Re: [Samba] SYSVOL ACLs and GPOs

2012-11-10 Thread Andrew Bartlett
On Thu, 2012-11-01 at 14:54 +, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>  be a particular trigger - but it shouldn't be able to make a
>  modification that doesn't go via vfs_acl_xattr.
> 
>  For Alex, before running the Group Policy tools on WinXP, he gets (at
>  level 10 on samba-tool ntacl sysvolcheck):
> 
>  get_nt_acl_internal: blob hash matches for
>  file 
>  /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> 
>  then after, he gets:
> 
>  get_nt_acl_internal: blob hash does not match for
>  file 
>  /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>   - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck.  It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> >
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> >
> > Jeremy.
> Ok I have some additional info.
> 
> Using the GPMC I cannot create new GPOs. I get the message: "This 
> security ID may not be assigned as the owner of this object"
> 
> If I use samba-tool gpo create I get the following:
> 
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -   CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
>   File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
>     self.samdb.add(m)
> 
> If I supply administrator as username I get:
> 
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
>   File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
>     conn.set_acl(sharepath, fs_sd, sio)
> 
> However this time it has successfully created the GPO. (GPMC still 
> throws the same warnings about inconsistent ACLs).
> 
> bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
> bin/samba-tool gpo create "SMC Students" -U administrator -d 10: 
> http://pastebin.com/8kkVEy7V
> 
> I would hazard a guess and say the GPMC error (when creating a GPO) is 
> the same error as the samba-tool error.

Jeremy,

You said earlier in the thread that you were going to look into this.
I'll continue to try and find angles on this, but did you get anywhere
with sorting out Alex's issues?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
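
The "blob hash matches" / "blob hash does not match" messages quoted in the thread above can be pulled out of a level-10 `samba-tool ntacl sysvolcheck` log mechanically. This is an added example, not part of the original messages or of Samba; the function names are hypothetical, the sample text is constructed from the lines quoted in the thread (plus one invented path), and paths are assumed to contain no whitespace.

```python
import re

# Constructed sample: the two messages quoted in the thread, wrapped the way
# they appear there, plus one invented, mail-quoted single-line message.
SAMPLE = """\
get_nt_acl_internal: blob hash matches for
file
/root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
get_nt_acl_internal: blob hash does not match for
file
/root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
 - returning file system SD mapping.
> get_nt_acl_internal: blob hash matches for file /example/sysvol/scripts
"""

# One message may be wrapped over several lines, so match across whitespace.
_HASH_MSG = re.compile(
    r"get_nt_acl_internal:\s+blob hash (matches|does not match) for\s+file\s+(\S+)"
)


def classify(debug_output):
    """Map each reported path to True (hash matches) or False (mismatch)."""
    # Drop mail-quote markers and indentation, then undo the line wrapping.
    lines = [re.sub(r"^[>\s]+", "", ln) for ln in debug_output.splitlines()]
    text = " ".join(ln for ln in lines if ln)
    state = {}
    for verdict, path in _HASH_MSG.findall(text):
        # If a path is reported more than once, the last message wins.
        state[path] = (verdict == "matches")
    return state


def mismatched(debug_output):
    """Paths where the stored hash no longer matches, in log order."""
    return [path for path, ok in classify(debug_output).items() if not ok]


if __name__ == "__main__":
    for path in mismatched(SAMPLE):
        print("hash mismatch, compare before/after GPO edit:", path)
```

Running it over a log captured before and after the Group Policy tools are used shows which SYSVOL paths switched from "matches" to "does not match".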


Re: [Samba] samba4 documentation

2012-11-10 Thread José Neto
Not this. I'm talking about man pages.

Thanks.


2012/11/10 Andrew Bartlett 

> On Thu, 2012-11-08 at 21:15 -0300, José Neto wrote:
> > Where is the samb4 (nice typo) documentation?
> >
> > Sorry about the question, but I can't find samba4 docs anywhere.
> >
> > Someone, please, help me.
> >
> > Thanks!
> https://wiki.samba.org/index.php/Samba4/HOWTO
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


Re: [Samba] Question about filtering

2012-11-10 Thread Andrew Bartlett
On Sat, 2012-11-10 at 23:23 +0100, Enrico Scantamburlo wrote:
> Hi,
> We are having some performance problems with users that have folders
> shared over their internal networks.
> We were wondering, when the user lists files using dir *.dat  or calls
> /FirstNextFile, is the filtering done on the local  or on the remote
> one?
> 
> Thanks in advance!

You would need a network capture to be sure - the client can do either
in theory, but the protocol is perfectly capable of doing this remotely.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] samba4 documentation

2012-11-10 Thread Andrew Bartlett
On Thu, 2012-11-08 at 21:15 -0300, José Neto wrote:
> Where is the samb4 (nice typo) documentation?
> 
> Sorry about the question, but I can't find samba4 docs anywhere.
> 
> Someone, please, help me.
> 
> Thanks!
https://wiki.samba.org/index.php/Samba4/HOWTO
-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Problem with filtering

2012-11-10 Thread Enrico Scantamburlo
Hi,
We are having some performance problems with users that have folders
shared over their internal networks.
We were wondering, when the user lists files using dir *.dat or calls
FindFirstFile/FirstNextFile, is the filtering done on the local
machine or on the remote one?

Thanks in advance!

--
Enrico Scantamburlo
Software Development Consultant
Web: Streamsim Technologies, Inc.


[Samba] [SAMBA4 RC1] Strange internal DNS behaviour

2012-11-10 Thread Szymon Zycinski
I checked in the remote DNS management snap-in, and the only host A
records visible are for the server and my machine with the remote tools.
All the others do not appear on the list.
My resolv.conf looks like this:

nameserver 172.23.198.20
search 4lo.czest.pl.lan
domain 4lo.czest.pl.lan


I followed the DNS debugging step from the HOWTO and received the error
list below (this is only a part of it):

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV
_ldap._tcp.265b11ab-284e-4235-8091-623864f7d334.domains._msdcs.4lo.czest.pl.lan
sienkiewiczpdc.4lo.czest.pl.lan 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.265b11ab-284e-4235-8091-623864f7d334.domains._msdcs.4lo.czest.pl.lan.
900 IN SRV 0 100 389 sienkiewiczpdc.4lo.czest.pl.lan.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.4lo.czest.pl.lan
sienkiewiczpdc.4lo.czest.pl.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.4lo.czest.pl.lan. 900  IN  SRV 0 100 3268
sienkiewiczpdc.4lo.czest.pl.lan.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV
_gc._tcp.default-first-site-name._sites.4lo.czest.pl.lan
sienkiewiczpdc.4lo.czest.pl.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.4lo.czest.pl.lan. 900 IN SRV 0
100 3268 sienkiewiczpdc.4lo.czest.pl.lan.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries


Googling didn't help. I don't want to blindly update to RC4 because all
I really need works OK. If the errors are solved in the next RC releases I
can update, but it would be better to wait for the final release.

Szymon


PS. I don't know why some posts are on the list if I post via
news.gmane.org and some are not fed properly.


[Samba] Question about filtering

2012-11-10 Thread Enrico Scantamburlo
Hi,
We are having some performance problems with users that have folders
shared over their internal networks.
We were wondering, when the user lists files using dir *.dat  or calls
/FirstNextFile, is the filtering done on the local  or on the remote
one?

Thanks in advance!

--
Enrico Scantamburlo
Software Development Consultant
Web: Streamsim Technologies, Inc.


Re: [Samba] Problem with Remote Announce

2012-11-10 Thread Nick Howitt
Never mind. User error. I'd forgotten to set the DHCP server to hand out 
the WINS IP. :(


On 10/11/2012 08:44, Nick Howitt wrote:


Hi,

I've been running Samba 3.5.18 on ClearOS 5.2 for a while now. I have 
a server on its own LANs (192.168.2.0/24 and 192.168.3.0/24) and an 
IPSec VPN through to 192.168.10.0/24. The remote LAN is just one 
machine on the other side of a router. I've been successfully seeing 
its netbios name and I've been able to ping the remote PC by name and 
browse it and vice versa. A few weeks ago I upgraded to ClearOS 6.3 
with Samba 3.6.7 and with the same config I can no longer use the 
remote PC's name or browse it. Both ends of the VPN are on the same 
Workgroup.


I believe these are the relevant bits of smb.conf:

[global]
# General
netbios name = Server
workgroup = HOME
server string = Server

# Network
bind interfaces only = yes
interfaces = lo eth2 eth1
smb ports = 139 445

# WINS
wins support = Yes
wins server =

# Other
preferred master = Yes
domain master = Yes
remote announce = 192.168.10.255 192.168.10.120
hosts allow = 127.0.0.0/24 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24 10.8.0.0/24


With 3.6.7 I also use:

max protocol = SMB2

The remote PC is running WinXP.

In my log files in /var/log/samba I see logs for mum-blue - the remote 
PC - as it connects to a shared drive. On the XP machine I am forcing 
it to use NetBIOS over TCP/IP and its WINS server entry is pointing to 
my server. Its firewall is open to UDP/TCP 137-139 and 445. The PC is 
on 192.168.10.120.


Have I got something wrong or is there a problem with Samba?

Regards,

Nick





[Samba] issues with Windows 7 roaming profiles

2012-11-10 Thread Thierry Lacoste
Hello,

I have a CentOS 5.5 box acting as a PDC with samba 3.4.9 and openldap 2.4.22.
Then I joined the domain with a CentOS box (samba 3.4.17) which hosts the homes 
and profiles.
I have no problem with XP clients.

I can join a Windows 7 client to my domain but it is unable to load the profile 
when logging in.
See below a level 2 log.smbd from the file server when I log in with a domain 
account.

Is the "unable to create profs/lacoste.V2" the culprit?
What do I have to do to make it work?

Best regards,
Thierry Lacoste.

[2012/11/09 13:17:40,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/09 13:17:40,  2] smbd/sesssetup.c:1360(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old 
resources.
[2012/11/09 13:17:40,  2] libsmb/namequery.c:781(name_query)
  Got a positive name query response from 194.214.12.135 ( 194.214.12.135 )
[2012/11/09 13:17:40,  2] auth/auth.c:310(check_ntlm_password)
  check_ntlm_password:  authentication for user [lacoste] -> [lacoste] -> 
[lacoste] succeeded
[2012/11/09 13:17:40,  2] lib/module.c:64(do_smb_load_module)
  Module '/usr/lib/samba/vfs/fake_perms.so' loaded
[2012/11/09 13:17:40,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service Profiles initially as 
user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:40,  2] smbd/open.c:2415(open_directory)
  open_directory: unable to create profs/lacoste.V2. Error was 
NT_STATUS_ACCESS_DENIED
[2012/11/09 13:17:41,  1] smbd/service.c:1063(make_connection_snum)
  test-win7 (:::194.214.12.186) connect to service lacoste initially as 
user lacoste (uid=5001, gid=4000) (pid 27369)
[2012/11/09 13:17:50,  1] smbd/service.c:1240(close_cnum)
  test-win7 (:::194.214.12.186) closed connection to service Profiles




[Samba] Problem with Remote Announce

2012-11-10 Thread Nick Howitt

Hi,

I've been running Samba 3.5.18 on ClearOS 5.2 for a while now. I have a 
server on its own LANs (192.168.2.0/24 and 192.168.3.0/24) and an IPSec 
VPN through to 192.168.10.0/24. The remote LAN is just one machine on 
the other side of a router. I've been successfully seeing its netbios 
name and I've been able to ping the remote PC by name and browse it and 
vice versa. A few weeks ago I upgraded to ClearOS 6.3 with Samba 3.6.7 
and with the same config I can no longer use the remote PC's name or 
browse it. Both ends of the VPN are on the same Workgroup.


I believe these are the relevant bits of smb.conf:

[global]
# General
netbios name = Server
workgroup = HOME
server string = Server

# Network
bind interfaces only = yes
interfaces = lo eth2 eth1
smb ports = 139 445

# WINS
wins support = Yes
wins server =

# Other
preferred master = Yes
domain master = Yes
remote announce = 192.168.10.255 192.168.10.120
hosts allow = 127.0.0.0/24 192.168.2.0/24 192.168.3.0/24 192.168.10.0/24 10.8.0.0/24


With 3.6.7 I also use:

max protocol = SMB2

The remote PC is running WinXP.

In my log files in /var/log/samba I see logs for mum-blue - the remote 
PC - as it connects to a shared drive. On the XP machine I am forcing it 
to use NetBIOS over TCP/IP and its WINS server entry is pointing to my 
server. Its firewall is open to UDP/TCP 137-139 and 445. The PC is on 
192.168.10.120.


Have I got something wrong or is there a problem with Samba?

Regards,

Nick
