Re: [Samba] problem with linux server as domain member in samba pdc
Be sure your ldap-client with getent group and getent passwd is working for your ldap server on the member server.
Remove your member server again from your ldap-tree.
Stop samba on your member server.
Delete your secrets.tdb in /etc/samba.

My config of my member server:

security = domain
preferred master = no
local master = no
domain master = no
wins server = your.domain.server
# to be sure
ldap admin dn = cn=youradmin,dc=your,dc=domain
ldap suffix = dc=your,dc=domain
ldap group suffix = ou=yourgroups
ldap user suffix = ou=yourusers
ldap machine suffix = ou=yourmachines
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://yourldapserver
idmap uid = 1-2
idmap gid = 1-2

Then

smbpasswd -a -e root    # must be the same password as for your samba pdc
/usr/bin/net rpc join -S PDC-host-name -Uadminuid%adminpass

Then

service smb start

Working for me on any member server.

Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Allen Chen
Sent: Tuesday, 5 April 2011 23:28
To: Hervé Hénoch
Cc: samba@lists.samba.org
Subject: Re: [Samba] problem with linux server as domain member in samba pdc

Hervé Hénoch wrote:
> Hello,
>
> My problem is the following : I've a domain controller under linux
> Samba 3.5.5 with LDAP.
> I want to include a Linux Samba as domain member but I've the
> following error :
>
> _netr_ServerAuthenticate2: failed to get machine password for account
> SSCFICHIERS$: NT_STATUS_ACCESS_DENIED
>
> I've put the following in smb.conf :
>
> workgroup =
> wins server =
> password server =
> security = domain
>
> I've too configured nsswitch.conf / libnss and pam so getent
> passwd/group/shadow so is connected to the underlying ldap : this is
> ok.
>
> net rpc join is successful and I can see the entry in my ldap tree and
> the secrets.tdb file is created in /var/lib/samba.
>
> So I don't understand where the problem is ...

I have a similar installation, but works fine.
PDC: samba 3.4.5 (use source) and ldap
member server: samba-3.0.28 (comes with RHEL 5.2)

On member server, I did this:

# /usr/bin/net rpc join -S PDC-host-name -Uadminuid%adminpass
# service smb start

Can you make sure
1. there is no ldap config in smb.conf on the member server;
2. getent passwd / getent group show you the same results on PDC and member server.

Allen

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
If your windows server is ADS, and has DNS, then make the ADS servers dns to trust the dns of bind, and allow zone transfers from your windows to linux machine.
This is done with on the ADS DNS.

Louis

>-----Original Message-----
>From: muel...@tropenklinik.de [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniel Müller
>Sent: 2011-04-06 08:06
>To: 'Rick Gates'; 'Andrew Masterson'; samba@lists.samba.org; gaiseric.van...@gmail.com; mo...@monyo.com
>Subject: Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
>
>For windows ads to work you need a correct DNS-Server on your W2003 to work.
>And your samba as dns client should be able to resolve your windows ads correctly.
>With windows ads you can forget wins.
>Wins is the best solution for an old domain without ads.
>
>---
>EDV Daniel Müller
>
>-----Original Message-----
>From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Rick Gates
>Sent: Tuesday, 5 April 2011 21:03
>To: Andrew Masterson; samba@lists.samba.org; gaiseric.van...@gmail.com; mo...@monyo.com
>Subject: Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
>
>Hi Takahashi and all those in the list,
>
>>>Sometimes AD specific configuration is needed to krb5.conf.
>
>What kind of "AD specific configuration" are you talking about.
>Can you kindly elaborate?
>It may be helpful for me.
>
>>>Have you set DNS server to 10.25.66.71 and ABCDOM.PQR.COM to the search or domain directive in your /etc/resolv.conf?
>>>Can you resolve correct SRV record of the domain on your Samba server?
>
>10.25.66.71 is not my DNS server.
>In fact 10.25.66.71 is my WINS server.
Re: [Samba] researching options need advice
You need the group-policy functions served by ads? Samba4 can do that for you and emulate a real ads (w2008).

---
EDV Daniel Müller

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Aaron E.
Sent: Tuesday, 5 April 2011 19:07
To: samba@lists.samba.org
Subject: Re: [Samba] researching options need advice

Another idea I was thinking was to migrate to Windows AD then migrate to Samba4 but this seems like a long process..

Thoughts?

On 04/05/2011 11:58 AM, Aaron E. wrote:
> Our current infrastructure is Openldap back end with samba3 pdc. With
> 2003 terminal servers using poledit.exe with policies..
>
> We are in need of upgrade of our terminal servers. I cannot get the old
> way of policies to lock the server down as I need to function on Windows
> Server 2008.
>
> What are other people doing? I can't be the first one to run across this
> and can't seem to find anything substantial in googling.
>
> Advice greatly appreciated.
>
> Aaron
Re: [Samba] samba ctdb clustering with ldap backend?
Both my ldap servers run in multi master replication mode. So I think everything should be the same on both servers all the time? So it could work anyway?

---
EDV Daniel Müller

-----Original Message-----
From: jmcdo...@gmail.com [mailto:jmcdo...@gmail.com] On Behalf Of Jim McDonough
Sent: Tuesday, 5 April 2011 19:01
To: muel...@tropenklinik.de
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba ctdb clustering with ldap backend?

On Tue, Apr 5, 2011 at 3:35 AM, Daniel Müller wrote:
> I have two samba servers auth against ldap, so I use:
> idmap backend = ldap:ldap://127.0.0.1
>
> Is it possible to setup ctdb to run with a ldap backend?

I don't see why not. The point of tdb2 was to not get different uids/gids on different nodes. However, you'd need to have only one ldap server that they all use. Your current setup would not work.

> I know ctdb uses:
> idmap backend = tdb2
>

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
For windows ads to work you need a correct DNS-Server on your W2003 to work.
And your samba as dns client should be able to resolve your windows ads correctly.
With windows ads you can forget wins.
Wins is the best solution for an old domain without ads.

---
EDV Daniel Müller

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Rick Gates
Sent: Tuesday, 5 April 2011 21:03
To: Andrew Masterson; samba@lists.samba.org; gaiseric.van...@gmail.com; mo...@monyo.com
Subject: Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!

Hi Takahashi and all those in the list,

>>Sometimes AD specific configuration is needed to krb5.conf.

What kind of "AD specific configuration" are you talking about.
Can you kindly elaborate?
It may be helpful for me.

>>Have you set DNS server to 10.25.66.71 and ABCDOM.PQR.COM to the search or domain directive in your /etc/resolv.conf?
>>Can you resolve correct SRV record of the domain on your Samba server?

10.25.66.71 is not my DNS server.
In fact 10.25.66.71 is my WINS server.
I have therefore included it in smb.conf:

# /usr/local/samba/bin/testparm -sv | grep -i wins
Load smb config files from /usr/local/samba/lib/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Linux]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
name resolve order = wins host lmhost bcast
max wins ttl = 518400
min wins ttl = 21600
wins proxy = No
*wins server = 10.25.66.71*
wins support = No
wins hook =
#

However, I cannot resolve ABCDOM.PQR.COM.
It should be taken care by WINS, right?

(However, I tried defining ABCDOM.PQR.COM in /etc/hosts file.
Re: [Samba] acl_xattr access denied when adding permissions for another user
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> Dear all
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.
>
> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

If you're using ZFS (which has native NFSv4 ACLs) why not use the vfs_zfsacl module ?

Jeremy.
Re: [Samba] problem with linux server as domain member in samba pdc
Hervé Hénoch wrote:
> Hello,
>
> My problem is the following : I've a domain controller under linux
> Samba 3.5.5 with LDAP.
> I want to include a Linux Samba as domain member but I've the
> following error :
>
> _netr_ServerAuthenticate2: failed to get machine password for account
> SSCFICHIERS$: NT_STATUS_ACCESS_DENIED
>
> I've put the following in smb.conf :
>
> workgroup =
> wins server =
> password server =
> security = domain
>
> I've too configured nsswitch.conf / libnss and pam so getent
> passwd/group/shadow so is connected to the underlying ldap : this is
> ok.
>
> net rpc join is successful and I can see the entry in my ldap tree and
> the secrets.tdb file is created in /var/lib/samba.
>
> So I don't understand where the problem is ...

I have a similar installation, but works fine.
PDC: samba 3.4.5 (use source) and ldap
member server: samba-3.0.28 (comes with RHEL 5.2)

On member server, I did this:

# /usr/bin/net rpc join -S PDC-host-name -Uadminuid%adminpass
# service smb start

Can you make sure
1. there is no ldap config in smb.conf on the member server;
2. getent passwd / getent group show you the same results on PDC and member server.

Allen
Re: [Samba] Mac OS X status
On Sun, Apr 03, 2011 at 05:56:53PM +0200, Volker Lendecke wrote:
> On Mon, Apr 04, 2011 at 12:05:22AM +0900, TAKAHASHI Motonobu wrote:
> > H, maybe no one compiled Samba on Mac OS X recently...
>
> That's very obvious from your findings :-)
>
> But now that according to the rumors Apple is about to drop
> Samba, we might revitalize the effort to create a nice
> package on OS/X.

I agree. Fix up what bugs we have and ensure we have a working package with SMB2 on MacOSX for 3.6.0.

Jeremy.
Re: [Samba] Mac OS X status
> Does anyone actually use self-compiled Samba on Mac OS X ??

Better question: does anybody actually use Mac OSX for server work? If so, they're crazy IMO.

-=Andrew
Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
Hi Takahashi and all those in the list,

>>Sometimes AD specific configuration is needed to krb5.conf.

What kind of "AD specific configuration" are you talking about.
Can you kindly elaborate?
It may be helpful for me.

>>Have you set DNS server to 10.25.66.71 and ABCDOM.PQR.COM to the search or domain directive in your /etc/resolv.conf?
>>Can you resolve correct SRV record of the domain on your Samba server?

10.25.66.71 is not my DNS server.
In fact 10.25.66.71 is my WINS server.
I have therefore included it in smb.conf:

# /usr/local/samba/bin/testparm -sv | grep -i wins
Load smb config files from /usr/local/samba/lib/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Linux]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
name resolve order = wins host lmhost bcast
max wins ttl = 518400
min wins ttl = 21600
wins proxy = No
*wins server = 10.25.66.71*
wins support = No
wins hook =
#

However, I cannot resolve ABCDOM.PQR.COM.
It should be taken care by WINS, right?

(However, I tried defining ABCDOM.PQR.COM in /etc/hosts file.
and also tried setting /etc/nsswitch.conf file with the entry of:
hosts: files dns
But, nslookup would always first try DNS and return.
Had resolved similar issues with above steps successful on unix machine ...
but I am now working on a RHEL machine and I have not yet found a successful way to do this)

Any suggestions are welcome.

Regard,
Rick

On Tue, Apr 5, 2011 at 11:59 PM, Rick Gates wrote:
> Hi all,
>
> I was on a bit extended weekend .. so got delayed in responding ...
>
> To answer some of the questions:
>
> >>Is the ADS domain in "NT4 compatibility" mode or "windows 2003 native"
> mode? I think that "NT4" machines can still join ADS domains even if the
> ADS domains are in 2000/2003 mode.
>
> I am not sure about this.
> How can I find this out?
> I still will have to do some googling on this front.
Re: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
Hi all,

I was on a bit extended weekend .. so got delayed in responding ...

To answer some of the questions:

>>Is the ADS domain in "NT4 compatibility" mode or "windows 2003 native" mode? I think that "NT4" machines can still join ADS domains even if the ADS domains are in 2000/2003 mode.

I am not sure about this.
How can I find this out?
I still will have to do some googling on this front.

>> Also check
>> testparm -v | grep resolve
>> think it is better to have hosts and wins first.

I have now set the value of "name resolve order" to:

# /usr/local/samba/bin/testparm -sv | grep -i resolve
Load smb config files from /usr/local/samba/lib/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]"
Processing section "[printers]"
Processing section "[Linux]"
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
name resolve order = wins host lmhost bcast
#

I set it to WINS first because, my ADS server is a WINS server.
But, the above modifications did not work.

>>Is the ADS server your DNS server? Is the samba server using the ADS server as the DNS server? DNS should include "resource records" to help locate an ADS DC. I don't think you can have lmhosts entry for an ADS server.

My ADS server is a WINS server, not a DNS server.

>>What does your krb5.conf look like? I suspect it's having trouble finding a kdc.

My krb5.conf is as follows:

# cat /etc/krb5.conf
[libdefaults]
default_realm = ABCDOM.PQR.COM
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
ABCDOM.PQR.COM = {
kdc = 10.25.66.71 :88
admin_server = 10.25.66.71
default_domain = abcdom.pqr.com
}

[domain_realm]
.abcdom.pqr.com = ABCDOM.PQR.COM

#

Regards,
Rick

On Sat, Apr 2, 2011 at 3:22 AM, Andrew Masterson <andrew.master...@nuvistaenergy.com> wrote:
> > -----Original Message-----
> > From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> > On Behalf Of Rick Gates
> > Sent: Friday, April 01, 2011 10:00 AM
> > To: samba@lists.samba.org
> > Subject: [Samba] Unable to join to Windows 2003 PDC using samba 3.5.8 from alinux machine!!
> >
> > Hi all,
> >
> > I am using samba 3.5.8 on a linux machine.
> > I am not able to join the domain of a windows 2003 server in ADS mode.
> >
> > I am getting the following error message:
> >
> > # /usr/local/samba/bin/net ads join -U Administrator%password -I 10.25.66.71
> >
> > Failed to join domain: failed to find DC for domain ABCDOM.PQR.COM
> > #
> >
> > I am not sure what the issue here.
> > It works absolutely fine when I try to join the domain in rpc mode.
> >
> > # /usr/local/samba/bin/net rpc join -U Administrator%password
> > Joined domain ABCDOM.
> > #
> >
> > The smb.conf used is:
> >
> > # /usr/local/samba/bin/testparm
> > Load smb config files from /usr/local/samba/lib/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[homes]"
> > Processing section "[printers]"
> > Processing section "[Linux]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_MEMBER
> > Press enter to see a dump of your service definitions
> >
> > [global]
> > workgroup = ABCDOM
> > realm = ABCDOM.PQR.COM
> > server string = Samba Server - Research
> > security = ADS
> > password server = 10.25.66.71
> > log level = 10
> > log file = /var/log/samba/%m.log
> > max log size = 50
> > add user script = /usr/sbin/useradd %u
> > delete user script = /usr/sbin/userdel %u
> > add group script = /usr/sbin/groupadd %g
> > delete group script = /usr/sbin/groupdel %g
> > add user to group script = /usr/sbin/usermod -a -G %g %u
> > delete user from group script = /usr/sbin/deluser %u %g
> > add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
> > domain master = No
> > dns proxy = No
> > wins server = 10.25.66.71
> > idmap uid = 200-12
> > idmap gid = 200-12
> > admin users = root
> > cups options = raw
> >
> > [homes]
> > comment = Home Directories
> > read only = No
> > browseable = No
> >
> > [printers]
> > comment = All Printers
> > path = /usr/spool/samba
> > printable = Yes
> > browseable = No
> >
> > [Linux]
> > comment = Share on this linux machine
> > path = /tmp/linux
> > read only = No
> > #
> >
> > NOTE: 10.25.66.71 is the IP of my 2003 windows server.
> >
> > My lmhosts file is:
> >
> > # cat lmhosts.
> > 10.25.66.71 ABC3
> > 10.25.66.71 ABCDOM#1b
> > 10.25.66.71 ABCDOM#1c
> >
> > #
> >
> > It would be great, if any one can tell me if there is anything wrong here
> > and probably help me sort out this issue.
> > Thanks in advance!!
>
> What does your krb5.conf look like? I suspect it's having trouble
> finding a kdc.
>
> -
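The questions the replies in this thread keep asking (does the member use a DNS server that knows the domain, is the realm in the `search`/`domain` directive, does krb5.conf agree with smb.conf) can be checked over the three files before running `net ads join`. The following is an added example, not code from any poster or from Samba; the resolv.conf content, the 192.0.2.x addresses, the finding names and the `ad_dns_servers` parameter are assumptions, and the whitespace check on the `kdc` value is this example's own lint.

```python
import re

# Constructed inputs. The smb.conf and krb5.conf values are the ones quoted in
# the thread; the resolv.conf content and the 192.0.2.x addresses are made up.
SMB_CONF = """
[global]
    workgroup = ABCDOM
    realm = ABCDOM.PQR.COM
    security = ADS
    password server = 10.25.66.71
    wins server = 10.25.66.71
"""
KRB5_CONF = """
[libdefaults]
    default_realm = ABCDOM.PQR.COM
[realms]
    ABCDOM.PQR.COM = {
        kdc = 10.25.66.71 :88
        admin_server = 10.25.66.71
    }
"""
RESOLV_CONF = "nameserver 192.0.2.53\n"  # assumed: a resolver that does not serve the AD zone
AD_DNS_SERVERS = {"192.0.2.10"}          # assumed: the DNS server that holds the AD zone


def parse_sections(text):
    """Parse smb.conf / krb5.conf style text into {section: {key: [values]}}."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            sections.setdefault(current, {}).setdefault(key, []).append(value.strip())
    return sections


def parse_resolv(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    servers, domains = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
        elif len(parts) >= 2 and parts[0] in ("search", "domain"):
            domains.extend(p.lower().rstrip(".") for p in parts[1:])
    return servers, domains


def srv_records(realm):
    """SRV names published in AD DNS for locating a domain controller and a KDC."""
    domain = realm.lower().rstrip(".")
    return [f"_ldap._tcp.dc._msdcs.{domain}", f"_kerberos._tcp.{domain}"]


def last(mapping, key):
    """Last value given for a key, or '' when the key is absent."""
    values = mapping.get(key, [])
    return values[-1] if values else ""


def audit_ads_join(smb_text, krb5_text, resolv_text, ad_dns_servers):
    """Return (findings, srv_names_that_must_resolve) for an ADS domain member."""
    smb = parse_sections(smb_text).get("global", {})
    krb = parse_sections(krb5_text)
    realm = last(smb, "realm")
    if last(smb, "security").lower() != "ads" or not realm:
        return ["NOT_AN_ADS_MEMBER"], []
    findings = []
    servers, domains = parse_resolv(resolv_text)
    if not set(servers) & set(ad_dns_servers):
        findings.append("RESOLVER_NOT_AD_DNS")       # SRV lookups cannot succeed
    if realm.lower().rstrip(".") not in domains:
        findings.append("REALM_NOT_IN_SEARCH")       # the search/domain question in the thread
    if last(krb.get("libdefaults", {}), "default_realm") != realm.upper():
        findings.append("KRB5_REALM_MISMATCH")
    if any(re.search(r"\s", kdc) for kdc in krb.get("realms", {}).get("kdc", [])):
        findings.append("KDC_VALUE_HAS_WHITESPACE")  # expected form is host[:port]
    return findings, srv_records(realm)


if __name__ == "__main__":
    findings, records = audit_ads_join(SMB_CONF, KRB5_CONF, RESOLV_CONF, AD_DNS_SERVERS)
    print("findings:", findings)
    print("must resolve:", records)
```

A WINS server entry does not appear in any of these checks: the SRV names returned by `srv_records` are DNS records, which is why the replies point at DNS rather than WINS.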
Re: [Samba] Can't get 'dos filemode' to work as expected
On 24.03.2011 10:09, Felix Brack wrote:
> Hello,
>
> After an upgrade to samba 3.5.8 (from 3.2.5) the option 'dos filemode'
> does not seem to work anymore. If I (as a user) do not own the file I
> can't change permissions.
>
> I am user 'felix' and member of supplementary group 'Development'. To
> test things I use the following share definition:
>
> [Temp]
> path = /srv/samba/file-shares/tmp
> browseable = yes
> read only = no
> invalid users = root administrator
> delete readonly = yes
> inherit owner = yes
> force group = Development
> dos filemode = yes
>
> A 'getfacl' on /srv/samba/file-shares/tmp returns:
>
> # file: srv/samba/file-shares/tmp
> # owner: root
> # group: root
> # flags: -s-
> user::rwx
> group::r-x
> group:Development:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::r-x
> default:group:Development:rwx
> default:mask::rwx
> default:other::---
>
> From the 'smb.conf' man page concerning option 'dos filemode':
>
> ... Enabling this parameter allows a user who has write access to the
> file (by whatever means, including an ACL permission) to modify the
> permissions (including ACL) on it. ...
>
> My understanding: as a member of group 'Development' I do have write
> access to '/srv/samba/file-shares/tmp' by means of the ACL.
>
> Trying to modify permissions on a directory or file I create in that
> share does not work and reports access denied, no matter if I use
> Windows Explorer or smbclient from an other linux box.
>
> What am I misunderstanding here?
>
> Many thanks, Felix

I finally managed to write some code for my Windows box that shows the error:

#ifndef UNICODE
#define UNICODE   // select the wide-character (W) API variants for the wchar_t path
#endif
#include <windows.h>

// UNC path: \\server\share\directory
//                                          directory name --+
//                                share name --+             |
//                    server name --+          |             |
//                                  |          |             |
//                                  v          v             v
const wchar_t strFirName[]= L"\\\\JUPITER\\testshare\\test-dir";

int main(void)
{
    BOOL bRet;
    DWORD dwError;

    // create the directory
    bRet= CreateDirectory(strFirName, NULL);
    if (bRet != TRUE) {
        dwError= GetLastError();
        return -1;
    }

    // now set the file attribute of the newly created directory
    bRet= SetFileAttributes(strFirName, FILE_ATTRIBUTE_NORMAL);
    if (bRet != TRUE) {
        // dwError will be 6 (ERROR_INVALID_HANDLE) in case of failure
        dwError= GetLastError();
        return -1;
    }
    return 0;
}

That's it! Creating a directory and then manipulating the attributes. The server path to the share is /srv/samba/file-shares/testshare. The code above fails while setting the attribute if the user (felix) connecting to the samba share is _not_ the owner (root) of /srv/samba/file-shares/testshare.

'getfacl /srv/samba/file-shares/testshare' returns:

# file: srv/samba/file-shares/testshare
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:Development:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Development:rwx
default:mask::rwx
default:other::---

If I type 'chown felix:root /srv/samba/file-shares/testshare' on the samba server and then execute the code above, everything is fine.

'getfacl /srv/samba/file-shares/testshare' returns:

# file: srv/samba/file-shares/testshare
# owner: felix
# group: root
# flags: -s-
user::rwx
group::rwx
group:Development:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:Development:rwx
default:mask::rwx
default:other::---

As already stated 'felix' is member of group 'Development'.

Can somebody confirm that the code above works in case the user connecting to the share is _not_ owning the share?

Felix
Re: [Samba] researching options need advice
Another idea I was thinking of was to migrate to Windows AD and then migrate to Samba4, but this seems like a long process. Thoughts?

On 04/05/2011 11:58 AM, Aaron E. wrote:
> Our current infrastructure is Openldap back end with samba3 pdc. With 2003 terminal servers. Using poledit.exe with policies.
>
> We are in need of upgrade of our terminal servers. I cannot get the old way of policies to lock the server down as I need to function on Windows Server 2008.
>
> What are other people doing? I can't be the first one to run across this and can't seem to find anything substantial in googling.
>
> Advice greatly appreciated.
>
> Aaron
Re: [Samba] samba ctdb clustering with ldap backend?
On Tue, Apr 5, 2011 at 3:35 AM, Daniel Müller wrote:
> I have two samba servers auth against ldap, so I use:
> idmap backend = ldap:ldap://127.0.0.1
>
> Is it possible to setup ctdb to run with a ldap backend?

I don't see why not. The point of tdb2 was to not get different uids/gids on different nodes. However, you'd need to have only one ldap server that they all use. Your current setup would not work.

> I know ctdb uses:
> idmap backend = tdb2
>

--
Jim McDonough
Samba Team
SUSE labs
jmcd at samba dot org
jmcd at themcdonoughs dot org
[Samba] researching options need advice
Our current infrastructure is Openldap back end with samba3 pdc. With 2003 terminal servers. Using poledit.exe with policies.

We are in need of upgrade of our terminal servers. I cannot get the old way of policies to lock the server down as I need to function on Windows Server 2008.

What are other people doing? I can't be the first one to run across this and can't seem to find anything substantial in googling.

Advice greatly appreciated.

Aaron
Re: [Samba] acl_xattr access denied when adding permissions for another user
A quick addition:

>> Does "acl_xattr : ignore system acls" help?
>
> acl_xattr: ignore system acls = yes
>
>
> I added
>
> acl_xattr: ignore system acls = yes
>
> but it makes things worse as I cannot even grant myself (the authenticated
> user) full access anymore even though I already have the full rights inherited

Seems that behavior was an artifact. I cleaned out the directories and started from scratch. Now I'm back to the original problem. I can manipulate my own rights but not add another user. Setting "acl_xattr : ignore system acls" doesn't change things.

Sorry for the confusion

Thomas
Re: [Samba] acl_xattr access denied when adding permissions for another user
On 04/05/2011 01:02 PM, Volker Lendecke wrote:
> On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
>> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS We got the
>> impression that the VFS module acl_xattr provides the best way
>> of keeping Windows ACLs. We don't have concurrent NFS or local users
>> so it's Windows only.
>
> ZFS does NFSv4 ACLs which are quite close, albeit not
> perfect. There's a zfs_acl module for Solaris, you might
> also give that a try.

We have used that with another server for quite a while by now. It usually does a great job but in rare cases, reason unknown, either the module or the OS is messing up ACLs. I have to confess this is one of the real old Sun Samba (3.0.3?) versions and I haven't tried the latest. The only hint I got is that the problem occurs mostly with moving folders or accesses by Microsoft Office tools.

>> The clients as well as the Samba server are members of an AD domain.
>> Creating files/directories works as expected and also manipulating
>> permissions for the initial user/group does not raise any problem.
>> Trying to add permissions for an additional user (looked up in AD)
>> fails with the Windows XP client side "permission denied" pop-up box.
>
> Does "acl_xattr : ignore system acls" help?

acl_xattr: ignore system acls = yes

I added

acl_xattr: ignore system acls = yes

but it makes things worse as I cannot even grant myself (the authenticated user) full access anymore even though I already have the full rights inherited.

Is there any additional data I can provide?

Thomas
Re: [Samba] FW: ACL Lost and unable to set rights from explorer (xp)
OK, I'm going to try this.
Are there new settings needed for acl compared to 3.2.4 and 3.5.6?

Louis

>-----Original message-----
>From: ac...@integrafin.co.uk
>[mailto:samba-boun...@lists.samba.org] On behalf of Alex Crow
>Sent: 2011-04-05 14:20
>To: samba@lists.samba.org
>Subject: Re: [Samba] FW: ACL Lost and unable to set rights
>from explorer (xp)
>
>On 03/04/11 21:28, L.P.H. van Belle wrote:
>> Lol, yes the same typo here, but it's corrected in my
>smb.conf and tested it.
>> ( my english is not that good )
>>
>> Now only my main problem, why I can't set my rights any more.
>> checked everything, fstab is ok, acl and user_xattr,
>> rights on folders, checked also from console.
>> I'm lost in this one. I must fix it because it is on my PDC.
>>
>> so if someone has any ideas, please throw them at me. ;-)
>>
>> Louis
>>
>>
>
>I have seen this too. I found the only way to consistently set
>ACLs and
>avoid this is to do it from the Linux side. You may however
>try removing
>all the acls (using setfacl -b) and then trying to add them
>from Windows
>again.
>
>Cheers
>
>Alex
Re: [Samba] FW: ACL Lost and unable to set rights from explorer (xp)
On 03/04/11 21:28, L.P.H. van Belle wrote:
> Lol, yes the same typo here, but it's corrected in my smb.conf and tested it.
> ( my english is not that good )
>
> Now only my main problem, why I can't set my rights any more.
> checked everything, fstab is ok, acl and user_xattr,
> rights on folders, checked also from console.
> I'm lost in this one. I must fix it because it is on my PDC.
>
> so if someone has any ideas, please throw them at me. ;-)
>
> Louis

I have seen this too. I found the only way to consistently set ACLs and avoid this is to do it from the Linux side. You may however try removing all the acls (using setfacl -b) and then trying to add them from Windows again.

Cheers

Alex
[Samba] problem with linux server as domain member in samba pdc
Hello,

My problem is the following: I've a domain controller under linux Samba 3.5.5 with LDAP. I want to include a Linux Samba as domain member but I've the following error:

    _netr_ServerAuthenticate2: failed to get machine password for account SSCFICHIERS$: NT_STATUS_ACCESS_DENIED

I've put the following in smb.conf:

    workgroup =
    wins server =
    password server =
    security = domain

I've also configured nsswitch.conf / libnss and pam so that getent passwd/group/shadow is connected to the underlying ldap: this is ok.

net rpc join is successful and I can see the entry in my ldap tree and the secrets.tdb file is created in /var/lib/samba.

So I don't understand where the problem is ...

Help appreciated

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Phone: 04.90.27.57.44
E-mail: h.hen...@isc84.org
Re: [Samba] acl_xattr access denied when adding permissions for another user
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.

ZFS does NFSv4 ACLs which are quite close, albeit not perfect. There's a zfs_acl module for Solaris, you might also give that a try.

> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

Does "acl_xattr : ignore system acls" help?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
[Samba] acl_xattr access denied when adding permissions for another user
Dear all

We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the impression that the VFS module acl_xattr provides the best way of keeping Windows ACLs. We don't have concurrent NFS or local users so it's Windows only.

The clients as well as the Samba server are members of an AD domain. Creating files/directories works as expected and also manipulating permissions for the initial user/group does not raise any problem. Trying to add permissions for an additional user (looked up in AD) fails with the Windows XP client side "permission denied" pop-up box.

The share's config:

    [EA]
    # public fileserver share
    path = /smb/X
    comment= xattr ACL Test
    public = no
    writable = yes
    browseable = yes
    vfs objects= acl_xattr
    inherit permissions= yes
    inherit acls = yes

On the server side the relevant parts of the logfile are

    [2011/04/05 12:18:16.331704, 2] lib/access.c:406(check_access)
      Allowed connection from (x.x.x.x)
    [2011/04/05 12:18:16.335694, 3] smbd/vfs.c:97(vfs_init_default)
      Initialising default vfs hooks
    [2011/04/05 12:18:16.335737, 5] smbd/vfs.c:87(smb_register_vfs)
      Successfully added vfs backend '/[Default VFS]/'
    [2011/04/05 12:18:16.335779, 5] smbd/vfs.c:87(smb_register_vfs)
      Successfully added vfs backend 'solarisacl'
    [2011/04/05 12:18:16.335802, 3] smbd/vfs.c:122(vfs_init_custom)
      Initialising custom vfs hooks from [/[Default VFS]/]
      Successfully loaded vfs module [/[Default VFS]/] with the new modules system
    [2011/04/05 12:18:16.335838, 3] smbd/vfs.c:122(vfs_init_custom)
      Initialising custom vfs hooks from [acl_xattr]
    [2011/04/05 12:18:16.335862, 5] smbd/vfs.c:162(vfs_init_custom)
      vfs module [acl_xattr] not loaded - trying to load...
    [2011/04/05 12:18:16.336548, 2] lib/module.c:64(do_smb_load_module)
      Module '/smb/sw/lib/vfs/acl_xattr.so' loaded
    [2011/04/05 12:18:16.336591, 5] smbd/vfs.c:87(smb_register_vfs)
      Successfully added vfs backend 'acl_xattr'
      Successfully loaded vfs module [acl_xattr] with the new modules system
    [2011/04/05 12:18:16.336945, 2] modules/vfs_acl_xattr.c:193(connect_acl_xattr)
      connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service EA
    [2011/04/05 12:18:16.337787, 1] smbd/service.c:1070(make_connection_snum)
      x.x.x.x (x.x.x.x) connect to service EA initially as user nau (uid=1, gid=1) (pid 23491)
    ...
    [2011/04/05 12:18:16.348517, 3] smbd/vfs.c:1038(check_reduced_name)
      check_reduced_name: D reduced to /smb/X/D
    [2011/04/05 12:18:16.350387, 5] smbd/posix_acls.c:1191(unpack_nt_owners)
      unpack_nt_owners: validating owner_sids.
    [2011/04/05 12:18:16.350434, 5] smbd/posix_acls.c:1238(unpack_nt_owners)
      unpack_nt_owners: owner_sids validated.
    [2011/04/05 12:18:16.351005, 2] smbd/posix_acls.c:2903(set_canon_ace_list)
      set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation not applicable).
    [2011/04/05 12:18:16.351086, 3] smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
      convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert to posix perms.
    [2011/04/05 12:18:16.351114, 3] smbd/posix_acls.c:4109(set_nt_acl)
      set_nt_acl: failed to convert file acl to posix permissions for file D.
    [2011/04/05 12:18:20.872901, 1] smbd/service.c:1251(close_cnum)
      134.60.1.35 (134.60.1.35) closed connection to service EA

So why do I need POSIX ACLs at all?

Any hints are greatly appreciated!

Thomas
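The three posix_acls.c entries in the log excerpt above are the ones that explain the client-side "permission denied". The following Python sketch is an added example, not part of the original post or of Samba: it groups smbd log lines into entries and returns the failed ACL operations. The function names and the failure pattern are assumptions chosen for this excerpt, and the sample text is constructed from four of its entries.

```python
import re

# Constructed sample: four entries taken from the log excerpt in the post,
# laid out as a header line followed by an indented message line.
SAMPLE_LOG = """\
[2011/04/05 12:18:16.350434, 5] smbd/posix_acls.c:1238(unpack_nt_owners)
  unpack_nt_owners: owner_sids validated.
[2011/04/05 12:18:16.351005, 2] smbd/posix_acls.c:2903(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation not applicable).
[2011/04/05 12:18:16.351086, 3] smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert to posix perms.
[2011/04/05 12:18:16.351114, 3] smbd/posix_acls.c:4109(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file D.
"""

# Header: [timestamp, debuglevel] source.c:line(function), optional inline text
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w/.]+):(?P<line>\d+)\((?P<func>\w+)\)\s*(?P<rest>.*)$")
# Assumed failure markers, taken from the wording of the messages in this log
FAILURE = re.compile(r"\bfailed\b|Too many ACE entries", re.IGNORECASE)

def parse_entries(text):
    """Group an smbd log into entries: one header plus its message lines."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["msg"] = entry.pop("rest").strip()
            entries.append(entry)
        elif entries and raw.strip():
            # Continuation line: belongs to the most recent header
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def acl_failures(text, source="smbd/posix_acls.c"):
    """Return (timestamp, function, message) for failed ACL operations."""
    return [(e["ts"], e["func"], e["msg"]) for e in parse_entries(text)
            if e["src"] == source and FAILURE.search(e["msg"])]

if __name__ == "__main__":
    for ts, func, msg in acl_failures(SAMPLE_LOG):
        print(ts, func, msg, sep=" | ")
```

The header pattern also accepts an entry whose message sits on the same line as the header, so log text that has lost its line breaks between header and message still parses.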
[Samba] samba ctdb clustering with ldap backend?
Dear all,

I have two samba servers auth against ldap, so I use:

    idmap backend = ldap:ldap://127.0.0.1

Is it possible to setup ctdb to run with a ldap backend? I know ctdb uses:

    idmap backend = tdb2

Any suggestions?

Greetings
Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
[Samba] [HELP] Samba with myob trouble
Take Off

    [hfs_acc]
    oplocks = no
    locking = no
    level2 oplocks = no