Hi,
Recently we have added 4.10.7 as additional dc, to our existing 4.4.5
samba AD DC, comparing output testparm I have detected that 4.4.5 has
        map readonly = no
        store dos attributes = Yes
but 4.10.7 doesn't have
Also compared smb.conf and both have the same configuration.
Is this correct? Are these configurations required on 4.10.7?
In a few days I want to upgrade this 4.4.5 with rejoin, but I'm not
sure what I have to do with these two differences
Thanks

On 23/09/2019 09:46, Trenta sis via samba wrote:
> Hi,
>
> Recently we have added 4.10.7 as additional dc, to our existing 4.4.5
> samba AD DC, comparing output testparm I have detected that 4.4.5 has
>         map readonly = no
>         store dos attributes = Yes

Are you using 'testparm' or 'samba-tool testparm'? You should be using the latter.

Do you really have:

        map readonly = no
        store dos attributes = Yes

in your DC smb.conf? If so, you shouldn't.

Can you post the DC's smb.conf (the output of cat /etc/samba/smb.conf)

Rowland

Hi,
I have used testparm.
smb.conf from dc1 4.4.5
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = server1
        realm = DOMAIN.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        comment 
        winbind enum users = yes
        winbind enum groups = yes
        tls enabled = yes
        tls keyfile = tls/server1.pem.key
        tls certfile = tls/server1.pem.crt
        tls cafile = tls/ca.pem.crt
        tls verify peer = ca_and_name
        ldap server require strong auth = no
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
smb.conf dc2 4.10.7
# Global parameters
[global]
        bind interfaces only = Yes
        interfaces = lo eth0 eth0:0
        netbios name = server2
        realm = DOMAIN.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        idmap_ldb:use rfc2307  = yes
        winbind enum users = yes
        winbind enum groups = yes
        tls enabled = yes
        tls keyfile = tls/server2.pem.key
        tls certfile = tls/server2.pem.crt
        tls cafile = tls/ca.pem.crt
        tls verify peer = ca_and_name
        ldap server require strong auth = no
       # tmp lan
       ntlm auth = yes
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
        read only = No
[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
It seems that samba-tool testparm doesn't show
        map readonly = no
        store dos attributes = Yes
Our actual config is good?
Next step is demote and rejoin 4.4.5, and then I suspect that these
attributes will be removed with 4.10.7, but not sure if this can have
any impact to our infrastructure
thanks

On 23/09/2019 10:22, Trenta sis via samba wrote:
> Hi,
>
> I have used testparm.

I would suggest you only use 'samba-tool testparm' on a DC.

>
> smb.conf from dc1 4.4.5
> # Global parameters
> [global]
>
>         bind interfaces only = Yes
>         interfaces = lo eth0 eth0:0
>         netbios name = server1
>         realm = DOMAIN.COM
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         comment
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         tls enabled = yes
>         tls keyfile = tls/server1.pem.key
>         tls certfile = tls/server1.pem.crt
>         tls cafile = tls/ca.pem.crt
>         tls verify peer = ca_and_name
>         ldap server require strong auth = no
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>

Apart from the 'comment' and 'winbind enum' lines (hint, remove them), nothing wrong there.

> smb.conf dc2 4.10.7
> # Global parameters
> [global]
>         bind interfaces only = Yes
>         interfaces = lo eth0 eth0:0
>         netbios name = server2
>         realm = DOMAIN.COM
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         idmap_ldb:use rfc2307 = yes
>
>         winbind enum users = yes
>         winbind enum groups = yes
>
>         tls enabled = yes
>         tls keyfile = tls/server2.pem.key
>         tls certfile = tls/server2.pem.crt
>         tls cafile = tls/ca.pem.crt
>         tls verify peer = ca_and_name
>
>         ldap server require strong auth = no
>
>        # tmp lan
>        ntlm auth = yes
>
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> It seems that samba-tool testparm doesn't show
>         map readonly = no
>         store dos attributes = Yes
>
> Our actual config is good?

Yes, apart from the 'winbind enum' lines and do you really need the 'ntlm auth = yes' line?

> Next step is demote and rejoin 4.4.5, and then I suspect that these
> attributes will be removed with 4.10.7, but not sure if this can have
> any impact to our infrastructure
>

It will have no impact, at least one of the parameters is now the default and been removed as a settable parameter.

Rowland

Hi,
Thanks,
Well winbind enum is needed, and ntlm auth is required by some applications, seems that samba has disabled by default but windows has enabled, we have to migrate some old applications
I understand that is OK with your comments
thanks
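
The comparison done by hand in this thread, as an added example (not code from either poster or from the Samba project): it parses the [global] section of two smb.conf texts the way Samba reads parameter names (case and whitespace ignored), reports the differences, and lists the two settings discussed above. The sample text is constructed from the configs posted in the thread; the HOST_SPECIFIC and REVIEW lists are assumptions of this example.

```python
import re

# Constructed sample: abridged [global] sections of the two DCs posted in the
# thread (lines that are identical on both DCs are left out).
DC1 = """[global]
        netbios name = server1
        comment
        tls keyfile = tls/server1.pem.key
        ldap server require strong auth = no
"""
DC2 = """[global]
        netbios name = server2
        tls keyfile = tls/server2.pem.key
        ldap server require strong auth = no
       # tmp lan
       ntlm auth = yes
"""

# Assumption of this example: keys that are expected to differ per host.
HOST_SPECIFIC = {"netbiosname", "tlskeyfile", "tlscertfile"}
# Assumption of this example: values worth a second look on a DC.
REVIEW = {
    ("ntlmauth", "yes"): "permits NTLMv1",
    ("ldapserverrequirestrongauth", "no"): "allows unsigned LDAP binds"}
# yes/true and no/false are the same boolean value to Samba.
BOOL = {"yes": "yes", "true": "yes", "no": "no", "false": "no"}

def parse_global(text):
    """Return {normalized_key: value} for the [global] section."""
    params, section = {}, None
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        line = line.strip()
        if not line or line[0] in "#;":                  # blank or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:        # bare words skipped
            key, _, value = map(str.strip, line.partition("="))
            params[re.sub(r"\s+", "", key).lower()] = BOOL.get(value.lower(), value)
    return params

def compare(a, b):
    """Return (differences, review_findings) for two parsed [global] maps."""
    diffs = {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
             if k not in HOST_SPECIFIC and a.get(k) != b.get(k)}
    findings = [(name, k, why) for name, cfg in (("dc1", a), ("dc2", b))
                for (k, v), why in REVIEW.items() if cfg.get(k) == v]
    return diffs, findings
```

Only explicitly set parameters are compared here; defaults that changed between releases, such as the two testparm lines that started the thread, show up only in the output of 'samba-tool testparm' on each DC.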