----- On Apr 24, 2019, at 1:49 PM, samba samba at lists.samba.org wrote:
> On Wed, 24 Apr 2019 12:36:15 -0500 (CDT)
> Mike Ray via samba <samba at lists.samba.org> wrote:
>
>> [global]
>> dns forwarder = 192.168.2.101 192.168.2.102
>
> What are the dns forwarders ?
> By this I mean, are they dns servers outside the AD dns domain, no
> nothing about the AD domain, but do know about the internet.
>

These DNS forwarders are other internal servers. They provide connectivity to non-domain systems and the internet.

>> idmap_ldb:use rfc2307 = yes
>> ldap server require strong auth = no
>> netbios name = dc5
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> Is the above different from the output of:
> samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>

# samba -b | grep NTP_SIGND_SOCKET_DIR
NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

> If it isn't, you can remove that line, if it is, why ?

When getting NTP working on the DCs, I found a blog post (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html) that used the following command to figure out where the socket was:
netstat -xpln | grep signd

On my DCs, that returns:
# netstat -xpln | grep signd
unix 2 [ ACC ] STREAM LISTENING 28320 972/samba /var/run/samba/ntp_signd/socket

I set it to allow NTP to function.

>
>> realm = REALM.COM
>> server role = active directory domain controller
>> workgroup = REALM
>> acl:search = no
>
> That is a blast from the past, or to put it another way, it is very
> doubtful you need it

This is indeed a carry-over from our original DCs. I'll talk to the guy who put it in to have him review it.

>
>> load printers = no
>> ntp signd socket directory = /var/run/samba/ntp_signd
>
> So good, you have it twice ;-)

Oops :)

>
>
>> >
>> > acl allow execute always New False
>> > password level Removed
>> > set directory Removed
>> > use ntdb
>> > New No
>>
>> None of these options are set.
>
> Just because they are not there, doesn't mean they are not set.
> If a parameter has a default value, then if a parameter isn't set, the
> default value is used, this might not be what you want in your setup.

You are right -- I should have clarified that we are not setting these values, so the defaults are in use.

Curiously, only one of those seems to exist in 4.9.6:
# testparm -v | grep -E "acl allow execute always|password level|set directory|use ntdb"
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
acl allow execute always = No

>
>> >
>> > The commands Andrew showed are working.
>> > You need to trigger a re-index and that should work.
>> >
>> > Before you do that, run on all servers:
>> > samba-tool dbcheck --cross-ncs
>> > ( to fix errors, run it again , add --fix (--yes)
>>
>> This command runs nightly. I ran it manually and confirmed no issues.
>>
>> >
>> > samba-tool dbcheck --reindex
>> > You need to run it once on every server.
>>
>> I ran this and it said "re-index OK" (or similar).
>>
>> The only weird thing here was that if I ran the command again, it had
>> the same output.
>
> This is probably to be expected, I mean that it is hardly likely to
> print something like 'The re-index is still OK.' ;-)

What I meant is that it prints out 54 lines (that line count is stable for now) of the following:
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in <object>, duplicate of <object>

And even with repeated runs, it returns that same output. I kind of expected this to function like "samba-tool dbcheck --fix" where after it ran, that output would not happen.

>> Roughly -- the big difference here is that our old version was a
>> custom compiled piece of junk, so we spun up a new server (with the
>> sernet packages) and let the old servers replicate to the new one,
>> instead of upgrading in place.
>
> That should have worked.
>
>> > And other way to fix this, check all server, push the database from
>> > a good server to DC5.
>>
>> What do you mean "push the database from a good server"? I assume you
>> mean something more than just replicate from one DC to another.
>
> I think he meant what you did above, join a new DC, either that or
> running 'samba-tool drs replicate'

Replication occurs automatically in the background, correct? I can certainly manually run it, I just don't understand why if "samba-tool drs showrepl" shows no errors -- i.e. it's already getting the database/data, isn't it?

>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, 24 Apr 2019 14:07:37 -0500 (CDT)
Mike Ray <mray at xes-inc.com> wrote:

> >> idmap_ldb:use rfc2307 = yes
> >> ldap server require strong auth = no
> >> netbios name = dc5
> >> ntp signd socket directory = /var/run/samba/ntp_signd
> >
> > Is the above different from the output of:
> > samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
> >
>
> # samba -b | grep NTP_SIGND_SOCKET_DIR
> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>
> > If it isn't, you can remove that line, if it is, why ?
>
> When getting NTP working on the DCs, I found a blog post
> (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html)
> that used the following command to figure out where the socket was:
> netstat -xpln | grep signd
>
> On my DCs, that returns:
> # netstat -xpln | grep signd
> unix 2 [ ACC ] STREAM LISTENING 28320
> 972/samba /var/run/samba/ntp_signd/socket
>
> I set it to allow NTP to function.

Not sure I understand this, 'samba -b' shows it expects '/var/lib/samba/ntp_signed' but your netstat command shows '/var/run/samba/ntp_signd'. I have to ask, why is this ?
I also have to ask why you didn't read the Samba wiki ?

> >> realm = REALM.COM
> >> server role = active directory domain controller
> >> workgroup = REALM
> >> acl:search = no
> >
> > That is a blast from the past, or to put it another way, it is very
> > doubtful you need it
>
> This is indeed a carry-over from our original DCs. I'll talk to the
> guy who put it in to have him review it.

Initially (we are talking Samba 4.0.x here) there were problems that required the line, I see no reason to have it now.

> > This is probably to be expected, I mean that it is hardly likely to
> > print something like 'The re-index is still OK.' ;-)
>
> What I meant is that it prints out 54 lines (that line count is
> stable for now) of the following:
> ../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute
> value in <object>, duplicate of <object>
>
> And even with repeated runs, it returns that same output.
>
> I kind of expected this to function like "samba-tool dbcheck --fix"
> where after it ran, that output would not happen.

Do the letters 'DEL' occur in the lines and are they in the 'Deleted Objects' container ?
If so, they are actually tombstones and dbcheck will not fix them.

Can you share the output with me ? I may see something you have missed.
You can send them to me offlist if required.

> > I think he meant what you did above, join a new DC, either that or
> > running 'samba-tool drs replicate'
>
> Replication occurs automatically in the background, correct?

It is supposed to, but sometimes it doesn't work that way ;-)

> I can certainly manually run it, I just don't understand why if
> "samba-tool drs showrepl" shows no errors -- i.e. it's already
> getting the database/data, isn't it?

You can double check with 'samba-tool ldapcmp'

Rowland
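As an added example (not code from this thread or from the Samba project), here is a small triage script for the question Rowland raises above: it parses the "duplicate attribute value in ..., duplicate of ..." lines that dbcheck --reindex prints and separates the ones involving tombstones (a DN with \0ADEL: in its RDN under CN=Deleted Objects, which dbcheck will not fix) from the ones between live objects, which are the ones worth looking at. The sample output and the DNs in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of 'samba-tool dbcheck --reindex' output, modelled on the
# single line quoted in the thread. These DNs are made up, not from any real DC.
SAMPLE_OUTPUT = """\
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in CN=jdoe,CN=Users,DC=realm,DC=com, duplicate of CN=jdoe,OU=Staff,DC=realm,DC=com
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in CN=old-pc\\0ADEL:6f1a2b3c-0000-1111-2222-333344445555,CN=Deleted Objects,DC=realm,DC=com, duplicate of CN=old-pc,CN=Computers,DC=realm,DC=com
../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute value in CN=svc-backup,OU=Service,DC=realm,DC=com, duplicate of CN=svc-backup,CN=Users,DC=realm,DC=com
re-index OK
"""

# DNs may themselves contain commas, so anchor on the literal ", duplicate of "
# separator rather than splitting on commas.
LINE_RE = re.compile(r"duplicate attribute value in (?P<first>.+?), duplicate of (?P<second>.+)$")


def is_tombstone(dn):
    """True if the DN is a deleted (tombstoned) object: ldb renders the RDN with
    a literal '\\0ADEL:<guid>' and moves it under CN=Deleted Objects."""
    return "\\0ADEL:" in dn or "cn=deleted objects" in dn.lower()


def parse_duplicates(text):
    """Return (first_dn, second_dn) pairs for every duplicate-attribute line."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("first"), m.group("second")))
    return pairs


def classify(text):
    """Count tombstone vs live duplicates and return the live pairs to inspect."""
    counts = Counter()
    live = []
    for first, second in parse_duplicates(text):
        if is_tombstone(first) or is_tombstone(second):
            counts["tombstone"] += 1
        else:
            counts["live"] += 1
            live.append((first, second))
    return counts, live


if __name__ == "__main__":
    counts, live = classify(SAMPLE_OUTPUT)
    print("tombstone duplicates: %d, live duplicates: %d" % (counts["tombstone"], counts["live"]))
    for first, second in live:
        print("  %s  <->  %s" % (first, second))
```

Feed it the real output with `samba-tool dbcheck --reindex 2>&1 | python3 triage.py` after replacing SAMPLE_OUTPUT with `sys.stdin.read()`; the live pairs are the objects to compare across DCs.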
----- On Apr 24, 2019, at 2:35 PM, samba samba at lists.samba.org wrote:
> On Wed, 24 Apr 2019 14:07:37 -0500 (CDT)
> Mike Ray <mray at xes-inc.com> wrote:
>
>> >> idmap_ldb:use rfc2307 = yes
>> >> ldap server require strong auth = no
>> >> netbios name = dc5
>> >> ntp signd socket directory = /var/run/samba/ntp_signd
>> >
>> > Is the above different from the output of:
>> > samba -b | grep 'NTP_SIGND_SOCKET_DIR' | awk '{print $NF}'
>> >
>>
>> # samba -b | grep NTP_SIGND_SOCKET_DIR
>> NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd
>>
>> > If it isn't, you can remove that line, if it is, why ?
>>
>> When getting NTP working on the DCs, I found a blog post
>> (https://blog.svedr.in/posts/configuring-ntpd-for-a-samba-4-domain.html)
>> that used the following command to figure out where the socket was:
>> netstat -xpln | grep signd
>>
>> On my DCs, that returns:
>> # netstat -xpln | grep signd
>> unix 2 [ ACC ] STREAM LISTENING 28320
>> 972/samba /var/run/samba/ntp_signd/socket
>>
>> I set it to allow NTP to function.
>
> Not sure I understand this, 'samba -b' shows it expects
> '/var/lib/samba/ntp_signed' but your netstat command shows
> '/var/run/samba/ntp_signd'. I have to ask, why is this ?
> I also have to ask why you didn't read the Samba wiki ?
>

I used both the wiki and that blog post. In the wiki, one of the first lines reads:

Verify the socket permissions on your domain controller (DC). The time daemon must have read permissions in the ntp_signed directory. To list the permissions, enter:
# ls -ld /usr/local/samba/var/lib/ntp_signd/
drwxr-x--- 2 root ntp 4096 1. May 09:30 /usr/local/samba/var/lib/ntp_signd/

My configuration is not rooted under /usr/local/samba but uses the file system directly (e.g. /var/lib/samba). However, instead of just blindly using /var/lib/samba/ntp_signd, I decided I should verify the proper directory (as there was a bunch of other cruft from the old DCs -- and still is as you have seen). That's when I went searching, found the blog and found that it was using /var/run/samba/ntp_signd/. It's probably worth noting that I do not believe I set anything to force it to use that directory -- in fact I changed the option in smb.conf to that value away from /var/lib/samba/ntp_signd AFTER I found it with netstat.

>> >> realm = REALM.COM
>> >> server role = active directory domain controller
>> >> workgroup = REALM
>> >> acl:search = no
>> >
>> > That is a blast from the past, or to put it another way, it is very
>> > doubtful you need it
>>
>> This is indeed a carry-over from our original DCs. I'll talk to the
>> guy who put it in to have him review it.
>
> Initially (we are talking Samba 4.0.x here) there were problems
> that required the line, I see no reason to have it now.
>

Noted -- thanks!

>> > This is probably to be expected, I mean that it is hardly likely to
>> > print something like 'The re-index is still OK.' ;-)
>>
>> What I meant is that it prints out 54 lines (that line count is
>> stable for now) of the following:
>> ../lib/ldb/ldb_tdb/ldb_index.c:2362: duplicate attribute
>> value in <object>, duplicate of <object>
>>
>> And even with repeated runs, it returns that same output.
>>
>> I kind of expected this to function like "samba-tool dbcheck --fix"
>> where after it ran, that output would not happen.
>
> Do the letters 'DEL' occur in the lines and are they in the 'Deleted
> Objects' container ?
>
> If so, they are actually tombstones and dbcheck will not fix them.

No, these do not appear to be related to tombstones, but valid and active objects.

> Can you share the output with me ? I may see something you have missed.
> You can send them to me offlist if required.

I'll send it to you offlist.

>> > I think he meant what you did above, join a new DC, either that or
>> > running 'samba-tool drs replicate'
>>
>> Replication occurs automatically in the background, correct?
>
> It is supposed to, but sometimes it doesn't work that way ;-)
>
>> I can certainly manually run it, I just don't understand why if
>> "samba-tool drs showrepl" shows no errors -- i.e. it's already
>> getting the database/data, isn't it?
>
> You can double check with 'samba-tool ldapcmp'

This also runs nightly and has not yet noted any errors since the upgrade (~12 days).

>
> Rowland