Bug#967972: [Pkg-samba-maint] Bug#967972: cifs-utils: fails to mount filesystem when keyutils is not installed

[L . P . H . van Belle]

That is already set 
See closed bug in cifs-utils, bugnr.: #986867  

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
ebian.net] Namens Jonathon Reinhart
> Verzonden: maandag 7 juni 2021 6:33
> Aan: 967...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#967972: cifs-utils: fails to 
> mount filesystem when keyutils is not installed
> 
> Some sources incorrectly indicate that keyutils is only needed with
> DFS, but keyutils is also needed when using CIFS w/ Kerberos
> authentication.
> 
> When trying to mount a CIFS share using kerberos (sec=krb5), the
> kernel invokes /sbin/request-key to request a key from userspace. Then
> cifs.upcall (from cifs-utils) is executed to handle the SPNEGO
> authentication.
> 
> If keyutils is not installed, then /sbin/request-key is absent, and
> the kernel is completely silent about this.
> 
> [  +0.497021] CIFS VFS: Send error in SessSetup = -2
> [  +0.000992] CIFS VFS: cifs_mount failed w/return code = -2
> 
> Thus, I strongly agree with the proposal for cifs-utils to *Recommend*
> keyutils, rather than merely *Suggesting* it.
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 
> 

Bug#964165: small fix.

[L . P . H . van Belle]

The fix : Temp-fix-is-is-litteral.patch

>From David Disseldorp via samba-technical
 
See https://bugs.python.org/issue34850
  the "is" and "is not" operator sometimes is used with string and
  numerical literals. This code "works" on CPython by accident, because
  of caching on different levels (small integers and strings caches,
  interned strings, deduplicating constants at compile time). But it
  shouldn't work on other implementations, and can not work even on
  early or future CPython versions.
 
It can be ignored, but we should probably fix all such cases in future.
--- a/python/samba/emulate/traffic_packets.py
+++ b/python/samba/emulate/traffic_packets.py
@@ -336,7 +336,7 @@
 
 # try to guess the search expression (don't bother for base searches, as
 # they're only looking up a single object)
-if (filter is None or filter is '') and scope != SCOPE_BASE:
+if (filter is None or filter == '') and scope != SCOPE_BASE:
 filter = context.guess_search_filter(attrs, dn_sig, dn)
 
 samdb.search(dn,

 

Bug#942433: [Pkg-samba-maint] Bug#942433: samba: Cannot mount share on samba3 server from samba4 client: protocol negotiation failed

[L . P . H . van Belle]

Hai, 

Please read : https://www.samba.org/samba/history/samba-4.11.0.html 
Which states: 
SMB1 is disabled by default  
---

The defaults of 'client min protocol' and 'server min protocol'
have been changed to SMB2_02.

This means clients without support for SMB2 or SMB3 are no longer
able to connect to smbd (by default).

It also means client tools like smbclient and other,
as well as applications making use of libsmbclient are no longer
able to connect to servers without SMB2 or SMB3 support (by default).

It's still possible to allow SMB1 dialects, e.g. NT1, LANMAN2
and LANMAN1 for client and server, as well as CORE and COREPLUS on
the client.

Note that most commandline tools e.g. smbclient, smbcacls and others
also support the '--option' argument to overwrite smb.conf options,
e.g. --option='client min protocol=NT1' might be useful.

As Microsoft no longer installs SMB1 support in recent releases
or uninstalls it after 30 days without usage, the Samba Team
tries to get remove the SMB1 usage as much as possible.

SMB1 is officially deprecated and might be removed step by step
in the following years. If you have a strong requirement for SMB1
(except for supporting old Linux Kernels), please file a bug
at https://bugzilla.samba.org and let us know about the details.




Regards, 

Louis




> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Igor Liferenko
> Verzonden: woensdag 16 oktober 2019 11:17
> Aan: Debian Bug Tracking System
> Onderwerp: [Pkg-samba-maint] Bug#942433: samba: Cannot mount 
> share on samba3 server from samba4 client: protocol negotiation failed
> 
> Package: samba
> Version: 2:4.11.0+dfsg-10
> Severity: important
> 
> Dear Maintainer,
> 
> After upgrade from samba 4.9.13 to 4.11.0, mounting shares 
> from samba3 server stopped working.
> 
> Here is the output of "GVFS_DEBUG=1 /usr/lib/gvfs/gvfsd 
> --replace" from
> "gio mount smb://x.x.x.x/doc/":
> 
> smb: g_vfs_backend_smb_init: default workgroup = 'NULL'
> smb: Added new job source 0x55c74aa13080 (GVfsBackendSmb)
> smb: Queued new job 0x55c74aa15140 (GVfsJobMount)
> smb: do_mount - URI = smb://x.x.x.x/doc
> smb: do_mount - try #0 
> smb: auth_callback - kerberos pass
> smb: auth_callback - out: last_user = 'user', last_domain = 'XGROUP'
> smb: do_mount - [smb://x.x.x.x/doc; 0] res = -1, cancelled = 
> 0, errno = [103] 'Software caused connection abort' 
> smb: do_mount - (errno != EPERM && errno != EACCES), 
> cancelled = 0, breaking
> smb: send_reply(0x55c74aa15140), failed=1 (Failed to mount 
> Windows share: Software caused connection abort)
> 
> 
> 
> Wireshark shows only one packet from client after connecting 
> to server:
>"Protocol" header in wireshark is "SMB2" and "Info" header 
> is "Negotiate Protocol Request"
> and then server closes connection.
> 
> 
> 
> Here is config of samba3 server:
> 
> [global]
>   dos charset = 866
>   unix charset = UTF8
>   workgroup = USVGROUP
>   server string = %h server
>   interfaces = 127.0.0.0/8, x.x.x.x/24
>   security = SHARE
>   obey pam restrictions = Yes
>   pam password change = Yes
>   passwd program = /usr/bin/passwd %u
>   passwd chat = *Enter\snew\s*\spassword:* %n\n 
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>   unix password sync = Yes
>   syslog = 0
>   log file = /var/log/samba/log.%m
>   max log size = 1000
>   dns proxy = No
>   panic action = /usr/share/samba/panic-action %d
>   veto files = /lost+found/
> [doc]
>   path = /home/doc/
>   read only = No
>   guest ok = Yes
> 
> 
> 
> 
> *** Reporter, please consider answering these questions, 
> where appropriate ***
> 
>* What led up to the situation?
>* What exactly did you do (or not do) that was effective (or
>  ineffective)?
>* What was the outcome of this action?
>* What outcome did you expect instead?
> 
> *** End of the template - remove these template lines ***
> 
> 
> -- Package-specific info:
> * /etc/samba/smb.conf present, and attached
> * /var/lib/samba/dhcp.conf not present
> 
> -- System Information:
> Debian Release: bullseye/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 
> (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages samba depends on:
> ii  adduser  3.118
> ii  dpkg 1.19.7
> ii  init-system-helpers  1.57
> ii  libbsd0  0.10.0-1
> ii  libc62.29-2
> ii  libgnutls30  3.6.9-5
> ii  libldb2  2:2.0.7-3
> ii  libpam-modules   1.3.1-5
> ii  libpam-runtime   1.3.1-5
> ii  libpopt0 

Bug#931688: [Pkg-samba-maint] Bug#931688: smbclient: Unable to initialize messaging context

[L . P . H . van Belle]

I got a quick update from the samba list. 

Is it a bug in the smbclient?
Yes, Its a confirmed bug. 

Just found upstream bug report: 
https://bugzilla.samba.org/show_bug.cgi?id=13925 


Regards, 

Louis



> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens L. van Belle
> Verzonden: woensdag 18 september 2019 10:56
> Aan: 931...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#931688: smbclient: Unable to 
> initialize messaging context
> 
> Hai, 
>  
> Can you install `libsmbclient` first and try again. 
>  
> And can you share you smb.conf ( anonimize where needed ) 
> It looks like your using old settings: WARNING: The "syslog" option is
> deprecated
> 
> 
> Regards, 
> Louis
>  
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#930540: [Pkg-samba-maint] Bug#930540: samba-vfs-modules: /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so No such file or directory

[L . P . H . van Belle]

Hai, 

That is correct the modules is not in the debian builds. 
if you want to use the vfs_nfs4acl_xattr module you need to recompile samba.
Or use and other repo which already have this builtin. 

Rebuilding it. 
For the build install : nfs-common 
apt get source samba 
cd samba-... 

Edit debian/rules 
Add in the line at the end --with-shared-modules=
be added : ,vfs_nfs4acl_xattr

And change the debian/changelog and debian/control files 

And rebuild it.
cd ..
apt get source samba -b 


Greetz, 

Louis

 

> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Gary Richards
> Verzonden: vrijdag 14 juni 2019 22:03
> Aan: Debian Bug Tracking System
> Onderwerp: [Pkg-samba-maint] Bug#930540: samba-vfs-modules: 
> /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so No such 
> file or directory
> 
> Package: samba-vfs-modules
> Version: 4.9.5+dfsg-4
> Severity: normal
> 
> Dear Maintainer,
> 
> I have been attempting to build a samba ad dc in a buster 
> container to run on a
> platform where /var/lib/samba will be an NFSv4 mount. When 
> trying to provision
> the domain with samba-tool I receive an error:
> 
> ERROR(): Provision failed -
> ProvisioningError: Your filesystem or build does not support 
> posix ACLs, which
> s3fs requires.  Try the mounting the filesystem with the 'acl' option
> 
> Which I believe is because NFSv4 has its own ACL concept, 
> which isn't posix
> ACLs.
> 
> Further digging has suggested that I probably want to enable 
> the nfs4acl_xattr
> vfs module. I tried this as an argument to my samba-tool 
> provision command:
> 
> samba-tool domain provision --use-rfc2307 --domain=${SAMBA_DOMAIN}
> --realm=${SAMBA_REALM} --server-role=dc --dns-backend=BIND9_DLZ
> --adminpass=${SAMBA_DOMAIN_PASSWORD} --option "bind 
> interfaces only = yes"
> --option "interfaces = lo net1" --option "vfs objects = nfs4acl_xattr"
> 
> But it results in a new error:
> 
> Error loading module 
> '/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so':
> /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so: cannot 
> open shared object
> file: No such file or directory
> 
> I believe this would be expected to come from 
> samba-vfs-modules, but that file
> is not in that package. Or any other package as far as I can tell.
> Interestingly samba-vfs-modules does seem to contain the 
> following file:
> 
> /usr/share/man/man8/vfs_nfs4acl_xattr.8.gz
> 
> Which I guess is the man page for the module that i'm trying 
> to use. But the
> module isn't there.
> 
> Thanks
> 
> Gary
> 
> 
> 
> -- System Information:
> Debian Release: 10.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
> Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, 
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 
> (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages samba-vfs-modules depends on:
> ii  libbsd0 0.9.1-2
> ii  libc6   2.28-10
> ii  libtalloc2  2.1.14-2
> ii  libtdb1 1.3.16-2+b1
> ii  libtevent0  0.9.37-1
> ii  samba-libs  2:4.9.5+dfsg-4
> 
> Versions of packages samba-vfs-modules recommends:
> pn  libcephfs2   
> ii  libdbus-1-3  1.12.12-1
> pn  libgfapi0
> 
> samba-vfs-modules suggests no packages.
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#927747: [Pkg-samba-maint] Bug#927747: bind9_dlz backend is entirely broken in Debian

[L . P . H . van Belle]

Hai, 
 
> > 3.Patching "named.conf" template to load the correct bind9 module (i.e 9.11)
> I _think_ samba_dnsupgradedns writes a new config fragment.
No you need adjustments in bind as shown below. 
 
after the 4 points, im missing the following. 
 
Addding point 5. 
 
The end result should look like this: 
ls -al /var/lib/samba/bind-dns/

total 28
drwxrwx---  3 root bind 4096 Apr 24 08:17 .
drwxr-xr-x 10 root root 4096 Apr  8 15:03 ..
drwxrwx---  3 root bind 4096 Feb 27 16:38 dns
-rw-r-  2 root bind  877 Apr 28  2015 dns.keytab
-rw-r--r--  1 root root  781 Feb 27 16:38 named.conf
-r--r--r--  1 root root  312 Feb 27 16:41 named.conf.update
-rw-r--r--  1 root root 2092 Feb 27 16:38 named.txt

Take note that dns.keytab isnt moved by default but should be moved. 
This is one i did manualy.
 
After that change you need to adjust : /etc/bind/named.conf.options. 
 
    // https://wiki.samba.org/index.php/Dns-backend_bind
    // DNS dynamic updates via Kerberos (optional, but recommended)
   // old path //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and in : /etc/bind/named.conf.local. change
    // adding the dlopen ( Bind DLZ ) module for samba,
    include "/var/lib/samba/bind-dns/named.conf";

Now bind9 restart then samba restart. 
 
to make sure the restart order is correct and it always works. 
 
systemctl edit samba-ad-dc.service
 
# /etc/systemd/system/samba-ad-dc.service.d/override.conf
[Unit]
After=network.target network-online.target bind9.service

Maybe its an option to add it as default that samba always starts after bind9 
started. 
 
 
 
Greetz, 
 
Louis
 

Bug#912193: samba: Ignores UNIX groups

[L . P . H . van Belle]

Hai, 

Last week something related to this is detected/confirmed as bug. 

And no Paul, we dont tell you to use the latest, we first look at it on the 
samba list. 
We are nice there, a quick look at you smb.conf shows multiple (incorrect) 
things..  ( a lot ..sorry.. ) 

For an AD DC, a resulting smb.conf is about this, this is my production config 
of one of my AD-DC'.s 
AD-DC server with bind9 DNS and without printing. 
So compaired to you smb.conf there is a lot todo. 

[global]

log level = 0

workgroup = NTDOM
realm = YOUR.REALM.TLD
netbios name = HOSTNAME

server role = active directory domain controller

  # -dns = disable internal dns, assign bind9 dns.
  # -spoolss, disable printing.
server services = -dns -spoolss

interfaces = 192.168.0.1 127.0.0.1
bind interfaces only = yes

# Dont forget to set the idmap_ldb on ALL DC's if you use it
idmap_ldb:use rfc2307 = yes

# Since we cant use : winbind nss info = rfc2307 : on the DC's.
template shell = /bin/bash
template homedir = /home/users/%U

# Disable printing completely, when this is set, no unneeded log error 
messages.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# Disable usershares creating, when this is set, no unneeded log error 
messages.
usershare path =

[sysvol]
   path = /var/lib/samba/sysvol
   read only = No

[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No


Because or your smb.conf and so many setting that we(I) normaly dont see, tells 
me, you've mixed member settings with AD-DC settings. 
Why im asking to post it on the samba list, is because, my Samba team member 
Rowland, is much better in analyzing your smb.conf. 
Your config also shows the comment, 

# We do not have xattr,  Not ? Sure you have. Maybe not on wheezy.. But stretch 
and jessie not problems here. 
apt-get install attr   (xattr is'nt working.. ) 

I suspect this is an attempt to upgrade an NT4 Domain to AD..? Correct 

So resume, yes, we can assign this as a bug but not based on you config, 
because i know its a bug. 
I just cant find the correct one in samba's bugzilla. 
Would be upstream bugnr https://bugzilla.samba.org/show_bug.cgi?id=13371 
Or https://bugzilla.samba.org/show_bug.cgi?id=11362

Best assumption here, its bug 11371, but please check that Mattieu. 
This affects samba 4.5 upto 4.9 as far i know. 


Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Mathieu Parent
> Verzonden: donderdag 21 februari 2019 21:43
> Aan: Paul Szabo; 912...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#912193: Post message upstream
> 
> Hello,
> 
> As Louis said (in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912193#25), please
> ask on the samba mailing list, and add a pointer here.
> 
> Regards
> 
> -- 
> Mathieu Parent
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#918141: [Pkg-samba-maint] Bug#918141: samba-common: samba-tool domain provision fails due to missing ad-schema files

[L . P . H . van Belle]

Hai, 

Can you verify that the packages "samba" is installed.

https://packages.debian.org/search?suite=buster=any=exactfilename=contents=Attributes_for_AD_DS__Windows_Server_2008_R2.ldf
 

Package samba contains : 
/usr/share/samba/setup/ad-schema/Attributes_for_AD_DS__Windows_Server_2008_R2.ldf
  


Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Bowland
> Verzonden: donderdag 3 januari 2019 20:31
> Aan: Debian Bug Tracking System
> Onderwerp: [Pkg-samba-maint] Bug#918141: samba-common: 
> samba-tool domain provision fails due to missing ad-schema files
> 
> Package: samba-common
> Version: 2:4.9.4+dfsg-1
> Severity: normal
> 
> xxx@laptop:/usr/share/samba# samba-tool domain provision
> Realm:  domain.de
> Domain [domain]:  
> Server Role (dc, member, standalone) [dc]:  
> DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) 
> [SAMBA_INTERNAL]:  
> DNS forwarder IP address (write 'none' to disable forwarding) 
> [192.168.188.1]:  
> Administrator password: 
> Retype password: 
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> ERROR(): uncaught exception - 
> [Errno 2] No such file or directory: 
> '/usr/share/samba/setup/ad-schema/Attributes_for_AD_DS__Window
> s_Server_2008_R2.ldf'
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
> line 177, in _run
> return self.run(*args, **kwargs)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", 
> line 538, in run
> backend_store=backend_store)
>   File 
> "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py"
> , line 2218, in provision
> schemadn=names.schemadn, base_schema=base_schema)
>   File "/usr/lib/python2.7/dist-packages/samba/schema.py", 
> line 110, in __init__
> setup_path('ad-schema/%s' % Schema.base_schemas[base_schema][1]))
>   File "/usr/lib/python2.7/dist-packages/samba/ms_schema.py", 
> line 308, in read_ms_schema
> attr_ldif =  __parse_schema_file(attr_file, "attributeSchema")
>   File "/usr/lib/python2.7/dist-packages/samba/ms_schema.py", 
> line 294, in __parse_schema_file
> f = open(filename, "rU")
> 
> 
> -- Package-specific info:
> * /etc/samba/smb.conf present, and attached
> * /var/lib/samba/dhcp.conf present, and attached
> 
> -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (1001, 'testing')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.18.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 
> (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
> 
> Versions of packages samba-common depends on:
> ii  debconf [debconf-2.0]  1.5.69
> ii  dpkg   1.19.2
> ii  ucf3.0038+nmu1
> 
> Versions of packages samba-common recommends:
> ii  samba-common-bin  2:4.9.4+dfsg-1
> 
> samba-common suggests no packages.
> 
> -- debconf information:
>   samba-common/do_debconf: true
>   samba-common/title:
>   samba-common/workgroup: WORKGROUP
> * samba-common/dhcp: false
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#908805: kopano-server: Backporting kopano-server needs php7.0

[L . P . H . van Belle]

Hai Carsten,

> -Oorspronkelijk bericht-
> > To detect the php-dev version. 
> > PHP_VERSION=$(dpkg -s php-dev | grep -i version | cut -d":" 
> -f3 |awk -F"+" '{ print $1}')
> 
> we took a slightly different approach here in one of the 
> recent changes
> to kopanocore, but the thing is the same in the end. Unfortunately it  has 
> taken this long time.

Yes i did see that, i did see kopanocore (8.6.90-1)  and now also kopanocore 
(8.6.91-1)  
Great work.. I'll have a good look next year :-) 

..
> > 
> > My goal is here is a stable kopano server on debian stretch 
> with backported packages. 
> > If you want build logs, let me know, i'll put them online if wanted.
> 
> We never had the time to do any backporting of the Kopano related
> packages as at least in my impression we simply don't have reached a
> quality state we would need to provide backported packages. Some
> additional kopano-webapp packages (e.g. smime) are also 
> needed to get a  complete suite of packages.

Yes, i noticed, same, on my todo for next year. 

> 
> Buster is just some months to go so we wont do anything for backporting the 
> current state to Stretch.
> 
> If you want to step as a package maintainer for missing kopano-webapp 
> packages e.g. 
> please join the mailing lists. We are happy to get new members into the team!

I'll think about it, i'll at least will join the mailing list.
And i'll have a quick look if im able to package these. Because im not a coder, 
just in system adminstrator. 

> 
> -- 
> Regards
> Carsten Schoenert
> 
> 

Best regards, 

Louis

Bug#909465: Fix available

[L . P . H . van Belle]

hai, 
 
I've just updated my 4.9.4 package including the fix from the bugzilla report 
and tested the patch
Solved it for me. 
 
link patch: https://attachments.samba.org/attachment.cgi?id=14752 
 
 
 
Greetz, 
 
Louis
 
 
 
 

Bug#912193: [Pkg-samba-maint] Bug#912193: Bug#912193: samba: Ignores UNIX groups

[L . P . H . van Belle]

Hai Paul, 


> I had tried to build Samba 4.9.1 the "Debian way", following 
> the method
> in the "experimental" packages, but failed on my "stretch" machine due
> to some version incompatibility issues.

