Re: [Samba] The network path was not found.
From the client, what are the results of an nslookup on redacted.com and ad.redacted.com?

Could be a simple DNS entry missing.

Regards,
Daniel

-----Original Message-----
From: "Hef"
Sent: 9/04/2013 2:43 PM
To: "samba@lists.samba.org"
Subject: [Samba] The network path was not found.

I am attempting to join a windows 7 computer running in virtual box to a samba4 domain (version 4.1.0pre1-GIT-243278a). I get prompted for credentials, I use the provisioned Administrator account, and then get the following:

The Following error occured attempting to join the domain "ad.redacted.com"
The network path was not found.

(I have replaced the actual domain with redacted for this email)

I have a ns record for ad.redacted.com pointing to the samba 4 instance, but the samba4 server is running on a vm instance several hundred miles away.

What am I doing wrong? What else can I do to debug this problem?

--hef

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

[Samba] The network path was not found.
I am attempting to join a windows 7 computer running in virtual box to a samba4 domain (version 4.1.0pre1-GIT-243278a). I get prompted for credentials, I use the provisioned Administrator account, and then get the following:

The Following error occured attempting to join the domain "ad.redacted.com"
The network path was not found.

(I have replaced the actual domain with redacted for this email)

I have a ns record for ad.redacted.com pointing to the samba 4 instance, but the samba4 server is running on a vm instance several hundred miles away.

What am I doing wrong? What else can I do to debug this problem?

--hef

Re: [Samba] [PATCH] Force python for Samba on platforms with a too old installed python (eg RHEL 5.9)
Hi Andrew,

Many, many thanks and sorry about that... I was somewhat lost while writing the post myself, I was trying to distill all of the different things I had tried down into useful information but I somehow missed the mark.

After I had posted the message, I manually did a configure of Samba's private copy of Python and then did a make uninstall to let it do some housecleaning. After doing that, I was then able to compile Samba successfully without passing any flags but I'm still getting a libgnutls error when attempting to execute pdbedit and the same error as before with samba-tool.

I pulled down and applied your patch against master but it didn't seem to have any effect. I did another build with the install_with_python script but am still getting the same errors:

[root@Server1 samba4]# pdbedit
pdbedit: error while loading shared libraries: libgnutls.so.26: cannot open shared object file: No such file or directory

[root@Server1 samba4]# samba-tool
Traceback (most recent call last):
  File "/usr/local/samba/bin/samba-tool", line 33, in <module>
    from samba.netcmd.main import cmd_sambatool
  File "/usr/local/samba/lib/python2.6/site-packages/samba/__init__.py", line 50, in <module>
    from samba._ldb import Ldb as _Ldb
ImportError: libgnutls.so.26: cannot open shared object file: No such file or directory

[root@Server1 samba4]# git status
# On branch master
# Changes not staged for commit:
#   (use "git add <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#       modified:   buildtools/wafsamba/samba_python.py
#       modified:   buildtools/wafsamba/wafsamba.py
#       modified:   wscript
#
# Untracked files:
#   (use "git add <file>..." to include in what will be committed)
#
#       buildtools/wafsamba/wscript.orig
#       buildtools/wafsamba/wscript.rej
#       wscript.orig
#       wscript.rej
no changes added to commit (use "git add" and/or "git commit -a")

- Phil

--
View this message in context: http://samba.2283325.n4.nabble.com/Re-Python-UCS2-vs-UCS4-issue-on-latest-git-ImportError-undefined-symbol-PyUnicodeUCS2-Decode-NOT-SOL-tp4646314p4646438.html

Re: [Samba] Please help: classicupgrade not importing users -- SOLVED
I finally found the solution.

I was moving from a Gentoo system to CentOS and the layout of the files is different under Gentoo. In the Gentoo layout, the default location for passdb.tdb, schannel_store.tdb and secrets.tdb is in /var/lib/samba/private.

When I first tried to import, I had got an error message about secrets.tdb not being found, so I had made a link /var/lib/samba/secrets.tdb that pointed to /var/lib/samba/private/secrets.tdb, but, crucially, I did not do this for the other files in the secrets subdirectory.

Once I made the links for the other files, all I had to do was clean up my old tdb files (duplicate and otherwise bad entries) and then the import worked!

Simon

Re: [Samba] Samba4 member of an another « Samba4 » domain
Thank you Matthieu for your answer.

On 08/04/2013 01:37, Matthieu Patou wrote:

>> 1) First attempt to join the domain in the member server
>>
>> root@member~# samba-tool domain join chezmoi.priv member -U administrator --realm=chezmoi.priv
>> Password for [CHEZMOI\administrator]:
>> Joined domain CHEZMOI (S-1-5-21-3370545617-3166960116-3193249687)
>>
>> root@member~# ldconfig
>>
>> root@member~# smbd && nmbd
>>
>> And now impossible to run winbindd.
>>
>> ---
>> root@member~# winbindd -i -d 10
>> [...]
>> pack_tdc_domains: Packing 2 trusted domains
>> pack_tdc_domains: Packing domain BUILTIN ()
>> pack_tdc_domains: Packing domain WHEEZY-2 ()
>> idmap config WHEEZY-2 : range = not defined
>> Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932
>> Could not fetch our SID - did we join?
>> unable to initialize domain list
>> ---
> Hum, interesting, would be worth to check that from a clean setup you
> have this issue again and again.

I have 2 "virtualbox" snapshots of Debian Wheezy with a Samba 4.0.4 installation in /usr/local/samba/. And I have the problem each time. Let me explain exactly what I have done.

In the DC server *and* in the MEMBER server (both in static IP), I have done this:

---
apt-get update
apt-get dist-upgrade
apt-get install build-essential libacl1-dev libattr1-dev libblkid-dev libgnutls-dev libreadline-dev python-dev python-dnspython gdb pkg-config libpopt-dev libldap2-dev dnsutils libtool xsltproc libpam0g-dev attr acl psmisc ntp libtalloc2 libtalloc-dev

vi /etc/fstab # I add the acl and user_xattr options for "/" partition
mount -o remount /

cd /usr/local/src/
wget https://ftp.samba.org/pub/ldb/ldb-1.1.15.tar.gz && tar -zxvf ldb-1.1.15.tar.gz
wget http://ftp.samba.org/pub/samba/samba-4.0.4.tar.gz && tar -zxvf samba-4.0.4.tar.gz

cd /usr/local/src/ldb-1.1.15/ && ./configure && make && make install
cd /usr/local/src/samba-4.0.4 && ./configure && make && make install

echo 'export PATH="/usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH"' > ~/.bashrc
halt
---

Snip! Snapshot of the DC server and snapshot of the MEMBER server. :-)

Then, in the DC server, I have done:

---
samba-tool domain provision # I keep the default answers each time, seems to work fine

# 192.168.0.21 = IP of DC server which is the DNS server (internal DNS)
echo "nameserver 192.168.0.21" > /etc/resolv.conf

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig

samba
---

Just for information, here is the smb.conf on the DC server after these commands:

---
# Global parameters
[global]
    workgroup = CHEZMOI
    realm = CHEZMOI.PRIV
    netbios name = WHEEZY-SERVER
    server role = active directory domain controller
    dns forwarder = 212.27.40.241

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
---

In the MEMBER server, I have done:

---
echo "nameserver 192.168.0.21" > /etc/resolv.conf

samba-tool domain join chezmoi.priv MEMBER -U administrator --realm=CHEZMOI.PRIV # seems to work fine

ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
vi /etc/nsswitch.conf # add winbind for passwd and group
ldconfig

vi /usr/local/samba/etc/smb.conf # see below

smbd && nmbd
winbindd -i -d 10
---

And Boom! I have the same error which I have described in my previous message. The winbindd command is stopped.

Just for information, here is the smb.conf in the MEMBER server:

---
[global]
    workgroup = CHEZMOI
    security = ADS
    realm = CHEZMOI.PRIV
    encrypt passwords = yes

    idmap config *:backend = tdb
    idmap config *:range = 70001-8
    idmap config CHEZMOI:backend = ad
    idmap config CHEZMOI:schema_mode = rfc2307
    idmap config CHEZMOI:range = 500-4

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
---

Have I forgotten a step?

>> 2) Second attempt to join the domain in the member server. It's better
>> but It doesn't work too.
>>
>> root@member:~# net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- CHEZMOI
>> Joined 'WHEEZY-2' to dns
[Samba] Wrong local DNS responses from samba4
I'm running samba4 (compiled via git a few days ago, off 5530cc481653) on Ubuntu, as an AD DC. Everything works perfectly with the domain, /except/ that Samba seems to be returning incorrect DNS entries for the local domain computers -- any thoughts on how to debug this (or where Samba is getting its IPs from?).

As an example:

router/dhcp/upstream DNS is at 192.168.0.1
samba4 is at 192.168.0.2
aio1.corp.example.com is at 192.168.0.171 (and has been for 48+ hours)

[ask upstream router/DHCP for the IP]
$ dig +short @192.168.0.1 aio1.corp.example.com
192.168.0.171
^^ correct ^^

[ask samba4 for the IP]
$ dig +short @192.168.0.2 aio1.corp.example.com
192.168.0.168
^^ wrong ^^

The samba4 server's resolv.conf is:

nameserver 192.168.0.2
nameserver 192.168.0.1
search corp.example.com

smb.conf contains:

dns forwarder = 192.168.0.1

Any thoughts on how to debug this?

Best,
Nick

Re: [Samba] ClassicUpgrade => EpicFail
On Mon, 2013-04-08 at 13:21 -0500, Jon Detert wrote:
> ----- Original Message -----
> > From: "Andrew Bartlett"
> > To: "Jon Detert"
> > Cc: samba@lists.samba.org
> > Sent: Sunday, April 7, 2013 4:16:30 AM
> > Subject: Re: [Samba] ClassicUpgrade => EpicFail
> >
> > On Fri, 2013-04-05 at 14:47 -0500, Jon Detert wrote:
> > > ClassicUpgrade of my samba3 data to samba4 fails, with this error:
> > >
> > >    ERROR(): uncaught exception - Unable to get id for sid
> > >
> > > Full log of the classicupgrade is at the end of this email.
> > >
> > > Project member on this list, Andrew Bartlett, wrote that the issue
> > > is probably that my Samba 3 passdb was passable in an NT 4 DC
> > > mode, but is actually 'invalid' :
> >
> > I should have been clearer: I make no statement as to that validity of
> > your database, but note that this tool has much stricter requirements
> > than we enforced on passdb databases in the past.
>
> Understood. I think you were clear. My problem is that I have no idea how
> to proceed.
>
> -- snip --
>
> > In any case, from here the next debugging step would be to run with git
> > master or v4-0-test, as I included some idmap patches there that didn't
> > make 4.0.4.
>
> I already tried the git master (as of March 18th) as well as the v4-0-test
> (as of March 4th). Are you saying I should try a more recent snapshot of
> those git projects?

Probably not, but if you have nothing else to lose, please try current master.

> > Eventually, we will either to improve the import of the DB for your
> > particular issue, either to accept it (possibly fixing it along the way)
> > or more clearly rejecting it with a proper explanation.
>
> That would be great. In the mean-time, is there nothing for me to do but
> wait? Can someone give a list of common data problems to look for and fix?
> I.e. I've already resolved user/group name overlaps. You listed 2 other
> common probs (duplicate SIDs; accounts flagged as both user and machine
> accounts). Any tips on how to detect those problems?
>
> In other words, it might be faster for me to resolve my data problems than
> to wait for updated code.

If those problems were present, then it would have failed much earlier than this. At this stage we need to work out which SID is failing to convert, and then look at the uidNumber or gidNumber records on that record.

Inserting some print statements into the python scripts would be the best place to start, if you are comfortable with that.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
On Mon, 2013-04-08 at 07:07 -0700, alxgrb wrote:
> Ok is clear, but samba-tool domain classicupgrade works only if samba
> instance is installed. Is it right?

Correct

> Our old server has only LDAP/Automount services without any samba's
> instances.

Then you won't be able to migrate passwords in any case.

> I would like to migrate only the LDAP users in the new samba4 server.

For simple user accounts, you shouldn't need to add any new schema anyway. Just migrate the users, manually translating the required attributes.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] Doubt create user samba via DSA.msc
Look at https://wiki.samba.org/index.php/Samba4/Winbind , also, samba 4 (AD DC) uses ACL's now, so you really don't need to do any per share changes anymore.

Have fun,
Ricky

On Mon, Apr 8, 2013 at 3:03 PM, Ricardo Barbosa wrote:
> Hi.
>
> I deployed samba 4 and created a user via the dsa.msc console, but it does
> not create the user in /etc/passwd for setting permissions on a share. Is
> it possible to make this an automatic process? Any ideas?
>
> Regards

[Samba] Doubt create user samba via DSA.msc
Hi.

I deployed samba 4 and created a user via the dsa.msc console, but it does not create the user in /etc/passwd for setting permissions on a share. Is it possible to make this an automatic process? Any ideas?

Regards

Re: [Samba] ClassicUpgrade => EpicFail
----- Original Message -----
> From: "Andrew Bartlett"
> To: "Jon Detert"
> Cc: samba@lists.samba.org
> Sent: Sunday, April 7, 2013 4:16:30 AM
> Subject: Re: [Samba] ClassicUpgrade => EpicFail
>
> On Fri, 2013-04-05 at 14:47 -0500, Jon Detert wrote:
> > ClassicUpgrade of my samba3 data to samba4 fails, with this error:
> >
> >    ERROR(): uncaught exception - Unable to get id for sid
> >
> > Full log of the classicupgrade is at the end of this email.
> >
> > Project member on this list, Andrew Bartlett, wrote that the issue
> > is probably that my Samba 3 passdb was passable in an NT 4 DC
> > mode, but is actually 'invalid' :
>
> I should have been clearer: I make no statement as to that validity of
> your database, but note that this tool has much stricter requirements
> than we enforced on passdb databases in the past.

Understood. I think you were clear. My problem is that I have no idea how to proceed.

-- snip --

> In any case, from here the next debugging step would be to run with git
> master or v4-0-test, as I included some idmap patches there that didn't
> make 4.0.4.

I already tried the git master (as of March 18th) as well as the v4-0-test (as of March 4th). Are you saying I should try a more recent snapshot of those git projects?

> Eventually, we will either to improve the import of the DB for your
> particular issue, either to accept it (possibly fixing it along the way)
> or more clearly rejecting it with a proper explanation.

That would be great. In the mean-time, is there nothing for me to do but wait? Can someone give a list of common data problems to look for and fix? I.e. I've already resolved user/group name overlaps. You listed 2 other common probs (duplicate SIDs; accounts flagged as both user and machine accounts). Any tips on how to detect those problems?

In other words, it might be faster for me to resolve my data problems than to wait for updated code.

Thanks,
Jon

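The two data problems named in this thread (duplicate SIDs, and accounts flagged as both user and machine) can be checked for on the old Samba 3 server before classicupgrade is run. The script below is an added example, not code from the Samba project or from anyone in this thread; it assumes the "Unix username", "Account Flags" and "User SID" fields printed by pdbedit -L -v, and the sample records in it are constructed.

```python
"""Pre-flight checks on Samba 3 passdb data before classicupgrade (added example)."""
import re
import sys
from collections import defaultdict

# "Key:   value" lines as printed by `pdbedit -L -v`; the key ends at the first colon.
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Constructed sample records (not from the thread), in pdbedit -L -v layout.
SAMPLE = """\
---------------
Unix username:        alice
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1001
---------------
Unix username:        bob
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1002
---------------
Unix username:        carol
Account Flags:        [U          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1001
---------------
Unix username:        ws01$
Account Flags:        [UW         ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1003
---------------
Unix username:        printsrv
Account Flags:        [W          ]
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1004
"""


def parse_records(text):
    """Split pdbedit -L -v output into one dict per account."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("----"):          # record separator
            if current:
                records.append(current)
            current = {}
            continue
        match = FIELD.match(line)
        if match:
            current[match.group(1).strip()] = match.group(2).strip()
    if current:
        records.append(current)
    return records


def _name(rec):
    return rec.get("Unix username", "?")


def _flags(rec):
    """Account flags as a set of letters, e.g. '[UW   ]' -> {'U', 'W'}."""
    return set(rec.get("Account Flags", "").strip("[]").replace(" ", ""))


def duplicate_sids(records):
    """Map each SID that is used by more than one account to those accounts."""
    by_sid = defaultdict(list)
    for rec in records:
        sid = rec.get("User SID")
        if sid:
            by_sid[sid].append(_name(rec))
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def user_and_machine(records):
    """Accounts carrying both the user (U) and workstation trust (W) flags."""
    return [_name(r) for r in records if {"U", "W"} <= _flags(r)]


def name_flag_mismatch(records):
    """Machine accounts conventionally end in '$'; report names and flags that disagree."""
    return [_name(r) for r in records
            if ("W" in _flags(r)) != _name(r).endswith("$")]


if __name__ == "__main__":
    # Usage: pdbedit -L -v > passdb.txt; python check_passdb.py passdb.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    recs = parse_records(text)
    print("accounts parsed:     ", len(recs))
    print("duplicate SIDs:      ", duplicate_sids(recs))
    print("user+machine flags:  ", user_and_machine(recs))
    print("name/flag mismatches:", name_flag_mismatch(recs))
```
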
[Samba] DDNS / DHCPd && Internal DNS or BIND_DLZ
So, I don't see much on the Wiki [actually nothing] and the relevant threads on the issue are few. So, let me try to outline what appears to be the current state of things and if I'm wrong, please correct me.

Running DHCPd on the Samba 4 server works fine.

Doing DDNS [dynamic DNS] updates can work with the BIND9_DLZ setup, but not the internal DNS setup.

However, if the connecting Samba clients are mostly Windows, doing DHCPd - BIND9_DLZ updates is probably not worth the effort anyway, since the Windows clients will handle updating their DNS via Kerberos and the AD anyway.

This isn't the case for Linux clients, so if you have lots of those and you need the DDNS updates then perhaps it's worth tackling.

How Macs handle DNS updates is unknown - [though I'd *guess* it will be exactly/nearly the same as Linux clients.]

--
Summary:
If your clients are Windows clients, just leave things as is... they will handle updating DNS records in EITHER the internal DNS or BIND_DLZ server without any special hacks or scripts to handle it.

If you have a large mix of clients and need the non-windows clients to update DNS via DHCPD, then using the script found in the following link might be useful.

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
---

Do I have that largely right?

-Greg

--
Gregory Sloop, Principal: Sloop Network & Computer Consulting
503.251.0452 x121 Voice | 503.251.0452 Fax
www.sloop.net
mailto:gr...@sloop.net

Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
Ok is clear, but samba-tool domain classicupgrade works only if samba instance is installed. Is it right?

Our old server has only LDAP/Automount services without any samba's instances.

I would like to migrate only the LDAP users in the new samba4 server.

Greetings,
Alexander

--
View this message in context: http://samba.2283325.n4.nabble.com/LDAP-Schemas-Users-to-Samba4-migration-tp4646168p4646419.html

Re: [Samba] [4.0] Inter-realm trust
On Mon, 2013-04-08 at 13:08 +0200, Kaito Kumashiro wrote:
> On Mon, Apr 8, 2013 at 12:51 PM, Andrew Bartlett wrote:
>
> > > Yes, I did use a Windows tool to create a two-way trust between Samba
> > > 4.0 servers, but since this feature is still in development, I don't
> > > know how reliable it is. Our kerberized services are pretty critical.
> > > If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> > > I'll be more than happy to use it.
> >
> > [...]
> >
> > To add it to make test we mostly need to have client tools to set up the
> > trust, and then we could add tests. At this point, I'm not even sure
> > what we can do with the tools we have - some research is required.
>
> Maybe you could use kgetcred from Heimdal since Samba has it as a Kerberos
> subsystem? But that will test only Kerberos trust.

That's not really the hard bit - you can prove the same things that does with smbclient4 -k yes.

> > Note that we totally trust the other realm (another reason this is
> > unfinished), so the two forests become one security domain, in the sense
> > that a rogue administrator in one could easily forge an admin ticket in
> > the other.
>
> That should not be a problem in our case. All realms are under our control.
> They are separated because we had autonomic NT domains (Samba 3.x). This
> will probably change when Samba 4.0 gains full NT forest support
> (replication, trusts etc.).

Yes, we would love to have that (some of this also works, again as long as you stick to kerberos). Sadly it is a matter of resources, and we are all tied up on maintenance of 4.0 at this point, and no feature work is going on in the AD DC currently.

Note that joining two forests isn't going to be at all easy (compared with upgrading a Samba classic domain into a forest, which would be hard, but not impossible).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] LDAP (Schemas,Users) to Samba4 migration
On Fri, 2013-04-05 at 12:10 +1100, Andrew Bartlett wrote:
> On Thu, 2013-04-04 at 01:15 -0700, alxgrb wrote:
> > I've tried with Apache Directory Studio to export LDAP (Schema) into LDIF
> > file. Its works.
> > But convert to (AD ldif) with oLschema2ldif don't work. S. message:
> >
> > sudo /usr/local/samba/bin/oLschema2ldif -b DN=domainname -I /home/alxgrb/ldapschemas/old_ldap_schema_250313.ldif -O converted.ldif
> > malformed entry on line 1265
> > Converted 0 records with 1 failures
> >
> > Any Idea? (The line 1265 is empty)
> > Can I use ldbadd?
>
> We really need to drop this tool, it has never really worked well, the
> parsing text schema with a C tool was always a bad idea. It would be
> faster and more effective to have someone rewrite it in python.

I should however be clear: To convert existing users and groups, use samba-tool domain classicupgrade.

This is different to if you can convert specific schema extensions, which you may need to re-create by hand, and then import the data for.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] [4.0] Inter-realm trust
On Mon, Apr 8, 2013 at 12:51 PM, Andrew Bartlett wrote:

> > Yes, I did use a Windows tool to create a two-way trust between Samba
> > 4.0 servers, but since this feature is still in development, I don't
> > know how reliable it is. Our kerberized services are pretty critical.
> > If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> > I'll be more than happy to use it.
>
> [...]
>
> To add it to make test we mostly need to have client tools to set up the
> trust, and then we could add tests. At this point, I'm not even sure
> what we can do with the tools we have - some research is required.

Maybe you could use kgetcred from Heimdal since Samba has it as a Kerberos subsystem? But that will test only Kerberos trust.

> Note that we totally trust the other realm (another reason this is
> unfinished), so the two forests become one security domain, in the sense
> that a rogue administrator in one could easily forge an admin ticket in
> the other.

That should not be a problem in our case. All realms are under our control. They are separated because we had autonomic NT domains (Samba 3.x). This will probably change when Samba 4.0 gains full NT forest support (replication, trusts etc.).

Re: [Samba] [4.0] Inter-realm trust
On Mon, 2013-04-08 at 12:37 +0200, Kaito Kumashiro wrote:
> On Fri, Apr 5, 2013 at 3:05 AM, Andrew Bartlett wrote:
> > > I know that inter-domain trust is not supported in Samba, but is it
> > > possible to create an inter-realm trust on Kerberos level? I have a
> > > kerberized service in realm X (Samba 4.0 as DC) and I want to allow users
> > > from realm Y (also Samba 4.0, but different domain) to access it using
> > > SPNEGO GSSAPI.
> > > If it is possible, how can I accomplish this?
> >
> > You can try and set up such a trust with the windows tools. The pure
> > kerberos level should work (because it is a natural part of kerberos,
> > which we didn't cripple, but instead did the small work to enable and
> > the FreeIPA project added the RPC calls for), but not much else will.
>
> Yes, I did use a Windows tool to create a two-way trust between Samba
> 4.0 servers, but since this feature is still in development, I don't
> know how reliable it is. Our kerberized services are pretty critical.
> If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then
> I'll be more than happy to use it.

It's untested, and not really supported, but we don't intend to break it either. I love seeing Samba stretched into new places, and want to break things for you.

We would love for this to be more developed, and for it to become tested as part of 'make test'. The primary mechanics here is just pure kerberos, where inter-realm is a well understood thing, and that is why it works as well as it does.

To add it to make test we mostly need to have client tools to set up the trust, and then we could add tests. At this point, I'm not even sure what we can do with the tools we have - some research is required.

Note that we totally trust the other realm (another reason this is unfinished), so the two forests become one security domain, in the sense that a rogue administrator in one could easily forge an admin ticket in the other.

Note that trusts are quite special in AD, which is why you can't just do it with an SPN. That much we already have well coded up, as otherwise it would be too easy to break in.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Re: [Samba] [4.0] Inter-realm trust
On Fri, Apr 5, 2013 at 3:05 AM, Andrew Bartlett wrote:

> > I know that inter-domain trust is not supported in Samba, but is it
> > possible to create an inter-realm trust on Kerberos level? I have a
> > kerberized service in realm X (Samba 4.0 as DC) and I want to allow users
> > from realm Y (also Samba 4.0, but different domain) to access it using
> > SPNEGO GSSAPI.
> > If it is possible, how can I accomplish this?
>
> You can try and set up such a trust with the windows tools. The pure
> kerberos level should work (because it is a natural part of kerberos,
> which we didn't cripple, but instead did the small work to enable and
> the FreeIPA project added the RPC calls for), but not much else will.

Yes, I did use a Windows tool to create a two-way trust between Samba 4.0 servers, but since this feature is still in development, I don't know how reliable it is. Our kerberized services are pretty critical. If inter-realm trust (on Kerberos level) in Samba 4.0 is stable, then I'll be more than happy to use it.

I tried setting up a simple Kerberos trust by creating cross-principals (with some LDAP hacking), but that didn't work in Samba and worked only partially when I used SPN instead of "regular" principal, so it's not exactly a 1 to 1 transition. Something has changed in this regard or some other mechanism is used for making a trust.

[Samba] [PATCH] Force python for Samba on platforms with a too old installed python (eg RHEL 5.9)
Phil,

I've tried following your mails, and your trials, but got totally lost.

So what I've done is write up a patch, which should address the one issue I've been able to distil out of this, which is that when Samba is built against something other than the default python, samba-tool segfaults. This happens because if we build and link against one library, but you run samba-tool with a different python, internal things go boom.

This patch works for me on my CentOS 5 box.

As to all your trials building different versions of python, I can't really offer a solution - I've not seen those myself, and you really seem to have quite a mix of things going wrong here. I would suggest that if you do want to build a new AD DC, you should do so on a modern OS, where python just works.

While I will certainly work (as this patch will help a lot with) to have install_with_python work for the AD DC, the intended purpose was simply to get enough of python going to run our build system for simpler file server installations, to allow a transition from the second (autoconf) build system. (And in that it has been quite successful).

Please test these patches, hopefully they will resolve your issue.

Finally, if you get odd build errors (such as the symlink error you got), then 'git clean -x -f -d' will blow away everything not nailed down in the git checkout. This tends to fix that kind of issue (such as happened when I moved our python code around in master and in v4-0-test for 4.0.5).

Metze (or someone else on the team),

Please review or push to master.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

>From 7cbada3356a797f72dc6af3f170183c8e2159e1c Mon Sep 17 00:00:00 2001
From: Andrew Bartlett Date: Mon, 8 Apr 2013 15:57:45 +1000 Subject: [PATCH 1/3] build: Replace #!/usr/bin/env python with passed in PYTHON= This means that if we were forced to use a specific python for the build, we will put that binary into the top of samba-tool, so it continues to work after the install. Andrew Bartlett --- buildtools/wafsamba/samba_python.py | 10 ++ buildtools/wafsamba/wafsamba.py | 15 ++- wscript | 5 + 3 files changed, 25 insertions(+), 5 deletions(-) diff --git a/buildtools/wafsamba/samba_python.py b/buildtools/wafsamba/samba_python.py index b2172f7..847b431 100644 --- a/buildtools/wafsamba/samba_python.py +++ b/buildtools/wafsamba/samba_python.py @@ -5,6 +5,16 @@ from samba_utils import * from samba_autoconf import * from Configure import conf + +@conf +def SAMBA_CHECK_PYTHON(conf, mandatory=True): +# enable tool to build python extensions +conf.find_program('python', var='PYTHON', mandatory=mandatory) +conf.check_tool('python') +path_python = conf.find_program('python') +conf.env.PYTHON_SPECIFIED = (conf.env.PYTHON != path_python) +conf.check_python_version((2,4,2)) + @conf def SAMBA_CHECK_PYTHON_HEADERS(conf, mandatory=True): if conf.env["python_headers_checked"] == []: diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index f7156ec..3559cc1 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py 
@@ -696,14 +696,25 @@ def copy_and_fix_python_path(task): replacement="""sys.path.insert(0, "%s") sys.path.insert(1, "%s")""" % (task.env["PYTHONARCHDIR"], task.env["PYTHONDIR"]) +shebang = None + +if task.env["PYTHON"][0] == "/": +replacement_shebang = "#!%s" % task.env["PYTHON"] +else: +replacement_shebang = "#!/usr/bin/env %s" % task.env["PYTHON"] + installed_location=task.outputs[0].bldpath(task.env) source_file = open(task.inputs[0].srcpath(task.env)) installed_file = open(installed_location, 'w') +lineno = 0 for line in source_file: newline = line -if pattern in line: +if lineno == 0 and task.env["PYTHON_SPECIFIED"] == True and line[:2] == "#!": +newline = replacement_shebang +elif pattern in line: newline = line.replace(pattern, replacement) installed_file.write(newline) +lineno = lineno + 1 installed_file.close() os.chmod(installed_location, 0755) return 0 @@ -727,6 +738,8 @@ def install_file(bld, destdir, file, chmod=MODE_644, flat=False, target=inst_file) bld.add_manual_dependency(bld.path.find_or_declare(inst_file), bld.env["PYTHONARCHDIR"]) bld.add_manual_dependency(bld.path.find_or_declare(inst_file), bld.env["PYTHONDIR"]) +bld.add_manual_dependency(bld.path.find_or_declare(inst_file), str(bld.env["PYTHON_SPECIFIED"])) +bld.add_manual_dependency(bld.path.find_or_declare(inst_file), bld.env["PYTHON"]) file = inst_file if base_name: file = os.path.join(base_name, file) diff --git a/wscript b/wscript index
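Review bot: In the new SAMBA_CHECK_PYTHON in buildtools/wafsamba/samba_python.py, PYTHON_SPECIFIED comes from a plain string comparison, conf.env.PYTHON != path_python, so a PYTHON= value that names the default interpreter through a different spelling (a symlink or a relative name) is treated as a forced interpreter and ends up written into the installed scripts. Consider comparing os.path.realpath() of both values, passing mandatory=mandatory to the second find_program call as well, and adding a one-line comment on what PYTHON_SPECIFIED means, since copy_and_fix_python_path depends on it.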
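Review bot: In copy_and_fix_python_path in buildtools/wafsamba/wafsamba.py, replacement_shebang is built as "#!%s" with no trailing newline, yet it replaces the whole first line including its line ending, so as shown the second line of the installed script would be appended to the interpreter line; add "\n" to both format strings. In the same hunk, shebang = None is never used and the "== True" comparison can be dropped. When PYTHON is not an absolute path the script gets "#!/usr/bin/env %s", which is resolved through PATH at run time and so can again select an interpreter other than the one Samba was linked against; resolving PYTHON to an absolute path at configure time would avoid that.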
[Samba] samba3.5- problem with domain member client logon
Hi all,

I installed samba-3.5.10-125.el6.x86_64 on my CentOS 6.3. Then I added a file share. My client is a Windows 7 machine and it is joined to an AD. The AD's name is 360BUYAD.LOCAL. My file server is not joined to the AD.

When I use a user that is also in the AD to attach the network filesystem and then reboot the Windows client, after the computer logs in, the network filesystem does not log on successfully. But when I use a user that is not in the AD to do that, the network filesystem logs on successfully. Why does that happen?

The following is my smb.conf:

[global]
    workgroup = 360BUYAD
    server string = Samba Server Version %v
    netbios name = vdesktop_user_server
    # logs split per machine
    log file = /var/log/samba/log.%m
    # max 50KB per log file, then rotate
    max log size = 50
    security = user
    passdb backend = tdbsam
    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    valid users = %S
;   valid users = MYDOMAIN\%S

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes