samba - Feb 2019 - Debian 9.8 and vanbelle-repos

Hai, 

That bond0 interface, you might want to change that the interface name to bond1
Depending on the bonding settings, you might have hit a reserved name. 
I lots my docu on that but i know i configured a bond1 because bond0 didn work
right.

And then check these. 

wbinfo -pPt  ( or wbinfo -p && wbinfo -P && wbinfo -t ) 

wbinfo --sids-to-unix-ids S-1-22-2-10513
wbinfo -D ARBEITSGRUPPE
wbinfo --all-domains


My bonding setup..
cat /etc/systemd/network/30-bond1*

# /etc/systemd/network/30-bond1-dev1.network
[Match]
MACAddress=78:2b:xx:xx:xx:xx

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1-dev2.network
[Match]
MACAddress=78:2b:xx:xx:xx:xx

[Network]
Bond=bond1

# /etc/systemd/network/30-bond1.netdev
[NetDev]
Name=bond1
Kind=bond

[Bond]
Mode=802.3ad
MIIMonitorSec=1s
#LACPTransmitRate=fast
#UpDelaySec=2s
#DownDelaySec=8s
#TransmitHashPolicy=layer2
#TransmitHashPolicy=layer3+4

# /etc/systemd/network/30-bond1.network
[Match]
Name=bond1

[Network]
DNS=192.168.1.2
DNS=192.168.1.1
Domains=internal.domain.tld
NTP=ntp1.internal.domain.tld
NTP=ntp2.internal.domain.tld
# ntp1 and 2 are CNAMES to DC1 DC2. 

[Address]
Address=192.168.1.11/24

[Route]
Destination=0.0.0.0/0
Gateway=192.168.1.252


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan G. Weichinger via samba
> Verzonden: vrijdag 22 februari 2019 14:55
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Debian 9.8 and vanbelle-repos
> 
> Am 22.02.19 um 14:51 schrieb Rowland Penny via samba:
> 
> > Not good, can you post the smb.conf ?
> > 
> > Rowland
> > 
> 
> [global]
> 	security = ADS
> 	workgroup = ARBEITSGRUPPE
> 	realm = arbeitsgruppe.MYDOMAIN.at
> 	log file = /var/log/samba/%m.log
> 	#log level = 5
> 
> 	log level = 5 auth:5 winbind:8
> 	
> 	idmap config * : backend = tdb
> 	idmap config * : range = 2000-3999
> 
> 	idmap config ARBEITSGRUPPE:backend = ad
> 	idmap config ARBEITSGRUPPE:range = 10000-9999999
> 
> 	idmap config ARBEITSGRUPPE:unix_nss_info = yes
> 
> 	idmap config arbeitsgruppe : schema_mode = rfc2307
> 
> 	username map = /etc/samba/user.map
> 
> 	winbind use default domain = Yes
> 	winbind refresh tickets = Yes
> 
> 	load printers = No
> 	printcap name = /dev/null
> 	
> 	vfs objects = acl_xattr
> 	map acl inherit = yes
> 	store dos attributes = yes
> 
> 	interfaces = bond0
> 
> 	#hosts allow = 10.0.0.22,10.0.0.50
> 
> [Daten]
> 	comment = Daten
> 	path = /mnt/daten
> 	#valid users = @"ARBEITSGRUPPE\\domain users"
> 	#force group = users
> 	read only = No
> 	#create mask = 0660
> 	#directory mask = 0770
> 	create mask = 3660
> 	directory mask = 3770
> 
> [Scans_Plotter]
> 	comment = Scans vom Plotter
> 	path = /mnt/daten/Allgemeines/_Scans/Plotter
> 	#valid users = @"ARBEITSGRUPPE\\domain users"
> 	read only = No
> 	#create mask = 0660
> 	#directory mask = 0770
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

I added the 2 kerberos lines and restarted winbind ... people work
there, so ...



Am 22.02.19 um 15:03 schrieb L.P.H. van Belle:
> Hai, 
> 
> That bond0 interface, you might want to change that the interface name to
bond1
> Depending on the bonding settings, you might have hit a reserved name. 
> I lots my docu on that but i know i configured a bond1 because bond0 didn
work right.
aha ... hm. Worked so far without problems.
> And then check these. 
> 
> wbinfo -pPt  ( or wbinfo -p && wbinfo -P && wbinfo -t ) 
> 
> wbinfo --sids-to-unix-ids S-1-22-2-10513
> wbinfo -D ARBEITSGRUPPE
> wbinfo --all-domains

# wbinfo -pPt
Ping to winbindd succeeded
checking the NETLOGON for domain[ARBEITSGRUPPE] dc connection to
"backup.arbeitsgruppe.MYDOM.at" succeeded
checking the trust secret for domain ARBEITSGRUPPE via RPC calls succeeded

root at main:/etc/samba# wbinfo --sids-to-unix-ids S-1-22-2-10513
S-1-22-2-10513 -> gid 10513

root at main:/etc/samba# wbinfo -D ARBEITSGRUPPE
Name              : ARBEITSGRUPPE
Alt_Name          : arbeitsgruppe.MYDOM.at
SID               : S-1-5-21-2777655458-4002997014-749295002
Active Directory  : Yes
Native            : Yes
Primary           : Yes

root at main:/etc/samba# wbinfo --all-domains
BUILTIN
MAIN
ARBEITSGRUPPE

That bond-issue: later ...

