blog3000/Blog3000/Server/app_data/posts/mh/hello-world.md


@Id:1i1n1BDwtO6 @Revision:19.05.2020 19:04:30|Initial|mh @Author:mh @Title:HelloRecover an USBStick reported as not accessible / writable!! @Abstract: About this blog and the software @Access:PUBLIC @Topics:#HELLO|#BLOG|#LINUX|#NETCORE|#BLAZOR [vs-img]: hello-world/vs.jpg

About this blog

This blog software was created by me as a demo project using C# and the Blazor framework on ASP.NET Core.

Developed with Visual Studio Community Edition. Hosted on a Linux machine running Gentoo Linux.

As it is a progressive web app, you can install this page on your mobile phone, run it and view the articles offline.

source code

inline source code asd

Samba-Update + Migration

For problems that could arise, and for multi-instance Samba, also see my "tales" further below.

General advice for updates:

  • Ensure resolv.conf points to the correct DNS server, so the AD SRV records are resolvable

  • Don't skip major versions on update; always go from 4.4 -> 4.5 -> 4.6 -> ... to prevent problems with database or schema updates.

  • See the READMEs for breaking changes or extra instructions

  • Before an update, make a backup. See also samba_backup

  • If installing from source, remove the old libraries with rm /opt/samba/lib/* (NOT -rf; the private sub-dir seems not affected) before make install to prevent LD linker errors at runtime

  • Before a downgrade, check whether samba_downgrade_db is required (see the Samba wiki)

  • After an upgrade, check whether the path of bind9-named.conf.include has changed (e.g. after ~4.6) if using Bind9-DLZ.

    Also check whether .../samba/bind-dns/named.txt exists and carefully follow its instructions.

  • When diagnosing problems, log level = 5 seems to be a good setting.

  • Before starting Samba after an upgrade, run:

```
samba-tool dbcheck --cross-ncs

samba_upgradedns --dns-backend=BIND9_DLZ # when using DLZ, then restart bind

# Test DNS:
samba_dnsupdate --all-names --verbose
```

Tales from updating an old installation from Samba 4.4 to 4.12

An update of an old Samba AD proved difficult due to the following factors:

  • The AD was created long ago, probably with the 4.0 alphas
  • A multi-instance setup was used, with one installation dir for the AD server and another installation dir for multiple member servers
  • Winbindd was not used to date, because a very simple but robust method for handling file permissions was used on the site. But now winbindd is mandatory for Samba AD member servers
  • The setup was moved from a Gentoo VM to a Debian LXD container

Following problems appeared after the update:

Problems at the AD-Server instance:

0 DNS test failed

When testing DNS Bind9-DLZ updates with samba_dnsupdate --all-names --verbose, the error

; TSIG error with server: tsig verify failure

appeared, although DNS queries and getting Kerberos tickets

(Successfully obtained Kerberos ticket to DNS/...)

worked.

It turned out that minimal-responses yes; was missing in named.conf.

This directive should be placed near the

tkey-gssapi-keytab "/opt/samba/bind-dns/dns.keytab";

line.

1 Samba crashes on user connect

When trying a test connect to the sysvol share, Samba crashed with the error PANIC (): sys_setgroups failed.

This turned out to be a problem with running within an LXD container (with security.idmap.isolated=true), resulting in the UID range being limited to 65535, which is far too low for Samba AD.

Solution: increase the LXD UID range (/etc/subuid and /etc/subgid: 1000000:1000000000, i.e. 1 followed by 6 zeros and 1 followed by 9 zeros) and assign more UIDs to the container itself with security.idmap.size=5000000 (6 zeros).

2 Connect still failed

Now a new error appeared in the Samba log: Unsupported encryption type 3

This was a bug in Samba, probably caused by DES keys created with early versions of Samba 4.

This should be fixed in 4.12.6. A patch for 4.12.5 is available.

For more see: https://bugzilla.samba.org/show_bug.cgi?id=14354

3 Access problems with the sysvol-dir

The permissions of the sysvol dir were incorrect: the xattr attributes were missing (when doing ls -l sysvol, a '+' should be visible in the permissions column). This probably happened due to an admin error while copying the setup in the test environment.

Running net sysvolreset to fix the permissions solved this problem.

4 LD linker errors when running samba-tool at runtime

This seems to be a problem with installing from source into an /opt directory:

Cleaning out the old Samba libs (under /opt/..., sth. like rm /opt/samba/lib/*, NOT -rf; the private sub-dir seems not to be affected) and rerunning make install solved the problem.

5 Winbind is now required

Winbindd was disabled in smb.conf: remove -winbind from 'server services ='. Also some stray idmap config = entries were removed.

After solving these problems, connecting to \\ADSERVER\sysvol using Win10 and smbclient was working again.

Problems at the Member-Server instances:

Winbind was the main problem here: winbind was not required on the site, but is now mandatory for running an AD member server.

Enabling winbind proved a lot more difficult than expected because of the multi-instance setup on this host.

Running winbindd with strace proved helpful in one case where the logs were unspecific.

When winbindd was running but not working correctly, a typical error in the smbd log was get_user_from_kerberos_info: Username DOM\xxx is invalid on this system when trying to connect to a share.

When building from source, see '4 LD linker errors...' in the previous section!

For a multi-instance setup: each member instance needs a separate installation dir, see 5 below.

1 No access to the file share, complaints about non-running winbind in the log

In smb.conf:

  • remove -winbind from the server services =
  • add this:

```
winbind refresh tickets = yes

idmap config * : backend    = tdb
idmap config * : range      = 200000-299999

idmap config MYDOM : backend   = rid
idmap config MYDOM : range     = 300000-399999
```

Two entries are required, one for the default domain "*" and one for the actual (MYDOM) domain. Be sure not to use tdb as the backend for the actual domain (see below!)

With this setup, UIDs from 200000-299999 are assigned to a SID and stored in a tdb file whenever a mapping for the SID is requested for the first time.

For the MYDOM domain, UIDs from 300000-399999 are assigned in a predictable way, which should be identical on all member servers (as long as the range is the same).

Then start the winbindd-daemons (see 5 for multi-instance-setups!)

2 Winbind crashes on start, error about not finding a specific SID / GetSid failed seen with strace

This error could be resolved by rejoining the domain with 'net ads join -U DOMAIN\Administrator'.

3 In debug/foreground mode winbind does not react to requests

When running winbindd -d 5 -F, '-i' also seems to be required so that it actually works.

4 Winbind does not resolve, error 'Refusing allocation of a new unixid' in the log

First I was using `tdb` as the idmap backend for the MYDOM domain. But this resulted in

```
 idmap_tdb_common_get_new_id: 
    Refusing allocation of a new unixid for domain'sd'. 
	Currently only supported for the default domain "*".
Could not allocate id: NT_STATUS_NOT_IMPLEMENTED
```

when trying to connect to a share.

Only some docs mention that the tdb backend is only usable for the default domain (*). Changed to the rid backend (see the config sample above).

5 Winbind does not react to requests, or Samba (AD) itself denies requests from winbind because one member requests with tokens of another member server

It turned out that winbindd can't be used for multiple instances with a shared install dir.
See the article Setting up multiple Samba instances on a single host with winbindd

6 Winbind seems to work but can't find SIDs for user IDs

In smb.conf, the user names in valid users = were defined without domains. This no longer seems to work, but adding the domain resolved it:

Old:

```
valid users = user
```

New:

```
valid users = "MYDOM\user"
```

After this, finally smbclient, getent passwd and the Win10 test VM could connect again. Yaaay :)
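As an added example (not code from this post or from Samba), here is a small Python checker for the member-server smb.conf points from items 1, 4 and 6 above, plus the RID-to-UID arithmetic behind the "predictable" mapping of the rid backend. The smb.conf text inside is a constructed sample; MYDOM and the [data] share are assumed names.

```python
import re

# Constructed sample (not from the post): tdb backend for the real domain
# and an unqualified 'valid users' entry, as in items 4 and 6.
BAD_SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 200000-299999
    idmap config MYDOM : backend = tdb
    idmap config MYDOM : range = 300000-399999
[data]
    valid users = user
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {key: value}}, keys as written."""
    conf, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip()] = value.strip()
    return conf

def check_member_conf(conf):
    """Findings for the problems in items 1, 4 and 6 of the member-server section."""
    g, findings, domains = conf.get("global", {}), [], {}
    for key, value in g.items():
        m = re.match(r"idmap config (\S+)\s*:\s*(backend|range)$", key)
        if m:
            domains.setdefault(m.group(1), {})[m.group(2)] = value
    if "*" not in domains:
        findings.append("missing idmap config for the default domain '*'")
    for dom, cfg in domains.items():
        if dom != "*" and cfg.get("backend") == "tdb":
            findings.append(f"tdb backend is only valid for '*', not for '{dom}'")
    for name, share in conf.items():
        for user in share.get("valid users", "").replace('"', "").split(","):
            if name != "global" and user.strip() and "\\" not in user:
                findings.append(f"[{name}] valid users '{user.strip()}' lacks a domain prefix")
    return findings

def rid_to_uid(sid, low, high):
    """idmap_rid mapping (base rid 0): uid = low + RID, or None if outside the range."""
    uid = low + int(sid.rsplit("-", 1)[1])
    return uid if low <= uid <= high else None
```

To check a real file, pass open("/etc/samba/smb.conf").read() to parse_smb_conf and print the findings.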

![VSLogo][vs-img]

Test-Dl