Re: [Samba] Samba 4 and AD sites

2012-09-21 Thread Matthieu Patou

On 09/21/2012 12:50 AM, Ben Metcalfe wrote:
> Is site support on the road map? Very useful for WAN-connected branch
> offices with local servers, or doing manual load-balancing with cloud
> servers.
Note that clients that are site aware (i.e. Windows XP, 7, 8) will still
be able to take advantage of our current site implementation as they
will go to the closest DC.


I think next version (4.1) will improve this situation but before 4.1 we 
have to ship 4.0 ...


Of course patches are welcome.

Matthieu.

> On 21 Sep 2012 07:34, "Matthieu Patou"  wrote:
>
>> On 09/19/2012 12:02 PM, Kristofer wrote:
>>
>>> I have several Samba 4 AD controllers set up at multiple sites.
>>>
>>> I set up sites and subnets.  We have several /24's at each site, but each
>>> site is dedicated a /16, so I set up the Sites & Subnets using the /16's.
>>>
>>> However, when I log into any system that is joined to the AD domain, it
>>> is using a DC at a different site.  There doesn't seem to be any
>>> consistency to it, but it seems that the Sites & Subnets are not working
>>> correctly.
>>>
>> Samba didn't comply too much with sites; it means that it contacts DCs in
>> other sites as if they were in the same site.
>>
>> --
>> Matthieu Patou
>> Samba Team
>> http://samba.org
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba



--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] Login batch file not working for Win7

2012-09-21 Thread Fernando Lozano

Hi Tony,



> I'm running samba3x-3.5.10-0.110.el5_8.x86_64 on a fully updated
> CentOS-5.8 system as PDC.
>
> We upgraded our lab machines to Win7 over the summer
>
> The logins work ok and the homes share is being mounted from a
> separate fileserver. However the login batch command script is not
> running.
I have RHEL 5.4 with Sernet Samba 3.4 RPMs and it works OK with Windows 
7 clients, besides a few Windows Vista and Windows XP ones. Even with 
different releases and package sources our setups should work the same. 
I know this for sure because one of my BDCs runs RHEL 5.6 with RHEL's own 
Samba 3.6 packages, which didn't exist on previous releases for RHEL 5.x 
and also didn't for CentOS 5.x where x < 6.



> Part of smb.conf
>
> logon script = %G.cmd
I guess this is your problem, because this hurt me with my first setup 
(and it was before I had Windows 7 clients). From "man smb.conf":


   %G   primary group name of %U.

Are you sure your users have the correct primary group set? "Primary 
group" is a Unix concept which doesn't exist in the Windows world. As 
you didn't send the rest of your smb.conf and your NSS/PAM config files 
I don't know where your PDC user information comes from and how 
Samba/Windows user and group definitions map to Unix users and groups.


My first setup had all users getting the same Unix group, which was 
something generic such as "users", and was not mapped to any 
Samba/Windows group. I have a few Unix groups which are not mapped 
because they are used only for Unix (actually Linux) sysadmins and 
applications.


I changed my user creation policies and procedures so the primary user 
group was set to the unix group mapped to the "main" Samba/Windows group 
for the new user, and manually set the correct primary group for all old 
users. It was quite a bit of work but I could not see any other way as 
some (most) of my users were members of multiple Samba/Windows groups.


The "main" Samba/Windows group is what MS calls "organizational group": 
it reflects the user position as a member of a company department or 
project.


Try using the command "id user_name" for a few users and check if 
the gid (which is the primary user group) is mapped to an existing 
Samba/Windows group, and then check if the Samba/Windows group has a 
login script with the expected name at the correct path.


For example, my own regular user is:
# id lozano
uid=563(lozano) gid=508(suporte) 
groups=508(suporte),548(ntaccount),100(users)


gid=508(suporte) is mapped to a Samba/Windows group of the same name, 
while group 548(ntaccount) is mapped to the Samba/Windows "Account 
Operators" group and group 100(users) is mapped to no Samba/Windows 
group and is used by us to flag users with shell access to our servers.


I can check the Samba/Windows group memberships and mappings using the 
net command from Samba, for example:


# net user info lozano
Enter root's password:
suporte
Account Operators


# net groupmap list
Enter root's password:
[... filtered ...]
Account Operators (S-1-5-32-548) -> ntaccount
suporte (S-1-5-21-2052653627-1561675057-495535119-1020) -> suporte


Also beware the factory setting for RHEL and CentOS systems is to 
create a "private group" with its name equal to the user name for all 
new users, so user "lozano" would have as its gid "lozano". But "lozano" 
was a Unix-only group and this didn't enable us to use %G in any 
effective way inside the Windows login script.


See for example a Unix-only user which is used by us to run a few cron 
scripts:


# id analista
uid=500(analista) gid=100(users) groups=100(users),99(nobody),508(suporte)

# net user info analista
Enter root's password:
Failed to get groups for 'analista' with: Could not map names to SIDs

Hope this long message helps.


[]s, Fernando Lozano

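A check for the primary-group problem Fernando describes, as an added example that is not part of the thread and not code from Samba: it parses the output formats of `id` and `net groupmap list` shown above, expands the `logon script = %G.cmd` template per user (assuming, as the quoted man page says, that %G is the Unix primary group name of %U), and reports whether that group has a groupmap entry and whether the script file is present in the netlogon share. The sample `id` and groupmap lines are constructed from the examples in the message plus one invented user, jsmith, with an RHEL-style private primary group; the set of netlogon files is an assumption.

```python
"""Find users whose ``logon script = %G.cmd`` will not resolve to a script.

Added example for this thread, not code from Samba.  It works on the text
printed by ``id`` and ``net groupmap list`` so it can run offline here; on a
PDC you would feed it the live output of those commands and a listing of
the [netlogon] share.
"""
import re

# Constructed sample output of `id <user>` for three accounts.  lozano and
# analista are taken from the message above; jsmith is an invented user
# with an RHEL/CentOS style private primary group.
ID_OUTPUT = """\
uid=563(lozano) gid=508(suporte) groups=508(suporte),548(ntaccount),100(users)
uid=500(analista) gid=100(users) groups=100(users),99(nobody),508(suporte)
uid=1001(jsmith) gid=1001(jsmith) groups=1001(jsmith),508(suporte)
"""

# Constructed sample output of `net groupmap list` (the two lines quoted above).
GROUPMAP_OUTPUT = """\
Account Operators (S-1-5-32-548) -> ntaccount
suporte (S-1-5-21-2052653627-1561675057-495535119-1020) -> suporte
"""

# Assumed contents of the [netlogon] share directory.
NETLOGON_FILES = {"suporte.cmd", "cs1yr.cmd"}

ID_RE = re.compile(r"uid=\d+\((?P<user>[^)]+)\)\s+gid=\d+\((?P<group>[^)]+)\)")
MAP_RE = re.compile(r"^(?P<ntgroup>.+?) \((?P<sid>S-[0-9-]+)\) -> (?P<unixgroup>\S+)$")


def parse_id(text):
    """Map user name -> primary Unix group name from lines of `id` output."""
    users = {}
    for line in text.splitlines():
        m = ID_RE.search(line)
        if m:
            users[m.group("user")] = m.group("group")
    return users


def parse_groupmap(text):
    """Map Unix group name -> (Windows group, SID) from `net groupmap list`."""
    mapping = {}
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            mapping[m.group("unixgroup")] = (m.group("ntgroup"), m.group("sid"))
    return mapping


def expand_logon_script(template, user, primary_group):
    """Expand the %U and %G substitutions of the `logon script` parameter."""
    return template.replace("%U", user).replace("%G", primary_group)


def check_logon_scripts(id_text, groupmap_text, netlogon_files, template="%G.cmd"):
    """Return {user: {"script", "mapped", "script_exists"}} for every user."""
    mapping = parse_groupmap(groupmap_text)
    report = {}
    for user, group in parse_id(id_text).items():
        script = expand_logon_script(template, user, group)
        report[user] = {
            "script": script,
            # primary group has a Samba/Windows mapping in `net groupmap list`
            "mapped": group in mapping,
            # the file Samba will hand to the client is actually there
            "script_exists": script in netlogon_files,
        }
    return report


def users_without_script(report):
    """Names of users for whom no logon script will be found."""
    return sorted(u for u, r in report.items() if not r["script_exists"])


if __name__ == "__main__":
    result = check_logon_scripts(ID_OUTPUT, GROUPMAP_OUTPUT, NETLOGON_FILES)
    for user, r in sorted(result.items()):
        state = "ok" if r["script_exists"] else "NO SCRIPT"
        note = "" if r["mapped"] else " (primary group not in groupmap)"
        print(f"{user:10s} -> {r['script']:16s} {state}{note}")
```

On a live PDC the same functions take the output of `id` for each account and of `net groupmap list`, and `NETLOGON_FILES` becomes a directory listing of the share's `path`; a user flagged "NO SCRIPT" whose primary group is also unmapped is exactly the private-group case Fernando describes.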


[Samba] Login batch file not working for Win7

2012-09-21 Thread Tony Molloy

HI

I'm running samba3x-3.5.10-0.110.el5_8.x86_64 on a fully updated 
CentOS-5.8 system as PDC.

We upgraded our lab machines to Win7 over the summer

The logins work ok and the homes share is being mounted from a 
separate fileserver. However the login batch command script is not 
running. It's just a simple script  which syncs the system time and 
mounts another share. 

Part of smb.conf

   logon script = %G.cmd
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\YOUNGMUNSTER\homes

and an example script from /samba/netlogon/cs1yr.cmd

@echo.
@echo Setting System Policies:  Please Wait.
@echo off
REM sync the workstation clock from the PDC
NET TIME \\janus /SET /YES > X
REM map the ug2012 share from the fileserver
net use M: \\youngmunster\ug2012 /persistent:no > X

where janus is the PDC and youngmunster is the fileserver with the 
homes share and the other share I want to mount.


Any idea why it's not working.

Thanks,

Tony
Script e.g.



Re: [Samba] Windows 8 Pro no domain logon possible

2012-09-21 Thread Roland Schwingel

Hi ...

So here are my current findings...

samba-boun...@lists.samba.org wrote on 20.09.2012 11:30:23:
> From: Roland Schwingel 
> [...]
> I got a serious problem with it. I cannot logon as domain user.
> [...]
> Does anyone have the same problems?
> Has anyone already got a working windows 8 pro in a domain?

After some more tests and changes I can give a small report on domain 
logon using windows 8 together with samba 3:


Logon is possible after some changes, but there remains some logout trouble.

I am using samba 3.6.6 on my PDCs and my fileservers with enabled smb2.
My PDCs are solely responsible for keeping the windows profiles and for 
managing the domain itself. No printing or file services.


To join a samba domain you need the same registry settings as for 
windows 7. When they are applied and you have rebooted you can join a 
samba 3 domain with windows 8 but can't login.


The problem with win8 seems to be the smb2 implementation. I assume at 
least since the release preview of win8 it is using smb2.2/3.0 
extensions unknown to samba.


So I switched off smb2 in windows 8 using regedit.
Under "HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation" one can 
find a key "DependOnService". Open it. Remove "MRxSmb20" and reboot.


Now I can login... Hooray...

Instead of disabling smb2 in win8 I tried disabling it on my PDC 
(smb.conf: "max protocol = nt1"). This also worked.


Login is possible. I can even read/write to my fileservers which do have 
smb2 still enabled and fully saturate my GBit connection. Nice. :-)


So the problem lies in the login process. Something has changed here 
with win8. Once you pass login the implementations appear to be 
compatible - as long as you don't log out.


Logout trouble:
As long as I stay logged in everything is fine. I can work as usual. 
Enumerate users/groups from the domain. Really fine. But there are 
problems when I logout.


Logout takes sometimes ages (even with a user who has a nearly empty 
profile). Often windows 8 writes on logout that it can't sync all data 
from the local profile on the disk to the server. There are some 
messages in windows eventlog listing certain paths which are not 
synced. There is nothing in the logs on the PDC (which hosts my profiles).


Roland


Re: [Samba] Samba4, DHCP, & BIND DLZ

2012-09-21 Thread Rowland Penny

On 21/09/12 00:55, Jeff wrote:

(2) I need to ensure that DHCP is playing nicely with samba4.  How are DNS 
updates from the DHCP server propagated to samba4??  I've changed my BIND so 
that it no longer uses zone files for the local domain. Instead it uses the 
bind9 dlz driver that came with samba4.  If I understand correctly, this means 
that bind will now pass queries about the local domain off to samba.  So samba 
must be updated whenever a new DHCP lease is granted by the dhcp server.  Does 
the DLZ driver handle this, or does the DHCP server need to be configured to 
cause these updates to go directly to samba??


Thanks,
Jeff





Hi, you could start here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

I did have a variant of this working on Ubuntu 12.04 with Bind 9.9.1, 
dhcp & samba4 beta8 but had problems when I moved to samba RC1 & the 
internal dns.
The problem turned out to be, although the script updated dns it always 
returned an error, so it seemed not to work; I just rewrote the script to 
check another way.


Rowland


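One way to do the hand-off Jeff asks about, as an added example that is not the script from the linked blog post and not code from Samba or ISC dhcpd: a hook dhcpd runs on lease commit that builds an nsupdate batch for the lease's A and PTR records, sends it to the DC signed with GSS-TSIG (`nsupdate -g`, after a `kinit` from a keytab), and then decides success by querying the DC with `dig` instead of trusting nsupdate's exit status, which is the kind of check Rowland ended up doing. The DC name dc1.example.lan, the zone example.lan, the keytab path and the principal are assumptions; the values in the test are constructed.

```python
"""Register a DHCP lease in Samba 4's DNS and verify it independently.

Added example for this thread; not the script from the linked blog post and
not code from Samba or ISC dhcpd.  Meant to be called by dhcpd with the
client host name and leased address as arguments.  All names below are
assumptions: the DC dc1.example.lan serving zone example.lan and the
matching in-addr.arpa zone, and a keytab holding a principal allowed to
update both zones.
"""
import ipaddress
import subprocess
import sys

DC = "dc1.example.lan"                 # assumed DC / DNS server
ZONE = "example.lan"                   # assumed forward zone
KEYTAB = "/etc/dhcp-dyndns.keytab"     # assumed keytab for the update account
PRINCIPAL = "dhcpduser@EXAMPLE.LAN"    # assumed principal in that keytab
TTL = 3600


def reverse_name(ip):
    """Owner name of the PTR record, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_nsupdate_script(hostname, ip, zone=ZONE, server=DC, ttl=TTL):
    """nsupdate batch that replaces the A/AAAA and PTR records for a lease.

    Two `send`s because the forward and reverse zones are separate updates.
    """
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    fqdn = f"{hostname}.{zone}"
    ptr = reverse_name(ip)
    lines = [
        f"server {server}",
        f"update delete {fqdn} {rtype}",
        f"update add {fqdn} {ttl} {rtype} {addr}",
        "send",
        f"update delete {ptr} PTR",
        f"update add {ptr} {ttl} PTR {fqdn}.",
        "send",
    ]
    return "\n".join(lines) + "\n"


def record_matches(dig_short_output, expected):
    """True if `dig +short` output lists the expected value.

    dig prints one value per line and names with a trailing dot, so
    'pc1.example.lan.' is accepted for 'pc1.example.lan'.
    """
    want = expected.strip().rstrip(".").lower()
    return any(line.strip().rstrip(".").lower() == want
               for line in dig_short_output.splitlines())


def run(cmd, stdin=None):
    """Run a command; return (exit status, stdout)."""
    proc = subprocess.run(cmd, input=stdin, text=True, capture_output=True)
    return proc.returncode, proc.stdout


def update_lease(hostname, ip):
    """Send the update with GSS-TSIG, then judge success by what the DC serves."""
    fqdn = f"{hostname}.{ZONE}"
    rtype = "AAAA" if ipaddress.ip_address(ip).version == 6 else "A"
    run(["kinit", "-k", "-t", KEYTAB, PRINCIPAL])
    status, _ = run(["nsupdate", "-g"], stdin=build_nsupdate_script(hostname, ip))
    # Deliberately not returning on status != 0: the update may have landed
    # anyway, so ask the DC what it now serves and decide on that.
    _, fwd = run(["dig", "+short", f"@{DC}", fqdn, rtype])
    _, rev = run(["dig", "+short", f"@{DC}", "-x", ip])
    ok = record_matches(fwd, ip) and record_matches(rev, fqdn)
    if not ok:
        print(f"DNS update for {fqdn} ({ip}) not visible on {DC}, "
              f"nsupdate exit status {status}", file=sys.stderr)
    return ok


if __name__ == "__main__":
    host, addr = sys.argv[1:3]
    sys.exit(0 if update_lease(host, addr) else 1)
```

dhcpd would call this from an `on commit` block with `execute()`, passing the client's host name and the leased address; the principal in the keytab needs write access to both the forward and the reverse zone on the DC, and the reverse zone has to exist there for the PTR update to be accepted.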


Re: [Samba] Windows 8 Pro no domain logon possible

2012-09-21 Thread Marco Ciampa
On Fri, Sep 21, 2012 at 11:10:56AM +0200, Roland Schwingel wrote:
> Hi Andrew...
> 
> Andrew Bartlett  wrote on 20.09.2012 19:56:30:
> > > > No, it is not possible to use another LDAP server instead of
> > > > Samba 4's
> > > > built-in LDAP implementation.  At one point there was support for
> > > > this, but as far as I understand it, it is not technically
> > > > possible to
> > >  > make it work properly and the support was removed/deprecated.
> > > This is bad. Is it really expected to migrate over all data which is
> > > most likely present in companies' current LDAP solutions to the samba
> > > ldap? Can samba ldap fulfill all needs here (e.g. rock solid live
> > > replication and general purpose usage?). I would very much appreciate
> > > the possibility of being able to not use the embedded ldap. This would
> > > very much reduce the effort of moving from samba3 to 4 in
> > > existing ldap environments.
> > We spent considerable effort over a period of years in attempting to
> > make this possible.  It is not.  Even if it was, it would not involve
> > 'simply' reading the companies LDAP server, it would be a very intrusive
> > change no more acceptable than using our own built-in LDAP server.
> Hmmm... I see...
> 
> This will very much complicate migration from samba 3 to 4 if you are
> having an existing infrastructure. We use our LDAP for
> users,groups,dns,dhcp,networks and a lot of other things. So you say
> if one wants to use samba 4 (s)he has to move fully over to the ldap
> of samba4 and abandon the current infrastructure? This is quite a
> burden and will take many months. So it won't happen here in a
> foreseeable time even if samba 4 were released today as a final
> stable version. I believe I am not the only one having these
> concerns. Don't get me wrong, I would love to get AD support but the
> road from an at present well working (beside of windows 8 yet)
> domain infrastructure for windows hosts and seamless integration of
> linux and Mac OS hosts to samba 4 based AD appears to become very
> long and hard. I hope you will maintain samba 3 for a longer time
> (including windows 8 support).

From what I understand, not making it possible to merge 2 LDAPs (the enterprise
one with the smb4 internal one) does not imply that it is not possible to integrate
Samba 4 into a large environment. The problem IMHO simply shifts from a
merging problem into a synchronization problem...

-- 


Marco Ciampa

++
| Linux User  #78271 |
| FSFE fellow   #364 |
++


Re: [Samba] Windows 8 Pro no domain logon possible

2012-09-21 Thread Roland Schwingel

Hi Andrew...

Andrew Bartlett  wrote on 20.09.2012 19:56:30:
> > > No, it is not possible to use another LDAP server instead of Samba 4's
> > > built-in LDAP implementation.  At one point there was support for
> > > this, but as far as I understand it, it is not technically possible to
> > > make it work properly and the support was removed/deprecated.
> > This is bad. Is it really expected to migrate over all data which is
> > most likely present in companies' current LDAP solutions to the samba
> > ldap? Can samba ldap fulfill all needs here (e.g. rock solid live
> > replication and general purpose usage?). I would very much appreciate
> > the possibility of being able to not use the embedded ldap. This would
> > very much reduce the effort of moving from samba3 to 4 in existing ldap
> > environments.
>
> We spent considerable effort over a period of years in attempting to
> make this possible.  It is not.  Even if it was, it would not involve
> 'simply' reading the companies LDAP server, it would be a very intrusive
> change no more acceptable than using our own built-in LDAP server.
Hmmm... I see...

This will very much complicate migration from samba 3 to 4 if you are
having an existing infrastructure. We use our LDAP for 
users, groups, dns, dhcp, networks and a lot of other things. So you say if 
one wants to use samba 4 (s)he has to move fully over to the ldap of 
samba4 and abandon the current infrastructure? This is quite a burden 
and will take many months. So it won't happen here in a foreseeable time 
even if samba 4 were released today as a final stable version. I 
believe I am not the only one having these concerns. Don't get me wrong, 
I would love to get AD support but the road from an at present well 
working (besides Windows 8 yet) domain infrastructure for windows 
hosts and seamless integration of linux and Mac OS hosts to samba 4 
based AD appears to become very long and hard. I hope you will maintain 
samba 3 for a longer time (including windows 8 support).


Thanks for your reply,

Roland



Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-21 Thread John Russell
Thought for sure this was a real bug, but you are correct Mr. Bartlett,
that's just how the SMB protocol works. I verified this with another
wireshark capture from the same XP machine and a working SAMBA4 appliance
from Sernet. This second capture also reveals that bind9 is still having
issues on the SOGo appliance. The host machine registers itself into the
DNS zone, but will not add client machines when they try to join the
domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett  wrote:

> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
> > Ran wireshark on the XP client while joining the domain and saw SAM LOGON
> > request from client and SAM Active Directory Response - user unknown.
> >
> > I noticed on the request and the response packets the user name field in
> > the packet is blank (yes, I am typing the user name and password into the
> > prompt from the XP machine!).
> >
> > Any ideas on what causes this?
>
> While an odd feature of the protocol, this is actually a normal
> successful response to the expected packet.  (Essentially, this is a
> historical oddity from a time when asking if a server knew about a user
> over an un-authenticated UDP packet wasn't considered a
> security/confidentially issue).
>
> --
> Andrew Bartletthttp://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy


Re: [Samba] Samba 4 and AD sites

2012-09-21 Thread Ben Metcalfe
Is site support on the road map? Very useful for WAN-connected branch
offices with local servers, or doing manual load-balancing with cloud
servers.
On 21 Sep 2012 07:34, "Matthieu Patou"  wrote:

> On 09/19/2012 12:02 PM, Kristofer wrote:
>
>> I have several Samba 4 AD controllers set up at multiple sites.
>>
>> I set up sites and subnets.  We have several /24's at each site, but each
>> site is dedicated a /16, so I set up the Sites & Subnets using the /16's.
>>
>> However, when I log into any system that is joined to the AD domain, it
>> is using a DC at a different site.  There doesn't seem to be any
>> consistency to it, but it seems that the Sites & Subnets are not working
>> correctly.
>>
> Samba didn't comply too much with sites, it means that it contacts DCs in
> other sites as if they were in the same site.
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>