Post your problem/question on the samba list and we will analize this problem.
And if you want a samba 4.9.1 on stretch, you can use the build i make for the 
samba list users.
Of the my changes for a stretch build and build it yourself. 
Instructions can be found at http://apt.van-belle.nl 

And have you seen the list of changes between 4.5 and 4.9 its enormus. 
Smb.conf did also change a lot and without smb.conf there is nothing check if 
your setup is ok.
I really suggest you also have look at 
https://wiki.samba.org/index.php/User_Documentation 
For the upgrade from 4.5 to 4.9. 
So a summerized version of all smb.conf changes : 
https://downloads.van-belle.nl/samba4/Upgrade-info.txt 
As of 4.1 upto 4.9.

My first guess,, your idmap config setup is wrong. 
Or post you smb.conf here and i'll have a look, or post it to the samba list, 
it a very active list.


Best regards, 

Louis


> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Paul Szabo
> Verzonden: dinsdag 30 oktober 2018 0:24
> Aan: Mathieu Parent; 912...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#912193: Bug#912193: samba: 
> Ignores UNIX groups
> 
> Dear Mathieu,
> 
> > Why your UNIX groups don't match your Windows groups? This 
> is usually the case, with nss_winbind.
> My site is mainly Linux; we have secondary groups in the /etc/group
> file. I am trying to move from Samba3 to the Debian Samba4, setting up
> Samba as an AD DC (for Windows10). I have the libnss-winbind package.
> Still, Samba (winbidd?) seems to create separate 
> "Domain\user" entities,
> and does seem to add those to the groups that the Linux user 
> belongs to.
> 
> > Alternatively, you can reverse the logic with idmap_nss.
> 
> I tried that, did not seem to help.
> 
> >> (Seems to me that Samba4.9 suffers from the same issue.)
> > Have you tried it? ...
> 
> I had tried to build Samba 4.9.1 the "Debian way", following 
> the method
> in the "experimental" packages, but failed on my "stretch" machine due
> to some version incompatibility issues. (Did not try the "native way"
> with configure/make, thought it would be best to follow Debian.)
It is, but you need more then the package on stretch. 

> 
> > ... This part of the code has changed a lot.
> 
> The file source3/auth/auth_util.c did not change that much between
> 4.5.12 and 4.9.1, the "essence" of my patch still seems to apply
> (though not the patch file I posted).
> 
> > Also please note that we don't accept patches that are not merged
> > upstream first.
> > Additionnaly, this patch target stable while it's not a security or
> > stability patch.
> 
> Understood. I have been using my own Samba for years, can keep doing
> that.
> 
> Cheers, Paul
> -- 
> Paul Szabo   p...@maths.usyd.edu.au   
> http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney   
>  Australia
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#909465: Upgrade samba fails if winbind is install with default config

[L . P . H . van Belle]

Hai, 
 
I have an update on this and created working package without startup problems.
 
i've added in the samba-common.postinst the following part at the end just 
before #DEBHELPER# 
 
# Test server role and change smb.conf to enable idmap * by default.
SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | 
tail -1`

# Enable idmap config * by default. Only match untouched configs.
if [ "$SERVER_ROLE" = "standalone server" ] || [ "$SERVER_ROLE" = "auto" ]; then
sed -i \
-e 's/;   idmap config \* :  backend = tdb/idmap config * : 
 backend = tdb/g' \
-e 's/;   idmap config \* :  range   = 3000-7999/idmap 
config * :  range   = 3000-7999/g' \
"$CONFIG"
fi

 
The sed command might need some improvement here, but this allow a flawless 
install. 
Upgrade from a 4.8.5 also worked fine for me, its tested by users off the 
sambalist now. 
 
Thoughts of this are. 
 
- a new install used the smb.conf and the change is applied.
and all services are starting as they should 
- a old install with the defaults intact gets the changes also.
and all services are starting as they should 
- any modified smb.conf where idmap is already enabled isnt applied. 
you must manual change smb.conf. 
- it only applies to the standalone server

 
This is imo a good workaround until this bug is fixed in samba for the 
new/upgrade installations
As posted in the previous message. the other is 
net groupmap add sid=S-1-5-32-546 unixgroup=nogroup type=builtin
 Note, the previous mesasge had nobody as group, should be nogroup.
 
 
Greetz, 
 
Louis
 

Bug#909465: samba: Upgrade samba fails if winbind is install with default config

[L . P . H . van Belle]

Hai, 
 
We have found the following. 
This only happings with the standalone install if you setup for a ADDC or 
Member server, you get past this bug.
 
It happens due to systemd smbd.service 
# /lib/systemd/system/smbd.service
[Unit]
Description=Samba SMB Daemon
Documentation=man:smbd(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
After=network.target network-online.target nmbd.service winbind.service

The "After .. winbind.service" shows the bug in question and this causes smbd 
to fail at boot. 
 
I have a few workarounds to make it work. 
 
install a stand-alone server.
apt-get install samba 
 
To avoid the problem run : 
net groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin 
 
or define the idmap in smb.conf

idmap config * : backend = tdb
idmap config * : range = 3000-7999 

Now you can install winbind also, if you dont need winbind, then the bug does 
not show.

Greetz, 


 
Louis
 

Bug#909465: samba: Upgrade samba fails if winbind is install with default config

[L . P . H . van Belle]

Hai, 
?
i've done some extra testing.
Thank you Mathieu for the quick upgrade to 4.9.1 in experimental. 
?
The server in the previous post is a vm, i snaphoted it before i installed 
samba. 
Now i've?upgraded to Debian buster, rebooted reboot.
?
BUSTER, samba 4.8.5? ( all fine ) 
apt-get install samba winbind
?
Setting up samba-common-bin (2:4.8.5+dfsg-1) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
?
Done
Setting up samba-dsdb-modules:amd64 (2:4.8.5+dfsg-1) ...
Setting up winbind (2:4.8.5+dfsg-1) ...
mkdir: created directory '/var/lib/samba/winbindd_privileged'
changed group of '/var/lib/samba/winbindd_privileged' from root to winbindd_priv
mode of '/var/lib/samba/winbindd_privileged' changed from 0755 (rwxr-xr-x) to 
0750 (rwxr-x---)
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service → 
/lib/systemd/system/winbind.service.
Setting up samba (2:4.8.5+dfsg-1) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding those 
services.
(samba-ad-dc.service masked)
Created symlink /etc/systemd/system/multi-user.target.wants/nmbd.service → 
/lib/systemd/system/nmbd.service.
Failed to preset unit: Unit file /etc/systemd/system/samba-ad-dc.service is 
masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on 
samba-ad-dc.service: No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service → 
/lib/systemd/system/smbd.service.
Processing triggers for libc-bin (2.27-6) ...
Processing triggers for initramfs-tools (0.132) ...
update-initramfs: Generating /boot/initrd.img-4.18.0-1-amd64
Processing triggers for systemd (239-9) ...
?
ps fax 
?6128  Ss 0:00 /usr/sbin/winbindd --foreground --no-process-group
?6130  S? 0:00? \_ winbindd: domain child [DEBIAN9TEST]
?6242  S? 0:00? \_ winbindd: idmap child
?6243  S? 0:00? \_ winbindd: domain child [BUILTIN]
?6238  Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
?6240  S? 0:00? \_ /usr/sbin/smbd --foreground --no-process-group
?6241  S? 0:00? \_ /usr/sbin/smbd --foreground --no-process-group
?6244  S? 0:00? \_ /usr/sbin/smbd --foreground --no-process-group
?6279  Ss 0:00 /usr/sbin/nmbd --foreground --no-process-group
?
?
i've now added :? deb http://ftp.nl.debian.org/debian/ experimental main 
non-free contrib
to apt/sources.list 
?
And installing samba with : apt-get install -t experimental samba winbind

This files, screen outputs are shown here. 
?
BUSTER, Upgrade to 4.9.1
Setting up samba-common-bin (2:4.9.1+dfsg-1) ...
Checking smb.conf with testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE
?
Done
Setting up samba-dsdb-modules:amd64 (2:4.9.1+dfsg-1) ...
Setting up winbind (2:4.9.1+dfsg-1) ...
Setting up samba (2:4.9.1+dfsg-1) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding those 
services.
(samba-ad-dc.service already masked)
Job for smbd.service failed because the control process exited with error code.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "restart" failed.
● smbd.service - Samba SMB Daemon
?? Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: 
enabled)
?? Active: failed (Result: exit-code) since Tue 2018-09-25 09:53:30 CEST; 8ms 
ago
 Docs: man:smbd(8)
?? man:samba(7)
?? man:smb.conf(5)
? Process: 8904 ExecStart=/usr/sbin/smbd --foreground --no-process-group 
$SMBDOPTIONS (code=exited, status=255)
?Main PID: 8904 (code=exited, status=255)
?
Sep 25 09:53:30 debian9test systemd[1]: Starting Samba SMB Daemon...
Sep 25 09:53:30 debian9test systemd[1]: smbd.service: Main process exited, 
code=exited, status=255/n/a
Sep 25 09:53:30 debian9test systemd[1]: smbd.service: Failed with result 
'exit-code'.
Sep 25 09:53:30 debian9test systemd[1]: Failed to start Samba SMB Daemon.
dpkg: error processing package samba (--configure):
?installed samba package post-installation script subprocess returned error 
exit status 1
Processing triggers for libc-bin (2.27-6) ...
Errors were encountered while processing:
?samba
E: Sub-process /usr/bin/dpkg returned an error code (1)
?
apt-get remove winbind
The following packages will be REMOVED:
? winbind
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 2,008 kB disk space will be freed.
Do you want to continue? [Y/n]
(Reading database ... 45774 files and directories currently installed.)
Removing winbind (2:4.9.1+dfsg-1) ...
Processing triggers for libc-bin (2.27-6) ...
Processing triggers for man-db (2.8.4-2) ...
Setting up 

Bug#909465: (samba: Upgrade samba fails if winbind is install with default config)

[L . P . H . van Belle]

Hai, 
Few steps to see whats happening with some output. 
Below is shown with 4.9.1 *(own package) but it also happens with 4.9.0. ( 
exact the same. ) 

On a clean new installed debian (stretch) server.
apt-get install samba winbind 
.
.
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_STANDALONE

Done
Setting up samba-dsdb-modules:amd64 (2:4.9.1+nmu-1~deb9) ...
Setting up winbind (2:4.9.1+nmu-1~deb9) ...
mkdir: created directory '/var/lib/samba/winbindd_privileged'
changed group of '/var/lib/samba/winbindd_privileged' from root to winbindd_priv
mode of '/var/lib/samba/winbindd_privileged' changed from 0755 (rwxr-xr-x) to 
0750 (rwxr-x---)
Created symlink /etc/systemd/system/multi-user.target.wants/winbind.service ?¨ 
/lib/systemd/system/winbind.service.
Setting up samba (2:4.9.1+nmu-1~deb9) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding those 
services.
(samba-ad-dc.service masked)
Job for smbd.service failed because the control process exited with error code.
See "systemctl status smbd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript smbd, action "start" failed.
?? smbd.service - Samba SMB Daemon
   Loaded: loaded (/lib/systemd/system/smbd.service; disabled; vendor preset: 
enabled)
   Active: failed (Result: exit-code) since Mon 2018-09-24 13:23:24 CEST; 7ms 
ago
 Docs: man:smbd(8)
   man:samba(7)
   man:smb.conf(5)
  Process: 12594 ExecStart=/usr/sbin/smbd --foreground --no-process-group 
$SMBDOPTIONS (code=exited, status=255)
 Main PID: 12594 (code=exited, status=255)

Sep 24 13:23:24 debian9test systemd[1]: Starting Samba SMB Daemon...
Sep 24 13:23:24 debian9test systemd[1]: smbd.service: Main process exited, 
code=exited, status=255/n/a
Sep 24 13:23:24 debian9test systemd[1]: Failed to start Samba SMB Daemon.
Sep 24 13:23:24 debian9test systemd[1]: smbd.service: Unit entered failed state.
Sep 24 13:23:24 debian9test systemd[1]: smbd.service: Failed with result 
'exit-code'.
dpkg: error processing package samba (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.24-11+deb9u3) ...
Processing triggers for systemd (232-25+deb9u4) ...
Errors were encountered while processing:
 samba
E: Sub-process /usr/bin/dpkg returned an error code (1)


Test: 
systemctl stop winbind
apt-get -f install
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
1 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up samba (2:4.9.1+nmu-1~deb9) ...
Samba is not being run as an AD Domain Controller: Masking samba-ad-dc.service
Please ignore the following error about deb-systemd-helper not finding those 
services.
(samba-ad-dc.service already masked)
Created symlink /etc/systemd/system/multi-user.target.wants/nmbd.service ?¨ 
/lib/systemd/system/nmbd.service.
Failed to preset unit: Unit file /etc/systemd/system/samba-ad-dc.service is 
masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on 
samba-ad-dc.service: No such file or directory
Created symlink /etc/systemd/system/multi-user.target.wants/smbd.service ?¨ 
/lib/systemd/system/smbd.service.
Processing triggers for libc-bin (2.24-11+deb9u3) ...
W: APT had planned for dpkg to do more than it reported back (0 vs 4).
   Affected packages: samba:amd64

Results in ps fax : 
15173 ?Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
15175 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15176 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15178 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15211 ?Ss 0:00 /usr/sbin/nmbd --foreground --no-process-group

The only error ( with the default smb.conf settings ) 
Logs show : 
[2018/09/24 14:06:01.620243,  0] 
../source3/auth/auth_util.c:1382(make_new_session_info_guest)
  create_local_token failed: NT_STATUS_ACCESS_DENIED
[2018/09/24 14:06:01.620284,  0] ../source3/smbd/server.c:2000(main)
  ERROR: failed to setup guest info.
[2018/09/24 14:06:34.850213,  0] ../lib/util/become_daemon.c:138(daemon_ready)
  daemon_ready: STATUS=daemon 'smbd' finished starting up and ready to serve 
connections

systemctl start winbind
ps fax
15173 ?Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
15175 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15176 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15178 ?S  0:00  \_ /usr/sbin/smbd --foreground --no-process-group
15211 ?Ss 0:00 /usr/sbin/nmbd --foreground --no-process-group
15289 ?Ss 0:00 /usr/sbin/winbindd --foreground --no-process-group
15291 ?S  0:00  \_ 

Bug#907396: kopano-server: Tools all fail with: MAPI error 80040111 (MAPI_E_LOGON_FAILED)

[L . P . H . van Belle]

Hai, 
 
I did have a look at this and this report is missing a lot what we need to 
determin the problem. 
 
The installed packages does not show mariadb-server installed. 
Is this kopano setup connecting to a remote store when you tested? 
 
from the server.cfg
# drop privileges and run the process as this user
run_as_user = kopano
 
# drop privileges and run the process as this group
run_as_group = kopano
These are the default and is not needed to enable it. 
 
 
After removing kopano there are some left overs, after upgrading from 8.5 to 
8.6 a simular problem. ( with the kopano community packages ). 
https://forum.kopano.io/topic/1305/crash-kopano-core-upgrade-from-8-5-81-288-0-53-1-to-8-6-80-645-0-68-1/12
 
https://jira.kopano.io/browse/KC-1138   shows fixed in 8.6.2 and 8.7.0 
 
If it was an upgrade, remove and purge kopano, check for left overs, remove 
them and install again. 
 
My test showed. 
dpkg: warning: while removing python-kopano, directory 
'/usr/lib/python2.7/dist-packages/kopano' not empty so not removed
 
ls -al /usr/lib/python2.7/dist-packages/kopano
total 60
drwxr-xr-x 2 root root 4096 Sep 14 09:48 .
drwxr-xr-x 5 root root 4096 Sep 14 09:48 ..
-rw-r--r-- 1 root root 6422 Sep 14 09:45 compat.pyc
-rw-r--r-- 1 root root 7498 Sep 14 09:45 config.pyc
-rw-r--r-- 1 root root 1757 Sep 14 09:45 errors.pyc
-rw-r--r-- 1 root root 5537 Sep 14 09:45 __init__.pyc
-rw-r--r-- 1 root root 5958 Sep 14 09:45 lru_cache.pyc
-rw-r--r-- 1 root root 8407 Sep 14 09:45 utils.pyc
-rw-r--r-- 1 root root  169 Sep 14 09:45 version.pyc

dpkg: warning: while removing python-mapi, directory 
'/usr/lib/python2.7/dist-packages/MAPI' not empty so not removed
 
ls -al /usr/lib/python2.7/dist-packages/MAPI
total 12
drwxr-xr-x 2 root root 4096 Sep 14 09:48 .
drwxr-xr-x 5 root root 4096 Sep 14 09:48 ..
-rw-r--r-- 1 root root  361 Sep 14 09:45 __init__.pyc


I have a deeper look into this and try to help finding the problem. 
Kopano in debian is what i wanted for a long time so i'll help out what i can. 
im not a coder, but im working with kopano (zarafa) since 4.x. 
 
 
Greetz, 
 
Louis
 

 
 

Bug#883939: smbclient failing to connect with default protocol SMB3_11

[L . P . H . van Belle]

Only thing i can suggest atm for this one is post your problem on the samba 
list.

If you do, post the windows server version your using also. 
And preffered also the linux os and smb.conf ( if needed anonymized ). 

This might be a regression or a "still" not fixed bug. 

Best regards, 

Louis


> -Oorspronkelijk bericht-
> Van: Matthew Foulkes [mailto:m.foul...@blueyonder.co.uk] 
> Verzonden: vrijdag 24 augustus 2018 13:56
> Aan: 883...@bugs.debian.org; L.P.H. van Belle
> Onderwerp: Re: smbclient failing to connect with default 
> protocol SMB3_11
> 
> Hi Louis,
> 
> Thanks for your help, but this bug does not seem to be quite 
> the same as 
> any of the ones you listed. I can connect when I specify "client max 
> protocol" values of SMB3_10, SMB3_02, SMB2, or NT1, but not 
> with SMB3 or 
> SMB3_11.
> 
> Best wishes, Matthew
> 
> -- 
> **
>   email: m.foul...@blueyonder.co.uk
>   phone: (020) 8286 9910
> **
> 
> 

Bug#883939: smbclient failing to connect with default protocol SMB3_11

[L . P . H . van Belle]

Hai, 
 
The cause of these "bugs" are security updates and windows removeing/disabling 
smb1. 
Samba/Windows are disabling SMB1 and changing the defaults for smbclient from 
smb1 to smb3. 
 
Take also note of this: 
Every windows 10 1709 and up please note that.. 
If you dont use your windows 10 for 2 weeks, SMB1 is automaticly removed. 
After you reinstall it, it wont be removed anymore. 
 
 
Some related bugs:
This is your problem. 
https://bugzilla.samba.org/show_bug.cgi?id=12895
 
i believe this one is also related to this problem. 
https://bugzilla.samba.org/show_bug.cgi?id=12876 
 
one to watch out. 
https://bugzilla.samba.org/show_bug.cgi?id=13360 
Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
 
( fixed, but reopened ) 
https://bugzilla.samba.org/show_bug.cgi?id=13328 
 
samba 4.7 is where the default setting changed.
client max protocol Effective SMB3_11 default changed
 
Based on what i've seen on the samba (bug) list, i dont think this is fully 
fixed. 
 
I hope this info helps out a bit.
 
 
Best regards, 
 
Louis
 

Bug#903165: On boot squid.service starts but doesn't work

[L . P . H . van Belle]

Hai, 
 
i've tested startup change, that works fine. Thank for the notice Amos. 
 
The upstream patch. 
https://github.com/squid-cache/squid/pull/264/commits/90218ea99bb5c79b9be594777963ca91667f5fa2
  
 
I've also added bind to Wants, if bind is running i preffer to start bind 
before any other service that uses dns. 
Wants=bind9.service
 
 
Best regards, 
 
Louis
 
 
 

Bug#899269: [Pkg-samba-maint] Bug#899269: Bug#899269: changes to 4.8

[L . P . H . van Belle]

Hai Mathieu, 

The user got also reply on the list now but Rowland ( from samba devs ) pointed 
a good thing out. 

Linux user nobody : uid 65534 
That wil conflic with the defaults used for the domain id ranges. 

Quote from Rowland:
So, what I recommend is, use '1000-2999' for local Unix users &
groups, '3000-7999' for the 'Well known SIDS' and anything outside the
Domain and start the main AD DOMAIN at '1' (which is, incidentally,
the number Microsoft chose).

