Re: [Samba] PDC from 2 to 3, SID headaches

2004-09-11 Thread Brian Krusic
Hi,

I had this very same issue and posted this problem many months ago to no
avail.

Since user profs and envs are critical in my env, what I did was

1) Ensure that a local version of the domain prof existed and that it was
local vs roaming using the Windows profile tool.

2) I then made the identical user on the local machine account (if your
machine is named foo, then your local acc would be foo\user).

* login once on foo\user to ensure profile account creation.

3) Using the profile copy tool in Windows, I then copied the domain profile
to the local machine account profile.

4) I then logged on as foo\user to ensure the env was as it should be.

5) I then copied the foo\user account to the domain account using the
Windows tool and I was then able to migrate to v3 and keep my profs and env
for each user.

* Be admin when doing the profile migration or at least another user with
admin privs.

Of course a tedious thing for 30+ users but it was critical as they are in FX
industry and are very picky about their env.

It's ultimately up to you on whether you want to go this extra step but I felt
that it was my responsibility to provide this level of service.

Bri-
Network Consulting Services


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Saturday 11 September 2004 15:28, Blindauer Emmanuel wrote:
> have an Aurora sparc with kerberos 1.3.2, samba compiled from sources 3.0.6
> with patch on winbind.
My fault, the binaries are 3.0.3pre2 and not 3.0.6


RE: [Samba] Sage Problem

2004-09-11 Thread Alan Munday
> -----Original Message-----
> From: 
> [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED]
> ba.org] On Behalf Of Terry
> Sent: 11 September 2004 17:20
> To: [EMAIL PROTECTED]
> Subject: [Samba] Sage Problem
> 
> 
> Has any one run sage line 50 with samba
> As i have setup a samba server to hold the data directory for 
> sage was 
> fine for bout week then slowed right down
> a samba restart seemed to help but sage still runs rather slow
> We are only talking about 5 users at a time the data dir is 
> about 2gb in 
> size
> Any help would be handy or tweaks for samba
> Samba version 2.2.8a
> Freebsd 4.9
> 2.4 cpu with 512 ram 
> 100 mb Nic and switch
> Clients running nt4 sp6
> sage version 10.
> 
> Regards Terry

I posted a while back when I did a Sage install (copied below).

I was at this site this week and these clients reported exactly the same
behaviour. 

In their case they have been running fine for months and only in the last
few weeks have things slowed up.

I checked the server and network loadings and all was fine and there have
been no OS/Samba updates during this period.

Alan



-----Original Message-----
From: Alan Munday [mailto:[EMAIL PROTECTED] 
Sent: 19 May 2004 14:09
To: 'Hamish'; 'steve downes'
Cc: 'Samba List'
Subject: RE: [Samba] SAGE Line 50



I've put Line 50 onto a 3.0.4 build this week.

I used the following as a guide.

http://www.redhat.com/archives/redhat-list/2003-June/msg01211.html


I would be interested if anyone else is using different settings.

I would also be interested in the install process followed, as an accountant
came in and did this install; I had to follow and make it work.

regards

Alan



[Samba] Re: oplock_break failed

2004-09-11 Thread éric le hénaff

"Martin Schmidt" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Hi,

I posted the same problem 3 weeks ago, I was afraid I am the only one having
this problem.
I am glad that there are others thinking about that problem too, so maybe we
will get it fixed.
One try was also to switch off the oplocks, which is not a really good idea,
because several users can work on the same file without noticing it. So they
will override each other's changes.
_
-> oplocks are not file locks. oplocks are about caching files on the client
to improve performance. users won't be able to work on the same file
simultaneously if you disable oplocks.
you should try to use sendfile = no. this newsgroup is full of this advice.

In those (for me helpless) last three weeks the users complaining about
problems to save their files grew more and more, they are only w2k clients,
I have a lot of w98 clients still, never heard a word from them, it is not
only excel causing the trouble, but also word, once I got even with notepad
and a text file with only the word "test" as content.

Meanwhile I did try to undo all the changes I have made before the problem
occurred.
What I can't easily undo is the update on the w2k clients, I was pondering
changing the linux kernel-update this weekend ( from 2.4.21 back to 2.4.18 I
had before the problem existed). I don't like that, and I am glad about the
suggestion checking the switches and NIC's - I never spent a thought on them
- I think the servers NIC, the switch is a 3COM 4400, but I already had one
damaged of them too, so maybe 3Com isn't that quality assurance I hoped it to
be.





On Thursday, 9 September 2004 12:20, Jeremy Allison wrote:
> On Thu, Sep 09, 2004 at 12:08:37PM +0200, éric le hénaff wrote:
> > hello
> > i have "oplock_break failed " in logs, see below. should i consider
> > removing oplocks ?
>
> You could try that, although oplock break failed
> messages are often due to local network problems.
> Check your switches/hubs/nic cards.
>
> Jeremy.

-- 


Kind regards

Martin Schmidt

Tel: 09843/988095
Fax: 09843/988096
email: [EMAIL PROTECTED]



Re: BUG 1717 [was Re: [Samba] Re: Samba 3.0.6 Problems w/AD and Kerberos]

2004-09-11 Thread Doug VanLeuven
Blindauer Emmanuel wrote:
On Saturday 11 September 2004 00:17, Blindauer Emmanuel wrote:
attached are log from smbd, krb5.conf and smb.conf
[global]
  workgroup = DPTINFO
  server string = %h server (Samba %v)
 

  security = ads
  realm = DPTINFO.URS.LOCAL
 


   [libdefaults]
default_realm = DPTINFO.URS.LOCAL
   krb4_config = /etc/krb.conf
   krb4_realms = /etc/krb.realms
   kdc_timesync = 1
   ccache_type = 4
   forwardable = true
   proxiable = true

   v4_instance_resolve = false
   v4_name_convert = {
   host = {
   rcmd = host
   ftp = ftp
   }
   plain = {
   something = something-else
   }
   }
[realms]
DPTINFO.URS.LOCAL = {
kdc = canard.u-strasbg.fr
   admin_server = canard.u-strasbg.fr
}
[domain_realm]
   .u-strasbg.fr = DPTINFO.URS.LOCAL
   u-strasbg.fr = DPTINFO.URS.LOCAL
Hi,
Your situation looks a lot like mine.
Your realm and DNS names are not equivalent.
See https://bugzilla.samba.org/show_bug.cgi?id=1651
You'll find a workaround in there.
For you and your domain_realm mapping,
it looks like a client machine called hypothetically poem.u-strasbg.fr
in the realm DPTINFO.URS.LOCAL ought to have
a servicePrincipalName of HOST/[EMAIL PROTECTED]
That would comply with your domain_realm mapping.
But if you checked the AD, it would probably have been created by samba
as HOST/[EMAIL PROTECTED]
Attempts to communicate by constructing the long form servicePrincipalName
using the HOST/[EMAIL PROTECTED] will fail.
Although samba mostly works OK because it mostly seems to use the short form
of the service name HOST/[EMAIL PROTECTED] when it builds
servicePrincipalName or CIFS/[EMAIL PROTECTED]
The hardest part of Kerberos AD integration is trying to talk sensibly about
HOST/[EMAIL PROTECTED] and HOST/[EMAIL PROTECTED]
in an environment where REALM and DOMAIN get used interchangeably.
Also, I found I had to explicitly state my default enctypes to include 
rc4-hmac
or apply the hotfix from MS to allow des-cbc-crc enctypes

Also, if I want to make these log entries go away
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
 ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
I have to explicitly set the order of the permitted enctypes so the 
common case is the first in the list.
During debugging, I just listed every possible enctype in the permitted 
list and just haven't cleaned it up.

MS AD uses rc4-hmac (arcfour-hmac-md5).  If it's first in the default 
list, the first attempt will succeed.

This krb5.conf works with MIT kerberos 3.1.4.
Oh, and you have to add the real dns names in MS AD servicePrincipalName 
as HOST and CIFS

[libdefaults]
default_realm = NT.LDXNET.COM
default_keytab_name = FILE:/etc/krb5.keytab
default_keytab_name = /etc/krb5.keytab
default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-cbc-sha1 des-cbc-md4 ...

[realms]
NT.LDXNET.COM = {
 kdc = ranger1.nt.ldxnet.com:88
 admin_server = ranger1.nt.ldxnet.com:749
 default_domain = nt.ldxnet.com
}
[domain_realm]
.nt.ldxnet.com = NT.LDXNET.COM
nt.ldxnet.com = NT.LDXNET.COM
gate.ldxnet.com = NT.LDXNET.COM
ldxnet.com = NT.LDXNET.COM
.ldxnet.com = NT.LDXNET.COM
Hope it helps.
Regards, Doug


[Samba] Re: Here is the document

2004-09-11 Thread L-Soft list server at IUPUI University (1.8e)
> See the attached file for details.
Unknown command - "SEE". Try HELP.

Summary of resource utilization
-------------------------------
 CPU time:        0.000 sec         Device I/O:   4
 Overhead CPU:    0.000 sec         Paging I/O:   0
 CPU model:       2-CPU 2.8GHz Xeon 512k (2048M)
 Job origin:      [EMAIL PROTECTED]


Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Friday 10 September 2004 21:39, Gerald (Jerry) Carter wrote:
> I spent some time on this today without any luck
> reproducing the problem.  My test server was SuSE 9.1 pro
> however with heimdal 0.6.1rc3.
I've looked more at Kerberos: you are using the Heimdal implementation, the other
reporter seems to have MIT.
Looking more at my previous post and googling about the error on the Debian
computer, "Decrypt integrity check failed":
A thread on the Kerberos ML in June has some issues between the Heimdal and MIT
implementations about decrypting a ticket:

http://mailman.mit.edu/pipermail/kerberos/2004-June/005552.html

The problem is perhaps related only to MIT implementation,


[Samba] Sage Problem

2004-09-11 Thread Terry
Has any one run sage line 50 with samba
As i have setup a samba server to hold the data directory for sage was 
fine for bout week then slowed right down
a samba restart seemed to help but sage still runs rather slow
We are only talking about 5 users at a time the data dir is about 2gb in 
size
Any help would be handy or tweaks for samba
Samba version 2.2.8a
Freebsd 4.9
2.4 cpu with 512 ram 
100 mb Nic and switch
Clients running nt4 sp6
sage version 10.

Regards Terry


[Samba] Newbie question on AD permissions

2004-09-11 Thread waljureg
Hi,

you have two options,

1.- Configure winbind
2.- Create local users and map to them in smb.conf -> username map
parameter.



Re: [Samba] Samba 3.0.6 Problems w/AD and Kerberos

2004-09-11 Thread Blindauer Emmanuel
On Friday 10 September 2004 22:28, Gerald (Jerry) Carter wrote:
>
> Tom, I'm not completely willing to cross this out as a redhat
> specific issue.  I've seen at least one specific report
> with debian (krb 1.3.4 and samba 3.0.6 both compiled locally).
> However, krb5 is tricky to debug remotely like this :-\
>
> Can anyone shed any more light on any more platforms? Other
> than debian and redhat?

Yes!

I've spent some hours looking at the versions used on other computers, and I
have an Aurora sparc with kerberos 1.3.2, samba compiled from sources 3.0.6
with patch on winbind.

Here is the logs when I mount my share \\sparc\user:


[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(183)
  ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:09:14, 10] libads/kerberos_verify.c:ads_verify_ticket(177)
  ads_verify_ticket: enc type [3] decrypted message !
[2004/09/11 15:09:14, 10] passdb/secrets.c:secrets_named_mutex_release(716)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:09:14, 10] libsmb/clikrb5.c:get_krb5_smb_session_key(386)
  Got KRB5 session key of length 8
*

the same part, on debian (same samba 3.0.6 + winbind patch, same smb.conf, but 
krb1.3.4) \\debian\user


[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex(702)
  secrets_named_mutex: got mutex for replay cache mutex
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(193)
  ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
[2004/09/11 15:10:18, 10] passdb/secrets.c:secrets_named_mutex_release(714)
  secrets_named_mutex: released mutex for replay cache mutex
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Succès)
[2004/09/11 15:10:18, 1] smbd/sesssetup.c:reply_spnego_kerberos(173)
  Failed to verify incoming ticket!
[2004/09/11 15:10:18, 3] smbd/error.c:error_packet(129)
  error packet at smbd/sesssetup.c(174) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE



note the :
[2004/09/11 15:10:18, 3] libads/kerberos_verify.c:ads_verify_ticket(307)
  ads_verify_ticket: krb5_rd_req with auth failed (Succes)

There is probably a problem here too.





The krb5.conf on the sparc:
**
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 ticket_lifetime = 24000
 default_realm = DPTINFO.URS.LOCAL
 dns_lookup_realm = false
 dns_lookup_kdc = false
 kdc_req_checksum_type = 2
 checksum_type = 2
 ccache_type = 1
 forwardable = true
 proxiable = true
[realms]
 DPTINFO.URS.LOCAL = {
 kdc = canard.u-strasbg.fr:88
 admin_server = canard.u-strasbg.fr:749
 default_domain = u-strasbg.fr
[domain_realm]
 u-strasbg.fr = DPTINFO.URS.LOCAL
 .u-strasbg.fr = DPTINFO.URS.LOCAL
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


the krb5 on the debian:

***
[libdefaults]
default_realm = DPTINFO.URS.LOCAL
# The following krb5.conf variables are only for MIT Kerberos.
krb4
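
An added example, not part of the original posts and not Samba code: a small Python parser for the smbd debug lines quoted in this thread. It separates "Bad encryption type" (the key tried has a different enctype than the ticket) from "Decrypt integrity check failed" (the enctype matches the ticket but the key does not decrypt it), and counts the failed attempts that an enctype ordering like the one discussed above would avoid. The function names are hypothetical; the enctype names are the standard Kerberos assignments.

```python
import re

# Kerberos enctype numbers (standard assignments) as smbd prints them in brackets.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}  # deprecated for Kerberos by RFC 6649
ATTEMPT = re.compile(r"enc type \[(\d+)\] "
                     r"(?:failed to decrypt with error (.+)|(decrypted message))")

# Message lines from the two excerpts in this thread; the mail client's line
# wrapping is undone and the timestamp header lines are left out.
SPARC_LOG = """\
ads_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [23] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_verify_ticket: enc type [3] decrypted message !
"""
DEBIAN_LOG = """\
ads_secrets_verify_ticket: enc type [18] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [17] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [16] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [23] failed to decrypt with error Decrypt integrity check failed
ads_secrets_verify_ticket: enc type [1] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
ads_secrets_verify_ticket: enc type [2] failed to decrypt with error Bad encryption type
"""

def analyse(log):
    """Return (accepted enctype or None, enctypes with a key mismatch, attempts)."""
    accepted, key_mismatch, attempts = None, [], 0
    for m in ATTEMPT.finditer(log):
        attempts += 1
        if m.group(3):
            accepted = int(m.group(1))
        elif "integrity check failed" in m.group(2):
            # Right enctype for this ticket, wrong key.
            key_mismatch.append(int(m.group(1)))
    return accepted, key_mismatch, attempts

def diagnose(log):
    """One-line verdict for a single session setup."""
    accepted, key_mismatch, attempts = analyse(log)
    if accepted is not None:
        weak = " (single DES, weak)" if accepted in SINGLE_DES else ""
        name = ENCTYPES.get(accepted, "unknown")
        return f"ok: {name}{weak} after {attempts - 1} failed attempts"
    if key_mismatch:
        name = ENCTYPES.get(key_mismatch[0], "unknown")
        return f"fail: ticket is {name} but the server's key does not decrypt it"
    return "fail: no key tried has the ticket's enctype"

if __name__ == "__main__":
    print("sparc: ", diagnose(SPARC_LOG))
    print("debian:", diagnose(DEBIAN_LOG))
```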

[Samba] Questions on VFS modules (audit)

2004-09-11 Thread Marco De Vitis
Hello,
I'm configuring Samba 3.0.6 on Debian stable, after using version 2.2.8a
for a while.

I have some questions on VFS modules, which could be summed up into a
single big question: is there any documentation about them, other than the
few paragraphs in the official howto?

Now for the single questions:

1. audit: its output goes into syslog, no options to change this, right?
And also no options to only record some specific actions, right? Due to
the way Windows clients access files, I see lots of useless lines
cluttering syslog.

2. extd_audit: same as audit, but it ALSO outputs to Samba logs. Can't the
output to syslog be deactivated here?
Also, I read it has a configurable parameter, a log level; what's the
syntax for this parameter? The howto does not explain it.

3. In my installation I can see more modules, not mentioned at all in the
howto:

cap.so
default_quota.so
expand_msdfs.so
full_audit.so
readonly.so

What's their use?
Of course, I'm particularly interested in "full_audit". Its source code
(seen downloading the samba tarball) contains some limited docs, e.g. it
does not list all possible options for its parameters. But, most of all,
if I try using it in smb.conf my samba won't run at all, reporting errors
with full_audit.so. Sorry that I can't show you the error log now, I
currently do not have access to that machine.

Thanks in advance for any info.

-- 
Ciao,
  Marco.

..."Hergest Ridge", Mike Oldfield 1974



[Samba] failing to print 'point-n-print'

2004-09-11 Thread Chris McKeever
Samba 3.0.6

I have successfully gotten other printers to work using the
'point-n-click' method for downloadable drivers.  However, playing
with one printer leads to failed results.

I have created the CUPS port/printer, added it to samba and then used
the Windows APW to upload the drivers.  After upload, the print
properties windows readjusts for the new printer options - I have
checked the print$ directory on the samba box and the files are there
- and doing an enumprinters displays the uploaded driver associated
with the correct printer.

I am able to right click 'connect' - but when I print a test page -
windows pops a message 'test page failed to print' .. I also get an
error message when trying to print from an application (ie WORD)

The printer is a TOSHIBA studio 35 - and I am using the vendor
drivers.  If I try it using the PPD/ADOBE method - it works fine

If someone would like to test the driver, it can be downloaded from:
http://copiers.toshiba.com/support/drivers/GL-1010v2.shtml

Any suggestions would be appreciated - thanks

chris