Re: [Samba] Eliminating Samba4 (as a name)
On 2012-12-22 02:00 (GMT-0500) Andrew Bartlett composed: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO That page seems to assume every potential reader, including Google, knows that AD DC means. I had to think about it for a while, as it doesn't appear to be defined on the page except by inference. When my brain sees it, what it thinks initially is AC DC typo. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Eliminating Samba4 (as a name)
On Sat, 2012-12-22 at 02:22 -0500, Felix Miata wrote: > On 2012-12-22 02:00 (GMT-0500) Andrew Bartlett composed: > > > https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO > > That page seems to assume every potential reader, including Google, knows > that AD DC means. I had to think about it for a while, as it doesn't appear > to be defined on the page except by inference. When my brain sees it, what it > thinks initially is AC DC typo. I've updated the into. Someone else with a wiki account can wikifiy some of the terms into links, but it should cover the basics for now. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Eliminating Samba4 (as a name)
Now that Samba 4.0 has been released - a very proud moment for the whole Samba Team - I want to emphasise something that most of the team has been trying to do over the past few months, but that we haven't really announced: That is, gong forward, we are generally avoiding using the term Samba4 (and Samba3 for that matter). The reason is that while these terms were useful for a time before the merge the originally separate parts of Samba on a technical level, now they just cause us more confusion, and it is only going to get worse now we have made a 4.0 production release. The issue is that Samba 4.0 is a full release of many different Samba components. We didn't make a big fuss about the file server changes, as the biggest changes there are preparation for doing even bigger things in a future release, but what we have done is release a single Samba 4.0. Therefore it is confusing for users and developers when questions are asked about samba4, as while that name generally referred to the AD DC effort, Samba 4.0 is a full Samba release. So, in the future, if you wish to talk about the "Samba 4.0 AD DC", please us that term. The same applies to Samba3 as a term referring to the smbd files server, nmbd, winbindd etc. It is one thing to discuss the Samba 3.x release series, but to talk about the Samba3 components of Samba 4.0 is just confusing. Towards that, I have tried to stop using the term Samba4 in my mailing list posts, and to ensure that folks who mention 'samba4' really do mean the AD DC. I've started editing the Samba4/HOWTO to remove samba4 references, and I've renamed it to https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO There is still a lot to do, but our users can help this a lot by being clear when referring to Samba, and not using these terms. By doing to, we acknowledge that while the big new feature in the Samba 4.0 release is the AD DC, there is much more in Samba 4.0 besides, and we can't do that if we confuse fellow users who might equate Samba4 with Samba 4.0. Thanks, Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Moving a domain to new Linux install - Win7 ok but WinXP not ok
Hi all, I am migrating a Samba 3 domain from an ageing server to a new server. I've exported all users from the old server and imported them on the new server using the following command (LDAP to TdbSam): pdbedit -i ldapsam:ldap://127.0.0.1 -e tdbsam:/tmp/tdbsam.agix scp /tmp/tdbsam.agix new.server.local:/etc/samba/passdb.tdb I've set the same SID on the new server. Windows7 workstations have no issues with this change. But WindowsXP just won't play along. The WindowsXP workstations state that the password is wrong. But the Samba logs show the process is successful. I got and set the SID using: net getlocalsid ...and net setlocalsid BLABLA Any suggestions? Is there something more that needs to be done? I really don't want to rejoin the workstations to the [new] domain. Ta. -- -Andrew Galdes Managing Director RHCSA, LPI, CCENT AGIX Linux Ph: 08 7324 4429 Mb: 0422 927 598 Site: http://www.agix.com.au Twitter: http://twitter.com/agixlinux LinkedIn: http://au.linkedin.com/in/andrewgaldes -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] generate keytab
On Thu, 2012-12-20 at 14:44 -0200, Clodonil Trigo wrote: > Hi Kleb Valoshka, > > thereby I did. > > $ samba-tool user add proxy-user > $ samba-tool user setexpiry proxy-user -noexpiry > $ samba-tool spn add http/proxy-user proxy.nisled.org > $ samba-tool spn add http/proxy.nisled.org proxy-user > > does not work, > > Clodonil > > > > 2012/12/20 Hleb Valoshka <375...@gmail.com> > > > On 12/20/12, Clodonil Trigo wrote: > > > $ samba-tool user add proxy-user > > > $ samba-tool user setexpiry proxy-user -noexpiry > > > $ samba-tool spn add http/proxy-user proxy.nisled.org > > > > Find the difference: > > > > samba-tool spn add http/proxy.nisled.org proxy-user > > > > > $ samba-tool domain exportkeytab /etc/proxy.keytab --principal=http/ > > > proxy.nisled.org At this point some idea of the errors you got where it 'does not work' would be helpful, as would the output of ktlist on the generated keytab: ktutil rkt /etc/proxy.keytab list Thanks, Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 14:28 +1300, Pieter De Wit wrote: > I stand corrected re the MS comment then. How do I get the userAccountControl? userAccountControl is an ldap attribute, on the DC object. ldapsearch, or a GUI LDAP browser (ldp.exe on windows is one) will be able to show it. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade
On Thu, 2012-12-20 at 22:55 +1300, Mario Codeniera wrote:
> I used to upgrade samba3 to samba4 with almost successful with one problem,
> administrator can't access. As administrator, by default it is the only
> user account that is given full control over the system.
>
> My query is how to change the administrator password? we have one account
> which can join to the samba 4 AD based on the migrated data but the problem
> can't change the administrator or can't alter the domain.
