[Samba] Samba4 - create a new auxiliary classe in AD
Hello

I've migrated from Samba3 to Samba4 using this howto: http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO : ok! great!

Now I want to create a new auxiliary class in AD by using mmc - Schéma Active Directory. I've generated the object OID using the script: http://www.microsoft.com/technet/scriptcenter/scripts/ad/domains/addmvb03.mspx?mfr=true

I've added to the root OID: root OID.1.1

But I have the following error: Server doesn't wish to process this request (in reality my message is in French: le serveur ne souhaite pas traiter la requête)

So how can I modify the AD schema with Samba4?

Thanks

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Phone: 04.90.27.57.44
E-mail: h.hen...@isc84.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba4: winbind separator
Hi

When I try and login as a domain user called s3:

su MARINA\\s3

I get:

Kerberos: AS-REQ marin...@hh3.site from ipv4:192.168.1.2:50945 for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- marin...@hh3.site: no such entry found in hdb

Kerberos is not seeing the winbind separator. So I try

winbind separator = +

wbinfo -i s3
MARINA+s3:*:328:20513::/home/MARINA/s3:/bin/bash

getent passwd s3
MARINA+s3:*:328:20513::/home/MARINA/s3:/bin/bash

This time it sees the separator but still no login:

Kerberos: AS-REQ marina...@hh3.site from ipv4:192.168.1.2:56583 for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- marina...@hh3.site: no such entry found in hdb

But s3 can kinit fine:

kinit s3
Password for s...@hh3.site:
Warning: Your password will expire in 41 days on Tue Jul 3 09:45:30 2012

Could this be pam?

Cheers,
Steve
Re: [Samba] Grant only one AD group to samba share ?
On 21/05/12 23:36, Dale Schroeder wrote:
On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...

chgrp My\ Group /media/share
chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right? Probably I am missing something, or you guys need more information. Any thoughts?

Hi

Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:

chgrp MYDAOMAIN\\My\ Group /media/share

Cheers,
Steve
Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?
Thanks Jonathan, I missed that. So, zfsacl is provided by Oracle. Should I favor acl_xattr besides zfsacl?

Dragos

On Fri, May 18, 2012 at 1:10 PM, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
On Fri, 2012-05-18 at 09:18 +0300, Pacher Dragos wrote:

Dear list,

Setup is: Solaris 11 ZFS + Samba 3.5.10

What is the recommended way nowadays of performing strict permissions mapping between Samba and Windows NT 6.1? And a broader question: is it desirable? As we know ZFS has native NFSv4 ACL's and this would mean that permissions applied on Windows side should have an exact match on the ZFS side. Is the acl_xattr module still needed?

Example:

[samba]
path=/export/home/samba
writable=yes
vfs objects=acl_xattr

By the way: acl_xattr is production ready now if I am not mistaken?

I would imagine that you want to be using the vfs_zfsacl module if you are running on Solaris with ZFS. Note that NFSv4 ACL's don't exactly match Windows ACL's either, though they are a close match.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?
On Tue, 2012-05-22 at 12:34 +0300, Pacher Dragos wrote:

Thanks Jonathan, I missed that. So, zfsacl is provided by Oracle.

I have no idea as I don't use Solaris

Should I favor acl_xattr besides zfsacl ?

I would have thought that zfsacl which stores the ACL's as native NFSv4 ACL's would be preferable. My personal experience is with vfs_gpfs and GPFS to store the Windows ACL's as native NFSv4 ACL's in GPFS.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
[Samba] samba4 (The trust relationship between this workstation and the primary domain failed )
Hello everyone

I have configured samba4 as per the details provided on the samba how-to homepage. Now I can successfully add my windows XP and windows 7 machine to the domain. I logged in to the windows XP machine as domain administrator and created a user using dsa.msc

The user is able to login on the windows XP machine, but when I tried to login on windows 7 this is the error which I get:

The trust relationship between this workstation and the primary domain failed.

I have tried all the registry tweaks available on the samba page but could not get a fix. Can anyone please help me overcome this problem. I am not at all able to login to the windows 7 machine
Re: [Samba] Samba4 - create a new auxiliary classe in AD
I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.

Another question: my functional level (domain and forest) is 2003, can I grow it to 2008R2?

Regards

On 22/05/2012 11:42, Lukasz Zalewski wrote:
On 22/05/12 07:37, Hervé Hénoch wrote:

Hello

I've migrated from Samba3 to Samba4 using this howto: http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO : ok! great!

Now I want to create a new auxiliary class in AD by using mmc - Schéma Active Directory. I've generated the object OID using the script: http://www.microsoft.com/technet/scriptcenter/scripts/ad/domains/addmvb03.mspx?mfr=true

Hi

Which version of Samba 4 are you using? In later versions you have to explicitly allow schema modifications by adding the following to smb.conf

dsdb:schema update allowed = yes

HTH
L

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Phone: 04.90.27.57.44
E-mail: h.hen...@isc84.org
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 22/05/12 10:49, Hervé Hénoch wrote:

I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.

Another question: my functional level (domain and forest) is 2003, can I grow it to 2008R2?

Hi,

samba-tool allows you to raise the functional level (for both the domain and the forest - check the options), i.e.

./samba-tool domain level
Usage: samba-tool domain level (show|raise options) [options]

But I have not used it myself.

L
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 22/05/12 07:37, Hervé Hénoch wrote:

Hello

I've migrated from Samba3 to Samba4 using this howto: http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO : ok! great!

Now I want to create a new auxiliary class in AD by using mmc - Schéma Active Directory. I've generated the object OID using the script: http://www.microsoft.com/technet/scriptcenter/scripts/ad/domains/addmvb03.mspx?mfr=true

Hi

Which version of Samba 4 are you using? In later versions you have to explicitly allow schema modifications by adding the following to smb.conf

dsdb:schema update allowed = yes

HTH
L
Re: [Samba] Samba4 - create a new auxiliary classe in AD
I've tried to raise the level of both the domain and the forest with the command (with a functional samba4 test server):

samba-tool domain level raise --forest-level=2008_R2 --domain-level=2008_R2

And everything worked for me:

Domain function level changed!
Forest function level changed!
All changes applied successfully!

Thank you very much.

On 22/05/2012 11:57, Lukasz Zalewski wrote:
On 22/05/12 10:49, Hervé Hénoch wrote:

I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.

Another question: my functional level (domain and forest) is 2003, can I grow it to 2008R2?

Hi,

samba-tool allows you to raise the functional level (for both the domain and the forest - check the options), i.e.

./samba-tool domain level
Usage: samba-tool domain level (show|raise options) [options]

But I have not used it myself.

L

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Phone: 04.90.27.57.44
E-mail: h.hen...@isc84.org
Re: [Samba] Samba4: winbind separator [SOLVED]
On 22/05/12 09:56, steve wrote:

Hi

When I try and login as a domain user called s3:

Could this be pam?

Cheers,
Steve

Yes it was. For the record, you need to build with the pam devel headers. On openSUSE that's libpam-dev

Cheers,
Steve

Oh, whilst I'm here, we are finding that having to have all home directories in one place is restricting. There doesn't seem to be a way of replacing /home/DOMAIN/user with e.g. /home/DOMAIN/what-we-want/user.

Cheers,
Steve
Re: [Samba] Can't populate LDAP directory with smbldap-populate
It seems that the issue was due to an old perl-LDAP module. I have updated with perl-LDAP-0.34-6.fc12 from Fedora Core 12 and now all works fine.

# smbldap-populate -a Administrator -g 1 -l 1 -r 1 -u 1
Populating LDAP directory for domain SYSADM (S-1-5-21-206255134-223837211-2022137911)
(using builtin directory structure)
adding new entry: dc=sys-adm,dc=local
adding new entry: ou=Users,dc=sys-adm,dc=local
adding new entry: ou=Groups,dc=sys-adm,dc=local
adding new entry: ou=Computers,dc=sys-adm,dc=local
adding new entry: ou=Idmap,dc=sys-adm,dc=local
adding new entry: sambaDomainName=SYSADM,dc=sys-adm,dc=local
adding new entry: uid=Administrator,ou=Users,dc=sys-adm,dc=local
adding new entry: uid=nobody,ou=Users,dc=sys-adm,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=sys-adm,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=sys-adm,dc=local
Please provide a password for the domain Administrator:
Changing UNIX and samba passwords for Administrator
New password: ***
Retype new password: ***

# smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=sys-adm,dc=local
objectClass: top,person,organizationalPerson,inetOrgPerson,sambaSamAccount,posixAccount,shadowAccount
uid: Administrator
cn: Administrator
sn: Administrator
gidNumber: 0
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SRV\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-206255134-223837211-2022137911-512
sambaSID: S-1-5-21-206255134-223837211-2022137911-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 0AFA9EFC9DE20294AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 8F4BC1891E1050BDB614E72625AC2D7B
sambaPwdLastSet: 1337682668
sambaPwdMustChange: 1341570668
userPassword: {SSHA}ux+8irlDG6QkyFr0iswpw/iX1QJhOFFv
shadowLastChange: 15482
shadowMax: 45

On Mon, May 21, 2012 at 6:44 PM, Alex Domoradov alex@gmail.com wrote:

It seems that this issue is RHEL/CentOS related. I have tried the following:

Install smbldap-tools-0.9.8 on Debian squeeze, locate smbldap.conf to my test server with CentOS-5.8. All works fine

# smbldap-populate -a Administrator -g 1 -l 1 -r 1 -u 1
Populating LDAP directory for domain SYSADM (S-1-5-21-206255134-223837211-2022137911)
(using builtin directory structure)
adding new entry: dc=sysadm,dc=local
adding new entry: ou=Users,dc=sysadm,dc=local
adding new entry: ou=Groups,dc=sysadm,dc=local
adding new entry: ou=Computers,dc=sysadm,dc=local
adding new entry: ou=Idmap,dc=sysadm,dc=local
adding new entry: uid=Administrator,ou=Users,dc=sysadm,dc=local
adding new entry: uid=nobody,ou=Users,dc=sysadm,dc=local
adding new entry: cn=Domain Admins,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Users,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Guests,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Domain Computers,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Administrators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Account Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Print Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Backup Operators,ou=Groups,dc=sysadm,dc=local
adding new entry: cn=Replicators,ou=Groups,dc=sysadm,dc=local
adding new entry: sambaDomainName=SYSADM,dc=sysadm,dc=local
Please provide a password for the domain Administrator:
Changing UNIX and samba passwords for Administrator
New password: ***
Retype new password: ***

On CentOS server

# smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=sysadm,dc=local
cn: Administrator
sn: Administrator
objectClass: top,person,organizationalPerson,inetOrgPerson,sambaSamAccount,posixAccount,shadowAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SRV\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SRV\profiles\Administrator
sambaPrimaryGroupSID: S-1-5-21-206255134-223837211-2022137911-512
sambaSID: S-1-5-21-206255134-223837211-2022137911-500
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: 0AFA9EFC9DE20294AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 8F4BC1891E1050BDB614E72625AC2D7B
sambaPwdLastSet: 1337613886
Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?
Seems reasonable, zfsacl stores the ACE's natively compared to acl_xattr that makes use of extended attributes. It seems that the big players (Oracle, IBM) made their own tools. Any idea of the strict mapping completeness among zfsacl and acl_xattr? Is samba4 any breakthrough regarding this issue?

Dragos

On Tue, May 22, 2012 at 12:43 PM, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
On Tue, 2012-05-22 at 12:34 +0300, Pacher Dragos wrote:

Thanks Jonathan, I missed that. So, zfsacl is provided by Oracle.

I have no idea as I don't use Solaris

Should I favor acl_xattr besides zfsacl ?

I would have thought that zfsacl which stores the ACL's as native NFSv4 ACL's would be preferable. My personal experience is with vfs_gpfs and GPFS to store the Windows ACL's as native NFSv4 ACL's in GPFS.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Solaris 11 ZFS - acl_xattr still needed ?
On Tue, May 22, 2012 at 02:12:02PM +0300, Pacher Dragos wrote:

Seems reasonable, zfsacl stores the ACE's natively compared to acl_xattr that makes use of extended attributes. It seems that the big players (Oracle, IBM) made their own tools. Any idea of the strict mapping completeness among zfsacl and acl_xattr?

Closer than posix acls, but depending on your requirements still pretty bad for some aspects of ACLs. In particular inheritance based things are not covered properly, and chown operations have very different semantics.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)
On 21 May 2012 17:44, Jeff Layton jlay...@samba.org wrote:
On Mon, 21 May 2012 09:59:44 -0500 scott_purc...@dell.com wrote:

Early responses are not encouraging. It sounds like this was not an accidental happening, but they *intend* to obscure the root level of the share. Might it work to try to downgrade my Samba installation to a version prior to the introduction of this bug? If so, do you know which version would be the latest to still work?

No, it was not intentional, just not simple to fix.

I think you misinterpreted Scott's message :) I read it to mean that the people who set up his NAS intended for the root of the share to be obscured. Not that the cifsfs developers intended to break things.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 22 May 2012 11:49, Hervé Hénoch h.hen...@isc84.org wrote:

I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.

It might not work correctly. I think schema modification has been disabled by default because it can break things.

Another question: my functional level (domain and forest) is 2003, can I grow it to 2008R2?

Regards

On 22/05/2012 11:42, Lukasz Zalewski wrote:
On 22/05/12 07:37, Hervé Hénoch wrote:

Hello

I've migrated from Samba3 to Samba4 using this howto: http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO : ok! great!

Now I want to create a new auxiliary class in AD by using mmc - Schéma Active Directory. I've generated the object OID using the script: http://www.microsoft.com/technet/scriptcenter/scripts/ad/domains/addmvb03.mspx?mfr=true

Hi

Which version of Samba 4 are you using? In later versions you have to explicitly allow schema modifications by adding the following to smb.conf

dsdb:schema update allowed = yes

HTH
L

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
1750, chemin du Lavarin, 84000 Avignon
Phone: 04.90.27.57.44
E-mail: h.hen...@isc84.org

--
Michael Wood esiot...@gmail.com
Re: [Samba] Trouble with mount.cifs while smbclient works (Ubuntu 12.04)
On Tue, 22 May 2012 15:24:56 +0200 Michael Wood esiot...@gmail.com wrote:
On 21 May 2012 17:44, Jeff Layton jlay...@samba.org wrote:
On Mon, 21 May 2012 09:59:44 -0500 scott_purc...@dell.com wrote:

Early responses are not encouraging. It sounds like this was not an accidental happening, but they *intend* to obscure the root level of the share. Might it work to try to downgrade my Samba installation to a version prior to the introduction of this bug? If so, do you know which version would be the latest to still work?

No, it was not intentional, just not simple to fix.

I think you misinterpreted Scott's message :) I read it to mean that the people who set up his NAS intended for the root of the share to be obscured. Not that the cifsfs developers intended to break things.

Yes, he mailed that to me privately later. He also asked whether downgrading the client's kernel might help here. It might, but you'll need to go pretty far back -- pre-3.0 or so...

--
Jeff Layton jlay...@samba.org
Re: [Samba] Password problem
From: Jorell [mailto:jore...@fastmail.net]
Sent: 21 May 2012 02:39

On 5/18/2012 11:06 AM, Jaap Winius wrote:

Hi folks,

My client and I are having a problem getting a portable Esaote ultrasound machine to connect to a Samba server. The unit has an integrated laptop with a Windows XP version that can hardly be modified. Upon delivery the vendor only changed the user name and workgroup for us. When I asked for the user password to make a matching Samba account, the vendor refused because they use a key on a USB stick for that. They said to fill in a name and password for the server every time we needed to access the Windows share.

So far I've experimented with the Samba map to guest and guest account options, which should work, but I'd really like to see this machine connect to the Samba server in the usual fashion.

Does anyone have any suggestions? Any workarounds, or hacks that I might try?

Thanks,
Jaap

Isn't there a check box on windows for mapping a network drive Connect using different credentials? Then every time the machine tries connecting to the share it should be using the credentials provided for the mapped drive.

Another option would be to reset the administrator password on the XP machine, google: ntpasswd.

As for samba tricks, give the machine a static IP or a reserved IP and allow write access from only that IP?

If you have access to the command prompt or the ability to create batch files, you could try net use commands.

Moray.
To err is human; to purr, feline.
Re: [Samba] samba4 (The trust relationship between this workstation and the primary domain failed )
If you are using Samba4 as your DC, you shouldn't need any of the old registry hacks previously used to allow joining to a Samba3 server. There's something else going on. Which Samba page exactly are you referring to? (There are a lot of them. ;-)

On Tue, May 22, 2012 at 5:44 AM, deepak prasad deep2...@yahoo.com wrote:

Hello everyone

I have configured samba4 as per the details provided on the samba how-to homepage. Now I can successfully add my windows XP and windows 7 machine to the domain. I logged in to the windows XP machine as domain administrator and created a user using dsa.msc

The user is able to login on the windows XP machine, but when I tried to login on windows 7 this is the error which I get:

The trust relationship between this workstation and the primary domain failed.

I have tried all the registry tweaks available on the samba page but could not get a fix. Can anyone please help me overcome this problem. I am not at all able to login to the windows 7 machine

--
Charles Tryon
“Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal.” - Ralph D. Winter
Re: [Samba] Grant only one AD group to samba share ?
Thanks.. Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users = @DOMAIN\\My Group

behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password. I already tried all sorts of things in valid users, but nothing is the magic string I need.

Any other ideas? Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:
On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...

chgrp My\ Group /media/share
chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right? Probably I am missing something, or you guys need more information. Any thoughts?

Hi

Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:

chgrp MYDAOMAIN\\My\ Group /media/share

Cheers,
Steve
Re: [Samba] Grant only one AD group to samba share ?
A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?

http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:

Thanks.. Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users = @DOMAIN\\My Group

behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password. I already tried all sorts of things in valid users, but nothing is the magic string I need.

Any other ideas? Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:
On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...

chgrp My\ Group /media/share
chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right? Probably I am missing something, or you guys need more information. Any thoughts?

Hi

Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:

chgrp MYDAOMAIN\\My\ Group /media/share

Cheers,
Steve
[Samba] ctdb issue: existing header for db_id 0xf2a58948 has larger RSN 1 than new RSN 1 in ctdb_persistent_store
Hello,

I have an issue with ctdb that I am not sure how to handle. I am running ctdb-1.0.114.3-3. It looks like some sort of error occurs during the first time initialization. The log looks like the following:

2012/05/11 04:33:16.881297 [16069]: Starting CTDBD as pid : 16069
2012/05/11 04:33:16.987610 [16069]: Starting service nfs
2012/05/11 04:33:17.522194 [16069]: Starting NFS statd: [ OK ]
2012/05/11 04:33:17.584356 [16069]: Starting NFS services: [ OK ]
2012/05/11 04:33:17.599905 [16069]: Starting NFS quotas: [ OK ]
2012/05/11 04:33:17.610284 [16069]: Starting NFS daemon: [ OK ]
2012/05/11 04:33:17.614978 [16069]: Starting NFS mountd: [ OK ]
2012/05/11 04:33:18.690755 [16069]: Freeze priority 1
2012/05/11 04:33:18.690797 [16069]: Freeze priority 2
2012/05/11 04:33:18.690823 [16069]: Freeze priority 3
2012/05/11 04:33:25.366763 [16310]: Taking out recovery lock from recovery daemon
2012/05/11 04:33:25.366798 [16310]: Take the recovery lock
2012/05/11 04:33:25.384030 [16310]: Recovery lock taken successfully
2012/05/11 04:33:25.384082 [16310]: Recovery lock taken successfully by recovery daemon
2012/05/11 04:33:25.385542 [16069]: Freeze priority 1
2012/05/11 04:33:25.385925 [16069]: Freeze priority 2
2012/05/11 04:33:25.386353 [16069]: Freeze priority 3
2012/05/11 04:33:25.502987 [16069]: Thawing priority 1
2012/05/11 04:33:25.503015 [16069]: Release freeze handler for prio 1
2012/05/11 04:33:25.503029 [16069]: Thawing priority 2
2012/05/11 04:33:25.503035 [16069]: Release freeze handler for prio 2
2012/05/11 04:33:25.503043 [16069]: Thawing priority 3
2012/05/11 04:33:25.503048 [16069]: Release freeze handler for prio 3
2012/05/11 04:33:25.628783 [16310]: Resetting ban count to 0 for all nodes
2012/05/11 04:33:36.630768 [16310]: Trigger takeoverrun
2012/05/11 04:33:40.311048 [16069]: Vacuuming is disabled for persistent database secrets.tdb
2012/05/11 04:33:40.318936 [16069]: Starting Winbind services: [ OK ]
2012/05/11 04:33:40.364715 [16069]: Register srvid 18302628885633695744 for client 65882
2012/05/11 04:33:40.651327 [16310]: Trigger takeoverrun
2012/05/11 04:33:40.715231 [16069]: Vacuuming is disabled for persistent database registry.tdb
2012/05/11 04:33:40.716911 [16069]: Register srvid 18302628885633695744 for client 590225
2012/05/11 04:33:40.918393 [16069]: Deregister srvid 18302628885633695744 for client 65882
2012/05/11 04:33:41.272762 [16069]: Deregister srvid 18302628885633695744 for client 590225
2012/05/11 04:33:41.277908 [16069]: Register srvid 18302628885633695744 for client 590225
2012/05/11 04:33:41.278179 [16069]: Deregister srvid 18302628885633695744 for client 590225
2012/05/11 04:33:41.278363 [16069]: Register srvid 18302628885633695744 for client 590225
2012/05/11 04:33:41.665087 [16069]: Deregister srvid 18302628885633695744 for client 590225
2012/05/11 04:33:41.812788 [16069]: Starting SMB services: [ OK ]
2012/05/11 04:33:41.823170 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:41.823470 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:41.830941 [16310]: Trigger takeoverrun
2012/05/11 04:33:41.868203 [16069]: Vacuuming is disabled for persistent database idmap2.tdb
2012/05/11 04:33:42.295718 [16069]: Starting NFS statd: [ OK ]
2012/05/11 04:33:42.356951 [16069]: Starting NFS services: [ OK ]
2012/05/11 04:33:42.360369 [16069]: Starting NFS quotas: [ OK ]
2012/05/11 04:33:42.379459 [16069]: Starting NFS daemon: [ OK ]
2012/05/11 04:33:42.384079 [16069]: Starting NFS mountd: [ OK ]
2012/05/11 04:33:42.423498 [16069]: Vacuuming is disabled for persistent database passdb.tdb
2012/05/11 04:33:43.128728 [16069]: Vacuuming is disabled for persistent database account_policy.tdb
2012/05/11 04:33:43.130165 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:43.552421 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:43.553907 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:44.511739 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:44.650918 [17887]: existing header for db_id 0xf2a58948 has larger RSN 2 than new RSN 1 in ctdb_persistent_store
2012/05/11 04:33:44.650953 [17887]: server/ctdb_persistent.c:548 Failed to write persistent data
2012/05/11 04:33:44.782324 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:44.939908 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:44.940054 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:45.531550 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:45.783438 [16069]: Register srvid 18302628885633695744 for client 197066
2012/05/11 04:33:45.922782 [16069]: Deregister srvid 18302628885633695744 for client 197066
2012/05/11 04:33:45.923314 [16069]: Register srvid 18302628885633695744 for client 197066
Re: [Samba] Samba4 DNS - Adding CNAME
On 21/05/2012 20:38, Charles Tryon wrote:

I have been working on this too, and found that I needed to add the FQDN as the target of the CNAME. This is what appears to be happening...

When I just put in the name, for example:

    samba-tool dns add dnsserver mydomain.org newname CNAME realname

...and I use the Windows DNS tool to look at the record in the mydomain.org zone, it maps newname to realname. --- NOTICE the dot at the end. In DNS parlance, that dot usually means, don't add anything after this. So, when DNS is trying to resolve the actual IP, it tries to look up realname with no domain, and eventually times out.

If you change this to:

    samba-tool dns add dnsserver mydomain.org newname CNAME realname.mydomain.org

... then doing a dig or ping or whatever seems to work correctly.

I may be doing this wrong, but at least this is how I got it to work.

On Sat, May 19, 2012 at 6:57 AM, Mike Howard m...@dewberryfields.co.uk wrote:

On 19/05/2012 11:12, Michael Wood wrote:

So, the question is; What am I doing wrong?

I haven't tried the above myself, but it seems you are adding it the wrong way around. i.e. it looks like you are saying that the canonical name of centos is debian instead of what you want (i.e. that the canonical name of debian is centos.) i.e. it looks like you now have this situation:

    centos IN A 192.168.1.11
    centos IN CNAME debian

Yes, I did wonder about that and did try it the other way around. That resulted in a new record as follows;

    Name=debian, Records=1, Children=0
      CNAME: centos. (flags=f0, serial=21, ttl=900)

But it still doesn't resolve.

OK, then try specifying the FQDN for centos when you add the CNAME record. From the output above it looks like it's adding a CNAME to centos. instead of centos.example.com.

Also try:

    dig @192.168.1.254 debian.example.com. IN CNAME

If everything is set up correctly you should get something like this:

    [...]
    ;; QUESTION SECTION:
    ;debian.example.com. IN CNAME

    ;; ANSWER SECTION:
    debian.example.com. 3600 IN CNAME centos.example.com.
    [...]

Ok, I used;

    samba-tool dns add 127.0.0.1 example.com debian CNAME centos.example.com

a query now returns;

    Name=centos, Records=1, Children=0
      A: 192.168.1.11 (flags=f0, serial=2, ttl=900)
    Name=debian, Records=1, Children=0
      CNAME: centos.example.com. (flags=f0, serial=23, ttl=900)

and 'dig @192.168.1.254 debian.example.com. IN CNAME' returns;

    [...]
    ;; QUESTION SECTION:
    ;debian.example.com. IN CNAME

    ;; ANSWER SECTION:
    debian.example.com. 900 IN CNAME centos.example.com.
    [...]

However, neither 'debian' nor 'debian.example.com' resolve to an IP, yet the output from dig implies the entry is correct? Of course, 'centos' does resolve.

--
Any question is easy if you know the answer!

--
Charles Tryon
“Risks are not to be evaluated in terms of the probability of success, but in terms of the value of the goal.” - Ralph D. Winter

Well I too got dig, on the server, to produce the correct output but the hostname (either short or fully qualified) would not resolve to an ip address from _any_ clients. I'm using the internal dns server by the way.

As I mentioned, I bodged it by just adding would be CNAME entries as A records. Not orthodox but it works for now.

--
Any question is easy if you know the answer!
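The first failure in this thread, a CNAME stored with the single absolute label centos. as its target, can be found mechanically in a record listing. The Python below is an added example, not code from the thread or from Samba; the sample listing is constructed, and the function names and the one-record-per-line layout under each Name= line are assumptions.

```python
import re

# Constructed sample, laid out like the record listings quoted in the thread.
SAMPLE_LISTING = """\
Name=centos, Records=1, Children=0
  A: 192.168.1.11 (flags=f0, serial=2, ttl=900)
Name=debian, Records=1, Children=0
  CNAME: centos. (flags=f0, serial=21, ttl=900)
Name=www, Records=1, Children=0
  CNAME: centos.example.com. (flags=f0, serial=23, ttl=900)
Name=mail, Records=1, Children=0
  CNAME: mx.example.net. (flags=f0, serial=24, ttl=900)
"""

NAME_RE = re.compile(r"^\s*Name=([^,]*),")
RECORD_RE = re.compile(r"^\s*([A-Za-z]+):\s+(\S+)\s+\(")


def parse_listing(text):
    """Return (owner, type, rdata) tuples from a record listing."""
    owner, records = None, []
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            owner = m.group(1).strip()
            continue
        m = RECORD_RE.match(line)
        if m and owner is not None:
            records.append((owner, m.group(1).upper(), m.group(2)))
    return records


def in_zone_fqdn(owner, zone):
    """Owner names are relative to the zone; '' or '@' is the zone apex."""
    return zone if owner in ("", "@") else f"{owner}.{zone}"


def audit_cnames(text, zone):
    """Classify each CNAME target: ok, unqualified, dangling or external."""
    zone = zone.rstrip(".").lower()
    records = parse_listing(text)
    owners = {in_zone_fqdn(o.lower(), zone) for o, _, _ in records}
    results = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        name = target.rstrip(".").lower()
        fix = None
        if "." not in name:
            # Single label stored as an absolute name ("centos."): it is
            # looked up at the root, never inside the zone.
            verdict, fix = "unqualified", f"{name}.{zone}."
        elif name == zone or name.endswith("." + zone):
            # In-zone target: it must exist as an owner name in the listing.
            verdict = "ok" if name in owners else "dangling"
        else:
            verdict = "external"  # cannot be verified from this listing
        results.append((in_zone_fqdn(owner.lower(), zone), target, verdict, fix))
    return results


if __name__ == "__main__":
    for owner, target, verdict, fix in audit_cnames(SAMPLE_LISTING, "example.com"):
        hint = f" -> re-add with target {fix}" if fix else ""
        print(f"{owner:22} CNAME {target:22} {verdict}{hint}")
```

A clean result here only says the record data is well formed; the thread's remaining problem, clients still failing to resolve a correctly stored CNAME, is outside what a listing can show.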
[Samba] Some what breaking security model in Samba; LDAP + SMB shares
Hi all,

Been a Samba user for some time now. I have a sort of odd request due to the nature of my env.

I have been authing my XP/7 clients against OpenLDAP for years now and all is well (using pGina). I've even written a few scripts to tie in the SFU NFS client so that all is clean with regards to UGO of files/dirs. However because NFS just plain sux on M$, I wish to come back to Samba as it's so darn fast.

Is there any way I can simply map Samba shares as a user w/o a password to preserve UGO? This can't be a guest map as I really need ownership/mask to follow the user login. I mean my users auth to login using my OpenLDAP server so I don't feel the need to auth again for drive mapping. And I can't have any Samba fromage (that's good cheese by the way as I love cheese) in my LDAP DB.

Thanks in advance,
- aurf
Re: [Samba] Grant only one AD group to samba share ?
Which version of Samba are you using?

Samba version 3.5.11

What does the idmap backend configuration for winbind look like?

Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is:

    idmap uid = 1-2
    idmap gid=1-2

I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?

Does testparm yield any errors?

ERROR: the 'winbind separator' parameter must be a single character.

Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently. The extra \ was probably in error from this file being edited with sed.

Do getent group and wbinfo -g return the expected results?

getent group shows all of the local linux groups on this machine - no AD groups. Is that expected?

wbinfo -g shows the windows groups fine, the only thing that's odd is all of the groups on this domain show in lower case. They may or may not be that way in their AD, I can't see for sure. (We are forcing a linux machine into someone's windows network)

Are nsswitch.conf and PAM configured for authentication?

For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults. All that has really been set up so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are now trying to expand that samba/winbind stack over into sharing a folder. So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC. Right? For some reason I figured this part would just work since the join already happened.

Thanks again!

-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: samba@lists.samba.org
Subject: Re:[Samba] Grant only one AD group to samba share ?

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?

http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:

Thanks.. Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users = @DOMAIN\\My Group behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password.

I already tried all sorts of things in valid users, but nothing is the magic string I need.

Any other ideas? Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:

On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...

    chgrp My\ Group /media/share
    chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right? Probably I am missing something, or you guys need more information. Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:

    chgrp MYDAOMAIN\\My\ Group /media/share

Cheers,
Steve
Re: [Samba] Grant only one AD group to samba share ?
On 05/22/2012 3:17 PM, Newman, John W wrote:

Which version of Samba are you using?

Samba version 3.5.11

What does the idmap backend configuration for winbind look like?

Well.. I'm not really sure what that is (I inherited this project). In smb.conf all he has here is:

    idmap uid = 1-2
    idmap gid=1-2

I don't see idmap backend = set at all in here. That is probably a big part of the problem isn't it?

It would be using the default tdb backend. You could do a testparm -sv and grep for idmap and winbind to see all the parameters that are available. Better still, if you have SWAT and samba-doc installed, you can easily see the options available for each parameter.

Does testparm yield any errors?

ERROR: the 'winbind separator' parameter must be a single character.

Hmm.. I just changed that to a single \ , and our existing authentication service still works fine, but the share behaves no differently. The extra \ was probably in error from this file being edited with sed.

Do getent group and wbinfo -g return the expected results?

getent group shows all of the local linux groups on this machine - no AD groups. Is that expected?

If you have winbind enum groups = Yes, then they should show, otherwise not. Domains with large numbers of users usually leave this as No (also winbind enum users).

wbinfo -g shows the windows groups fine, the only thing that's odd is all of the groups on this domain show in lower case.

That's normal for winbind.

They may or may not be that way in their AD, I can't see for sure. (We are forcing a linux machine into someone's windows network)

Are nsswitch.conf and PAM configured for authentication?

For what kind of authentication? /etc/nsswitch and /etc/pam/* are untouched from the defaults.

In nsswitch.conf, you will need to add winbind to the passwd and group entries. The article I previously linked (below) has an example PAM config (/etc/pam.d/login) for winbind. For completeness, you might also want to look at this:

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm

All that has really been set up so far is an apache service that uses mod_auth_ntlm_winbind to authenticate users of a webpage to their DC. We are now trying to expand that samba/winbind stack over into sharing a folder. So, we probably do need to look at modifying those files, and id mapping, to have a samba share authenticate against the DC. Right? For some reason I figured this part would just work since the join already happened.

A domain can be joined without winbind, but there are steps to take to actually use it.

Thanks again!

-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, May 22, 2012 14:51
To: Newman, John W
Cc: samba@lists.samba.org
Subject: Re:[Samba] Grant only one AD group to samba share ?

A few questions that might narrow things -

Which version of Samba are you using?
What does the idmap backend configuration for winbind look like?
Does testparm yield any errors?
Do getent group and wbinfo -g return the expected results?
Are nsswitch.conf and PAM configured for authentication?

http://www.enterprisenetworkingplanet.com/netsysm/article.php/3502441/Join-Linux-to-Active-Directory-With-Winbind.htm

On 05/22/2012 1:01 PM, Newman, John W wrote:

Thanks.. Unfortunately neither suggestion worked

chgrp still just says invalid group

valid users = @DOMAIN\\My Group behaves the same as I described in the OP. Valid credentials = access denied ; invalid credentials = invalid name or bad password.

I already tried all sorts of things in valid users, but nothing is the magic string I need.

Any other ideas? Thanks for the help so far, much appreciated!!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of steve
Sent: Tuesday, May 22, 2012 04:59
To: samba@lists.samba.org
Subject: Re: [Samba] Grant only one AD group to samba share ?

On 21/05/12 23:36, Dale Schroeder wrote:

On 05/21/2012 3:42 PM, Newman, John W wrote:

Thanks for the suggestion, but .. that doesn't work ...

    chgrp My\ Group /media/share
    chgrp: invalid group: `My Group'

My Group is a windows AD group, not a local linux group. The machine is joined to the windows domain through net ads join, but I don't think the security is that tightly integrated. I don't have windows groups mapped to linux groups I've created or anything like that. chgrp is expecting a linux group. Right? Probably I am missing something, or you guys need more information. Any thoughts?

Hi
Sorry. I forgot about winbind (we use nss-pam-ldapd). With winbind running that should read:

    chgrp MYDAOMAIN\\My\ Group /media/share

Cheers,
Steve
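The checks raised in this thread (the testparm separator error, the nsswitch.conf entries for winbind, and group enumeration) can be run together as a preflight before debugging share permissions. The Python below is an added example, not code from the thread or from Samba; the sample smb.conf and nsswitch.conf text is constructed, and the function names and finding codes are assumptions.

```python
import re

# Constructed inputs modelled on the symptoms in the thread (not the poster's files).
BROKEN_SMB_CONF = r"""
[global]
    security = ads
    workgroup = MYDOMAIN
    winbind separator = \\
    idmap uid = 10000-20000
    idmap gid = 10000-20000
[share]
    path = /media/share
    valid users = @MYDOMAIN\My Group
"""
BROKEN_NSSWITCH = "passwd: compat\ngroup: compat\nshadow: compat\n"


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}; names are lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def nss_sources(text, database):
    """Return the lookup sources nsswitch.conf lists for one database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(rf"{re.escape(database)}\s*:\s*(.*)$", line)
        if m:
            # Drop action items such as [NOTFOUND=return].
            return [s for s in m.group(1).split() if not s.startswith("[")]
    return []


def preflight(smb_conf_text, nsswitch_text):
    """Return (code, message) findings for the checks raised in the thread."""
    glob = parse_smb_conf(smb_conf_text).get("global", {})
    findings = []
    sep = glob.get("winbind separator", "\\")  # backslash when unset
    if len(sep) != 1:
        findings.append(("separator",
                         f"winbind separator {sep!r} is not a single character"))
    for db in ("passwd", "group"):
        if "winbind" not in nss_sources(nsswitch_text, db):
            findings.append((f"nss-{db}",
                             f"nsswitch.conf '{db}:' lacks winbind, so getent "
                             "and chgrp cannot resolve domain names"))
    if glob.get("winbind enum groups", "no").lower() not in ("yes", "true", "1"):
        findings.append(("enum-groups",
                         "winbind enum groups is off: a bare 'getent group' will "
                         "not list AD groups (lookups by name still work)"))
    return findings


if __name__ == "__main__":
    for code, message in preflight(BROKEN_SMB_CONF, BROKEN_NSSWITCH):
        print(f"{code:12} {message}")
```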
[Samba] Does Samba4 support Cross forest trusts
We have two Samba4 forest domains. We would like to establish trust between them (either at forest level or at domain level). We are wondering if Samba4 supports this scenario.
[Samba] NNTP server for Samba newsgroup
I am trying to configure a Newsgroup account in “Windows Live Mail”. I would appreciate it if someone could inform us of the NNTP server for the Samba lists below:

1. samba-technical
2. samba
Re: [Samba] Samba4 - create a new auxiliary classe in AD
On 05/22/2012 06:29 AM, Michael Wood wrote:

On 22 May 2012 11:49, Hervé Hénoch h.hen...@isc84.org wrote:

I'm using the 4.0.0alpha21-GIT-1d53e57 version. I've tried your proposal and it seems that it works ... thank you.

It might not work correctly. I think schema modification has been disabled by default because it can break things.

Well, we used to not generate some attributes that are critical for the schema on certain objects (i.e. oMSyntax on attributes which have a DN syntax). I made several patches lately for this; it should work much better, but as a general safety measure we still keep it disabled, a bit like you've been warned.

Matthieu

--
Matthieu Patou
Samba Team
http://samba.org
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via f9e4105 s3:smbd: remove unused 'connection_struct-used' from c531aac Added torture test for bug #8910. Test remove_duplicate_addrs2(). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit f9e4105f4170181989c44a2326a8a8a89314fc98 Author: Michael Adam ob...@samba.org Date: Tue May 22 11:56:36 2012 +0200 s3:smbd: remove unused 'connection_struct-used' Pair-Programmed-With: Stefan Metzmacher me...@samba.org Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Tue May 22 16:42:22 CEST 2012 on sn-devel-104 --- Summary of changes: source3/include/smb.h |1 - source3/smbd/reply.c |2 -- source3/smbd/service.c |1 - 3 files changed, 0 insertions(+), 4 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/include/smb.h b/source3/include/smb.h index b5c674d..245ff7b 100644 --- a/source3/include/smb.h +++ b/source3/include/smb.h @@ -400,7 +400,6 @@ typedef struct connection_struct { time_t lastused; time_t lastused_count; - bool used; int num_files_open; unsigned int num_smb_operations; /* Count of smb operations on this tree. */ int encrypt_level; diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 45f761c..b93052a 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -5063,8 +5063,6 @@ void reply_tdis(struct smb_request *req) return; } - conn-used = False; - close_cnum(conn,req-vuid); req-conn = NULL; diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 7b538b0..d0fd215 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -576,7 +576,6 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn, conn-num_files_open = 0; conn-lastused = conn-lastused_count = time(NULL); - conn-used = True; conn-printer = (strncmp(dev,LPT,3) == 0); conn-ipc = ( (strncmp(dev,IPC,3) == 0) || ( lp_enable_asu_support() strequal(dev,ADMIN$)) ); -- Samba Shared Repository
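Review bot: in the smb.h hunk, removing the used member changes the layout of connection_struct in a shared header (source3/include/smb.h), and the commit message says only "unused" without saying how that was established. The reply.c and service.c hunks remove the two assignments (in reply_tdis() and make_connection_snum()), which are writes only; please state in the message that no reader of the field remains in the tree, and note that anything compiled against the old header needs rebuilding.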
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 42b2026 Second part of fix for bug 8953 - winbind can hang as nbt_getdc() has no timeout. via d673402 Fix bug #8953 - winbind can hang as nbt_getdc() has no timeout. from f9e4105 s3:smbd: remove unused 'connection_struct-used' http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 42b2026a83983ad17bfd1651f2256b38e9fe8dad Author: Herb Lewis hle...@panasas.com Date: Tue May 22 16:40:17 2012 -0700 Second part of fix for bug 8953 - winbind can hang as nbt_getdc() has no timeout. If we're running with SEC_ADS and we don't get a cldap response from the server when querying its name, don't fall back to NetBIOS requests as they're unlikely to succeed. Signed-off-by: Jeremy Allison j...@samba.org Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Wed May 23 03:49:36 CEST 2012 on sn-devel-104 commit d6734029924e849dcd336728dde8d24141e8ccc3 Author: Jeremy Allison j...@samba.org Date: Tue May 22 16:25:14 2012 -0700 Fix bug #8953 - winbind can hang as nbt_getdc() has no timeout. Add a timeout_in_seconds parameter to nbt_getdc() to make it fail after that time with NT_STATUS_IO_TIMEOUT. --- Summary of changes: source3/libsmb/clidgram.c | 12 source3/libsmb/clidgram.h |1 + source3/libsmb/dsgetdcname.c |2 +- source3/winbindd/winbindd_cm.c |3 ++- 4 files changed, 16 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/libsmb/clidgram.c b/source3/libsmb/clidgram.c index 04964bd..cfed067 100644 --- a/source3/libsmb/clidgram.c +++ b/source3/libsmb/clidgram.c @@ -437,6 +437,7 @@ NTSTATUS nbt_getdc_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, } NTSTATUS nbt_getdc(struct messaging_context *msg_ctx, + uint32_t timeout_in_seconds, const struct sockaddr_storage *dc_addr, const char *domain_name, const struct dom_sid *sid, 
@@ -449,6 +450,8 @@ NTSTATUS nbt_getdc(struct messaging_context *msg_ctx, TALLOC_CTX *frame = talloc_stackframe(); struct tevent_context *ev; struct tevent_req *req; + enum tevent_req_state err_state; + uint64_t error; NTSTATUS status = NT_STATUS_NO_MEMORY; ev = tevent_context_init(frame); @@ -460,12 +463,21 @@ NTSTATUS nbt_getdc(struct messaging_context *msg_ctx, if (req == NULL) { goto fail; } + if (!tevent_req_set_endtime(req, ev, + timeval_current_ofs(timeout_in_seconds, 0))) { + goto fail; + } if (!tevent_req_poll_ntstatus(req, ev, status)) { goto fail; } status = nbt_getdc_recv(req, mem_ctx, pnt_version, dc_name, samlogon_response); fail: + if (ev req + tevent_req_is_error(req, err_state, error) + err_state == TEVENT_REQ_TIMED_OUT) { + status = NT_STATUS_IO_TIMEOUT; + } TALLOC_FREE(frame); return status; } diff --git a/source3/libsmb/clidgram.h b/source3/libsmb/clidgram.h index a449724..6cd6222 100644 --- a/source3/libsmb/clidgram.h +++ b/source3/libsmb/clidgram.h @@ -37,6 +37,7 @@ NTSTATUS nbt_getdc_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, uint32_t *nt_version, const char **dc_name, struct netlogon_samlogon_response **samlogon_response); NTSTATUS nbt_getdc(struct messaging_context *msg_ctx, + uint32_t timeout_in_seconds, const struct sockaddr_storage *dc_addr, const char *domain_name, const struct dom_sid *sid, diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c index 5df833f..05be272 100644 --- a/source3/libsmb/dsgetdcname.c +++ b/source3/libsmb/dsgetdcname.c @@ -946,7 +946,7 @@ static NTSTATUS process_dc_netbios(TALLOC_CTX *mem_ctx, return NT_STATUS_UNSUCCESSFUL; } - status = nbt_getdc(msg_ctx, dclist[i].ss, domain_name, + status = nbt_getdc(msg_ctx, 10, dclist[i].ss, domain_name, NULL, nt_version, mem_ctx, nt_version, dc_name, r); if (NT_STATUS_IS_OK(status)) { diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 4188b5e..f36ccea 100644 --- a/source3/winbindd/winbindd_cm.c 
+++ b/source3/winbindd/winbindd_cm.c @@ -1158,10 +1158,11 @@ static bool dcip_to_name(TALLOC_CTX *mem_ctx, } ads_destroy( ads ); + return false; } #endif - status =
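Review bot: in the clidgram.c hunks, timeout_in_seconds goes straight into timeval_current_ofs(timeout_in_seconds, 0) with no range check, and the new prototype line in clidgram.h carries no comment, so a caller passing 0 gets an end time equal to the current time rather than "no timeout". Document what 0 means next to the prototype, or reject it at the top of nbt_getdc(). Separately, the fail: label is also reached by fall-through after nbt_getdc_recv(), so the new block can overwrite the status that call returned; a one-line comment saying the override is intended, and applies only when the request state is TEVENT_REQ_TIMED_OUT, would make that clear to the next reader.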
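Review bot: in the dsgetdcname.c hunk, process_dc_netbios() passes the timeout as a bare literal, nbt_getdc(msg_ctx, 10, ...), and the call is made per dclist[i] entry, so each unresponsive entry can now cost up to 10 seconds. A named constant with a short comment on why 10 was chosen would make the value easier to audit and tune, and the commit message should mention the per-entry worst case.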