Messages - nickpiggott

@Daniel I think we picked this up on the github issue (

For others - the problem was a failed upgrade script, which didn't create the symlink. Have a look at the discussion on GitHub, but it seems that re-running the upgrade script from the command line may resolve these issues.

After a very difficult upgrade from 6.2 to 7.0, I was facing a problem where Bind and Samba were not properly connected, so DNS updates between them failed (and ultimately disrupted replication between DCs because the DNS zones became incorrectly populated). Restarting the dns module and/or the samba module failed with errors.

I noted several things I need to check and fix, so I'll list them here to help anyone who comes down with the same problems.

A lot of the problems are because the user "bind" cannot access the "dns.keytab", but this is silently failing. You just see "TKEY is unacceptable" errors or "Update: REFUSED" errors.

  • Check the reference to the dns.keytab shown in /etc/bind/named.conf.options. It should be pointing to /var/lib/samba/private/dns.keytab
  • Check the access rights to the /var/lib/samba/private folder. It must be readable by "bind" (or "named") - you may have to
Code:
chmod o=rx /var/lib/samba/private
  • Check that the /var/lib/samba/private/dns.keytab file is set to group "bind" (or "named") and with permissions r-x. Permissions for other users should be --- (not allowed access)

If that doesn't fix your problem, you can recreate the DNS update user, but you must follow all these steps:

  • If there is a /var/lib/samba/private/dns.keytab file, delete it
  • Use samba-tool to delete any existing DNS update user -
Code:
sudo samba-tool user delete dns-{domain controller name}
  • Follow this guide to recreate the user and keytab -
  • Add the newly created user to the DnsAdmins group -
Code:
sudo samba-tool group addmembers "DnsAdmins" dns-{domain controller name}
  • As above, check that dns.keytab is readable by the bind user

Finally, if you're seeing errors relating to "nsupdate -l -t10 (unknown)", check that you
  • Have disabled IPv6 on the machine OR
  • Have enabled bind to respond on IPv6. You'll need to copy /usr/share/zentyal/stubs/dns/bind9.mas to /etc/zentyal/stubs/bind9.mas and then edit that file to remove the "-4" from the OPTIONS line
(this last issue is because nsupdate -l tries to contact localhost, which if IPv6 is enabled, tries :::53, not

Then you can check that things are working with
Code:
sudo samba_dnsupdate --verbose
and
Code:
sudo nsupdate -l
then type "help" and "quit" to make sure it's connected

I hope this saves someone a day or so trying to work out why the DNS module is throwing errors in Zentyal.
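The checklist in the post above (keytab path referenced from named.conf.options, traversable private directory, keytab group-readable by bind and closed to everyone else) can be scripted so the silent failure it describes becomes a visible one. The function below is an added example, not code from the post or from Zentyal or Samba; it assumes GNU stat(1), and the keytab path, BIND group name and named.conf.options path are parameters so it can be pointed at test data as easily as at /var/lib/samba/private/dns.keytab.

```shell
# Added example (not from the forum post): verify the permission chain that lets
# the BIND user read Samba's dns.keytab, following the checklist above.
# Usage: check_dns_keytab_access KEYTAB [BIND_GROUP] [NAMED_CONF_OPTIONS]
# Returns 0 when every check passes, 1 on a permission problem, 2 if a path is missing.
# Assumes GNU stat(1); run as root on a real DC, e.g.
#   check_dns_keytab_access /var/lib/samba/private/dns.keytab bind /etc/bind/named.conf.options
check_dns_keytab_access() {
    keytab="$1"
    group="${2:-bind}"
    named_opts="$3"
    privdir=$(dirname "$keytab")
    rc=0

    # Octal modes from stat; the leading 0 makes the shell parse them as octal.
    dirmode=$(stat -c '%a' "$privdir") || return 2
    ktmode=$(stat -c '%a' "$keytab")   || return 2
    ktgroup=$(stat -c '%G' "$keytab")  || return 2
    dir_other=$(( 0$dirmode & 7 ))
    kt_group=$(( (0$ktmode >> 3) & 7 ))
    kt_other=$(( 0$ktmode & 7 ))

    # 1. bind must be able to traverse the private directory (the post uses chmod o=rx).
    if [ $(( dir_other & 1 )) -eq 0 ]; then
        echo "FAIL: $privdir mode $dirmode does not let others traverse it (try: chmod o=rx $privdir)"
        rc=1
    fi

    # 2. The keytab must belong to the BIND group, be group-readable, and give others
    #    nothing: a world-readable keytab hands the DNS update credential to every local user.
    if [ "$ktgroup" != "$group" ]; then
        echo "FAIL: $keytab is group '$ktgroup', expected '$group' (try: chgrp $group $keytab)"
        rc=1
    fi
    if [ $(( kt_group & 4 )) -eq 0 ]; then
        echo "FAIL: $keytab mode $ktmode is not group-readable (try: chmod g+r $keytab)"
        rc=1
    fi
    if [ "$kt_other" -ne 0 ]; then
        echo "FAIL: $keytab mode $ktmode is accessible to others (try: chmod o= $keytab)"
        rc=1
    fi

    # 3. named.conf.options must reference this exact keytab path (optional third argument).
    if [ -n "$named_opts" ] && ! grep -qF -- "$keytab" "$named_opts"; then
        echo "FAIL: $named_opts does not reference $keytab"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $keytab is readable by group '$group' and referenced by BIND"
    return "$rc"
}
```

The check only inspects metadata, so it is safe to run on a live controller; the suggested commands in each FAIL line are the ones the post itself uses. Note that it deliberately treats a keytab with any "other" bits set as a failure: the TKEY errors go away just as well with chmod 644, but then every local account can read the DNS update credential.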

I had a similar problem after an upgrade from 6.2 to 7.0 aborted during the upgrade of Ubuntu from 18.04 to 20.04.

As a result, the release-upgrade script did not complete. That script has a line that creates a symlink between /bin/bash and /usr/bin/bash

I started to see this error in the Web Admin console when trying to access any of the Domain menu options.

The error was reported in /var/log/zentyal/zentyal.log as

Code:
EBox::Ldap::safeConnect - FATAL: Could not connect to samba LDAP server: connect: Permission denied at FATAL: Could not connect to samba LDAP server: connect: Permission denied at /usr/share/perl5/EBox/ line 219

After a great deal of debugging, I found this solution.

  • Zentyal makes its LDAP connection through a pipe at /var/lib/samba/private/ldapi_priv/ldapi
  • The modules run as user ebox
  • ldapi_priv is group "ebox"
  • ldapi_priv/ldapi is a pipe, so read/writeable by all
  • /var/lib/samba has permissions allowing any user to access
  • in my situation, /var/lib/samba/private was owned root:root and only accessible by root
  • therefore it seemed that user ebox could not access the ldapi pipe (defined in /usr/share/perl5/EBox/
I changed the permissions of the private folder
Code:
# run from inside /var/lib/samba
sudo chgrp ebox private
sudo chmod g=rwx private

That fixed my problem

Recent upgrade from 6.2.7 to 7.0 on Ubuntu

After upgrading I noticed that my iptables were blank and I had no routing through the server. Looking at the log, I could see that the firewall module was trying to manipulate iptables by referencing /sbin/iptables.

There wasn't an /sbin/iptables on my installation - it's /usr/sbin/iptables

I "fixed" the problem by creating a symbolic link from /sbin/iptables to /usr/sbin/iptables and restarted the firewall. iptables then populated correctly and traffic flowed through the server.

Posting this so future readers can see the problem and the fix.

Samba 4.7.6 ignores the setting for "winbind use default domain" on the machine running the AD-DC.

That means all usernames are now in the format "DOMAIN\username" on the AD-DC machine - you'll also notice this logging into the Zentyal webadmin. This cannot be changed.

The fix I had to put in place:

Copy the postfix configuration stub into /etc/zentyal/stubs/mail if it doesn't already exist there.
Code:
mkdir /etc/zentyal/stubs/mail
cp /usr/share/zentyal/stubs/mail/ /etc/zentyal/stubs/mail/

Edit /etc/zentyal/stubs/mail/ to add this line
Code:
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
Create a file /etc/postfix/sender_canonical with the content
Code:
# remove DOMAIN segment of DOMAIN\username sender
/([A-Z]+)\\(.*)/ $2

Restart Zentyal Mail
Code:
sudo zs mail restart
This re-writes outbound usernames as "username", stripping the DOMAIN section.

You also have to create symlinks in /mail/var. For each mailbox "username", create a hard symlink to DOMAIN\username
Code:
cd /mail/var
sudo ln username "DOMAIN\username"
otherwise the mail command won't work for your users.
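To see what the sender_canonical table above does to a given address before reloading Postfix, the rewrite can be replayed with sed. This is an added example, not code from the post or from Postfix; it assumes GNU sed (for the I flag) and uses constructed sample addresses. Two details of Postfix regexp tables matter here and are mirrored in the function: lookups are case-insensitive by default, so the [A-Z]+ pattern also strips a lowercase "mydomain\", and an address without a backslash does not match and is left alone.

```shell
# Added example (not from the forum post): replay the sender_canonical regexp
# rewrite on sample addresses. Assumes GNU sed; the I flag reproduces the
# default case-insensitive matching of Postfix regexp tables.
# Postfix replaces the whole lookup key with $2; sed replaces only the matched
# span, which is the same thing for an address that starts with DOMAIN\.
strip_sender_domain() {
    printf '%s\n' "$1" | sed -E 's/[A-Z]+\\(.*)/\1/I'
}

# Constructed sample senders (not real accounts) and what the table makes of them.
demo_sender_rewrite() {
    for sender in 'MYDOMAIN\myuser' 'mydomain\myuser' \
                  'MYDOMAIN\myuser@example.lan' 'plainuser@example.lan'; do
        printf '%-30s -> %s\n' "$sender" "$(strip_sender_domain "$sender")"
    done
}
```

On the mail server itself the authoritative check is Postfix's own lookup, `postmap -q 'MYDOMAIN\myuser' regexp:/etc/postfix/sender_canonical`, which prints the rewritten address exactly as cleanup(8) will apply it.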

Running Zentyal 6.2, Samba Active Directory enabled.

In smb.conf, these values are set
Code:
workgroup = mydomain  (in lower case)
realm =

From the Linux command line on the server running Zentyal,

Code:
MYDOMAIN\myuser@dc:\home\myuser$ mail
Subject: Test Email
Test Email

The mail is rejected by GMail with this error

Code:
: host[] said: 553-5.1.7 The sender address <MYDOMAIN\> is not a valid 553 5.1.7 RFC-5321 address.
If I send an email myself, I see TWO mailboxes in /var/mail

Code:

When I open mail to read mail, it says there is no mail for MYDOMAIN\myuser
If I cat the file of mydomain\myuser I can see the email

Looking in /var/log/mail.log I can see
Code:
postfix/pickup[29633]: 0532F1403E4: uid=1000 from=<MYDOMAIN\myuser>

So it seems that Postfix is doing two things:
  • Not removing the MYDOMAIN part of my username from the outbound "from address"

  • Changing the reply back to all lowercase (including the mydomain section)

Any thoughts what I can do to resolve this?

I'm having the same problem.

Why was this behaviour changed?

I don't want to have to renumber my users as presumably I'll have to change all their file ownership permissions in Linux to match the new numbers?

That fixed the problem, thank you.

On my Backup Domain Controller (BDC) - also running Zentyal 5.1, I additionally had to run

Code:
sudo net cache flush
sudo smbcontrol winbind reload-config

to get the users within the group to be visible.

I'm running Zentyal 5.1 with Samba 4.6.7 on Ubuntu 16.04.6 LTS

I have users and groups populated in Active Directory. I can use the Zentyal GUI to add a user to the "Domain Admins" group.

However querying the Domain Admin groups shows it as being empty:
Code:
> getent group
DOMAIN\domain admins:x:2512:
> wbinfo --group-info="Domain Admins"
DOMAIN\domain admins:x:2512:

Using samba-tool provides the correct answer:
Code:
> sudo samba-tool group listmembers "Domain Admins"
ldb_wrap open of secrets.ldb

My uid is 1000 (a legacy ID). The administrator uid is 2500. The zental-mail-dc2 uid is 3000031.

My smb.conf is autogenerated by Zentyal. There are no apparent errors in /var/log/samba/samba.log. I'm using only winbind (sssd is not installed on this box).

What can I do to correct this? It's stopping important functionality (like adding "Domain Admins" to the sudoers file) from working.

I'm trying to create a harmonised experience for my users across a mixture of Microsoft Windows and Linux (Ubuntu) machines.

Using SMB to access files on the file server is a good experience in Windows (with automatic drive mapping at logon), but a poor experience on Linux. I'm preferring to use NFS for Linux workstations, using exports and mounting them natively, but to do that, the user and group ID numbers must be aligned across the whole network.

This configuration of SSSD on the workstations means the user id and group ids are the same on the workstation as the server, so access control is correctly applied across the NFS shares (and consistently in line with accessing the same files using SMB).

As a user, I don't notice any significant difference between accessing my files using mapped drives in Windows or mounted in folders in Linux, which is my ambition.

I have found the solution.

1. Add in these lines into the relevant [domain] section of /etc/sssd/sssd.conf
Code:
id_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = true
2. Stop SSSD with
Code:
sudo systemctl stop sssd
3. Clear the SSSD cache with
Code:
sudo rm -rf /var/lib/sss/db/*
4. Start SSSD again
Code:
sudo systemctl start sssd
5. Verify that the native uidNumber and gidNumber are showing
Code:
getent passwd
getent group
6. If the native ids are showing, edit the /etc/sssd/sssd.conf file to remove the enumerate = true line, and stop/start SSSD again.

You should not need to make any reference to winbind in smb.conf or idmap config in sssd.conf
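The sssd.conf settings in step 1 are the part of the procedure above that is easy to get subtly wrong (a key placed under [sssd] instead of [domain/...], or ldap_id_mapping left at its default, silently sends the workstation back to SSSD's generated id range and breaks the NFS uid alignment described earlier). The function below is an added example, not code from the post or from SSSD; it assumes the standard INI layout of sssd.conf with a [domain/NAME] section and is given the file path as a parameter so it can run against a copy.

```shell
# Added example (not from the forum post): check that the [domain/...] section of
# an sssd.conf carries the settings the steps above require, so the workstation
# takes uidNumber/gidNumber from AD rather than SSSD's own generated id range.
# Usage: check_sssd_domain_conf FILE  -> 0 if complete, 1 if something is missing,
#        2 if the file is unreadable. Assumes the usual sssd.conf INI layout.
check_sssd_domain_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }
    rc=0

    # Keep only key=value lines that sit inside a [domain/...] section, with
    # whitespace stripped and both sides lower-cased (sssd keys are case-insensitive).
    domain_lines=$(awk '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^[ \t]*\[/   { in_domain = ($0 ~ /^[ \t]*\[domain\//); next }
        in_domain && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print tolower(key) "=" tolower(val)
        }' "$conf")
    [ -n "$domain_lines" ] || { echo "FAIL: no [domain/...] section with settings in $conf"; return 1; }

    # The three settings step 1 adds permanently.
    for want in id_provider=ad access_provider=ad ldap_id_mapping=false; do
        if ! printf '%s\n' "$domain_lines" | grep -qx "$want"; then
            echo "FAIL: missing '$want' in the [domain/...] section of $conf"
            rc=1
        fi
    done

    # Step 6 removes enumerate = true once the native ids are verified, so only warn:
    # it is a temporary verification aid and costly on a large directory.
    if printf '%s\n' "$domain_lines" | grep -qx "enumerate=true"; then
        echo "WARN: enumerate=true still set; remove it once 'getent passwd' shows AD ids"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf maps ids from AD (ldap_id_mapping = false)"
    return "$rc"
}
```

A sensible place to call it is right before step 2, so the cache is not cleared for nothing; after step 5, comparing `getent passwd someuser` on the workstation with `id someuser` on the DC is the end-to-end confirmation that the uidNumber from AD is what both sides use.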

I am running Zentyal 5.1, providing an Active Directory service. I can successfully join machines to the domain, and I have a number of users in the domain. They all have uidNumber and gidNumber entries in their LDAP records, and these are correctly mapped to the user ID and group IDs when the user logs into any of the Domain Controllers.

The server smb.conf contains
Code:
    idmap_ldb:use rfc2307 = yes

    winbind enum users = yes
    winbind enum groups = yes
    template shell = /bin/bash
    template homedir = /home/%U

Problem: The user and group IDs that are allocated to users and groups are different when the user logs into a (non Domain Controller) machine joined to the domain.

Can anyone advise what I need to install and configure for the idmapping on the client machine to correctly use the uidNumber and gidNumber in the Active Directory?

I've followed a number of guides for enabling SSO with AD, and the official Samba guidance for idmap config ad. I can't find much documentation on how to use the idmap_ldb configuration on the client machine.


I've noticed that this question has been asked before, but apparently there isn't a solution yet?

I'm using Zentyal 5.1, configured to provide an Active Directory.

That requires that I have a DNS server authoritative for my domain ( running on the Zentyal server. This is populated with the required DNS records for the domain controller (

The true authoritative DNS server for the domain is hosted externally. All new DNS records for the domain are added to this external DNS server. For example, the A record for is hosted externally.

When I query DNS for locally, the request is passed to the DNS server running on Zentyal. The believes that it is the authoritative DNS server for the domain, and because there is no A record configured for on that DNS server, it returns an NX (not found) result.

Is there a way I can configure Zentyal / Samba / bind to forward requests for that zone to the specific external Authoritative nameserver for