> After that re-run the classic upgrade, and found out that the administrator
> SID was wrong and modified to xxx-500 where xxx domain SID and modified
> group Administrators because there are other domain SIDs.
>
> *- (remove the description, displaying only the last part)
> -
> Importing idmap database
> Importing groups
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
> groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-545, groupname=Users
> existing_groupname=Users, Ignoring.
> Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
> groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Importing users
> User 'Administrator' in your existing directory has SID
> S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
> S-1-5-21-1511653421-423844657-761698953-500
> ERROR(): uncaught exception -
> ProvisioningError: User 'Administrator' in your existing directory does not
> have SID ending in -500
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 889, in upgrade_from_samba3
> raise ProvisioningError("User 'Administrator' in your existing
> directory does not have SID ending in -500")*
>
>
> Finally got this with no errors, but again the administrator can't login
> even using the kinit. As mentioned above I used to login other user in
> Windows 7 and run the Windows Remote Administration Tools and able to check
> the data is successfully migrated including administrator (but the problem
> it was changed during upgrading) and I observed in the log see highlighted.
> And every time I run the samba-tool domain classicupgrade, the Admin
> password: (see other highlighted below) have different values (
> >0ngHrG~IIMHZ>DhNIPYOU *
> [root@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
> --dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
> --dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
> /srv/smb.conf
> Reading smb.conf
What it should have said was 'using the existing admin password of user
root/administrator'. So, try the old password, but if neither the old
password nor the generated one works, you can reset it using 'samba-tool
user setpassword administrator'
> Thank you, hope someone can give insights on it.
Thanks for your patience with this.
Andrew Bartlett
--
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
>From 12a0d94c8b80562a775b939fab24196897ed0cf5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 22 Dec 2012 09:28:05 +1100
Subject: [PATCH] samba-tool classicupgrade: Do not print the admin password
during upgrade
This changes the code to only set and show a new password if no admin
user is found during the upgrade.
Andrew Bartlett
---
source4/scripting/python/samba/upgrade.py | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/source4/scripting/python/samba/upgrade.py b/source4/scripting/python/samba/upgrade.py
index df9415e..f524e68 100644
--- a/source4/scripting/python/samba/upgrade.py
+++ b/source4/scripting/python/samba/upgrade.py
@@ -835,11 +835,19 @@ Please fix this account before attempting to upgrade again
if not (serverrole == "ROLE_DOMAIN_BDC" or serverrole == "ROLE_DOMAIN_PDC"):
dns_backend = "NONE"
+# If we found an admin user, set a fake pw that we will override.
+# This avoids us printing out an admin password that we won't actually
+# set.
+if admin_user:
+adminpass = samba.generate_random_password(12, 32)
+else:
+adminpass = None
+
# Do full provision
result = provision(logger, session_info, None,
Re: [Samba] Samba3 joining W2k3 as member server
I stand corrected re the MS comment then. How do I get the userAccountControl?
Thx
Sent from my iPhone
On 22/12/2012, at 12:18, Andrew Bartlett wrote:
> On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
>> On 22/12/2012 11:47, Andrew Bartlett wrote:
>>> On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
On 18/12/2012 10:47, Andrew Bartlett wrote:
> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
>> Hi list,
>>
>> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1
>> LTS) to join a Windows 2003 domain as a member server, without any luck.
>> I have used,from memory, the official way of doing this (aka, from the
>> samba.org website). No matter what settings I use in smb.conf, the
>> server always joins as a domain controller. This doesn't seem to break
>> the domain how ever. All I am after is that my users do not need to
>> enter a username/password for access from a domain PC to shares on my
>> Linux box.
>>
>> Any pointers please or is this intended as the server does single sign?
> If you can list exactly the steps you took, we might be able to help.
>
> But to answer your question: Yes, Samba will happily join Windows 2003
> as a domain member. The key command is 'net ads join'.
>
> Andrew Bartlett
Hi Andrew,
Sorry for the delay in my reply, things has been hectic closing down for
the holidays. In a nut shell, there is what I do/did:
1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :
[global]
workgroup = WORK
realm = WORK.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
# winbind enum users = Yes
# winbind enum groups = Yes
# winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 2000-2
idmap gid = 2000-2
template shell = /bin/bash
veto files = lost+found
3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL
[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL
4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
5) Join the domain : net ads join -U
6) kinit
From then, users can connect to the shares on the server using Single
Sign On. The "issue" is that if I look under my Active Directory, the
server will state that it is a "Domain Controller". Running the usual DC
Info tools they seem to think the domain is ok. I would prefer to have
the server say Member server, rather than DC :)
I would like to send you a screenshot of what "Active Directory Users
and Computers" shows but this will be hard to do remotely.
>>> Many years ago, we found this issue, which was a display but in ADUC.
>>> We are almost certainly not registered as an AD DC, but because our
>>> account flags in the directory don't match exactly what windows does,
>>> then it promotes us to a DC in the GUI. I saw this with Windows 2000
>>> over a decade ago, but perhaps it wasn't fixed in 2003.
>>>
>>> Andrew Bartlett
>> Hey Andrew,
>>
>> I suspect it is the same issue. Is it worth logging a bug for it ? In my
>> case I have other people that maintain AD and I would prefer to "clean
>> it up". If it is in the "too hard to fix basket" (I know MS isn't really
>> forth comming with info re AD), then so be it.
