sirhc4022
Goto Top

CentOS 7 als Datengrab in Windows-Domäne (SBS2011) geht auf einmal nicht mehr

Hallo CentOS-Freaks,

bis vor Kurzem war ich ja von CentOS ziemlich begeistert. Ich bastle ab und zu eher mit Debian rum, da ist CentOS doch ein bisschen Neuland face-wink
Ich hänge grad in einer Windows-Domäne. Hier möchte ich einen SBS2011 via Acronis als Image sichern. Was heißt möchte. Hab ich; so die letzten 8 Wochen ging das echt gut. Acronis läuft auf dem SBS und erstellt ein (1,5TB großes) Image vom SBS auf der CentOS-Dose.
Seit ein paar Tagen geht nix mehr. Zum Jahreswechsel ist nach einem "yum update" sowie "yum upgrade" die Freigabe in der Domäne, in der das Image abgelegt wurde, nicht mehr erreichbar. Beim Upgrade war eigentlich nichts passiert, wenn ich mich nicht verguckt hatte.
Ich kann mich mit meinem Domänen-Account auf der CentOS-Kiste anmelden. Das ging ja schöner Weise gleich nach der Installation. Ich kann in der Konsole auf dem CentOS den SBS anpingen, der Name wird richtig aufgelöst und ich kann mich von einem anderen Computer per SSH mit meinem Domänen-Konto am CentOS-Rechner anmelden. Für mich scheint damit Samba das Problem zu sein. Aber da hat sich nix geändert. Die smb.conf ist, so wie ich es nach x100 Anleitungen sagen kann, richtig (falls ich nichts übersehen habe). Es ging ja auch bis vor ein paar Tagen (der typische Satz [in] einer Problembeschreibung face-wink)
Irgendwelche Ideen? Ich bin ziemlich ratlos. Was braucht ihr für Infos um die Glaskugel im Schrank stehen lassen zu können?

Grüße

sirhc

Content-ID: 325685

Url: https://administrator.de/contentid/325685

Printed on: October 4, 2024 at 05:10 o'clock

Lochkartenstanzer
Lochkartenstanzer Jan 06, 2017 at 10:14:59 (UTC)
Goto Top
Moin,

Hast Du auch mal smbd und nmbd mal frisch durchgestartet? Manchmal hängen die einfach.

Schönen Feiertag noch,

lks
sirhc4022
sirhc4022 Jan 06, 2017 at 10:24:20 (UTC)
Goto Top
Moin lks,

jap. Da die CentOS-Kiste keine weiteren Dienste im Netz bereitstellt hab ich das Ding komplett neu gestartet. Mehrfach sogar. Ich muss dazu sagen, dass ich den Rechner, auf dem das CentOS läuft reparieren musste (das MB hat die Grätsche gemacht). Allerdings hatte die Freigabe schon vor dem Mainboard-Defekt schon die Arbeit eingestellt.

Entspannten Freitag face-wink

sirhc
Gersen
Gersen Jan 06, 2017 at 10:27:18 (UTC)
Goto Top
Hallo,

sieht anhand der Zeiträume so aus, als hättest Du beim "yum update/upgrade" CentOS auf Version 7.3 gehoben.

Darin sind relativ umfangreiche Änderungen an Samba erfolgt. Einzelheiten hier.

Nur mal so die Richtung...

Gruß,
Gersen
sirhc4022
sirhc4022 Jan 06, 2017 at 10:31:59 (UTC)
Goto Top
Hey Gersen,

ach shit. Sowas Fieses hatte ich schon fast geahnt. Eine kleine Stimme hat im Moment des Drückens der "Enter"-Taste auch laut "Neeeiiiiiin" geschrien. Das hab ich gekonnt ignoriert. Aber es ist ja kein kritisches System, sondern genau für solche Sachen grad noch da. Danke für den Link. Ich schau da mal rein und schreib hier dann noch mal.

