Re: [Samba] 3.6.12 winbind problem

2013-02-13 Thread Christopher Chan

On Thursday, February 14, 2013 03:09 PM, Christopher Chan wrote:

On Thursday, February 14, 2013 02:19 PM, Christopher Chan wrote:

winbind has problems resolving gid sids.

I get cli_rpc_pipe_open_schannel_with_key failed: 
NT_STATUS_UNSUCCESSFUL in the debug output each time I try to look up 
a group name. e.g. wbinfo -n domain\ users


wbinfo -s of group SIDs will fail with:

failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-00-0-0-513

wbinfo -t, wbinfo -n of users and wbinfo -S/-U will however work.


Running over time, even wbinfo -n of users will fail.

Running winbindd -n will result in consistent failures to lookup 
anything from the get-go.



Got pdu len 64, data_len 40, ss_len 0
rpc_api_pipe: got frag len of 64 at offset 0: NT_STATUS_OK
rpc_api_pipe: host bradbdc.bradbury.lan returned 40 bytes.
 epm_Map: struct epm_Map
out: struct epm_Map
entry_handle : *
entry_handle: struct policy_handle
handle_type  : 0x (0)
uuid : 
252e6404-1bfb-4aab-ac99-1421a1b83330

num_towers   : *
num_towers   : 0x (0)
towers: ARRAY(0)
result   : 0x16c9a0d6 (382312662)
cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] 3.6.12 winbind problem

2013-02-13 Thread Christopher Chan

On Thursday, February 14, 2013 02:19 PM, Christopher Chan wrote:

winbind has problems resolving gid sids.

I get cli_rpc_pipe_open_schannel_with_key failed: 
NT_STATUS_UNSUCCESSFUL in the debug output each time I try to look up 
a group name. e.g. wbinfo -n domain\ users


wbinfo -s of group SIDs will fail with:

failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-00-0-0-513

wbinfo -t, wbinfo -n of users and wbinfo -S/-U will however work.


Running over time, even wbinfo -n of users will fail.

Running winbindd -n will result in consistent failures to lookup 
anything from the get-go.



Re: [Samba] rsync'ing samba shares

2013-02-13 Thread Daniel Müller
Use glusterfs on a raid. It is just easy to set up. Real-time syncing between 
file shares HA. Block devices like drbd are limited to have only two nodes, 
glusterfs can have as many as you like.




---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
behalf of Christian Rost
Sent: Thursday, 14 February 2013 07:52
To: Greg Sloop; Gregory Sloop; samba@lists.samba.org
Subject: Re: [Samba] rsync'ing samba shares

Hi Greg,

the answer to your question can be quite complex, depending on your needs and 
your setup. If we are sticking with file-syncing then you can use robocopy as 
well as rsync. It depends on the amount of data that needs to be synced, how 
often you want to sync, how can the DCs reach each other, ...

If you link your DCs together via a separate sync-only network, I would prefer 
rsync. That way you do not interfere with the regular network. Anyway, syncing 
by rsync/ robocopy has the drawback that it is always lagging behind. 

If both machines are in the same network consider using a distributed 
filesystem/ block device that syncs the data between the nodes on the fly.

Cheers,

Christian



Gregory Sloop wrote:

>I know this has come up a bit in the past, but consider this
>situation:
>
>Two Samba4 DC's - and I want to "mirror" the data shares to the 
>"backup" DC in case we lose the primary DC and its file shares.
>
>[A cheap, dirty, poor-mans semi-CTDB. How did you ever guess that Red 
>Green was helping me?!]
>
>The easiest way is probably rsync'ing the data.
>
>However, will that include all the ACL's and extra data associated with 
>the files. I understand that to a disk on part of the DC, it might not. 
>But on the second DC, all the relevant users, AD group etc do all 
>exist.
>
>So, is using rsync in such a situation reasonable/workable, or should 
>we use some windows based utility - say robocopy to handle this?
>
>TIA
>-Greg
>

Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

Re: [Samba] rsync'ing samba shares

2013-02-13 Thread Christian Rost
Hi Greg,

the answer to your question can be quite complex, depending on your needs and 
your setup. If we are sticking with file-syncing then you can use robocopy as 
well as rsync. It depends on the amount of data that needs to be synced, how 
often you want to sync, how can the DCs reach each other, ...

If you link your DCs together via a separate sync-only network, I would prefer 
rsync. That way you do not interfere with the regular network. Anyway, syncing 
by rsync/ robocopy has the drawback that it is always lagging behind. 

If both machines are in the same network consider using a distributed 
filesystem/ block device that syncs the data between the nodes on the fly.

Cheers,

Christian



Gregory Sloop wrote:

>I know this has come up a bit in the past, but consider this
>situation:
>
>Two Samba4 DC's - and I want to "mirror" the data shares to the
>"backup" DC in case we lose the primary DC and its file shares.
>
>[A cheap, dirty, poor-mans semi-CTDB. How did you ever guess that Red
>Green was helping me?!]
>
>The easiest way is probably rsync'ing the data.
>
>However, will that include all the ACL's and extra data associated
>with the files. I understand that to a disk on part of the DC, it
>might not. But on the second DC, all the relevant users, AD group etc
>do all exist.
>
>So, is using rsync in such a situation reasonable/workable, or should
>we use some windows based utility - say robocopy to handle this?
>
>TIA
>-Greg
>

Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de

[Samba] 3.6.12 winbind problem

2013-02-13 Thread Christopher Chan

winbind has problems resolving gid sids.

I get cli_rpc_pipe_open_schannel_with_key failed: NT_STATUS_UNSUCCESSFUL 
in the debug output each time I try to look up a group name. e.g. wbinfo 
-n domain\ users


wbinfo -s of group SIDs will fail with:

failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-00-0-0-513

wbinfo -t, wbinfo -n of users and wbinfo -S/-U will however work.

regards,

Christopher


Re: [Samba] Samba4: Extending the Schema

2013-02-13 Thread Gémes Géza

On 2013-02-14 06:42, Fabian von Romberg wrote:

Hi Bob,

could you please share the link where you found in google how to enable it.

Regards,
Fabian



Hi,

You are probably looking for: 
http://technet.microsoft.com/en-us/library/cc737499%28v=ws.10%29.aspx


Regards

Geza Gemes


Re: [Samba] Samba4: Extending the Schema

2013-02-13 Thread Fabian von Romberg
Hi Bob,

could you please share the link where you found in google how to enable it.

Regards,
Fabian

On 02/11/2013 04:50 PM, Bob Miller wrote:
> 
> On Mon, 2013-02-11 at 20:11 +0100, Gémes Géza wrote:
>> On 2013-02-11 20:04, Varoujan Avanessians wrote:
>>> Hi
>>>
>>> We are thinking of Developing a corporate Directory application that would
>>> pull user information from Samba4 Ad. However for our needs we need some
>>> additional User attributes that don't seem to be available as part of the
>>> AD-schema, such as "Hire Date" or "Emergency contact information", so it
>>> seems to me that I would need to Extend the Schema to make this user
>>> attributes available. My question is: Can this be done? and if so has
>>> anyone done something similar and can direct me to the right place for
>>> information? Any help is greatly appreciated.
>>>
>> Hi,
>>
>> As a jump-start: https://wiki.samba.org/index.php/Samba4/Schema_extenstions
>>
>> Regards
>>
>> Geza Gemes
> 
> One thing that is not on that page that I found useful was the schema
> snap in.  Google will show you how to enable it.  It is very labour
> intensive if you are going to be adding tens or hundreds of attributes,
> but for adding two or three attributes, I found it much faster and
> easier to use than ldifs.
> 




Re: [Samba] "map to guest = bad user" ignored in Samba 4?

2013-02-13 Thread Ricky Nance
Hi Sebastian,
Many of the per share options can now be done using ACL's. In this case you
would open the netlogon share (via windows) start -> run ->
\\MY-SERVER\netlogon (then press enter), then right click on a blank spot
in that folder (not on any other file or folder) and select properties.
Find the security tab and you can make the modifications you want
(specifically adding Everyone with full permissions should give you what
you are looking for, though I have not been able to test this yet). If I
get a chance soon I will do some testing to make sure that the acl change
is all that is needed.

To find out what options are available, samba-tool testparm -v will give
you a nice list (at least for global).

Ricky


On Wed, Feb 13, 2013 at 4:33 AM, Sebastian Arcus  wrote:

> I would like to migrate some of my Samba 3.x domains to Samba 4. Part of
> the functionality of the current system is allowing some Windows XP Pro
> computers, which are not joined to the domain, access to some public shares
> on the Samba server. I tried using "map to guest = bad user" with Samba 4 -
> but it appears to be completely ignored and the Windows XP machine keeps on
> prompting for username/password when trying to access the server share. Has
> this option been dropped in Samba 4? Is there another way to accomplish the
> same?
>
> Otherwise my Samba 4 domain seems to be working fine - and the Windows XP
> Pro machines which are joined to it can access the share fine.
>
> As a side note, I find it hard to figure out which smb.conf options are
> still available for Samba 4 and which are not. I've googled around and
> can't seem to find a wiki page or authoritative page.
>
> I use Samba 4.1.0pre1
>
> Here is my smb.conf
>
>
> [global]
> workgroup = MYDOMAIN
> realm = mydomain.local
> netbios name = MY-SERVER
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> map to guest = bad user
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydomain.local/scripts
> read only = No
> public = Yes





[Samba] replace Windows 2003 dc / dns issues

2013-02-13 Thread Peter Beck
Hi guys,

I'm about to replace an existing Windows Server 2003 Active Directory
domain with Samba4 (package from Debian Wheezy).

Joining the Samba4 dc according to the Samba Wiki[1] is working great,
replication works without errors from both worlds (windows or samba).

After transferring the fsmo roles with ntdsutil to the samba4 domain
controller (btw: does it matter if ntdsutil or samba-tool fsmo transfer 
is being used ?), I would like to demote the windows server and use samba4 only.

But if I shut down the Windows DC, all DNS entries are "empty" on the
samba side (the forward zones are created on the Samba server, but the only 
entries are the global catalog entries.)
The domain functional level was set to "Server 2003" (the highest available 
option with 2003) before adding the new Samba4 dc.
If I run samba_dnsupdate --verbose there are no errors - everything
seems to be fine.

samba-tool dns zonelist  shows me following zones
2 zone(s) found

pszZoneName : adlab.local
Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType    : DNS_ZONE_TYPE_PRIMARY
Version     : 50
dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn   : DomainDnsZones.adlab.local

pszZoneName : _msdcs.adlab.local
Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType    : DNS_ZONE_TYPE_PRIMARY
Version     : 50
dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn   : ForestDnsZones.adlab.local

My question now is, if the Windows Server will be demoted, do I need to 
add "dns" to the "server services" section in smb.conf ? (I would like
to use Samba internal DNS) IMO it's needed when Samba is the only dc in 
the network. Is that correct ? Do I also need to add the "nsupdate
command" parameter to smb.conf after demoting the windows dc ?

How do I correctly move dns to the Samba Server and replace the
Windows DC finally ?

Is it needed to configure zone transfers from the Windows DC to the
Samba Server ? (even if both dns are active directory integrated ?)
But even if I enable transfers, there is no content on the samba server
dns... do I need to disable "Global Catalog" on the Windows DC before
demoting the server ? Lots of questions...

There are lots of manuals how to add an additional DC, but somehow I am
missing a howto for _replacing_ an existing DC with Samba4.

Thanks in advance
Peter

[1] https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC


Re: [Samba] rsync'ing samba shares

2013-02-13 Thread Edward Ashley
Hi,
I have a slightly similar setup with a primary / slave samba server on
site, using DRBD for the data replication. And I nightly rsync the
directories to a third samba server offsite. I also then rsync that third
system with a backup server running ZFS on linux and then take a snapshot.
I would be using rsync with the a option or at least look into what the a
option implies. I would also be checking the permissions on the parent
directories, that caught me out once.
Thanks
Ned


On 13 February 2013 23:35, Gregory Sloop  wrote:

> I know this has come up a bit in the past, but consider this
> situation:
>
> Two Samba4 DC's - and I want to "mirror" the data shares to the
> "backup" DC in case we lose the primary DC and its file shares.
>
> [A cheap, dirty, poor-mans semi-CTDB. How did you ever guess that Red
> Green was helping me?!]
>
> The easiest way is probably rsync'ing the data.
>
> However, will that include all the ACL's and extra data associated
> with the files. I understand that to a disk on part of the DC, it
> might not. But on the second DC, all the relevant users, AD group etc
> do all exist.
>
> So, is using rsync in such a situation reasonable/workable, or should
> we use some windows based utility - say robocopy to handle this?
>
> TIA
> -Greg
>
>
Edward Ashley
Developer

e. n...@redmonkeysoftware.com
u. www.redmonkeysoftware.com
t. 0845 867 3849
f. 0845 867 4127

Red Monkey Software | Superior Software Solutions

Red Monkey Software Ltd, 24 The Layne, Elmer Sands, Bognor Regis, West Sussex. 
PO22 6JL
Registered in England and Wales no 5923420
Registered Office: 20 Springfield Road, Crawley, West Sussex, RH11 8AD


[Samba] rsync'ing samba shares

2013-02-13 Thread Gregory Sloop
I know this has come up a bit in the past, but consider this
situation:

Two Samba4 DC's - and I want to "mirror" the data shares to the
"backup" DC in case we lose the primary DC and its file shares.

[A cheap, dirty, poor-mans semi-CTDB. How did you ever guess that Red
Green was helping me?!]

The easiest way is probably rsync'ing the data.

However, will that include all the ACL's and extra data associated
with the files. I understand that to a disk on part of the DC, it
might not. But on the second DC, all the relevant users, AD group etc
do all exist.

So, is using rsync in such a situation reasonable/workable, or should
we use some windows based utility - say robocopy to handle this?

TIA
-Greg



[Samba] samba4 binary

2013-02-13 Thread ask-Q-view
Hi,

Can somebody tell me anything about the schedule for an upcoming samba4 binary, 
especially for Red Hat Enterprise or CentOS?

Because the alpha release of smb4 became part of the official repositories 
comparatively quickly.
 
Best,
Q.

 


[Samba] make dist: errors, and www.oasis-open.org almost stale

2013-02-13 Thread Andreas Gaiser/L
Hi,


I am trying to create a tarball from a 4.0.3 git checkout using "make
dist", but it throws errors (small sample below, detailed Copy&Paste on
request), and apart from this, www.oasis-open.org seems stale on
connects from xsltproc, as can be seen in the lsof sample, below as well.

Briefly and cheekily asked, is that normal? Are we all omitting docs in
packaging at the moment? If so, what are reasonable build options to use
these days? don't know, maybe it's a dumb question... I could also
imagine I have a version problem with certain build dependencies. Does
that look familiar to anybody?


Thanks+a good day,

Andreas

** make dist output:

...

make[1]: Entering directory `/usr/src/SAMBA4/samba/docs-xml'
Converting Samba-specific tags for Samba3-HOWTO...
http://www.oasis-open.org/docbook/xml/4.2/dbcentx.mod:1: parser error :
Content error in the external subset
HTTP/1.1 200 OK
^
http://www.oasis-open.org/docbook/xml/4.2/dbcentx.mod:1: validity error
: All markup of the conditional section is not in the same entity
HTTP/1.1 200 OK

...

** lsof | grep [pid-of-xsltproc] output:

...

xsltproc  1538   root3r  REG  202,215165
 557136
/usr/src/SAMBA4/samba/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml
xsltproc  1538   root4r  REG  202,2 1629
 557230 /usr/src/SAMBA4/samba/docs-xml/build/DTD/samba-doc
xsltproc  1538   root5u IPv4  14062  0t0
TCP host1.fakedomain.mad:56877->www.oasis-open.org:www (CLOSE_WAIT)
xsltproc  1538   root6u IPv4  14070  0t0
TCP host1.fakedomain.mad:56879->www.oasis-open.org:www (CLOSE_WAIT)
xsltproc  1538   root7w FIFO0,8  0t0
   6968 pipe
xsltproc  1538   root8u IPv4  14224  0t0
TCP host1.fakedomain.mad:56901->www.oasis-open.org:www (ESTABLISHED)

...

-- 
Andreas Gaiser, Berlin, Germany


[Samba] Can't get working nsswitch, specifically "wbinfo -u"

2013-02-13 Thread Sigun Nesvarbus

Hi,
my environment: Win2003 AD + Samba4 as second RW DC on Debian wheezy.
Samba compiled from source: samba --version
Version 4.1.0pre1-GIT-c932b13

Installed Samba4 according to these:
https://wiki.samba.org/index.php/Main_Page
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
https://wiki.samba.org/index.php/Samba4/Winbind

Everything went well according to the tutorial, until I tried to get the user 
list with wbinfo -u

After 4 to 5 minutes (yes, minutes, not seconds) it writes
Error looking up domain users

Interestingly, whatever does not involve listing all users works:
wbinfo --user-info info
CENTRAS\info:*:317:100:Test User:/home/CENTRAS/info:/bin/false

wbinfo --user-groups info
list of group's id's

wbinfo --gid-info 340
pr_pletra  (AD group, where info user belongs)

wbinfo --pam-logon info
Enter info's password:
plaintext password authentication succeeded

id info
works too, I get all AD groups where the user belongs

wbinfo -g works, I get AD groups.

I can access samba share, create/read files.

I attached excerpt from wbinfo -u strace. There are timeouts accessing 
/usr/local/samba/var/lib/winbindd_privileged

(socket exists and after samba restart is created again)

What's wrong with that? Where to search for a problem? I think I have a 
similar problem to the post <50ee8d9d.2000...@lillimoth.com> from 
2013-01-10, only there the waiting time was a couple of seconds; mine 
is a couple of minutes and I don't get the user list.


Could it be because we have more than 1000 AD users?

Sig.

15:19:55.446218 read(3, "/usr/local/samba/var/lib/winbind"..., 45) = 45 
<0.08>
15:19:55.446254 lstat("/usr/local/samba/var/lib/winbindd_privileged", 
{st_mode=S_IFDIR|S_ISGID|0750, st_size=4096, ...}) = 0 <0.10>
15:19:55.446309 lstat("/usr/local/samba/var/lib/winbindd_privileged/pipe", 
{st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0 <0.09>
15:19:55.446361 socket(PF_FILE, SOCK_STREAM, 0) = 4 <0.11>
15:19:55.446397 fcntl(4, F_GETFL)   = 0x2 (flags O_RDWR) <0.05>
15:19:55.446427 fcntl(4, F_SETFL, O_RDWR|O_NONBLOCK) = 0 <0.06>
15:19:55.446457 fcntl(4, F_GETFD)   = 0 <0.06>
15:19:55.446487 fcntl(4, F_SETFD, FD_CLOEXEC) = 0 <0.06>
15:19:55.446516 connect(4, {sa_family=AF_FILE, 
path="/usr/local/samba/var/lib/winbindd_privileged/pipe"}, 110) = 0 <0.97>
15:19:55.446655 close(3)= 0 <0.56>
15:19:55.446740 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 0) = 0 (Timeout) 
<0.07>
15:19:55.446776 write(4, 
"0\10\0\0\22\0\0\0\0\0\0\0gk\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 2096) = 
2096 <0.000120>
15:19:55.446951 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.002095>
15:20:00.449121 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.003899>
15:20:05.453109 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.003930>
15:20:10.457128 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.005036>
15:20:15.462254 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.005045>
15:20:20.467382 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.001633>
15:20:25.469099 poll([{fd=4, events=POLLIN|POLLHUP}], 1, 5000) = 0 (Timeout) 
<5.003915>
15:20:30.473105 close(4)= 0 <0.18>
15:20:30.473198 write(2, "Error looking up domain users\n", 30Error looking up 
domain users
) = 30 <0.10>
15:20:30.473354 exit_group(1)   = ?

[Samba] tdb2 idmap script issue

2013-02-13 Thread Orlando Richards

Hi folks,

In our happy adventures in ID mapping between windows and Unix, I've 
come across an odd issue with the idmap : script mapping method when 
using tdb2.


Basically - my idmap script behaves like this:

#idmap.sh IDTOSID GID 123456
SID:S-blah-blah-blah

as one would hope, and as per the requirements in the idmap_tdb2 man 
page. Similarly, it'll return UID:123545 or GID:1234356 in response to 
SIDTOID S-blah-blah-blah


This all works well when calling the script directly, but when running 
it through winbind I was getting:


# wbinfo -G 12345
Could not convert gid 12345 to sid

despite the fact that this would return fine:

# idmap.sh IDTOSID 12345
SID:S-blah-blah-blah

However, going the other way would always work fine (SIDTOID).

(To be clear - I was flushing the cache and deleting the relevant 
entries from the tdb's between lookups.)


In a flash of inspiration, I changed the "echo SID:$SID" line in my 
idmap to be "printf SID:$SID" so that it didn't give a newline in the 
response, and, lo and behold, it magically started working fine!


Note that the SIDTOID calls still use "echo GID:$GID", and not printf, 
and work fine.


So - a quick patch to the example "idmap-nis.sh" script might act as a 
quick workaround:


--- examples/scripts/idmap/idmap_nis.sh.orig	2013-02-13 
16:27:07.253852132 +

+++ examples/scripts/idmap/idmap_nis.sh 2013-02-13 16:27:18.633913917 +
@@ -108,7 +108,7 @@
echo "ERR: name $name not found in ADS"
exit 1
}
-   echo "SID:$sid"
+   printf "SID:$sid"
;;
 *)
echo "ERR: Unknown command $cmd"
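
Review bot: on the added line `printf "SID:$sid"`, the value of `$sid` becomes part of printf's format string, so any `%` or backslash in it would be interpreted instead of printed; `printf '%s' "SID:$sid"` drops the newline just the same and keeps the value as data. A one-line comment above it saying why this branch must not end in a newline would also keep a later cleanup from turning it back into echo, since the two `echo "ERR: ..."` lines in the same hunk are left unchanged.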


but I'm afraid my efforts to dig into the source3/winbindd/idmap_tdb2.c 
code came up against my non-coder impenetrable barrier of fail!


Hope this helps someone - let me know if you think I should do anything 
further with this (like submitting a bug).



--
  Orlando

The University of Edinburgh is a charitable body, registered in 
Scotland, with registration number SC005336.
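
An added example, not from the original post and not Samba's own idmap_nis.sh: a small idmap script for the interface described in the message above, which answers IDTOSID with `SID:` and no trailing newline (the form the post reports winbind accepting), validates its arguments before using them, and passes every value to printf as data. The mapping table, the SIDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Samba's idmap_nis.sh): an idmap script for the
# "idmap : script" interface discussed above.
#   IDTOSID UID <n> | IDTOSID GID <n>  ->  SID:<sid>   (no trailing newline)
#   SIDTOID <sid>                      ->  UID:<n> or GID:<n>
#   anything else                      ->  ERR:<reason>

# Constructed sample mappings, one "<kind> <id> <sid>" per line.
IDMAP_TABLE='UID 10001 S-1-5-21-1111111111-2222222222-3333333333-1105
GID 12345 S-1-5-21-1111111111-2222222222-3333333333-513'

# True only for a non-empty string of decimal digits.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# True only for "S-" followed by dash-separated decimal fields.
is_sid() {
    case "$1" in
        S-[0-9]*) ;;
        *) return 1 ;;
    esac
    case "${1#S-}" in
        *[!0-9-]*|*--*|*-) return 1 ;;
    esac
    return 0
}

# ERR, UID and GID replies end in a newline, as the echo lines in the post do.
reply_line() { printf '%s\n' "$1"; }

# SID replies carry no newline (the form the post found winbind accepts).
# '%s' keeps the looked-up value out of printf's format string.
reply_sid() { printf '%s' "SID:$1"; }

idmap_reply() {
    case "$1" in
        IDTOSID)
            kind=$2
            id=$3
            case "$kind" in
                UID|GID) ;;
                *) reply_line "ERR:bad id type"; return 1 ;;
            esac
            is_number "$id" || { reply_line "ERR:bad id"; return 1; }
            # Compare as strings so "0123" never matches "123".
            sid=$(printf '%s\n' "$IDMAP_TABLE" |
                awk -v k="$kind" -v i="$id" \
                    '$1 == k && ($2 "") == (i "") { print $3; exit }')
            [ -n "$sid" ] || { reply_line "ERR:no mapping"; return 1; }
            reply_sid "$sid"
            ;;
        SIDTOID)
            sid=$2
            is_sid "$sid" || { reply_line "ERR:bad sid"; return 1; }
            hit=$(printf '%s\n' "$IDMAP_TABLE" |
                awk -v s="$sid" '$3 == s { print $1 ":" $2; exit }')
            [ -n "$hit" ] || { reply_line "ERR:no mapping"; return 1; }
            reply_line "$hit"
            ;;
        *)
            reply_line "ERR:unknown command"
            return 1
            ;;
    esac
}

# Act as the idmap script only when called with arguments.
if [ "$#" -gt 0 ]; then
    idmap_reply "$@"
    exit $?
fi
```
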



Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-13 Thread Kinglok, Fong
Dear all,

After setting dos charset = CP950 (which is the codepage for traditional 
chinese), the same error still remains.

Furthermore, I have tried testing in a real production environment by the 
following steps:

1.  In smb.conf,
 I create a share called Chinese and increase the log level to 10.
[global]
workgroup = YAUOICHURCH
realm = SAMBA4.YAUOI.ORG
netbios name = FILE
server role = active directory domain controller
dns forwarder = 192.168.107.1
log level = 10
unix charset = UTF8
dos charset = CP950
[netlogon]
path = 
/usr/local/samba/var/locks/sysvol/samba4.yauoi.org/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
...
[Chinese]
path = /home/chinese
read only = No

2.  In the file server, I have created a directory /home/chinese and also, 
inside it, I have open a folder called "$BCfJ8B,;n(B" and I have tested the 
name is in UTF-8.

3.  I made use of Windows 7 64-bit Traditional Chinese as client to try to 
browse the share Chinese and then the folder (the client has joined the domain 
already) and I install wireshark to capture the packet.
The wireshark capture is here:
http://kinglok.org/wireshark2.pcapng

4.  the log.smbd still show
[2013/02/13 18:12:11.869648,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+#"1$(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.870614,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1$(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.871426,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.872210,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.872970,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.873757,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.874520,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.875503,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.876199,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.876953,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+2"m"C(B)
[2013/02/13 18:12:11.877743,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"m"C(B)

The whole log is here:
http://kinglok.org/log.smbd.2

Should I file a bug for it?

Kinglok, Fong


On 11 Feb 2013, at 11:14 PM, TAKAHASHI Motonobu wrote:

> From: "Kinglok, Fong" 
> Date: Sun, 10 Feb 2013 09:40:49 +0800
> 
>> Thank you for your help but…
>> 
>> I execute some commands to make sure the locale is in UTF-8 by
>> dpkg-reconfigure locales and even adding setting in /etc/environment
>> 
>> and using utility like convmv to turn all file and folder into UTF-8 (in 
>> fact, they were in UTF-8 already.)
>> 
>> I add option in smb.conf
>> unix charset = UTF8
>> dos charset is omitted as default (dos charset = CP850)
>> 
>> However, when I run
>> /usr/local/samba/bin/smbclient //localhost/Public 
>> -UAdministrator%'verysecurepasswd' -c 'ls'
>> 
>> The same error in my log 

[Samba] "map to guest = bad user" ignored in Samba 4?

2013-02-13 Thread Sebastian Arcus
I would like to migrate some of my Samba 3.x domains to Samba 4. Part of 
the functionality of the current system is allowing some Windows XP Pro 
computers, which are not joined to the domain, access to some public 
shares on the Samba server. I tried using "map to guest = bad user" with 
Samba 4 - but it appears to be completely ignored and the Windows XP 
machine keeps on prompting for username/password when trying to access 
the server share. Has this option been dropped in Samba 4? Is there 
another way to accomplish the same?


Otherwise my Samba 4 domain seems to be working fine - and the Windows 
XP Pro machines which are joined to it can access the share fine.


As a side note, I find it hard to figure out which smb.conf options are 
still available for Samba 4 and which are not. I've googled around and 
can't seem to find a wiki page or authoritative page.


I use Samba 4.1.0pre1

Here is my smb.conf


[global]
workgroup = MYDOMAIN
realm = mydomain.local
netbios name = MY-SERVER
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
map to guest = bad user

[netlogon]
path = /var/lib/samba/sysvol/mydomain.local/scripts
read only = No
public = Yes


Re: [Samba] [Possibly solved] Trust problems after upgrade from 3.5 to 3.6

2013-02-13 Thread Andrea Venturoli

On 02/09/13 13:12, Andrea Venturoli wrote:


There are some messages in event viewer which confirm the fact that my
samba is contacting the Windows servers for authentication (which
succeeds or fails normally).



I'm investigating further.


I did some further testing:

_ winbindd authenticates correctly against the trusted domain;

_ smbd, however, won't recognize the user and we have two cases:
  a) if a user with the same name exists in the Samba domain, it will 
be mistakenly chosen; this is enough for browsing (smbclient -L);
  b) if a user with the same name does not exist in the Samba domain, 
browsing will fail;


_ even in case a), no access will be granted to a share.



I searched the web and saw a lot of other people having the same or 
similar problem; I even found bug reports about this and got discouraged.
Since this was happening on a production box and we could not stand this 
trouble anymore, I moved back to Samba 3.5, since




I then prepared a new box, with Samba 3.6, configured as a member of the 
Samba domain and continued my tests there.

A message in the logs finally opened my eyes:

[2013/02/12 18:11:16.282916,  0] passdb/lookup_sid.c:1684(get_primary_group_sid)
  Failed to find a Unix account for nagcheckUser nagcheck in passdb, but 
getpwnam() fails!


So I went in /etc/nsswitch.conf and changed

passwd: files ldap

to

passwd: files ldap winbindd


Everything started working as expected.



Now, before I try again on the production server (which is also the 
PDC), I'm asking for confirmation that this might have been the cause.

This was not needed under Samba 3.5; is it really needed with 3.6?
No way to avoid this, given I won't in any case have any local file 
owned by the trusted domain users?




 bye & Thanks
av.
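
The log line in this message points at getpwnam(), so the NSS source list is the first thing to check on a member server. The following is an added example, not part of the original post: it lists which nsswitch.conf databases lack a given source. The source name is passed as an argument (Samba's NSS module is normally referenced as `winbind`), and the sample file is constructed.

```shell
#!/bin/sh
# Added example: report which nsswitch databases do not list a given source.
# The sample file at the bottom is constructed for illustration.

# nss_sources FILE DB -> prints the sources configured for DB, one per line,
# ignoring comments and action items such as [NOTFOUND=return].
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -v db="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, db ":") == 1 {
            sub(/^[^:]*:/, "", line)
            gsub(/\[[^]]*\]/, " ", line)
            n = split(line, src, /[ \t]+/)
            for (i = 1; i <= n; i++) if (src[i] != "") print src[i]
        }'
}

# nss_missing FILE SOURCE DB... -> prints each DB that lacks SOURCE;
# returns 0 when every DB lists it, 1 otherwise.
nss_missing() {
    file=$1; want=$2; shift 2
    rc=0
    for db in "$@"; do
        if ! nss_sources "$file" "$db" | grep -qxF "$want"; then
            echo "$db"
            rc=1
        fi
    done
    return $rc
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
passwd: files ldap
group:  files ldap winbind   # trailing comment
hosts:  files dns
EOF
echo "databases without winbind:"
nss_missing "$sample" winbind passwd group || true
```

On a live system, `getent passwd <user>` then shows whether the account that smbd looks up through getpwnam() actually resolves.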


Re: [Samba] 389 Directory Server (LDAP) and SAMBA

2013-02-13 Thread Christian Rost
Hi Dorian,

samba and ldap don't need to be on the same machine, but most setups use it 
this way. In smb.conf you have to specify your passdb backend like

passdb backend = ldapsam:ldap:///

or better 

passdb backend = ldapsam:ldaps:///

to transmit the queries over TLS/ SSL. In addition to samba, you need to set up 
your OS itself, to authenticate against LDAP (see nsswitch, pam).

With samba 3.x you need to add additional objectclasses and attributes to your 
ldap based user/ group profiles. See 
[http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html] for more 
details. If the Windows RID and Linux UID/ GID are stored in your user/ group 
profiles, you don't need winbind and idmap. 

You only need winbind/ idmap if you're authenticating Linux against samba or a 
Windows host, but that's not what you want to do. 

## Additional Information:
http://www.samba.org/samba/docs/man/Samba3-HOWTO/
http://www.samba.org/samba/docs/man/Samba3-HOWTO/samba-bdc.html#id2566941
http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html#id2593073
http://www.samba.org/samba/docs/man/Samba3-HOWTO/passdb.html

Cheers,

Christian
===
Dipl.-Ing. Christian Rost [T.I.S.P.]
roCon - Informationstechnologie
Ulmenstraße 45

44534 Lünen

fon: +49 (0) 2306 910 658
fax: +49 (0) 2306 910 664
url: http://www.rocon-it.de


Dorian Preston  wrote
Subject: [Samba] 389 Directory Server (LDAP) and SAMBA
Date: 12.02.2013 23:09

>I have:
>
>*389 Directory Server (v1.2) with about 100+ current and active users.
>*Separate SAMBA server that I would like to use LDAP credentials to
>authenticate with.
>
>Found guides for using LDAP credentials with SAMBA here:
>http://directory.fedoraproject.org/wiki/Howto:Samba
>http://sangacollins.wordpress.com/posts/directory-server/
>
>
>
>What I have been able to do:
>
>Added the samba schema information (61samba.ldif) into my 389 directory
>server.
>
>Used the configure.pl script to configure smbldap-tools for my 389
>Directory server.
>
>Ran smbldap-populate to add the basic Windows user setup for SAMBA. 
>
>
>Issues:
>
>It seems that all of the SAMBA/LDAP guides expect SAMBA and LDAP to be on
>the same server.
>
>Don't really understand how I am supposed to add the SAMBA schema
>information to my current LDAP users so they can be authenticated via
>SAMBA.
>
>One of the guides says a lot about enabling winbind and authconfig. Don't
>know if this is needed.
>
>
>Questions:
>
>Is there any up to date documentation for using 389 Directory Server as an
>LDAP Authentication Backend for SAMBA?
>
>Is there a process (read. I unfortunately can't just delete/add user
>accounts with SAMBA info) for adding SAMBA information into my existing
>LDAP accounts?
>
>Do I need to do anything using authconfig?
>
>
>
>
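
With Samba and the directory on separate hosts, the choice between the two `passdb backend` forms in the reply decides whether the bind password and the Samba password attributes cross the network protected. The following is an added example, not part of the original message or of Samba's tooling: it reads `[global]` from an smb.conf and classifies the ldapsam transport from the URI scheme and the `ldap ssl` setting. The host name and sample file are constructed.

```shell
#!/bin/sh
# Added example: classify how an ldapsam passdb backend reaches the directory.
# Host names and the sample smb.conf are constructed for illustration.

# smbconf_get FILE PARAM -> value of PARAM in [global]; the last setting wins.
smbconf_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[global]" && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            val  = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/[ \t]+/, " ", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }' "$1"
}

# ldapsam_transport FILE -> tls | starttls | cleartext | ldap-ssl-unset |
#                           review | not-ldapsam
ldapsam_transport() {
    backend=$(smbconf_get "$1" "passdb backend")
    ssl=$(smbconf_get "$1" "ldap ssl" | tr 'A-Z' 'a-z')
    case $backend in
        ldapsam*) ;;
        *) echo not-ldapsam; return 0 ;;
    esac
    case $backend in
        *ldap://*)            # plain LDAP URI: protection depends on "ldap ssl"
            case $ssl in
                "start tls") echo starttls ;;
                off)         echo cleartext ;;
                "")          echo ldap-ssl-unset ;;   # check: testparm -sv
                *)           echo review ;;
            esac ;;
        *ldaps://*) echo tls ;;
        *)          echo review ;;                    # no URI, ldapi://, ...
    esac
}

conf=$(mktemp)
printf '%s\n' '[global]' \
    '  passdb backend = ldapsam:ldap://directory.example.test' \
    '  ldap ssl = off' '[Public]' '  ldap ssl = start tls' > "$conf"
echo "transport: $(ldapsam_transport "$conf")"
```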