>
> Microsoft is very forthcoming on info re AD. However, please check if
> the latest tools from Microsoft also show this incorrectly as a DC.
>
> If you want to send me the userAccountControl value it set, I can
> confirm it doesn't have the DC flag set.
>
> Andrew Bartlett
>
> --
> Andrew Bartletthttp://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem compiling Samba4, Python installed in nonstandard location
I recompiled my Python installation, looks like I didn't use the
--enable-shared switch. Now I have a .so file and linking seems to be working
correctly. So far the Samba compile is running fine. Thanks!
F
> Subject: Re: [Samba] Problem compiling Samba4, Python installed in
> nonstandard location
> From: abart...@samba.org
> To: fdmill...@msn.com
> CC: samba@lists.samba.org
> Date: Sat, 22 Dec 2012 09:11:52 +1100
>
> On Fri, 2012-12-21 at 15:55 -0600, Flint Million wrote:
> > Hi,I am working with a custom built (LFS-based) Linux distro and am
> > attempting to compile Samba4.
> > Samba3 has always compiled without issue.
> > The system has its Python installed in /opt/python2. There are symlinks to
> > put "python" in /usr/local/bin and the "python2.7" lib folder in
> > /usr/include.
> > The configure command used was simply ./configure --enable-fhs
> > --with-quotas
> > The compile runs fine until it gets to steps involving Python. I'm guessing
> > this has to do with Python headers not being properly included, but I can't
> > figure out what approach to take to make it work right:
> > [3286/3752] Linking
> > default/lib/talloc/libpytalloc-util.so/opt/python2/lib/libpython2.7.a(longobject.o):
> > In function
> > `PyLong_FromString':/usr/src/Python-2.7.3/Objects/longobject.c:1851:
> > undefined reference to
> > `log'/opt/python2/lib/libpython2.7.a(dynload_shlib.o): In function
> > `_PyImport_GetDynLoadFunc':/usr/src/Python-2.7.3/Python/dynload_shlib.c:94:
> > undefined reference to
> > `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:130: undefined
> > reference to `dlopen'/usr/src/Python-2.7.3/Python/dynload_shlib.c:141:
> > undefined reference to
> > `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:133: undefined
> > reference to `dlerror'/opt/python2/lib/libpython2.7.a(signalmodule.o): In
> > function
> > `timeval_from_double':/usr/src/Python-2.7.3/./Modules/signalmodule.c:112:
> > undefined reference to
> > `floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:112: undefined
> > reference to `floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:113:
> > undefined reference to `fmod'/usr/src/Python-2.7.3/./Modules/s
ignalmodule.c:113: undefined reference to
`fmod'/opt/python2/lib/libpython2.7.a(posixmodule.o): In function
`posix_openpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3756: undefined
reference to `openpty'/opt/python2/lib/libpython2.7.a(posixmodule.o): In
function `posix_forkpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3816:
undefined reference to
`forkpty'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py_c_pow':/usr/src/Python-2.7.3/Objects/complexobject.c:139: undefined
reference to `hypot'/usr/src/Python-2.7.3/Objects/complexobject.c:140:
undefined reference to `pow'/usr/src/Python-2.7.3/Objects/complexobject.c:141:
undefined reference to
`atan2'/usr/src/Python-2.7.3/Objects/complexobject.c:143: undefined reference
to `sincos'/usr/src/Python-2.7.3/Objects/complexobject.c:144: undefined
reference to `exp'/usr/src/Python-2.7.3/Objects/complexobject.c:145: undefined
reference to `log'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py
_c_abs':/usr/src/Python-2.7.3/Objects/complexobject.c:210: undefined ref
> > erence to `hypot'/opt/python2/lib/libpython2.7.a(floatobject.o): In
> > function `float_divmod':/usr/src/Python-2.7.3/Objects/floatobject.c:750:
> > undefined reference to
> > `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
> > `float_rem':/usr/src/Python-2.7.3/Objects/floatobject.c:718: undefined
> > reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In
> > function `float_pow':/usr/src/Python-2.7.3/Objects/floatobject.c:912:
> > undefined reference to
> > `pow'/usr/src/Python-2.7.3/Objects/floatobject.c:888: undefined reference
> > to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:863: undefined
> > reference to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:853:
> > undefined reference to
> > `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
> > `_Py_double_round':/usr/src/Python-2.7.3/Objects/floatobject.c:1137:
> > undefined reference to `fmod'collect2: error: ld returned 1 exit statusWaf:
> > Leaving directory `/home/src/samba-4.0.0/bin'Build failed: -> task failed
> > (er
r #1): {task: cc_link pytalloc_util_5.o -> libpytalloc-util.so}make:
*** [all] Error 1
> > I'm not at all familiar with the "waf" build system, so I'm not sure how I
> > can do things like apply additional LD or C flags (was thinking of forcing
> > it to use /opt/python2/include as an include dir) or if this is something
> > completely unrelated. I do know there's something that's always happened
> > with this system where the LDFLAGS doesn't include "-ldl" so those "dl"
> > errors might be related to that, but executing "LDFLAGS=-ldl make" didn't
> > change the behavior at all.
> > Any advice?
> > F
>
> These errors seem to ind
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 12:01 +1300, Pieter De Wit wrote:
> On 22/12/2012 11:47, Andrew Bartlett wrote:
> > On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
> >> On 18/12/2012 10:47, Andrew Bartlett wrote:
> >>> On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
> Hi list,
>
> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1
> LTS) to join a Windows 2003 domain as a member server, without any luck.