This leads to lines such as these in smb.conf:

idmap config *:backend = tdb
idmap config *:range = 3000-7999
idmap config SAMDOM : backend = rid
idmap config SAMDOM : range = 1-99


Now, for Debian that would be
idmap config SAMDOM : range = 1-65533
But that is a small range or debian should advice 
idmap config SAMDOM : range = 10-99
Anything from/above 100.000 for samba AD. 

So imo, the debian setup the README.Debian should mention something about this. 


Best regards, 

Louis


> -Oorspronkelijk bericht-
> Van: Mathieu Parent [mailto:math.par...@gmail.com] 
> Verzonden: woensdag 20 juni 2018 15:08
> Aan: Louis; 899...@bugs.debian.org
> CC: Chad William Seys
> Onderwerp: Re: Bug#899269: [Pkg-samba-maint] Bug#899269: 
> Bug#899269: changes to 4.8
> 
> Le mer. 20 juin 2018 à 12:39, L.P.H. van Belle 
>  a écrit :
> >
> > No, dont try below.
> >
> > Thats wrong ( sorry Mathieu )
> 
> Yes. This was copied from manpage, then (few minutes) later corrected.
> (I removed the ad backend, because it requires SFU to be enabled and
> other requirements.)
> 
> The idea Chad William Seys, is that specifying the idmap 
> range is mandatory.
> 
> 
> Regards
> 
> -- 
> Mathieu Parent
> 
> 

Bug#899269: [Pkg-samba-maint] Bug#899269: Bug#899269: changes to 4.8

[L . P . H . van Belle]

No, dont try below. 

Thats wrong ( sorry Mathieu ) 

> idmap config * : backend = tdb
> idmap config * : range = 100-199
> 
> idmap config PHYSICS : backend  = ad
> idmap config PHYSICS : range = 1000-99
The first configured user in debian has uid???  Yes 1000. 
There for this example isnt correct. 

Better is. 
Your normal linux users start as of  : 1000 - . ? Unknown. 

The BUILIN range is added above the normal linux range. 
Something like this 
> idmap config * : backend = tdb
> idmap config * : range = 4000-

Samba AD started default with 1 
> idmap config PHYSICS : backend  = ad
> idmap config PHYSICS : range = 1-9
I really advice to start as of that point. 

You can change any range but dont overlap any.
I also suggest you to read : 
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 

And cleanup you config. 
You config is not for a member server as it is now. 
I can ask Rowland on the list if he could advice you on some setttings. 
I for example dont use any "fruit" vfs things. 

ps, sometimes people are very buzy on the samba list and havent replied yet.. 


Best regards, 

Louis



> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
ebian.net] Namens Mathieu Parent
> Verzonden: woensdag 20 juni 2018 11:47
> Aan: Chad William Seys; 899...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#899269: Bug#899269: changes to 4.8
> 
> Le mar. 19 juin 2018 à 00:39, Chad William Seys
>  a écrit :
> [...]
> > I've posted to the samba mailing list about this:
> > https://lists.samba.org/archive/samba/2018-June/216447.html
> 
> Your problem looks different. Your idmap config is wrong.
> 
> Try somehting like this:
> 
> idmap config * : backend = tdb
> idmap config * : range = 100-199
> 
> idmap config PHYSICS : backend  = ad
> idmap config PHYSICS : range = 1000-99
> 
> Regards
> -- 
> Mathieu Parent
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
amba-maint
> 

Bug#900908: [Pkg-samba-maint] Bug#900908: Bug#900908: Missing bug URLs

[L . P . H . van Belle]

If i may say, just saw the posts, 

The netbios name in 15 characters and uppercase. 
This makes it more consistant when you join networks, it prevents problems. 
I was thinking of the following.

When we are packaging, set a pre-defined hostname in smb.conf
netbios name = PRE-HOSTNAME

sed -i '/global/a \ \ \ netbios name = PRE-HOSTNAME' smb.conf


In samba-common-bin.postinst 
This part, thank you Wolfgang, but now add this at the beginning for the 
script. 

+if [ $(hostname|wc -m) -le 15 ] ; then
+echo "Removing PRE-HOSTNAME after netbios hostname check from smb.conf"
+sed '/netbios name = PRE-HOSTNAME/d'
+# test for a correct smb.conf
+samba-tool testparm -d1 --suppress-prompt > /dev/null
+else
+echo "WARNING: The hostname is too long or invalid to serve as netbios 
name."
+echo "Please set a valid netbios name, see man (5) smb.conf for details."
+echo "When done run : dpkg-reconfigure -a, and continue the install."
+exit 1
+fi
 echo "Done"

At least, the change and check, should be done before samba/winbind is started.
This prevents possible caching problem and other (possible) tdb/ldb file 
problems.

Last, if we want to do this right, then we should check for the full mounty : 
https://support.microsoft.com/nl-nl/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and
 
Important one NetBIOS computer names: Check for Allowed characters and 
Disallowed characters.
Uppercase to keep things more clear. 

And as you see in the link, there is more we can check to make sure the 
netbiosname and dns names wont confict. 

Just sharing some of my ideas for this one. 


Best regards, 

Louis



> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Mathieu Parent
> Verzonden: donderdag 7 juni 2018 11:19
> Aan: w.schw...@gmx.de
> CC: 900...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#900908: Bug#900908: Missing bug URLs
> 
> Le jeu. 7 juin 2018 à 11:08, Wolfgang Schweer 
>  a écrit :
> >
> > On Thu, Jun 07, 2018 at 10:53:55AM +0200, Mathieu Parent wrote:
> > > I still think that failing the installation is correct (the admin
> > > should change the hostname before install or provide a 
> smb.conf with
> > > "netbios name" properly set).
> >
> > Tried this as well: Providing smb.conf with valid netbios 
> name _before_
> > installing samba-common-bin triggers a debconf prompt... So this
> > possibility doesn't allow automatic installations (like 
> used with Debian
> > Edu);
> 
> The prompt can be preseeded (with debconf-set-selections).
> 
> > 'netbios name' isn't preseedable, too. Please correct me if I'm
> > wrong.
> 
> Confirmed. This is probably where the fix should go (but it's hard,
> because this needs some more sed magic touching smb.conf).
> 
> Regards
> -- 
> Mathieu Parent
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#900396: manpage 'usershare max shares' default value is wrong.

[L . P . H . van Belle]

Package: samba
Version: all versions

Reported by samba community. 
Upstream report is : https://bugzilla.samba.org/show_bug.cgi?id=13456 

Debian change the usershared max shares from 0 (disabled) to 100 but forgot the 
man page. 

But im question this also because of the following. 

With the user share path enabled: usershare path = /var/lib/samba/usershares 
And usershared max shares = 100 

You get messages in your logs which only clotters the logs. 

Fix options are; 
-Revert the usershared max shared back to 0 and not need to fix the man page.
-Set usershare path = (empty) which also disables the usershares and prevents 
log clottering. 

Seen on wheezy jessie stretch and up. 


Greetz, 

Louis

Bug#897269: [Pkg-samba-maint] Bug#897269: Bug#897269: samba: build against system heimdal instead of outdated embedded code copy

[L . P . H . van Belle]

Hai, 

Now im not a Debian Maintainer, but i must say the following. 

Personaly, i think its not wize to switch MIT at this moment.
I dont know the exact status of the roadmap, was updated 5 months ago. 
https://wiki.samba.org/index.php/Roadmap  
Note this : 
Active Directory Server
WIP: S4U2Self, S4U2Proxy, PKINIT and RODC support with MIT Kerberos - Work is 
currently stalled (Andreas, Günther)
^^^

I must keep the heimdal version working for myself, no problem for me but i am 
not alone here.
Atm i have about 250 uniq ips, using my packages also, so these are safe if i 
keep following the samba sources. 

I cant use the MIT version myself due to : S4U2Self PKINIT  S4U2Proxy ( i dont 
use RODC ).

@Paul, you are speaking of crashes of samba. 
I dont see any crashes of samba on any of my servers, this is with my own 
packages,
but these are heavily based on the debian packages and i use a bit more updated 
sources atm on my Stretch packages.

Can you tell more about these crashes, so i can test this a bit if i can make 
my samba crash. 
Or can you try to simulate this with my packages? 4.7.7 is my latest production 
version. 

You can get them here. 
echo "deb http://apt.van-belle.nl/debian stretch-unstable main contrib 
non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -

Note, the stretch-unstable is not unstable, a wrong choice in nameing here, 
i use the 4.7.7 on all my production machines atm and im very happy with these.

I've made an debian stretch package of 4.8.1, which is getting updated now. 
ldb change to 1.3.3 and testing the "corruption" fix, Samba bug 13335

But i do agree to keep debian clean of embedded sources. 

Switch to MIT, yes, but only if S4U2Self, S4U2Proxy, PKINIT and RODC is 
supported in MIT.
This is a major behavior change which Debian should avoid ( for now imo. ) 
Just expressing my concerns here if debian is going for MIT to early.


Greetz, 

Louis




> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@alioth-lists.d
> ebian.net] Namens Mathieu Parent
> Verzonden: dinsdag 1 mei 2018 21:46
> Aan: Paul Wise; 897...@bugs.debian.org
> CC: Andrew Bartlett
> Onderwerp: [Pkg-samba-maint] Bug#897269: Bug#897269: samba: 
> build against system heimdal instead of outdated embedded code copy
> 
> Control: tag -1 + upstream
> 
> 2018-05-01 7:36 GMT+02:00 Paul Wise :
> > Source: samba
> > Severity: wishlist
> > Usertags: embed
> > Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=12976
> 
> Hello Paul,
> 
> Thanks for your report
> 
> > As noted in samba upstream bug #12505, the embedded copy of 
> heimdal in
> > samba is outdated, at least in respect to the krb5_storage_free
> > function and this seems to cause some crashes in samba at times.
> > There are probably other bugs in samba's copy of heimdal that were
> > fixed in heimdal upstream.
> >
> > 
> https://git.samba.org/?p=samba.git;a=blob;f=source4/heimdal/li
> b/krb5/store.c;hb=HEAD#l270
> > https://github.com/heimdal/heimdal/blob/master/lib/krb5/store.c#L289
> > https://bugzilla.samba.org/show_bug.cgi?id=11824
> > https://bugzilla.samba.org/show_bug.cgi?id=12505
> > https://www.spinics.net/lists/samba/msg133243.html
> >
> > I asked samba upstream last year to either remove or update the
> > embedded code copy but there was no response to my bug report.
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=12976
> >
> > Until samba upstream reaches a decision on this, I think that Debian
> > should patch samba so that our builds use the system 
> version of heimdal
> > instead of the outdated embedded code copy.
> >
> > See also Debian Policy 4.13 and the corresponding wiki page:
> >
> > https://www.debian.org/doc/debian-policy/#convenience-copies-of-code
> > https://wiki.debian.org/EmbeddedCodeCopies
> 
> 
> Currently there is no way to build using system Heimdal, the embedded
> copy has diverged too much from upstream I believe.
> 
> Maybe a fix would be to switch to MIT Kerberos, see #726459. I'm
> hesitant to do this given the risk of this big change (and some people
> probably use Debian for the features that don't have parity yet).
> 
> Andrew, is there any chance to sync Heimdal code with upstream? Or
> should we switch to MIT?
> 
> Regards
> 
> -- 
> Mathieu Parent
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-s
> amba-maint
> 

Bug#881239: Panic on opening file on samba share with Microsoft Project

[L . P . H . van Belle]

>From the reply from samba.org bugzilla. 
Response: Volker Lendecke 2017-11-10 07:45:25 UTC 

WONTFIX might sound harsh, but the fix is not to ship aio_linux in debian. 

Linux AIO is not suiteable for samba's file access requirements. 
It only works on O_DIRECT for page-aligned accesses, something Samba does not 
do.
The fix is to just say "aio write size = 1" and "aio read size = 1" without any 
vfs objects. 
This activates the threaded implementation for async I/O that is implemented in 
core Samba.
Please transfer this info to the debian package maintainer (if you are not the 
one yourself :-) 
and close the debian bug with the same statement. 

Please remove aio_linux from the debian package.

Best regards, 

Louis

Bug#581199: libnfsidmap: Virtual domains/users handling with at sign in idmap

[L . P . H . van Belle]

Thank you, 
 
i was looking long time for my nfs kerberized problems..  ( resulting in 
nobody/nogroup/root [g;u]id's ) 
I'll go try this patch i hope that this solves it finaly. 
 
ps. this started around jessie/stretch, cant recall exact when anymore. (sorry)
 
But Thanks!! for the patch. 
 
 
Best regards, 
 
Louis
 

Bug#744768: libnfsidmap2 fails to obtain username which results in failed translation

[L . P . H . van Belle]

Hai, 
 
Even its long time after the initial report. 
You might be right. this "old" bug recently got updated. 
 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=581199 
(snap)
Idmap looks for the first occurrence of and @ sign in the name string
and assumes that the @ sign is the one of user@virtual_domain rather than
using the one of username@idmap_domain (user@virtual_domain@idmap_domain).

As a result, the UIDs / GIDs cannot be resolved and the ownerships are
reported as 'nobody'.


 
Best regards, 
 
Louis
 
 
 
 

Bug#878163: [Pkg-samba-maint] Bug#878163: samba: Samba updates from Windows 10 fail because "Size on Disk" miscalculated

[L . P . H . van Belle]

Hello Harrison, 
 
Its may be samba bug, not rulling it out. 
I did believe this was fixed already. ( 4.6.7+ if i recall correct ) 
I do recall there was some miscalulation of size but there are some options to 
check if thats the case. 
 
 
If you use any VFS modules ( beside the defaults ) turn it off. 
stop and start samba. 
 
Next, share the disk content from within a subfolder not the disk root. 
That may fix it also, if thats the case. 
 
If you share looks like \\server\share 
And share = for example /mnt/disk1  ( samba path = /mnt/disk1 ) 
Then setup like this  /mnt/disk1/media and share the folder media. 
 
Last, If you use quota's, turn them off. 
One of these or a combination of my trigger you problem. 
 
Open a dos box. 
Type dir \\server\share\folder
 
Now, is the size correct in the dos box? 
 
Can try these steps one at a time and report back. 
 
 

 
Best regards, 
 
Louis

Bug#863285: [Pkg-samba-maint] Bug#863285: [winbind] Install/Updates Fail When Samba Running as samba 4 Domain

[L . P . H . van Belle]

Hai Roberto, 

First of all, nice to see good config. 
That helps, so thats clear, no config errors.

The locations for samba (systemd) files is by default.
/lib/systemd/system/
This is all correct, so no worries. 

Also, since systemd is new for you, as of debian stretch, you can use the 
command
systemctl edit your.service
This creates a new file ( overrides to the default settings) in somewhere 
/etc/systemd/.. 
A good thing to know is when you use : systemctl edit --full your.service
The makes a full copy of the original and places it in /etc/systemd. 
In case of the samba-ad-dc.service,  

I dont see the "bug" here. 

If server_role is not "active dir. " 
if [ "$SERVER_ROLE" != "active directory domain controller" ] \

And while true, echo server_service | grep silently and dont show smb.
> && ( echo "$SERVER_SERVICES" | grep -qv '\(^\|, \)smb\(,\|$\)' ) \

Thats what im reading, but im not a coder.. 
The smb, why thats there, i dont know. It probly has to do with removing ntvfs 
and adding s3fs as default. 

But for this report, i can confirm this is a bug.


Bug in /var/lib/dpkg/info/winbind.postinst
Missing AD DC, detection, and if ADDC is running, dont restart winbind.
See example, samba.postinst


Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@lists.alioth.d
> ebian.org] Namens Roberto C. Sánchez
> Verzonden: maandag 31 juli 2017 16:57
> Aan: 863...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#863285: [winbind] 
> Install/Updates Fail When Samba Running as samba 4 Domain
> 
> Hi Louis,
> 
> On Mon, Jul 31, 2017 at 02:02:52PM +0200, L.P.H. van Belle wrote:
> > Hai Roberto,
> > 
> > Thank you for your insight also.
> > Can you post you complete (anonimized where needed) smb.conf. 
> > And the running version you have and the version your upgrading to.
> > This way we have most of the needed info. 
> > 
> Here is the smb.conf:
> 
> # Global parameters
> [global]
> workgroup = EXAMPLE
> realm = EXAMPLE.COM
> netbios name = SAMBA-ADDC1
> server role = active directory domain controller
> server services = -dns
> idmap_ldb:use rfc2307 = yes
> printing = CUPS
> printcap name = /dev/null
> kerberos method = secrets and keytab
> #ldap server require strong auth = allow_sasl_over_tls
> ldap server require strong auth = no
> 
> map to guest = bad user
> 
> tls enabled = yes
> tls keyfile = 
> /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.key
> tls certfile = 
> /etc/ssl/samba-addc1.example.com/samba-addc1.example.com.pem
> tls cafile = /etc/ssl/cacert.pem
> 
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config EXAMPLE:backend = ad
> idmap config EXAMPLE:schema_mode = rfc2307
> idmap config EXAMPLE:range = 1-2
> 
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> 
> log level = 2
> syslog = 3
> 
> [netlogon]
> path = /var/lib/samba/sysvol/example.com/scripts
> read only = No
> 
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
> 
> The server was initially installed with wheezy, using the 
> Samba 4 backport packages (this was around the end of 2014), 
> then upgraded to jessie when it became the stable release.
> 
> The currently installed version of Samba is: 2:4.2.14+dfsg-0+deb8u7+b1
> 
> The version I am trying to install (as part of the dist-upgrade to
> stretch) is: 2:4.5.8+dfsg-2+deb9u1+b1
> 
> I have read through all of the upstream release notes and 
> changelogs, as well as the NEWS file in the Debian package to 
> make sure that I don't have anything in the configuration 
> that will cause problems.  After reviewing, there is nothing 
> in my configuration that makes me think I need to change it 
> prior to upgrading.
> 
> > In general.
> > For samba ( standalone/members ) systemd uses one or more : 
> smbd nmbd 
> > winbind For samba ( AD DC ) systemd uses samba-ad-dc
> > 
> Yes, and that is how it appears to be with the systems on my network.
> 
> > The change to samba AD DC with systemd is: 
> > 
> > systemctl disable smbd nmbd winbind
> > systemctl mask smbd nmbd winbind
> > systemctl stop smbd nmbd winbind
> > 
> > systemctl enable samba-ad-dc
> > systemctl unmask samba-ad-dc
> > systemctl start samba-ad-dc
> > 
> 
> Interestingly, I never had to do anything with systemctl when 
> upgrading from wheezy to jessie.  On the jessie system (prior 
> to upgrade) here is what the systemd setup looks like:
> 
> systemctl list-units |egrep 'samba|nmbd|smbd|winbind'
> nmbd.service  
> loaded active exited   

Bug#863285: [winbind] Install/Updates Fail When Samba Running as samba 4 Domain

[L . P . H . van Belle]

Hai Roberto,

Thank you for your insight also.
Can you post you complete (anonimized where needed) smb.conf. 
And the running version you have and the version your upgrading to.
This way we have most of the needed info. 

In general.
For samba ( standalone/members ) systemd uses one or more : smbd nmbd winbind
For samba ( AD DC ) systemd uses samba-ad-dc

The change to samba AD DC with systemd is: 

systemctl disable smbd nmbd winbind
systemctl mask smbd nmbd winbind
systemctl stop smbd nmbd winbind

systemctl enable samba-ad-dc
systemctl unmask samba-ad-dc
systemctl start samba-ad-dc


But, this wont help on the upgrade. 
/var/lib/dpkg/info/winbind.postinst should detect the "AD DC" server.
The same way /var/lib/dpkg/info/samba.postinst is doing. 


