Re: [Samba] Codepage Problem?
On Mon, Oct 17, 2011 at 11:57:13PM +0200, Philipp Schmiedeknecht wrote: > Hi, > > I have the following logs in log.smbd: > > - > [2011/10/17 16:40:54.464688, 3] smbd/process.c:1485(process_smb) > Transaction 2732 of length 200 (0 toread) > [2011/10/17 16:40:54.464704, 3] smbd/process.c:1294(switch_message) > switch message SMBntcreateX (pid 19814) conn 0x7fa6eeb5d430 > [2011/10/17 16:40:54.464753, 3] smbd/msdfs.c:746(dfs_redirect) > dfs_redirect: Not redirecting \vera\Extern\SomeFolder\Sîÿÿ. > [2011/10/17 16:40:54.464768, 3] smbd/msdfs.c:757(dfs_redirect) > dfs_redirect: Path \vera\Extern\SomeFolder\Sîÿÿ converted to non-dfs path > SomeFolder/Sîÿÿ > [2011/10/17 16:40:54.464804, 3] smbd/vfs.c:851(check_reduced_name) > check_reduced_name [SomeFolder/Sîÿÿ] [/raid/extern] > [2011/10/17 16:40:54.464839, 3] smbd/vfs.c:1008(check_reduced_name) > check_reduced_name: SomeFolder/Sîÿÿ reduced to /raid/extern/SomeFolder/Sîÿÿ > [2011/10/17 16:40:54.464855, 3] smbd/vfs.c:851(check_reduced_name) > check_reduced_name [SomeFolder/Sîÿÿ] [/raid/extern] > [2011/10/17 16:40:54.464889, 3] smbd/vfs.c:1008(check_reduced_name) > check_reduced_name: SomeFolder/Sîÿÿ reduced to /raid/extern/SomeFolder/Sîÿÿ > [2011/10/17 16:40:54.464912, 3] smbd/dosmode.c:166(unix_mode) > unix_mode(SomeFolder/Sîÿÿ) returning 0744 > [2011/10/17 16:40:54.464927, 3] smbd/vfs.c:851(check_reduced_name) > check_reduced_name [SomeFolder/Sîÿÿ] [/raid/extern] > [2011/10/17 16:40:54.464961, 3] smbd/vfs.c:1008(check_reduced_name) > check_reduced_name: SomeFolder/Sîÿÿ reduced to /raid/extern/SomeFolder/Sîÿÿ > [2011/10/17 16:40:54.464978, 3] smbd/error.c:80(error_packet_set) > error packet at smbd/error.c(160) cmd=162 (SMBntcreateX) > NT_STATUS_OBJECT_NAME_NOT_FOUND > - > > "Sîÿÿ" of course is no existing file. > > Is this caused by a wrong codepage configuration? > In my smb.conf no codepage is configured That should mean utf8. Is "\vera\Extern\SomeFolder\Sîÿÿ" actually the path sent by the client ? Can you look at a wireshark trace, or a debug level 10 log ? Jeremy. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] ntlm_auth NT_STATUS_INVALID_HANDLE with windbind
Thank you very much for your answer; a very detailed answer! I hope you will find few more minutes to clarify the things I didn't understand... particularly the Fumiyas law :-) wbinfo should show three domains: # wbinfo -m BULITIN YOUR_DOMAIN YOUR_SERVER In my case "MY_SERVER" is missing. # net getdomainsid SID for local machine YOUR_SERVER is: LOCAL-SID SID for domain YOUR_DOMAIN is: DOMAIN-SID Ok. In my case local and domain sids are the same # ldapsearch -xLLL "(&(objectclass=sambaDomain)(sambaDomainName=*))" I don't use ldap, but the simple tdbsam. I'm trying to switch to openldap, but I'm in trouble as far as I can't find a working guide. As you can confirm later, for example, smbldaptools has some "bugs" but I have never read about them. and finally # wbinfo --ping-dc MUST succeed Ok, it succeed As SATOH Fumiyas tells us, one SHOULD join without a running winbindd Daemon. # net rpc join -S localhost -U administrator One are NOT joining "localhost"! One join $HOSTNAME!! Sorry, I don't understand.. Verify with # net rpc testjoin Join to 'YOUR_DOMAIN' is OK ..but this works :-) and # pdbedit -v $HOSTNAME$ Account Flags:[S ] User SID: "DOMAIN-SID"-"SERVER-RID" Primary Group SID:"DOMAIN-SID"-515 Ok, but I have a problem: the PG-SID ends with 3007 Primary Group SID:"DOMAIN-SID"-3007 All our machines have this issue.. because #> net groupmap list|grep 3007 Domain Computers ("DOMAIN-SID"-3007) -> msmachines I don't know why.. I remember it was 515.. I'm confused, it's very strange. How can I have changed it? Many other SID ends in 30xx I don't know if this can cause the following problem. # wbinfo -a user%secret plaintext password authentication succeeded challenge/response password authentication succeeded and this fails It works for me with Samba 3.5.6 and also with 3.5.11 from backports :-) Perfect, so I'm sure I can make it works :-) Are you using the