Grüße
119944
119944 Jan 06, 2017 at 10:47:02 (UTC)
Goto Top
Führe doch mal "testparm" aus und poste deine smb.conf hier.
Wir haben inzwischen alle Server auf CentOS 7.3 geupdatet und nur kleine Probleme weil WINS nicht mehr funktioniert.

VG
Val
sirhc4022
sirhc4022 Jan 06, 2017 at 11:05:39 (UTC)
Goto Top
Hallo Valexus,

bei euch hat das so geklappt?! Das gibt mir Hoffnung. Testparm hab ich ausgeführt. Das kam bei rum:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[Horreum_Freigaben]"  
Loaded services file OK.
WARNING: You have some share names that are longer than 12 characters.
These may not be accessible to some older clients.
(Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
Server role: ROLE_DOMAIN_MEMBER

Press enter to see a dump of your service definitions

# Global parameters
[global]
	interfaces = lo enp4s0 192.168.xxx.xxx/24
	realm = MEINEDOMAENE.LOCAL
	server string = Samba Server Version %v
	workgroup = MEINEDOMAENE
	log file = /var/log/samba/log.%m
	max log size = 50
	security = ADS
	idmap config * : backend = tdb
	cups options = raw
	hosts allow = 127. 192.168.xxx.


[Horreum_Freigaben]
	comment = Freigaben auf Kleombrotos. Hier werden nur Backups gesichert!
	path = /mnt/525bcc55-6040-4956-8b56-e474e4e6211b/Freigaben
	guest ok = Yes
	read only = No

*

Die komplette smb.conf:
# This is the main Samba configuration file. For detailed information about the
# options listed here, refer to the smb.conf(5) manual page. Samba has a huge
# number of configurable options, most of which are not shown in this example.
#
# The Official Samba 3.2.x HOWTO and Reference Guide contains step-by-step
# guides for installing, configuring, and using Samba:
# http://www.samba.org/samba/docs/Samba-HOWTO-Collection.pdf
#
# The Samba-3 by Example guide has working examples for smb.conf. This guide is
# generated daily: http://www.samba.org/samba/docs/Samba-Guide.pdf
#
# In this file, lines starting with a semicolon (;) or a hash (#) are
# comments and are ignored. This file uses hashes to denote commentary and
# semicolons for parts of the file you may wish to configure.
#
# Note: Run the "testparm" command after modifying this file to check for basic  
# syntax errors.
#
#---------------
# Security-Enhanced Linux (SELinux) Notes:
#
# Turn the samba_domain_controller Boolean on to allow Samba to use the useradd
# and groupadd family of binaries. Run the following command as the root user to
# turn this Boolean on:
# setsebool -P samba_domain_controller on
#
# Turn the samba_enable_home_dirs Boolean on if you want to share home
# directories via Samba. Run the following command as the root user to turn this
# Boolean on:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory, such as a new top-level directory, label it
# with samba_share_t so that SELinux allows Samba to read and write to it. Do
# not label system directories, such as /etc/ and /home/, with samba_share_t, as
# such directories should already have an SELinux label.
#
# Run the "ls -ldZ /path/to/directory" command to view the current SELinux  
# label for a given directory.
#
# Set SELinux labels only on files and directories you have created. Use the
# chcon command to temporarily change a label:
# chcon -t samba_share_t /path/to/directory
#
# Changes made via chcon are lost when the file system is relabeled or commands
# such as restorecon are run.
#
# Use the samba_export_all_ro or samba_export_all_rw Boolean to share system
# directories. To share such directories and only allow read-only permissions:
# setsebool -P samba_export_all_ro on
# To share such directories and allow read and write permissions:
# setsebool -P samba_export_all_rw on
#
# To run scripts (preexec/root prexec/print command/...), copy them to the
# /var/lib/samba/scripts/ directory so that SELinux will allow smbd to run them.
# Note that if you move the scripts to /var/lib/samba/scripts/, they retain
# their existing SELinux labels, which may be labels that SELinux does not allow
# smbd to run. Copying the scripts will result in the correct SELinux labels.
# Run the "restorecon -R -v /var/lib/samba/scripts" command as the root user to  
# apply the correct SELinux labels to these files.
#
#--------------
#
#======================= Global Settings =====================================

