[Samba] Regarding changing ACL with LDAP or SAMBA

2009-10-14 Thread Michael Persson

Hi

I am trying to change the ACL for an Active Directory group using Perl on 
Linux. The problem is that there are no Perl bindings for Samba and I 
couldn't find any UNIX-compatible module that can let me do this.


This is the same as setting "Managed By" and then clicking "(X) Manager 
can update membership list" in the AD admin tools.


# ldapmodify -x -h Server -W -D "Domain\User" -f update.ldif

--- update.ldif
dn: CN=Group,OU=Location,DC=Domain,DC=Local
changetype: modify
replace: managedBy
managedBy: CN=User,CN=Users,DC=Domain,DC=Local

# ldapsearch -LLL -x -h Server -p 3268 -W -b "DC=Domain,DC=Local" -D "Domain\User" "(&(CN=Group)(ntSecurityDescriptor=*))" ntSecurityDescriptor
dn: CN=Group,OU=Location,DC=Domain,DC=Local
nTSecurityDescriptor:: EaKFAKoAMEDAAAEALQAAAUAOAUAOAUAOAUAOADA
 AEALQQEaKFDdARooU2AwAA+ANnwaV6lr/mFAKoAMEniAQEDAAEAB1o4ACADvz
 ...


Does anyone have good advice on how to solve this most easily? I would 
like to avoid writing a module with Samba bindings or a module that 
actually interprets the binary info.


Regards
Michael
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
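
An added example (not code from the original post or from Samba) of the part Michael would rather not write: a parser for the self-relative nTSecurityDescriptor that ldapsearch prints as base64, listing which SIDs an allow ACE permits to change the group's member attribute, which is the right the "Manager can update membership list" checkbox grants. The member attribute GUID is assumed from the published AD schema; the domain SID and sample descriptor are constructed, and the builder functions exist only to produce that sample.

```python
import base64
import struct
import uuid

# schemaIDGUID of the AD "member" attribute (assumed from the public AD schema,
# not taken from the original post).
MEMBER_ATTR_GUID = uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")

ACCESS_ALLOWED_ACE = 0x00
ACCESS_ALLOWED_OBJECT_ACE = 0x05
OBJECT_ACE_TYPES = (0x05, 0x06, 0x07, 0x08)  # object ACEs carry optional GUIDs
DS_WRITE_PROPERTY = 0x00000020
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000


def parse_sid(buf, off):
    """Binary SID at buf[off:] -> ("S-1-5-21-...", bytes consumed)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs))
    return text, 8 + 4 * count


def parse_acl(buf, off):
    """Yield one dict per ACE of the ACL that starts at buf[off:]."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    pos = off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        mask = struct.unpack_from("<I", buf, pos + 4)[0]
        body, object_type = pos + 8, None
        if ace_type in OBJECT_ACE_TYPES:
            obj_flags = struct.unpack_from("<I", buf, body)[0]
            body += 4
            if obj_flags & 0x1:  # ACE_OBJECT_TYPE_PRESENT: the attribute/right GUID
                object_type = uuid.UUID(bytes_le=bytes(buf[body:body + 16]))
                body += 16
            if obj_flags & 0x2:  # ACE_INHERITED_OBJECT_TYPE_PRESENT: skip it
                body += 16
        sid, _ = parse_sid(buf, body)
        yield {"type": ace_type, "flags": ace_flags, "mask": mask,
               "object_type": object_type, "sid": sid}
        pos += ace_size


def parse_security_descriptor(blob):
    """Self-relative SECURITY_DESCRIPTOR -> {"owner": sid or None, "dacl": [...]}."""
    _rev, _sbz1, control, off_owner, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative security descriptor")
    owner = parse_sid(blob, off_owner)[0] if off_owner else None
    dacl = list(parse_acl(blob, off_dacl)) if (control & SE_DACL_PRESENT and off_dacl) else []
    return {"owner": owner, "dacl": dacl}


def member_writers(blob_b64):
    """SIDs allowed to change the member attribute: generic write/all, or
    WriteProperty on the whole object or specifically on 'member'."""
    sd = parse_security_descriptor(base64.b64decode(blob_b64))
    writers = []
    for ace in sd["dacl"]:
        if ace["type"] not in (ACCESS_ALLOWED_ACE, ACCESS_ALLOWED_OBJECT_ACE):
            continue
        if ace["mask"] & (GENERIC_WRITE | GENERIC_ALL) or (
                ace["mask"] & DS_WRITE_PROPERTY
                and ace["object_type"] in (None, MEMBER_ATTR_GUID)):
            writers.append(ace["sid"])
    return writers


def build_sid(sid):
    """Inverse of parse_sid, used only to construct the sample below."""
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, authority, subs = parts[0], parts[1], parts[2:]
    return (struct.pack("<BB", rev, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def build_ace(mask, sid, object_type=None):
    """ACCESS_ALLOWED_ACE, or ACCESS_ALLOWED_OBJECT_ACE when a GUID is given."""
    body = struct.pack("<I", mask)
    if object_type is not None:
        body += struct.pack("<I", 0x1) + object_type.bytes_le
    body += build_sid(sid)
    ace_type = ACCESS_ALLOWED_ACE if object_type is None else ACCESS_ALLOWED_OBJECT_ACE
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def build_descriptor(owner_sid, aces):
    """Owner + DACL only (no group, no SACL), base64 like ldapsearch prints it."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    owner = build_sid(owner_sid)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         20, 0, 0, 20 + len(owner))
    return base64.b64encode(header + owner + acl).decode()


DOMAIN_SID = "S-1-5-21-1000-2000-3000"  # constructed, not a real domain
SAMPLE_BLOB = build_descriptor(DOMAIN_SID + "-512", [
    build_ace(GENERIC_ALL, DOMAIN_SID + "-512"),                           # Domain Admins
    build_ace(DS_WRITE_PROPERTY, DOMAIN_SID + "-1104", MEMBER_ATTR_GUID),  # the manager
    build_ace(0x10, DOMAIN_SID + "-1105", MEMBER_ATTR_GUID),               # ReadProperty only
])
```

Join the continuation lines of the `nTSecurityDescriptor::` value into one base64 string before passing it to `member_writers`.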


Re: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

2009-10-14 Thread Robert LeBlanc
I believe that if you are using msDNS in some fashion (as your DNS or
delegated domain) or have something like Bind updated with the SRV records
for the AD domain, then there is little configuration needed in krb5.conf as
the libraries will query DNS for a KDC. If your DNS is not set up with the
SRV records then you will need to enter the domain and KDC information in
krb5.conf. We have a delegated AD domain from Bind and I used to enter all
the info in krb5.conf; I then started taking stuff out until I got to an
empty krb5.conf file and it still worked. Our krb5.conf does have a few
lines for options where we override the defaults, but they are not needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Wed, Oct 14, 2009 at 5:03 PM,  wrote:

> Hi folks,
>
> In a scenario where you are just joining samba to an existing windows 2003
> AD as a member server, I have been told that in some unknown/unsubscribed
> conditions you need to manually set up kerberos and use kinit
> before joining the active directory with net ads join.
>
> I think this is untrue personally because from what I understand about
> samba joining a domain, the samba/winbind/net ads join command
> automatically uses kerberos libraries to autogenerate its tickets upon a
> successful domain join.
> Additionally AFAIK tickets are refreshed by winbind automatically so you
> really never need to run kinit or set up krb5.conf if you use samba to join
> the AD as a domain member server.
>
> Could someone please clarify this so I can make this myth go away? Could I
> be wrong? Is there a special circumstance where this applies that I don't
> know about? Some magic non-default active directory configuration that
> insists kerberos be set up differently than samba can muster to do
> automatically??
>
>
> Thanks!
> -Clayton
>
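
As an added illustration of Robert's point (example code, not from the post or from Samba): parse the `_kerberos._tcp.<realm>` SRV answer that the Kerberos libraries query, order the KDCs the way a client tries them, and render the minimal krb5.conf for each of the two cases. The realm and hostnames are constructed.

```python
import re

# Constructed sample of a `dig +short _kerberos._tcp.example.local SRV` answer,
# i.e. what msDNS (or a BIND zone fed by AD) publishes. Hosts are invented.
SRV_ANSWER = """\
0 100 88 dc1.example.local.
0 100 88 dc2.example.local.
10 50 88 dc-branch.example.local.
"""

SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def parse_srv(answer):
    """Parse 'priority weight port target' lines into tuples, ordered the way a
    Kerberos client tries them: lowest priority first, heavier weight first
    within the same priority (ties keep DNS order)."""
    records = []
    for line in answer.splitlines():
        m = SRV_LINE.match(line)
        if m:
            prio, weight, port, host = m.groups()
            records.append((int(prio), int(weight), int(port), host))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def kdc_order(answer):
    """Hostnames in the order a client would contact them."""
    return [host for _prio, _weight, _port, host in parse_srv(answer)]


def render_krb5_conf(realm, srv_records, manual_kdcs=()):
    """Minimal krb5.conf for the two cases in the reply above: SRV records
    present -> let the libraries locate the KDC through DNS; none -> list the
    KDCs explicitly (manual_kdcs holds 'host' or 'host:port' strings)."""
    realm = realm.upper()
    lines = ["[libdefaults]", "\tdefault_realm = %s" % realm]
    if srv_records:
        lines += ["\tdns_lookup_kdc = true", ""]
        return "\n".join(lines) + "\n"
    if not manual_kdcs:
        raise ValueError("no SRV records and no KDC given for %s" % realm)
    lines += ["\tdns_lookup_kdc = false", "", "[realms]", "\t%s = {" % realm]
    lines += ["\t\tkdc = %s" % kdc for kdc in manual_kdcs]
    lines += ["\t\tadmin_server = %s" % manual_kdcs[0], "\t}", "",
              "[domain_realm]",
              "\t.%s = %s" % (realm.lower(), realm),
              "\t%s = %s" % (realm.lower(), realm), ""]
    return "\n".join(lines) + "\n"
```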


[Samba] Solved (work around): Compiling SAMBA on Solaris 10 to use AD on Windows 2008 server

2009-10-14 Thread Tom Hallam
I ended up upgrading openssl, compiling kerberos from source and 
recompiling samba against that.  After the recompile I was able to get 
Solaris to join the domain with the existing configuration.


It looks like there is some feature in kerberos that samba needs but 
kerberos that comes with Solaris does not provide.  It's got something 
to do with krb5_mk_req_extended but I'm not sure exactly what.  I read 
somewhere that Solaris (9) only provides the gssapi and not the "older 
krb5" interface.  This seems no longer to be the case but it does look 
like the features available through krb5 may only be partial.


Tom Hallam

Tom Hallam wrote:
We've just set up a number of linux servers to access our AD server 
(Windows server 2008) and now have to set up a Solaris server.  I've 
downloaded, compiled and installed Samba (3.4.2), configured kerberos 
and am now trying to get it to join the AD.  I get the following error:


samba-3.4.2/source3# net ads join -U username
Enter username's password:
[2009/10/13 13:10:42,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
 kinit succeeded but ads_sasl_spnego_krb5_bind failed: krb5 conf file 
not configured
Failed to join domain: failed to connect to AD: krb5 conf file not 
configured

samba-3.4.2/source3#

If I run with "-d 1" I get:

[2009/10/13 13:26:47,  1] libnet/libnet_join.c:1871(libnet_Join)
 libnet_Join:
 libnet_JoinCtx: struct libnet_JoinCtx
 in: struct libnet_JoinCtx
 dc_name  : NULL
 machine_name : 'BADGER'
 domain_name  : *
 domain_name  : 'EEDS.EE.UWA.EDU.AU'
 account_ou   : NULL
 admin_account: 'thallam'
 admin_password   : *
 machine_password : NULL
 join_flags   : 0x0023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
 os_version   : NULL
 os_name  : NULL
 create_upn   : 0x00 (0)
 upn  : NULL
 modify_config: 0x00 (0)
 ads  : NULL
 debug: 0x01 (1)
 use_kerberos : 0x00 (0)
 secure_channel_type  : SEC_CHAN_WKSTA (2)
[2009/10/13 13:26:48,  1] libsmb/clikrb5.c:786(ads_krb5_mk_req)
 ads_krb5_mk_req: krb5_mk_req_extended failed (krb5 conf file not 
configured)

[2009/10/13 13:26:48,  0] libads/sasl.c:819(ads_sasl_spnego_bind)
 kinit succeeded but ads_sasl_spnego_krb5_bind failed: krb5 conf file 
not configured

[2009/10/13 13:26:48,  1] libnet/libnet_join.c:1902(libnet_Join)
 libnet_Join:
 libnet_JoinCtx: struct libnet_JoinCtx
 out: struct libnet_JoinCtx
 account_name : NULL
 netbios_domain_name  : 'EEDS'
 dns_domain_name  : 'eeds.ee.uwa.edu.au'
 forest_name  : 'eeds.ee.uwa.edu.au'
 dn   : NULL
 domain_sid   : *
 domain_sid   : 
S-1-5-21-2693662547-1243528254-4028546715

 modified_config  : 0x00 (0)
 error_string : 'failed to connect to AD: krb5 
conf file not configured'

 domain_is_ad : 0x01 (1)
 result   : WERR_GENERAL_FAILURE
Failed to join domain: failed to connect to AD: krb5 conf file not 
configured



I've checked the krb5.conf file and it's fine.  Issuing tickets etc. 
works.  Any ideas what the issue is?


Tom Hallam

Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Miguel Medalha

I can see that you are using LDAP.

Do you have the mandatory groups on your LDAP database?

Domain Users
Domain Guests
Domain Admins

Did you set up the appropriate rights with the "net rights grant" command?

Take a look at the smbldap-tools scripts:

https://gna.org/projects/smbldap-tools/

Chapter 5 of the "Samba 3 by Example" book can be very useful to you. It 
deals with Samba LDAP configuration.

Look here:

http://www.samba.org/samba/docs/man/Samba-Guide/happy.html

Regards



Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Bruno Steven
Please ignore the line "guest account = root"; I commented the line out.


On Wed, Oct 14, 2009 at 9:37 PM, Bruno Steven wrote:

> Sure, my smb.conf... thanks...
> [...]

Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Bruno Steven
Sure, my smb.conf... thanks...
#
#=== Global Settings ===

[global]

# --- Network Related Options ---
#
netbios name = LinuxDefault
workgroup = AMBLIVRE.COM
server string = Samba Server Version %v
#   enable privileges = yes

;   netbios name = MYSERVER

;   interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24
;   hosts allow = 127. 192.168.12. 192.168.13.

encrypt passwords = yes


# --- Logging Options ---
#
# Log File lets you specify where to put logs and how to split them up.
#
# Max Log Size lets you specify the max size log files should reach

# logs split per machine
# max 50KB per log file, then rotate
;   max log size = 50

# --- Standalone Server Options ---
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
guest account = root
#   security = share
#   passdb backend = tdbsam
#   passdb backend = ldapsam:ldap://127.0.0.1

# --- Domain Members Options ---
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *


;   security = domain
;   passdb backend = tdbsam
;   realm = MY_REALM

;   password server = 

# --- Domain Controller Options ---
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons lets Samba be a domain logon server for Windows workstations.
#
# Logon Script lets you specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path lets you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;   security = user
;   passdb backend = tdbsam

domain master = yes
domain logons = yes
# the login script name depends on the machine name
;   logon script = %m.bat
# the login script name depends on the unix user used
;   logon script = %u.bat
;   logon path = \\%L\Profiles\%u
# disables profiles support by specifying an empty path
;   logon path =

;   add user script = /usr/sbin/useradd "%u" -n -g users
;   add group script = /usr/sbin/groupadd "%g"
;   add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;   delete user script = /usr/sbin/userdel "%u"
;   delete user from group script = /usr/sbin/userdel "%u" "%g"
;   delete group script = /usr/sbin/groupdel "%g"


# --- Browser Control Options ---
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
local master = yes
os level = 64
preferred master = yes

#--- Name Resolution ---
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable its WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#
Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Miguel Medalha

Can you show us the contents of your smb.conf file?



Re: [Samba] cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE

2009-10-14 Thread simo
On Wed, 2009-10-14 at 17:02 -0700, Kathy Khagani wrote:
> MY OS is:
> 
> Red Hat Enterprise Linux ES release 4 (Nahant Update 8)
> 
> Samba version:
> 
> samba-3.0.25b-0.4E.6

As far as I know RHEL 4.8 has samba 3.0.33; this package is from RHEL
4.6. Are you sure your system was properly updated?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer 
Principal Software Engineer at Red Hat, Inc. 



[Samba] cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE

2009-10-14 Thread Kathy Khagani
MY OS is:

Red Hat Enterprise Linux ES release 4 (Nahant Update 8)

Samba version:

samba-3.0.25b-0.4E.6

I'm mapping a share drive and I get asked for a user name and password.  Right now 
I'm just troubleshooting the samba part.  The "smb" service is running and 
the "winbind" service is running too.


The /var/log/samba/ log file has the following in it:

libads/authdata.c:pac_io_pac_info_hdr_ctr(569)
  unknown PAC type 12
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [kkhagani...@stec-inc.ad]
[2009/10/14 16:51:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username STEC-INC=KKHAGANIXP$ is invalid on this system
[2009/10/14 16:51:05, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2009/10/14 16:51:05, 3] smbd/process.c:process_smb(1068)
  Transaction 3 of length 1854
[2009/10/14 16:51:05, 3] smbd/process.c:switch_message(926)
  switch message SMBsesssetupX (pid 31213) conn 0x0
[2009/10/14 16:51:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1244)
  wct=12 flg2=0xc807
[2009/10/14 16:51:05, 2] smbd/sesssetup.c:setup_new_vc_session(1200)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1029)
  Doing spnego session setup
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1060)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] 
PrimaryDomain=[]
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
  reply_spnego_negotiate: Got secblob of size 1623
[2009/10/14 16:51:05, 3] libads/authdata.c:pac_io_pac_info_hdr_ctr(569)
  unknown PAC type 12
[2009/10/14 16:51:05, 3] smbd/sesssetup.c:reply_spnego_kerberos(321)
  Ticket name is [kkhag...@stec-inc.ad]
[2009/10/14 16:51:05, 1] smbd/sesssetup.c:reply_spnego_kerberos(439)
  Username STEC-INC=kkhagani is invalid on this system
[2009/10/14 16:51:05, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(444) cmd=115 (SMBsesssetupX) 
NT_STATUS_LOGON_FAILURE
[2009/10/14 16:51:05, 3] smbd/process.c:timeout_processing(1328)
  timeout_processing: End of file from client (client has disconnected).
[2009/10/14 16:51:05, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/14 16:51:05, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2009/10/14 16:51:05, 3] smbd/server.c:exit_server_common(768)
  Server exit (normal exit)
[2009/10/14 16:51:06, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client xxx.xxx.xxx.xxx. Error 
Connection reset by peer
[2009/10/14 16:51:06, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2009/10/14 16:51:06, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/14 16:51:06, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2009/10/14 16:51:06, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not 
exist.
[2009/10/14 16:51:06, 3] smbd/server.c:exit_server_common(768)
  Server exit (process_smb: send_smb failed.)
[2009/10/14 16:51:06, 0] lib/util_sock.c:write_data(562)
  write_data: write failure in writing to client 0.0.0.0. Error Connection 
reset by peer
[2009/10/14 16:51:06, 0] lib/util_sock.c:send_smb(769)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2009/10/14 16:51:06, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/10/14 16:51:06, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2009/10/14 16:51:06, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not 
exist.
[2009/10/14 16:51:06, 3] smbd/server.c:exit_server_common(768)
  Server exit (process_smb: send_smb failed.)



Also the following command results:

#smbclient -d 4 -U kkhagani -W STEC-INC -L ldaptest


Connecting to xxx.xxx.xx.xxx at port 445
 session request ok
Password:
cli_session_setup: NT1 session setup failed: NT_STATUS_LOGON_FAILURE
session setup failed: NT_STATUS_LOGON_FAILURE


Any information and suggestion is greatly appreciated.



Regards,
Kathy



Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Bruno Steven
Hello Miguel, I just commented this line because of the message "[2009/10/14
18:38:11, 0] param/loadparm.c:set_server_role(4293)
 Server's Role (logon server) conflicts with share-level security", but the
true problem continues. It's very hard to resolve this problem. Do you have any idea
about this message?

[2009/10/14 18:38:11, 0] services/services_db.c:svcctl_init_keys(420)
  svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/10/14 18:38:11, 0] smbd/server.c:main(1057)
  ERROR: failed to setup guest info.

Ok ... thanks  very much ...


On Wed, Oct 14, 2009 at 9:12 PM, Miguel Medalha wrote:

> If I were you, I would look at this problem first:
>
>> [2009/10/14 18:38:11, 0] param/loadparm.c:set_server_role(4293)
>>   Server's Role (logon server) conflicts with share-level security
>
> You have told your server to behave as a Domain Controller and yet at the
> same time you tell it to use share-level security?
>


-- 
Bruno Steven - Administrador de sistemas.
LPIC-1 - LPI ID: lpi000119659 / Code: p2e4wz47e4
https://www.lpi.org/caf/Xamman/certification

MCP-Windows 2003 - TranscriptID: 793804 / Access Code: 080089100
https://mcp.microsoft.com/authenticate/validatemcp.aspx


Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Bruno Steven
Hi... the option security level was uncommented, but I commented this option
out, and this message continues:
 Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/10/14 18:51:35, 0] services/services_db.c:svcctl_init_keys(420)
  svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/10/14 18:51:35, 0] smbd/server.c:main(1057)
  ERROR: failed to setup guest info

Which is the problem?

Please, any idea? Thanks for all.

 The option doesn't have a relation with my problem, so I commented the security
line, but

On Wed, Oct 14, 2009 at 9:08 PM, Jeremy Allison  wrote:

> On Wed, Oct 14, 2009 at 09:03:40PM -0300, Bruno Steven wrote:
> > Hello
> >
> > Does somebody have an idea which user account is responsible for the guest info? Is
> > there any Linux box with OpenLDAP and Samba integrated?
> >
> > Thanks .. .
> >
> > [2009/10/14 18:38:11, 0] smbd/server.c:main(942)
> >   smbd version 3.0.34 started.
> >   Copyright Andrew Tridgell and the Samba Team 1992-2009
> > [2009/10/14 18:38:11, 0] param/loadparm.c:set_server_role(4293)
> >   Server's Role (logon server) conflicts with share-level security
> > [2009/10/14 18:38:11, 0] services/services_db.c:svcctl_init_keys(420)
> >   svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
> > [2009/10/14 18:38:11, 0] smbd/server.c:main(1057)
> >   ERROR: failed to setup guest info.
>
> You can't have "security = share" with "domain logons = yes",
> it makes no sense. Fix that first.
>
> Jeremy.
>





Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Miguel Medalha

If I were you, I would look at this problem first:


[2009/10/14 18:38:11, 0] param/loadparm.c:set_server_role(4293)
  Server's Role (logon server) conflicts with share-level security


You have told your server to behave as a Domain Controller and yet at 
the same time you tell it to use share-level security?





Re: [Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Jeremy Allison
On Wed, Oct 14, 2009 at 09:03:40PM -0300, Bruno Steven wrote:
> Hello
> 
> Does somebody have an idea which user account is responsible for the guest info? Is
> there any Linux box with OpenLDAP and Samba integrated?
> 
> Thanks .. .
> 
> [2009/10/14 18:38:11, 0] smbd/server.c:main(942)
>   smbd version 3.0.34 started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2009
> [2009/10/14 18:38:11, 0] param/loadparm.c:set_server_role(4293)
>   Server's Role (logon server) conflicts with share-level security
> [2009/10/14 18:38:11, 0] services/services_db.c:svcctl_init_keys(420)
>   svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
> [2009/10/14 18:38:11, 0] smbd/server.c:main(1057)
>   ERROR: failed to setup guest info.

You can't have "security = share" with "domain logons = yes",
it makes no sense. Fix that first.

Jeremy.
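
An added example (not code from the thread or from Samba) that checks an smb.conf for the conflict Jeremy points out: it parses the [global] section using Samba's comment characters and its case- and whitespace-insensitive parameter names, then reports `domain logons = yes` combined with a `security` setting other than `user`, the deprecated `security = share`, and `guest account = root`. The sample config is a constructed reduction of the one posted earlier in this thread.

```python
import re

# Constructed reduction of the smb.conf posted in this thread: a would-be
# domain controller (domain logons = yes) configured for share-level security.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = AMBLIVRE.COM
   server string = Samba Server Version %v
   guest account = root
   security = share
;  passdb backend = tdbsam
   domain master = yes
   domain logons = yes
   local master = yes
   os level = 64
   preferred master = yes
"""

# The same config with the two offending settings corrected.
FIXED_SMB_CONF = (SAMPLE_SMB_CONF
                  .replace("security = share", "security = user")
                  .replace("guest account = root", "guest account = nobody"))


def parse_smb_conf(text):
    """Return {section: {param: value}}. Lines starting with '#' or ';' are
    comments; parameter names are normalised by dropping whitespace and case,
    the way Samba matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def is_true(value):
    """Samba boolean: yes/true/1 are true."""
    return value.strip().lower() in ("yes", "true", "1")


def check_global(conf):
    """(severity, message) findings for the role/security problems in this thread."""
    g = conf.get("global", {})
    security = g.get("security", "user").lower()  # Samba's default is user
    domain_logons = is_true(g.get("domainlogons", "no"))
    findings = []
    if domain_logons and security != "user":
        findings.append(("error", "domain logons = yes requires security = user, "
                                  "found security = %s" % security))
    if security == "share":
        findings.append(("warning", "security = share is deprecated; use security = user"))
    if g.get("guestaccount", "").lower() == "root":
        findings.append(("error", "guest account = root runs every guest connection "
                                  "with root's filesystem rights"))
    if domain_logons and "passdbbackend" not in g:
        findings.append(("info", "domain controller without an explicit passdb backend; "
                                 "tdbsam or ldapsam expected"))
    return findings


def severities(text):
    """Just the severity column, for a quick pass/fail view."""
    return [severity for severity, _msg in check_global(parse_smb_conf(text))]
```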


[Samba] One Question .. the question... nobody don´t have answer ..

2009-10-14 Thread Bruno Steven
Hello

Does somebody have an idea which user account is responsible for the guest info? Is
there any Linux box with OpenLDAP and Samba integrated?

Thanks .. .

[2009/10/14 18:38:11, 0] smbd/server.c:main(942)
  smbd version 3.0.34 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2009
[2009/10/14 18:38:11, 0] param/loadparm.c:set_server_role(4293)
  Server's Role (logon server) conflicts with share-level security
[2009/10/14 18:38:11, 0] services/services_db.c:svcctl_init_keys(420)
  svcctl_init_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2009/10/14 18:38:11, 0] smbd/server.c:main(1057)
  ERROR: failed to setup guest info.




[Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?

2009-10-14 Thread admin
Hi folks,

In a scenario where you are just joining samba to an existing windows 2003
AD as a member server, I have been told that in some unknown/unsubscribed
conditions you need to manually set up kerberos and use kinit
before joining the active directory with net ads join.

I think this is untrue personally because from what I understand about
samba joining a domain, the samba/winbind/net ads join command
automatically uses kerberos libraries to autogenerate its tickets upon a
successful domain join.
Additionally AFAIK tickets are refreshed by winbind automatically so you
really never need to run kinit or set up krb5.conf if you use samba to join
the AD as a domain member server.

Could someone please clarify this so I can make this myth go away? Could I
be wrong? Is there a special circumstance where this applies that I don't
know about? Some magic non-default active directory configuration that
insists kerberos be set up differently than samba can muster to do
automatically??


Thanks!
-Clayton



Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)

2009-10-14 Thread admin
Hopefully that isn't a bad thing! haha 
Thanks! 


On Wed, 14 Oct 2009 15:44:54 -0700, Jeremy Allison  wrote:
> On Wed, Oct 14, 2009 at 04:02:41PM -0600, ad...@ateamonsite.com wrote:
>> Hi Jeremy,
>> 
>> 
>> > Sorry, didn't look too closely at your winbindd issue.
>> > winbindd will cache all information to allow disconnected
>> > operation (we made this work perfectly at SuSE), so there
>> > certainly shouldn't be a problem with a loss of connection to a DC.
>> 
>> I am sorry to report that I am in fact using SuSE, and this problem is
>> very easy to reproduce if I power off my AD domain, then wait (I guess) 10
>> minutes - then try and ssh to my Linux box. There is no way to log into
>> the box.
> 
> Ok, then I'm going to hand you over to the SuSE Samba Team
> maintainers on this list (sorry :-).
> 
> Jeremy.


Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)

2009-10-14 Thread Jeremy Allison
On Wed, Oct 14, 2009 at 04:02:41PM -0600, ad...@ateamonsite.com wrote:
> Hi Jeremy,
> 
> 
> > Sorry, didn't look too closely at your winbindd issue.
> > winbindd will cache all information to allow disconnected
> > operation (we made this work perfectly at SuSE), so there
> > certainly shouldn't be a problem with a loss of connection to a DC.
> 
> I am sorry to report that I am in fact using SuSE, and this problem is very
> easy to reproduce if I power off my AD domain, then wait (I guess) 10
> minutes - then try and ssh to my Linux box. There is no way to log into the
> box. 

Ok, then I'm going to hand you over to the SuSE Samba Team
maintainers on this list (sorry :-).

Jeremy.


Re: [Samba] Does the BDC need to "join" a domain?

2009-10-14 Thread Thierry Lacoste


On 14 oct. 09, at 18:36, Gaiseric Vandal wrote:

I supposed it depends if Samba is configured to automatically create
the underlying unix accounts when you create samba accounts.  My
setup doesn't.  I created a "user" account in ldap for my BDC.
(the unix passwd should be *LK* and the shell should be /bin/false)
Running "net rpc join" will then add the appropriate samba attributes.


I think you also need to grab the domain SID

BDC# net rpc getsid
Password:
Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb
#


However, I am not sure the domainsid for the machine is meant to  
match the domainsid of the domain.On my PDC, they match.  On the  
BDC, they don't.I am not sure if I need to change that.
They should match (see e.g. http://lists.samba.org/archive/samba/2007-August/134734.html).


group mappings do NOT seem to be stored in ldap.  So you either need
to copy the appropriate tdb file over or run the identical net group map
commands on the BDC.

Group mappings should be stored in LDAP.
This is the purpose of the sambaGroupMapping auxiliary objectClass which
extends the posixGroup structural objectClass in a typical samba/ldap  
implementation.


Regards,
Thierry





[Samba] RedHat Linux AS4 64bit samba to ADS share issue ... winbind start/stop makes it work....

2009-10-14 Thread Brian Murphy
Have a bit of a situation and hope someone can help shed some light.  Have
the attached samba config on a RedHat Linux AS4 x86_64 system and have
joined the box to our Windows 2003 ADS environment using:

net ads join -Uadmin

We can map a user to their home directory without issue.  For the [dataload]
or other shares we receive a window on our Windows boxes that requests
identification, unless we have started and then stopped the winbind service.
If the winbind service is running, we get the id window again.  I sure hope
someone can tell us where our config has gone wrong.  I suspect that winbind
has set up some structure or cached some info that makes our config work.

Thanks.

Brian Murphy

Eastern Illinois University


#=== Global Settings =

[global]
   realm = eiuad.eiu.edu

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = EIU

# server string is the equivalent of the NT Description field
   server string = sysbdb03 Samba Server

;   hosts allow = 192.168.1. 192.168.2. 127.
   hosts allow = 139.67.

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx
   printing = cups

# This option tells cups that the data has already been rasterized
   cups options = raw

   log file = /var/log/samba/%m.log

# Put a capping on the size of the log files (in Kb).
   max log size = 50

# Security mode. Most people will want user level security. See
# security_level.txt for details.
   security = ads

# Use password server option only with security = server
   password server = eiudc06.eiuad.eiu.edu eiudc05.eiuad.eiu.edu eiudc04.eiuad.eiu.edu

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
# NOTE: password level only affects plaintext password checks against the
# local Unix password database; with encrypted passwords and security = ads
# the DC does the authentication, so this setting is not used here.
   password level = 8
;  username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
   encrypt passwords = yes
;  smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# update the Linux system password also.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
;  unix password sync = Yes
;  passwd program = /usr/bin/passwd %u
;  passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
;  username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /etc/samba/smb.conf.%m

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
;   interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
;   remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
;   remote announce = 192.168.1.255 192.168.2.44

# Browser Control Options:
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
;   local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
;   os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
   domain master = no

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
;   preferred master = yes

# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations.
;   domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per

[Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)

2009-10-14 Thread admin
Hi Jeremy,


> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.

I am sorry to report that I am in fact using SuSE, and this problem is very
easy to reproduce if I power off my AD domain, then wait (I guess) 10
minutes - then try and ssh to my Linux box. There is no way to log into the
box. 

If I am fortunate to have a terminal open already logged in, I cannot run
commands like "ls" or "man", "getfacl" or many others. The machine is
useless until I "killall winbindd"; then magically the system is back to
normal and commands are able to execute.
I looked at the init script for that version on SUSE for winbind and it is
running in cached mode.


If it helps to know, I have about 4 user/group objects in the Windows
2003 R2 AD (with 1 child domain) and I try to put as many ACLs as I can in
the filesystem permissions using setfacl for my cross-platform filesystem
capability testing. I doubt this is the issue though, I just want you to be
informed in case some gotcha I don't know about exists for this scenario.
I have a nice server with plenty of RAM and CPU oomph and a nice RAID setup
so I doubt it is that either.


I am hoping some light can be shed on this issue, so here is my smb.conf
and system info:



samba-3.2.7-11.2.1.x86_64
krb5-1.6.3-50.1.x86_64


openSUSE 11.0 (X86-64)
VERSION = 11.0




[global]
workgroup=qa2k3192
realm=QA2K3192.EDU
server string=HSA-PFX10101001 - 10.10.1.72
os level=24
domain master=no
local master=no
preferred master=yes
encrypt passwords=yes
level2 oplocks=yes
security=ads
password server=*
wins server=
inherit acls=yes
map acl inherit=yes
log file=/var/log/samba/log%m
dos filemode=yes
printing=BSD
printcap name = /dev/null
admin users = webadmin
username map = /etc/samba/smbusers
winbind enum users=no
winbind enum groups=no
map to guest = bad user
interfaces = eth2
disable spoolss = yes

idmap domains =  \
QA2K3192 \
QA2K3SUB192

#QA2K3192 S-1-5-21-937701456-36023052-1036737269
idmap config QA2K3192:backend = rid
idmap config QA2K3192:base_rid = 0
idmap config QA2K3192:range = 100 - 199

#QA2K3SUB192 S-1-5-21-3854371235-711543302-3856612158
idmap config QA2K3SUB192:backend = rid
idmap config QA2K3SUB192:base_rid = 0
idmap config QA2K3SUB192:range = 200 - 299

[company]
comment=foo
path=/cifs/company
writeable=yes
browseable=yes
hosts allow=
hosts deny=
inherit acls=yes
guest ok=no
force unknown acl user=no
valid users = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
write list = @"QA2K3192\domain admins",@"QA2K3SUB192\domain admins",@QA2K3192\ladies
read list =




I desperately hope we can nail down this issue... it is giving me support
headaches when people change their networks then want to reconfigure the
samba server last... catch 22!

Thank you again,
-Clayton






On Tue, 13 Oct 2009 21:14:30 -0700, Jeremy Allison  wrote:
> On Tue, Oct 13, 2009 at 08:10:56PM -0700, Clayton Hill wrote:
>> Thank you for the info Jeremy
>>
>> I think I will try EXT4 and see if I have better results then - also I  
>> agree with you about streams - I just think some of my more foolish  
>> clients wont.
>> Better just tell them "NO" firmly and then give them the example you  
>> gave - ;-)
> 
> Well I'm not saying we won't support streams in Samba,
> we'll just have to do it by layering meta-data over
> the filesystem. We already have 2 vfs modules that
> implement this.
> 
>> Any workaround for the winbind problem I have? This to me is a very  
>> serious problem and all I can think of for a solution is of making a  
>> script that would ping the DC and if the connection to the DC was gone, 

>> to kill winbind, then if the DC is back, start winbind back up.
>> IS this a good idea? It seems very very bad and hacky to me... I am  
>> hoping with all my fingers crossed that you have a better solution!
> 
> Sorry, didn't look too closely at your winbindd issue.
> winbindd will cache all information to allow disconnected
> operation (we made this work perfectly at SuSE), so there
> certainly shouldn't be a problem with a loss of connection to a DC.
> 
> Jeremy.


Re: [Samba] Does the BDC need to "join" a domain?

2009-10-14 Thread Thierry Lacoste


On 14 oct. 09, at 22:57, Mariano Absatz wrote:


On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal wrote:


I supposed it depends if Samba is configured to automatically
create the underlying unix accounts when you create samba
accounts.  My setup doesn't.  I created a "user" account in ldap
for my BDC.   (the unix passwd should be *LK* and the shell should be
/bin/false)   Running "net rpc join" will then add the appropriate
samba attributes.

(...)



Thanx Gaiseric,

it was more or less the way you said... only changing the order:
1) BDC# net join -S PDC -UAdministrator
(since I'm using ldapsam:editposix = yes, the posix account is created
automatically by samba)
2) BDC# net rpc getsid
(this automatically retrieves the domain SID from the PDC and stores
it into secrets.tdb)


According to "samba 3 by example" this is not necessary unless you
run winbind
(http://www.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-bldg1)


Now you must obtain the domain SID from the PDC and store it into the
secrets.tdb file also. This step is not necessary with an LDAP passdb
backend because Samba-3 obtains the domain SID from the sambaDomain object
it automatically stores in the LDAP backend. It does not hurt to add the SID
to the secrets.tdb, and if you wish to do so, this command can achieve that:


root#  net rpc getsid MEGANET2
Storing SID S-1-5-21-3504140859-1010554828-2431957765 \
   for Domain MEGANET2 in secrets.tdb

When configuring a Samba-3 BDC that has an LDAP backend, there is no need to
take any special action to join it to the domain. However, winbind
communicates with the domain controller that is running on the localhost and
must be able to authenticate, thus requiring that the BDC should be joined to
the domain. The process of joining the domain creates the necessary
authentication accounts.




The only thing that doesn't seem completely right is that after this, if I run

BDC# net getdomainsid
I get: "Could not fetch local SID"


However, if I run
BDC# sudo net getlocalsid MYDOMAIN
I get the correct SID for the domain... maybe I must generate a local
SID for the BDC? or something went wrong?...

You can issue "net setlocalsid S-" on your BDC where S- is the SID obtained
with "net getlocalsid MYDOMAIN"

Regards,
Thierry




Re: [Samba] Does the BDC need to "join" a domain?

2009-10-14 Thread Mariano Absatz
On Wed, Oct 14, 2009 at 13:36, Gaiseric Vandal wrote:
>
> I supposed it depends if Samba is configured to automatically create the
> underlying unix accounts when you create samba accounts.  My setup doesn't.
> I created a "user" account in ldap for my BDC.   (the unix passwd should be
> *LK* and the shell should be /bin/false)   Running "net rpc join" will then add
> the appropriate samba attributes.
> (...)


Thanx Gaiseric,

it was more or less the way you said... only changing the order:
1) BDC# net join -S PDC -UAdministrator
(since I'm using ldapsam:editposix = yes, the posix account is created
automatically by samba)
2) BDC# net rpc getsid
(this automatically retrieves the domain SID from the PDC and stores
it into secrets.tdb)


The only thing that doesn't seem completely right is that after this, if I run
BDC# net getdomainsid
I get: "Could not fetch local SID"


However, if I run
BDC# sudo net getlocalsid MYDOMAIN
I get the correct SID for the domain... maybe I must generate a local
SID for the BDC? or something went wrong?...



--
Mariano Absatz - El Baby
www.clueless.com.ar


[Samba] sambaShare used?

2009-10-14 Thread Kent Nasveschuk
Just curious, is sambaShare objectClass used by Samba 3.4.2? Currently testing 
Samba 3.4.2 with OpenLDAP 2.4.11 backend in test environment. Couldn't find out 
much about it other than it has 2 attributes and is part of the samba.schema. 

Thanks 

Kent 


[Samba] Somehow Solved ad 2003 & nss_ldap produce: smbd/service.c:make_connection_snum(1003): Permission denied

2009-10-14 Thread Andreas Zickner

Hi,

I found out that it works on a physical machine. Before I had 3
installations in VMware -- all were giving me a 'Permission denied' for
the stat system call. Somehow there is an impact of having RedHat
running in VMware.


Andreas Zickner wrote:

Hi,

with the Samba 3.0.22 based HP CIFS Server A.02.03.02 the setup
works. I can mount the home dir without any issues. I used exactly the
same smb.conf (except the line winbind offline logon = false).

Any idea why this does not work with RH 5.4 (and 5.3)?

thanks for any help

Andreas

P.S.: on HP-UX I'm using ldapux ... not nss_ldap; but nsswitch.conf is
the same and winbindd is running.

Andreas Zickner wrote:

Hello all,

for some weeks I have been trying to get the following configuration working

Windows 2003 AD (no R2!!) with SFU 3.5
Red Hat Enterprise Linux Server release 5.4 (Tikanga) with
 Samba (samba-3.0.33-3.14.el5)
 nss_ldap (nss_ldap-253-21.el5)

So I wanted to implement the following setup:

http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2607783 



The main reason using this combination is that I must maintain the 
UID/GID of users in the AD. The UIDs of the users must be the same on 
all UX systems. I have two samba servers and other UX only servers.


(let me know if you find a better way doing this type of integration)

I followed several manuals and howtos to get it running. It looks all 
working except that I can't mount shares within samba. From my point 
of view Samba returns me a strange error:


Here is the log (user tata -> UID 1 from AD):

[2009/10/03 08:57:51, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 1
  Primary group is 10003 and contains 3 supplementary groups
  Group[  0]: 603
  Group[  1]: 600
  Group[  2]: 602
[2009/10/03 08:57:51, 5] smbd/uid.c:change_to_user(273)
  change_to_user uid=(1,1) gid=(0,10003)
[2009/10/03 08:57:51, 0] smbd/service.c:make_connection_snum(1003)
  '/home/tata' does not exist or permission denied when connecting to 
[share1] Error was Permission denied


I checked the source code and it looks to me that samba does a 'stat 
/home/tata' running as user tata (uid 1) but is getting a 
'Permission denied' from the OS. Ok I thought this is simply a 
permission issue  no success :-(


Ok what I already did & what is working:

* /home/tata is existing and has 777 (for test ... I tried also 755)
* su - tata and stat /home/tata are ok
* I can log on with the AD users on ux / ssh etc.; I have access etc.
* 'getent passwd' is fine
* 'wbinfo -u' and 'wbinfo -g' is fine
* mounting a share tmp with /tmp 
(http://us5.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html) 
is working!!

* Kerberos and winbind look ok to me ...
* winbind authentication of the user seem to be fine (from the logs)
* all things I see with the 'net' command seem to be ok.

Here my samba conf:

[global]
   workgroup = W2K3
   password server = AD.W2K3.LOCAL
   realm = W2K3.LOCAL
   security = ads
   idmap uid = 600-33554431
   idmap gid = 600-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
   winbind nested groups = yes
   server string = Samba Server Version %v
   passdb backend = tdbsam
   load printers = yes
   cups options = raw

; not working share
[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

; not working share
[share1]
comment = Share 1
path = /home/tata
read only = yes

; working share
[tmp]
comment = temporary files
path = /tmp
read only = yes


/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group:  files ldap
hosts:  files dns



I'm unable to mount share1 or homes  but I can mount tmp. If I 
change the path in share1 to /tmp I can mount share1 as well. I 
changed the permissions of /home/tata to the exact values as /tmp -> 
no luck


In the code I did not really find a reference to /tmp but I'm not a 
samba guru  (btw. I like the code!!, easy to read :D )


Unfortunately I have to get this also running on HP-UX 11iv3  any 
input if this is even possible?


I'm also happy to get any alternative solutions that enable me to 
manage the uid in AD and having the accounts only in AD 


I would appreciate any help here.

thanks,
Andreas

P.S: of course I can provide much more details / logs. Just tell me 



Re: [Samba] Does the BDC need to "join" a domain?

2009-10-14 Thread Gaiseric Vandal
I supposed it depends if Samba is configured to automatically create the 
underlying unix accounts when you create samba accounts.  My setup 
doesn't.  I created a "user" account in ldap for my BDC.   (the unix 
passwd should be *LK* and the shell should be /bin/false)   Running "net rpc 
join" will then add the appropriate samba attributes.


I think you also need to grab the domain SID

BDC# net rpc getsid
Password:
Storing SID S-...1234 for Domain MYDOMAIN in secrets.tdb
#


However, I am not sure the domainsid for the machine is meant to match 
the domainsid of the domain.  On my PDC, they match.  On the BDC, they 
don't.  I am not sure if I need to change that.


PDC# net getdomainsid
SID for domain PDC is: S--1234
SID for domain MYDOMAIN is: S--1234


BDC# net getdomainsid
SID for domain BDC is: S--1234
SID for domain MYDOMAIN is: S--1234


And you also need to set the ldap password

BDC# smbpasswd -w xx
Setting stored password for "Admin" in secrets.tdb
BDC#


pdbedit -Lv bdc$ should indicate the machine is type S.


group mappings do NOT seem to be stored in ldap.  So you either need to 
copy the appropriate tdb file over or run the identical net group map 
commands on the BDC.


I am not 100% convinced my BDC is setup correctly tho.

On 10/14/09 02:05, Mariano Absatz wrote:

If I configure a samba PDC and then a samba BDC, do I need a machine
trust account for the BDC?

That is, do I have to run "net rpc join" on the BDC?

Or manually create the account for the BDC in LDAP?

   




Re: [Samba] SOLVED: Samba as fileserver on Active Directory domain

2009-10-14 Thread Ivan Ordonez
We got our Samba joined to our Active Directory domain as a fileserver.  We 
emerged the latest Samba version, 3.4.2.  Instead of using the group 
name on Active Directory as the owner and group of a directory or file 
we are sharing, I used the GID and UID instead. 


hostname~#chown 1:200 /share/test

Also, below is a portion of my smb.conf.

[test]
   comment = test
   path = /share/test
   public = yes
   browseable = yes
   writable = yes
   users = "MYDOMAIN+mygroup"

Thanks,
-Ivan

Ivan Ordonez wrote:
I was able to set ACL with local username but can't do it on domain 
username or groups.


hostname ~ # getfacl /shared/drive
getfacl: Removing leading '/' from absolute path names
# file: shared/drive
# owner: mylocalusername
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

When I tried to set ACLs for domain account or groups, it was invalid 
option.


hostname ~ #setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3

hostname ~ #setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
setfacl: Option -m: Invalid argument near character 3

I believe the drive is mounted and ACL is enable.

hostname ~ # mount
/dev/hda3 on / type ext3 (rw,noatime,acl)

Here is my /etc/fstab
/dev/hda3    /    ext3    noatime,acl    0 1

What I find odd is running wbinfo and getent command to be very 
inconsistent.  I would sometimes get result and sometimes not. 
hostname ~ # wbinfo -u

Error looking up domain users

Any other suggestions?

Thanks.









Robert LeBlanc wrote:
Sorry, my bad, 3.3.8 was the security release. It sounds like it is 
working however. As far as ACLs, make sure that ACLs are turned on on 
your file system (mount -o acl for most filesystems) and then make 
sure you have the ACL packages for your distro installed (Debian: 
apt-get install acl). Then it's a matter of using the setfacl command 
like `setfacl -m d:u::rwx,u::rwx,d:g::rx,g::rx /my/shared/dir`.


You can add as many ACLs as you want; remember that the Linux default 
rwx perms set the max for ACL users and groups. If the Linux user 
(owner) ACL is rx, then even though an ACL specifies another user 
with rwx, they will only have rx. The second thing to remember is 
that the default ACL is not needed, but if specified will set those 
ACLs on all new files and directories and act much like Windows. If 
you set the permissions using Windows, the default ACL will be set. 
Thirdly, only the Linux user and group have the file counted against their 
quota; permissions assigned in ACLs do not affect those users' and 
groups' quotas. Fourthly, some applications are not ACL aware; Apache 
for instance does not look at ACLs on Linux. To check your set ACLs, 
use getfacl /this/is/my/file.


Hope that helps.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez wrote:


I was able to install 3.3.8 version of Samba.  I am running it
now.  I can see shares, but could not write at all.
ACL seems simple but I can't get it to work.  Any help or advise
would be greatly appreciated.


Robert LeBlanc wrote:

The changes have not made it into a 3.3.x release yet; 3.3.7 was
a security release, ideally 3.3.8 should have the fix. There were
quite a number of configuration changes from 3.0.x to 3.3.x in
regards to Active Directory; you may not be able to use your old
config without updating some things.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez wrote:


I am using Samba version 3.0.36.  When I upgraded to 3.3.7, I
got some "realm" complaints when I run testparm and some
"ADS"  related error.  The 3.3.7 version is masked by Gentoo
portage and not sure if it will be available soon.

Thanks,
-Ivan


Robert LeBlanc wrote:

What version of samba are you using? I submitted a patch to
Samba that is in 3.4.1 and slated for the next version of
3.3.x that fixes the workgroup/realm thing. It falls back to
SPNEGO without the patch, but it takes a little while; the
patch speeds things up.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University


On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson wrote:

How did you solve the Kerberos portion of things? When winbind tries
to connect to my server the Kerberos session fails as it tries to
connect with the workgroup instead of the realm.

Thanks

/Jonathan

On Fri, Oct 2, 2009 at 9:36 AM
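The mask rule Robert describes above, as an added example that is not code from this thread: a small Python reimplementation of the effective-permission computation getfacl(1) performs on a POSIX ACL. The ACL text is constructed from the getfacl output posted earlier plus a mask entry and the named domain user and group Ivan was trying to add (DOMAIN+myusername and DOMAIN+Domain Admins are assumed names, not taken from a real system). What the script makes concrete is that the mask entry, which is what chmod's group bits set once a file carries an extended ACL, caps named users, named groups and the owning group, while the owner and other entries are never capped; `ls_mode` shows why `ls -l` then displays the mask rather than the owning group. On the setfacl error posted above: "Invalid argument near character 3" is the message setfacl gives when the name after `g:` cannot be resolved through NSS, which is consistent with the failing `wbinfo -u`; a numeric ID, which is what the final fix in this thread uses, sidesteps that lookup.

```python
"""
Effective POSIX ACL permissions, computed the way getfacl(1) reports them.
Added example; not code from this thread or from Samba.
"""

# Constructed sample: the access ACL posted earlier in the thread, plus a mask
# entry and the named user/group entries that were being added. The names are
# assumed and do not come from a real system.
SAMPLE_ACL = """\
# file: shared/drive
# owner: mylocalusername
# group: root
user::rwx
user:DOMAIN+myusername:rwx
group::r-x
group:DOMAIN+Domain Admins:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
"""

PERM_ORDER = "rwx"


def parse_perms(text):
    """'r-x', 'rx' or 'rwx' -> frozenset of permission letters."""
    return frozenset(c for c in text if c in PERM_ORDER)


def fmt_perms(perms):
    """frozenset -> 'rwx' style string."""
    return "".join(c if c in perms else "-" for c in PERM_ORDER)


def parse_acl(text):
    """Parse getfacl-style output into entry dicts (default?, tag, name, perms)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        parts = line.split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        tag, perms = parts[0], parts[-1]
        name = ":".join(parts[1:-1])          # a name may itself contain ':'
        entries.append({"default": default, "tag": tag, "name": name,
                        "perms": parse_perms(perms)})
    return entries


def is_masked(entry):
    """The mask applies to named users, named groups and the owning group only."""
    return entry["tag"] == "group" or (entry["tag"] == "user" and entry["name"] != "")


def effective_entries(text):
    """Access ACL entries paired with their effective permissions."""
    access = [e for e in parse_acl(text) if not e["default"]]
    mask = next((e["perms"] for e in access if e["tag"] == "mask"), None)
    result = []
    for e in access:
        if e["tag"] == "mask":
            continue
        eff = e["perms"] & mask if (mask is not None and is_masked(e)) else e["perms"]
        result.append((e, eff))
    return result


def effective_for(text, tag, name=""):
    """Effective permissions of one entry as a string, or None if absent."""
    for e, eff in effective_entries(text):
        if e["tag"] == tag and e["name"] == name:
            return fmt_perms(eff)
    return None


def render(text):
    """Render like getfacl, annotating entries the mask reduces."""
    lines = []
    for e, eff in effective_entries(text):
        line = "%s:%s:%s" % (e["tag"], e["name"], fmt_perms(e["perms"]))
        if eff != e["perms"]:
            line += "\t#effective:%s" % fmt_perms(eff)
        lines.append(line)
    return "\n".join(lines)


def ls_mode(text):
    """The nine mode bits ls -l shows: owner, group class (the mask when one
    exists, otherwise the owning group), other."""
    acc = {(e["tag"], e["name"]): e["perms"] for e in parse_acl(text) if not e["default"]}
    group_class = acc.get(("mask", ""), acc[("group", "")])
    return fmt_perms(acc[("user", "")]) + fmt_perms(group_class) + fmt_perms(acc[("other", "")])


if __name__ == "__main__":
    print(render(SAMPLE_ACL))
    print("ls -l would show:", ls_mode(SAMPLE_ACL))
    widened = SAMPLE_ACL.replace("mask::r-x", "mask::rwx")   # what chmod g+w does
    print("after chmod g+w:", effective_for(widened, "group", "DOMAIN+Domain Admins"))
```

Run it against a real directory with `render(subprocess.check_output(["getfacl", path], text=True))`; an entry that gets a `#effective:` annotation is one the mask is silently trimming, which is the usual reason a group granted rwx through setfacl still cannot write.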

Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

2009-10-14 Thread Douglas E. Engert



ravi channavajhala wrote:

To my understanding, Windows treats principal names as case insensitive.
Kerberos treats them as case sensitive.  MIT Kerberos version 1.7 is
supposed to have fixed this.

The way to get around this is to add uppercase SPN names into the Kerberos
keytab. 


Not exactly. Windows AD will accept any case and return the principal in the 
ticket using the case requested by the caller.

A service principal usually consists of three parts: service, hostname and 
realm. The service should be entered in the correct case, for example: host, 
ldap or HTTP. The hostname should be the FQDN in lower case, and the realm 
should be the AD domain name in uppercase.

Case becomes an issue to a unix service if the case of the principal in the
ticket does not match the case in the keytab. It is also an issue when creating 
a keytab file using DES or AES, as the key is derived from a password and a salt. 
The salt is the concatenation of "host"||lowercase(samAccountName)||uppercase(AD 
domain name).
(Arcfour does not use a salt.)



Regards,
/rkc

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Bober, Mark
Sent: Wednesday, October 14, 2009 12:17 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

DNS, /etc/hosts, all that is correct, on the Samba box, the client, and the
2008 AD server.

It still works perfectly if you use \\128.252.x.x in the URI instead of the
name.

What is the functional difference between accessing a URI via IP rather than
the hostname or FQDN?

Mark


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Dirk Jakobsmeier
Sent: Tuesday, October 13, 2009 12:04 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

Am Montag 12 Oktober 2009 16:56:35 schrieb Bober, Mark:

Here's some things from log level 99:

[2009/10/12 09:43:53, 10] lib/util.c:2626(name_to_fqdn)
  name_to_fqdn: lookup for HOSTNAME -> hostname.domain.wustl.edu.
[2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU)
failed: Wrong principal in request
 [2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:220(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket:
krb5_rd_req_return_keyblock_from_keytab(host/hostn...@domain.wustl.edu)
failed: Wrong principal in request
 [2009/10/12 09:43:53,  3]
libads/kerberos_verify.c:266(ads_keytab_verify_ticket)
  ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab
principals
[2009/10/12 09:43:53,  3]
libads/kerberos_verify.c:567(ads_verify_ticket)
  ads_verify_ticket: krb5_rd_req with auth failed (Wrong principal in
request)
[2009/10/12 09:43:53, 10]
libads/kerberos_verify.c:576(ads_verify_ticket)
  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE


I've found several pieces of information about "wrong principal in request" errors 
pointing to a name resolution problem. Can you check DNS, /etc/hosts ...?



I cut some of that out - it tried each name 6 times, hence the 12?
Looking at the system keytab, and the computer account in AD, everything
seems to match. FWIW, if I leave the domain and come back specifying the
remaining 2003 server as the password server, this all looks the same
and seems to work

How much does capitalization matter? ADSIEDIT shows the
ServicePrincipalNames as

HOST/hostname.domain.wustl.edu
HOST/HOSTNAME

Where the keytab is:

host/hostname.domain.wustl.edu
host/hostname


-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of Dirk Jakobsmeier
Sent: Thursday, October 08, 2009 10:57 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Authenticating Samba 3.4.2 vs WinServer 2008R2

Hello Mark,

Am Donnerstag 08 Oktober 2009 16:03:13 schrieb Bober, Mark:

Hello! I'm having an odd issue between Samba and Win2k8R2. We updated
one of our domain controllers to 2k8R2, and as such are working in a
2003-level AD environment. If I force the 'password server' to the

2003


DC, then everything works fine, only working against the 2008 box has
issues.

we have several issues here depending on one of our servers (2008). E.g.

domain names (usern...@domainname) have to be written in capital letters
when
connecting to shares...


\\128.252.123.123\sharename 

And it works as expected - my clients are in the same domain, no
password is asked for, etc.

Using any form of the hostname in the URI, either \\hostname\sharename
  or \\hostname.domain.name\sharename
  in the URI will

continually


prompt for a password.  Using 'smbclient' with the names in the URI on
the Samba box itself works fine.


log level = 1

did you try to set this to a higher level (and restart samba)? I always
use 99
so I get large logfiles with nearly al
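The case sensitivity Douglas describes, as an added example that is neither Samba's code nor code from this thread: a minimal writer and reader for the MIT keytab file format (version 0x0502), an exact-match lookup of the kind a keytab lookup performs, and a `diagnose` helper that reports whether a principal that fails to match would have matched with the service and host components folded to lower case and the realm to upper case. The principal names are the ones in the log above; the key bytes, enctypes and kvno are constructed dummies. Against a real system, read the keytab with `parse_keytab(open('/etc/krb5.keytab', 'rb').read())` and pass the principal named in the failing log line to `diagnose`; a 'case-only' answer means the SPN in the ticket and the keytab entry differ only in case, which is the mismatch described above.

```python
"""
Minimal MIT keytab (version 0x0502) writer/reader plus a case-aware lookup.
Added example; not code from this thread or from Samba.
"""
import struct

KEYTAB_VERSION = b"\x05\x02"        # MIT keytab file format version 2, big-endian
KRB5_NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_ARCFOUR_HMAC = 23


def _counted(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: iterable of (principal 'svc/host@REALM', kvno, etype, key_bytes)."""
    out = bytearray(KEYTAB_VERSION)
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for c in components:
            body += _counted(c.encode())
        # name type, timestamp (0 = unknown), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", etype) + _counted(key)      # keyblock
        body += struct.pack(">I", kvno)                        # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body             # int32 record size
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts with principal, kvno, etype and key."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2

    def counted(pos):
        (n,) = struct.unpack_from(">H", data, pos)
        return data[pos + 2:pos + 2 + n], pos + 2 + n

    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot of -size bytes
            off += -size
            continue
        end, pos = off + size, off
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = counted(pos)
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "key": key})
        off = end
    return entries


def find_keys(entries, principal, casefold=False):
    """Entries whose principal matches; exact by default, like a keytab lookup."""
    def norm(p):
        if not casefold:
            return p
        name, realm = p.rsplit("@", 1)
        return name.lower() + "@" + realm.upper()
    want = norm(principal)
    return [e for e in entries if norm(e["principal"]) == want]


def diagnose(entries, principal):
    """'exact', 'case-only' (matches once case is folded) or 'absent'."""
    if find_keys(entries, principal):
        return "exact"
    if find_keys(entries, principal, casefold=True):
        return "case-only"
    return "absent"


# Constructed keytab mirroring the lower-case host/ entries described in the
# thread; keys are dummy bytes.
SAMPLE_KEYTAB = build_keytab([
    ("host/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU", 3,
     ETYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    ("host/hostname@DOMAIN.WUSTL.EDU", 3, ETYPE_ARCFOUR_HMAC, bytes(16)),
])

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e["kvno"], e["etype"], e["principal"])
    print(diagnose(entries, "HOST/hostname.domain.wustl.edu@DOMAIN.WUSTL.EDU"))
```

The lookup deliberately compares byte-for-byte, because that is what a keytab entry lookup does; `diagnose` exists only to tell a case mismatch apart from a genuinely missing SPN, which the single "Wrong principal in request" line in the log does not.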

[Samba] How to disallow to create files with bad charracters

2009-10-14 Thread Dusan Zatkovsky
Hi.

I would like to ask whether it is possible to disallow creating files whose 
names contain 'bad' characters.

I have blocked filenames with national characters by specifying
unix charset = ascii, but it is still possible to create a file named:
"my stupid file ... . . .doc".

I'd like to disallow this (allowing only alphanumerics and underscore 
["my_stupid_file.doc"]).

Is it possible?

Thank you.

-- 
Dusan


Re: [Samba] AD Integration woes - rfc2307 data not being honored

2009-10-14 Thread Andreas Zickner

Hi,

Thanks, this works for me too. But I do not get the NSS info using 'id 
' or 'getent passwd'. Is this working for you?


thx Andreas

Matthew J. Salerno wrote:

- Original Message 
From: Andreas Zickner 
To: Matthew J. Salerno 
Cc: samba@lists.samba.org
Sent: Sun, October 11, 2009 8:23:06 AM
Subject: Re: [Samba] AD Integration woes - rfc2307 data not being honored

Hi,

I tried with Linux rh54 2.6.18-164.el5 smbd
Version 3.0.33-3.14.el5 using your settings, with the same result. I looked at 
the LDAP communication and from there I can't see anything related 
to the rfc2307 / SFU attributes! So from the past I often found that it is a 
mapping issue. Here winbind/smb does not even search for the extended 
attributes!
I will do a second test with a self-compiled version 3.4.2 later.

regards,
Andreas


Matthew J. Salerno wrote:

Actually, the schema I am working with has been extended for both
methods! (Before I arrived.)  The plan is to use rfc2307 - win2k3r2. Regarding 
where I got those settings, I have read countless man pages, howtos,
wikis and forum threads to put it all together.  The main issue is the fact 
that I am using
an oldish version of samba, and since the release of 3.3.x I believe
things have gotten much easier; have you tried adex?  Check out:
http://samba.org/samba/docs/man/manpages-3/idmap_adex.8.html

Other points of reference:
http://samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

The only issue I have with having to use the ldap backend is the fact that I would 
need to hardcode the ldap server.  With winbind, all you need to supply is the 
realm & domain, then winbind takes care of which server to connect to, so it 
won't be limited to 1 server.

Let me know if you make any progress.

Thanks




I was able to get it working with the following configs:

# /etc/samba/smb.conf
[global]
workgroup = TESTDOMAIN
realm = TESTDOMAIN.NET
server string = Samba file and print server
security = ADS
log level = 1
max log size = 4192
printcap name = cups
preferred master = No
idmap backend = tdb
idmap alloc backend = tdb
idmap alloc config:range = 5000 - 
idmap cache time = 1800
template shell = /bin/bash
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
winbind refresh tickets = Yes
idmap config TESTDOMAIN:cache time = 1800
idmap config TESTDOMAIN:range = 2-99
idmap config TESTDOMAIN:backend = ad
idmap config TESTDOMAIN:schema_mode = rfc2307
idmap domains = TESTDOMAIN
idmap config TESTDOMAIN:default = yes
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = All Printers
guest ok = Yes
printable = Yes
browseable = No
available = No

#/etc/krb5.conf
  
[logging]

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = TESTDOMAIN.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 36000
 forwardable = yes
[realms]
 TESTDOMAIN.NET = {
  kdc = *
  kdc = TESTDOMAIN.NET
  default_domain = TESTDOMAIN.NET
 }
[domain_realm]
 .TESTDOMAIN.net = TESTDOMAIN.NET
 TESTDOMAIN.net = TESTDOMAIN.NET
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }


