Re: [Samba] getent group return only local users
Yes I did. It was an idmap problem ... The command works with the following lines in smb.conf:

    idmap *:backend = tdb
    idmap *:range = 70001-8
    idmap config SC:backend = ad
    idmap config SC:schema_mode = rfc2307
    idmap config SC:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes

I've suppressed config in the first two lines ... But an explanation would be welcome.

Thanks

On 20/02/2013 18:20, Ricky Nance wrote:
> Did you make the appropriate symlinks for winbind.so? I use Ubuntu and mine look like the following:
>
>     root@server:/lib/x86_64-linux-gnu# ls -alh | grep winbind
>     lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2
>     lrwxrwxrwx 1 root root 40 Nov 23 14:45 libnss_winbind.so.2 -> /usr/local/samba/lib/libnss_winbind.so.2
>
> However your distribution may store them in a different location, so first you need to find out where your other libnss files are at, and then cd to that directory (in my example, cd /lib/x86_64-linux-gnu) and then do a
>
>     ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./
>     ln -s /usr/local/samba/lib/libnss_winbind.so.2 ./libnss_winbind.so
>
> (that is a lower case LN not IN)
>
> Ricky
>
> On Wed, Feb 20, 2013 at 8:24 AM, Hervé Hénoch h.hen...@isc84.org wrote:
> > Hello
> >
> > I use S4 file server with nsswitch.conf (ad server is another Linux with S4):
> >
> >     passwd: compat winbind
> >     group: compat winbind
> >
> > I wonder how it can be possible that:
> >
> > * getent passwd is ok
> > * but getent group returns only local users (wbinfo -g is ok and gives domain user)
> >
> > Any idea?
> >
> > Regards
> > --
> > Hervé Hénoch
> > IT Manager
> > Institut Sainte Catherine
> > 250 chemin de Baigne-Pieds
> > CS 80005 --- 84918 AVIGNON cedex 9
> > Telephone: 04.90.27.57.44
> > --
> > To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 --- 84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44
Re: [Samba] LDAP recommendations please
On Wed, 2013-02-20 at 20:50 +, ray klassen wrote:
> Currently I have a samba 3 domain setup with an LDAP backend. It's been very convenient and fault tolerant for me to put read-only replicas of the ldap database on all servers that use LDAP authentication. I'd like to keep doing that after switching to samba 4. Can that be done?

Yes, it can. However, it will remain a 'classic' domain controller, and not be an AD domain controller. Upgrading to AD requires that you use our internal LDAP backend.

https://wiki.samba.org/index.php/Samba4/FAQ

Sorry,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
[Samba] Samba PDC not in network environment (Windows 7/8)
I recently changed my clients (3 notebooks, 2 desktop pcs) from Windows XP Pro to Windows 7/8 Pro. I followed the guides that can be found on samba.org and all over the internet. Client migration worked after some minor trouble. There is only one thing left that I could not resolve the last few days. All clients see each other under Network but no client sees my samba server.

Though the samba PDC cannot be seen most of the network related stuff works as expected. Domain logons work, the per user netlogon script is executed (network shares on the PDC get mapped, time is synced), shares can be opened with \\PDC\share.

Executing nbtstat on the clients works except for -[s|S|R|RR] which results in no connection. Executing smbtree -N | smbclient -N works on the PDC.

To prevent common questions:

- client installation is not older than 30 days
- disabled pw change after 30 days in registry
- no firewall on clients
- PDC firewall allows traffic to and from ports 137-139,445
- samba version Version 3.6.12-162.1-2943-SUSE-SL12.1-x86_64

Output of netstat -an | egrep '13[789]|445'

    tcp   0   0 0.0.0.0:139           0.0.0.0:*            LISTEN
    tcp   0   0 0.0.0.0:445           0.0.0.0:*            LISTEN
    tcp   0   0 192.168.11.10:60002   192.168.11.230:445   VERBUNDEN
    udp   0   0 192.168.11.255:137    0.0.0.0:*
    udp   0   0 192.168.11.10:137     0.0.0.0:*
    udp   0   0 0.0.0.0:137           0.0.0.0:*
    udp   0   0 192.168.11.255:138    0.0.0.0:*
    udp   0   0 192.168.11.10:138     0.0.0.0:*
    udp   0   0 0.0.0.0:138           0.0.0.0:*

Remark: 192.168.11.230 is a nas storage which cannot be seen from clients either.

My smb.conf:

    [global]
    unix charset = UTF8
    display charset = UTF8
    workgroup = MyWorkgroupName
    server string = MyServerString
    netbios name = MyServerName
    netbios aliases = PDC
    interfaces = eth0, 127.0.0.0/8
    bind interfaces only = no
    map to guest = Bad User
    passdb backend = tdbsam
    username map = /etc/samba/smbusers
    username level = 1
    server signing = auto
    max protocol = SMB2
    client NTLMv2 auth = Yes
    log level = 2 smb:1 auth:1 sam:1 acls:1 passdb:1 tdb:1 winbind:1 idmap:1
    syslog = 0
    log file = /var/log/samba/log.%m
    max xmit = 65535
    name resolve order = wins bcast lmhosts hosts
    time server = Yes
    deadtime = 10
    paranoid server security = No
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_BROADCAST SO_SNDBUF=16384 SO_RCVBUF=16384
    hostname lookups = Yes
    add user script = /usr/sbin/useradd -d /home/%u -g users -k /etc/samba/skel -m -s /bin/false %u
    delete user script = /usr/sbin/userdel %u
    add user to group script = /usr/sbin/usermod -G %g %u
    set primary group script = /usr/sbin/usermod -g %g %u
    delete user from group script = /usr/sbin/groupmod -R %u %g
    add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false -g machines %u
    logon script = %U.bat
    logon path = \\%N\profiles\%U\%a
    domain logons = Yes
    os level = 88
    preferred master = Yes
    domain master = Yes
    local master = yes
    time server = yes
    wins support = Yes
    client use spnego = no
    ldap ssl = no
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind expand groups = 3
    winbind use default domain = no
    winbind rpc only = Yes
    winbind offline logon = no
    idmap config * : backend = tdb
    idmap config * : range = 15000 - 25000
    encrypt passwords = yes
    pam password change = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = Neues*Passwort* %n\nGeben Sie das neue Passwort erneut ein * %n\nPass*dert.\n
    veto files = /*.eml/*.nws/riched20.dll/*.{*}/
    dos filetime resolution = Yes
    printing = cups
    printcap = cups

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = @samba-domain-admins @Administrators
    read list = @samba-domain-users @machines @Familie
    force group = samba-domain-users
    browseable = No

    [profiles]
    path = /var/lib/samba/profiles
    profile acls = yes
    csc policy = disable
    read only = No
    browsable = no
    store dos attributes = yes
    guest ok = no
    printable = no
    hide files = /desktop.ini/*Briefcase*/
    write list = %S %S%w%D root
    hosts allow = 192.168.11., 127.0.0.1, 10.168.11.
    create mask = 0600
    directory mask = 0700

    [IPC$]
    path
[Samba] Samba 4
Hi,

where could I find documentation on setting up samba 4?

Thanks in advance.
Re: [Samba] ACL problem with Samba 3.4.x on GPFS
On Mon, 2013-02-18 at 13:52 +0100, Alexander Födisch wrote:
> When a file is created with samba 3.5.x or 3.6.x, it is created effective read-only:
>
>     ~ # getfacl Microsoft\ Word-Dokument\ \(neu\).docx
>     # file: Microsoft\040Word-Dokument\040(neu).docx
>     # owner: root
>     # group: 11816
>     user::rwx
>     user:11582:rwx    #effective:r--
>     group::rwx        #effective:r--
>     mask::r--
>     other::---
>
> The ACL-settings for the parent directory are ok:
>
>     ~ # getfacl .
>     # file: .
>     # owner: root
>     # group: 11816
>     user::rwx
>     user:11582:rwx
>     group::rwx
>     mask::rwx
>     other::---
>     default:user::rwx
>     default:user:11582:rwx
>     default:group::rwx
>     default:mask::rwx
>     default:other::---

I strongly recommend that you stop using system ACL tools to look at GPFS ACLs and use the vendor provided mmgetacl, mmputacl and mmeditacl to manipulate them.

You don't mention whether you are using the vfs_gpfs module, or why you are using Posix ACLs rather than NFSv4 ACLs. The latter makes much more sense.

All that said, are you running into the Office 2007 upwards feature where if you modify a document created by user A by user B, then user B ends up with read-only permissions on the document.

The fix I deployed was to use the following options so that vfs_gpfs was storing DOS attributes in the file system itself.

    ea support = yes
    store dos attributes = yes
    map readonly = no
    map archive = no
    map system = no
    gpfs : winattr = yes

Note that this was with an NFSv4 only GPFS file system.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Samba 4 DC - idmap config on a samba 4 member server
Did you compile Samba --with-shared-modules=idmap_ad?

On Thu, Feb 21, 2013 at 2:21 AM, Hervé Hénoch h.hen...@isc84.org wrote:
> Hello Franck
>
> I had the same problem. When I removed config in the two lines, getent group worked.
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-8
>
> For the role of idmap you can read:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> Regards
>
> On 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> > Without the idmap lines, it works too.
> >
> >     [global]
> >     workgroup = DDCS
> >     security = ADS
> >     realm = DDCS.LOCAL
> >     encrypt passwords = yes
> >     # idmap config *:backend = tdb
> >     # idmap config *:range = 70001-8
> >     # idmap config DDCS:backend = ad
> >     # idmap config DDCS:schema_mode = rfc2307
> >     # idmap config DDCS:range = 500-4
> >     winbind nss info = rfc2307
> >     winbind trusted domains only = no
> >     winbind use default domain = yes
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >
> > What is the real role of the idmap lines? I must have missed something.
>
> --
> Hervé Hénoch
> IT Manager
> Institut Sainte Catherine
> 250 chemin de Baigne-Pieds
> CS 80005 — 84918 AVIGNON cedex 9
> Telephone: 04.90.27.57.44
Re: [Samba] Samba 4
Hi,

first hit on google.

http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

greetings,
Markus

On 2013-02-21 12:17, Friedrich Locke wrote:
> Hi,
>
> where could I find documentation on setting up samba 4?
>
> Thanks in advance.
Re: [Samba] [INTERNET] Re: Samba 4 DC - idmap config on a samba 4 member server
Hello

I test your solution but if getent returns all users and groups (AD + local), all have the same UID/GID. Strange ...

This morning I commented out idmap config DDCS67:range = 500-4 and it works !!

ADs users/groups

    idmap config *:backend = tdb
    idmap config *:range = 7-7
    idmap config DDCS67:backend = ad
    idmap config DDCS67:schema_mode = rfc2307
    #idmap config DDCS67:range = 500-4
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = Yes
    winbind enum users = yes
    winbind enum groups = yes

    user1:*:70001:70001:user1l:/data/individuel/DDCS67/user1:/bin/false
    user2:*:70002:70001:user2:/data/individuel/DDCS67/user2:/bin/false
    user3:*:70011:70001:user3:/data/individuel/DDCS67/user3:/bin/false
    administrator:*:70003:70001:Administrator:/data/individuel/DDCS67/administrator:/bin/false
    user4:*:70004:70001:user4:/data/individuel/DDCS67/user4:/bin/false
    user5:*:70005:70001:user5:/data/individuel/DDCS67/user5:/bin/false

It's good but I don't understand why

Franck

On 21/02/2013 08:21, Hervé Hénoch (via Internet) wrote:
> Hello Franck
>
> I had the same problem. When I removed config in the two lines, getent group worked.
>
>     idmap config *:backend = tdb
>     idmap config *:range = 70001-8
>
> For the role of idmap you can read:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> Regards
>
> On 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> > Without the idmap lines, it works too.
> >
> >     [global]
> >     workgroup = DDCS
> >     security = ADS
> >     realm = DDCS.LOCAL
> >     encrypt passwords = yes
> >     # idmap config *:backend = tdb
> >     # idmap config *:range = 70001-8
> >     # idmap config DDCS:backend = ad
> >     # idmap config DDCS:schema_mode = rfc2307
> >     # idmap config DDCS:range = 500-4
> >     winbind nss info = rfc2307
> >     winbind trusted domains only = no
> >     winbind use default domain = yes
> >     winbind enum users = yes
> >     winbind enum groups = yes
> >
> > What is the real role of the idmap lines? I must have missed something.
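Added example, not part of the original messages and not Samba code: a Python check that reads the active idmap config lines of an smb.conf, flags a domain whose backend is set while its range line is missing or commented out (the state described in the message above), flags overlapping ranges, and reports which configured range each getent passwd UID falls in. The domain name EXAMPLE, all ranges and the getent lines are constructed for illustration.

```python
import re

# Both spellings occur on this page:
#   "idmap config DOM:key = value" and "idmap config DOM : key = value".
IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf_text):
    """Return {domain: {"backend": ..., "range": (low, high)}} for active lines."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # commented-out settings are not in effect
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "range":
            low, high = (int(part) for part in value.split("-"))
            if low > high:
                raise ValueError(f"inverted idmap range for {domain}: {value}")
            entry["range"] = (low, high)
        else:
            entry[key] = value
    return domains


def domains_without_range(domains):
    """Domains that have a backend configured but no active range line."""
    return sorted(d for d, cfg in domains.items()
                  if "backend" in cfg and "range" not in cfg)


def overlapping_ranges(domains):
    """Pairs of domains whose ID ranges intersect."""
    ranged = sorted((cfg["range"], d) for d, cfg in domains.items() if "range" in cfg)
    clashes = []
    for i, ((_, high_a), dom_a) in enumerate(ranged):
        for (low_b, _), dom_b in ranged[i + 1:]:
            if low_b <= high_a:  # sorted by low bound, so this means overlap
                clashes.append((dom_a, dom_b))
    return clashes


def classify_ids(getent_text, domains):
    """Map each getent passwd entry to (uid, idmap domain owning that uid or None)."""
    result = {}
    for line in getent_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        uid = int(fields[2])
        owner = next((d for d, cfg in domains.items()
                      if "range" in cfg and cfg["range"][0] <= uid <= cfg["range"][1]),
                     None)
        result[fields[0]] = (uid, owner)
    return result


# Constructed smb.conf fragment: the domain range line is commented out.
CONF_RANGE_COMMENTED = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000 - 7999
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
# idmap config EXAMPLE:range = 10000-99999
"""
# Same fragment with the domain range line active.
CONF_RANGE_ACTIVE = CONF_RANGE_COMMENTED.replace(
    "# idmap config EXAMPLE:range", "idmap config EXAMPLE:range")

# Constructed getent passwd output.
GETENT = """\
root:x:0:0:root:/root:/bin/bash
alice:*:10001:10000:alice:/home/EXAMPLE/alice:/bin/false
bob:*:3001:3000:bob:/home/EXAMPLE/bob:/bin/false
"""

if __name__ == "__main__":
    for label, conf in (("range commented out", CONF_RANGE_COMMENTED),
                        ("range active", CONF_RANGE_ACTIVE)):
        doms = parse_idmap(conf)
        print(label)
        print("  backend without range:", domains_without_range(doms))
        print("  overlapping ranges:   ", overlapping_ranges(doms))
        print("  uid ownership:        ", classify_ids(GETENT, doms))
```

A UID that lands in the default (*) range or in no range at all on a member server is worth comparing against the uidNumber stored in the directory before relying on file ownership or ACLs.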
Re: [Samba] Samba PDC not in network environment (Windows 7/8)
Something I came across. Don't know if it is related.

Trying to connect to a Windows 8 share from my PDC results in

    cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
    session setup failed: NT_STATUS_INVALID_PARAMETER

when client NTLMv2 auth = yes set in smb.conf. smbtree executed by a domain admin user lists all shares on PDC and nas but only the name of the client.

Changing settings to

    client NTLMv2 auth = no
    client lanman auth = yes

gives access to shares on the Windows 8 client. smbtree lists all administrative shares (C$, D$, etc.) on Windows 8 client.

---

There are some entries in the samba logfile for client JOGO which seem to be problem related:

    [2013/02/21 12:17:27.638163, 0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
      pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
    [2013/02/21 12:17:27.762403, 2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
      Returning domain sid for domain MyDomainName - S-1-5-21-3406496673-2355577635-1274693878
    [2013/02/21 12:17:32.774569, 2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
      credentials check failed
    [2013/02/21 12:17:32.774681, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client JOGO machine account JOGO$
    [2013/02/21 12:17:32.777495, 2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
      Returning domain sid for domain MyDomainName - S-1-5-21-3406496673-2355577635-1274693878
    [2013/02/21 12:17:45.665467, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
      smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
    [2013/02/21 12:18:03.168300, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
      smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
    [2013/02/21 12:18:50.279081, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
      smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
    [2013/02/21 12:21:36.293203, 2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
      smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
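Added example, not part of the original message and not Samba code: a Python parser for the two-line Samba log records quoted above that counts rejected machine-account authentications per account inside a time window and lists schannel binds attempted without a successful ServerAuthenticate. The sample log is constructed, modelled on the lines in the message, with made-up host names WS01 and WS02; the window and threshold are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Samba writes a header "[date time.usec, level] file:line(function)"
# followed by one or more indented message lines.
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*(\d+)\]\s+(\S+):(\d+)\((\w+)\)\s*$")
REJECT_RE = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")
SCHANNEL_MSG = "Attempt to bind using schannel without successful serverauth2"


def parse_records(log_text):
    """Join each header line with its continuation lines into one record."""
    records = []
    for line in log_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            records.append({
                "time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "level": int(m.group(2)),
                "function": m.group(5),
                "message": "",
            })
        elif records and line.strip():
            joined = records[-1]["message"] + " " + line.strip()
            records[-1]["message"] = joined.strip()
    return records


def rejected_machine_accounts(records, window=timedelta(minutes=10), threshold=3):
    """Machine accounts with at least `threshold` rejections inside `window`."""
    stamps_by_account = defaultdict(list)
    for rec in records:
        m = REJECT_RE.search(rec["message"])
        if m:
            stamps_by_account[m.group(2)].append(rec["time"])
    flagged = {}
    for account, stamps in stamps_by_account.items():
        stamps.sort()
        # Largest number of rejections in any window starting at a rejection.
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= threshold:
            flagged[account] = best
    return flagged


def schannel_binds_without_auth(records):
    """Timestamps of schannel bind attempts made before ServerAuthenticate succeeded."""
    return [rec["time"] for rec in records if SCHANNEL_MSG in rec["message"]]


# Constructed sample log (host names and most timestamps are made up).
SAMPLE_LOG = """\
[2013/02/21 12:17:27.638163,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:32.774569,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2013/02/21 12:17:45.665467,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:20:02.100000,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2013/02/21 12:24:40.200000,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
[2013/02/21 13:40:00.300000,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS02 machine account WS02$
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("records:", len(recs))
    print("repeated rejections:", rejected_machine_accounts(recs))
    print("schannel binds without auth:", schannel_binds_without_auth(recs))
```

Repeated rejections for one machine account usually point at a machine trust password that no longer matches what the domain controller has stored, so the account named in the output is the one to investigate or rejoin.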
Re: [Samba] [INTERNET] Re: Samba 4 DC - idmap config on a samba 4 member server
I just recently dealt with these problems myself. I had the same issues you've mentioned.

https://lists.samba.org/archive/samba/2012-December/170521.html

On Thu, Feb 21, 2013 at 6:32 AM, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI franck.b...@bas-rhin.gouv.fr wrote:
> Hello
>
> I test your solution but if getent returns all users and groups (AD + local), all have the same UID/GID. Strange ...
>
> This morning I commented out idmap config DDCS67:range = 500-4 and it works !!
>
> ADs users/groups
>
>     idmap config *:backend = tdb
>     idmap config *:range = 7-7
>     idmap config DDCS67:backend = ad
>     idmap config DDCS67:schema_mode = rfc2307
>     #idmap config DDCS67:range = 500-4
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = Yes
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     user1:*:70001:70001:user1l:/data/individuel/DDCS67/user1:/bin/false
>     user2:*:70002:70001:user2:/data/individuel/DDCS67/user2:/bin/false
>     user3:*:70011:70001:user3:/data/individuel/DDCS67/user3:/bin/false
>     administrator:*:70003:70001:Administrator:/data/individuel/DDCS67/administrator:/bin/false
>     user4:*:70004:70001:user4:/data/individuel/DDCS67/user4:/bin/false
>     user5:*:70005:70001:user5:/data/individuel/DDCS67/user5:/bin/false
>
> It's good but I don't understand why
>
> Franck
>
> On 21/02/2013 08:21, Hervé Hénoch (via Internet) wrote:
> > Hello Franck
> >
> > I had the same problem. When I removed config in the two lines, getent group worked.
> >
> >     idmap config *:backend = tdb
> >     idmap config *:range = 70001-8
> >
> > For the role of idmap you can read:
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> >
> > Regards
> >
> > On 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> > > Without the idmap lines, it works too.
> > >
> > >     [global]
> > >     workgroup = DDCS
> > >     security = ADS
> > >     realm = DDCS.LOCAL
> > >     encrypt passwords = yes
> > >     # idmap config *:backend = tdb
> > >     # idmap config *:range = 70001-8
> > >     # idmap config DDCS:backend = ad
> > >     # idmap config DDCS:schema_mode = rfc2307
> > >     # idmap config DDCS:range = 500-4
> > >     winbind nss info = rfc2307
> > >     winbind trusted domains only = no
> > >     winbind use default domain = yes
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >
> > > What is the real role of the idmap lines? I must have missed something.
Re: [Samba] [INTERNET] Re: Samba 4 DC - idmap config on a samba 4 member server
Yes. I compiled samba with this:

    ./configure --with-ads --with-shared-modules=idmap_ad --enable-debug --enable-selftest --prefix=/samba

On 21/02/2013 12:27, Thomas Simmons (via Internet) wrote:
> Did you compile Samba --with-shared-modules=idmap_ad?
>
> On Thu, Feb 21, 2013 at 2:21 AM, Hervé Hénoch h.hen...@isc84.org wrote:
> > Hello Franck
> >
> > I had the same problem. When I removed config in the two lines, getent group worked.
> >
> >     idmap config *:backend = tdb
> >     idmap config *:range = 70001-8
> >
> > For the role of idmap you can read:
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> >
> > Regards
> >
> > On 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> > > Without the idmap lines, it works too.
> > >
> > >     [global]
> > >     workgroup = DDCS
> > >     security = ADS
> > >     realm = DDCS.LOCAL
> > >     encrypt passwords = yes
> > >     # idmap config *:backend = tdb
> > >     # idmap config *:range = 70001-8
> > >     # idmap config DDCS:backend = ad
> > >     # idmap config DDCS:schema_mode = rfc2307
> > >     # idmap config DDCS:range = 500-4
> > >     winbind nss info = rfc2307
> > >     winbind trusted domains only = no
> > >     winbind use default domain = yes
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >
> > > What is the real role of the idmap lines? I must have missed something.
> >
> > --
> > Hervé Hénoch
> > IT Manager
> > Institut Sainte Catherine
> > 250 chemin de Baigne-Pieds
> > CS 80005 — 84918 AVIGNON cedex 9
> > Telephone: 04.90.27.57.44
Re: [Samba] [INTERNET] Re: Samba 4 DC - idmap config on a samba 4 member server
On Thursday, February 21, 2013 12:32:18 PM BOTZ Franck - DDT 67/SG/MGI/CI wrote:
> Hello
>
> I test your solution but if getent returns all users and groups (AD + local), all have the same UID/GID. Strange ...
>
> This morning I commented out idmap config DDCS67:range = 500-4 and it works !!
>
> ADs users/groups

I am testing idmap_ad as well and I have a lot of issues with idmap_ad but I was thinking that it's because I haven't provisioned with rfc2307 at that time.

When you say it works, do you mean that the returned uid/gid are the ones stored in the directory (uidNumber/gidNumber)?

thanks

>     idmap config *:backend = tdb
>     idmap config *:range = 7-7
>     idmap config DDCS67:backend = ad
>     idmap config DDCS67:schema_mode = rfc2307
>     #idmap config DDCS67:range = 500-4
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = Yes
>     winbind enum users = yes
>     winbind enum groups = yes
>
>     user1:*:70001:70001:user1l:/data/individuel/DDCS67/user1:/bin/false
>     user2:*:70002:70001:user2:/data/individuel/DDCS67/user2:/bin/false
>     user3:*:70011:70001:user3:/data/individuel/DDCS67/user3:/bin/false
>     administrator:*:70003:70001:Administrator:/data/individuel/DDCS67/administrator:/bin/false
>     user4:*:70004:70001:user4:/data/individuel/DDCS67/user4:/bin/false
>     user5:*:70005:70001:user5:/data/individuel/DDCS67/user5:/bin/false
>
> It's good but I don't understand why
>
> Franck
>
> On 21/02/2013 08:21, Hervé Hénoch (via Internet) wrote:
> > Hello Franck
> >
> > I had the same problem. When I removed config in the two lines, getent group worked.
> >
> >     idmap config *:backend = tdb
> >     idmap config *:range = 70001-8
> >
> > For the role of idmap you can read:
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> >
> > Regards
> >
> > On 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI wrote:
> > > Without the idmap lines, it works too.
> > >
> > >     [global]
> > >     workgroup = DDCS
> > >     security = ADS
> > >     realm = DDCS.LOCAL
> > >     encrypt passwords = yes
> > >     # idmap config *:backend = tdb
> > >     # idmap config *:range = 70001-8
> > >     # idmap config DDCS:backend = ad
> > >     # idmap config DDCS:schema_mode = rfc2307
> > >     # idmap config DDCS:range = 500-4
> > >     winbind nss info = rfc2307
> > >     winbind trusted domains only = no
> > >     winbind use default domain = yes
> > >     winbind enum users = yes
> > >     winbind enum groups = yes
> > >
> > > What is the real role of the idmap lines? I must have missed something.
Re: [Samba] [INTERNET] Re: Re: Samba 4 DC - idmap config on a samba 4 member server
> > Hello
> >
> > I test your solution but if getent returns all users and groups (AD + local), all have the same UID/GID. Strange ...
> >
> > This morning I commented out idmap config DDCS67:range = 500-4 and it works !!
> >
> > ADs users/groups
>
> I am testing idmap_ad as well and I have a lot of issues with idmap_ad but I was thinking that it's because I haven't provisioned with rfc2307 at that time.

Perhaps, but how to do that on a member server? I use provisioning on the first DC (DC1). Next DC2 synchronizes itself. For the member, no synchronization but writing a smb.conf with (or not) the idmap.

> When you say it works, do you mean that the returned uid/gid are the ones stored in the directory (uidNumber/gidNumber)?
>
> thanks

Yes. Here is the result of a getfacl ./ on a directory on the member server. Domain Users, administrator, sg-ci are AD groups.

    getfacl ./
    # file: .
    # owner: administrator
    # group: domain\040users
    user::rwx
    user:administrator:rwx
    group::---
    group:domain\040users:---
    group:domain\040admins:rwx
    group:sg-ci:rwx
    mask::rwx
    other::---
    default:user::rwx
    default:user:administrator:rwx
    default:group::---
    default:group:domain\040users:---
    default:group:domain\040admins:rwx
    default:group:sg-ci:rwx
    default:mask::rwx
    default:other::---
[Samba] Upgrade from 4.0.0 to 4.0.3 creates unfixable errors with dbcheck
Hello,

Today I tried to upgrade from samba 4.0.0 to 4.0.3 on my test environment. I patched the source with the diffs patch-4.0.0-4.0.1.diffs, patch-4.0.1-4.0.2.diffs, patch-4.0.2-4.0.3.diffs, then make, make install.

    # samba-tool dbcheck
    Checking 807 objects
    Not fixing nTSecurityDescriptor on CN=Performance Monitor Users,CN=Builtin,DC=inview,DC=local   --- all errors were same for each object
    Checked 807 objects (805 errors)

Tried

    # samba-tool dbcheck --fix
    (fix all.)
    Checked 807 objects (763 errors)

now

    # samba-tool dbcheck
    Not fixing nTSecurityDescriptor on CN=Performance Monitor Users,CN=Builtin,DC=inview,DC=local   --- all errors were same for each object
    Checked 807 objects (650 errors)

Fixing again has no further effect on the number of errors. It should be noted that before the upgrade dbcheck found no errors.

So what has changed between the versions to cause this and how can I fix these errors?

Cheers
Chris
Re: [Samba] replace Windows 2003 dc / dns issues
Peter Beck pe...@datentraeger.li wrote on Thu, Feb 14, 2013 at 03:04:40AM +0100:

After lots of 'trial and error' I have done following scenario

* setup samba4 as additional dc (samba internal dns)
* added +dns to smb.conf server services, dns recursive queries = yes and allow dns updates = true
* on the windows dc I've added a recursive zone for my network and the samba4-dc in the nameservers-tab of each zone. Replication changed to All dns servers. (still not sure if this is needed with ad integrated zones ?)
* replication with samba-tool/repadmin - no issues
* samba-tool drs replicate s4dc w2k3dc dc=domaindnszones,dc..- no errors
* samba-tool drs replicate s4dc w2k3dc dc=forestdnszones,dc..- no errors
* samba_dnsupdate --verbose - no errors
* dns was replicated completely now, including the entries inside the zones
* transferring the fsmo roles to samba4 - no issues
* disable global catalog for the windows dc
* dcpromo demote the windows server

I am still able to read the existing dns entries, but as soon as I try to update an existing entry or add an additional I get "the local security authority database contains an internal inconsistency" from Windows MMC-Snapin and samba-tool is reporting

    uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')

But adding additional zones and entries for them seems to work. It seems it's just dns related as adding groups and users is working fine.

Any ideas? If there is a best practice to replace an existing dc I would like to contribute that to the samba Wiki...

Best Regards
Peter
[Samba] winbind against samba4 AD DC
Hello,

Could you please give me some precision about the current state of the winbind support on a member server. I have tried to list what I understand about it. (I suppose that the libnss_winbind symlinks are correct in /lib and/or lib64)

* samba4 join as member
  join: samba-tool domain join dnsdomain MEMBER
  smb.conf should contain:

      idmap_ldb:use rfc2307 = yes

  the AD DC doesn't need to be provisioned with the option --use-rfc2307
  then the member should be able to read uidNumber gidNumber from the directory.

* smbd + winbindd
  samba4: compile with --with-shared-modules=...,idmap_ad
  samba3 compile with --with-shared-modules=...,idmap_ad,--with-ads
  join: net ads join
  smb.conf should contain (from the wiki):

      idmap config *:backend = tdb
      idmap config *:range = 70001-8
      idmap config SHORTDOMAINNAME:backend = ad
      idmap config SHORTDOMAINNAME:schema_mode = rfc2307
      idmap config SHORTDOMAINNAME:range = 500-4

  But the AD has to be provisioned with --use-rfc2307
  You then should add the objectclass: posixAccount in the AD samdb for each user and posixGroup for the group

Is it mandatory to have provisioned the AD with --use-rfc2307? mac OSX client seems to be OK without, they can read uid/gid Number, but not linux client using smbd/winbindd.

If yes what is the best way to add rfc2307 support to an already provisioned AD? Applying ypServ30.ldif will it be good enough?

Thanks
Ali
Re: [Samba] S4 file server and DNS
Hervé Hénoch h.hen...@isc84.org wrote on Tue, Feb 19, 2013 at 02:56:43PM +0100:
> Hello
>
> The problem seems to be with DNS dynamic updates. I insist on the fact that my DNS server is working (all tests were successful). Bind version is 9.8.1. Debian Wheezy.

Maybe it's related to bug 692416
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692416

The plan is to get bind 9.8.4.dfsg.P1-3 migrated to wheezy, which should support dynamic updates. As far as I know it's not working with the current version in wheezy.

hope that helps
Peter
Re: [Samba] winbind against samba4 AD DC
On Thursday, February 21, 2013 04:03:53 PM Ali Bendriss wrote:
> Hello,
>
> Could you please give me some precision about the current state of the winbind support on a member server. I have tried to list what I understand about it. (I suppose that the libnss_winbind symlinks are correct in /lib and/or lib64)
>
> * samba4 join as member
>   join: samba-tool domain join dnsdomain MEMBER
>   smb.conf should contain:
>
>       idmap_ldb:use rfc2307 = yes
>
>   the AD DC doesn't need to be provisioned with the option --use-rfc2307
>   then the member should be able to read uidNumber gidNumber from the directory.
>
> * smbd + winbindd
>   samba4: compile with --with-shared-modules=...,idmap_ad
>   samba3 compile with --with-shared-modules=...,idmap_ad,--with-ads
>   join: net ads join
>   smb.conf should contain (from the wiki):
>
>       idmap config *:backend = tdb
>       idmap config *:range = 70001-8
>       idmap config SHORTDOMAINNAME:backend = ad
>       idmap config SHORTDOMAINNAME:schema_mode = rfc2307
>       idmap config SHORTDOMAINNAME:range = 500-4
>
>   But the AD has to be provisioned with --use-rfc2307
>   You then should add the objectclass: posixAccount in the AD samdb for each user and posixGroup for the group
>
> Is it mandatory to have provisioned the AD with --use-rfc2307? mac OSX client seems to be OK without, they can read uid/gid Number, but not linux client using smbd/winbindd.
>
> If yes what is the best way to add rfc2307 support to an already provisioned AD? Applying ypServ30.ldif will it be good enough?

I reply to myself after some more testing using winbindd against samba ADDC.

It looks like there is no need to provision the AD with --use-rfc2307. The wiki page

https://wiki.samba.org/index.php/Samba4/Domain_Member#Make_domain_users.2Fgroups_available_locally_through_winbind

is correct but it should emphasize that the primary group of the users must have the gid set. And then everything works out of the box, without the need to add the objectClass posixAccount and posixGroup as well.

Thanks
Ali
Re: [Samba] Samba4 Auto-start
Greg, Rick--

Thanks both for your suggestions. Here is how it finally ended up:

As Greg thought, /usr/local/samba/sbin/samba as part of that upstart script was trying to use the default smb.conf (in /etc/samba) as opposed to the properly configured one in /usr/local/samba/etc. The solution here was simply removing the bad configuration and then symlinking to the proper one. One lingering question here is why manually calling /usr/local/samba/sbin/samba (after the killall) used the correct configuration file automatically, but why it didn't do that magic when part of a script.

However, at this point, it still wasn't up and running properly. After some group analysis, we believed it was the fact that bind9 was not yet started when Samba was starting (we have --dns-backend=BIND9_DLZ). After poking around to set up a proper dependency between bind9 and Samba4, it worked as expected.

In case anyone else wants to set this up, here are the files -- note please that this converts bind9 to an upstart minion, not a sysV relic; thus bind9 must be removed from the sysV start method. This can be achieved with update-rc.d -f bind9 remove .

/etc/init/samba4.conf :

    #description SMB/CIFS File and Active Directory Server
    #author Jelmer Vernooij jel...@ubuntu.com

    # "started bind9" makes Samba wait for named (BIND9_DLZ backend)
    start on (local-filesystems and net-device-up and started bind9)
    stop on runlevel [!2345]

    expect fork
    normal exit 0

    pre-start script
        [ -r /etc/default/samba4 ] && . /etc/default/samba4
        install -o root -g root -m 755 -d /var/run/samba
        install -o root -g root -m 755 -d /var/log/samba
    end script

    exec /usr/local/samba/sbin/samba -D

/etc/init/bind9.conf :

    #UPSTART JOB FOR BIND9

    start on runlevel [2345]
    stop on runlevel [!2345]

    pre-start script
        # dirs under /var/run can go away on reboots.
        mkdir -p /var/run/named
        chmod 775 /var/run/named
        chown root:bind /var/run/named >/dev/null 2>&1 || true
    end script

    #Add bind command-line options below
    exec /usr/sbin/named -f -u bind

    pre-stop exec rndc stop
    post-stop exec logger -p user.warning -t upstart-bind bind stopped

    respawn
    respawn limit 3 10
    kill timeout 30
    console none
    #END

Thanks much,

- Original Message -
From: Ricky Nance ricky.na...@weaubleau.k12.mo.us
To: Greg Sloop gr...@sloop.net
Cc: Mike Ray m...@xes-inc.com, samba@lists.samba.org
Sent: Wednesday, February 20, 2013 4:52:27 PM
Subject: Re: [Samba] Samba4 Auto-start

My bet is that smbd is spawning before your upstart script causing major problems. Try to issue a update-rc.d -f smbd remove then reboot and see if your problem goes away.

Ricky

On Wed, Feb 20, 2013 at 3:15 PM, Gregory Sloop gr...@sloop.net wrote:

MR I'll cut to the chase -- several weeks ago, I thought I had an
MR upstart configuration file that would start Samba4 when the VM was
MR turned on; but it turns out I was wrong. At the time there was
MR nothing on the wiki about it (the links were broken).
MR The script I thought was working was simply:
MR start on runlevel [2345]
MR exec /usr/local/samba/sbin/samba
MR In any case, looking at the official wiki today, I found a new
MR note, stating that the links were indeed broken and that this one should probably work:
-SNIP-
MR I am running Version 4.1.0pre1-GIT-f25debf on Ubuntu 12.04 LTS,
MR with the samba executable at /usr/local/samba/sbin/samba and the
MR conf file as /etc/init/samba4.conf.

I'm the one that dug up that upstart script and put it in the Wiki. [Since the link was broken.]

But I don't think the upstart script has anything to do with what ports Samba's going to listen on.

While someone else may be able to offer more helpful advice, I'd guess that the difference is that the upstart is starting samba with a different config than the manual start - if you figure out how it's getting a different config, then I suspect your problem will go away or be trivially solvable.

Also, while I think there's no difference in terms of if the upstart script works properly or not, I used it on version 4.0.3.
Re: [Samba] LDAP recommendations please
Actually I was hoping to use the new internal LDAP as the master. I notice that http://www.windowsitpro.com/content1/topic/integrate-active-directory-and-openldap-98449/catpath/ldap has an article on using slapd as a proxy to Active Directory.

This one looks even better. Never used 389Server but there's a first time for everything http://www.linuxmail.info/ad-fds-sync-howto/

(I did google this before I asked the question, but I was searching for samba4 ldap, not active directory ldap. I hope samba4 AD is that similar that I can pull similar stunts to the ones described)

- Original Message -
From: Andrew Bartlett abart...@samba.org
To: ray klassen julius_ahenobar...@yahoo.co.uk
Cc: samba@lists.samba.org samba@lists.samba.org
Sent: Thursday, 21 February 2013, 0:51
Subject: Re: [Samba] LDAP recommendations please

On Wed, 2013-02-20 at 20:50 +, ray klassen wrote:

Currently I have a samba 3 domain setup with an LDAP backend. It's been very convenient and fault tolerant for me to put read-only replicas of the ldap database on all servers that use LDAP authentication. I'd like to keep doing that after switching to samba 4. Can that be done?

Yes, it can. However, it will remain a 'classic' domain controller, and not be an AD domain controller.

Upgrading to AD requires that you use our internal LDAP backend. https://wiki.samba.org/index.php/Samba4/FAQ

Sorry,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] S4 file server and DNS
The errors on the pdc are :

    client 192.168.77.5#52962: RFC 1918 response from Internet for 2.77.168.192.in-addr.arpa
    Feb 21 18:06:19 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
    Feb 21 18:06:19 vspdc named[10891]: client 192.168.77.5#58576: updating zone 'isc84.org/NONE': update unsuccessful: ssc011.isc84.org/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
    Feb 21 18:06:19 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
    Feb 21 18:06:19 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
    Feb 21 18:06:19 vspdc named[10891]: samba_dlz: spnego update failed
    Feb 21 18:06:19 vspdc named[10891]: client *192.168.77.5*#58576: updating zone 'isc84.org/NONE': update failed: rejected by secure update (REFUSED)
    Feb 21 18:06:19 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
    Feb 21 18:08:22 vspdc smbd[17144]: [2013/02/21 18:08:22.797810, 0] ../source3/printing/print_standard.c:68(std_pcap_cache_reload)
    Feb 21 18:08:22 vspdc smbd[17144]: Unable to open printcap file /etc/printcap for read!
    Feb 21 18:08:25 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
    Feb 21 18:08:25 vspdc named[10891]: client 192.168.77.5#58582: updating zone 'isc84.org/NONE': update unsuccessful: ssc011.isc84.org/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
    Feb 21 18:08:25 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
    Feb 21 18:08:25 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
    Feb 21 18:08:25 vspdc named[10891]: samba_dlz: spnego update failed
    Feb 21 18:08:25 vspdc named[10891]: client 192.168.77.5#58582: updating zone 'isc84.org/NONE': update failed: rejected by secure update (REFUSED)
    Feb 21 18:08:25 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org

The ip in bold is the server I joined to the domain (whose name is ssc011.isc84.org)

On 21/02/2013 16:28, Peter Beck wrote:

Hervé Hénoch h.hen...@isc84.org wrote on Tue, Feb 19, 2013 at 02:56:43PM +0100:

Hello

The problem seems to be with DNS dynamic updates. I insist on the fact that my DNS server is working (all tests were successful). Bind version is 9.8.1. Debian Wheezy.

Maybe it's related to bug 692416 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692416

The plan is to get bind 9.8.4.dfsg.P1-3 migrated to wheezy, which should support dynamic updates. As far as I know it's not working with the current version in wheezy.

hope that helps
Peter

--
Hervé Hénoch
IT Manager
Institut Sainte Catherine
250 chemin de Baigne-Pieds CS 80005 --- 84918 AVIGNON cedex 9
Telephone: 04.90.27.57.44
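The excerpt above shows each update attempt failing twice: first on an unmet prerequisite (NXRRSET), then as REFUSED straight after samba_dlz logs a spnego failure. The following is an added example, not part of the original post: it tallies those outcomes per client and zone from named syslog lines, using lines copied from the excerpt as input. The function names and outcome labels are chosen for this example.

```python
"""Summarise failed dynamic DNS updates from named/samba_dlz syslog lines."""
import re
from collections import Counter

# Lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
Feb 21 18:06:19 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
Feb 21 18:06:19 vspdc named[10891]: client 192.168.77.5#58576: updating zone 'isc84.org/NONE': update unsuccessful: ssc011.isc84.org/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Feb 21 18:06:19 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
Feb 21 18:06:19 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
Feb 21 18:06:19 vspdc named[10891]: samba_dlz: spnego update failed
Feb 21 18:06:19 vspdc named[10891]: client *192.168.77.5*#58576: updating zone 'isc84.org/NONE': update failed: rejected by secure update (REFUSED)
Feb 21 18:06:19 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
Feb 21 18:08:22 vspdc smbd[17144]: Unable to open printcap file /etc/printcap for read!
Feb 21 18:08:25 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
Feb 21 18:08:25 vspdc named[10891]: client 192.168.77.5#58582: updating zone 'isc84.org/NONE': update unsuccessful: ssc011.isc84.org/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Feb 21 18:08:25 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
Feb 21 18:08:25 vspdc named[10891]: samba_dlz: starting transaction on zone isc84.org
Feb 21 18:08:25 vspdc named[10891]: samba_dlz: spnego update failed
Feb 21 18:08:25 vspdc named[10891]: client 192.168.77.5#58582: updating zone 'isc84.org/NONE': update failed: rejected by secure update (REFUSED)
Feb 21 18:08:25 vspdc named[10891]: samba_dlz: cancelling transaction on zone isc84.org
"""

# Syslog prefix of a line written by named; other daemons do not match.
NAMED = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ named\[\d+\]: (?P<msg>.*)$")
# Update result line. The optional "*" tolerates the bold markers that mail
# clients leave around the address, as in one line of the excerpt.
UPDATE = re.compile(
    r"^client \*?(?P<ip>[0-9A-Fa-f.:]+?)\*?#\d+: "
    r"updating zone '(?P<zone>[^'/]+)/[^']*': "
    r"(?P<result>update (?:unsuccessful|failed)): (?P<detail>.*)$")
RCODE = re.compile(r"\((\w+)\)\s*$")
DLZ = "samba_dlz: "
SPNEGO_REFUSED = "REFUSED after spnego failure"


def summarise(log_text):
    """Count failed updates per (client address, zone, outcome)."""
    counts = Counter()
    spnego_failed = False
    for line in log_text.splitlines():
        named = NAMED.match(line)
        if not named:
            continue
        msg = named.group("msg")
        if msg.startswith(DLZ):
            event = msg[len(DLZ):]
            if event == "spnego update failed":
                spnego_failed = True
            elif event.startswith(("starting transaction", "cancelling transaction")):
                spnego_failed = False      # a new attempt starts with a clean slate
            continue
        update = UPDATE.match(msg)
        if not update:
            continue
        rcode = RCODE.search(update.group("detail"))
        outcome = rcode.group(1) if rcode else update.group("result")
        if outcome == "REFUSED" and spnego_failed:
            outcome = SPNEGO_REFUSED
        counts[(update.group("ip"), update.group("zone"), outcome)] += 1
    return counts


def auth_failures(counts):
    """Clients whose update was refused right after a spnego failure."""
    return sorted({ip for (ip, _zone, outcome) in counts if outcome == SPNEGO_REFUSED})


if __name__ == "__main__":
    for (ip, zone, outcome), n in sorted(summarise(SAMPLE_LOG).items()):
        print("%-15s %-12s %-30s %d" % (ip, zone, outcome, n))
```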
Re: [Samba] What will happen if I disable reverse check for \\server\printer on samba?
On Wed, Feb 20, 2013 at 12:03:08PM -0500, Alex Korobkin wrote:

Hi team,

In Samba 3.6, rpc_server/spoolss/srv_spoolss_nt.c file has this stance at line 1740:

    /* some sanity check because you can open a printer or a print server */
    /* aka: \\server\printer or \\server */

    DEBUGADD(3,("checking name: %s\n", r->in.printername));

    result = open_printer_hnd(p, r->out.handle, r->in.printername, 0);
    if (!W_ERROR_IS_OK(result)) {
        DEBUG(0,("_spoolss_OpenPrinterEx: Cannot open a printer handle for printer %s\n", r->in.printername));
        ZERO_STRUCTP(r->out.handle);
        return result;
    }

In my specific environment it causes a problem, because when client calls the cluster under its public name, Samba performs this reverse check from inside the cluster and connects to a different cluster instance, causing printer installation to fail. I know, it shouldn't be configured like that, but that won't be fixed soon.

Could anything bad happen if I remove this check manually?

I don't think so.

Jeremy.
Re: [Samba] Samba 4
On Thu, 2013-02-21 at 12:20 +0100, Markus Bajones wrote:

first hit on google. http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Or, even *BETTER*, skip the stupid search engines [which will lead you astray as often as not] - and just go to www.samba.org. Huge time saver!

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
[Samba] Possible bug in Samba 4 - no Recycle VFS object
Just a quick check here before I file a bug report. I've just checked if I can use the recycle VFS object in Samba 4 like I do in Samba 3 - and it seems that is not implemented yet. Should I file it as a bug report - or Samba 4 supports/will support this functionality in some other way?

Thanks,
Sebastian
[Samba] Incorrect Password on Windows 2008 R2 trying to install SAP
This is the weirdest issue I've seen in 8 years of running Samba as our domain controller for 120 users...

I've created a Windows 2008 R2 Server, joined it to the domain successfully, can log on to the server using any username, including: sbxadm

So now we go to run sapinst.exe (we're installing SAP on this server, which we've done several times before, but for Windows Server 2003) and it asks for the username and password, so we type in sbxadm and its password; however, it fails with an Incorrect Password. If I look on samba it has increased the Incorrect password attempts value by 1.

I know for a fact we're typing the correct password, there is no doubt there, we've tried making it 1, a, 12345678 etc... it ALWAYS fails with incorrect password. The username can log on elsewhere, no issues, it only seems to happen when trying to use the credentials in this setup file.

We've tried different servers, rejoining the domain, turning off firewalls, making everyone an admin etc...this leads me to believe that perhaps it's samba.

We're running Samba 3.3.15 with an LDAP password backend, has anyone else ever experienced this issue with Windows Server 2008?

--
Chris Beach
Manager IT Services
Pinty's Delicious Foods Inc.
905-319-5300 ext 5255
Re: [Samba] LDAP recommendations please
On Thu, 2013-02-21 at 16:36 +, ray klassen wrote:

Actually I was hoping to use the new internal LDAP as the master. I notice that http://www.windowsitpro.com/content1/topic/integrate-active-directory-and-openldap-98449/catpath/ldap has an article on using slapd as a proxy to Active Directory.

This one looks even better. Never used 389Server but there's a first time for everything http://www.linuxmail.info/ad-fds-sync-howto/

(I did google this before I asked the question, but I was searching for samba4 ldap, not active directory ldap. I hope samba4 AD is that similar that I can pull similar stunts to the ones described)

Upgrading to AD requires that you use our internal LDAP backend. https://wiki.samba.org/index.php/Samba4/FAQ

Stop with the googling, and just look at the docs. https://wiki.samba.org/index.php/Samba4/beyond The wiki has an openLDAP proxy to AD section.

--
Adam Tauno Williams GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
[Samba] Issue with pam_winbind not able to reset password
Hi Experts,

I am facing an issue with pam_winbind, where users are not able to reset the password for a domain user id. We have 2 sites and a single domain; on the other site, same domain, we are able to reset the password using rhel.

    Feb 21 18:58:56 CIVAPTC01 passwd: pam_unix(passwd:chauthtok): user balothiag does not exist in /etc/passwd
    Feb 21 18:58:56 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x131e7720] ENTER: pam_sm_chauthtok (flags: 0x4000)
    Feb 21 18:58:56 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): username [balothiag] obtained
    Feb 21 18:58:56 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): user 'balothiag' OK
    Feb 21 18:58:56 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): getting password (0x0023)
    Feb 21 18:59:01 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): request failed: Wrong Password, PAM error was Authentication failure (7), NT error was NT_STATUS_WRONG_PASSWORD
    Feb 21 18:59:01 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): user 'balothiag' denied access (incorrect password or invalid membership)
    Feb 21 18:59:01 CIVAPTC01 passwd: pam_winbind(passwd:chauthtok): [pamh: 0x131e7720] LEAVE: pam_sm_chauthtok returning 7

Please let me know if you can help us.

Thanks,
Gautam
[Samba] Samba4(linux cloud) PDC remote clients(windows)
Hi

I'm using samba4 on a cloud server.

1- Provision configured with internal DNS server.
2- All tests on the server work fine!

But when I try to connect from a remote client, Windows doesn't resolve the domain. The same configuration on the local network works! Maybe I need to configure bind9, but I don't know exactly.

Is anybody using a samba4 pdc remotely?

Thanks

ps.: I'm from Brasil, so sorry for my bad english..lol

--
Moacir R.F
Software Developer
http://www.moacirrf.com.br
[Samba] Roaming Profile synchronization errors on new samba server
Hi,

I am running an old CentOS 4 server with samba 3.4.9 and am trying to move to a new server running Centos 6 and the latest stock samba 3.5.10-125.

Upon trying to switch over to the new server, I noticed that accessing shares and copying files worked perfectly fine, however upon logging off, the roaming profile fails with the error message:

    Your roaming profile was not completely synchronized. See the event log for details or contact administrator.

Further inspection of the event viewer shows several entries like:

    Windows cannot copy file \\?\C:\Users\dijuremo\Favorites\Links to location \\?\UNC\p3file\Users\dijuremo\.winprofile.V2\Favorites\Links. This error may be caused by network problems or insufficient security rights.
    DETAIL - The parameter is incorrect.

The client logs show messages such as:

    [2013/02/21 15:03:09.737537, 2] smbd/open.c:2508(open_directory)
    open_directory: unable to create dijuremo/.winprofile.V2/Favorites/Links. Error was NT_STATUS_OBJECT_NAME_COLLISION

I have tried upgrading to 3.6.9 using the SRPM from RHEL 6.4 and also even built the latest 3.6.12 sources from samba.org with the spec file from redhat and the problem seems to persist.

I have deleted the profile totally from both server and workstation to try and get a new profile and the problem persists. The problem occurs on both Windows 7 and 8 clients, but most of the testing I have done with Windows 8.

I would appreciate it if I can get some help with this. I can upload log files or open a bugzilla if appropriate.

Thanks,
Diego
Re: [Samba] Samba4(linux cloud) PDC remote clients(windows)
Hello,

You're trying to connect to a Domain Controller that you set up in the cloud? Can you further explain your setup? I hope it includes some type of VPN connection?

On Thu, Feb 21, 2013 at 3:33 PM, Moacir da Roza moaci...@gmail.com wrote:

Hi

I'm using samba4 on a cloud server.

1- Provision configured with internal DNS server.
2- All tests on the server work fine!

But when I try to connect from a remote client, Windows doesn't resolve the domain. The same configuration on the local network works! Maybe I need to configure bind9, but I don't know exactly.

Is anybody using a samba4 pdc remotely?

Thanks

ps.: I'm from Brasil, so sorry for my bad english..lol

--
Moacir R.F
Software Developer
http://www.moacirrf.com.br
[Samba] Destroyed my samba4 domain
Hello,

I am using samba4 with zentyal distro. I am trying to have user homes mounted as W: and I am trying to use GPO.

I have spurious permissions problems. I have fixed most of them with

    samba-tool ntacl sysvolreset

But some users write files and cannot see them anymore to read.

The biggest problem is that I have created group policies with Microsoft tools but they are not applied. I have looked at sysvol share and I cannot see logon dirs and my scripts so I suppose it is a permission problem. So I have given this command:

    samba-tool gpo aclcheck --fix

and it has found around 1700 errors ( I have more than 1000 users).

But now permissions are wrong: microsoft tools do not recognize the domain anymore and I cannot browse it anymore with \\domainname.lan\

Help me please!!! What can I do?

I forgot to say that I have two domain controllers based on zentyal.

Thanks in advance for any help!
Mario Giammarco
Re: [Samba] Question marks, asterisks, colons in filenames
On Wednesday, February 20, 2013, Jeremy Allison j...@samba.org wrote:

On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:

What we have here is a problem of two incompatible text fields, and it does not make a difference if that incompatibility is a filename in a file system or some table in some kind of non-filesystem media library. If you can't fix the incompatibility and if you can't change the underlying process that generates the data to only create names that fit the lowest common denominator all systems can handle, the obvious solution is to put in some kind of translation rule.

The only question is whether that translation rule belongs in Samba :-). It used to, but now I think it's better for it to be done externally :-).

Jeremy.

Could there be an add-on module such as samba-enforce-dumb-filefolder-names ? Is Samba written in a modular enough way to add in a filesystem layer?
Re: [Samba] Question marks, asterisks, colons in filenames
On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:

On Wednesday, February 20, 2013, Jeremy Allison j...@samba.org wrote:

On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:

What we have here is a problem of two incompatible text fields, and it does not make a difference if that incompatibility is a filename in a file system or some table in some kind of non-filesystem media library. If you can't fix the incompatibility and if you can't change the underlying process that generates the data to only create names that fit the lowest common denominator all systems can handle, the obvious solution is to put in some kind of translation rule.

The only question is whether that translation rule belongs in Samba :-). It used to, but now I think it's better for it to be done externally :-).

Jeremy.

Could there be an add-on module such as samba-enforce-dumb-filefolder-names ? Is Samba written in a modular enough way to add in a filesystem layer?

Samba is *designed* to allow this :-). Check out the VFS module interface. You'd have to catch all the path-based calls.

Jeremy.
Re: [Samba] Possible bug in Samba 4 - no Recycle VFS object
On Thu, Feb 21, 2013 at 07:24:26PM +, Sebastian Arcus wrote:

Just a quick check here before I file a bug report. I've just checked if I can use the recycle VFS object in Samba 4 like I do in Samba 3 - and it seems that is not implemented yet. Should I file it as a bug report - or Samba 4 supports/will support this functionality in some other way?

The vfs recycle module works in the same way in Samba4 that it worked in previous versions of Samba. It doesn't work with the ntvfs file server backend, but that isn't recommended anyway.

Jeremy.
Re: [Samba] Question marks, asterisks, colons in filenames
On Thursday, February 21, 2013, Jeremy Allison j...@samba.org wrote:

On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:

On Wednesday, February 20, 2013, Jeremy Allison j...@samba.org wrote:

On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:

What we have here is a problem of two incompatible text fields, and it does not make a difference if that incompatibility is a filename in a file system or some table in some kind of non-filesystem media library. If you can't fix the incompatibility and if you can't change the underlying process that generates the data to only create names that fit the lowest common denominator all systems can handle, the obvious solution is to put in some kind of translation rule.

The only question is whether that translation rule belongs in Samba :-). It used to, but now I think it's better for it to be done externally :-).

Jeremy.

Could there be an add-on module such as samba-enforce-dumb-filefolder-names ? Is Samba written in a modular enough way to add in a filesystem layer?

Samba is *designed* to allow this :-). Check out the VFS module interface. You'd have to catch all the path-based calls.

Jeremy.
Re: [Samba] Question marks, asterisks, colons in filenames
On Thu, Feb 21, 2013 at 5:45 PM, Rob Townley rob.town...@gmail.com wrote:

On Thursday, February 21, 2013, Jeremy Allison j...@samba.org wrote:

On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:

On Wednesday, February 20, 2013, Jeremy Allison j...@samba.org wrote:

On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:

What we have here is a problem of two incompatible text fields, and it does not make a difference if that incompatibility is a filename in a file system or some table in some kind of non-filesystem media library. If you can't fix the incompatibility and if you can't change the underlying process that generates the data to only create names that fit the lowest common denominator all systems can handle, the obvious solution is to put in some kind of translation rule.

The only question is whether that translation rule belongs in Samba :-). It used to, but now I think it's better for it to be done externally :-).

Jeremy.

Could there be an add-on module such as samba-enforce-dumb-filefolder-names ? Is Samba written in a modular enough way to add in a filesystem layer?

Samba is *designed* to allow this :-). Check out the VFS module interface. You'd have to catch all the path-based calls.

Jeremy.

Sorry, I fat fingered gmail on my smartphone web browser.

Now, I am thinking it would be better as an ext2/3/4 module for those cases where the Linux users are accessing the same file hierarchy but not via Samba. Maybe it has to be in Samba as well to satisfy all the different file systems available to Linux servers.
[Samba] [SOLVED] replace Windows 2003 dc
Hi guys,

weehoo! Samba4 rocks ! Great work!

If someone is interested - I finally managed to replace a Windows DC successfully. (at least I hope so ;-)

This is what I have done:

* Windows DC: Domain and Forest Operation Level = 2003
* Reboot Windows DC (always a good idea on Windows ;-)
* joining the Samba Domain Controller to the existing 2003 domain
* adding a Reverse zone for my network in DNS (on Windows)
* replicating forestdnszones, domaindnszones
* on the Windows DC I've changed the nameserver for each zone to the samba domain controller (which automatically added an NS-record to dns)
* samba_dnsupdate --all-names --verbose
* removing the Global Catalog on the Windows DC (including reboot ;-)
* transferring all fsmo roles to the samba dc (what's the difference to seizing ? for me transfer seems to work more reliably..)
* demote the windows server

Now I am able to add or remove records in dns (with samba tool and on Windows with the MMC-Snapin) and it looks very good. Now I think I just need to do some cleaning (removing dns entries for the replaced windows dc, etc).

Regards
Peter
[Samba] RPM building tools for Samba 4.0.3 on RHEL 6 published by me on Github
I've been spending some time backporting Samba 4.0.3 from Fedora 19 to RHEL 6, partly as proof of concept, partly to make it available to others. I've published my work at:

    https://github.com/nkadel/samba4repo/

The key RPM building tools are at:

    https://github.com/nkadel/samba-4.0.3-srpm/

And there are dependencies listed for libtalloc, libtevent, iniparser, etc. that I've also put up at https://github.com. It works in my basic testing, but I don't have a local set of Active Directory clients and servers to play with for full testing. This includes hooks for building all the components with mock, including notes on where to get the necessary components from github.com. The README.md from that directory is below.

I'm happy to make these as refined and idiot proof as anyone would like, since I'm between jobs right now, but I don't want to confuse anyone. I've also noticed that several dependencies, such as krb5-1.10, may be already available as part of RHEL 6.4 which was released *less than 24 hours ago*.

Wrapper for SRPM building tools for Samba 4 on RHEL 6.

These are rebuilt from Fedora rawhide releases, and need to be built and installed in the following order.

    samba4repo-6-x86_64.cfg - install in /etc/mock/
    samba4repo.repo - install in /etc/yum.repos.d/.

Then install and enable a yum repository on the local server, or a designated host, with this kind of layout:

    mkdir /var/www/linux
    mkdir /var/www/linux/samba4repo
    mkdir /var/www/linux/samba4repo/6
    mkdir /var/www/linux/samba4repo/6/x86_64
    createrepo /var/www/linux/samba4repo/6/x86_64
    mkdir /var/www/linux/samba4repo/6/SRPMS
    createrepo /var/www/linux/samba4repo/6/SRPMS

Set up symlinks for $releasever names in yum setups.

    ln -s -f -n 6 /var/www/linux/samba4repo/6.3
    ln -s -f -n 6 /var/www/linux/samba4repo/6Server

The make command will build all components. If they don't exist yet, they will be git cloned from https://github.com/nkadel/. The components there are somewhat interwoven with this samba4repo structure, so review it before building or deploying with it.

*** NOTE: The git repos at github.com do not include the tarballs ***

This is for basic security reasons: I do not want to become responsible for publishing the source code software for other people's components, and possibly getting hacked and corrupting your software. You'll need to get the tarballs manually, usually from the Source: locations designated in the .spec file.

make install will attempt to deploy them in a designated directory for yum repository access, run createrepo to get the packages listed, and clear away old mock configurations. createrepo --update and mock clean are somewhat unreliable in their behavior, so actually re-running createrepo and using rm -rf on the mock cache works better.

Samba 4.0.3 has strong dependencies on additional components that are not part of RHEL 6, or are not recent enough in RHEL 6, and need to be built and deployed for local compilation or for mock compilation. These dependencies are detailed in the Makefile, but include:

    iniparser
    krb5
    libtalloc
    libtdb
    libldb
    libtevent

Nico Kadel-Garcia nka...@gmail.com
Re: [Samba] Question marks, asterisks, colons in filenames
On Monday, 18 February 2013, 20:16:15, Ray wrote:

Hi,

I suppose this question must have been posted a hundred times, but Google brings up nothing useful:

Consider The Wall from Pink Floyd in an MP3 collection. There's In The Flesh.mp3 and In The Flesh?.mp3 as tracks. Or, another example in an MP3 collection: There's a Band called Stellar, but there's also a band called Stellar*.

Naming files like this is no problem in Linux. Now I had the idea of using my files on other computers such as Macs and Windows-boxes, but both Systems have trouble with the characters mentioned above.

My question is how Samba can help me to map these characters to something else so that the files become usable on the Windows/Mac side *without destroying the readability of the filenames entirely*. Hashing into 8.3 random character sequences with mangled names = yes is not really an option. What is the successor of the removed mangled map option? I did not find anything in the current man page of smb.conf (5).

I'm running Samba 3.5.10, which is the latest in CentOS 6.3. Surely there must be some elegant way to fix this? I don't want to rename all my files at the Linux end.

Any help would be very appreciated.

Cheers,
Raimund

Hi Raimund,

I guess you were the one to whom I was talking on IRC some days ago. I assured you to have a look at the source of VFS vfs_catia.c, because we were not able to get it working and it caught my interest, too.

Also there is nearly NO info on the web about the usage of this re-written vfs module - the samba man page is useless (only old usage info)

I now found the bug in vfs_catia.c and will push a fix soon.

See http://pastie.org/6313997 how it is working. One can specify translations for all invalid windows characters \ / : * ?| and even more ones.

I hope this is the one you were looking for. :-)

Cheers,
Günter
Re: [Samba] Question marks, asterisks, colons in filenames
On Friday, 22 February 2013, 04:18:33, Günter Kukkukk wrote:

On Monday, 18 February 2013, 20:16:15, Ray wrote:

Hi,

I suppose this question must have been posted a hundred times, but Google brings up nothing useful:

Consider The Wall from Pink Floyd in an MP3 collection. There's In The Flesh.mp3 and In The Flesh?.mp3 as tracks. Or, another example in an MP3 collection: There's a Band called Stellar, but there's also a band called Stellar*.

Naming files like this is no problem in Linux. Now I had the idea of using my files on other computers such as Macs and Windows-boxes, but both Systems have trouble with the characters mentioned above.

My question is how Samba can help me to map these characters to something else so that the files become usable on the Windows/Mac side *without destroying the readability of the filenames entirely*. Hashing into 8.3 random character sequences with mangled names = yes is not really an option. What is the successor of the removed mangled map option? I did not find anything in the current man page of smb.conf (5).

I'm running Samba 3.5.10, which is the latest in CentOS 6.3. Surely there must be some elegant way to fix this? I don't want to rename all my files at the Linux end.

Any help would be very appreciated.

Cheers,
Raimund

Hi Raimund,

I guess you were the one to whom I was talking on IRC some days ago. I assured you to have a look at the source of VFS vfs_catia.c, because we were not able to get it working and it caught my interest, too.

Also there is nearly NO info on the web about the usage of this re-written vfs module - the samba man page is useless (only old usage info)

I now found the bug in vfs_catia.c and will push a fix soon.

See http://pastie.org/6313997 how it is working. One can specify translations for all invalid windows characters \ / : * ?| and even more ones.

I hope this is the one you were looking for. :-)

Cheers,
Günter

sorry, just a follow up. I now used more invalid characters and also tried it with windows.

Linux and samba: http://pastie.org/6314301
Windows screenshot: http://picpaste.com/pics/vfs_catia-pcvuDc44.1361505596.JPG

Cheers,
Günter
Re: [Samba] Destroyed my samba4 domain
On Thu, 2013-02-21 at 22:28 +, Mario Giammarco wrote:
> Hello,
> I am using samba4 with zentyal distro.
> I am trying to have user homes mounted as W: and I am trying to use GPO.
> I have spurious permissions problems.
> I have fixed most of them with samba-tool ntacl sysvolreset
> But some users write files and cannot see them anymore to read.
> The biggest problem is that I have created group policies with Microsoft tools but they are not applied.
> I have looked at sysvol share and I cannot see logon dirs and my scripts so I suppose it is a permission problem.
> So I have given this command: samba-tool gpo aclcheck --fix and it has found around 1700 errors (I have more than 1000 users).

There is no --fix option to samba-tool gpo aclcheck. What does 'samba-tool ntacl sysvolcheck' give?

> But now permissions are wrong: microsoft tools do not recognize the domain anymore and I cannot browse it anymore with \\domainname.lan\
>
> Help me please!!! What can I do?

First, take a full backup. What about the options to fix the permissions as given by the AD tools?

> I forgot to say that I have two domain controllers based on zentyal.

Is this based on Samba 4.0.3, or if not, which version is it based on? Which file server are you using?

Depending on which file server you are using, see the --use-ntvfs and --use-s3fs options. We try to guess the right mode, but perhaps it was run in the wrong mode, or you have a patched Samba that gets this wrong? Does using a stock Samba from the 4.0.3 tarball work better?

I'm sorry I can't help much more right now, hopefully you can find a way to get back working.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba PDC not in network environment (Windows 7/8)
Jörg Nissen joerg at nissen.de.hm writes: Looks like I'm talking to myself all the time. Anyway, solved this small problem. Accidentally the parameter client use spnego was set to no during testing. Setting it back to yes made the client tools on the server behave normally. Still looking for help on my starting post.
Re: [Samba] Question marks, asterisks, colons in filenames
On Friday, 22 February 2013, 05:09:58, Günter Kukkukk wrote:
> On Friday, 22 February 2013, 04:18:33, Günter Kukkukk wrote:
> > On Monday, 18 February 2013, 20:16:15, Ray wrote:
> > > Hi,
> > >
> > > I suppose this question must have been posted a hundred times, but Google brings up nothing useful:
> > >
> > > Consider The Wall from Pink Floyd in an MP3 collection. There's In The Flesh.mp3 and In The Flesh?.mp3 as tracks. Or, another example in an MP3 collection: There's a Band called Stellar, but there's also a band called Stellar*. Naming files like this is no problem in Linux.
> > >
> > > Now I had the idea of using my files on other computers such as Macs and Windows-boxes, but both Systems have trouble with the characters mentioned above.
> > >
> > > My question is how Samba can help me to map these characters to something else so that the files become usable on the Windows/Mac side *without destroying the readability of the filenames entirely*. Hashing into 8.3 random character sequences with mangled names = yes is not really an option. What is the successor of the removed mangled map option? I did not find anything in the current man page of smb.conf (5). I'm running Samba 3.5.10, which is the latest in CentOS 6.3.
> > >
> > > Surely there must be some elegant way to fix this? I don't want to rename all my files at the Linux end.
> > >
> > > Any help would be very appreciated.
> > >
> > > Cheers,
> > > Raimund
> >
> > Hi Raimund,
> >
> > I guess you were the one to whom I was talking on IRC some days ago. I assured you to have a look at the source of VFS vfs_catia.c, because we were not able to get it working and it caught my interest, too. Also there is nearly NO info on the web about the usage of this re-written vfs module - the samba man page is useless (only old usage info).
> >
> > I now found the bug in vfs_catia.c and will push a fix soon. See http://pastie.org/6313997 how it is working. One can specify translations for all invalid windows characters \ / : * ? " < > | and even more ones.
> >
> > I hope this is the one you were looking for. :-)
> >
> > Cheers, Günter
>
> sorry, just a follow up.
>
> I now used more invalid characters and also tried it with windows.
>
> Linux and samba: http://pastie.org/6314301
> Windows screenshot: http://picpaste.com/pics/vfs_catia-pcvuDc44.1361505596.JPG
>
> Cheers, Günter

sorry, another follow-up...

I've posted a patch to https://lists.samba.org/archive/samba-technical/2013-February/090653.html

Until I've updated the manual page for vfs_catia, use the following in smb.conf:

Note - vfs objects = catia can be used in both the [global] and any other [share] section. Due to performance penalties I would not recommend to use it in [global], but that's up to the user.

Sample configuration:

[someshare]
vfs objects = catia
# mapping is done:
# hex unix char : hex windows char
# comma is used to separate char mappings
# The following will map all invalid windows filename chars:
# \ / : * ? " < > |
# (plus the blank char, not always allowed with legacy clients)
catia:mappings = 0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6,0x20:0xb1
#
# Unix chars:
# 0x22: "
# 0x2a: *
# 0x2f: /
# 0x3a: :
# 0x3c: <
# 0x3e: >
# 0x3f: ?
# 0x5c: \
# 0x7c: |
# 0x20: blank char
# Windows chars (not listed here) !

I hope this explains the usage. :-)

Cheers, Günter
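The `catia:mappings` value from the message above, worked through as an added example that is not part of the original post and is not Samba's code. It parses the `unix_hex:windows_hex` pairs, checks that the table is reversible and covers every character Windows rejects, and applies it to the file names from the thread. The function names are hypothetical, and treating each hex value as a Unicode code point is an assumption of this model.

```python
# Added illustration, not Samba source. Function names are hypothetical.
# The mapping string is copied from the sample configuration in the message.
MAPPINGS = ("0x22:0xa8,0x2a:0xa4,0x2f:0xf8,0x3a:0xf7,0x3c:0xab,"
            "0x3e:0xbb,0x3f:0xbf,0x5c:0xff,0x7c:0xa6,0x20:0xb1")

# Characters the message lists as invalid in Windows file names.
WINDOWS_INVALID = set('\\/:*?"<>|')


def parse_mappings(value):
    """Parse 'unix_hex:windows_hex,...' into {unix_char: windows_char}."""
    table = {}
    for pair in value.split(","):
        unix_hex, win_hex = pair.strip().split(":")
        unix_ch, win_ch = chr(int(unix_hex, 16)), chr(int(win_hex, 16))
        if unix_ch in table:
            raise ValueError(f"unix char {unix_hex} mapped twice")
        table[unix_ch] = win_ch
    # Two Unix characters sharing one target could not be mapped back.
    if len(set(table.values())) != len(table):
        raise ValueError("two unix chars share one windows char")
    # A target that Windows rejects would defeat the purpose of the mapping.
    if set(table.values()) & WINDOWS_INVALID:
        raise ValueError("a target char is itself invalid on Windows")
    return table


def to_windows(name, table):
    """Name as a client would see it under this model (Unix -> Windows)."""
    return name.translate(str.maketrans(table))


def to_unix(name, table):
    """Reverse direction: client-supplied name back to the on-disk name."""
    return name.translate(str.maketrans({w: u for u, w in table.items()}))


def unmapped_invalid(table):
    """Windows-invalid characters the table leaves untranslated."""
    return sorted(WINDOWS_INVALID - set(table))


if __name__ == "__main__":
    table = parse_mappings(MAPPINGS)
    for name in ("In The Flesh?.mp3", "Stellar*"):  # names from the thread
        print(repr(name), "->", repr(to_windows(name, table)))
    print("still unmapped:", unmapped_invalid(table))
```

Because the sample configuration also maps the blank character (0x20 to 0xb1), every space in a name is translated too; drop that pair if clients handle spaces.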
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.58-3-g158a1e8
The branch, 1.2.40 has been updated via 158a1e8d045c4b65dd3f52eb70535e446ec4fb48 (commit) via 9db4a482ac8910a3dd1d4109d156420ced3551b3 (commit) via c668d5d2d3111bd0e89159c432d191e09661435f (commit) from 44558223c2f83cafbe4ee63b4ce3d508dc7f0a02 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40 - Log - commit 158a1e8d045c4b65dd3f52eb70535e446ec4fb48 Author: Amitay Isaacs ami...@gmail.com Date: Fri Feb 22 12:28:56 2013 +1100 ctdbd: Remove the variable declaration shadowing earlier declaration Signed-off-by: Amitay Isaacs ami...@gmail.com commit 9db4a482ac8910a3dd1d4109d156420ced3551b3 Author: Amitay Isaacs ami...@gmail.com Date: Fri Feb 22 12:28:25 2013 +1100 ctdbd: Use the correct local variable to check status Signed-off-by: Amitay Isaacs ami...@gmail.com commit c668d5d2d3111bd0e89159c432d191e09661435f Author: Volker Lendecke v...@samba.org Date: Wed Feb 20 10:46:47 2013 +0100 ctdbd: Fix a struct initializer --- Summary of changes: server/ctdb_ltdb_server.c |2 +- server/ctdb_persistent.c |8 server/ctdb_tunables.c|2 +- 3 files changed, 6 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_ltdb_server.c b/server/ctdb_ltdb_server.c index dc93c3f..c9cf021 100644 --- a/server/ctdb_ltdb_server.c +++ b/server/ctdb_ltdb_server.c @@ -257,7 +257,7 @@ store: if (schedule_for_deletion) { int ret2; ret2 = ctdb_local_schedule_for_deletion(ctdb_db, header, key); - if (ret != 0) { + if (ret2 != 0) { DEBUG(DEBUG_ERR, (__location__ ctdb_local_schedule_for_deletion failed.\n)); } } diff --git a/server/ctdb_persistent.c b/server/ctdb_persistent.c index 5a31101..eb7f65d 100644 --- a/server/ctdb_persistent.c +++ b/server/ctdb_persistent.c 
@@ -477,13 +477,13 @@ static int ctdb_persistent_store(struct ctdb_persistent_write_state *state) ctdb_ltdb_fetch will unconditionally create a record */ if (state-flags UPDATE_FLAGS_REPLACE_ONLY) { - TDB_DATA rec; - rec = tdb_fetch(state-ctdb_db-ltdb-tdb, key); - if (rec.dsize == 0) { + TDB_DATA rec2; + rec2 = tdb_fetch(state-ctdb_db-ltdb-tdb, key); + if (rec2.dsize == 0) { talloc_free(tmp_ctx); continue; } - free(rec.dptr); + free(rec2.dptr); } /* fetch the old header and ensure the rsn is less than the new rsn */ diff --git a/server/ctdb_tunables.c b/server/ctdb_tunables.c index 4c7146e..a8e8e23 100644 --- a/server/ctdb_tunables.c +++ b/server/ctdb_tunables.c @@ -73,7 +73,7 @@ static const struct { { DeferredRebalanceOnNodeAdd, 300, offsetof(struct ctdb_tunable, deferred_rebalance_on_node_add) }, { RecoverPDBBySeqNum, 1, offsetof(struct ctdb_tunable, recover_pdb_by_seqnum) }, { FetchCollapse, 1, offsetof(struct ctdb_tunable, fetch_collapse) }, - { PullDBPreallocation, 10*1024*1024, offsetof(struct ctdb_tunable, pulldb_preallocation_size), false }, + { PullDBPreallocation, 10*1024*1024, offsetof(struct ctdb_tunable, pulldb_preallocation_size) }, }; /* -- CTDB repository
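Review bot: In the server/ctdb_ltdb_server.c hunk, the failure branch under `if (ret2 != 0)` only logs at DEBUG_ERR and then drops `ret2`, so the caller of the store path never learns that scheduling the deletion failed. If that is intentional, a short comment saying the failure is non-fatal would prevent the next reader from "fixing" it back to `ret`; it would also help to include the value of `ret2` in the log message. Declaring and assigning in one statement (`int ret2 = ctdb_local_schedule_for_deletion(...)`) would make it harder to test the wrong variable again.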
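Review bot: In the server/ctdb_persistent.c hunk, the `rec2.dsize == 0` branch reaches `continue` after `talloc_free(tmp_ctx)` without calling `free(rec2.dptr)`. If `tdb_fetch` can hand back an allocated buffer for an empty record, that path leaks it; since `free(NULL)` is harmless, freeing before the size check would be safe either way. The name `rec2` removes the shadowing but says nothing about purpose; something like `existing` would document that this fetch only tests whether the record is already present.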
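Review bot: The commit message for the server/ctdb_tunables.c hunk ("Fix a struct initializer") does not say why the trailing `false` in the `PullDBPreallocation` row is wrong on this branch. The neighbouring rows visible in the hunk all carry three initializers, so the row now matches them, but the message should state whether the struct here lacks a fourth member (a build or warning fix) or the value was merely redundant, so that anyone comparing branches knows whether the change must travel with other backports. Unlike the other two commits in this push, this one also has no Signed-off-by line.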