Greetz, 

Louis




> -Oorspronkelijk bericht-
> Van: Roberto C. Sánchez [mailto:robe...@connexer.com] 
> Verzonden: maandag 31 juli 2017 13:23
> Aan: L.P.H. van Belle; 863...@bugs.debian.org
> Onderwerp: Re: Bug#863285: [winbind] Install/Updates Fail 
> When Samba Running as samba 4 Domain
> 
> On Mon, Jul 31, 2017 at 09:51:25AM +0200, L.P.H. van Belle wrote:
> >Hai, this is know.
> > 
> >Did you check and did you correct your smb.conf before 
> you started
> >upgrading.
> >You posted a partial smb.conf, that did not help, can 
> you post your
> >complete smb.conf ( anonimized if needed. ).
> > 
> I know that I am not the original submitter, but I too have 
> encountered the problem reported in this bug.
> 
> >There are 2 known things when upgrade winbind.
> >1) A failty smb.conf, prevents/failes upgrading.
> > 
> >The fix :  correct the smb.conf  and run dpkg --reconfigure -a
> > 
> I have confirmed that my smb.conf is correct and not faulty 
> and the upgrade still fails.
> 
> >2) possible problem with nsswitch.conf
> >if you have winbind before compat, switch them and run 
> dpkg --reconfigure
> >-a
> > 
> I have compat first in nsswitch.conf on my systems.
> 
> In my case, the solution was to mask the winbind and smbd 
> units in systemd.  I also masked nmbd to be safe, though the 
> documentation indicates that nmbd does not run when Samba is 
> configured as an AD DC.
> 
> I will be upgrading all of my systems soon, but I am 
> retaining a pre-upgrade snapshot of one of the VMs that runs 
> as an AD DC.  If I can help with resolving this, please let me know.
> 
> Regards,
> 
> -Roberto
> 
> --
> Roberto C. Sánchez
> 
> 

Bug#464035: 464035 [Pkg-samba-maint] Bug#464035: samba: Cannot connect user

[L . P . H . van Belle]

Hai,
 
I agree with Steve, this is not a bug but fix below ( for windows ) 
even that the pdbedit -L fixed this for Peter, im adding this for historical 
lookups. 
 
You see this mainly with windows XP.  
 
When attempting to join a domain, you receive the following error message:
"Computer Name Changes: The following error occurred attempting to join the
domain MYDOMAIN: The specified network password is not correct".

Additionally, your Samba logfile (at debug level 1) reveals:
"smbd/service.c:make_connection(): Can't become connected user!". 
 
This is usually caused by improper registry settings in the client. 
 
Use Window's Group Policy Editor (gpedit.msc) to make the following changes in 
the :
 "Local Computer Policy\Computer Configuration\Windows Settings\Security 
Settings\Local Policies\Security Options" 

Disable: Domain member: Digitally encrypt or sign secure channel data
Disable: Domain member: Digitally sign secure channel data (when possible)

Please, close bug. 

 
Greetz, 
 
Louis

Bug#849146: [Pkg-samba-maint] Bug#849146: samba: empty client domain is not mapped to standalone server domain when user name contains @

[L . P . H . van Belle]

This is samba bug :
https://bugzilla.samba.org/show_bug.cgi?id=12375   ( fixed in 4.5.2 ) 
 
https://bugzilla.samba.org/show_bug.cgi?id=12492 ( undecided/failty 
config/setup )  ( i agree with this one. )
 
Now whats really allowed... 
Active Directory user and group names can contain all Unicode characters except 
for the following characters:
*   Forward slash (/) 
*   Backward slash (\) 
*   Left square bracket ([) 
*   Right square bracket (]) 
*   Colon (:) 
*   Semicolon (;) 
*   Vertical bar (|) 
*   Equal sign (=) 
*   Plus sign (+) 
*   Asterisk (*) 
*   Question mark (?) 
*   Left angle bracket (<) 
*   Right angle bracket (>) 
*   Double quote (") 
*   At symbol (@) An "at" symbol (@) is not allowed unless it is used to 
specify the domain. 
For example, 
u...@mydomain.com is allowed.
user@n...@mydomain.com is not allowed. 
 
resulting in username@ is not allowed. 
 
Because its username@UPN  
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx
The @ is seen as separator.
 
 
@André Janna 
You can deploy AD, and in some time you "sort of" have to. 
 
NT4.0 domain support wont last forever, and sorry, but the sooner the better. 
 
I suggest have a look here :
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
 
 
but beware, if you username@ as usernames you wil end up with some errors. 
 
Setup a test environment and try. 
If you run in to problems, join the samba list and ask you question there. 
 
IMO, not a bug, error in setup. 
 
I suggest, close bug. 
 
 
Greetz, 
 
Louis
 
 
 
 
 
 
 

Bug#759592: winbind dumps core on startup, fails to resolve

[L . P . H . van Belle]

This done in the "testing" release. 
So version mismatches can happen. 
 
This one is missing a lot of info, like: 
smb.conf
AD DC or member server. 
nsswitch.conf
 
since 4.1.11 isnt released and this is not reproducable.
 
I suggest close bug, not reproducable. 
 
Greetz, 
 
Louis
 
 
 

Bug#739768: winbind: Non-kerberos logins fails on winbind 4.X when krb5_auth is configured in PAM (default)

[L . P . H . van Belle]

Hai, 
 
You log are right.
 
You are mssing this setting in smb.conf 
 
dedicated keytab file = /etc/krb5.keytab
 
by default the keytab goes to /var/lib/samba/private/krb5.keytab but ssh uses 
/etc/krb5.keytab. 
realm = ad.proikt.com
change that to : 
realm = AD.PROIKT.COM
 
add : 
dedicated keytab file = /etc/krb5.keytab 
 
run : pam-auth-update 
restart winbind
 
now enable these in sshd_config
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

 
restart ssh, now try again. 
 
If this does not work, export the keytab for you server again. 
https://wiki.samba.org/index.php/Generating_Keytabs 
 
This works fine as of samba 4.1.17 Debian jessie  up to 4.5.8 Debian packages ( 
and my own package 4.5.10/4.6.5 ) 
if you want a good base for you setup. Go here , skip untill you see: Setup 
Jessie. ( that should work also on stretch ) 
https://lists.samba.org/archive/samba/2017-March/207452.html 
 
Review you setup based on whats there. 
I use that setup for the following. 
- file server
- print server
- proxy server
- webserver. 
The main difference between file/print and proxy/web.
The file and print have shares, my proxy/web servers not but all use sso 
kerberos auth with user dirs on NFSv4.  
! If you use SSH with kerberos and SSO, dont forget to give you users a 
uid/gid. 
 
IMHO, bug report is not a bug but configuration error. 
 

 
Greetz, 
 
Louis
 
 

Bug#721514: [Pkg-samba-maint] Bug#721514: Bug#721514: winbind: Winbind authentication also broken after upgrade from from Jessie to Stretch

[L . P . H . van Belle]

Thanks for the logs and smb.conf

You have multiple problems in the setup. 

The first, ( no uid/gid/ users with getentpasswd ) 

On a AD DC you must use : getent passwd username
On a member you can use : getent passwd and getent passwd username

But for the DC, you must have this also. 

winbind enum users  = yes
winbind enum groups = yes
But beware if you have a big AD, this will slow down you AD DC server. 

And your users/groups have a UID/GID. 
Then yes you will see the id, if you configured The DC shows: 

getent passwd username
NTDOM\username:*:10002:1::/home/users/username:/bin/bash
(The home path uid and gid can differ )

Beware of : 
realm = SBOCLDEMO.LOCAL

If you have avahi-daemon installed, check you nsswitch.conf 
Make sure you have setup : compat winbind 
mDNS can be a problem and .local domains are not adviced to use. 
If you see: 
hosts: files mdns4_minimal dns  
Change that to 
hosts: files dns mdns4_minimal

I suggest also you have a read here. 
https://wiki.samba.org/index.php/User_Documentation 


For the second problem..
Windows ??  If its XP, try it with these. 
This reg key. 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:0005

These smb.conf settings, now your XP compable, but you still have a secure 
samba. 
   lm announce = no
   lanman auth = no
   ntlm auth = no
   client lanman auth = no
   client ntlmv2 auth = yes

Try not to sacrifice server configs for old clients.
Try this and report back. 


Greetz, 

Louis



 

> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@lists.alioth.d
> ebian.org] Namens richman1...@gmail.com
> Verzonden: dinsdag 27 juni 2017 12:02
> Aan: Mathieu Parent; 721...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#721514: Bug#721514: winbind: 
> Winbind authentication also broken after upgrade from from 
> Jessie to Stretch
> 
> Hi!
> 
> Then I've created new server to check if it is working with 
> domain without out of box.
> The following command worked properly:  "kinit" ; "wbinfo -u 
> ";"wbinfo -g".
> But "getent passwd", "getent group" return only local data.
> And I cannot open shared folder from windows machines using 
> AD credentials.
> 
> Testing config and log files it attachment.
> Thank you!
> 
> On 27.06.2017 15:40, Mathieu Parent wrote:
> > Hello,
> >
> > Have you more info? The package split was in jessie, there 
> is no such 
> > thing in stretch.
> >
> > Regards
> >
> > Mathieu Parent
> 
> ___
> Pkg-samba-maint mailing list
> pkg-samba-ma...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-sa
> mba-maint
> 

Bug#600116: samba: debconf integration for AD DC setup or upgrade

[L . P . H . van Belle]

Hai, 
 
This is an old bug report, but the subject says it all. 
 
Due to the may configuration changes in smb.conf now and comming its really 
suggested to make an upgrade patch for samba.
 
for example now. 
 
samba => upgrade => fails due to failty smb.conf, error dpkg .. etc., now this 
looks like packaging errors, but its not. 
 
I would suggest, 
samba => upgrade( start with replace/use other smb.conf for a correct one), 
upgrade, ( place smb.conf back  => now upgrading never fails. 

but now samba/winbind fails to start do to failty smb.conf. 
 
so i would suggest, if samba/winbind fails to start point users to ( as of 
samba 4.6.x , running samba-tool testparm ) 
this at least check idmappings settings. 
 
All samba upgrades to 4.5.x must check and correct smb.conf. 
After checking/correcting smb.conf run : net cache flush
 
Few of the things i encountered. 
 
Greetz, 
 
Louis
 
 
 
 
 

 

Bug#862793: samba: Upgrade to 2:4.5+ breaks win7 support

[L . P . H . van Belle]

Hai, 
 
Please provide smb.conf
 
and if you have in smb.conf : 
security = share

Change that to : 
security = user 
map to guest = Bad User 

(security = share is remove in samba some time ago. ) 
 
This is not a bug, but a configuration error in smb.conf 
 
 
Greetz, 
 
Louis
 

Bug#727560: samba: Overwrite /etc/samba/smb.conf without warnings

[L . P . H . van Belle]

Hai, 
 
Since its over 2 year the summitter replied and after the last question of 
jelmer he did not reply. 
 
This is not seen anymore as of samba 4.1 on debian, where is fixe i cant 
recall, but its not seen as of 4.1.17 and up to 4.6.5 
 
I suggest, close bug.
 
Greetz, 
 
Louis
 
 
 

Bug#859526: samba: unable to install/run samba package in IPv6 only host.

[L . P . H . van Belle]

oeps. 
Differences in IPv6 Windows Networks
  IPv4 IPv6   ( switched the ipv4/6 ) sorry. 

NBT/NetBIOS Yes  No 
WINS Yes  No 
NT Domains    Yes  No 
 
 
Greetz, 
 
Louis
 


Van: L.P.H. van Belle [mailto:be...@bazuin.nl] 
Verzonden: dinsdag 27 juni 2017 11:46
Aan: '859...@bugs.debian.org'
Onderwerp: RE: samba: unable to install/run samba package in IPv6 only host.



Hai, 
 
Please think also about the following: 
Differences in IPv6 Windows Networks
  IPv6 IPv4 
NBT/NetBIOS Yes  No 
WINS Yes  No 
NT Domains    Yes  No 
 
And please provide smb.conf before we start investigate. 
 
This is mainly because is see:
dpkg: error processing package samba (--configure):
 
Which main cause is a failty smb.conf.
 
A good read is this thread : 
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode... 
http://lists-archives.com/samba/threads.html#106047
 
@Mathieu  
main solution is to "prevent" failures on upgrade due to failty smb.conf in the 
upgrade path. 
A suggestion can be, use a temp smb.conf with correct settings for the apt-get 
upgrade.
other suggestion but much more complex, test smb.conf for failty settting, and 
stop upgrade before it started witha message about the smb.conf. 
 
 
but without smb.conf we can not fix/check this. 
 
 
Greetz, 
 
Louis
 
 

Bug#721514: [Pkg-samba-maint] Bug#721514: Bug#721514: winbind: Winbind authentication also broken after upgrade from from Jessie to Stretch

[L . P . H . van Belle]

@Richman 

Please tell if this asumption is correct. 
You encounterd a error while upgrading jessie stretch with winbind. 
You forced an install of winbind ( dpkg -i .. .deb) , and resulted in this 
error? 

We really need smb.conf to check this out. 
( and provide /etc/nsswitch.conf ) 


Greetz, 

Louis

Bug#859526: samba: unable to install/run samba package in IPv6 only host.

[L . P . H . van Belle]

Hai, 
 
Please think also about the following: 
Differences in IPv6 Windows Networks
  IPv6 IPv4 
NBT/NetBIOS Yes  No 
WINS Yes  No 
NT Domains    Yes  No 
 
And please provide smb.conf before we start investigate. 
 
This is mainly because is see:
dpkg: error processing package samba (--configure):
 
Which main cause is a failty smb.conf.
 
A good read is this thread : 
[Samba] Upgrading samba from jessie (4.2) to stretch (4.5) in AD mode... 
http://lists-archives.com/samba/threads.html#106047
 
@Mathieu  
main solution is to "prevent" failures on upgrade due to failty smb.conf in the 
upgrade path. 
A suggestion can be, use a temp smb.conf with correct settings for the apt-get 
upgrade.
other suggestion but much more complex, test smb.conf for failty settting, and 
stop upgrade before it started witha message about the smb.conf. 
 
 
but without smb.conf we can not fix/check this. 
 
 
Greetz, 
 
Louis
 
 

Bug#833657: Samba: Segmentation fault with /usr/sbin/nmbd and smbpasswd, related to libnettle.so.4.7

[L . P . H . van Belle]

Hai, 
 
With out smb.conf we can not determin if this is a samba bug or a config error. 
 
Please provide the smb.conf  or tell if we can close this report. 
 
i've only seen this "libnettle" message with a failty configuration (smb.conf) 
or with a mismatch in packages depends. 
Samba 4.4.5 isnt in debian anymore, so i suggest, close if smb.conf is not 
proviced. 
 
 
Greetz, 
 
Louis
 
 

Bug#837679: samba: Start fails for Samba as 'active directory domain controller'

[L . P . H . van Belle]

With any setup of samba, or  the newer samba is (version wize ) 
The harder.. you may not have config errors! 
 
2 x : 
 dns forwarder = 141.51.x.x
 dns forwarder = 141.51.x.x

wins support = yes 
should not be on a DC, because a DC is not running NMBD. 
 
same for remote announce. 
 
server services = +web
man smb.conf does not show +web anymore. 
 
password sync = yes, should not be in smb.conf on an AD DC. 
 
 
IMO, 
not a bug, but config errors in smb.conf resulting in a not starting samba.
 
 
Greetz, 
 
Louis
 

Bug#855918: [Pkg-samba-maint] Bug#855918: samba: connection refused after reboot, fixable by systemctl restart smbd

[L . P . H . van Belle]

Hai, 
 
This bug is related to these to settings. 
 
    bind interfaces only = Yes  
   
    interfaces = lo eth0
 
As tested by the user, remove these, and you done have start problems. 
 
The other fix is : 
 
    bind interfaces only = Yes  
   
    interfaces = 127.0.0.1 YOUR_IP_HERE
 
Related to systemd startup, maybe, but ive seen this as of samba 3.6.x  4.1.x  
4.5.8  ( on debian, not tested on ubuntu ) 
I've not tested 4.6.5 packages from unstable on this yet.
 
imo, its related to the "network interface resolving" and/or startup of debian, 
not samba itself.
but i've never found they why and where.
I hops this helps you guys. 
 
 
 
Greetz, 
 
Louis
 
 
    

Bug#736953: Debian Jessie domain controller & domain member, winbind not working correctly

[L . P . H . van Belle]

IMHO, yes close, not a bug.

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: Mathieu Parent [mailto:math.par...@gmail.com] 
> Verzonden: dinsdag 27 juni 2017 10:32
> Aan: L.P.H. van Belle; 736...@bugs.debian.org
> Onderwerp: Re: Bug#736953: Debian Jessie domain controller & 
> domain member, winbind not working correctly
> 
> 2017-06-21 9:36 GMT+02:00 L.P.H. van Belle :
> [...]
> > In my opinion errors in config and not in samba.
> 
> Should we close this bug then?
> 
> Regards
> --
> Mathieu Parent
> 
> 

Bug#736953: Debian Jessie domain controller & domain member, winbind not working correctly

[L . P . H . van Belle]

Hai, 
 
this is an older report but i'll update this. 
 
Must whats in the report is correct but not all. .
 
 
the line :  passdb backend = samba4
should not be in the smb.conf 
 
this is ok on a AD DC.
 
root@pdc:~# wbinfo -u | grep Administrator
Administrator
root@pdc:~# id Administrator
uid=0(root) gid=100(users) groups=0(root),100(users),304(EXAMPLE\Group

 
for the member: 
 winbind uid = 1-2
 winbind gid = 1-2
should not be in smb.conf
 
 
 
Kerberos keytab is generated with (samba-tool gives segfault):
net rpc vampire keytab /etc/krb5.keytab -I[pdc_ip] -UAdministrator%passwd

The join is normaly done on the members with : net ads
(newer version as of 4.5.x can use samba-tool ) 
 
 
wbinfo -u | grep Administrator
Administrator

*THEN* Winbind is working (see previous step), but id or getent (or other
resolving stuff) aren't:
root@workstation:~# id Administrator
id: Administrator: no such user
root@workstation:~# getent passwd Administrator
[nothing]

This is correct on a member server you done see UID=0 for Administrator. 
 
and you NEVER assing uid=0 to Administrator. 
you need to define username map = /etc/samba/samba_usermapping
with content: !root = NTDOM\Administrator NTDOM\administrator
and setup your SePrivileges for "Domain Admins"  
 
In my opinion errors in config and not in samba. 
 
 
Thanks,
 
Louis
 

 

Bug#742177: [Pkg-samba-maint] Bug#742177: samba_backup missed in samba packages

[L . P . H . van Belle]

Yes, please do include the samba_backup script in the debian builds. 
Its mature, im using a modified version, and its good to have it included. 
It would be very nice to have it  in 4.6.5 
 
 
Thanks! 
 
Louis
 
 
 
 

Bug#865406: DNS Root servers outdated ( patch included)

[L . P . H . van Belle]

Package: samba
Version : 2:4.6.5+dfsg-2
 
hai, 
 
During provisioning of a samba ADDC old root servers are used. 
The following patch was picked up from samba technical.
 
 
From 6d0f09930884d13952f922e96c46f5c2c34aec4a Mon Sep 17 00:00:00 2001
From: Amitay Isaacs 
Date: Thu, 8 Jun 2017 22:59:56 +1000
Subject: [PATCH] provision: Update root DNS servers list
 
Signed-off-by: Amitay Isaacs 
---
 python/samba/provision/sambadns.py | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)
 
diff --git a/python/samba/provision/sambadns.py 
b/python/samba/provision/sambadns.py
index 2c69dd4..961f37e 100644
--- a/python/samba/provision/sambadns.py
+++ b/python/samba/provision/sambadns.py
@@ -317,15 +317,16 @@ def add_dns_container(samdb, domaindn, prefix, 
domain_sid, dnsadmins_sid, forest
 
 
 def add_rootservers(samdb, domaindn, prefix):
+    # https://www.internic.net/zones/named.root
 rootservers = {}
 rootservers["a.root-servers.net"] = "198.41.0.4"
 rootservers["b.root-servers.net"] = "192.228.79.201"
 rootservers["c.root-servers.net"] = "192.33.4.12"
-    rootservers["d.root-servers.net"] = "128.8.10.90"
+    rootservers["d.root-servers.net"] = "199.7.91.13"
 rootservers["e.root-servers.net"] = "192.203.230.10"
 rootservers["f.root-servers.net"] = "192.5.5.241"
 rootservers["g.root-servers.net"] = "192.112.36.4"
-    rootservers["h.root-servers.net"] = "128.63.2.53"
+    rootservers["h.root-servers.net"] = "198.97.190.53"
 rootservers["i.root-servers.net"] = "192.36.148.17"
 rootservers["j.root-servers.net"] = "192.58.128.30"
 rootservers["k.root-servers.net"] = "193.0.14.129"
@@ -334,10 +335,17 @@ def add_rootservers(samdb, domaindn, prefix):
 
 rootservers_v6 = {}
 rootservers_v6["a.root-servers.net"] = "2001:503:ba3e::2:30"
+    rootservers_v6["b.root-servers.net"] = "2001:500:84::b"
+    rootservers_v6["c.root-servers.net"] = "2001:500:2::c"
+    rootservers_v6["d.root-servers.net"] = "2001:500:2d::d"
+    rootservers_v6["e.root-servers.net"] = "2001:500:a8::e"
 rootservers_v6["f.root-servers.net"] = "2001:500:2f::f"
-    rootservers_v6["h.root-servers.net"] = "2001:500:1::803f:235"
+    rootservers_v6["g.root-servers.net"] = "2001:500:12::d0d"
+    rootservers_v6["h.root-servers.net"] = "2001:500:1::53"
+    rootservers_v6["i.root-servers.net"] = "2001:7fe::53"
 rootservers_v6["j.root-servers.net"] = "2001:503:c27::2:30"
 rootservers_v6["k.root-servers.net"] = "2001:7fd::1"
+    rootservers_v6["l.root-servers.net"] = "2001:500:9f::42"
 rootservers_v6["m.root-servers.net"] = "2001:dc3::35"
 
 container_dn = "DC=RootDNSServers,CN=MicrosoftDNS,%s,%s" % (prefix, 
domaindn)
-- 
2.9.4
 
 
 
 

Bug#862580: [Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.

