Re: [Samba] Samba 4 & W2k8_R2 - No automatic DNS Updates

2012-11-27 Thread Johannes Paechnatz
Any ideas/solutions/hints for the DNS Updating Issues?


2012/11/21 Johannes Paechnatz 

> What works:
> - Samba4 Server migrated from Samba3 data.
> - adding a 2008_R2 DC.
> - Replication, so far as I could monitor.
> - internal DNS Server on Samba.
>
> What fails:
> Automatic DNS Updates are not working, although "allow dns updates =
> true" in smb.conf is set - which seems to enable secure AND unsecure
> updates.
>
> Manually adding a record works on both machines, and it gets replicated on
> both.
>
> I also raised the Domain and Forest Level from 2003 to 2008 R2.
>
> Did I miss a security setting on the used Client, Samba or W2K8-Server?
>
> I also tried disabling IPv6 on Win7:
> http://support.microsoft.com/kb/929852/en-us
>
> I read several wiki pages but found no real hint, some of them are
> outdated I think...no changes since 2006 etc.
>
> Additional Info:
> samba-tool drs showrepl
> Default-First-Site-Name\SAMBA4SRV
> DSA Options: 0x0001
> DSA object GUID: e0c557b0-2ea7-41af-9298-a6cee7fde615
> DSA invocationId: 50a38aa7-2774-4131-ac6c-edd349915945
>
>  INBOUND NEIGHBORS 
>
> DC=DomainDnsZones,DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
>  DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
> Last attempt @ Wed Nov 21 10:14:06 2012 CET was successful
>  0 consecutive failure(s).
> Last success @ Wed Nov 21 10:14:06 2012 CET
>
> DC=ForestDnsZones,DC=bfetv,DC=bfe-systemhaus,DC=de
>  Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
> Last attempt @ Wed Nov 21 10:14:06 2012 CET was successful
>  0 consecutive failure(s).
> Last success @ Wed Nov 21 10:14:06 2012 CET
>
> DC=bfetv,DC=bfe-systemhaus,DC=de
>  Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
> Last attempt @ Wed Nov 21 10:14:06 2012 CET was successful
>  0 consecutive failure(s).
> Last success @ Wed Nov 21 10:14:06 2012 CET
>
> CN=Schema,CN=Configuration,DC=bfetv,DC=bfe-systemhaus,DC=de
>  Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
> Last attempt @ Wed Nov 21 10:14:06 2012 CET was successful
>  0 consecutive failure(s).
> Last success @ Wed Nov 21 10:14:06 2012 CET
>
> CN=Configuration,DC=bfetv,DC=bfe-systemhaus,DC=de
>  Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
> Last attempt @ Wed Nov 21 10:14:06 2012 CET was successful
>  0 consecutive failure(s).
> Last success @ Wed Nov 21 10:14:06 2012 CET
>
>  OUTBOUND NEIGHBORS 
>
> DC=DomainDnsZones,DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
>  Last attempt @ Tue Nov 20 16:24:22 2012 CET was successful
> 0 consecutive failure(s).
> Last success @ Tue Nov 20 16:24:22 2012 CET
>
> DC=ForestDnsZones,DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
>  Last attempt @ Tue Nov 20 16:24:22 2012 CET was successful
> 0 consecutive failure(s).
> Last success @ Tue Nov 20 16:24:22 2012 CET
>
> DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
>  Last attempt @ Tue Nov 20 16:24:22 2012 CET was successful
> 0 consecutive failure(s).
> Last success @ Tue Nov 20 16:24:22 2012 CET
>
> CN=Schema,CN=Configuration,DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
>  Last attempt @ Tue Nov 20 16:24:22 2012 CET was successful
> 0 consecutive failure(s).
> Last success @ Tue Nov 20 16:24:22 2012 CET
>
> CN=Configuration,DC=bfetv,DC=bfe-systemhaus,DC=de
> Default-First-Site-Name\BFETVSRV via RPC
> DSA object GUID: cdf7bc5f-28c8-4477-a3cb-459aa4390db0
>  Last attempt @ Tue Nov 20 16:24:22 2012 CET was successful
> 0 consecutive failure(s).
> Last success @ Tue Nov 20 16:24:22 2012 CET
>
>  KCC CONNECTION OBJECTS 
>
> Connection --
> Connection name: ba1c7365-189f-4cfd-945e-a2c9ac4e6cb7
> Enabled: TRUE
>  Server DNS name : BFETVSRV.bfetv.bfe-systemhaus.de
> Server DN name  : CN=NTDS
> Settings,CN=BFETVSRV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bfetv,DC=bfe-systemhaus,DC=de
>  TransportType: RPC
> options: 0x0001
> Warning: No NC replicated for Connection!
>
> samba-tool domain level show
> Domain and forest function level for domain
> 'DC=bfetv,DC=bfe-systemhaus,DC=de'
>
> Forest function level: (Windows) 2008 R2
> Domain function level: (Windows) 2008 R2
> Lowest function level of a DC: (Windows) 2008 R2
>
>
> Any troubleshooting advice or ideas? Debuglevel for debugging internal DNS?
>
>
> cu Joh.
> --
> Johannes Paechnatz
>
> --> googleplus: http://goo.gl/GVNoM
> --> facebook: http://www.facebook.com/jpaechnatz
> --> jabber/xmpp: 
> jpaechn...@gmail.com

Re: [Samba] samba4 AD DNS zone corrupted

2012-11-27 Thread Matthieu Patou

On 11/27/2012 02:56 PM, Johannes Schmid wrote:


> However, when querying it with samba-tool, the problems start:
>
> # samba-tool dns query sambapdc.mydomain.local mydomain.local @ ALL
>
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 162, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 925, in run

Can you restart samba ?
Also can you rerun this command with -d 10 and post the log on the list ?

Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Printers management

2012-11-27 Thread Novosielski, Ryan
First, I'd be surprised if it were possible. It did not use to be.

Second, those printers that sit out there are not the right ones to use anyway. 
I don't recall why they exist there, but the printers (when browsing) appear in 
the Printers folder which behaves differently than the root folder. 



----- Original Message -----
From: Marcio Oli [mailto:marcio.oli...@gmail.com]
Sent: Tuesday, November 27, 2012 04:07 PM
To: samba@lists.samba.org 
Subject: Re: [Samba] Printers management

The question is how to put all my printers within a share. Because of
the current configuration, all printers are appearing at \\server-name\
(the first level of shares).
I'd like to make something like: \\server-name\CompanyPrinters\ , so
below this directory all printers should be located.

Anybody?


Thanks again,
Marcio.

2012/11/27 Marcio Oli 

>
> Hi people,
>
>
> I have a server where all shares are at a same level. I would like to
> put the printers within a subfolder with any name. Could anybody help me?
>
>
> Thanks,
> --
> Marcio Oliveira.
> "Tudo concorre para o bem daqueles que amam à Deus." (Rom 8,28)
>



-- 
Marcio Oliveira.
"Tudo concorre para o bem daqueles que amam à Deus." (Rom 8,28)


[Samba] samba4 AD DNS zone corrupted

2012-11-27 Thread Johannes Schmid

Hello everyone,

somehow I broke my DNS zone managed by samba4. Unfortunately, I'm out of 
ideas and you are my last hope!


When I want to open it in Windows DNS administration MSC, I get the 
following error when selecting the zone: "Zone Not Loaded by DNS Server".


When running regular DNS queries on that zone, everything works fine.

# host -t A mydomain.local
mydomain.local has address 192.168.122.1

# host -t NS mydomain.local
mydomain.local name server sambapdc.mydomain.local.

# host -t SOA mydomain.local
mydomain.local has SOA record sambapdc.mydomain.local. hostmaster.mydomain.local. 94 900 600 86400 0


# host -t A sambapdc.mydomain.local
sambapdc.mydomain.local has address 192.168.122.1


However, when querying it with samba-tool, the problems start:

# samba-tool dns query sambapdc.mydomain.local mydomain.local @ ALL

ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 162, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 925, in run


Note: querying the _msdcs.mydomain.local works fine using
# samba-tool dns query sambapdc.mydomain.local _msdcs.mydomain.local @ ALL
so does
# samba-tool dns query sambapdc.mydomain.local mydomain.local sambapdc ALL

ldbsearch also has no problems when accessing the @ records, at least 
they show up without problems when running
# ldbsearch -H /var/lib/samba/private/dns/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=local" "(objectclass=dnsNode)" --show-binary



Is there anything I could try to get my DNS zone back?
Is there a way to dump the sam.ldb to a text file and re-build it somehow?

Thanks for your support!




PS: Here is the output for some additional samba-tool calls, maybe this 
helps...


-

# samba-tool dns serverinfo sambapdc.mydomain.local
  dwVersion   : 0xece0205
  fBootMethod : DNS_BOOT_METHOD_DIRECTORY
  fAdminConfigured: FALSE
  fAllowUpdate: TRUE
  fDsAvailable: TRUE
  pszServerName   : sambapdc.mydomain.local
  pszDsContainer  : CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local
  aipServerAddrs  : ['255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)']
  aipListenAddrs  : ['255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)', '255.255.255.255 (53)']

  aipForwarders   : []
  dwLogLevel  : 0
  dwDebugLevel: 0
  dwForwardTimeout: 3
  dwRpcPrototol   : 0x5
  dwNameCheckFlag : DNS_ALLOW_MULTIBYTE_NAMES
  cAddressAnswerLimit : 0
  dwRecursionRetry: 3
  dwRecursionTimeout  : 8
  dwMaxCacheTtl   : 86400
  dwDsPollingInterval : 180
  dwScavengingInterval: 0
  dwDefaultRefreshInterval: 168
  dwDefaultNoRefreshInterval  : 168
  fAutoReverseZones   : FALSE
  fAutoCacheUpdate: FALSE
  fRecurseAfterForwarding : FALSE
  fForwardDelegations : TRUE
  fNoRecursion: FALSE
  fSecureResponses: FALSE
  fRoundRobin : TRUE
  fLocalNetPriority   : FALSE
  fBindSecondaries: FALSE
  fWriteAuthorityNs   : FALSE
  fStrictFileParsing  : FALSE
  fLooseWildcarding   : FALSE
  fDefaultAgingState  : FALSE
  dwRpcStructureVersion   : 0x2
  aipLogFilter: []
  pwszLogFilePath : None
  pszDomainName   : mydomain.local
  pszForestName   : mydomain.local
  pszDomainDirectoryPartition : DC=DomainDnsZones,DC=mydomain,DC=local
  pszForestDirectoryPartition : DC=ForestDnsZones,DC=mydomain,DC=local
  dwLocalNetPriorityNetMask   : 0xff
  dwLastScavengeTime  : 0
  dwEventLogLevel : 4
  dwLogFileMaxSize: 0
  dwDsForestVersion   : 2
  dwDsDomainVersion   : 2
  dwDsDsaVersion  : 4
  fReadOnlyDC : FALSE

# samba-tool dns zoneinfo sambapdc.mydomain.local mydomain.local
  pszZoneName : mydomain.local
  dwZoneType  : DNS_ZONE_TYPE_PRIMARY
  fReverse: FALSE
  fAllowUpdate: DNS_ZONE_UPDATE_SECURE
  fPaused : FALSE
  fShutdown   : FALSE
  fAutoCreated: FALSE
  fUseDatabase: TRUE
  pszDataFile : None
  aipMasters  : []
  fSecureSecondaries  : DNS_ZONE_SECSECURE_NO_XFER
  fNotifyLevel: DNS_ZONE_NOTIFY_LIST_ONLY
  aipSecondaries  : []
  aipNotify   : []
  fUseWins: FALSE
  fUseNbstat  : FALSE
  fAging   

Re: [Samba] Printers management

2012-11-27 Thread Marcio Oli
The question is how to put all my printers within a share. Because of
the current configuration, all printers are appearing at \\server-name\
(the first level of shares).
I'd like to make something like: \\server-name\CompanyPrinters\ , so
below this directory all printers should be located.

Anybody?


Thanks again,
Marcio.

2012/11/27 Marcio Oli 

>
> Hi people,
>
>
> I have a server where all shares are at a same level. I would like to
> put the printers within a subfolder with any name. Could anybody help me?
>
>
> Thanks,
> --
> Marcio Oliveira.
> "Tudo concorre para o bem daqueles que amam à Deus." (Rom 8,28)
>



-- 
Marcio Oliveira.
"Tudo concorre para o bem daqueles que amam à Deus." (Rom 8,28)


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
On 20:15:56 wrote Andrej Šimko:
> net getdomainsid
> SID for local machine HOST is:
> S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> S-1-5-21-2390795950-2727105968-4008069955
> 
> I compared my smb.conf with yours. I have "ldap suffix" before
>  "ldap group suffix".
> 
> I switched that but result still the same.
> 
>  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> dn: cn=admin,dc=example,dc=sk
> 
> tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> 
> ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> =users)))" 2>/dev/null
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference is the objectclass posixGroup instead of 
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here are the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# 



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in "displayName"
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in "cn"
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. These types of groups 
will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(cn=administrators))" 2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Regards
Harry Jede
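
The comparison in the message above (a sambaSidEntry-based object versus the three posixGroup-based definitions) can be run as a check over `ldapsearch -LLL` output. This is an added example, not code from the thread or from Samba; the function names are hypothetical, and the rules encode only what the three definitions above show.

```python
import re
from collections import defaultdict

# Entries copied from the thread (description lines omitted): the first is the
# dc=example,dc=sk object being troubleshot, the others are the working
# dc=europa,dc=xx objects.
SAMPLE_LDIF = """\
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins
"""

BUILTIN_PREFIX = "S-1-5-32-"


def parse_ldif(text):
    """Parse LDIF into dicts of lowercased attribute -> list of values.
    Base64 ("attr::") values are kept encoded; folded lines are joined."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = defaultdict(list), None
        for line in block.splitlines():
            if line.startswith("#") or not line.strip():
                continue
            if line.startswith(" ") and last:        # folded continuation line
                entry[last][-1] += line[1:]
                continue
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            entry[last].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries


def check_group(entry):
    """Findings for one sambaGroupMapping entry, measured against the
    posixGroup-based definitions from the thread. Empty list means it matches."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambagroupmapping" not in classes:
        return []
    gtype = entry.get("sambagrouptype", [""])[0]
    sid = entry.get("sambasid", [""])[0]
    findings = []
    if "posixgroup" not in classes:
        others = sorted(classes - {"sambagroupmapping", "top"})
        findings.append("no posixGroup objectClass (built on: %s)"
                        % (", ".join(others) or "none"))
    if "cn" not in entry:
        findings.append("no cn, so the group has no POSIX name to look up")
    if sid.startswith(BUILTIN_PREFIX) and gtype != "4":
        findings.append("builtin SID %s has sambaGroupType %s, thread shows 4"
                        % (sid, gtype or "unset"))
    if gtype == "4" and "memberuid" in entry:
        findings.append("builtin group lists memberUid; "
                        "Windows members belong in sambaSIDList")
    if gtype == "2" and "sambasidlist" in entry:
        findings.append("global group lists sambaSIDList; "
                        "members belong in memberUid")
    return findings


def members(entry):
    """Member values from the attribute the thread assigns to each group type."""
    builtin = entry.get("sambagrouptype", [""])[0] == "4"
    return entry.get("sambasidlist" if builtin else "memberuid", [])


def audit(ldif_text):
    """Map each entry's DN to its list of findings."""
    return {e["dn"][0]: check_group(e) for e in parse_ldif(ldif_text) if "dn" in e}


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn, "->", findings or "matches the posixGroup definitions")
```
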

[Samba] Printers management

2012-11-27 Thread Marcio Oli
Hi people,


I have a server where all shares are at a same level. I would like to
put the printers within a subfolder with any name. Could anybody help me?


Thanks,
-- 
Marcio Oliveira.
"Tudo concorre para o bem daqueles que amam à Deus." (Rom 8,28)


[Samba] Problem loading login.bat on a windows 7 machine

2012-11-27 Thread John Drescher
On 1 windows 7 workstation in my work samba 3 domain roaming profiles
are not loading. The problem seems to be a failure in loading the
login.bat

Samba version 3.5.19
PID Username  Group Machine
---
8078  jdrescher Domain Users  radimgws70   (192.168.2.157)

Service  pid machine   Connected at
---
IPC$ 8199   datastore2Tue Nov 27 12:29:05 2012
IPC$ 8180   datastore1Tue Nov 27 12:28:07 2012
IPC$ 8229   radimgws68Tue Nov 27 12:31:10 2012
netlogon 8078   radimgws70Tue Nov 27 12:22:26 2012

Locked files:
Pid  UidDenyMode   Access  R/WOplock
SharePath   Name   Time
--
8078 1000   DENY_WRITE 0xa1RDONLY NONE
/home/netlogon   login.bat   Tue Nov 27 12:22:26 2012


[2012/11/27 12:24:02.704884,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (1000, 513) - sec_ctx_stack_ndx = 0
[2012/11/27 12:24:02.705305,  3] smbd/vfs.c:881(check_reduced_name)
  check_reduced_name
[login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}]
[/home/netlogon]
[2012/11/27 12:24:02.705338,  3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name:
login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
reduced to 
/home/netlogon/login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
[2012/11/27 12:24:02.705362,  3] smbd/dosmode.c:166(unix_mode)
  
unix_mode(login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20})
returning 0744
[2012/11/27 12:24:02.705381,  3] smbd/error.c:80(error_packet_set)
  error packet at smbd/error.c(160) cmd=162 (SMBntcreateX)
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2012/11/27 12:24:14.064825,  3] smbd/process.c:1489(process_smb)


For me an interesting thing from the above output is
login.bat.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}

why is it trying to append
.34308300201211260203NT7TT.{10E39A49-4531-4496-A08E-842D4C440D20}
to the filename? Or am I reading this wrong?

-- 
John M. Drescher


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Andrej Šimko
net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

I switched that but result still the same.

 ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk


I do not see anything bad, I do not have winbindd installed


On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede  wrote:

> (displayname=users)(uid=users)))"  dn
>


Re: [Samba] CTDB / Samba / GFS2 - Performance - with Picture Link

2012-11-27 Thread Volker Lendecke
On Tue, Nov 27, 2012 at 03:50:40PM +, Vogel, Sven wrote:
> Hi Volker,
> 
> Thanks for the fast reply. So I used the strace command. I am not much of a strace 
> specialist, but is it possible that the problem is the many polls?
> 
> 12513 15:33:24.593065 poll([{fd=9, events=POLLIN|POLLHUP}, {fd=7, 
> events=POLLIN|POLLHUP}, {fd=40, events=POLLIN|POLLHUP}, {fd=32, 
> events=POLLIN|POLLHUP}, {fd=34, events=POLLIN|POLLHUP}], 5, 4436) = 1 
> ([{fd=32, revents=POLLIN}]) <0.002497>
> 12513 15:33:24.595615 read(32, "\0\0\0T", 4) = 4 <0.17>
> 
> I added a link to the strace. I don't see which syscalls take long. There are 
> so many syscalls in any second that I don't know what's normal. :-|
> 
> http://dev.kupper-computer.com/intern/smbd.txt
> 
> Did you have any idea?

One question -- do you have your brlock.tdb on gfs? If so,
move them to a local file system, they will be taken care of
by ctdb. Your fcntl calls on that seem slow. Also, you might
want to try "posix locking = no". There is a call at
timestamp 15:32:47.383963, 1.9 seconds to find out whether a
range is locked. That shows that at this point in time GFS
was busy regarding fcntl locks. Also, your network or your
client seems to have a problem. For example at timestamp
15:32:51.837717 we are waiting 30 milliseconds for a new
request from the client. This is very long for a client
continuously trying to write.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
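
The reading of the trace described in the reply above (find the calls with a long `<seconds>` value, and separate time blocked in `fcntl` from time spent waiting in `poll` for the next client request) as a small parser for `strace -ttT -f` output. This is an added example, not code from the thread; the function names are hypothetical and the trace lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout written by `strace -ttT -f -o FILE`:
# pid, wall-clock time, call, result, and seconds spent in the call in <...>.
# The two timestamps named in the reply are reused; every value is invented.
SAMPLE_TRACE = """\
12513 15:32:47.383963 fcntl(27, F_GETLK, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1}) = 0 <1.900412>
12513 15:32:49.284501 pwrite(31, "data"..., 65536, 1048576) = 65536 <0.000210>
12513 15:32:51.837717 poll([{fd=32, events=POLLIN|POLLHUP}], 1, 4436) = 1 ([{fd=32, revents=POLLIN}]) <0.030118>
12513 15:32:51.867901 read(32, "\\0\\0\\0T", 4) = 4 <0.000017>
12514 15:32:51.868002 fcntl(27, F_SETLKW, {type=F_WRLCK, whence=SEEK_SET, start=0, len=1} <unfinished ...>
12513 15:32:51.868050 pwrite(31, "data"..., 65536, 1114112) = 65536 <0.000190>
12514 15:32:52.118400 <... fcntl resumed> ) = 0 <0.250398>
"""

# Either "name(" at the start of a call or "<... name resumed>" for a call
# that -f interleaved with another process; the duration is the last <n.n>.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:<\.\.\. (?P<resumed>\w+) resumed>|(?P<name>\w+)\()"
    r".*<(?P<dur>\d+\.\d+)>\s*$"
)

# Time spent in these calls is idle waiting for input, not work done by smbd.
WAIT_CALLS = {"poll", "select", "epoll_wait"}


def parse_trace(text):
    """Return (pid, timestamp, syscall, seconds) for every completed call.
    For a resumed call the timestamp is when it returned, not when it began."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "<unfinished ...>", signal and exit lines have no duration
        name = m["name"] or m["resumed"]
        calls.append((int(m["pid"]), m["ts"], name, float(m["dur"])))
    return calls


def slow_calls(calls, threshold=0.020):
    """Calls that took at least `threshold` seconds, slowest first."""
    return sorted((c for c in calls if c[3] >= threshold), key=lambda c: -c[3])


def idle_waits(calls, threshold=0.020):
    """poll/select style calls that waited at least `threshold` seconds."""
    return [c for c in calls if c[2] in WAIT_CALLS and c[3] >= threshold]


def totals_by_syscall(calls):
    """(name, total seconds, call count) per syscall, largest total first."""
    agg = defaultdict(lambda: [0.0, 0])
    for _, _, name, dur in calls:
        agg[name][0] += dur
        agg[name][1] += 1
    return sorted(((n, t, c) for n, (t, c) in agg.items()), key=lambda r: -r[1])


if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for pid, ts, name, dur in slow_calls(calls):
        kind = "waiting for input" if name in WAIT_CALLS else "blocked in call"
        print(f"{ts} pid {pid} {name:<8} {dur:9.6f}s  {kind}")
    for name, total, count in totals_by_syscall(calls):
        print(f"{name:<8} calls={count:<3} total={total:.6f}s")
```
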


[Samba] CTDB / Samba / GFS2 - Performance - with Picture Link

2012-11-27 Thread Vogel, Sven
Hi Volker,

Thanks for the fast reply. So I used the strace command. I am not much of a strace 
specialist, but is it possible that the problem is the many polls?

12513 15:33:24.593065 poll([{fd=9, events=POLLIN|POLLHUP}, {fd=7, 
events=POLLIN|POLLHUP}, {fd=40, events=POLLIN|POLLHUP}, {fd=32, 
events=POLLIN|POLLHUP}, {fd=34, events=POLLIN|POLLHUP}], 5, 4436) = 1 ([{fd=32, 
revents=POLLIN}]) <0.002497>
12513 15:33:24.595615 read(32, "\0\0\0T", 4) = 4 <0.17>

I added a link to the strace. I don't see which syscalls take long. There are 
so many syscalls in any second that I don't know what's normal. :-|

http://dev.kupper-computer.com/intern/smbd.txt

Did you have any idea?

Thanks

Sven

-----Original Message-----
From: Volker Lendecke [mailto:volker.lende...@sernet.de]
Sent: Tuesday, 27 November 2012 14:06
To: Vogel, Sven
Cc: samba@lists.samba.org
Subject: Re: [Samba] CTDB / Samba / GFS2 - Performance - with Picture Link

On Tue, Nov 27, 2012 at 01:00:49PM +, Vogel, Sven wrote:
> Hello,
> 
> maybe there is someone who can help and answer a question why I get these 
> network screen on my ctdb clusters. I have two ctdb clusters. One physical 
> and one in a vmware environment.
> 
> So when I transfer any files (copy) in a samba share I get such network 
> curves with performance breaks. I don't see that the transfer will stop but 
> why is that so? Can I change anything or does anybody know which is the 
> problem?
> 
> 
> http://dev.kupper-computer.com/intern/transfer_network.jpg

Do a

strace -ttT -f -o /tmp/smbd.strace -p 

and see in /tmp/smbd.strace which syscalls take long.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9 AG Göttingen, HRB 2816, GF: Dr. 
Johannes Loxen http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
please post to the list !!!

> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede  wrote:
> > Hi Simo,
> > 
> > > Hi this is my listing:
> > > 
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> > 
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
> 
> User administrator has all rights, so I dont think it is a security
> issue. Or do you know some checks that I could try?
> 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=S-1-5-32*))'
> > > 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 1
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> > 
> > Your LDAP client WILL list the group members.
> > 
> > > Do you know what does this mean?
> > 
> > The reason is often "wrong configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
> 
> > SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
> 
> So that is correct.
> 
> > > > > net getdomainsid
> > > > > SID for local machine HOST is:
> > > > > S-1-5-21-2242576961-186067218-2214866780 SID for domain
> > > > > EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> > 
> > Your server and your domain have different SIDs, that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> > 
> > and restart samba.
> 
> Tried that, nothing changed.
Post:
net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

ldap suffix  = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The 
groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}



Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"


Check if root get the same result:
# ldapsearch -LLLY external -H ldapi:/// "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" 2>/dev/null

###

at last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))" dn



You should get one result.
> 
> > > Thanks.
> > 
> > --
> > 
> > regards
> > 
> > Harry Jede
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba


-- 

Regards
Harry Jede


Re: [Samba] CTDB / Samba / GFS2 - Performance - with Picture Link

2012-11-27 Thread Volker Lendecke
On Tue, Nov 27, 2012 at 01:00:49PM +, Vogel, Sven wrote:
> Hello,
> 
> maybe there is someone who can help and answer a question why I get these 
> network screen on my ctdb clusters. I have two ctdb clusters. One physical 
> and one in a vmware environment.
> 
> So when I transfer any files (copy) in a samba share I get such network 
> curves with performance breaks. I don't see that the transfer will stop but 
> why is that so? Can I change anything or does anybody know which is the 
> problem?
> 
> 
> http://dev.kupper-computer.com/intern/transfer_network.jpg

Do a

strace -ttT -f -o /tmp/smbd.strace -p 

and see in /tmp/smbd.strace which syscalls take long.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


[Samba] CTDB / Samba / GFS2 - Performance - with Picture Link

2012-11-27 Thread Vogel, Sven
Hello,

maybe there is someone who can help and answer a question why I get these 
network screen on my ctdb clusters. I have two ctdb clusters. One physical and 
one in a vmware environment.

So when I transfer any files (copy) in a samba share I get such network 
curves with performance breaks. I don't see that the transfer will stop but why 
is that so? Can I change anything or does anybody know which is the problem?


http://dev.kupper-computer.com/intern/transfer_network.jpg

thanks

Sven Vogel




[Samba] CTDB / Samba / GFS2 - Performance

2012-11-27 Thread Vogel, Sven
Hello,

maybe there is someone who can help and answer a question why I get these 
network screen on my ctdb clusters. I have two ctdb clusters. One physical and 
one in a vmware environment.

So when I transfer any files (copy) in a samba share I get such network 
curves with performance breaks. I don't see that the transfer will stop but why 
is that so? Can I change anything or does anybody know which is the problem?

thanks

Sven Vogel



Re: [Samba] Local Administrator access

2012-11-27 Thread Knut Olav Bøhmer
Hi,

I'm sorry about the last mail. It was incomplete.
It was not me who installed the machine. And from what I can see, there was
not created any local users.

So when I installed a new samba domain controller I was not able to log in
to that computer.

So I took the old SID and put it into a new (temporary, on my laptop)
samba server, and copied the old machine account password.
Then I was able to log in. But the user I created on the samba server does
not have local administration rights on the windows client.

And now, when composing this email, gathering information about my setup
(and a good nights sleep), I discover that the user I used to access the
computer was set to another domain. I found this out by pdbedit -Lv knobo

Thank you for the help :) Without you I would not have figured out ;)
(maybe)

Best regards
Knut Olav Bøhmer

2012/11/26 Gaiseric Vandal 

> Have you tried logging into the PC using the samba domain administrator
> account?
>
> Assuming the PC was properly joined to the domain then you should be able
> to configure the local accounts and groups.
>
> You can create a domain group that is then a member of the PC's local
> administrator group.  This will allow you to define samba users who are PC
> administrators but NOT domain administrators.
>
> Whomever joins a PC to a domain needs to be both a local administrator on
> that computer and (in most cases) have domain administrator credentials.
>  (If the machine account was created in advance then the domain
> administrator credentials should not be needed.)
>
> Are you sure the PC was joined to the domain?
>
>
>
> On 11/26/12 10:51, Knut Olav Bøhmer wrote:
>
>> 2012/11/26 Gaiseric Vandal <gaiseric.vandal@gmail.com>
>>
>>
>> With Windows7, the 1st account you create  during the initial
>> setup is typically a member of the local admin group.  The actual
>> "Administrator" account is normally disabled.  Did this 1st
>> account get deleted?
>>
>>
>> I did not install the computer. How can I find out if there is such a
>> user? But, I don't have the password anyway.
>>
>> When you joined the domain, the Domain Admin's groups should have
>> been added to the local Admin group.
>>
>>
>> Ok, so the trick is to get my user a member of the "Domain Admins" group.
>>
>> This can get messed up if your group mappings are not set up
>> correctly.
>>
>> Also, I think when running the "net" command you may want to use
>> "-U Administrator" to use the credentials of your domain
>> Administrator account  (assuming one has been defined.)  In my
>> setup the unix root does not have a samba account.
>>
>>
>>
>>
>>
>> On 11/26/12 10:03, Knut Olav Bøhmer wrote:
>>
>> Hi,
>>
>> I have a windows 7 machine without local administrator account.
>> I need to create such an account. I can log in to the machine
>> with a user
>> on my samba domain.
>>
>> What do I need to do in order to get administrator access, or
>> access to
>> create a local administrator account?
>>
>> I have tried to do this:
>>
>> [root@float samba]# net rpc group addmem "Administrators"
>> 'DOMAIN\username'
>> Enter root's password:
>> Could not add SKOLELINUX\knobo to Administrators:
>> NT_STATUS_NO_SUCH_ALIAS
>>
>> I have tried to give some rights this way:
>>
>> net rpc rights grant 'DOMAIN\username' SeMachineAccountPrivilege
>> SeAddUsersPrivilege SeDiskOperatorPrivilege SeSecurityPrivilege
>> SeUndockPrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege
>> SePrintOperatorPrivilege SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege  SeUndockPrivilege
>>  SeTakeOwnershipPrivilege
>>
>> And it does what I tell it:
>> [root@float samba]# net rpc rights list knobo
>> Enter root's password:
>> SeMachineAccountPrivilege
>> SeTakeOwnershipPrivilege
>> SeRemoteShutdownPrivilege
>> SePrintOperatorPrivilege
>> SeAddUsersPrivilege
>> SeDiskOperatorPrivilege
>> SeSecurityPrivilege
>> SeSystemProfilePrivilege
>> SeUndockPrivilege
>> SeImpersonatePrivilege
>> SeCreateGlobalPrivilege
>> SeEnableDelegationPrivilege
>>
>>
>> But I'm still prompted for username and password, when I try
>> to access the
>> user accounts in windows 7.
>>
>> Any suggestions?
>>
>>
>> Regards
>>
>>
>>
>>
>>
>>
>> --
>> Knut Olav Bøhmer
>> 41 000 108
>>
>>

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
> Hi this is my listing:
> 
> net -U administrator rpc group members Administrators
> Enter administrator's password:
> Couldn't list alias members
Your samba server WILL not list the members of this global group, mostly 
a security issue.

> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=S-1-5-32*))'
> 
> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=*))'
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
Your LDAP client WILL list the group members.

> Do you know what does this mean?
The reason is often "wrong configured" smbldap-tools. Check the 
/etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

> > > net getdomainsid
> > > SID for local machine HOST is:
> > > S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
> > > is: S-1-5-21-2390795950-2727105968-4008069955
Your server and your domain have different SIDs, that may be your
problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.



> Thanks.

-- 

regards
Harry Jede
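
An added example, not part of Harry's reply and not Samba code: a small Python check that parses `net getdomainsid` output and the `ldapsearch` LDIF quoted in this thread, reports whether the local machine SID equals the domain SID, and shows which of the two prefixes each `sambaSIDList` member carries. The sample inputs are constructed from the values quoted in the thread; all function names are hypothetical.

```python
import re

# Constructed samples, built from the output quoted in the thread.
NET_OUT = """SID for local machine HOST is:
S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
is: S-1-5-21-2390795950-2727105968-4008069955
"""
LDIF = """dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
"""

def parse_getdomainsid(text):
    """Return {'local': sid, 'domain': sid}; tolerates mail line wrapping."""
    flat = " ".join(text.split())
    pat = r"SID for (local machine|domain) \S+ is: (S-1-5-21(?:-\d+){3})"
    return {("local" if kind.startswith("local") else "domain"): sid
            for kind, sid in re.findall(pat, flat)}

def parse_alias_members(ldif):
    """Map each alias SID to the member SIDs in its sambaSIDList."""
    aliases = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = [line.partition(": ")[::2] for line in entry.splitlines()]
        sid = next((v for k, v in attrs if k == "sambaSID"), None)
        if sid:
            aliases[sid] = [v for k, v in attrs if k == "sambaSIDList"]
    return aliases

def audit(net_out, ldif):
    """Compare local and domain SID and classify every alias member."""
    sids = parse_getdomainsid(net_out)
    def owner(member):
        prefix = member.rsplit("-", 1)[0]      # strip the RID
        if prefix == sids.get("domain"):
            return "domain"
        return "local" if prefix == sids.get("local") else "other"
    members = {alias: [(m, owner(m)) for m in ms]
               for alias, ms in parse_alias_members(ldif).items()}
    return {"sids": sids,
            "match": sids.get("local") == sids.get("domain"),
            "members": members}

if __name__ == "__main__":
    report = audit(NET_OUT, LDIF)
    print("local SID == domain SID:", report["match"])
    for alias, ms in report["members"].items():
        for sid, who in ms:
            print(f"{alias} member {sid} carries the {who} SID prefix")
```
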