Re: [Samba] file share necessary?

2013-04-14 Thread Geoff Crompton

On 15/04/13 14:07, Marc Muehlfeld wrote:

On 15.04.2013 04:23, Geoff Crompton wrote:

On
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share

the instructions say

For the server to be useful, you will need to update it to have at
least one share


Why do you need a file share for the server to be useful? Isn't a
domain controller 'useful' to authenticate machines and users even if it
doesn't have a file share? I would have thought that this step would be
optional, like the NTP step just above it.


The DC needs at least a sysvol and a netlogon share.


Regards,
Marc


That makes sense. If you've followed the HOWTO (as I just have) you 
probably already have sysvol and netlogon shares. Does anyone mind if I 
mark the 'Setup a basic File Share' as optional, and add some notes that 
the sysvol and netlogon shares are needed for a domain controller, but 
users should feel free to add their own if they desire?


Cheers,
Geoff
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] file share necessary?

2013-04-14 Thread Gémes Géza

On 2013-04-15 04:23, Geoff Crompton wrote:
On 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share 
the instructions say


 For the server to be useful, you will need to update it to have at 
least one share



Why do you need a file share for the server to be useful? Isn't a 
domain controller 'useful' to authenticate machines and users even if 
it doesn't have a file share? I would have thought that this step 
would be optional, like the NTP step just above it.


Cheers,
Geoff
I agree, the step is completely optional, but the NTP config is 
highly recommended.


Regards

Geza Gemes


Re: [Samba] file share necessary?

2013-04-14 Thread Marc Muehlfeld

On 15.04.2013 04:23, Geoff Crompton wrote:

On
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share
the instructions say

  For the server to be useful, you will need to update it to have at
least one share


Why do you need a file share for the server to be useful? Isn't a
domain controller 'useful' to authenticate machines and users even if it
doesn't have a file share? I would have thought that this step would be
optional, like the NTP step just above it.


The DC needs at least a sysvol and a netlogon share.


Regards,
Marc





Re: [Samba] tests failing on Debian Squeeze

2013-04-14 Thread Matthieu Patou

On 04/14/2013 03:22 AM, Geoff Crompton wrote:

On 14/04/13 06:48, Matthieu Patou wrote:

On 04/12/2013 05:11 PM, Geoff Crompton wrote:

FAILED (318 failures, 7 errors and 0 unexpected successes in 431
testsuites)

A summary with detailed information can be found in:
./st/summary
ERROR: test failed with exit code 1
make: *** [test] Error 1



How important is it for all the tests to pass? Should I just press on
with a 'sudo make install'?


No, it's ok, but at the same time, if you could file a bug for each failing
test, we can start to have a look at fixing them.


Hi Matthieu,

Thanks for your response. The summary suggests there are over 300 failed
tests. Do you really want over 300 bug submissions? If so, I'll have to
work out how to automate that (maybe with
https://github.com/LegNeato/bztools).

What kind of extra information is useful along with these bug reports?
I'm assuming on each one you'd want the relevant section of the
./st/summary file, and mention the environment it was run in
(distribution, installed packages and their versions). Is there a script
in the samba tree to extract from the system this summary?

One should be sufficient for the moment; I misread and had the 
impression that you had only 7 errors.


On my Debian that's what I had not long ago (not retried since then).

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] Samba4 member of an another « Samba4 » domain

2013-04-14 Thread steve

On 15/04/13 03:17, François Lafont wrote:

On 14/04/2013 08:00, steve wrote:


Ok, if I understand, after a provision of a domain with samba-tool and
the "--use-rfc2307" option, samba4 can support posixaccount etc. in
its database, but I have to add the object class and the mandatory
attributes myself.

It can do that whether you provision with --use-rfc2307 or not.

Are you sure? In this case, I won't use this option.
99.99% it's just adding a bit to the schema so that you can add rfc2307 
bits from Windows. I always do that from Linux. Can anyone add the 0.01% 
for us?



I
believe that it adds the possibility of adding the uid:gid from windows.
I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.


If you want to pull uid:gid from AD then you'll need to add uidNumber
and gidNumber for users and gidNumber for groups.

And "memberUid" too for groups, isn't it?
No. AD uses the member attribute. Here is a group called staff where 
steve2 is its only member:


# record 1
dn: CN=staff,CN=Users,DC=hh3,DC=site
cn: staff
instanceType: 4
whenCreated: 20130414144050.0Z
uSNCreated: 3795
name: staff
objectGUID: 5267385f-c466-41f1-be7c-dddcb4640a33
objectSid: S-1-5-21-1555648365-2472922434-3126067274-1118
sAMAccountName: staff
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
objectClass: top
objectClass: posixGroup
objectClass: group
gidNumber: 21118
member: CN=steve2,CN=Users,DC=hh3,DC=site
whenChanged: 20130414144415.0Z
uSNChanged: 3799
distinguishedName: CN=staff,CN=Users,DC=hh3,DC=site

The good news is that samba-tool looks after all this for you:
samba-tool group addmembers staff steve2

You can use e.g. sssd to pull the info:
getent group staff
staff:*:21118:steve2





All users which need
to login will need the attributes but there's no need to allocate
gidNumber to all the groups. Many of them have no meaning in Linux. E.g.
to begin with, just allocate a gidNumber to Domain Users. A good way to
decide which gidNumber to allocate is to take the RID of the group and
add, say, 2 to keep it well away from local groups. As the RID of
Domain Users is 513 then our gidNumber becomes 20513.

For users, we allocated our first user uidNumber 332 to avoid
collision with the xidnumbers which have to remain in idmap.

I don't think that 332 is a good uidNumber because idmap seems to use the 
"300-400" range.
No. It doesn't matter. AD knows nothing about idmap.ldb, but if you're 
happier, then use an even higher range ;)





# getent passwd Guest
CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false

uid=311 although I have done no change in the Guest account.oming
from /ur/

Those uid:gid pairs are coming from idmap. idmap is not part of AD and
confuses the issue for many of us. If you are going to add more DC's,
these uid:gid's  will change depending upon which DC you refer to.
Probably (almost certainly) not what you want.

Absolutely. :)


How does Samba choose these uid/gid numbers (e.g. 311/312) and how
can I choose my uid/gid numbers so that there is never a conflict
with the uid/gid chosen automatically by Samba?

That is best answered by looking at:
ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:


# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 300
upperBound: 400
xidNumber: 317
distinguishedName: CN=CONFIG


Then, I understand that idmap uses the "300-400" range to assign 
xidNumber to the users and groups.


There, you'll see the sids with the xidnumber that Samba has allocated
to them. This xidnumber becomes the uid or gid depending upon whether
the object is a user, group or both. A basic set of objects has to
remain in idmap so leave it as it is after provision. If you add the
line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
provision has already done for you) then any new user or group object
that is created will not have an entry in idmap. You are then free to
add the necessary uid/gidNumbers to AD.

Yes, indeed:


# grep 'rfc' /usr/local/samba/etc/smb.conf
idmap_ldb:use rfc2307 = yes

# samba
# samba-tool user add test4 "test4"
User 'test4' created successfully

# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106

# ldbsearch --url=/usr/local/samba/private/idmap.ldb 
cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals


But after this:


# getent passwd test4
CHEZMOI\test4:*:319:100::/home/CHEZMOI/test4:/bin/false

[Samba] file share necessary?

2013-04-14 Thread Geoff Crompton
On 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Setup_a_basic_File_Share 
the instructions say


 For the server to be useful, you will need to update it to have at 
least one share



Why do you need a file share for the server to be useful? Isn't a 
domain controller 'useful' to authenticate machines and users even if it 
doesn't have a file share? I would have thought that this step would be 
optional, like the NTP step just above it.


Cheers,
Geoff


Re: [Samba] Samba4 member of an another « Samba4 » domain

2013-04-14 Thread François Lafont
On 14/04/2013 08:00, steve wrote:

>> Ok, if I understand, after a provision of a domain with samba-tool and
>> the "--use-rfc2307" option, samba4 can support posixaccount etc. in
>> its database, but I have to add the object class and the mandatory
>> attributes myself.
> It can do that whether you provision with --use-rfc2307 or not. 

Are you sure? In this case, I won't use this option.

> I
> believe that it adds the possibility of adding the uid:gid from windows.
> I've never used windows for this.

Me too. I prefer to manage the AD in the samba server.

> If you want to pull uid:gid from AD then you'll need to add uidNumber
> and gidNumber for users and gidNumber for groups. 

And "memberUid" too for groups, isn't it? 

> All users which need
> to login will need the attributes but there's no need to allocate
> gidNumber to all the groups. Many of them have no meaning in Linux. E.g.
> to begin with, just allocate a gidNumber to Domain Users. A good way to
> decide which gidNumber to allocate is to take the RID of the group and
> add, say, 2 to keep it well away from local groups. As the RID of
> Domain Users is 513 then our gidNumber becomes 20513.
> 
> For users, we allocated our first user uidNumber 332 to avoid
> collision with the xidnumbers which have to remain in idmap. 

I don't think that 332 is a good uidNumber because idmap seems to use the 
"300-400" range.

>> # getent passwd Guest
>> CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false
>>
>> uid=311 although I have done no change in the Guest account.oming
>> from /ur/
> Those uid:gid pairs are coming from idmap. idmap is not part of AD and
> confuses the issue for many of us. If you are going to add more DC's,
> these uid:gid's  will change depending upon which DC you refer to.
> Probably (almost certainly) not what you want.

Absolutely. :)

>> How does Samba choose these uid/gid numbers (e.g. 311/312) and how
>> can I choose my uid/gid numbers so that there is never a conflict
>> with the uid/gid chosen automatically by Samba?
> That is best answered by looking at:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb

Ok, it's a good answer indeed. And I can see:


# ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 300
upperBound: 400
xidNumber: 317
distinguishedName: CN=CONFIG


Then, I understand that idmap uses the "300-400" range to assign 
xidNumber to the users and groups.

> There, you'll see the sids with the xidnumber that Samba has allocated
> to them. This xidnumber becomes the uid or gid depending upon whether
> the object is a user, group or both. A basic set of objects has to
> remain in idmap so leave it as it is after provision. If you add the
> line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the
> provision has already done for you) then any new user or group object
> that is created will not have an entry in idmap. You are then free to
> add the necessary uid/gidNumbers to AD.

Yes, indeed:


# grep 'rfc' /usr/local/samba/etc/smb.conf 
idmap_ldb:use rfc2307 = yes

# samba
# samba-tool user add test4 "test4"
User 'test4' created successfully

# ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106

# ldbsearch --url=/usr/local/samba/private/idmap.ldb 
cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# returned 0 records
# 0 entries
# 0 referrals


But after this:


# getent passwd test4
CHEZMOI\test4:*:319:100::/home/CHEZMOI/test4:/bin/false


the idmap entry is automatically created:


# ldbsearch --url=/usr/local/samba/private/idmap.ldb 
cn=S-1-5-21-3840058276-1254623269-3939424142-1106
# record 1
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
type: ID_TYPE_BOTH
xidNumber: 319
distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106


I have noticed that I have exactly the same behavior without the "idmap_ldb:use 
rfc2307 = yes" option. Then, I don't see exactly the meaning of this option...

> Sorry, I can't access the list archive at the moment. The thread is
> called 'Some clarification?'

Ok, I see.

Thanks a lot for your explanations Steve. It's become clearer in my mind. 
:)

-- 
François Lafont
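The idmap.ldb range check from steve's and François's exchange above, as an added example that is not code from the thread or from Samba: it parses the ldbsearch LDIF output quoted there, reads lowerBound/upperBound and the next xidNumber from the CONFIG record, and flags a proposed rfc2307 uidNumber/gidNumber that overlaps the idmap range or that idmap has already allocated. The sample records and the Domain Users SID are constructed from the values quoted in the thread; the RID + 20000 convention is the one steve describes.

```python
import base64
from typing import Dict, List, Tuple

Record = Dict[str, List[str]]

# Constructed sample of `ldbsearch --url=.../idmap.ldb` output, built from the
# records quoted in the thread. The last distinguishedName is folded onto two
# lines (a continuation line starts with one space), which is how LDIF wraps
# long values; the parser has to unfold it before matching the SID.
SAMPLE_LDIF = """\
# record 1
dn: CN=CONFIG
cn: CONFIG
lowerBound: 300
upperBound: 400
xidNumber: 317
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106
cn: S-1-5-21-3840058276-1254623269-3939424142-1106
objectClass: sidMap
objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106
type: ID_TYPE_BOTH
xidNumber: 319
distinguishedName: CN=S-1-5-21-3840058276-1254623269-39394241
 42-1106

# returned 2 records
# 2 entries
# 0 referrals
"""


def parse_ldif(text: str) -> List[Record]:
    """Split LDIF into records of {attribute: [values]}.
    Unfolds continuation lines, skips '#' comments and decodes '::' base64 values."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    records: List[Record] = []
    current: Record = {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                 # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def idmap_range(records: List[Record]) -> Tuple[int, int, int]:
    """(lowerBound, upperBound, next xidNumber) from the CONFIG record."""
    for rec in records:
        if rec.get("cn") == ["CONFIG"]:
            return (int(rec["lowerBound"][0]), int(rec["upperBound"][0]),
                    int(rec["xidNumber"][0]))
    raise ValueError("no CONFIG record in idmap.ldb output")


def allocated_xids(records: List[Record]) -> Dict[str, int]:
    """objectSid -> xidNumber for every sidMap entry idmap has handed out."""
    return {rec["objectSid"][0]: int(rec["xidNumber"][0])
            for rec in records if "sidMap" in rec.get("objectClass", [])}


def gid_from_sid(sid: str, offset: int = 20000) -> int:
    """The thread's convention: gidNumber = RID + 20000 (Domain Users, RID 513 -> 20513)."""
    return int(sid.rsplit("-", 1)[1]) + offset


def check_id(candidate: int, records: List[Record]) -> List[str]:
    """Problems with using `candidate` as an rfc2307 uidNumber/gidNumber:
    it lies inside the idmap allocation range, or idmap already handed it out."""
    lo, hi, _ = idmap_range(records)
    problems: List[str] = []
    if lo <= candidate <= hi:
        problems.append(f"{candidate} lies inside the idmap.ldb range {lo}-{hi}")
    for sid, xid in allocated_xids(records).items():
        if xid == candidate:
            problems.append(f"{candidate} is already allocated by idmap to {sid}")
    return problems


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("idmap range / next xid:", idmap_range(recs))
    domain_users = "S-1-5-21-3840058276-1254623269-3939424142-513"  # constructed
    for cand in (332, 319, gid_from_sid(domain_users)):
        print(cand, check_id(cand, recs) or "ok")
```

Run it against real output by piping `ldbsearch --url=/usr/local/samba/private/idmap.ldb` into `parse_ldif` instead of the constructed sample.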

Re: [Samba] tests failing on Debian Squeeze

2013-04-14 Thread Geoff Crompton

On 15/04/13 04:59, Andrew Bartlett wrote:

How important is it for all the tests to pass? Should I just press on
with a 'sudo make install'?


It's not good, but without seeing them it's rather hard to say more than
that.  Our tests are highly inter-dependent, so this is probably one or
two tests that really go awry, and 300 tests that fail because the
server process they run against has died.

Andrew Bartlett



I've submitted bug 9793, https://bugzilla.samba.org/show_bug.cgi?id=9793 
so you can have a look at the test results.


Cheers,
Geoff


[Samba] Sysvol replication

2013-04-14 Thread Jim Potter
Hi all,

Has anyone actually got sysvol replication working between 2 (or more)
Samba4 DCs? I've tried gluster, inosync, csync and rsync and keep getting
stuck on issues with the extended attributes.

Is there a roadmap or any clues of a date when MSFRS or DFS replication
will be part of Samba4?

thanks again,

Jim


Re: [Samba] Python UCS2 vs UCS4 issue on latest git: ImportError: ....undefined symbol: PyUnicodeUCS2_Decode (SOLVED!)

2013-04-14 Thread Phil Quesinberry
OMG... I fixed it.

Since libgnutls.so.26 was in /usr/local/lib and not in /usr/local/samba/lib,
I added a file called gnutls.conf to /etc/ld.conf.d/ with the following
entry:
/usr/local/lib

I then did an ldconfig and now it seems to work!  System programs like yum
which appear to rely on the older version of Python work just fine.

Let me know if you need more info or want me to try any additional testing
to try and extract more detailed information to potentially improve the
installation process or otherwise keep this from happening to other users. 
After this experience, I'm happy to play a small part in helping others
avoid this sort of misery.

Well, I just learned something.  And a word of advice to anyone else reading
this thread... don't mess with your Python installation unless you know what
you're doing.  ..and if you're contemplating messing with your Python
installation... you probably don't.   :)

Many, MANY thanks Andrew for taking your valuable time to try and help me
get this running as well as everyone else who chimed in with comments trying
to help.

Best regards,

- Phil





Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread steve

On 14/04/13 21:22, Eric PEYREMORTE wrote:

On 14/04/2013 17:37, steve wrote:
I've even got getent group to list not only the gidNumber, but group 
members too:) I'll test an Ubuntu client tomorrow, but it's looking 
good. Maybe I'll put some doco together.
Steve 

Don't you need enumerate = true in sssd.conf ? Just an idea

Hi
Yes we tried that. It works for the first time after the restart but 
then fails upon subsequent attempts. We've tried leaving it running for 
the cache/buffer to fill but still nada. Maybe it's time to get over on 
the sssd list. I'll report back here if I get any progress on it.

Cheers,
Steve



Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread Eric PEYREMORTE

On 14/04/2013 17:37, steve wrote:
I've even got getent group to list not only the gidNumber, but group 
members too:) I'll test an Ubuntu client tomorrow, but it's looking 
good. Maybe I'll put some doco together.
Steve 

Don't you need enumerate = true in sssd.conf ? Just an idea


Re: [Samba] tests failing on Debian Squeeze

2013-04-14 Thread Andrew Bartlett
On Sat, 2013-04-13 at 10:11 +1000, Geoff Crompton wrote:
> Hi,
> 
> I'm trying to get samba4 4.0.5 tarball to run on a Debian Squeeze
> Virtual Machine. I've done a local build, and I've included the
> --enable-debug --enable-selftest switches.
> 
> I've done a 'make test', and I get told there are quite a lot of
> failures. It ends by saying:
> 
> 
> FAILED (318 failures, 7 errors and 0 unexpected successes in 431
> testsuites)
> 
> A summary with detailed information can be found in:
>   ./st/summary
> ERROR: test failed with exit code 1
> make: *** [test] Error 1
> 
> 
> 
> How important is it for all the tests to pass? Should I just press on
> with a 'sudo make install'?

It's not good, but without seeing them it's rather hard to say more than
that.  Our tests are highly inter-dependent, so this is probably one or
two tests that really go awry, and 300 tests that fail because the
server process they run against has died. 

Andrew Bartlett

-- 
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org




Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread steve

On 14/04/13 16:09, Rowland Penny wrote:

On 14/04/13 14:28, steve wrote:

On 14/04/13 13:50, Rowland Penny wrote:

On 14/04/13 11:58, steve wrote:

On 14/04/13 10:59, Rowland Penny wrote:

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time 
after sssd is started. it then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not 
on a large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland



Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is 
that it seems to work without any sort of authentication. If I 
comment out all this lot:


#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI

It still works. Users can still log in and getent passwd  
works too! There seems to be no security check made. Is there a 
cache I need to clear? nscd is not running.


I've tried starting and stopping everything and even rebooted but 
still it works without any authentication.

Worrying. . .
Cheers,
Steve


Hi Steve, I seem to remember reading on the sssd mailing list that 
sssd uses a kerberos cache but the cache is stored in memory. When a 
user logs in they get their own cache in /tmp with the format 
'krb5_uidNumber_XX'

There is another cache in /var/lib/sss/db/

When they get the ad backend to work, you will find that the sssd 
conf gets to be even smaller, you do not need any of the ldap lines.


Rowland



Hi Rowland
Thanks. I deleted the user caches under /tmp which had been created 
during me messing around, whereupon no one could get anywhere near 
it. I then configured gssapi/sasl, and now it's bulletproof without 
any passwords flying around.


I got confused by your sssd.conf file. It has:
ldap_sasl_mech = GSSAPI
but nothing configured.

I used the machine key of the client for the auth_id which is already 
in the default keytab when you join the domain.


I must say that I'm impressed by the simplicity of sssd. Just one 
slower bit I've found is that using gssapi under nss-ldapd, the key 
is cached under /tmp. With sssd, it seems to query for the (in my 
case) machine key for every action it makes. Otherwise, fresh air.
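An added audit of the sssd.conf bind settings Steve and Rowland discuss above (not code from the thread or from sssd): it flags a simple bind that keeps the password in cleartext, a plain ldap:// bind without STARTTLS, and a configuration with the bind lines commented out, which is what leaves sssd binding anonymously. Both configs are constructed; the weak one mirrors the thread's settings, the hardened one uses the client's machine keytab for GSSAPI as Steve ended up doing, and the ldap_krb5_keytab path is an assumption.

```python
import configparser
from typing import List

# Constructed sample modelled on the sssd.conf quoted in the thread: simple
# bind as cn=lynn2 with the password in the file, plain ldap:// and no STARTTLS.
WEAK_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
"""

# Constructed hardened variant: the client binds with its own machine key
# from the keytab written at domain join, so no password sits in the file.
# A GSSAPI bind can sign and seal the session (sssd's ldap_sasl_minssf sets
# the minimum), so the audit does not demand STARTTLS on top of it.
# The keytab path is an assumption, not taken from the thread.
HARDENED_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
"""

# The lines Steve commented out in the thread.
BIND_KEYS = ("ldap_tls_cacertdir", "ldap_id_use_start_tls", "ldap_default_bind_dn",
             "ldap_default_authtok", "ldap_default_authtok_type", "ldap_sasl_mech")


def comment_out_bind_settings(conf_text: str) -> str:
    """Reproduce the thread's experiment: prefix every bind/TLS line with '#'."""
    out = []
    for line in conf_text.splitlines():
        key = line.split("=", 1)[0].strip()
        out.append("#" + line if key in BIND_KEYS else line)
    return "\n".join(out) + "\n"


def audit_domain(conf_text: str, section: str = "domain/default") -> List[str]:
    """Return findings about how one sssd domain authenticates to the directory."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    dom = cp[section]
    findings: List[str] = []

    uri = dom.get("ldap_uri", "").strip().lower()
    start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    encrypted = uri.startswith("ldaps://") or start_tls
    sasl = dom.get("ldap_sasl_mech", "").strip().upper()
    simple_bind = "ldap_default_bind_dn" in dom

    if simple_bind and dom.get("ldap_default_authtok_type", "password").strip() == "password":
        findings.append("ldap_default_authtok keeps the bind password in cleartext in sssd.conf")
    if simple_bind and not encrypted:
        findings.append("simple bind over plain ldap:// without STARTTLS: "
                        "the bind password crosses the wire unencrypted")
    if not simple_bind and not sasl:
        findings.append("no ldap_default_bind_dn and no ldap_sasl_mech: sssd binds "
                        "anonymously, so any lookup that succeeds is unauthenticated")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF),
                       ("bind lines commented out", comment_out_bind_settings(WEAK_CONF)),
                       ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_domain(conf) or 'no findings'}")
```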

Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread Rowland Penny

On 14/04/13 14:28, steve wrote:

On 14/04/13 13:50, Rowland Penny wrote:

On 14/04/13 11:58, steve wrote:

On 14/04/13 10:59, Rowland Penny wrote:

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time 
after sssd is started. it then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not on 
a large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland



Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is 
that it seems to work without any sort of authentication. If I 
comment out all this lot:


#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI

It still works. Users can still log in and getent passwd  
works too! There seems to be no security check made. Is there a 
cache I need to clear? nscd is not running.


I've tried starting and stopping everything and even rebooted but 
still it works without any authentication.

Worrying. . .
Cheers,
Steve


Hi Steve, I seem to remember reading on the sssd mailing list that 
sssd uses a kerberos cache but the cache is stored in memory. When a 
user logs in they get their own cache in /tmp with the format 
'krb5_uidNumber_XX'

There is another cache in /var/lib/sss/db/

When they get the ad backend to work, you will find that the sssd 
conf gets to be even smaller, you do not need any of the ldap lines.


Rowland



Hi Rowland
Thanks. I deleted the user caches under /tmp which had been created 
during me messing around, whereupon no one could get anywhere near it. 
I then configured gssapi/sasl, and now it's bulletproof without any 
passwords flying around.


I got confused by your sssd.conf file. It has:
ldap_sasl_mech = GSSAPI
but nothing configured.

I used the machine key of the client for the auth_id which is already 
in the default keytab when you join the domain.


I must say that I'm impressed by the simplicity of sssd. Just one 
slower bit I've found is that using gssapi under nss-ldapd, the key is 
cached under /tmp. With sssd, it seems to query for the (in my case) 
machine key for every action it makes. Otherwise, fresh air.

Cheers,
Steve


Hi Steve, just a quick que

Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread steve

On 14/04/13 13:50, Rowland Penny wrote:

On 14/04/13 11:58, steve wrote:

On 14/04/13 10:59, Rowland Penny wrote:

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time 
after sssd is started. it then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not on 
a large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland



Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is 
that it seems to work without any sort of authentication. If I 
comment out all this lot:


#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI

It still works. Users can still log in and getent passwd works 
too! There seems to be no security check made. Is there a cache I 
need to clear? nscd is not running.


I've tried starting and stopping everything and even rebooted, but 
it still works without any authentication.

Worrying. . .
Cheers,
Steve


Hi Steve, I seem to remember reading on the sssd mailing list that 
sssd uses a kerberos cache but the cache is stored in memory. When a 
user logs in they get their own cache in /tmp with the format 
'krb5_uidNumber_XX'

There is another cache in /var/lib/sss/db/

When they get the ad backend to work, you will find that the sssd conf 
gets to be even smaller, you do not need any of the ldap lines.


Rowland



Hi Rowland
Thanks. I deleted the user caches under /tmp which had been created during 
me messing around, whereupon no one could get anywhere near it. I then 
configured gssapi/sasl, and now it's bulletproof without any passwords 
flying around.


I got confused by your sssd.conf file. It has:
ldap_sasl_mech = GSSAPI
but nothing configured.

I used the machine key of the client for the auth_id which is already in 
the default keytab when you join the domain.


I must say that I'm impressed by the simplicity of sssd. Just one slower 
bit I've found is that using gssapi under nss-ldapd, the key is cached 
under /tmp. With sssd, it seems to query for the (in my case) machine 
key for every action it makes. Otherwise, fresh air.

Cheers,
Steve


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
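Steve's finding above (users kept resolving and logging in after the bind DN, password and GSSAPI lines were commented out) is the kind of thing worth catching in the config before the first login test. What follows is an added example, not code from this thread, from sssd or from Samba: a small Python audit of the [domain/...] section of an sssd.conf for the settings discussed here (a plaintext bind password, an anonymous bind, ldap:// without STARTTLS, the simple access provider with no allow or deny list, cached credentials), plus a hardened variant that binds with the joined client's keytab over GSSAPI, as Steve ended up doing. The two sample configs are reconstructed from the thread with the password replaced; the ldap_sasl_authid principal, the keytab path and the simple_allow_groups value are assumptions.

```python
"""Audit an sssd.conf for the weak settings discussed in this thread.

Added example, not code from the thread, from sssd or from Samba.  The option
names are sssd's documented ones; the two sample configs below are constructed
from the thread, with the bind password and the client principal replaced.
"""
import configparser

# Constructed: the domain section as posted, with a placeholder password.
WEAK_SSSD_CONF = """\
[sssd]
domains = default

[domain/default]
access_provider = simple
cache_credentials = True
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
"""

# Constructed: the same domain, bound with the joined client's keytab over
# GSSAPI instead of a stored password.  The authid principal, the keytab path
# and the allow-list group are assumptions, not values from the thread.
HARDENED_SSSD_CONF = """\
[sssd]
domains = default

[domain/default]
access_provider = simple
simple_allow_groups = Domain Users
cache_credentials = False
id_provider = ldap
auth_provider = krb5
krb5_realm = HH3.SITE
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.hh3.site@HH3.SITE
ldap_krb5_keytab = /etc/krb5.keytab
"""


def audit_domain(section: configparser.SectionProxy) -> list[str]:
    """Return the issue codes found in one [domain/...] section."""
    issues = []
    uri = section.get("ldap_uri", "")
    starttls = section.getboolean("ldap_id_use_start_tls", fallback=False)
    sasl = section.get("ldap_sasl_mech", "").upper()

    # A bind password in the file is readable by anyone who can read the
    # file, and it is a reusable domain credential.
    if section.get("ldap_default_authtok") and \
            section.get("ldap_default_authtok_type", "password") == "password":
        issues.append("plaintext-bind-password")

    # No bind DN and no SASL mechanism: identity lookups run as an anonymous
    # bind, which only works if the DC permits that.
    if sasl != "GSSAPI" and not section.get("ldap_default_bind_dn"):
        issues.append("anonymous-bind")

    # ldap:// without STARTTLS is cleartext unless GSSAPI negotiates a SASL
    # security layer; what was really negotiated is checked on the wire,
    # not assumed from the config.
    if uri.startswith("ldap://") and not starttls and sasl != "GSSAPI":
        issues.append("cleartext-ldap")

    # The simple access provider with neither an allow nor a deny list set
    # admits every user the id provider can resolve.
    if section.get("access_provider") == "simple":
        lists = ("simple_allow_users", "simple_allow_groups",
                 "simple_deny_users", "simple_deny_groups")
        if not any(section.get(k) for k in lists):
            issues.append("simple-access-allows-everyone")

    # Cached credentials let logins succeed while the backend is unreachable
    # or misconfigured, which is how a config that can no longer bind can
    # still appear to work.  Fine for laptops; flag it so it is deliberate.
    if section.getboolean("cache_credentials", fallback=False):
        issues.append("cached-credentials")
    return issues


def audit_sssd(text: str) -> dict[str, list[str]]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: audit_domain(cp[s]) for s in cp.sections() if s.startswith("domain/")}


def without(text: str, *options: str) -> str:
    """Drop the named options, as commenting them out in the file would."""
    keep = [ln for ln in text.splitlines()
            if ln.split("=", 1)[0].strip() not in options]
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    stripped = without(WEAK_SSSD_CONF, "ldap_default_bind_dn",
                       "ldap_default_authtok", "ldap_default_authtok_type")
    for name, conf in (("posted", WEAK_SSSD_CONF),
                       ("bind lines commented out", stripped),
                       ("hardened", HARDENED_SSSD_CONF)):
        for domain, issues in audit_sssd(conf).items():
            print(f"{name} [{domain}]: {issues or 'no findings'}")
```

Run against the posted config the audit reports the stored password, cleartext ldap://, the unrestricted simple provider and cached credentials; with the bind lines removed it reports an anonymous bind instead of the password; the GSSAPI variant reports nothing. Whether the GSSAPI session actually signs and seals depends on the client and the DC, so confirm that with a packet capture rather than trusting the config file.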

Re: [Samba] [samba4] crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol"

2013-04-14 Thread François Lafont
On 14/04/2013 13:49, François Lafont wrote:

> I'm going to search, meanwhile, here is the output of the "samba -i -M single 
> -d 10" command during the "ls -l /usr/local/samba/var/locks/sysvol/" problem.

Oops! Sorry, I have forgotten the URL address:
http://sisco.laf.free.fr/codes/samba4_gid_300.log

-- 
François Lafont

Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread Rowland Penny

On 14/04/13 11:58, steve wrote:

On 14/04/13 10:59, Rowland Penny wrote:

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time 
after sssd is started. It then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not on a 
large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland



Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is 
that it seems to work without any sort of authentication. If I 
comment out all this lot:


#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI

It still works. Users can still log in and getent passwd works 
too! There seems to be no security check made. Is there a cache I need 
to clear? nscd is not running.


I've tried starting and stopping everything and even rebooted, but 
it still works without any authentication.

Worrying. . .
Cheers,
Steve


Hi Steve, I seem to remember reading on the sssd mailing list that sssd 
uses a kerberos cache but the cache is stored in memory. When a user 
logs in they get their own cache in /tmp with the format 
'krb5_uidNumber_XX'

There is another cache in /var/lib/sss/db/

When they get the ad backend to work, you will find that the sssd conf 
gets to be even smaller, you do not need any of the ldap lines.


Rowland




Re: [Samba] [samba4] crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol"

2013-04-14 Thread François Lafont
On 14/04/2013 08:30, Andrew Bartlett wrote:

>> ---
>> # ls -n /usr/local/samba/var/locks/sysvol/
>> total 8
>> drwxrws---+ 4 0 300 4096 Apr 14 01:40 chezmoi.priv
>> ---
>>
>> Which group has the gid 300?
> 
> The files are owned by the domain administrators group.

Do you mean the "CN=Administrators,CN=Builtin,DC=chezmoi,DC=priv" group?

Why doesn't this group appear with the "wbinfo -g" command?

---
# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
---

> Winbind doesn't
> know how to make up a 'user' record for that group yet.

And that's not normal behaviour, is it?

> Can you please try to get a gdb backtrace, or better still run 'samba'
> under valgrind?  We would very much like to fix that. 

Sorry, I don't know how to do that, I'm a Samba beginner. I'm going to search; 
meanwhile, here is the output of the "samba -i -M single -d 10" command during 
the "ls -l /usr/local/samba/var/locks/sysvol/" problem.

Thanks for your help.


-- 
François Lafont

Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread steve

On 14/04/13 10:59, Rowland Penny wrote:

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time after 
sssd is started. It then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not on a 
large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland



Hi Rowland
Thanks. I can live with the getent thing. The other worry I have is 
that it seems to work without any sort of authentication. If I comment 
out all this lot:


#ldap_tls_cacertdir = /usr/local/samba/private/tls
#ldap_id_use_start_tls = true
#ldap_default_bind_dn = cn=steve2,cn=Users,dc=hh3,dc=site
#ldap_default_authtok = s2
#ldap_default_authtok_type = password
#ldap_sasl_mech = GSSAPI

It still works. Users can still log in and getent passwd works 
too! There seems to be no security check made. Is there a cache I need 
to clear? nscd is not running.


I've tried starting and stopping everything and even rebooted, but it 
still works without any authentication.

Worrying. . .
Cheers,
Steve


Re: [Samba] tests failing on Debian Squeeze

2013-04-14 Thread Geoff Crompton
On 14/04/13 06:48, Matthieu Patou wrote:
> On 04/12/2013 05:11 PM, Geoff Crompton wrote:
>> FAILED (318 failures, 7 errors and 0 unexpected successes in 431
>> testsuites)
>>
>> A summary with detailed information can be found in:
>>./st/summary
>> ERROR: test failed with exit code 1
>> make: *** [test] Error 1
>>
>>
>>
>> How important is it for all the tests to pass? Should I just press on
>> with a 'sudo make install'?
>>
> No, it's OK, but at the same time, if you could file a bug for each failing
> test, we can start to have a look at fixing them.
> 

Hi Matthieu,

Thanks for your response. The summary suggests there are over 300 failed
tests. Do you really want over 300 bug submissions? If so, I'll have to
work out how to automate that (maybe with
https://github.com/LegNeato/bztools).

What kind of extra information is useful along with these bug reports?
I'm assuming on each one you'd want the relevant section of the
./st/summary file, and mention the environment it was run in
(distribution, installed packages and their versions). Is there a script
in the samba tree to extract from the system this summary?

Cheers,
Geoff



Re: [Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread Rowland Penny

On 14/04/13 09:29, steve wrote:

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


This doesn't seem to be a problem.




/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time after 
sssd is started. It then returns only local users.


I have never tried it myself, the sssd wiki recommends not setting 
'enumerate = true' until everything else is working and then not on a 
large domain.




Any ideas?
Cheers,
Steve



Here is my sssd.conf

[sssd]
debug_level = 0x0270
config_file_version = 2
sbus_timeout = 30
domains = domain.tld
services = nss, pam

[nss]
debug_level = 0x0270

[pam]
debug_level = 0x0270

[domain/domain.tld]
debug_level = 0x0270
description = AD domain with Samba 4 server
cache_credentials = true

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Uncomment if dns discovery of your AD servers isn't working.
krb5_server = server.domain.tld
krb5_kpasswd = server.domain.tld
krb5_realm = DOMAIN.TLD

ldap_referrals = false
# Comment out if not using SASL/GSSAPI to bind
ldap_sasl_mech = GSSAPI

ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true

ldap_user_search_base = dc=domain,dc=tld
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName

ldap_group_search_base = dc=domain,dc=tld
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber

Rowland




Re: [Samba] Samba4 member of an another « Samba4 » domain

2013-04-14 Thread Rowland Penny

On 14/04/13 07:00, steve wrote:

On 14/04/13 01:37, François Lafont wrote:

Hello,

On 13/04/2013 20:24, steve wrote:


You still have to add the objects. Yourself!
Ok, if I understand, after a provision of a domain with samba-tool 
and the "--use-rfc2307" option, samba4 can support posixaccount etc. 
in its database, but I have to add the object class and the mandatory 
attributes myself.
It can do that whether you provision with --use-rfc2307 or not. I 
believe that it adds the possibility of adding the uid:gid from 
windows. I've never used windows for this.


But, after this:

---
samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
 --server-role=dc --dns-backend=SAMBA_INTERNAL 
--adminpass='+toto123' \

 --use-rfc2307

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

# I add winbind to nsswitch.conf
sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf


samba
---

I have a few users and groups which are already created:

# wbinfo -u
Administrator
Guest
krbtgt

# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

Must I add "objectclass: posixAccount", "uid:...", uidNumber:..." 
etc. entries for each account above?
And must I add "objectclass: posixGroup", "gidNumber: ..." etc. 
entries for each group above?
If you want to pull uid:gid from AD then you'll need to add uidNumber 
and gidNumber for users and gidNumber for groups. All users which need 
to login will need the attributes but there's no need to allocate 
gidNumber to all the groups. Many of them have no meaning in Linux. 
e.g. To begin with, just allocate a gidNumber to Domain Users. A good 
way to decide which gidNumber to allocate is to take the RID of the 
group and add, say, 20000 to keep it well away from local groups. As 
the RID of Domain Users is 513 then our gidNumber becomes 20513.


For users, we allocated our first user uidNumber 332 to avoid 
collision with the xidnumbers which have to remain in idmap. Each 
subsequent user increments this value. It's tedious doing this by hand 
but easy to create an ldif which contains the values to add as and 
when a new user is created.


Which uid/gid numbers should I use?

Without "posixAccount" "uid" "uidNumber" etc. entries, the domain 
accounts are automatically already allied to a uid number that I can 
see with "getent passwd":


# getent passwd Guest
CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false

uid=311 although I have done no change in the Guest account.
Those uid:gid pairs are coming from idmap. idmap is not part of AD and 
confuses the issue for many of us. If you are going to add more DC's, 
these uid:gid's  will change depending upon which DC you refer to. 
Probably (almost certainly) not what you want.


How does Samba choose these uid/gid numbers (e.g. 311/312), and how 
can I choose my uid/gid numbers so that there is never a conflict 
with the uid/gid chosen automatically by Samba?

That is best answered by looking at:
ldbsearch --url=/usr/local/samba/private/idmap.ldb
There, you'll see the sids with the xidnumber that Samba has allocated 
to them. This xidnumber becomes the uid or gid depending upon whether 
the object is a user, group or both. A basic set of objects has to 
remain in idmap so leave it as it is after provision. If you add the 
line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the 
provision has already done for you) then any new user or group object 
that is created will not have an entry in idmap. You are then free to 
add the necessary uid/gidNumbers to AD.


Another problem: just after provision, the 
/usr/local/samba/var/locks/sysvol/ repository is already created with 
particular settings regarding the Unix rights and the ACL (with 
particular uid/gid numbers). Must I change the (Unix/ACL) rights of 
this repository too?



There's another thread
here at the moment about how or how not to do that.
Some of us have given up on winbind for idmapping. There are easier 
ways to get rfc2307 from the database which keep the uid:gid 
consistent independent of which DC is consulted. nss-ldapd is one of 
them and sssd seems to be gaining ground because of its simplicity. 
I'm a strong believer in keeping things as simple as possible. Because 
of this I believe that rfc2307 stuff should always be sourced from AD 
and we should not use an external idmap
Where? I don't see it. Personally, I have never succeeded in getting "rfc2307" 
working, until now.

My purpose is to have the same uid/gid numbers between 2 samba4 servers.

Sorry, I can't access the list archive at the moment. The thread is 
called 'Some clarification?'
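Steve's scheme above (gidNumber = RID + 20000 so that Domain Users becomes 20513, a counter for uidNumbers kept clear of local accounts, an LDIF per new user, and leaving the xidNumbers in idmap.ldb alone) is easy to get wrong by hand, which is where collisions with the client's /etc/passwd or with the idmap range come from. The following is an added example, not code from this thread or from Samba: it derives the RID from a SID, plans the uidNumber/gidNumber values with those collision checks, and emits the LDIF that adds the attributes. The SIDs, DNs, local account lines, the uidNumber base and the reserved idmap range are constructed or assumed; the real reserved range is whatever `ldbsearch --url=/usr/local/samba/private/idmap.ldb` shows on your DC.

```python
"""Plan rfc2307 uidNumber/gidNumber values for AD objects the way Steve
describes (RID plus a fixed offset for groups, a counter for users, both kept
clear of local accounts and of the range idmap.ldb allocates) and emit the
LDIF that adds them.  Added example, not code from the thread or from Samba;
the SIDs, DNs, local account lines and the reserved range are constructed
or assumed.
"""
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
GROUP_OFFSET = 20000   # RID + 20000: Domain Users (RID 513) -> 20513, as in the thread
USER_BASE = 10000      # assumed first uidNumber; the thread's own base is not shown
# Assumed xidNumber range that idmap.ldb hands out on this DC; confirm it with
# ldbsearch --url=/usr/local/samba/private/idmap.ldb before relying on it.
IDMAP_RESERVED = (3000000, 3999999)

DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=hh3,DC=site"
STEVE2_DN = "CN=steve2,CN=Users,DC=hh3,DC=site"
# Constructed sample objects: (dn, SID) for groups and
# (dn, sAMAccountName, primary group dn) for users.
SAMPLE_GROUPS = [(DOMAIN_USERS_DN, "S-1-5-21-1111111111-2222222222-3333333333-513")]
SAMPLE_USERS = [(STEVE2_DN, "steve2", DOMAIN_USERS_DN)]
# Constructed local account files of the client being joined.
LOCAL_PASSWD = "root:x:0:0:root:/root:/bin/bash\nsteve:x:1000:1000::/home/steve:/bin/bash\n"
LOCAL_GROUP = "root:x:0:\nusers:x:100:\nsteve:x:1000:\n"


def rid_of(sid: str) -> int:
    """The relative identifier is the last component of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return int(m.group(1))


def ids_in(passwd_or_group_text: str) -> set[int]:
    """Numeric ids (third field) from /etc/passwd- or /etc/group-style lines."""
    return {int(ln.split(":")[2]) for ln in passwd_or_group_text.splitlines() if ln.strip()}


def reserved(n: int, rng: tuple[int, int]) -> bool:
    return rng[0] <= n <= rng[1]


def plan_ids(groups, users, passwd_text, group_text, idmap_range=IDMAP_RESERVED):
    """Map each DN to the posix attributes to add, refusing any collision."""
    taken_gids, taken_uids = ids_in(group_text), ids_in(passwd_text)
    plan = {}
    for dn, sid in groups:
        gid = rid_of(sid) + GROUP_OFFSET   # deterministic, so every DC agrees
        if gid in taken_gids or reserved(gid, idmap_range):
            raise ValueError(f"gidNumber {gid} for {dn} collides with a local or idmap id")
        taken_gids.add(gid)
        plan[dn] = {"gidNumber": gid}
    next_uid = USER_BASE
    for dn, sam, primary_group_dn in users:
        while next_uid in taken_uids or reserved(next_uid, idmap_range):
            next_uid += 1                  # skip ids already in use locally
        plan[dn] = {"uidNumber": next_uid,
                    "gidNumber": plan[primary_group_dn]["gidNumber"],
                    "unixHomeDirectory": f"/home/users/{sam}",
                    "loginShell": "/bin/bash"}
        taken_uids.add(next_uid)
        next_uid += 1
    return plan


def to_ldif(plan: dict) -> str:
    """LDIF 'modify' records that add the planned attributes to each object."""
    records = []
    for dn, attrs in plan.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for attr, value in attrs.items():
            lines += [f"add: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(to_ldif(plan_ids(SAMPLE_GROUPS, SAMPLE_USERS, LOCAL_PASSWD, LOCAL_GROUP)))
```

The group id is a pure function of the SID, which is what keeps it identical on every DC; only the user counter carries state, so the generated LDIF is worth keeping under version control. The example adds the attributes only, as Steve's advice does; it does not decide whether your DC's schema also wants an auxiliary objectClass.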

[Samba] sssd getent problem with Samba 4.0

2013-04-14 Thread steve

Version 4.0.6-GIT-4bebda4

Hi
I have sssd up and running. It works fine except that getent only 
returns domain users if I specify the object e.g.

getent passwd
and
getent group
return only local users

but
getent passwd steve2
steve2:*:334:20513:steve2:/home/users/steve2:/bin/bash
and
getent group Domain\ Users
Domain Users:*:20513:
work fine.


/etc/nsswitch.conf
passwd: compat sss
group:  compat sss

/etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]

[domain/default]
access_provider = simple
#simple_allow_users = myuser
enumerate = false
cache_credentials = True
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_realm = HH3.SITE
krb5_server = hh16.hh3.site
krb5_kpasswd = hh16.hh3.site
ldap_uri = ldap://hh16.hh3.site/
ldap_search_base = dc=hh3,dc=site
ldap_tls_cacertdir = /usr/local/samba/private/tls
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn=lynn2,cn=Users,dc=hh3,dc=site
ldap_default_authtok = xx
ldap_default_authtok_type = password
ldap_user_object_class = person
ldap_user_name = samAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
#ldap_user_search_filter =(&(objectCategory=User)(uidNumber=*))

I've tried
enumerate = true
and it works as expected but strangely, only for the first time after 
sssd is started. It then returns only local users.


Any ideas?
Cheers,
Steve



Re: [Samba] [samba4] crash of winbind after "ls -l /usr/local/samba/var/locks/sysvol"

2013-04-14 Thread Rowland Penny

On 14/04/13 07:30, Andrew Bartlett wrote:

On Sun, 2013-04-14 at 02:08 +0200, François Lafont wrote:

Hi,

I used Samba 4.0.5 in Wheezy. Here is what I have done:
But there is something curious with the /usr/local/samba/var/locks/sysvol/ 
directory:

---
# ls -n /usr/local/samba/var/locks/sysvol/
total 8
drwxrws---+ 4 0 300 4096 Apr 14 01:40 chezmoi.priv
---

Which group has the gid 300?

The files are owned by the domain administrators group.  Winbind doesn't
know how to make up a 'user' record for that group yet.


In that case, would you like to explain why, if I add a user to Domain 
Admins and then mount a share as the user from the S4 server via cifs, 
all the files get saved as user 300?


Rowland




---
# wbinfo -g | tr '\n' '\0' | xargs -0 -n 1 wbinfo --group-info
CHEZMOI\Enterprise Read-Only Domain Controllers:*:318:
CHEZMOI\Domain Admins:*:308:
CHEZMOI\Domain Users:*:100:
CHEZMOI\Domain Guests:*:312:
CHEZMOI\Domain Computers:*:319:
CHEZMOI\Domain Controllers:*:320:
CHEZMOI\Schema Admins:*:307:
CHEZMOI\Enterprise Admins:*:306:
CHEZMOI\Group Policy Creator Owners:*:304:
CHEZMOI\Read-Only Domain Controllers:*:321:
CHEZMOI\DnsUpdateProxy:*:322:
---

There is no 300 gid. And, a bit more embarrassing, if I use "ls -l" to 
resolve the gid to a name, winbind is crashing:

Can you please try to get a gdb backtrace, or better still run 'samba'
under valgrind?  We would very much like to fix that.

You could also file these details in a bug, if we don't sort it out
quickly.

Thanks,

Andrew Bartlett





Re: [Samba] Samba 4 - problems with name resolution on Windows 7 clients

2013-04-14 Thread X-Dimension

On 10.04.2013 19:15, Matthieu Patou wrote:

On 04/10/2013 09:48 AM, X-Dimension wrote:
We have a strange name resolution problem on Windows 7 clients. 
(Windows XP clients are working fine!)
If a Windows 7 client is connected more than 7 or 8 hours to our 
Samba 4 active directory server, we can't
do "ping servername" anymore, but "ping servername.domainname" works 
fine.

After logout and login again to the Windows 7 clients everything works!
Can you check what is the ipconfig /all output on windows 7 clients ? 
also you should do a tcpdump/wireshark trace on your client to see 
which DNS request it is doing.
The main problem is, that all Windows clients access the samba shares 
by \\servername\sharename
and not \\servername.domainname\sharename and after 7 or 8 hours our 
users can't access the files

or programs on these shares.
What goes wrong here and what is the best way to fix this? I can 
change some GPOs and set all
shares to \\servername.domainname\sharename, but if there is a better 
solution i would prefer this.

Thx for help! :)


Matthieu.


Here is the output of ipconfig /all:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Client1
   Primary Dns Suffix  . . . . . . . : mydomain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mydomain.local

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : xx-xx-xx-xx-xx-xx
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : :::::%xx(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.235(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.5
   DNS Servers . . . . . . . . . . . : 192.168.1.200
   NetBIOS over Tcpip. . . . . . . . : Enabled