[global]

# ----------------------- Network-Related Options -------------------------
#
# workgroup = the Windows NT domain name or workgroup name, for example, MYGROUP.
#
# server string = the equivalent of the Windows NT Description field.
#
# netbios name = used to specify a server name that is not tied to the hostname.
#
# interfaces = used to configure Samba to listen on multiple network interfaces.
# If you have multiple interfaces, you can use the "interfaces =" option to  
# configure which of those interfaces Samba listens on. Never omit the localhost
# interface (lo).
#
# hosts allow = the hosts allowed to connect. This option can also be used on a
# per-share basis.
#
# hosts deny = the hosts not allowed to connect. This option can also be used on
# a per-share basis.
#
# max protocol = used to define the supported protocol. The default is NT1. You
# can set it to SMB2 if you want experimental SMB2 support.
#
	workgroup = MEINEDOMAENE
	server string = Samba Server Version %v

	netbios name = KLEOMBROTOS

	interfaces = lo enp4s0 192.168.xxx.xxx/24 
	hosts allow = 127. 192.168.xxx.

;	max protocol = SMB2

# --------------------------- Logging Options -----------------------------
#
# log file = specify where log files are written to and how they are split.
#
# max log size = specify the maximum size log files are allowed to reach. Log
# files are rotated when they reach the size specified with "max log size".  
#

	# log files split per-machine:
	log file = /var/log/samba/log.%m
	# maximum size of 50KB per log file, then rotate:
	max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# security = the mode Samba runs in. This can be set to user, share
# (deprecated), or server (deprecated).
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#

#	security = user
#	passdb backend = tdbsam


# ----------------------- Domain Members Options ------------------------
#
# security = must be set to domain or ads.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#
# realm = only use the realm option when the "security = ads" option is set.  
# The realm option specifies the Active Directory realm the host is a part of.
#
# password server = only use this option when the "security = server"  
# option is set, or if you cannot use DNS to locate a Domain Controller. The
# argument list can include My_PDC_Name, [My_BDC_Name], and [My_Next_BDC_Name]:
#
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
#
# Use "password server = *" to automatically locate Domain Controllers.  

	security = ADS
	passdb backend = tdbsam
	encrypt passwords = yes
	realm = MEINEDOMAENE.LOCAL

;	password server = leonidas.meinedomaene.local

# ----------------------- Domain Controller Options ------------------------
#
# security = must be set to user for domain controllers.
#
# passdb backend = the backend used to store user information in. New
# installations should use either tdbsam or ldapsam. No additional configuration
# is required for tdbsam. The "smbpasswd" utility is available for backwards  
# compatibility.
#
# domain master = specifies Samba to be the Domain Master Browser, allowing
# Samba to collate browse lists between subnets. Do not use the "domain master"  
# option if you already have a Windows NT domain controller performing this task.
#
# domain logons = allows Samba to provide a network logon service for Windows
# workstations.
#
# logon script = specifies a script to run at login time on the client. These
# scripts must be provided in a share named NETLOGON.
#
# logon path = specifies (with a UNC path) where user profiles are stored.
#
#
;	security = user
;	passdb backend = tdbsam

;	domain master = yes
;	domain logons = yes

	# the following login script name is determined by the machine name
	# (%m):
;	logon script = %m.bat
	# the following login script name is determined by the UNIX user used:
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# use an empty path to disable profile support:
;	logon path =

	# various scripts can be used on a domain controller or a stand-alone
	# machine to add or delete corresponding UNIX accounts:

