Re: [Samba] Need help with share permissions
On 05.10.2012 21:11, Jeremy Allison wrote:

> Hmmm. The:
>
>     force directory mode = 0770
>     directory mask = 0770
>
> setting should do the trick. Are you also storing the DOS attributes in EAs? You probably also need that to prevent UNIX permission modification. Try adding:
>
>     store dos attributes = yes
>     map readonly = no
>     map system = no
>     map hidden = no
>     map archive = no
>
> and re-test creating a new directory.
>
> Jeremy.
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Hello Jeremy,

thank you for your reply. Unfortunately these settings did not help. Directories still will have 0750 permission and now this does not change to 0770 when doing a renaming. Files will now be created with 0640 instead of 0660.

Here is the output of testparm:

    [global]
        workgroup = MYDOM
        realm = MYDOM.DE
        server string = %h server (Samba, Ubuntu)
        security = ADS
        map to guest = Bad User
        obey pam restrictions = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        max protocol = SMB2
        printcap name = cups
        dns proxy = No
        wins support = Yes
        panic action = /usr/share/samba/panic-action %d
        template homedir = /shares/homes/%U
        template shell = /bin/sh
        winbind cache time = 10
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        winbind offline logon = Yes
        idmap config *:range = 1-2
        idmap config MYDOM:range = 1-2
        idmap config MYDOM:backend = rid
        idmap config * : backend = tdb
        use client driver = Yes
        map archive = No
        map readonly = no
        store dos attributes = Yes

    [homes]
        comment = Home Directories
        valid users = %S
        write list = %S, +MYDOM\Domain Admins
        force group = MYDOM\Domain Users
        create mask = 0770
        directory mask = 0770
        browseable = No

    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        guest ok = Yes
        printable = Yes
        print ok = Yes
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

    [Pictures]
        comment = Pictures auf TICKSMB3
        path = /shares/pictures
        valid users = +MYDOM\Pictures, +MYDOM\Domain Admins
        force group = MYDOM\Pictures
        read only = No
        create mask = 0660
        force create mode = 0660
        directory mask = 0770
        force directory mode = 0770

Thank you for your kind help.

best regards
Andreas
Re: [Samba] Roaming Profiles under Linux clients
On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
> On 05/10/12 17:21, Michael Wood wrote:
>> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
>> [...]
>>> Hi
>>> It's working here with Version 4.0.0rc3-GIT-56ffe75
>>>
>>> All we do to set up the roaming profile on Linux is to add the attribute:
>>> profilePath: \\server\profiles\steve2
>>> to the user DN entry in LDAP.
>>> and whilst we're there we also map his windows home directory to his Linux home directory:
>>> homeDrive: Z:
>>> homeDirectory: \\server\home\steve2
>>>
>>> Make sure that the profiles share is writeable by the users. We chmod 1777'd it.
>>> HTH
>>> Steve
>>
>> I've never looked at this and don't need it now, but I'm interested. How is this implemented on client?
> [...]
>
> Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.
>
> Let me know if you need any more detail.

That doesn't sound like a roaming profile at all. As far as I understand it a roaming profile is copied to the client on login and copied/synced back to the server on logout. I think that's what Mario and Denis are talking about.

Is that possible on Linux clients? If so, how is it implemented? With csync as Denis asked?

--
Michael Wood esiot...@gmail.com
[Samba] Samba 4: character encoding issue (was: Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8)
Hi

On 5 October 2012 21:25, x-dimens...@gmx.net wrote:
> Original Message
> Date: Thu, 4 Oct 2012 12:22:54 +0200
> From: Michael Wood esiot...@gmail.com
> To: Julian Timm x-dimens...@gmx.net
> CC: samba@lists.samba.org
> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>
>> On 4 October 2012 09:46, Julian Timm x-dimens...@gmx.net wrote:
>>> Original Message
>>> Date: Wed, 3 Oct 2012 16:56:42 +0200
>>> From: Michael Wood esiot...@gmail.com
>>> To: x-dimens...@gmx.net
>>> CC: samba@lists.samba.org
>>> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>>>
>>>> On 3 October 2012 16:26, x-dimens...@gmx.net wrote:
>>>>> After updating our Samba4 server from alpha17 to beta8 samba-tool dbcheck shows 24 incorrect GUID errors.
>>>>> What does it mean and what should I do to fix this?
>>>>
>>>> Try samba-tool dbcheck --fix. Also, why did you not install rc2 instead of beta8?
>>>
>>> I don't want to compile every Samba version for myself, so I'm using the Zentyal 2.3 PPA. The latest Samba version here is beta8, but rc2 packages are in testing and should be available soon.
>>>
>>> After running samba-tool dbcheck --fix the errors still exist when running dbcheck again.
>>
>> Try posting the errors to the list and maybe someone will be able to say what causes them.
>>
>> --
>> Michael Wood esiot...@gmail.com
>
> Ok, here is an example:
>
> ERROR: incorrect GUID component for member in object CN=Mitarbeiter,OU=Benutzer,DC=test,DC=lan - GUID=c385ad50-c728-41ba-8b94-22fa07b57b41;SID=S-1-5-21-2936403297-3018184044-1011683372-1153;CN=Max Müller,OU=Benutzer,DC=test,DC=lan
> unable to find object for DN CN=Max Müller,OU=Benutzer,DC=test,DC=lan - (No such Base DN: CN=Max Müller,OU=Benutzer,DC=test,DC=lan)
> Not removing dangling forward link
>
> All of these database errors affect users who have German umlauts in their names like Ä,Ö,Ü. These users are also not shown within the Microsoft RSAT AD manager. When I add a new user now like Horst Müller with the management tool, I get the error that the user could not be verified and can't login, but RSAT still creates the user.
>
> Is there a simple way to correct this problem?

I've copied this to the samba-technical list, since the Samba 4 HOWTO still says to report successes/failures there.

The problem does look suspiciously like a character encoding issue.

--
Michael Wood esiot...@gmail.com
Re: [Samba] Samba 4: character encoding issue (was: Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8)
On Sat, 2012-10-06 at 11:20 +0200, Michael Wood wrote:
> Hi
>
> On 5 October 2012 21:25, x-dimens...@gmx.net wrote:
>> Original Message
>> Date: Thu, 4 Oct 2012 12:22:54 +0200
>> From: Michael Wood esiot...@gmail.com
>> To: Julian Timm x-dimens...@gmx.net
>> CC: samba@lists.samba.org
>> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>>
>>> On 4 October 2012 09:46, Julian Timm x-dimens...@gmx.net wrote:
>>>> Original Message
>>>> Date: Wed, 3 Oct 2012 16:56:42 +0200
>>>> From: Michael Wood esiot...@gmail.com
>>>> To: x-dimens...@gmx.net
>>>> CC: samba@lists.samba.org
>>>> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>>>>
>>>>> On 3 October 2012 16:26, x-dimens...@gmx.net wrote:
>>>>>> After updating our Samba4 server from alpha17 to beta8 samba-tool dbcheck shows 24 incorrect GUID errors.
>>>>>> What does it mean and what should I do to fix this?
>>>>>
>>>>> Try samba-tool dbcheck --fix. Also, why did you not install rc2 instead of beta8?
>>>>
>>>> I don't want to compile every Samba version for myself, so I'm using the Zentyal 2.3 PPA. The latest Samba version here is beta8, but rc2 packages are in testing and should be available soon.
>>>>
>>>> After running samba-tool dbcheck --fix the errors still exist when running dbcheck again.
>>>
>>> Try posting the errors to the list and maybe someone will be able to say what causes them.
>>>
>>> --
>>> Michael Wood esiot...@gmail.com
>>
>> Ok, here is an example:
>>
>> ERROR: incorrect GUID component for member in object CN=Mitarbeiter,OU=Benutzer,DC=test,DC=lan - GUID=c385ad50-c728-41ba-8b94-22fa07b57b41;SID=S-1-5-21-2936403297-3018184044-1011683372-1153;CN=Max Müller,OU=Benutzer,DC=test,DC=lan
>> unable to find object for DN CN=Max Müller,OU=Benutzer,DC=test,DC=lan - (No such Base DN: CN=Max Müller,OU=Benutzer,DC=test,DC=lan)
>> Not removing dangling forward link
>>
>> All of these database errors affect users who have German umlauts in their names like Ä,Ö,Ü. These users are also not shown within the Microsoft RSAT AD manager. When I add a new user now like Horst Müller with the management tool, I get the error that the user could not be verified and can't login, but RSAT still creates the user.
>>
>> Is there a simple way to correct this problem?
>
> I've copied this to the samba-technical list, since the Samba 4 HOWTO still says to report successes/failures there.
>
> The problem does look suspiciously like a character encoding issue.

On my e-mail client, the German umlauts in the DN show up as other characters (1/4 for example).

If the original DN is not utf8, then this will fail. (Because we will be unable to create the canonical form of the DN, it will fail to match).

Julian, can you confirm if the CN attribute and DN was created using only valid UTF8? What client or tool was used to create it?

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
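The check asked for above, whether the bytes of a DN are valid UTF-8, sketched as an added example that is not code from Samba or from anyone in the thread. It goes one step further and also flags the double-encoded case, where UTF-8 was read as Latin-1 and encoded again (the ü bytes C3 BC read as Latin-1 are "Ã" and "¼"). The function names are hypothetical, the sample DNs are constructed from the one in the error message, and how the raw bytes are exported from the directory is left as an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum dn_encoding {
    DN_ASCII,          /* 7-bit only */
    DN_UTF8,           /* valid UTF-8 containing non-ASCII characters */
    DN_DOUBLE_ENCODED, /* valid UTF-8 that decodes to bytes which are UTF-8 again */
    DN_NOT_UTF8        /* contains a byte sequence that is not UTF-8 */
};

/* Decode one UTF-8 sequence. Returns its length, or 0 if it is malformed,
 * overlong, a surrogate or above U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t n, unsigned long *cp)
{
    size_t len, i;
    unsigned long min;

    if (n == 0) return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; min = 0x80;    *cp = s[0] & 0x1F; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; min = 0x800;   *cp = s[0] & 0x0F; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; min = 0x10000; *cp = s[0] & 0x07; }
    else return 0;                  /* stray continuation byte or 0xF8..0xFF */
    if (n < len) return 0;          /* sequence cut off at the end of the buffer */
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    if (*cp < min || *cp > 0x10FFFF || (*cp >= 0xD800 && *cp <= 0xDFFF)) return 0;
    return len;
}

/* Offset of the first byte that breaks UTF-8, or -1 if the buffer is valid. */
long utf8_first_bad_byte(const unsigned char *s, size_t n)
{
    size_t i = 0, len;
    unsigned long cp;

    while (i < n) {
        len = utf8_decode(s + i, n - i, &cp);
        if (len == 0) return (long)i;
        i += len;
    }
    return -1;
}

enum dn_encoding classify_dn(const unsigned char *s, size_t n)
{
    unsigned char *narrow;
    size_t i = 0, nn = 0, len;
    unsigned long cp;
    int multibyte = 0, all_narrow = 1;
    enum dn_encoding result;

    if (utf8_first_bad_byte(s, n) >= 0) return DN_NOT_UTF8;
    narrow = malloc(n + 1);
    if (narrow == NULL) return DN_UTF8;   /* validity is established; heuristic skipped */
    while (i < n) {                       /* cannot fail: the buffer was validated above */
        len = utf8_decode(s + i, n - i, &cp);
        if (len > 1) multibyte = 1;
        if (cp > 0xFF) all_narrow = 0;
        else narrow[nn++] = (unsigned char)cp;
        i += len;
    }
    /* Heuristic: if every code point fits in one byte and those bytes form
     * valid UTF-8 themselves, the text was most likely encoded twice via
     * Latin-1. A Windows-1252 round trip of Ä, Ö or Ü is not caught. */
    if (!multibyte) result = DN_ASCII;
    else if (all_narrow && utf8_first_bad_byte(narrow, nn) < 0) result = DN_DOUBLE_ENCODED;
    else result = DN_UTF8;
    free(narrow);
    return result;
}

enum dn_encoding classify_dn_str(const char *s)
{
    return classify_dn((const unsigned char *)s, strlen(s));
}

long first_bad_byte_str(const char *s)
{
    return utf8_first_bad_byte((const unsigned char *)s, strlen(s));
}

int main(void)
{
    /* Constructed samples: the same DN stored three different ways. */
    static const char *names[] = { "ascii", "utf-8", "double-encoded", "not utf-8" };
    static const char *samples[] = {
        "CN=Max M\xC3\xBCller,OU=Benutzer,DC=test,DC=lan",          /* UTF-8 */
        "CN=Max M\xFCller,OU=Benutzer,DC=test,DC=lan",              /* Latin-1 */
        "CN=Max M\xC3\x83\xC2\xBCller,OU=Benutzer,DC=test,DC=lan",  /* encoded twice */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s, first bad byte at %ld\n", i,
               names[classify_dn_str(samples[i])], first_bad_byte_str(samples[i]));
    return 0;
}
```
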
Re: [Samba] Roaming Profiles under Linux clients
On 06/10/12 10:14, Michael Wood wrote:
> On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
>> On 05/10/12 17:21, Michael Wood wrote:
>>> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
>>> [...]
>>>> Hi
>>>> It's working here with Version 4.0.0rc3-GIT-56ffe75
>>>>
>>>> All we do to set up the roaming profile on Linux is to add the attribute:
>>>> profilePath: \\server\profiles\steve2
>>>> to the user DN entry in LDAP.
>>>> and whilst we're there we also map his windows home directory to his Linux home directory:
>>>> homeDrive: Z:
>>>> homeDirectory: \\server\home\steve2
>>>>
>>>> Make sure that the profiles share is writeable by the users. We chmod 1777'd it.
>>>> HTH
>>>> Steve
>>>
>>> I've never looked at this and don't need it now, but I'm interested. How is this implemented on client?
>> [...]
>>
>> Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.
>>
>> Let me know if you need any more detail.
>
> That doesn't sound like a roaming profile at all. As far as I understand it a roaming profile is copied to the client on login and copied/synced back to the server on logout. I think that's what Mario and Denis are talking about.
>
> Is that possible on Linux clients? If so, how is it implemented? With csync as Denis asked?

Hi,

What you can do is use pam-mount to mount the user's home directory from the server onto the Linux client. This is actually faster than roaming profiles as no data actually moves.
Re: [Samba] Samba 4: character encoding issue (was: Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8)
Original Message
Date: Sat, 06 Oct 2012 19:27:10 +1000
From: Andrew Bartlett abart...@samba.org
To: Michael Wood esiot...@gmail.com
CC: x-dimens...@gmx.net, samba@lists.samba.org, samba-techni...@lists.samba.org
Subject: Re: Samba 4: character encoding issue (was: Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8)

> On Sat, 2012-10-06 at 11:20 +0200, Michael Wood wrote:
>> Hi
>>
>> On 5 October 2012 21:25, x-dimens...@gmx.net wrote:
>>> Original Message
>>> Date: Thu, 4 Oct 2012 12:22:54 +0200
>>> From: Michael Wood esiot...@gmail.com
>>> To: Julian Timm x-dimens...@gmx.net
>>> CC: samba@lists.samba.org
>>> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>>>
>>>> On 4 October 2012 09:46, Julian Timm x-dimens...@gmx.net wrote:
>>>>> Original Message
>>>>> Date: Wed, 3 Oct 2012 16:56:42 +0200
>>>>> From: Michael Wood esiot...@gmail.com
>>>>> To: x-dimens...@gmx.net
>>>>> CC: samba@lists.samba.org
>>>>> Subject: Re: [Samba] Samba-tool dbcheck shows incorrect GUID after update from alpha17 to beta8
>>>>>
>>>>>> On 3 October 2012 16:26, x-dimens...@gmx.net wrote:
>>>>>>> After updating our Samba4 server from alpha17 to beta8 samba-tool dbcheck shows 24 incorrect GUID errors.
>>>>>>> What does it mean and what should I do to fix this?
>>>>>>
>>>>>> Try samba-tool dbcheck --fix. Also, why did you not install rc2 instead of beta8?
>>>>>
>>>>> I don't want to compile every Samba version for myself, so I'm using the Zentyal 2.3 PPA. The latest Samba version here is beta8, but rc2 packages are in testing and should be available soon.
>>>>>
>>>>> After running samba-tool dbcheck --fix the errors still exist when running dbcheck again.
>>>>
>>>> Try posting the errors to the list and maybe someone will be able to say what causes them.
>>>>
>>>> --
>>>> Michael Wood esiot...@gmail.com
>>>
>>> Ok, here is an example:
>>>
>>> ERROR: incorrect GUID component for member in object CN=Mitarbeiter,OU=Benutzer,DC=test,DC=lan - GUID=c385ad50-c728-41ba-8b94-22fa07b57b41;SID=S-1-5-21-2936403297-3018184044-1011683372-1153;CN=Max Müller,OU=Benutzer,DC=test,DC=lan
>>> unable to find object for DN CN=Max Müller,OU=Benutzer,DC=test,DC=lan - (No such Base DN: CN=Max Müller,OU=Benutzer,DC=test,DC=lan)
>>> Not removing dangling forward link
>>>
>>> All of these database errors affect users who have German umlauts in their names like Ä,Ö,Ü. These users are also not shown within the Microsoft RSAT AD manager. When I add a new user now like Horst Müller with the management tool, I get the error that the user could not be verified and can't login, but RSAT still creates the user.
>>>
>>> Is there a simple way to correct this problem?
>>
>> I've copied this to the samba-technical list, since the Samba 4 HOWTO still says to report successes/failures there.
>>
>> The problem does look suspiciously like a character encoding issue.
>
> On my e-mail client, the German umlauts in the DN show up as other characters (1/4 for example).
>
> If the original DN is not utf8, then this will fail. (Because we will be unable to create the canonical form of the DN, it will fail to match).
>
> Julian, can you confirm if the CN attribute and DN was created using only valid UTF8? What client or tool was used to create it?
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

Hi Andrew!

How can I test if it uses valid UTF8?

To reproduce the problem, maybe it helps to know the steps I've done so far...

1. Install Ubuntu Server 10.04 LTS

2. Adding Resara-Server PPA and installing Resara-Server (which includes Samba4). I've started with Resara-Server 1.0 and updated it to the version 1.1.2 which we are using now.

3. Provisioning was done by the RDS-Console tool from Resara. I've used this tool to set up our domain, adding shares, users and DNS entries, but after running into problems when adding users with German umlauts, I've switched to Microsoft RSAT where it was working fine! So, all users with umlauts were created with RSAT, the RDS-Console doesn't show them, but they can login successfully from Windows XP and Windows 7, so I ignored the RDS-Console behavior and only use RSAT for managing the Samba4 domain from now on.

4. Samba-tool dbcheck shows 0 errors at this point

5. Moving /usr/local/samba/ to /var/lib/samba because we want to use the Zentyal packages in the future, which are using /var/lib/samba instead of /usr/local/samba

6. Remove (apt-get purge) the Resara-Server packages rds, rdssamba4, rdsserver etc

7. Updating from Ubuntu 10.04 to 12.04 by using do-release-update tool

8. Adding Zentyal 2.3 PPA and install Samba 4.0.0 beta 8 (rc2 packages are in experimental stage and should be available soon. https://launchpad.net/~kernevil/+archive/samba4-experimental)

9. Doing
[Samba] Samba4: Folder Redirection GPO not working with Windows 7
Hi

I have folder redirection working fine in XP. I see that W7 has taken the same configuration as I made in XP. Here is a screenshot: http://dl.dropbox.com/u/45150875/gpo.png

Unfortunately, on W7, whilst the roaming profile is correctly set, there is no folder redirection. Nothing appears in the \\hh1\USERS folder for the user who has logged in.

Upon opening the GPO editor as Administrator in W7, I get an error message about AD and sysvol permissions:

'The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. (...) To change the SYSVOL permissions to those in Active Directory, click OK.'

Clicking OK gives 'Access is Denied.'

I then ran samba-tool ntacl sysvolreset and restarted the GPO editor. It then opened without the error :)

The settings appear exactly as I set them on XP but are not honoured in W7. The share for the redirected folders says it's offline. There is an offline tab where the security tab normally is under the share properties. Relevant?

Can anyone help me trace what's wrong?

Cheers,
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 06/10/12 11:14, Michael Wood wrote:
> On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
>> On 05/10/12 17:21, Michael Wood wrote:
>>> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
>>> [...]
>> [...]
>>
>> Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.
>>
>> Let me know if you need any more detail.
>
> That doesn't sound like a roaming profile at all.

No it isn't. The bit before it was. I mentioned it as we set it at the same time as the profile path in the directory. That's all.

Cheers,
Steve
Re: [Samba] Roaming Profiles under Linux clients
On 06/10/12 11:32, Rowland Penny wrote:
> On 06/10/12 10:14, Michael Wood wrote:
>> On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
>>> On 05/10/12 17:21, Michael Wood wrote:
>>>> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
>>
>> Is that possible on Linux clients? If so, how is it implemented? With csync as Denis asked?
>
> Hi,
> What you can do is use pam-mount to mount the user's home directory from the server onto the Linux client. This is actually faster than roaming profiles as no data actually moves.

Hi

We use NFS4 to mount the samba share directories on the Linux clients. If you want, you could also mount the profiles share so that your users had access to whatever was on e.g. their windows desktop too. As we have more Linux clients than windows, I try to encourage users to store stuff in their home folder rather than in their windows profile.

HTH
Steve
Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance
Finally got DNS partially working, the following tests were successful:

    host -t SRV _ldap._tcp.example.com.
    host -t SRV _kerberos._udp.example.com.
    host -t A sogo.example.com.

Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain. Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then --dns-backend=SAMBA_INTERNAL but both return

    update failed: REFUSED

So DNS now seems to be having permission problems? Attached are outputs from samba_dnsupdate --verbose --all-names and the subsequent tail /var/log/syslog. Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:
> Thought for sure this was a real bug, but you are correct Mr. Bartlett, that's just how the SMB protocol works. I verified this with another wireshark capture from the same XP machine and a working SAMBA4 appliance from Sernet.
>
> This second capture also reveals that bind9 is still having issues on the SOGo appliance. The host machine registers itself into the DNS zone, but will not add client machines when they try to join the domain.
>
> How do I use the internal DNS service with SAMBA4?
>
> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:
>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>>> Ran wireshark on the XP client while joining the domain and saw SAM LOGON request from client and SAM Active Directory Response - user unknown. I noticed on the request and the response packets the user name field in the packet is blank (yes, I am typing the user name and password into the prompt from the XP machine!). Any ideas on what causes this?
>>
>> While an odd feature of the protocol, this is actually a normal successful response to the expected packet.
>>
>> (Essentially, this is a historical oddity from a time when asking if a server knew about a user over an un-authenticated UDP packet wasn't considered a security/confidentiality issue).
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>
> --
> It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy

    root@sogo:~# samba_dnsupdate --verbose --all-names
    IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
    Calling nsupdate for A example.com 172.16.1.7
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    example.com.900 IN A 172.16.1.7

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for A sogo.example.com 172.16.1.7
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    sogo.example.com. 900 IN A 172.16.1.7

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    gc._msdcs.example.com. 900 IN A 172.16.1.7

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME sogo.example.com.

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kpasswd._tcp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kpasswd._udp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE SECTION:
    _kerberos._tcp.example.com. 900 IN SRV 0 100 88 sogo.example.com.

    update failed: REFUSED
    Failed nsupdate: 2
    Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com sogo.example.com 88
    Outgoing update query:
    ;; -HEADER- opcode: UPDATE, status: NOERROR, id: 0
    ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; UPDATE
Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance
Or could be reverse lookup is not working...

    root@sogo:~# nslookup sogo
    Server: 172.16.1.7
    Address: 172.16.1.7#53

    Name: sogo.example.com
    Address: 172.16.1.7

    root@sogo:~# nslookup 172.16.1.7
    Server: 172.16.1.7
    Address: 172.16.1.7#53

    ** server can't find 7.1.16.172.in-addr.arpa: SERVFAIL

On Sat, Oct 6, 2012 at 10:22 PM, John Russell jb.fr...@gmail.com wrote:
> Finally got DNS partially working, the following tests were successful:
>
>     host -t SRV _ldap._tcp.example.com.
>     host -t SRV _kerberos._udp.example.com.
>     host -t A sogo.example.com.
>
> Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain. Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then --dns-backend=SAMBA_INTERNAL but both return
>
>     update failed: REFUSED
>
> So DNS now seems to be having permission problems? Attached are outputs from samba_dnsupdate --verbose --all-names and the subsequent tail /var/log/syslog. Any ideas?
>
> On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:
>> Thought for sure this was a real bug, but you are correct Mr. Bartlett, that's just how the SMB protocol works. I verified this with another wireshark capture from the same XP machine and a working SAMBA4 appliance from Sernet.
>>
>> This second capture also reveals that bind9 is still having issues on the SOGo appliance. The host machine registers itself into the DNS zone, but will not add client machines when they try to join the domain.
>>
>> How do I use the internal DNS service with SAMBA4?
>>
>> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:
>>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>>>> Ran wireshark on the XP client while joining the domain and saw SAM LOGON request from client and SAM Active Directory Response - user unknown. I noticed on the request and the response packets the user name field in the packet is blank (yes, I am typing the user name and password into the prompt from the XP machine!). Any ideas on what causes this?
>>>
>>> While an odd feature of the protocol, this is actually a normal successful response to the expected packet.
>>>
>>> (Essentially, this is a historical oddity from a time when asking if a server knew about a user over an un-authenticated UDP packet wasn't considered a security/confidentiality issue).
>>>
>>> --
>>> Andrew Bartlett http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team http://samba.org
>>
>> --
>> It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy
>
> --
> It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy
Re: [Samba] Roaming Profiles under Linux clients
On 6 October 2012 17:13, steve st...@steve-ss.com wrote:
> On 06/10/12 11:14, Michael Wood wrote:
>> On 5 October 2012 17:36, steve st...@steve-ss.com wrote:
>>> On 05/10/12 17:21, Michael Wood wrote:
>>>> On 5 October 2012 13:14, steve st...@steve-ss.com wrote:
>>>> [...]
>>> [...]
>>>
>>> Linux clients map whatever the [home] share points at to the unixHomeDirectory attribute. The latter can use either winbind or nslcd to pull the info from ldap.
>>>
>>> Let me know if you need any more detail.
>>
>> That doesn't sound like a roaming profile at all.
>
> No it isn't. The bit before it was. I mentioned it as we set it at the same time as the profile path in the directory. That's all.

By the bit before that I assume you mean the LDAP and share changes? That would not magically make the client do anything. In particular it would not make them copy profiles to/from the server. That is why I was asking about configuration and software on the client and not the server, which you had already mentioned.

Anyway, from what you and Rowland have said that is not possible with Linux clients.

Of course roaming profiles may not be what you want and you could instead access everything directly over the network using e.g. NFS4 as you say.

--
Michael Wood esiot...@gmail.com
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9fc42da s3: Add two tests a CLEAR_IF_FIRST crash via c62f8ba tdb: Make tdb robust against improper CLEAR_IF_FIRST restart via 37fd931 tdb: Make robust against shrinking tdbs from 8287938 We should never just assign an st_mode to an ace-perms field, theoretically they are different so should go through a mapping function. Ensure this is so. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9fc42daf75d0eee9fd22e66a3eeb687b178e29e3 Author: Volker Lendecke v...@samba.org Date: Tue Oct 2 15:44:41 2012 +0200 s3: Add two tests a CLEAR_IF_FIRST crash Autobuild-User(master): Volker Lendecke v...@samba.org Autobuild-Date(master): Sat Oct 6 17:16:39 CEST 2012 on sn-devel-104 commit c62f8baff878001ead921112dd653ff69d1cfe7d Author: Volker Lendecke v...@samba.org Date: Tue Oct 2 15:26:14 2012 +0200 tdb: Make tdb robust against improper CLEAR_IF_FIRST restart When winbind is restarted, there is a potential crash in tdb. Following situation: We are in a cluster with ctdb. A winbind child hangs in a request to the DC. Cluster monitoring decides the node has a problem. Cluster monitoring decides to kill ctdbd. winbind child still hangs in a RPC request. winbind parent figures that ctdb is dead and immediately commits suicide. winbind parent is restarted by cluster management, overwriting gencache.tdb with CLEAR_IF_FIRST. The CLEAR_IF_FIRST logic as implemented now will not see that a child still has the tdb open, only the parent holds the ACTIVE_LOCK due to performance reasons. During the CLEAR_IF_FIRST logic is done, there is a very small window where we ftruncate(tfd, 0) the file and re-write a proper header without a lock. When during this small window the winbind child comes back, wanting to store something into gencache.tdb, that winbind child will crash with a SIGBUS. Sounds unlikely? 
See: [2012/09/29 07:02:31.871607, 0] lib/util.c:1183(smb_panic) PANIC (pid 1814517): internal error [2012/09/29 07:02:31.877596, 0] lib/util.c:1287(log_stack_trace) BACKTRACE: 35 stack frames: #0 winbindd(log_stack_trace+0x1a) [0x7feb7d4ca18a] #1 winbindd(smb_panic+0x2b) [0x7feb7d4ca25b] #2 winbindd(+0x1a3cc4) [0x7feb7d4bacc4] #3 /lib64/libc.so.6(+0x32900) [0x7feb7a929900] #4 /lib64/libc.so.6(memcpy+0x35) [0x7feb7a97f355] #5 /usr/lib64/libtdb.so.1(+0x6e76) [0x7feb7b0b0e76] #6 /usr/lib64/libtdb.so.1(+0x3d37) [0x7feb7b0add37] #7 /usr/lib64/libtdb.so.1(+0x863d) [0x7feb7b0b263d] #8 /usr/lib64/libtdb.so.1(+0x8700) [0x7feb7b0b2700] #9 /usr/lib64/libtdb.so.1(+0x2505) [0x7feb7b0ac505] #10 /usr/lib64/libtdb.so.1(+0x25b7) [0x7feb7b0ac5b7] #11 /usr/lib64/libtdb.so.1(tdb_fetch+0x13) [0x7feb7b0ac633] #12 winbindd(gencache_set_data_blob+0x259) [0x7feb7d4d8449] #13 winbindd(gencache_set+0x53) [0x7feb7d4d85b3] #14 winbindd(gencache_del+0x5e) [0x7feb7d4d879e] #15 winbindd(saf_delete+0x93) [0x7feb7d54b693] #16 winbindd(+0xe507e) [0x7feb7d3fc07e] #17 winbindd(+0xe85e5) [0x7feb7d3ff5e5] #18 winbindd(+0xe65be) [0x7feb7d3fd5be] #19 winbindd(+0xe7562) [0x7feb7d3fe562] #20 winbindd(init_dc_connection+0x2e) [0x7feb7d3fe5be] #21 winbindd(+0xe75d9) [0x7feb7d3fe5d9] #22 winbindd(cm_connect_netlogon+0x58) [0x7feb7d3fe658] #23 winbindd(_wbint_PingDc+0x61) [0x7feb7d410991] #24 winbindd(+0x103175) [0x7feb7d41a175] #25 winbindd(winbindd_dual_ndrcmd+0xb7) [0x7feb7d4107d7] #26 winbindd(+0xf8609) [0x7feb7d40f609] #27 winbindd(+0xf9075) [0x7feb7d410075] #28 winbindd(tevent_common_loop_immediate+0xe8) [0x7feb7d4db198] #29 winbindd(run_events_poll+0x3c) [0x7feb7d4d93fc] #30 winbindd(+0x1c2b52) [0x7feb7d4d9b52] #31 winbindd(_tevent_loop_once+0x90) [0x7feb7d4d9f60] #32 winbindd(main+0x7b3) [0x7feb7d3e7aa3] #33 /lib64/libc.so.6(__libc_start_main+0xfd) [0x7feb7a915cdd] #34 winbindd(+0xce2a9) [0x7feb7d3e52a9] This is in a winbind child, logfiles surrounding indicate the parent was restarted. 
This patch takes all chain locks around the CLEAR_IF_FIRST introduced tdb_new_database.

commit 37fd93194db10fc832ed3fa1ec880ebc26be904b
Author: Rusty Russell ru...@rustcorp.com.au
Date: Sat Oct 6 13:23:05 2012 +0200

tdb: Make robust against shrinking tdbs

When probing for a size change (eg. just before tdb_expand, tdb_check, tdb_rescue) we call tdb_oob(tdb, tdb->map_size, 1, 1). Unfortunately this does nothing if the tdb has actually shrunk, which as Volker demonstrated, can actually happen if a longlived parent crashes.

So move the map/update size/remap before the limit check.

Signed-off-by: Rusty
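The "remap before the limit check" idea from the last commit message, as an added example that is not tdb's code and not part of the original mail: a miniature mmap-backed store re-reads the file size and refreshes its mapping before deciding whether a range is in bounds, so a file truncated by another process is reported as an error rather than faulting in memcpy. The struct mdb type, the mdb_* function names and the /tmp path are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical miniature of an mmap-backed database handle (not tdb's struct). */
struct mdb { int fd; char *map; size_t map_size; };

/* Create an unlinked temp file of `size` bytes; the first access maps it. */
int mdb_open_tmp(struct mdb *db, size_t size) {
    char path[] = "/tmp/mdb-demo-XXXXXX";
    *db = (struct mdb){ .fd = mkstemp(path) };   /* map = NULL, map_size = 0 */
    if (db->fd == -1) return -1;
    unlink(path);
    return ftruncate(db->fd, (off_t)size);
}

/* Return 0 if [off, off+len) may be touched, -1 otherwise. The file size is
 * re-read and the mapping refreshed BEFORE the limit check, so a shrink is caught. */
int mdb_check(struct mdb *db, size_t off, size_t len) {
    struct stat st;
    if (fstat(db->fd, &st) != 0) return -1;
    if (db->map == NULL || (size_t)st.st_size != db->map_size) {  /* grown or shrunk */
        if (db->map != NULL) munmap(db->map, db->map_size);
        db->map = NULL;
        db->map_size = (size_t)st.st_size;
        if (db->map_size > 0) {
            void *p = mmap(NULL, db->map_size, PROT_READ, MAP_SHARED, db->fd, 0);
            db->map = (p == MAP_FAILED) ? NULL : p;
        }
    }
    return (db->map == NULL || len > db->map_size || off > db->map_size - len) ? -1 : 0;
}

/* Bounds-checked read: copies only after mdb_check() has accepted the range. */
int mdb_read(struct mdb *db, size_t off, void *buf, size_t len) {
    if (mdb_check(db, off, len) != 0) return -1;
    memcpy(buf, db->map + off, len);
    return 0;
}

int main(void) {
    struct mdb db;
    char buf[16];
    if (mdb_open_tmp(&db, 8192) != 0 || mdb_read(&db, 8000, buf, sizeof buf) != 0) return 1;
    if (ftruncate(db.fd, 0) != 0) return 1;   /* constructed stand-in for the restart's truncate */
    return mdb_read(&db, 8000, buf, sizeof buf) == -1 ? 0 : 1;   /* 0: shrink detected */
}
```

A size probe of this kind still leaves a window between the check and the copy, which is why the commit before it takes the chain locks around the truncate and header rewrite.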
[SCM] CTDB repository - branch master updated - ctdb-1.13-274-g2122982
The branch, master has been updated
via 212298279557a2833ef0f81809b4a5cdac72ca02 (commit)
from 3a3dae4cb5ec8b4b8381a4013adda25b87641f3a (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master

- Log -
commit 212298279557a2833ef0f81809b4a5cdac72ca02
Author: Martin Schwenke mar...@meltin.net
Date: Tue Oct 2 11:51:24 2012 +1000

util: ctdb_fork() closes all sockets opened by the main daemon

Do some other housekeeping including stopping tevent.

Pair-programmed-with: Amitay Isaacs ami...@gmail.com
Signed-off-by: Martin Schwenke mar...@meltin.net

---

Summary of changes:
client/ctdb_client.c | 24 ++--
common/ctdb_fork.c | 18 ++
2 files changed, 24 insertions(+), 18 deletions(-)

Changeset truncated at 500 lines:

diff --git a/client/ctdb_client.c b/client/ctdb_client.c index 9162a47..d7c3031 100644 --- a/client/ctdb_client.c +++ b/client/ctdb_client.c @@ -4091,9 +4091,11 @@ int ctdb_ctrl_recd_ping(struct ctdb_context *ctdb) return 0; } -/* when forking the main daemon and the child process needs to connect back - * to the daemon as a client process, this function can be used to change - * the ctdb context from daemon into client mode +/* When forking the main daemon and the child process needs to connect + * back to the daemon as a client process, this function can be used + * to change the ctdb context from daemon into client mode. The child + * process must be created using ctdb_fork() and not fork() - + * ctdb_fork() does some necessary housekeeping. */ int switch_from_server_to_client(struct ctdb_context *ctdb, const char *fmt, ...) { 
@@ -4105,25 +4107,11 @@ int switch_from_server_to_client(struct ctdb_context *ctdb, const char *fmt, ... debug_extra = talloc_strdup_append(talloc_vasprintf(NULL, fmt, ap), :); va_end(ap); - /* shutdown the transport */ - if (ctdb-methods) { - ctdb-methods-shutdown(ctdb); - } - /* get a new event context */ - talloc_free(ctdb-ev); ctdb-ev = event_context_init(ctdb); tevent_loop_allow_nesting(ctdb-ev); - close(ctdb-daemon.sd); - ctdb-daemon.sd = -1; - - /* the client does not need to be realtime */ - if (ctdb-do_setsched) { - ctdb_restore_scheduler(ctdb); - } - - /* initialise ctdb */ + /* Connect to main CTDB daemon */ ret = ctdb_socket_connect(ctdb); if (ret != 0) { DEBUG(DEBUG_ALERT, (__location__ Failed to init ctdb client\n)); diff --git a/common/ctdb_fork.c b/common/ctdb_fork.c index 81055c5..24534e6 100644 --- a/common/ctdb_fork.c +++ b/common/ctdb_fork.c @@ -37,6 +37,24 @@ pid_t ctdb_fork(struct ctdb_context *ctdb) return -1; } if (pid == 0) { + /* Close the Unix Domain socket and the TCP socket. +* This ensures that none of the child processes will +* look like the main daemon when it is not running. +* tevent needs to be stopped before closing sockets. +*/ + if (ctdb-ev != NULL) { + talloc_free(ctdb-ev); + ctdb-ev = NULL; + } + if (ctdb-daemon.sd != -1) { + close(ctdb-daemon.sd); + ctdb-daemon.sd = -1; + } + if (ctdb-methods != NULL) { + ctdb-methods-shutdown(ctdb); + } + + /* The child does not need to be realtime */ if (ctdb-do_setsched) { ctdb_restore_scheduler(ctdb); } -- CTDB repository
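Review bot: In the second client/ctdb_client.c hunk, switch_from_server_to_client() now reaches `ctdb->ev = event_context_init(ctdb);` without freeing the old event context or closing ctdb->daemon.sd, so it is only correct when the caller came through ctdb_fork(), and that contract lives solely in the comment. A caller that still uses plain fork() would overwrite a live event context and keep the daemon's socket open in the child. Consider checking at entry that ctdb->ev is NULL and ctdb->daemon.sd is -1 and failing with a DEBUG message otherwise, so misuse is caught instead of silently inheriting the descriptors.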
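Review bot: In the common/ctdb_fork.c hunk, the child-side cleanup resets ctdb->ev to NULL and ctdb->daemon.sd to -1 after releasing them, but the ctdb->methods->shutdown(ctdb) call leaves no marker behind, so a child that itself calls ctdb_fork() would run the transport shutdown again in the grandchild. Either document that shutdown is idempotent or record that the transport is already down. The order also differs from the code removed from switch_from_server_to_client(), which shut the transport down first; the new comment explains why tevent goes before the sockets, and one more sentence on why the transport shutdown now comes last would help.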
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.51-3-g3919698
The branch, 1.2.40 has been updated
via 39196986c69f3a7751f2b3a69f242263d6864514 (commit)
via 4f8d22453c04217f75330a642671dbec625f4b13 (commit)
via 7d69ce7506db2bb6f363f9dc689e154cae4de7da (commit)
from 0b7027db12ad83232e969c80e4ffbdcdb4a1adcd (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40

- Log -
commit 39196986c69f3a7751f2b3a69f242263d6864514
Author: Martin Schwenke mar...@meltin.net
Date: Fri Oct 5 12:05:19 2012 +1000

New version 1.2.52

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 4f8d22453c04217f75330a642671dbec625f4b13
Author: Martin Schwenke mar...@meltin.net
Date: Tue Oct 2 11:51:24 2012 +1000

util: ctdb_fork() closes all sockets opened by the main daemon

Do some other housekeeping including stopping tevent.

Pair-programmed-with: Amitay Isaacs ami...@gmail.com
Signed-off-by: Martin Schwenke mar...@meltin.net

commit 7d69ce7506db2bb6f363f9dc689e154cae4de7da
Author: Martin Schwenke mar...@meltin.net
Date: Tue Oct 2 11:54:00 2012 +1000

Revert logging: Close unix socket /tmp/ctdb.socket in syslogd process

This reverts commit 450bedccbee3f89aba3b33777a4ae8841c456a65.

This will be fixed in ctdb_fork() for all children. Won't somebody PLEASE think of the children?!?

---

Summary of changes:
client/ctdb_client.c | 24 ++--
common/ctdb_util.c | 17 +
packaging/RPM/ctdb.spec.in | 4 +++-
server/ctdb_logging.c | 5 -
4 files changed, 26 insertions(+), 24 deletions(-)

Changeset truncated at 500 lines:

diff --git a/client/ctdb_client.c b/client/ctdb_client.c index 8b9df42..739c21b 100644 --- a/client/ctdb_client.c +++ b/client/ctdb_client.c 
@@ -4048,9 +4048,11 @@ int ctdb_ctrl_recd_ping(struct ctdb_context *ctdb) return 0; } -/* when forking the main daemon and the child process needs to connect back - * to the daemon as a client process, this function can be used to change - * the ctdb context from daemon into client mode +/* When forking the main daemon and the child process needs to connect + * back to the daemon as a client process, this function can be used + * to change the ctdb context from daemon into client mode. The child + * process must be created using ctdb_fork() and not fork() - + * ctdb_fork() does some necessary housekeeping. */ int switch_from_server_to_client(struct ctdb_context *ctdb, const char *fmt, ...) { @@ -4062,25 +4064,11 @@ int switch_from_server_to_client(struct ctdb_context *ctdb, const char *fmt, ... debug_extra = talloc_strdup_append(talloc_vasprintf(NULL, fmt, ap), :); va_end(ap); - /* shutdown the transport */ - if (ctdb-methods) { - ctdb-methods-shutdown(ctdb); - } - /* get a new event context */ - talloc_free(ctdb-ev); ctdb-ev = event_context_init(ctdb); tevent_loop_allow_nesting(ctdb-ev); - close(ctdb-daemon.sd); - ctdb-daemon.sd = -1; - - /* the client does not need to be realtime */ - if (ctdb-do_setsched) { - ctdb_restore_scheduler(ctdb); - } - - /* initialise ctdb */ + /* Connect to main CTDB daemon */ ret = ctdb_socket_connect(ctdb); if (ret != 0) { DEBUG(DEBUG_ALERT, (__location__ Failed to init ctdb client\n)); diff --git a/common/ctdb_util.c b/common/ctdb_util.c index bb212f5..dfd0b9f 100644 --- a/common/ctdb_util.c +++ b/common/ctdb_util.c 
@@ -367,6 +367,23 @@ pid_t ctdb_fork(struct ctdb_context *ctdb) pid = fork(); if (pid == 0) { + /* Close the Unix Domain socket and the TCP socket. +* This ensures that none of the child processes will +* look like the main daemon when it is not running. +* tevent needs to be stopped before closing sockets. +*/ + if (ctdb-ev != NULL) { + talloc_free(ctdb-ev); + ctdb-ev = NULL; + } + if (ctdb-daemon.sd != -1) { + close(ctdb-daemon.sd); + ctdb-daemon.sd = -1; + } + if (ctdb-methods != NULL) { + ctdb-methods-shutdown(ctdb); + } + if (ctdb-do_setsched) { ctdb_restore_scheduler(ctdb); } diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in index d057b34..73a49b7 100644 --- a/packaging/RPM/ctdb.spec.in +++ b/packaging/RPM/ctdb.spec.in @@ -3,7 +3,7 @@ Name: ctdb Summary: Clustered TDB Vendor: Samba Team Packager: Samba Team sa...@samba.org -Version: 1.2.51 +Version: 1.2.52 Release: 1GITHASH Epoch: 0 License: GNU GPL version 3 @@ -146,6 +146,8 @@
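Review bot: In the common/ctdb_util.c hunk, the new comment says both the Unix domain socket and the TCP socket are closed, yet the only explicit close() is on ctdb->daemon.sd; the TCP side has to be happening inside ctdb->methods->shutdown(ctdb). Please say so in the comment, since a reader auditing which descriptors a child inherits cannot tell from this block alone. This backport also omits the "The child does not need to be realtime" comment that the master version of the same change adds above the do_setsched block; keeping the two branches textually aligned would make later cherry-picks cleaner.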
[SCM] CTDB repository - annotated tag ctdb-1.2.52 created - ctdb-1.2.52
The annotated tag, ctdb-1.2.52 has been created
at 5a7f80347fdae7fbed83a9ba5c7affaab12a7697 (tag)
tagging 39196986c69f3a7751f2b3a69f242263d6864514 (commit)
replaces ctdb-1.2.51
tagged by Amitay Isaacs
on Sun Oct 7 15:30:01 2012 +1100

- Log -
new version 1.2.52

Martin Schwenke (3):
Revert logging: Close unix socket /tmp/ctdb.socket in syslogd process
util: ctdb_fork() closes all sockets opened by the main daemon
New version 1.2.52

---

-- CTDB repository