August 22, 2006

Some words on my Samba setup

I’d like to detail the process I used to “migrate” from a Samba domain controller on my old server to a newer Samba domain controller on my new server. My goal was not to have to remake my Windows profiles, and this was pretty easy to achieve.

A few words on the software versions in play, and a bit about their interactions:

Samba is acting as a domain controller, of course, and is using FDS (Fedora Directory Server, an LDAP server) as its passdb backend. The system uses nss_ldap to read users and groups out of LDAP as well. libuser is in there because it turned out to be the nicest and easiest way to manage system users, complete with an interface almost exactly like Fedora’s (and so maybe slightly different from everyone else’s) useradd and friends.

libuser is important for another reason: Samba’s add machine script points to it:

add machine script = LIBUSER_CONF=/etc/libuser.conf.smb-machines
                     /usr/sbin/luseradd -n -g samba-machines -c Machine
                     -M -d /dev/null -s /sbin/nologin %u

(Indentation added to make it more readable.) The command is run with sh -c, so setting the LIBUSER_CONF environment variable as I’ve done there works fine. libuser.conf.smb-machines differs from the default libuser.conf in one way: it specifies to make accounts in ou=Computers rather than ou=People. The rest should be self-explanatory: -n suppresses the per-user private group, -M suppresses creation of a home directory, and %u is the machine account name (with its trailing $) that smbd passes in.

One catch: libuser needs the bind password for an LDAP user with privileges to create a new user. By default, it lacks the ability to store this password in the configuration file. This change is the patch I added to libuser. I’m reluctant to distribute this patch because I really didn’t audit it for security, or, in fact, audit all of libuser to see what impact that change might have. It seems to work fine, even when regular users go to change their passwords with lpasswd. The patch is nearly entirely trivial, and you can find other people distributing similar patches besides. Just beware that I’m not sure using libuser like that is a good idea. (Don’t forget to make libuser.conf unreadable except by privileged users. It should be safe (I think?) to make luseradd and friends setuid root, so that they can read the configuration file. Bear in mind, though, that a setuid-root luseradd is then one more program that reads a file holding a privileged LDAP bind password, and that the tools pick their configuration file from the LIBUSER_CONF environment variable, which an unprivileged caller controls; a setuid binary that still honours that variable could be pointed at a configuration file of the caller’s choosing.)

Of course, I could avoid a lot of this trouble by not adding machines automatically. Your choice; I chose automation.

The old Samba server was Samba 2.2. It was also using LDAP, but the LDAP schemas seemed different enough that I didn’t bother to try doing some kind of copy/port of the LDAP data from the old server to the new one. Instead, I created the new domain as specified in the Samba HOWTO. Then I took the old Samba domain SID (I forget how I got this out; it might have required smbpasswd; the answer was readily available via Google) and input it into the new domain with net setdomainsid (again, I think that’s how I put it in; either that or I put it in by hand directly in LDAP).

I figured out the SIDs of the (two) users I wanted to copy by looking in the registry: I believe a user’s SID is their key as found in HKEY_USERS when they’re logged in (when their hive is loaded automatically). I found one of the SIDs by manually loading the hive as local Administrator and then looking at the permissions on the hive. Since the SID wasn’t found, it showed me the SID instead of a user name. Adding the users was a matter of calling luseradd to add the system user, then smbpasswd -a to add the Samba object classes to the user object, and finally overwriting the sambaSID attribute with the value I got from looking in the registry on one of the client machines. I’ll note that the SID seems to be composed of the domain SID followed by what is (or was?) known as the RID, the RID being a single integer; i.e., everything up to the last hyphen is the domain SID, and the number following the last hyphen is the RID.
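As an added example (my own helpers, not part of the original post or of Samba), here is the SID-cloning step written down as a small script: it splits a SID into the domain SID and the RID as described above, checks that the user SID copied out of a client’s registry actually belongs to the domain SID that was installed with net setdomainsid (otherwise overwriting sambaSID buys nothing), and emits the LDIF that replaces the user’s sambaSID attribute. The DN layout (uid=…,ou=People,…), the "cn=Directory Manager" bind DN in the comments and the sample SIDs are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the "clone the
# SID" step. The DN layout and the sample SIDs below are assumptions.

# Everything up to the last hyphen is the domain SID ...
sid_domain() { printf '%s\n' "${1%-*}"; }
# ... and the number after the last hyphen is the RID.
sid_rid()    { printf '%s\n' "${1##*-}"; }

# A domain account SID looks like S-1-5-21-<a>-<b>-<c>-<rid>: the fixed
# S-1-5-21 prefix followed by exactly four decimal fields.
valid_sid() {
    case "$1" in
        S-1-5-21-*) ;;
        *) return 1 ;;
    esac
    rest="${1#S-1-5-21-}"
    n=0
    old_ifs="$IFS"; IFS=-
    for field in $rest; do
        case "$field" in
            ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;;
        esac
        n=$((n + 1))
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# The cloned user SID must live in the domain whose SID the new DC now
# carries (the value 'net getlocalsid' prints there), or the clone is useless.
check_user_sid() {   # check_user_sid <domain SID> <user SID>
    valid_sid "$2" || return 1
    [ "$(sid_domain "$2")" = "$1" ]
}

# LDIF to feed to, e.g.: ldapmodify -x -D "cn=Directory Manager" -W -f user.ldif
# (bind DN is an assumption; the user must already have the Samba object
# classes, i.e. smbpasswd -a has been run).
user_sid_ldif() {    # user_sid_ldif <uid> <base DN> <user SID>
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nreplace: sambaSID\nsambaSID: %s\n' \
        "$1" "$2" "$3"
}

# Constructed sample domain SID; override with the real one from the new DC.
DOMAIN_SID="${DOMAIN_SID:-S-1-5-21-1111111111-2222222222-3333333333}"

# usage: clone-sid.sh <uid> <base DN> <user SID read from the client's registry>
if [ "$#" -eq 3 ]; then
    check_user_sid "$DOMAIN_SID" "$3" || {
        echo "$3 is not a user SID in domain $DOMAIN_SID" >&2; exit 1; }
    user_sid_ldif "$1" "$2" "$3"
fi
```

The RID check is deliberately not stricter than "four numeric fields": Samba will happily accept any RID you write into sambaSID, so the thing worth verifying before the ldapmodify is that the domain part matches and that no other account already carries the same RID.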

To get the computers on the new domain was just a matter of leaving the domain (this seemed harder in XP: I had to reboot before I could rejoin, and it always wanted an Administrator login/password to attempt to remove the (non-existent) account from the domain as I removed the computer from the domain) and then rejoining it. This seemed like the easiest way to get the machine account created in the new LDAP server. Having the machine SID change seems to have caused no adverse effects.

Now, I suppose I could have just created a new domain with a new SID, since I was rejoining the (two) computers anyway. I suppose that the fact that user SIDs change wouldn’t be a huge deal either: theoretically I just modify the ownership and ACLs on their local profile to get the correct SID on the profile. (I don’t know about the case where local users have installed software in system directories; i.e., my girlfriend’s user owns C:\Program Files\Foo or something.) “Cloning the SID” didn’t seem very hard at all, though, and it meant me having to deal with Windows less, so I’m happy.

I’m not yet certain about a few things involving passwords. For one thing, changing them from Linux: I haven’t configured a way to change passwords from PAM, I think. It appears that there is no PAM module that can change an SMB password on a remote computer, yet, without lots of configuration. pam_smbpass, which comes with Samba, seems to require you to configure the LDAP passdb backend on each machine you want to use it from, including setting the proper bind password and all that jazz. I don’t believe pam_smb_auth supports password changing of any kind. I wonder if it’s somehow impossible to have a PAM module that, given the user name, password, and domain (that last as part of its configuration), will go out and find a login server for that domain and then perform the proper SMB rituals to change a password. Doing the SMB part itself doesn’t seem like it should be that hard: hopefully parts of Samba could be reused. In fact, smbpasswd -r can already talk SMB to change your password, I believe; it just doesn’t do the “automatically find a login server” bit (which Samba itself does do, I believe). Anyway, that situation of changing SMB passwords from PAM seems ugly. Further, I’m not sure if password expiration can work. My workstations are authenticating from LDAP currently, I believe, not SMB; if I set LDAP restrictions on the password, and have told Samba to obey PAM restrictions, will pam_ldap figure out what the LDAP server is requesting (i.e., a better password, change your password because it has expired, etc.) and will Samba be able to read that information? I think PAM specifies interfaces for this kind of communication (i.e., some constants for “password expired” and things like that).

One final note: when nscd is running I think it does a negative caching of smbd’s first lookup before it decides it needs to create a machine account when adding a machine to the domain. Explained a different way:

  1. smbd gets a request to add a machine ‘foo’ to the domain.
  2. smbd tries to retrieve the system user ID for ‘foo$’.
  3. nscd gets the request, looks it up in LDAP, and comes up empty.
  4. nscd caches the negative result before returning it to smbd.
  5. smbd creates the account.
  6. smbd tries to retrieve the system user ID for ‘foo$’.
  7. nscd returns the cached negative result.
  8. smbd, unable to get the user ID, bails.

The moral of the story: stop nscd before doing a machine add. This is a bit annoying; perhaps I can tweak negative caching with nscd. Ooh, looks like you can: negative-time-to-live for the passwd map in /etc/nscd.conf. However, setting this to 0 or 1 still seems to make it take at least a couple of seconds before it expires the negative result and tries the lookup again. So despite my attempts to automate, I either have to disable nscd (big performance hit in my experience) or else remember to stop nscd before I add a machine to the domain.
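One way to keep the automation and still get past the negative-cache problem is to make the add machine script a small wrapper instead of a bare luseradd line. The script below is an added example (mine, not from the original post or from Samba or libuser): it runs the same luseradd invocation shown further up, then invalidates nscd’s passwd cache with nscd -i passwd so that smbd’s second lookup of foo$ is not answered from the negative entry cached by the first one, and finally waits until the account really resolves through NSS. The install path (/usr/local/sbin/smb-add-machine), the variable names and the retry count are assumptions; the commands it calls can be overridden through the environment, which is also how it is tested.

```shell
#!/bin/sh
# Added example, not from the original post: wrapper for Samba's
# "add machine script", to be referenced from smb.conf as
#   add machine script = /usr/local/sbin/smb-add-machine %u
# Paths and variable names are assumptions for this example.
LUSERADD="${LUSERADD:-/usr/sbin/luseradd}"
NSCD="${NSCD:-/usr/sbin/nscd}"
GETENT="${GETENT:-getent}"
LIBUSER_MACHINE_CONF="${LIBUSER_MACHINE_CONF:-/etc/libuser.conf.smb-machines}"
MACHINE_GROUP="${MACHINE_GROUP:-samba-machines}"
RETRIES="${RETRIES:-5}"

# smbd passes the account name with its trailing '$' as %u. Only accept
# names of that shape, so this root-run script cannot be used to create
# anything but a machine account.
valid_machine_name() {
    case "$1" in
        *'$') ;;
        *) return 1 ;;
    esac
    case "${1%\$}" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# The same luseradd command as the smb.conf line in the post, using the
# alternative libuser.conf that places the entry under ou=Computers.
create_machine_account() {
    LIBUSER_CONF="$LIBUSER_MACHINE_CONF" "$LUSERADD" -n -g "$MACHINE_GROUP" \
        -c Machine -M -d /dev/null -s /sbin/nologin "$1"
}

# 'nscd -i passwd' invalidates the passwd cache, negative entries included.
# If nscd is not running there is nothing to flush, so ignore the failure.
flush_nscd() {
    "$NSCD" -i passwd 2>/dev/null || true
}

# Even with a short negative-time-to-live the stale answer can linger for a
# moment, so poll for a few seconds instead of failing on the first miss.
wait_for_account() {
    tries=0
    while [ "$tries" -lt "$RETRIES" ]; do
        if "$GETENT" passwd "$1" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1))
        sleep 1
    done
    echo "$1: account not visible through NSS after $RETRIES tries" >&2
    return 1
}

add_machine() {
    valid_machine_name "$1" || {
        echo "refusing to create '$1': not a machine account name" >&2; return 2; }
    create_machine_account "$1" || return 1
    flush_nscd
    wait_for_account "$1"
}

if [ "$#" -gt 0 ]; then
    add_machine "$1"
fi
```

The name check matters because smbd runs this as root with a string taken from the joining client; restricting it to <name>$ keeps a misbehaving client from turning the add machine script into a general-purpose account creator. The exit status is what smbd sees, so a lookup that still fails after the retries makes the join fail loudly instead of leaving a half-created account behind.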

August 20, 2006

Minor note: VMware, Windows, Palm, and HotSync

I’ve got Palm Desktop installed on XP running under VMware on my FC5 desktop. USB HotSync to my Tungsten C works if (1) you have focus on the VMware window, and (2) you stop the visor module from loading. Here’s the line that accomplishes (2), from /etc/modprobe.conf:

install visor /bin/true

Maybe not the absolute cleanest way; if someone knows a cleaner way to disable a module from loading automatically, let me know.

August 16, 2006

Getting Starcraft/Brood Wars 1.13f to work under FC5, Cedega 5.2

I was helping someone get Starcraft working in this environment earlier. Here’s a rough account of problems we hit, and how we fixed (or worked around) them:

  • freetype support is on by default. Install cabextract, then install the MS fonts like:

    CABEXTRACT_PATH=`which cabextract` \
    /usr/lib/transgaming_cedega/transgaming_fontinstaller/tg-font-install


    Run this as a regular user. (I ran everything about Cedega as his regular user, except for the installation of the RPM.) This makes ~/.transgaming_global/Fonts. Hopefully you can see this gets linked to the C:\Windows\Fonts directory inside your Cedega game directory.

    At this point, the installer (which wasn’t working prior to this) should run.

  • Don’t forget to switch sound to ALSA. I changed the PCM device to default, turned off mmap, turned on “Full Duplex.”

  • Install Starcraft from the CD. The installer exits kind of abruptly, but it seems to work.

  • Install the Starcraft 1.13f patch.
  • Install Brood Wars. The installer will again abruptly exit.
  • If you go look in C:\Program Files\Starcraft (~/.cedega/Starcraft/c_drive/Program Files/Starcraft/ for me) you’ll see a Temp directory. mv everything out of the Temp directory into its parent directory, overwriting any existing files.
  • We installed the game with a loopback mount of the ISO. To play the game we had to define a drive in Cedega. The only place I found to make this change, and make it stick, was in ~/.cedega/.global.delta, which is almost certainly the wrong place (being global, for one, which I take to mean “applies across all games”). The entries I made looked like this:

    [Drive G]
    "Type" = "cdrom"
    "Path" = "/mnt/loop0"
    "Label" = "STARCRAFT"
    "FailReadOnly" = "y"

    ;[Drive G]
    ;"Type" = "cdrom"
    ;"Path" = "/mnt/loop1"
    ;"Label" = "BROODWAR"
    ;"FailReadOnly" = "y"

    The semicolons are comment characters, so he has to uncomment whichever game he wants to play.

Inexplicably, this seems to work. The version on the version screen says 1.13f. However, we haven’t tried playing Brood Wars yet. This slightly bizarre set of steps was necessary: I’d usually install SC, install BW, then patch them with the Starcraft Brood Wars 1.13f patch. However, the SC/BW 1.13f patch wouldn’t run on his system, throwing up various errors.

Hopefully both SC and BW will play with other 1.13f clients. We’ll have to give it a test.

August 13, 2006

Ubuntu for Fedora/Red Hat users

I installed Ubuntu on a Linode virtual machine. I’ve got a list of things I do to a new RH/FC box. Here are some notes from trying to execute that list of things on Ubuntu:

  • dir_index wasn’t set on my ext3 filesystem. I don’t know if that’s a Linode thing or an Ubuntu thing, but I actually needed to set it (tune2fs -O dir_index on the device) and then e2fsck -fD the device to build the indexes. Since the fsck requires that the filesystem not be mounted read-write, I set SULOGIN=yes in /etc/default/rcS, entered the root password when prompted, and fsck’ed from there.
  • I set the host name in /etc/hostname; I hope that’s the right place.
  • I didn’t seem to have an MTA installed at all (and this may be Linode’s “fault”). If I have one, I don’t know what it’s called. Sendmail and exim both seem missing.
  • You should enable the universe repositories in /etc/apt/sources.list to get… well, it seems like to get all the good stuff.
  • vim-enhanced probably isn’t necessary; I had vim by default. samba-client is smbclient in Ubuntu (mostly, at least).
  • To turn services on/off, install the sysv-rc-conf package (in the universe repository!) and do sysv-rc-conf <service> on|off. Note that the on action just turns a service on for runlevels 2-5; it does not look at the init script to discover what runlevels that particular script thinks it should be turned on for (at least, as far as I know it doesn’t; correct me if I’m wrong). If you want to edit priorities, use sysv-rc-conf -p apparently.
  • Use adduser instead of useradd.
  • You may want to set EDITOR=vim in ~root/.bashrc, otherwise you’ll get nano.
  • Look at /etc/cron.daily/apt for automatic update stuff. I installed the unattended-upgrades package, then put the following in /etc/apt/apt.conf.d/90local:

    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";


    I… hope this works.

  • rpm -qa becomes dpkg -l, rpm -qf becomes dpkg -S, and rpm -ql becomes dpkg -L.
  • I installed ntp-simple to get an /etc/ntp.conf, then put in my favorite servers.
  • chmod 755 /etc/cron.daily/find to update the locate database every night.
  • There is no standard way to insert iptables rules at startup, from what I’m reading. So I suppose I’ll… try and make the RH script I’m used to using run in Ubuntu. (Here it is: RH iptables init script ported to Ubuntu. Or maybe “ported to LSB”?)

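Since the ported Red Hat script is only linked above, here is a minimal LSB-style init script of my own for the same job, added as an example and not the script the post refers to: it loads a saved rule set with iptables-restore (the Debian/Ubuntu counterpart of the /etc/sysconfig/iptables handling on RH/FC), refuses a rules file that anyone besides its owner can modify, and writes the running rules back with save. The rules file location (/etc/iptables.rules), the install path and the override variables are assumptions; the iptables commands can be overridden through the environment, which is how it is tested.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-rules
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Load saved iptables rules at boot
### END INIT INFO
#
# Added example, not the script linked from the original post. Paths and
# override variables are assumptions; install as /etc/init.d/iptables-rules
# and enable it with sysv-rc-conf (or update-rc.d).
RULES="${RULES:-/etc/iptables.rules}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/sbin/iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"

# Whoever can write the rules file rewrites the firewall at the next boot,
# so refuse one that is group- or world-writable.
rules_file_ok() {
    [ -f "$RULES" ] || { echo "$RULES: missing" >&2; return 1; }
    if [ -n "$(find "$RULES" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$RULES: must not be group- or world-writable" >&2
        return 1
    fi
    return 0
}

# Load the saved rule set atomically (iptables-restore replaces all tables
# in one go, so there is no window with a half-applied policy).
start() {
    rules_file_ok || return 1
    "$IPTABLES_RESTORE" < "$RULES"
}

# 'stop' opens the firewall: flush every table and accept everything.
stop() {
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT
    done
}

# Write the running rules back to the file, mode 0600, like
# 'service iptables save' on RH/FC. The temp file is created under
# umask 077 in a subshell so the umask change does not leak.
save() {
    ( umask 077; "$IPTABLES_SAVE" > "$RULES.tmp" ) && mv "$RULES.tmp" "$RULES"
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    save)    save ;;
    status)  "$IPTABLES_SAVE" ;;
    '')      ;;   # no action given: define the functions and do nothing
    *) echo "Usage: $0 {start|stop|restart|save|status}" >&2; exit 3 ;;
esac
```

With Default-Start set to S the rules are loaded during single-user boot, before networking comes up, which is the property the RH script provides and the thing a hand-rolled rc.local line usually gets wrong.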
Other miscellaneous notes, relevant to this particular machine:

  • When you install the stunnel4 package I swear you get stunnel 3 as /usr/bin/stunnel and stunnel 4 as /usr/bin/stunnel4. I wanted stunnel4.
  • The named package on FC is bind9 on Ubuntu. Zones are apparently kept in /etc/bind. caching-nameserver is unnecessary; that configuration seems to be included in the bind9 package and set up as the default. Set the stuff that goes inside options {...} in named.conf.options and the rest of your modifications go in named.conf.local. I guess.
  • I guess Apache’s default CGI directory is /usr/lib/cgi-bin.

When you run “Ubuntu server”… is that any different than just running Debian? It doesn’t feel like it, but maybe it’s been too long since I ran Debian. One of the biggest reasons I’d probably run Ubuntu over Debian is because Ubuntu has a newer binary kernel package (I think?). Of course, on Linode I get their own kernel, presumably with UML magic (2.4.29-linode39-1um).

So far I am not seeing anything that makes me think Ubuntu is better than RH/FC. It used to be that Debian (and thus Ubuntu) had a lot more packages than Fedora, but Fedora Extras and third party repositories have really changed that. Managing init scripts with Ubuntu is significantly more painful for me than in RH/FC (chkconfig being a big part of that, obviously) and a lack of an obvious way to insert iptables rules at boot kind of blows (though this is supposed to be fixed in the next release, or… at least documented). I suspect a large part of Ubuntu’s claimed advantage is on the GUI side of things, which I won’t be seeing on this installation.

Soulseek doesn’t work in VMware

Client (ordeith):

  • Fedora Core 5 x86-64
  • Kernel 2.6.17-1.2157_FC5
  • VMwareWorkstation-5.5.1-19175, with update 101 (from that weird .cz site) applied
  • XP SP2 (32-bit), up to date, running in VMware

Server (verin):

  • Fedora Core 5 i386 (though running on an Intel P4 with EM64T)
  • Kernel 2.6.17-1.2157_FC5smp
  • samba-3.0.23a-1.fc5.1.codefu.1 (patch to fix Samba bug #4003, I believe)

Client is an nForce 4 chipset using forcedeth for its NIC talking to the server. Server is an Intel 1000MT or something like that. These two NICs are crossed over to each other, and bridged to other NICs that go to my 10/100 switch. Spanning tree causes client to send all of its traffic through the server under normal circumstances. All this bridging trickery is to give me gigabit speed between the only two machines on my network that support gigabit (the client and the server in this entry), but to allow things to continue to work if I pull that cable and temporarily connect it to another PC that supports gigabit (like my laptop). VMware had no problem doing bridged networking to lanbr0. (Or is it host networking? If bridged networking works, that’s what I’m using. I’m pretty sure it’s bridged.)

Problem: I start Soulseek. I start downloading, say, two files at reasonable speeds (30-150KB/s each). These files are being downloaded to my Z: drive, which is on my Samba server. Within 5 minutes I begin getting errors like the following:

Event Type: Information
Event Source:   Application Popup
Event Category: None
Event ID:   26
Date:       8/13/2006
Time:       2:02:24 AM
User:       N/A
Computer:   ORDEITH
Description:
Application popup: Windows - Delayed Write Failed : Windows was unable
to save all the data for the file
\Device\WinDfs\Z:000000000000e6dd\verin\darkness