;	add user script = /usr/sbin/useradd "%u" -n -g users  
;	add group script = /usr/sbin/groupadd "%g"  
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"  
;	delete user script = /usr/sbin/userdel "%u"  
;	delete user from group script = /usr/sbin/userdel "%u" "%g"  
;	delete group script = /usr/sbin/groupdel "%g"  


# ----------------------- Browser Control Options ----------------------------
#
# local master = when set to no, Samba does not become the master browser on
# your network. When set to yes, normal election rules apply.
#
# os level = determines the precedence the server has in master browser
# elections. The default value should be reasonable.
#
# preferred master = when set to yes, Samba forces a local browser election at
# start up (and gives itself a slightly higher chance of winning the election).
#
;	local master = no
;	os level = 33
;	preferred master = yes

#----------------------------- Name Resolution -------------------------------
#
# This section details the support for the Windows Internet Name Service (WINS).
#
# Note: Samba can be either a WINS server or a WINS client, but not both.
#
# wins support = when set to yes, the NMBD component of Samba enables its WINS
# server.
#
# wins server = tells the NMBD component of Samba to be a WINS client.
#
# wins proxy = when set to yes, Samba answers name resolution queries on behalf
# of a non WINS capable client. For this to work, there must be at least one
# WINS server on the network. The default is no.
#
# dns proxy = when set to yes, Samba attempts to resolve NetBIOS names via DNS
# nslookups.

;	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes

;	dns proxy = yes

# --------------------------- Printing Options -----------------------------
#
# The options in this section allow you to configure a non-default printing
# system.
#
# load printers = when set you yes, the list of printers is automatically
# loaded, rather than setting them up individually.
#
# cups options = allows you to pass options to the CUPS library. Setting this
# option to raw, for example, allows you to use drivers on your Windows clients.
#
# printcap name = used to specify an alternative printcap file.
#

	load printers = yes
	cups options = raw

;	printcap name = /etc/printcap
	# obtain a list of printers automatically on UNIX System V systems:
;	printcap name = lpstat
;	printing = cups

# --------------------------- File System Options ---------------------------
#
# The options in this section can be un-commented if the file system supports
# extended attributes, and those attributes are enabled (usually via the
# "user_xattr" mount option). These options allow the administrator to specify  
# that DOS attributes are stored in extended attributes and also make sure that
# Samba does not change the permission bits.
#
# Note: These options can be used on a per-share basis. Setting them globally
# (in the [global] section) makes them the default for all shares.

;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes


#============================ Share Definitions ==============================
[Horreum_Freigaben]
	comment = Freigaben auf Kleombrotos. Hier werden nur Backups gesichert!
	browseable = yes
	writable = yes
	guest ok = yes
	path = /mnt/525bcc55-6040-4956-8b56-e474e4e6211b/Freigaben
	
;[homes]
;	comment = Home Directories
;	browseable = no
;	writable = yes
;	valid users = %S
;	valid users = MEINEDOMAENE.LOCAL\%S

;[printers]
;	comment = All Printers
;	path = /var/spool/samba
;	browseable = no
;	guest ok = no
;	writable = no
;	printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons:
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no

# Un-comment the following to provide a specific roving profile share.
# The default is to use the user's home directory:  
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes

# A publicly accessible directory that is read only, except for users in the
# "staff" group (which have write permissions):  
;	[public]
;	comment = Public Stuff
;	path = /home/samba
;	public = yes
;	writable = yes
;	printable = no
;	write list = +staff

leonidas = SBS2011
kleombrotos = CentOS
119944
Solution 119944 Jan 06, 2017 at 11:31:35 (UTC)
Goto Top
An deiner Stelle würde ich mit einer leeren smb.conf starten, bei dir blickt ja keiner durch...
interfaces = lo enp4s0 192.168.xxx.xxx/24
hosts allow = 127. 192.168.xxx.
Die beiden Punkte würde ich außerdem raus lassen und dem Subnetz über Firewallregeln Zugriff gewähren.

