Rowland Penny
2024-Nov-13 20:54 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On Wed, 13 Nov 2024 15:19:22 -0500
"John R. Graham via samba" <samba at lists.samba.org> wrote:

> On 11/12/24 09:35, Rowland Penny via samba wrote:
> > If you are using Debian, just install the libpam-winbind and
> > libnss-winbind packages, open /etc/nsswitch.conf in your favourite
> > editor and ensure that the passwd & group lines contain 'winbind'.
> >
> > Rowland
>
> It's Gentoo so I'm setting it up myself, which is fine, but I've
> messed up something apparently. This is an AD/DC setup, by the way.

It has been years since I last used Gentoo, I gave up on it because, even
though it gives you total control, it also requires everything being built
and I found that turned into taking more time than actually using the OS,
but everyone is different.

> In the process of setting up winbind,

How have you set up winbind, did you do something similar to this:
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC#Libnss_winbind_Links

> I've created a situation that I don't know how to get out of. Lots of
> (but not all) routine samba-tool commands are throwing fatal errors now.
> For instance,
>
> ceres ~ # samba-tool dns query ceres samdom.example.com @ ALL
> dos charset 'CP850' unavailable - using ASCII

It looks like you do not have whatever supplies 'CP850' on Gentoo installed.

> convert_string_talloc: Conversion not supported.
> ndr_pull_charset: ndr_pull_error(Character Conversion Error): Bad
> character conversion at ../../librpc/ndr/ndr_string.c:703
> Failed to bind to uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa for
> ncacn_ip_tcp:192.168.123.250[135,target_hostname=ceres,abstract_syntax=e1af8308-5d1f-11c9-91a4-08002b14a0fa/0x00000003,localaddress=192.168.123.250]
> NT_STATUS_INVALID_PARAMETER
>
> I get the CP850 warning whether or not the nls_cp580 module is loaded.

When you built Samba, did you read these wiki pages :
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba/Building_Samba_on_Gentoo

> Simultaneously, the $(wbinfo -u) command is reporting no users, which
> is causing trouble for the dhcp-dyndns.sh script.

That isn't good, wbinfo should work without the winbind links, it goes
direct to AD.

> My /etc/nsswitch.conf looks like:
>
> # In alphabetical order. Re-order as required to optimize performance.
> aliases:    files
> ethers:     files
> group:      files winbind
> gshadow:    files
> hosts:      files dns
> # Allow initgroups to default to the setting for group.
> # initgroups: files
> netgroup:   files
> networks:   files dns
> passwd:     files winbind
> protocols:  files
> publickey:  files
> rpc:        files
> shadow:     files
> services:   files

That should work, provided the winbind links are set up correctly.

> My /etc/samba/smb.conf looks like:
>
> # Global parameters
> [global]
>     dns forwarder = 8.8.8.8 75.75.75.75
>     netbios name = CERES
>     realm = SAMDOM.EXAMPLE.COM
>     server role = active directory domain controller
>     workgroup = SAMDOM
>     idmap_ldb:use rfc2307 = yes
>     kerberos method = secrets and keytab
>     winbind refresh tickets = yes
>     ldap server require strong auth = no
>     unix charset = LOCALE

Fix the CP850 problem and you will not require the 'unix charset' line.

>     # username map = /etc/samba/smbusers

It is good that the username map line is commented out, it is never used
on a DC.

>     log level = 1
>
>     # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
>     # Winbindd setup for shares:
>     # template shell = /bin/bash
>     # template homedir = /home/%U
>
>     # idmap_nss plugin setup:
>     idmap config * : backend = tdb
>     idmap config * : range = 1000000-3999999
>
>     idmap config SAMBA : backend = nss
>     idmap config SAMBA : range = 1000-999999

You should remove the 'idmap config' lines, they should never be set on
a DC.

> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> [netlogon]
>     path = /var/lib/samba/sysvol/samdom.example.com/scripts
>     read only = No
>
> Does any of this look familiar?

Yes, but the only things missing are:

The contents of /etc/krb5.conf
What kdc you used, hopefully Heimdal.

Rowland
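Rowland's two configuration points in this thread, that the passwd and group lines of nsswitch.conf must list winbind and that 'idmap config' lines must never be set on an AD DC, are easy to check mechanically before restarting Samba. The lint below is an added example, not code from the Samba project or from either poster; it assumes only POSIX sh and awk, and the smb.conf and nsswitch.conf it runs over are constructed samples modelled on the files quoted above (the 'server role' alias spellings Samba also accepts are deliberately not handled).

```shell
#!/bin/sh
# Added example (not from the Samba project or from the thread): a small
# lint for the two settings discussed above. Assumes only POSIX sh and awk.

# is_ad_dc FILE: succeed if smb.conf sets 'server role' to the AD DC value.
# Commented lines ([#;]) are skipped; alias spellings are not handled.
is_ad_dc() {
    awk -F= '
        /^[ \t]*[#;]/ { next }                    # skip commented lines
        tolower($1) ~ /^[ \t]*server role[ \t]*$/ {
            v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v == "active directory domain controller") found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# idmap_config_lines FILE: print every active 'idmap config' line as file:line: text
idmap_config_lines() {
    awk '
        /^[ \t]*[#;]/ { next }
        tolower($0) ~ /^[ \t]*idmap config/ { print FILENAME ":" FNR ": " $0 }' "$1"
}

# nss_has_winbind FILE DB: succeed if the DB line (passwd or group) lists winbind
nss_has_winbind() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# check_dc_idmap FILE: return 1 if FILE is an AD DC smb.conf that still
# carries 'idmap config' lines (the mistake in the thread), 0 otherwise.
check_dc_idmap() {
    if ! is_ad_dc "$1"; then
        echo "$1: not an AD DC, idmap config is allowed here"
        return 0
    fi
    bad=$(idmap_config_lines "$1")
    if [ -n "$bad" ]; then
        echo "$1: an AD DC must not set idmap config; remove these lines:"
        echo "$bad"
        return 1
    fi
    echo "$1: OK, no idmap config lines"
    return 0
}

# Constructed sample files, modelled on the thread but not copied from it.
BAD_SMB=$(mktemp); GOOD_SMB=$(mktemp); NSS=$(mktemp)
trap 'rm -f "$BAD_SMB" "$GOOD_SMB" "$NSS"' EXIT

cat > "$BAD_SMB" <<'EOF'
[global]
    netbios name = CERES
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    workgroup = SAMDOM
    idmap_ldb:use rfc2307 = yes
    # idmap config * : backend = tdb   (commented out, so ignored by the lint)
    idmap config * : backend = tdb
    idmap config * : range = 1000000-3999999
    idmap config SAMBA : backend = nss
    idmap config SAMBA : range = 1000-999999
EOF

cat > "$GOOD_SMB" <<'EOF'
[global]
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
    template homedir = /home/%U
EOF

cat > "$NSS" <<'EOF'
# In alphabetical order.
group:      files winbind
hosts:      files dns
passwd:     files winbind
shadow:     files
EOF

check_dc_idmap "$BAD_SMB" || true     # reports the four offending lines
check_dc_idmap "$GOOD_SMB"
nss_has_winbind "$NSS" passwd && nss_has_winbind "$NSS" group \
    && echo "$NSS: winbind present for passwd and group"
```

Point the functions at /etc/samba/smb.conf and /etc/nsswitch.conf on a real DC instead of the sample files; a non-zero return from check_dc_idmap is the signal to remove the lines before restarting Samba, as the thread goes on to do.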
John R. Graham
2024-Nov-13 21:45 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/13/24 15:54, Rowland Penny via samba wrote:
> [A lot of stuff, and...]
> Yes, but the only things missing are:
>
> The contents of /etc/krb5.conf
> What kdc you used, hopefully Heimdal.
>
> Rowland

Thank you! That gives me a /lot/ to look into.

Meanwhile, /etc/krb5.conf is:

[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    forwardable = true
    proxyable = true
    default_keytab_name = FILE:/etc/krb5.keytab

And the Gentoo build for Samba by default uses the included Heimdal. I have
not been brave/foolish enough to mess with that default.

- John
John R. Graham
2024-Nov-14 14:52 UTC
[Samba] Very strange: Samba is unable to access one of its own files
On 11/13/24 15:54, Rowland Penny via samba wrote:
>>     log level = 1
>>
>>     # dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>
>>     # Winbindd setup for shares:
>>     # template shell = /bin/bash
>>     # template homedir = /home/%U
>>
>>     # idmap_nss plugin setup:
>>     idmap config * : backend = tdb
>>     idmap config * : range = 1000000-3999999
>>
>>     idmap config SAMBA : backend = nss
>>     idmap config SAMBA : range = 1000-999999
> You should remove the 'idmap config' lines, they should never be set on
> a DC.

Thanks again! As soon as the idmap lines were removed--and Samba was
restarted--sanity was restored. I also uncommented these lines:

    template shell = /bin/bash
    template homedir = /home/%U

I do get an unexpected result from retrieving my domain user's passwd line:

    # getent passwd SAMDOM\\jgraham
    SAMDOM\jgraham:*:10000:100::/home/SAMDOM/jgraham:/bin/false

It appears that somehow the defaults from smb.conf are being ignored...or
is it that the defaults were in place when the domain account was created?
But, hmm, running

    samba-tool user show -U Administrator jgraham

gets me, among other things:

    loginShell: /bin/bash
    unixHomeDirectory: /home/jgraham

Is the information that getent retrieves sourced somewhere else?

- John