Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

2013-02-26 Thread Andrew Bartlett
On Tue, 2013-02-26 at 13:36 +0200, Pekka L.J. Jalkanen wrote:
> On Sat, 2013-02-16 Andrew Bartlett wrote:
> > On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
> >> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
> >> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
> >> > > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
> >> > > (but do nothing after make install)? If it will make things worse in any
> >> > > way, I can stay at 4.0.0. Thanks, Thomas.
> >> > 
> >> > It's fine to upgrade.  That protects you against the security issue we
> >> > fixed in 4.0.1, and makes a significant number of other fixes.
> >> 
> >> My current testing shows that:
> >> 
> >> samba_upgradeprovision --full
> >> dbcheck --cross-ncs [--fix [--yes]]
> >> 
> >> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
> >> LDAP object.  The --full is important, without that the result is
> >> actually worse (as far as I can tell).
> >> 
> >> I would like to make some progress on this before I recommend it as the
> >> final solution.
> >> 
> >> It is however pretty close, and better than what is in the database
> >> right now.  
> > 
> > I retract any advice to run this tool.  I hope to have patches soon, but
> > for the moment it treats any beta or release version as being *before*
> > alpha9.  Essentially we have been caught out by a regex that never
> > expected Samba to move beyond endless alphas :-)
> > 
> > Please do not run samba_upgradeprovision under any circumstances, until
> > I have tested patches to fix this. 
> 
> Since the discussion on samba-technical gave somehow mixed
> recommendations about whether it should be run or not, I had attempted
> to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. 

NO!  At this point I've tried to be very clear, and I'm not sure what
part of what I've said above was not clear. 

Who suggested you should run this tool?

> I figured out that as I'm having some problems with my group policies
> anyway, and am not generally using them, it shouldn't hurt too much.
> (Back then, I had missed this thread, as I had mistakenly only followed
> the samba-technical list.)
> 
> Here are my experiences:
> 
> First, the command failed with python errors because I don't run DNS in
> my AD, and as such didn't have DnsAdmins group. I then went on to create
> the said group.
> 
> Second, it asked me to run the following command, and then re-run it:
> "ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"
> 
> I ran it. Don't know exactly what it did, but I didn't get any errors.
> 
> Third, it finally didn't run at all, as it stated that multiple DC
> setups aren't supported. This wasn't stated anywhere in advance. The
> command doesn't have a manpage, and "--help" switch doesn't give any
> clue what the command is actually supposed to do.

This is an extra safety check we added.  But the lack of clear
documentation on this is one of the many reasons why I'm now of a mind
to remove this tool until it meets these and many other standards. 

> So in the end I didn't run it at all, as it can only be run in single DC
> setups. But I did run the ldbadd command, and don't know how serious
> a mistake that was.
> 
> Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
> unlike in 4.0.0, it didn't manage to fix everything:
> 
> Checking 3378 objects
> ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site? [y/N/all/none] all
> Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain
> Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65,
> "objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on
> entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site'
> wasn't specified!")
> ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site, should be 4
> Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site? [YES]
> Failed to correct missing instanceType on CN=RID
> Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting
> instanceType=4 : (65, "objectclass_attrs: at least one mandatory
> attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site' wasn't specified!")
> Checked 3378 objects (0 errors)

This is a concern, and looks like it was initially due to an incorrect
implementation of the instanceType check in the dbcheck shipped with
4.0.0, after your domain was imported from a Windows 2000 level domain. 

Can you give me some more detail on this history of this domain?

It is more of a worry that it can't fix it - but this might be due to us
missing some special case logic that needs to be applied around the Rid
Set objects. 
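
The version check described in the quoted text above (any beta or release treated as being before alpha9) can be illustrated as follows. This is an added example, not code from samba_upgradeprovision or from this thread; the function names, the version-string layout and the stage ordering are assumptions made for the illustration.

```python
import re

# Constructed stand-in for the kind of check described in the thread: it only
# understands "alphaN" and silently assumes "old" when the pattern is absent.
_ALPHA_ONLY = re.compile(r"alpha(\d+)")


def naive_is_pre_alpha9(version):
    """Alpha-only check: misclassifies every beta, rc and final release."""
    m = _ALPHA_ONLY.search(version)
    if m is None:
        return True  # the failure mode: "no alpha tag" is read as "ancient"
    return int(m.group(1)) < 9


# Assumed ordering of pre-release stages; a version without a stage tag is a
# final release and sorts after every pre-release of the same x.y.z.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(alpha|beta|rc)(\d+))?")


def parse_version(version):
    """Turn 'x.y.z[stageN]' into a tuple that compares in release order.

    Raises ValueError on anything unrecognised, so a tool that rewrites
    directory ACLs refuses to guess instead of picking the oldest code path.
    """
    m = _VERSION.search(version)
    if m is None:
        raise ValueError("unrecognised version string: %r" % version)
    major, minor, patch, stage, number = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE_RANK[stage], int(number or 0))


def is_pre_alpha9(version, threshold="4.0.0alpha9"):
    """Full ordering: alpha < beta < rc < release, then numeric compare."""
    return parse_version(version) < parse_version(threshold)


if __name__ == "__main__":
    # Constructed sample version strings.
    for v in ("4.0.0alpha8", "4.0.0alpha9", "4.0.0beta2", "4.0.0rc1", "4.0.3"):
        print("%-12s naive=%-5s ordered=%s"
              % (v, naive_is_pre_alpha9(v), is_pre_alpha9(v)))
```
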

Re: [Samba] Security: ads - "net ads user" works, "wbinfo -u" does not

2013-02-26 Thread Vladimir Levijev
On 6 February 2013 01:24, Vladimir Levijev wrote:

>> I have Debian Squeeze running Samba being a member of the domain (PDC
>> and BDC are Windows servers) and it's users are authenticated against
>> AD using winbind for years.
>>
>> Now there is a need to setup another virtual Debian box exactly like
>> that. So the name of the first is STUDENT, I named the virtual
>> STUDENT2. I'm trying to set up the virtual box exactly the same, using
>> exactly the same configs (smb.conf, krb5.conf) as on the working box,
>> but this is what I get:
>>
>> STUDENT2, I can:
>> - create kerberos tickets (kinit Administrator@FOO.LOCAL)
>> - list kerberos tickets (klist)
>> - join the domain (net ads join -U Administrator)
>>   Here I get next output:
>> Using short domain name -- FOO
>> Joined 'STUDENT2' to realm 'FOO.Local'
>> DNS update failed!
>>   But as I understand the last message is not something to worry about.
>> - (here I start samba, then winbind)
>>
>> And at this point a strange thing happens. I cannot get domain users
>> using wbinfo (wbinfo -u returns nothing) but I get them all using "net
>> ads user -U Administrator". Of course, "getent passwd" lists only
>> local users too.
>>
>> I believe my winbind is not working properly. Here are the questions:
>>
>> 1). How to effectively debug why wbinfo is acting this way?
>> 2). Could the problem be because of 2 machines conflicting because of
>> one letter difference (STUDENT vs STUDENT2)?
>>
>> I can't delete the first box from domain in order to test it as it's
>> in production.
>>
>> STUDENT2 details:
>> - Debian Squeeze up-to-date (6.0.6)
>> - standard repo packages: # dpkg -l '*samba*' '*winbind*' | grep ^ii
>>   ii  samba  2:3.5.6~dfsg-3squeeze9
>>   ii  samba-common   2:3.5.6~dfsg-3squeeze9
>>   ii  samba-common-bin   2:3.5.6~dfsg-3squeeze9
>>   ii  winbind  2:3.5.6~dfsg-3squeeze9
>> - # wbinfo -p
>> Ping to winbindd succeeded
>>
>> PDC and BDCs are running Windows Server 2008 R2.
>>
>> I can post the configs in case it helps. However I feel like I have
>> tried all the possible variations of the configs (from so many good
>> howto's) with no effect at all.
>
> More info.
>
> STUDENT:
> # wbinfo -D foo
> Name              : FOO
> Alt_Name          : FOO.Local
> SID               : S-1-5-21-831812219-1424057545-2139100090
> Active Directory  : Yes
> Native            : Yes
> Primary           : Yes
>
> STUDENT2:
> # wbinfo -D foo
> Name              : FOO
> Alt_Name          : FOO.LOCAL
> SID               : S-1-5-21-831812219-1424057545-2139100090
> Active Directory  : No
> Native            : No
> Primary           : Yes
>
> Firstly, why is Alt_Name different (both boxes have identical configs)
> and where does it come from exactly?
> And secondly, what do "Active Directory", "Native" and "Primary" mean?

OK, just for those that will encounter the same problem, port 445 from
the Linux box running Samba to Active Directory was blocked by a firewall.

Cheers,

VL
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
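
One way to confirm the cause reported above (TCP port 445 from the Samba member to the domain controllers blocked by a firewall) is to probe the ports from the member itself. This is an added example, not part of the original post; only port 445 comes from the thread, while the other two ports and all function names are assumptions.

```python
import socket
import sys

# Only 445 is named in the thread; 88 and 389 are the standard Kerberos and
# LDAP ports, added here as an assumption about what a domain member needs.
AD_PORTS = {88: "kerberos", 389: "ldap", 445: "smb"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'.

    'refused' means the host answered with a reset (nothing listening);
    'filtered' means no answer or an unreachable error, which is what a
    dropping firewall between member and DC usually looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts, unreachable network, name resolution failure
        return "filtered"


def check_dc(host, ports=AD_PORTS, timeout=2.0, prober=probe):
    """Probe every port in `ports` on one DC; returns {service: state}."""
    return {name: prober(host, port, timeout) for port, name in ports.items()}


def summarize(results):
    """Return the services that are not reachable, sorted by name."""
    return sorted(name for name, state in results.items() if state != "open")


def main(argv):
    if len(argv) < 2:
        print("usage: check_dc_ports.py DC_HOST [DC_HOST ...]")
        return 2
    failed = False
    for dc in argv[1:]:
        results = check_dc(dc)
        for name, state in sorted(results.items()):
            print("%-30s %-10s %s" % (dc, name, state))
        blocked = summarize(results)
        if blocked:
            failed = True
            print("%s: not reachable: %s" % (dc, ", ".join(blocked)))
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the member against every PDC and BDC, since a firewall rule may cover only some of them.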


Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Andrew Bartlett
On Tue, 2013-02-26 at 18:16 +0200, Pekka L.J. Jalkanen wrote:
> True, webservers can authenticate against AD in a similar fashion to
> other LDAPs. But that's not the whole story.
> 
> The thing is that Samba 4 is designed from the ground up with AD in mind,
> and AD itself has been designed with workstation authentication and NT4
> client compatibility in mind. All this adds a lot of complexity to the
> system--and to the schema itself--that isn't in my opinion really
> beneficial. Also, manually editing the AD schema, and especially removing
> objectclasses and/or attributes from the default schema, is generally
> regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
> but that isn't an option with Samba (which is perfectly understandable,
> as on Linux, unlike Windows, there are many alternatives).
> 
> However, after a lot of googling it appears that there should be a way
> to make OpenLDAP accept simple binds both with and without kerberos
> backing, using SASL as an authentication vehicle:
> http://www.openldap.org/lists/openldap-software/201002/threads.html#3
> 
> Perhaps I'll try that route.

So to avoid your perceived complexity of the Samba 4.0 AD DC, you
instead want to build a private and even more complex arrangement with
synchronisation between multiple directories?

Anyway, currently the only way to get a cleartext password out of Samba
4.0 as an AD DC is to permit storage of cleartext passwords in the
password policy and set it per-user.  Then a tool (not yet written)
could extract these from Samba.

However, I'm well aware of demand for better password handling,
particularly for users who need to sync with Google Docs (this comes up
quite often), so I'm planning (at some point) on adding a mode where we
expose somehow a more standard password hash, or provide a 'hook' that
sends cleartext passwords to some ongoing listener process (like the old
password sync scripts).  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Cross-subnet browsing with LMBs + remote browse sync + samba4WINS

2013-02-26 Thread TAKAHASHI Motonobu
From: vagy 
Date: Tue, 26 Feb 2013 09:08:57 +0200

>>> Btw how did you examine it? Did you setup a test lab
>>> that implements the setup as i described it?
>>
>> - Setup 2 subnets connected via a router
>> - Setup 2 Samba box in each subnet, each smb.conf is like
>>
>> -
>> [global]
>>   workgroup = SAMBAxx
>>   domain master = yes
>>   wins support = yes
>>   remote browse sync = x.x.x.x
>> --
>>
>> - x.x.x.x means the IP address of another peer.
>> - SAMBAxx means the unique workgroup name (for example SAMBA01 and SAMBA02)
>>
>> Then, each Samba box exchanges its browse list.
>>
>> ---
>> TAKAHASHI Motonobu  / @damemonyo
>>    facebook.com/takahashi.motonobu
> 
> Hi Takahashi,
> 
> that's very interesting and is a fallback scenario in case
> samba4WINS doesn't work. Maybe the need for a DMB comes
> from the fact that you used two different workgroups?
> What if workgroup=SAME in both smb.conf?

I used two different workgroups. One is SAMBA01, the other is SAMBA02.

If I use same workgroup name, then they should be recognized as a domain.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu



Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Gregory Sloop
>> PLJJ> I know that if I were running a Windows AD, I could most likely
>> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
>> PLJJ> DS-provided Password Sync Service (see
>> PLJJ> 
>> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
>> PLJJ> for more information).
>> 
>> This is way over my head, in terms of expertise - but since the AD
>> should function identically to the Windows AD setup, it may well work
>> just fine, even though the back-end isn't a Windows AD box, but a
>> Samba4 AD.

PLJJ> Read the guide on the page that I linked. The said Password Sync Service
PLJJ> is a Windows application. It installs a new password filtering DLL and a
PLJJ> system service to a Windows DC.

PLJJ> Samba, on the other hand, hardly runs on Windows. And even if it can be
PLJJ> run (by compiling under Cygwin, perhaps?) it would be rather pointless.


Sorry, I missed that - I did do a very cursory scan and didn't see
anything Windows specific. Guess that's what happens when you scan a
little too quickly/lightly.



Re: [Samba] some DNS trouble ...

2013-02-26 Thread Ricky Nance
Correct me if I am wrong, but isn't it dns forwarder = (not dns forwarderS)?
Run your config through samba-tool testparm and see if it complains.

Ricky


On Tue, Feb 26, 2013 at 9:11 AM, Gregory Sloop wrote:

>
> mmgc> Well … just found that the options
> mmgc> server role
> mmgc> dns recursive queries
> mmgc> dns forwarders
>
> mmgc> are ignored … hmmm … well … does anyone know how to achieve the
> mmgc> desired behavior without these options ?
>
> Perhaps I don't understand what's going on - but are you sure your DNS
> forwarder *IS* working properly? Because if the forwarder wasn't
> servicing the DNS queries, then it would *look* like [dns forwarders]
> wasn't working.
>
> This came up in another thread in the last week. Make sure the DNS
> server specified in the [dns forwarders] is actually serving DNS
> queries for the AD host in question.
>
> It's common for BIND to be locked down so it will handle local
> queries for all requests, or remote queries for zones it's "auth" for
> - but not to handle remote requests for non-auth zones.
>
> [See listen-on and allow-query in BIND docs, among other things.]


Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Pekka L.J. Jalkanen
On 26.2.2013 17:16, Gregory Sloop wrote:
> 
> 
> PLJJ> I know that if I were running a Windows AD, I could most likely
> PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
> PLJJ> DS-provided Password Sync Service (see
> PLJJ> 
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> PLJJ> for more information).
> 
> This is way over my head, in terms of expertise - but since the AD
> should function identically to the Windows AD setup, it may well work
> just fine, even though the back-end isn't a Windows AD box, but a
> Samba4 AD.

Read the guide on the page that I linked. The said Password Sync Service
is a Windows application. It installs a new password filtering DLL and a
system service to a Windows DC.

Samba, on the other hand, hardly runs on Windows. And even if it can be
run (by compiling under Cygwin, perhaps?) it would be rather pointless.


Pekka L.J. Jalkanen



Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Pekka L.J. Jalkanen
True, webservers can authenticate against AD in a similar fashion to
other LDAPs. But that's not the whole story.

The thing is that Samba 4 is designed from the ground up with AD in mind,
and AD itself has been designed with workstation authentication and NT4
client compatibility in mind. All this adds a lot of complexity to the
system--and to the schema itself--that isn't in my opinion really
beneficial. Also, manually editing the AD schema, and especially removing
objectclasses and/or attributes from the default schema, is generally
regarded as a big no-no. If I'd have to do this with AD, I'd use AD LDS,
but that isn't an option with Samba (which is perfectly understandable,
as on Linux, unlike Windows, there are many alternatives).

However, after a lot of googling it appears that there should be a way
to make OpenLDAP accept simple binds both with and without kerberos
backing, using SASL as an authentication vehicle:
http://www.openldap.org/lists/openldap-software/201002/threads.html#3

Perhaps I'll try that route.


Pekka L.J. Jalkanen

On 26.2.2013 16:13, Daniel Müller wrote:
> Apache can authenticate against samba4 ads the same way as if it were
> openldap.
> http://wiki.samba.org/index.php/Samba4/beyond
> 
> Good Luck
> Daniel
> 
> ---
> IT Daniel Müller
> 
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> 
> Tel.: 07071/206-463, Fax: 07071/206-499
> Email: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> Behalf Of Pekka L.J. Jalkanen
> Sent: Tuesday, 26 February 2013 15:01
> To: samba@lists.samba.org
> Subject: [Samba] Synchronising password of some AD users with an external
> LDAP?
> 
> I'm in a situation where I should establish an external (i.e. non-AD) LDAP
> directory for my employer for various web-based authentication purposes. I
> don't think that Samba--or Windows AD, for that matter--in and itself would
> be the best tool for this purpose; so far I've been reviewing 389 DS,
> ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision
> yet.
> 
> Now however, it would be beneficial, even if not strictly speaking
> necessary, if I could automatically synchronise the passwords of certain
> accounts between that LDAP and our AD; most sensible solution here would
> probably be to do it between the LDAP users having a corresponding AD
> account belonging to a specific AD OU. Other than passwords, the accounts
> and their attributes themselves should stay separate.
> 
> I know that if I were running a Windows AD, I could most likely accomplish
> what I want with--if nothing else--the 389 DS by using DS-provided Password
> Sync Service (see
> https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
> for more information).
> 
> However, our goal is to completely migrate our AD to Samba 4, so committing
> to any software that depends on the continued availability of a Windows DC
> simply won't do.
> 
> How could I accomplish this synchronisation with Samba 4? Can anyone nudge
> me to the right direction? Or is it possible at all?
> 
> 
> Pekka L.J. Jalkanen


Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Gregory Sloop


PLJJ> I know that if I were running a Windows AD, I could most likely
PLJJ> accomplish what I want with--if nothing else--the 389 DS by using
PLJJ> DS-provided Password Sync Service (see
PLJJ> 
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
PLJJ> for more information).

This is way over my head, in terms of expertise - but since the AD
should function identically to the Windows AD setup, it may well work
just fine, even though the back-end isn't a Windows AD box, but a
Samba4 AD.



Re: [Samba] some DNS trouble ...

2013-02-26 Thread Gregory Sloop

mmgc> Well … just found that the options
mmgc> server role
mmgc> dns recursive queries
mmgc> dns forwarders

mmgc> are ignored … hmmm … well … does anyone know how to achieve the
mmgc> desired behavior without these options ?

Perhaps I don't understand what's going on - but are you sure your DNS
forwarder *IS* working properly? Because if the forwarder wasn't
servicing the DNS queries, then it would *look* like [dns forwarders]
wasn't working.

This came up in another thread in the last week. Make sure the DNS
server specified in the [dns forwarders] is actually serving DNS
queries for the AD host in question.

It's common for BIND to be locked down so it will handle local
queries for all requests, or remote queries for zones it's "auth" for
- but not to handle remote requests for non-auth zones.

[See listen-on and allow-query in BIND docs, among other things.]



Re: [Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Daniel Müller
Apache can authenticate against samba4 ads the same way as if it were
openldap.
http://wiki.samba.org/index.php/Samba4/beyond

Good Luck
Daniel

---
IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
Email: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Pekka L.J. Jalkanen
Sent: Tuesday, 26 February 2013 15:01
To: samba@lists.samba.org
Subject: [Samba] Synchronising password of some AD users with an external
LDAP?

I'm in a situation where I should establish an external (i.e. non-AD) LDAP
directory for my employer for various web-based authentication purposes. I
don't think that Samba--or Windows AD, for that matter--in and itself would
be the best tool for this purpose; so far I've been reviewing 389 DS,
ApacheDS, OpenDJ and plain old OpenLDAP, but have made no final decision
yet.

Now however, it would be beneficial, even if not strictly speaking
necessary, if I could automatically synchronise the passwords of certain
accounts between that LDAP and our AD; most sensible solution here would
probably be to do it between the LDAP users having a corresponding AD
account belonging to a specific AD OU. Other than passwords, the accounts
and their attributes themselves should stay separate.

I know that if I were running a Windows AD, I could most likely accomplish
what I want with--if nothing else--the 389 DS by using DS-provided Password
Sync Service (see
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
for more information).

However, our goal is to completely migrate our AD to Samba 4, so committing
to any software that depends on the continued availability of a Windows DC
simply won't do.

How could I accomplish this synchronisation with Samba 4? Can anyone nudge
me to the right direction? Or is it possible at all?


Pekka L.J. Jalkanen



[Samba] Synchronising password of some AD users with an external LDAP?

2013-02-26 Thread Pekka L.J. Jalkanen
I'm in a situation where I should establish an external (i.e. non-AD)
LDAP directory for my employer for various web-based authentication
purposes. I don't think that Samba--or Windows AD, for that matter--in
and itself would be the best tool for this purpose; so far I've been
reviewing 389 DS, ApacheDS, OpenDJ and plain old OpenLDAP, but have made
no final decision yet.

Now however, it would be beneficial, even if not strictly speaking
necessary, if I could automatically synchronise the passwords of certain
accounts between that LDAP and our AD; most sensible solution here would
probably be to do it between the LDAP users having a corresponding AD
account belonging to a specific AD OU. Other than passwords, the
accounts and their attributes themselves should stay separate.

I know that if I were running a Windows AD, I could most likely
accomplish what I want with--if nothing else--the 389 DS by using
DS-provided Password Sync Service (see
https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Windows_Sync-Configuring_Windows_Sync.html
for more information).

However, our goal is to completely migrate our AD to Samba 4, so
committing to any software that depends on the continued availability of
a Windows DC simply won't do.

How could I accomplish this synchronisation with Samba 4? Can anyone
nudge me to the right direction? Or is it possible at all?


Pekka L.J. Jalkanen



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Tris Mabbs
> What I was getting at about the full name is that if this was a odd character 
> encoding issue, knowing that this was a user with non-ascii full name would 
> be an important data point.  

Yes, I see what you mean.
No, neither the full username, nor the login name, contain anything other than 
Good 'Ole ASCII.

> See, the PAC is much more than just SIDs, it is a lot of different bits of 
> information that a user needs to log in to a desktop, or (less so) to operate 
> against a file server.

I can see I'm going to have to look into the contents of the PAC in a bit more 
detail.  Although I have some familiarity with Kerberos, I've not had to dig 
into a PAC before; so far as I was aware it was mainly supplemental group 
membership, and similar information - obviously there's more in there than I 
was aware of.
Still, a day where something is learned is never a day wasted - it will be 
interesting to have a dig!

> The key password in this case isn't the user's password (it isn't involved), 
> but the machine account password of the server.  

Sorry, yes - I meant that I had no problem sending you any data which might be 
contained in any WireShark capture; as you pointed out, any password can easily 
be changed (including the Samba machine account password on the AD server).  
Apologies for not being clearer.

> Andrew Bartlett

Once again, many thanks - I'll update you when I have anything useful.

Tris Mabbs.



Re: [Samba] Recommended Upgrade technique for 4.0.3 (was Re: Should I run dbcheck and sysvolreset when upgrading 4.0.0 to 4.0.3?)

2013-02-26 Thread Pekka L.J. Jalkanen
On Sat, 2013-02-16 Andrew Bartlett wrote:
> On Sat, 2013-02-16 at 12:55 +1100, Andrew Bartlett wrote:
>> On Fri, 2013-02-15 at 12:52 +1100, Andrew Bartlett wrote:
>> > On Thu, 2013-02-14 at 20:50 -0500, Thomas Simmons wrote:
>> > > Thank you, Andrew. Just to be clear, you're saying I can upgrade to 4.0.3
>> > > (but do nothing after make install)? If it will make things worse in any
>> > > way, I can stay at 4.0.0. Thanks, Thomas.
>> > 
>> > It's fine to upgrade.  That protects you against the security issue we
>> > fixed in 4.0.1, and makes a significant number of other fixes.
>> 
>> My current testing shows that:
>> 
>> samba_upgradeprovision --full
>> dbcheck --cross-ncs [--fix [--yes]]
>> 
>> Will break some ACLs on DNS, and not fix one of the ACLs on the DC's own
>> LDAP object.  The --full is important, without that the result is
>> actually worse (as far as I can tell).
>> 
>> I would like to make some progress on this before I recommend it as the
>> final solution.
>> 
>> It is however pretty close, and better than what is in the database
>> right now.  
> 
> I retract any advice to run this tool.  I hope to have patches soon, but
> for the moment it treats any beta or release version as being *before*
> alpha9.  Essentially we have been caught out by a regex that never
> expected Samba to move beyond endless alphas :-)
> 
> Please do not run samba_upgradeprovision under any circumstances, until
> I have tested patches to fix this. 

Since the discussion on samba-technical gave somehow mixed
recommendations about whether it should be run or not, I had attempted
to run it anyway, when I upgraded my installation from 4.0.0 to 4.0.3. I
figured out that as I'm having some problems with my group policies
anyway, and am not generally using them, it shouldn't hurt too much.
(Back then, I had missed this thread, as I had mistakenly only followed
the samba-technical list.)

Here are my experiences:

First, the command failed with python errors because I don't run DNS in
my AD, and as such didn't have DnsAdmins group. I then went on to create
the said group.

Second, it asked me to run the following command, and then re-run it:
"ldbadd -H /usr/local/samba/private/sam.ldb /tmp/usnprovTuWu85dif"

I ran it. Don't know exactly what it did, but I didn't get any errors.

Third, it finally didn't run at all, as it stated that multiple DC
setups aren't supported. This wasn't stated anywhere in advance. The
command doesn't have a manpage, and "--help" switch doesn't give any
clue what the command is actually supposed to do.

So in the end I didn't run it at all, as it can only be run in single DC
setups. But I did run the ldbadd command, and don't know how serious
a mistake that was.

Afterwards, I tried to run "samba-tool dbcheck --cross-ncs --fix", and
unlike in 4.0.0, it didn't manage to fix everything:

Checking 3378 objects
ERROR: wrong instanceType 0 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site? [y/N/all/none] all
Failed to correct missing instanceType on CN=RID Set,CN=W2K3DC,OU=Domain
Controllers,DC=mydomain,DC=site by setting instanceType=4 : (65,
"objectclass_attrs: at least one mandatory attribute ('rIDNextRID') on
entry 'CN=RID Set,CN=W2K3DC,OU=Domain Controllers,DC=mydomain,DC=site'
wasn't specified!")
ERROR: wrong instanceType 0 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site, should be 4
Change instanceType from 0 to 4 on CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site? [YES]
Failed to correct missing instanceType on CN=RID
Set,CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site by setting
instanceType=4 : (65, "objectclass_attrs: at least one mandatory
attribute ('rIDNextRID') on entry 'CN=RID Set,CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site' wasn't specified!")
Checked 3378 objects (0 errors)

Don't know if I should be worried about these errors, though, or whether
they have anything to do with my mistaken ldbadd command.


Pekka L.J. Jalkanen


Re: [Samba] Samba wiki

2013-02-26 Thread Björn JACKE
On 2013-02-24 at 19:35 +0100 Andreas Gaiser/L sent off:
> I think there is a bug in the MediaWiki installation with Pages containing
> a "&" in the title.
> 
> Example: https://wiki.samba.org/index.php/Samba_%26_Active_Directory
> 
> This link doesn't work despite appearing on many pages, like
> https://wiki.samba.org/index.php/Category:Category_Integration
> 
> Wherever it is linked, it looks like an existing page (blue link).
> Even when searching for the Page title, I get an excerpt and the link.

what a great idea to put a "&" in a path name of a URL. That one works again
but I guess sooner or later it will break again. Maybe we'll rename that beast
later.

Thanks for your error report.

Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  ☎ +49-551-37-0, ℻ +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Andrew Bartlett
On Tue, 2013-02-26 at 11:22 +, Tris Mabbs wrote:
> Wow.
> 
> Hiya Andrew,
> 
> OK, this sounds like a very promising approach, and potentially saves me 
> working through a large number of "git bisect"s (as also most helpfully 
> suggested by Michael Wood) - so far, I'm right back into the beta code and 
> there have been a lot of commits since then...
> 
> I'm not easily in a position to set up a test domain for this, but I have no 
> problem with your suggestion of capturing on the live domain and sending to 
> you (especially since changing the password doesn't affect the issue).  Or of 
> dumping the information and decoding the PAC using "ndrdump" (wasn't aware of 
> that).
> 
> I'll work through your suggestions and see if I can get anywhere; when I 
> reach a stage where I can't figure it out any further I'll send you what I've 
> got.  Any useful conclusions that don't contain sensitive information, I'll 
> put back onto this thread in case they're of use to anyone else as well.
> 
> It will probably take me a few days to get anywhere useful, as I can only 
> really poke this out of normal working hours.  So if there's no update for a 
> few days, please don't think that means I've stopped.
> 
> BTW, to answer your question, access is based on the username not the full 
> name (haven't tried that, which in itself is an interesting point - not sure 
> whether that would affect it as presumably that just forms an alternative 
> mapping back to the underlying internal AD entity, but ...).
> 
> Many thanks, I'll update as soon as I can.

What I was getting at about the full name is that if this was an odd
character encoding issue, knowing that this was a user with non-ASCII
full name would be an important data point.  

See, the PAC is much more than just SIDs, it is a lot of different bits
of information that a user needs to log in to a desktop, or (less so) to
operate against a file server.

The key password in this case isn't the user's password (it isn't
involved), but the machine account password of the server.  

Once you get this PAC isolated, you won't have to work on your
production server BTW, just on a development box. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Tris Mabbs
Wow.

Hiya Andrew,

OK, this sounds like a very promising approach, and potentially saves me 
working through a large number of "git bisect"s (as also most helpfully 
suggested by Michael Wood) - so far, I'm right back into the beta code and 
there have been a lot of commits since then...

I'm not easily in a position to set up a test domain for this, but I have no 
problem with your suggestion of capturing on the live domain and sending to you 
(especially since changing the password doesn't affect the issue).  Or of 
dumping the information and decoding the PAC using "ndrdump" (wasn't aware of 
that).

I'll work through your suggestions and see if I can get anywhere; when I reach 
a stage where I can't figure it out any further I'll send you what I've got.  
Any useful conclusions that don't contain sensitive information, I'll put back 
onto this thread in case they're of use to anyone else as well.

It will probably take me a few days to get anywhere useful, as I can only 
really poke this out of normal working hours.  So if there's no update for a 
few days, please don't think that means I've stopped.

BTW, to answer your question, access is based on the username not the full name 
(haven't tried that, which in itself is an interesting point - not sure whether 
that would affect it as presumably that just forms an alternative mapping back 
to the underlying internal AD entity, but ...).

Many thanks, I'll update as soon as I can.

Cheers!

Tris.

-----Original Message-----
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: 26 February 2013 11:05
To: Tris Mabbs
Cc: samba@lists.samba.org
Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: 
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 
2008 R2" domain, "Server 2008" functional level forest).

On Mon, 2013-02-25 at 11:51 +, Tris Mabbs wrote:
> Hello,
>...
> When accessing our main server using that account, "smbd" always 
> reports "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has 
> come from "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", 
> trying to use NDR to pull a blob from the Kerberos ticket (that's 
> reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
>...

'Clearly' (as in, clear as mud, but the general direction to look at) either 
the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal 
is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being 
re-created.  Is this triggered on their full or user name?

Does this happen if you set up a new testing domain?  If so, what would be 
really, really helpful would be a network capture including the server keytab.  
(Or if you don't mind, and change the server password after, on your live 
domain to me personally).

The procedure you or I will need to follow is to extract the decrypted 'PAC'.  
You could do this either from wireshark (export selected packet bytes, after 
running wireshark -k /tmp/server.keytab), or by patching the code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t length)

somewhere near auth3_generate_session_info_pac()

Then, using that file, run 

bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and the C 
helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org





Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Andrew Bartlett
On Mon, 2013-02-25 at 11:51 +, Tris Mabbs wrote:
> Hello,
> 
>  
> 
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
> 
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
> 
>  
> 
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
> 
>  
> So can anyone suggest any way forward to resolve this please?  It would
> appear that something is incorrectly being decoded somewhere, so it's
> probably to everyone's advantage to get this sorted out - I know it would
> certainly be to mine :-)

'Clearly' (as in, clear as mud, but the general direction to look at) either 
the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal 
is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being
re-created.  Is this triggered on their full or user name?

Does this happen if you set up a new testing domain?  If so, what would
be really, really helpful would be a network capture including the
server keytab.  (Or if you don't mind, and change the server password
after, on your live domain to me personally).

The procedure you or I will need to follow is to extract the decrypted
'PAC'.  You could do this either from wireshark (export selected packet
bytes, after running wireshark -k /tmp/server.keytab), or by patching the
code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t length)

somewhere near auth3_generate_session_info_pac()

Then, using that file, run 

bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and
the C helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
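
A structural check that can be run on the saved PAC file alongside ndrdump, as an added example that is not part of the message above and is not Samba code: it walks the PACTYPE header and buffer table defined in the MS-PAC document linked above and reports any length that does not fit. The script layout, the function names and the "alice" sample are assumptions; the sample blob is constructed, not real ticket data.

```python
import struct

# ulType values from MS-PAC (the specification linked in the message above).
PAC_TYPES = {1: "LOGON_INFO", 2: "CREDENTIALS_INFO", 6: "SERVER_CHECKSUM",
             7: "KDC_CHECKSUM", 10: "CLIENT_INFO", 11: "S4U_DELEGATION_INFO",
             12: "UPN_DNS_INFO"}


def check_client_info(buf):
    """PAC_CLIENT_INFO: FILETIME ClientId (8), USHORT NameLength (2), Name."""
    if len(buf) < 10:
        return ["CLIENT_INFO shorter than its 10 fixed bytes"]
    (name_len,) = struct.unpack_from("<H", buf, 8)
    if 10 + name_len > len(buf):
        return ["CLIENT_INFO NameLength %d but only %d bytes follow"
                % (name_len, len(buf) - 10)]
    try:
        buf[10:10 + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return ["CLIENT_INFO Name is not valid UTF-16LE"]
    return []


def triage_pac(blob):
    """Return (buffers, problems); buffers is a list of (name, offset, size)."""
    if len(blob) < 8:
        return [], ["blob shorter than the 8-byte PACTYPE header"]
    count, version = struct.unpack_from("<II", blob, 0)
    problems = [] if version == 0 else ["unexpected Version %d" % version]
    table_end = 8 + 16 * count  # each PAC_INFO_BUFFER entry is 16 bytes
    if table_end > len(blob):
        return [], problems + ["cBuffers %d does not fit in %d bytes"
                               % (count, len(blob))]
    buffers = []
    for i in range(count):
        ul_type, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        name = PAC_TYPES.get(ul_type, "type %d" % ul_type)
        buffers.append((name, offset, size))
        if offset % 8:
            problems.append("%s offset %d is not 8-byte aligned" % (name, offset))
        if offset < table_end or offset + size > len(blob):
            problems.append("%s [%d, +%d) lies outside the blob" % (name, offset, size))
        elif ul_type == 10:
            problems += check_client_info(blob[offset:offset + size])
    return buffers, problems


def build_sample(declared_name_len):
    """Constructed one-buffer PAC for user 'alice'; not real ticket data."""
    name = "alice".encode("utf-16-le")  # 10 bytes
    info = bytes(8) + struct.pack("<H", declared_name_len) + name
    blob = struct.pack("<II", 1, 0) + struct.pack("<IIQ", 10, len(info), 24) + info
    return blob + bytes(-len(blob) % 8)


if __name__ == "__main__":
    import sys
    # Pass the saved file (e.g. /tmp/pac); with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(10)
    bufs, probs = triage_pac(data)
    for b in bufs:
        print("%-22s offset=%d size=%d" % b)
    print("\n".join(probs) or "structure is consistent")
```

A clean result here means the outer container is consistent, so the decode failure lies inside one of the NDR-encoded buffers, which is what the ndrdump and IDL step examines.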




Re: [Samba] any available asynchronous dce rpc library?

2013-02-26 Thread Andrew Bartlett
On Mon, 2013-02-25 at 11:19 +0800, 安静的风 wrote:
> Hi 
> 
> 
> Thanks in advance.
> 
> 
> I'm writing a proxy server doing NTLMv2 authentication.
> I think I need a NetLogon client service.
> Is there any available library providing netlogon function?
> or at least a dce rpc library?
> 
> 
> an asynchronous  library is the best. :)

There is no need for you to implement this.  Instead, just use the
ntlm_auth binary in --helper-protocol=squid-2.5-ntlmssp or gss-server
mode.  This already handles all the details of contacting the DC, as
well as all the parsing of the SPNEGO/NTLMSSP blobs etc.  The session
keys can be returned. 

This mechanism is already used by Squid, Wine and many other projects
that need to do NTLM authentication. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
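
One way a proxy could drive the helper named in the reply above, as an added example that is not from the post or from Samba: the proxy relays the client's NTLMSSP messages to ntlm_auth over stdin/stdout and never parses them itself. The request and reply codes (YR, KK, TT, AF, NA, BH) are those of the Squid NTLM helper line protocol; the class and function names are hypothetical, and ntlm_auth is assumed to be on PATH.

```python
import base64
import subprocess


class HelperError(Exception):
    """The helper answered with BH or with something outside the protocol."""


def parse_reply(line):
    """Split a helper reply into (code, argument); reject unknown codes."""
    code, _, arg = line.rstrip("\r\n").partition(" ")
    if code not in ("TT", "AF", "NA", "BH"):
        raise HelperError("unexpected helper reply: %r" % line)
    return code, arg


def _b64(blob):
    return base64.b64encode(blob).decode("ascii")


class NtlmAuthSession:
    """One NTLMSSP handshake; use a separate helper per client connection."""

    def __init__(self, exchange):
        self._exchange = exchange  # callable: request line -> reply line

    def challenge_for(self, negotiate_blob):
        """Relay the client's NEGOTIATE message; return the CHALLENGE bytes."""
        code, arg = parse_reply(self._exchange("YR " + _b64(negotiate_blob)))
        if code != "TT":
            raise HelperError("no challenge from helper: %s %s" % (code, arg))
        return base64.b64decode(arg, validate=True)

    def verify(self, authenticate_blob):
        """Relay the client's AUTHENTICATE message; return the user or None."""
        code, arg = parse_reply(self._exchange("KK " + _b64(authenticate_blob)))
        if code == "AF":
            return arg   # authenticated user name as reported by the helper
        if code == "NA":
            return None  # credentials rejected
        # BH or a stray TT: treat as a failure, never as success.
        raise HelperError("helper failure, failing closed: %s %s" % (code, arg))


def spawn_helper(path="ntlm_auth"):
    """Start ntlm_auth in squid-2.5-ntlmssp mode; return an exchange callable."""
    proc = subprocess.Popen([path, "--helper-protocol=squid-2.5-ntlmssp"],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def exchange(request):
        proc.stdin.write(request + "\n")
        proc.stdin.flush()
        reply = proc.stdout.readline()
        if not reply:
            raise HelperError("ntlm_auth exited")
        return reply

    return exchange
```

In a proxy, `NtlmAuthSession(spawn_helper())` is created when a connection starts authenticating, because the helper keeps the challenge state between the two calls.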



[Samba] some DNS trouble ...

2013-02-26 Thread moss.m...@gmail.com
Hey, me again :)

Well … just found that the options
server role
dns recursive queries
dns forwarders

are ignored … hmmm … well … does anyone know how to achieve the desired 
behavior without these options ?

greetings, 
Oliver


Re: [Samba] smb2 vs. NT1

2013-02-26 Thread Papp Tamas

On 02/26/2013 09:28 AM, Björn JACKE wrote:
> On 2013-02-25 at 20:35 +0100 Papp Tamas sent off:
> > It seems, you're right. However in this case the documentation in default 
> > smb.conf is wrong.
> 
> there is no default smb.conf shipped with Samba. File a bug against the Samba
> package of your distribution that you use then, please.
> 
> > >SMB2 in Samba is fully supported from Samba 3.6.0 onwards.
> > >It was "experimental" (read, didn't really work :-) in
> > >3.5.x and below.
> > 
> > OK, thanks for the answer and thanks so much for the tuning tips.
> > Every single samba tuning guide starts with that options!
> 
> I would also add that you should use a recent 3.6 version. There have been a
> number of more or less important smb2 related bugs been fixed in the 3.6
> series.

Which version is recommended at this time, v3.6 or v4?

Thank you,
tamas


Re: [Samba] Samba 4, DHCP and Bind

2013-02-26 Thread Rowland Penny

On 25/02/13 22:44, Scott Whitten wrote:

Hi All,

I'm trying to integrate Samba 4 DHCPD and Bind 9.9 into a complete solution.

I'm using the BIND/Samba 4 DLZ plugin.

DHCP by itself works and hands out IP addresses.

What I would like to have happen is the following:
- PC is joined to the Samba 4 domain (this works)
- PC gets an IP via DHCPD
- DHCP or the PC registers the IP in BIND

Network PC's should resolve cleanly when pinging pc01.office.local

My logs are full of messages along the lines of:
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on
zone office.local
Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781:
update 'office.local/IN' denied
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction
on zone office.local

Clearly I'm missing something but not sure what exactly.

Thanks for any suggestions you might have.

For reference... here are my various config files:
==
smb.conf
---
# Global parameters
[global]
 server role = active directory domain controller
 workgroup = OFFICE
 interfaces = eth0
 bind interfaces only = yes
 realm = office.local
 netbios name = KNOTTYPINE
 passdb backend = samba4
 idmap_ldb:use rfc2307 = yes
 allow dns updates = True

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/office.local/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

[IPC$]
 path = /tmp
 read only = No

[Data]
 path = /u0/sambashares/data
 read only = no
==
ddns-update-style ad-hoc;
allow unknown-clients;

subnet 192.168.65.0 netmask 255.255.255.0 {

# --- default gateway
 option routers  192.168.65.1;
 option subnet-mask  255.255.255.0;

 option domain-name  "office.local";
 option domain-name-servers  192.168.65.2;

 option netbios-name-servers 192.168.65.2;
 option netbios-node-type 2;

 default-lease-time 21600;
 max-lease-time 43200;
 allow unknown-clients;

 range 192.168.65.100 192.168.65.150;
}
==

//
// sample BIND configuration file
//
acl mynet {
 192.168.65.0/24;
 127.0.0.1;
};

options {
   listen-on { 127.0.0.1; 192.168.65.0/24; };
   allow-query { 192.168.65.0/24; localhost; };
   allow-recursion { 192.168.65.0/24; localhost; };
   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
   forwarders {8.8.8.8;};
};

// Where the localhost hostname is defined
zone "localhost" IN {
   type master;
   file "/etc/namedb/zone.localhost";
   allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "0.0.127.in-addr.arpa" IN {
   type master;
   file "/etc/namedb/revp.127.0.0";
   allow-update { none; };
};

zone "65.168.192.in-addr.arpa" {
 type master;
 file "/etc/namedb/192.168.65.0.rev";
 allow-query {
 mynet;
 };
 allow-transfer {
 mynet;
 };
 allow-update {
 mynet;
 };
};

include "/usr/local/samba/private/named.conf";

Hi, you appear to be trying to get DHCP to carry out the updates 
directly, this does not work, or at least I could not get it to work, 
try starting here: 
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
This works for me, Ubuntu 12.04, DHCP, Bind 9.9.1 and a version of the 
script found on Michael Kuron's webpage.


Rowland




[Samba] some DNS trouble ...

2013-02-26 Thread moss . mose
Hi list !

I ran into some interesting behavior I don't understand.
I'm using samba4 as my domain controller in a virtual machine.
My settings are as follow:

[global]
server role = domain controller
workgroup = LAN
realm = lan.example.com
netbios name = ADC
passdb backend = samba4
dns recursive queries = yes
dns forwarders = 192.168.60.1

[netlogon]
path = /var/lib/samba/sysvol/lan.vbk.at/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

the IP of the ADC is 192.168.60.11

it seems that the DNS forwarding does not work, because if I only use the IP of 
my ADC in my clients they can resolve the internal names but nothing from 
outside (internet)
When I set the ADC as my primary and my router's IP (192.168.60.1) as the 
secondary DNS server within my clients everything works like a charm …
So far so good … theoretically I could live with such a setting, even though 
not what I intended in the first place, but the real trouble started when I 
connected via VPN and tried to get outside.
Here setting primary and secondary DNS does not work like it did before.
Setting only my ADC results in being able to resolve internal names but no 
outside.
Setting the router as my secondary results in being able to resolve outside but 
no inside.
I'm using a TL-ER6020 as my vpn-/router and ubuntu 12.04LTS within a XEN 
virtualization environment.

Any hints and comments are highly appreciated :)
Thanks, 
Oliver


Re: [Samba] smb2 vs. NT1

2013-02-26 Thread Björn JACKE
On 2013-02-25 at 20:35 +0100 Papp Tamas sent off:
> It seems, you're right. However in this case the documentation in default 
> smb.conf is wrong.

there is no default smb.conf shipped with Samba. File a bug against the Samba
package of your distribution that you use then, please.

> >SMB2 in Samba is fully supported from Samba 3.6.0 onwards.
> >It was "experimental" (read, didn't really work :-) in
> >3.5.x and below.
> 
> OK, thanks for the answer and thanks so much for the tuning tips.
> Every single samba tuning guide starts with that options!

I would also add that you should use a recent 3.6 version. There have been a
number of more or less important smb2 related bugs been fixed in the 3.6
series.

Cheers
Björn
-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
  ☎ +49-551-37-0, ℻ +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

[Samba] Reply: how to dynamic update or refresh vfs_fn_pointers and ntvfs_ops stacks

2013-02-26 Thread Liujun (A)
[test]
comment = VFS TEST
path = /data
writeable = yes
browseable = yes
vfs objects = example:example1 example example:test
example1: parameter = 1
example: parameter = 5
test: parameter = 7


For example, when changing the example1: parameter = 2, how to change or update 
the already constructed handler?

From: Liujun (A)
Sent: 2013-02-25 20:59
To: 'samba@lists.samba.org'
Subject: how to dynamic update or refresh vfs_fn_pointers and ntvfs_ops stacks

When reviewing the vfs plugin architecture, the vfs handler or ntvfs handler is 
initialized by tree connect, but when dynamically changing the share 
configuration, how to change or update the already constructed handler?