windbind.conf workaround? Step-by-step guide You should verify these three groups: # net sam list builtin administrators guests users For me "guest" is missing # net sam show administrators BUILTIN\administrators is a Local Group with SID S-1-5-32-544 # net sam show guests BUILTIN\guests is a Local Group with SID S-1-5-32-546 # net sam show users BUILTIN\users is a Local Group with SID S-1-5-32-545 Finally a perfect result! :-) and verify that these groups have their default members: # net rpc group members Administrators YOUR_DOMAIN\Domain Admins # net rpc group members guests YOUR_DOMAIN\Domain Guests # net rpc group members users YOUR_DOMAIN\Domain Users Strange, it ask me for root's password, but: Could not connect to server 127.0.0.1 The username or password was not correct. Connection failed: NT_STATUS_LOGON_FAILURE You must have a valid "idmap alloc setup" and have stored the secret in secrets.tdb smb.conf: I hope "idmap secret" refers to a ldpap password. will store user and passord in secrets.tdb, so that winbindd has enough rights to work. If your administrator account has uidnumber=0, you may use this account. stop samba, start winbind, start samba wait some seconds, winbindd will now create the third domain which has the name of your PDCs hostname. I lost myself.. because I cant' distinguish the ldap from the tdbsam operations. In my case, with tdbsam, winbind needs to find a password in secret.tdb? HINT when I checked winbindd.conf with testparm, I have get some errors, until I put an empty or comment line before the line with the include statement :-) . Here it doesn't need it :-) I will try to know how is possible to have Sid ending in 3007, but I'm sure I have some problem in the tdbsam database as far I can't delete some machine accounts. Probably it could be better to solve this problem before all others ("tdbbackup -s" should be enaugh.. ). Alessandro -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)
Am 18.10.2011 17:58 schrieb ITSEF Admin: Hi all, I need some help with the following problem: I need to migrate a bunch of user accounts to another domain on a Windows 2003 server (eventually to 2008R2, but that step seemed to big to do in one go). To keep all access rights etc. correct, I need to get the SID history set correctly as well. > From what I've researched so far, I'm aware of http://lists.samba.org/archive/samba/2005-April/103743.html and http://lists.samba.org/archive/samba/2005-June/107028.html which basically state that this migration should be possible using ADMT. As far as I know, I have all prerequisites in places as listed in those postings, however, I still cannot get ADMT to run. It does find the Samba server and recognises it as domain controller for OLDDOMAIN, but when I ask it to migrate SID history as well, I get a rather cryptic error "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The system cannot find the file specified." Unfortunately, Aunt Google does not have much on that one... Neither tshark nor Process Monitor nor the Samba logs provided any additional clues (that I would recognise), so this was a dead end for the time being. After having checked and re-checked domain trusts, administrator accounts (with equal passwords), SID filters being off, ... on both machines, I then tried a different approach: The "sidhist.vbs" script from the 2003 support tools, which in theory should be able to accomplish the same. However, when I try to run this script, I also get an error: "Error 0x800706BA, Unable to read the configuration information of the computer "SAMBA_DC". The error was: The RPC server is unavailable." I've done a lot of searching on this one as well, I even went as far as running tshark on the connection to see whether that would yield any clues - but came up empty yet again. Unfortunately, I'm now at the end of my - limited - knowledge of both Samba and Windows and would therefore like to ask whether anyone on this list may be able to hit me with the appropriate clue stick and/or point me in the direction of the proper TFM. Any tips