@Id:1i1n1BDwtO6 @Revision:19.05.2020 19:04:30|Initial|mh @Author:mh @Title:HelloRecover an USBStick reported as not accessible / writable!! @Abstract: About this blog and the software @Access:PUBLIC @Topics:#HELLO|#BLOG|#LINUX|#NETCORE|#BLAZOR

[vs-img]: hello-world/vs.jpg

# About this blog

This blog software was created by me as a demo project using C# and the Blazor framework on ASP.NET Core. It was developed with Visual Studio Community Edition and is hosted on a Linux machine running Gentoo Linux. Being a progressive web app, you can install this page on your mobile phone, run it there and read the articles offline.

# Samba-Update + Migration

For problems that could arise, and for multi-instance Samba, also see my "tales" further below.

## General advice for updates:

- Ensure `resolv.conf` points to the correct DNS server, so the AD SRV records are resolvable.
- Don't skip major versions on update; always go 4.4 -> 4.5 -> 4.6 -> ... to prevent problems with database or schema updates.
- Read the READMEs for breaking changes or extra instructions.
- Make a backup before an update. See also `samba_backup`.
- If installing from source, remove the old libraries with `rm /opt/samba/lib/*` (NOT `-rf`; the `private` sub dir seems not to be affected) before `make install`, to prevent LD (dynamic linker) errors at runtime.
- Before a downgrade, check whether `samba_downgrade_db` is required (see the Samba wiki).
- After an upgrade, check whether the path of the Bind9 `named.conf.include` has changed (e.g. after ~4.6) if you use Bind9-DLZ. Also check whether `.../samba/bind-dns/named.txt` exists and carefully follow its instructions.
- When diagnosing problems, `log level = 5` seems to be a good setting.
- Before starting samba after an upgrade, run:

  ```
  samba-tool dbcheck --cross-ncs
  samba_upgradedns --dns-backend=BIND9_DLZ   # when using DLZ; then restart bind
  # Test DNS:
  samba_dnsupdate --all-names --verbose
  ```

## Tales from an update from Samba 4.4 to 4.12 of an old installation

An update of an old Samba AD proved difficult due to the following factors:

- The AD was created long ago, probably with one of the 4.0 alphas.
- A multi-instance setup was used, with one installation dir for the AD server and another installation dir for multiple member servers.
- Winbindd had not been used to date, because a very simple but robust method for handling file permissions was used on the site. But now winbindd is mandatory for Samba AD member servers.
- The setup was moved from a Gentoo VM to a Debian LXD container.

### The following problems appeared after the update:

#### Problems at the AD-Server instance:

**0 DNS test failed**

When testing DNS Bind9-DLZ updates with `samba_dnsupdate --all-names --verbose`, the error `; TSIG error with server: tsig verify failure` appeared, although DNS queries and obtaining Kerberos tickets (`Successfully obtained Kerberos ticket to DNS/...`) worked. It turned out that `minimal-responses yes;` was missing in `named.conf`. This directive should be placed near the `tkey-gssapi-keytab "/opt/samba/bind-dns/dns.keytab";` line.

**1 Samba crashes on user connect**

When trying a test connect to the sysvol share, samba crashed with the error `PANIC () sys_setgroups failed`. This turned out to be a problem with running within an LXD container (with `security.idmap.isolated` set to `true`), which limited the container's UID range to 65535; that is far too low for Samba AD.
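Before enlarging the ranges it is worth confirming that the container's subordinate-ID allocation, not Samba, is the limit. The following check is an added example and not part of the original tales. It assumes that the subuid/subgid contents shown are constructed samples (a real run passes the contents of `/etc/subuid` and `/etc/subgid`) and that the AD DC uses the default `idmap.ldb` xid pool of 3000000-4000000, which is why `security.idmap.size` has to exceed 4000000:

```shell
#!/bin/sh
# Added example (not from the original post): check whether an LXD host's
# subordinate-ID ranges can back a container large enough for a Samba AD DC.
# A default provision's idmap.ldb hands out xids from the pool 3000000-4000000,
# so security.idmap.size must exceed 4000000 or setgroups() fails for mapped
# groups. The subuid/subgid contents below are constructed samples; a real check
# passes "$(cat /etc/subuid)" and "$(cat /etc/subgid)" instead.

SAMBA_XID_UPPER=4000000   # upperBound of the default AD DC idmap.ldb pool

# largest_subid_range USER CONTENT
# Print the size of the largest contiguous range that CONTENT (subuid/subgid
# text, one "user:start:count" entry per line) grants to USER; 0 if none.
largest_subid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        BEGIN { max = 0 }
        $1 == u && $3 + 0 > max { max = $3 + 0 }
        END { print max }'
}

# container_idmap_ok USER CONTENT IDMAP_SIZE
# Exit 0 only if USER owns a contiguous range of at least IDMAP_SIZE sub-ids
# (what security.idmap.isolated=true reserves per container) and IDMAP_SIZE
# is large enough to map every xid Samba may allocate.
container_idmap_ok() {
    user=$1 content=$2 size=$3
    have=$(largest_subid_range "$user" "$content")
    if [ "$have" -lt "$size" ]; then
        echo "FAIL: $user has a largest range of $have sub-ids, security.idmap.size=$size needs more" >&2
        return 1
    fi
    if [ "$size" -le "$SAMBA_XID_UPPER" ]; then
        echo "FAIL: security.idmap.size=$size cannot map Samba xids up to $SAMBA_XID_UPPER" >&2
        return 1
    fi
    echo "OK: $user has $have sub-ids; security.idmap.size=$size covers xids up to $SAMBA_XID_UPPER"
}

# Constructed samples: a stock Debian-style host, and the enlarged host.
SUBID_STOCK="root:100000:65536
lxd:165536:65536"
SUBID_ENLARGED="root:1000000:1000000000"

# Stand-alone demo: LXD's default 65536-id map fails, so does a 5000000 map on
# the stock host (no range that large); the enlarged setup passes.
container_idmap_ok root "$SUBID_STOCK" 65536 || true
container_idmap_ok root "$SUBID_STOCK" 5000000 || true
container_idmap_ok root "$SUBID_ENLARGED" 5000000
```

On the host, run `container_idmap_ok root "$(cat /etc/subuid)" 5000000` and the same with `/etc/subgid`; the first argument is the user the LXD daemon runs as (root on a stock install). Both checks must pass, because Samba maps groups as well as users.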
Solution: Increase the LXD UID range (in `/etc/subuid` and `/etc/subgid`, entries of the form `<user>:1000000:1000000000`, i.e. a start of 1 followed by 6 zeros and a count of 1 followed by 9 zeros) and assign more UIDs to the container itself with `security.idmap.size=5000000` (5 followed by 6 zeros).

**2 Connect still failed**

Now a new error appeared in the Samba log: `Unsupported encryption type 3`. This was a bug in Samba, probably caused by DES keys created with early versions of Samba 4. It should be fixed in 4.12.6; a patch for 4.12.5 is available. For more see: https://bugzilla.samba.org/show_bug.cgi?id=14354

**3 Access problems with the sysvol dir**

The permissions of the sysvol dir were incorrect: the xattr attributes were missing (when running `ls -l sysvol`, a `+` should be visible in the permissions column). This probably happened due to an admin error while copying the setup into the test environment. Running `net sysvolreset` to fix the permissions solved this problem.

**4 LD linker errors when running samba tools at runtime**

This seems to be a problem with installing from source into an /opt directory: cleaning out the old samba libs (with something like `rm /opt/samba/lib/*`, NOT `-rf`; the `private` sub dir seems not to be affected) and rerunning `make install` solved the problem.

**5 Winbind is now required**

Winbindd was disabled in the smb.conf. Remove `-winbind` from `server services =`. Some stray `idmap config =` entries were removed too.

After solving these problems, connecting to `\\ADSERVER\sysvol` using Win10 and smbclient was working again.

#### Problems at the Member-Server instances:

Winbind was the main problem here: winbind was not required on the site before, but is now mandatory for running an AD member server. Enabling winbind proved a lot more difficult than expected because of the multi-instance setup on this host. Running winbindd under strace proved helpful in one case where the logs were unspecific.
When winbindd was running but not working correctly, a typical error in the smbd log when trying to connect to a share was `get_user_from_kerberos_info: Username DOM\xxx is invalid on this system`.

When building from source, see _4 LD linker errors..._ in the previous section!

For a multi-instance setup: each member instance needs a separate installation dir, see _5_ below.

**1 No access to the file share, complaints about non-running winbind in the log**

In `smb.conf`:

- remove `-winbind` from `server services =`
- add this:

  ```
  winbind refresh tickets = yes
  idmap config * : backend = tdb
  idmap config * : range = 200000-299999
  idmap config MYDOM : backend = rid
  idmap config MYDOM : range = 300000-399999
  ```

Two entries are required: one for the default domain `*` and one for the actual domain (MYDOM). Be sure not to use `tdb` as backend for the actual domain (see below!).

With this setup, UIDs from 200000-299999 are assigned to a SID and stored in a tdb file whenever a mapping for that SID is requested for the first time. For the MYDOM domain, UIDs from 300000-399999 are assigned in a predictable way (derived from the RID), which is identical on all member servers as long as the range is the same.

Then start the winbindd daemons (see _5_ for multi-instance setups!).

**2 Winbind crashes on start, error about not finding a specific SID / GetSid failed seen with strace**

This error could be resolved by rejoining the domain with `net ads join -U DOMAIN\Administrator`.

**3 In debug/foreground mode winbind does not react to requests**

When running `winbindd -d 5 -F`, `-i` also seems to be required so it actually works.

**4 Winbind does not resolve, error 'Refusing allocation of a new unixid' in the log**

First I was using `tdb` as the idmap backend for the MYDOM domain. But this resulted in

```
idmap_tdb_common_get_new_id: Refusing allocation of a new unixid for domain'sd'. Currently only supported for the default domain "*".
Could not allocate id: NT_STATUS_NOT_IMPLEMENTED
```

when trying to connect to a share. Only some docs mention that the tdb backend is usable only for the default domain (`*`). Changing to the rid backend (see the config sample above) fixed it.

**5 Winbind does not react to requests, or samba (AD) itself denies requests from winbind because one member requests with the tokens of another member server**

It turned out that `winbindd` can't be used for multiple instances with a shared install dir. See the article [Setting up multiple Samba-instances on a single host with winbindd](/viewer/1i1n1CHpUYh).

**6 Winbind seems to work but can't find SIDs for user IDs**

In smb.conf, user names in `valid users =` were defined without a domain. This no longer seems to work, but adding the domain resolved it:

```
Old: valid users = user
New: valid users = "MYDOM\user"
```

After this, smbclient, `getent passwd` and the Win10 test VM could finally connect again. Yaaay :)

![VSLogo][vs-img]

[Test-Dl](/PublicDl/test.txt)
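The member-server mistakes from tales 1, 4 and 6 above (winbind still disabled in `server services`, a `tdb` idmap backend on a named domain, overlapping or missing idmap ranges, `valid users` without a domain prefix) can all be caught by reading `smb.conf` before winbindd is ever started. The following linter is an added example and not code from the original post or from Samba; the two `smb.conf` fragments it checks are constructed, and `MYDOM` and `/srv/share` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): lint an smb.conf for the winbind
# pitfalls hit on the member servers: "-winbind" in server services, a tdb
# idmap backend on a named domain (only the default domain "*" may allocate
# from tdb), overlapping or missing idmap ranges, and "valid users" names that
# lack a DOMAIN\ prefix. The config fragments below are constructed; run it on a
# real file with:  lint_smbconf "$(cat /etc/samba/smb.conf)"

# lint_smbconf CONF   -- prints one finding per line, nothing when CONF is clean.
lint_smbconf() {
    printf '%s\n' "$1" | awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments and blank lines
    {
        eq = index($0, "=")
        if (eq == 0) next                            # section headers etc.
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (key == "server services" && val ~ /(^|[ \t,])-winbind([ \t,]|$)/)
            print "server services disables winbind (-winbind); winbind is mandatory on AD members"
        if (key ~ /^idmap config [^:]+:[ \t]*backend$/) {
            dom = key; sub(/^idmap config[ \t]*/, "", dom); sub(/[ \t]*:.*$/, "", dom)
            backend[dom] = tolower(val)
            if (dom != "*" && backend[dom] == "tdb")
                print "idmap config " dom " uses backend tdb; tdb only allocates ids for the default domain \"*\""
        }
        if (key ~ /^idmap config [^:]+:[ \t]*range$/) {
            dom = key; sub(/^idmap config[ \t]*/, "", dom); sub(/[ \t]*:.*$/, "", dom)
            n = split(val, r, /[ \t]*-[ \t]*/)
            if (n != 2 || r[1] + 0 >= r[2] + 0)
                print "idmap config " dom " range \"" val "\" is not low-high"
            else { lo[dom] = r[1] + 0; hi[dom] = r[2] + 0 }
        }
        if (key == "valid users") {
            n = split(val, u, /[ \t]*,[ \t]*|[ \t]+/)
            for (i = 1; i <= n; i++) {
                name = u[i]; gsub(/"/, "", name)
                if (name == "" || name ~ /^[@+&]/) continue   # group entries
                if (name !~ /\\/)
                    print "valid users entry \"" name "\" has no DOMAIN\\ prefix; winbind needs DOMAIN\\user"
            }
        }
    }
    END {
        if (!("*" in backend)) print "no idmap config for the default domain \"*\""
        for (d in backend) if (!(d in lo)) print "idmap config " d " has a backend but no range"
        for (a in lo) for (b in lo)
            if (a < b && lo[a] <= hi[b] && lo[b] <= hi[a])
                print "idmap ranges of " a " and " b " overlap"
    }'
}

# lint_count CONF   -- number of findings (always exits 0).
lint_count() { lint_smbconf "$1" | awk 'END { print NR }'; }

# Constructed fragment with the mistakes from the tales: winbind disabled,
# tdb on MYDOM, a range overlapping "*", and a bare user name in valid users.
SMBCONF_BAD='[global]
   workgroup = MYDOM
   security = ADS
   server services = -winbind
   idmap config * : backend = tdb
   idmap config * : range = 200000-299999
   idmap config MYDOM : backend = tdb
   idmap config MYDOM : range = 250000-399999

[share]
   path = /srv/share
   valid users = user, @"MYDOM\admins"'

# The corrected fragment as used in the tales above.
SMBCONF_GOOD='[global]
   workgroup = MYDOM
   security = ADS
   winbind refresh tickets = yes
   idmap config * : backend = tdb
   idmap config * : range = 200000-299999
   idmap config MYDOM : backend = rid
   idmap config MYDOM : range = 300000-399999

[share]
   path = /srv/share
   valid users = "MYDOM\user", @"MYDOM\admins"'

echo "== bad config: $(lint_count "$SMBCONF_BAD") findings =="
lint_smbconf "$SMBCONF_BAD"
echo "== good config: $(lint_count "$SMBCONF_GOOD") findings =="
```

The domain-prefix check skips `@`, `+` and `&` group entries and does not handle quoted names containing spaces; the idmap checks compare ranges only within one file, so on a multi-instance host run it once per instance's `smb.conf` and keep the MYDOM range identical across member servers, as the rid backend requires.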