> I have used,from memory, the official way of doing this (aka, from the
> samba.org website). No matter what settings I use in smb.conf, the
> server always joins as a domain controller. This doesn't seem to break
> the domain how ever. All I am after is that my users do not need to
> enter a username/password for access from a domain PC to shares on my
> Linux box.
>
> Any pointers please or is this intended as the server does single sign?
> >>> If you can list exactly the steps you took, we might be able to help.
> >>>
> >>> But to answer your question: Yes, Samba will happily join Windows 2003
> >>> as a domain member. The key command is 'net ads join'.
> >>>
> >>> Andrew Bartlett
> >>>
> >> Hi Andrew,
> >>
> >> Sorry for the delay in my reply, things has been hectic closing down for
> >> the holidays. In a nut shell, there is what I do/did:
> >>
> >> 1) apt-get install samba winbindd krb5-user
> >> 2) Configure smb.conf as per :
> >>
> >> [global]
> >>
> >> workgroup = WORK
> >> realm = WORK.LOCAL
> >> preferred master = no
> >> server string = Linux Test Machine
> >> security = ADS
> >> encrypt passwords = yes
> >> log level = 3
> >> log file = /var/log/samba/%m
> >> max log size = 50
> >> printcap name = cups
> >> printing = cups
> >> # winbind enum users = Yes
> >> # winbind enum groups = Yes
> >> # winbind use default domain = Yes
> >> winbind nested groups = Yes
> >> winbind separator = +
> >> idmap uid = 2000-2
> >> idmap gid = 2000-2
> >> template shell = /bin/bash
> >> veto files = lost+found
> >>
> >> 3) Configure krb5.conf:
> >> [libdefaults]
> >> default_realm = WORK.LOCAL
> >>
> >> [realms]
> >> YPG.LOCAL={
> >> kdc=DC.WORK.LOCAL
> >> }
> >> [domain_realm]
> >> .kerberos.server=WORK.LOCAL
> >>
> >> 4) Restart Samba/Winbind
> >> 5) In /etc/nsswitch.conf add winbind to passwd and group
> >> 5) Join the domain : net ads join -U
> >> 6) kinit
> >>
> >> From then, users can connect to the shares on the server using Single
> >> Sign On. The "issue" is that if I look under my Active Directory, the
> >> server will state that it is a "Domain Controller". Running the usual DC
> >> Info tools they seem to think the domain is ok. I would prefer to have
> >> the server say Member server, rather than DC :)
> >>
> >> I would like to send you a screenshot of what "Active Directory Users
> >> and Computers" shows but this will be hard to do remotely.
> > Many years ago, we found this issue, which was a display but in ADUC.
> > We are almost certainly not registered as an AD DC, but because our
> > account flags in the directory don't match exactly what windows does,
> > then it promotes us to a DC in the GUI. I saw this with Windows 2000
> > over a decade ago, but perhaps it wasn't fixed in 2003.
> >
> > Andrew Bartlett
> >
> Hey Andrew,
>
> I suspect it is the same issue. Is it worth logging a bug for it ? In my
> case I have other people that maintain AD and I would prefer to "clean
> it up". If it is in the "too hard to fix basket" (I know MS isn't really
> forth comming with info re AD), then so be it.
Microsoft is very forthcoming on info re AD. However, please check if
the latest tools from Microsoft also show this incorrectly as a DC.
If you want to send me the userAccountControl value it set, I can
confirm it doesn't have the DC flag set.
Andrew Bartlett
--
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 22/12/2012 11:47, Andrew Bartlett wrote:
On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
On 18/12/2012 10:47, Andrew Bartlett wrote:
On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
Hi list,
I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
join a Windows 2003 domain as a member server, without any luck. I have
used,from memory, the official way of doing this (aka, from the samba.org
website). No matter what settings I use in smb.conf, the server always joins as
a domain controller. This doesn't seem to break the domain how ever. All I am
after is that my users do not need to enter a username/password for access from
a domain PC to shares on my Linux box.
Any pointers please or is this intended as the server does single sign?
If you can list exactly the steps you took, we might be able to help.
But to answer your question: Yes, Samba will happily join Windows 2003
as a domain member. The key command is 'net ads join'.
Andrew Bartlett
Hi Andrew,
Sorry for the delay in my reply, things has been hectic closing down for
the holidays. In a nut shell, there is what I do/did:
1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :
[global]
workgroup = WORK
realm = WORK.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
# winbind enum users = Yes
# winbind enum groups = Yes
# winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 2000-2
idmap gid = 2000-2
template shell = /bin/bash
veto files = lost+found
3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL
[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL
4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
5) Join the domain : net ads join -U
6) kinit
From then, users can connect to the shares on the server using Single
Sign On. The "issue" is that if I look under my Active Directory, the
server will state that it is a "Domain Controller". Running the usual DC
Info tools they seem to think the domain is ok. I would prefer to have
the server say Member server, rather than DC :)
I would like to send you a screenshot of what "Active Directory Users
and Computers" shows but this will be hard to do remotely.
Many years ago, we found this issue, which was a display but in ADUC.
We are almost certainly not registered as an AD DC, but because our
account flags in the directory don't match exactly what windows does,
then it promotes us to a DC in the GUI. I saw this with Windows 2000
over a decade ago, but perhaps it wasn't fixed in 2003.
