Re: [Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

2012-04-05 Thread Andrew Bartlett
On Fri, 2012-04-06 at 01:38 +0300, George Diamantopoulos wrote:
> On Fri, Apr 6, 2012 at 1:17 AM, Andrew Bartlett  wrote:
> >
> > George,
> >
> > Sadly I don't follow the freeNAS bug tracker as part of my daily work.
> > If you or anyone suspects a Samba issue, then raise it in our bugzilla
> > or on these lists (samba-technical is better for Samba4, at least until
> > we release).
> >
> > If you can tell me what *exactly* you think is wrong - by example of
> > Samba4 and Windows 2008 (available for free download), I'll happily fix
> > it.
> >
> > Andrew Bartlett
> >
> > --
> > Andrew Bartlett                                http://samba.org/~abartlet/
> > Authentication Developer, Samba Team   http://samba.org
> >
> >
> 
> Andrew,
> 
> I really can't say much more other than what's already in the ticket
> ("[...] samba 4 puts the unique 'netbios' identifier in the 'cn'
> attribute, not the 'nETBIOSName' attribute [...]"). The reason why I
> believe I've run into this bug is that I'm getting an error with a
> reference to "nETBIOSName" upon opening the CIFS configuration panel
> on FreeNAS.
> 
> I would post this on samba-technical, but I have very little
> understanding of the internals so I think it would be more of a
> nuisance than helping out the project. However, if you believe
> otherwise, I'd be happy to do so.

I'm sorry to be blunt, but please tell me
 - exactly on which ldap object
 - exactly the difference between us and Windows

Please do that by showing the comparative output of

 ldbsearch -H ldap://sambadc -s base -b  -Uadmin%pass
 ldbsearch -H ldap://windowsdc -s base -b  -Uadmin%pass

I'm sorry, but what is clear to you is not clear to me, and the
specifics will help us fix the bug, and write a test to ensure it does
not re-occur. 

On where to post, posting to this list is a good way to have your
concerns lost in the flood of discussion.  While we wait for our first
release, we handle Samba4 AD issues on the samba-technical list to
ensure they are seen and handled.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

2012-04-05 Thread George Diamantopoulos
On Fri, Apr 6, 2012 at 1:17 AM, Andrew Bartlett  wrote:
>
> George,
>
> Sadly I don't follow the freeNAS bug tracker as part of my daily work.
> If you or anyone suspects a Samba issue, then raise it in our bugzilla
> or on these lists (samba-technical is better for Samba4, at least until
> we release).
>
> If you can tell me what *exactly* you think is wrong - by example of
> Samba4 and Windows 2008 (available for free download), I'll happily fix
> it.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>

Andrew,

I really can't say much more other than what's already in the ticket
("[...] samba 4 puts the unique 'netbios' identifier in the 'cn'
attribute, not the 'nETBIOSName' attribute [...]"). The reason why I
believe I've run into this bug is that I'm getting an error with a
reference to "nETBIOSName" upon opening the CIFS configuration panel
on FreeNAS.

I would post this on samba-technical, but I have very little
understanding of the internals so I think it would be more of a
nuisance than helping out the project. However, if you believe
otherwise, I'd be happy to do so.

George

[Samba] RESOLVED CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-05 Thread Errol Neal

Errol Neal  wrote:
> This project has been on my bucket list for a long time with 
> a higher priority than say visiting Japan :)
> For the last several days, I've been knee deep in XCP, OCFS2, Samba, CTDB and 
> Pacemaker; trying to get all these technologies to coalesce into one 
> solution, and I think I'm at the last mile. 
> I finally have two debian squeeze VMs (BIM AND BAM) on XCP 1.0 that are 
> running Samba 3.6 in an HA configuration! But I have one small problem.. when 
> I connect to a share on the cluster IP (pacemaker IPaddr2 resource), I get an 
> access denied and an error in log.ctdb:
> 



The problem was my smb.conf file. I changed my idmap config to be idmap config 
* versus FOO and my idmap config backend to be tdb. 

The symptoms were that wbinfo -u and -g were returning groups and users, but 
getent wasn't and wbinfo -i wasn't working either..

Hope this helps someone in the future.


Re: [Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

2012-04-05 Thread Andrew Bartlett
On Fri, 2012-04-06 at 01:08 +0300, George Diamantopoulos wrote:

> That might have been the case, after all. FreeNAS AD Web Config has a
> non-intuitive field called "Host Name (NetBIOS-Name)" where I put
> ADPDC in at first, then changed it to freenas. I've reinstalled
> everything on clean VMs now and it seems to be working.
> 
> User authentication on computers I had previously joined to the domain
> however is a little tricky now (for example, I need to explicitly set
> NT style domain in the username field such as SYNDOM\Administrator in
> order for login to work), but I've been changing so many settings I
> might have caused this. I guess I'll have to reinstall Windows on
> them. When FreeNAS authenticates, I get "Selected protocol [8][NT
> LANMAN 1.0]" on the samba4 console, and freenas logs print "freenas
> freenas: Using short domain name -- SYNDOM".
> 
> On a side note, isn't the samba4 server supposed to join itself to the
> AD domain when running the provision script? At least that's what I
> get on STDOUT after running provision...
> 
> It now seems I've run into this bug, though:
> http://support.freenas.org/ticket/1135 (which has a won't fix status
> from FreeNAS devs). It's a pity because samba4 and FreeNAS integration
> can prove very useful in some situations.
> There are not many references to this online, however. I think I
> spotted a discussion somewhere between a samba developer (I can't
> remember who it was) and a user (not sure either) where it was
> mentioned that it's most probably a samba 3/4 incompatibility issue
> and that it wouldn't be too hard to fix. Unfortunately I have been
> unable to find more information on this matter, and whether this .

George,

Sadly I don't follow the freeNAS bug tracker as part of my daily work.
If you or anyone suspects a Samba issue, then raise it in our bugzilla
or on these lists (samba-technical is better for Samba4, at least until
we release). 

If you can tell me what *exactly* you think is wrong - by example of
Samba4 and Windows 2008 (available for free download), I'll happily fix
it. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba 4 KVNO mismatch - Failure to join AD domain (Windows & Freenas)

2012-04-05 Thread George Diamantopoulos
On Wed, Apr 4, 2012 at 1:22 PM, Andrew Bartlett  wrote:
> On Fri, 2012-03-30 at 00:02 +0300, George Diamantopoulos wrote:
>> Hello all,
>>
>> I've run into the issue described here:
>> http://lists.samba.org/archive/samba-technical/2010-September/073075.html
>>
>> To sum it up, I installed samba4 from git on a debian wheezy system.
>> Initially, I was able to join Windows 7 clients to the AD controller.
>> However, trying to get freenas 8 to join has been failing. In the end,
>> trying to get it to work I changed administrator's password (via
>> dsa.msc) which broke AD joining for windows clients too. KVNO in
>> secrets.keytab file has always been "1". Could this mismatch be the
>> cause of the failures?
>>
>> I rebooted all clients (to get rid of stale tickets) to no avail. The
>> only way to fix this was to run the provision script again, but now
>> samba is not very stable (I managed to join the AD domain, but upon
>> login I get The security database on the server does not have a
>> computer account for this workstation trust relationship).
>>
>> I really don't know where to start. Do you think using samba from
>> debian SID would be wiser than building from git? Are there any other
>> errors in the log I didn't spot? Is KVNO mismatch the reason joining
>> fails, or are there more errors?
>
> Samba is best installed from git.
>
> As to the KVNO mismatch, have you somehow installed a client with the
> same name as the server (ADPDC), or attempted to 'join' the server to
> itself? That can cause this kind of thing.
>
> Changing the administrator password won't be the issue, but if anything
> (a join, or reset with any tool) of the machine account password
> certainly could update sam.ldb but not the local
> secrets.ldb/secrets.keytab.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>

Thanks for the reply.

That might have been the case, after all. FreeNAS AD Web Config has a
non-intuitive field called "Host Name (NetBIOS-Name)" where I put
ADPDC in at first, then changed it to freenas. I've reinstalled
everything on clean VMs now and it seems to be working.

User authentication on computers I had previously joined to the domain
however is a little tricky now (for example, I need to explicitly set
NT style domain in the username field such as SYNDOM\Administrator in
order for login to work), but I've been changing so many settings I
might have caused this. I guess I'll have to reinstall Windows on
them. When FreeNAS authenticates, I get "Selected protocol [8][NT
LANMAN 1.0]" on the samba4 console, and freenas logs print "freenas
freenas: Using short domain name -- SYNDOM".

On a side note, isn't the samba4 server supposed to join itself to the
AD domain when running the provision script? At least that's what I
get on STDOUT after running provision...

It now seems I've run into this bug, though:
http://support.freenas.org/ticket/1135 (which has a won't fix status
from FreeNAS devs). It's a pity because samba4 and FreeNAS integration
can prove very useful in some situations.
There are not many references to this online, however. I think I
spotted a discussion somewhere between a samba developer (I can't
remember who it was) and a user (not sure either) where it was
mentioned that it's most probably a samba 3/4 incompatibility issue
and that it wouldn't be too hard to fix. Unfortunately I have been
unable to find more information on this matter, and whether this .

George

[Samba] Samba 3 Windows 7 Temporary Profile on 2nd Login

2012-04-05 Thread Ben Clayton

Hi,

I'm bashing my head against a brick wall against a strange Win7 domain 
login issue.


We have a Samba 3 CentOS server which for some months has been a problem 
free PDC for a network of about 15 Win7Pro64 clients in a school.


Recently, for some reason, the following situation has now arisen:
* After client PC reboot, domain login is fine.
* After logging out of windows, any attempt to log in again immediately 
leads to a temporary profile being loaded.
* If the client PC is left unused for several minutes, or is rebooted, 
logging in normally is possible again.


I've tried quite a number of things, including rolling back a client PC 
to an image from well before the problem occurred and removing the 
antivirus from a client PC, and nothing seems to make any difference.


If I set "Do not log users on with temporary profiles" on a client PC 
via gpedit.msc, I get an error "The user profile service failed the 
login. User profile cannot be loaded" if I try to re-log-on too soon, 
and this seems to reset the timer on when login will be possible again 
to requiring a further 2 or 3 minute delay.


After a couple of days of googling and testing, this is sending me a bit 
crazy. Has anyone else encountered a similar situation and solved or 
worked around it? Or does anyone have any insight into possible causes?


Many thanks,
Ben Clayton
Irax Ltd.




[Samba] CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-05 Thread Errol Neal

Errol Neal  wrote:
> This project has been on my bucket list for a long time with 
> a higher priority than say visiting Japan :)
> For the last several days, I've been knee deep in XCP, OCFS2, Samba, CTDB and 
> Pacemaker; trying to get all these technologies to coalesce into one 
> solution, and I think I'm at the last mile. 
> I finally have two debian squeeze VMs (BIM AND BAM) on XCP 1.0 that are 
> running Samba 3.6 in an HA configuration! But I have one small problem.. when 
> I connect to a share on the cluster IP (pacemaker IPaddr2 resource), I get an 
> access denied and an error in log.ctdb:
> 
> 


I should also mention that I'm running Samba 3.6.3 from squeeze-backports.

root@BAM:/etc/samba# dpkg --list | grep samba
ii  samba             2:3.6.3-1~bpo60+2   SMB/CIFS file, print, and login server for Unix
ii  samba-common      2:3.6.3-1~bpo60+2   common files used by both the Samba server and client
ii  samba-common-bin  2:3.6.3-1~bpo60+2   common files used by both the Samba server and client


Re: [Samba] CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-05 Thread Errol Neal
Nicolas Ecarnot  wrote:
> On 05/04/2012 16:55, Errol Neal wrote:
>  >[...]
> 
> What does your ctdb config file look like?

Apologies for excluding that..

root@BAM:/etc/samba# cat /etc/default/ctdb
# CTDB-RA: Auto-generated by /usr/lib/ocf/resource.d//heartbeat/CTDB, backup is at /etc/default/ctdb.ctdb-ra-orig
CTDB_MONITOR_FREE_MEMORY=100
CTDB_SAMBA_SKIP_SHARE_CHECK=yes
CTDB_MANAGES_SAMBA=yes
CTDB_MANAGES_WINBIND=yes



Re: [Samba] Can CTDB respawn Samba?

2012-04-05 Thread David Disseldorp
Hi Nicolas,

On Tue, 03 Apr 2012 16:21:22 +0200
Nicolas Ecarnot  wrote:

> There is a builtin method for ctdb to monitor smb - My log files are 
> showing me that the port 445 gets monitored, and ctdb becomes unhealthy 
> when it fails to reach it.
> But is there a builtin method to react to such event and restart samba 
> daemon?

Not builtin AFAICT, there are a couple of options though.
- Parse the output of ctdb status, checking for UNHEALTHY node status.
  Restart ctdbd if detected, which results in an smbd restart.
  This (crude) method is used by newer versions of the Linux-HA CTDB
  resource-agent - http://linux-ha.org/wiki/CTDB_%28resource_agent%29
- Intercept transition to UNHEALTHY state by specifying a
  CTDB_NOTIFY_SCRIPT call-out.

Detecting specifically for the presence of smbd in the above methods
should be easy enough using `ctdb eventscript monitor/startup`.

Cheers, David
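
The first option above, sketched as an added example (it is not part of David's message and not the Linux-HA resource agent's code): read `ctdb status` output, take the flags on the `(THIS NODE)` line, and decide whether to restart ctdbd. The function names, the constructed sample status text and the init-script restart command are assumptions.

```shell
#!/bin/sh
# Added example: watchdog logic built on `ctdb status` output.

# Print the state flags of the local node, given `ctdb status` text on stdin.
# Node lines look like:  pnn:1 172.24.100.200   OK (THIS NODE)
# Exits non-zero when no THIS NODE line is present (e.g. ctdbd is not running).
this_node_state() {
    awk '/^pnn:[0-9]+ / && /\(THIS NODE\)/ {
             sub(/[ \t]*\(THIS NODE\)[ \t]*$/, "")   # drop the marker
             $1 = ""; $2 = ""                        # drop pnn and address
             gsub(/^[ \t]+|[ \t]+$/, "")             # trim what is left
             print; found = 1; exit
         }
         END { if (!found) exit 1 }'
}

# Succeeds when the flags contain UNHEALTHY, alone or combined with other
# flags in a "|"-separated list such as "UNHEALTHY|DISABLED".
is_unhealthy() {
    case "|$1|" in
        *"|UNHEALTHY|"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decide what the watchdog should do for a given status text.
# Prints "restart", "ok", or "unknown" (no local node line found).
watchdog_decision() {
    state=$(printf '%s\n' "$1" | this_node_state) || { echo unknown; return; }
    if is_unhealthy "$state"; then echo restart; else echo ok; fi
}

# Constructed sample: status output in the format shown elsewhere in this
# thread, with the local node flipped to UNHEALTHY.
SAMPLE_STATUS='Number of nodes:2
pnn:0 172.24.100.201   OK
pnn:1 172.24.100.200   UNHEALTHY (THIS NODE)
Generation:927649812'

# Live use (assumption: ctdbd is restarted through its init script; use
# whatever your distribution or cluster manager provides instead):
#   [ "$(watchdog_decision "$(ctdb status 2>/dev/null)")" = restart ] &&
#       /etc/init.d/ctdb restart
echo "sample decision: $(watchdog_decision "$SAMPLE_STATUS")"
```

Only the local node's flags are acted on; an UNHEALTHY peer is left to its own watchdog.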


Re: [Samba] CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-05 Thread Nicolas Ecarnot

On 05/04/2012 16:55, Errol Neal wrote:
>[...]

What does your ctdb config file look like?

--
Nicolas Ecarnot


[Samba] CTDB and Pacemaker - last mile!!! - CTDB complains cluster IP is not a public address

2012-04-05 Thread Errol Neal
This project has been on my bucket list for a long time with a higher priority 
than say visiting Japan :)
For the last several days, I've been knee deep in XCP, OCFS2, Samba, CTDB and 
Pacemaker; trying to get all these technologies to coalesce into one solution, 
and I think I'm at the last mile. 
I finally have two debian squeeze VMs (BIM AND BAM) on XCP 1.0 that are running 
Samba 3.6 in an HA configuration! But I have one small problem.. when I connect 
to a share on the cluster IP (pacemaker IPaddr2 resource), I get an access 
denied and an error in log.ctdb:

 Could not add client IP 172.24.100.202. This is not a public address.


Here is my smb.conf on pastebin:

http://pastebin.com/raw.php?i=Jdks4UmK

Here is my crm configure show:

node BAM 
node BIM
primitive ctdb ocf:heartbeat:CTDB \
params ctdb_recovery_lock="/mnt/ctdb.lock" ctdb_manages_samba="yes" ctdb_manages_winbind="yes" ctdb_start_as_disabled="no" \
op monitor interval="10" timeout="30" \
op start interval="0" timeout="90" \
op stop interval="0" timeout="100"
primitive dlm ocf:pacemaker:controld \
op monitor interval="120s"
primitive ip ocf:heartbeat:IPaddr2 \
params ip="172.24.100.202" clusterip_hash="sourceip-sourceport" \
op monitor interval="60s"
primitive o2cb ocf:pacemaker:o2cb \
op monitor interval="120s"
primitive sharedFS ocf:heartbeat:Filesystem \
params options="acl,localalloc=16,atime_quantum=86400" device="/dev/xvdc1" directory="/mnt" fstype="ocfs2" \
op start interval="0" timeout="60" \
op stop interval="0" timeout="60"
clone ctdb-clone ctdb \
meta globally-unique="false" interleave="true" target-role="Started"
clone dlm-clone dlm \
meta globally-unique="false" interleave="true"
clone ip-clone ip \
meta globally-unique="true" target-role="Started"
clone o2cb-clone o2cb \
meta globally-unique="false" interleave="true" target-role="Started"
clone sharedFS-clone sharedFS \
meta globally-unique="false" interleave="true" target-role="Started"
colocation ip-with-ctdb inf: ip-clone ctdb-clone
colocation o2cb-with-dlm inf: o2cb-clone dlm-clone
order start-ctdb-after-sharedFS inf: sharedFS-clone ctdb-clone
order start-ip-after-ctdb inf: ctdb-clone ip-clone
order start-o2cb-after-dlm inf: dlm-clone o2cb-clone
order start-sharedFS-after-o2cb inf: o2cb-clone sharedFS-clone
property $id="cib-bootstrap-options" \
no-quorum-policy="ignore" \
stonith-enabled="false" \
dc-version="1.1.6-9971ebba4494012a93c03b40a2c58ec0eb60f50c" \
cluster-infrastructure="openais" \
expected-quorum-votes="2" \
last-lrm-refresh="1333632988"

Here is the result of crm resource show:

 Clone Set: dlm-clone [dlm]
 Started: [ BIM BAM ]
 Clone Set: o2cb-clone [o2cb]
 Started: [ BIM BAM ]
 Clone Set: sharedFS-clone [sharedFS]
 Started: [ BAM BIM ]
 Clone Set: ctdb-clone [ctdb]
 Started: [ BAM BIM ]
 Clone Set: ip-clone [ip] (unique)
 ip:0   (ocf::heartbeat:IPaddr2) Started
 ip:1   (ocf::heartbeat:IPaddr2) Started


Here is the result of ctdb status:


Number of nodes:2
pnn:0 172.24.100.201   OK
pnn:1 172.24.100.200   OK (THIS NODE)
Generation:927649812
Size:2
hash:0 lmaster:0
hash:1 lmaster:1
Recovery mode:NORMAL (0)
Recovery master:0


When I set public_addresses in /etc/ctdb - that sends the system into a tail 
spin:

2012/04/05 09:20:35.82 [recoverd:17432]: We are still serving a public address '172.24.100.202' that we should not be serving.
2012/04/05 09:20:35.888945 [recoverd:17432]: Trigger takeoverrun
2012/04/05 09:20:35.892438 [17356]: server/ctdb_takeover.c:813 release_ip of IP 172.24.100.202 is known to the kernel, but we have no interface assigned, has someone manually configured it? Ignore for now.

Any thoughts? I'm so close (I think)!


[Samba] CHOWN

2012-04-05 Thread sandy . napoles
Hello list, here is the procedure to permit users created in Active
Directory to log in to the samba4 server, using pam_winbind

Installing and configuring

Ensure that you built Samba 4 with libpam0g-dev installed on your system.
If not, install the PAM development libraries and re-compile Samba 4 from
the ./configure.developer stage. Install pam_winbind.so in the usual
place:

1. ln -s /usr/local/samba/lib/pam_winbind.so /lib/security
Check that you have a similar entry in smb.conf:

[global]
template shell = /bin/bash

2. Restart your samba 4 server
Note: The following actions can cause you not to be able to connect to
your system if you do something wrong. You are invited to make a backup
of your previous configuration and to have a spare connection to the
server as root to be able to restore them in case of problem.

3. Files to modify:

/etc/pam.d/common-auth
Add this line before pam_unix.so:
auth  sufficient  pam_winbind.so
Also add the option use_first_pass to the pam_unix.so line

/etc/pam.d/common-account
Add this line before pam_unix.so:
account sufficient pam_winbind.so

/etc/pam.d/common-session
Add these lines before any other session line:
session required pam_mkhomedir.so
session required pam_winbind.so

Testing

Check that getent passwd returns a correct entry:
getent passwd
...
ssh administrator@10.0.100.1
...

It's important that the shell must be a real shell (and not /bin/false).

Check that you can connect as a non domain user (ie. root or any other
account that used before
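
A way to verify the three file edits from step 3 before logging out of the spare root session, as an added example that is not part of the original message: the script checks only the ordering and options the procedure names. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: lint a pam.d directory against step 3 of the message above.

# Line number of the first active TYPE entry that loads MODULE (empty if none).
first_line() {   # usage: first_line TYPE MODULE FILE
    awk -v t="$1" -v m="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == t { for (i = 2; i <= NF; i++) if ($i == m) { print NR; exit } }
    ' "$3"
}

# Succeeds when MODULE_A's first TYPE entry precedes MODULE_B's first entry.
comes_before() {   # usage: comes_before TYPE MODULE_A MODULE_B FILE
    a=$(first_line "$1" "$2" "$4")
    b=$(first_line "$1" "$3" "$4")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# Print one FAIL line per deviation; the return status is the number found.
check_pam_dir() {   # usage: check_pam_dir DIR
    d=$1; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    comes_before auth pam_winbind.so pam_unix.so "$d/common-auth" ||
        fail "common-auth: pam_winbind.so is not before pam_unix.so"
    awk '!/^[ \t]*#/ && $1 == "auth" && /pam_unix\.so/ && /use_first_pass/ { ok = 1 }
         END { exit !ok }' "$d/common-auth" ||
        fail "common-auth: pam_unix.so line lacks use_first_pass"
    comes_before account pam_winbind.so pam_unix.so "$d/common-account" ||
        fail "common-account: pam_winbind.so is not before pam_unix.so"

    # "Before any other session line": both modules must be in the first two.
    first2=$(awk '!/^[ \t]*#/ && $1 == "session" { print; if (++n == 2) exit }' \
                 "$d/common-session")
    for m in pam_mkhomedir.so pam_winbind.so; do
        case $first2 in
            *"$m"*) ;;
            *) fail "common-session: $m is not among the first two session lines" ;;
        esac
    done
    return "$bad"
}

# Constructed sample: a minimal stack after applying the steps above.
write_sample() {   # usage: write_sample DIR
    mkdir -p "$1"
    cat > "$1/common-auth" <<'EOF'
# constructed sample
auth  sufficient  pam_winbind.so
auth  required    pam_unix.so nullok_secure use_first_pass
EOF
    cat > "$1/common-account" <<'EOF'
account sufficient pam_winbind.so
account required   pam_unix.so
EOF
    cat > "$1/common-session" <<'EOF'
session required pam_mkhomedir.so
session required pam_winbind.so
session required pam_unix.so
EOF
}

demo=$(mktemp -d)
write_sample "$demo"
check_pam_dir "$demo" && echo "sample stack matches the procedure"
rm -rf "$demo"
```

On a real host, run `check_pam_dir /etc/pam.d` while the spare root connection is still open.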


Re: [Samba] Samba4 high cpu load

2012-04-05 Thread steve

On 05/04/12 10:54, steve wrote:

On 05/04/12 10:33, NdK wrote:

On 05/04/2012 09:39, steve wrote:
Nope. Doesn't fix it. We have deleted Gnome-keyring and the pkcs11 
packages. After a reboot it is back to the 5 minute wait.


The 'can't connect to socket' error has however gone. The wait is back:-(
openSUSE 5 minutes. Ubuntu 30 seconds.
Cheers,
Steve



Re: [Samba] Samba4 high cpu load[SOLVED]

2012-04-05 Thread steve

On 05/04/12 10:33, NdK wrote:
> On 05/04/2012 09:39, steve wrote:
>
>> Are we losing anything (on a server) by not having the stuff we've
>> removed? I don't think so.
>
> Yes: the ability to use a TPM (or other HW keystore like smartcards) as
> the private key store -- if your server gets compromised, all the
> keys/certs on it must be revoked and re-issued.
>
> But probably you aren't interested in such a thing. BTW I agree that 5
> minutes is really too much time (much more than needed to generate a
> 2048-bit RSA key on a smartcard!).
>
> BYtE,
>   Diego.

I think that's OK for us. Either that or we'll have to go back to the 
wait. I don't think openSUSE will entertain bugzillas against alpha 
releases:-(


How about taking a copy of /usr/local/samba/private home with us on a 
removable drive instead?


Cheers,
Steve


Re: [Samba] Samba4 high cpu load[SOLVED]

2012-04-05 Thread NdK
On 05/04/2012 09:39, steve wrote:

> Are we losing anything (on a server) by not having the stuff we've
> removed? I don't think so.
Yes: the ability to use a TPM (or other HW keystore like smartcards) as
the private key store -- if your server gets compromised, all the
keys/certs on it must be revoked and re-issued.

But probably you aren't interested in such a thing. BTW I agree that 5
minutes is really too much time (much more than needed to generate a
2048-bit RSA key on a smartcard!).

BYtE,
 Diego.


Re: [Samba] Samba4 high cpu load[SOLVED]

2012-04-05 Thread steve

On 05/04/12 00:55, Günter Kukkukk wrote:
> On Wednesday 04 April 2012 15:33:46 steve wrote:
>> OpenSUSE 12.1
>> Version 4.0.0alpha19-GIT-7290a62
>>
>> Upon starting, s4 burns the CPU for around 5 minutes:
>>
>>   PID USER  PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
>>  3672 root  20   0 72780  20m 2388 R 95.4  1.1   0:36.84 samba
>>
>> After which all is well. Maybe this is just openSUSE as on Ubuntu it's
>> less than 5 minutes (but still there).
>>
>> Any ideas?
>> Cheers,
>> Steve
>
> Further investigation showed that pkcs11 was using the gnome-keyring module
> /usr/lib/pkcs11/gnome-keyring-pkcs11.so
> This module was also displaying the strange string "WARNING! no socket to connect to"
> (see also /etc/pkcs11/modules/* )
> Btw - i'm running KDE here.
>
> I de-installed gnome-keyring and most pkcs11 related stuff - and the s4 hang
> was gone!  :-)
>
> It already took me a lot of time those days - so i did no further 
> investigations ...
> Possibly it's enough to only de-install gnome-keyring.

Excellent observations. I can confirm that both Gnome-keyring _and_ the 
pkcs11 packages have to be removed.


The 5 minute delay in startup is now down to 2 seconds and the 'no 
socket to connect to' message has gone too. I can live with that:-)


Are we losing anything (on a server) by not having the stuff we've 
removed? I don't think so.

Thanks for the help.
Steve