Observation for backups:

if docker is running on the fileserver I can't do backups via amanda,
although I run docker with "--iptables=false" and flushed the
iptables.

But the chains exist:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (0 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-2 (0 references)
target     prot opt source               destination

Chain DOCKER-USER (0 references)
target     prot opt source               destination


Maybe (a) something hangs around still (until reboot or so) and (b) also
blocks samba-related communications

On Fri, 22 Feb 2019 15:03:37 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
> That bond0 interface, you might want to change that the interface
> name to bond1 Depending on the bonding settings, you might have hit a
> reserved name. I lots my docu on that but i know i configured a bond1
> because bond0 didn work right.
> 
> And then check these. 
> 
> wbinfo -pPt  ( or wbinfo -p && wbinfo -P && wbinfo -t ) 
> 
> wbinfo --sids-to-unix-ids S-1-22-2-10513
> wbinfo -D ARBEITSGRUPPE
> wbinfo --all-domains
> 
> 
S-1-22-1 is an unmapped group, so where has the correct SID gone ?
Is 10513 the uidNumber for Domain Users ?

I suggest you check the AD database, if only to rule it out.

Try running this:

rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx'
-c 'lookupnames "ARBEITSGRUPPE\Domain Users"'

Rowland

Am 22.02.19 um 15:16 schrieb Rowland Penny via samba:
> On Fri, 22 Feb 2019 15:03:37 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
>> Hai, 
>>
>> That bond0 interface, you might want to change that the interface
>> name to bond1 Depending on the bonding settings, you might have hit a
>> reserved name. I lots my docu on that but i know i configured a bond1
>> because bond0 didn work right.
>>
>> And then check these. 
>>
>> wbinfo -pPt  ( or wbinfo -p && wbinfo -P && wbinfo -t )
>>
>> wbinfo --sids-to-unix-ids S-1-22-2-10513
>> wbinfo -D ARBEITSGRUPPE
>> wbinfo --all-domains
>>
>>
> 
> S-1-22-1 is an unmapped group, so where has the correct SID gone ?
> Is 10513 the uidNumber for Domain Users ?
> 
> I suggest you check the AD database, if only to rule it out.
> 
> Try running this:
> 
> rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx'
> -c 'lookupnames "ARBEITSGRUPPE\Domain Users"'
gives me:

ARBEITSGRUPPE\Domain Users S-1-5-21-2777655458-4002997014-749295002-513
(Domain Group: 2)

in the meantime I reset iptables with (from ubuntu wiki ...):

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

hmm

Stefan, 

If everythig works now. Then keep it as is. 
Most probly it was the firewall that caused the problem. 

@Rowland, good point. Im everytime amazed with all the commands you know.. :-) 
And SID: S-1-5-21domain-513  = domain users. 

These are "Samba Sids"  S-1-22-[1-2] 
1 useres
2 groups

And thats corect with wbinfo -g 10513 shows all groups. 


Greetz, 

Louis 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stefan G. Weichinger via samba
> Verzonden: vrijdag 22 februari 2019 15:21
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Debian 9.8 and vanbelle-repos
> 
> Am 22.02.19 um 15:16 schrieb Rowland Penny via samba:
> > On Fri, 22 Feb 2019 15:03:37 +0100
> > "L.P.H. van Belle via samba" <samba at
lists.samba.org> wrote:
> > 
> >> Hai, 
> >>
> >> That bond0 interface, you might want to change that the interface
> >> name to bond1 Depending on the bonding settings, you might 
> have hit a
> >> reserved name. I lots my docu on that but i know i 
> configured a bond1
> >> because bond0 didn work right.
> >>
> >> And then check these. 
> >>
> >> wbinfo -pPt  ( or wbinfo -p && wbinfo -P && wbinfo
-t )
> >>
> >> wbinfo --sids-to-unix-ids S-1-22-2-10513
> >> wbinfo -D ARBEITSGRUPPE
> >> wbinfo --all-domains
> >>
> >>
> > 
> > S-1-22-1 is an unmapped group, so where has the correct SID gone ?
> > Is 10513 the uidNumber for Domain Users ?
> > 
> > I suggest you check the AD database, if only to rule it out.
> > 
> > Try running this:
> > 
> > rpcclient localhost -U'arbeitsgruppe\administrator%xxxxxxxxxx'
> > -c 'lookupnames "ARBEITSGRUPPE\Domain Users"'
> 
> gives me:
> 
> ARBEITSGRUPPE\Domain Users 
> S-1-5-21-2777655458-4002997014-749295002-513
> (Domain Group: 2)
> 
> in the meantime I reset iptables with (from ubuntu wiki ...):
> 
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -t mangle -F
> iptables -t mangle -X
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
> 
> hmm
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>