Re: [Samba] Samba 4.0.6 update - login issues

2013-06-07 Thread Andrew Bartlett
On Wed, 2013-06-05 at 23:49 -0500, Kristofer Pettijohn wrote:
> I updated all 14 of our Domain Controllers to 4.0.6, and now I am having 
> random authentication issues.

What version did you upgrade from?

> Our radius server uses ntlm_auth to authenticate users.  Every morning
> at 3AM since the update, ntlm_auth fails to authenticate.  If I
> restart Samba 4 on the domain controller that the radius server
> connects to, then authentication works again.
> 
> In addition, I am running Samba 3.5.10-125.el6 with winbind on all of
> our file servers.  Users randomly become unable to authenticate and
> connect to file shares.  If I restart Samba 4 on the domain controller
> closest to the file server, they are able to authenticate again.
> Simply restarting winbind doesn't resolve it.  I need to restart the
> samba daemons on the domain controller.
> 
> What might be causing this?

I would need logs and network traces to investigate this further. 

Could it be a kerberos ticket expiring?

Does it still happen if you upgrade a test member server to 3.6 or 4.0
(so we can narrow down the issue)?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4.0.6 Ubuntu Package Available

2013-06-07 Thread Andrew Martin
- Original Message -
> From: "Andrew Bartlett" 
> To: "Mike Ray" 
> Cc: samba@lists.samba.org
> Sent: Friday, June 7, 2013 5:07:12 PM
> Subject: Re: [Samba] Samba 4.0.6 Ubuntu Package Available
> 
> On Fri, 2013-06-07 at 16:10 -0500, Mike Ray wrote:
> > Hello everyone-
> > 
> > Just a quick little blurb to anyone interested: I've spent some
> > time packaging Samba4 for Ubuntu 12.04 and I believe it is finally
> > "ready".
> > 
> > A couple of notes about the package:
> > 
> > - it is compiled from the 4.0.6 tarball available from Samba
> > - it has packages for amd64 and i386* class machines
> > - it requires various other non-stable class packages
> > - it uses the file system hierarchy
> > - BIND9_DLZ as a dns-backend has issues with replication between
> > DCs due to a TKEY error that I have not figured out* *
> > - it contains 2 totally unofficial, handcrafted patches -- very
> > briefly one fixed an issue with environment variable substitution
> > and the other adds some flexibility to samba_dnsupdate to skip
> > IP addresses
> > 
> > 
> > If anyone wants to give it a try, all the necessary packages are
> > available from here: ppa:xespackages/samba4
> > Though if you are not going to use bind, you can omit the
> > "bind9-upstart" package.
> > 
> > 
> > I'm going to be testing with it before it goes live at my place;
> > however, any feedback -- either on the package itself or on the
> > functionality of the resulting Samba install -- is greatly
> > appreciated.
> > 
> > 
> > A huge shout-out to the Samba Team for developing this software.
> > A personal shout-out to Jelmer for his help in packaging matters.
> 
> Just wondering, are you basing it around the Debian experimental
> packages I've been working with the debian packaging team on?
> 
> http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=shortlog;h=refs/heads/samba_4.0
> 
> git://anonscm.debian.org/pkg-samba/samba.git
> 
> (The reason I ask is that we need help finishing the work, and I'm
> trying to avoid double-work and get a finished package ready for
> everyone).
> 
> Thanks,
> 
> Andrew Bartlett
> 
> --
> Andrew Bartlett
>http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> 
> 
> 

Andrew,

We (Mike Ray and I) started with the samba4_4.0.3+dfsg1-0.1.debian.tar.gz from 
Debian Experimental here (probably more outdated than the git repo you linked):
http://packages.debian.org/experimental/samba4

We then updated debian/rules - removing things that appeared to no longer be 
necessary and working to get the package to build, install, and run 
successfully.

Thanks,

Andrew


Re: [Samba] Certificates stop working after password change

2013-06-07 Thread Andrew Bartlett
On Thu, 2013-06-06 at 20:41 +, Joaquin Cabrera wrote:
> Hi,
> 
> 
> We found the following problem when working with personal certificates.
> 
> We have a system in Java using certificates at the time of signing; the 
> certificates stop working when the user performs a password change.
> 
> Customers are connected to the Samba4 domain, mainly PCs with Windows 7 or 
> Vista. This error does not happen with certificates if the equipment is in a 
> workgroup.
> 
> We also found that if the user changes back to the previous password, they can 
> sign correctly.
> 
> Reinstalling certificates whenever the user changes their password is not an 
> option, because we want to implement a policy requiring password changes 
> every three months.
> 
> The Samba version is 4.0.3 

That is very odd.  X.509 certificates presented to our KDC for PK-INIT are not 
checked against a password in any way - it is entirely up to the validity of 
the certificate.  

Can you show the error shown on the KDC when the certificate is
rejected?

Or are you referring to some other certificate system?

Andrew Bartlett
  

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Samba 4.0.6 Ubuntu Package Available

2013-06-07 Thread Andrew Bartlett
On Fri, 2013-06-07 at 17:44 -0500, Andrew Martin wrote:
> - Original Message -
> > From: "Andrew Bartlett" 
> > To: "Mike Ray" 
> > Cc: samba@lists.samba.org
> > Sent: Friday, June 7, 2013 5:07:12 PM
> > Subject: Re: [Samba] Samba 4.0.6 Ubuntu Package Available
> > 
> > On Fri, 2013-06-07 at 16:10 -0500, Mike Ray wrote:
> > > Hello everyone-
> > > 
> > > Just a quick little blurb to anyone interested: I've spent some
> > > time packaging Samba4 for Ubuntu 12.04 and I believe it is finally
> > > "ready".
> > > 
> > > A couple of notes about the package:
> > > 
> > > - it is compiled from the 4.0.6 tarball available from Samba
> > > - it has packages for amd64 and i386* class machines
> > > - it requires various other non-stable class packages
> > > - it uses the file system hierarchy
> > > - BIND9_DLZ as a dns-backend has issues with replication between
> > > DCs due to a TKEY error that I have not figured out* *
> > > - it contains 2 totally unofficial, handcrafted patches -- very
> > > briefly one fixed an issue with environment variable substitution
> > > and the other adds some flexibility to samba_dnsupdate to skip
> > > IP addresses
> > > 
> > > 
> > > If anyone wants to give it a try, all the necessary packages are
> > > available from here: ppa:xespackages/samba4
> > > Though if you are not going to use bind, you can omit the
> > > "bind9-upstart" package.
> > > 
> > > 
> > > I'm going to be testing with it before it goes live at my place;
> > > however, any feedback -- either on the package itself or on the
> > > functionality of the resulting Samba install -- is greatly
> > > appreciated.
> > > 
> > > 
> > > A huge shout-out to the Samba Team for developing this software.
> > > A personal shout-out to Jelmer for his help in packaging matters.
> > 
> > Just wondering, are you basing it around the Debian experimental
> > packages I've been working with the debian packaging team on?
> > 
> > http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=shortlog;h=refs/heads/samba_4.0
> > 
> > git://anonscm.debian.org/pkg-samba/samba.git
> > 
> > (The reason I ask is that we need help finishing the work, and I'm
> > trying to avoid double-work and get a finished package ready for
> > everyone).
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > --
> > Andrew Bartlett
> >http://samba.org/~abartlet/
> > Authentication Developer, Samba Team   http://samba.org
> > 
> > 
> > 
> 
> Andrew,
> 
> We (Mike Ray and I) started with the samba4_4.0.3+dfsg1-0.1.debian.tar.gz 
> from 
> Debian Experimental here (probably more outdated than the git repo you 
> linked):
> http://packages.debian.org/experimental/samba4
> 
> We then updated debian/rules - removing things that appeared to no longer be 
> necessary and working to get the package to build, install, and run 
> successfully.

Yes, there has been significant work since then.  I'm sorry to hear you
have had to duplicate that.  Your assistance with the new package for
jessie would be most valuable. 

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] %S Macro seems broken in default service

2013-06-07 Thread Ty! Boyack
That's great info -- thanks.  I will start following that bug report 
with great interest.


I can see where the issue is and how this could be a serious problem.  
It will be good to see how it is fixed.


One suggestion that I'll make both  here and over there (I don't know if 
you have any pull on this), is that this "feature" is documented in the 
4.0 man pages.  In smb.conf(5) it says:


"Also note that the apparent service name will be changed to equal that 
of the requested service, this is very useful as it allows you to use 
macros like %S to make a wildcard service."


I'd like to see the feature available again (maybe with an understanding 
of risk that it can entail), but if not then that description should 
probably be struck from the documentation.


Thanks for the spot-on tip of where the bug is and the issues 
surrounding it!


-Ty!



On 06/07/2013 04:02 PM, Andrew Bartlett wrote:

On Fri, 2013-06-07 at 14:37 -0600, Ty! Boyack wrote:


Does anyone know if this is intentional, or a bug?  I don't see any
references to others having the problem, so I'm wondering if I've missed
something in the transition to 4.0 that needs to be done.

It's a bit of both.  See
https://bugzilla.samba.org/show_bug.cgi?id=8935

That is, it wasn't anticipated that folks would use %S in this way, and
the change avoids clients being able to consume memory as we
re-interpret the service for each incoming name.

Andrew Bartlett



--
-===-
  Ty Boyack
  NREL Senior IT Engineer
  ty.boy...@colostate.edu
  (970) 491-1186
-===-



Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marc Muehlfeld

Hello Marcelo,

On 07.06.2013 03:30, Marcelo Ruriani wrote:

Thank you for the reply. To answer your questions. I am using the
internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
plus host -t SRV _kerberos (and so on) return with a "not found" error.
The A record test works fine.


Can you run

# samba_dnsupdate --verbose|grep "Failed nsupdate"

Entries that aren't found can't be updated by that command, but it lets you 
know which are missing, like the SRV for _ldap._tcp.samdom.example.com:


# samba_dnsupdate --verbose|grep "Failed nsupdate"
Failed nsupdate: SRV _ldap._tcp.samdom.example.com dc1.samdom.example.com 389 : [Errno 2] No such file or directory



Then add the missing entries manually again:

# samba-tool dns add localhost samdom.example.com _ldap._tcp.samdom.example.com SRV "dc1.samdom.example.com 389 0 100"


Here's my test environment zone. There you can see the values for the 
SRV records you have to re-add. http://cpaste.org/1914/


! Create a backup of your samba directory before you do that !


After you have added the records, they should be resolvable again, of 
course.


Regards,
Marc
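The log-line to command mapping Marc describes above, as an added example that is not part of the original thread: a small POSIX sh function that reads `samba_dnsupdate --verbose` output and prints the `samba-tool dns add` command for each failed SRV record. The zone name, the constructed sample lines and the fixed priority 0 / weight 100 are assumptions taken from the thread's example.

```shell
#!/bin/sh
# Added example, not from the thread: map "Failed nsupdate" lines from
# "samba_dnsupdate --verbose" to the "samba-tool dns add" command that
# re-adds each missing SRV record by hand.
#
# Input line shape (as shown in the thread):
#   Failed nsupdate: SRV <name> <target> <port> : [Errno 2] No such file or directory
# Output line shape (as shown in the thread; priority 0, weight 100 assumed):
#   samba-tool dns add localhost <zone> <name> SRV "<target> <port> 0 100"

# Constructed sample output standing in for the real command: two missing
# SRV records, one unrelated line, and one malformed line that must be skipped.
SAMPLE_OUTPUT='Calling nsupdate for A dc1.samdom.example.com 192.0.2.10
Failed nsupdate: SRV _ldap._tcp.samdom.example.com dc1.samdom.example.com 389 : [Errno 2] No such file or directory
Failed nsupdate: SRV _kerberos._tcp.samdom.example.com dc1.samdom.example.com 88 : [Errno 2] No such file or directory
Failed nsupdate: SRV _broken.samdom.example.com dc1.samdom.example.com notaport : [Errno 2] No such file or directory'

# srv_add_commands ZONE < samba_dnsupdate-output
# Prints one samba-tool command per failed SRV record; lines whose port
# field is not numeric are reported on stderr and skipped.
srv_add_commands() {
    zone=$1
    grep '^Failed nsupdate: SRV ' | while read -r _f1 _f2 _f3 name target port _rest; do
        case $port in
            ''|*[!0-9]*)
                echo "srv_add_commands: skipping malformed line for $name" >&2
                continue ;;
        esac
        printf 'samba-tool dns add localhost %s %s SRV "%s %s 0 100"\n' \
            "$zone" "$name" "$target" "$port"
    done
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | srv_add_commands samdom.example.com
```

Pipe the real `samba_dnsupdate --verbose` output into the function and review the printed commands before running them; as Marc notes, back up the samba directory first.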


Re: [Samba] netlogon & homes with Samba4 DC

2013-06-07 Thread Andrew Bartlett
On Mon, 2013-06-03 at 08:33 +0200, Daniel Müller wrote:
> It is not "homes" anymore; within samba4 it is called "home".

Huh?

We haven't (intentionally) changed anything of the sort.

What may have changed is practices around ADUC creating home
directories, which won't work if you use the magic [homes] (because you
can't make the home directory for the share to link to). 

Andrew Bartlett
-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Samba 4.0.6 Ubuntu Package Available

2013-06-07 Thread Andrew Bartlett
On Fri, 2013-06-07 at 16:10 -0500, Mike Ray wrote:
> Hello everyone- 
> 
> Just a quick little blurb to anyone interested: I've spent some time 
> packaging Samba4 for Ubuntu 12.04 and I believe it is finally "ready". 
> 
> A couple of notes about the package: 
> 
> - it is compiled from the 4.0.6 tarball available from Samba 
> - it has packages for amd64 and i386* class machines 
> - it requires various other non-stable class packages 
> - it uses the file system hierarchy 
> - BIND9_DLZ as a dns-backend has issues with replication between DCs due to a 
> TKEY error that I have not figured out* * 
> - it contains 2 totally unofficial, handcrafted patches -- very briefly one 
> fixed an issue with environment variable substitution and the other adds 
> some flexibility to samba_dnsupdate to skip IP addresses 
> 
> 
> If anyone wants to give it a try, all the necessary packages are available 
> from here: ppa:xespackages/samba4 
> Though if you are not going to use bind, you can omit the "bind9-upstart" 
> package. 
> 
> 
> I'm going to be testing with it before it goes live at my place; however, any 
> feedback -- either on the package itself or on the functionality of the 
> resulting Samba install -- is greatly appreciated. 
> 
> 
> A huge shout-out to the Samba Team for developing this software.
> A personal shout-out to Jelmer for his help in packaging matters.

Just wondering, are you basing it around the Debian experimental
packages I've been working with the debian packaging team on?

http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=shortlog;h=refs/heads/samba_4.0

git://anonscm.debian.org/pkg-samba/samba.git

(The reason I ask is that we need help finishing the work, and I'm
trying to avoid double-work and get a finished package ready for
everyone).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] %S Macro seems broken in default service

2013-06-07 Thread Andrew Bartlett
On Fri, 2013-06-07 at 14:37 -0600, Ty! Boyack wrote:

> Does anyone know if this is intentional, or a bug?  I don't see any 
> references to others having the problem, so I'm wondering if I've missed 
> something in the transition to 4.0 that needs to be done.

It's a bit of both.  See 
https://bugzilla.samba.org/show_bug.cgi?id=8935

That is, it wasn't anticipated that folks would use %S in this way, and
the change avoids clients being able to consume memory as we
re-interpret the service for each incoming name.

Andrew Bartlett

-- 
Andrew Bartlett   http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba 4.0.6 Ubuntu Package Available

2013-06-07 Thread Mike Ray
Hello everyone- 

Just a quick little blurb to anyone interested: I've spent some time packaging 
Samba4 for Ubuntu 12.04 and I believe it is finally "ready". 

A couple of notes about the package: 

- it is compiled from the 4.0.6 tarball available from Samba 
- it has packages for amd64 and i386* class machines 
- it requires various other non-stable class packages 
- it uses the file system hierarchy 
- BIND9_DLZ as a dns-backend has issues with replication between DCs due to a 
TKEY error that I have not figured out* * 
- it contains 2 totally unofficial, handcrafted patches -- very briefly one 
fixed an issue with environment variable substitution and the other adds 
some flexibility to samba_dnsupdate to skip IP addresses 


If anyone wants to give it a try, all the necessary packages are available from 
here: ppa:xespackages/samba4 
Though if you are not going to use bind, you can omit the "bind9-upstart" 
package. 


I'm going to be testing with it before it goes live at my place; however, any 
feedback -- either on the package itself or on the functionality of the 
resulting Samba install -- is greatly appreciated. 


A huge shout-out to the Samba Team for developing this software.
A personal shout-out to Jelmer for his help in packaging matters.


Have a good one, 
Mike Ray 


*I've only tested amd64 versions 
**these issues were also present for me in the source tarball so I am unsure as 
to whether or not this is a package issue or a Samba bug 


[Samba] %S Macro seems broken in default service

2013-06-07 Thread Ty! Boyack
I am having trouble with the %S Macro being expanded to an unexpected 
value.  We have a section of disk where each directory under that 
directory is to be its own share.  This looks like:

/export/
/export/share1
/export/share2
.
.
/export/shareN


Rather than listing each share uniquely in the smb.conf, we put this in 
the global section:


default service = export
along with all of our defaults and settings.  Then we have the "export" 
service the "default service" refers to:


[export]
   path = /export/%S
   writeable = yes
   browseable = no


On previous samba versions (3.4.7 is one that I checked), it works fine. 
Now on 4.0.5 and 4.0.6 on Fedora 18, it no longer works.


Before -- if a user asked for \\server\share1, %S would be set to 
"share1" and Samba would look for /export/share1.  Now, it appears that 
%S contains "export" since the logs give errors that it cannot find the 
path /export/export.  It's almost like the requested service is being 
changed to "export" (like you would want default service to do), but the 
name that the user supplied is also being overwritten, so that I can't 
see what share the user wanted.


Does anyone know if this is intentional, or a bug?  I don't see any 
references to others having the problem, so I'm wondering if I've missed 
something in the transition to 4.0 that needs to be done.


Note that IF I list each share in the smb.conf file as
[share1]
  path = /export/share1
  writeable = yes
  browsable = no

then everything works fine, so I think it's just the macro expansion 
that is giving me fits.


Thanks for any help,

-Ty

--
-===-
  Ty Boyack
  NREL Senior IT Engineer
  ty.boy...@colostate.edu
  (970) 491-1186
-===-

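The explicit per-share workaround Ty mentions at the end of the post, as an added example that is not part of the original message: a POSIX sh function that generates one smb.conf section per directory under the export root, so no wildcard %S service (and no `default service`) is needed. The export root path and the rule that skips directory names outside [A-Za-z0-9._-] are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: generate explicit per-share smb.conf
# sections from the directories under an export root, the workaround Ty
# describes (listing each share instead of "default service" plus %S).
# Assumption: every immediate subdirectory of the root is meant to be a share.

# gen_share_sections ROOT
# Prints one [name] section per subdirectory of ROOT; names with characters
# outside [A-Za-z0-9._-] are reported on stderr and skipped so the generated
# file never contains a section name smb.conf could misparse.
gen_share_sections() {
    root=${1%/}
    if [ ! -d "$root" ]; then
        echo "gen_share_sections: $root is not a directory" >&2
        return 1
    fi
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue          # unmatched glob: no subdirectories at all
        name=$(basename "$dir")
        case $name in
            *[!A-Za-z0-9._-]*)
                echo "gen_share_sections: skipping '$name' (unsafe share name)" >&2
                continue ;;
        esac
        printf '[%s]\n' "$name"
        printf '   path = %s/%s\n' "$root" "$name"
        printf '   writeable = yes\n'
        printf '   browseable = no\n\n'
    done
}

# Stand-alone run: build a throwaway export tree and print the sections for it.
demo_root=$(mktemp -d)
mkdir "$demo_root/share1" "$demo_root/share2" "$demo_root/bad name"
gen_share_sections "$demo_root"
rm -rf "$demo_root"
```

Append the output to smb.conf (or include it via a generated file) and re-run it whenever a directory is added under the export root.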


Re: [Samba] netlogon & homes with Samba4 DC

2013-06-07 Thread spamvoll
Hmm, I've changed it to [home] but that doesn't change anything :(

I've created the homedir manually; that does not help.

Here are my logs:

http://pastebin.com/J7ij9P4Z
client log:
http://pastebin.com/vHV9CZiu

[2013/06/07 21:14:00.778318,  3]
../source3/smbd/password.c:138(register_homes_share)
  No home directory defined for user 'MYDOM\PC$'

Why a home directory for a computer?

[2013/06/07 21:14:00.779581,  3]
../source3/smbd/service.c:612(make_connection_snum)
  Connect path is '/tmp' for service [IPC$]

Why define /tmp as a share?

[2013/06/07 21:14:02.996959,  3]
../source3/smbd/password.c:138(register_homes_share)
  No home directory defined for user 'MYDOM\hpeter'

Why not? Should Samba create that for me?

This is at "log level 3".
I've seen nothing that reports why home dirs for the user do not work, and there
is nothing in it about the netlogon scripts :(

Attached a picture on how the profiles are configured in AD

ls -al /usr/local/samba/var/locks/sysvol/mydom.de/scripts
total 20
drwxrwx---+ 2 root 300 4096 Jun  1 20:57 .
drwxrwx---+ 4 root 300 4096 Jun  1 15:27 ..
-rwxrwxrwx+ 1 root root  29 Jun  1 20:57 hpeter.bat

Regards



2013/6/4 Daniel Müller 

> Of course:
>
> # Global parameters
> [global]
> workgroup = TPLECHLER
> realm = tplechler.kkh
> netbios name = LINUX2
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate
> idmap_ldb:use rfc2307 = yes
> log level= 5
> allow dns updates = signed
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/tplechler.kkh/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
> [home]
> path = /home/windows/users  <--- Look at it, it is home--and
> working!!!
> read only = No
>
>
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
>
> From: spamv...@googlemail.com [mailto:spamv...@googlemail.com]
> Sent: Monday, 3 June 2013 20:54
> To: muel...@tropenklinik.de
> Subject: Re: [Samba] netlogon & homes with Samba4 DC
>
> Hi Daniel,
>
> Are you sure? The included manpages say:
> "There are three special sections, [global], [homes] and [printers], which
> are described under.."
>
> I'll try to change that and see
>
> 2013/6/3 Daniel Müller 
> It is not "homes" anymore; within samba4 it is called "home".
> You need to set the rights for your netlogon from your adm windows client
> or
> within ads tool in your user profile
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On behalf of Robert Gurdon
> Sent: Sunday, 2 June 2013 01:02
> To: spamv...@gmail.com
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] netlogon & homes with Samba4 DC
>
> Hi,
>
> 1) Windows 7 logs should say something about your netlogon script.
>
> 2) I think you have to create the home directories via RSAT or make a pam
> script and login with the newly created user.
>  I would suggest the second option, since as I discovered when you make
> your home directories with RSAT you will have getfacl and winbind problems.
> Well, if you try to use getfacl on a RSAT made directory samba's winbind
> part dies.
>
> On 2013-06-01 22:38, spamv...@googlemail.com wrote:
> > hi all,
> >
> > I've set up Samba4 as a DC on Ubuntu Server LTS and have two problems right
> > now:
> >
> > 1) netlogon
> >
> > smb.conf
> > [netlogon]
> >  path = /usr/local/samba/var/locks/sysvol/asta-wh.de/scripts
> >  read only = No
> >
> > I can access the folder and execute the script as user, but it does
> > not get executed automatically
> >
> > I've added to [netlogon]
> >  preexec = echo %u is in %G >> /tmp/netlogon
> >
> > to see if netlogon is executed, and it's not.
> > Client PC is a newly installed Windows 7 Pro.
> > And I've added \\SMB4SRV\netlogon\userf00.bat via M$ AD Tools to the User.
> > Roaming Profiles are also enabled and working.
> >
> > 2) homes
> >
> > smb.conf
> > [homes]
> >  comment = Home Directories
> >  path = /home/HOME/%S
> >  valid users = %S
> >  read only = No
> >  browseable = Yes
> >
> > Home directories are not created.
> >
> > I'm happy with every hint in the right direction
> >
> > Hans
>
> --
> Kind regards:
>
>  Robert

Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marc Muehlfeld

Hello Marcelo,

On 07.06.2013 16:51, Ricky Nance wrote:

 by the way, why isn't samba listening on port 88 in
your last mail?


* Can you check if something else is listening on the Kerberos port 88:

# netstat -taunp | grep ":88"



* Please also show us the [global] part of your smb.conf. Especially the 
"server services =" line. Maybe "kdc" is disabled.




* Does the log say anything, why kdc doesn't listen on :88?



> My questions are if the worst were if I had to re-provision, would
> the re-provision be enough? OR would I have to do the entire
> compile, make, install procedure? Thanks.

How big is your installation? If it's not very small or a test 
environment, I think I would continue searching for the problem instead 
of setting everything up again.




As it sounds like your Samba AD was working before, did anything change 
on your DC since the last restart of Samba? Maybe required packages have 
been removed, a newly compiled Samba version was installed, etc.



Regards,
Marc





Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
Re-provisioning will wipe out your entire samba DB, so I would try to avoid
that if at all possible; figure out if something else is listening on port
88, stop it, and restart samba (it's the kerberos stuff).  The smbclient
command isn't all that helpful (sometimes it is, sometimes not), so you may
try it with a higher debug level (-d10), but don't paste that here as it
will get quite lengthy; use a pastebin and give us the link if you don't
mind (if you think it's more helpful, that is).

Good luck,
Ricky


On Fri, Jun 7, 2013 at 12:56 PM, Marcelo Ruriani <
systemad...@helpinghandsofgreenup.org> wrote:

>  On 6/7/13 10:51 AM, Ricky Nance wrote:
>
> I'd double check on the samba server itself if you can connect to it
> using smbclient... `smbclient //localhost/sysvol -Uadministrator`  if
> that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste
> the output in your reply. If it succeeds then you can pretty much bet on a
> connectivity issue... by the way, why isn't samba listening on port 88 in
> your last mail? It might be worth it to try a `killall samba && sleep 5 &&
> samba -i -M single -d3` and look for any error messages ... anyway those
> are just a couple of my suggestions.
>
>  Ricky
>
>
> On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani <
> systemad...@helpinghandsofgreenup.org> wrote:
>
>> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>>
>>> Hello Marcelo,
>>>
>>> On 06.06.2013 22:47, Marcelo Ruriani wrote:
>>>
 It seems I locked myself out. I have tried these steps: turn off the
 firewall, ntacl sysvol reset, and dis-join from domain.
 The ntacl sysvol reset returns errors (which I'll post if necessary) the
 dis-join worked fine but I cannot re-join to the domain because it
 doesn't detect our domain and throws up an error "domain could not be
 contacted" and "DNS name doesn't exist".

>>>
>>> * IP connection between the hosts is fine? (ping each other)
>>>
>>> * Do you use the internal DNS or Bind DLZ?
>>>
>>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp', to make
>>> sure, that nothing else is listening on this port and prevent the correct
>>> DNS to start up.
>>>
>>> * Can you check:
>>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>  Dear List & Mark,
>>
>> Thank you for the reply. To answer your questions. I am using the
>> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
>> plus host -t SRV _kerberos (and so on) return with a "not found" error. The
>> A record test works fine.
>>
>> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
>> UDP 53)
>> smbd is listening on TCP port 139, 445
>>
>> The clients ping the server (ip and domain name) fine and the server
>> pings the clients fine.
>>
>> My followup question will appear after this reply.
>>
>> Marcelo
>>
>>
>
>  To list, Mark, Ricky,
>
> I must admit I am unsure why it isn't listening on port 88! I will do
> that "kill all samba" thing later and reply if that does the trick. On the
> tests you asked me to do, this is my output of terminal: (I apologize for
> formatting)
>
> root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol
> -U%administrator
>
> Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
>
> tree connect failed: NT_STATUS_ACCESS_DENIED
>
> root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5
> -U%administrator
>
>
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
>
> Processing section "[global]"
>
> doing parameter workgroup = AD.HHG.COM
>
> doing parameter realm = HHG.COM
>
> doing parameter netbios name = AD
>
> doing parameter server role = active directory domain controller
>
> doing parameter dns forwarder = 192.168.1.1
>
> pm_process() returned Yes
>
> added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0
> bcast=fe80:::::%eth0 netmask=:::::
>
> added interface eth0 ip=192.168.1.10 bcast=192.168.1.255
> netmask=255.255.255.0
>
> Netbios name list:-
>
> my_netbios_name

Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Marcelo Ruriani

On 6/7/13 10:51 AM, Ricky Nance wrote:
I'd double check on the samba server itself if you can connect to it 
using smbclient... `smbclient //localhost/sysvol -Uadministrator`  
if that fails try `smbclient //localhost/sysvol -d5 -Uadministrator` 
and paste the output in your reply. If it succeeds then you can pretty 
much bet on a connectivity issue... by the way, why isn't samba 
listening on port 88 in your last mail? It might be worth it to try a 
`killall samba && sleep 5 && samba -i -M single -d3` and look for any 
error messages ... anyway those are just a couple of my suggestions.


Ricky


On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani wrote:


On 6/6/13 5:15 PM, Marc Muehlfeld wrote:

Hello Marcelo,

On 06.06.2013 22:47, Marcelo Ruriani wrote:

It seems I locked myself out. I have tried these steps: turn off the
firewall, ntacl sysvol reset, and dis-join from domain.
The ntacl sysvol reset returns errors (which I'll post if necessary) the
dis-join worked fine but I cannot re-join to the domain because it
doesn't detect our domain and throws up an error "domain could not be
contacted" and "DNS name doesn't exist".


* IP connection between the hosts is fine? (ping each other)

* Do you use the internal DNS or Bind DLZ?

* Is Samba/Bind listening on port 53? Use 'netstat -taunp' to make
sure that nothing else is listening on this port and preventing the
correct DNS from starting up.

* Can you check:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS



Regards,
Marc

Dear List & Mark,

Thank you for the reply. To answer your questions. I am using
the internal DNS. The DNS testing reveals that host -t SRV _ldap
(and so on) plus host -t SRV _kerberos (and so on) return with a
"not found" error. The A record test works fine.

Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135
(and UDP 53)
smbd is listening on TCP port 139, 445

The clients ping the server (ip and domain name) fine and the
server pings the clients fine.

My followup question will appear after this reply.

Marcelo

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba



To list, Mark, Ricky,

I must admit I am unsure why it isn't listening on port 88! I will 
do that "kill all samba" thing later and reply if that does the trick. 
On the tests you asked me to do, this is my output of terminal: (I 
apologize for formatting)


root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -U%administrator
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f11e9]
tree connect failed: NT_STATUS_ACCESS_DENIED

root@ad:/# /usr/local/samba/bin/smbclient //localhost/sysvol -d5 -U%administrator
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
all: 5
tdb: 5
printdrivers: 5
lanman: 5
smb: 5
rpc_parse: 5
rpc_srv: 5
rpc_cli: 5
passdb: 5
sam: 5
auth: 5
winbind: 5
vfs: 5
idmap: 5
quota: 5
acls: 5
locking: 5
msdfs: 5
dmapi: 5
registry: 5
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = AD.HHG.COM
doing parameter realm = HHG.COM
doing parameter netbios name = AD
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 192.168.1.1
pm_process() returned Yes
added interface eth0 ip=fe80::222:19ff:fe95:7f31%eth0 bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.1.10 bcast=192.168.1.255 netmask=255.255.255.0
Netbios name list:-
my_netbios_names[0]="AD"
Client started (version 4.1.0pre1-GIT-94f11e9).
Opening cache file at /usr/local/samba/var/lock/gencache.tdb
Opening cache file at /usr/local/samba/var/lock/gencache_notrans.tdb
sitename_fetch: No stored sitename for HHG.COM
name localhost#20 found.
Connecting to ::1 at port 445
Socket options:
SO_KEEPALIVE = 0
SO_REUSEADDR = 0
SO_BROADCAST = 0
TCP_NODELAY = 1
TCP_KEEPCNT = 9
TCP_KEEPIDLE = 7200
TCP_KEEPINTVL = 75
IPTOS_LOWDELAY = 0
IPTOS_THROUGHPUT = 0
SO_SNDBUF = 173200
SO_RCVBUF = 87380
SO_SNDLOWAT = 1
SO_RCVLOWAT = 1
SO_SNDTIMEO = 0
SO_RCVTIMEO = 0
TCP_QUICKACK = 1
TCP_DEFER_ACCEPT = 0
session request ok
Domain=[AD.HHG.COM] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-94f

[Samba] chmod g+s not working over cifs

2013-06-07 Thread steve
Hi
I've had this problem since 3.0.9 and I've now reproduced it on 4.0.6,
4.0.7 git and 4.1.0 pre1

Summary: if I chmod g+s a shared folder, the files created therein are
not group owned.

Here is the original post from March which didn't get a reply:


Version 4.0.5-GIT-9ec44d4
Single DC and fileserver running the samba binary.

Hi
I have a share called shared:
[shared]
 path = /home/shared
 read only = No

I set the ACL:
setfacl -R -m g:staff:rw,d:g:staff:rw /home/shared

This is what it looks like:
getfacl shared
# file: shared
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:staff:rw-
default:mask::rwx
default:other::---

The file listing looks OK:
drwxrws---+  3 root  staff  4096 Mar 29 10:05 shared

Problem:
Files created from Linux cifs mounted or W7 clients are group 'Domain 
users', the primary group of the user, not 'staff' as the g+s should 
give. Files created in the share on the DC are correctly assigned to 
group 'staff'.

Question:
How do I get files created in the share 'shared' to be group owned by 
group 'staff'?

Cheers,
Steve.




Re: [Samba] Problem with AD users and groups

2013-06-07 Thread Ricky Nance
I'd double check on the samba server it self if you can connect to it using
smbclient... `smbclient //localhost/sysvol -Uadministrator`  if that
fails try `smbclient //localhost/sysvol -d5 -Uadministrator` and paste the
output in your reply. If it succeeds then you can pretty much bet on a
connectivity issue... by the way, why isn't samba listening on port 88 in
your last mail? It might be worth it to try a `killall samba && sleep 5 &&
samba -i -M single -d3` and look for any error messages ... anyway those
are just a couple of my suggestions.

Ricky


On Thu, Jun 6, 2013 at 8:30 PM, Marcelo Ruriani <
systemad...@helpinghandsofgreenup.org> wrote:

> On 6/6/13 5:15 PM, Marc Muehlfeld wrote:
>
>> Hello Marcelo,
>>
>> Am 06.06.2013 22:47, schrieb Marcelo Ruriani:
>>
>>> It seems I locked myself out. I have tried these steps: turn off the
>>> firewall, ntacl sysvol reset, and dis-join from domain.
>>> The ntacl sysvol reset returns errors (which I'll post if necessary) the
>>> dis-join worked fine but I cannot re-join to the domain because it
>>> doesn't detect our domain and throws up an error "domain could not be
>>> contacted" and "DNS name doesn't exist".
>>>
>>
>> * IP connection between the hosts is fine? (ping each other)
>>
>> * Do you use the internal DNS or Bind DLZ?
>>
>> * Is Samba/Bind listening on port 53? Use 'netstat -taunp' to make sure
>> that nothing else is listening on this port and preventing the correct DNS
>> from starting up.
>>
>> * Can you check:
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_DNS
>>
>>
>>
>> Regards,
>> Marc
>>
> Dear List & Mark,
>
> Thank you for the reply. To answer your questions. I am using the
> internal DNS. The DNS testing reveals that host -t SRV _ldap (and so on)
> plus host -t SRV _kerberos (and so on) return with a "not found" error. The
> A record test works fine.
>
> Samba is listening on TCP port 53, 636, 1024, 3268, 3269, 389, 135 (and
> UDP 53)
> smbd is listening on TCP port 139, 445
>
> The clients ping the server (ip and domain name) fine and the server pings
> the clients fine.
>
> My followup question will appear after this reply.
>
> Marcelo
>


Re: [Samba] samba4+bind on centos

2013-06-07 Thread NOC

On 06/07/2013 03:38 PM, Ludek Finstrle wrote:

Hello NOC,

   you didn't provide any configuration so I'm just guessing using
my new crystal ball.


Hi Ludek

can you tell in your crystal ball whether I'll succeed getting this to 
work? ;-)


The parts I added to my config:

# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
# For BIND 9.8.0
database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind91.so -d 3";

# For BIND 9.9.0
# database "dlopen /usr/lib64/samba4/modules/bind9/dlz_bind9_9.so";
};

options {
...
#samba4 key for dyn.updates
tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";

};




Fri, Jun 07, 2013 at 02:45:09PM +0200, NOC wrote:

Hi all

root@puppettest01 var]# samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.1']
Traceback (most recent call last):
   File "/usr/sbin/samba_dnsupdate", line 506, in 
 get_credentials(lp)
   File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
 creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot
contact any KDC for requested realm)

You have configured kerberos to look for KDC using DNS and DNS
server is not running.


Yes, that's why I figured it was a problem with bind.



When looking at the debug output of bind, it doesn't seem to have
loaded the DLZ module from samba4.

I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1
|grep -i dlz
07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu'
'--build=x86_64-redhat-linux-gnu' '--program-prefix='
'--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
'--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
'--includedir=/usr/include' '--libdir=/usr/lib64'
'--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
'--mandir=/usr/share/man' '--infodir=/usr/share/info'
'--with-libtool' '--localstatedir=/var' '--enable-threads'
'--enable-ipv6' '--with-pic' '--disable-static'
'--disable-openssl-version-check' '--with-dlopen=yes'
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
'--with-dlz-mysql=yes' '--with-dlz-filesystem=yes'
'--with-dlz-stub=yes' '--with-gssapi=yes' '--disable-isc-spnego'
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS=
-DDIG_SIGCHASE'
07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'


With the freshly compiled bind I now get this output:
named -g -c /etc/bind/named.conf -u named -d3 2>&1 |grep -i dlz
07-Jun-2013 15:52:04.484 built with '--host=x86_64-redhat-linux-gnu' 
'--build=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--with-dlopen=yes' 
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-gssapi=yes' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS= 
-DDIG_SIGCHASE'

07-Jun-2013 15:52:04.486 Registering DLZ_dlopen driver
07-Jun-2013 15:52:04.486 Registering SDLZ driver 'dlopen'
07-Jun-2013 15:52:04.486 Registering DLZ driver 'dlopen'



med.conf location is nonstandard, this is handled in
/etc/sysconfig/named).

What about selinux?


selinux is set to permissive


Also giving us only grep of logs are useless. There should be very
interesting lines below:
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'


like what? I figured getting a line with the dlz driver loading was the 
first step, that isn't happening...






samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ

I wonder which steps would be most likely to let bind load the driver
for dlz? Should I suspect all the patches redhat includes in their
source rpm? or is it a configuration issue?

This part is working with plain CentOS named for me.
The problem mentioned with --disable-isc-spnego is only with
Windows client updates to the dns.


Ok, that will happen when we take it in production, so I'll still need 
to remove it for testing as well.





Please give us the named.conf (at least the part you copied
from samba) and also the named output from /var/log/messages
during startup (no debug is needed usually).


named.conf (attached) (I reduced it a bit)

/var/log/messages:

Jun  7 16:11:59 puppettes

Re: [Samba] samba4+bind on centos

2013-06-07 Thread Ludek Finstrle
Hello NOC,

  you didn't provide any configuration so I'm just guessing using
my new crystal ball.

Fri, Jun 07, 2013 at 02:45:09PM +0200, NOC wrote:
> Hi all
> 
> root@puppettest01 var]# samba_dnsupdate --verbose --all-names
> IPs: ['192.168.0.1']
> Traceback (most recent call last):
>   File "/usr/sbin/samba_dnsupdate", line 506, in 
> get_credentials(lp)
>   File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
> creds.get_named_ccache(lp, ccachename)
> RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot
> contact any KDC for requested realm)

You have configured kerberos to look for KDC using DNS and DNS
server is not running.

> When looking at the debug output of bind, it doesn't seem to have
> loaded the DLZ module from samba4.
> 
> I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1
> |grep -i dlz
> 07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu'
> '--build=x86_64-redhat-linux-gnu' '--program-prefix='
> '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin'
> '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share'
> '--includedir=/usr/include' '--libdir=/usr/lib64'
> '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib'
> '--mandir=/usr/share/man' '--infodir=/usr/share/info'
> '--with-libtool' '--localstatedir=/var' '--enable-threads'
> '--enable-ipv6' '--with-pic' '--disable-static'
> '--disable-openssl-version-check' '--with-dlopen=yes'
> '--with-dlz-ldap=yes' '--with-dlz-postgres=yes'
> '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes'
> '--with-dlz-stub=yes' '--with-gssapi=yes' '--disable-isc-spnego'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets'
> '--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu'
> 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS=
> -DDIG_SIGCHASE'
> 07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
> 07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
> 07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'
> 
> The packages samba4 (using git master from 2 days ago) and bind are
> self-compiled on another centos 6.4 machine. As you can see, the
> options '--with-gssapi=yes' and '--with-dlopen=yes' are set (this is
> 9.8.2 from the source rpm)
> 
> I followed the instructions on how to include
> /var/lib/samba4/private/named.conf and named.txt, however, that
> didn't work as advertised (cannot read
> /var/lib/samba4/private/named.conf, though it was readable by user
> named???), so I included the stuff in ...private/named.conf
> literally in the /etc/bind/named.conf (as you can see, the
> named.conf location is nonstandard, this is handled in
> /etc/sysconfig/named).

What about selinux?
Also giving us only grep of logs are useless. There should be very
interesting lines below:
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'


> samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ
>
> I wonder which steps would be most likely to let bind load the driver
> for dlz? Should I suspect all the patches redhat includes in their
> source rpm? or is it a configuration issue?

This part is working with plain CentOS named for me.
The problem mentioned with --disable-isc-spnego is only with
Windows client updates to the dns.

Please give us the named.conf (at least the part you copied
from samba) and also the named output from /var/log/messages
during startup (no debug is needed usually).

Best regards,

Luf


Re: [Samba] samba4+bind on centos

2013-06-07 Thread Gary Maurizi
On Fri, Jun 7, 2013 at 5:45 AM, NOC  wrote:

> '--disable-isc-spnego'


'--disable-isc-spnego'

It will not work with this in the BIND build; see my previous thread on the
mailing list. I just spent roughly 200 man hours working out samba 4 bind
DLZ dynamic updates on centos 6.4 myself and finally got it to work after
removing that from the bind build, changing --with-gssapi=yes to (I believe
it was --with-gssapi=/usr/include/GSSAPI) and adding the with dlopen flag
as well. With these 3 things done bind DLZ works; without these 3 things
done exactly this way it will not. 'gssapi yes' did not work for me, and
you can NOT have disable-isc-spnego.


[Samba] samba4+bind on centos

2013-06-07 Thread NOC

Hi all

I've given up on the idea that I can make a script to import our 
-zone into samba internal dns with samba-tool as it gets really 
messy with subdomains. Instead I'm now trying to get samba4 to let bind 
handle the -zone as well as dynamic updates and such.


The problem is that once I've started named and samba4 after 
provisioning, I try to test dynamic updates and it oopses with the message:

root@puppettest01 var]# samba_dnsupdate --verbose --all-names
IPs: ['192.168.0.1']
Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 506, in 
get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 119, in get_credentials
creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for PUPPETTEST01$@NIEUWLAND.NL failed (Cannot 
contact any KDC for requested realm)


When looking at the debug output of bind, it doesn't seem to have loaded 
the DLZ module from samba4.


I tried this: named -g -c /etc/bind/named.conf -u named -d3 2>&1 |grep 
-i dlz
07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu' 
'--build=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' 
'--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' 
'--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' 
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec' 
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' 
'--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' 
'--disable-openssl-version-check' '--with-dlopen=yes' 
'--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' 
'--with-dlz-filesystem=yes' '--with-dlz-stub=yes' '--with-gssapi=yes' 
'--disable-isc-spnego' 
'--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 
'--enable-fixed-rrset' 'build_alias=x86_64-redhat-linux-gnu' 
'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g' 'CPPFLAGS= 
-DDIG_SIGCHASE'

07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver
07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'
07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'

The packages samba4 (using git master from 2 days ago) and bind are 
self-compiled on another centos 6.4 machine. As you can see, the options 
'--with-gssapi=yes' and '--with-dlopen=yes' are set (this is 9.8.2 from 
the source rpm)


I followed the instructions on how to include 
/var/lib/samba4/private/named.conf and named.txt, however, that didn't 
work as advertised (cannot read /var/lib/samba4/private/named.conf, 
though it was readable by user named???), so I included the stuff in 
...private/named.conf literally in the /etc/bind/named.conf (as you can 
see, the named.conf location is nonstandard, this is handled in 
/etc/sysconfig/named).


samba4 was provisioned for NIEUWLAND.NL as dc and BIND9_DLZ

I figure the problem lies in not loading the dlopen driver, which should 
probably look like:


03-Jun-2013 14:38:43.370 Loading 'AD DNS Zone' using driver dlopen
03-Jun-2013 14:38:43.371 Loading SDLZ driver.
03-Jun-2013 14:38:47.233 samba_dlz: started for DN DC=intranet01,DC=hom
03-Jun-2013 14:38:47.234 SDLZ driver loaded successfully.
03-Jun-2013 14:38:47.234 DLZ driver loaded successfully.
03-Jun-2013 14:38:47.235 samba_dlz: starting configure
03-Jun-2013 14:38:47.275 zone 200.168.192.in-addr.arpa/NONE: number of nodes in 
database: 0
03-Jun-2013 14:38:47.278 zone 200.168.192.in-addr.arpa/NONE: loaded; checking 
validity
03-Jun-2013 14:38:47.281 zone_settimer: zone 200.168.192.in-addr.arpa/NONE: 
enter
03-Jun-2013 14:38:47.282 samba_dlz: configured writeable zone 
'200.168.192.in-addr.arpa'
03-Jun-2013 14:38:47.284 zone intranet01.hom/NONE: number of nodes in database: 0
03-Jun-2013 14:38:47.286 zone intranet01.hom/NONE: loaded; checking validity

(I saw this in another mail to this list, but there bind was compiled from 
original sources and version 9.9.3)

I wonder which steps would be most likely to let bind load the driver for dlz? 
Should I suspect all the patches redhat includes in their source rpm? or is it 
a configuration issue?

Cheers

Simon





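The replies in this thread come down to two checks: whether the BIND binary was configured with the flags Samba's BIND9_DLZ back end needs (`--with-dlopen`, `--with-gssapi`, and no `--disable-isc-spnego`), and whether named's startup log shows the Samba module actually loaded rather than only the generic dlopen driver being registered. The following Python is an added example, not code from the thread or from Samba/BIND; it parses the `built with` line named prints and classifies the startup output, using sample lines constructed from the messages above (the "fixed" build line is a constructed guess at what a rebuild along the lines Gary describes would print).

```python
import re

# Configure flags this thread identifies as required for, or incompatible
# with, Samba's BIND9_DLZ back end (see the replies by Ludek and Gary).
REQUIRED_FLAGS = {
    "--with-dlopen=yes": "needed so named can dlopen dlz_bind9*.so",
}
FORBIDDEN_FLAGS = {
    "--disable-isc-spnego": "reported on the list to break GSS-TSIG "
                            "(Kerberos-signed) dynamic DNS updates",
}

def parse_built_with(line):
    """Return the configure arguments from a named 'built with' log line.
    Each argument is single-quoted, and values such as 'CFLAGS= -O2 -g'
    contain spaces, so split on the quotes rather than on whitespace."""
    m = re.search(r"built with (.*)$", line)
    if not m:
        return []
    return re.findall(r"'([^']*)'", m.group(1))

def check_bind_build(flags):
    """Return a list of problems with a BIND build, empty if it looks usable."""
    problems = []
    for flag, why in REQUIRED_FLAGS.items():
        if flag not in flags:
            problems.append(f"missing {flag}: {why}")
    # --with-gssapi may be 'yes' or a path; Gary reports only a path worked
    if not any(f.startswith("--with-gssapi=") and f != "--with-gssapi=no"
               for f in flags):
        problems.append("missing --with-gssapi: GSS-TSIG updates need GSSAPI")
    for flag, why in FORBIDDEN_FLAGS.items():
        if flag in flags:
            problems.append(f"{flag} present: {why}")
    return problems

def dlz_status(log_lines):
    """Classify named's startup output as (registered, loaded).
    'Registering DLZ driver' only proves BIND has the dlopen driver type;
    the Samba module is in use once the 'AD DNS Zone' is loaded through it
    and samba_dlz reports the base DN it started for."""
    registered = any("Registering DLZ driver 'dlopen'" in l for l in log_lines)
    loaded = any("using driver dlopen" in l or "samba_dlz: started for DN" in l
                 for l in log_lines)
    return registered, loaded

# Constructed from the 'built with' line in the original post (wraps joined,
# most flags omitted for brevity).
BROKEN_BUILD_LINE = (
    "07-Jun-2013 14:18:24.514 built with '--host=x86_64-redhat-linux-gnu' "
    "'--prefix=/usr' '--with-dlopen=yes' '--with-dlz-stub=yes' "
    "'--with-gssapi=yes' '--disable-isc-spnego' 'CFLAGS= -O2 -g' "
    "'CPPFLAGS= -DDIG_SIGCHASE'"
)
# Constructed: what a rebuild along the lines Gary describes might print.
FIXED_BUILD_LINE = (
    "07-Jun-2013 15:52:04.484 built with '--host=x86_64-redhat-linux-gnu' "
    "'--prefix=/usr' '--with-dlopen=yes' '--with-gssapi=/usr/include/GSSAPI' "
    "'CFLAGS= -O2 -g'"
)
# Constructed from the log excerpts quoted in the thread.
REGISTERED_ONLY_LOG = [
    "07-Jun-2013 14:18:24.516 Registering DLZ_dlopen driver",
    "07-Jun-2013 14:18:24.516 Registering SDLZ driver 'dlopen'",
    "07-Jun-2013 14:18:24.516 Registering DLZ driver 'dlopen'",
]
LOADED_LOG = REGISTERED_ONLY_LOG + [
    "03-Jun-2013 14:38:43.370 Loading 'AD DNS Zone' using driver dlopen",
    "03-Jun-2013 14:38:47.233 samba_dlz: started for DN DC=intranet01,DC=hom",
    "03-Jun-2013 14:38:47.234 DLZ driver loaded successfully.",
]
```

Run `check_bind_build(parse_built_with(line))` on the `built with` line from your own `named -d3` output and `dlz_status()` on the full startup log, not only the `grep -i dlz` subset, since the `samba_dlz:` lines are what show the module is really in use.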


Re: [Samba] Microsoft Hyper-V over SMB 3.0

2013-06-07 Thread David Disseldorp
On Fri, 7 Jun 2013 12:24:29 +0800
Chunbo Song  wrote:

> We have a project about Microsoft Hyper-V by using our storage.  We want to
> use Samba to share our storage to Hyper-V.
> 
> 
> 
> And we know from Microsoft homepage hyper-v(windows 2012) only supports
> smb3.0 protocol, but right now the newest version of Samba doesn't fully
> support SMB3.0 protocol. I tried the version of  Samba4.0.6, Samba3.6.9,
> but both failed to create virtual hosts using Hyper-V.
> 
> 
> 
> So, is it possible to use Samba to share our storage to Hyper-V?  Any
> suggestion for us?

What error are you seeing?

I did a quick test on my local Samba 4.0 + Hyper-V 2012 setup and see
an access denied error, which appears to be due to the following ACL issue:

- Hyper-V connects using the machine account (machine$)
- Hyper-V connects using the login account (admin)
- admin creates VM container directory (vmdir)
- admin sets security descriptor on vmdir:
    owner=admin
    group=domain admins
    acl[0]: machine$(inherit only)=0x001f01ff
    acl[1]: machine$=0x0012008f
    acl[n]...
- machine$ attempts to open a non-existing "vmdir\Virtual Machines"
  path, which fails at realpath() with EPERM. The ACL on the parent
  does not allow machine$ execute permission, so realpath() is unable
  to traverse. This step would succeed on Windows, as the "Bypass
  traverse checking" user right is granted by default.

Cheers, David
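As an added example (mine, not David's or Samba's code), here is a small Python model of the access check behind that failure: it decodes the two machine$ ACEs from the descriptor above, applies the inherit-only rule, and shows that the ACE in force on vmdir grants no FILE_TRAVERSE (FILE_EXECUTE) bit, so traversal succeeds only with the bypass-traverse-checking right that Windows grants by default and that a POSIX realpath() has no equivalent of. ACE ordering, group membership and owner rights are simplified; the mask values are taken from the message.

```python
from dataclasses import dataclass

# Access-mask bits (MS-DTYP / MS-FSCC) that matter for a directory.
ACCESS_BITS = {
    0x00000001: "FILE_LIST_DIRECTORY",    # FILE_READ_DATA on a file
    0x00000002: "FILE_ADD_FILE",          # FILE_WRITE_DATA
    0x00000004: "FILE_ADD_SUBDIRECTORY",  # FILE_APPEND_DATA
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_TRAVERSE",          # FILE_EXECUTE; POSIX 'x' on a dir
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
FILE_TRAVERSE = 0x00000020
INHERIT_ONLY_ACE = 0x08  # ACE flag: applies to children only, never to this object

@dataclass
class Ace:
    trustee: str
    mask: int
    flags: int = 0
    allow: bool = True

def decode_mask(mask):
    """Names of the access bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def effective_access(acl, trustee):
    """Bits granted to trustee on the object itself.  Simplified NT
    evaluation: inherit-only ACEs are skipped, deny ACEs are honoured
    in ACL order, group membership and owner rights are ignored."""
    granted = denied = 0
    for ace in acl:
        if ace.trustee != trustee or ace.flags & INHERIT_ONLY_ACE:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask
    return granted

def can_traverse(acl, trustee, bypass_traverse_checking=False):
    """Windows grants 'Bypass traverse checking' (SeChangeNotifyPrivilege)
    to Everyone by default, so the parent's ACL is not consulted there;
    Samba's realpath() has no such privilege and needs 'x' on every
    path component, which is where the EPERM above comes from."""
    if bypass_traverse_checking:
        return True
    return bool(effective_access(acl, trustee) & FILE_TRAVERSE)

# Constructed from the descriptor in the message (machine$ ACEs only).
VMDIR_ACL = [
    Ace("machine$", 0x001f01ff, flags=INHERIT_ONLY_ACE),  # acl[0], inherit only
    Ace("machine$", 0x0012008f),                          # acl[1], vmdir itself
]

if __name__ == "__main__":
    print("acl[1] grants:", decode_mask(0x0012008f))
    print("traverse on Windows:", can_traverse(VMDIR_ACL, "machine$", True))
    print("traverse via realpath():", can_traverse(VMDIR_ACL, "machine$"))
```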