Sven Schwedas
2019-May-21 12:29 UTC
[Samba] Debugging Samba is a total PITA and this needs to improve
On 21.05.19 14:16, Rowland penny via samba wrote:
> You need to investigate your DB problems

Great, but how?

> I see no reason to have different smb.conf files for different Unix
> domain members, just don't have 'netbios name' in any smb.conf.

There's also share definitions in the files which I omitted, which are the actual meat of the config files.

> You will also be better off having 'vfs objects = acl_xattr' in
> your smb.conf and setting the permissions from Windows.

Will that work when half the clients aren't Windows to begin with, and ACLs still need to work when people can SSH into the server?

> What is the point of this:
>
> winbind max domain connections = 32
>
> If you also have:
>
> winbind offline logon = yes

Will it hurt?

> Finally and what could be contributing to your problem:
>
> This could be set too high:
> winbind expand groups = 4

Why would that suddenly break after working for years, when the deepest nesting we actually see is 1?

And going by smb.conf, at most it could lead to timeouts, which is not the problem we're seeing?

This is *exactly* what I meant with bike shedding. "This has nothing to do with your problem, but let's waste days on this anyway, it's not *our* prod environment that's offline in the meantime" is really not a great attitude.

--
Best Regards,
Sven Schwedas, Systemadministrator
Rowland penny
2019-May-21 13:12 UTC
[Samba] Debugging Samba is a total PITA and this needs to improve
On 21/05/2019 13:29, Sven Schwedas via samba wrote:
> On 21.05.19 14:16, Rowland penny via samba wrote:
>> You need to investigate your DB problems
>
> Great, but how?
>
>> I see no reason to have different smb.conf files for different Unix
>> domain members, just don't have 'netbios name' in any smb.conf.
> There's also share definitions in the files which I omitted, which are
> the actual meat of the config files.

Fair enough for different shares on different clients, but I wouldn't use includes for anything else.

>> You will also be better off having 'vfs objects = acl_xattr' in
>> your smb.conf and setting the permissions from Windows.
> Will that work when half the clients aren't Windows to begin with, and
> ACLs still need to work when people can SSH into the server?

Yes

>> What is the point of this:
>>
>> winbind max domain connections = 32
>>
>> If you also have:
>>
>> winbind offline logon = yes
> Will it hurt?

No, but the '32' will be ignored if offline logon is set to 'yes'

>> Finally and what could be contributing to your problem:
>>
>> This could be set too high:
>> winbind expand groups = 4
> Why would that suddenly break after working for years, when the deepest
> nesting we actually see is 1?
>
> And going by smb.conf, at most it could lead to timeouts, which is not
> the problem we're seeing?

Try reading 'man smb.conf' where you will find this under 'winbind expand groups':

    Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.

This is possibly why you are having your problem.

> This is *exactly* what I meant with bike shedding. "This has nothing to
> do with your problem, but let's waste days on this anyway, it's not
> *our* prod environment that's offline in the meantime" is really not a
> great attitude.

We are nowhere near your computers, so can only ask questions and offer advice, if you do not like this, have a read here:

https://www.samba.org/samba/support/

Find someone near you and pay for support.

Rowland
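The smb.conf points discussed in the message above can be checked mechanically. The following is an added example, not code from the thread or from the Samba project; the function name `lint_global`, the `expand_limit` threshold and the sample file are assumptions made for illustration.

```python
import configparser

# Constructed sample modelled on the settings quoted in the thread.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = FILESRV1
    Winbind Max Domain Connections = 32
    winbind offline logon = yes
    winbind expand groups = 4
    vfs objects = acl_xattr

[projects]
    path = /srv/projects
"""

def _norm(name):
    # smb.conf parameter names ignore case and embedded whitespace.
    return "".join(name.split()).lower()

def lint_global(text, expand_limit=1):
    """Return the [global] parameters that match a point raised in the thread.

    expand_limit is a threshold chosen for this example, not a Samba value.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    # Strip indentation so configparser does not read it as a continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    name = next((s for s in cp.sections() if s.strip().lower() == "global"), None)
    if name is None:
        return []
    g = cp[name]
    flagged = []
    if "netbios name" in g:
        # A fixed name stops the file being shared between domain members.
        flagged.append("netbios name")
    offline = g.get("winbind offline logon", "no").strip().lower()
    if offline in {"yes", "true", "1"} and "winbind max domain connections" in g:
        # Ignored when offline logon is enabled, per the reply above.
        flagged.append("winbind max domain connections")
    depth = g.get("winbind expand groups", "0").strip()
    if depth.isdigit() and int(depth) > expand_limit:
        flagged.append("winbind expand groups")
    if "acl_xattr" not in g.get("vfs objects", "").split():
        flagged.append("vfs objects")
    return flagged
```
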
Sven Schwedas
2019-May-21 14:01 UTC
[Samba] Debugging Samba is a total PITA and this needs to improve
On 21.05.19 15:12, Rowland penny via samba wrote:
> Try reading 'man smb.conf' where you will find this under 'winbind expand groups':
>
> Be aware that a high value for this parameter can result in system slowdown as the main parent winbindd daemon must perform the group unrolling and will be unable to answer incoming NSS or authentication requests during this time.
>
> This is possibly why you are having your problem.

I did read it, and seeing that we weren't running into timeouts, asked why it would be relevant. Unsurprisingly, it's not relevant, changing the setting makes no difference.

> We are nowhere near your computers, so can only ask questions and offer
> advice, if you do not like this, have a read here:

If the advice was anywhere *remotely* related to the actual problem symptoms I'm describing, that'd be *very* nice.

To reiterate:

• Authentication on one member server is broken for some users, no matter the source (Windows Explorer, wbinfo -a, smbclient)
• DRS replication to one DC seems to be broken for whatever reason
• A *different* DC doesn't show up in some DNS queries

Ignoring all the "but your smb.conf could have problems that you don't have" chattering, that one member server seems to always use the same DC for wbinfo -P pings, and apparently also all other requests (why does Winbind only use *one* DC anyway, to the point of breaking when that single DC is offline?).

That happens to be the DC that's having replication issues. Looking further, this is the only member server that uses that DC for winbind. The authentication problem can also be reproduced on the DC in question (and only that one). Seems like that's broken, hard.

So, could somebody maybe help with the NT_STATUS_INTERNAL_DB_CORRUPTION / DRS replication issue? Or will it be easier to just demote the DC and provision a new one?

--
Best Regards,
Sven Schwedas, Systemadministrator
L.P.H. van Belle
2019-May-21 14:23 UTC
[Samba] Debugging Samba is a total PITA and this needs to improve
Sven,

First fix the smb.conf as I suggested, cap and non caps where it should be.
Resolving settings based on the script output looks ok.
Fix krb5.conf

Then how many DC's are you having?

> So, could somebody maybe help with the NT_STATUS_INTERNAL_DB_CORRUPTION
> / DRS replication issue? Or will it be easier to just demote
> the DC and provision a new one?

Are all DC's having problem, if the DC with FSMO does not have problems.
https://wiki.samba.org/index.php/Manually_Replicating_Directory_Partitions
Replicate good to a bad server.

PS, I have about 30 min for this, I have to move some furniture later on.
But that should be enough. If you reply quickly, so pm me in the message,
But keep it in list so everybody can learn from it.

Greetz,

Louis