[L . P . H . van Belle]

Cleanup the mail a bit, so its more readable.

> 
> Hello Louis,
> 
> > 1) $ cat /etc/hosts
> >> 127.0.0.1  localhost
> >You did setup with DHCP, so you remove 127.0.1.1 sambawb, is 
> possible, 
> >but better is.
> This is because
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> tells: "On debian related systems you wil see 127.0.1.1 
> hostname also in /etc/hosts remove it before you install samba."
> 
> >172.16.0.209 sambawb.work.company sambawb
> I had it in /etc/hosts before and removed it following wiki.samba.org.
> I will put it back.
Yes, the wiki show a few other things then whats i.m.o. preffered for a good 
samba setup. 
With the hostname correct defince, you rely less for that server on dns and is 
safer this way.
So every server has the correct ip's base on hostnames even when there is no 
network. 
Its not incorrect but this way you are avoiding more (possible) problems.

> 
> > ( recommended turn of dhcp, use static ips for the servers )
> I will think about it.
> But just to be clear: what exactly do you mean with 'server'? 
> My debian machines are only 'domain members' and are not 
> providing any shares or printers to the network. I think 
> 'server' is samba terminology meaning that it is providing 
> services e.g. to PAM on the local machine. Right?
With the server i did mean the member server itself. 
This is not incorrect but again, to avoid problems set it to static ip, or 
Lock the ip's by mac adres in the dhcp pool. 

> 
No comment on the remove part all ok.


> 
> Okay, I think that is the point:
> When it fails I see:
> Jun 10 22:21:50 COMPUTERXY sshd[3207]: Invalid user domainuser from
> 172.16.0.235
> Jun 10 22:21:50 COMPUTERXY sshd[3207]: 
> input_userauth_request: invalid user domainuser [preauth] Jun 
> 10 22:21:52 COMPUTERXY sshd[3207]: pam_krb5(sshd:auth):
> authentication failure; logname=domainuser uid=0 euid=0 
> tty=ssh ruser= rhost=computer.work.company
> 
> and on success it is (same machine, same user, just some time 
> later, e.g. after a local user logged in):
> Jun 10 23:23:22 COMPUTERXY sshd[9459]: pam_krb5(sshd:auth): 
> user domainuser authenticated as domainuser@WORK.COMPANY Jun 
> 10 23:23:22 COMPUTERXY pam-script[9459]: can not stat 
> /usr/share/libpam-script/pam_script_acct
> Jun 10 23:23:22 COMPUTERXY sshd[9459]: Accepted password for 
> domainuser from 172.16.0.1 port 43841 ssh2
> 
> I will have a look at it with changed username mapping.
Ok, for this, you could test also without that script since it errors also 

> Jun 10 23:23:22 COMPUTERXY pam-script[9459]: can not stat 
> /usr/share/libpam-script/pam_script_acct


> 
> 
> > Now where did it go wrong. You have a few options to check. 
> > First, check the time sync on the DC's and the member servers. 
> > A common problem with login problems. Check this first. 
> # net ads info -P
> LDAP server: 172.16.0.2
> LDAP server name: ADDC.WORK.company
> Realm: WORK.COMPANY
> Bind Path: dc=WORK,dc=COMPANY
> LDAP port: 389
> Server time: Sa, 10 Jun 2017 23:37:11 CEST KDC server: 
> 172.16.0.2 Server time offset: 0

Login on the DC's and members
Start with a DC, run : ntpdate Your.timeserer
Now do the members : ntpdate your.DOMAINCONTROLLER. 

> 
> # grep server /etc/ntp.conf
> server 172.16.0.2 iburst
Again for a AD DC, point to a close (or stratum 1) ntp server for a stable time 
source.
For the members, point to you DC's. 
If you have more DC, just put them in there.

> 
> # grep GSS /etc/ssh/sshd_config
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
> 
> I will change it to:
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> 
> > And if you use groups member checks in sshd_conf, test if all these
> groups have GID. 
> # grep -i group /etc/ssh/sshd_config
> 
Ok so no group restrictions in sshd_config, possible yet. 

Test also with,
getent passwd username
getent passwd "Group Name"
id username 
wbinfo -u 
wbinfo -g


> 
> 
> >> I also noticed that in this cases 'wbinfo -u' or 'kinit 
> domainuser' 
> >> succeeds, but 'getent passwd' only shows local users.
> >> And yes, libpam-winbind and libnss-winbind are installed and 
> >> nsswitch.conf has 'passwd: compat winbind'
> > Yes, this is confusing..  ;-)
> > wbinfo -u shows all you users. 
> >getent passwd not, but `getent passwd username`, should show your user. 

> No, it isn't. 'getent passwd' shows domainusers, too, but I 
> tested 'getent passwd domainuser' as well:
> I'm logged in as root and testing 'getent passwd' or 'getent 
> passwd domainuser'.
> When 'getent passwd' (or 'getent passwd domainuser') shows 
> 'domainuser'
> then I can log in as domainuser, too.
> When 'getent passwd' (or 'getent passwd domainuser') does not 
> show 'domainuser' then I can't log in as domainuser.


> When 'getent passwd' (or 'getent passwd domainuser') shows 
> 'domainuser'
> then I can log in as domainuser, too.
^so if you user has an UID you can login, if not not, thats totaly correct. 


A 

Bug#862580: [Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.

[L . P . H . van Belle]

Hai, Christian, 

This looks good, but few small things. Lots of tekst, but i tried to make it as 
clear as possible.

1) 
> $ cat /etc/hosts
> 127.0.0.1 localhost
You did setup with DHCP, so you remove 127.0.1.1 sambawb, is possible, but 
better is. 
127.0.0.1   localhost
172.16.0.209sambawb.work.company sambawb

Be very consistant with this on every server and/or turn of dhcp. 
( recommended turn of dhcp, use static ips for the servers )

2)
Setup and enable the username map.
username map = /etc/samba/samba_usermapping
( needs content : !root = WORK\Administrator WORK\administrator )

Now here its interresting, this tell me something.

Jun 07 21:33:18 sambawb sshd[502]: pam_krb5(sshd:auth): authentication failure; 
logname=domainuser uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.1 
^^ correctly rejected, uid < 1000 (  pam_krb5.so minimum_uid=1000 )

Jun 07 21:33:18 sambawb sshd[502]: pam_unix(sshd:auth): authentication failure; 
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.16.0.1 user=domainuser 
^^ Guessing, also correctly rejected, if you did not give root a password at 
install or your sshd_config has : PermitRootLogin no (or without-password)

Most interresting part.
Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): getting password 
(0x0388) 
Jun 07 21:33:18 sambawb sshd[502]: pam_winbind(sshd:auth): pam_get_item 
returned a password 
Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): request wbcLogonUser 
failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), 
NTSTATUS_LOGON_FAILURE, Error message was: Logon failure 
Jun 07 21:33:19 sambawb sshd[502]: pam_winbind(sshd:auth): user 'domainuser' 
denied access (incorrect password or invalid membership) 
Jun 07 21:33:20 sambawb sshd[502]: Failed password for invalid user domainuser 
from 172.16.0.1 port 54474 ssh2

Are you are loggin in as user "root" (id=0) or as "Administrator" here? 
Or you created a users and assigned id 0, in all cases, this is in my opinion 
wrong to do.

I recommend not enabling root logins on ssh, but thats your choice.

You can not, never ever, assign user Administrator an uid, especialy user 
Adminsitrator. 
Uid 0 = root and only root, now this is why you need the username mapping.

Pam setup should be good, if you did not changed anything after pam-auth-update

But if you need logins as root, maybe need to change the minimum_uid.
Above log is correct. Uid 0 (that users trying, is correctly rejected. 
(pam_krb5(sshd:auth): authentication failure; logname=domainuser uid=0) 
Now remember,  pam_krb5.so minimum_uid=1000   


So, beside the few small things, this is all correct. 

Now where did it go wrong. You have a few options to check. 
First, check the time sync on the DC's and the member servers. 
A common problem with login problems. Check this first. 

NTP TIP: 
If the DC's are using the default time servers, lLike : server 
0.debian.pool.ntp.org iburst 
Then this can be a problem. Change all the DC's time servers to a close time 
server.
I look them up here : 
http://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
Take a close one in you country. If if you isp has one use that one.

Next, 
In you sshd_config, enable these 2 of not done. You should preffer kerberos 
auth where is possible.
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

And if you use groups member checks in sshd_conf, test if all these groups have 
GID. 
Then you can mix local unix groups and windows groups, like : AllowGroups 
unix-ssh windows-ssh
( getent group "the_windows group" )


To be sure, run : net cache flush
And reboot the member server, and login. ( with a user with uid 1000+ ) 
But your using RID backend so that should be handled.

> > # setup the SePrivileges then reboot the server. 
> I tried to but I didn't really understand. So I think for my  problem its not 
> neccessary.
Correct, for you problem not needed, but you need it to setup shares and set 
rights.
To understand that better, read : 
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege
 


> I also noticed that in this cases 'wbinfo -u' or 'kinit 
> domainuser' succeeds, but 'getent passwd' only shows local users.
> And yes, libpam-winbind and libnss-winbind are installed and 
> nsswitch.conf has 'passwd: compat winbind'
Yes, this is confusing..  ;-) 
wbinfo -u shows all you users. 
getent passwd not, but `getent passwd username`, should show your user. 
Same for getent group.

>From smb.conf, does this path exist. 
/home/%D/%U   ( /home/WORK/username )
If not configure pam mk_homedir in pam or share the users over nfs/cifs etc. 
( ps. Even with the homedir you should be able to login ) 

Now lots of info, but try again and let me know the result. 


Greetz, 

Louis



> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@lists.alioth.d
> ebian.org] Namens Christian Meyer

Bug#862580: [Pkg-samba-maint] Bug#862580: Bug #862580: Winbind crashes on ssh login of a domain user.

[L . P . H . van Belle]

Hai, 

Ok, you used the "wrong" info for configuring smb.conf.
Mail got longer then expected, but read through it. 
Run samba-tool testparm ( not testparm , these results can differ. )

The debian wiki is a bit out detect when it comes to samba 4.x.
A quick test with 4.5.9 is possible, i can share my packages if needed, 
but for what i read, this is not your problem. 
Im running the same on jessie en i dont see this beheavor.

I suggest, you have a look at this link after you did read this completely 
first.
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Now below is a samba member setup, a basic one. I left out the shares setup, 
but added usefull tips on the setup on debian systems. 

Review your setup base on this.
I suggest start here, this is setup is very well tested. 

Setup jessie: 
# Choose expert install, and at taskselect choose only ssh server. ( optional 
and the standard package, but i setup really minimal ) 
# install WITH static ip from the start, ( best ) or install with dhcp ip and 
change /etc/hosts /etc/resolv.conf /etc/network/interfaces.

# Check all these. 
hostname -s 
hostname -d 
hostname -f 
hostname -i

# install samba winbind and needed extras. 
apt-get install samba smbclient samba-dsdb-modules samba-vfs-modules winbind 
libpam-winbind libnss-winbind krb5-user ntp bind9-host libpam-krb5

When questions come, fill in :
# AD DC ipnumbers at ntp questions 
# krb5-user fill in your REALM in CAPS.  ! CAPS YES ! 
# keep all other defaults.

# stop samba en winbind
systemctl stop samba
systemctl stop winbind

# Change your /etc/nsswitch.conf
cp /etc/nsswitch.conf{,.backup}
sed -i 's]passwd: compat]passwd: compat winbind]g' 
/etc/nsswitch.conf
sed -i 's]group:  compat]group:  compat winbind]g' 
/etc/nsswitch.conf


now if you didnt change anything else, you should be ready.. ;-) , yes ready. 
Test:  kinit administrator
( should respond with administrator@REALM and login )  

Setup a "correct smb.conf" like this one. 
This is how i would have exected to how your smb.conf would/should look like. 
I'll add some comment to it. 
## -- START AD MEMBER SMB.CONF - ## 
workgroup = WORK
security = ADS
realm = WORK.COMPANY
   # The netbiosname if empty/not in config, this will use the server hostname.
netbios name = SERVERNAME

   # only one server should be the master browser. 
   # ( ! Samba AD cannot be master browserver, never, no nmbd that starts ) 
preferred master = no
domain master = no
host msdfs = no
   # speeds up name resolving, (WINS), through dns.
dns proxy = yes

   # I preffer to define the ip. 
   # and if you use bind interfaces, also define the interfaces. 
bind interfaces only = yes
interfaces = IP_OR_ETH 127.0.0.1

   # I've added these, mustly same as the defaults, but this explains things 
for others 
   # if they have auth problems. 
   # mandatory will still require SMB2 clients to use signing
server signing = mandatory

   #  if ntlm and lanman auth are both disabled, then only NTLMv2 logins will 
be permited
ntlm auth = no
lanman auth = no

   # Add and Update TLS Key, change/update these to your windows 2008R2 domain. 
   # ( read: 
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ ) 
   # and setup your keys correctly, the depends on you u use this server. 
   # ! SSO with proxy (kerberos auth), the ROOT CA of you DC should be in this 
config file defined.
   # I deployed my own CA Root for this. 


###--# this part, id ranges may not overlap. 
###  id setup shown is samba default. 
   # These match samba AD preffered settings, you can play with these but 2 
tings. 
   # 1) try to keep the "*" to local/other domain below . 
## map id's outside to domain to tdb files.
idmap config *: backend = tdb
idmap config *: range = 2000-

  # https://wiki.samba.org/index.php/Idmap_config_rid
  # idmap config for the WORK domain.
idmap config WORK : backend = rid
idmap config WORK : range = 1-99
###--#

# Template settings for login shell and home directory (RID backend) 
winbind nss info = template
template shell = /bin/bash
template homedir = /home/%U

kerberos method = secrets and keytab
dedicated keytab file = /etc/krb5.keytab

# renew the kerberos ticket
winbind refresh tickets = yes

winbind trusted domains only = no
# use default domain, preffered no. 
# wbinfo -u shows (default domain no) : NTODOM\username
# wbinfo -u shows (default domain yes) : username
winbind use default domain = no

# If you dont need uid/gid of groups set to no, speeds up samba. 
# if you login local the server, you may need it, depends on use of server.
winbind enum users  = yes
winbind enum groups = yes

# Enable offline logins, if needed. 
winbind offline logon = yes

# If winbind offline logon is set to Yes, then only 

Bug#849921: Info received ([pkg-samba-maint] Bug#849921: problem with locking in samba 4.2.14)

[L . P . H . van Belle]

And i was searching for this one. 

http://samba.2283325.n4.nabble.com/strange-problem-foxpro-run-exe-on-win-10-td4716299.html
 

Where its solved with in smb.conf : server max protocol = NT1 
And reported that it fixed in 4.5.8. 

If i recall good, this bug impacts 3 ways. 
1) windows clients . ( which need : server max protocol = NT1 ) 
2) recent kernel changes (cifs) and oplocking but can recall the subject on 
this.
3) samba changes due to badlock, and some regressions. 

I which i could help more but this one and last mail should help you guys in 
the right direction.


Best regards, 

Louis



> -Oorspronkelijk bericht-
> Van: ow...@bugs.debian.org [mailto:ow...@bugs.debian.org] 
> Verzonden: vrijdag 19 mei 2017 14:21
> Aan: L.P.H. van Belle
> Onderwerp: Bug#849921: Info received ([pkg-samba-maint] 
> Bug#849921: problem with locking in samba 4.2.14)
> 
> Thank you for the additional information you have supplied 
> regarding this Bug report.
> 
> This is an automatically generated reply to let you know your 
> message has been received.
> 
> Your message is being forwarded to the package maintainers 
> and other interested parties for their attention; they will 
> reply in due course.
> 
> Your message has been sent to the package maintainer(s):
>  Debian Samba Maintainers 
> 
> If you wish to submit further information on this problem, 
> please send it to 849...@bugs.debian.org.
> 
> Please do not send mail to ow...@bugs.debian.org unless you 
> wish to report a problem with the Bug-tracking system.
> 
> --
> 849921: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849921
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
> 
> 

Bug#849921: [pkg-samba-maint] Bug#849921: problem with locking in samba 4.2.14

[L . P . H . van Belle]

To the bug reporter, can you test the following. 
 
1) test again, but without the vfs objects = full_audit.  
There are some known bugs in the vfs objects, i can find the exact one but try 
it please.
Does that help?  if not, step 2. ( ! again please test without  the 
vfs_full_audit. ) 
(based on https://bugzilla.samba.org/show_bug.cgi?id=4 )
 
2) 
open the file with the unc path \\servername\share\... etc.. 
and try again with \\ipnumber\share\... etc. 
optional test: 
you can use "net use driveletter..  \\servername\share  
and "net use driveletter..  \\IPnumber\share  
 
based on : https://bugzilla.samba.org/show_bug.cgi?id=8722#c8 
but current bugreport does not tell which windows version is used. 
 
3) ms did make some changes also, but this is over my head. 
So have a look at what they write at libreoffice about a similar locking 
problem. 
https://bugs.documentfoundation.org/show_bug.cgi?id=67534 
 
@mattie
last, i found these bug fixes in 4.3 which are locking related, but again, a 
developer should read that.
https://bugzilla.samba.org/show_bug.cgi?id=12139
https://bugzilla.samba.org/show_bug.cgi?id=11400
https://bugzilla.samba.org/show_bug.cgi?id=11549
 
I found a port of samba and for recital and  foxpro, 
https://www.recitalsoftware.com/blogs/205-howto-configure-samba-for-recital-and-foxpro
 
 
and very last, you can try i narrow down the problem and test with some windows 
paramter changes. 
read :   
https://support.microsoft.com/en-us/help/296264/configuring-opportunistic-locking-in-windows
 
I hope this helps a bit in finding the source problem. 
 
 
Greetz, 
 
Louis
 

Bug#862580: [Pkg-samba-maint] Bug#862580: Winbind crashes on ssh login of a domain user.

[L . P . H . van Belle]

Which samba version was this?  

Im running 4.5.8 (rebuild from stretch) never seen this. 

Can you post your full smb.conf? Yours is incorrect/incomplet 
And is this a member server or AD DC? 
Because looks to me this is a misconfiguation of samba. 

These are fixed in latest samba 4.5.9.  ( already fixed in the 4.6.x tree) 
   * BUG 12725: winbindd: Fix password policy for pam authentication
   * BUG 12747: Wrong use of getgroups causes buffer overflow.
   * BUG 12727: Lookup-domain for well-known SIDs on a DC.
   * BUG 12728: winbindd: Fix error handling in rpc_lookup_sids().
   * BUG 12757: idmap_rfc2307: Fix lookup of more than two SIDs.
   * BUG 12725: pam_winbind: no longer use wbcUserPasswordPolicyInfo when
 authenticating.

I suspect you did hit samba bug 12747, due to misconfiguration of smb.conf

This is incomplete. 
>idmap config * : backend = tdb
>idmap config * : range = 11000-2
>winbind enum groups = yes
>winbind enum users = yes
>winbind use default domain = yes
>winbind refresh tickets = yes

Samba 4.6.x wil detect these "configuration mistakes". 
Anyhow, samba 4.6.x has more then 100 winbind fixes. 

Debian should really move to 4.6 that wil help a lot in bug reports that are no 
bugs, but configuration problems.
>From the samba change logs: 
>https://www.samba.org/samba/history/samba-4.6.0.html 
ID Mapping
--
We discovered that the majority of users have an invalid or incorrect
ID mapping configuration. We implemented checks in the 'testparm' tool to
validate the ID mapping configuration. You should run it and check if it prints
any warnings or errors after upgrading! If it does you should fix them. See the
'IDENTITY MAPPING CONSIDERATIONS' section in the smb.conf manpage.
There are some ID mapping backends which are not allowed to be used for the
default backend. Winbind will no longer start if an invalid backend is
configured as the default backend.

