[Samba] bind9 dlopen/dlz problems [update]
Hi,

just a short update on this issue: By using strace and having a look at the source code, I found the reason for the named error: Accessing samba database via ldapi requires the use of ildap.so (samba ldb module, which is not located in "standard ldb modules path"). Just setting LDB_MODULES_PATH to the directory containing it makes named start:

    export LDB_MODULES_PATH=/usr/lib/samba/ldb/
    named -u named
    -> startup complete

So it wasn't my first suspect "ldap uri":

    ldapi:///var/lib/samba4/private/ldap_priv/ldapi
    ldapi://%2Fvar%2Flib%2Fsamba4%2Fprivate%2Fldap_priv%2Fldapi

This leaves me with the task to finally get some DNS entries into the samba database :-)

Bye,
Marcel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba 3.5.6 - Windows 2008r2 domain trust fail
Hi,

I'm trying to configure a Domain trust between Samba 3.5.6 (TEST domain) and Windows 2008 r2 (WTEST Domain). Samba is the trusting side and Windows is the trusted side.

I created the "incoming trust" in the W2K8 called TEST. Then I executed the "net rpc trustdom establish WTEST" and got:

    Enter TEST$'s password:
    Could not connect to server W2K8SERVER
    Could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED

I tried with "net -d3 rpc trustdom establish WTEST" and got:

    [2011/02/07 02:11:13, 3] param/loadparm.c:9158(lp_load_ex)
      lp_load_ex: refreshing parameters
    [2011/02/07 02:11:13, 3] param/loadparm.c:4929(init_globals)
      Initialising global parameters
    [2011/02/07 02:11:13, 2] param/loadparm.c:4788(max_open_files)
      rlimit_max: rlimit_max (10240) below minimum Windows limit (16384)
    [2011/02/07 02:11:13.212239, 3] ../lib/util/params.c:550(pm_process)
      params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    [2011/02/07 02:11:13.212291, 3] param/loadparm.c:7842(do_section)
      Processing section "[global]"
    [2011/02/07 02:11:13.212970, 2] lib/interface.c:340(add_interface)
      added interface eth0 ip=10.10.10.137 bcast=10.10.10.255 netmask=255.255.255.0
    lp_load_ex: refreshing parameters
    params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
    Processing section "[global]"
    added interface eth0 ip=10.10.10.137 bcast=10.10.10.255 netmask=255.255.255.0
    Enter CANC$'s password:
    Connecting to host=W2K8SERVER
    Connecting to 10.10.10.202 at port 445
    Doing spnego session setup (blob length=136)
    got OID=1.3.6.1.4.1.311.2.2.30
    got OID=1.2.840.48018.1.2.2
    got OID=1.2.840.113554.1.2.2
    got OID=1.2.840.113554.1.2.2.3
    got OID=1.3.6.1.4.1.311.2.2.10
    got principal=not_defined_in_RFC4178@please_ignore
    Got challenge flags:
    Got NTLMSSP neg_flags=0x62898215
    NTLMSSP: Set final flags:
    Got NTLMSSP neg_flags=0x60088215
    NTLMSSP Sign/Seal - Initialising with flags:
    Got NTLMSSP neg_flags=0x60088215
    SPNEGO login failed: No logon interdomain trust account
    failed session setup with NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
    Could not connect to server W2K8SERVER
    Connecting to host=W2K8SERVER
    Connecting to 10.10.10.202 at port 445
    NetServerEnum2 error: Couldn't find primary domain controllerfor domain WTEST
    Could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
    return code = -1

I haven't found information about trust between 2008 and Samba. Maybe it's not supported.

Regards,
Diego

--
Diego Woitasen
XTECH
Re: [Samba] Freebsd pdc
Hi

On 7 February 2011 09:32, Eric Shubert wrote:
>
> Terry was asking about roaming profiles specifically, not a stock pdc.
>

My bad; I had missed that part.

Having roaming profile these days is something you get to live without. We had a user who installed iTunes on his machine and copied GB of music. Logging-out would take 30+ minutes because it was transferring each time the content of his My Documents back to the server.

JY
Re: [Samba] Freebsd pdc
On 02/06/2011 03:04 PM, Jean-Yves Avenard wrote:
>> I haven't used FreeBSD, but I have set up several PDCs. They work ok with default settings, however if users have a large amount of data associated with their account (in Application Data, My Documents, and/or Desktop folders for example), logging off/on can become terribly inefficient. This is because Windoze saves all of this local data to the server when the user logs off, taking a good bit of time (I've seen 20 minutes or so), while putting a strain on both the network and server.
>
> ??? That would only be the case if you enabled roaming profiles; which isn't active by default either.

Terry was asking about roaming profiles specifically, not a stock pdc.

> And this would be an either whether you use samba PDA or windows server.

Absolutely. This is part of the reason why many windows admins choose to not implement roaming profiles.

>> The solution to this problem is to change the default location for various folders to be on the server, so that the data doesn't need to be copied to the server during the logoff process. This is accomplished by creating a custom NTConfig.POL file in the netlogon directory which changes the location of these folders to reside on the server instead of the local HDD.
>
> no the solution is to disable roaming profiles

That's no solution.

> http://wiki.samba.org/index.php/Samba_&_Windows_Profiles
>
> Don't have a "logon path" set.

If that's your preference. I was just trying to be helpful with getting roaming profiles working. They do work nicely when properly configured. It takes some doing though.

--
-Eric 'shubes'
[Samba] samba 3.5.6 pdc ldap backend and windows 7
Hi,

as I found a lot of postings in web concerning the:

    _netr_ServerAuthenticate3: netlogon_creds_server_check failed, . Rejecting auth request from client ...

but not any solution for this issue, maybe I've missed one, it would be very nice if somebody solved this issue, to share the findings, or better the solution should be written down at http://wiki.samba.org/index.php/Windows7

kind regards
Manfred
Re: [Samba] Freebsd pdc
>
> I haven't used FreeBSD, but I have set up several PDCs. They work ok with
> default settings, however if users have a large amount of data associated
> with their account (in Application Data, My Documents, and/or Desktop
> folders for example), logging off/on can become terribly inefficient. This
> is because Windoze saves all of this local data to the server when the user
> logs off, taking a good bit of time (I've seen 20 minutes or so), while
> putting a strain on both the network and server.

??? That would only be the case if you enabled roaming profiles; which isn't active by default either.

And this would be an either whether you use samba PDA or windows server.

>
> The solution to this problem is to change the default location for various
> folders to be on the server, so that the data doesn't need to be copied to
> the server during the logoff process. This is accomplished by creating a
> custom NTConfig.POL file in the netlogon directory which changes the
> location of these folders to reside on the server instead of the local HDD.

no the solution is to disable roaming profiles

http://wiki.samba.org/index.php/Samba_&_Windows_Profiles

Don't have a "logon path" set.
Re: [Samba] ADS 2008 configuration
On 04/02/2011 17:31, Robert Freeman-Day wrote:
> On 02/03/2011 08:54 AM, Inder wrote:
>> Hi,
>>
>> I am Inderjit, and have some issues with configuration of samba with ADS 2008. I am able to connect to ADS 2008, but command "getent group" doesn't show always the output with ADS groups. We have more than 25000 users and domain controller is not located at same location.
>>
>> Could you please give me hints or suggestions, what can be changed to solve this issue.
>>
>> Regards
>> Inderjit
>
> We have a large AD deployment as well. I hope that someone in the developer group can speak to this with authority, but I theorize that there is a timeout implemented in a generalized query that broad. Remember, you are asking for a listing of ALL groups in your AD controller. I can't even get Active Directory Users and Computers nor Powershell commands to output every group.

Exact, the man page of smb.conf says:

"
winbind enum groups (G)

    On large installations using winbindd(8) it may be necessary to suppress the enumeration of groups through the setgrent(), getgrent() and endgrent() group of system calls. If the winbind enum groups parameter is no, calls to the getgrent() system call will not return any data.

    Warning
    Turning off group enumeration may cause some programs to behave oddly.

    Default: winbind enum groups = no
"

Matthieu

--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
Re: [Samba] Freebsd pdc
On 02/05/2011 01:57 PM, Terry Danter wrote:
> I was just wondering how many people out there are using FreeBSD as a pdc. I see a few guides on the net mostly followed by a load of posts of problems people encounter. Is it like most things that once you have done it once you can soon set up a machine at the drop of a hat as you encounter and remedy any problems. I have a few customers at the moment one of whom requires a pdc with roaming profiles. I use bsd and samba all the time for normal file sharing and never have problems. I try and avoid windows servers due to costs and licensing but a pdc would be new for me.
>
> Any opinions welcome
>
> Thanks
> Terry

I haven't used FreeBSD, but I have set up several PDCs. They work ok with default settings, however if users have a large amount of data associated with their account (in Application Data, My Documents, and/or Desktop folders for example), logging off/on can become terribly inefficient. This is because Windoze saves all of this local data to the server when the user logs off, taking a good bit of time (I've seen 20 minutes or so), while putting a strain on both the network and server.

The solution to this problem is to change the default location for various folders to be on the server, so that the data doesn't need to be copied to the server during the logoff process. This is accomplished by creating a custom NTConfig.POL file in the netlogon directory which changes the location of these folders to reside on the server instead of the local HDD.

There are a few wiki pages that explain this:
http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba

See also:
http://www.pcc-services.com/custom_poledit.html

--
-Eric 'shubes'
[Samba] bind9 dlopen/dlz problems
Hi,

I'm trying to replace my current samba4/bind setup with Tridge's new DLZ bind method (s. http://blog.tridgell.net/?p=122). Instructions about how to set this up seem a little rare right now, and I'm not even sure whether this is supposed to work at all in its current state (but I'll give it a try anyway :-)

What I found so far: In order to use the new dlopen DLZ you'll need at least bind-9.8.0b1 (make sure to enable it during configure using --with-dlz-dlopen).

Having installed the new bind, add a new config section to your bind config:

    dlz "Samba zone" {
        database "dlopen /usr/lib/libdlz_bind9.so";
    };

And that's about as far as I get. During bind startup I only get this error message:

    Loading 'Samba zone' using driver dlopen
    Unable to get basedn for ldapi:///var/lib/samba4/private/ldap_priv/ldapi - (null)
    dlz_dlopen of 'Samba zone' failed
    SDLZ driver failed to load.
    DLZ driver failed to load.
    loading configuration: failure
    exiting (due to fatal error)

So I tried ldapi access using ldapsearch:

    > ldapsearch -U Administrator -H ldapi:///var/lib/samba4/private/ldap_priv/ldapi
    DNS SRV: Could not turn DN="var/lib/samba4/private/ldap_priv/ldapi" into a domain

This didn't work - but replacing "/" with "%2F" in the file path fixes the problem:

    > ldapsearch -U Administrator -H ldapi://%2Fvar%2Flib%2Fsamba4%2Fprivate%2Fldap_priv%2Fldapi

Next step: source code: In the samba dlz code the first url format seems to be used, maybe that's the cause of this trouble. There's a config option "url" mentioned there, however I was unable to figure out how to use this option to override the path name.

It'd be great if someone could have a look at this, and maybe comment on the current state of dlopen/dlz.

Bye,
Marcel
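
Added example, not part of the post above and not Samba or BIND code: a Python sketch of generic LDAP URL splitting (host part before the first "/", DN after it), which is consistent with the DN shown in the ldapsearch error for the first URL form. The function names are hypothetical, and this models URL syntax only, not how Samba's ldb layer reads the same URL.

```python
from urllib.parse import quote, unquote, urlsplit

LDAP_SCHEMES = ("ldap", "ldaps", "ldapi")


def ldapi_uri(socket_path):
    """Build an ldapi:// URI whose host part is the percent-encoded socket path."""
    if not socket_path.startswith("/"):
        raise ValueError("ldapi socket path must be absolute")
    # safe="" forces "/" to be encoded as %2F so it cannot end the host part.
    return "ldapi://" + quote(socket_path, safe="")


def split_ldap_url(url):
    """Split an LDAP URL into (host part, base DN) using generic URL syntax."""
    parts = urlsplit(url)
    if parts.scheme not in LDAP_SCHEMES:
        raise ValueError(f"not an LDAP URL: {url!r}")
    host = unquote(parts.netloc)          # for ldapi: the decoded socket path
    dn = unquote(parts.path.lstrip("/"))  # everything after the first "/"
    return host, dn


def diagnose(url):
    """Describe how a generic LDAP URL parser reads an ldapi URL."""
    host, dn = split_ldap_url(url)
    if urlsplit(url).scheme == "ldapi" and not host and dn:
        # Empty host part: the unencoded path landed in the DN position.
        return f"socket path read as DN {dn!r}; encode it: {ldapi_uri('/' + dn)}"
    return f"socket={host!r} dn={dn!r}"


if __name__ == "__main__":
    # The two URL forms quoted in the post.
    for u in (
        "ldapi:///var/lib/samba4/private/ldap_priv/ldapi",
        "ldapi://%2Fvar%2Flib%2Fsamba4%2Fprivate%2Fldap_priv%2Fldapi",
    ):
        print(u, "->", diagnose(u))
```
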
Re: [Samba] Old question - NT4 BDC in Samba domain?
On Thu, 2011-02-03 at 08:08 +0100, Martin Hochreiter wrote:
> Hi!
>
> I have to migrate a samba domain to an Active Directory and
> therefore I need as first step to have a NT4.0 BDC in my network.
>
> As I don't find an useful answer via google I want to ask you if a
> NT4 BDC will work in a Samba PDC environment?

Look into the tools (myldap-pub.py or something) mentioned on the lists to migrate Samba3 to Samba4, which will get you a replication source you could then use to migrate to AD if you can't use Samba4.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
Re: [Samba] Samba PDC & Exchange 2000 Server
On Sat, 2011-02-05 at 07:18 -0500, Gaiseric Vandal wrote:
> exchange 2000 requires Active Directory. I would guess MAYBE you could use
> Samba 4. But I don't know if Samba 4 supports all the account attributes
> that Exchange would require. I would guess not.

Yes, Samba4 intends to support Exchange. Any issues with the exchange install failing are bugs we want to fix.

Certainly we have reports of exchange-supporting AD environments being imported into Samba4, but I don't know if folks have used Exchange itself directly against Samba4.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.