Re: [Samba] Samba 4 security

2011-12-04 Thread steve

On 03/12/11 17:32, Matthieu Patou wrote:

Steve


Beware that on your machine where the samba 4 DC is running, files/folders
need to have the gid/uid of your AD users, not your linux users.



Did you read this ^.


Did a git pull ./configure.developer make and make install about an
hour ago.
And, well, something has changed. Now neither user can create nor
delete files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
. D 0 Wed Nov 30 20:37:48 2011
.. D 0 Fri Dec 2 07:15:17 2011
lynn D 0 Thu Dec 1 13:25:45 2011
steve D 0 Fri Dec 2 11:50:09 2011

29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>

This has something to do with uid/gid no? But wait, both steve and
lynn _are_ AD users who just happen to have linux accounts.


No, there is something that you misunderstand: in order to do the file
access control, Samba needs to know on behalf of which uid/gid the accesses
are done.
With the Samba 3.x series you have different ways of doing this mapping, or
you create unix users that have the same name as the user declared in
Samba (either in the local SAM or in the NT domain SAM), but most of the
time now it's winbind that is used. In Samba AD there is just the
winbind solution, as the other solutions didn't have a real interest in the
context of an Active Directory domain.

So what does winbind do? It allocates a UID to users and a GID to groups; in a
database it stores the association SID-UID/GID, and the next time it is
asked to translate the same SID to a UID/GID it will use the value in
its database.

In your particular case, when you connect to the Samba AD with smbclient
as AD user steve and try to create a dir, the server checks the
security.NTACL extended attribute; as it doesn't exist, it knows that it
will have to translate POSIX rights to NT ACLs. At this moment, in order
to know if you are the owner of the parent directory or in the group of the
parent directory, it will ask its internal winbind to translate the user's
SID and the SIDs of the user's groups to UID and GID, and it will turn out
that the UID of unix user steve is not at all the UID of AD user steve
(which is in the 300+ range); as the other translated POSIX rights
didn't give any write rights to the AD user, the directory was not
created.




How do I change the gid/uid of my linux users to the gid/uid of the AD users?
Is there a script? But that shouldn't matter, no?

Thinking you may want more info I'll leave it as it is for now. The
users are the same as they were before the new build. I did not delete
and recreate them.

Sure, this is the expected behavior; before, there was a bug in the POSIX
to NT ACLs translation that granted the write right even if you had just
the read and execute right. You can have the details by looking at this
changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67

I don't really know your case, but I think it's not such a problem; at
least so far nobody complained. On the DC you don't need to create unix
accounts for the AD users. As you need to create a directory for each user,
there are a couple of solutions:

1) change the rights on the directory that is shared as home so that
the group has write rights, then change the group to users (that's
because we map the Domain Users group to the users unix group)
2) for each user connect using smbclient and create the directory of
this user

or

For each user, use wbinfo -i ad_user, then create a folder for this
user and use the uid obtained with wbinfo to set the owner of the
directory.

For instance on my test server I have:

./bin/wbinfo -i steve
MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false

Note: first you have to do a ./bin/wbinfo -u, and beware: the first time
it is _slow_.

Matthieu.


Hi Matthieu

Thanks for your patience. Yes, your clear explanation is excellent. I'm 
going to try it as soon as I get Samba 4 running again.


I reinstalled from nothing to get a clean slate. Now, DNS isn't working. 
The method of configuring as outlined in the wiki doesn't work anymore. 
The dns files in /usr/local/samba/private  have changed since my first 
install last week:( I've another thread open on this.


Thanks again
Steve.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
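Matthieu's procedure above (look up the AD user's uid/gid with wbinfo -i, then create the home directory owned by that uid) and his explanation of why a same-named local unix account does not help, as an added shell example. This is not code from the thread or from the Samba project: it parses wbinfo's passwd-style output, compares the AD uid with the local account's uid to detect the clash he describes, and creates the directory. The sample lines are constructed, and the wbinfo location, the DRY_RUN switch and the 0700 mode are this example's assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: provision AD users'
# home directories on a Samba 4 DC using the uid/gid winbind allocated to the
# AD user, and detect the uid clash with a same-named local unix account.
# Assumptions: wbinfo is under $SAMBA_BIN (default /usr/local/samba/bin) and
# DRY_RUN=1 prints the privileged commands instead of executing them.

SAMBA_BIN="${SAMBA_BIN:-/usr/local/samba/bin}"

# Constructed sample lines standing in for real command output.
# wbinfo -i prints passwd(5) layout: name:pw:uid:gid:gecos:home:shell
SAMPLE_WBINFO='MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false'
# a local account of the same name, as getent passwd steve would show it
SAMPLE_LOCAL='steve:x:1000:100:Steve:/home/steve:/bin/bash'

# parse_wbinfo_line LINE -> prints "uid gid home"
parse_wbinfo_line() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { print $3, $4, $6 }'
}

# uid_of_passwd_line LINE -> prints the uid field of any passwd-style line
uid_of_passwd_line() {
    printf '%s\n' "$1" | awk -F: 'NF >= 7 { print $3 }'
}

# uid_mismatch WBINFO_LINE LOCAL_LINE -> "same", "mismatch" or "unknown".
# A local account whose uid differs from winbind's allocation gives the AD
# user no ownership of anything the local account owns, which is the
# NT_STATUS_ACCESS_DENIED seen in the thread.
uid_mismatch() {
    ad_uid=$(uid_of_passwd_line "$1")
    local_uid=$(uid_of_passwd_line "$2")
    if [ -z "$ad_uid" ] || [ -z "$local_uid" ]; then
        echo unknown
    elif [ "$ad_uid" = "$local_uid" ]; then
        echo same
    else
        echo mismatch
    fi
}

# provision_home WBINFO_LINE SHARE_ROOT
# Creates SHARE_ROOT/<short name> owned by the AD uid:gid. Mode 0700 is this
# example's choice for a home directory, not something the thread specifies.
provision_home() {
    line=$1; root=$2
    set -- $(parse_wbinfo_line "$line")   # word-split into uid gid home
    uid=$1; gid=$2
    [ -n "$uid" ] && [ -n "$gid" ] || { echo "cannot parse: $line" >&2; return 1; }
    # short name: the first field without its DOMAIN\ prefix
    short=$(printf '%s\n' "$line" | awk -F: '{ sub(/^.*\\/, "", $1); print $1 }')
    dir="$root/$short"
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "mkdir -p $dir && chown $uid:$gid $dir && chmod 0700 $dir"
    else
        mkdir -p "$dir" && chown "$uid:$gid" "$dir" && chmod 0700 "$dir"
    fi
}

# lookup_and_provision AD_USER SHARE_ROOT: the live version on the DC.
# wbinfo -u first, as the thread notes; the first run is slow.
lookup_and_provision() {
    "$SAMBA_BIN/wbinfo" -u >/dev/null || return 1
    line=$("$SAMBA_BIN/wbinfo" -i "$1") || return 1
    provision_home "$line" "$2"
}

# Demo on the constructed samples; dry run, so it works as any user
echo "AD uid vs local uid: $(uid_mismatch "$SAMPLE_WBINFO" "$SAMPLE_LOCAL")"
DRY_RUN=1 provision_home "$SAMPLE_WBINFO" /home
```

Run as root on the DC, `lookup_and_provision steve /home` does the real work; the directory ends up owned by the uid winbind reports (310 in Matthieu's output), so the POSIX-to-NT ACL translation he describes grants the AD user write access without any local unix account existing.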


Re: [Samba] samba 4 named. dlz_bind9.so not found

2011-12-04 Thread Marcel Ritter
Hi Steve,

the last configuration is the correct one.

However you may have to set LD_LIBRARY_PATH to the
directory containing libsamdb.so.0 (or other libraries it may complain
about during startup).

Bye,
   Marcel


From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 08:16
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

Hi again

I reinstalled Samba 4 and bind from nothing. Following the wiki I now
get this:

with include /usr/local/samba/private/named.conf; in the options{}
section of /etc/named.conf, I get this:

Dec  4 08:10:43 hh3 named[5470]: Starting name server BIND
/usr/local/samba/private/named.conf:11: unknown option 'dlz'


When it is outside the options {} I get this:


Dec  4 08:12:58 hh3 named[5597]: Loading 'AD DNS Zone' using driver dlopen
Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen failed to open library
'/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
open shared object file: No such file or directory
Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen of 'AD DNS Zone' failed
Dec  4 08:12:58 hh3 named[5597]: SDLZ driver failed to load.
Dec  4 08:12:58 hh3 named[5597]: DLZ driver failed to load.
Dec  4 08:12:58 hh3 named[5597]: loading configuration: failure
Dec  4 08:12:58 hh3 named[5597]: exiting (due to fatal error)
Dec  4 08:12:58 hh3 named[5547]: Starting name server BIND ..failed
Dec  4 08:12:58 hh3 systemd[1]: named.service: control process exited,
code=exited status=1
Dec  4 08:12:58 hh3 systemd[1]: Unit named.service entered failed state.

What am I missing?
Thanks
Steve.


On 04/12/11 00:40, steve wrote:
 Hi everyone

 openSUSE 12.1
 samba Version 4.0.0alpha18-GIT-30d4484

 Following the wiki instructions for Samba 4, I added

 include /usr/local/samba/private/named.conf;

 to /etc/named.conf (the last line)

 The logs give:

 3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
 3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library
 '/usr/local/samba/modules/bind9/dlz_bind9.so' -
 /usr/local/samba/modules/bind. . .no such file. . .
 3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
 3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
 3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
 3 23:52:50 hh3 named[5743]: loading configuration: failure
 3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
 3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

 The file is in the place it should be but named is chrooted and that
 path is not inside the jail. If that's correct, and the wiki is to stay
 the same then dlz_bind9.so should be copied to:

 /var/lib/named/usr/local/samba/modules/bind9/

 But if I do that, I now get another error:

 Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
 Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library
 '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
 open shared object file: No such file. . .
 Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

 Ahhgghh!

 openSUSE makes it difficult to remove the chroot, which I think is the
 problem. Does anyone know how I can get around this?

 Thanks.
 Steve.



Re: [Samba] samba 4 named. dlz_bind9.so not found

2011-12-04 Thread steve

Hi Marcel

Thanks for the confirmation. It narrows down the problem.

I can confirm:
/usr/local/samba/modules/bind9/dlz_bind9.so
is there OK.

However:
hh3:/home/steve # echo $LD_LIBRARY_PATH

hh3:/home/steve # export LD_LIBRARY_PATH=/usr/local/samba/modules/bind9/
hh3:/home/steve # echo $LD_LIBRARY_PATH
/usr/local/samba/modules/bind9/
hh3:/home/steve # rcnamed restart
redirecting to systemctl
Job failed. See system logs and 'systemctl status' for details.

And the file not found error reappears even with the library path set.

In openSUSE named runs chroot (at /var/lib/named). Could that be why it
cannot find the library at the given path? Or a combination of the jail 
and the path?


Confused. Any ideas?
Cheers
Steve.


On 04/12/11 09:45, Marcel Ritter wrote:

Hi Steve,

the last configuration is the correct one.

However you may have to set LD_LIBRARY_PATH to the
directory containing libsamdb.so.0 (or other libraries it may complain
about during startup).

Bye,
Marcel


From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 08:16
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

Hi again

I reinstalled Samba 4 and bind from nothing. Following the wiki I now
get this:

with include /usr/local/samba/private/named.conf; in the options{}
section of /etc/named.conf, I get this:

Dec  4 08:10:43 hh3 named[5470]: Starting name server BIND
/usr/local/samba/private/named.conf:11: unknown option 'dlz'


When it is outside the options {} I get this:


Dec  4 08:12:58 hh3 named[5597]: Loading 'AD DNS Zone' using driver dlopen
Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen failed to open library
'/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
open shared object file: No such file or directory
Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen of 'AD DNS Zone' failed
Dec  4 08:12:58 hh3 named[5597]: SDLZ driver failed to load.
Dec  4 08:12:58 hh3 named[5597]: DLZ driver failed to load.
Dec  4 08:12:58 hh3 named[5597]: loading configuration: failure
Dec  4 08:12:58 hh3 named[5597]: exiting (due to fatal error)
Dec  4 08:12:58 hh3 named[5547]: Starting name server BIND ..failed
Dec  4 08:12:58 hh3 systemd[1]: named.service: control process exited,
code=exited status=1
Dec  4 08:12:58 hh3 systemd[1]: Unit named.service entered failed state.

What am I missing?
Thanks
Steve.


On 04/12/11 00:40, steve wrote:

Hi everyone

openSUSE 12.1
samba Version 4.0.0alpha18-GIT-30d4484

Following the wiki instructions for Samba 4, I added

include /usr/local/samba/private/named.conf;

to /etc/named.conf (the last line)

The logs give:

3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library
'/usr/local/samba/modules/bind9/dlz_bind9.so' -
/usr/local/samba/modules/bind. . .no such file. . .
3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
3 23:52:50 hh3 named[5743]: loading configuration: failure
3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

The file is in the place it should be but named is chrooted and that
path is not inside the jail. If that's correct, and the wiki is to stay
the same then dlz_bind9.so should be copied to:

/var/lib/named/usr/local/samba/modules/bind9/

But if I do that, I now get another error:

Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library
'/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
open shared object file: No such file. . .
Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

Ahhgghh!

openSUSE makes it difficult to remove the chroot, which I think is the
problem. Does anyone know how I can get around this?

Thanks.
Steve.




[Samba] resara frontend for Samba 4

2011-12-04 Thread steve

Hi
I had a go at resara (resara.org), mainly because it looks like they 
have written a GUI to manage AD under Linux.


I got the source code since I don't have enough resources for their 
virtual machine. The documentation is poor, but I managed to compile and 
install from source on Ubuntu 11.10. Now I'm stuck. It doesn't mention 
anything about Samba 4 integration or where to start unless you go for 
the virtual machine option.


Anyone got it going from source?

Thanks
Steve.


Re: [Samba] samba 4 named. dlz_bind9.so not found

2011-12-04 Thread Marcel Ritter
Hi Steve,

it's quite likely that bind running in chroot is the cause of
the problem. You can easily test it by disabling chroot for
named on SuSE systems by editing /etc/sysconfig/named:

NAMED_RUN_CHROOTED=no

If the problem is still there, try running named using strace,
and have a look at all stat()/open() calls concerning dlz_bind9.so.

This should give some hints about missing files/permissions and
may help to narrow down the problem.

Bye,
   Marcel




From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 10:26
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

Hi Marcel

Thanks for the confirmation. It narrows down the problem.

I can confirm:
/usr/local/samba/modules/bind9/dlz_bind9.so
is there OK.

However:
hh3:/home/steve # echo $LD_LIBRARY_PATH

hh3:/home/steve # export LD_LIBRARY_PATH=/usr/local/samba/modules/bind9/
hh3:/home/steve # echo $LD_LIBRARY_PATH
/usr/local/samba/modules/bind9/
hh3:/home/steve # rcnamed restart
redirecting to systemctl
Job failed. See system logs and 'systemctl status' for details.

And the file not found error reappears even with the library path set.

In openSUSE named runs chroot (at /var/lib/named). Could that be why it
cannot find the library at the given path? Or a combination of the jail
and the path?

Confused. Any ideas?
Cheers
Steve.


On 04/12/11 09:45, Marcel Ritter wrote:
 Hi Steve,

 the last configuration is the correct one.

 However you may have to set LD_LIBRARY_PATH to the
 directory containing libsamdb.so.0 (or other libraries it may complain
 about during startup).

 Bye,
 Marcel

 
 From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
 Sent: Sunday, 4 December 2011 08:16
 To: samba@lists.samba.org
 Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

 Hi again

 I reinstalled Samba 4 and bind from nothing. Following the wiki I now
 get this:

 with include /usr/local/samba/private/named.conf; in the options{}
 section of /etc/named.conf, I get this:

 Dec  4 08:10:43 hh3 named[5470]: Starting name server BIND
 /usr/local/samba/private/named.conf:11: unknown option 'dlz'


 When it is outside the options {} I get this:


 Dec  4 08:12:58 hh3 named[5597]: Loading 'AD DNS Zone' using driver dlopen
 Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen failed to open library
 '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
 open shared object file: No such file or directory
 Dec  4 08:12:58 hh3 named[5597]: dlz_dlopen of 'AD DNS Zone' failed
 Dec  4 08:12:58 hh3 named[5597]: SDLZ driver failed to load.
 Dec  4 08:12:58 hh3 named[5597]: DLZ driver failed to load.
 Dec  4 08:12:58 hh3 named[5597]: loading configuration: failure
 Dec  4 08:12:58 hh3 named[5597]: exiting (due to fatal error)
 Dec  4 08:12:58 hh3 named[5547]: Starting name server BIND ..failed
 Dec  4 08:12:58 hh3 systemd[1]: named.service: control process exited,
 code=exited status=1
 Dec  4 08:12:58 hh3 systemd[1]: Unit named.service entered failed state.

 What am I missing?
 Thanks
 Steve.


 On 04/12/11 00:40, steve wrote:
 Hi everyone

 openSUSE 12.1
 samba Version 4.0.0alpha18-GIT-30d4484

 Following the wiki instructions for Samba 4, I added

 include /usr/local/samba/private/named.conf;

 to /etc/named.conf (the last line)

 The logs give:

 3 23:52:50 hh3 named[5743]: Loading 'AD DNS Zone' using driver dlopen
 3 23:52:50 hh3 named[5743]: dlz_dlopen failed to open library
 '/usr/local/samba/modules/bind9/dlz_bind9.so' -
 /usr/local/samba/modules/bind. . .no such file. . .
 3 23:52:50 hh3 named[5743]: dlz_dlopen of 'AD DNS Zone' failed
 3 23:52:50 hh3 named[5743]: SDLZ driver failed to load.
 3 23:52:50 hh3 named[5743]: DLZ driver failed to load.
 3 23:52:50 hh3 named[5743]: loading configuration: failure
 3 23:52:50 hh3 named[5743]: exiting (due to fatal error)
 3 23:52:50 hh3 named[5689]: Starting name server BIND ..failed

 The file is in the place it should be but named is chrooted and that
 path is not inside the jail. If that's correct, and the wiki is to stay
 the same then dlz_bind9.so should be copied to:

 /var/lib/named/usr/local/samba/modules/bind9/

 But if I do that, I now get another error:

 Dec 4 00:26:12 hh3 named[5968]: Loading 'AD DNS Zone' using driver dlopen
 Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen failed to open library
 '/usr/local/samba/modules/bind9/dlz_bind9.so' - libsamdb.so.0: cannot
 open shared object file: No such file. . .
 Dec 4 00:26:12 hh3 named[5968]: dlz_dlopen of 'AD DNS Zone' failed

 Ahhgghh!

 openSUSE makes it difficult to remove the chroot, which I think is the
 problem. Does anyone know how I can get around this?

 Thanks.
 Steve.

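Marcel's diagnosis above (named runs chrooted, so a library path that exists on the host is invisible inside /var/lib/named, and the dlz module's own dependencies such as libsamdb.so.0 have to be present there too), as an added shell example that is not part of the thread or of Samba. It reports which of a module's files are missing under a chroot root. The jail and module paths default to the ones in the thread; the demo jail is constructed in a temporary directory, the libsamdb.so.0 path used in it is invented for the demo, and relying on ldd to enumerate dependencies is an assumption about the host.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: report which files
# a dlopen()ed module needs that are absent inside a chroot jail. named on
# openSUSE runs chrooted in /var/lib/named, so a path that exists on the host
# is invisible to it unless the same path exists under the jail root.

JAIL="${JAIL:-/var/lib/named}"
MODULE="${MODULE:-/usr/local/samba/modules/bind9/dlz_bind9.so}"

# missing_under_root ROOT PATH... -> prints each absolute PATH for which
# ROOT/PATH does not exist; prints nothing when all are present.
missing_under_root() {
    root=$1; shift
    for p in "$@"; do
        [ -e "$root$p" ] || printf '%s\n' "$p"
    done
}

# resolved_deps LIB -> absolute paths of the shared objects LIB links against,
# as the host's loader resolves them. Assumes ldd is available. ldd may
# execute the object it inspects on some systems, so use it only on a module
# you built or installed yourself.
resolved_deps() {
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# check_module_in_jail ROOT LIB -> prints what is missing inside ROOT;
# returns 0 when the module and every dependency are present there.
check_module_in_jail() {
    root=$1; lib=$2
    if [ ! -e "$lib" ]; then
        echo "module $lib does not exist on the host" >&2
        return 2
    fi
    missing=$(missing_under_root "$root" "$lib" $(resolved_deps "$lib"))
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# demo: a constructed jail in a temp dir holding the module but not its
# dependency (the libsamdb.so.0 path here is invented for the demo).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/samba/modules/bind9"
    : > "$tmp/usr/local/samba/modules/bind9/dlz_bind9.so"
    missing_under_root "$tmp" \
        /usr/local/samba/modules/bind9/dlz_bind9.so \
        /usr/local/samba/lib/libsamdb.so.0
    rm -rf "$tmp"
}

demo
# On the DC itself: check_module_in_jail "$JAIL" "$MODULE"
```

Presence under the jail root is necessary but not sufficient: the loader running inside the jail must also be able to find each dependency, via the jail's own ld.so.conf/cache or the environment of the named process, which is why the two levers in this thread are LD_LIBRARY_PATH for named and `NAMED_RUN_CHROOTED=no`. Copying a Samba library tree into a jail also means it has to be kept updated alongside the host copy.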

Re: [Samba] samba 4 named. dlz_bind9.so not found

2011-12-04 Thread steve

On 04/12/11 14:19, Marcel Ritter wrote:

Hi Steve,

it's quite likely that bind running in chroot is the cause of
the problem. You can easily test it by disabling chroot for
named on SuSE systems by editing /etc/sysconfig/named:

NAMED_RUN_CHROOTED=no

If the problem is still there, try running named using strace,
and have a look at all stat()/open() calls concerning dlz_bind9.so.

This should give some hints about missing files/permissions and
may help to narrow down the problem.

Bye,
Marcel


Hi Marcel

Progress.

Removing the jail worked and named starts. It's getting better. Now I 
have this:


hh3:/home/steve # host -t SRV _ldap._tcp.hh3.site.
_ldap._tcp.hh3.site has SRV record 0 100 389 hh3.hh3.site.
hh3:/home/steve # host -t SRV _kerberos._udp.hh3.site.
_kerberos._udp.hh3.site has SRV record 0 100 88 hh3.hh3.site.
hh3:/home/steve # host -t A samba.hh3.site
Host samba.hh3.site not found: 3(NXDOMAIN)

2 successes and 1 failure.

(hh3.site is the fqdn)

The logs give this:

Dec  4 17:04:27 hh3 named[3383]: couldn't add command channel ::1#953: 
address not available
Dec  4 17:04:27 hh3 named[3383]: zone 0.0.127.in-addr.arpa/IN: loaded 
serial 42
Dec  4 17:04:27 hh3 named[3383]: zone 
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: 
loaded serial 42

Dec  4 17:04:27 hh3 named[3383]: zone localhost/IN: loaded serial 42
Dec  4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loading from 
master file managed-keys.bind failed: file not found

Dec  4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loaded serial 0
Dec  4 17:04:27 hh3 named[3356]: Starting name server BIND ..done
Dec  4 17:04:27 hh3 named[3383]: running

Am trying hard to keep calm! I asked about the managed-keys-zone on the 
openSUSE list a few days ago, but nothing.

Any ideas where to turn next?
Cheers
Steve


Re: [Samba] cant access shares on members of samba domain from windows domain

2011-12-04 Thread damiien
 First, you had better understand the Windows domain trust relationship
 before working on Samba issues. Then you will understand what needs to be
 done.

I've set up trust between domains. Users from windows domain can
access shares on Samba PDC but not on other machines in samba domain.
That is the puzzling part. Trust works fine if the only thing I access
is samba PDC.


Re: [Samba] Samba 4 security

2011-12-04 Thread steve

On 04/12/11 09:04, steve wrote:

On 03/12/11 17:32, Matthieu Patou wrote:

Steve


Beware that on your machine where the samba 4 DC is running, files/folders
need to have the gid/uid of your AD users, not your linux users.



Did you read this ^.


Did a git pull ./configure.developer make and make install about an
hour ago.
And, well, something has changed. Now neither user can create nor
delete files!

smbclient //hh3/homes
Password for [HH1\steve]:
smb: \> ls
. D 0 Wed Nov 30 20:37:48 2011
.. D 0 Fri Dec 2 07:15:17 2011
lynn D 0 Thu Dec 1 13:25:45 2011
steve D 0 Fri Dec 2 11:50:09 2011

29284192 blocks of size 512. 10550432 blocks available
smb: \> cd lynn
smb: \lynn\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \lynn\h
smb: \lynn\> cd ../steve
smb: \steve\> mkdir h
NT_STATUS_ACCESS_DENIED making remote directory \steve\h
smb: \steve\>

This has something to do with uid/gid no? But wait, both steve and
lynn _are_ AD users who just happen to have linux accounts.


No, there is something that you misunderstand: in order to do the file
access control, Samba needs to know on behalf of which uid/gid the accesses
are done.
With the Samba 3.x series you have different ways of doing this mapping, or
you create unix users that have the same name as the user declared in
Samba (either in the local SAM or in the NT domain SAM), but most of the
time now it's winbind that is used. In Samba AD there is just the
winbind solution, as the other solutions didn't have a real interest in the
context of an Active Directory domain.

So what does winbind do? It allocates a UID to users and a GID to groups; in a
database it stores the association SID-UID/GID, and the next time it is
asked to translate the same SID to a UID/GID it will use the value in
its database.

In your particular case, when you connect to the Samba AD with smbclient
as AD user steve and try to create a dir, the server checks the
security.NTACL extended attribute; as it doesn't exist, it knows that it
will have to translate POSIX rights to NT ACLs. At this moment, in order
to know if you are the owner of the parent directory or in the group of the
parent directory, it will ask its internal winbind to translate the user's
SID and the SIDs of the user's groups to UID and GID, and it will turn out
that the UID of unix user steve is not at all the UID of AD user steve
(which is in the 300+ range); as the other translated POSIX rights
didn't give any write rights to the AD user, the directory was not
created.




How do I change the gid/uid of my linux users to the gid/uid of the AD users?
Is there a script? But that shouldn't matter, no?

Thinking you may want more info I'll leave it as it is for now. The
users are the same as they were before the new build. I did not delete
and recreate them.

Sure, this is the expected behavior; before, there was a bug in the POSIX
to NT ACLs translation that granted the write right even if you had just
the read and execute right. You can have the details by looking at this
changeset: d1274f7f6236b47a1c6aa1737b054ed521d31b67

I don't really know your case, but I think it's not such a problem; at
least so far nobody complained. On the DC you don't need to create unix
accounts for the AD users. As you need to create a directory for each user,
there are a couple of solutions:

1) change the rights on the directory that is shared as home so that
the group has write rights, then change the group to users (that's
because we map the Domain Users group to the users unix group)
2) for each user connect using smbclient and create the directory of
this user

or

For each user, use wbinfo -i ad_user, then create a folder for this
user and use the uid obtained with wbinfo to set the owner of the
directory.

For instance on my test server I have:

./bin/wbinfo -i steve
MATWS\steve:*:310:100::/home/MATWS/steve:/bin/false

Note: first you have to do a ./bin/wbinfo -u, and beware: the first time
it is _slow_.

Matthieu.


Hi Matthieu

Thanks for your patience. Yes, your clear explanation is excellent. I'm
going to try it as soon as I get Samba 4 running again.

I reinstalled from nothing to get a clean slate. Now, DNS isn't working.
The method of configuring as outlined in the wiki doesn't work anymore.
The dns files in /usr/local/samba/private have changed since my first
install last week:( I've another thread open on this.

Thanks again
Steve.
Almost there at the command line. Permissions are respected. Following 
your method to create a user and allocate them a home folder:


cat /usr/local/samba/etc/smb.conf
# Global parameters
[global]
server role = domain controller
workgroup = HH1
realm = hh3.site
netbios name = HH3
passdb backend = samba4

[home]
path = /home
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No



samba-tool user add lynn 123@456
User 'lynn' created 

Re: [Samba] samba 4 named. dlz_bind9.so not found

2011-12-04 Thread Marcel Ritter
Hi Steve,

as 2 of the 3 queries did succeed, are you sure the hostname
of your dc was correctly detected during provision?

Does hostname -f return samba.hh3.site?

You may also try samba-tool / ldbsearch to get info about
the DNS entries stored by samba.
(Please replace 192.168.1.6 with the IP of your samba4 dc.)

The following command will try to do a dns lookup using
samba only (no bind) for samba.hh3.site:

/opt/samba4/bin/samba-tool dns query 192.168.1.6 hh3.site samba A -U Administrator%password

You may also try to list entries via ldbsearch (change path to your sam.ldb.d):
 
/opt/samba4/bin/ldbsearch -H /opt/samba4/var/lib/samba/private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=HH3\,DC\=SITE.ldb -b dc=domaindnszones,dc=hh3,dc=site name


Hope this helps,
   Marcel


From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf of steve [st...@steve-ss.com]
Sent: Sunday, 4 December 2011 17:17
To: samba@lists.samba.org
Subject: Re: [Samba] samba 4 named. dlz_bind9.so not found

On 04/12/11 14:19, Marcel Ritter wrote:
 Hi Steve,

 it's quite likely that bind running in chroot is the cause of
 the problem. You can easily test it by disabling chroot for
 named on SuSE systems by editing /etc/sysconfig/named:

 NAMED_RUN_CHROOTED=no

 If the problem is still there, try running named using strace,
 and have a look at all stat()/open() calls concerning dlz_bind9.so.

 This should give some hints about missing files/permissions and
 may help to narrow down the problem.

 Bye,
 Marcel

Hi Marcel

Progress.

Removing the jail worked and named starts. It's getting better. Now I
have this:

hh3:/home/steve # host -t SRV _ldap._tcp.hh3.site.
_ldap._tcp.hh3.site has SRV record 0 100 389 hh3.hh3.site.
hh3:/home/steve # host -t SRV _kerberos._udp.hh3.site.
_kerberos._udp.hh3.site has SRV record 0 100 88 hh3.hh3.site.
hh3:/home/steve # host -t A samba.hh3.site
Host samba.hh3.site not found: 3(NXDOMAIN)

2 successes and 1 failure.

(hh3.site is the fqdn)

The logs give this:

Dec  4 17:04:27 hh3 named[3383]: couldn't add command channel ::1#953:
address not available
Dec  4 17:04:27 hh3 named[3383]: zone 0.0.127.in-addr.arpa/IN: loaded
serial 42
Dec  4 17:04:27 hh3 named[3383]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 42
Dec  4 17:04:27 hh3 named[3383]: zone localhost/IN: loaded serial 42
Dec  4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loading from
master file managed-keys.bind failed: file not found
Dec  4 17:04:27 hh3 named[3383]: managed-keys-zone ./IN: loaded serial 0
Dec  4 17:04:27 hh3 named[3356]: Starting name server BIND ..done
Dec  4 17:04:27 hh3 named[3383]: running

Am trying hard to keep calm! I asked about the managed-keys-zone on the
openSUSE list a few days ago, but nothing.
Any ideas where to turn next?
Cheers
Steve
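Marcel's line of questioning above (two SRV queries answer with hh3.hh3.site as the target while the A query for samba.hh3.site fails, so does the name the records point at agree with what hostname -f returns on the DC?) turned into a small consistency check, as an added shell example that is not part of the thread or of Samba. It parses host(1) answers in the format shown in the thread and compares every SRV target with the DC's FQDN. The sample answer lines are constructed (the address in them is from the documentation range) and the live `dc_dns_check` function assumes host and hostname -f are available on the DC.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: cross-check a
# Samba AD DC's DNS records in the way suggested in the thread, using the
# host(1) output format seen there. Sample lines are constructed.

DOMAIN="${DOMAIN:-hh3.site}"

# Constructed host(1) answers, shaped like the ones quoted in the thread
SRV_LDAP='_ldap._tcp.hh3.site has SRV record 0 100 389 hh3.hh3.site.'
SRV_KRB='_kerberos._udp.hh3.site has SRV record 0 100 88 hh3.hh3.site.'
A_OK='hh3.hh3.site has address 192.0.2.10'
A_NX='Host samba.hh3.site not found: 3(NXDOMAIN)'

# srv_target LINE -> target host of each "has SRV record" line, no trailing dot
srv_target() {
    printf '%s\n' "$1" | awk '/has SRV record/ { t = $NF; sub(/\.$/, "", t); print t }'
}

# srv_port LINE -> the port of each "has SRV record" line
srv_port() {
    printf '%s\n' "$1" | awk '/has SRV record/ { print $(NF-1) }'
}

# a_record_ok LINE -> "yes" if the answer carries an address, else "no"
a_record_ok() {
    case "$1" in
        *" has address "*) echo yes ;;
        *) echo no ;;
    esac
}

# srv_targets_match DC_FQDN SRV_ANSWER... -> "ok" when every SRV target in the
# answers equals DC_FQDN, otherwise "mismatch:" followed by the odd targets.
# The thread's failure mode is exactly this: clients are sent to hh3.hh3.site
# by the SRV records while the name being queried is samba.hh3.site.
srv_targets_match() {
    fqdn=$1; shift
    bad=""
    for answer in "$@"; do
        for t in $(srv_target "$answer"); do
            [ "$t" = "$fqdn" ] || bad="$bad $t"
        done
    done
    if [ -z "$bad" ]; then echo ok; else echo "mismatch:$bad"; fi
}

# dc_dns_check: live version for the DC; needs host(1) and hostname -f.
# Checks that the SRV records point at this host and that the host has an A record.
dc_dns_check() {
    fqdn=$(hostname -f)
    l=$(host -t SRV "_ldap._tcp.$DOMAIN.")
    k=$(host -t SRV "_kerberos._udp.$DOMAIN.")
    echo "srv targets vs $fqdn: $(srv_targets_match "$fqdn" "$l" "$k")"
    echo "A record for $fqdn: $(a_record_ok "$(host -t A "$fqdn")")"
}

# Demo on the constructed answers
echo "fqdn hh3.hh3.site:   $(srv_targets_match hh3.hh3.site "$SRV_LDAP" "$SRV_KRB")"
echo "fqdn samba.hh3.site: $(srv_targets_match samba.hh3.site "$SRV_LDAP" "$SRV_KRB")"
echo "A samba.hh3.site:    $(a_record_ok "$A_NX")"
```

If `srv_targets_match` reports a mismatch against `hostname -f`, the records Samba provisioned and the machine's own idea of its name disagree, which is the situation Marcel asks Steve to rule out before looking further at BIND; the samba-tool dns query and ldbsearch commands he gives then show what is actually stored in the directory.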