To avoid problems in future we advise all users to run 'testparm' after
changing the smb.conf file!



Greetz, 

Louis




> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint 
> [mailto:pkg-samba-maint-bounces+belle=bazuin.nl@lists.alioth.d
ebian.org] Namens Christian Meyer
> Verzonden: donderdag 18 mei 2017 23:32
> Aan: 862...@bugs.debian.org
> Onderwerp: [Pkg-samba-maint] Bug#862580: Winbind crashes on 
> ssh login of a domain user.
> 
> Okay, since it's a winbind bug, some more winbind related information:
> This is a reproducible bug and a regression from jessie to stretch.
> Please fix it before the release of stretch.
> 
> As a "workaround": After login as a local user you can 
> successfull login as a domain user for some time. When you 
> wait too long winbind crashes again on login.
> 
> I'm using
>idmap config * : backend = tdb
>idmap config * : range = 11000-2
>winbind enum groups = yes
>winbind enum users = yes
>winbind use default domain = yes
>winbind refresh tickets = yes
> 
> and my "log level = 2 winbind:3" log reports a 
> winbindd_sig_term for a failed ssh-login.
> The log says:
> 
> [2017/05/18 10:22:54.102583,
> 3] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> [2017/05/18 10:22:54.102670,
> 3] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> [2017/05/18 10:22:54.102796,
> 3] 
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> [2017/05/18 10:22:54.243679,
> 3] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> [2017/05/18 10:22:54.243765,
> 3] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> [2017/05/18 10:22:54.243851,
> 3] 
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> [2017/05/18 10:22:54.288895,
> 3] ../source3/winbindd/winbindd_misc.c:396(winbindd_interface_version)
> [2017/05/18 10:22:54.289037,
> 3] ../source3/winbindd/winbindd_misc.c:429(winbindd_priv_pipe_dir)
> [2017/05/18 10:22:54.289157,
> 3] 
> ../source3/winbindd/winbindd_getgroups.c:60(winbindd_getgroups_send)
> [2017/05/18 10:22:54.365699,
> 0] ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
> [2017/05/18 13:22:54.031839,
> 0] ../source3/winbindd/winbindd.c:279(winbindd_sig_term_handler)
> [2017/05/18 13:22:54.090085,
> 2] ../source3/param/loadparm.c:314(max_open_files)
> [2017/05/18 13:22:54.090436,
> 2] ../source3/lib/interface.c:345(add_interface)
> [2017/05/18 13:22:54.090511,
> 2] ../source3/lib/interface.c:345(add_interface)
> [2017/05/18 13:22:54.093370,
> 0] 
> ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
> [2017/05/18 13:22:54.096237,
> 2] 
> ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
> [2017/05/18 13:22:54.096281,
> 2] 
> ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
> [2017/05/18 13:22:54.096374,
> 2] 
> ../source3/winbindd/winbindd_util.c:288(add_trusted_domain_from_tdc)
> [2017/05/18 13:22:54.096426,
> 2] ../source3/lib/tallocmsg.c:56(register_msg_pool_usage)

Bug#860024: apache2-bin: jessie-backports available

[L . P . H . van Belle]

Is reply to 

> Thank you for the notice, that is because the debian/control is wrong,
> it does not declare such dependency:
> 
>    apache/apache2.git/tree/debian/control?h=debian/2.4.25-
> 3=4f79d48a8a5458eb0186a5a992c73a0699924900#n8>
> 
>   Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>=
> 1.16.1~),
>libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev,
> zlib1g-dev,
>libnghttp2-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl,
>liblua5.2-dev, libxml2-dev, autotools-dev, gawk | awk,
>dh-systemd
> 
Hmm, strange yes the stretch package it does. 
https://packages.debian.org/stretch/apache2-bin 
dep: libssl1.0.2 (>= 1.0.2d)


Greetz, 

Louis

Bug#860024: apache2-bin: jessie-backports available

[L . P . H . van Belle]

Hi Luca, 

Yes, sorry about that, i'll post to the bug report. 
> You mean, Apache or OpenSSL?

I've had a 2.4.18 apache2 with http2 ( and ssl 1.0.2f) , fully tested. 

You need to compile apache with openssl 1.0.2f+ libs. 
So get the debian stretch openssl source, compile that, install the needed 
packages and then apache. 


Best regards, 

Louis van Belle
GPG KeyID: EB7A89CF


> -Oorspronkelijk bericht-
> Van: Luca Capello [mailto:luca.cape...@infomaniak.com]
> Verzonden: dinsdag 11 april 2017 10:59
> Aan: L.P.H. van Belle
> Onderwerp: Re: Bug#860024: apache2-bin: jessie-backports available
> 
> Hi Louis,
> 
> On Mon, 10 Apr 2017 14:57:19 +0200, L.P.H. van Belle wrote:
> > You missed the update of ssl to 1.0.2f.
> >
> > > ii  libssl1.0.0  1.0.1t-1+deb8u6
> >
> > You need minimal 1.0.2f+ for ALPN to work and now the option:
> SSLOpenSSLConfCmd  wont work.
> 
> Thank you for the notice, that is because the debian/control is wrong,
> it does not declare such dependency:
> 
>    apache/apache2.git/tree/debian/control?h=debian/2.4.25-
> 3=4f79d48a8a5458eb0186a5a992c73a0699924900#n8>
> 
>   Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>=
> 1.16.1~),
>libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev,
> zlib1g-dev,
>libnghttp2-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl,
>liblua5.2-dev, libxml2-dev, autotools-dev, gawk | awk,
>dh-systemd
> 
> Would you mind posting the same to the BTS, so we can continue in
> public?
> 
> > At least thats the last i know, i did this with 2.4.18 already.
> > But nobody wanted the upload to BPO.
> 
> You mean, Apache or OpenSSL?
> 
> I would like to avoid to keep backports "hidden", the more we use them
> the more we are sure they work correctly.
> 
> Best,
> Luca
> 
> --
> Luca Capello
> Administrateur GNU/Linux
> 
> Infomaniak Network SA

Bug#859390: beware upstream bug report : Bug 12685 - REGRESSION: net ads keytabhandling is broken

[L . P . H . van Belle]

Hai, 

 

Before packageing 4.6.x please take notice the upstream bug report.

https://bugzilla.samba.org/show_bug.cgi?id=12685 

 

 

 

Greetz, 

 

Louis

 

 

Bug#858564: confirmed workarounds.

[L . P . H . van Belle]

Hai, 

 

 

or set it explicit to "follow symlinks = yes" 

and smbd must be restarted and not reloaded. 

 

Also reported at redhat. 

https://bugzilla.redhat.com/show_bug.cgi?id=1436145 

 

 

 

Greetz, 

 

Louis

 

 

 

Bug#858601:

[L . P . H . van Belle]

Please supply smb.conf 

 

Check you idmap config, sample 

 

# Default idmap config used for BUILTIN and local accounts/groups

idmap config *:backend = tdb

idmap config *:range = 2000-

 

# idmap config for domain SAMDOM

idmap config SAMDOM:backend = rid

idmap config SAMDOM:range = 1-9

 

Please not that the ID ranges may not overlap. 

 

Greetz, 

 

Louis

 

Bug#858564: [Pkg-samba-maint] Bug#858564: samba: Since 8u4, Samba does not allow files not in root directory of share

[L . P . H . van Belle]

What happens if  you add: 

read only = No  ( or writeable = yes ) 
to your share, and not in the global settings. 

Greetz, 

Louis


> -Oorspronkelijk bericht-
> Van: Pkg-samba-maint [mailto:pkg-samba-maint-
> bounces+belle=bazuin...@lists.alioth.debian.org] Namens James Bellinger
> Verzonden: donderdag 23 maart 2017 17:41
> Aan: Debian Bug Tracking System
> Onderwerp: [Pkg-samba-maint] Bug#858564: samba: Since 8u4, Samba does not
> allow files not in root directory of share
> 
> Package: samba
> Version: 2:4.2.14+dfsg-0+deb8u2
> Severity: grave
> Justification: renders package unusable
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate
> ***
> 
>* What led up to the situation?
>   I upgraded to 8u4 through unattended upgrades.
>* What exactly did you do (or not do) that was effective (or
>  ineffective)?
>   (1) I attempt to create a file not in the root directory of the
> share.
>   (2) I try to write to files not in the root directory of the share.
>* What was the outcome of this action?
>   (1) Windows Explorer freezes entirely until I end task it.
>   (2) It says permission denied.
>* What outcome did you expect instead?
>   (1) Normally I can create files.
>   (2) Normally I can access files.
> 
> I have reverted back to 8u2 and am no longer experiencing problems.
> Access to the root directory of the share works fine.
> 
> My smb.conf is as follows:
> (start)
> [global]
> server string = Server
> workgroup = WORKGROUP
> log level = 1
> 
> interfaces = eth0 eth0:0 eth0:1 eth0:2 eth0:3
> bind interfaces only = yes
> socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=65536 SO_RCVBUF=65536
> 
> server role = standalone server
> disable netbios = yes
> disable spoolss = yes
> csc policy = disable
> oplocks = no
> server min protocol = NT1
> 
> passdb backend = tdbsam
> encrypt passwords = yes
> invalid users = root fsadmin
> disable netbios = yes
> disable spoolss = yes
> csc policy = disable
> oplocks = no
> server min protocol = NT1
> 
> passdb backend = tdbsam
> encrypt passwords = yes
> invalid users = root fsadmin
> 
> follow symlinks = no
> hide dot files = no
> wide links = no
> 
> create mask = 660
> directory mask = 770
> 
> vfs objects = acl_xattr streams_xattr full_audit
> full_audit:prefix = %S|%u|%I
> follow symlinks = no
> hide dot files = no
> wide links = no
> 
> create mask = 660
> directory mask = 770
> 
> vfs objects = acl_xattr streams_xattr full_audit
> full_audit:prefix = %S|%u|%I
> full_audit:success = mkdir open opendir rename rmdir unlink
> full_audit:failure = all !getxattr !removexattr !is_offline !readdir_att$
> full_audit:facility = LOCAL7
> full_audit:priority = ALERT
> 
> map acl inherit = yes
> store dos attributes = yes
> 
> browseable = no
> writeable = yes
> 
> include = /etc/samba/smb.conf.%i
> (end)
> 
> As an example of the IP-address specific file, here's one:
> (start)
> [hr$]
> comment = HR Server
> path = /mnt/data/hr
> force group = +AccessHR
> valid users = @AccessHR
> (end)
> 
> Permissions are absolutely fine. They are essentially 770.
> AppArmor is enabled, but I disabled it and the problem still exists in
> 8u4.
> It does not exist in 8u2.
> 
> *** End of the template - remove these template lines ***
> 
> 
> -- System Information:
> Debian Release: 8.7
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages samba depends on:
> ii  adduser  3.113+nmu3
> ii  dpkg 1.17.27
> ii  libbsd0  0.7.0-2
> ii  libc62.19-18+deb8u7
> ii  libhdb9-heimdal [heimdal-hdb-api-8]  1.6~rc2+dfsg-9
> ii  libldb1  2:1.1.20-0+deb8u1
> ii  libpam-modules   1.1.8-3.1+deb8u2
> ii  libpam-runtime   1.1.8-3.1+deb8u2
> ii  libpopt0 1.16-10
> ii  libpython2.7 2.7.9-2+deb8u1
> ii  libtalloc2   2.1.2-0+deb8u1
> ii  libtdb1  1.3.6-0+deb8u1
> ii  libtevent0   0.9.28-0+deb8u1
> ii  lsb-base 4.1+Debian13+nmu1
> ii  multiarch-support2.19-18+deb8u7
> ii  procps   2:3.3.9-9
> ii  python   2.7.9-1
> ii  python-dnspython 1.12.0-1
> ii  python-ntdb  1.0-5
> ii  python-samba 2:4.2.14+dfsg-0+deb8u2
> pn  python2.7:any
> ii  samba-common 2:4.2.14+dfsg-0+deb8u2
> ii  samba-common-bin 

Bug#738817: updated..

[L . P . H . van Belle]

I updated this bug on samba.org. 

https://bugzilla.samba.org/show_bug.cgi?id=10455 

 

Did nobody notice the overlapping idmappings in the suplied config.

 

idmap config DOMINIOCSA : range = 1-25000

idmap config DOMINIOCSA : backend = rid

idmap config * : range = 1-25000

idmap config * : backend = tdb 

 

I suggest first fix the errors in smb.conf first.

 

I can confirm that offline logons work fine on debian jessie. 

samba 4.4.5 ( a rebuild from Debian stretch )

 

If one if affected by it. ( on debian ) 

try running : pam-auth-update and select.

 [*] Winbind NT/Active Directory authentication

 

 

content of that file is : 

cat /usr/share/pam-configs/winbind

Name: Winbind NT/Active Directory authentication

Default: yes

Priority: 192

Auth-Type: Primary

Auth:

    [success=end default=ignore]    pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login try_first_pass

Auth-Initial:

    [success=end default=ignore]    pam_winbind.so krb5_auth 
krb5_ccache_type=FILE cached_login

Account-Type: Primary

Account:

    [success=end new_authtok_reqd=done default=ignore]  pam_winbind.so

Password-Type: Primary

Password:

    [success=end default=ignore]    pam_winbind.so use_authtok 
try_first_pass

Password-Initial:

    [success=end default=ignore]    pam_winbind.so

Session-Type: Additional

Session:

    optional    pam_winbind.so

 

 

from the wiki: 

https://wiki.samba.org/index.php/PAM_Offline_Authentication

my smb.conf has : "winbind offline logon = yes" 

 

i did NOT set /etc/security/pam_winbind.conf 

 

# Test result. 

# wbinfo -K NTDOM\\username -p

Enter NTDOM\username's password:

plaintext kerberos password authentication for [NTDOM\username] succeeded 
(requesting cctype: FILE)

credentials were put in: FILE:/tmp/krb5cc_0

Ping to winbindd succeeded

# smbcontrol winbind offline

# wbinfo -K NTDOM\\username -p

Enter NTDOM\username's password:

plaintext kerberos password authentication for [NTDOM\username] succeeded 
(requesting cctype: FILE)

user_flgs: NETLOGON_CACHED_ACCOUNT

credentials were put in: FILE:/tmp/krb5cc_0

Ping to winbindd succeeded

 

 

Greetz, 

 

Louis

 

Bug#180886: OpenSSL layer of GNUTLS

[L . P . H . van Belle]

Hai, 

 

Squid 3.5 does provide the option to use gnutls. 

 

Which should fix : 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641944 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=180886 

 

if squid can be updated also to 3.5.22 that would be great. 

Then its up2date before the freeze of Stretch. 

 

Greetz, 

 

Louis

 

 

Bug#686589: samba: init script reload action does not signal all processes

[L . P . H . van Belle]

Hai 

 

Samba 3.5.6/squeeze is not maintained anymore. 

 

But I’ve tested and i’ve not seen this bug anymore in versions : 

 

2:3.6.6-6+deb7u10

 

2:4.1.17+dfsg-1~bpo70+1

 

2:4.2.10+dfsg-0+deb8u3

 

2:4.4.5+dfsg-2 

 

Restarting samba now does open the logfile and if it does not exist its 
recreated as it should. 

 

 

 

Greetz, 

 

Louis

 

 

 

 

Bug#799059: /etc/cron.daily/logrotate: gzip: stdin: file size changed while zipping

[L . P . H . van Belle]

Cool thanx, but please report back, if you dont see it again. 
Then the maintainers can close this bugreport as fixed.

Thanks! 


> -Oorspronkelijk bericht-
> Van: ? Dan Jacobson [mailto:jida...@jidanni.org]
> Verzonden: maandag 1 augustus 2016 15:51
> Aan: L.P.H. van Belle
> CC: 799...@bugs.debian.org
> Onderwerp: Re: /etc/cron.daily/logrotate: gzip: stdin: file size changed
> while zipping
> 
> I think this kind of bug is hard to reproduce so instead I'll just post
> another bug report if I see it again... given that the involved packages
> are autoinstalled and not installed by me anyway.
> 
> >>>>> "LPHvB" == L P H van Belle <be...@bazuin.nl> writes:
> 
> LPHvB> Hai Dan,
> 
> LPHvB> Is this still happening with the current 4.2.10 version?
> 
> LPHvB> If this occurs, it often happens when the log.nmbd already exists
> and samba cant write to it.
> 
> LPHvB> When the log rotated now happens, samba keeps writing in the .1
> file.
> 
> LPHvB> Can you check with the latest (stable) version.
> 
> LPHvB> And if needed to be sure, clear the /var/log/samba folder and
> restart samba again.
> 
> LPHvB> This make sure all files have the correct rights.
> 
> LPHvB> Best regards,
> 
> LPHvB> Louis

Bug#799059: /etc/cron.daily/logrotate: gzip: stdin: file size changed while zipping

[L . P . H . van Belle]

Hai Dan, 

 

Is this still happening with the current 4.2.10 version?

 

If this occurs, it often happens when the log.nmbd already exists and samba 
cant write to it. 

When the log rotated now happens, samba keeps writing in the .1 file. 

 

Can you check with the latest (stable) version. 

And if needed to be sure, clear the /var/log/samba folder and restart samba 
again. 

This make sure all files have the correct rights. 

 

 

Best regards, 

 

Louis

 

Bug#825511: [Pkg-samba-maint] Bug#825511: smbcontrol manpage refers to

[L . P . H . van Belle]

Reported version : 2:4.2.10+dfsg-0+deb8u2 

Wheezy backported samba : 2:4.1.17+dfsg-1~bpo70+1
Reports :  Samba 4.0   02/24/2015    SMBCONTROL(1)

Current samba : 2:4.2.10+dfsg-0+deb8u3 : 
Reports : Samba 4.2 06/01/2016 SMBCONTROL(1)

Strechts samba : 
Samba 4.4    05/09/2016      SMBCONTROL(1)

Please close this bug its fixed already in latest : 2:4.2.10+dfsg-0+deb8u3 and 
higer. 

Gr. 

Louis

 

 

 

On Sat, 28 May 2016 19:45:40 +1200 Andrew Bartlett  wrote: 
> On Fri, 2016-05-27 at 12:51 +0200, Yvan Masson wrote: 
> > Package: samba 
> > Version: 2:4.2.10+dfsg-0+deb8u2 
> > Severity: minor 
> > 
> > Dear maintainers, 
> > 
> > It is written in smbcontrol manpage that it refers to Samba 3 suite 
> > (see section 
> > "VERSION" at the bottom). 
> > 
> > If this manpage is correct for Samba 4, could you write instead that 
> > it refers to 
> > Samba 4 suite ? 
> 
> Any chance you can prepare such a patch for upstream? 
> 
> Ideally it would automatically embed the version, but just fixing any 
> remaining such issues in Samba git master would be a good start. 
> 
> Thanks, 
> 
> Andrew Bartlett 
> 
> -- 
> Andrew Bartlett   http://samba.org/~abartlet/ 
> Authentication Developer, Samba Team  http://samba.org 
> Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba 
> 
> 
> 
> 
> 

Bug#772154: process_usershare_file: stat of /var/lib/samba/usershares/netlogo failed. No such file or directory

[L . P . H . van Belle]

This is not a bug but a feature. 

 

The samba 3.6.x has as default: 

usershare path = /var/lib/samba/usershares 

 

if a user enters a wrong path somewhere it falls back to the usershares and 
this share cannot be found there.

 

To get rid of this message do the following. 

 

Define the following and disable usershares. in smb.conf (global)

usershare path = 

 

 

Please tag : not a bug

 

 

Greetz, 

 

Louis

 

Bug#832880: please review this bug. incorrect tag (unreproducible )

[L . P . H . van Belle]

Hai, 

 

Please review this bug and remove : Tags: unreproducible 

There are mulple errors made in packaging samba in Debian Jessie.

 

Multple vfs manual files are in package samba and not samba-vfs-modules  

 

The files are not listed when you search on the debian packages site but get 
the deb files and have a look your self. 

And when searching on packages site dont find anything. 

 

In detailed explained and reproducible. 

 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832880#29 

 

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832880#34 

 

And this is also tested on NON backported packages. 

 

 

 

Best regards, 

 

Louis

 

 

 

Bug#832880: FW: [Pkg-samba-maint] Bug#832880: samba: Upgrade jessie => stretch

[L . P . H . van Belle]

And.. sorry but in addition. 

 

When i search for samba.8.gz 

https://packages.debian.org/search?mode=filename=jessie=all=any=contents=samba.8.gz
 

results in package samba. 

 

But in that same folder in the deb file i shown.