Andrew Bartlett
Hey Andrew,
I suspect it is the same issue. Is it worth logging a bug for it ? In my
case I have other people that maintain AD and I would prefer to "clean
it up". If it is in the "too hard to fix basket" (I know MS isn't really
forth comming with info re AD), then so be it.
Cheers,
Pieter
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On Sat, 2012-12-22 at 11:36 +1300, Pieter De Wit wrote:
> On 18/12/2012 10:47, Andrew Bartlett wrote:
> > On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
> >> Hi list,
> >>
> >> I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS)
> >> to join a Windows 2003 domain as a member server, without any luck. I have
> >> used,from memory, the official way of doing this (aka, from the samba.org
> >> website). No matter what settings I use in smb.conf, the server always
> >> joins as a domain controller. This doesn't seem to break the domain how
> >> ever. All I am after is that my users do not need to enter a
> >> username/password for access from a domain PC to shares on my Linux box.
> >>
> >> Any pointers please or is this intended as the server does single sign?
> > If you can list exactly the steps you took, we might be able to help.
> >
> > But to answer your question: Yes, Samba will happily join Windows 2003
> > as a domain member. The key command is 'net ads join'.
> >
> > Andrew Bartlett
> >
> Hi Andrew,
>
> Sorry for the delay in my reply, things has been hectic closing down for
> the holidays. In a nut shell, there is what I do/did:
>
> 1) apt-get install samba winbindd krb5-user
> 2) Configure smb.conf as per :
>
> [global]
>
> workgroup = WORK
> realm = WORK.LOCAL
> preferred master = no
> server string = Linux Test Machine
> security = ADS
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> # winbind enum users = Yes
> # winbind enum groups = Yes
> # winbind use default domain = Yes
> winbind nested groups = Yes
> winbind separator = +
> idmap uid = 2000-2
> idmap gid = 2000-2
> template shell = /bin/bash
> veto files = lost+found
>
> 3) Configure krb5.conf:
> [libdefaults]
> default_realm = WORK.LOCAL
>
> [realms]
> YPG.LOCAL={
> kdc=DC.WORK.LOCAL
> }
> [domain_realm]
> .kerberos.server=WORK.LOCAL
>
> 4) Restart Samba/Winbind
> 5) In /etc/nsswitch.conf add winbind to passwd and group
> 5) Join the domain : net ads join -U
> 6) kinit
>
> From then, users can connect to the shares on the server using Single
> Sign On. The "issue" is that if I look under my Active Directory, the
> server will state that it is a "Domain Controller". Running the usual DC
> Info tools they seem to think the domain is ok. I would prefer to have
> the server say Member server, rather than DC :)
>
> I would like to send you a screenshot of what "Active Directory Users
> and Computers" shows but this will be hard to do remotely.
Many years ago, we found this issue, which was a display but in ADUC.
We are almost certainly not registered as an AD DC, but because our
account flags in the directory don't match exactly what windows does,
then it promotes us to a DC in the GUI. I saw this with Windows 2000
over a decade ago, but perhaps it wasn't fixed in 2003.
Andrew Bartlett
--
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba3 joining W2k3 as member server
On 18/12/2012 10:47, Andrew Bartlett wrote:
On Mon, 2012-12-17 at 17:00 +1300, Pieter De Wit wrote:
Hi list,
I have tried with all my might to get a samba3 server (Ubuntu 12.04.1 LTS) to
join a Windows 2003 domain as a member server, without any luck. I have
used,from memory, the official way of doing this (aka, from the samba.org
website). No matter what settings I use in smb.conf, the server always joins as
a domain controller. This doesn't seem to break the domain how ever. All I am
after is that my users do not need to enter a username/password for access from
a domain PC to shares on my Linux box.
Any pointers please or is this intended as the server does single sign?
If you can list exactly the steps you took, we might be able to help.
But to answer your question: Yes, Samba will happily join Windows 2003
as a domain member. The key command is 'net ads join'.
Andrew Bartlett
Hi Andrew,
Sorry for the delay in my reply, things has been hectic closing down for
the holidays. In a nut shell, there is what I do/did:
1) apt-get install samba winbindd krb5-user
2) Configure smb.conf as per :
[global]
workgroup = WORK
realm = WORK.LOCAL
preferred master = no
server string = Linux Test Machine
security = ADS
encrypt passwords = yes
log level = 3
log file = /var/log/samba/%m
max log size = 50
printcap name = cups
printing = cups
# winbind enum users = Yes
# winbind enum groups = Yes
# winbind use default domain = Yes
winbind nested groups = Yes
winbind separator = +
idmap uid = 2000-2
idmap gid = 2000-2
template shell = /bin/bash
veto files = lost+found
3) Configure krb5.conf:
[libdefaults]
default_realm = WORK.LOCAL
[realms]
YPG.LOCAL={
kdc=DC.WORK.LOCAL
}
[domain_realm]
.kerberos.server=WORK.LOCAL
4) Restart Samba/Winbind
5) In /etc/nsswitch.conf add winbind to passwd and group
5) Join the domain : net ads join -U
6) kinit
From then, users can connect to the shares on the server using Single
Sign On. The "issue" is that if I look under my Active Directory, the
server will state that it is a "Domain Controller". Running the usual DC
Info tools they seem to think the domain is ok. I would prefer to have
the server say Member server, rather than DC :)
I would like to send you a screenshot of what "Active Directory Users
and Computers" shows but this will be hard to do remotely.
