samba - Feb 2019 - Troubles upgrading jailed DC from 4.8.7 to 4.8.9

On 2/17/19 8:18 PM, Rowland Penny via samba wrote:
> Possible things to check:
> Is the ip for vlan1 10.1.2.34 ?
Sure.
It's the only IP vlan1 has inside the jail; it's shown as an alias on 
the base host.


> Try just setting 'vlan1'
You mean change "interfaces=vlan1 10.1.2.34/24" to just
"interfaces=vlan1"?
It doesn't change anything (still Samba doesn't start unless I disable 
nbt service).


> Is the 'nmbd' binary being started separately
I don't have nmbd running (not before and not after the upgrade).
Isn't this normal on an AD DC?


>> Or a regression?
> 
> Possibly, if it worked before the upgrade, it is normally expected to
> work after the upgrade. There is probably only one exception to this,
> if what was working, wasn't supposed to and had been fixed.
That's what I'd like to know :)
Is my config ok?
Or is there's something wrong in my smb4.conf and I don't see it?

Anything I should report?


> You will not have any network browsing at all, but there is very little
> with a DC anyway.
I'm personally fine with that; not sure about other users, though...



  bye & Thanks
	av.

On Mon, 18 Feb 2019 09:13:45 +0100
Andrea Venturoli <ml at netfence.it> wrote:
> On 2/17/19 8:18 PM, Rowland Penny via samba wrote:
> 
> > Possible things to check:
> > Is the ip for vlan1 10.1.2.34 ?
> 
> Sure.
> It's the only IP vlan1 has inside the jail; it's shown as an alias
on
> the base host.
> 
> 
> 
> > Try just setting 'vlan1'
> 
> You mean change "interfaces=vlan1 10.1.2.34/24" to just
> "interfaces=vlan1"? It doesn't change anything (still Samba
doesn't
> start unless I disable nbt service).
I do not use jails (I do not use Freebsd come to that), but it was
worth trying. My thinking was, is nbt binding to 'vlan1' then trying to
bind to the ip as well.
> 
> 
> 
> > Is the 'nmbd' binary being started separately
> 
> I don't have nmbd running (not before and not after the upgrade).
> Isn't this normal on an AD DC?
Yes it is, but there was always the possibility that something was
trying to start 'nmbd' as well.
> 
> 
> 
> >> Or a regression?
> > 
> > Possibly, if it worked before the upgrade, it is normally expected
> > to work after the upgrade. There is probably only one exception to
> > this, if what was working, wasn't supposed to and had been fixed.
> 
> That's what I'd like to know :)
> Is my config ok?
I cannot see any problems with it
> Or is there's something wrong in my smb4.conf and I don't see it?
> 
> Anything I should report?
Just open a bug report with the data you have posted here, if anything
else is required, you will be asked for it.
> 
> 
> 
> > You will not have any network browsing at all, but there is very
> > little with a DC anyway.
> 
> I'm personally fine with that; not sure about other users, though...
As Windows is moving away from network browsing, they will have to put
up with it ;-)

Rowland

This sounds familiar... 
I suggest you try without the interface names and only ipnumbers. 

Test 1) 
interfaces = 10.1.2.34/24 127.0.0.1
bind interfaces only = yes
nbt client socket address = 127.0.0.1 

Try again. 

In addition to test 1, Test 2. 
>         ntlm auth=YES
Remove that from the smb.conf then try again. 
At least for this test remove it. 


After a web search I found the solution is to add:
 >         server services=-nbt
Not needed really.. The default are fine. 

In addition to 1 and 2. Test 3, 
Block 137,138 from and to the jailed host.

Can you try above and post your findings? 
Im suspecting conflicting settings. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: maandag 18 februari 2019 11:34
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Troubles upgrading jailed DC from 
> 4.8.7 to 4.8.9
> 
> On Mon, 18 Feb 2019 09:13:45 +0100
> Andrea Venturoli <ml at netfence.it> wrote:
> 
> > On 2/17/19 8:18 PM, Rowland Penny via samba wrote:
> > 
> > > Possible things to check:
> > > Is the ip for vlan1 10.1.2.34 ?
> > 
> > Sure.
> > It's the only IP vlan1 has inside the jail; it's shown as 
> an alias on 
> > the base host.
> > 
> > 
> > 
> > > Try just setting 'vlan1'
> > 
> > You mean change "interfaces=vlan1 10.1.2.34/24" to just
> > "interfaces=vlan1"? It doesn't change anything (still
Samba doesn't
> > start unless I disable nbt service).
> 
> I do not use jails (I do not use Freebsd come to that), but it was
> worth trying. My thinking was, is nbt binding to 'vlan1' then 
> trying to
> bind to the ip as well.
> 
> > 
> > 
> > 
> > > Is the 'nmbd' binary being started separately
> > 
> > I don't have nmbd running (not before and not after the upgrade).
> > Isn't this normal on an AD DC?
> 
> Yes it is, but there was always the possibility that something was
> trying to start 'nmbd' as well.
> 
> > 
> > 
> > 
> > >> Or a regression?
> > > 
> > > Possibly, if it worked before the upgrade, it is normally
expected
> > > to work after the upgrade. There is probably only one exception
to
> > > this, if what was working, wasn't supposed to and had been
fixed.
> > 
> > That's what I'd like to know :)
> > Is my config ok?
> 
> I cannot see any problems with it
> 
> > Or is there's something wrong in my smb4.conf and I don't see
it?
> > 
> > Anything I should report?
> 
> Just open a bug report with the data you have posted here, if anything
> else is required, you will be asked for it.
> 
> > 
> > 
> > 
> > > You will not have any network browsing at all, but there is very
> > > little with a DC anyway.
> > 
> > I'm personally fine with that; not sure about other users,
though...
> 
> As Windows is moving away from network browsing, they will have to put
> up with it ;-)
> 
> Rowland
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 2/18/19 12:07 PM, L.P.H. van Belle via samba wrote:
> This sounds familiar...
> I suggest you try without the interface names and only ipnumbers.
> 
> Test 1)
> interfaces = 10.1.2.34/24 127.0.0.1
> bind interfaces only = yes
> nbt client socket address = 127.0.0.1
> 
> Try again.
Still does not work.
In addition I get:
> WARNING: The "nbt client socket address" option is deprecated
Notice I don't have 127.0.0.1 in this jail, so I also tried "interfaces
= 10.1.2.34/24": still no luck.




> In addition to test 1, Test 2.
>>          ntlm auth=YES
> Remove that from the smb.conf then try again.
> At least for this test remove it.
I fail to understand how this should be related to the above; in any 
case I tried and unfortunately it does not help either.
Why I have NTLM auth enabled, although I know it's "evil", is
another
story :)




> After a web search I found the solution is to add:
>   >         server services=-nbt
> Not needed really.. The default are fine.
Needed actually. It *should* not be needed, but it's the only thing that 
let Samba start presently.




> In addition to 1 and 2. Test 3,
> Block 137,138 from and to the jailed host.
You mean firewalling?
I already have ipfw running and it will not allow port 137 or 138 
from/to anywhere.



  bye & Thanks
	av.

On 2/18/19 11:34 AM, Rowland Penny via samba wrote:
> Just open a bug report with the data you have posted here, if anything
> else is required, you will be asked for it.
Done.




> As Windows is moving away from network browsing, they will have to put
> up with it ;-)
Looking forward to that day <eg>



  bye & Thanks
	av.