 

Missing on the debian site ( search like above ) 

vfs_ceph.8.gz

vfs_snapper.8.gz

vfs_glusterfs.8.gz

vfs_fruit.8.gz

vfs_worm.8.gz

 

 

 

 


Van: L.P.H. van Belle [mailto:be...@bazuin.nl] 
Verzonden: vrijdag 29 juli 2016 14:29
Aan: '832...@bugs.debian.org'
Onderwerp: RE: [Pkg-samba-maint] Bug#832880: samba: Upgrade jessie => stretch


 

Hai Jelmer, 

 

I see what you mean but im really not crazy.  ;-) 

I dont want to be annoying... but please read on.  (and sorry but im right in 
this case.) 

You can check it out yourself.

 

This is a clean server. Used for testing only.

Its a clean virtual machine jessie only ssh installed, so i can quick revert 
back to a clean server. 

I did reset to my first snapshot of the os. 

 

I checked the following. 

 

cat /etc/apt/sources.list

#

# deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 NETINST Binary-1 
20160123-18:59]/ jessie main

#deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 NETINST Binary-1 
20160123-18:59]/ jessie main

 

deb http://ftp.nl.debian.org/debian/ jessie main

deb-src http://ftp.nl.debian.org/debian/ jessie main

 

deb http://security.debian.org/ jessie/updates main

deb-src http://security.debian.org/ jessie/updates main

 

# jessie-updates, previously known as 'volatile'

deb http://ftp.nl.debian.org/debian/ jessie-updates main

deb-src http://ftp.nl.debian.org/debian/ jessie-updates main

 

 

Looked at the sources location so i didnt mis something. 

ls -al /var/lib/apt/lists/

total 90680

drwxr-xr-x 3 root root    12288 Jul 15 12:06 .

drwxr-xr-x 5 root root 4096 Jul 29 13:43 ..

-rw-r--r-- 1 root root 33803318 Jun  4 15:15 
ftp.nl.debian.org_debian_dists_jessie_main_binary-amd64_Packages

-rw-r--r-- 1 root root 22301906 Jun  4 15:14 
ftp.nl.debian.org_debian_dists_jessie_main_i18n_Translation-en

-rw-r--r-- 1 root root 32650635 Jun  4 15:14 
ftp.nl.debian.org_debian_dists_jessie_main_source_Sources

-rw-r--r-- 1 root root   148217 Jun  4 15:26 
ftp.nl.debian.org_debian_dists_jessie_Release

-rw-r--r-- 1 root root 2373 Jun  4 15:37 
ftp.nl.debian.org_debian_dists_jessie_Release.gpg

-rw-r--r-- 1 root root   142490 Jul 15 05:21 
ftp.nl.debian.org_debian_dists_jessie-updates_InRelease

-rw-r--r-- 1 root root    71169 Jul 12 23:01 
ftp.nl.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages

-rw-r--r-- 1 root root 5440 Jul 12 23:01 
ftp.nl.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.IndexDiff

-rw-r--r-- 1 root root    70543 Jun 20 04:34 
ftp.nl.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en

-rw-r--r-- 1 root root 2704 Jun 12 17:25 
ftp.nl.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.IndexDiff

-rw-r--r-- 1 root root   161123 Jul 15 04:31 
ftp.nl.debian.org_debian_dists_jessie-updates_main_source_Sources

-rw-r- 1 root root    0 May 27 14:34 lock

drwxr-xr-x 2 root root 4096 Jul 15 12:06 partial

-rw-r--r-- 1 root root    63063 Jul 15 10:01 
security.debian.org_dists_jessie_updates_InRelease

-rw-r--r-- 1 root root  1544358 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_binary-amd64_Packages

-rw-r--r-- 1 root root   934634 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_i18n_Translation-en

-rw-r--r-- 1 root root   900436 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_source_Sources

 

And Jessie still reports. 

dpkg -S /usr/share/man/man8/vfs_glusterfs.8.gz

samba: /usr/share/man/man8/vfs_glusterfs.8.gz

 

so .. 

ls -al /usr/share/man/man8/ | grep gluster

-rw-r--r--  1 root root  1935 Jun  5 11:33 vfs_glusterfs.8.gz

 

 

And stretch

> > Stretch

> > dpkg -S /usr/share/man/man8/vfs_glusterfs.8.gz

> > samba-vfs-modules: /usr/share/man/man8/vfs_glusterfs.8.gz

 

smbd -V

Version 4.2.10-Debian

 

So yes there is an :  vfs_glusterfs.8.gz file in jessie only its not listed 
anywhere. 

 

But i’ve seen it, when you look in the file : 

 

samba_2%3a4.2.10+dfsg-0+deb8u3_amd64.deb 

You wil see the vfs_glusterfs.8.gz 

 

 

 

Greetz, 

 

Louis

 

 

 

 

 

> -Oorspronkelijk bericht-

> Van: Jelmer Vernoo?? [mailto:jel...@debian.org]

> Verzonden: vrijdag 29 juli 2016 14:03

> Aan: louis van belle; 832...@bugs.debian.org

> Onderwerp: Re: [Pkg-samba-maint] Bug#832880: samba: Upgrade jessie =>

> stretch

> 

> On Fri, Jul 29, 2016 at 01:52:24PM +0200, louis van belle wrote:

> > Package: samba

> > Followup-For: Bug #832880

> >

> >

> >

> > -- System Information:

> > Debian Release: 8.5

> >   APT prefers stable-updates

> >   APT policy: (500, 'stable-updates'), (500, 'stable')

> > Architecture: amd64 (x86_64)

> >

> > Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)

> > Locale: LANG=en_US.UTF-8, 

Bug#832880: [Pkg-samba-maint] Bug#832880: samba: Upgrade jessie => stretch

[L . P . H . van Belle]

Hai Jelmer, 

 

I see what you mean but im really not crazy.  ;-) 

I dont want to be annoying... but please read on.  (and sorry but im right in 
this case.) 

You can check it out yourself.

 

This is a clean server. Used for testing only.

Its a clean virtual machine jessie only ssh installed, so i can quick revert 
back to a clean server. 

I did reset to my first snapshot of the os. 

 

I checked the following. 

 

cat /etc/apt/sources.list

#

# deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 NETINST Binary-1 
20160123-18:59]/ jessie main

#deb cdrom:[Debian GNU/Linux 8.3.0 _Jessie_ - Official amd64 NETINST Binary-1 
20160123-18:59]/ jessie main

 

deb http://ftp.nl.debian.org/debian/ jessie main

deb-src http://ftp.nl.debian.org/debian/ jessie main

 

deb http://security.debian.org/ jessie/updates main

deb-src http://security.debian.org/ jessie/updates main

 

# jessie-updates, previously known as 'volatile'

deb http://ftp.nl.debian.org/debian/ jessie-updates main

deb-src http://ftp.nl.debian.org/debian/ jessie-updates main

 

 

Looked at the sources location so i didnt mis something. 

ls -al /var/lib/apt/lists/

total 90680

drwxr-xr-x 3 root root    12288 Jul 15 12:06 .

drwxr-xr-x 5 root root 4096 Jul 29 13:43 ..

-rw-r--r-- 1 root root 33803318 Jun  4 15:15 
ftp.nl.debian.org_debian_dists_jessie_main_binary-amd64_Packages

-rw-r--r-- 1 root root 22301906 Jun  4 15:14 
ftp.nl.debian.org_debian_dists_jessie_main_i18n_Translation-en

-rw-r--r-- 1 root root 32650635 Jun  4 15:14 
ftp.nl.debian.org_debian_dists_jessie_main_source_Sources

-rw-r--r-- 1 root root   148217 Jun  4 15:26 
ftp.nl.debian.org_debian_dists_jessie_Release

-rw-r--r-- 1 root root 2373 Jun  4 15:37 
ftp.nl.debian.org_debian_dists_jessie_Release.gpg

-rw-r--r-- 1 root root   142490 Jul 15 05:21 
ftp.nl.debian.org_debian_dists_jessie-updates_InRelease

-rw-r--r-- 1 root root    71169 Jul 12 23:01 
ftp.nl.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages

-rw-r--r-- 1 root root 5440 Jul 12 23:01 
ftp.nl.debian.org_debian_dists_jessie-updates_main_binary-amd64_Packages.IndexDiff

-rw-r--r-- 1 root root    70543 Jun 20 04:34 
ftp.nl.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en

-rw-r--r-- 1 root root 2704 Jun 12 17:25 
ftp.nl.debian.org_debian_dists_jessie-updates_main_i18n_Translation-en.IndexDiff

-rw-r--r-- 1 root root   161123 Jul 15 04:31 
ftp.nl.debian.org_debian_dists_jessie-updates_main_source_Sources

-rw-r- 1 root root    0 May 27 14:34 lock

drwxr-xr-x 2 root root 4096 Jul 15 12:06 partial

-rw-r--r-- 1 root root    63063 Jul 15 10:01 
security.debian.org_dists_jessie_updates_InRelease

-rw-r--r-- 1 root root  1544358 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_binary-amd64_Packages

-rw-r--r-- 1 root root   934634 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_i18n_Translation-en

-rw-r--r-- 1 root root   900436 Jul 15 10:01 
security.debian.org_dists_jessie_updates_main_source_Sources

 

And Jessie still reports. 

dpkg -S /usr/share/man/man8/vfs_glusterfs.8.gz

samba: /usr/share/man/man8/vfs_glusterfs.8.gz

 

so .. 

ls -al /usr/share/man/man8/ | grep gluster

-rw-r--r--  1 root root  1935 Jun  5 11:33 vfs_glusterfs.8.gz

 

 

And stretch

> > Stretch

> > dpkg -S /usr/share/man/man8/vfs_glusterfs.8.gz

> > samba-vfs-modules: /usr/share/man/man8/vfs_glusterfs.8.gz

 

smbd -V

Version 4.2.10-Debian

 

So yes there is an :  vfs_glusterfs.8.gz file in jessie only its not listed 
anywhere. 

 

But i’ve seen it, when you look in the file : 

 

samba_2%3a4.2.10+dfsg-0+deb8u3_amd64.deb 

You wil see the vfs_glusterfs.8.gz 

 

 

 

Greetz, 

 

Louis

 

 

 

 

 

> -Oorspronkelijk bericht-

> Van: Jelmer Vernoo?? [mailto:jel...@debian.org]

> Verzonden: vrijdag 29 juli 2016 14:03

> Aan: louis van belle; 832...@bugs.debian.org

> Onderwerp: Re: [Pkg-samba-maint] Bug#832880: samba: Upgrade jessie =>

> stretch

> 

> On Fri, Jul 29, 2016 at 01:52:24PM +0200, louis van belle wrote:

> > Package: samba

> > Followup-For: Bug #832880

> >

> >

> >

> > -- System Information:

> > Debian Release: 8.5

> >   APT prefers stable-updates

> >   APT policy: (500, 'stable-updates'), (500, 'stable')

> > Architecture: amd64 (x86_64)

> >

> > Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)

> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

> > Shell: /bin/sh linked to /bin/dash

> > Init: systemd (via /run/systemd/system)

> >

> > Versions of packages samba depends on:

> > ii  adduser  3.113+nmu3

> > ii  dpkg     1.17.27

> > ii  libbsd0  0.7.0-2

> > ii  libc6    2.19-18+deb8u4

> > ii  libhdb9-heimdal [heimdal-hdb-api-8]  1.6~rc2+dfsg-9

> > ii  libldb1  2:1.1.20-0+deb8u1

> > ii  libpam-modules   1.1.8-3.1+deb8u1+b1

> > 

Bug#825437: talloc fails building on very clean system. +1

[L . P . H . van Belle]

Hai, 

 

Found one extra. 

( already reported ) 

talloc :

/bin/sh: 1: pyversions: not found

sudo apt-get install python-minimal --no-install-recommends

 

 

new, but same. 

.. the following message. 

dpkg-checkbuilddeps: Unmet build dependencies: docbook-xml docbook-xsl xsltproc 
dh-exec libpopt-dev python-dev (>= 2.6.6-3) python3-dev

W: Unmet build-dependency in source

dpkg-buildpackage: source package talloc

dpkg-buildpackage: source version 2.1.6-1~bpo8+1

dpkg-buildpackage: source distribution jessie-backports

dpkg-buildpackage: source changed by Louis van Belle 

 dpkg-source --before-build talloc-2.1.6

dpkg-checkbuilddeps: Unmet build dependencies: docbook-xml docbook-xsl xsltproc 
dh-exec libpopt-dev python-dev (>= 2.6.6-3) python3-dev

dpkg-buildpackage: warning: build dependencies/conflicts unsatisfied; aborting

dpkg-buildpackage: warning: (Use -d flag to override.)

dpkg-buildpackage: warning: this is currently a non-fatal warning with -S, but 
will probably become fatal in the future

 fakeroot debian/rules clean

dh clean --parallel --with python2

dh: unable to load addon python2: Can't locate 
Debian/Debhelper/Sequence/python2.pm in @INC (you may need to install the 
Debian::Debhelper::Sequence::python2 module) (@INC contains: /etc/perl 
/usr/local/lib/x86_64-linux-gnu/perl/5.20.2 /usr/local/share/perl/5.20.2 
/usr/lib/x86_64-linux-gnu/perl5/5.20 /usr/share/perl5 
/usr/lib/x86_64-linux-gnu/perl/5.20 /usr/share/perl/5.20 
/usr/local/lib/site_perl .) at (eval 11) line 2.

BEGIN failed--compilation aborted at (eval 11) line 2.

 

debian/rules:24: recipe for target 'clean' failed

make: *** [clean] Error 2

dpkg-buildpackage: error: fakeroot debian/rules clean gave error exit status 2

Build error : libtalloc-dev

 

 

Package python supplies : Debian/Debhelper/Sequence/python2.pm 

sudo apt-get install python --no-install-recommends

 

So the source is missing also build depends 

python or python3

 

in totaal , pre build needed sources 

 

sudo apt-get install python-minimal --no-install-recommends

sudo apt-get install python --no-install-recommends

and/or 

sudo apt-get install python3-minimal --no-install-recommends

sudo apt-get install python3 --no-install-recommends

 

Now i installed python-minimal and python and building in the pbuilder env 
works fine now. 

 

Bug#741492: FW: Bug#741492: samba: all process have same title (setproctitle not working)

[L . P . H . van Belle]

 

Small updated. 

 

I just rebuilded : samba  2:4.4.3+dfsg-4  

And this one is ok again, the setproctitle is gone. 

 

 

Greetz. 

 

Louis

 

 

 

 

 


Van: L.P.H. van Belle [mailto:be...@bazuin.nl] 
Verzonden: vrijdag 6 mei 2016 14:50
Aan: '741...@bugs.debian.org'
Onderwerp: Bug#741492: samba: all process have same title (setproctitle not 
working)


 

Hai, 

 

Im rebuilded samba 4.4.3 from debian sid to debian Jessie. 

 

Using these sources from debian sid, which are needed as dependecies. 

 

cmocka-1.0.1

ldb-1.1.26

nss-wrapper-1.1.2

resolv-wrapper-1.1.3

samba-4.4.3+dfsg

socket-wrapper-1.1.6

talloc-2.1.6

tdb-1.3.9

tevent-0.9.28

uid-wrapper-1.2.0+dfsg1

db-defaults-5.3.0

 

I did the same with 4.4.1 and 4.4.2 as of the 4.4.3 im seeing :

 

samba: setproctitle not initialized, please either call setproctitle_init() or 
link against libbsd-ctor. 

 

In the logs again. 

 

But it looks like verything is working correctly, any insights here? 

 

 

 

Greetz, 

 

Louis

 

Bug#741492: samba: all process have same title (setproctitle not working)

[L . P . H . van Belle]

Hai, 

 

Im rebuilded samba 4.4.3 from debian sid to debian Jessie. 

 

Using these sources from debian sid, which are needed as dependecies. 

 

cmocka-1.0.1

ldb-1.1.26

nss-wrapper-1.1.2

resolv-wrapper-1.1.3

samba-4.4.3+dfsg

socket-wrapper-1.1.6

talloc-2.1.6

tdb-1.3.9

tevent-0.9.28

uid-wrapper-1.2.0+dfsg1

db-defaults-5.3.0

 

I did the same with 4.4.1 and 4.4.2 as of the 4.4.3 im seeing :

 

samba: setproctitle not initialized, please either call setproctitle_init() or 
link against libbsd-ctor. 

 

In the logs again. 

 

But it looks like verything is working correctly, any insights here? 

 

 

 

Greetz, 

 

Louis

 

Bug#821183: FW: [Samba] FW: Domain member seems to work, wbinfo -u not (update10)

[L . P . H . van Belle]

Hai again. 


Today i did some new test. 
The trick below ( previous e-mail), works sometime with 4.2.10 and 4.3.8 

The trick works always with 4.4.2

 

My own deb build not installed from source and tested now on 3 servers. 

All same result. 

I checked out the server i did yesterday, still working without any problems. 

 

So im wondering whats the difference between 4.2.10 4.3.8 4.4.1. 

in the debian packages and my debian build of 4.4.2 

 

The 4.4.2 build i made was the source from samba.org. 

I took the "debian" folder from 4.4.1 and added this in the source samba 4.4.2. 

i removed only one patch, since that is in 4.4.2 from source.

Patch:  security-2016-04-12-prerequisite-v4-4-regression-fixes.metze01.txt 

 

I did rebuild tevent ldb tdb talloc etc from debian sid. 

 

And now i cant make it fail again undepended of the settings. 

 

I hope this helps someone. 

 

Greetz, 

 

Louis

 

 

> -Oorspronkelijk bericht-

> Van: samba [mailto:samba-boun...@lists.samba.org] Namens L.P.H. van Belle

> Verzonden: dinsdag 19 april 2016 15:11

> Aan: sa...@lists.samba.org

> Onderwerp: Re: [Samba] FW: Domain member seems to work, wbinfo -u not

> (update8)( solved maybe?)

> 

> Ok.

> New test, debian samba 4.2.10 ( all stock debian packages )

> 

> So others with 4.2.10 stock debian packages, please test also if below

> works.

> 

> 

> The file server on which (wbinfo -u) worked saterday, and not on Sunday

> until now.

> 

> 

> None of these three settings below are in the config and wbinfo -u fails.

> 

> 

> Now adding these settings !! one at the time !!

> And i reloaded samba and restarted winbind every time.

> 

> 

> 

>     client ldap sasl wrapping = plain

>     client ldap sasl wrapping = seal

>     client ldap sasl wrapping = sign

> 

> Result in the end.

> 

> 

> I started with plain, wbinfo -u works, but first time a long delay before

> i see the output, ( long is +4-5 sec)

> 

> Changed it to seal, wbinfo -u works

> 

> 

> And back to the samba default "sign" which now also works.

> So seems fixed now. Strange..

> 

> 

> 

> Removed the client ldap sasl wrapping from the config.

> All still works.

> 

> 

> 

> I'll check this server tomorrow again.

> 

> 

> 

> 

> 

> Greetz,

> 

> 

> 

> Louis

> 

> 

> 

> 

> 

> > -Oorspronkelijk bericht-

> 

> > Van: samba [mailto:samba-boun...@lists.samba.org] Namens L.P.H. van

> Belle

> 

> > Verzonden: dinsdag 19 april 2016 12:48

> 

> > Aan: sa...@lists.samba.org

> 

> > Onderwerp: Re: [Samba] FW: Domain member seems to work, wbinfo -u not

> 

> > (update7)

> 

> >

> 

> > @Patrick Thanks, that helped.

> 

> > @Mathias, only 10.000 objects.

> 

> >

> 

> > >>  client ldap sasl wrapping = plain  <<

> 

> >

> 

> > I've tested that on my members.

> 

> > 4.2.10

> 

> > 4.3.8

> 

> > 4.4.1

> 

> > 4.4.2

> 

> > wbinfo -u now work.

> 

> >

> 

> > Ok tested all 3 options of that settings.

> 

> > Tested als in the order, plain seal sign

> 

> >

> 

> > Samba 4.2.10 (debian stable)

> 

> >    client ldap sasl wrapping = plain   wbinfo -u works.

> 

> >    client ldap sasl wrapping = seal  wbinfo -u fails

> 

> >    client ldap sasl wrapping = sign  wbinfo -u fails

> 

> > only plain works, en keeps working.

> 

> >

> 

> >

> 

> > Other server.

> 

> > Version 4.4.2-LvB ( samba.org packages, own deb, based on debian 4.4.1 )

> 

> > Default it fails, now the funny part.

> 

> > ( default samba setting is sign )

> 

> > We start with a NOT working wbinfo -u.

> 

> >

> 

> > Test with following changes.

> 

> > Try1) client ldap sasl wrapping = plain  wbinfo -u works.

> 

> > Try2) client ldap sasl wrapping = seal wbinfo -u also works now.