for solving or even just debugging this are most welcome. Thanks in advance, Thomas Hi Thomas! We did a complete migration from Samba 3.5.9 to Windows2008R2 - but we did not find any windows tool that was helpful to migrate the password and the sid history. So we installed a AD domain with a Win2008R2 Server and joined a Samba 4 pre 17. Then we migrated all (6000!) accounts with the windows based active directory migration tool version 2 (all higher ones are not working) and run a script that converted the hash from password in the form that Samba 4 stores it and feed that together with the sid history into the Samba 4 database directly (with ldbedit tools). Samba synced that with the win2008R2 Server and that was almost working "Almost" meens, that a windows 7 client can only authenticate (the user of course) if its request hits a samba server and if the "password never expire" flag is set. If a user sets its password on the new AD domain then it was working with a win2008R2 server too. WinXP does not show this behaviour. We force the users to change there passwords quickly so we could shut down the Sambas a few days after the migration. The Sid history was working without any problems, from the beginning. That is/was our working way regars Martin -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Migrating user accounts Samba 3.5.3 to Windows 2003 (2008)
Hi all, I need some help with the following problem: I need to migrate a bunch of user accounts to another domain on a Windows 2003 server (eventually to 2008R2, but that step seemed to big to do in one go). To keep all access rights etc. correct, I need to get the SID history set correctly as well. >From what I've researched so far, I'm aware of http://lists.samba.org/archive/samba/2005-April/103743.html and http://lists.samba.org/archive/samba/2005-June/107028.html which basically state that this migration should be possible using ADMT. As far as I know, I have all prerequisites in places as listed in those postings, however, I still cannot get ADMT to run. It does find the Samba server and recognises it as domain controller for OLDDOMAIN, but when I ask it to migrate SID history as well, I get a rather cryptic error "Could not verify auditing and TcpipClientSupport on domains. Will not be able to migrate Sid's. The system cannot find the file specified." Unfortunately, Aunt Google does not have much on that one... Neither tshark nor Process Monitor nor the Samba logs provided any additional clues (that I would recognise), so this was a dead end for the time being. After having checked and re-checked domain trusts, administrator accounts (with equal passwords), SID filters being off, ... on both machines, I then tried a different approach: The "sidhist.vbs" script from the 2003 support tools, which in theory should be able to accomplish the same. However, when I try to run this script, I also get an error: "Error 0x800706BA, Unable to read the configuration information of the computer "SAMBA_DC". The error was: The RPC server is unavailable." I've done a lot of searching on this one as well, I even went as far as running tshark on the connection to see whether that would yield any clues - but came up empty yet again. Unfortunately, I'm now at the end of my - limited - knowledge of both Samba and Windows and would therefore like to ask whether anyone on this list may be able to hit me with the appropriate clue stick and/or point me in the direction of the proper TFM. Any tips for solving or even just debugging this are most welcome. Thanks in advance, Thomas -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] file_mode and dir_mode options ignored