Ich würde außerdem den Server über "authconfig" konfigurieren, das legt dir auch deine smb.conf usw. richtig an.

authconfig --enablewinbind --enablewins --enablewinbindauth --smbsecurity ads --smbworkgroup=DOMAIN --smbrealm DOMAIN.LOCAL --smbservers=fqdn-von-leonidas --krb5realm=DOMAIN.LOCAL --enablewinbindoffline --enablewinbindkrb5 --winbindtemplateshell=/bin/sh --winbindjoin=admin --update --enablelocauthorize --savebackup=/backups

smb.conf:
#======================= Global Settings =====================================

[global]
#--authconfig--start-line--

# Generated by authconfig on 2015/06/17 16:23:16
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = DOMAIN
   password server = fqdn-von-leonidas
   realm = DOMAIN.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/sh
   kerberos method = secrets and keytab
   winbind use default domain = false
   winbind offline logon = true

#--authconfig--end-line--

        server string = Samba Server Version %v
        log file = /var/log/samba/log.%m
        log level = 2
        max log size = 50
        load printers = no
        cups options = raw
        printcap name = /dev/null

#============================ Share Definitions ==============================
[home$]
path = /srv/samba/home
read only = no

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = DOMAIN.LOCAL
[realms]
 DOMAIN.LOCAL = {
  kdc = fqdn-von-leonidas
 }

[domain_realm]
 domain.local = DOMAIN.LOCAL
 .domain.local = DOMAIN.LOCAL

Die Punkte "DOMAIN" und "fqdn-von-leonidas" solltest du natürlich an deine Umgebung anpassen.
Spiel am besten in einer VM und teste dort erstmal rum.

VG Val
Vision2015
Solution Vision2015 Jan 06, 2017 at 12:12:25 (UTC)
Goto Top
Zitat von @Lochkartenstanzer:

Moin,

Hast Du auch mal smbd und nmbd mal frisch durchgestartet? Manchmal hängen die einfach.

Schönen Feiertag noch,
wie Feiertag ? Wo ?

lks
Frank
sirhc4022
sirhc4022 Jan 06, 2017 at 12:43:35 (UTC)
Goto Top
Saubere Sache. Jetzt läufts. Perfekt!

Auf den ersten Blick sieht deine Config genauso aus wie meine. Die
interfaces = lo enp4s0 192.168.xxx.xxx/24
hosts allow = 127. 192.168.xxx.

hab ich rausgenommen und die authconfig ausgeführt. Leider hat der keine smb.conf erzeugt. Musste ich per Hand machen. Die, die ich hatte war ja aus der Vorlage (smb.conf.example) genommen. Für mich wäre es jetzt nur noch zum Verständnis wichtig, wo es gehangen hat... ich mag ja nicht nur dass das Zeug geht, sondern auch wie es geht. :D

Danke dir erstmal Val! Riiichtig gut.
119944
119944 Jan 06, 2017 at 13:53:23 (UTC)
Goto Top
Mhh wenn ich so genau nachdenke legt er die datei glaub ich nur an sobald du authconfig ohne "--savebackup=/backups" ausführst. Dabei werden aber die vorhandenen Dateien überschrieben.

Gute Frage woran es jetzt gelegen hat aber schön wenns funktioniert face-wink
Lochkartenstanzer
Lochkartenstanzer Jan 06, 2017 at 15:53:28 (UTC)
Goto Top
Zitat von @Vision2015:

Zitat von @Lochkartenstanzer:

Schönen Feiertag noch,
wie Feiertag ? Wo ?


Hierzulande im Süden Deutschlands.

lks
117471
117471 Jan 08, 2017 at 00:28:55 (UTC)
Goto Top
Hey,

warum installierst Du auf dem CentOS nicht auch Acronis und erstellst dort ein zentrales Depot?

Ansonsten funkt bei CentOS gerne mal SELinux dazwischen.

Gruß,
Jörg