Andrew Bartlett
2022-Sep-27 20:11 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
On Tue, 2022-09-27 at 19:03 +0100, Rowland Penny via samba wrote:
>
> On 27/09/2022 18:49, Andrew Bartlett wrote:
> > On Tue, 2022-09-27 at 14:31 +0100, Rowland Penny via samba wrote:
> > > On 27/09/2022 13:52, Alexander Harm || ApfelQ wrote:
> > > > I was able to make some progress on the issue and I have the
> > > > following things working now:
> > > >
> > > > - "pdbedit -v -u username" works fine now
> > > > - "pdbedit -L" works as well
> > > > - "getent passwd username" works
> > > > - "wbinfo -g" works
> > > > - joining and leaving the domain works fine as well
> > > >
> > > > I'm still stuck on
> > > >
> > > > - "wbinfo -u" does not return any users (is this important?)
> > >
> > > Yes
> >
> > I'm not sure this is relevant on an NT4 domain (as nsswitch is the
> > authority for users in this case), but I would have expected this to
> > work.
>
> Well yes, but doesn't it ultimately as winbind ?

No, the fundamental difference with the NT4 DC (think of it more as the
standalone server with domain access) is that the OS, not Samba, is the
authority for users.

It was quite a change when in the AD DC we decided that Samba alone
would be the authority, and users would be provided to the OS via
winbindd almost only as a courtesy. (You can run the AD DC quite fine
without nsswitch set up at all, admins just see files owned by numbers).

> > > > - login from Windows machines fails with error 7519 which
> > > > indicates a problem with RPC
> > > > - "net rpc join -U administrator" fails with "Failed to join
> > > > domain: failed to lookup DC info for domain 'DLAN' over rpc:
> > > > {Device Timeout} The specified I/O operation on %hs was not
> > > > completed before the time-out period expired."
> >
> > is nmbd running?
> >
> > > > - port 135 also does not seem to be open on the machine
> > >
> > > It looks like the rpc service isn't running.
> >
> > Port 135 is not normally used on an NT4 DC.
>
> Then why does the Samba wiki list port 135 as being required on an
> NT4-style domain PDC ?

Not sure, there are many things said in our wiki but traditionally NT4
(and Samba when I was developing the NT4-style classic DC) never
answered on 135, that came with AD.

The ability to answer on 135 has more to do with the work supporting
FreeIPA, which uses the source3 codebase to emulate AD.

> > > > - "testparm --suppress-prompt -v | grep '[s]erver services'"
> > > > seems to return the correct list though "server services = s3fs,
> > > > rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd,
> > > > kcc, dnsupdate, dns"
> > >
> > > Have you upgraded to AD, if not then you can ignore that, it is
> > > only used by AD.
> >
> > Correct.
> >
> > > > Any more ideas?
> > >
> > > No, a bit lost now, it has been years since I ran an NT4-style
> > > domain.
> > >
> > > Rowland
> >
> > I'm thinking missing nmbd.
>
> Possibly, I believe that smbd, nmbd and winbind should all be running.
> As I said, it has been a long time since I ran an NT4 PDC, AD is so
> much easier, once you get your head around the 'idmap config' lines.

That was the intention, folks wrote whole books on setting up a Samba
DC backed by LDAP, the Samba4 project started with the concept that
rather than a 'kit of parts', the AD DC would be a product, eg work out
of the box.

This is a big part of why 'samba-tool provision' does so much.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
Rowland Penny
2022-Sep-27 20:33 UTC
[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389
On 27/09/2022 21:11, Andrew Bartlett wrote:
> On Tue, 2022-09-27 at 19:03 +0100, Rowland Penny via samba wrote:
>>
>> On 27/09/2022 18:49, Andrew Bartlett wrote:
>>> On Tue, 2022-09-27 at 14:31 +0100, Rowland Penny via samba wrote:
>>>> On 27/09/2022 13:52, Alexander Harm || ApfelQ wrote:
>>>>> I was able to make some progress on the issue and I have the
>>>>> following things working now:
>>>>>
>>>>> - "pdbedit -v -u username" works fine now
>>>>> - "pdbedit -L" works as well
>>>>> - "getent passwd username" works
>>>>> - "wbinfo -g" works
>>>>> - joining and leaving the domain works fine as well
>>>>>
>>>>> I'm still stuck on
>>>>>
>>>>> - "wbinfo -u" does not return any users (is this important?)
>>>>
>>>> Yes
>>>
>>> I'm not sure this is relevant on an NT4 domain (as nsswitch is the
>>> authority for users in this case), but I would have expected this to
>>> work.
>>
>> Well yes, but doesn't it ultimately as winbind ?
>
> No, the fundamental difference with the NT4 DC (think of it more as the
> standalone server with domain access) is that the OS, not Samba, is the
> authority for users.

Funny, I always thought of a standalone server with an ldap backend as a
PDC, which I suppose is the same thing. But one thing I remember is that
you could run a PDC or domain member without local users & groups, so
how could the OS be the authority for users ?

>
> It was quite a change when in the AD DC we decided that Samba alone
> would be the authority, and users would be provided to the OS via
> winbindd almost only as a courtesy. (You can run the AD DC quite fine
> without nsswitch set up at all, admins just see files owned by
> numbers).

Yes, provided that you do not use a Samba AD DC as a fileserver, you do
not need to touch nsswitch.conf

>
>>>>> - login from Windows machines fails with error 7519 which
>>>>> indicates a problem with RPC
>>>>> - "net rpc join -U administrator" fails with "Failed to join
>>>>> domain: failed to lookup DC info for domain 'DLAN' over rpc:
>>>>> {Device Timeout} The specified I/O operation on %hs was not
>>>>> completed before the time-out period expired."
>>>
>>> is nmbd running?
>>>
>>>>> - port 135 also does not seem to be open on the machine
>>>>
>>>> It looks like the rpc service isn't running.
>>>
>>> Port 135 is not normally used on an NT4 DC.
>>
>> Then why does the Samba wiki list port 135 as being required on an
>> NT4-style domain PDC ?
>
> Not sure, there are many things said in our wiki but traditionally NT4
> (and Samba when I was developing the NT4-style classic DC) never
> answered on 135, that came with AD.

So, from what you are saying, port 135 should be removed from this wiki
page: https://wiki.samba.org/index.php/Samba_NT4_PDC_Port_Usage

>
> The ability to answer on 135 has more to do with the work supporting
> FreeIPA, which uses the source3 codebase to emulate AD.
>
>>>>> - "testparm --suppress-prompt -v | grep '[s]erver services'"
>>>>> seems to return the correct list though "server services = s3fs,
>>>>> rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd,
>>>>> kcc, dnsupdate, dns"
>>>>
>>>> Have you upgraded to AD, if not then you can ignore that, it is
>>>> only used by AD.
>>>
>>> Correct.
>>>
>>>>> Any more ideas?
>>>>
>>>> No, a bit lost now, it has been years since I ran an NT4-style
>>>> domain.
>>>>
>>>> Rowland
>>>
>>> I'm thinking missing nmbd.
>>
>> Possibly, I believe that smbd, nmbd and winbind should all be
>> running.
>> As I said, it has been a long time since I ran an NT4 PDC, AD is so
>> much easier, once you get your head around the 'idmap config' lines.
>
> That was the intention, folks wrote whole books on setting up a Samba
> DC backed by LDAP, the Samba4 project started with the concept that
> rather than a 'kit of parts', the AD DC would be a product, eg work out
> of the box.

Well it certainly does that, the problem is that people will try to
disassemble it back to the kit of parts, e.g. use dnsmasq instead of the
internal or Bind9 dns server.

>
> This is a big part of why 'samba-tool provision' does so much.

And thankfully it does it so well.

Rowland

>
> Andrew Bartlett
>
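The thread above settles two diagnostic points for an NT4-style (classic) Samba PDC: smbd, nmbd and winbindd must all be running, and an open port 135 is not something to look for, because only the AD DC code answers there. The script below is an added example, written for this reply and not taken from the thread or from the Samba project, that turns those two points into a health check. It assumes the classic Samba daemons bind the well-known NetBIOS and SMB ports (137/udp and 138/udp for nmbd, 139/tcp and 445/tcp for smbd), which the thread does not list, and in live mode it assumes a Linux host with `ps` and `ss` available. The sample process list and socket table are constructed to mirror the situation described in the thread (smbd and winbindd up, nmbd absent).

```shell
#!/bin/sh
# Added example: health check for an NT4-style Samba PDC.
# Based on the thread's conclusions: smbd, nmbd and winbindd must all run,
# and 135/tcp is NOT expected on a classic DC. The port list is an
# assumption (standard Samba classic-DC ports), not taken from the thread.

# Daemons an NT4-style PDC needs.
NT4_DAEMONS="smbd nmbd winbindd"

# Sockets those daemons are assumed to bind:
#   nmbd: 137/udp (NetBIOS name service), 138/udp (NetBIOS datagram)
#   smbd: 139/tcp (NetBIOS session), 445/tcp (direct SMB)
NT4_SOCKETS="udp:137 udp:138 tcp:139 tcp:445"

# $1: process names, one per line (as printed by `ps -eo comm=`).
# Prints the expected daemons that are absent, space-separated.
nt4_missing_daemons() {
    procs="$1"
    missing=""
    for d in $NT4_DAEMONS; do
        if ! printf '%s\n' "$procs" | grep -qx "$d"; then
            missing="${missing:+$missing }$d"
        fi
    done
    printf '%s' "$missing"
}

# $1: listening sockets in `ss -Hltun` format, e.g.
#     "tcp   LISTEN 0  50  0.0.0.0:445  0.0.0.0:*"
# Prints the expected proto:port pairs that are not bound.
nt4_missing_sockets() {
    sockets="$1"
    missing=""
    for s in $NT4_SOCKETS; do
        proto="${s%%:*}"
        port="${s##*:}"
        # A matching line starts with the protocol and contains ":<port>"
        # followed by whitespace (the local address column).
        if ! printf '%s\n' "$sockets" | grep -Eq "^${proto}[[:space:]].*:${port}[[:space:]]"; then
            missing="${missing:+$missing }$s"
        fi
    done
    printf '%s' "$missing"
}

# True when 135/tcp is bound. Its absence is NOT a fault on an NT4-style DC;
# it is only reported so nobody chases it as the cause of a join failure.
nt4_port135_open() {
    printf '%s\n' "$1" | grep -Eq "^tcp[[:space:]].*:135[[:space:]]"
}

# Prints a summary and returns 0 only when nothing required is missing.
nt4_report() {
    procs="$1"
    sockets="$2"
    md=$(nt4_missing_daemons "$procs")
    ms=$(nt4_missing_sockets "$sockets")
    [ -n "$md" ] && echo "missing daemons: $md"
    [ -n "$ms" ] && echo "missing sockets: $ms"
    if nt4_port135_open "$sockets"; then
        echo "note: 135/tcp is open; an NT4-style DC does not need it"
    fi
    [ -z "$md" ] && [ -z "$ms" ]
}

# Constructed sample mirroring the thread: smbd and winbindd are up, nmbd is
# not, so the NetBIOS ports 137/138 are unbound and 389 (the LDAP backend)
# is present but irrelevant to the check.
SAMPLE_PROCS="systemd
sshd
smbd
winbindd
ns-slapd"

SAMPLE_SOCKETS="tcp   LISTEN 0      50           0.0.0.0:139        0.0.0.0:*
tcp   LISTEN 0      50           0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:389        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*"

if [ "${1:-}" = "--live" ]; then
    # Live mode: assumes Linux with procps (`ps`) and iproute2 (`ss`).
    procs=$(ps -eo comm=)
    sockets=$(ss -Hltun)
else
    procs="$SAMPLE_PROCS"
    sockets="$SAMPLE_SOCKETS"
fi

if nt4_report "$procs" "$sockets"; then
    echo "NT4 PDC check: OK"
else
    echo "NT4 PDC check: FAILED"
fi
```

Run without arguments it evaluates the constructed sample and reports `missing daemons: nmbd` plus the two unbound NetBIOS ports; `--live` runs the same checks against the local host. The check deliberately never lists 135/tcp as required, so a classic PDC that is healthy but silent on 135 passes.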