>> Hi there. I'm using samba3x-3.5.4-0.83.el5_7.2 on CentOS release 5.7 >> x86_64 to mount a Terastation filesystem. The "file_mode" and >> "dir_mode" options to mount.cifs seem to be ignored; I >> systematically get a "drwxrwxrwx" permission, no matter what values >> I provide for these options: >Try noperm option instead of file_mode and dir_mode. Hi Motonobu, thanks for your answer. However noperm doesn't seem to do what I need. I want to restrict access on the CentOS system to the "backuppc" user exclusively. The only way I've been able to do that up to now is to put the mountpoint in a restricted subdirectory. It kind of works but it's not optimal. Do you have an idea what the problem here is? Is it related to the Terastation itself? Thanks, Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] template options ignored
From: "Zabel, Daniel" Date: Tue, 18 Oct 2011 17:12:45 +0200 > i have installed samba 3.5.11 on centos 5 and samba 3.6.0 on centos 6. > > Both system are connected to a Microsoft Domain. AD Users can resolved > and "getent passwd username" or "wbinfo -i username" works. > > Now I have setup some template options in my smb.conf: > > template shell = /sbin/nologin > template homedir = /home/%U > > This options seems to be completely ignored. > > "getent passwd" username and "wbinfo -i username" returns the configured > values from AD. How do you configure "winbind nss info" parameter? And have you tried against newly created AD user when you examine shell and homedir for the user? --- TAKAHASHI Motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] template options ignored
Hi, i have installed samba 3.5.11 on centos 5 and samba 3.6.0 on centos 6. Both system are connected to a Microsoft Domain. AD Users can resolved and "getent passwd username" or "wbinfo -i username" works. Now I have setup some template options in my smb.conf: template shell = /sbin/nologin template homedir = /home/%U This options seems to be completely ignored. "getent passwd" username and "wbinfo -i username" returns the configured values from AD. Are there other options that affect this behavior? Did I understand the options wrong? -- Daniel -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Mac OS X / MS Office save issues and possible .TemporaryItems fix
> -Original Message- > From: Craig White [mailto:craigwh...@azapple.com] > Sent: Saturday, October 15, 2011 3:06 PM > To: samba@lists.samba.org > Subject: Re: [Samba] Mac OS X / MS Office save issues and possible > .TemporaryItems fix > > On Sat, 2011-10-15 at 15:53 +, Nathan A Friedl wrote: > > We have an issue where Macs that try to save MS Office files on our 3.5.11 > samba servers occasionally get error messages such as "There has been a > network or file permission error. The network connection may be lost.” > When this happens, the user often has to save the file to their local drive > and > then copy it over to the network share. > > > > After doing some research, we suspect the issue may be related to the > .TemporaryItems folder that MS Office creates on any drive that it opens a > file on (described here: > http://prowiki.isc.upenn.edu/wiki/MS_Office_and_Network_Volumes ). > MS Office apparently continually modifies the permissions on this folder and > can occasionally prevent a user from opening a file due to wonky > permissions. Yesterday we created a .TemporaryItems folder for every > share and set the default acl to be rwx for all, as there's no way that Office > should be able to change that. We're hoping that will solve the problem, but > we've been unable to replicate these problems ourselves so we're just > waiting to see if the errors appear again. > > > > Are we on the right track here, or do you suspect something else may be > going on? Do you have any suggestions for other things to try? > > > > Additionally, we've been having a hard time determining a good logging > level. When we up the logging, the Macs can rotate the logs quite quickly as > they "touch" every file in a folder whenever the folder is opened. What > would your suggestion be for a proper logging level to monitor these issues? > > > > Thanks for your time, > > gosh that's a real old problem and the solution is painful. You should be able > to google the issue/resolution. > > The issue is that one each local Macintosh, the first user created is uid #500 > and the next is #501, etc. > > On probably about 70% of the Mac's, the primary user is the