Thanks,
Pieter
P.S. Good work on the AD integration btw, I am using the above for Squid
aswell and it's pretty neat ! :)
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba4 in a Windows workgroup
On Fri, 2012-12-21 at 17:44 +, Eduardo Sotomayor wrote: > > I have found a lot of information about how to setup a samba4 active > directory server, but I haven't found anything about configuring a > standalone server in a windows workgroup, provisioning, configuring > the smb.conf file, creating users, (I read that samba4 doesn't > requires to have a unix user for every samba users) how to set up > permissions, network browsing setup, etc. > > is there any good guide or can anyone post a good guide here The Samba By Example book is quite old now, but the parts for setting up a simple server should still be correct, except where it references security=share (which has been removed from 4.0): https://www.samba.org/samba/docs/man/Samba-Guide/ Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problem compiling Samba4, Python installed in nonstandard location
On Fri, 2012-12-21 at 15:55 -0600, Flint Million wrote:
> Hi,I am working with a custom built (LFS-based) Linux distro and am
> attempting to compile Samba4.
> Samba3 has always compiled without issue.
> The system has its Python installed in /opt/python2. There are symlinks to
> put "python" in /usr/local/bin and the "python2.7" lib folder in /usr/include.
> The configure command used was simply ./configure --enable-fhs --with-quotas
> The compile runs fine until it gets to steps involving Python. I'm guessing
> this has to do with Python headers not being properly included, but I can't
> figure out what approach to take to make it work right:
> [3286/3752] Linking
> default/lib/talloc/libpytalloc-util.so/opt/python2/lib/libpython2.7.a(longobject.o):
> In function
> `PyLong_FromString':/usr/src/Python-2.7.3/Objects/longobject.c:1851:
> undefined reference to `log'/opt/python2/lib/libpython2.7.a(dynload_shlib.o):
> In function
> `_PyImport_GetDynLoadFunc':/usr/src/Python-2.7.3/Python/dynload_shlib.c:94:
> undefined reference to
> `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:130: undefined reference
> to `dlopen'/usr/src/Python-2.7.3/Python/dynload_shlib.c:141: undefined
> reference to `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:133:
> undefined reference to
> `dlerror'/opt/python2/lib/libpython2.7.a(signalmodule.o): In function
> `timeval_from_double':/usr/src/Python-2.7.3/./Modules/signalmodule.c:112:
> undefined reference to
> `floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:112: undefined
> reference to `floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:113:
> undefined reference to `fmod'/usr/src/Python-2.7.3/./Modules/sig
nalmodule.c:113: undefined reference to
`fmod'/opt/python2/lib/libpython2.7.a(posixmodule.o): In function
`posix_openpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3756: undefined
reference to `openpty'/opt/python2/lib/libpython2.7.a(posixmodule.o): In
function `posix_forkpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3816:
undefined reference to
`forkpty'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py_c_pow':/usr/src/Python-2.7.3/Objects/complexobject.c:139: undefined
reference to `hypot'/usr/src/Python-2.7.3/Objects/complexobject.c:140:
undefined reference to `pow'/usr/src/Python-2.7.3/Objects/complexobject.c:141:
undefined reference to
`atan2'/usr/src/Python-2.7.3/Objects/complexobject.c:143: undefined reference
to `sincos'/usr/src/Python-2.7.3/Objects/complexobject.c:144: undefined
reference to `exp'/usr/src/Python-2.7.3/Objects/complexobject.c:145: undefined
reference to `log'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py_c
_abs':/usr/src/Python-2.7.3/Objects/complexobject.c:210: undefined ref
> erence to `hypot'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
> `float_divmod':/usr/src/Python-2.7.3/Objects/floatobject.c:750: undefined
> reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In
> function `float_rem':/usr/src/Python-2.7.3/Objects/floatobject.c:718:
> undefined reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o):
> In function `float_pow':/usr/src/Python-2.7.3/Objects/floatobject.c:912:
> undefined reference to `pow'/usr/src/Python-2.7.3/Objects/floatobject.c:888:
> undefined reference to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:863:
> undefined reference to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:853:
> undefined reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o):
> In function
> `_Py_double_round':/usr/src/Python-2.7.3/Objects/floatobject.c:1137:
> undefined reference to `fmod'collect2: error: ld returned 1 exit statusWaf:
> Leaving directory `/home/src/samba-4.0.0/bin'Build failed: -> task failed
> (err
#1): {task: cc_link pytalloc_util_5.o -> libpytalloc-util.so}make: ***
[all] Error 1
> I'm not at all familiar with the "waf" build system, so I'm not sure how I
> can do things like apply additional LD or C flags (was thinking of forcing it
> to use /opt/python2/include as an include dir) or if this is something
> completely unrelated. I do know there's something that's always happened with
> this system where the LDFLAGS doesn't include "-ldl" so those "dl" errors
> might be related to that, but executing "LDFLAGS=-ldl make" didn't change the
> behavior at all.
> Any advice?
> F
These errors seem to indicate the python isn't sufficiently linked on
your platform. Do other things compile correctly against python? Is
your /etc/ld.so.conf correct?
On the broader question, you can pass additional LDFLAGS to Samba's
build process like so:
LDFLAGS=-lm ./configure
Andrew Bartlett
--
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] Problem compiling Samba4, Python installed in nonstandard location
Hi,I am working with a custom built (LFS-based) Linux distro and am attempting
to compile Samba4.
Samba3 has always compiled without issue.
The system has its Python installed in /opt/python2. There are symlinks to put
"python" in /usr/local/bin and the "python2.7" lib folder in /usr/include.
