Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-25 Thread vagy
On Tue, 26 Feb 2013 02:15:33 +0200, TAKAHASHI Motonobu wrote:

> From: vagy
> Date: Mon, 25 Feb 2013 23:20:31 +0200
>
>> On Mon, 25 Feb 2013 17:40:32 +0200, TAKAHASHI Motonobu
>> wrote:
>>
>> looking the SAMBA docs[1] i realized that remote browse sync
>> means that an LMB will sync its browse list with another
>> LMB. Thus this "trick" will allow two LMBs to find out
>> the lists of each other. There is no DMB mentioned in
>> this process.
>
> At first I believed that was true...
>
>> Btw how did you examine it? Did you setup a test lab
>> that implements the setup as i described it?
>
> - Setup 2 subnets connected via a router
> - Setup 2 Samba box in each subnet, each smb.conf is like
>
> -
> [global]
>   workgroup = SAMBAxx
>   domain master = yes
>   wins support = yes
>   remote browse sync = x.x.x.x
> --
>
> - x.x.x.x means the IP address of another peer.
> - SAMBAxx means the unique workgroup name (for example SAMBA01 and SAMBA02)
>
> Then, each Samba box exchanges its browse list.
>
> ---
> TAKAHASHI Motonobu  / @damemonyo
>    facebook.com/takahashi.motonobu

Hi Takahashi,

that's very interesting and is a fallback scenario in case
samba4WINS doesn't work. Maybe the need for a DMB comes
from the fact that you used two different workgroups?
What if workgroup=SAME in both smb.conf?

Cheers,
- vagy
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 MX Record Entry

2013-02-25 Thread Amitay Isaacs
Hi Vijay,

On Mon, Feb 18, 2013 at 5:23 PM, Vijay Thakur  wrote:

> Hi Samba Experts,
>
> I want to configure my Zimbra server with samba4 DNS Server and
> authentication. When i am trying to
> add MX record for my E-mail server (zimbra), i getting the below mentioned
> error:
>
> [root@sso bin]# ./samba-tool dns add dc loop.os zimbra MX 'zimbra.loop.os
> 10'
> ERROR(runtime): uncaught exception - (-1073741772,
> 'NT_STATUS_OBJECT_NAME_NOT_FOUND')
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py",
> line 1042, in run
> dns_conn = dns_connect(server, self.lp, self.creds)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py",
> line 37, in dns_connect
> dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
>
>
> Is there something wrong with my Samba4 AD DC setup.
> Kindly help me.
>

Do you really want to add MX record for zimbra.loop.os pointing to itself?
Usually you would add MX record for the domain (e.g. loop.os) and point to
zimbra.loop.os.


Amitay.


Re: [Samba] dns zone type (primary,ad integrated)

2013-02-25 Thread Amitay Isaacs
Hi Peter,

On Mon, Feb 25, 2013 at 9:53 PM, Peter Beck  wrote:

> hi guys,
>
> is there a possibility to change dns zone options with samba-tool ?
>
> if I create a zone with samba-tool on the Windows Dc, I need to set
> "--client-version=w2k", otherwise the command fails. But with that
> option I get a primary zone (not ad integrated) on the Windows server.
> I know it's possible to change that manually, but if there is an option
> to fix that with samba-tool, i would prefer samba-tool to manage.
>

What windows version are you running on windows DC? Depending on the
windows version you will have to choose the --client-version.


> The same command (without --client-version) against the samba-server
> works and creates an Active-Directory-integrated zone. Is this by design ?
>

The default method for creating DNS zone for samba4 is in AD (using DNS
partitions).  Also Samba can understand various --client-version levels.


> Or in other words:
> does it matter if the zone is created on the samba server ?
> as it is ad-integrated it gets replicated anyway, or am I wrong ?
>
> I am using samba-internal dns.
>

Samba-tool dns command is used to manipulate DNS zones in AD and those
zones will be replicated to other DCs.



> Regards
> Peter
>
>
Amitay.


Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-25 Thread TAKAHASHI Motonobu
From: vagy 
Date: Mon, 25 Feb 2013 23:20:31 +0200

> On Mon, 25 Feb 2013 17:40:32 +0200, TAKAHASHI Motonobu 
> wrote:
> 
> looking the SAMBA docs[1] i realized that remote browse sync
> means that an LMB will sync its browse list with another
> LMB. Thus this "trick" will allow two LMBs to find out
> the lists of each other. There is no DMB mentioned in
> this process.

At first I believed that was true...

> Btw how did you examine it? Did you setup a test lab
> that implements the setup as i described it?

- Setup 2 subnets connected via a router
- Setup 2 Samba box in each subnet, each smb.conf is like

-
[global]
  workgroup = SAMBAxx
  domain master = yes
  wins support = yes
  remote browse sync = x.x.x.x
--

- x.x.x.x means the IP address of another peer.
- SAMBAxx means the unique workgroup name (for example SAMBA01 and SAMBA02)

Then, each Samba box exchanges its browse list.

---
TAKAHASHI Motonobu  / @damemonyo
   facebook.com/takahashi.motonobu


[Samba] Samba 4, DHCP and Bind

2013-02-25 Thread Scott Whitten
Hi All,

I'm trying to integrate Samba 4 DHCPD and Bind 9.9 into a complete solution.

I'm using the BIND/Samba 4 DLZ plugin.

DHCP by itself works and hands out IP addresses.

What I would like to have happen is the following:
- PC is joined to the Samba 4 domain (this works)
- PC gets an IP via DHCPD
- DHCP or the PC registers the IP in BIND

Network PC's should resolve cleanly when pinging pc01.office.local

My logs are full of messages along the lines of:
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on
zone office.local
Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781:
update 'office.local/IN' denied
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction
on zone office.local

Clearly I'm missing something but not sure what exactly.

Thanks for any suggestions you might have.

For reference... here are my various config files:
==
smb.conf
---
# Global parameters
[global]
server role = active directory domain controller
workgroup = OFFICE
interfaces = eth0
bind interfaces only = yes
realm = office.local
netbios name = KNOTTYPINE
passdb backend = samba4
idmap_ldb:use rfc2307 = yes
allow dns updates = True

[netlogon]
path = /usr/local/samba/var/locks/sysvol/office.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[IPC$]
path = /tmp
read only = No

[Data]
path = /u0/sambashares/data
read only = no
==
ddns-update-style ad-hoc;
allow unknown-clients;

subnet 192.168.65.0 netmask 255.255.255.0 {

# --- default gateway
option routers  192.168.65.1;
option subnet-mask  255.255.255.0;

option domain-name  "office.local";
option domain-name-servers  192.168.65.2;

option netbios-name-servers 192.168.65.2;
option netbios-node-type 2;

default-lease-time 21600;
max-lease-time 43200;
allow unknown-clients;

range 192.168.65.100 192.168.65.150;
}
==

//
// sample BIND configuration file
//
acl mynet {
192.168.65.0/24;
127.0.0.1;
};

options {
  listen-on { 127.0.0.1; 192.168.65.0/24; };
  allow-query { 192.168.65.0/24; localhost; };
  allow-recursion { 192.168.65.0/24; localhost; };
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  forwarders {8.8.8.8;};
};

// Where the localhost hostname is defined
zone "localhost" IN {
  type master;
  file "/etc/namedb/zone.localhost";
  allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "0.0.127.in-addr.arpa" IN {
  type master;
  file "/etc/namedb/revp.127.0.0";
  allow-update { none; };
};

zone "65.168.192.in-addr.arpa" {
type master;
file "/etc/namedb/192.168.65.0.rev";
allow-query {
mynet;
};
allow-transfer {
mynet;
};
allow-update {
mynet;
};
};

include "/usr/local/samba/private/named.conf";
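As an added example (not part of the post above and not code from the Samba or BIND projects), this Python sketch unwraps the `named` log excerpt quoted in the post, counts denied dynamic updates per client and zone, and notes whether each denial fell inside a `samba_dlz` transaction on the same zone. The function names and the threshold are assumptions made for the illustration.

```python
import re
from collections import Counter

# Log excerpt from the post, wrapped the way the mail client wrapped it.
SAMPLE_LOG = """\
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on
zone office.local
Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781:
update 'office.local/IN' denied
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction
on zone office.local
"""

STAMP = r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}"
RECORD = re.compile(
    r"^(?P<ts>" + STAMP + r")\s(?P<host>\S+)\snamed\[\d+\]:\s(?P<msg>.*)$")
DENIED = re.compile(
    r"^client (?P<ip>[0-9A-Fa-f.:]+)#\d+: update '(?P<zone>[^/']+)/\w+' denied$")
DLZ_TXN = re.compile(
    r"^samba_dlz: (?P<action>\w+) transaction on zone (?P<zone>\S+)$")


def unwrap(text):
    """Join continuation lines (no leading syslog timestamp) onto their record."""
    starts = re.compile("^" + STAMP + r"\s")
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if starts.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_events(text):
    """Return the denied-update and samba_dlz transaction events, in log order."""
    events = []
    for record in unwrap(text):
        rec = RECORD.match(record)
        if not rec:
            continue
        denied = DENIED.match(rec.group("msg"))
        txn = DLZ_TXN.match(rec.group("msg"))
        if denied:
            events.append({"kind": "denied", "ts": rec.group("ts"),
                           "client": denied.group("ip"),
                           "zone": denied.group("zone")})
        elif txn:
            events.append({"kind": "txn", "ts": rec.group("ts"),
                           "action": txn.group("action"),
                           "zone": txn.group("zone")})
    return events


def summarize(events):
    """Count denials per (client, zone) and how many sat inside a DLZ transaction."""
    open_zones = set()
    denied, inside_txn = Counter(), Counter()
    for ev in events:
        if ev["kind"] == "txn":
            # "starting" opens a transaction; any other action closes it.
            if ev["action"] == "starting":
                open_zones.add(ev["zone"])
            else:
                open_zones.discard(ev["zone"])
            continue
        key = (ev["client"], ev["zone"])
        denied[key] += 1
        if ev["zone"] in open_zones:
            inside_txn[key] += 1
    return denied, inside_txn


def clients_over_threshold(denied, threshold=5):
    """(client, zone) pairs with at least `threshold` denials (assumed cut-off)."""
    return sorted(key for key, count in denied.items() if count >= threshold)


if __name__ == "__main__":
    denied, inside = summarize(parse_events(SAMPLE_LOG))
    for (client, zone), count in denied.items():
        print(f"{client} -> {zone}: {count} denied, "
              f"{inside[(client, zone)]} inside a samba_dlz transaction")
```
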


[Samba] Print Support Samba4

2013-02-25 Thread Mike Ray
Hey all, 

One of the last pieces to be put in place before my site goes live on Samba4 
as AD is printer support. Now I've seen 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Step_13:_Setup_a_Printer_share
 and at one point had Group Policy that was deploying a printer on CUPS using 
AD authentication/Samba shares. However, we found out that when Windows 
machines printed to this printer, it was bypassing CUPS, i.e. jobs weren't in 
CUPS logs, and in fact, CUPS could be off and it would still print. Since it 
appeared these machines were printing directly to the printer, we are worried 
about what happens when a bad/large job is sent and the printer becomes 
unresponsive -- without the machines going through CUPS we fear we won't be 
able to manage/maintain the printer. 

So to anyone who has set up printers with Samba4, what method/route did you 
elect? Additionally, a pointer to documentation (I haven't found anything 
great) would be most appreciated. 

Thanks much, 



Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-25 Thread vagy
On Mon, 25 Feb 2013 17:40:32 +0200, TAKAHASHI Motonobu wrote:

> From: vagy
> Date: Sun, 24 Feb 2013 18:28:03 +0200
>
>> On Sun, 24 Feb 2013 17:36:56 +0200, TAKAHASHI Motonobu
>> wrote:
>>
>>> From: vagy
>>> Date: Sun, 24 Feb 2013 13:34:37 +0200
>>>
>>>> i am about to implement cross subnet browsing/sharing
>>>> and I was wondering if the following configuration
>>>> would do it, so i would like your opinion:
>>>>
>>>> 1. There are two subnets separated by a simple router (no firewalls)
>>>>
>>>> 2. Each subnet will have a mixture of Win7/WinXP and Linux hosts.
>>>>
>>>> 3. Each subnet will have its own Samba3 LMB (but not DMB)
>>>> and its own samba4WINS server. Each client host in each subnet
>>>> will be DHCP configured with their respective WINS server.
>>>> The LMB will also be configured to use the samba4WINS server.
>>>>
>>>> 4. The two samba3 LMB servers will "remote browse sync" with each other.
>>>> Thats how the browse lists will be exchanged.
>>>>
>>>> 5. The two samba4WINS servers will replicate with each other.
>>>> Thats how the host names will be exchanged.
>>>>
>>>> Do you think that will turn out to be a working configuration?
>>>
>>> As far as I examined, "remote browse sync" did not work as I expected.
>>> Sample smb.conf that I examined the behavior is:
>>>
>>> -
>>> [global]
>>>   workgroup = SAMBAxx
>>>   domain master = yes
>>>   wins support = yes
>>>   remote browse sync = x.x.x.x
>>> -
>>>
>>> Samba has to be WINS server and DMB.
>>
>> I don't have much experience with these settings myself.
>> Nevertheless, i think "domain master = yes" and "remote browse sync"
>> shouldn't be used together.
>
> The smb.conf above is the only one which works well as far as I examined.
> "domain master = yes" is needed because "remote browse sync = yes" uses
> master browser announcement to search another peer.
>
> Of course, I think this implementation is a bit curious...
>
> ---
> TAKAHASHI Motonobu  / @damemonyo
>    facebook.com/takahashi.motonobu


Hi Takahashi,

looking the SAMBA docs[1] i realized that remote browse sync
means that an LMB will sync its browse list with another
LMB. Thus this "trick" will allow two LMBs to find out
the lists of each other. There is no DMB mentioned in
this process.
Btw how did you examine it? Did you setup a test lab
that implements the setup as i described it?

Cheers,
-vagy

[1]  
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html

(search for "Use of the Remote Browse Sync Parameter")


Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-25 Thread vagy

On Mon, 25 Feb 2013 09:06:50 +0200, Daniel Müller wrote:

> NO, you do not need remote browse sync if you have samba4wins working.
> And you need only following to make it work in your LMB smb.conf
> wins server = your.samba4wins.host
> If your samba4wins is on the same host as your LMB, put this in your
> samba4wins
> Samba4wins.conf:
> bind interfaces only=yes
> interfaces=your.samba4wins.ip (suggestion use a virt ip not used by samba)
>
> nbtd:disable_broadcast=yes
> wins server=your.samba4wins.ip
>
> In your windows clients network configuration  set wins1 your first
> samba4wins and wins2 the second samba4wins.
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of TAKAHASHI Motonobu
> Sent: Sunday, 24 February 2013 16:37
> To: v...@freemail.gr
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS
>
> From: vagy
> Date: Sun, 24 Feb 2013 13:34:37 +0200
>
>> i am about to implement cross subnet browsing/sharing and I was
>> wondering if the following configuration would do it, so i would like
>> your opinion:
>>
>> 1. There are two subnets separated by a simple router (no firewalls)
>>
>> 2. Each subnet will have a mixture of Win7/WinXP and Linux hosts.
>>
>> 3. Each subnet will have its own Samba3 LMB (but not DMB) and its own
>> samba4WINS server. Each client host in each subnet will be DHCP
>> configured with their respective WINS server.
>> The LMB will also be configured to use the samba4WINS server.
>>
>> 4. The two samba3 LMB servers will "remote browse sync" with each other.
>> Thats how the browse lists will be exchanged.
>>
>> 5. The two samba4WINS servers will replicate with each other.
>> Thats how the host names will be exchanged.
>>
>> Do you think that will turn out to be a working configuration?
>
> As far as I examined, "remote browse sync" did not work as I expected.
> Sample smb.conf that I examined the behavior is:
>
> -
> [global]
>   workgroup = SAMBAxx
>   domain master = yes
>   wins support = yes
>   remote browse sync = x.x.x.x
> -
>
> Samba has to be WINS server and DMB.
>
> ---
> TAKAHASHI Motonobu  / @damemonyo
>    facebook.com/takahashi.motonobu



Hi Daniel,

do you mean that since there is gonna
be a samba4WINS in each subnet, the browse lists
  from each subnet will get exchanged
between the two samba4WINS, so there is no need
for the two LMBs (my 4. point) to "remote browse sync"
between them? I had the impression that WINS servers
just map NETBIOS names to IP addresses and that WINS
clients just resolve names through them, at least according to
http://technet.microsoft.com/en-us/library/cc775524(v=ws.10).aspx ,
there is no mention there about the browse lists.
Can you please elaborate?

Cheers,
- vagy

Re: [Samba] Samba AD DC with BIND DNS on separate server

2013-02-25 Thread Gregory Sloop
LL> I see from the documentation that it is possible to use BIND9 as
LL> a drop-in replacement for the internal SAMBA4 DNS service...

LL> However, I would like to know if I can keep the BIND9 DNS server
LL> on a separate server from the one that SAMBA4 is running on (AD DC).

LL> If this is possible, how would one go about achieving this?

LL> I've got an existing DNS infrastructure that I do not necessarily change in
LL> a big way...

LL> Thank You!

A thought. How about creating your domain as a subdomain of your
current DNS domain. Something like samba.some-domain.com - where
some-domain.com is the main domain you've got in BIND9.

Then, delegate only that subdomain to Samba4 and have the Samba server
forward queries for anything outside samba.some-domain.com to the
BIND9 server.

This gives you most of what you want: Not having to change the BIND9
server, as well as leave the internal nameserver in Samba4. [They're
both happy and all works fine (I think)]

I know that doesn't answer your direct question, but perhaps it
offers a fuller view of what the options that might work are.

-Greg



[Samba] Samba AD DC with BIND DNS on separate server

2013-02-25 Thread Luc Lalonde
Hello Folks,

I see from the documentation that it is possible to use BIND9 as a drop-in 
replacement for the internal SAMBA4 DNS service...

However, I would like to know if I can keep the BIND9 DNS server on a separate 
server from the one that SAMBA4 is running on (AD DC).

If this is possible, how would one go about achieving this?

I've got an existing DNS infrastructure that I do not necessarily change in a 
big way... 

Thank You!

-- 
Luc Lalonde, analyst
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

Re: [Samba] smb2 vs. NT1

2013-02-25 Thread Papp Tamas

On 02/25/2013 07:29 PM, Jeremy Allison wrote:

> On Mon, Feb 25, 2013 at 09:38:51AM +0100, Papp Tamas wrote:
>> hi All,
>>
>> We have a glusterfs cluster with 5 nodes on Ubuntu 12.04 amd64.
>> We use this smb.conf:
>>
>> [global]
>> socket options =  IPTOS_THROUGHPUT TCP_NODELAY IPTOS_LOWDELAY
>> SO_SNDBUF=131072 SO_RCVBUF=131072
>
> Remove the above line. It's pure voodoo. Don't second
> guess the kernel w.r.t. socket options.

It seems, you're right. However in this case the documentation in default
smb.conf is wrong.

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
#   socket options = TCP_NODELAY

Now this is the config:

[global]
read raw = yes
server string = %h
write raw = yes
max xmit = 131072
dead time = 15
getwd cache = yes
use sendfile=yes
block size = 131072
load printers = no
wins support = no
local master = no
wins server = 192.168.3.7
veto files = /.AppleDouble/
delete veto files = yes
hide dot files = yes
printing = BSD
max protocol = SMB2
min protocol = SMB2

[projects]
path = /W/Projects
browseable = yes
public = yes
guest ok = yes
read only = no
force user = user
force group = user

And it's much better now:)

> That will be due to the async requests that the Windows SMB2
> redirector uses much more than the SMB1 redirector.

>> This is from man page:
>>
>> NT1: Current up to date version of the protocol. Used by Windows NT. Known as
>> CIFS.
>> SMB2: Re-implementation of the SMB protocol. Used by Windows Vista
>> and newer. The Samba implementation of SMB2 is currently marked
>> experimental!
>
> SMB2 in Samba is fully supported from Samba 3.6.0 onwards.
> It was "experimental" (read, didn't really work :-) in
> 3.5.x and below.

OK, thanks for the answer and thanks so much for the tuning tips.
Every single samba tuning guide starts with that options!

Cheers,
tamas


[Samba] Share permission problem

2013-02-25 Thread felix
I have a samba 3.5.6 joined to my samba AD.

I set this share:


[Nodo$]
path = /media/almacen/Admin/Windows/
read only = yes
valid users = @EPEPM + epepm_nodo


From Windows XP only users from this group epepm_nodo are allowed. But
when I try from Windows 7 any user is granted access to this share.

Any help will be really appreciated.

Felix.






Re: [Samba] smb2 vs. NT1

2013-02-25 Thread Jeremy Allison
On Mon, Feb 25, 2013 at 09:38:51AM +0100, Papp Tamas wrote:
> hi All,
> 
> 
> We have a glusterfs cluster with 5 nodes on Ubuntu 12.04 amd64.
> We use this smb.conf:
> 
> [global]
>   socket options =  IPTOS_THROUGHPUT TCP_NODELAY IPTOS_LOWDELAY 
> SO_SNDBUF=131072 SO_RCVBUF=131072

Remove the above line. It's pure voodoo. Don't second
guess the kernel w.r.t. socket options.

>   read raw = yes
>   server string = %h
>   write raw = yes
>   #oplocks = yes
>   max xmit = 131072
>   dead time = 15
>   getwd cache = yes
>   use sendfile=yes
>   block size = 131072
>   load printers = no
>   aio read size = 16384
>   aio write size = 16384
>   aio write behind = /*.*/
>   wins support = no
>   local master = no
>   wins server = 192.168.3.7
>   veto files = /.AppleDouble/
>   delete veto files = yes
>   hide dot files = yes
>   printing = BSD
>   max protocol = SMB2
>   min protocol = SMB2
> 
> [projects]
>   path = /W/Projects
>   browseable = yes
>   public = yes
>   guest ok = yes
>   read only = no
>   force user = user
>   force group = user
> 
> 
> 
> The speed is fine with this configuration, around 100Mbyte/s. If I
> change protocol to NT1, the speed drops to around 50Mbyte/s.

That will be due to the async requests that the Windows SMB2
redirector uses much more than the SMB1 redirector.

> This is from man page:
> 
> NT1: Current up to date version of the protocol. Used by Windows NT. Known as 
> CIFS.
> SMB2: Re-implementation of the SMB protocol. Used by Windows Vista
> and newer. The Samba implementation of SMB2 is currently marked
> experimental!

SMB2 in Samba is fully supported from Samba 3.6.0 onwards.
It was "experimental" (read, didn't really work :-) in
3.5.x and below.

Jeremy.


Re: [Samba] samba + nfs locking doesn't work

2013-02-25 Thread Vincenzo De Sanctis
is CTDB the solution?

2013/2/25 Vincenzo De Sanctis :
> this is the case:
>
> serverA [ CentOs 5.6 kernel 2.6.18-238.12.1.el5.centos.plus, Samba ver. 
> 3.5.21 ]
> serverB [ CentOS 5.6 kernel 2.6.18-348.1.1.el5.centos.plus, Samba ver.
> 3.6.6-0.129.el5 ]
> clientA [ WindowsXP ]
> clientB [ WindowsXP ]
>
>
> The serverA shares via Samba the resource [test]
>
>
> [global]
>
>workgroup = DMIT
>netbios name = SAMBA
>server string = DMIT domain server
>interfaces = eth0
>smb ports = 445
>encrypt passwords = yes
> smb passwd file = /etc/samba/smbpasswd
>passdb backend = smbpasswd
>username map = /etc/samba/smbusers
>log file = /var/log/samba/pc/%m.log
>time server = Yes
>logon script = logon.bat
>logon path =
>logon drive = M:
>logon home = \\%L\%U
>domain logons = yes
>os level = 33
>preferred master = yes
>domain master = yes
>local master = yes
>printjob username = %M\%U
>hide dot files = No
>
> [netlogon]
>path = /etc/samba/netlogon
> ;   max protocol = smb2
>
>
> [test]
>comment = test
>path = /test
>read only = no
>writable = yes
>create mode = 0775
>force create mode = 0775
>directory mode = 02775
>force directory mode = 02775
>public = no
>oplocks = no
>
>
> the serverB mounts through nfs the /test resource (mount
> serverA:/test /test)
> This is a very simple serverB smb.conf configuration:
>
> [global]
>
>workgroup = DMIT
>domain master = no
>domain logons = no
>encrypt passwords = yes
>security = server
>password server = serverA
>interfaces = eth0
>smb ports = 445
>
> [test]
>comment = test
>path = /test
>read only = no
>writable = yes
>create mode = 0775
>force create mode = 0775
>directory mode = 02775
>force directory mode = 02775
>public = no
>oplocks = no
>
>
>
> Now on the clientA I open an excel2003 file from \\serverA\test and on
> clientB i open the same file but from \\serverB\test (consider that
> test is the same directory mounted from serverA via nfs)
>
>
> This is what happens:
>
> 1) I can open without problem the file on clientA from \\serverA\test,
> instead I have problem to open the same file from \\serverB\test
> (after 5min later it goes in timeout)
>
>
> 2) If I add "posix locking = no" on serverA and on serverB both
> excel2003 files open without the locking mechanism.
>
> 3) I tried various combinations changing kernel oplocks, oplocks,
> level2 oplocks, posix locking, locking, strict locking, nt acl support
> but nothing changed.
>
>
> 4) I tried to open the same file from the same serverA (from clientA
> and from clientB) without nfs and now the locking works well (both
> from \\serverA\test)
>
>
> The strange thing is that on my company network there are many old
> samba servers (samba 2.3) and they work well within nfs.
> The proper way to use samba like a cluster is DFS instead of NFS, but
> now I can not consider a migration or an upgrade to all the network,
> so the best way at the moment is to use nfs, like the previous
> sysadmin did.
>
>
> Have you had experience about this strange case?
> Are there known bugs regarding the new samba versions + nfs ?
>
>
>
> --
> Vincenzo De Sanctis



-- 
Vincenzo De Sanctis


Re: [Samba] [SOLVED] replace Windows 2003 dc

2013-02-25 Thread Sérgio Henrique
Solved.

I have successfully migrated a windows 2008R2 domain to samba4 and then
created a new samba domain as a replica.

A lot of steps i had to introduce.


1- Working on DNS
add samba dc to forest and domain dns _ldap values
change DNS SOA to samba4 and add samba4 as NS

2- Working on fsmo
run script fixfsmo.vbs
samba-tool transfer all roles
run adsedit and change samba dc fsMORoleOwner to samba dc

working on Global Catalog
remove windows domain as GC
reboot

working on DC removal
force windows dcpromo removal

working on DNS to remove old values
delete old dns windows dc values, kerberos, NS ... etc

working on cleaning old DC values from AD
run adsedit
bind credentials to samba dc
remove old DC
remove old Default-First-Site-Name DC reference

remove dns and AD roles left on windows DC


Join samba4 replica

and that's it.

windows DC replicated to samba4 dc2 and new samba4 added as a replica dc4

root@dc4:~# /opt/samba/bin/samba-tool drs showrepl
Default-First-Site-Name\DC4
DSA Options: 0x0001
DSA object GUID: c5581b86-4ce8-44bc-a55e-3b89db29f553
DSA invocationId: b76275bb-267b-4b79-a4ae-7deba1a13709

 INBOUND NEIGHBORS 

CN=Configuration,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
0 consecutive failure(s).
Last success @ Mon Feb 25 17:22:48 2013 CET

DC=DomainDnsZones,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
0 consecutive failure(s).
Last success @ Mon Feb 25 17:22:48 2013 CET

CN=Schema,CN=Configuration,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
0 consecutive failure(s).
Last success @ Mon Feb 25 17:22:48 2013 CET

DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ Mon Feb 25 17:22:49 2013 CET was successful
0 consecutive failure(s).
Last success @ Mon Feb 25 17:22:49 2013 CET

DC=ForestDnsZones,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ Mon Feb 25 17:22:48 2013 CET was successful
0 consecutive failure(s).
Last success @ Mon Feb 25 17:22:48 2013 CET

 OUTBOUND NEIGHBORS 

CN=Configuration,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=DomainDnsZones,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

DC=ForestDnsZones,DC=lisboa,DC=local
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
Last attempt @ NTTIME(0) was successful
0 consecutive failure(s).
Last success @ NTTIME(0)

 KCC CONNECTION OBJECTS 

Connection --
Connection name: d7dde7b1-46eb-4d8f-869b-b84922b6588c
Enabled: TRUE
Server DNS name : DC2.lisboa.local
Server DN name  : CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lisboa,DC=local
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!











On Mon, Feb 25, 2013 at 1:56 PM, Sérgio Henrique  wrote:

> Well i am guessing that the problem may be on the fsMORoleOwner..
> http://support.microsoft.com/kb/949257 ...
>
>
>
> On Mon, Feb 25, 2013 at 11:37 AM, Sérgio Henrique wrote:
>
>> Hi Peter,
>>
>> I am using 2008R2 domain, i get alway

Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-25 Thread TAKAHASHI Motonobu
From: vagy 
Date: Sun, 24 Feb 2013 18:28:03 +0200

> On Sun, 24 Feb 2013 17:36:56 +0200, TAKAHASHI Motonobu 
> wrote:
> 
>> From: vagy 
>> Date: Sun, 24 Feb 2013 13:34:37 +0200
>>
>>> i am about to implement cross subnet browsing/sharing
>>> and I was wondering if the following configuration
>>> would do it, so i would like your opinion:
>>>
>>> 1. There are two subnets separated by a simple router (no firewalls)
>>>
>>> 2. Each subnet will have a mixture of Win7/WinXP and Linux hosts.
>>>
>>> 3. Each subnet will have its own Samba3 LMB (but not DMB)
>>> and its own samba4WINS server. Each client host in each subnet
>>> will be DHCP configured with their respective WINS server.
>>> The LMB will also be configured to use the samba4WINS server.
>>>
>>> 4. The two samba3 LMB servers will "remote browse sync" with each other.
>>> Thats how the browse lists will be exchanged.
>>>
>>> 5. The two samba4WINS servers will replicate with each other.
>>> Thats how the host names will be exchanged.
>>>
>>> Do you think that will turn out to be a working configuration?
>>
>> As far as I examined, "remote browse sync" did not work as I expected.
>> Sample smb.conf that I examined the behavior is:
>>
>> -
>> [global]
>>   workgroup = SAMBAxx
>>   domain master = yes
>>   wins support = yes
>>   remote browse sync = x.x.x.x
>> -
>>
>> Samba has to be WINS server and DMB.
> 
> I don't have much experience with these settings myself.
> Nevertheless, i think "domain master = yes" and "remote browse sync"
> shouldn't be used together.

The smb.conf above is the only one which works well as far as I examined.
"domain master = yes" is needed because "remote browse sync = yes" uses
master browser announcement to search another peer.

Of course, I think this implementation is a bit curious...

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu



[Samba] samba + nfs locking doesn't work

2013-02-25 Thread Vincenzo De Sanctis
this is the case:

serverA [ CentOs 5.6 kernel 2.6.18-238.12.1.el5.centos.plus, Samba ver. 3.5.21 ]
serverB [ CentOS 5.6 kernel 2.6.18-348.1.1.el5.centos.plus, Samba ver.
3.6.6-0.129.el5 ]
clientA [ WindowsXP ]
clientB [ WindowsXP ]


The serverA shares via Samba the resource [test]


[global]

   workgroup = DMIT
   netbios name = SAMBA
   server string = DMIT domain server
   interfaces = eth0
   smb ports = 445
   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   passdb backend = smbpasswd
   username map = /etc/samba/smbusers
   log file = /var/log/samba/pc/%m.log
   time server = Yes
   logon script = logon.bat
   logon path =
   logon drive = M:
   logon home = \\%L\%U
   domain logons = yes
   os level = 33
   preferred master = yes
   domain master = yes
   local master = yes
   printjob username = %M\%U
   hide dot files = No

[netlogon]
   path = /etc/samba/netlogon
;   max protocol = smb2


[test]
   comment = test
   path = /test
   read only = no
   writable = yes
   create mode = 0775
   force create mode = 0775
   directory mode = 02775
   force directory mode = 02775
   public = no
   oplocks = no


serverB mounts the /test resource via the NFS client (mount
serverA:/test /test)
This is the very simple smb.conf configuration file of serverB:

[global]

   workgroup = DMIT
   domain master = no
   domain logons = no
   encrypt passwords = yes
   security = server
   password server = serverA
   interfaces = eth0
   smb ports = 445

[test]
   comment = test
   path = /test
   read only = no
   writable = yes
   create mode = 0775
   force create mode = 0775
   directory mode = 02775
   force directory mode = 02775
   public = no
   oplocks = no



Now on clientA I open an excel2003 file from \\serverA\test and on
clientB I open the same file but from \\serverB\test (consider that
test is the same directory mounted from serverA via nfs)


This is what happens:

1) I can open the file on clientA from \\serverA\test without a problem,
but I have a problem opening the same file from \\serverB\test
(5 min later it times out)


2) If I add "posix locking = no" on serverA and on serverB both
excel2003 files open without the locking mechanism.

3) I tried various combinations changing kernel oplocks, oplocks,
level2 oplocks, posix locking, locking, strict locking, nt acl support
but nothing changed.


4) I tried to open the same file from the same serverA (from clientA
and from clientB) without nfs and now the locking works well (both
from \\serverA\test)


The strange thing is that on my company network there are many old
samba servers (samba 2.3) and they work well with nfs.
The proper way to use samba like a cluster is DFS instead of NFS, but
now I cannot consider a migration or an upgrade of the whole network,
so the best way at the moment is to use nfs, like the previous
sysadmin did.


Have you had experience with this strange case?
Are there known bugs regarding the new samba versions + nfs ?



-- 
Vincenzo De Sanctis


Re: [Samba] Samba4 as a classic DC

2013-02-25 Thread TAKAHASHI Motonobu
From: Mario Codeniera 
Date: Mon, 25 Feb 2013 17:07:49 +1300

> I am just curious if it is possible to make Samba4 as a classic domain
> controller behaving as a Samba3 DC? I successfully migrated all the data
> from Samba3, but because trust relationship is not yet supported I want to
> retain as DC hoping it is still supported, isn't it?

As far as I examined, smbd/nmbd of Samba4 can act as a classic domain
controller.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu



Re: [Samba] [SOLVED] replace Windows 2003 dc

2013-02-25 Thread Sérgio Henrique
Well, I am guessing that the problem may be on the fsMORoleOwner..
http://support.microsoft.com/kb/949257 ...



On Mon, Feb 25, 2013 at 11:37 AM, Sérgio Henrique  wrote:

> Hi Peter,
>
> I am using a 2008R2 domain, and I always get the following message:
> http://tinypic.com/r/a1e8y/6
>
> Thank you in advance
>
>
> On Mon, Feb 25, 2013 at 11:14 AM, Peter Beck wrote:
>
>> Sérgio Henrique wrote on Mon, Feb 25, 2013 at
>> 10:27:17AM +:
>> > Hi Peter,
>> >
>> > I am unable to demote the Windows DC; I always get an error when demoting
>> > Windows AD on ForestDNSzones and DomainDNSzones. I have tried a lot of things.
>> >
>> > Raise forest level, keep at 2003, add samba to nameservers, etc...
>>
>> Hi Sérgio,
>>
>> do you get this message: http://tinypic.com/view.php?pic=140itd4&s=6 ?
>> This message is also shown in my test environment each time I run
>> dcpromo to demote the Windows server. As far as I have seen it's no
>> issue, if the replication is up to date.
>>
>> I had issues if the operation levels were lower than 2003 and Samba was
>> already joined to the domain. Then the only change that was possible for
>> me was to raise to Windows 2000 native, but not 2003 anymore.
>>
>> What I am doing after joining Samba to the domain:
>>
>> * check the operation levels (before joining)
>> * check all the SRV records (usually added automatically)
>> * create a reverse zone if not already there
>> * add ns record for samba to all zones
>> * drink some coffee to ensure everything gets replicated
>> * check everything again, drink some more coffee
>> * again ;-)
>> * disable GC on the win server, running dcpromo
>>
>> but I am still testing the whole migration, no long term experience,
>> most of the time I reset my virtual machine and try again to ensure it
>> still works...
>>
>> > What I can see is that if I create a new samba4 as primary root domain
>> > and then add Windows AD I have no problems.
>> >
>> > But my objective is to migrate the current Windows domain to samba4 and not
>> > the opposite.
>>
>> I am sure that is working very well, but the problem is, our customers
>> usually already have a working Windows environment (I think a lot of us
>> have exactly this problem) and we need to take over these domains and do not
>> want to create everything from scratch ;-)
>>
>> Regards
>> Peter
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> Regards,
> Sérgio Machado
>



-- 
Regards,
Sérgio Machado


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Tris Mabbs
Hiya Michael,

 

Many thanks for the quick and helpful response.

 

Yes, I can certainly try a packet capture; I think I'll go with your other
suggestion first though, that of using "git bisect" to track down the
problematic version.

I'm sorry, that should have occurred to me .

Once I've identified the problematic version, I can post that information
and then start capturing packets if necessary.  Who knows - finding where
the break occurred might make someone such as yourself slap your forehead in
a Homer Simpson like way ("Doh!") and say "Of *course*, that's what will
have done it ." :-).

 

It's not in a test environment; we don't run one here (the development work
we do doesn't require a separate test network), so this is on our production
network.  However I have considerable freedom in taking servers out of
service so long as it's not during the most active times, so I'm quite happy
to bounce versions around (and perform any other tests required).

 

As for what was common between the original and the re-created user - the
username.  That's it.  I didn't even bother setting up the description
information.   However I also tried renaming the account and the problem
still occurred, so I'm not at all sure exactly what is causing it.

I did originally set the password to be the same, but have since reset it
several times (to varying lengths; I know that shouldn't affect this sort of
problem but by then I was running out of ideas .).

 

You're also quite correct in that Samba shouldn't core dump.  However I
think I'll get to the bottom of this problem and then perhaps start a
separate thread on that, rather than obfuscating this one with multiple
problems.  So thanks for the thought - I'll raise a new problem for that
once this has been sorted.

 

I can't take that server down just at the moment - middle of the working day
here.  However I'll see whether I can switch versions around until I can
find the problem hopefully later on this evening.

 

Once again, many thanks for the most helpful suggestions.  Watch this space
for the responses.

 

Tris.



[Samba] how to dynamic update or refresh vfs_fn_pointers and ntvfs_ops stacks

2013-02-25 Thread Liujun (A)
Reviewing the vfs plugin architecture, the vfs handler or ntvfs handler is initialized
by tree connect; but when the share configuration is changed dynamically, how can the
already constructed handler be changed or updated?


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Michael Wood
Hi

You might try getting a packet capture.

By the way, what's common between the user before you deleted the
account and the one you created later, besides the username?  The
password?  Can you replicate this in a test environment?

If you can replicate this in a test environment and you know more or
less when the problem started, perhaps you could use git bisect to
find exactly when it happened.

e.g. roll back samba to a version from 3 months ago.  If it works
there, tell git bisect that that is the last good version you know of.
 Then tell it that your current version is bad and let it choose the
versions for you to compile and test.  You keep telling it that the
version you've just tested is either good or bad and it will
eventually tell you which commit broke it.

Then you can post that information to the list.  (I suspect
samba-technical would be a better list for this sort of thing.)

Also, I'm pretty sure Samba should never core dump, so you might want
to post stack traces etc. when that happens.

On 25 February 2013 13:51, Tris Mabbs  wrote:
> Hello,
>
>
>
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
>
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
>
>
>
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
>
>
>
> I can't see any reason for the error affecting this one specific user.
>
> As the Kerberos PAC is mainly concerned with information such as
> supplemental groups, I've altered the group membership for the user.  I've
> removed the user from all groups.  I've even completely deleted and
> re-created the user (so a different SID, in case there was any corrupted
> cached information anywhere).  Nothing makes any difference - that one user
> consistently gets this error, and no others do.  I've even tried changing
> the Kerberos encryption types in case that had any effect (was it the result
> of a decryption problem?) but again, no difference.
>
> It's not a client problem either, as I've tried accessing the Samba shares
> from various different platforms (even including an embedded Linux based
> network media player - "Dune HD Max" - I happened to have on the network) -
> everything attempting to access as that user causes exactly the same
> problem.
>
>
>
> As this is happening in a call to the "NDR_PULL_NEED_BYTES()" macro, I
> modified that slightly to print out a bit more information.  That resulted
> in "ndr_pull_error(11): Pull bytes 34, data_size=88, offset=58,
> unlikely(34)=1 (../librpc/ndr/ndr_string.c:591)", so it's quite right -
> pulling 34 bytes from 88 of data at an offset of 58 will exceed the size of
> the contents in the data buffer.
>
>
>
> So the question is either why is it trying to pull 34 bytes from offset 58
> of 88 data bytes (is that number 34 correct or has that been mis-decoded?),
> why is the existing offset 58 (has something caused this to be set too far
> into the data buffer already?) or why is the data size 88 bytes (has this
> been decoded incorrectly somehow and should there be more?).
>
>
>
> At this point, my knowledge of the internals of Samba and Kerberos stopped
> me and I felt I had to ask people who know somewhat more than me - that
> would be the readers of this list!
>
>
>
> Incidentally, this used to work.
>
> We've been running "Samba 4" for quite a while; we're not using its AD
> server facilities, but found it considerably easier to get the version 4
> codebase to compile up and run on this server (running "OpenSolaris") - the
> version 3 codebase gets very fiddly to persuade to work with the
> "OpenSolaris" LDAP and Kerberos whereas the version 4 correctly figures it
> all out for itself very nicely thank you .
>
> We also periodically update the code as we have (since first moving to
> version 4) experienced occasional core-dumps.  They don't cause a major
> problem, they're just a minor inconvenience, but it would be nice to lose
> that inconvenience and I trust the Samba developers to have beta code that's
> vastly more stable than most vendor's release code, so I don't mind
> periodically updating the code straight from the current source snapshot
> (via "git").
>
> This user used not to have any problems, then about (from memory) 3 months
> ago a code update caused this problem.  Unfortunately I don't know the
> precise version numbers at which it was working and at which it broke - pity
> as that would doubtless make it considerably easier to work out what might
> have caused the problem :-(.
>
> In poking around with "Google", I did find a single reference to a change in
> whic

[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Tris Mabbs
Hello,

 

We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
(at "Server 2008" functional level across the forest).

The interesting thing is that this only affects a single user - all other
accounts work without problems.

 

When accessing our main server using that account, "smbd" always reports
"can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
"../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
NDR to pull a blob from the Kerberos ticket (that's reported as
"ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").

 

I can't see any reason for the error affecting this one specific user.

As the Kerberos PAC is mainly concerned with information such as
supplemental groups, I've altered the group membership for the user.  I've
removed the user from all groups.  I've even completely deleted and
re-created the user (so a different SID, in case there was any corrupted
cached information anywhere).  Nothing makes any difference - that one user
consistently gets this error, and no others do.  I've even tried changing
the Kerberos encryption types in case that had any effect (was it the result
of a decryption problem?) but again, no difference.

It's not a client problem either, as I've tried accessing the Samba shares
from various different platforms (even including an embedded Linux based
network media player - "Dune HD Max" - I happened to have on the network) -
everything attempting to access as that user causes exactly the same
problem.

 

As this is happening in a call to the "NDR_PULL_NEED_BYTES()" macro, I
modified that slightly to print out a bit more information.  That resulted
in "ndr_pull_error(11): Pull bytes 34, data_size=88, offset=58,
unlikely(34)=1 (../librpc/ndr/ndr_string.c:591)", so it's quite right -
pulling 34 bytes from 88 of data at an offset of 58 will exceed the size of
the contents in the data buffer.

 

So the question is either why is it trying to pull 34 bytes from offset 58
of 88 data bytes (is that number 34 correct or has that been mis-decoded?),
why is the existing offset 58 (has something caused this to be set too far
into the data buffer already?) or why is the data size 88 bytes (has this
been decoded incorrectly somehow and should there be more?).

 

At this point, my knowledge of the internals of Samba and Kerberos stopped
me and I felt I had to ask people who know somewhat more than me - that
would be the readers of this list!

 

Incidentally, this used to work.

We've been running "Samba 4" for quite a while; we're not using its AD
server facilities, but found it considerably easier to get the version 4
codebase to compile up and run on this server (running "OpenSolaris") - the
version 3 codebase gets very fiddly to persuade to work with the
"OpenSolaris" LDAP and Kerberos whereas the version 4 correctly figures it
all out for itself very nicely thank you .

We also periodically update the code as we have (since first moving to
version 4) experienced occasional core-dumps.  They don't cause a major
problem, they're just a minor inconvenience, but it would be nice to lose
that inconvenience and I trust the Samba developers to have beta code that's
vastly more stable than most vendors' release code, so I don't mind
periodically updating the code straight from the current source snapshot
(via "git").

This user used not to have any problems, then about (from memory) 3 months
ago a code update caused this problem.  Unfortunately I don't know the
precise version numbers at which it was working and at which it broke - pity
as that would doubtless make it considerably easier to work out what might
have caused the problem :-(.

In poking around with "Google", I did find a single reference to a change in
which the submitter said they had found exactly this error, again on just a
single account, but unfortunately I can't locate the post again (despite
searching my "Chrome" history).  As I recall, the code change was committed
anyway as it was just a single account which had experienced the problem and
the change author didn't consider it to be significant.

 

There's obviously a whole lot more information I could attach; "smb.conf"
file, full debug traces, the fact that "wbinfo -u"/"wbinfo -g" etc. all work
correctly, . but there didn't seem any point attaching any of that unless it
would actually be useful.

What might be useful info. is that "smbd -V" reports "Version
4.1.0pre1-GIT-3e5acc1"; "testparm" is happy, as is "net ads testjoin" (and
"net rpc testjoin", for that matter).

 

I'm not at all averse to going into the source code and adding debug code to
dig this problem out - with over 30 years 'C' experience (including working
as a kernel/system developer on "mainstream" Unix) I'm quite happy to dive
in and add code to the source tree, if that would contribute any useful
information.

 

So can anyone suggest any way forward to resolve this please?  It would
appear that something is in
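
Added example (not part of the original post, and not Samba's code): a minimal bounds-checked pull cursor in C that reproduces the arithmetic in the diagnostic quoted above, where a 34-byte pull at offset 58 of an 88-byte blob is refused. The blob layout, the counted UTF-16 string and all names (`pull_ctx`, `need_bytes`, `pull_counted_utf16`, `demo_pull`) are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* All names here are hypothetical; this is not Samba's librpc/ndr code. */
enum pull_status {
    PULL_OK = 0,
    PULL_ERR_BUFSIZE = 11  /* same number as in the quoted ndr_pull_error(11) line */
};

struct pull_ctx {
    const uint8_t *data;
    size_t data_size;    /* total bytes in the blob */
    size_t offset;       /* bytes consumed so far */
    size_t fail_need;    /* diagnostics recorded on failure */
    size_t fail_offset;
};

/* Overflow-safe form of "offset + n > data_size": the subtraction cannot
 * wrap because offset <= data_size is checked first. */
static enum pull_status need_bytes(struct pull_ctx *p, size_t n)
{
    if (p->offset > p->data_size || n > p->data_size - p->offset) {
        p->fail_need = n;
        p->fail_offset = p->offset;
        return PULL_ERR_BUFSIZE;
    }
    return PULL_OK;
}

static enum pull_status pull_u32le(struct pull_ctx *p, uint32_t *out)
{
    enum pull_status st = need_bytes(p, 4);
    if (st != PULL_OK) return st;
    const uint8_t *b = p->data + p->offset;
    *out = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    p->offset += 4;
    return PULL_OK;
}

/* Counted UTF-16LE string: u32 count of 16-bit units, then 2*count bytes.
 * The count comes from the wire, so it is validated before any use. */
static enum pull_status pull_counted_utf16(struct pull_ctx *p,
                                           const uint8_t **str, uint32_t *count)
{
    enum pull_status st = pull_u32le(p, count);
    if (st != PULL_OK) return st;
    if (*count > SIZE_MAX / 2) {           /* 2*count would wrap size_t */
        p->fail_need = SIZE_MAX;
        p->fail_offset = p->offset;
        return PULL_ERR_BUFSIZE;
    }
    size_t nbytes = (size_t)(*count) * 2;
    st = need_bytes(p, nbytes);
    if (st != PULL_OK) return st;
    *str = p->data + p->offset;            /* points into the blob, no copy */
    p->offset += nbytes;
    return PULL_OK;
}

#define BLOB_SIZE 88   /* data_size from the post */
#define COUNT_AT  54   /* constructed: puts the string body at offset 58 */

/* Build a constructed 88-byte blob whose count field holds `count`,
 * then pull the counted string starting at COUNT_AT. */
static enum pull_status demo_pull(uint32_t count, struct pull_ctx *p)
{
    static uint8_t buf[BLOB_SIZE];
    const uint8_t *str = NULL;
    uint32_t got = 0;

    memset(buf, 0, sizeof(buf));
    buf[COUNT_AT + 0] = (uint8_t)(count);
    buf[COUNT_AT + 1] = (uint8_t)(count >> 8);
    buf[COUNT_AT + 2] = (uint8_t)(count >> 16);
    buf[COUNT_AT + 3] = (uint8_t)(count >> 24);

    memset(p, 0, sizeof(*p));
    p->data = buf;
    p->data_size = sizeof(buf);
    p->offset = COUNT_AT;
    return pull_counted_utf16(p, &str, &got);
}

int main(void)
{
    const uint32_t counts[] = { 15, 17, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        struct pull_ctx p;
        enum pull_status st = demo_pull(counts[i], &p);
        if (st == PULL_OK)
            printf("count=%u: ok, offset now %zu\n", (unsigned)counts[i], p.offset);
        else
            printf("count=%u: pull_error(%d): Pull bytes %zu, data_size=%zu, offset=%zu\n",
                   (unsigned)counts[i], (int)st, p.fail_need, p.data_size, p.fail_offset);
    }
    return 0;
}
```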

Re: [Samba] [SOLVED] replace Windows 2003 dc

2013-02-25 Thread Sérgio Henrique
Hi Peter,

I am using a 2008R2 domain, and I always get the following message:
http://tinypic.com/r/a1e8y/6

Thank you in advance


On Mon, Feb 25, 2013 at 11:14 AM, Peter Beck  wrote:

> Sérgio Henrique wrote on Mon, Feb 25, 2013 at
> 10:27:17AM +:
> > Hi Peter,
> >
> > I am unable to demote the Windows DC; I always get an error when demoting
> > Windows AD on ForestDNSzones and DomainDNSzones. I have tried a lot of things.
> >
> > Raise forest level, keep at 2003, add samba to nameservers, etc...
>
> Hi Sérgio,
>
> do you get this message: http://tinypic.com/view.php?pic=140itd4&s=6 ?
> This message is also shown in my test environment each time I run
> dcpromo to demote the Windows server. As far as I have seen it's no
> issue, if the replication is up to date.
>
> I had issues if the operation levels were lower than 2003 and Samba was
> already joined to the domain. Then the only change that was possible for
> me was to raise to Windows 2000 native, but not 2003 anymore.
>
> What I am doing after joining Samba to the domain:
>
> * check the operation levels (before joining)
> * check all the SRV records (usually added automatically)
> * create a reverse zone if not already there
> * add ns record for samba to all zones
> * drink some coffee to ensure everything gets replicated
> * check everything again, drink some more coffee
> * again ;-)
> * disable GC on the win server, running dcpromo
>
> but I am still testing the whole migration, no long term experience,
> most of the time I reset my virtual machine and try again to ensure it
> still works...
>
> > What I can see is that if I create a new samba4 as primary root domain
> > and then add Windows AD I have no problems.
> >
> > But my objective is to migrate the current Windows domain to samba4 and not
> > the opposite.
>
> I am sure that is working very well, but the problem is, our customers
> usually already have a working Windows environment (I think a lot of us
> have exactly this problem) and we need to take over these domains and do not
> want to create everything from scratch ;-)
>
> Regards
> Peter
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
Regards,
Sérgio Machado


Re: [Samba] [SOLVED] replace Windows 2003 dc

2013-02-25 Thread Peter Beck
Sérgio Henrique wrote on Mon, Feb 25, 2013 at 10:27:17AM +:
> Hi Peter,
> 
> I am unable to demote the Windows DC; I always get an error when demoting
> Windows AD on ForestDNSzones and DomainDNSzones. I have tried a lot of things.
> 
> Raise forest level, keep at 2003, add samba to nameservers, etc...

Hi Sérgio,

do you get this message: http://tinypic.com/view.php?pic=140itd4&s=6 ?
This message is also shown in my test environment each time I run
dcpromo to demote the Windows server. As far as I have seen it's no
issue, if the replication is up to date.

I had issues if the operation levels were lower than 2003 and Samba was
already joined to the domain. Then the only change that was possible for
me was to raise to Windows 2000 native, but not 2003 anymore.

What I am doing after joining Samba to the domain:

* check the operation levels (before joining)
* check all the SRV records (usually added automatically)
* create a reverse zone if not already there
* add ns record for samba to all zones
* drink some coffee to ensure everything gets replicated
* check everything again, drink some more coffee
* again ;-)
* disable GC on the win server, running dcpromo

but I am still testing the whole migration, no long term experience,
most of the time I reset my virtual machine and try again to ensure it
still works...

> What I can see is that if I create a new samba4 as primary root domain and
> then add Windows AD I have no problems.
> 
> But my objective is to migrate the current Windows domain to samba4 and not
> the opposite.

I am sure that is working very well, but the problem is, our customers
usually already have a working Windows environment (I think a lot of us have
exactly this problem) and we need to take over these domains and do not want
to create everything from scratch ;-)

Regards
Peter


[Samba] dns zone type (primary,ad integrated)

2013-02-25 Thread Peter Beck
hi guys,

is there a possibility to change dns zone options with samba-tool ?

If I create a zone with samba-tool on the Windows DC, I need to set
"--client-version=w2k", otherwise the command fails. But with that
option I get a primary zone (not AD-integrated) on the Windows server.
I know it's possible to change that manually, but if there is an option
to fix that with samba-tool, I would prefer samba-tool to manage.

The same command (without --client-version) against the samba-server 
works and creates an Active-Directory-integrated zone. Is this by design ?

Or in other words: 
does it matter if the zone is created on the samba server ? 
as it is ad-integrated it gets replicated anyway, or am I wrong ?

I am using samba-internal dns.

Regards
Peter


Re: [Samba] [SOLVED] replace Windows 2003 dc

2013-02-25 Thread Sérgio Henrique
Hi Peter,

I am unable to demote the Windows DC; I always get an error when demoting
Windows AD on ForestDNSzones and DomainDNSzones. I have tried a lot of things.

Raise forest level, keep at 2003, add samba to nameservers, etc...

What I can see is that if I create a new samba4 as primary root domain and
then add Windows AD I have no problems.

But my objective is to migrate the current Windows domain to samba4 and not
the opposite.




On Sat, Feb 23, 2013 at 8:49 PM, Peter Beck  wrote:

> Hi guys,
>
> I did some more testing:
>
> --- Scenario 1:
>
> Server 2003 with Forest Operation Level 'Windows 2000' and domain
> operation Level 'Windows 2000 mixed' (which seems to be the default when
> setting up Server 2003):
>
> After joining Samba4 to the domain I was unable to raise the level.
> Samba-tool just had an error when trying to show the levels:
>
> ERROR: Could not retrieve the actual domain, forest level and/or
> lowest DC function level!
>
> And on the Windows DC the only change that was possible was to raise up
> the domain operating level to "Windows 2000 native". No other changes
> were possible [cannot raise ...because this domain includes domain
> controllers that are not running the appropriate version of Windows]
>
> I also got issues with replicate:
>
> samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
> ERROR(): DsReplicaSync failed -
> drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 331, in
> run
> drs_utils.sendDsReplicaSync(self.drsuapi,
> self.drsuapi_handle,source_dsa_guid, NC, req_options)
> File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 83, in
> sendDsReplicaSync
> raise drsException("DsReplicaSync failed %s" % estr)
>
> with option --local:
> samba-tool drs replicate lab07 lab03
> dc=domaindnszones,dc=adlab,dc=local --local
> Partition[dc=domaindnszones,dc=adlab,dc=local] objects[26]
> linked_values[0]
>
> the same behaviour with forestdnszones.
>
> --- Scenario 2:
>
> Then the same setup again, but _before_ joining Samba, the Domain
> and Forest level were raised up to 2003. After joining the samba server,
> the levels were shown without issues:
>
> samba-tool was able to list the levels:
>
> Domain and forest function level for domain 'DC=adlab,DC=local'
> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2003
>
> Also replicating seems (after restart of samba) to work successfully
> (with all its options like full-sync, local, etc):
>
> samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
> Replicate from lab03 to lab07 was successful.
> samba-tool drs replicate lab07 lab03 dc=forestdnszones,dc=adlab,dc=local
> Replicate from lab03 to lab07 was successful.
>
> I was able to demote the Windows server like the times before.
>
> My conclusion is to ensure the forest and domain operating levels
> _before_ joining the Samba server to the domain and do not hurry with
> replacing to ensure the replication was done completely prevents from
> lots of issues and headache...
>
> I think the next test will be with Server 2008...
>
> Regards
> Peter
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
Regards,
Sérgio Machado


Re: [Samba] posixAccount objectClass

2013-02-25 Thread Hansjoerg Maurer
Hi

There was a thread
"Samba 4, Winbind & RFC2307" on 26.12.2012 on this list
which covers that issue, including a patch from Andrew and another fix
I provided.

Regards

Hansjörg

 




-- 
Dr. Hansjörg Maurer
itsystems Deutschland AG
Linprunstraße 10
80335 München
Tel:   +49-89-52 04 68-41
Fax:   +49-89-52 04 68-59
E-Mail: hansjoerg.mau...@itsd.de
Web: http://www.itsd.de

District Court of Munich, HRB 132146
VAT ID: DE 812991301
Tax no.: 143/100/81575

Chairman of the Supervisory Board:
Stefan Adam
Executive Board:
Dr. Michael Krocka
Dr. Hansjörg Maurer

 
 
-Original Message-
> From: Andreas Gaiser/L <i...@multifake.net>
> Sent: Sat 23 February 2013 18:52
> To: Samba Mailing List <samba@lists.samba.org>
> Subject: Re: [Samba] posixAccount objectClass
> 
> Hi Thomas, greeting to all readers,
> 
> > Is there something I miss or is this to be considered a bug?
> > 
> > If this is the problem I am thinking of, I originally noticed it in
> > 4.0.0. I believe Andrew provided a patch, however I don't need this in
> > my production environment and only stumbled onto the issue while testing
> > something else, so I don't know if what I'm referring to was fixed in
> > later releases. I'll see if I can find the thread and bug shortly.
> > 
> 
> I remember a thread which was about winbind ignoring objects without
> posixAccount/posixGroup OCs. The conclusion was to change winbind to not
> ignore them. But, actually, shouldn't S4 in DC mode really add them? Or
> is ADUC the culprit here?
> 
> I didn't check out yet how recent Samba 3.6 winbind behaves as a member
> here. When I tried against 4.0.0 I ended up using Wireshark to analyse
> LDAP traffic and figured RFC2307 attrs weren't returned by the LDAP
> server although requested by winbind, whereas they WERE returned to
> Apache Directory Studio at the same time - logged in as
> administra...@sub.domain.tld; a permission issue I guess. Is this a
> known issue? I blamed it to poor provisioning (without RFC2307 in the
> beginning) that day. Will try again this part later this weekend.
> 
> At the moment, I'm working on a script that adds Unix Attributes
> automatically to all relevant users (i.e. all that winbind shows on a
> member. Btw. I would love to have a way to filter them, because most
> groups I won't ever need and they're gonna make things look complicated
> on the Unix side. Does anybody know anything about this?).
> 
> 
> Andreas
> -- 
> Andreas Gaiser, Berlin, Germany
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


itsystems Deutschland AG
Carefree and quiet. That's how IT works.
Contact: i...@itsd.de | F: +49 89 520468 40 | Linprunstr. 10 | 80335 München

Munich District Court HRB 132146 | VAT ID DE 812991301 | Tax no. 143/100/81575
Chairman of the Supervisory Board: Stefan Adam | Executive Board: Dr. Hansjörg Maurer


[Samba] smb2 vs. NT1

2013-02-25 Thread Papp Tamas

hi All,


We have a glusterfs cluster with 5 nodes on Ubuntu 12.04 amd64.
We use this smb.conf:

[global]
socket options = IPTOS_THROUGHPUT TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=131072 SO_RCVBUF=131072
read raw = yes
server string = %h
write raw = yes
#oplocks = yes
max xmit = 131072
dead time = 15
getwd cache = yes
use sendfile=yes
block size = 131072
load printers = no
aio read size = 16384
aio write size = 16384
aio write behind = /*.*/
wins support = no
local master = no
wins server = 192.168.3.7
veto files = /.AppleDouble/
delete veto files = yes
hide dot files = yes
printing = BSD
max protocol = SMB2
min protocol = SMB2

[projects]
path = /W/Projects
browseable = yes
public = yes
guest ok = yes
read only = no
force user = user
force group = user



The speed is fine with this configuration, around 100Mbyte/s. If I change protocol to NT1, the speed 
drops to around 50Mbyte/s.


This is from man page:

NT1: Current up to date version of the protocol. Used by Windows NT. Known as 
CIFS.
SMB2: Re-implementation of the SMB protocol. Used by Windows Vista and newer. The Samba 
implementation of SMB2 is currently marked experimental!



Why is it still experimental? What does it mean exactly? Is there anything I should avoid, like 
file corruption or so?

Why is NT1 _much_ slower than SMB2?




Thank you,
tamas


[Samba] Samba4 and Google Apps Password Sync

2013-02-25 Thread Johan Johansson
Hi there!

I'm trying to sync password changes made in Samba4 to Google Apps. Has
anyone managed to do this?

Thank you

-- 
Best regards
Johan Johansson
Director
Phone: 0704-745209
Email: johan@ baboons.se