[Samba] Samba with dns error Failed to connect to our DC

2012-02-09 Thread Gilmour, Scott
Hi,
I just installed Ubuntu Server and Ubuntu classic desktop.  Now I am trying to 
join active directory and I get this DNS error and failed to connect to the DC.
How to fix this error plus I noticed on my windows 2008 Server that my Ubuntu 
server showed up as a Computer and not a domain controller.
Is this correct?  I would think it would show up as a DC just as it does when I 
joined my 2003 Server to my 2008 Server.
Thanks
Scott

root@FreeRadius:/home/sqauser# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SQA
Joined 'FREERADIUS' to realm 'SQA.net'
[2012/02/09 16:48:09.744544,  0] utils/net_ads.c:1147(net_update_dns_internal)
  net_update_dns_internal: Failed to connect to our DC!
DNS update failed!
root@FreeRadius:/home/sqauser# wbinfo -u
FREERADIUS\nobody
FREERADIUS\sqauser
SQA\administrator
SQA\guest
SQA\krbtgt
SQA\00-01-88-00-00-00
SQA\00-01-88-00-00-01
SQA\00-01-88-00-00-02

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Include directory in smb.conf

2012-02-09 Thread Nico Kadel-Garcia
On Thu, Feb 9, 2012 at 1:04 PM, Santiago Diez  wrote:
> Hi there,
>
> I'm wondering if there is any patch or recent development that would allow to
> include a directory rather than a file in smb.conf
>
> Something like
>
> includedir = /etc/samba/shares.d/
>
> instead of
>
> include = /etc/samba/shares.conf

That seems potentially destabilizing, and makes for considerably more
complex parsing of a target directory. In particular, order
sensitivity of included files is a pain in the ass and can be
enormously destabilizing.  And me, I'd be concerned that some idiot
would point to an auto-mounted or NFS-mounted directory and lead to
all *sorts* of timeout craziness.

This kind of approach is, of course, used for other tools like Nagios
and NRPE and httpd. But it can get very tricky to handle. If I had to
have a configuration for Samba built up from dynamically arranged
smaller components, I'd set up /etc/samba/Makefile, drop components in
/etc/samba/*.conf, and use it to build and source control
/etc/samba/smb.conf.

Do you have some particular need for this? Or did it just seem like a good idea?
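
The approach suggested in the reply above, building smb.conf from smaller pieces so that include order is fixed at build time and never read from a network mount, as an added example that is not code from the thread or from Samba. It is written as a shell function a Makefile rule could call; the NN-name.conf naming rule and the function names are assumptions, and /etc/samba/shares.d is the directory named in the question.

```shell
#!/bin/sh
# Added example (not from the thread): build smb.conf from ordered fragments.
# The NN-name.conf naming rule and the function names are assumptions.

# Filesystem type of a path via GNU stat; "unknown" where stat -f -c is absent.
fs_type() {
    stat -f -c %T "$1" 2>/dev/null || echo unknown
}

# build_smb_conf FRAGMENT_DIR OUT_FILE
# Status: 0 built, 2 fragment dir is network- or auto-mounted,
#         3 a fragment lacks an NN- prefix, 4 no fragments found.
build_smb_conf() {
    src=$1
    out=$2
    case "$(fs_type "$src")" in
        nfs*|cifs|smb*|autofs) return 2 ;;   # avoid mount timeouts at build time
    esac
    tmp="$out.new.$$"
    list="$tmp.list"
    # Byte-order sort so the include order never depends on the locale.
    printf '%s\n' "$src"/*.conf | LC_ALL=C sort > "$list"
    : > "$tmp"
    count=0
    while IFS= read -r f; do
        [ -f "$f" ] || continue              # an unmatched glob stays literal
        case "${f##*/}" in
            [0-9][0-9]-*.conf) ;;
            *) rm -f "$tmp" "$list"; return 3 ;;
        esac
        printf '# --- %s ---\n' "${f##*/}" >> "$tmp"
        cat "$f" >> "$tmp"
        printf '\n' >> "$tmp"
        count=$((count + 1))
    done < "$list"
    rm -f "$list"
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        return 4
    fi
    mv "$tmp" "$out"                         # replace the live file in one step
}

# Usage: sh build-smb-conf.sh /etc/samba/shares.d /etc/samba/smb.conf
if [ "$#" -eq 2 ]; then
    build_smb_conf "$1" "$2"
fi
```

Running `testparm -s` against the generated file before installing it catches a syntax error in any fragment, and committing the generated file gives the source-controlled smb.conf the reply describes.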


Re: [Samba] samba-tool set default group

2012-02-09 Thread Gémes Géza
On 2012-02-09 at 14:21, steve wrote:
> Hi
> How do I set the default group for a user?
>
> e.g.
> samba-tool group add opensuse
> samba-tool group addusers opensuse steve
>
> But steve's default group is still Users.
>
> I'm looking for something like this:
> 'samba-tool group setdefaultgroup steve opensuse'
>
> But there isn't that command. I have to do it in Windows.
>
> Is there a command I'm missing?
> Cheers,
> Steve
IMHO currently your best bet is ldbmodify.

Regards

Geza


Re: [Samba] Samba 4 and new Kerberos version

2012-02-09 Thread Gémes Géza
On 2012-02-08 at 09:29, steve wrote:
> On 07/02/12 20:52, Gémes Géza wrote:
>> On 2012-02-07 at 16:07, steve wrote:
>>> On 07/02/12 12:01, Andrew Bartlett wrote:
>>>> On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
>>>>> I just got this from the mit list:
>>>>>
>>>>>
>>>>> DES transition
>>>>> ==
>>>>>
>>>>> The krb5-1.8 release disables single-DES cryptosystems by
>>>>> default.  As
>>>>> a result, you may need to add the libdefaults setting
>>>>> "allow_weak_crypto = true" to communicate with existing Kerberos
>>>>> infrastructures if they do not support stronger ciphers.
>>>>>
>>>>>
>>>>>
>>>>> Does/will this apply to us?
>>>> Heimdal did this a long time ago, so yes.  If you wish to use DES, you
>>>> have to set that in your krb5.conf.
>>>>
>>>> Andrew Bartlett
>>>>
>>> Hi
>>> I'm using S4 out of the box on openSUSE 12.1. All the Kerberos
>>> transactions seem to choose arcfour.
>>> Does the des stuff apply to me?
>>> Thanks,
>>> Steve
>>>
>> Hi,
>> You need to enable weak crypto if you want to use kerberos with apps
>> which depends on des (e.g nfs, openafs).
>> Regards
>> Geza
> Mmm. That's what I thought. I added that line to krb5.conf before
> using nfs. I commented it and it still works. The s4 nfs transactions
> seem to choose arcfour, not des. I can't find this documented anywhere
> but noises on the nfs kernel list suggest that the weak crypto is not
> now necessary. Will leave the line commented until nfs explodes at
> some stage.
> Cheers,
> Steve
>
Could have been fixed. I've used nfs with gss/krb a few years ago when it
was working with des-cbc-crc only, and have migrated to openafs since then.

Cheers

Geza
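
The DES transition note quoted in this thread comes down to what is active in krb5.conf: whether allow_weak_crypto is switched on in [libdefaults], and whether a single-DES enctype is still listed there. The check below is an added example, not code from the thread or from MIT krb5 or Heimdal. The function names and the sample file are constructed, and the enctype-list settings it inspects (default_tkt_enctypes, default_tgs_enctypes, permitted_enctypes) are MIT krb5 options that the thread itself does not mention.

```shell
#!/bin/sh
# Added example (not from the thread): find active single-DES settings in a
# krb5.conf. Function names and the sample file are constructed.

# audit_krb5_conf FILE
# Prints "LINE: finding" for each active weak setting in [libdefaults];
# exit status 0 when clean, 1 when anything was reported.
audit_krb5_conf() {
    awk '
    /^[ \t]*[#;]/ { next }     # a commented-out setting is not in effect
    /^[ \t]*\[/ {              # section header such as [libdefaults]
        sec = $0
        sub(/^[ \t]*\[/, "", sec)
        sub(/\].*$/, "", sec)
        next
    }
    sec == "libdefaults" && /=/ {
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = tolower($0); sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "allow_weak_crypto" && val ~ /^(y|yes|t|true|1|on)$/) {
            printf "%d: allow_weak_crypto enabled\n", NR
            bad = 1
        }
        if (key ~ /^(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)$/) {
            n = split(val, e, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (e[i] ~ /^des(-cbc-(crc|md4|md5|raw)|-hmac-sha1)?$/) {
                    printf "%d: %s lists %s\n", NR, key, e[i]
                    bad = 1
                }
            }
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: weak crypto switched on and a DES enctype still listed.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 arcfour-hmac des-cbc-crc
[realms]
    EXAMPLE.TEST = { kdc = kdc.example.test }
EOF
}

if [ "$#" -eq 1 ]; then
    audit_krb5_conf "$1"
fi
```

A line that has been commented out, as described in the thread, is skipped, so the check reports only settings that are in effect.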


[Samba] Include directory in smb.conf

2012-02-09 Thread Santiago Diez
Hi there,

I'm wondering if there is any patch or recent development that would allow to
include a directory rather than a file in smb.conf

Something like

includedir = /etc/samba/shares.d/

instead of

include = /etc/samba/shares.conf

Thanks for your help

Santiago
Santiago DIEZ
Director
+33 6 37 90 81 98
Quark Systems & CAOBA
23 rue du Buisson Saint-Louis, 75010 Paris


[Samba] Unable to create principle and join domain with solaris / samba 3.5.8

2012-02-09 Thread Paul Smith
Has anyone had any success using net ads join to create a new service
principal and join Active Directory using samba 3.5.8. This works fine
in 3.0.35 but I'm not able to get a working create/join with 3.5.8

In samba 3.0.35 (on a host which is already allowing kerberised
logins via AD), the following works:

net ads join createupn='CIFS/host.domain.com' \
createcomputer='path/to/principal/' -U myadlogin

After upgrading and restarting, samba works fine but deleting the AD
service principal and samba/private files to reconfigure, the net join
fails:

# net ads join createupn='CIFS/smbtest.uk.domain.com' createcomputer='MITKerberos/Services' -U myadlogin
Enter myadlogin's password:
Failed to join domain: failed to precreate account in ou MITKerberos/Services: Invalid DN syntax

The OU exists in AD (and works for earlier samba versions). Looking at
net ads join output with -d 99, it looks like the net command isn't
passing the netbios name through?

[2012/02/09 15:45:29.014700, 1] libnet/libnet_join.c:1978()
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'AAA'
dns_domain_name : 'aaa.ads.domain.com'
forest_name : 'ADS.DOMAIN.COM'
dn : NULL
domain_sid : *
domain_sid : S-1-5-21-1606980848-1965331169-1417001333
modified_config : 0x00 (0)
error_string : 'failed to precreate account in ou MITKerberos/Services: Invalid DN syntax'
domain_is_ad : 0x01 (1)
result : WERR_DEFAULT_JOIN_REQUIRED
[2012/02/09 15:45:29.014909, 10] intl/lang_tdb.c:138()
lang_tdb_init: /usr/lib/samba/en_GB.UTF-8.msg: No such file or directory
Failed to join domain: failed to precreate account in ou MITKerberos/Services: Invalid DN syntax
[2012/02/09 15:45:29.015245, 2] utils/net.c:916()
return code = -1

The smb.conf for this is as follows

[global]
server string = SMBTEST Samba Server
security = ADS
realm = AAA.ADS.DOMAIN.COM
netbios name = SMBTEST
workgroup = AAA
interfaces = SMBTEST.uk.domain.com
bind interfaces only = Yes
log level = 3
log file = /var/samba/log/log.%m
max log size = 128
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
nis homedir = No
hide dot files = Yes
wide links = No
local master = No
domain master = No
preferred master = No
os level = 0

[homes]
comment = Home Directories
browseable = yes
public = no
writable = yes

Anyone have any pointers on how to create principals and join AD using
3.5.8 or any ideas of relevant changes between 3.0.35 and 3.5.8 that
might explain this?

Regards

Paul


Re: [Samba] Group Mappings

2012-02-09 Thread Gaiseric Vandal
Do you have any XP clients?  Do they have the same issue?  What backend 
are you using?




On 02/08/2012 03:03 PM, Simon Faulkner wrote:
> Samba 3.6.2
>
> My Domain Admins, including root, don't get admin permissions on local
> PCs.
>
> My Windows 7 clients can join the domain but when I look in the
> Administrators group it shows the sid for the Domain Admins group (RID
> = 512) and the icon has a question mark
>
> net groupmap list seems OK
>
> Any ideas where to look next?
>
> TIA
>
> Simon





Re: [Samba] Screenshot

2012-02-09 Thread Gaiseric Vandal

Can't see the attached screenshot.   I don't think the lists support it.

Did you set up group mapping ("net group map list" should show this.)  I 
have samba 3.5.x with ldap backend.   Make sure the windows "domain 
admins" group is mapping to a unix group with RID 512.



On 02/09/2012 02:50 AM, Simon Faulkner wrote:
> Any chance anyone can take a look at this screen shot of the
> Administrator group on a Domain PC
>
> I can't figure out why it is showing the SID rather than the name of
> the group?
>
> TIA
>
> Simon





Re: [Samba] Samba4 user mapping into filesystem

2012-02-09 Thread steve




> - Winbind isn't installed.  I followed the HOWTO, but didn't see a
> step about installing winbind.
If you installed S4 you already have it. But s4 winbind doesn't seem to
map uid:gid correctly at the mo :( We used nss-ldapd with nfs4 to do the
mapping for the Linux side. See the:


Re: [Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]

thread. Just posted an update to it so it's prob. in your inbox now.

HTH,
Steve



[Samba] samba-tool set default group

2012-02-09 Thread steve

Hi
How do I set the default group for a user?

e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve

But steve's default group is still Users.

I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'

But there isn't that command. I have to do it in Windows.

Is there a command I'm missing?
Cheers,
Steve


Re: [Samba] Samba4 user mapping into filesystem

2012-02-09 Thread Aaron E.

This may help you out..

https://wiki.samba.org/index.php/Samba4/Winbind

On 02/09/2012 07:17 AM, Brantley Hobbs wrote:
> On Wed, Feb 8, 2012 at 5:31 PM, William Brown wrote:
>> You likely don't have ACL's enabled on the filesystem that samba is sharing.
>> You can check with
>>
>> sudo tune2fs -l /dev/vg_lillie/lv_root | grep option
>>
>> replacing your disk into that command. You should see something like
>>
>> Default mount options:    user_xattr acl
>>
>> If not, you should enable the filesystem ACL using tune2fs, then reboot your
>> machine.
>>
>> tune2fs -o acl /dev/sda1
>>
>> And this is why you don't use a mailing list while half asleep. I misread
>> your problem. Probably still good to check that.
>>
>> Anyway, do you have the machine joined to its own domain? Are you running
>> winbind to resolve the usernames etc?
>>
>> The issue you might be seeing is that while they have an owner that isn't
>> there, if you use getfacl on the file it should have the ACL's to allow the
>> group / user in question to read/write it. The non existent user could be
>> due to winbind trying to map the user Id to an account, but you don't have
>> the client side of the resolver setup, so it shows "non existent". using ls,
>> check the numerical ID on the files.
>
> Odd.  I certainly have the mount options in /etc/fstab, and using the
> little test on the HOWTO
> (https://wiki.samba.org/index.php/Samba4/HOWTO#NOTE_about_filesystem_support),
> it's supposed to be working.  However, listing the filesystem options
> with tune2fs shows "none" for "Default mount options".  "ext_attr"
> does show as a feature in "Filesystem features" however.
>
> To your other questions:
>
> - I assume that provisioning the installation implicitly joined it to
> the domain.  This is the only domain controller on a very small
> network.  If provisioning didn't join it automatically, then no, it's
> not joined to its own domain.
>
> - Winbind isn't installed.  I followed the HOWTO, but didn't see a
> step about installing winbind.
>
> Like I say, everything else appears to be working fine.  I'm just
> trying to wrap my head around the relationship between Samba's
> internal users and the underlying filesystem permissions.
>
> Thanks for your help!
> Brantley




Re: [Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]

2012-02-09 Thread steve

On 13/01/12 16:59, Adam Tauno Williams wrote:

On Fri, 2012-01-13 at 10:32 -0500, Adam Tauno Williams wrote:

On Fri, 2012-01-13 at 02:51 +0100, steve wrote:

On 12/01/12 23:02, Adam Tauno Williams wrote:

Quoting steve:

Samba4's winbind does not support RFC2307,  so doing this is pretty
rough.  I think you need to either use CIFS + winbind everywhere or
somehow maintain an external idmap.
Yea, it is horrible.  We are staring down the barrel of the same
gun.

As Jeremy said, they are discussing what needs to be done before
releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba
4's winbind etc., so if something that is critical for you does not
currently work, you should file a bug report.

Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone
with my issue. I think it should be easy to fix now before it goes beta.
https://bugzilla.samba.org/show_bug.cgi?id=8635

Holy awesome; it got better.  I just tested an upgrade of our
production domain and it appears that Samba4 took [and kept] the UID
number from the existing account.
Production
-
[root@littleboy ~]# id adam
uid=437(adam) gid=230(cis) groups=230(cis)
Test Server

barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false
Home directory is a bit weird, and the gidNumber didn't stick.  But at
least I have the uidNumber.
4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via
"samba-tool domain samba3upgrade" from Samba S3 w/LDAPSAM.

Nice find you have there. Meanwhile I've got it working. Very rough. But
working for 10 hour Kerberos sessions at a time;)
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
Steve

What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is
that while the LDAP modify works the wbinfo output doesn't change.

dn: CN=adam,CN=Users,DC=micore,DC=us
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 437
-
add: gidnumber
gidnumber: 230
-
add:unixhomedirectory
unixhomedirectory: /home/adam
-
add: loginshell
loginshell: /bin/ksh

barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

I am able to get my home-directory path back to the previous value
[ based on the useful information from this link -
  ]

Setting: template homedir = /home/%ACCOUNTNAME%

The old %U type variables aren't supported.  But the above results in
the same thing -

barbel:/opt/s4 # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/adam:/bin/false

I found a list of Windows environment variables here
   According to the
old 2010 thread these are now expanded on the client side in Microsoft
fashion rather than expanded on the server [in the config backend??].


You have to rfc2307-ify the group too. e.g.:
samba-tool group add suseusers
samba-tool group addmembers suseusers steve6

wbinfo --group-info=suseusers
suseusers:*:316:

kinit Administrator

ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -Y GSSAPI

dn: cn=suseusers,sn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: posixGroup

Then,
Use nslcd to map uid:gid from LDAP:
/etc/nsswitch.conf
passwd:files ldap
group: files ldap

and then:
hh3:/home/steve # getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
hh3:/home/steve # getent group suseusers
suseusers:*:316:
hh3:/home/steve # wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Linux= nfs4/idmapd. w7= out of the box.

Server:
hh3:/tmp # id steve6
uid=315(steve6) gid=316(suseusers) groups=316(suseusers)

Client:
steve6@hh6:~> id
uid=315(steve6) gid=316(suseusers) groups=316(suseusers)
steve6@hh6:~> echo "Hola" > file
steve6@hh6:~> ls -l file
-rw-r--r-- 1 steve6 suseusers 5 Feb  9 13:52 file

Maybe I should add this to the bug report.
Cheers,
Steve



Re: [Samba] Samba4 user mapping into filesystem

2012-02-09 Thread Brantley Hobbs
On Wed, Feb 8, 2012 at 5:31 PM, William Brown wrote:
> You likely don't have ACL's enabled on the filesystem that samba is sharing.
> You can check with
>
> sudo tune2fs -l /dev/vg_lillie/lv_root | grep option
>
> replacing your disk into that command. You should see something like
>
> Default mount options:    user_xattr acl
>
> If not, you should enable the filesystem ACL using tune2fs, then reboot your
> machine.
>
> tune2fs -o acl /dev/sda1
>
>
> And this is why you don't use a mailing list while half asleep. I misread
> your problem. Probably still good to check that.
>
> Anyway, do you have the machine joined to its own domain? Are you running
> winbind to resolve the usernames etc?
>
> The issue you might be seeing is that while they have an owner that isn't
> there, if you use getfacl on the file it should have the ACL's to allow the
> group / user in question to read/write it. The non existent user could be
> due to winbind trying to map the user Id to an account, but you don't have
> the client side of the resolver setup, so it shows "non existent". using ls,
> check the numerical ID on the files.
>

Odd.  I certainly have the mount options in /etc/fstab, and using the
little test on the HOWTO
(https://wiki.samba.org/index.php/Samba4/HOWTO#NOTE_about_filesystem_support),
it's supposed to be working.  However, listing the filesystem options
with tune2fs shows "none" for "Default mount options".  "ext_attr"
does show as a feature in "Filesystem features" however.

To your other questions:

- I assume that provisioning the installation implicitly joined it to
the domain.  This is the only domain controller on a very small
network.  If provisioning didn't join it automatically, then no, it's
not joined to its own domain.

- Winbind isn't installed.  I followed the HOWTO, but didn't see a
step about installing winbind.

Like I say, everything else appears to be working fine.  I'm just
trying to wrap my head around the relationship between Samba's
internal users and the underlying filesystem permissions.

Thanks for your help!
Brantley


Re: [Samba] smbd crashes

2012-02-09 Thread Peter Trifonov
Hi all,

I managed to fix the problem.  The solution was to apply this patch
http://www.opensource.apple.com/source/samba/samba-235/patches/ignore-tdb-spinlock-flag
to  libtdb sources. Maybe this helps someone facing the same problem...

With best regards,
P. Trifonov


> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of Peter Trifonov
> Sent: Thursday, February 09, 2012 12:57 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] smbd crashes
> 
> Hello folks,
> 
> 
> > After upgrading from samba 3.4.9 to samba 3.6.1 on a FreeBSD 8.1 x86
> > system smbd stopped working.
> > It starts successfully, but crashes as soon as someone tries to
> > connect to a share.
> > Log file contains a lot of entries like the following:
> >
> > [2012/02/06 11:05:13,  1] lib/util_tdb.c:521(tdb_wrap_log)
> >   tdb(unnamed): tdb_open_ex: spinlocks no longer supported
> > [2012/02/06 11:05:13,  0] lib/messages_local.c:112(messaging_tdb_init)
> >   ERROR: Failed to initialise messages database: Unknown error: 0
> 
> The problem still remains  after upgrading to samba 3.6.3.
> It appears that spinlocks are somehow automatically enabled for any newly
> created database. Is there any way to avoid this behavior?
> 
> 
> 
> 
> 
> With best regards,
> P. Trifonov