The configure command used was simply ./configure --enable-fhs --with-quotas
The compile runs fine until it gets to steps involving Python. I'm guessing
this has to do with Python headers not being properly included, but I can't
figure out what approach to take to make it work right:
[3286/3752] Linking
default/lib/talloc/libpytalloc-util.so/opt/python2/lib/libpython2.7.a(longobject.o):
In function
`PyLong_FromString':/usr/src/Python-2.7.3/Objects/longobject.c:1851: undefined
reference to `log'/opt/python2/lib/libpython2.7.a(dynload_shlib.o): In function
`_PyImport_GetDynLoadFunc':/usr/src/Python-2.7.3/Python/dynload_shlib.c:94:
undefined reference to `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:130:
undefined reference to
`dlopen'/usr/src/Python-2.7.3/Python/dynload_shlib.c:141: undefined reference
to `dlsym'/usr/src/Python-2.7.3/Python/dynload_shlib.c:133: undefined reference
to `dlerror'/opt/python2/lib/libpython2.7.a(signalmodule.o): In function
`timeval_from_double':/usr/src/Python-2.7.3/./Modules/signalmodule.c:112:
undefined reference to
`floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:112: undefined reference
to `floor'/usr/src/Python-2.7.3/./Modules/signalmodule.c:113: undefined
reference to `fmod'/usr/src/Python-2.7.3/./Modules/signa
lmodule.c:113: undefined reference to
`fmod'/opt/python2/lib/libpython2.7.a(posixmodule.o): In function
`posix_openpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3756: undefined
reference to `openpty'/opt/python2/lib/libpython2.7.a(posixmodule.o): In
function `posix_forkpty':/usr/src/Python-2.7.3/./Modules/posixmodule.c:3816:
undefined reference to
`forkpty'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py_c_pow':/usr/src/Python-2.7.3/Objects/complexobject.c:139: undefined
reference to `hypot'/usr/src/Python-2.7.3/Objects/complexobject.c:140:
undefined reference to `pow'/usr/src/Python-2.7.3/Objects/complexobject.c:141:
undefined reference to
`atan2'/usr/src/Python-2.7.3/Objects/complexobject.c:143: undefined reference
to `sincos'/usr/src/Python-2.7.3/Objects/complexobject.c:144: undefined
reference to `exp'/usr/src/Python-2.7.3/Objects/complexobject.c:145: undefined
reference to `log'/opt/python2/lib/libpython2.7.a(complexobject.o): In function
`_Py_c_a
bs':/usr/src/Python-2.7.3/Objects/complexobject.c:210: undefined reference to
`hypot'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
`float_divmod':/usr/src/Python-2.7.3/Objects/floatobject.c:750: undefined
reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
`float_rem':/usr/src/Python-2.7.3/Objects/floatobject.c:718: undefined
reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
`float_pow':/usr/src/Python-2.7.3/Objects/floatobject.c:912: undefined
reference to `pow'/usr/src/Python-2.7.3/Objects/floatobject.c:888: undefined
reference to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:863: undefined
reference to `fmod'/usr/src/Python-2.7.3/Objects/floatobject.c:853: undefined
reference to `fmod'/opt/python2/lib/libpython2.7.a(floatobject.o): In function
`_Py_double_round':/usr/src/Python-2.7.3/Objects/floatobject.c:1137: undefined
reference to `fmod'collect2: error: ld returned 1 exit statusWaf: Leaving direc
tory `/home/src/samba-4.0.0/bin'Build failed: -> task failed (err #1):
{task: cc_link pytalloc_util_5.o -> libpytalloc-util.so}make: *** [all] Error 1
I'm not at all familiar with the "waf" build system, so I'm not sure how I can
do things like apply additional LD or C flags (was thinking of forcing it to
use /opt/python2/include as an include dir) or if this is something completely
unrelated. I do know there's something that's always happened with this system
where the LDFLAGS doesn't include "-ldl" so those "dl" errors might be related
to that, but executing "LDFLAGS=-ldl make" didn't change the behavior at all.
Any advice?
F
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] NEED Windows 7 64 bit Postscript drivers
Alas I am having success on my third install. I am however missing the Windows 7 64 Bit Postscript drivers. I have the 32 bit but have only one copy of windows that is 32 bit and use mostly Linux It would be greatly appreciated if someone could take them off of an ENGLISH system, and zip and email them to me. They come from \Windows\System32\spool\drivers\x64\PCC\ntprint.inf_.cab the names are ps5ui.dll pscript.hlp pscript.ntf pscript5.dll MUST BE Windows 7 English 64 bit system Thanks much! -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [Samba4] Is VFS working in Samba 4.0.0?
On Fri, Dec 21, 2012 at 6:37 PM, Hleb Valoshka <375...@gmail.com> wrote: > On 12/21/12, Kaito Kumashiro wrote: > > server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > > winbind, ntp_signd, kcc, dnsupdate, dns > > You are using ntvfs, use s3fs. > > server services = -smb +s3fs > dcerpc endpoint servers = -winreg -srvsvc > > see https://wiki.samba.org/index.php/Samba4/s3fs > That fixed the problem. Thank you. I don't know why samba_tool didn't put those lines with provision. I wasn't using "--use-ntvfs" option. Anyway, looks like it's working fine now. -- 熊城 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] samba4 in a Windows workgroup
I have found a lot of information about how to setup a samba4 active directory server, but I haven't found anything about configuring a standalone server in a windows workgroup, provisioning, configuring the smb.conf file, creating users, (I read that samba4 doesn't requires to have a unix user for every samba users) how to set up permissions, network browsing setup, etc. is there any good guide or can anyone post a good guide here thanks -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [Samba4] Is VFS working in Samba 4.0.0?
