Mason Schmitt
2019-Apr-25 17:34 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
> > Forgot to mention, are you sure your time sync over AD is working correctly.
> > One to add to your list, check times of server and clients, (* yes again,
> > if needed just to be sure).
>
Yes, I have double checked that time is correctly being synced.

FYI, Rowland, the process outlined in the wiki for using chronyd does not work on Ubuntu 18.04 (my AD DC is on Ubuntu, but my file server is CentOS). I can only successfully sync Windows clients with ntpd running on the DC. Also, if using AppArmor, the default AppArmor rules don't work. Here's what I had to do to get Windows clients to successfully sync with my Ubuntu DC.

# Install ntp (if chrony is installed, this will disable and mask chrony in systemd)
apt install ntp

# First comment out the default NTP ACLs
sed -i 's/^restrict -/#restrict -/g' /etc/ntp.conf

# Then add some samba specific settings to /etc/ntp.conf
cat << EOF >> /etc/ntp.conf

# Use AD for authenticating Windows NTP clients
ntpsigndsocket /var/lib/samba/ntp_signd

# Access control
# Default restriction: Allow clients to only query the time
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp

# We're running in a VM, so we need to protect ntpd from waking up
# in a panic, in a situation where a VM has been shutdown for an
# extended period of time
tinker panic 0
EOF

# There is a bug in Ubuntu's apparmor config for ntp, so this fixes it
sed -i /ntp_signd/c'\ /var/lib/samba/ntp_signd/socket rw,' /etc/apparmor.d/usr.sbin.ntpd
apparmor_parser --replace /etc/apparmor.d/usr.sbin.ntpd

# Set the necessary permissions on the ntp signed socket
chmod 750 /var/lib/samba/ntp_signd
chown root:ntp /var/lib/samba/ntp_signd

systemctl enable ntp.service
systemctl restart ntp.service

# Test to make sure NTP is working
ntpq -p

--
Mason
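The procedure above changes three things that are easy to get subtly wrong: the ntp.conf restrict lines (a stock "restrict default" line left in place answers Windows clients without an MS-SNTP signature), the AppArmor rule for the signing socket, and the socket directory permissions. The following shell script is an added example (mine, not Mason's and not from the Samba wiki) that checks all three. The sample ntp.conf and profile files it writes are constructed here so it runs offline; on a real DC you would point the functions at /etc/ntp.conf, /etc/apparmor.d/usr.sbin.ntpd and /var/lib/samba/ntp_signd instead.

```shell
#!/bin/sh
# verify_ntp_signd.sh: sanity-check an ntpd + AppArmor setup for Samba MS-SNTP signing.
# Added example, not from the list post. Uses GNU grep/stat (as on Ubuntu).

# check_ntp_conf FILE: 0 when FILE points ntpd at Samba's signing socket and every
# "restrict default" line carries mssntp; prints the reason and returns 1 otherwise.
check_ntp_conf() {
  conf=$1
  if ! grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/var/lib/samba/ntp_signd' "$conf"; then
    echo "$conf: missing 'ntpsigndsocket /var/lib/samba/ntp_signd'"; return 1
  fi
  if ! grep -Eq '^[[:space:]]*restrict[[:space:]].*[[:space:]]mssntp([[:space:]]|$)' "$conf"; then
    echo "$conf: no restrict line enables mssntp"; return 1
  fi
  # Any remaining 'restrict default' line without mssntp (for example the stock
  # Ubuntu ones that were not commented out) answers Windows clients unsigned.
  unsigned=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$conf" \
             | grep -vc 'mssntp' || true)
  if [ "${unsigned:-0}" -ne 0 ]; then
    echo "$conf: $unsigned 'restrict default' line(s) lack mssntp"; return 1
  fi
  return 0
}

# check_apparmor_profile FILE: the ntpd profile must grant rw on the signing socket,
# either as the explicit socket path or as the {,*} glob form.
check_apparmor_profile() {
  grep -Eq '^[[:space:]]*/var/lib/samba/ntp_signd/(socket|\{,\*\})[[:space:]]+rw,' "$1"
}

# check_socket_dir DIR USER GROUP: the post sets 0750 root:ntp; GROUP must be the
# group ntpd runs as, or ntpd cannot open the socket.
check_socket_dir() {
  [ "$(stat -c '%a %U:%G' "$1")" = "750 $2:$3" ]
}

# --- constructed samples for an offline run ---------------------------------
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/ntp.conf.bad" <<'EOF'
# stock Ubuntu restrict lines left in place (constructed sample)
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
cat > "$SAMPLE/ntp.conf.good" <<'EOF'
ntpsigndsocket /var/lib/samba/ntp_signd
restrict -4 default kod notrap nomodify nopeer noquery mssntp
restrict -6 default kod notrap nomodify nopeer noquery mssntp
tinker panic 0
EOF
printf '  /var/lib/samba/ntp_signd/socket rw,\n' > "$SAMPLE/usr.sbin.ntpd"

for f in "$SAMPLE/ntp.conf.bad" "$SAMPLE/ntp.conf.good"; do
  if check_ntp_conf "$f"; then echo "$f: ok"; fi
done
check_apparmor_profile "$SAMPLE/usr.sbin.ntpd" && echo "$SAMPLE/usr.sbin.ntpd: ok"
# On the DC itself: check_socket_dir /var/lib/samba/ntp_signd root ntp
```

The bad sample fails because the two stock lines lack mssntp even though the signing socket directive is present; that is exactly the state you get if the `sed -i 's/^restrict -/#restrict -/g'` step is skipped.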
Rowland Penny
2019-Apr-25 18:08 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
On Thu, 25 Apr 2019 10:34:24 -0700
Mason Schmitt <mason at ftlcomputing.com> wrote:

> Yes, I have double checked that time is correctly being synced.
>
> FYI, Rowland, the process outlined in the wiki for using chronyd does
> not work on Ubuntu 18.04 (my AD DC is on Ubuntu, but my file server is
> CentOS). I can only successfully sync Windows clients with ntpd
> running on the DC. Also, if using AppArmor, the default AppArmor
> rules don't work. Here's what I had to do to get Windows clients to
> successfully sync with my Ubuntu DC.
>
> [...]
>
> # Test to make sure NTP is working
> ntpq -p

Louis, you use Ubuntu 18.04, can you confirm this? (note to Mason: I do not disbelieve you, I just need confirmation before changing the wiki, I do not use Ubuntu so cannot confirm the changes)

Rowland
L.P.H. van Belle
2019-Apr-26 06:33 UTC
[Samba] Windows clients require reboot once a day in order to access mapped drives
I'll fire up the Ubuntu test VM..
Report back later..
I.. Need... More... Coffee..... First ;-)

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpenny at samba.org]
> Sent: Thursday 25 April 2019 20:08
> To: samba at lists.samba.org
> CC: L.P.H. van Belle
> Subject: Re: [Samba] Windows clients require reboot once a day in order to access mapped drives
>
> [...]
>
> Louis, you use Ubuntu 18.04, can you confirm this? (note to Mason: I
> do not disbelieve you, I just need confirmation before changing the
> wiki, I do not use Ubuntu so cannot confirm the changes)
>
> Rowland
Hai Rowland and all happy campers on the samba list of course ;-)

Can you/someone verify this? Just read it, no need to set up Ubuntu.
I think it's ok, you see what I mean, below the 2x winbind part in AppArmor.

(samba -b, the needed part)
    WINBINDD_SOCKET_DIR: /var/run/samba/winbindd
    NTP_SIGND_SOCKET_DIR: /var/lib/samba/ntp_signd

After some checking I notice (possible) problems in both packages.
And take note of how I make this change!

The NTP part (apt install ntp)
And yes, we have an AppArmor bug in NTPD and Chrony.

    # samba4 ntp signing socket
    /{,var/}run/samba/ntp_signd/socket rw,      << incorrect path.
    # samba4 winbindd pipe
    /run/samba/winbindd/pipe rw,                < can be better.. but not wrong.

For Chrony (apt install chrony):

    # To sign replies to MS-SNTP clients by the smbd daemon
    /var/lib/samba/ntp_signd r,
    /var/lib/samba/ntp_signd/{,*} rw,

That's missing the winbindd pipe part.
I'm only questioning: /var/lib/samba/winbindd_privileged/ and/or /var/run/samba/winbindd/pipe ?
Since I'm not sure here, I've added the winbindd_privileged also.

I suggest this, should be an easy and quick fix.
First we enable the LOCAL file to include our personal settings.

# enable the local file part for ntpd.
sed -i 's[#include <local/usr.sbin.ntpd>[include <local/usr.sbin.ntpd>[g' /etc/apparmor.d/usr.sbin.ntpd

# NTPD fix.
echo "
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba r,
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
# samba4 winbindd pipe
/{,var/}run/samba/winbindd r,
/{,var/}run/samba/winbindd/pipe rw,
# samba4 winbindd privileged pipe ? Needed?
/var/lib/samba/winbindd r,
/var/lib/samba/winbindd/pipe rw,
" >> /etc/apparmor.d/local/usr.sbin.ntpd

# Chrony fix
sed -i 's[#include <local/usr.sbin.chronyd>[include <local/usr.sbin.chronyd>[g' /etc/apparmor.d/usr.sbin.chronyd

echo "
# To sign replies to MS-SNTP clients by the smbd daemon
/var/lib/samba r,
/var/lib/samba/ntp_signd r,
/var/lib/samba/ntp_signd/{,*} rw,
# samba4 winbindd pipe
/{,var/}run/samba/winbindd r,
/{,var/}run/samba/winbindd/pipe rw,
# samba4 winbindd privileged pipe ? Needed?
/var/lib/samba/winbindd r,
/var/lib/samba/winbindd/pipe rw,
" >> /etc/apparmor.d/local/usr.sbin.chronyd

Now both should work fine again, but someone needs to verify this.
I don't use AppArmor myself on my servers.

Personally, I advise using NTPD for the AD-DCs only.
Why? ntp supports all operating modes from RFC 5905, including broadcast, multicast, and manycast server/client.
But if you don't need that, then chrony should be fine also.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of L.P.H. van Belle via samba
> Sent: Friday 26 April 2019 8:33
> To: samba at lists.samba.org
> Subject: Re: [Samba] Windows clients require reboot once a day in order to access mapped drives
>
> I'll fire up the Ubuntu test VM..
> Report back later..
> I.. Need... More... Coffee..... First ;-)
>
> Greetz,
>
> Louis
>
> [...]
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
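Louis's fix above appends the rules with `echo ... >> /etc/apparmor.d/local/...`, which grows the local file by another copy every time the snippet is re-run. The shell script below is an added example (mine, not Louis's and not part of the Ubuntu or Samba packages) that applies the same kind of local-override rules idempotently and checks that the main profile actually pulls the local file in. One caveat worth knowing for the sed step in the post: in AppArmor's classic syntax `#include <...>` is itself the include directive (the `#` is part of the keyword, not a comment), so the stock profile already reads `local/usr.sbin.ntpd`; the example therefore leaves the main profile alone and accepts either spelling of the include when it checks for it. The profile text it writes is a constructed stand-in so the script runs offline; the rule set is assumed for illustration and follows the socket paths in the post.

```shell
#!/bin/sh
# add_samba_apparmor_rules.sh: idempotently populate an AppArmor local override
# (e.g. /etc/apparmor.d/local/usr.sbin.ntpd or .../usr.sbin.chronyd) with the
# rules a time daemon needs to reach Samba's ntp_signd and winbindd sockets.
# Added example, not from the list post; the profile text below is constructed.

# Rules to add, one per line (assumed set, based on the paths in the post:
# NTP_SIGND_SOCKET_DIR and WINBINDD_SOCKET_DIR as reported by "samba -b").
SAMBA_RULES='/var/lib/samba/ntp_signd/ r,
/var/lib/samba/ntp_signd/{,*} rw,
/{,var/}run/samba/winbindd/ r,
/{,var/}run/samba/winbindd/pipe rw,'

# normalize: strip leading/trailing whitespace so indentation differences
# between an existing line and a new rule do not produce duplicates.
normalize() { sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# has_rule FILE RULE: 0 if an equivalent rule line is already present in FILE.
has_rule() {
  [ -f "$1" ] || return 1
  normalize < "$1" | grep -Fxq -- "$(printf '%s' "$2" | normalize)"
}

# add_rule FILE RULE: append RULE unless it is already there. Safe to re-run,
# unlike a plain 'echo "..." >> FILE', which appends on every invocation.
add_rule() {
  if has_rule "$1" "$2"; then return 0; fi
  printf '  %s\n' "$2" >> "$1"
}

# add_samba_rules FILE: apply every line of SAMBA_RULES to FILE.
add_samba_rules() {
  printf '%s\n' "$SAMBA_RULES" | while IFS= read -r rule; do
    add_rule "$1" "$rule"
  done
}

# local_included PROFILE NAME: 0 if PROFILE includes local/NAME. "#include" is an
# active directive in AppArmor, not a comment, so both spellings are accepted,
# as is the newer "include if exists" form.
local_included() {
  grep -Eq "^[[:space:]]*#?include[[:space:]]+(if[[:space:]]+exists[[:space:]]+)?<local/$2>" "$1"
}

# rule_count FILE: number of samba-related rule lines in FILE (0 if none).
rule_count() { grep -c -- 'samba' "$1" || true; }

# --- constructed sample for an offline run -----------------------------------
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/usr.sbin.ntpd" <<'EOF'
/usr/sbin/ntpd {
  #include <abstractions/base>
  /var/lib/samba/ntp_signd/socket rw,
  #include <local/usr.sbin.ntpd>
}
EOF
mkdir -p "$SAMPLE/local"
LOCAL="$SAMPLE/local/usr.sbin.ntpd"

add_samba_rules "$LOCAL"
add_samba_rules "$LOCAL"    # second run: must not duplicate anything
local_included "$SAMPLE/usr.sbin.ntpd" usr.sbin.ntpd && echo "local override is included"
echo "$(rule_count "$LOCAL") rule(s) in $LOCAL:"
cat "$LOCAL"
# On a real DC, reload afterwards: apparmor_parser -r /etc/apparmor.d/usr.sbin.ntpd
```

Running it twice leaves exactly four rule lines in the local file, which is the property the original `echo >>` snippet lacks; the `local_included` check is what tells you whether editing the local file is sufficient or the main profile really does need attention.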