----- On Apr 24, 2019, at 1:42 AM, samba samba at lists.samba.org wrote:

> Hai
>
> I would suggest first.
>
> What's the OS?

Linux 18.04

> And sharing your smb.conf might help.

[global]
dns forwarder = 192.168.2.101 192.168.2.102
idmap_ldb:use rfc2307 = yes
ldap server require strong auth = no
netbios name = dc5
ntp signd socket directory = /var/run/samba/ntp_signd
realm = REALM.COM
server role = active directory domain controller
workgroup = REALM
acl:search = no
load printers = no
ntp signd socket directory = /var/run/samba/ntp_signd
printcap name = /dev/null
printing = bsd

[netlogon]
path = /var/lib/samba/sysvol/realm.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

> Now, i suggest have a look here,
> http://downloads.van-belle.nl/samba4/Upgrade-info.txt
> It's only missing the step from 4.0 to 4.1 )
> ( this part )
> The important change you need to know is :
> Parameter Name             Description   Default
> --------------             -----------   -------
>
> acl allow execute always   New           False
> password level             Removed
> set directory              Removed
> use ntdb                   New           No
>

None of these options are set.

> The commands Andrew showed are working.
> You need to trigger a re-index and that should work.
>
> Before you do that, run on all servers:
> samba-tool dbcheck --cross-ncs
> ( to fix errors, run it again , add --fix (--yes)

This command runs nightly. I ran it manually and confirmed no issues.

> samba-tool dbcheck --reindex
> You need to run it once on every server.

I ran this and it said "re-index OK" (or similar).

The only weird thing here was that if I ran the command again, it had the same output.

> I think personally, something is off on DC5. that's why i want to see the smb.conf
> and want to know the os.
>
>>> "ERROR(<type 'exceptions.IndexError'>): uncaught exception - list index out of
>>> range".
>
> And you did all needed steps as shown in:
> https://wiki.samba.org/index.php/Updating_Samba ?

Roughly -- the big difference here is that our old version was a custom compiled piece of junk, so we spun up a new server (with the sernet packages) and let the old servers replicate to the new one, instead of upgrading in place.

> And other way to fix this, check all server, push the database from a good
> server to DC5.

What do you mean "push the database from a good server"? I assume you mean something more than just replicate from one DC to another.

> But try above first.
>
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Tuesday 23 April 2019 19:54
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Odd behavior since upgrading to 4.9.6
>>
>> On Tue, 23 Apr 2019 11:51:48 -0500 (CDT)
>> Mike Ray <mray at xes-inc.com> wrote:
>>
>> > > I wonder if you are hitting this bug:
>> > >
>> > > https://bugzilla.samba.org/show_bug.cgi?id=13760
>> > >
>> > > I know it is supposed to be fixed, but I wonder ??
>> >
>> > It looks like Andrew suggests a number of commands can be run to fix
>> > it. Think there is any chance that simply running them now may work?
>> > Or danger?
>>
>> You will not be any worse off trying the commands, so give it a try.
>> I am not 100% sure the bug is your problem, but it sounds likely.
>>
>> > >
>> > > Is there any way you can downgrade again, then walk your way up the
>> > > versions ?
>> >
>> > Is there a builtin way to downgrade or official documentation on that
>> > process?
>>
>> No, the easiest way would be to set up Samba 4.7.x in a VM and join
>> this to the domain. If this works, I would transfer the FSMO roles to
>> this VM and then demote the other DC's. You could then reinstall
>> Samba 4.7.x on these and rejoin them to the domain, then upgrade each
>> to 4.8.x, restart Samba on each. Once all your old DC's are running
>> 4.8.x correctly, you could then transfer the FSMO roles, then demote and
>> remove the VM.
>>
>> I would also suggest you get good backups before doing anything.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> ----- On Apr 24, 2019, at 1:42 AM, samba samba at lists.samba.org wrote:
>
>> Hai
>>
>> I would suggest first.
>>
>> What's the OS?
>
> Linux 18.04

Whoops -- this should read "Ubuntu 18.04"
On Wed, 24 Apr 2019 12:36:15 -0500 (CDT)
Mike Ray via samba <samba at lists.samba.org> wrote:

> [global]
> dns forwarder = 192.168.2.101 192.168.2.102

What are the dns forwarders ?
By this I mean, are they dns servers outside the AD dns domain, know nothing about the AD domain, but do know about the internet.

> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> netbios name = dc5
> ntp signd socket directory = /var/run/samba/ntp_signd

Is the above different from the output of:

samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'

If it isn't, you can remove that line, if it is, why ?

> realm = REALM.COM
> server role = active directory domain controller
> workgroup = REALM
> acl:search = no

That is a blast from the past, or to put it another way, it is very doubtful you need it

> load printers = no
> ntp signd socket directory = /var/run/samba/ntp_signd

So good, you have it twice ;-)

> > acl allow execute always   New           False
> > password level             Removed
> > set directory              Removed
> > use ntdb                   New           No
>
> None of these options are set.

Just because they are not there, doesn't mean they are not set. If a parameter has a default value, then if a parameter isn't set, the default value is used, this might not be what you want in your setup.

> > The commands Andrew showed are working.
> > You need to trigger a re-index and that should work.
> >
> > Before you do that, run on all servers:
> > samba-tool dbcheck --cross-ncs
> > ( to fix errors, run it again , add --fix (--yes)
>
> This command runs nightly. I ran it manually and confirmed no issues.
>
> > samba-tool dbcheck --reindex
> > You need to run it once on every server.
>
> I ran this and it said "re-index OK" (or similar).
>
> The only weird thing here was that if I ran the command again, it had
> the same output.

This is probably to be expected, I mean that it is hardly likely to print something like 'The re-index is still OK.' ;-)

> Roughly -- the big difference here is that our old version was a
> custom compiled piece of junk, so we spun up a new server (with the
> sernet packages) and let the old servers replicate to the new one,
> instead of upgrading in place.

That should have worked.

> > And other way to fix this, check all server, push the database from
> > a good server to DC5.
>
> What do you mean "push the database from a good server"? I assume you
> mean something more than just replicate from one DC to another.

I think he meant what you did above, join a new DC, either that or running 'samba-tool drs replicate'

Rowland
----- On Apr 24, 2019, at 1:49 PM, samba samba at lists.samba.org wrote:

> On Wed, 24 Apr 2019 12:36:15 -0500 (CDT)
> Mike Ray via samba <samba at lists.samba.org> wrote:
>
>> [global]
>> dns forwarder = 192.168.2.101 192.168.2.102
>
> What are the dns forwarders ?
> By this I mean, are they dns servers outside the AD dns domain, know
> nothing about the AD domain, but do know about the internet.
>

These DNS forwarders are other internal servers. They provide connectivity to non-domain systems and the internet.

>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> netbios name = dc5
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> Is the above different from the output of:
> samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>

# samba -b | grep NTP_SIGND_SOCKET_DIR
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

> If it isn't, you can remove that line, if it is, why ?

When getting NTP working on the DCs, I found a blog post (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html) that used the following command to figure out where the socket was:

netstat -xpln | grep signd

On my DCs, that returns:

# netstat -xpln | grep signd
unix 2 [ ACC ] STREAM LISTENING 28320 972/samba /var/run/samba/ntp_signd/socket

I set it to allow NTP to function.

>
>> realm = REALM.COM
>> server role = active directory domain controller
>> workgroup = REALM
>> acl:search = no
>
> That is a blast from the past, or to put it another way, it is very
> doubtful you need it

This is indeed a carry-over from our original DCs. I'll talk to the guy who put it in to have him review it.

>
>> load printers = no
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> So good, you have it twice ;-)

Oops :)

>
>> > acl allow execute always   New           False
>> > password level             Removed
>> > set directory              Removed
>> > use ntdb                   New           No
>>
>> None of these options are set.
>
> Just because they are not there, doesn't mean they are not set. If a
> parameter has a default value, then if a parameter isn't set, the
> default value is used, this might not be what you want in your setup.

You are right -- I should have clarified that we are not setting these values, so the defaults are in use.

Curiously, only one of those seems to exist in 4.9.6:

# testparm -v | grep -E "acl allow execute always|password level|set directory|use ntdb"
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
acl allow execute always = No

>
>> > The commands Andrew showed are working.
>> > You need to trigger a re-index and that should work.
>> >
>> > Before you do that, run on all servers:
>> > samba-tool dbcheck --cross-ncs
>> > ( to fix errors, run it again , add --fix (--yes)
>>
>> This command runs nightly. I ran it manually and confirmed no issues.
>>
>> > samba-tool dbcheck --reindex
>> > You need to run it once on every server.
>>
>> I ran this and it said "re-index OK" (or similar).
>>
>> The only weird thing here was that if I ran the command again, it had
>> the same output.
>
> This is probably to be expected, I mean that it is hardly likely to
> print something like 'The re-index is still OK.' ;-)

What I meant is that it prints out 54 lines (that line count is stable for now) of the following:

../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in <object>, duplicate of <object>

And even with repeated runs, it returns that same output. I kind of expected this to function like "samba-tool dbcheck --fix" where after it ran, that output would not happen.

>
>> Roughly -- the big difference here is that our old version was a
>> custom compiled piece of junk, so we spun up a new server (with the
>> sernet packages) and let the old servers replicate to the new one,
>> instead of upgrading in place.
>
> That should have worked.
>
>> > And other way to fix this, check all server, push the database from
>> > a good server to DC5.
>>
>> What do you mean "push the database from a good server"? I assume you
>> mean something more than just replicate from one DC to another.
>
> I think he meant what you did above, join a new DC, either that or
> running 'samba-tool drs replicate'

Replication occurs automatically in the background, correct? I can certainly manually run it, I just don't understand why if "samba-tool drs showrepl" shows no errors -- i.e. it's already getting the database/data, isn't it?

>
> Rowland
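
An added example, not part of any message in this thread: a small smb.conf check for the two things raised above, a parameter set twice in one section and a configured value that differs from the build default reported by `samba -b`. The function names and the trimmed sample file are constructed for illustration; the two paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the smb.conf posted in this thread.
sample_conf() {
cat <<'EOF'
[global]
    dns forwarder = 192.168.2.101 192.168.2.102
    ntp signd socket directory = /var/run/samba/ntp_signd
    realm = REALM.COM
    acl:search = no
    load printers = no
    ntp signd socket directory = /var/run/samba/ntp_signd
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
EOF
}

# Print "section<TAB>parameter<TAB>count" for each parameter set more than once
# in a section. Names are compared ignoring case and whitespace, as smb.conf does.
find_duplicates() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        (eq = index($0, "=")) > 0 {
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            n[sec "\t" name]++
        }
        END { for (k in n) if (n[k] > 1) print k "\t" n[k] }
    '
}

# Print the value a [global] parameter ends up with.
# Assumption: when a parameter is repeated, the later line overrides the earlier.
global_value() {
    want=$(printf '%s' "$1" | tr -d ' \t' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/[ \t]/, "", sec); next }
        sec == "[global]" && (eq = index($0, "=")) > 0 {
            name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
            if (name == want) { val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) }
        }
        END { print val }
    '
}

# On a DC, take this from: samba -b | awk '/NTP_SIGND_SOCKET_DIR/ {print $NF}'
compiled_default=/var/lib/samba/ntp_signd
configured=$(sample_conf | global_value 'ntp signd socket directory')
sample_conf | find_duplicates
[ "$configured" = "$compiled_default" ] || echo "override: $configured (build default: $compiled_default)"
```
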