On 12/21/12, Kaito Kumashiro wrote: > server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, > winbind, ntp_signd, kcc, dnsupdate, dns You are using ntvfs, use s3fs. server services = -smb +s3fs dcerpc endpoint servers = -winreg -srvsvc see https://wiki.samba.org/index.php/Samba4/s3fs -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [Samba4] Is VFS working in Samba 4.0.0?
Hello I'm testing Samba 4.0.0 (latest stable) as an AD DC. Here is how it was build: lvmtest samba # sbin/samba -b Samba version: 4.0.0 Build environment: Build host: Linux lvmtest 3.6.8-gentoo #3 SMP Wed Dec 5 14:27:26 CET 2012 i686 Intel(R) Core(TM) i3-2100 CPU @ 3.10GHz GenuineIntel GNU/Linux Paths: BINDIR: /usr/local/samba/bin SBINDIR: /usr/local/samba/sbin CONFIGFILE: /usr/local/samba/etc/smb.conf NCALRPCDIR: /usr/local/samba/var/run/ncalrpc LOGFILEBASE: /usr/local/samba/var LMHOSTSFILE: /usr/local/samba/etc/lmhosts DATADIR: /usr/local/samba/share MODULESDIR: /usr/local/samba/lib LOCKDIR: /usr/local/samba/var/lock STATEDIR: /usr/local/samba/var/locks CACHEDIR: /usr/local/samba/var/cache PIDDIR: /usr/local/samba/var/run PRIVATE_DIR: /usr/local/samba/private SWATDIR: /usr/local/samba/share/swat CODEPAGEDIR: /usr/local/samba/share/codepages SETUPDIR: /usr/local/samba/share/setup WINBINDD_SOCKET_DIR: /usr/local/samba/var/run/winbindd WINBINDD_PRIVILEGED_SOCKET_DIR: /usr/local/samba/var/lib/winbindd_privileged NTP_SIGND_SOCKET_DIR: /usr/local/samba/var/lib/ntp_signd And here is my test configuration file: lvmtest samba # cat etc/smb.conf [global] workgroup = WGP realm = RLM netbios name = LVMTEST server role = active directory domain controller server services = smb, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns dns forwarder = 10.0.0.238 kerberos method = system keytab log level = 3 log file = /var/log/samba.log.%m max log size = 50 debug timestamp = yes client signing = yes client schannel = no client use spnego = yes client lanman auth = no client NTLMv2 auth = yes client plaintext auth = no [netlogon] path = /usr/local/samba/var/locks/sysvol/rlm/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No [profiles] path = /usr/local/samba/var/profiles read only = no [public] path = /usr/local/samba/var/public read only = no browseable = yes vfs objects = scannedonly acl_xattr recycle foobar doesnotwork scannedonly:domain_socket = True scannedonly:socketname = /var/lib/scannedonly/scan scannedonly:hide_nonscanned_files = True scannedonly:allow_nonscanned_files = False Logging in, roaming profiles etc. is working fine, but VFS are not. It looks like "vfs objects" directive is totally ignored. Samba (with log level 3) prints no error messages regarding VFS, nor any other information stating that any of those modules are loaded or not. I can browse, read from and write into "public" share, but removed files are not moved to recycle dir, new files are not scanned (scannedonlyd_clamav is not getting any updates) and those with "scanned", "virus" prefixes (created by manually forcing scannedonlyd to check directory) are visible for the users, so vfs_scannedonly is not working. I couldn't find any information about VFS configuration in Samba4. Is it working in this version? Is VFS configuration changed? Regards -- 熊城 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Migrate samba3.5 classic domain to Windows2008R2
On Thu, 2012-12-20 at 16:33 -0500, Adam Tauno Williams wrote: > On Thu, 2012-12-20 at 14:06 -0600, Hoover, Tony wrote: > > Most of the documentation I have found on the subject is several years old > > and involves creating a new domain and then migrating users/workstations > > from the classic domain to the new AD. I'd prefer to not create another > > domain. > > AFAIK, Microsoft no longer provides any means to upgrade from an NT > domain. All the tools are deprecated, and they don't like to run on > current servers. At least that is what I found. > > > I have ~150 users & workstations, 30 domain groups, 5 local groups, and an > > interdomain trust (to a 2003AD) to allow some administrative users access to > > some academic resources. > > What is the simplest/cleanest method to accomplish the migration? What > > precautions do I need to take to make sure I can get back to the current > > setup if migration experiments fail? > > It is actually pretty simple. > > (a) Provision a LINUX host > (b) Install Samba4 > (c) Perform and Samba3 -> Samba4 domain upgrade. This will migrate you > data from the Samba3 NT domain to an Active Directory domain. > (d) Promote a Windows 2008 server to be a DC > (e) Demote the Samba4 as DC > > You are now on Active Directory with a Windows 2008 DC. > > You'll have to recreate your trust accounts, I assume. This is pretty much what I would have suggested. I agree that inter-domain trusts will almost certainly need to be re-established. I would hope the original poster would be able to show the Samba 4.0 domain working very nicely, but I understand that management directions are difficult to shift, even with the new features that a Samba 4.0 upgrade brings. Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
