Re: [Samba] LDAP access to Samba 4
On 29 August 2012 21:48, Kristofer wrote:
> Hello,
>
> I am currently migrating from OpenLDAP to Samba 4 PDC, and I have a webpage
> (PHP/Apache) available for users so that they can change their password on
> the existing LDAP server.
>
> I attempted to adjust that script to change the password on the Samba 4 AD
> controller, but I get a "cannot connect" error to LDAP. The web server the
> password script is running on is not on the same machine as the Samba 4
> controller, and is not joined to the AD domain. What is the best way to
> connect to the LDAP server from PHP to make this happen? Is there something
> with Kerberos I need to do? or am I going to have to fully join the machine
> to the domain before it can connect to LDAP?

You basically need to do whatever would be needed with a Windows AD server.

You'll need to do it over TLS (on port 636. Make sure you compiled
with GnuTLS support if you do this.) or using GSSAPI (Kerberos).

It goes something like this (pseudocode), I believe:

    # Bind to the directory
    ldap_simple_bind_s(userdn, oldpass)
    # or: tokens = ldap.sasl.gssapi(); ldap_sasl_interactive_bind_s("", tokens)

    oldencoded = encode_pass(oldpass)
    newencoded = encode_pass(newpass)
    modlist = make_modlist(oldencoded, newencoded)
    ldap_modify_s(userdn, modlist)

The encoding works like this:

* First wrap the password in double quotes.
* Then encode it using UTF-16-le format.

so the string 'PASSWORD' would be encoded as
'"\0P\0A\0S\0S\0W\0O\0R\0D\0"\0'

In Python this would be done like this:

    encodedpass = ('"%s"' % password).encode("utf-16-le")

The modlist is basically a delete of the unicodePwd attribute followed
by an add with the new encoded password.

--
Michael Wood

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
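
The encoding and modlist described in the reply above, written out as an added example (not code from the original post or from Samba). The function names follow the pseudocode; transport_ok(), decode_pass() and the host name are assumptions made for illustration, and the operation codes are defined locally so the block runs without an LDAP library.

```python
from urllib.parse import urlsplit

# LDAP modify operation codes (RFC 4511). python-ldap exposes the same
# values as ldap.MOD_ADD and ldap.MOD_DELETE; they are defined here so the
# example runs without an LDAP library installed.
MOD_ADD = 0
MOD_DELETE = 1


def encode_pass(password):
    """Wrap the password in double quotes, then encode it as UTF-16-LE."""
    if not isinstance(password, str):
        raise TypeError("password must be text, not bytes")
    return ('"%s"' % password).encode("utf-16-le")


def decode_pass(blob):
    """Inverse of encode_pass(); rejects blobs that are not quoted UTF-16-LE.

    Hypothetical helper: useful for checking that a port of the encoding
    (for example in PHP) produces the same bytes.
    """
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not wrapped in double quotes")
    return text[1:-1]


def make_modlist(oldpass, newpass):
    """A delete of unicodePwd with the old value, then an add with the new."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_pass(oldpass)]),
        (MOD_ADD, "unicodePwd", [encode_pass(newpass)]),
    ]


def transport_ok(uri, gssapi=False):
    """True when the connection is protected the way the reply requires:
    TLS (ldaps://, port 636) or a GSSAPI (Kerberos) bind."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URI: %r" % uri)
    return scheme == "ldaps" or gssapi


if __name__ == "__main__":
    # dc1.example.com is a placeholder host name.
    for uri, gssapi in (("ldap://dc1.example.com", False),
                        ("ldaps://dc1.example.com:636", False),
                        ("ldap://dc1.example.com", True)):
        print(uri, "gssapi" if gssapi else "simple", transport_ok(uri, gssapi))
    print(encode_pass("PASSWORD"))
    for op, attr, values in make_modlist("OldPass1", "NewPass2"):
        print("delete" if op == MOD_DELETE else "add", attr, values)
```

With python-ldap the list returned by make_modlist() has the shape that modify_s(userdn, modlist) accepts.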
Re: [Samba] Permissions incorrectly ordered on Windows after disabling inheritance
On Thu, Aug 30, 2012 at 17:52:08, Jeremy Allison wrote:
> On Thu, Aug 30, 2012 at 05:09:10PM -0600, Walkes, Dan wrote:
> > On Wed, Aug 29, 2012 at 21:45:24, Jeremy Allison wrote:
> > > On Fri, Aug 24, 2012 at 11:08:53AM -0600, Walkes, Dan wrote:
> > > > Hi everyone,
> > > >
> > > > I've noticed a problem with Debian wheezy + samba 3.6.6
> > > > configured with acl_xattr in my configuration. The following
> > > > test sequence causes Windows Explorer to report incorrectly
> > > > ordered permission entries:
> > > > 1) Map a share as with "admin" user credentials to a drive letter
> > > > on a Windows client
> > > > 2) Create a folder at the root of the share "rootfolder"
> > > > 3) Create a subfolder "subfolder1" under "rootfolder"
> > > > 4) Un-check "Include inheritable permissions from this object's
> > > > parent" in the windows security settings dialog for Windows
> > > > Explorer on the root folder
> > > > 5) Create a subfolder "subfolder2" under "subfolder1"
> > > > 6) Right-click with Windows Explorer and attempt to edit the
> > > > permissions of "subfolder2". Windows Explorer pops up a message
> > > > stating "The permissions on subfolder2 are incorrectly ordered,
> > > > which may cause some entries to be ineffective."
> > >
> > > FYI, the complete and correct fix for this for 3.6.next is now
> > > attached to bug:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=9124
> > >
> > > as a patch. Please test (it fixes the problem here). Thanks for
> > > reporting this, the same code will go into master as soon as I've
> > > finished wrestling with autobuild :-).
> >
> > Thanks Jeremy. I've tested today. I can confirm it fixes the
> > incorrect ordering issue and sequence 1-6 works for me. I can also
> > confirm that after removing inheritance on a root folder from
> > windows the I flag is set for all permissions on subfolders as
> > expected. I did notice however that in my case if I never modify
> > permissions or change permissions from Windows Explorer the I flag
> > is still not set on inherited permissions, at least with my configuration.
>
> Actually this is what you'd expect with a security descriptor type of:
>
> CONTROL:0x8004
>
> (SEC_DESC_SELF_RELATIVE = 0x8000|
> SEC_DESC_DACL_PRESENT = 0x0004).
>
> On Windows you'll probably have:
>
> CONTROL:0x8404
>
> (SEC_DESC_SELF_RELATIVE = 0x8000|
> SEC_DESC_DACL_AUTO_INHERITED = 0x0400|
> SEC_DESC_DACL_PRESENT = 0x0004).
>
> which explains the difference. If you set a security descriptor on
> rootfolder/ from the Windows client and end up with CONTROL:0x8404,
> then whenever you create subfolders/files below that you'll see the "INHERITED"
> bit (that's what the patch solves).
>
> Jeremy.

Yes this explains it. Thanks for your help.
Re: [Samba] replication error?
On Thu, 2012-08-30 at 09:33 -0400, Steve Thompson wrote:
> On Wed, 29 Aug 2012, Steve Thompson wrote:
>
> > On Wed, 29 Aug 2012, Steve Thompson wrote:
> > More information. If I have two DC's, dc1 and dc2, and I point ldap_uri and
> > krb5_server in sssd.conf directly at dc1, it always works. If I point either
> > of those parameters at dc2, it always fails.
>
> Well, this was a red herring. Wait long enough (overnight) and it turns
> out that dc1 stops working as well (dc2 never works). This stuff is
> unusable.

Does this configuration of SSSD work any differently against a windows
domain? (Trial versions of windows server can be downloaded).

These issues appear to be client-side (using the wrong ticket, or
attempting to do krb5 against a name mapping to more than one server),
but with so little detail it is hard to say with clarity.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Re: [Samba] samba4 & kpasswd: refuses to change
On Thu, 2012-08-30 at 14:59 +, Thomas Mueller wrote:
> On Thu, 30 Aug 2012 14:07:00 +, Thomas Mueller wrote:
>
> > On Thu, 30 Aug 2012 13:45:50 +, Thomas Mueller wrote:
> >
> >> # kpasswd
> >> Password for user@TEST.DOMAIN:
> >> Enter new password:
> >> Enter it again:
> >> Password change rejected: Password must be at least 7 characters long,
> >> and cannot match any of your 24 previous passwords
> >
> > OK, it's not a kpasswd problem. Changing the password from windows (ctrl -
> > alt -del -> change password) brings up the same message.
> >
> > - Thomas
>
> and finally found the root cause:
>
> the default password policy is set to a minimal password age of 1 day

Samba generates that message, so if you want to patch
source4/kdc/kpasswd.c to give a better message, you would be most
welcome.

The restrictions are implemented in
source4/dsdb/samdb/ldb_modules/password_hash.c. We could either try and
send back a better string from there, or at least use the string sent
back already (without the windows error code on the front).

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Re: [Samba] Permissions incorrectly ordered on Windows after disabling inheritance
On Thu, Aug 30, 2012 at 05:09:10PM -0600, Walkes, Dan wrote:
> On Wed, Aug 29, 2012 at 21:45:24, Jeremy Allison wrote:
> > On Fri, Aug 24, 2012 at 11:08:53AM -0600, Walkes, Dan wrote:
> > > Hi everyone,
> > >
> > > I've noticed a problem with Debian wheezy + samba 3.6.6 configured
> > > with acl_xattr in my configuration. The following test sequence
> > > causes Windows Explorer to report incorrectly ordered permission entries:
> > > 1) Map a share as with "admin" user credentials to a drive letter
> > > on a Windows client
> > > 2) Create a folder at the root of the share "rootfolder"
> > > 3) Create a subfolder "subfolder1" under "rootfolder"
> > > 4) Un-check "Include inheritable permissions from this object's
> > > parent" in the windows security settings dialog for Windows Explorer
> > > on the root folder
> > > 5) Create a subfolder "subfolder2" under "subfolder1"
> > > 6) Right-click with Windows Explorer and attempt to edit the
> > > permissions of "subfolder2". Windows Explorer pops up a message
> > > stating "The permissions on subfolder2 are incorrectly ordered,
> > > which may cause some entries to be ineffective."
> >
> > FYI, the complete and correct fix for this for 3.6.next is now
> > attached to bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=9124
> >
> > as a patch. Please test (it fixes the problem here). Thanks for
> > reporting this, the same code will go into master as soon as I've
> > finished wrestling with autobuild :-).
> >
>
> Thanks Jeremy. I've tested today. I can confirm it fixes the incorrect
> ordering issue and sequence 1-6 works for me. I can also confirm that
> after removing inheritance on a root folder from windows the I flag is
> set for all permissions on subfolders as expected. I did notice however
> that in my case if I never modify permissions or change permissions from
> Windows Explorer the I flag is still not set on inherited permissions,
> at least with my configuration.

Actually this is what you'd expect with a security descriptor type of:

CONTROL:0x8004

(SEC_DESC_SELF_RELATIVE = 0x8000|
SEC_DESC_DACL_PRESENT = 0x0004).

On Windows you'll probably have:

CONTROL:0x8404

(SEC_DESC_SELF_RELATIVE = 0x8000|
SEC_DESC_DACL_AUTO_INHERITED = 0x0400|
SEC_DESC_DACL_PRESENT = 0x0004).

which explains the difference. If you set a security descriptor on
rootfolder/ from the Windows client and end up with CONTROL:0x8404,
then whenever you create subfolders/files below that you'll see the
"INHERITED" bit (that's what the patch solves).

Jeremy.
Re: [Samba] Permissions incorrectly ordered on Windows after disabling inheritance
On Wed, Aug 29, 2012 at 21:45:24, Jeremy Allison wrote:
> On Fri, Aug 24, 2012 at 11:08:53AM -0600, Walkes, Dan wrote:
> > Hi everyone,
> >
> > I've noticed a problem with Debian wheezy + samba 3.6.6 configured
> > with acl_xattr in my configuration. The following test sequence
> > causes Windows Explorer to report incorrectly ordered permission entries:
> > 1) Map a share as with "admin" user credentials to a drive letter
> > on a Windows client
> > 2) Create a folder at the root of the share "rootfolder"
> > 3) Create a subfolder "subfolder1" under "rootfolder"
> > 4) Un-check "Include inheritable permissions from this object's
> > parent" in the windows security settings dialog for Windows Explorer
> > on the root folder
> > 5) Create a subfolder "subfolder2" under "subfolder1"
> > 6) Right-click with Windows Explorer and attempt to edit the
> > permissions of "subfolder2". Windows Explorer pops up a message
> > stating "The permissions on subfolder2 are incorrectly ordered,
> > which may cause some entries to be ineffective."
>
> FYI, the complete and correct fix for this for 3.6.next is now attached to bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9124
>
> as a patch. Please test (it fixes the problem here). Thanks for
> reporting this, the same code will go into master as soon as I've
> finished wrestling with autobuild :-).
>

Thanks Jeremy. I've tested today. I can confirm it fixes the incorrect
ordering issue and sequence 1-6 works for me. I can also confirm that
after removing inheritance on a root folder from windows the I flag is
set for all permissions on subfolders as expected. I did notice however
that in my case if I never modify permissions or change permissions from
Windows Explorer the I flag is still not set on inherited permissions,
at least with my configuration.

For instance if my share folder permissions are:

smbcacls --user=K9\\tandberg //localhost/20120830_4 rootfolder/..
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-B2\nobody
GROUP:Unix Group\root
ACL:BIZNAS-B2\nobody:ALLOWED/0x0/FULL
ACL:K9\domain users:ALLOWED/0x0/FULL
ACL:Unix Group\%naslocal%:ALLOWED/0x0/FULL
ACL:Unix Group\root:ALLOWED/0x0/FULL
ACL:BIZNAS-B2\admin:ALLOWED/0x0/FULL
ACL:Everyone:ALLOWED/0x0/
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI|IO/RWXDPO

Each of my subfolders have permissions which look like this:

smbcacls --user=K9\\tandberg //localhost/20120830_4 rootfolder
REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-B2\admin
GROUP:BIZNAS-B2\None
ACL:BIZNAS-B2\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:BIZNAS-B2\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI/RWXDPO

I would have expected the I flag to be set on Creator Owner, Creator
Group and Everyone in this case since these permissions were inherited
from the share folder. This is what I see with a Windows 7 file share.

However, after I modify permissions on any folder in any way from
windows explorer (even if I don't modify Creator Owner, Creator Group
or Everyone), all inherited permissions on subfolders have the I flag
set. This applies both to subfolders which existed before the change
and for new subfolders created after I made the change from Windows
Explorer. I don't see this behavior if I change from smbcacls, only if
I change from Windows Explorer. If I use Windows Explorer to modify the
permissions on the root folder in any way, all inherited permissions
have the I flag set on all subfolders as I would expect.

I'm not sure that missing the I flag is actually important as long as
the permissions are inheriting and now that windows is no longer
complaining about ordering. I just thought I would bring it up here in
case it was related and in case you thought it was important.

I can gather more data if you are interested... let me know

Thanks again!
Dan

> Cheers,
>
> Jeremy.
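
The CONTROL values and the I flag discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not Samba code: it parses smbcacls text output, decodes the three control bits named by Jeremy Allison, and lists which inheritable ACEs are marked inherited. The first sample is the subfolder listing from the message above; the second is constructed to show the 0x8404 case, and the function names are assumptions.

```python
# Control bits and values exactly as quoted in the thread.
CONTROL_NAMES = {
    0x0004: "SEC_DESC_DACL_PRESENT",
    0x0400: "SEC_DESC_DACL_AUTO_INHERITED",
    0x8000: "SEC_DESC_SELF_RELATIVE",
}
# ACE flag letters printed by smbcacls, with their bit values so that a
# numeric flags field (such as 0x0) can be decoded the same way.
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "I": 0x10}

# From the thread: a subfolder on the Samba share.
SAMBA_SUBFOLDER = r"""REVISION:1
CONTROL:0x8004
OWNER:BIZNAS-B2\admin
GROUP:BIZNAS-B2\None
ACL:BIZNAS-B2\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO/RWXDPO
ACL:BIZNAS-B2\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO/RWXDPO
ACL:Everyone:ALLOWED/OI|CI/RWXDPO
"""

# Constructed sample: the same ACL with the auto-inherited control bit and
# the I flag on the inherited entries.
AUTO_INHERITED_SUBFOLDER = r"""REVISION:1
CONTROL:0x8404
OWNER:BIZNAS-B2\admin
GROUP:BIZNAS-B2\None
ACL:BIZNAS-B2\admin:ALLOWED/0x0/RWXDPO
ACL:Creator Owner:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:BIZNAS-B2\None:ALLOWED/0x0/RWXDPO
ACL:Creator Group:ALLOWED/OI|CI|IO|I/RWXDPO
ACL:Everyone:ALLOWED/OI|CI|I/RWXDPO
"""


def decode_control(value):
    """Names of the set control bits, lowest bit first; unknown bits as hex."""
    return [CONTROL_NAMES.get(1 << bit, hex(1 << bit))
            for bit in range(16) if value & (1 << bit)]


def parse_ace_flags(field):
    """Accept both the numeric form (0x0) and the letter form (OI|CI|IO)."""
    if field.lower().startswith("0x"):
        value = int(field, 16)
        return {name for name, bit in ACE_FLAGS.items() if value & bit}
    return {flag for flag in field.split("|") if flag}


def parse_smbcacls(text):
    """Return the CONTROL word and the ACEs from smbcacls text output."""
    sd = {"control": None, "aces": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONTROL:"):
            sd["control"] = int(line.split(":", 1)[1], 16)
        elif line.startswith("ACL:"):
            # The trustee may contain spaces and backslashes; the ACE body
            # is everything after the last colon: TYPE/FLAGS/MASK.
            trustee, ace = line[4:].rsplit(":", 1)
            ace_type, flags, mask = ace.split("/", 2)
            sd["aces"].append({"trustee": trustee, "type": ace_type,
                               "flags": parse_ace_flags(flags), "mask": mask})
    if sd["control"] is None:
        raise ValueError("no CONTROL line found")
    return sd


def inheritance_report(text):
    sd = parse_smbcacls(text)
    return {
        "control": decode_control(sd["control"]),
        "auto_inherited": bool(sd["control"] & 0x0400),
        # ACEs that propagate to children (object or container inherit).
        "inheritable": [a["trustee"] for a in sd["aces"]
                        if a["flags"] & {"OI", "CI"}],
        # ACEs carrying the I flag the thread is about.
        "marked_inherited": [a["trustee"] for a in sd["aces"]
                             if "I" in a["flags"]],
    }


if __name__ == "__main__":
    for name, sample in (("samba", SAMBA_SUBFOLDER),
                         ("auto-inherited", AUTO_INHERITED_SUBFOLDER)):
        print(name, inheritance_report(sample))
```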
Re: [Samba] Samba3 and Office 2010
On Thu, Aug 30, 2012 at 11:46:55AM +0400, Андрей Гребенников wrote:
> Hi there people! I'd like someone to help me with samba shares and
> Office 2010. When a user opens a file from a share, msword or excel
> tells him that the file was got from internet and if you like to
> edit it you should push the button "allow". How could I solve the
> issue from samba side?

It's almost certainly the alternate data stream with "Internet Zone"
being required. Try using the streams_xattr module on the share.
[Samba] Samba compile problem
hi all

Samba build problem when compiling with --with-ads

I have compiled kerberos and openldap in /opt/local/samba and I am using gcc
with gnu binutils. It's a solaris 10 sparc.

Configure gives me following error:-

checking for LDAP support... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... yes
checking for ber_sockbuf_add_io... yes
checking for LDAP_OPT_SOCKBUF... yes
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... no
checking for ldap_set_rebind_proc... no
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
configure: error: libldap is needed for LDAP support

Config.log output:-

configure:25335: gcc -o conftest -I/opt/local/samba/include -I/opt/local/samba/include -D_REENTRANT -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include -L/opt/local/samba/lib -R/opt/local/samba/lib -lthread -L./bin -L/usr/lib conftest.c -lldap -llber -lresolv -lrt-lnsl -lsocket -lmd5 -lrt -liconv >&5
/usr/local/lib/gcc/sparc-sun-solaris2.10/3.4.6/../../../../sparc-sun-solaris2.10/bin/ld: /opt/local/samba/lib/libldap.so: dladdr: invalid version 12 (max 0)
/opt/local/samba/lib/libldap.so: could not read symbols: Bad value

I installed openldap in /opt/local/samba.

# find /opt/local/samba -name libldap\*
/opt/local/samba/lib/libldap_r.a
/opt/local/samba/lib/libldap.so
/opt/local/samba/lib/libldap.la
/opt/local/samba/lib/libldap-2.4.so.2
/opt/local/samba/lib/libldap.a
/opt/local/samba/lib/libldap_r.so
/opt/local/samba/lib/libldap_r-2.4.so.2
/opt/local/samba/lib/libldap-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r-2.4.so.2.8.4
/opt/local/samba/lib/libldap_r.la

Thanks
Nitin
Re: [Samba] syntax of samba-tool to deal with SRV DNS record
On 8/30/12, Alain Foucher wrote:
> i try to use something like :
> samba-tool dns add smb4 domain.local_http._tcp.domain.local SRV
> tx4.domain.local 80 1 5
> but i get this message
> Usage: samba-tool dns add
>

You've forgotten quotes around data:

samba-tool dns add smb4 domain.local_http._tcp.domain.local SRV "tx4.domain.local 80 1 5"
Re: [Samba] join domain from different subnet (VPN)
A post went by on this list not too long about using openvpn.

https://lists.samba.org/archive/samba/2012-July/168209.html

In that post, a quote from
http://openvpn.net/index.php/open-source/faq/75-general/293-what-is-the-principle-behind-openvpn-tunnels.html
indicates that running openvpn as a bridge will pass layer 2 traffic.

Perhaps that will help in your situation...

On Thu, 2012-08-30 at 15:21 +0200, real-men-dont-cl...@gmx.net wrote:
> Hi,
>
> I already tried that, no success.
>
> The VPN connects two subnets via OpenVPN with dedicated routers on each side.
>
> thx
>
> Carsten
>
> -Original message-
> To: samba@lists.samba.org;
> From: Gaiseric Vandal
> Sent: Thu 30-08-2012 14:58
> Subject: Re: [Samba] join domain from different subnet (VPN)
> > Did you try a packet capture on the samba server?
> >
> > Try adding an entry for the XP machine in the server's /etc/hosts file.
> >
> > I am guessing there is some sort of weird name resolution issue going on
> > with the server. I don't think there is any reason the server should
> > need to resolve the name of the client machine but I have had weird
> > issues with VPN connections before.
> >
> > This is a site-to-site VPN?
> >
> > On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> > > Hello everybody,
> > >
> > > we have a problem joining a domain from a remote location.
> > >
> > > The remote location is connected via VPN. Everything is working as
> > > expected but joining the samba domain from the remote location does
> > > not work.
> > >
> > > - Server Samba Version is 3.5.10
> > > - Windows Client is XP SP3
> > > - Joining the domain locally works without problems
> > > - ping does work in both directions
> > > - WINS is running on the local PDC and resolves across VPN (I tested
> > > with a Linux client using nmblookup)
> > > - the WINS server is configured on the client
> > > - NetBIOS over TCP/IP is enabled on the client
> > > - Windows on the client firewall is OFF
> > > - even adding entries to the client's lmhosts file didn't solve the
> > > problem
> > >
> > > Any suggestions?
> > >
> > > thx
> > >
> > > Carsten
Re: [Samba] Samba PDC: Admin tools?
On 30/08/12 18:57, Gaiseric Vandal wrote:
> I use apache directory studio for LDAP management. It is not samba
> specific but it is easy enough to use existing user, group or machine
> objects as templates for new ones. It runs on Windows and Linux (and
> maybe on Mac.)
>
> On 08/25/12 16:39, John Drescher wrote:
>> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno wrote:
>>> Guys.
>>>
>>> I have use smbldap-tools to handle my accounts for my PDC with
>>> samba+openldap.
>>>
>>> Now, I ask here because a lot of people have PDC running on their
>>> networks, what tools do u use to manage your openldap db for samba:
>>> users, machines, groups?
>>>
>>> Working with Centos 6.x.
>>>
>>> Any input will be appreciated, thanks!!!
>>>
>> I use ldap account manager to manage my users / machines / group accounts.
>>
>> John

Hi

openSUSE's yast has a really nice and little known frontend to LDAP
which handles samba objects too. You can point and click your way
through adding/deleting samba specific users and groups. It also has an
LDAP browser similar to phpldapadmin. I'm not sure if Yast will fire up
on Centos but may be worth a look.

Cheers,
Steve
Re: [Samba] Samba PDC: Admin tools?
I use apache directory studio for LDAP management. It is not samba
specific but it is easy enough to use existing user, group or machine
objects as templates for new ones. It runs on Windows and Linux (and
maybe on Mac.)

On 08/25/12 16:39, John Drescher wrote:
> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno wrote:
>> Guys.
>>
>> I have use smbldap-tools to handle my accounts for my PDC with
>> samba+openldap.
>>
>> Now, I ask here because a lot of people have PDC running on their
>> networks, what tools do u use to manage your openldap db for samba:
>> users, machines, groups?
>>
>> Working with Centos 6.x.
>>
>> Any input will be appreciated, thanks!!!
>>
> I use ldap account manager to manage my users / machines / group accounts.
>
> John
Re: [Samba] join domain from different subnet (VPN)
Do the routers block any ports or netbios traffic?

Did you restrict the samba ports in smb.conf - samba I think listens by
default on 137, 138, 139 + 445. 445 is for SMB-over-ip, which isn't
actually used by samba 3.x/ XP machines will try to connect to 445 then
redirect to 137-139 for "classic" smb-over-NBT. Restricting the ports
may cause more issues than it solves.

I can't think of anything else that would cause issues with a routed
environment.

On 08/30/12 11:09, real-men-dont-cl...@gmx.net wrote:
> Hi,
>
> I already tried that, no success.
>
> The VPN connects two subnets via OpenVPN with dedicated routers on each side.
>
> thx
>
> Carsten
>
> -Original message-
> To: samba@lists.samba.org;
> From: Gaiseric Vandal
> Sent: Thu 30-08-2012 14:58
> Subject: Re: [Samba] join domain from different subnet (VPN)
>> Did you try a packet capture on the samba server?
>>
>> Try adding an entry for the XP machine in the server's /etc/hosts file.
>>
>> I am guessing there is some sort of weird name resolution issue going on
>> with the server. I don't think there is any reason the server should
>> need to resolve the name of the client machine but I have had weird
>> issues with VPN connections before.
>>
>> This is a site-to-site VPN?
>>
>> On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
>>> Hello everybody,
>>>
>>> we have a problem joining a domain from a remote location.
>>>
>>> The remote location is connected via VPN. Everything is working as
>>> expected but joining the samba domain from the remote location does
>>> not work.
>>>
>>> - Server Samba Version is 3.5.10
>>> - Windows Client is XP SP3
>>> - Joining the domain locally works without problems
>>> - ping does work in both directions
>>> - WINS is running on the local PDC and resolves across VPN (I tested
>>> with a Linux client using nmblookup)
>>> - the WINS server is configured on the client
>>> - NetBIOS over TCP/IP is enabled on the client
>>> - Windows on the client firewall is OFF
>>> - even adding entries to the client's lmhosts file didn't solve the problem
>>>
>>> Any suggestions?
>>>
>>> thx
>>>
>>> Carsten
[Samba] join domain from different subnet (VPN)
Hi,

I already tried that, no success.

The VPN connects two subnets via OpenVPN with dedicated routers on each side.

thx

Carsten

-Original message-
To: samba@lists.samba.org;
From: Gaiseric Vandal
Sent: Thu 30-08-2012 14:58
Subject: Re: [Samba] join domain from different subnet (VPN)
> Did you try a packet capture on the samba server?
>
> Try adding an entry for the XP machine in the server's /etc/hosts file.
>
> I am guessing there is some sort of weird name resolution issue going on
> with the server. I don't think there is any reason the server should
> need to resolve the name of the client machine but I have had weird
> issues with VPN connections before.
>
> This is a site-to-site VPN?
>
> On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> > Hello everybody,
> >
> > we have a problem joining a domain from a remote location.
> >
> > The remote location is connected via VPN. Everything is working as
> > expected but joining the samba domain from the remote location does
> > not work.
> >
> > - Server Samba Version is 3.5.10
> > - Windows Client is XP SP3
> > - Joining the domain locally works without problems
> > - ping does work in both directions
> > - WINS is running on the local PDC and resolves across VPN (I tested
> > with a Linux client using nmblookup)
> > - the WINS server is configured on the client
> > - NetBIOS over TCP/IP is enabled on the client
> > - Windows on the client firewall is OFF
> > - even adding entries to the client's lmhosts file didn't solve the problem
> >
> > Any suggestions?
> >
> > thx
> >
> > Carsten
[Samba] join domain from different subnet (VPN)
Hi abosch,

I checked with nblookup.exe from the client side. WINS resolution works
without any problems. The DC as well as the client and the domain are
resolved via WINS.

;-(

thx

Carsten

-Original message-
To: real-men-dont-cl...@gmx.net;
CC: samba@lists.samba.org; gaiseric vandal ;
From: Angel Bosch
Sent: Thu 30-08-2012 15:27
Subject: Re: [Samba] join domain from different subnet (VPN)
> we had lot of problems with Wins and remote sites.
>
> be sure Wins traffic is passing.
>
> abosch
>
> From: real-men-dont-cl...@gmx.net
> To: samba@lists.samba.org, "gaiseric vandal"
> Sent: Thursday, August 30, 2012 3:21:06 PM
> Subject: Re: [Samba] join domain from different subnet (VPN)
>
> Hi,
>
> I already tried that, no success.
>
> The VPN connects two subnets via OpenVPN with dedicated routers on each side.
>
> thx
>
> Carsten
>
> -Original message-
> To: samba@lists.samba.org;
> From: Gaiseric Vandal
> Sent: Thu 30-08-2012 14:58
> Subject: Re: [Samba] join domain from different subnet (VPN)
> > Did you try a packet capture on the samba server?
> >
> > Try adding an entry for the XP machine in the server's /etc/hosts file.
> >
> > I am guessing there is some sort of weird name resolution issue going on
> > with the server. I don't think there is any reason the server should
> > need to resolve the name of the client machine but I have had weird
> > issues with VPN connections before.
> >
> > This is a site-to-site VPN?
> >
> > On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> > > Hello everybody,
> > >
> > > we have a problem joining a domain from a remote location.
> > >
> > > The remote location is connected via VPN. Everything is working as
> > > expected but joining the samba domain from the remote location does
> > > not work.
> > >
> > > - Server Samba Version is 3.5.10
> > > - Windows Client is XP SP3
> > > - Joining the domain locally works without problems
> > > - ping does work in both directions
> > > - WINS is running on the local PDC and resolves across VPN (I tested
> > > with a Linux client using nmblookup)
> > > - the WINS server is configured on the client
> > > - NetBIOS over TCP/IP is enabled on the client
> > > - Windows on the client firewall is OFF
> > > - even adding entries to the client's lmhosts file didn't solve the
> > > problem
> > >
> > > Any suggestions?
> > >
> > > thx
> > >
> > > Carsten
Re: [Samba] samba4 & kpasswd: refuses to change
On Thu, 30 Aug 2012 14:07:00 +, Thomas Mueller wrote:

> On Thu, 30 Aug 2012 13:45:50 +, Thomas Mueller wrote:
>
>> # kpasswd
>> Password for user@TEST.DOMAIN:
>> Enter new password:
>> Enter it again:
>> Password change rejected: Password must be at least 7 characters long,
>> and cannot match any of your 24 previous passwords
>
> OK, it's not a kpasswd problem. Changing the password from windows (ctrl -
> alt -del -> change password) brings up the same message.
>
> - Thomas

and finally found the root cause:

the default password policy is set to a minimal password age of 1 day

- Thomas
[Samba] Can't join Samba as DC to existing Win2k3 Domain
I downloaded and built Samba 4, and I'm at the step where I'm trying to add it to the domain and I'm getting a replication error when it's trying to do its initial replication.

bin/samba-tool domain join domain.coop DC -Uusername --realm=domain.coop
Finding a writeable DC for domain 'domain.coop'
Found DC DC.domain.coop
Password for [DOMAIN\username]:
workgroup is DOMAIN
realm is domain.coop
checking sAMAccountName
Adding CN=SambaServer,OU=Domain Controllers,DC=domain,DC=coop
Adding CN=SambaServer,CN=Servers,CN=SV,CN=Sites,CN=Configuration,DC=domain,DC=coop
Adding CN=NTDS Settings,CN=SambaServer,CN=Servers,CN=SV,CN=Sites,CN=Configuration,DC=domain,DC=coop
Adding SPNs to CN=SambaServer,OU=Domain Controllers,DC=domain,DC=coop
Setting account password for SambaServer$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=domain,DC=coop
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=coop] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=coop] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=coop] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=coop] objects[1376] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=domain,DC=coop] objects[402] linked_values[0]
Partition[CN=Configuration,DC=domain,DC=coop] objects[804] linked_values[0]
Partition[CN=Configuration,DC=domain,DC=coop] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=domain,DC=coop] objects[1608] linked_values[55]
Partition[CN=Configuration,DC=domain,DC=coop] objects[1650] linked_values[10]
Replicating critical objects from the base DN of the domain
Partition[DC=domain,DC=coop] objects[96] linked_values[20]
Partition[DC=domain,DC=coop] objects[434] linked_values[64]
Partition[DC=domain,DC=coop] objects[698] linked_values[37]
Partition[DC=domain,DC=coop] objects[945] linked_values[20]
Partition[DC=domain,DC=coop] objects[1130] linked_values[45]
Refusing to replicate DC=TAPI3Directory\0ADEL:421d2b48-4a80-45e1-a921-b1700eb4daca,DC=domain,DC=coop from a read-only repilca into a read-write replica!
Failed to convert object DC=TAPI3Directory\0ADEL:421d2b48-4a80-45e1-a921-b1700eb4daca,DC=domain,DC=coop: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SambaServer,OU=Domain Controllers,DC=domain,DC=coop
Deleted CN=NTDS Settings,CN=SambaServer,CN=Servers,CN=SV,CN=Sites,CN=Configuration,DC=domain,DC=coop
Deleted CN=SambaServer,CN=Servers,CN=SV,CN=Sites,CN=Configuration,DC=domain,DC=coop
ERROR(): uncaught exception - Failed to process chunk: NT code 0xc0002111
  File "bin/python/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "bin/python/samba/netcmd/domain.py", line 256, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "bin/python/samba/join.py", line 1079, in join_DC
    ctx.do_join()
  File "bin/python/samba/join.py", line 984, in do_join
    ctx.join_replicate()
  File "bin/python/samba/join.py", line 736, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "bin/python/samba/drs_utils.py", line 252, in replicate
    schema=schema, req_level=req_level, req=req)

When I first got this I ran tapicfg on a Windows DC and saw a TAPI3Directory partition. I deleted it and it didn't seem to help. I've also run ldp.exe, and tried to find it that way. As well as running repadmin /removelingeringobjects thinking it might just not have been fully deleted.

Is this just having to wait for the tombstone lifetime of the deleted object to pass, or is there something I can do to fix this and get the replication working for the Samba 4 server I'm trying to set up?

Thanks!

Liam
liam(dot)k(at)weaverstreetmarket(dot)coop
Re: [Samba] samba4 & kpasswd: refuses to change
On Thu, 30 Aug 2012 13:45:50 +, Thomas Mueller wrote:

> # kpasswd Password for user@TEST.DOMAIN:
> Enter new password:
> Enter it again:
> Password change rejected: Password must be at least 7 characters long,
> and cannot match any of your 24 previous passwords

OK, it's not a kpasswd problem. Changing the password from Windows (Ctrl-Alt-Del -> Change password) brings up the same message.

- Thomas
Re: [Samba] Centos 6.3 smbldap-tools installation issue
On Mon, Aug 27, 2012 at 8:31 AM, Alex Domoradov wrote:

>> Hi.
>>
>> I got a fresh installation of centos 6.3 x64, I want to setup a PDC
>> with samba+ldap and see what I need to upgrade my centos 5.x servers.
>> I follow my manual, but I got issues when I want to install
>> smbldap-tools, check:
>>
>> Processing Dependency: perl(Unicode::MapUTF8) for package: smbldap-tools-0.9.5-2.el6.rf.noarch
>> --> Finished Dependency Resolution
>> Error: Package: smbldap-tools-0.9.5-2.el6.rf.noarch (rpmforge)
>>            Requires: perl(Unicode::MapUTF8)
>> You could try using --skip-broken to work around the problem
>> You could try running: rpm -Va --nofiles --nodigest
>>
>> I'm using rpmforge repo.
>>
>> Does someone here know how to fix this issue?
>
> 0.9.5 is too old. Try to use the one from EPEL
>
> # yum info smbldap-tools
> Available Packages
> Name        : smbldap-tools
> Arch        : noarch
> Version     : 0.9.6
> Release     : 3.el6
> Size        : 309 k
> Repo        : epel
> Summary     : User and group administration tools for Samba/OpenLDAP
> URL         : http://gna.org/projects/smbldap-tools/
> License     : GPLv2+
> Description : In conjunction with OpenLDAP and Samba-LDAP servers, this collection is useful
>             : to add, modify and delete users and groups, and to change Unix and Samba
>             : passwords. In those contexts they replace the system tools to manage users,
>             : groups and passwords.
>
> And you can also directly install from off site
>
> # yum install perl-Crypt-SmbHash perl-Digest-SHA perl-LDAP
> # rpm -ivh http://download.gna.org/smbldap-tools/packages/el6/smbldap-tools-0.9.8-1.el6.noarch.rpm

Thanks Alex, looks that one was installed good, thanks again!!!

--
LIving the dream...
[Samba] samba4 & kpasswd: refuses to change
Hi,

after kpasswd panicked samba4 (debian wheezy packages, beta2) I've compiled the latest from git (Version 4.0.0beta8-GIT-5131359).

It does not panic anymore but tells me the following:

# kpasswd Password for user@TEST.DOMAIN:
Enter new password:
Enter it again:
Password change rejected: Password must be at least 7 characters long,
and cannot match any of your 24 previous passwords

The new password hasn't been used before on this account. Complexity criteria are met too (otherwise it correctly fails and tells that they are not met).

Is kpasswd supposed to work with samba4?

- Thomas
Re: [Samba] join domain from different subnet (VPN)
We had a lot of problems with WINS and remote sites. Be sure WINS traffic is passing.

abosch

- Original Message -
From: real-men-dont-cl...@gmx.net
To: samba@lists.samba.org, "gaiseric vandal"
Sent: Thursday, August 30, 2012 3:21:06 PM
Subject: Re: [Samba] join domain from different subnet (VPN)

Hi,

I already tried that, no success. The VPN connects two subnets via OpenVPN with dedicated routers on each side.

thx
Carsten

-Original message-
To: samba@lists.samba.org;
From: Gaiseric Vandal
Sent: Thu 30-08-2012 14:58
Subject: Re: [Samba] join domain from different subnet (VPN)

> Did you try a packet capture on the samba server?
>
> Try adding an entry for the XP machine in the server's /etc/hosts file.
>
> I am guessing there is some sort of weird name resolution issue going on
> with the server. I don't think there is any reason the server should
> need to resolve the name of the client machine but I have had weird
> issues with VPN connections before.
>
> This is a site-to-site VPN?
>
> On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> > Hello everybody,
> >
> > we have a problem joining a domain from a remote location.
> >
> > The remote location is connected via VPN. Everything is working as expected but joining the samba domain from the remote location does not work.
> >
> > - Server Samba Version is 3.5.10
> > - Windows Client is XP SP3
> > - Joining the domain locally works without problems
> > - ping does work in both directions
> > - WINS is running on the local PDC and resolves across VPN (I tested with a Linux client using nmblookup)
> > - the WINS server is configured on the client
> > - NetBIOS over TCP/IP is enabled on the client
> > - Windows on the client firewall is OFF
> > - even adding entries to the client's lmhosts file didn't solve the problem
> >
> > Any suggestions?
> >
> > thx
> >
> > Carsten
Re: [Samba] replication error?
On Wed, 29 Aug 2012, Steve Thompson wrote:

On Wed, 29 Aug 2012, Steve Thompson wrote:

More information. If I have two DC's, dc1 and dc2, and I point ldap_uri and krb5_server in sssd.conf directly at dc1, it always works. If I point either of those parameters at dc2, it always fails.

Well, this was a red herring. Wait long enough (overnight) and it turns out that dc1 stops working as well (dc2 never works). This stuff is unusable.

Steve
Re: [Samba] join domain from different subnet (VPN)
Hi,

I already tried that, no success. The VPN connects two subnets via OpenVPN with dedicated routers on each side.

thx
Carsten

-Original message-
To: samba@lists.samba.org;
From: Gaiseric Vandal
Sent: Thu 30-08-2012 14:58
Subject: Re: [Samba] join domain from different subnet (VPN)

> Did you try a packet capture on the samba server?
>
> Try adding an entry for the XP machine in the server's /etc/hosts file.
>
> I am guessing there is some sort of weird name resolution issue going on
> with the server. I don't think there is any reason the server should
> need to resolve the name of the client machine but I have had weird
> issues with VPN connections before.
>
> This is a site-to-site VPN?
>
> On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> > Hello everybody,
> >
> > we have a problem joining a domain from a remote location.
> >
> > The remote location is connected via VPN. Everything is working as expected but joining the samba domain from the remote location does not work.
> >
> > - Server Samba Version is 3.5.10
> > - Windows Client is XP SP3
> > - Joining the domain locally works without problems
> > - ping does work in both directions
> > - WINS is running on the local PDC and resolves across VPN (I tested with a Linux client using nmblookup)
> > - the WINS server is configured on the client
> > - NetBIOS over TCP/IP is enabled on the client
> > - Windows on the client firewall is OFF
> > - even adding entries to the client's lmhosts file didn't solve the problem
> >
> > Any suggestions?
> >
> > thx
> >
> > Carsten
Re: [Samba] join domain from different subnet (VPN)
Did you try a packet capture on the samba server?

Try adding an entry for the XP machine in the server's /etc/hosts file.

I am guessing there is some sort of weird name resolution issue going on with the server. I don't think there is any reason the server should need to resolve the name of the client machine but I have had weird issues with VPN connections before.

This is a site-to-site VPN?

On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:
> Hello everybody,
>
> we have a problem joining a domain from a remote location.
>
> The remote location is connected via VPN. Everything is working as expected
> but joining the samba domain from the remote location does not work.
>
> - Server Samba Version is 3.5.10
> - Windows Client is XP SP3
> - Joining the domain locally works without problems
> - ping does work in both directions
> - WINS is running on the local PDC and resolves across VPN (I tested with a Linux client using nmblookup)
> - the WINS server is configured on the client
> - NetBIOS over TCP/IP is enabled on the client
> - Windows on the client firewall is OFF
> - even adding entries to the client's lmhosts file didn't solve the problem
>
> Any suggestions?
>
> thx
>
> Carsten
Re: [Samba] Samba - Can you please check the below questions and advise us accordingly?
[removing from development mailing-list]

Hi Maria,

On Wed, 29 Aug 2012 11:34:04 +0300 "Maria Karamanli" wrote:

> i navigated to
> http://ftp.samba.org/pub/samba/Binary_Packages/AIX/ (AIX is our server
> operating system) but there is not any installation file. How can i
> download this installation file?

https://ftp.samba.org/pub/samba/Binary_Packages/AIX/README lists pware.hvcc.edu as a Samba AIX package provider.

http://pware.hvcc.edu/ftpdownloads.html

Cheers, David
[Samba] join domain from different subnet (VPN)
Hello everybody,

we have a problem joining a domain from a remote location.

The remote location is connected via VPN. Everything is working as expected but joining the samba domain from the remote location does not work.

- Server Samba Version is 3.5.10
- Windows Client is XP SP3
- Joining the domain locally works without problems
- ping does work in both directions
- WINS is running on the local PDC and resolves across VPN (I tested with a Linux client using nmblookup)
- the WINS server is configured on the client
- NetBIOS over TCP/IP is enabled on the client
- Windows on the client firewall is OFF
- even adding entries to the client's lmhosts file didn't solve the problem

Any suggestions?

thx

Carsten
[Samba] Samba3 and Office 2010
Hi there people!

I'd like someone to help me with samba shares and Office 2010. When a user opens a file from a share, msword or excel tells him that the file was got from internet and if you like to edit it you should push the button "allow". How could I solve the issue from samba side?

--
Andrey Grebennikov
Saratov, Russia
Re: [Samba] High load while printing a Word document
Alexander Busam wrote:

Hello!

Sometimes I have problems printing a particular Word document on a Windows XP machine. The printing takes very long and the server load/CPU are very high. For testing I set the log level = 3 printdrivers:10 and got a STATUS_BUFFER_OVERFLOW error (see logfile-extract below)

On the client side I use MS Office 2003 SP3 and Windows XP SP3. With Windows 7 all works fine. The postscript-driver of Lexmark X464 is configured as point-and-click. Samba 3.6.7 is configured as PDC on OpenSuSE 10.3.

I've attached the log.smbd and smb.conf as zip-file. The word document is too big (272 kb). If it is needed for testing I can send directly. Probably the eps-part of the picture in the header of the word-document is the problem.

Is it possible to config/fix samba to avoid this problem ?

Thanks a lot.

Alex

extract of log.smbd:

[2012/08/27 11:07:16.205463, 3] rpc_server/srv_pipe.c:1626(api_rpcTNP)
  api_rpcTNP: rpc command: SPOOLSS_ADDJOB
[2012/08/27 11:07:16.205706, 3] smbd/error.c:81(error_packet_set)
  error packet at smbd/ipc.c(137) cmd=37 (SMBtrans) STATUS_BUFFER_OVERFLOW
[2012/08/27 11:07:16.208747, 3] smbd/process.c:1662(process_smb)
  Transaction 149 of length 63 (0 toread)
[2012/08/27 11:07:16.208959, 3] smbd/process.c:1467(switch_message)
  switch message SMBreadX (pid 30185) conn 0x80936638

... no idea ?