only user and he > is uid 500. Likewise, other users simultaneously open files on the server with > the same uid # and Microsoft Office just plays havoc (I wonder if they fixed > this problem with Office 2008?) > > Anyway, the only way to permanently fix this problem is to have unique > UID's assigned to each user on each Macintosh (at one location, I used LDAP > for authenticating users on each Mac). > > The user can also 'copy' existing files from the server to their desktop, make > their changes and then move it back to the server when they are finished > (ugh). > > Otherwise, you can use Libre Office which doesn't suffer from the same > issues ;-) > > Craig Thanks for the advice Craig. I should have mentioned that we're in the process of binding our Macs to our Active Directory domain. We've got Services for UNIX installed on the domain servers and have verified that they have the correct domain uids when logged into their Macs. Oddly enough, some domain users have still had these Office problems on their home shares (which only they have access to). In addition, some of the complaints have come from Office 2011 users, so it doesn't appear that Microsoft has changed anything. We are hopeful that forcing the rwx acls for all users on the .TemporaryItems folder has resolved this (we've had no reports of these problems since before we made the change on Friday), but I wanted to check and see if anyone has any other ideas for things we could be looking at here...and suggestions for the proper logging level to help monitor this issue. Best, Nate -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] file_mode and dir_mode options ignored
From: Christian Roche Date: Tue, 18 Oct 2011 11:59:21 + > Hi there. I'm using samba3x-3.5.4-0.83.el5_7.2 on CentOS release 5.7 > x86_64 to mount a Terastation filesystem. The "file_mode" and > "dir_mode" options to mount.cifs seem to be ignored; I > systematically get a "drwxrwxrwx" permission, no matter what values > I provide for these options: Try noperm option instead of file_mode and dir_mode. --- TAKAHASHI Motonobu -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] file_mode and dir_mode options ignored
Hi there. I'm using samba3x-3.5.4-0.83.el5_7.2 on CentOS release 5.7 x86_64 to mount a Terastation filesystem. The "file_mode" and "dir_mode" options to mount.cifs seem to be ignored; I systematically get a "drwxrwxrwx" permission, no matter what values I provide for these options: # mount.cifs //terastation/Backup /bkp/BackupPC/ -o credentials=/etc/samba/terastation.cred, uid=backuppc,gid=backuppc,file_mode=0640,dir_mode=0750 # ls -la /bkp drwxr-x--- 3 root backuppc 4096 Oct 18 11:23 . drwxr-xr-x 24 root root 4096 Oct 17 12:30 .. drwxrwxrwx 7 backuppc backuppc0 Oct 5 17:59 BackupPC What gives? Thanks, Chris -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] wbinfo command generate a winbindd core dump
Am Dienstag, 18. Oktober 2011 schrieben Sie: > On Tue, Oct 04, 2011 at 11:48:04PM +0200, Harry Jede wrote: > > OS Debian squeeze > > # wbinfo -V > > Version 3.5.6 > > > > > > ute@alix:~$ wbinfo --getdcname=KRONPRINZ > > Could not get dc name for KRONPRINZ > > > > As root and as unprivilegd user, this command results in a winbind > > core dump. > > This smells severely like > > https://bugzilla.samba.org/show_bug.cgi?id=7730 > > which was fixed in Samba 3.5.8. I dont have a 3.5.8 avaiable, but in $ wbinfo -V Version 3.5.11 it is fixed and I cannot produce a core dump. Fine. > > Volker -- Gruss Harry Jede -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] wbinfo command generate a winbindd core dump
On Tue, Oct 04, 2011 at 11:48:04PM +0200, Harry Jede wrote: > OS Debian squeeze > # wbinfo -V > Version 3.5.6 > > > ute@alix:~$ wbinfo --getdcname=KRONPRINZ > Could not get dc name for KRONPRINZ > > As root and as unprivilegd user, this command results in a winbind core > dump. This smells severely like https://bugzilla.samba.org/show_bug.cgi?id=7730 which was fixed in Samba 3.5.8. Volker -- SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba