Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 08/10/12 02:56, Matthieu Patou wrote:
> Steve
>
>> Hi Rowland
>> Thanks for that. I've now got a security tab back. But still no folder
>> redirection :(
>> Having the security tab back on \\hh1\USERS now gives everyone permission
>> to enter and create files in the share, and now Administrator has his
>> Application Data redirected to the share. He has a file under \\hh1\USERS
>> as per the GPO. However, ordinary users, whilst able to read and write the
>> share, do not have their Application Data redirected. Still works fine for
>> all users with XP but not W7.
>
> Obviously the biggest change between XP and Seven is the fact that Seven
> will use SMB 2.x by default when XP can do SMB/CIFS. So you have to
> carefully look at the SMB2 trace between your client and the Samba server
> when doing it with an administrator (which works if I understood your
> emails) and a normal user. Most probably our fileserver either denies
> something to simple users or didn't answer correctly. For this you'll need
> to use Wireshark. Once you have more information we might be able to help
> you; providing information + traces (if no sensitive information) might
> help even more.
>
> Matthieu.

Hi Matthieu

Thanks for the offer of help.

Summary:
1. The Folder redirection GPO works fine for all users with XP and with Administrator on W7.
2. The folder redirection GPO does not work for ordinary domain users on W7.
3. I have run samba-tool ntacl sysvolreset

Here is a screenshot of the GPO:
http://dl.dropbox.com/u/45150875/gpo.png

Here is smb.conf:

[global]
        workgroup = MARINA
        realm = hh3.site
        netbios name = HH1
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winb
        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = Yes

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[profiles]
        path = /home2/profiles
        read only = No
        create mask = 0700

[USERS]
        path = /home2/USERS
        read only = No

Here is the Wireshark capture of Administrator logon and logoff:
http://dl.dropbox.com/u/45150875/logonadmin

Here is the Wireshark capture of a domain user, steve2, logon and logoff:
http://dl.dropbox.com/u/45150875/logonuser

In the user trace, there is no reference to the redirected folder on the server and none is created. The user seems unaware of the GPO.

TIA for any time you can give.
Cheers,
Steve
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 08/10/12 17:40, m...@matws.net wrote:
> Ok, can you check that this simple user can go in the \\server\sysvol
> folder and then access all the files under dnsnamedomain/policies, and
> cross check that this GPO is really applied by setting in the same GPO a
> rule for the wallpaper or something else visible.

Hi

I set the wallpaper in the same GPO:
http://dl.dropbox.com/u/45150875/gpowallpaper.png

This popup appears each time Administrator starts the GPO editor:
http://dl.dropbox.com/u/45150875/sysvolerror.png

Clicking OK gives 'Access is denied'. Same error whether I have run samba-tool ntacl sysvolreset or not. The GPO is created however.

Results:
1. Ordinary users can read anything in the sysvol share
2. The wallpaper GPO is ignored both for W7 Administrator and for W7 users.

Note: The wallpaper GPO doesn't work on XP either but I don't think it was implemented then.

Cheers,
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7
On 09/10/12 17:36, steve wrote:
> On 08/10/12 18:23, steve wrote:
>> On 08/10/12 17:40, m...@matws.net wrote:
>
> samba-tool ntacl sysvolreset --use-s3fs
>
> Now no user can enter sysvol:
>
> getfacl sysvol/
> # file: sysvol/
> # owner: root
> # group: wheel
> # flags: s--
> user::rwx
> user:root:rwx
> group::r--
> group:wheel:r--
> group:300:r--
> group:301:r--
> group:302:r--
> mask::rwx
> other::---
>
> Using wbinfo:
> 300 BUILTIN\Server Operators 4
> 301 NT AUTHORITY\SYSTEM 5
> 302 NT AUTHORITY\Authenticated Users 5
>
> but Authenticated Users do not get read access. . .

Cheers,
Steve
Re: [Samba] Samba4: Folder Redirection GPO not working with Windows 7 [SOLVED]
On 09/10/12 21:18, Ludek Finstrle wrote:
> Hello steve,
>
> Tue, Oct 09, 2012 at 05:54:48PM +0200, steve wrote:
>> On 09/10/12 17:36, steve wrote:
>>> On 08/10/12 18:23, steve wrote:
>>>> On 08/10/12 17:40, m...@matws.net wrote:
>>>
>>> samba-tool ntacl sysvolreset --use-s3fs
>>>
>>> Now no user can enter sysvol:
>>>
>>> getfacl sysvol/
>>> # file: sysvol/
>>> # owner: root
>>> # group: wheel
>>> # flags: s--
>>> user::rwx
>>> user:root:rwx
>>> group::r--
>>> group:wheel:r--
>>> group:300:r--
>>> group:301:r--
>>> group:302:r--
>>> mask::rwx
>>> other::---
>>>
>>> Using wbinfo:
>>> 300 BUILTIN\Server Operators 4
>>> 301 NT AUTHORITY\SYSTEM 5
>>> 302 NT AUTHORITY\Authenticated Users 5
>>>
>>> but Authenticated Users do not get read access. . .
>
> Maybe I'm wrong, but in the unix world you need the x bit to be able to
> go into the directory.
>
> Luf

Hi Luf, hi everyone

OK, this was the clue I needed. I set the ACEs to r-x:

setfacl -Rm g:300:rx sysvol/
setfacl -Rm g:301:rx sysvol/
setfacl -Rm g:302:rx sysvol/
setfacl -Rm g::rx sysvol/
setfacl -Rm g:wheel:rx sysvol/

and the same for the default ACEs:

setfacl -d -Rm g:300:rx sysvol/
(...)

The ACEs now look like this:

getfacl sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:300:r-x
group:301:r-x
group:302:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:301:r-x
default:group:302:r-x
default:mask::r-x
default:other::---

Conclusion:
The sysvol ACLs are not set correctly after running:
samba-tool ntacl sysvolreset
because e.g. Authenticated Users cannot get into the share to read the GPOs.

Maybe this is just with my distro, openSUSE, as others have not reported any problems. Could a dev have a look at it? I'm sure I've not set the sysvol ACLs correctly, but at least now folder redirection works.

Cheers,
Steve
[Samba] ntacl sysvolreset does not create correct ACL's
Hi

Version 4.1.0pre1-GIT-957f9fa
openSUSE 12.2

After running samba-tool ntacl sysvolreset these are the ACEs produced:

getfacl sysvol/
# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:300:r--
group:301:r--
group:302:r--
mask::rwx
other::---

I got the group names from wbinfo. The group numbers correspond to:
300 BUILTIN\Server Operators 4
301 NT AUTHORITY\SYSTEM 5
302 NT AUTHORITY\Authenticated Users 5

Problem:
GPOs do not work. I think this is due to the r-- only ACE. Users, authenticated or not, do not have access to sysvol to be able to read the GPOs because of the r--

I changed the ACL by adding an r-x and rwx after comparing what a working installation on Ubuntu gave:

# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r-x
group:wheel:r-x
group:300:r-x
group:301:rwx
group:302:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:300:r-x
default:group:301:rwx
default:group:302:r-x
default:mask::rwx
default:other::---

and now the GPOs work again. However, running sysvolreset returns the ACL to the r-- state.

I tested this on Ubuntu where sysvolreset works fine, producing r-x and rwx ACEs in the correct place. I think the problem must be distro specific. Works for Ubuntu, not for openSUSE. Is there something in the script which makes it distro dependent? I notice Ubuntu uses different owning groups (adm Ubuntu, wheel openSUSE)?

Cheers,
Steve
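An added example, not part of either sysvol thread above: a POSIX shell audit that reads getfacl output for a directory such as sysvol and reports the ACL entries that lack the search (x) bit, the condition that locked Authenticated Users out of the GPOs. The two ACLs embedded below are constructed from the broken and the corrected listings quoted in the thread, and the gid-to-name table is the wbinfo mapping quoted there (real ids differ per installation).

```shell
#!/bin/sh
# Added example: audit POSIX ACLs on a directory for entries without the
# execute (search) bit. On a directory, r-- lets a principal read the
# directory entry list in theory but not traverse into it, so GPO files
# underneath stay unreachable even though "read" looks granted.

# Constructed sample: the ACL after "samba-tool ntacl sysvolreset" on openSUSE.
BROKEN_ACL='# file: sysvol/
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:rwx
group::r--
group:wheel:r--
group:300:r--
group:301:r--
group:302:r--
mask::rwx
other::---'

# Constructed sample: the ACL after the setfacl -Rm g:...:rx fixes.
FIXED_ACL='# file: sysvol
# owner: root
# group: wheel
# flags: s--
user::rwx
user:root:r-x
group::r-x
group:wheel:r-x
group:300:r-x
group:301:r-x
group:302:r-x
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:301:r-x
default:group:302:r-x
default:mask::r-x
default:other::---'

# Print every access or default entry whose permission field has no 'x'.
# "other" entries are skipped: denying traversal to everyone else is usually
# intended, whereas a named group (e.g. Authenticated Users) without 'x'
# means members of that group can reach nothing below the directory.
# Reads getfacl text on stdin; prints one offending entry per line.
acl_entries_missing_x() {
    grep -v '^#' | grep -v '^$' | while IFS= read -r entry; do
        case "$entry" in
            other::*|default:other::*) continue ;;
        esac
        perms=${entry##*:}
        case "$perms" in
            *x*) ;;
            *) printf '%s\n' "$entry" ;;
        esac
    done
}

# Exit 0 if every named principal can traverse the directory, 1 otherwise.
acl_is_traversable() {
    [ -z "$(printf '%s\n' "$1" | acl_entries_missing_x)" ]
}

# Constructed lookup from the wbinfo output in the thread.
gid_name() {
    case "$1" in
        300) printf '%s\n' 'BUILTIN\Server Operators' ;;
        301) printf '%s\n' 'NT AUTHORITY\SYSTEM' ;;
        302) printf '%s\n' 'NT AUTHORITY\Authenticated Users' ;;
        *)   printf 'gid %s\n' "$1" ;;
    esac
}

# Report, in domain terms, which principals are locked out of the directory.
report_locked_out() {
    printf '%s\n' "$1" | acl_entries_missing_x | while IFS= read -r entry; do
        case "$entry" in
            group:[0-9]*:*|default:group:[0-9]*:*)
                gid=${entry#*group:}
                gid=${gid%%:*}
                printf '%s cannot traverse (%s)\n' "$(gid_name "$gid")" "$entry" ;;
            *)
                printf 'entry %s lacks x\n' "$entry" ;;
        esac
    done
}

# Demonstration on the two constructed ACLs.
printf 'Broken sysvol ACL:\n'
report_locked_out "$BROKEN_ACL"
if acl_is_traversable "$FIXED_ACL"; then
    printf 'Fixed sysvol ACL: every named principal can traverse\n'
fi
```

On a live server, feed `getfacl /usr/local/samba/var/locks/sysvol` into acl_entries_missing_x instead of the embedded samples; note that the mask entry caps the effective rights of every named entry, so a default:mask of r-x also keeps newly created policy directories at r-x.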
Re: [Samba] samba4 - setting acl rwx but getting r-x
On 11/10/12 20:13, Innocent Yevide wrote:
> Hello,
> I am having a problem setting permissions on a shared folder: the folder is
> datasamba/common and after I set full permission for a user itester (317)
> and also tester (318), I could see that it is only granting r-x to those
> users, but I could see from the default permissions that they have rwx.

317 and 318 seem to be groups. How about:

setfacl -m g:317:rwx /datasamba/common

Cheers,
Steve
Re: [Samba] samba4 - setting acl rwx but getting r-x
On 11/10/12 22:36, Innocent Yevide wrote:
> Hi again,
> the situation here is more complicated in that for any new folder created
> within the parent folder, I have to run the setfacl manually. It is just
> not nice.

Hi

With:
default:group:317:rwx
any folder you create in the share should also become rwx, so you need only run the setfacl once. Isn't that the case?

Cheers,
Steve

> Regards,
> Inno.
>
> *From:* Innocent Yevide inye...@yahoo.fr
> *To:* steve st...@steve-ss.com
> *Cc:* samba@lists.samba.org samba@lists.samba.org
> *Sent:* Thursday, 11 October 2012 23:37
> *Subject:* Re: [Samba] samba4 - setting acl rwx but getting r-x
>
> Hi Steve,
> Thanks for answering. This is what I did for the time being, but it means
> any time I grant write permission to a user on a shared folder (from
> Windows), I will have to come to Linux and run the below command. I was
> wondering whether maybe I missed something to configure, or it is a bug.
>
> Best Regards,
> Inno.
>
> *From:* steve st...@steve-ss.com
> *To:* samba@lists.samba.org
> *Sent:* Thursday, 11 October 2012 22:28
> *Subject:* Re: [Samba] samba4 - setting acl rwx but getting r-x
>
> On 11/10/12 20:13, Innocent Yevide wrote:
>> Hello,
>> I am having a problem setting permissions on a shared folder: the folder
>> is datasamba/common and after I set full permission for a user itester
>> (317) and also tester (318), I could see that it is only granting r-x to
>> those users, but I could see from the default permissions that they have
>> rwx.
>
> 317 and 318 seem to be groups. How about:
>
> setfacl -m g:317:rwx /datasamba/common
>
> Cheers,
> Steve
[Samba] Change DNS method?
Is it possible to change from the internal name server to BIND once you've provisioned a domain? I set mine up with the internal one since it seemed easier, but then discovered the only way for my DHCP clients to update their names in DNS is via BIND, so I'd rather use that instead.

Thanks in advance for any advice!
[Samba] rsync sysvol problem
samba --version
Version 4.0.0rc3-GIT-293b100

Hi

I have a problem backing up my sysvol folder. Here is the ACL after running:
samba-tool ntacl sysvolreset

getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: Administrator
# group: wheel
# flags: s--
user::rwx
user:Administrator:rwx
group::rwx
group:wheel:rwx
group:300:r-x
group:301:rwx
group:302:r-x
mask::rwx
other::---

I then try to back it up, e.g.
rsync -auzv /usr/local/samba/var/locks/sysvol /usr/local

But the ACL is not preserved:

getfacl /usr/local/sysvol
# file: sysvol
# owner: Administrator
# group: wheel
# flags: s--
user::rwx
group::rwx
other::---

Am I missing an option with rsync -auzv?

Cheers,
Steve
Re: [Samba] rsync sysvol problem
On 16/10/12 14:57, Rowland Penny wrote:
> On 16/10/12 13:16, steve wrote:
>> Am I missing an option with rsync -auzv?
>
> Hi Steve, how about:
>
> -A, --acls preserve ACLs (implies --perms)

Hi Rowland

Thanks. Works perfectly.

Cheers,
Steve
Re: [Samba] [Announce] Samba 4.0.0rc3 Available for Download
On 16/10/12 10:31, Karolin Seeger wrote:
> Release Announcements
> -
> This is the third release candidate of Samba 4.0.

Hi

I've been updating from the v4-0-test branch and have landed at:
Version 4.0.0rc3-GIT-293b100

A git pull tells me that it is Already up to date. To get rc3 do I have to download the tarball and rebuild?

Cheers,
Steve
Re: [Samba] [Announce] Samba 4.0.0rc3 Available for Download
On 16/10/12 18:12, Michael Wood wrote:
> On 16 October 2012 15:10, steve st...@steve-ss.com wrote:
>> On 16/10/12 10:31, Karolin Seeger wrote:
>>> Release Announcements
>>> -
>>> This is the third release candidate of Samba 4.0.
>>
>> Hi
>>
>> I've been updating from the v4-0-test branch and have landed at:
>> Version 4.0.0rc3-GIT-293b100
>>
>> A git pull tells me that it is Already up to date. To get rc3 do I have to
>> download the tarball and rebuild?
>
> If you run the following you will see the rc3 tag:
>
> $ git tag | grep 4.*rc
> release-3-4-0rc1
> samba-3.4.0rc1
> samba-4.0.0rc1
> samba-4.0.0rc2
> samba-4.0.0rc3
>
> What you can do is create a new local branch pointing at samba-4.0.0rc3
> like this:
>
> $ git checkout -b v4.0.0rc3 samba-4.0.0rc3
> Switched to a new branch 'v4.0.0rc3'
>
> That should (unless I am mistaken) be identical to the tarball.
>
> If you want to switch back to the v4-0-test branch again later, just do
> this:
>
> $ git checkout v4-0-test

Hi

I get:

git branch
  master
  v4-0-test
* v4.0.0rc3

and then an error:

git pull
There is no tracking information for the current branch.
Please specify which branch you want to merge with.
See git-pull(1) for details

    git pull <remote> <branch>

If you wish to set tracking information for this branch you can do so with:

    git branch --set-upstream v4.0.0rc3 origin/<branch>

I've tried reading man git and man git-pull but it's another project in its own right :(

Is there anything simple I can do?

Cheers,
Steve
Re: [Samba] [Announce] Samba 4.0.0rc3 Available for Download
On 17/10/12 11:37, steve wrote:
> On 16/10/12 18:12, Michael Wood wrote:
>> On 16 October 2012 15:10, steve st...@steve-ss.com

Also, the v4-0-test branch has disappeared. . .
Re: [Samba] [Announce] Samba 4.0.0rc3 Available for Download
On 16/10/12 15:17, Rowland Penny wrote:
> On 16/10/12 14:10, steve wrote:
>> To get rc3 do I have to download the tarball and rebuild?
>>
>> Cheers,
>> Steve
>
> Hi again Steve, in a nutshell, yes

Hi Rowland

Where do you get it? I looked here:
https://ftp.samba.org/pub/samba/samba4/
but the latest version is beta8

Any ideas?

Cheers,
Steve
[Samba] mount.cifs: regular freezes with s3fs
cifs-utils-5.6
samba Version 4.0.0rc3
openSUSE 12.2
LAN of XP, W7 and Linux clients under Samba4 DC and s3fs fileserver

Hi

I am testing the possibility of migrating from NFS to CIFS to serve our Linux clients. Currently we mount the Samba shares, e.g. the home directory, using NFS. The test setup is that instead of:

mount -t nfs hh1:/home2 /home2 -osec=rw,krb5

I changed to:

mount -t cifs //hh1/home2 /home2 -osec=rw,sec=krb5,multiuser

This works fine for console logins, but is very slow (unusable) for graphical logins to either LXDE or XFCE. The login sometimes works:

Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:57380 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:41237 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-10-18T09:57:33 starttime: unset endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable, forwardable
Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:50790 for host/hh7.hh3.s...@hh3.site [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:57:33 endtime: 2012-10-18T10:02:33 renew till: 2012-10-19T09:55:48
Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:44350 for cifs/h...@hh3.site [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:57:33 endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48

But then as soon as we open the file manager (or do anything else) it freezes for as long as 5 minutes, before it makes another cifs request and comes alive for a while:

Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:58872 for cifs/h...@hh3.site [canonicalize, renewable, forwardable]
Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:59:58 endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48

It is then OK for a few minutes more until it freezes again until the next cifs request etc etc. . .

This sometimes occurs in the Samba log but with different files each time:

usr/local/samba/sbin/smbd: Oplock break failed for file home/steve3/.cache/openbox/openbox.log -- replying anyway

Here is the test smb.conf:

# Global parameters
[global]
        workgroup = MARINA
        realm = hh3.site
        netbios name = HH1
        server role = active directory domain controller
        dns forwarder = 192.168.1.1
        idmap_ldb:use rfc2307 = Yes
        unix extensions = Yes
        panic action = /home/steve/samba-master/selftest/gdb_backtrace %d

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home2]
        path = /home2
        read only = No

Here is the Wireshark capture of a login and a 'cifs freeze'.
https://dl.dropbox.com/u/45150875/cifs-freeze

Please note that this works fine for the same user and data with both NFSv3 and NFSv4.

Any help would be most gratefully received.

Cheers,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 18/10/12 11:48, Jeff Layton wrote:
> On Thu, 18 Oct 2012 10:18:05 +0200
> steve st...@steve-ss.com wrote:
>
>> cifs-utils-5.6
>> samba Version 4.0.0rc3
>> openSUSE 12.2
>> LAN of XP, W7 and Linux clients under Samba4 DC and s3fs fileserver
>>
>> Hi
>>
>> I am testing the possibility of migrating from NFS to CIFS to serve our
>> Linux clients. Currently we mount the Samba shares, e.g. the home
>> directory, using NFS. The test setup is that instead of:
>>
>> mount -t nfs hh1:/home2 /home2 -osec=rw,krb5
>>
>> I changed to:
>>
>> mount -t cifs //hh1/home2 /home2 -osec=rw,sec=krb5,multiuser
>>
>> This works fine for console logins, but is very slow (unusable) for
>> graphical logins to either LXDE or XFCE. The login sometimes works:
>>
>> Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:57380 for krbtgt/hh3.s...@hh3.site
>> Kerberos: Client sent patypes: 149
>> Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
>> Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
>> Kerberos: No preauth found, returning PREAUTH-REQUIRED -- ste...@hh3.site
>> Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.41:41237 for krbtgt/hh3.s...@hh3.site
>> Kerberos: Client sent patypes: encrypted-timestamp, 149
>> Kerberos: Looking for PKINIT pa-data -- ste...@hh3.site
>> Kerberos: Looking for ENC-TS pa-data -- ste...@hh3.site
>> Kerberos: ENC-TS Pre-authentication succeeded -- ste...@hh3.site using arcfour-hmac-md5
>> Kerberos: AS-REQ authtime: 2012-10-18T09:57:33 starttime: unset endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
>> Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
>> Kerberos: Requested flags: renewable, forwardable
>> Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:50790 for host/hh7.hh3.s...@hh3.site [canonicalize, renewable, forwardable]
>> Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:57:33 endtime: 2012-10-18T10:02:33 renew till: 2012-10-19T09:55:48
>> Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:44350 for cifs/h...@hh3.site [canonicalize, renewable, forwardable]
>> Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:57:33 endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
>>
>> But then as soon as we open the file manager (or do anything else) it
>> freezes for as long as 5 minutes, before it makes another cifs request
>> and comes alive for a while:
>>
>> Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>> Kerberos: TGS-REQ ste...@hh3.site from ipv4:192.168.1.41:58872 for cifs/h...@hh3.site [canonicalize, renewable, forwardable]
>> Kerberos: TGS-REQ authtime: 2012-10-18T09:57:33 starttime: 2012-10-18T09:59:58 endtime: 2012-10-18T19:57:33 renew till: 2012-10-19T09:55:48
>>
>> It is then OK for a few minutes more until it freezes again until the
>> next cifs request etc etc. . .
>>
>> This sometimes occurs in the Samba log but with different files each time:
>>
>> usr/local/samba/sbin/smbd: Oplock break failed for file home/steve3/.cache/openbox/openbox.log -- replying anyway
>>
>> Here is the test smb.conf:
>>
>> # Global parameters
>> [global]
>>         workgroup = MARINA
>>         realm = hh3.site
>>         netbios name = HH1
>>         server role = active directory domain controller
>>         dns forwarder = 192.168.1.1
>>         idmap_ldb:use rfc2307 = Yes
>>         unix extensions = Yes
>>         panic action = /home/steve/samba-master/selftest/gdb_backtrace %d
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>> [home2]
>>         path = /home2
>>         read only = No
>>
>> Here is the Wireshark capture of a login and a 'cifs freeze'.
>> https://dl.dropbox.com/u/45150875/cifs-freeze
>>
>> Please note that this works fine for the same user and data with both
>> NFSv3 and NFSv4.
>
> I think you probably want to send this sort of thing to
> linux-c...@vger.kernel.org (cc'ed here), and not to me directly.

Sorry, I'll join the list.

> What kernel is the client running here?

3.4.6-2.10-desktop

Thanks,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 18/10/12 14:17, Jeff Layton wrote:
> On Thu, 18 Oct 2012 13:21:39 +0200
> steve st...@steve-ss.com wrote:
>> On 18/10/12 11:48, Jeff Layton wrote:
>>> On Thu, 18 Oct 2012 10:18:05 +0200
>>> steve st...@steve-ss.com wrote:
>
> The capture is not complete, since it doesn't contain the TCP connection
> setup. Thus, I can't offer any root causes for the hang...
>
> Everything seems to be swimming along just fine until frame 835. At that
> point the server issues an oplock break for FID 0x8b11 to which the
> client does not respond. This happens just after a call to unlink
> /home/steve3/.cache/openbox/openbox.log. Most likely the client had that
> file open and oplocked so the server issued this prior to allowing the
> unlink to proceed. The client never responds to that oplock break though
> and the server eventually gives up.
>
> Unfortunately, there is no record of FID 0x8b11 in the capture (the open
> apparently predates when it was started), so I can't offer much more in
> the way of explanation. Most likely this is a client bug, so you may want
> to try a more recent kernel on the client and see if it helps. If it
> doesn't though, then I'd recommend getting a more complete capture that
> we can analyze.
>
> I'll make one other general recommendation. Consider setting
> min receivefile size on the server. That allows you to do large POSIX
> writes which may help performance in general.

Hi Jeff

It looks as though the error is with s3fs. I set up a separate fileserver against the DC with Samba 3.6.7 and it works perfectly. I also tested an Ubuntu DC with a 3.6.3 fileserver. Also OK.

I know it's not recommended to use s3fs for fileserving but maybe the s3fs devs need to know about this? If so, I'll need the correct trace. From what you've said I need to start the trace before the client boots and mounts the share (?). One of the problems in getting a trace is that it takes many attempts to get a successful login. It quite often hangs during logon and goes no further.

I had a quick look at the min receivefile size. Numbers vary but values around 16000 seem popular. Any recommendations?

Any help you can give me in reporting this to the team would be most gratefully received.

Thanks for your time,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 18/10/12 17:55, steve wrote:
> On 18/10/12 14:17, Jeff Layton wrote:
>> On Thu, 18 Oct 2012 13:21:39 +0200
>> steve st...@steve-ss.com wrote:
>>> On 18/10/12 11:48, Jeff Layton wrote:
>>>> On Thu, 18 Oct 2012 10:18:05 +0200
>>>> steve st...@steve-ss.com wrote:
>>
>> The capture is not complete, since it doesn't contain the TCP connection
>> setup. Thus, I can't offer any root causes for the hang...
>>
>> Everything seems to be swimming along just fine until frame 835. At that
>> point the server issues an oplock break for FID 0x8b11 to which the
>> client does not respond. This happens just after a call to unlink
>> /home/steve3/.cache/openbox/openbox.log. Most likely the client had that
>> file open and oplocked so the server issued this prior to allowing the
>> unlink to proceed. The client never responds to that oplock break though
>> and the server eventually gives up.
>>
>> Unfortunately, there is no record of FID 0x8b11 in the capture (the open
>> apparently predates when it was started), so I can't offer much more in
>> the way of explanation. Most likely this is a client bug, so you may want
>> to try a more recent kernel on the client and see if it helps. If it
>> doesn't though, then I'd recommend getting a more complete capture that
>> we can analyze.
>>
>> I'll make one other general recommendation. Consider setting
>> min receivefile size on the server. That allows you to do large POSIX
>> writes which may help performance in general.
>
> Hi Jeff
>
> It looks as though the error is with s3fs. I set up a separate fileserver
> against the DC with Samba 3.6.7 and it works perfectly. I also tested an
> Ubuntu DC with a 3.6.3 fileserver. Also OK.
>
> I know it's not recommended to use s3fs for fileserving but maybe the s3fs
> devs need to know about this? If so, I'll need the correct trace. From
> what you've said I need to start the trace before the client boots and
> mounts the share (?). One of the problems in getting a trace is that it
> takes many attempts to get a successful login. It quite often hangs
> during logon and goes no further.
>
> I had a quick look at the min receivefile size. Numbers vary but values
> around 16000 seem popular. Any recommendations?
>
> Any help you can give me in reporting this to the team would be most
> gratefully received.

Hi

I managed to get a trace from just before:
mount -t cifs //hh1/home2 /home2 -osec=krb5,multiuser,rw
through user login, freeze (twice) and user logout until the login prompt returned:
https://dl.dropbox.com/u/45150875/cifs-freeze2

Cheers,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 18/10/12 18:28, John Drescher wrote:
>> through user login, freeze (twice) and user logout until the login
>> prompt returned:
>> https://dl.dropbox.com/u/45150875/cifs-freeze2
>
> When I click the above link I get:
> We can't find the page you're looking for. Check out our Help Center and
> forums for help, or head back to home.
>
> John

Sorry, it hadn't synced. It's there now.

Cheers,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 18/10/12 19:52, Jeff Layton wrote:
> On Thu, 18 Oct 2012 18:34:07 +0200
> steve st...@steve-ss.com wrote:
>> On 18/10/12 18:28, John Drescher wrote:
>>>> through user login, freeze (twice) and user logout until the login
>>>> prompt returned:
>>>> https://dl.dropbox.com/u/45150875/cifs-freeze2
>>>
>>> When I click the above link I get:
>>> We can't find the page you're looking for. Check out our Help Center
>>> and forums for help, or head back to home.
>>>
>>> John
>>
>> Sorry, it hadn't synced. It's there now.
>>
>> Cheers,
>> Steve
>
> In this one, I don't see any issues with oplock breaks. I also don't see
> any calls that are taking longer than expected. I do see a bunch of
> page-sized reads in the capture for what appear to be sequential reads.
> Reads also seem to be serialized, which makes me think it's falling into
> the readpage codepath. There were some fixes to rsize handling in later
> kernels, so it's probably worthwhile to test those before you do too
> much debugging.

Hi

I'm sure it's not a kernel issue:

S4 DC, s3fs file server (s3fs on the DC), kernel 3.4.6 - Freezes
S4 DC, 3.6.3 file server, kernel 3.2.0 - works fine
S4 DC, 3.6.7 file server, kernel 3.4.6 - works fine

Summary: with a separate Samba 3 file server, the same kernel which gives freezes under s3fs works correctly.

The problem is different every time. Sometimes it hangs completely on login, sometimes it logs in and then freezes for long periods.

Cheers,
Steve
Re: [Samba] mount.cifs: regular freezes with s3fs
On 19/10/12 00:37, Matthieu Patou wrote:
> On 10/18/2012 11:11 AM, steve wrote:
>> On 18/10/12 19:52, Jeff Layton wrote:
>>> On Thu, 18 Oct 2012 18:34:07 +0200
>>> steve st...@steve-ss.com wrote:
>>
>> Hi
>>
>> I'm sure it's not a kernel issue:
>>
>> S4 DC, s3fs file server (s3fs on the DC), kernel 3.4.6 - Freezes
>> S4 DC, 3.6.3 file server, kernel 3.2.0 - works fine
>> S4 DC, 3.6.7 file server, kernel 3.4.6 - works fine
>>
>> Summary: with a separate Samba 3 file server, the same kernel which
>> gives freezes under s3fs works correctly.
>
> Compare apples with apples: are you using the same configuration in 3.6.7
> as the one in s3fs (that is generated by the Samba AD DC)? Most probably
> not. Can you try two tracks:
>
> 1) try to make your Samba 3.6.7 config look like the one of s3fs; please
> note that some defaults have changed in s3fs like vfs objects that force
> the use of acl_xattr. Also you have to pay attention to whether there are
> folders/files in the share that you serve that are owned by users/groups
> of the domain in both cases, as you might in one case kick off winbindd
> calls for each and every SID that you have and in the other case you
> won't.
>
> 2) try to use a newer kernel with current s3fs to see if it resolves the
> problem.
>
> Matthieu.

Hi

2) seems easier so I installed the 3.6.0 kernel on the client. There are still long periods where the session freezes. Samba outputs this:

/usr/local/samba/sbin/smbd: Oplock break failed for file home/steve2/.cache/openbox/openbox.log -- replying anyway

Here is the trace:
https://dl.dropbox.com/u/45150875/cifs-freeze3

Re 1)
- Removing acl_xattr makes no difference.
- All users who access the share are domain users belonging to the Domain Users group.
- To compare apples I would need to sync sysvol to the S3 fileserver and leave just the global section in smb.conf on the DC. Yes?
- Will s3fs be able to work better serving cifs at a later date? Maybe this part of it has not been addressed yet.
- Perhaps at the moment the best way to do this is to have an S3 VM on the DC to do the file and print serving.

Cheers and thanks for your help,
Steve
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
> On 10/18/2012 2:07 PM, scott.lovenb...@gmail.com wrote:
> no one has objected (or really said anything). Can we merge this patch?

Hi
I'm just trying to represent users. Can we take this to user level by giving an example of what will work and what will not work after the patch?

For example, the Linux automounter. Currently, we have this map:

* -fstype=cifs,rw,sec=krb5 ://myserver/myshare/

Are you talking about the difference between that and this:

* -fstype=cifs,rw,sec=krb5 myserver:/myshare/

Question: will I need to change anything due to this patch?

Cheers,
Steve
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On 10/23/2012 07:02 PM, Jeff Layton wrote:
> On Tue, 23 Oct 2012 18:47:37 +0200
> steve st...@steve-ss.com wrote:
>> On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
>> Currently, we have this map:
>> * -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
>
> Does that really work? What purpose does the ':' serve there?

Yes. They always put a ':' before the mount except for the default NFS. I took a look at the example /etc/auto.misc which comes (commented out) with openSUSE. They always put a ':'.

> That should probably be removed. I doubt we'd end up breaking that syntax, but I can't be certain.

Just to say that this is a seemingly innocuous patch, but one which may lead to confusion.

HTH,
Steve
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On 10/23/2012 07:27 PM, Scott Lovenberg wrote:
> On Tue, Oct 23, 2012 at 12:47 PM, steve st...@steve-ss.com wrote:
>> On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
>>> On 10/18/2012 2:07 PM, scott.lovenb...@gmail.com wrote:
>>> no one has objected (or really said anything). Can we merge this patch?
>>
>> Hi
>> I'm just trying to represent users. Can we take this to user level by giving an example of what will work and what will not work after the patch?
>
> I should clarify, this patch doesn't change the behavior of the mount utility, it just warns the user that in future releases the syntax that they are using will be removed. The patch to remove the behavior is going to be in a later release.
>
> What will work is any path that begins with // or \\ which is a normal UNC. So your normal //server/share path is fine. NFS syntax allows for you to specify the path like server:/share. That syntax will no longer work in cifs-utils 6.0.
>
>> For example, the Linux automounter. Currently, we have this map:
>> * -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
>> Are you talking about the difference between that and this:
>> * -fstype=cifs,rw,sec=krb5 myserver:/myshare/
>> Question: will I need to change anything due to this patch?
>
> Quite the opposite, the //myserver/myshare is correct, myserver:/myshare will no longer work. The ':' is part of the automounter's map syntax. It will use the path //myserver/myshare.

Hi Scott, hi everyone
Yeah, that's fine.

> Does this clear up the issue with the ':'?

I should have made it clearer that I was referring to autofs and not mounting e.g. from fstab. I just tried the automounter on cifs without the ':' and it doesn't work. Would it perhaps help to put a message in the logs when it fails, rather than silence? Or maybe that's more of a question for the autofs guys.

Cheers,
Steve
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On 23/10/12 19:36, Jeff Layton wrote:
> On Tue, 23 Oct 2012 19:22:32 +0200
> steve st...@steve-ss.com wrote:
>> On 10/23/2012 07:02 PM, Jeff Layton wrote:
>>> On Tue, 23 Oct 2012 18:47:37 +0200
>>> steve st...@steve-ss.com wrote:
>>>> On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
>
> Well, better confusion now than confusion when it breaks. cifs really is just too loose about the syntax of things that it accepts, which sounds great until you have to test all of the different variations...

Hi
As devs you have the power to change that. Users need to have it 'just work'. Simply tell us what the syntax is and we'll stick to it gladly. All we need is documentation which says, in plain straightforward English, something like:

This is the syntax allowed:
(say it in dev terms with all [:\\|//{ sort of stuff if you like)

And here are some real examples:
mount -t cifs //server/share /mnt
etc, etc.

Just make it clear and please don't give alternatives.

Cheers,
Steve
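A checker for the map syntax this thread goes over, added here and not code from cifs-utils or from any of the posts: it reads an autofs indirect map, strips the leading ':' that the automounter uses to mark a non-NFS location (so ://myserver/myshare reaches mount.cifs as //myserver/myshare), and reports which cifs entries still use the server:/share form that cifs-utils 6.0 stops accepting. The map lines are constructed from the two quoted in the thread.

```python
import re

# A normal UNC: //server/share or \\server\share, optionally with a deeper path.
UNC_RE = re.compile(r"^(?://|\\\\)(?P<server>[^/\\]+)[/\\](?P<share>[^/\\]+)")
# NFS-style server:/share, the form cifs-utils 6.0 stops accepting.
NFS_STYLE_RE = re.compile(r"^(?P<server>[^:/\\]+):/(?P<share>[^/]+)")


def classify_share_path(path):
    """Return 'unc', 'nfs-style' or 'unknown' for a mount.cifs source path."""
    if UNC_RE.match(path):
        return "unc"
    if NFS_STYLE_RE.match(path):
        return "nfs-style"
    return "unknown"


def parse_autofs_map_line(line):
    """Split an indirect-map line 'key [-options] location' into its parts.
    Returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    options = [f for f in fields[1:] if f.startswith("-")]
    locations = [f for f in fields[1:] if not f.startswith("-")]
    return {"key": fields[0], "options": options,
            "location": locations[0] if locations else ""}


def share_path_from_location(location):
    """A location written as ':' + path is automounter syntax for 'no NFS
    host': the part after the ':' is what gets handed to mount.cifs."""
    return location[1:] if location.startswith(":") else location


def check_autofs_map(text):
    """For every cifs entry, report whether its path is a UNC (still fine),
    NFS-style (deprecated) or something else."""
    verdicts = {"unc": "ok",
                "nfs-style": "deprecated: rewrite as //server/share",
                "unknown": "not a recognised cifs path"}
    report = []
    for line in text.splitlines():
        entry = parse_autofs_map_line(line)
        if entry is None:
            continue
        # Flatten '-fstype=cifs,rw,sec=krb5' style option words into a set.
        opts = {o for word in entry["options"] for o in word.lstrip("-").split(",")}
        if "fstype=cifs" not in opts:
            continue
        path = share_path_from_location(entry["location"])
        report.append({"key": entry["key"], "path": path,
                       "verdict": verdicts[classify_share_path(path)]})
    return report


# Constructed map holding the two forms discussed in the thread.
SAMPLE_MAP = """\
# constructed /etc/auto.cifs
* -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
data -fstype=cifs,rw,sec=krb5 myserver:/myshare/
"""

if __name__ == "__main__":
    for row in check_autofs_map(SAMPLE_MAP):
        print(f"{row['key']:6} {row['path']:24} {row['verdict']}")
```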
Re: [Samba] Error
On 24/10/12 11:00, Michael Wood wrote:
> Hi Andrew
>
> On 24 October 2012 10:06, Andrew Bartlett abart...@samba.org wrote:
>> On Tue, 2012-10-23 at 18:16 -0400, sandy.napo...@eccmg.cupet.cu wrote:
>
> Since an end-user is unlikely to have changed the ABI or know what that means, perhaps that message would make more sense if reworded? e.g.:
>
> Please report this error to ... along with the version of your OS and Samba (and gdb or whatever else you need to know). In the mean time, you can rerun configure with the --abi-check-disable option.

Hi Michael, Andrew, Sandy, everyone.
It's difficult for users to know what to ask when they have a problem. Perhaps it's easy for those who have worked with the code for the last 10 years or so, but for end users we just want plain English answers such as Michael suggests. It took me a long time to even think about joining samba-technical because I didn't want to interfere with something I know nothing about, viz coding.

Would it be possible that replies to _this_ list assume no high level knowledge? Just say it. As in Michael's example, a reply of:

<example reply>
Try this: rerun configure with the --abi-check-disable option
To do that, you need to type this:
./configure.developer --abi-check-disable
</example reply>

That's all it needs. For the devs it's easy. You know what he has to do. So why be so cryptic? Just tell him. We'll give you all you need. We'll test, break our systems, apply patches. . . anything we can do to help.

Also, please don't forget that some of us are not native speakers of English. Much of what is written here I have to translate for my work colleagues. Make it easy for me!

Regards,
Steve
Re: [Samba] Error
On 24/10/12 14:11, Michael Wood wrote:
> Hi Steve
> This only came up because the HOWTO recommended using ./configure.developer.

Hi Michael.
The HOWTO also recommends installation from the 4.1 master branch. Upon your tip, I switched to v4-0-test. Could it be that all the sysvol/dns/gpo problems we see here come from the bleeding edge? Would it perhaps be better to recommend new users an rc tarball or, for the more adventurous, the 4.0 test branch, and leave master for the developers?

Cheers,
Steve
[Samba] fotos
Hi brother. I've put some photos in our Dropbox folder so that we get to know it better. It's an everyday walk on an ordinary Sunday. The drought is obvious in the photos, and every morning the weather treats us to thick fog until midday. Next Tuesday is Patricia's birthday, and after buying her a couple of nice presents I'm thinking of inviting her out to dinner at her favourite restaurant. They're Argentinians, good people, and they have a photo of Ché Guevara hanging on the wall. Greetings and hugs to O and J.
Re: [Samba] nfs4 with Samba 4
On 27/01/13 11:27, kfarrag_992 wrote:
> OK my problem is:
> - I installed Samba4
> - I created a Domain
> - created users
> - Windows workstations joined the Domain
> - DNS is Bind9
> Everything is going OK for Windows users.
> I am a Windows administrator who started to convert to Linux lately, so please explain step by step, with examples, how you created the principal for nfs (which is a service, not a user) using the samba-tool command, as I couldn't understand what exactly that means: did you add it as a machine or as a service, and is there a difference?
> If you can reply with the needed steps to install an NFS server and configure it to authenticate using Kerberos authentication from Samba4 I would be thankful.
>
> --
> View this message in context: http://samba.2283325.n4.nabble.com/nfs4-with-Samba-4-tp4335728p4643339.html
> Sent from the Samba - General mailing list archive at Nabble.com.

Hi
We were using cifs/smb2 for the Windows clients and nfs for our Linux clients. The method is here:
http://linuxcostablanca.blogspot.com.es/p/samba-4.html

Specifically, to answer the nfs question, we made a user for nfs:

samba-tool user add nfs-user

then created the machine principal for the fileserver:

samba-tool spn add nfs/your.domain nfs-user

then stick it in the keytab:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=nfs/your.domain

gss seems to expect some sort of machine principal in the keytab too, so:

samba-tool domain exportkeytab /etc/krb5.keytab --principal=YOURSERVERHOSTNAME$

Don't forget to create the keytab on the clients too. You can do that after you join the domain:

net ads join -UAdministrator

then

net ads keytab create

You don't necessarily need a nfs principal on the clients:)

HTH,
Steve
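A check that the keytab really holds the two principals the steps above export, the nfs/<fqdn> service principal and the <HOST>$ machine account, added here and not code from the post or from Samba. It parses the text that klist -k prints; the sample output, the host name hh1.hh3.site and the realm HH3.SITE are constructed from the netbios name and realm in the smb.conf quoted elsewhere on this page.

```python
import re

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT layout).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/hh1.hh3.site@HH3.SITE
   2 HH1$@HH3.SITE
   2 host/hh1.hh3.site@HH3.SITE
"""

# One keytab entry: key version number followed by the principal name.
ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+)$")


def parse_klist(text):
    """Return {principal: kvno} for every entry line; the header, the
    'KVNO Principal' line and the dashes do not match ENTRY_RE."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("principal")] = int(m.group("kvno"))
    return entries


def required_principals(fqdn, realm, service="nfs"):
    """The two principals the post exports: <service>/<fqdn> and the machine
    account, which is the upper-cased short host name followed by '$'."""
    short = fqdn.split(".")[0].upper()
    return {f"{service}/{fqdn}@{realm}", f"{short}$@{realm}"}


def missing_principals(klist_text, fqdn, realm, service="nfs"):
    """Sorted list of required principals that are absent from the keytab;
    an empty list means gss has everything the post says it expects."""
    present = set(parse_klist(klist_text))
    return sorted(required_principals(fqdn, realm, service) - present)


if __name__ == "__main__":
    for principal, kvno in parse_klist(SAMPLE_KLIST).items():
        print(f"{kvno:>4} {principal}")
    print("missing:", missing_principals(SAMPLE_KLIST, "hh1.hh3.site", "HH3.SITE"))
```

On a real server run klist -k on the exported keytab and feed its output to missing_principals with the server's FQDN and realm.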
[Samba] Wrong acl and permissions on cifs mounted share
Hi everyone
I have these shares in smb.conf:

[home2]
path = /home2
read only = No

[home]
path = /home2/home
read only = No

I mount [home] on a Linux client like this:

mount -t cifs //hh1/home2 /home2 -osec=krb5,rw,multiuser

Here is the output of the mount command:

//hh1/home2 on /home2 type cifs (rw,relatime,vers=1.0,sec=krb5,cache=loose,unc=\\hh1\home2,multiuser,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.2,unix,posixpaths,serverino,acl,noperm,rsize=1048576,wsize=65536,actimeo=1)

Here are the acls on the relevant directories:

getfacl /home2
getfacl: Removing leading '/' from absolute path names
# file: home2
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

getfacl /home2/home
getfacl: Removing leading '/' from absolute path names
# file: home2/home
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

getfacl /home2/home/steve2
getfacl: Removing leading '/' from absolute path names
# file: home2/home/steve2
# owner: steve2
# group: Domain\040Users
user::rwx
group::r-x
other::r-x

Now, if steve2 logs in and creates a file on the cifs mounted share on the client:

steve2@hh10:~> touch s2.txt

it is created with universal read write access:

steve2@hh10:~> ls -l s2.txt
-rwxrwxrwx+ 1 steve2 Domain Users 0 Feb 1 12:08 s2.txt

getfacl s2.txt
# file: s2.txt
# owner: steve2
# group: Domain\040Users
user::rwx
user:steve2:rwx
group::rwx
group:Domain\040Users:rwx
mask::rwx
other::rwx

If I log into the fileserver as steve2 (i.e. when it's not mounted), it works fine and files are created as expected:

-rw-r--r-- 1 steve2 Domain Users 0 Feb 1 11:52 s3.txt

Question: Why does the cifs mounted share always create files with universal rw? What can I do to correct this?

Cheers,
Steve
[Samba] cifs: no control over file permissions
Hi everyone
This one is driving me crazy. Every file that is created in a cifs mounted share is ALWAYS created 0777:
-rwxrwxrwx+

Here is my smb.conf, tested with 4.0.3 and 4.1.0pre1-GIT-efd60ae:

[global]
workgroup = MARINA
realm = hh3.site
netbios name = HH1
server role = active directory domain controller
dns forwarder = 192.168.1.1
idmap_ldb:use rfc2307 = Yes
unix extensions = Yes
panic action = /home/steve/samba-master/selftest/gdb_backtrace %d

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home2]
path = /home2
read only = No

I mount [home2] like this:

mount -t cifs //server/home2 /mnt -orw,sec=krb5,multiuser

Now, any file created under /mnt always has universal rw. Creating a file in the unmounted share works fine. Files are created -rw-r--r-- as expected.

Can anyone see what I'm doing wrong?

Thanks,
Steve
[Samba] Fwd: Re: CIFS Mount Obeying ACLs
Sorry Andrew, I forgot to send to the list.

-------- Original Message --------
Subject: Re: [Samba] CIFS Mount Obeying ACLs
Date: Wed, 27 Feb 2013 09:32:48 +0100
From: steve st...@steve-ss.com
To: Andrew Martin amar...@xes-inc.com

On 27/02/13 01:03, Andrew Martin wrote:
> Hello,
>
> I have configured a Samba 3 fileserver (on Ubuntu 12.04) joined to a Samba 4.0.3 (AD) domain. I have configured a number of ACLs for restricting access to directories on the share, which works well when accessing the share from Windows. However, mounting the share from another Linux machine (Ubuntu 12.04) using CIFS does not appear to obey the ACLs (e.g. a user can access files that they should not have permission to access). Checking the kernel, I can see that CONFIG_CIFS_POSIX, CONFIG_CIFS_ACL and CONFIG_CIFS_XATTR are enabled:
>
> CONFIG_CIFS=m
> CONFIG_CIFS_STATS=y
> # CONFIG_CIFS_STATS2 is not set
> CONFIG_CIFS_WEAK_PW_HASH=y
> CONFIG_CIFS_UPCALL=y
> CONFIG_CIFS_XATTR=y
> CONFIG_CIFS_POSIX=y
> # CONFIG_CIFS_DEBUG2 is not set
> CONFIG_CIFS_DFS_UPCALL=y
> CONFIG_CIFS_FSCACHE=y
> CONFIG_CIFS_ACL=y
>
> Any ideas on why the CIFS mount will not obey the ACLs?
>
> Thanks,
>
> Andrew

Hi Andrew, hi everyone
4.0.4 git DC and file server

I'm tearing my hair out on this one too. No matter what I set in smb.conf or using setfacl on the Linux client, any file created on a cifs mount is _always_ created 0777. I see that the default in smb.conf is:

create mode = 0777

but even overriding this with:

create mode = 0644

either in [global] or in a separate share, still produces files with 0777 permissions no matter what.

I really would like to solve this one. Several threads here, on samba-technical and on my distro list have so far drawn a blank.

Cheers,
Steve
[Samba] cifs mount creates files with root:root permissions
I mount this share on a client:

[users]
comment = home folders
inherit acls = Yes
inherit permissions = Yes
path = /home
read only = No

using this as root on the client:

mount -t cifs //192.168.1.2/users /home -o rw,nosetuid

I then login as a user on the client authenticated via ldap. No problem. It takes me to the mounted folder and I can see my files. When I create a file it creates it as owner root:root. Not what I want!

How can I create files on the mount as user:group no matter who logs in?

Thanks.
Steve.
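An audit helper for the situation in the four cifs posts above (files created 0777 on a multiuser mount, root:root on a mount without it), added here and not code from any of the posts: it parses the option list that mount(8) prints (the line from the "Wrong acl and permissions" post is embedded as constructed sample input), notes the options that decide whose credentials and whose permission checks apply, and probes what mode a newly created file actually gets so the client-side result can be compared with what the server shows.

```python
import os
import stat
import tempfile

# The mount line quoted in the "Wrong acl and permissions" post, embedded
# here as constructed sample input.
SAMPLE_MOUNT_LINE = (
    "//hh1/home2 on /home2 type cifs (rw,relatime,vers=1.0,sec=krb5,"
    "cache=loose,unc=\\\\hh1\\home2,multiuser,uid=0,noforceuid,gid=0,"
    "noforcegid,addr=192.168.1.2,unix,posixpaths,serverino,acl,noperm,"
    "rsize=1048576,wsize=65536,actimeo=1)"
)


def parse_mount_line(line):
    """Split 'SRC on DST type FS (opts)' as printed by mount(8). Options
    become a dict: name -> value, or True for bare flags like 'multiuser'."""
    head, _, opt_part = line.partition(" (")
    source, _, rest = head.partition(" on ")
    target, _, fstype = rest.partition(" type ")
    options = {}
    for item in opt_part.rstrip(")").split(","):
        name, sep, value = item.partition("=")
        options[name] = value if sep else True
    return {"source": source, "target": target,
            "fstype": fstype.strip(), "options": options}


def review_options(options):
    """Notes on the options that decide whose credentials are used and who
    checks permissions; these are the first things to compare against the
    server side when modes on the mount look wrong."""
    notes = []
    if "multiuser" not in options:
        notes.append("no multiuser: every user on the client reaches the "
                     "server with the mounting user's credentials")
    if "noperm" in options:
        notes.append("noperm: the client skips its own permission checks and "
                     "relies on the server's")
    if "unix" in options and "posixpaths" in options:
        notes.append("unix,posixpaths: CIFS Unix extensions negotiated, so the "
                     "mode bits shown come from the server's POSIX view")
    if options.get("vers") == "1.0":
        notes.append("vers=1.0: SMB1 negotiated")
    return notes


def probe_create_mode(directory, name="probe.txt"):
    """Create a file the way an application would (0666 before umask),
    return (mode, world_writable) and remove the file again. On a cifs mount
    the mode returned is whatever the server reports back."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
    os.close(fd)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)
    return mode, bool(mode & stat.S_IWOTH)


def expected_mode(umask):
    """Mode a 0666 create should yield on a local filesystem under umask."""
    return 0o666 & ~umask


def probe_in_tempdir(umask=0o022):
    """Baseline run on a constructed local temp directory under the given
    umask (restored afterwards), for comparison with a real mount point."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            return probe_create_mode(tmp)
    finally:
        os.umask(old)


if __name__ == "__main__":
    parsed = parse_mount_line(SAMPLE_MOUNT_LINE)
    print(parsed["source"], "->", parsed["target"], parsed["fstype"])
    for note in review_options(parsed["options"]):
        print(" -", note)
    mode, world_writable = probe_in_tempdir()
    print(f"local baseline: {mode:04o} (expected {expected_mode(0o022):04o}),"
          f" world writable: {world_writable}")
```

To check a real mount, pass its mount(8) line to parse_mount_line and its mount point to probe_create_mode as the user who will create files there.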
[Samba] opensuse samba3.schema file
Hi
I have opensuse 11.4 and have ldap and samba installed. Ldap is working but I'm missing the samba3.schema file. I've installed several packages in the hope of finding it. It's not in /etc/openldap/schema anymore.

Thanks.
[Samba] NT_STATUS_ACCESS_DENIED again sorry
Hi.
I've tried all the alternatives I could find. When I attempt to access a share on a linux client I get this error:

[2011/10/27 19:33:46.450093, 1] smbd/service.c:678(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED

I am accessing using kde and dolphin like this:
smb://hh1/steve2

hh1 is the domain and steve2 is an ldap user who can authenticate OK from the command line and via kdm. The ldap server has the samba3.schema included. When authenticating via samba, I type the username and password but the same dialogue reappears again and again.

Can anyone help? (the reason I'm trying this is because I have a linux only lan but have some win7 clients coming soon)

Opensuse 11.4. Here is smb.conf:

[global]
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$
domain logons = Yes
domain master = Yes
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=com
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap ssl = No
ldap suffix = dc=com
ldap timeout = 5
ldap user suffix = ou=people
passdb backend = ldapsam:ldap://127.0.0.1
workgroup = hh1
os level = 65
preferred master = Yes

[homes]
comment = home folders
inherit acls = Yes
read only = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
[Samba] win 7 join domain error
Hi
I am trying to join a win 7 client to my samba pdc. Authentication is via ldap which is working fine. I have added the two windows 7 registry items:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

I have a samba root password set up when I set up the samba PDC with Yast on opensuse 11.4.

On the win 7 machine, I can see the home shares by typing e.g. \\hh1\steve into windows explorer where hh1 is the domain name. When I try to add the machine to the domain I get the win 7 error:
'The specified computer could not be found. Contact an administrator to verify if the account is in the domain. . .'

Root has a samba password which I specify when joining.

Could anyone help here? My smb.conf is:

[global]
workgroup = HH1
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
ldap admin dn = cn=admin,dc=com
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=com
ldap ssl = no
ldap timeout = 5
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://127.0.0.1
cups options = raw

[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No

[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
Re: [Samba] win 7 join domain error
On Saturday 05 Nov 2011 11:48:02 you wrote:
> Please keep CC to the list.
>
> From: steve st...@steve-ss.com
> Date: Sat, 5 Nov 2011 08:33:37 +0100
>> On Saturday 05 Nov 2011 04:08:49 you wrote:
>>> From: steve st...@steve-ss.com
>>> Date: Sat, 5 Nov 2011 01:07:58 +0100
>>>
>>> Use simple %u instead of %m$, see smb.conf(5) for details.
>>> ---
>>> TAKAHASHI Motonobu mo...@samba.gr.jp
>>
>> I changed that but no luck. The logs give this:
>>
>> Nov 5 08:27:18 hh1 smbd[7285]: [2011/11/05 08:27:18.540172, 0] passdb/pdb_interface.c:348(pdb_default_create_user)
>> Nov 5 08:27:18 hh1 smbd[7285]: _samr_create_user: Running the command `/usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false steve-pc$' gave 83
>
> Does simply running
> /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false steve-pc$
> on your command line succeed?

Yes. That works fine. getent shows:
steve-PC$:x:1005:100:Machine:/var/lib/nobody:/bin/false

> If not, the arguments for useradd are not good, so it's not a problem for Samba, but for useradd. Also you had better search why useradd returns 83.

The only google reference to it is to this thread! I'd expect the machine to be added as an ldap user rather than a local user. I've tried adding the machine to the domain with and without ldap-TLS too.

Any ideas? Thanks so much for your patience.

> ---
> TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] win 7 no logon servers available error
Hi
I have joined a win 7 computer to my samba domain. Logging in gives me:
'There are currently no logon servers available to service the logon request.'

The win 7 machine is called S-PC and getent passwd gives me:
S-PC$:x:1002:100:Machine:/var/lib/nobody:/bin/false
lynn2:*:1001:1001:l:/home/lynn2:/bin/bash

lynn2 is an ldap user who can login OK. I see that /var/lib/samba/netlogon is empty. I've been through endless posts trying to sort this out. I have a samba pdc setup with ldap on opensuse 11.4. The logs give this:

[2011/11/05 23:45:23.779300, 0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
pdb_get_group_sid: Failed to find Unix account for S-PC$

But that doesn't make sense because S-PC$ _does_ have a Unix account.

Can anyone help me? smb.conf is:

[global]
workgroup = hh1
passdb backend = ldapsam:ldap://127.0.0.1
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %u
domain logons = Yes
domain master = Yes
idmap backend = ldap:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=com
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap ssl = Off
ldap suffix = dc=com
ldap user suffix = ou=people
local master = Yes
os level = 65
preferred master = Yes
security = user
wins server =
wins support = No

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
Re: [Samba] win 7 join domain error
On Saturday 05 Nov 2011 12:59:12 steve wrote:
> On Saturday 05 Nov 2011 11:48:02 you wrote:
>> Please keep CC to the list.
>>
>> From: steve st...@steve-ss.com
>> Date: Sat, 5 Nov 2011 08:33:37 +0100
>>> On Saturday 05 Nov 2011 04:08:49 you wrote:
>>>> From: steve st...@steve-ss.com
>>>> Date: Sat, 5 Nov 2011 01:07:58 +0100
>>>>
>>>> Use simple %u instead of %m$, see smb.conf(5) for details.
>>>> ---
>>>> TAKAHASHI Motonobu mo...@samba.gr.jp
>>>
>>> I changed that but no luck. The logs give this:
>>>
>>> Nov 5 08:27:18 hh1 smbd[7285]: [2011/11/05 08:27:18.540172, 0] passdb/pdb_interface.c:348(pdb_default_create_user)
>>> Nov 5 08:27:18 hh1 smbd[7285]: _samr_create_user: Running the command `/usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false steve-pc$' gave 83
>>
>> Does simply running
>> /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false steve-pc$
>> on your command line succeed?
>
> Yes. That works fine. getent shows:

Hi.
Have managed to join the machine to the domain by reinstalling w 7 but now have the error 'no logon servers'. I have started another thread.

Thanks.
Steve
Re: [Samba] win 7 no logon servers available error
On Sunday 06 Nov 2011 00:06:17 steve wrote:
> Hi
> I have joined a win 7 computer to my samba domain. Logging in gives me:
> 'There are currently no logon servers available to service the logon request.'
>
> The win 7 machine is called S-PC and getent passwd gives me:
> S-PC$:x:1002:100:Machine:/var/lib/nobody:/bin/false
> lynn2:*:1001:1001:l:/home/lynn2:/bin/bash
>
> lynn2 is an ldap user who can login OK. I see that /var/lib/samba/netlogon is empty. I've been through endless posts trying to sort this out. I have a samba pdc setup with ldap on opensuse 11.4. The logs give this:
>
> [2011/11/05 23:45:23.779300, 0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
> pdb_get_group_sid: Failed to find Unix account for S-PC$
>
> But that doesn't make sense because S-PC$ _does_ have a Unix account.
>
> Can anyone help me? smb.conf is:
>
> [global]
> workgroup = hh1
> passdb backend = ldapsam:ldap://127.0.0.1
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = Yes
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %u
> domain logons = Yes
> domain master = Yes
> idmap backend = ldap:ldap://127.0.0.1
> ldap admin dn = cn=admin,dc=com
> ldap group suffix = ou=group
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = Yes
> ldap ssl = Off
> ldap suffix = dc=com
> ldap user suffix = ou=people
> local master = Yes
> os level = 65
> preferred master = Yes
> security = user
> wins server =
> wins support = No
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
>
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
>
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
>
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root

Reinstalled openldap, samba and windows 7, the latter on oracle virtual box. I joined the domain HH1 without problems. I have set up bind on the samba host as a DNS server and set up the win 7 machine with static settings which point to the host with the dns server. No problems. Win 7 can ping out through the gateway and see webpages.

But _still_ I get the 'no logon servers available' message when trying to logon to the domain. The users can login at a linux command prompt fine. They can also see their files when logged into the win 7 box by typing e.g. \\HH1\steve2

So I don't think this is a DNS problem, I don't think it is a Win 7 problem and LDAP is working, so it must have something to do with samba. The samba is that shipped with opensuse 11.4, version 3.5.7.

Does anyone have any clue as to where to turn next?

Thanks so much and sorry to have to bump this one on a Sunday.
Steve.
Re: [Samba] win 7 no logon servers available error
On Sunday 06 Nov 2011 23:08:27 you wrote:
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
> Sent: Sunday, November 06, 2011 6:55 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] win 7 no logon servers available error
>
> On Sunday 06 Nov 2011 00:06:17 steve wrote:
>> Hi
>> I have joined a win 7 computer to my samba domain. Logging in gives me:
>> 'There are currently no logon servers available to service the logon request.'
>>
>> The win 7 machine is called S-PC and getent passwd gives me:
>> S-PC$:x:1002:100:Machine:/var/lib/nobody:/bin/false
>> lynn2:*:1001:1001:l:/home/lynn2:/bin/bash
>>
>> lynn2 is an ldap user who can login OK. I see that /var/lib/samba/netlogon is empty. I've been through endless posts trying to sort this out. I have a samba pdc setup with ldap on opensuse 11.4. The logs give this:
>>
>> [2011/11/05 23:45:23.779300, 0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
>> pdb_get_group_sid: Failed to find Unix account for S-PC$
>>
>> But that doesn't make sense because S-PC$ _does_ have a Unix account.
>>
>> Can anyone help me? smb.conf is:
>> [snip]
>
> Reinstalled openldap, samba and windows 7, the latter on oracle virtual box. I joined the domain HH1 without problems. I have set up bind on the samba host as a DNS server and set up the win 7 machine with static settings which point to the host with the dns server. No problems. Win 7 can ping out through the gateway and see webpages.
>
> But _still_ I get the 'no logon servers available' message when trying to logon to the domain. The users can login at a linux command prompt fine. They can also see their files when logged into the win 7 box by typing e.g. \\HH1\steve2
>
> So I don't think this is a DNS problem, I don't think it is a Win 7 problem and LDAP is working, so it must have something to do with samba. The samba is that shipped with opensuse 11.4, version 3.5.7.
>
> Does anyone have any clue as to where to turn next?
>
> Thanks so much and sorry to have to bump this one on a Sunday.
> Steve.
>
> [snip]
>
> Steve;
> The AppArmor profiles for nmbd and smbd prevented smbd and nmbd from running on Opensuse 11.4. If you have not done so already go to YaST > Novell AppArmor > AppArmor Control Panel > Configure Profile Modes. Set both user.sbin.[s,n]mbd to complain rather than enforce. If this works you can rewrite the profiles for proper operation or leave them off.
> PV

Hi
Yes. I tried with AppArmor to complain and then turned it off. Still no logon servers.

Here is what I got when joining the domain for the first time:

Nov 7 07:05:14 hh1 smbd[6753]: [2011/11/07 07:05:14.802235, 0] lib/util_sock.c:474(read_fd_with_timeout)
Nov 7 07:05:14 hh1 smbd[6753]: [2011/11/07 07:05:14.802429, 0] lib/util_sock.c:1441(get_peer_addr_internal)
Nov 7 07:05:14 hh1 smbd[6753]: getpeername failed. Error was Transport endpoint is not connected
Nov 7 07:05:14 hh1 smbd[6753]: read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
Nov 7 07:05:27 hh1 pulseaudio[3905]: ratelimit.c: 113 events suppressed
Nov 7 07:05:51 hh1 nmbd[6047]: [2011/11/07 07:05:51.005754, 0] nmbd/nmbd_incomingdgrams.c:308(process_local_master_announce)
Nov 7 07:05:51 hh1 nmbd[6047]: process_local_master_announce: Server S-PC at IP 192.168.1.4 is announcing itself as a local master browser for worrkgroup HH1 and we think we are master. Forcing election.
Nov 7 07:05:51 hh1 nmbd[6047]: [2011/11/07 07:05:51.017996, 0] nmbd/nmbd_become_lmb.c:148(unbecome_local_master_success)
Nov 7 07:05:51 hh1 nmbd[6047]: *
Nov 7 07:05:51 hh1 nmbd[6047]:
Nov 7 07:05:51 hh1 nmbd[6047]: Samba name server HH1 has stopped being a local master browser for workgroup HH1 on subnet 192.168.1.2
Nov 7 07:05:51 hh1 nmbd[6047]:
Nov 7 07:05:51 hh1 nmbd[6047]: *
Nov 7 07:06:10 hh1 nmbd[6047]: [2011/11/07 07:06:10.957521, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2)
Nov 7 07:06:10 hh1 nmbd[6047]: *
Nov 7 07:06:10 hh1 nmbd[6047]:
Nov 7 07:06:10 hh1 nmbd[6047]: Samba name server HH1 is now a local master browser for workgroup HH1 on subnet 192.168.1.2
Nov 7 07:06:10 hh1 nmbd[6047]:
Nov 7 07:06:10 hh1 nmbd[6047]: *

And here is the result of starting smb and nmb now:

Nov 7 07:27:48 hh1 nmbd[7677]: *
Nov 7 07:30:00 hh1 smbd[7780]: [2011/11/07 07:30:00.326907, 0] smbd/server.c:501(smbd_open_one_socket)
Nov 7 07:30:00 hh1 smbd[7780]: smbd_open_once_socket: open_socket_in: Address already in use
Nov 7 07:30:00 hh1 smbd[7780]: [2011/11/07 07:30:00.328619, 0] smbd/server.c:501(smbd_open_one_socket)
Nov 7 07:30:00 hh1 smbd[7780]: smbd_open_once_socket: open_socket_in: Address already in use
Nov 7 07:30:05 hh1 nmbd[7677]: [2011/11/07 07:30:05.525647, 0] nmbd/nmbd.c:71(terminate)
Nov 7 07:30:05 hh1 nmbd[7677
Re: [Samba] win 7 no logon servers available error [SOLVED]
On Monday 07 Nov 2011 07:39:10 steve wrote: On Sunday 06 Nov 2011 23:08:27 you wrote: -Original Message- From: samba-boun...@lists.samba.org [mailto:samba- boun...@lists.samba.org] On Behalf Of steve Sent: Sunday, November 06, 2011 6:55 AM To: samba@lists.samba.org Subject: Re: [Samba] win 7 no logon servers available error On Sunday 06 Nov 2011 00:06:17 steve wrote: Hi I have joined a win 7 computer to my samba domain. Logging in gives me: 'There are currently no logon servers available to service the logon request.' Hi After much work I realised that the name of my Linux box was hh1.com and I had chosen HH1 for the Samba domain name. That seems sensible enough no? But it seems that that is not allowed. I can't find anywhere in the documentation which warns against this. I changed the Samba domain to HH2, removed the old ldap machine objects, unjoined the domain HH1 and rejoined HH2. Everything now works as expected except that at first logon from windows 7, the profile isn't saved. You have to log out and back in again. Then the profile is saved. With XP clients you don't have to relogin. Hope this helps us all toward a single sign on. It's going to make our lan much more bearable. Thanks to everyone for their time. Steve. For completeness, here is the nmbd log: Nov 7 14:28:58 hh1 nmbd[8308]: [2011/11/07 14:28:58.757742, 0] nmbd/nmbd.c:71(terminate) Nov 7 14:28:58 hh1 nmbd[8308]: Got SIGTERM: going down... 
Nov 7 14:28:59 hh1 nmbd[9167]: [2011/11/07 14:28:59.350165, 0] nmbd/nmbd_logonnames.c:160(add_logon_names) Nov 7 14:28:59 hh1 nmbd[9167]: add_domain_logon_names: Nov 7 14:28:59 hh1 nmbd[9167]: Attempting to become logon server for workgroup HH2 on subnet 192.168.1.2 Nov 7 14:28:59 hh1 nmbd[9167]: [2011/11/07 14:28:59.351132, 0] nmbd/nmbd_become_dmb.c:292(become_domain_master_browser_bcast) Nov 7 14:28:59 hh1 nmbd[9167]: become_domain_master_browser_bcast: Nov 7 14:28:59 hh1 nmbd[9167]: Attempting to become domain master browser on workgroup HH2 on subnet 192.168.1.2 Nov 7 14:28:59 hh1 nmbd[9167]: [2011/11/07 14:28:59.351253, 0] nmbd/nmbd_become_dmb.c:305(become_domain_master_browser_bcast) Nov 7 14:28:59 hh1 nmbd[9167]: become_domain_master_browser_bcast: querying subnet 192.168.1.2 for domain master browser on workgroup HH2 Nov 7 14:29:03 hh1 nmbd[9167]: [2011/11/07 14:29:03.372639, 0] nmbd/nmbd_logonnames.c:121(become_logon_server_success) Nov 7 14:29:03 hh1 nmbd[9167]: become_logon_server_success: Samba is now a logon server for workgroup HH2 on subnet 192.168.1.2 Nov 7 14:29:05 hh1 smbd[9191]: [2011/11/07 14:29:05.626119, 0] smbd/server.c:501(smbd_open_one_socket) Nov 7 14:29:05 hh1 smbd[9191]: smbd_open_once_socket: open_socket_in: Address already in use Nov 7 14:29:05 hh1 smbd[9191]: [2011/11/07 14:29:05.628884, 0] smbd/server.c:501(smbd_open_one_socket) Nov 7 14:29:05 hh1 smbd[9191]: smbd_open_once_socket: open_socket_in: Address already in use Nov 7 14:29:07 hh1 nmbd[9167]: [2011/11/07 14:29:07.380575, 0] nmbd/nmbd_become_dmb.c:110(become_domain_master_stage2) Nov 7 14:29:07 hh1 nmbd[9167]: * Nov 7 14:29:07 hh1 nmbd[9167]: Nov 7 14:29:07 hh1 nmbd[9167]: Samba server HH1 is now a domain master browser for workgroup HH2 on subnet 192.168.1.2 Nov 7 14:29:07 hh1 nmbd[9167]: Nov 7 14:29:07 hh1 nmbd[9167]: * Nov 7 14:29:22 hh1 nmbd[9167]: [2011/11/07 14:29:22.398976, 0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2) Nov 7 14:29:22 hh1 nmbd[9167]: * Nov 7 
14:29:22 hh1 nmbd[9167]: Nov 7 14:29:22 hh1 nmbd[9167]: Samba name server HH1 is now a local master browser for workgroup HH2 on subnet 192.168.1.2 Nov 7 14:29:22 hh1 nmbd[9167]: Nov 7 14:29:22 hh1 nmbd[9167]: * -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
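An added check, not part of the thread above: Samba's documented default for "netbios name" is the first label of the host's DNS name, upper-cased, so a host called hh1.com with "netbios name" unset registers as HH1, which is exactly the string chosen for the workgroup in the message above. This POSIX sh script reads an smb.conf the way Samba matches parameter names (case- and whitespace-insensitive, last value in [global] wins), derives the effective NetBIOS name, and exits non-zero when it collides with the workgroup. The sample smb.conf files and the hostname hh1.com in the demo are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread): report a NetBIOS name / workgroup
# clash in smb.conf. Samba defaults "netbios name" to the first label of
# the hostname, upper-cased, so an unset netbios name on a host called
# hh1.com is HH1, the same string the thread chose as the domain name.
# Exit status: 0 = no clash, 1 = clash, 2 = smb.conf unreadable.

# smb_param FILE PARAM -> last value of PARAM in [global]; parameter names
# are matched the way Samba matches them: case- and whitespace-insensitive.
smb_param() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[;#]/ { next }                       # comment line
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect)
                      gsub(/[ \t]/, "", sect); sect = tolower(sect); next }
        sect == "global" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) found = val
        }
        END { print found }' "$1"
}

# netbios_workgroup_clash SMB_CONF [HOSTNAME]
# HOSTNAME defaults to this machine's; the demo and tests pass it explicitly.
netbios_workgroup_clash() {
    conf="$1"
    host="${2:-$(hostname)}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    nb=$(smb_param "$conf" "netbios name")
    [ -n "$nb" ] || nb=${host%%.*}          # Samba's default: hostname up to the first dot
    wg=$(smb_param "$conf" "workgroup")
    [ -n "$wg" ] || wg=WORKGROUP            # Samba's compiled-in default
    nb=$(printf '%s' "$nb" | tr '[:lower:]' '[:upper:]')
    wg=$(printf '%s' "$wg" | tr '[:lower:]' '[:upper:]')
    if [ "$nb" = "$wg" ]; then
        echo "CLASH: netbios name '$nb' (from host $host) equals workgroup '$wg'" >&2
        return 1
    fi
    echo "ok: netbios name '$nb', workgroup '$wg'"
}

# Demo on constructed configs: the failing combination from the thread
# (host hh1.com, workgroup HH1) and the fix (workgroup HH2).
demo_dir=$(mktemp -d)
printf '[global]\n  workgroup = HH1\n  security = user\n' > "$demo_dir/hh1.conf"
printf '[global]\n  workgroup = HH2\n  security = user\n' > "$demo_dir/hh2.conf"
for c in hh1 hh2; do
    netbios_workgroup_clash "$demo_dir/$c.conf" hh1.com || :
done
rm -rf "$demo_dir"
```

Run it as `netbios_workgroup_clash /etc/samba/smb.conf` on the server itself; an explicit "netbios name" in [global] (as in the smb.conf quoted earlier in this archive, HH1 with workgroup MARINA) is honoured over the hostname default.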
[Samba] samba with ldap+TLS
Hi I know Linux clients need a CA certificate to authenticate via LDAP using TLS. What about win 7 and XP clients using a Samba server? Thanks Steve
[Samba] Samba StartTLS
Hi Scenario: Lan with opensuse 11.4 Samba and LDAP server. Linux, win-xp and win7 clients. The Linux clients can login fine under TLS: Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=0 STARTTLS Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=0 RESULT oid= err=0 text= Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 fd=23 TLS established tls_ssf=256 ssf=256 Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=1 BIND dn= method=128 - - - lots of lines cut - - - Nov 10 11:31:22 hh1 slapd[1727]: conn=1243 op=3 BIND dn=uid=lynn2,ou=people,dc=site method=128 The windows clients can login but are denied access to their home folder: Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls) Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error If smb.conf contains the line: ldap ssl = start tls windows clients can login, but are denied access to their home folders. Uncommenting this line and restarting smb allows windows clients both to login and gain access to their home folder. Summary: Samba without TLS works. Samba with TLS doesn't. Can I confirm: 1. That LDAP is working. 2. That the CA and server certificates (signed by the CA) are correct. 3. The problem is with smb.conf and lastly after much googling and reading, can anyone help me get rid of the samba tls issue? Thanks
[Samba] remove machines from login list
Hi When adding a windows machine to a Samba domain: add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ The machine name (e.g. computer_1$) now appears in the kdm login list for Linux clients using kde4. This looks a mess and doesn't make sense. Can I add the machine without using 'useradd'? Or some other way to avoid this? Thanks Steve.
Re: [Samba] Samba StartTLS
On 11/11/2011 08:31 AM, steve wrote: Hi Scenario: Lan with opensuse 11.4 Samba and LDAP server. Linux, win-xp and win7 clients. Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls) Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS. Can anyone comment on the security of this workaround? Thanks
Re: [Samba] Samba StartTLS
On 11/11/2011 08:23 PM, zoolook wrote: 2011/11/11 stevest...@steve-ss.com: On 11/11/2011 08:31 AM, steve wrote: Hi Scenario: Lan with opensuse 11.4 Samba and LDAP server. Linux, win-xp and win7 clients. Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls) Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error Solved? Adding: TLS_REQCERT never to /etc/openldap/ldap.conf allows windows to connect to the samba domain with TLS. Can anyone comment on the security of this workaround? Thanks Or you can copy your server's CA to your clients, in this case your samba server and use TLS_REQCERT hard Your solution works, but some other machine can impersonate your ldap server and your smb server will never know the difference. Regards, Norberto Hi Thanks for the reply. But then I'm back to the samba not being able to use tls errors as above no? I made the workaround to get rid of the error. But I'll have a go. So, on a Win 7 client, where do I put the CA cert?
Re: [Samba] remove machines from login list
On 11/11/2011 07:23 PM, Chris Smith wrote: On Fri, Nov 11, 2011 at 3:06 AM, stevest...@steve-ss.com wrote: add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$ The machine name (e.g. computer_1$) now appears in the kdm login list for Linux clients using kde4. This looks a mess and doesn't make sense. Can I add the machine without using 'useradd'? Or some other way to avoid this? Not sure if this will help. I use the following script that's very similar: = add machine script = /usr/sbin/useradd -d /dev/null -g 'nofiles' -c 'Machine Account' -s /bin/false '%u' = I have a group named nofiles and the addition of -g 'nofiles' puts all machines in their own group so their gid is different from the one the users are in. If KDE gets possible user login accounts from a particular gid this may help. Chris Hi Chris That makes sense. Thanks.
Re: [Samba] Samba StartTLS
On 11/12/2011 06:52 PM, zoolook wrote: 2011/11/11 stevest...@steve-ss.com: So, on a Win 7 client, where do I put the CA cert? You don't :-) Win will talk to samba. Samba talks to OpenLDAP over a tls connection. From my experience (since -from my pov- it is not clear in the docs), Samba needs: passdb backend = ldapsam:ldaps://ldap.yourdomain.tld ldap ssl = off Or passdb backend = ldapsam:ldap://ldap.yourdomain.tld ldap ssl = start tls BTW, the CN in the certificate must match the ldap uri in smb.conf. In other words, if your certificate was created using CN=ldap.mydomain, and you put ldapsam:ldap://localhost in smb.conf, it won't work. HTH, Norberto Hi Norberto My smb.conf looks like this: passdb backend = ldapsam:ldap://hh1.site idmap backend = ldap:ldap://hh1.site ldap ssl = start tls hh1.site is my FQDN and is also the CN for the CA and servercerts. But I'm wondering. Since the samba and ldap servers are both on the same box, is that why TLS isn't working? Because it doesn't make sense to have it? There is no communication between samba and ldap over the network as they are both on the same machine. Would this explain the errors: The windows clients can login but are denied access to their home folder: Nov 10 11:20:16 hh1 smbd[6066]: [2011/11/10 11:20:16.268556, 0] lib/smbldap.c:731(smb_ldap_start_tls) Nov 10 11:20:16 hh1 smbd[6066]: Failed to issue the StartTLS instruction: Connect error However, they can connect with: TLS_REQCERT never in /etc/openldap/ldap.conf Confused! Thanks for your patience. Steve
Re: [Samba] Samba StartTLS
On 11/12/2011 06:52 PM, zoolook wrote: 2011/11/11 stevest...@steve-ss.com: So, on a Win 7 client, where do I put the CA cert? You don't :-) Win will talk to samba. Samba talks to OpenLDAP over a tls connection. Nearly understood it but I'm missing this: How does the username and password that is typed in on the win client travel over the network to the samba (and in my case also ldap) server? It must be sent as plain text no? Cheers, Steve.
Re: [Samba] Samba StartTLS [SOLVED]
On Saturday 12 Nov 2011 21:34:05 you wrote: Hi Steve, 2011/11/12 steve st...@steve-ss.com: My smb.conf looks like this: passdb backend = ldapsam:ldap://hh1.site idmap backend = ldap:ldap://hh1.site ldap ssl = start tls Looks right. hh1.site is my FQDN and is also the CN for the CA and servercerts. Good But I'm wondering. Since the samba and ldap servers are both on the same box, is that why TLS isn't working? Nope. But you could disable ssl/tls in that case: ldap ssl = off Because it doesn't make sense to have it? It doesn't make sense to use ssl/tls connections in your case, but it is not the reason your setup is not working. There is no communication between samba and ldap over the network as they are both on the same machine. Would this explain the errors: No However, they can connect with: TLS_REQCERT never in /etc/openldap/ldap.conf Yes, because you are missing your CA. If you want samba to connect to openldap over tls/ssl, you need something like this: TLS_REQCERT hard TLS_CACERT /path/to/your/ca.crt Confused! Basically you either need to disable tls (ldapsam:ldap:// and ldap ssl = off) or put your CA in your samba server and tell ldap where to find it. Regards, Norberto Norberto, you are magic. I commented out: #TLS_REQCERT never and added: TLS_REQCERT hard TLS_CACERT /etc/openldap/cacerts/YaST-CA.pem to /etc/openldap/ldap.conf. Restarted ldap and samba and it connected with STARTTLS! Thank you so much. Steve.
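An added example, not from the thread and not Samba's or OpenLDAP's own code: the two ldap.conf states this thread passes through differ in whether smbd authenticates the LDAP server at all. With TLS_REQCERT never the session is encrypted but any host answering on the LDAP port is accepted (the "impersonate your ldap server" point made above); with TLS_REQCERT hard and no TLS_CACERT, verification is demanded but cannot succeed, which is the "Failed to issue the StartTLS instruction: Connect error" from smb_ldap_start_tls. This POSIX sh script audits a client ldap.conf for that and includes a live openssl probe for the CN-must-match-the-URI rule. The sample configs are constructed; the CA path /etc/openldap/cacerts/YaST-CA.pem is the one the thread ends on; the probe assumes OpenSSL 1.1.1 or later for -starttls ldap.

```sh
#!/bin/sh
# Added example (not from the thread): audit the OpenLDAP client config
# that smbd's ldapsam backend reads for StartTLS. Sample configs below are
# constructed. Exit status of audit_ldap_tls:
#   0  server certificate is verified against a CA (TLS_REQCERT demand/hard
#      plus a readable TLS_CACERT or TLS_CACERTDIR)
#   1  TLS_REQCERT never/allow/try: encrypted, but the server is not
#      authenticated, so an impostor LDAP server is accepted
#   2  verification demanded (or defaulted) but no usable CA configured:
#      StartTLS fails, the "Connect error" seen in the thread
#   3  config file unreadable

# ldap_conf_get FILE KEY -> last value of KEY, comment lines skipped
ldap_conf_get() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        toupper($1) == toupper(want) { v = $2 }
        END { print v }' "$1"
}

audit_ldap_tls() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 3; }
    reqcert=$(ldap_conf_get "$conf" TLS_REQCERT | tr '[:upper:]' '[:lower:]')
    cacert=$(ldap_conf_get "$conf" TLS_CACERT)
    cadir=$(ldap_conf_get "$conf" TLS_CACERTDIR)
    [ -n "$reqcert" ] || reqcert=demand     # ldap.conf(5): the default is demand
    case "$reqcert" in
        never|allow|try)
            echo "INSECURE: TLS_REQCERT $reqcert, server certificate not verified" >&2
            return 1 ;;
        demand|hard) ;;
        *)  echo "unknown TLS_REQCERT value '$reqcert'" >&2; return 1 ;;
    esac
    if [ -n "$cacert" ] && [ -r "$cacert" ]; then
        echo "ok: TLS_REQCERT $reqcert, CA file $cacert"; return 0
    fi
    if [ -n "$cadir" ] && [ -d "$cadir" ]; then
        echo "ok: TLS_REQCERT $reqcert, CA directory $cadir"; return 0
    fi
    echo "BROKEN: TLS_REQCERT $reqcert but no readable TLS_CACERT/TLS_CACERTDIR" >&2
    return 2
}

# Live check of what smbd will attempt: StartTLS on port 389, chain verified
# against the CA file, and the certificate name checked against the host in
# the ldapsam URI (the CN point made above). Needs OpenSSL 1.1.1+ for
# -starttls ldap; not run by the demo because it needs a network.
ldap_starttls_probe() {   # ldap_starttls_probe HOST CAFILE [PORT]
    openssl s_client -connect "$1:${3:-389}" -starttls ldap \
        -CAfile "$2" -verify_hostname "$1" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Demo on constructed files mirroring the ldap.conf states in the thread.
demo_dir=$(mktemp -d)
: > "$demo_dir/YaST-CA.pem"      # stand-in for the real CA file (constructed)
printf 'TLS_REQCERT never\n' > "$demo_dir/workaround.conf"
printf '#TLS_REQCERT never\nTLS_REQCERT hard\nTLS_CACERT %s/YaST-CA.pem\n' \
    "$demo_dir" > "$demo_dir/fixed.conf"
printf 'TLS_REQCERT hard\n' > "$demo_dir/no-ca.conf"
for c in workaround fixed no-ca; do
    audit_ldap_tls "$demo_dir/$c.conf" || :
done
rm -rf "$demo_dir"
```

On the server in the thread the live call would be `ldap_starttls_probe hh1.site /etc/openldap/cacerts/YaST-CA.pem`; it returns non-zero both for an untrusted chain and for a certificate whose name does not match hh1.site, the two failures the audit cannot see from the config file alone.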
Re: [Samba] samba4 ldap?
Robert Adam Tauno Williams wrote: On Thu, 2011-11-17 at 12:34 -0600, John Heim wrote: I am confused... Using an ldap server as a backend for samba4 is not recommended? Not only not recommended, it will not work and is not supported. We are primarily a linux shop. We have an ldap database we use for authentication. I can't use that anymore if I switch to samba4? Nope. Active Directory provides an LDAP service (DSA) but Active Directory is not LDAP. It has very specific provisioning, security, and schema rules. We use samba-ldap mainly for single sign on. I'd like to have a go at Samba 4. I currently have v3 with ldap. Is openldap similar to the ldap in Samba 4 or will I have to relearn it? Would it be possible for folk like me (little or no windows experience) to have some more information on Samba 4? Screenshots of what AD looks like on a Windows server would be great. I know these are available elsewhere but their explanations are ridden with windows jargon and leave Samba admins on Linux out in the cold. Thanks for reading. Steve.
Re: [Samba] Slow login to Samba domain
On 15/11/11 17:22, Marc Cain wrote: Hi Dermot, Here's a snip from a post I made sometime back. Perhaps it will help. Marc -- Samba 3.4.3 (ldap backend) Windows 7 Enterprise I've experienced the identical symptoms with Windows 7 ENT and found this workaround. When the following local GPO is left in its default setting Samba domain logons are delayed for 30 seconds: Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory. Enable this and set the value to 0 to work around this timeout. The timeout does not occur when logging into an Active Directory PDC running Server 2008 R2. I have not tested this with w2k8 R2 client. In addition, if the user's desktop is set to a solid background color logons of any kind (local, AD, samba) will be delayed by 30 seconds. Set the background to any .jpg image or apply Microsoft's hotfix to work around this issue. This is a cumulative timeout; that is, if the above timeout is in effect and the solid background color timeout is also in effect the delay is 60 seconds. I also experienced a 30 second timeout when I set the local GPO to Run logon scripts synchronously. This problem has inexplicably vanished and I can't replicate it though I don't see it listed in any Windows 7 updates. Might have been happening to me with Windows 7 PRO. I'll check that if anyone is interested. The fix was to apply an old Vista reg setting. Can be Googled as Vista Run logon scripts synchronously. Hi Same delayed windows 7 login problem here. Sorry, but I can't follow this method (I'm not a windows admin). Where on win 7 do I find: Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory. Thanks. Steve.
Re: [Samba] Slow login to Samba domain
On 21/11/11 11:19, Dermot wrote: On 21 November 2011 08:35, stevest...@steve-ss.com wrote: On 15/11/11 17:22, Marc Cain wrote: Sorry, but I can't follow this method (I'm not a windows admin). Where on win 7 do I find: Computer Configuration\Administrative Templates\System\User Profiles\Set maximum wait time for the network if the user has a roaming user profile or remote home directory. You need to run `gpedit.msc`. It's the group policy editor for Windows. I suspect you will need admin rights to the local machine to run gpedit. HTH, Yep. Thanks. _I_ found it;) But: ' In addition, if the user's desktop is set to a solid background color logons of any kind (local, AD, samba) will be delayed by 30 seconds. ' OMG. A system exists where logon speed depends on your desktop background. Unbelievable! Steve.
Re: [Samba] Recommended Linux Distro and Windows Client
What Linux distro would you recommend to create the server and then put Samba on it? CentOS 6. Straightforward boring server Operating System. I'm a complete newbie running a lan with 25 clients. A mix of dual boot ubuntu, opensuse and win-7. Using Yast in openSUSE got me a Samba PDC and LDAP server up and running in 10 minutes. Learn _how_ it works later! HTH and good luck, Steve
[Samba] testing samba 4 alongside samba 3
Hi I have the opportunity to test Samba 4 and in particular the possibility of migrating from 3.6 to 4. I have set up a spare box with 3.6 and ldap running under openSUSE 12.1 with a win 7 client on virtualbox. I had not used windows for over 10 years until I set up our SSO lan last month so I don't know much about AD. I read in the Samba 4 docs that you can drag and drop machines and users onto the AD. 1. Can I run Samba 4 alongside Samba 3 on my test box? 2. Can I migrate users and machines (in my case a few test users and one w7 virtual machine) from Samba 3 to Samba 4? Is there a script? 3. For the 'drag-and-drop-users. . .' bit, will I need a GUI on my openSUSE host? 4. Will I need to administrate Samba 4 from windows? 5. Can anyone give me a one liner which starts with 'AD is. . .' 6. Is my setup OK for testing this? Do I need a separate physical windows client to test it? Thanks Steve.
Re: [Samba] Problem with group/user permissions on write
On 24/11/11 20:27, Nataniel Klug wrote: Hello all, I am new to Samba and I am trying to make a configuration that is not working and I am sure it’s me who doesn’t know what I am doing. So the configuration I need is like this: Groups: cnett, suporte Users on group “cnett”: nata, anger Users on group “suporte”: ricardo, ariovaldo So now I have a share on /pub/bkp01 that has these permissions: drwxrwxr-x 3 root suporte 4096 2011-11-24 16:01 bkp01/ Inside I need that users on group “suporte” can WRITE and READ every file but they can only DELETE their own created files/directories. The users on group “cnett” can have admin rights. So I made this configuration on smb.conf: [bkp01] comment = Backup01 path = /pub/bkp01 valid users = @suporte @cnett admin users = @cnett create mask = 0664 directory mask = 0755 writable = yes The problem is every user inside group “suporte” can DELETE files/directories from other users in the same group. How can I solve this? Regards, Nataniel Klug This is pretty ugly but it does what you want I think: [stuff] comment = Shared stuff path = /home/stuff force group = users read only = No create mask = 0660 force create mode = 0660 security mask = 0770 directory mask = 0770 force directory mode = 0770 directory security mask = 0770 Add the users you want. HTH Steve.
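An added example, not from the thread and not Samba's own code: the requirement in the question above ("every member can write, but only delete their own files") is the POSIX sticky-bit rule, the same one that governs /tmp. In a sticky directory a file can be unlinked or renamed only by the file's owner, the directory's owner, or root. smbd serves each SMB session as the connecting Unix user, so the kernel applies the rule to SMB deletes too; the "admin users = @cnett" line in the question keeps that group all-powerful, because Samba runs admin users' file operations as root and root is not restricted by the sticky bit. The script creates such a directory (setgid added so new files inherit the group) and verifies its mode. The path /pub/bkp01 and the group suporte are the thread's; the demo uses a scratch directory.

```sh
#!/bin/sh
# Added example (not from the thread): a group-writable share directory in
# which every member can create files but only a file's owner (or root) can
# delete or rename it. That is the POSIX sticky bit (the /tmp rule); smbd
# serves each SMB session as the connecting Unix user, so the kernel applies
# the same rule to SMB deletes. The setgid bit makes new files inherit the
# directory's group. Paths and group name are the thread's; the demo directory
# is constructed.
# Usage: make_shared_dir /pub/bkp01 suporte

make_shared_dir() {
    dir="$1"; group="$2"
    mkdir -p "$dir" || return 1
    # chgrp only when the group exists on this host, so the example also
    # runs where "suporte" is not defined
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$dir" || return 1
    fi
    # 3770 = setgid (2000) + sticky (1000) + rwx owner + rwx group + nothing for others
    chmod 3770 "$dir"
}

# dir_mode_ok DIR -> 0 when the directory is sticky, setgid and closed to others
dir_mode_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -k "$dir" ] || return 1     # sticky bit
    [ -g "$dir" ] || return 1     # setgid bit
    # columns 8-10 of `ls -ld` are the "other" bits; "T" there is the sticky
    # marker with no execute permission, which is what 3770 produces
    case "$(ls -ld "$dir" | cut -c8-10)" in
        ---|--T) return 0 ;;
        *)       return 1 ;;
    esac
}

# Demo in a scratch directory (constructed; not /pub/bkp01).
demo_dir=$(mktemp -d)
make_shared_dir "$demo_dir/bkp01" suporte
ls -ld "$demo_dir/bkp01"
if dir_mode_ok "$demo_dir/bkp01"; then
    echo "bkp01: group members may create files, only each file's owner may delete"
fi
rm -rf "$demo_dir"
```

Because the restriction lives in the filesystem, no "delete" related smb.conf masks are needed on top of it; any share parameter that makes smbd run as a different user (force user, admin users) changes who the kernel sees as the deleting uid and therefore who the sticky bit lets through.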
[Samba] Samba 4 make fails
Hi Samba 4 git from 1 hour ago. openSUSE 12.1 make fails: [ 976/3909] Compiling source4/lib/tls/tls.c ../source4/lib/tls/tls.c: In function ‘tls_init_server’: ../source4/lib/tls/tls.c:508:2: error: implicit declaration of function ‘gnutls_transport_set_lowat’ [-Werror=implicit-function-declaration] ../source4/lib/tls/tls.c: In function ‘tls_init_client’: ../source4/lib/tls/tls.c:569:2: warning: ‘gnutls_certificate_type_set_priority’ is deprecated (declared at /usr/include/gnutls/compat.h:288) [-Wdeprecated-declarations] cc1: some warnings being treated as errors Waf: Leaving directory `/home/steve/samba-master/bin' Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o} make: *** [all] Error 1 openSUSE 12.1 Any ideas? Cheers, Steve.
Re: [Samba] Samba 4 make fails
On 28/11/11 11:51, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 11:49 +0100, steve wrote: Samba 4 git from 1 hour ago. openSUSE 12.1 Yep. I updated my test VM to openSUSE 12.1 [Bind 9.8!!!]. And I get the same failure when building. make fails: [ 976/3909] Compiling source4/lib/tls/tls.c ../source4/lib/tls/tls.c: In function ‘tls_init_server’: ../source4/lib/tls/tls.c:508:2: error: implicit declaration of function ‘gnutls_transport_set_lowat’ [-Werror=implicit-function-declaration] ../source4/lib/tls/tls.c: In function ‘tls_init_client’: ../source4/lib/tls/tls.c:569:2: warning: ‘gnutls_certificate_type_set_priority’ is deprecated (declared at /usr/include/gnutls/compat.h:288) [-Wdeprecated-declarations] cc1: some warnings being treated as errors Waf: Leaving directory `/home/steve/samba-master/bin' Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o} make: *** [all] Error 1 Just tried with the samba-4.0.0alpha17 tarball. Same error. Problem with openSUSE 12.1? Steve.
Re: [Samba] Samba 4 make fails(openSUSE 12.1)
On 28/11/11 16:23, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 17:16 +0200, Michael Wood wrote: 2011/11/28 Samba-JP ootarib...@samba.gr.jp: On Mon, Nov 28, 2011 at 05:52:55AM -0500, Adam Tauno Williams wrote Yep. I updated my test VM to openSUSE 12.1 [Bind 9.8!!!]. And I get the same failure when building. make fails: [ 976/3909] Compiling source4/lib/tls/tls.c ../source4/lib/tls/tls.c: In function ‘tls_init_server’: ../source4/lib/tls/tls.c:508:2: error: implicit declaration of function ‘gnutls_transport_set_lowat’ [-Werror=implicit-function-declaration] ../source4/lib/tls/tls.c: In function ‘tls_init_client’: ../source4/lib/tls/tls.c:569:2: warning: ‘gnutls_certificate_type_set_priority’ is deprecated (declared at /usr/include/gnutls/compat.h:288) [-Wdeprecated-declarations] cc1: some warnings being treated as errors Waf: Leaving directory `/home/steve/samba-master/bin' Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o} make: *** [all] Error 1 My test server (openSUSE 12.1 x86-64) has no problem [ 985/3936] Compiling source4/lib/tls/tls.c [ 986/3936] Compiling source4/lib/tls/tlscert.c ../source4/lib/tls/tlscert.c:174:6: warning: no previous prototype for ‘tls_cert_dummy’ [-Wmissing-prototypes] [ 987/3936] Compiling source4/lib/tls/tls_tstream. . Could it have something to do with what packages are installed? e.g. if you don't have the GnuTLS devel package installed it breaks? I don't have an OpenSUSE box to test this theory. I have libgnutls-devel-3.0.3-5.2.1.x86_64 installed. GCC is gcc (SUSE Linux) 4.6.2. I have rpm -q gcc gcc-4.6-15.1.3.i586 rpm -q libgnutls-devel libgnutls-devel-3.0.3-5.1.2.i586 make is ok on ubuntu 11.10 but not with openSUSE 12.1 What are we missing? Any ideas? Thanks
Re: [Samba] Samba 4 make fails(openSUSE 12.1)
On 28/11/11 21:14, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 20:16 +0100, steve wrote: On 28/11/11 16:23, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 17:16 +0200, Michael Wood wrote: 2011/11/28 Samba-JP ootarib...@samba.gr.jp: On Mon, Nov 28, 2011 at 05:52:55AM -0500, Adam Tauno Williams wrote Yep. I updated my test VM to openSUSE 12.1 [Bind 9.8!!!]. And I get the same failure when building. make fails: [ 976/3909] Compiling source4/lib/tls/tls.c ../source4/lib/tls/tls.c: In function ‘tls_init_server’: ../source4/lib/tls/tls.c:508:2: error: implicit declaration of function ‘gnutls_transport_set_lowat’ [-Werror=implicit-function-declaration] ../source4/lib/tls/tls.c: In function ‘tls_init_client’: ../source4/lib/tls/tls.c:569:2: warning: ‘gnutls_certificate_type_set_priority’ is deprecated (declared at /usr/include/gnutls/compat.h:288) [-Wdeprecated-declarations] cc1: some warnings being treated as errors Waf: Leaving directory `/home/steve/samba-master/bin' Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o} make: *** [all] Error 1 My test server (openSUSE 12.1 x86-64) has no problem [ 985/3936] Compiling source4/lib/tls/tls.c [ 986/3936] Compiling source4/lib/tls/tlscert.c ../source4/lib/tls/tlscert.c:174:6: warning: no previous prototype for ‘tls_cert_dummy’ [-Wmissing-prototypes] [ 987/3936] Compiling source4/lib/tls/tls_tstream. . Could it have something to do with what packages are installed? e.g. if you don't have the GnuTLS devel package installed it breaks? I don't have an OpenSUSE box to test this theory. I have libgnutls-devel-3.0.3-5.2.1.x86_64 installed. GCC is gcc (SUSE Linux) 4.6.2. I have rpm -q gcc gcc-4.6-15.1.3.i586 rpm -q libgnutls-devel libgnutls-devel-3.0.3-5.1.2.i586 make is ok on ubuntu 11.10 but not with openSUSE 12.1 What are we missing? Any ideas? Use an older gcc? I pulled down gcc-3.3 using zypper. 
$ CPP=/usr/bin/cpp-3.3 CC=/usr/bin/gcc-3.3 ./configure.developer --prefix=/opt/s4 Checking for program gcc or cc : /usr/bin/gcc-3.3 Checking for program ar : /usr/bin/ar Checking for program ranlib : /usr/bin/ranlib ... But when it gets down to the TLS stuff it still fails. Waf: Entering directory `/root/samba-master/bin' [ 126/3908] Generating VERSION [ 162/3908] Generating smbd/build_options.c [ 977/3908] Compiling source4/lib/tls/tls.c ../source4/lib/tls/tls.c: In function `tls_init_server': ../source4/lib/tls/tls.c:508: error: implicit declaration of function `gnutls_transport_set_lowat' ../source4/lib/tls/tls.c: In function `tls_init_client': ../source4/lib/tls/tls.c:569: warning: `gnutls_certificate_type_set_priority' is deprecated (declared at /usr/include/gnutls/compat.h:290) Waf: Leaving directory `/root/samba-master/bin' Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o} make: *** [all] Error 1 Got past the error: In samba-master directory. added: --enable-gnutls \ to configure.developer cat configure.developer #!/bin/sh `dirname $0`/configure -C \ --enable-developer \ --enable-socket-wrapper \ --enable-nss-wrapper \ --enable-gnutls \ $@ Then from: http://aur.archlinux.org/packages.php?ID=40043 sed -i -e 's/gnutls_transport_set_lowat(tlss->tls_session, 0);//' source4/lib/tls/tls_tstream.c sed -i -e 's/gnutls_transport_set_lowat(tls->session, 0);//' source4/lib/tls/tls.c Am now at 2503/3909 of the make. The only test box I have is a 512Mb acer laptop running 12.1 from a 16Gb usb stick. Not ideal for code of this size! HTH Steve
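An added example, not from the thread and not Samba's build system: the sed workaround above deletes the gnutls_transport_set_lowat() calls unconditionally. The function was removed in GnuTLS 3.0, which is what the libgnutls-devel-3.0.3 packages quoted above provide, so on openSUSE 12.1 the deletion is the right fix; but GnuTLS 2.x still declares it, and running the same sed there would hide the difference between a genuine API change and the missing -devel package raised earlier in the thread. This POSIX sh script checks the installed headers first and only then strips the calls, without sed -i so it also works with non-GNU sed. The Samba file paths follow the tree layout quoted above; the sources and header directories used by the demo are constructed stand-ins, not real Samba or GnuTLS code.

```sh
#!/bin/sh
# Added example (not from the thread, not Samba's build system): apply the
# sed workaround only when the installed GnuTLS headers really lack
# gnutls_transport_set_lowat(). It was removed in GnuTLS 3.0 (openSUSE 12.1
# ships 3.0.3); GnuTLS 2.x still declares it. Paths under SRC follow the
# Samba tree layout quoted in the thread; the demo's headers and sources are
# constructed stand-ins.

# lowat_declared INCLUDE_DIR -> 0 if any gnutls header declares the function
lowat_declared() {
    grep -qs 'gnutls_transport_set_lowat' "${1:-/usr/include}"/gnutls/*.h
}

# strip_lowat FILE -> delete whole-line calls to gnutls_transport_set_lowat()
# (no sed -i, so it also works with non-GNU sed)
strip_lowat() {
    tmp="$1.tmp.$$"
    sed -e '/^[[:space:]]*gnutls_transport_set_lowat([^)]*);[[:space:]]*$/d' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# lowat_calls FILE -> number of remaining calls (0 is not an error here)
lowat_calls() {
    grep -c 'gnutls_transport_set_lowat' "$1" || :
}

# strip_lowat_if_removed SRC [INCLUDE_DIR]
strip_lowat_if_removed() {
    src="$1"; inc="${2:-/usr/include}"
    if lowat_declared "$inc"; then
        echo "gnutls_transport_set_lowat() declared under $inc; leaving sources alone"
        return 0
    fi
    for f in "$src/source4/lib/tls/tls.c" "$src/source4/lib/tls/tls_tstream.c"; do
        [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
        strip_lowat "$f" || return 1
    done
    echo "removed gnutls_transport_set_lowat() calls (headers under $inc lack it)"
}

# make_fake_tree DIR -> constructed stand-ins for the two Samba files and for
# GnuTLS 2.x and 3.x include directories (not real Samba or GnuTLS sources)
make_fake_tree() {
    mkdir -p "$1/samba/source4/lib/tls" "$1/gnutls2/gnutls" "$1/gnutls3/gnutls"
    printf '\tgnutls_transport_set_lowat(tls->session, 0);\n\tgnutls_certificate_type_set_priority(tls->session, cert_type_priority);\n' \
        > "$1/samba/source4/lib/tls/tls.c"
    printf '\tgnutls_transport_set_lowat(tlss->tls_session, 0);\n\treturn 0;\n' \
        > "$1/samba/source4/lib/tls/tls_tstream.c"
    printf 'void gnutls_transport_set_lowat(gnutls_session_t session, int num);\n' \
        > "$1/gnutls2/gnutls/gnutls.h"
    printf '/* GnuTLS 3: lowat is gone */\n' > "$1/gnutls3/gnutls/compat.h"
}

# Demo: with 2.x headers nothing changes; with 3.x headers the calls go away.
demo_dir=$(mktemp -d)
make_fake_tree "$demo_dir"
strip_lowat_if_removed "$demo_dir/samba" "$demo_dir/gnutls2"
echo "calls left in tls.c: $(lowat_calls "$demo_dir/samba/source4/lib/tls/tls.c")"
strip_lowat_if_removed "$demo_dir/samba" "$demo_dir/gnutls3"
echo "calls left in tls.c: $(lowat_calls "$demo_dir/samba/source4/lib/tls/tls.c")"
rm -rf "$demo_dir"
```

On a real checkout the call is `strip_lowat_if_removed /home/steve/samba-master` before running make; the second argument is only needed when GnuTLS headers live somewhere other than /usr/include.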
[Samba] Samba 4 success on openSUSE 12.1
samba -b Samba version: 4.0.0alpha18-GIT-5c53926 Build environment: Build host: Linux hh3 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux openSUSE 12.1 i586 Hi everyone. After: ./source4/setup/provision --realm=hh3.site --domain=HH1 --adminpass=SOMEPASSWORD --server-role='domain controller' The wiki howto for DNS seems to be wrong. I had to do this: Copy /usr/local/samba/private/named.conf to /etc/named.conf.samba4 Copy /usr/local/samba/private/dns/hh3.site.zone to /var/lib/named/master edit /etc/named.conf.samba4 to point to /var/lib/named: zone hh3.site. IN { type master; file /var/lib/named/master/hh3.site.zone; edit /etc/named.conf to include: include /etc/named.conf.samba4; as the last line in the file. Is this correct? On restarting bind there are still errors: Nov 29 19:54:15 hh3 named[4038]: command channel listening on 127.0.0.1#953 Nov 29 19:54:15 hh3 named[4038]: couldn't add command channel ::1#953: address not available Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loaded serial 0 DNS and Kerberos are working fine. Are these errors to do with Samba4? Thanks Steve.
[Samba] Linux users and Samba 4
I have a LAN of linux and win7 clients currently with Samba 3.6 and LDAP. Linux users authenticate against LDAP and are placed in their nfs'd /home folder. The same user can also logon to windows. His roaming profile is stored in his /home folder. (something like .msprofile_v2) How do I transfer my current Linux/Samba 3/LDAP users over to Linux/Samba 4? Thanks. Steve.
Re: [Samba] Linux users and Samba 4
On 29/11/11 20:20, Adam Tauno Williams wrote: On Tue, 2011-11-29 at 20:09 +0100, steve wrote: I have a LAN of linux and win7 clients currently with Samba 3.6 and LDAP. Linux users authenticate against LDAP and are placed in their nfs'd /home folder. The same user can also logon to windows. His roaming profile is stored in his /home folder. (something like .msprofile_v2) How do I transfer my current Linux/Samba 3/LDAP users over to Linux/Samba 4? Samba4's winbind does not support RFC2307, so doing this is pretty rough. I think you need to either use CIFS + winbind everywhere or somehow maintain an external idmap. Yea, it is horrible. We are staring down the barrel of the same gun. I don't believe it. So with samba 4, we are back to having to have two separate accounts and two passwords. AgghhH!!! So, after all this, I've now found out that Samba 4 only caters for windows clients; it does not provide the single sign on that samba3/LDAP offers. That can't be true can it? Any ideas anyone? Thanks Steve.
Re: [Samba] Samba 4 success on openSUSE 12.1
studied some faqs, this file should be autocreated if the related dir is writable restart bind (named) and look if the log shows the failure up again Yep. Still there: Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loaded serial 0 Nov 29 20:49:23 hh3 named[4952]: Starting name server BIND ..done Nov 29 20:49:23 hh3 named[5000]: running What is the directory that should be writeable? Cheers Steve.
Re: [Samba] Linux users and Samba 4 (bug submitted)
On 29/11/11 20:34, steve wrote: On 29/11/11 20:20, Adam Tauno Williams wrote: On Tue, 2011-11-29 at 20:09 +0100, steve wrote: I have a LAN of linux and win7 clients currently with Samba 3.6 and LDAP. Linux users authenticate against LDAP and are placed in their nfs'd /home folder. The same user can also logon to windows. His roaming profile is stored in his /home folder. (something like .msprofile_v2) How do I transfer my current Linux/Samba 3/LDAP users over to Linux/Samba 4? Samba4's winbind does not support RFC2307, so doing this is pretty rough. I think you need to either use CIFS + winbind everywhere or somehow maintain an external idmap. Yea, it is horrible. We are staring down the barrel of the same gun. I don't believe it. So with samba 4, we are back to having to have two separate accounts and two passwords. AgghhH!!! So, after all this, I've now found out that Samba 4 only caters for windows clients; it does not provide the single sign on that samba3/LDAP offers. That can't be true can it? Any ideas anyone? Thanks Steve. For many this is a Samba 4 show stopper. Just found the bugzilla and signed up: The Samba-Bugzilla – Bug 8635 Submitted Thanks Steve
[Samba] Samba 4 home folder
Hi What is the equivalent of a users /home folder on Samba 4? What is the equivalent of the Samba 3 [homes] share? Where are user files stored? Steve.
Re: [Samba] Linux users and Samba 4
On 30/11/11 07:50, Michael Wood wrote: On 29 November 2011 21:34, stevest...@steve-ss.com wrote: On 29/11/11 20:20, Adam Tauno Williams wrote: On Tue, 2011-11-29 at 20:09 +0100, steve wrote: I have a LAN of linux and win7 clients currently with Samba 3.6 and LDAP. Linux users authenticate against LDAP and are placed in their nfs'd /home folder. The same user can also logon to windows. His roaming profile is stored in his /home folder. (something like .msprofile_v2) How do I transfer my current Linux/Samba 3/LDAP users over to Linux/Samba 4? Samba4's winbind does not support RFC2307, so doing this is pretty rough. I think you need to either use CIFS + winbind everywhere or somehow maintain an external idmap. Yea, it is horrible. We are staring down the barrel of the same gun. I don't believe it. So with samba 4, we are back to having to have two separate accounts and two passwords. AgghhH!!! So, after all this, I've now found out that Samba 4 only caters for windows clients; it does not provide the single sign on that samba3/LDAP offers. That can't be true can it? Any ideas anyone? Bear in mind that Samba 4 is still alpha. There has not been a production release yet. As Jeremy said, they are discussing what needs to be done before releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba 4's winbind etc., so if something that is critical for you does not currently work, you should file a bug report. Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta. https://bugzilla.samba.org/show_bug.cgi?id=8635 Thanks Steve.
[Samba] Samba 4 security
Hi Samba 4 from GIT yesterday. openSUSE 12.2 server and client test setup. Reproducible on an Ubuntu client too. in smb.conf have:

[homes]
path = /home
read only = no

On a linux client (eg using konqueror or dolphin or nautilus) I enter smb://hh3/steve where hh3 is the name of the samba server. Samba is not installed on the clients. As a normal user, I can enter everyone else's /home folder and create and delete anything I want! Surely this can't be correct. Anyone else? Cheers Steve.
[Samba] Samba 4 and phpldapadmin
Hi Samba 4 tells me that my DN is CN=MicrosoftDNS,CN=System,DC=hh3,DC=site But phpldapadmin will not accept this:

Unable to connect to LDAP server Samba4 LDAP Server
Error: Invalid credentials (49) for user
Failed to Authenticate to server Invalid Username or Password.

What is the DN of a standard install after provisioning?

/srv/www/htdocs/phpldapadmin/cnfig/config.php

$i=0;
$servers = new Datastore;
$servers->newServer('ldap_pla');
$servers->SetValue('server','name','Samba4 LDAP Server');
$servers->SetValue('server','host','ldapi://%2Fusr%2Flocal%2Fsamba%2Fpriva
//$servers->SetValue('server','auth_type','session');
$servers->SetValue('login','attr','dn');

Thanks Steve.
Re: [Samba] Samba 4 and phpldapadmin
Try something like CN=Administrator,CN=Users,DC=hh3,DC=site Yep. That's it Thanks Steve.
Re: [Samba] Linux users and Samba 4
On 30/11/11 16:40, Matthieu Patou wrote: Matthieu, On 30/11/2011 08:09, steve wrote: Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta. Certainly true, why not trying to start working on solution on your own, by doing the first move you have much more insurance that someone else will help you to make it good for master tree. Matthieu. Well, I'm no developer and only have an old laptop running from a usb memory stick for testing but I've made a start by adding a home directory attribute to Samba 4 user database using phpldapadmin. But now I'm stuck since I don't know where or how the roaming profiles are stored. In Samba 3 they were stored in the /home of the user. With AD it seems that they are all saved in a [profiles] share. That bit I think I understand so I think the solution to single sign on with Samba 4 would be linking the roaming profile to a users /home folder. Or make the profiles share subfolder the /home folder for Linux. With Samba3 and LDAP, all this was centralised and easy to administer. In openSUSE, YAST would create an LDAP user for you and give him the Samba attributes he needed. It even created his home folder too. It was simple for a linux user to logon to windows and vice versa. Samba 4 takes away this centralisation. It also has the inconvenience of having to use windows to administer the Samba server. I feel that Samba devs have forgotten that Linux clients are just as important as windows clients in the network. They seem to think that Linux is only ever used as a server and clients are only ever windows 7! Another bit I don't get is where a file that is created on a windows client is stored on the Samba server? The documentation is not clear here. As basic as that. Does any of this make sense? Cheers Steve.
Re: [Samba] Samba 4 security
On 30/11/11 16:43, Matthieu Patou wrote: On 30/11/2011 10:48, steve wrote: Hi Samba 4 from GIT yesterday. openSUSE 12.2 server and client test setup. Reproducible on an Ubuntu client too. in smb.conf have:

[homes]
path = /home
read only = no

On a linux client (eg using konqueror or dolphin or nautilus) I enter smb://hh3/steve where hh3 is the name of the samba server. Samba is not installed on the clients. anyone As a normal user, I can enter everyone else's /home folder and create and delete anything I want! ACLs on subfolder might be wrong. Your script for creating the user and the user dir must take care of giving the correct rights. Matthieu. Each subfolder of /home is username:users. A file which is 0755 steve:users can be deleted by anyone. Samba 4 does not prompt for a username and password when entering any share. This is just a plain install of:

samba -V
Version 4.0.0alpha18-GIT-5c53926

Thanks Steve
Re: [Samba] Linux users and Samba 4
On 30/11/11 17:40, Adam Tauno Williams wrote: On Wed, 2011-11-30 at 17:37 +0100, steve wrote: On 30/11/11 16:40, Matthieu Patou wrote: Matthieu, On 30/11/2011 08:09, steve wrote: Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta. Certainly true, why not trying to start working on solution on your own, by doing the first move you have much more insurance that someone else will help you to make it good for master tree. Well, I'm no developer and only have an old laptop running from a usb memory stick for testing but I've made a start by adding a home directory attribute to Samba 4 user database using phpldapadmin. But now I'm stuck since I don't know where or how the roaming profiles are stored. In Samba 3 they were stored in the /home of the user. The statement "In Samba 3 they were stored in the /home of the user" is false. They are stored where they are configured to be stored; we do not store profiles in home directories [and generally I think that is a bad idea]. Samba4 provisions a shared volume for storing a user's roaming profile. Yes. I am wrong. But if the Linux user does not have access to the roaming profile, then how can he edit any of the files stored e.g. on his windows desktop? Steve.
Re: [Samba] Linux users and Samba 4
On 30/11/11 17:46, Adam Tauno Williams wrote: On Wed, 2011-11-30 at 17:37 +0100, steve wrote: On 30/11/11 16:40, Matthieu Patou wrote: Matthieu, On 30/11/2011 08:09, steve wrote: Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta. Certainly true, why not trying to start working on solution on your own, by doing the first move you have much more insurance that someone else will help you to make it good for master tree. Well, I'm no developer and only have an old laptop running from a usb memory stick for testing but I've made a start by adding a home directory attribute to Samba 4 user database using phpldapadmin. But now I'm stuck since I don't know where or how the roaming profiles are stored. In Samba 3 they were stored in the /home of the user. The statement "In Samba 3 they were stored in the /home of the user" is false. They are stored where they are configured to be stored; we do not store profiles in home directories [and generally I think that is a bad idea]. Samba4 provisions a shared volume for storing a user's roaming profile. By default something like:

[profiles]
path = /usr/local/samba/var/profiles
read only = no

Which is very much the same as S3. With AD it seems that they are all saved in a [profiles] share. Yes, and nothing changed there. think I understand so I think the solution to single sign on with Samba 4 would be linking the roaming profile to a users /home folder. No. The roaming profile is the roaming profile, the user's home directory is the user's home directory. You can map a drive to their home directory or use folder redirection via policy [just like in Samba3]. the profiles share subfolder the /home folder for Linux. With Samba3 and LDAP, all this was centralised and easy to administer. I don't know about easy. After many years it feels a bit more like cleverly-hacked. :) would create an LDAP user for you and give him the Samba attributes he needed. It even created his home folder too. It was simple for a linux user to logon to windows and vice versa. Samba 4 takes away this centralisation. It also has the inconvenience of having to use windows to administer the Samba server. This loss is temporary until the tool-chain catches up to Samba 4 - which provides Python bindings, command line tools, and [of course] the entire AD RPC approach. I feel that Samba devs have forgotten that Linux clients are just as important as windows clients in the network. They seem to think that Linux is only ever used as a server and clients are only ever windows 7! Heh, I think the current situation sucks for servers too! :) But nobody has forgotten anything - it is just not there yet. A simple issue of resource constraints. Another bit I don't get is where a file that is created on a windows client is stored on the Samba server? The documentation is not clear here. As basic as that. That works the same as in Samba 3. Does any of this make sense? The frustration, yes, and it is shared. Getting from S3 to AD has been ugly going so far. But many of your presumptions are incorrect; you are assuming that things configured by your tool-chain are fundamental Samba behaviors. OK I think I'm getting somewhere. I have a Samba 3 user who authenticates against LDAP. He has a /home folder and sees his files either from a linux client or from a windows client. If I could get an answer to my next question, I'd be there: Starting from nothing, how would I create a new user under Samba 4 who could see his files on both windows and Linux clients? Under Samba 4 I cannot find where his /home folder comes into the equation! Thanks for your patience. Steve.
Re: [Samba] Samba 4 security
On 30/11/11 19:20, Matthieu Patou wrote: Hello, Each subfolder of /home is username:users. A file which is 0755 steve:users can be deleted by anyone. Samba 4 does not prompt for a username and password when entering any share. This is just a plain install of: Where is the /home ? on the Samba 4 AD server ? mounted on the client ? How did you create the subfolders ? Can you give a detailed list of actions to reproduce your problem ? Matthieu. I've tried both. In this example hh3 is the Samba server 192.168.1.3 smb.conf has:

[home]
path = /home
read only = no

/home has 2 users /home folders. /home/steve and /home/lynn both owned by their respective steve:users and lynn:users. Both users were created before Samba 4 was installed. Linux does not allow file creation nor deleting between the 2 folders. so, on hh3:

login as steve
on konq do smb://hh3
click on the home folder
enter the lynn folder
create a file (it shouldn't allow you)
delete a different file (it shouldn't allow you)
Now go over to another client, 192.168.1.4
Login as someone different but not root.
repeat above.

The user on another physical box can also delete and create files in either the lynn or steve home folders. With Samba 3, the user is asked to authenticate as expected. Samba 4 never asks for authentication. I think that this is because the share tells Samba 4 nothing about user access. Reproducible: Usually. Sometimes, after a reboot of the server, Samba 4 will give access denied popups as expected. The error seems to creep in after a few minutes of uptime. Cheers Steve.
Re: [Samba] Samba 4 security
On 01/12/11 00:37, Matthieu Patou wrote: Hello Steve, On 30/11/2011 19:52, steve wrote: On 30/11/11 19:20, Matthieu Patou wrote: Hello, Each subfolder of /home is username:users. A file which is 0755 steve:users can be deleted by anyone. Samba 4 does not prompt for a username and password when entering any share. This is just a plain install of: Where is the /home ? on the Samba 4 AD server ? mounted on the client ? How did you create the subfolders ? Can you give a detailed list of actions to reproduce your problem ? Matthieu. I've tried both. In this example hh3 is the Samba server 192.168.1.3 smb.conf has:

[home]
path = /home
read only = no

/home has 2 users /home folders. /home/steve and /home/lynn both owned by their respective steve:users and lynn:users. Both users were created before Samba 4 was installed. Linux does not allow file creation nor deleting between the 2 folders. Well this points me already to something wrong in what you have done. Because it's not because you have users steve and lynn on the Linux/Unix side that your users created in the active directory will be the same at all. Then I suspect konq to implicitly use your linux user as the default smb user and if the password matches then you won't be prompted for a password. In order to be sure you'd better do the test with smbclient. For me smbclient didn't give me access if I don't put a password:

smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]

Sharename  Type  Comment
---------  ----  -------
home       Disk
netlogon   Disk
sysvol     Disk
IPC$       IPC   IPC Service
zeus is an IPv6 address -- no workgroup available

smbclient //zeus/home
Enter mat's password:

so, on hh3:

login as steve
on konq do smb://hh3
click on the home folder
enter the lynn folder
create a file (it shouldn't allow you)
delete a different file (it shouldn't allow you)
Now go over to another client, 192.168.1.4
Login as someone different but not root.
repeat above.

The user on another physical box can also delete and create files in either the lynn or steve home folders. I suggest to make a trace with tcpdump in order to know which user konq is using to authenticate you against the samba 4 server. Apart from this you have to know the current file server for the Samba AD (called samba4 so far) uses full NT acls that are usually stored in security.NTACL, in the extended attributes; when this information is not present it uses the posix acls and posix rights and tries to translate them to their NT acls equivalent. It seems that here you have found a bug in the way the translation is done. Matthieu. Hi Using my setup: smbclient -L //hh3 does not work. It sits there forever. Server: hh3.site, domain HH1. Linux users lynn and steve who are also Samba 4 users. The Linux /home folders are /home/lynn and /home/steve This does:

steve@hh3:~> smbclient -L hh3
Password for [HH1\steve]:

Sharename  Type  Comment
---------  ----  -------
netlogon   Disk
sysvol     Disk
test       Disk
homes      Disk
IPC$       IPC   IPC Service
REWRITE: list servers not implemented

then, confirming what happens in a GUI:

steve@hh3:~> smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .       D  0  Wed Nov 30 20:37:48 2011
  ..      D  0  Thu Dec  1 12:03:46 2011
  lynn    D  0  Wed Nov 30 20:50:53 2011
  steve   D  0  Thu Dec  1 12:17:20 2011

		29284192 blocks of size 512. 9509912 blocks available
smb: \> cd lynn
smb: \lynn\> ls
  .       D  0  Wed Nov 30 20:50:53 2011
  ..      D  0  Wed Nov 30 20:37:48 2011
  d       D  0  Wed Nov 30 20:50:53 2011

		29284192 blocks of size 512. 9509912 blocks available
smb: \lynn\> rmdir d
smb: \lynn\> ls
  .       D  0  Thu Dec  1 12:21:17 2011
  ..      D  0  Wed Nov 30 20:37:48 2011

		29284192 blocks of size 512. 9509920 blocks available
smb: \lynn\> mkdir hello
smb: \lynn\> ls
  .       D  0  Thu Dec  1 12:25:22 2011
  ..      D  0  Wed Nov 30 20:37:48 2011
  hello   D  0  Thu Dec  1 12:25:22 2011

		29284192 blocks of size 512. 9509888 blocks available

It's the same using smbclient or konq. Thanks. Steve
Re: [Samba] Samba 4 make fails (openSUSE 12.1) [SOLVED]
On 30/11/11 22:33, Adam Tauno Williams wrote: On Tue, 2011-11-29 at 06:23 +0100, steve wrote: On 28/11/11 21:14, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 20:16 +0100, steve wrote: On 28/11/11 16:23, Adam Tauno Williams wrote: On Mon, 2011-11-28 at 17:16 +0200, Michael Wood wrote: 2011/11/28 Samba-JP ootarib...@samba.gr.jp: On Mon, Nov 28, 2011 at 05:52:55AM -0500, Adam Tauno Williams wrote Yep. I updated my test VM to openSUSE 12.1 [Bind 9.8!!!]. And I get the same failure when building. make fails:

[ 976/3909] Compiling source4/lib/tls/tls.c
../source4/lib/tls/tls.c: In function ‘tls_init_server’:
../source4/lib/tls/tls.c:508:2: error: implicit declaration of function ‘gnutls_transport_set_lowat’ [-Werror=implicit-function-declaration]
../source4/lib/tls/tls.c: In function ‘tls_init_client’:
../source4/lib/tls/tls.c:569:2: warning: ‘gnutls_certificate_type_set_priority’ is deprecated (declared at /usr/include/gnutls/compat.h:288) [-Wdeprecated-declarations]
cc1: some warnings being treated as errors
Waf: Leaving directory `/home/steve/samba-master/bin'
Build failed: -> task failed (err #1): {task: cc tls.c -> tls_1.o}
make: *** [all] Error 1

My test server (openSUSE 12.1 x86-64) has no problem

[ 985/3936] Compiling source4/lib/tls/tls.c
[ 986/3936] Compiling source4/lib/tls/tlscert.c
../source4/lib/tls/tlscert.c:174:6: warning: no previous prototype for ‘tls_cert_dummy’ [-Wmissing-prototypes]
[ 987/3936] Compiling source4/lib/tls/tls_tstream.

Then from: http://aur.archlinux.org/packages.php?ID=40043

sed -i -e "s/gnutls_transport_set_lowat(tlss->tls_session, 0);//" \
    source4/lib/tls/tls_tstream.c
sed -i -e "s/gnutls_transport_set_lowat(tls->session, 0);//" \
    source4/lib/tls/tls.c

Am now at 2503/3909 of the make. The only test box I have is a 512Mb acer laptop running 12.1 from a 16Gb usb stick. Not ideal for code of this size! Getting up to commit 456c69f95e7a672c4cc9a5e6e52fb37e14012304 fixed the issue for me. Samba4 now builds on my openSUSE 12.1 x86_64 box.

Hi Sorry, but I don't understand that. I have the stuff from git downloaded as explained in the samba 4 wiki. Monday I think. Has there been a change since then? Cheers
Re: [Samba] Samba 4 security
On 02/12/11 12:08, Matthieu Patou wrote: On 01/12/2011 12:35, steve wrote: On 01/12/11 00:37, Matthieu Patou wrote: Hello Steve, On 30/11/2011 19:52, steve wrote: On 30/11/11 19:20, Matthieu Patou wrote: Hello, Each subfolder of /home is username:users. A file which is 0755 steve:users can be deleted by anyone. Samba 4 does not prompt for a username and password when entering any share. This is just a plain install of: Where is the /home ? on the Samba 4 AD server ? mounted on the client ? How did you create the subfolders ? Can you give a detailed list of actions to reproduce your problem ? Matthieu. I've tried both. In this example hh3 is the Samba server 192.168.1.3 smb.conf has:

[home]
path = /home
read only = no

/home has 2 users /home folders. /home/steve and /home/lynn both owned by their respective steve:users and lynn:users. Both users were created before Samba 4 was installed. Linux does not allow file creation nor deleting between the 2 folders. Well this points me already to something wrong in what you have done. Because it's not because you have users steve and lynn on the Linux/Unix side that your users created in the active directory will be the same at all. Then I suspect konq to implicitly use your linux user as the default smb user and if the password matches then you won't be prompted for a password. In order to be sure you'd better do the test with smbclient. For me smbclient didn't give me access if I don't put a password:

smbclient -L //zeus
Enter mat's password:
Anonymous login successful
Domain=[MATWS] OS=[Unix] Server=[Samba 4.0.0alpha18-DEVELOPERBUILD]

Sharename  Type  Comment
---------  ----  -------
home       Disk
netlogon   Disk
sysvol     Disk
IPC$       IPC   IPC Service
zeus is an IPv6 address -- no workgroup available

smbclient //zeus/home
Enter mat's password:

so, on hh3:

login as steve
on konq do smb://hh3
click on the home folder
enter the lynn folder
create a file (it shouldn't allow you)
delete a different file (it shouldn't allow you)
Now go over to another client, 192.168.1.4
Login as someone different but not root.
repeat above.

The user on another physical box can also delete and create files in either the lynn or steve home folders. I suggest to make a trace with tcpdump in order to know which user konq is using to authenticate you against the samba 4 server. Apart from this you have to know the current file server for the Samba AD (called samba4 so far) uses full NT acls that are usually stored in security.NTACL, in the extended attributes; when this information is not present it uses the posix acls and posix rights and tries to translate them to their NT acls equivalent. It seems that here you have found a bug in the way the translation is done. Matthieu. Hi Using my setup: smbclient -L //hh3 does not work. It sits there forever. Server: hh3.site, domain HH1. Linux users lynn and steve who are also Samba 4 users. The Linux /home folders are /home/lynn and /home/steve This does:

steve@hh3:~> smbclient -L hh3
Password for [HH1\steve]:

Sharename  Type  Comment
---------  ----  -------
netlogon   Disk
sysvol     Disk
test       Disk
homes      Disk
IPC$       IPC   IPC Service
REWRITE: list servers not implemented

then, confirming what happens in a GUI: So you are prompted for a password right ?

steve@hh3:~> smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .       D  0  Wed Nov 30 20:37:48 2011
  ..      D  0  Thu Dec  1 12:03:46 2011
  lynn    D  0  Wed Nov 30 20:50:53 2011
  steve   D  0  Thu Dec  1 12:17:20 2011

		29284192 blocks of size 512. 9509912 blocks available
smb: \> cd lynn
smb: \lynn\> ls
  .       D  0  Wed Nov 30 20:50:53 2011
  ..      D  0  Wed Nov 30 20:37:48 2011
  d       D  0  Wed Nov 30 20:50:53 2011

		29284192 blocks of size 512. 9509912 blocks available
smb: \lynn\> rmdir d
smb: \lynn\> ls
  .       D  0  Thu Dec  1 12:21:17 2011
  ..      D  0  Wed Nov 30 20:37:48 2011

		29284192 blocks of size 512. 9509920 blocks available
smb: \lynn\> mkdir hello
smb: \lynn\> ls
  .       D  0  Thu Dec  1 12:25:22 2011
  ..      D  0  Wed Nov 30 20:37:48 2011
  hello   D  0  Thu Dec  1 12:25:22 2011

		29284192 blocks of size 512. 9509888 blocks available

It's the same using smbclient or konq. Can you refresh, a change has been made to correct a bug. Beware that on your machine where samba 4 DC is running files / folders need to have the gid/uid of your AD users not your linux users. Matthieu. Did a git pull ./configure.developer make and make install about an hour ago. And, well, something has changed. Now neither user can create nor delete files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .       D  0  Wed Nov 30 20:37:48 2011
  ..      D  0  Fri Dec  2 07:15:17 2011
  lynn    D  0  Thu Dec  1 13:25:45 2011
  steve   D  0  Fri Dec  2 11:50:09 2011

		29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote
Re: [Samba] Samba 4 security
On 02/12/11 14:38, Jorell wrote: I thought the answer to file sharing with Samba 4 was to use Samba 3.x. I want a file server and a logon server for both windows and Linux clients. Samba 4 is oh so close to giving us that. All under one roof. C'mon guys. Just one final push for the summit and we're there.
[Samba] samba 4 named. dlz_bind9.so not found
Hi everyone openSUSE 12.1 samba Version 4.0.0alpha18-GIT-30d4484 Following the wiki instructions for Samba 4, I added

include "/usr/local/samba/private/named.conf";

to /etc/named.conf (the last line) The logs give:

3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - /usr/local/samba/modules/bind. . .no such file. . .
3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
3 23:52:50 hh3 named[5743]: loading configuration: failure
3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

The file is in the place it should be but named is chrooted and that path is not inside the jail. If that's correct, and the wiki is to stay the same then dlz_bind9.so should be copied to: /var/lib/named/usr/local/samba/modules/bind9/ But if I do that, I now get another error:

Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot open shared object file: No such file. . .
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

Ahhgghh! openSUSE makes it difficult to remove the chroot, which I think is the problem. Does anyone know how I can get around this? Thanks. Steve.
Re: [Samba] samba 4 named. dlz_bind9.so not found
Hi again I reinstalled Samba 4 and bind from nothing. Following the wiki I now get this: with

include "/usr/local/samba/private/named.conf";

in the options{} section of /etc/named.conf, I get this:

Dec 4 08:10:43 hh3 named[5470]: Starting name server BIND /usr/local/samba/private/named.conf:11: unknown option 'dlz'

When it is outside the options {} I get this:

Dec 4 08:12:58 hh3 named[5597]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 08:12:58 hh3 named[5597]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot open shared object file: No such file or directory
Dec 4 08:12:58 hh3 named[5597]: dlz_dlopen of 'AD DNS Zone' failed
Dec 4 08:12:58 hh3 named[5597]: SDLZ driver failed to load.
Dec 4 08:12:58 hh3 named[5597]: DLZ driver failed to load.
Dec 4 08:12:58 hh3 named[5597]: loading configuration: failure
Dec 4 08:12:58 hh3 named[5597]: exiting (due to fatal error)
Dec 4 08:12:58 hh3 named[5547]: Starting name server BIND ..failed
Dec 4 08:12:58 hh3 systemd[1]: named.service: control process exited, code=exited status=1
Dec 4 08:12:58 hh3 systemd[1]: Unit named.service entered failed state.

What am I missing? Thanks Steve. On 04/12/11 00:40, steve wrote: Hi everyone openSUSE 12.1 samba Version 4.0.0alpha18-GIT-30d4484 Following the wiki instructions for Samba 4, I added

include "/usr/local/samba/private/named.conf";

to /etc/named.conf (the last line) The logs give:

3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - /usr/local/samba/modules/bind. . .no such file. . .
3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
3 23:52:50 hh3 named[5743]: loading configuration: failure
3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

The file is in the place it should be but named is chrooted and that path is not inside the jail. If that's correct, and the wiki is to stay the same then dlz_bind9.so should be copied to: /var/lib/named/usr/local/samba/modules/bind9/ But if I do that, I now get another error:

Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot open shared object file: No such file. . .
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

Ahhgghh! openSUSE makes it difficult to remove the chroot, which I think is the problem. Does anyone know how I can get around this? Thanks. Steve.
Re: [Samba] Samba 4 security
On 03/12/11 17:32, Matthieu Patou wrote:

Steve

Beware that on your machine where samba 4 DC is running file / folders needs to have guid/uid of your AD users not your linux users.

Did you read this ^.

Did a git pull ./configure.developer make and make install about an hour ago. And, well, something has changed. Now neither user can create nor delete files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .                                   D        0  Wed Nov 30 20:37:48 2011
  ..                                  D        0  Fri Dec  2 07:15:17 2011
  lynn                                D        0  Thu Dec  1 13:25:45 2011
  steve                               D        0  Fri Dec  2 11:50:09 2011

		29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>

This has something to do with uid/gid no? But wait, both steve and lynn _are_ AD users who just happen to have linux accounts.

No, there is something that you misunderstand. The thing is that in order to do the file access control samba needs to know on behalf of which uid/gid the accesses are done. With the samba 3.x series you have different ways of doing this mapping, or you create unix users that have the same name as the user declared in Samba (either in the local sam or in the NT domain sam), but most of the time now it's winbind that is used. In Samba AD there is just the winbind solution, as the other solutions didn't have a real interest in the context of an active directory domain.

So what does winbind do? It allocates a UID to users and a GID to groups; in a database it stores the association SID-UID/GID, and the next time it is asked to translate the same SID to a UID/GID it will use the value in its database.

In your particular case, when you connect to the samba AD with smbclient as AD user steve and try to create a dir, the server checks the security.NTACL extended attribute; as it doesn't exist it knows that it will have to translate posix rights to NT ACLs. At this moment, in order to know if you are the owner of the parent directory or in the group of the parent directory, it will ask its internal winbind to translate the user's SID and the SIDs of the user's groups to a UID and GIDs, and it will turn out that the UID of unix user steve is not at all the UID of AD user steve (which is in the 300+ range); as the other translated posix rights didn't give any write rights to the AD user, the directory was not created.

How do I change the gid/uid of my linux users to the gid/uid of the AD users? Is there a script? But that shouldn't matter, no? Thinking you may want more info I'll leave it as it is for now. The users are the same as they were before the new build. I did not delete and recreate them.

Sure, this is the expected behavior. Before there was a bug in the posix to NT ACLs translation that granted the write right even if you had just the read and execute right; you can have the details by looking at this changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67

I don't really know your case but I think it's not such a problem, at least so far nobody complained; on the DC you don't need to create unix accounts for the AD users. As you need to create a directory for each user there are a couple of solutions:

1) change the rights on the directory that is shared as home so that the group has write rights, then change the group to be users (that's because we map the domain users group to the users unix group)

2) for each user connect using smbclient and create the directory of this user, or for each user use wbinfo -i ad_user, then create a folder for this user and use the uid obtained with wbinfo to set the owner of the directory.

For instance on my test server I have:

./bin/wbinfo -i steve
MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false

Note: first you have to do a ./bin/wbinfo -u and beware the first time it is _slow_

Matthieu.

Hi Matthieu

Thanks for your patience. Yes, your clear explanation is excellent. I'm going to try it as soon as I get Samba 4 running again. I reinstalled from nothing to get a clean slate. Now, DNS isn't working. The method of configuring as outlined in the wiki doesn't work anymore. The dns files in /usr/local/samba/private have changed since my first install last week:( I've another thread open on this.

Thanks again
Steve.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba 4 named. dlz_bind9.so not found
Hi Marcel

Thanks for the confirmation. It narrows down the problem. I can confirm: /usr/local/samba/modules/bind9/dlz_bind9.so is there OK. However:

hh3:/home/steve # echo $LD_LIBRARY_PATH

hh3:/home/steve # export LD_LIBRARY_PATH=/usr/local/samba/modules/bind9/
hh3:/home/steve # echo $LD_LIBRARY_PATH
/usr/local/samba/modules/bind9/
hh3:/home/steve # rcnamed restart
redirecting to systemctl
Job failed. See system logs and 'systemctl status' for details.

And the file not found error reappears even with the library path set. In openSUSE named runs chroot (at /var/lib/named). Could that be why it cannot find the library at the given path? Or a combination of the jail and the path? Confused.

Any ideas?
Cheers
Steve.

On 04/12/11 09:45, Marcel Ritter wrote:

Hi Steve,

the last configuration is the correct one. However you may have to set LD_LIBRARY_PATH to the directory containing libsamdb.so.0 (or other libraries it may complain about during startup).

Bye,
Marcel

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 08:16
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

Hi again

I reinstalled Samba 4 and bind from nothing. Following the wiki I now get this. With

include "/usr/local/samba/private/named.conf";

in the options{} section of /etc/named.conf, I get this:

Dec 4 08:10:43 hh3 named[5470]: Starting name server BIND /usr/local/samba/private/named.conf:11: unknown option 'dlz'

When it is outside the options {} I get this:

Dec 4 08:12:58 hh3 named[5597]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 08:12:58 hh3 named[5597]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot open shared object file: No such file or directory
Dec 4 08:12:58 hh3 named[5597]: dlz_dlopen of 'AD DNS Zone' failed
Dec 4 08:12:58 hh3 named[5597]: SDLZ driver failed to load.
Dec 4 08:12:58 hh3 named[5597]: DLZ driver failed to load.
Dec 4 08:12:58 hh3 named[5597]: loading configuration: failure
Dec 4 08:12:58 hh3 named[5597]: exiting (due to fatal error)
Dec 4 08:12:58 hh3 named[5547]: Starting name server BIND ..failed
Dec 4 08:12:58 hh3 systemd[1]: named.service: control process exited, code=exited status=1
Dec 4 08:12:58 hh3 systemd[1]: Unit named.service entered failed state.

What am I missing?
Thanks
Steve.

On 04/12/11 00:40, steve wrote:

Hi everyone

openSUSE 12.1
samba Version 4.0.0alpha18-GIT-30d4484

Following the wiki instructions for Samba 4, I added

include "/usr/local/samba/private/named.conf";

to /etc/named.conf (the last line). The logs give:

3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - /usr/local/samba/modules/bind. . .no such file. . .
3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
3 23:52:50 hh3 named[5743]: loading configuration: failure
3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

The file is in the place it should be but named is chrooted and that path is not inside the jail. If that's correct, and the wiki is to stay the same, then dlz_bind9.so should be copied to:

/var/lib/named/usr/local/samba/modules/bind9/

But if I do that, I now get another error:

Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot open shared object file: No such file. . .
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

Ahhgghh! openSUSE makes it difficult to remove the chroot, which I think is the problem. Does anyone know how I can get around this?

Thanks.
Steve.
[Samba] resara frontend for Samba 4
Hi

I had a go at resara (resara.org), mainly because it looks like they have written a GUI to manage AD under Linux. I got the source code since I don't have enough resources for their virtual machine. The documentation is poor, but I managed to compile and install from source on Ubuntu 11.10. Now I'm stuck. It doesn't mention anything about Samba 4 integration or where to start unless you go for the virtual machine option.

Anyone got it going from source?

Thanks
Steve.
Re: [Samba] samba 4 named. dlz_bind9.so not found
On 04/12/11 14:19, Marcel Ritter wrote:

Hi Steve,

it's quite likely that bind running in chroot is the cause of the problem. You can easily test it by disabling chroot for named on SuSE systems by editing /etc/sysconfig/named

NAMED_RUN_CHROOTED=no

If the problem is still there, try running named using strace, and have a look at all stat()/open() calls concerning dlz_bind9.so. This should give some hints about missing files/permissions and may help to narrow down the problem.

Bye,
Marcel

Hi Marcel

Progress. Removing the jail worked and named starts. It's getting better. Now I have this:

hh3:/home/steve # host -t SRV _ldap._tcp.hh3.site.
_ldap._tcp.hh3.site has SRV record 0 100 389 hh3.hh3.site.
hh3:/home/steve # host -t SRV _kerberos._udp.hh3.site.
_kerberos._udp.hh3.site has SRV record 0 100 88 hh3.hh3.site.
hh3:/home/steve # host -t A samba.hh3.site
Host samba.hh3.site not found: 3(NXDOMAIN)

2 successes and 1 failure. (hh3.site is the fqdn)

The logs give this:

Dec 4 17:04:27 hh3 named[3383]: couldn't add command channel ::1#953: address not available
Dec 4 17:04:27 hh3 named[3383]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: zone localhost/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Dec 4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loaded serial 0
Dec 4 17:04:27 hh3 named[3356]: Starting name server BIND ..done
Dec 4 17:04:27 hh3 named[3383]: running

Am trying hard to keep calm! I asked about the managed-keys-zone on the openSUSE list a few days ago, but nothing. Any ideas where to turn next?

Cheers
Steve
Re: [Samba] Samba 4 security
On 04/12/11 09:04, steve wrote:

On 03/12/11 17:32, Matthieu Patou wrote:

Steve

Beware that on your machine where samba 4 DC is running file / folders needs to have guid/uid of your AD users not your linux users.

Did you read this ^.

Did a git pull ./configure.developer make and make install about an hour ago. And, well, something has changed. Now neither user can create nor delete files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
  .                                   D        0  Wed Nov 30 20:37:48 2011
  ..                                  D        0  Fri Dec  2 07:15:17 2011
  lynn                                D        0  Thu Dec  1 13:25:45 2011
  steve                               D        0  Fri Dec  2 11:50:09 2011

		29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>

This has something to do with uid/gid no? But wait, both steve and lynn _are_ AD users who just happen to have linux accounts.

No, there is something that you misunderstand. The thing is that in order to do the file access control samba needs to know on behalf of which uid/gid the accesses are done. With the samba 3.x series you have different ways of doing this mapping, or you create unix users that have the same name as the user declared in Samba (either in the local sam or in the NT domain sam), but most of the time now it's winbind that is used. In Samba AD there is just the winbind solution, as the other solutions didn't have a real interest in the context of an active directory domain.

So what does winbind do? It allocates a UID to users and a GID to groups; in a database it stores the association SID-UID/GID, and the next time it is asked to translate the same SID to a UID/GID it will use the value in its database.

In your particular case, when you connect to the samba AD with smbclient as AD user steve and try to create a dir, the server checks the security.NTACL extended attribute; as it doesn't exist it knows that it will have to translate posix rights to NT ACLs. At this moment, in order to know if you are the owner of the parent directory or in the group of the parent directory, it will ask its internal winbind to translate the user's SID and the SIDs of the user's groups to a UID and GIDs, and it will turn out that the UID of unix user steve is not at all the UID of AD user steve (which is in the 300+ range); as the other translated posix rights didn't give any write rights to the AD user, the directory was not created.

How do I change the gid/uid of my linux users to the gid/uid of the AD users? Is there a script? But that shouldn't matter, no? Thinking you may want more info I'll leave it as it is for now. The users are the same as they were before the new build. I did not delete and recreate them.

Sure, this is the expected behavior. Before there was a bug in the posix to NT ACLs translation that granted the write right even if you had just the read and execute right; you can have the details by looking at this changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67

I don't really know your case but I think it's not such a problem, at least so far nobody complained; on the DC you don't need to create unix accounts for the AD users. As you need to create a directory for each user there are a couple of solutions:

1) change the rights on the directory that is shared as home so that the group has write rights, then change the group to be users (that's because we map the domain users group to the users unix group)

2) for each user connect using smbclient and create the directory of this user, or for each user use wbinfo -i ad_user, then create a folder for this user and use the uid obtained with wbinfo to set the owner of the directory.

For instance on my test server I have:

./bin/wbinfo -i steve
MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false

Note: first you have to do a ./bin/wbinfo -u and beware the first time it is _slow_

Matthieu.

Hi Matthieu

Thanks for your patience. Yes, your clear explanation is excellent. I'm going to try it as soon as I get Samba 4 running again. I reinstalled from nothing to get a clean slate. Now, DNS isn't working. The method of configuring as outlined in the wiki doesn't work anymore. The dns files in /usr/local/samba/private have changed since my first install last week:( I've another thread open on this.

Thanks again
Steve.

Almost there at the command line. Permissions are respected. Following your method to create a user and allocate them a home folder:

cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
	server role = domain controller
	workgroup = HH1
	realm = hh3.site
	netbios name = HH3
	passdb backend = samba4

[home]
	path = /home
	read only = No

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

samba-tool user add lynn 123@456
User 'lynn' created
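Matthieu's second suggestion (quoted above and earlier in this digest: run wbinfo -i for the AD user, then create the home folder owned by the uid winbind allocated) as an added POSIX shell example. This is not code from the thread or from Samba; it parses the passwd-style line that wbinfo -i prints (the sample line is the one Matthieu posted) and creates the directory under a base path you pass in. The function names and the base-directory argument are this example's own, and the chown is only attempted when running as root.

```shell
#!/bin/sh
# Added example (not from the thread): create a per-user home directory on
# a Samba AD DC using the UID/GID winbind allocated to the AD user.
# Assumes `wbinfo -i USER` output in passwd format, e.g. (line from thread):
#   MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false
# Function names are this example's own.

# parse_wbinfo_passwd LINE -> prints "UID GID HOMEDIR"; fails on bad input
parse_wbinfo_passwd() {
    # passwd format: name:password:uid:gid:gecos:home:shell
    IFS=: read -r _name _pw uid gid _gecos home _shell <<EOF
$1
EOF
    # Refuse non-numeric ids. A stale or missing mapping (for example the
    # "WBC_ERR_DOMAIN_NOT_FOUND" message wbinfo prints instead of a passwd
    # line) must never turn into a root-owned or wrongly owned home.
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$home" ] || return 1
    printf '%s %s %s\n' "$uid" "$gid" "$home"
}

# make_ad_home LINE BASEDIR
# Creates BASEDIR/<last component of the winbind home>, mode 0700, owned by
# the AD user's UID:GID (chown only when we are root). Prints the path.
make_ad_home() {
    fields=$(parse_wbinfo_passwd "$1") || return 1
    # "$2" is expanded before set replaces the positional parameters
    set -- $fields "$2"
    uid=$1; gid=$2; dir=$4/$(basename "$3")
    mkdir -p "$dir" || return 1
    # 0700: only the owner (the AD user) can enter it, as the DC's posix to
    # NT ACL translation will grant exactly what the mode says
    chmod 0700 "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$uid:$gid" "$dir" || return 1
    fi
    printf '%s\n' "$dir"
}

# Typical use on the DC, after the (slow on first run) `wbinfo -u`:
#   make_ad_home "$(wbinfo -i steve)" /home
```

Run it once per user with the real wbinfo output; because the parser rejects anything that is not a numeric uid/gid, a user whose SID winbind has not mapped yet simply gets no directory instead of one with the wrong owner.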
Re: [Samba] samba 4 named. dlz_bind9.so not found
Hi Marcel

re: host -t A samba.hh3.site

I think I've understood it now. I took that line from the samba wiki:

'In the following examples we will assume your DNS domain name is 'samdom.example.com' and your short (also known as NT4) domain name is 'samdom'. We will assume that your Samba servers hostname is samba.'

In my case, my dns domain name is hh3.site, short NT4 name is HH1 and my samba server's hostname is hh3. So in my case I think that line should have been:

host -t A hh3.hh3.site
hh3.hh3.site has address 192.168.1.3

which works of course. (Duh. Sunday is usually a non working day for me!)

Using your samba only method also works:

samba-tool dns query 192.168.1.3 hh3.site hh3 A -U administrator
Password for [HH1\administrator]:
  Name=, Records=1, Children=0
    A: 192.168.1.3 (flags=f0, serial=1, ttl=900)

I can now logon and create folders using smbclient. But I can't create new files nor folders using konq or dolphin. Samba 4 does not ask me for a username nor password and tells me 'access denied' when trying. I have this open on another thread. The other thing I can't figure out is how a linux client would use the AD user information to be able to authenticate.

Thanks for your patience.
Steve.

On 04/12/11 20:44, Marcel Ritter wrote:

Hi Steve,

as 2 of the 3 queries did succeed, are you sure the hostname of your dc was correctly detected during provision? Does hostname -f return samba.hh3.site?

You may also try samba-tool / ldbsearch to get info about the DNS entries stored by samba. (Please replace 192.168.1.6 with the IP of your samba4 dc.)

The following command will try to do a dns lookup using samba only (no bind) for samba.hh3.site:

/opt/samba4/bin/samba-tool dns query 192.168.1.6 hh3.site samba A -U Administrator%password

You may also try to list entries via ldbsearch (change path to your sam.ldb.d):

/opt/samba4/bin/ldbsearch -H /opt/samba4/var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=HH3\,DC\=SITE.ldb -b dc=domaindnszones,dc=hh3,dc=site name

Hope this helps,
Marcel

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 17:17
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

On 04/12/11 14:19, Marcel Ritter wrote:

Hi Steve,

it's quite likely that bind running in chroot is the cause of the problem. You can easily test it by disabling chroot for named on SuSE systems by editing /etc/sysconfig/named

NAMED_RUN_CHROOTED=no

If the problem is still there, try running named using strace, and have a look at all stat()/open() calls concerning dlz_bind9.so. This should give some hints about missing files/permissions and may help to narrow down the problem.

Bye,
Marcel

Hi Marcel

Progress. Removing the jail worked and named starts. It's getting better. Now I have this:

hh3:/home/steve # host -t SRV _ldap._tcp.hh3.site.
_ldap._tcp.hh3.site has SRV record 0 100 389 hh3.hh3.site.
hh3:/home/steve # host -t SRV _kerberos._udp.hh3.site.
_kerberos._udp.hh3.site has SRV record 0 100 88 hh3.hh3.site.
hh3:/home/steve # host -t A samba.hh3.site
Host samba.hh3.site not found: 3(NXDOMAIN)

2 successes and 1 failure. (hh3.site is the fqdn)

The logs give this:

Dec 4 17:04:27 hh3 named[3383]: couldn't add command channel ::1#953: address not available
Dec 4 17:04:27 hh3 named[3383]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: zone localhost/IN: loaded serial 42
Dec 4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Dec 4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loaded serial 0
Dec 4 17:04:27 hh3 named[3356]: Starting name server BIND ..done
Dec 4 17:04:27 hh3 named[3383]: running

Am trying hard to keep calm! I asked about the managed-keys-zone on the openSUSE list a few days ago, but nothing. Any ideas where to turn next?

Cheers
Steve
[Samba] bind errors for latest samba 4 checkout
Hi everyone

openSUSE 12.1

After a recent Samba 4 pull I have these errors:

Dec 7 19:53:37 hh3 named[3121]: command channel listening on 127.0.0.1#953
Dec 7 19:53:37 hh3 named[3121]: the working directory is not writable
Dec 7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loading from master file /var/lib/named/dyn//managed-keys.bind failed: file not found
Dec 7 19:53:37 hh3 named[3121]: managed-keys-zone ./IN: loaded serial 0
Dec 7 19:53:37 hh3 named[3093]: Starting name server BIND - Warning: /var/run/named/named.pid exists! ..done
Dec 7 19:53:37 hh3 named[3121]: running

Bind was recently updated in openSUSE. Setting /var/lib/named to named:named got rid of the first error. Is that OK? But then:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of symbolic links

rm -r /var/run/named/ and restarting bind gives the same error.

I can't find much about the managed keys. I've asked here before about this and on the openSUSE list. The only change to the /etc/named.conf supplied by the distro is including:

/usr/local/samba/private/named.conf

Apart from this, bind and kerberos pass all the tests as specified in the samba 4 howto. If I:

touch /var/lib/named/dyn//managed-keys.bind

and restart named, it's almost clean:

Dec 7 20:23:13 hh3 named[3302]: command channel listening on 127.0.0.1#953
Dec 7 20:23:13 hh3 named[3302]: couldn't add command channel ::1#953: address not available
Dec 7 20:23:13 hh3 named[3302]: zone 0.0.127.in-addr.arpa/IN: loaded serial 42
Dec 7 20:23:13 hh3 named[3302]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 42
Dec 7 20:23:13 hh3 named[3302]: zone localhost/IN: loaded serial 42
Dec 7 20:23:13 hh3 named[3302]: managed-keys-zone ./IN: loaded serial 0
Dec 7 20:23:13 hh3 named[3275]: Starting name server BIND - Warning: /var/run/named/named.pid exists! ..done
Dec 7 20:23:13 hh3 named[3302]: running

Before I can test and draw conclusions about the latest checkout I must know if these errors are significant. Any ideas anyone?

Thanks
Steve.
Re: [Samba] PDC file server on same machine?
On 08/12/11 00:03, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers. I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC.

Actually, this machine is already serving as PDC but it's not in production yet as a file server. So right now, it's just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.

We have to work within a tight budget and can't afford a backup server. We serve 600 home folders and logins to 25 clients from the same box. In an educational environment we experience slow logons which we think is due to everyone logging on at once. Windows 7 logons are particularly bad. Looking at top you can see slapd and nmbd throw a fit for a minute or so. With files it's OK unless we have a group working with gimp and photoshop. Usually it's when everyone is doing the same thing at the same time, e.g. when a teacher has given an instruction to do something. On a normal lan I don't think you'd have these situations.

HTH
Steve.
Re: [Samba] SAMBA4: Changing DC's IP address (Bind 9.8.x) for testing
On 07/12/11 21:37, Gémes Géza wrote:

On 2011-12-07 15:41, Adam Tauno Williams wrote:

I upgraded by S3 domain to S4 using the upgrade script. To do that i had to have the S4 test box connected to the production network. Now I want to take it to the test network. But the Bind 9.8.x instance using the DLZ still has the old address... dynamic dns update doesn't work because the tool can't find the KDC because DNS returns the wrong IP address. Can I modify the DNS zone using an ldb tool [ldbmodify]? To change the IP of the DC (the only address in DNS at this point, everything seems to CNAME back to the address). Under the older Bind config I just changed the one or two lines in the text zone file when I moved the VM from production to testing.

samba-tool dns is your friend here.

Geza

Adam: where is the upgrade script you mention?

Thanks
S L
Re: [Samba] PDC file server on same machine?
On 08/12/11 12:15, Adam Tauno Williams wrote:

On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that authentication is done vs a BDC if available. I configured my new file server as the domain PDC because I figured it would already have to run samba. I have two other machines configured as BDCs to serve as logon servers I'm looking for opinions on whether I'm asking for performance problems by making my file server the PDC.

Actually, this machine is already serving as PDC but its not in production yet as a file server. So right now, its just the domain PDC. When I log into the domain and echo %logonserver%, it shows that one of the BDCs was the logon server, not the PDC. It doesn't look like the PDC has to do anything but handle joining machines to the domain.

There really isn't an answer for your question. The load implied by being a DC depends on the number of clients and how heavily they are used. If you have only a hundred or so clients, in my experience, the load is pretty mild [for modern hardware/networks]. With Samba3 domain control there isn't really a BDC/PDC distinction. Every box is a PDC that operates in parallel with the other DCs. That is a bit different than a true NT4 domain.

Maybe what the OP is asking here is for examples. I realise that for security reasons admins may not be allowed to reveal their setup but it would be helpful to give some concrete figures of hardware, clients and servers that works for us.

Cheers.
Re: [Samba] bind errors for latest samba 4 checkout
Hi Dale, hi everyone.

Thanks. I now have the managed keys cleared:

Dec 9 06:57:33 hh3 named[3125]: managed-keys-zone ./IN: loaded serial 0

Stop bind and see if /var/run/named/named.pid remains. You may have a stale pid that needs removing manually.

I had a go at that:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of symbolic links

I have:

lrwxrwxrwx 1 root root 14 Dec 9 05:36 named -> /var/run/named

Removing /var/run/named clears the error but it returns on restarting named.

Also the:

Dec 9 06:57:33 hh3 named[3125]: command channel listening on 127.0.0.1#953
Dec 9 06:57:33 hh3 named[3125]: couldn't add command channel ::1#953: address not available

remains

As I say, dns is working fine. I'd just like to clear the errors.

Thanks
Steve
[Samba] Samba 4, can't logon
Hi everyone

I have Samba 4 running with this:

smb.conf
[global]
	server role = domain controller
	workgroup = HH3SITE
	realm = hh3.hh1.site
	netbios name = HH3
	passdb backend = samba4

[netlogon]
	path = /usr/local/samba/var/locks/sysvol/hh3.hh1.site/scripts
	read only = No

[sysvol]
	path = /usr/local/samba/var/locks/sysvol
	read only = No

[home]
	path = /home/HH3SITE
	read only = No

I created a Samba 4 user called lynn:

wbinfo -i lynn
HH3SITE\lynn:*:309:100::/home/HH3SITE/lynn:/bin/false

I created the directory 309:100 /home/HH3SITE/lynn

Samba can see the shares:

smbclient -L hh3 -Uadministrator
Password for [HH3SITE\administrator]:

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	home            Disk
	IPC$            IPC       IPC Service
REWRITE: list servers not implemented

But lynn can't logon:

smbclient //localhost/home -Ulynn
Password for [HH3SITE\lynn]:
Connection to \\localhost\home failed - NT_STATUS_INTERNAL_ERROR

The administrator can't logon either:

smbclient //localhost/netlogon -Uadministrator
Password for [HH3SITE\administrator]:
Connection to \\localhost\netlogon failed - NT_STATUS_INTERNAL_ERROR

I tried changing permissions to 0777:

ls -la /home/HH3SITE
total 12
drwxrwxrwx 3 root root  4096 Dec 11 17:42 .
drwxr-xr-x 4 root root  4096 Dec 12 11:01 ..
drwxrwxrwx 2 309  users 4096 Dec 11 17:42 lynn

But still no logon. What am I doing wrong?

Thanks
Steve
Re: [Samba] bind errors for latest samba 4 checkout
On 12/09/2011 07:38 PM, Dale Schroeder wrote:

On 12/09/2011 12:05 AM, steve wrote:

Hi Dale, hi everyone.

Thanks. I now have the managed keys cleared:

Dec 9 06:57:33 hh3 named[3125]: managed-keys-zone ./IN: loaded serial 0

Stop bind and see if /var/run/named/named.pid remains. You may have a stale pid that needs removing manually.

I had a go at that:

rm /var/run/named/named.pid
rm: cannot remove `/var/run/named/named.pid': Too many levels of symbolic links

This looks promising
http://www.whitemiceconsulting.com/2011_10_01_archive.html

Yeah, that set me going in the right direction. Thanks. In fact I had to remove /var/run/named which was a link to a directory, /var/run/named which didn't exist. I stopped named, did a mkdir /var/run/named and restarted named. Now I can see /var/run/named/named.pid correctly and the error has gone.

I have:

lrwxrwxrwx 1 root root 14 Dec 9 05:36 named -> /var/run/named

Removing /var/run/named clears the error but it returns on restarting named.

Also the:

Dec 9 06:57:33 hh3 named[3125]: command channel listening on 127.0.0.1#953
Dec 9 06:57:33 hh3 named[3125]: couldn't add command channel ::1#953: address not available

See if this is applicable to your situation.
https://lists.isc.org/pipermail/bind-users/2005-March/055877.html

Dale

Yes, that seems to explain it. I have

listen-on-v6 { any; };

in /etc/named.conf. I think that this should be commented (#) as I don't have any ip6 addresses.

remains

As I say, dns is working fine. I'd just like to clear the errors.

Thanks
Steve
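The "Too many levels of symbolic links" error in this thread is what the kernel returns (ELOOP) once a symlink chain folds back on itself, which is exactly the state Steve describes: /var/run/named was a link to /var/run/named. The repair he applied was to remove the link and create a real directory. Here that check and repair as an added POSIX shell example; it is not code from the thread, the function names are this example's own, and it is exercised on a temporary directory rather than on /var/run.

```shell
#!/bin/sh
# Added example (not from the thread): detect a symlink that resolves back
# to itself and replace it with a real directory, the fix Steve applied to
# /var/run/named. Function names are this example's own.

# is_symlink_loop PATH -> 0 if following PATH never reaches a non-link
is_symlink_loop() {
    p=$1
    hops=0
    while [ -L "$p" ]; do
        # readlink prints the raw target without resolving it further
        target=$(readlink "$p") || return 1
        # relative targets are interpreted from the link's own directory
        case $target in
            /*) p=$target ;;
            *)  p=$(dirname "$p")/$target ;;
        esac
        hops=$((hops + 1))
        # the kernel gives up with ELOOP after 40 hops; so do we
        [ "$hops" -ge 40 ] && return 0
    done
    return 1
}

# repair_rundir PATH: if PATH is a looping symlink, remove the link itself
# (rm on a symlink never follows it) and create a real directory in its
# place. Returns 0 if PATH is a usable directory afterwards.
repair_rundir() {
    if is_symlink_loop "$1"; then
        rm -f "$1" || return 1
        mkdir -p "$1" || return 1
    fi
    [ -d "$1" ]
}

# Typical use, with named stopped first so it can recreate its pid file:
#   repair_rundir /var/run/named
```

The check is deliberately separate from the repair: run is_symlink_loop first to confirm the diagnosis, because a link that merely points at a directory that does not exist yet is a different problem (mkdir the target) and must not be deleted.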
Re: [Samba] SAMBA - YAST
On 12/14/2011 02:01 PM, anna-karin.bur...@bjurholm.se wrote:

Hi,

I am new with SAMBA so please be patient if the questions are silly. I have a network with some 100 computers and 150 users. How can I add new users to the system? I know I have to add them both to Samba and Linux. The YAST GUI is no problem, it's more when I come to Samba. I think I am logged in as root in the Linux prompt and try to add users, but am not successful. Is there something I should think of?

Thanks in advance!
/Anna-Karin

Hi

In YAST, the Linux user, Windows user, password, roaming profile and home directory are all done for you. With this tutorial:

http://www.youtube.com/watch?v=LdLwuIrW1jw

you can be up in an hour. The slowest bit of the setup for us (25 computers, 300 users) was joining windows 7 boxes to the domain. There is a regedit to do.

Good luck and I know the feeling;)
Steve.
Re: [Samba] SAMBA - YAST [correction]
On 12/14/2011 02:41 PM, steve wrote:

On 12/14/2011 02:01 PM, anna-karin.bur...@bjurholm.se wrote:

Hi,

I am new with SAMBA so please be patient if the questions are silly. I have a network with some 100 computers and 150 users. How can I add new users to the system? I know I have to add them both to Samba and Linux. The YAST GUI is no problem, it's more when I come to Samba. I think I am logged in as root in the Linux prompt and try to add users, but am not successful. Is there something I should think of?

Thanks in advance!
/Anna-Karin

Hi

In YAST, the Linux user, Windows user, password, roaming profile and home directory are all done for you. With this tutorial:

http://www.youtube.com/watch?v=LdLwuIrW1jw

you can be up in an hour.

Hi

Forgot to say, the video is for openSUSE 11.2. In openSUSE 11.4 and 12.1, create the user via YAST using 'Add LDAP User' and not 'Add User'. Skip the bit where he talks about smbpasswd -a.
Re: [Samba] bind errors for latest samba 4 checkout [solved]
On 12/14/2011 09:12 AM, steve wrote:

On 12/09/2011 07:38 PM, Dale Schroeder wrote:

Yes, that seems to explain it. I have

listen-on-v6 { any; };

in /etc/named.conf. I think that this should be commented (#) as I don't have any ip6 addresses.

Can confirm that commenting the line removes the error. I now have a squeaky clean bind:)

For a default openSUSE 12.1 with Samba 4 git from today, /etc/named.conf looks like this:

options {
	directory "/var/lib/named";
	managed-keys-directory "/var/lib/named/dyn/";
	dump-file "/var/log/named_dump.db";
	statistics-file "/var/log/named.stats";
	notify no;
	disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
	include "/etc/named.d/forwarders.conf";
};

zone "." in {
	type hint;
	file "root.hint";
};

zone "localhost" in {
	type master;
	file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
	type master;
	file "127.0.0.zone";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" in {
	type master;
	file "127.0.0.zone";
};

include "/etc/named.conf.include";
include "/usr/local/samba/private/named.conf";

Steve
[Samba] join Samba 4 domain using likewise
Hi

I successfully joined a win 7 vm to a Samba 4 domain. I can log fine. I'm now trying to add the server itself to the domain using likewise. It does not let me. The errors are:

Error code: ERROR_GEN_FAILURE (0x001f)
Backtrace:
/builder/src-buildserver/BT-Platform-6.1/src/linux/domainjoin/domainjoin-gui/gtk/main.c:347
/builder/src-buildserver/BT-Platform-6.1/src/linux/domainjoin/libdomainjoin/src/djmodule.c:339
/builder/src-buildserver/BT-Platform-6.1/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:858
/builder/src-buildserver/BT-Platform-6.1/src/linux/domainjoin/libdomainjoin/src/djauthinfo.c:1241

Is it possible to join the server to the domain?

Thanks
Steve.
[Samba] Samba 4 WBC_ERR_DOMAIN_NOT_FOUND
Hi everyone

Ubuntu 11.10
Version 4.0.0alpha18-GIT-23a0343

Added a user called steve2. The first time I used winbind, no problems:

wbinfo -i steve2

gave me the info I needed for user and group. But now it doesn't work:

wbinfo -i steve2
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user steve2

I can logon OK:

smbclient //localhost/home -Usteve2
Password for [SITE\steve2]:
smb: \>

Looking through the archives I found this:

Workaround:
1. Run sudo dpkg-reconfigure -plow libpam-runtime
2. Deselect Winbind NT/Active Directory authentication
3. Select OK

but I only have this:

PAM profiles to enable:
  [*] Unix authentication
  [*] Likewise Open
  [*] GNOME Keyring Daemon - Login keyring management
  [*] ConsoleKit Session Management
  [*] Inheritable Capabilities Management

IOW I can't do the workaround. Any ideas anyone?

Thanks
Steve.