>
>
> 2018-08-24 20:54 GMT+02:00, Waishon <waishon009 at gmail.com>:
> > Hello,
> >
> > I'm trying to join a samba-fileserver to a 4.8.4 Domain Controller.
> > Both are installed from the Debian Unstable Sources.
> > I've set up some scripts that allow me to provision the latest
> > samba-version for testing purposes on two VMs. The following
> > configs were working absolutely fine when provisioning a Samba-DC
> > version 4.7.3 and I was able to do profile roaming, but since the
> > DC is version 4.8.4 the following error occurs:
> >
> > After provisioning the samba-dc as described in the Samba-Wiki I
> > installed the samba-fileserver on a separate VM and tried to join
> > it to the DC using "net ads join <REALM>". That works absolutely
> > fine and wbinfo --ping-dc is able to reach the DC. The SID -> UID
> > Mapping using nsswitch also works without any problems.
> >
> > [global]
> > security = ADS
> > workgroup = schule
> > realm = subdomain.domain.de
> > log file = /var/log/samba/%m.log
> > log level = 1
> > idmap config * : backend = tdb
> > idmap config * : range = 3000-7999
> > idmap config schule : backend = rid
> > idmap config schule : range = 100000-200000
> > winbind nss info = template
> > template shell = /bin/bash
> > template homedir = /home/%U
> > username map = /etc/samba/user.map
> >
> > Now I set up a Share for Windows Profile Roaming:
> > [Profiles]
> > comment = User profiles
> > path = /srv/profiles
> > read only = no
> > store dos attributes = Yes
> > guest ok = no
> > browseable = Yes
> > create mask = 0600
> > directory mask = 0700
> > csc policy = disable
> > valid users = @"Realm\Domain Users"
> > oplocks = no
> >

Try this, instead of yours:

[Profiles]
comment = User profiles
path = /srv/profiles
read only = no
store dos attributes = Yes
create mask = 0600
directory mask = 0700
csc policy = disable
valid users = @"SCHULE\Domain Users"
oplocks = no
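Added example, not part of the original thread: the share definition suggested above differs from the quoted one in the domain prefix of "valid users", which now matches the "workgroup" value. The sketch below lints an smb.conf for that consistency; the function names and the trimmed sample are constructed for illustration, and the default winbind separator "\" is assumed.

```python
import re

# Constructed sample: the member-server settings quoted in the thread (trimmed).
SAMPLE = r"""
[global]
    security = ADS
    workgroup = schule
    realm = subdomain.domain.de
    idmap config * : backend = tdb
    idmap config schule : backend = rid
[Profiles]
    path = /srv/profiles
    valid users = @"Realm\Domain Users"
"""

USER_LISTS = ("valid users", "invalid users", "read list", "write list", "admin users")

def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names lower-cased, spacing normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def check_domain_names(text):
    """Return (section, parameter, name) for each domain name that is not the workgroup."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    workgroup = glob.get("workgroup", "").upper()
    findings = []
    # The domain's idmap backend is keyed by the NetBIOS (workgroup) name.
    idmap = {m.group(1).upper() for k in glob
             if (m := re.fullmatch(r"idmap config (.+?) ?: ?backend", k))}
    if workgroup not in idmap:
        findings.append(("global", "idmap config", workgroup))
    # DOMAIN\name entries, assuming the default winbind separator "\".
    for section, params in conf.items():
        for param in USER_LISTS:
            for prefix in re.findall(r"([\w.-]+)\\", params.get(param, "")):
                if prefix.upper() != workgroup:
                    findings.append((section, param, prefix))
    return findings

if __name__ == "__main__":
    for finding in check_domain_names(SAMPLE):
        print("mismatch:", finding)
```
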
Waishon
2018-Aug-24 20:06 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
Hi,

thanks for your suggestions. Do you think this causes the stacktrace above? I just added "REALM" as a placeholder and it worked on a DC that was provisioned using Samba 4.7.3 and upgraded afterwards to Samba 4.8.4 absolutely fine with this config and the command "samba-tool ntacl get /srv/profiles" returns the correct ACLs of this directory.

When I interpret this correctly it seems that the Fileserver is unable to find the DomainSID. Normally the command "ntacl get" should return the ACLs and not that stacktrace, shouldn't it :).

Thanks in advance!
Rowland Penny
2018-Aug-24 20:31 UTC
[Samba] Samba fileserver member corrupt smb.ldb after joining 4.8.4 Samba DC
On Fri, 24 Aug 2018 22:06:01 +0200 Waishon <waishon009 at gmail.com> wrote:

> Hi,
>
> thanks for your suggestions. Do you think this causes the
> stacktrace above? I just added "REALM" as a placeholder and it
> worked on a DC that was provisioned using Samba 4.7.3 and upgraded
> afterwards to Samba 4.8.4 absolutely fine with this config and the
> command "samba-tool ntacl get /srv/profiles" returns the correct ACLs
> of this directory.
>
> When I interpret this correctly it seems that the Fileserver is
> unable to find the DomainSID. Normally the command "ntacl get" should
> return the ACLs and not that stacktrace, shouldn't it :).
>

Does 'wbinfo -D SAMDOM'

Return something like this:

Name             : SAMDOM
Alt_Name         : samdom.example.com
SID              : S-1-5-21-1768301897-3342589593-1064908849
Active Directory : Yes
Native           : Yes
Primary          : Yes

Also have you read this:

https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles

Rowland