[Samba] I get a kinit: Client credentials have been revoked while getting initial credentials
I get "kinit: Client credentials have been revoked while getting initial credentials" when I try to use kinit on the latest samba4 git.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 high cpu load
On Friday 04 May 2012 08:53:25 steve wrote:
> On 04/05/12 03:23, Günter Kukkukk wrote:
> > On Monday 30 April 2012 16:04:37 steve wrote:
> >> On 05/04/12 00:55, Günter Kukkukk wrote:
> >>> On Wednesday 04 April 2012 15:33:46 steve wrote:
> OpenSUSE 12.1
> Version 4.0.0alpha19-GIT-7290a62
> >
> > I have started again to track that down.
> > Will write a test applet to catch that as simple as possible, to discuss
> > it with the gnutls devs.
> >
> > As a workaround you can use
> >
> >     tls enabled = no
> >
> > in the [global] section of smb.conf
> >
> > I'll keep you informed about my findings.
> >
> > Cheers, Günter
>
> Thanks Günter
> The workaround works fine. Please let me know if there is anything I can
> test. I've switched to Ubuntu for the moment but have left this S4
> install on openSUSE in case I can test anything.
> Cheers,
> Steve

Did some further investigations - intermediate results:

The "samba4 hang with high cpu usage" happens during "gnutls_dh_params_generate2", which calculates the Diffie-Hellman key.
One can check/simulate the same behaviour with:

    certtool --generate-dh-params --bits 1024

or, to get a file:

    certtool --generate-dh-params --bits 1024 --outfile dh1024.pem

The time it takes to calculate this key depends at least on the gnutls version used!
Using certtool -v:

    opensuse 11.4    (GnuTLS) 2.8.6     fast
    opensuse 12.1    (GnuTLS) 3.0.3     slow
    ubuntu 12.04     (GnuTLS) 2.12.14   fast

I'll do further investigations the next days.

To use TLS with samba4 with those slow versions, one can generate this DH key with certtool, as noted above.
One must then add that param file to smb.conf in the [global] section:

    tls dh params file = /path/to/dh1024.pem

I'm atm not quite sure whether this dh param file creation should be directed to cron to generate a new one - say every week ... (?)

Cheers, Günter

Some further readings:
http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg8.html
http://lists.gnu.org/archive/html/help-gnutls/2011-12/msg00012.html

Also this bug is fixed in the 3.0.3 version:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475168

The opensuse 12.1 version only reads 32 bytes (256 bit) from /dev/urandom.
One can check this with:

    strace -e trace=open,read -s12 certtool --generate-dh-params --bits 1024
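An added example, not code from Günter's post or from Samba itself: a POSIX shell script that does what the workaround above describes, generating the DH parameters ahead of time with certtool and checking that the [global] section of smb.conf names them with `tls dh params file`. It also addresses the cron question in a practical way: the parameters are written to a temporary name and renamed into place, so a scheduled rerun can never leave a half-written file for smbd to read. The file paths, the DH_BITS default and the `openssl dhparam` fallback are my assumptions; the thread only uses certtool.

```shell
#!/bin/sh
# Added example (not from the thread): pre-generate the Samba 4 TLS DH
# parameters offline so the server never runs gnutls_dh_params_generate2
# itself, then make sure smb.conf points at the file.
set -eu

SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"   # assumed location
DH_FILE="${DH_FILE:-/etc/samba/dh1024.pem}"   # assumed location
DH_BITS="${DH_BITS:-1024}"                    # size used in the thread

# Generate DH parameters into $1 with $2 bits. certtool is the GnuTLS tool
# named in the thread; openssl dhparam is an equivalent fallback (my choice).
generate_dh() {
    out="$1"; bits="$2"
    if command -v certtool >/dev/null 2>&1; then
        certtool --generate-dh-params --bits "$bits" --outfile "$out"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dhparam -out "$out" "$bits"
    else
        echo "neither certtool nor openssl found" >&2
        return 1
    fi
}

# Exit 0 if the [global] section of the smb.conf given as $1 sets
# 'tls dh params file', 1 otherwise. Other sections are ignored.
has_dh_param_line() {
    awk '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/) }
        in_global && tolower($0) ~ /^[ \t]*tls[ \t]+dh[ \t]+params[ \t]+file[ \t]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Generate into a temp file beside the target and rename atomically, so a
# cron job can replace the file while samba is running. DH parameters are
# public values, so world-readable is the right mode.
install_dh() {
    tmp="$(mktemp "$(dirname "$DH_FILE")/dh.XXXXXX")"
    generate_dh "$tmp" "$DH_BITS"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$DH_FILE"
    if ! has_dh_param_line "$SMB_CONF"; then
        echo "add to [global] in $SMB_CONF:  tls dh params file = $DH_FILE" >&2
    fi
}

case "${1:-}" in
    --install) install_dh ;;
esac
```

Run it as `sh regen_dh_params.sh --install` (name assumed) by hand or from cron. Because the parameters are public and the replacement is atomic, rerunning it is harmless; raising DH_BITS is the knob that actually matters for the strength of the TLS key exchange.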
Re: [Samba] security mask for extended ACL permissions / change of create mode for Samba
On 06/05/2012 23:59, Németh Ákos Ferenc wrote:
> Dear All,
>
> I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP) with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).
> I have a "test" directory with native Linux ACL permissions. getfacl test's output:
>
>     # file: test
>     # owner: akos
>     # group: grp
>     # flags: -s-
>     user::rwx
>     group::rwx
>     group:read:r-x
>     mask::rwx
>     other::---
>     default:user::rwx
>     default:group::rwx
>     default:group:read:r-x
>     default:mask::rwx
>     default:other::---
>
> If I create a new file (called linfile) under this directory, its permissions are the following (as I expected):
>
>     # file: linfile
>     # owner: akos
>     # group: grp
>     user::rw-
>     group::rwx                      #effective:rw-
>     group:read:r-x                  #effective:r--
>     mask::rw-
>     other::---
>
> If I create a new file (called winfile) under this directory via Samba (from another Linux machine or from another Windows machine), its permissions are the following (as I didn't expect):
>
>     # file: winfile
>     # owner: akos
>     # group: grp
>     user::rw-
>     group::rw-
>     group:read:r-x
>     mask::rwx
>     other::---
>
> My problem is regarding the read group's (extended ACL) permissions, or better said, regarding the mask of extended ACL permissions. In other words, the extended execute bit of the file disturbs me. The legacy owner group's permissions are correct because of the security mask of smb.conf, but I couldn't find a security mask which is valid for the extended permissions.
> As I read about it on the net, the base of the problem is that Linux's touch command and the samba file creation routine use different mode(?)/umask(?) to create a new file. How can I change them?
> I read the archive and the whole Google but I couldn't find a way to solve this problem, however somebody else also wrote about this issue. :-)
> Please help me and please forgive me if I only misconfigured my system. :-)
>
> The relevant part of the smb.conf:
>
>     [file-server]
>         comment = File Server
>         path = ***somewhere in the world - because of security reason***
>         browsable = yes
>         read only = no
>         guest ok = no
>         # create mask = 0660
>         # directory mask = 0770
>         security mask = 0666
>         directory security mask =
>         inherit permissions = yes
>         map archive = no
>         map hidden = no
>         map system = no
>
> AFAIK create mask and directory mask are irrelevant in case of inheritance of permissions - that's why they are uncommented.
>
> Thanks in advance for any help.
> Best regards,
> Ákos

Three days ago, I discovered the exact same issue.
I have plenty of previous samba 3.0.something samba servers on RHEL 5.6 running fine with ACLs, and they behave like expected by me and by Ákos.
But on a recent install on Ubuntu oneiric and samba 3.5..., I had to add the create and directory modes for them to respect the previous behaviour.
I took the time to check the diffs between the 'testparm -v' (please note the -v) between RHEL/smb3.0 and Ubuntu/smb3.5 but clearly saw NO difference.
So for the time being, my workaround is the use of create and dir modes, but I'd be glad to be enlightened on that situation.

--
Nicolas Ecarnot
[Samba] security mask for extended ACL permissions / change of create mode for Samba
Dear All,

I manage a Debian Squeeze GNU/Linux (with kernel 2.6.32-5-686 #1 SMP) with Samba 3.5.6 (samba 2:3.5.6~dfsg-3squeeze8 package is installed).
I have a "test" directory with native Linux ACL permissions. getfacl test's output:

    # file: test
    # owner: akos
    # group: grp
    # flags: -s-
    user::rwx
    group::rwx
    group:read:r-x
    mask::rwx
    other::---
    default:user::rwx
    default:group::rwx
    default:group:read:r-x
    default:mask::rwx
    default:other::---

If I create a new file (called linfile) under this directory, its permissions are the following (as I expected):

    # file: linfile
    # owner: akos
    # group: grp
    user::rw-
    group::rwx                      #effective:rw-
    group:read:r-x                  #effective:r--
    mask::rw-
    other::---

If I create a new file (called winfile) under this directory via Samba (from another Linux machine or from another Windows machine), its permissions are the following (as I didn't expect):

    # file: winfile
    # owner: akos
    # group: grp
    user::rw-
    group::rw-
    group:read:r-x
    mask::rwx
    other::---

My problem is regarding the read group's (extended ACL) permissions, or better said, regarding the mask of extended ACL permissions. In other words, the extended execute bit of the file disturbs me. The legacy owner group's permissions are correct because of the security mask of smb.conf, but I couldn't find a security mask which is valid for the extended permissions.
As I read about it on the net, the base of the problem is that Linux's touch command and the samba file creation routine use different mode(?)/umask(?) to create a new file. How can I change them?
I read the archive and the whole Google but I couldn't find a way to solve this problem, however somebody else also wrote about this issue. :-)
Please help me and please forgive me if I only misconfigured my system. :-)

The relevant part of the smb.conf:

    [file-server]
        comment = File Server
        path = ***somewhere in the world - because of security reason***
        browsable = yes
        read only = no
        guest ok = no
        #create mask = 0660
        #directory mask = 0770
        security mask = 0666
        directory security mask =
        inherit permissions = yes
        map archive = no
        map hidden = no
        map system = no

AFAIK create mask and directory mask are irrelevant in case of inheritance of permissions - that's why they are uncommented.

Thanks in advance for any help.
Best regards,
Ákos

--
NÉMETH, Ákos
e-mail: nemetha...@f-labor.mkt.bme.hu
web: http://f-labor.mkt.bme.hu/~akos
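An added example (not from Ákos's post or Nicolas's reply): a small awk-based checker that reads a getfacl listing and prints the effective rights of every entry the mask applies to, i.e. the rights a group or named user really gets on the file. Run over the two listings above it makes the cause of the surprise visible: the group:read:r-x entry is identical on linfile and winfile, and only the mask entry differs (rw- versus rwx), which is what caps the named group's rights. The listings embedded in the test are copied from the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the rights an ACL entry
# really grants from a getfacl listing. On Linux the mask entry caps every
# entry except user:: (the owner) and other::, so a named group's effective
# rights are (entry AND mask).
set -eu

# Print "entry effective" for every masked entry in the getfacl listing
# given as $1. "#effective:" annotations in the input are ignored and
# recomputed; "default:" entries describe inheritance, not file rights,
# and are skipped.
effective_acl() {
    awk -F: '
        { sub(/[ \t]*#.*$/, ""); sub(/[ \t]+$/, "") }   # drop comments
        $0 == "" || $1 == "default" { next }
        $1 == "mask" && NF == 3 { mask = $3; next }
        ($1 == "user" && $2 != "") || $1 == "group" {
            n++; entry[n] = $0; perm[n] = $3
        }
        END {
            if (mask == "") mask = "rwx"      # no mask entry: nothing is capped
            for (i = 1; i <= n; i++) {
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm[i], j, 1)
                    eff = eff ((c != "-" && substr(mask, j, 1) == c) ? c : "-")
                }
                printf "%s %s\n", entry[i], eff
            }
        }
    ' "$1"
}

# Show whether the effective rights differ between two listings, e.g. a
# file created locally with touch and one created through Samba in the same
# directory. Exit status 0 if identical, 1 if they differ.
compare_effective() {
    a=$(effective_acl "$1"); b=$(effective_acl "$2")
    if [ "$a" = "$b" ]; then
        echo "effective rights identical"
        return 0
    fi
    printf 'effective rights differ:\n  %s:\n%s\n  %s:\n%s\n' "$1" "$a" "$2" "$b"
    return 1
}
```

Usage: `getfacl linfile > a.txt; getfacl winfile > b.txt; compare_effective a.txt b.txt`. Because the checker recomputes effective rights from the mask instead of trusting the `#effective:` annotations, it also works on listings that were pasted into mail and lost their annotations, as the ones above did.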
[Samba] transfer users after samba upgrade to new server
Hi,

I want to transfer all of my users from an older version of samba to a new one here.
The old version is 3.0.28 and the file with user passwords is /etc/samba/smbpasswd, and the new version is 3.6.5 and there does not seem to be that file anymore.
I think the user info is now in

    /var/lib/samba/private/passdb.tdb
    /var/lib/samba/private/secrets.tdb

My question is how to transport my users to my new system? i.e. How to convert

    /etc/samba/smbpasswd --> /var/lib/samba/private/passdb.tdb

Any suggestions would be greatly appreciated.

Bill
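An added example, not code from Bill's post or a reply in the thread: a POSIX shell script that moves the accounts from a 3.0-era smbpasswd file into a 3.6 tdbsam backend with pdbedit's import/export options (`-i`/`-e`, which the thread does not mention), after validating the source file and keeping a backup of the target. The two paths are the ones Bill names; the helper names and the constructed sample lines in the test are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: migrate a Samba 3.0 smbpasswd
# file into a 3.6 tdbsam backend and confirm no account was lost.
set -eu

OLD_FILE="${OLD_FILE:-/etc/samba/smbpasswd}"                  # from the post
NEW_TDB="${NEW_TDB:-/var/lib/samba/private/passdb.tdb}"       # from the post

# Real account lines only (no blank lines, no comments).
account_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

count_accounts() {
    account_lines "$1" | wc -l | tr -d ' '
}

# smbpasswd line layout:  name:uid:LMHASH:NTHASH:[flags]:LCT-xxxxxxxx:
# A hash field is 32 hex digits, 32 X's (no hash stored) or the
# "NO PASSWORD" marker padded with X's to 32 characters.
# Reports each malformed entry on stderr; exit 1 if any was found, so a
# damaged file is noticed before anything is imported.
check_format() {
    awk -F: '
        function hashok(h) {
            return length(h) == 32 && (h ~ /^[0-9A-Fa-f]+$/ || h ~ /^X+$/ || h ~ /^NO PASSWORDX+$/)
        }
        /^[ \t]*(#|$)/ { next }
        {
            ok = NF >= 6 && $2 ~ /^[0-9]+$/ && hashok($3) && hashok($4) && $5 ~ /^\[[A-Za-z ]*\]$/
            if (!ok) { bad++; print "malformed entry: " $1 > "/dev/stderr" }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Import into the new backend and check the account count did not shrink.
migrate() {
    check_format "$OLD_FILE"
    before=$(count_accounts "$OLD_FILE")
    if [ -f "$NEW_TDB" ]; then
        cp -p "$NEW_TDB" "$NEW_TDB.bak.$(date +%Y%m%d%H%M%S)"
    fi
    pdbedit -i "smbpasswd:$OLD_FILE" -e "tdbsam:$NEW_TDB"
    after=$(pdbedit -L -b "tdbsam:$NEW_TDB" | wc -l | tr -d ' ')
    echo "source file: $before accounts; tdbsam now lists: $after"
    [ "$after" -ge "$before" ]
}

case "${1:-}" in
    --run) migrate ;;
esac
```

Run with `sh migrate_smbpasswd.sh --run` (name assumed) as root on the new server, with smbd stopped. The copied smbpasswd file holds password-equivalent NT hashes, so keep it at mode 0600 and delete it once `pdbedit -L` on the new box shows every account.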
[Samba] New unexpected behaviour when joining a domain
Good morning,

I'm running Samba 3.6.5 on a Fedora 16 box, where I configured Samba to act as a PDC. A few weeks ago everything went smoothly; I then had to change the -physical- box running linux + samba, and everything went weird since then.

First, I'm using the same smb.conf file from the previous box. The OS hasn't changed, Samba packages might have been updated, but since I update that box on an almost-daily basis, I'm not sure it could be a factor.

Some basic info:

    Linux box is called oslo (10.2.1.1 / 13), domain name is devnet
    A Win7 box (helsinki, 10.3.2.1 / 13) has to join the domain
    A Win2K8R2 box (bergen, 10.2.1.101 / 13, VM running on oslo) has to join the domain.

I've applied the registry patch (as provided on http://wiki.samba.org/index.php/Windows7) on all machines a while back; those machines were on the domain before I changed the linux box. Everything was fine then.

Now, the Win7 machine had to be rebuilt, too, from scratch. I applied the registry patch, made sure that 10.2.1.1 was present as a WINS server in its ip config and so on. I joined the domain the usual way, and allowed all domain users to use the win7 box.

Funny thing now is that I see those things in the samba server logs:

    _netr_ServerAuthenticate3: netlogon_creds_server_checkj failed. Rejecting auth request from client HELSINKI machine account HELSINKI$

(which exists in /etc/passwd and the samba backend, as shown with pdbedit -L). Not sure if this error message is valuable.

The next funny thing that shows up now is that on my windows box, the users' domain accounts on the boxes appear as c:\users\USERNAME.oslo (the linux box hostname), instead of c:\users\USERNAME.devnet (devnet being the domain name).

I'm not sure what is going on. DNS issues? WINS issues? I can provide any info you might ask. I did not include my smb.conf file yet as I did not want to clutter this mailing list, especially if someone thought of something before me posting the file.

Regards,
--
Jeff
Re: [Samba] User's home folders
On 05/04/2012 12:42 PM, Helmut Hullen wrote:
> Hello, Stefano,
>
> you wrote on 04.05.12:
>
>     #!/bin/bash
>     Login="rw,file_mode=0644,dir_mode=0755,username=zingalo,password=** ** ,noserverino"
>     smbmount //192.168.5.219/users/zingalo /mnt/samba/Dati
>
> df is
>
>     Filesystem     1K-blocks      Used Available Use% Mounted on
>     /dev/sda5       44186760   4459704  37482448  11% /
>     udev             1539868         4   1539864   1% /dev
>     tmpfs             618748       868    617880   1% /run
>     none                5120         0      5120   0% /run/lock
>     none             1546868       480   1546388   1% /run/shm
>     /dev/sda4      195262036 186862356   8399680  96% /media/44A936374932B99A
>
> Shit - no cifs share mounted.
> Maybe it's an LDAP problem ...
>
> Best regards!
> Helmut

Hi,
I have problems to mount the home directories on the client from the server. I configured pam_mount.conf.xml:

    server="amahoro" mountpoint="/home/%(USER)" ssh="0" />
    allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    smbmount //192.168.5.219/users/%(USER) /home/%(USER)
    umount /home/%(USER)

The directory /users is on the server and it's mounted; this is its line in /etc/fstab on the server:

    /dev/sdb3   /users   ext2   auto,rw   0   0

After logging in using the user zingalo the error message is:

    pam_mount(pam_mount.c:553): pam_mount 2.10: entering session stage
    pam_mount(misc.c:38): Session open: (ruid/rgid=0/0, e=0/0)
    pam_mount(pam_mount.c:614): no volumes to mount
    command: 'pmvarrun' '-u' 'zingalo' '-o' '1'
    pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/0, e=0/0)
    pam_mount(misc.c:38): set_myuid: (ruid/rgid=0/0, e=0/0)
    pmvarrun(pmvarrun.c:252): parsed count value 0
    pam_mount(pam_mount.c:440): pmvarrun says login count is 1
    pam_mount(pam_mount.c:645): done opening session (ret=0)
    No directory, logging in with HOME=/

It doesn't find the volume, and I am not sure about the /users partition in fstab on the server; is that line correct?
Thanks
[Samba] Cannot mount users home directories from a samba server
Hi,
as per the subject, I cannot mount users' home directories after login on a client. I configured pam_mount:

    path="//192.168.5.219/users/%(USER)" noroot="1" server="amahoro" mountpoint="/home/%(USER)" ssh="0" />
    allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
    smbmount
    smbmount

but the error message is "volume not found". Could you take a look at the samba and smbldap configuration files please? I am not sure everything is ok.

    [global]
    # identification
        workgroup = AMAHORO
        server string = amahoro
        security = user
    # network options
        hosts allow = 192.168.5.0/24 localhost
    # log options
        log file = /var/log/samba/log.%u
        max log size = 1000
        log level = 3
    # share access options
        encrypt passwords = yes
        null passwords = no
        security = user
        #smb passwd file = /etc/samba/smbpasswd
        username map = /etc/samba/smbusers
    #LDAP
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=Manager,dc=amahoro,dc=bi
        ldap suffix = dc=amahoro,dc=bi
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap ssl = no
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        delete user script = /usr/local/sbin/smbldap-userdel "%u"
        delete group script = /usr/local/sbin/smbldap-groupdel "%g"

    [homes]
        path = /users/%u
        browseable = no
        writable = yes
        valid users = %S
        read only = no
        guest ok = no
        admin users = %u
        write list = %u
        read list = %u
        create mask = 0700
        directory mask = 0700

    [user_data]
        comment = Leçon
        browseable = yes
        public = yes
        writable = no
        path = /user_data

and this is smbldap.conf:

    # $Source: $
    # $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
    #
    # smbldap-tools.conf : Q & D configuration file for smbldap-tools
    # This code was developped by IDEALX (http://IDEALX.org/) and
    # contributors (their names can be found in the CONTRIBUTORS file).
    #
    # Copyright (C) 2001-2002 IDEALX
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    # USA.
    #
    # Purpose :
    #   . be the configuration file for all smbldap-tools scripts

    ##
    #
    # General Configuration
    #
    ##

    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    SID="S-1-5-21-251852451-2940789264-3475694606"

    # Domain name the Samba server is in charged.
    # If not defined, parameter is taking from smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="AMAHORO"
    #realm="amahoro.bi"

    ##
    #
    # LDAP Configuration
    #
    ##

    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    #   . one master LDAP server where all writing operations must be done
    #   . one slave LDAP server where all reading operations must be done
    #     (typically a replication directory)

    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    slaveLDAP="127.0.0.1"

    # Slave LDAP port
    # If not defined, parameter is set to "389"
    slavePort="389"

    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="127.0.0.1"

    # Master LDAP port
    # If not defined, parameter is set to "389"
    #masterPort="389"
    masterPort="389"

    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also used the port 389)
    # If not defined, parameter is set to "0"
    ldapTLS="0"

    # Use SSL for LDAP
    # If set to 1, this option will use SSL for connection
    # (standard port for ldaps is 636)
    # If not defined, parameter is set to "0"
    ldapSSL="0"

    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"

    # CA certificate
    # see "man Net::LDAP" in start_tls section