> 

> > Try3) client ldap sasl wrapping = sign wbinfo -u also works now.

> 

> >

> 

> > Only the 4.4.2 now keeps working independed of the setting.

> 

> > Lunch first, i'll test the 4.3.8 also.

> 

> >

> 

> >

> 

> > Greetz,

> 

> >

> 

> > Louis

> 

> >

> 

> >

> 

> >

> 

> > > -Oorspronkelijk bericht-

> 

> > > Van: samba [mailto:samba-boun...@lists.samba.org] Namens Patrick G.

> 

> > > Stoesser

> 

> > > Verzonden: dinsdag 19 april 2016 12:21

> 

> > > Aan: sa...@lists.samba.org

> 

> > > Onderwerp: Re: [Samba] After Update to 4.2, Samba is unusuable as

> member

> 

> > > server / No user and goup resolution

> 

> > >

> 

> > > Hello,

> 

> > >

> 

> > > a reply in debianforum.de led me to:

> 

> > >

> 

> > > client ldap sasl wrapping = plain

> 

> > >

> 

> > > and with that setting at least wbinfo works.

> 

> > >

> 

> > > But still my problems are not completely gone: On the filesystem

> level,

> 

> > > AD users and groups are still not resolved. "Invalid user". But kinit

> 

> > > "USER" works. Still have to try...

> 

> > >

> 

> > > Regards, pgs

> 

> > >

> 

> > >

> 

> > > Am 16.04.2016 um 19:08 schrieb Patrick G. Stoesser:

> 

> > > > Hello 

Bug#821183: 821183: winbind: wbinfo -u is empty, wbinfo -g works

[L . P . H . van Belle]

I can confirm above as John. I’ve tested. 

 

DC’s running : Version 4.2.11-SerNet-Debian-9.jessie  

All works ok. 

 

Member servers. 

Samba 4.1.17 ( everything works ok ) 

Samba 4.3.6 ( everything works ok )  ( recompiled version from sid ) 

 

Samba 4.2.10   ( wbinfo –g works, -u not ) 

Samba 4.3.7 ( wbinfo –g works, -u not ) ( recompiled version from sid )

 

Samba 4.3.8 ( wbinfo –g works, -u not ) ( recompiled version from sid )

Samba 4.4.1 ( wbinfo –g works, -u not ) ( recompiled version from 
experimental )

Samba 4.4.2 ( wbinfo –g works, -u not ) ( recompiled version from samba 
source  )

    Added the debian folder and removed unneeded patches. 

 

All other testes like :  work ok. 

wbinfo --domain-info=NTDOMAIN

wbinfo –p

wbinfo -P

wbinfo –g   

wbinfo –s SID 

wbinfo –n Name

wbinfo –g

 

 

Rowland tested an install from source only (4.4.2), on Debian Jessie. this 
works.  

So im thinking maybe its related to teven talloc ldb tdb something like that. 

Based on the Samba 4.4.2 packages i created and Rowlands install, thats the 
only difference i found.

 

See also the samba treath: [Samba] FW: Domain member seems to work, wbinfo -u 
not

 

Part of the debug log.

Wbinfino –g success

[2016/04/18 13:25:38.723377,  1, pid=14148, effective(0, 0), real(0, 

 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)

 wbint_QueryGroupList: struct wbint_QueryGroupList

    out: struct wbint_QueryGroupList

    groups   : *

    groups: struct wbint_Principals

    num_principals   : 74

    principals: ARRAY(74)

    principals: struct wbint_Principal

    sid  : 
S-1-5-21-2934682428-2610421433-476865461-571

    type : SID_NAME_DOM_GRP (2)

    name : *

    name : 'Allowed RODC 
Password Replication Group'

 .. etc etc. 74 groups shown.

 

 

Wbinfo –u fail  

 

[2016/04/18 16:56:38.145224, 10, pid=27010, effective(0, 0), real(0, 0)] 
../auth/kerberos/gssapi_helper.c:303(gssapi_unseal_packet)

  Unsealed 32 bytes, with 76 bytes header/signature.

[2016/04/18 16:56:38.145236, 10, pid=27010, effective(0, 0), real(0, 0), 
class=rpc_cli] 
../source3/rpc_client/cli_pipe.c:525(cli_pipe_validate_current_pdu)

  Got pdu len 140, data_len 24

[2016/04/18 16:56:38.145249, 10, pid=27010, effective(0, 0), real(0, 0), 
class=rpc_cli] ../source3/rpc_client/cli_pipe.c:975(rpc_api_pipe_got_pdu)

  rpc_api_pipe: got frag len of 140 at offset 0: NT_STATUS_OK

[2016/04/18 16:56:38.145261, 10, pid=27010, effective(0, 0), real(0, 0), 
class=rpc_cli] ../source3/rpc_client/cli_pipe.c:1075(rpc_api_pipe_got_pdu)

  rpc_api_pipe: host dc2.internal.domain.tld returned 24 bytes.

[2016/04/18 16:56:38.145279,  1, pid=27010, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)

   samr_Close: struct samr_Close

  out: struct samr_Close

  handle   : *

  handle: struct policy_handle

  handle_type  : 0x (0)

  uuid : 
----

  result   : NT_STATUS_OK

[2016/04/18 16:56:38.145362,  5, pid=27010, effective(0, 0), real(0, 0)] 
../libcli/smb/smb2_signing.c:93(smb2_signing_sign_pdu)

  signed SMB2 message

[2016/04/18 16:56:38.145697,  1, pid=27010, effective(0, 0), real(0, 0)] 
../librpc/ndr/ndr.c:439(ndr_print_function_debug)

   wbint_QueryUserList: struct wbint_QueryUserList

  out: struct wbint_QueryUserList

  users    : *

  users: struct wbint_userinfos

  num_userinfos    : 0x (0)

  userinfos: ARRAY(0)

  result   : NT_STATUS_IO_TIMEOUT

[2016/04/18 16:56:38.145769,  4, pid=27010, effective(0, 0), real(0, 0), 
class=winbind] ../source3/winbindd/winbindd_dual.c:1397(child_handler)

  Finished processing child request 59

 

 

Greetz, 

 

Louis

 

Bug#767353: 767353: clamav: ERROR: Can't save PID to file /var/run/clamav/freshclam.pid:

[L . P . H . van Belle]

Hai, 
 
Sorry to say, and i cant see in the bug report on the site if this is fixed 
already.. 
 
I just upgraded my debian wheezy to debian Jessie. 
 
Clamav version :  0.98.7+dfsg-0+deb8u1
 
cat clamav.log
Fri Jun  5 16:30:02 2015 - ERROR: Can't unlink the pid file 
/var/run/clamav/clamd.pid
Fri Jun  5 16:30:14 2015 - ERROR: Can't save PID in file 
/var/run/clamav/clamd.pid

cat freshclam.log
Fri Jun  5 16:18:01 2015 - ERROR: Can't save PID to file 
/var/run/clamav/freshclam.pid: No such file or directory

Do i need to wait for the next version of clamav ? 
 
Greetz, 
 
Louis
 

Bug#777150: FW: Bug#777150: Acknowledgement (ufw: Hi, adde a custom rule with geoip iptables modules wont load from ufw.)

[L . P . H . van Belle]

I forgot to mention.. 
 
I tried to add these line in multiple places in /etc/ufw/before.rules. 
I does not matter where these are in the file. 
 
-A ufw-before-input -m geoip --src-cc KR,CN,IN,RU,TR,VN,UA,BR,VE,JP -m limit 
--limit 3/minute -j LOG --log-level 4 --log-prefix '[UFW COUNTRY BLOCK] '
-A ufw-before-input -m geoip --src-cc KR,CN,IN,RU,TR,VN,UA,BR,VE,JP -j DROP

 
after that i do : ufw disable  ufw enable 

the exact error message is : 
ERROR: problem running ufw-init 
( all other rules are proccessed ok. ) 



if i do add the iptables lines on commandline then they show up as they should 
and work ok.
Chain ufw-before-input (1 references)
target prot opt source   destination
ufw-user-input  all  --  0.0.0.0/0    0.0.0.0/0
LOG    all  --  0.0.0.0/0    0.0.0.0/0    Source countries: 
KR,CN,IN,RU,TR,VN,UA,BR,VE,JP  limit: avg 3/min burst 5 LOG flags 0 level 4 
prefix [UFW COUNTRY BLOCK] 
DROP   all  --  0.0.0.0/0    0.0.0.0/0    Source countries: 
KR,CN,IN,RU,TR,VN,UA,BR,VE,JP
 
All my custom  messages are now also in /var/log/ufw.log  
 
 
 If you need more info, just ask. 
 
Thanks 
 
Louis
 

Bug#771778: Acknowledgement (squid3: Pinger segfault with libc)

[L . P . H . van Belle]

Hai Luigi, 

Thank you for having a loot. 

Your close.  I didnt change any dependecies to other librarys. 
What i did, get every package squid3 depended on and recompiled these also back 
to wheezy.
the total bundle of packages needed by squid3 was used.  ( so about the same as 
a backported package ) 
I didnt change anything in any file. 
just by :
apt-get build-dep squid3 
apt-get build-dep libecap2
apt-get source squid3 -b
apt-get source libecap2 -b 


But thank you for providing the backported packages, i did a rebuild just 
because there wasnt any squid3 backported packages. 
I'll go test this out. I'll report back.

Greetz, 

Louis





-Oorspronkelijk bericht-
Van: Luigi Gangitano [mailto:lu...@debian.org] 
Verzonden: vrijdag 12 december 2014 18:46
Aan: L.P.H. van Belle; 771...@bugs.debian.org
CC: cont...@bugs.debian.org; pkg-squid-de...@lists.alioth.debian.org
Onderwerp: Re: Bug#771778: Acknowledgement (squid3: Pinger 
segfault with libc)

notfound 771778 3.4.8-2
severity 771778 normal
tags 771778 +unreproducible +wontfix
thanks

 This is on debian wheezy, squid recompiled from jesse with 
icap and i did rebuild to a deb : squidclamav 6.11 
 bug 760303, which looks like it. 

Hi,

If I read correctly, you took the jessie sources and 
recompiled it on wheezy, changing dependencies to another 
library. Then you filed a Release-Criticl bug on the jessie 
version because your custom built package does not work.

I’ve just downgraded your bug and tagged it as unreproducible 
(we don’t have a copy of your package to test) and wontfix (we 
don’t provide supporto to packages not provided by Debian 
build infrastructure).

Since this segfault may still affect the backport version od 
3.4.8-4 that I just uploaded, I’m keeping this bug report 
open. Please install that package from back ports (it uses 
libecap, just like the jessie version) and test if the bug is 
still there.

Best regards,

L

--
Luigi Gangitano -- lu...@debian.org -- gangit...@lugroma3.org
GPG: 1024D/924C0C26: 12F8 9C03 89D3 DB4A 9972  C24A F19B A618 924C 0C26
GPG: 4096R/2BA97CED: 8D48 5A35 FF1E 6EB7 90E5  0F6D 0284 F20C 2BA9 7CED




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#771778: Info received (Bug#771778: Acknowledgement (squid3: Pinger segfault with libc))

[L . P . H . van Belle]

Hai Luigi, 

Sorry to ask, but are you in the position to create an amd64 packages. 
im only having amd64 machines.. 
( sorry ) 

Greetz, 

Louis





-Oorspronkelijk bericht-
Van: ow...@bugs.debian.org [mailto:ow...@bugs.debian.org] 
Verzonden: maandag 15 december 2014 9:21
Aan: L.P.H. van Belle
Onderwerp: Bug#771778: Info received (Bug#771778: 
Acknowledgement (squid3: Pinger segfault with libc))

Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Luigi Gangitano lu...@debian.org

If you wish to submit further information on this problem, please
send it to 771...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
771778: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=771778
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#771778: Acknowledgement (squid3: Pinger segfault with libc)

[L . P . H . van Belle]

extra info. 

This is on debian wheezy, squid recompiled from jesse with icap and i did 
rebuild to a deb : squidclamav 6.11 
bug 760303, which looks like it. 

The bugcheck is : 

2014/12/02 06:00:10 kid1| NETDB state saved; 633 entries, 2 msec
2014/12/02 06:25:04 kid1| Closing Pinger socket on FD 26
2014/12/02 06:25:18| Pinger exiting.
*** glibc detected *** (pinger): free(): invalid next size (normal): 
0x7fb19ba45df0 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x76a16)[0x7fb1987b6a16]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x6c)[0x7fb1987bb7bc]
/usr/lib/x86_64-linux-gnu/libstdc++.so.6(_ZNSt19basic_ostringstreamIcSt11char_traitsIcESaIcEED0Ev+0xa6)[0x7fb19900dae6]
(pinger)(+0x8d99)[0x7fb19a108d99]
(pinger)(+0x59c5)[0x7fb19a1059c5]
(pinger)(main+0x2a0)[0x7fb19a104550]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd)[0x7fb19875eead]
(pinger)(+0x50a9)[0x7fb19a1050a9]
=== Memory map: 
7fb19400-7fb194021000 rw-p  00:00 0
7fb194021000-7fb19800 ---p  00:00 0
7fb19811-7fb198116000 r-xp  ca:01 134270 
/usr/lib/libnfnetlink.so.0.2.0
7fb198116000-7fb198315000 ---p 6000 ca:01 134270 
/usr/lib/libnfnetlink.so.0.2.0
7fb198315000-7fb198316000 rw-p 5000 ca:01 134270 
/usr/lib/libnfnetlink.so.0.2.0
7fb198318000-7fb19831c000 r-xp  ca:01 44 
/lib/x86_64-linux-gnu/libattr.so.1.1.0
7fb19831c000-7fb19851b000 ---p 4000 ca:01 44 
/lib/x86_64-linux-gnu/libattr.so.1.1.0
7fb19851b000-7fb19851c000 r--p 3000 ca:01 44 
/lib/x86_64-linux-gnu/libattr.so.1.1.0
7fb19851c000-7fb19851d000 rw-p 4000 ca:01 44 
/lib/x86_64-linux-gnu/libattr.so.1.1.0
7fb19852-7fb198537000 r-xp  ca:01 64 
/lib/x86_64-linux-gnu/libpthread-2.13.so
7fb198537000-7fb198736000 ---p 00017000 ca:01 64 
/lib/x86_64-linux-gnu/libpthread-2.13.so
7fb198736000-7fb198737000 r--p 00016000 ca:01 64 
/lib/x86_64-linux-gnu/libpthread-2.13.so
7fb198737000-7fb198738000 rw-p 00017000 ca:01 64 
/lib/x86_64-linux-gnu/libpthread-2.13.so
7fb198738000-7fb19873c000 rw-p  00:00 0
7fb19873f000-7fb19874 rw-p  00:00 0
7fb19874-7fb1988c2000 r-xp  ca:01 3330   
/lib/x86_64-linux-gnu/libc-2.13.so
7fb1988c2000-7fb198ac2000 ---p 00182000 ca:01 3330   
/lib/x86_64-linux-gnu/libc-2.13.so
7fb198ac2000-7fb198ac6000 r--p 00182000 ca:01 3330   
/lib/x86_64-linux-gnu/libc-2.13.so
7fb198ac6000-7fb198ac7000 rw-p 00186000 ca:01 3330   
/lib/x86_64-linux-gnu/libc-2.13.so
7fb198ac7000-7fb198acc000 rw-p  00:00 0
7fb198ad-7fb198ae5000 r-xp  ca:01 15 
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fb198ae5000-7fb198ce5000 ---p 00015000 ca:01 15 
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fb198ce5000-7fb198ce6000 rw-p 00015000 ca:01 15 
/lib/x86_64-linux-gnu/libgcc_s.so.1
7fb198ce8000-7fb198d69000 r-xp  ca:01 3335   
/lib/x86_64-linux-gnu/libm-2.13.so
7fb198d69000-7fb198f68000 ---p 00081000 ca:01 3335   
/lib/x86_64-linux-gnu/libm-2.13.so
7fb198f68000-7fb198f69000 r--p 0008 ca:01 3335   
/lib/x86_64-linux-gnu/libm-2.13.so
7fb198f69000-7fb198f6a000 rw-p 00081000 ca:01 3335   
/lib/x86_64-linux-gnu/libm-2.13.so
7fb198f7-7fb199058000 r-xp  ca:01 133196 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7fb199058000-7fb199258000 ---p 000e8000 ca:01 133196 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7fb199258000-7fb19926 r--p 000e8000 ca:01 133196 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7fb19926-7fb199262000 rw-p 000f ca:01 133196 
/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17
7fb199262000-7fb199277000 rw-p  00:00 0
7fb199278000-7fb19927a000 r-xp  ca:01    
/lib/x86_64-linux-gnu/libdl-2.13.so
7fb19927a000-7fb19947a000 ---p 2000 ca:01    
/lib/x86_64-linux-gnu/libdl-2.13.so
7fb19947a000-7fb19947b000 r--p 2000 ca:01    
/lib/x86_64-linux-gnu/libdl-2.13.so
7fb19947b000-7fb19947c000 rw-p 3000 ca:01    
/lib/x86_64-linux-gnu/libdl-2.13.so
7fb19948-7fb199487000 r-xp  ca:01 3348   
/lib/x86_64-linux-gnu/librt-2.13.so
7fb199487000-7fb199686000 ---p 7000 ca:01 3348   
/lib/x86_64-linux-gnu/librt-2.13.so
7fb199686000-7fb199687000 r--p 6000 ca:01 3348   
/lib/x86_64-linux-gnu/librt-2.13.so
7fb199687000-7fb199688000 rw-p 7000 ca:01 3348   

Bug#751484: FW: Bug#751484: Acknowledgement (c-icap: installing a recompiled c-icap on debian wheezy ends in a broken system)

[L . P . H . van Belle]

Hai, 

I tested also the previous version c-icap-0.3.2-1 from ubuntu trusty. 
compiled and installed ok no errors works as expected. 

I got the previous version from ubuntu trusty. 
i wget them, extraxted them and compiled them. 

So imo or bugfix 743202 is causing this or the upstream release 0.3.3-1 ( and 
up ) 


Best regards, 

Louis


-Oorspronkelijk bericht-
Van: Debian BTS [mailto:debb...@buxtehude.debian.org] Namens 
ow...@bugs.debian.org
Verzonden: vrijdag 13 juni 2014 14:21
Aan: Louis
Onderwerp: Bug#751484: Acknowledgement (c-icap: installing a recompiled c-icap 
on debian wheezy ends in a broken system)

Thank you for filing a new Bug report with Debian.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Tim Weippert we...@weiti.org

If you wish to submit further information on this problem, please
send it to 751...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
751484: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751484
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org

Bug#630905: bley not starting

[L . P . H . van Belle]

Hai, 
 
Im seeing the bug report on bley not starting. 
 
the supplied fix on the bug site didnt fix it. 
 
Dependecy booting on wheezy puts bley before loading the database server. 
 
raceback (most recent call last):
  File /usr/bin/bley, line 221, in module
    bley_start()
  File /usr/bin/bley, line 164, in bley_start
    db = settings.database.connect(**settings.dbsettings)
  File /usr/lib/python2.7/dist-packages/psycopg2/__init__.py, line 179, in 
connect
    connection_factory=connection_factory, async=async)
psycopg2.OperationalError: could not connect to server: Connection refused
Is the server running on host localhost (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host localhost (127.0.0.1) and accepting
TCP/IP connections on port 5432?
 
Best regards, 
 
Louis
 

Bug#630905: Info received (bley not starting)

[L . P . H . van Belle]

extra info, fixed it with : 
adding : 
/etc/insserv.conf.d/postgresql
$postgresql postgresql 

/etc/insserv/overrides/bley
### BEGIN INIT INFO
# Provides:  bley
# Required-Start:$remote_fs $syslog postgresql
# Required-Stop: $remote_fs $syslog postgresql
# Default-Start: 2 3 4 5
# Default-Stop:  0 1 6
# Short-Description: bley initscript
# Description:   intelligent greylisting daemon for Postfix.
### END INIT INFO

and i did run: 
insserv -r bley 
insserv bley 

checked the /etc/rc2.d 
now bley is starting after postgresql 

best regards, 


-Oorspronkelijk bericht-
Van: Debian BTS [mailto:debb...@buxtehude.debian.org] Namens 
ow...@bugs.debian.org
Verzonden: vrijdag 24 januari 2014 12:15
Aan: L.P.H. van Belle
Onderwerp: Bug#630905: Info received (bley not starting)

Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Evgeni Golov evg...@debian.org

If you wish to submit further information on this problem, please
send it to 630...@bugs.debian.org.

Please do not send mail to ow...@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
630905: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=630905
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org