Re: [Samba] Hostname and kerberos
Hello, thank you for your answer!

Monday, 29 April 2013, 9:58 +10:00 from Andrew Bartlett:
>On Mon, 2013-04-29 at 00:51 +0400, Александр Свиридов wrote:
>> In samba 4 log I get the following message:
>>
>> [2013/04/29 00:44:30, 0] ../source4/smbd/server.c:369(binary_smbd_main)
>> samba version 4.1.0pre1-GIT-5727bfa started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2013
>> [2013/04/29 00:44:31, 0] ../source4/smbd/server.c:475(binary_smbd_main)
>> samba: using 'standard' process model
>> [2013/04/29 00:44:32, 1]
>> ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
>> Could not determine hostname for target computer, cannot use kerberos
>> [2013/04/29 00:44:32, 1]
>> ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
>> Could not determine hostname for target computer, cannot use kerberos
>
>Don't worry about this. I'll need to change the log level of the
>message, it isn't important, just a status message.
>
>> and in another log I have:
>> [2013/04/29 00:44:32.534527, 0]
>> ../source3/lib/util_sock.c:423(open_socket_in)
>> open_socket_in(): socket() call failed: Address family not supported by
>> protocol
>> [2013/04/29 00:44:32.541347, 0]
>> ../source3/smbd/server.c:684(smbd_open_one_socket)
>> smbd_open_once_socket: open_socket_in: Address family not supported by
>> protocol
>> [2013/04/29 00:44:32.542740, 0]
>> ../source3/lib/util_sock.c:423(open_socket_in)
>> open_socket_in(): socket() call failed: Address family not supported by
>> protocol
>> [2013/04/29 00:44:32.542874, 0]
>> ../source3/smbd/server.c:684(smbd_open_one_socket)
>> smbd_open_once_socket: open_socket_in: Address family not supported by
>> protocol
>
>This is more odd, but is anything actually wrong?
>
>Perhaps you have IPv6 half-enabled in some way?

In the OS I disabled IPv6; maybe that's why this error arises? But samba works.

>
>Andrew Bartlett
>--
>Andrew Bartlett                                http://samba.org/~abartlet/
>Authentication Developer, Samba Team           http://samba.org

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] libnss_winbind.so spawning many smbd processes
I've currently got a samba 4.0.6-GIT-3f8ea16 deployment that's spawning many (250 or more) smbd processes whenever a backup runs and starts backing up files that have samba ACLs attached to them. (Such as the 'sysvol' volume.) This will effectively lock up the machine until I've restarted samba and killed the backup job. If the backup is still running, samba will immediately spawn smbd processes again.

My machine is a 64-bit CentOS 6.4 server with 16 GB of RAM and an Intel 8-core Xeon processor. Kernel is the stock CentOS 2.6.32-358.2.1.el6.x86_64.

The Samba part of this runs fine from the Windows perspective (that is, until the backup system kicks in).

I set up my samba4 server per the instructions on the samba wiki. Specifically, I followed the winbind setup instructions from here:
http://wiki.samba.org/index.php/Samba4/Winbind

In a nutshell, I had to create these sym-links:

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s /lib64/libnss_winbind.so /lib64/libnss_winbind.so.2

and edit my nsswitch.conf file as follows:

passwd: files winbind
shadow: files
group: files winbind

All of the suggested testing on that page works great.

After a fresh samba restart, without anything running, things look like this:

[root@server ~]# ps ax | grep samba
21420 ?        Ss     0:00 /usr/local/samba/sbin/samba
21422 ?        S      0:00 /usr/local/samba/sbin/samba
21423 ?        S      0:00 /usr/local/samba/sbin/samba
21424 ?        Ss     0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
21425 ?        S      0:00 /usr/local/samba/sbin/samba
21426 ?        S      0:00 /usr/local/samba/sbin/samba
21427 ?        S      0:00 /usr/local/samba/sbin/samba
21428 ?        S      0:00 /usr/local/samba/sbin/samba
21429 ?        S      0:00 /usr/local/samba/sbin/samba
21430 ?        S      0:00 /usr/local/samba/sbin/samba
21431 ?        S      0:00 /usr/local/samba/sbin/samba
21432 ?        S      0:00 /usr/local/samba/sbin/samba
21433 ?        S      0:00 /usr/local/samba/sbin/samba
21434 ?        S      0:00 /usr/local/samba/sbin/samba
21435 ?        S      0:00 /usr/local/samba/sbin/samba
21438 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground

[root@server ~]# ps ax | grep samba | wc -l
17

When a backup job kicks in, I'll see hundreds of lines similar to:

22026 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22043 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground
22044 ?        S      0:00 /usr/local/samba/sbin/smbd --option=server role check:inhibit=yes --foreground

and I have the approximate number of samba processes:

[root@server ~]# ps ax | grep samba | wc -l
258

smbstatus will look like this, but with many more lines:

[root@server ~]# smbstatus
Samba version 4.0.6-GIT-3f8ea16
PID     Username            Group                          Machine
---
21809   KAUKAUNA\SERVER$    KAUKAUNA\Domain Controllers    192.168.150.1 (ipv4:192.168.150.1:56761)
21796   KAUKAUNA\SERVER$    KAUKAUNA\Domain Controllers    192.168.150.1 (ipv4:192.168.150.1:56748)
21771   KAUKAUNA\SERVER$    KAUKAUNA\Domain Controllers    192.168.150.1 (ipv4:192.168.150.1:56722)

If I engage Name Service Cache Daemon (nscd), then the backup will run just fine, and I don't seem to get an extraordinary number of samba processes. (It will bump up to about 27, but stays there.)

Unfortunately, nscd doesn't seem to play well with Samba4's internal winbind system. The "id " command will only return results for some of the users. And Apache PAM authentication stops working with unusual errors. (Both of which work fine when nscd isn't running.)

I've been looking at setting up SSSD, but I get the feeling that's not quite what I'm looking for either. I get the impression that it does its own ID mapping, which would probably differ from the internal winbind's mapping. Please correct me if I'm wrong on this.

If I turn off the libnss_winbind part, there seem to be some other issues that crop up, such as users unable to log into their own home folders.

It seems that I need to either:

1.) Figure out how to make the internal winbind server behave when doing lots of libnss_winbind look-ups
2.) Figure out how to take the load off winbind by using nscd and figure out how to make that work reliably with other things (like id or apache mod_auth_pam)
3.) Perhaps figure out sssd (which I haven't gotten to work yet, but haven't spent a ton of time on.)

If anyone has some suggestions or pointers, I'd be eternally grateful.

Thanks!
-Joe

My smb.conf:

# Global parameters
[global]
workgroup = KAUKAUNA
realm = KAUKAUNA.NEWSPUB
netbios name = SERVER
server role = active dir
Re: [Samba] samba 4 classicupgrade w7 clients errors
On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> I've changed some of my test users passwords, just to renew the password
> expiration date.
> I may check if they are still expired or if I have to set a new expiration
> policy.
> Is it set as a GPO or using the samba-tools?

Password expiry for the domain is applied using samba-tool:

samba-tool domain passwordsettings

As Samba can't read GPO files (but can serve them to clients), we don't follow anything from the GPO.

The only exception is that if a windows DC shares the domain, and it has the GPO files, it will 'fix' the directory to match the GPO.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Hostname and kerberos
On Mon, 2013-04-29 at 00:51 +0400, Александр Свиридов wrote:
> In samba 4 log I get the following message:
>
> [2013/04/29 00:44:30, 0] ../source4/smbd/server.c:369(binary_smbd_main)
> samba version 4.1.0pre1-GIT-5727bfa started.
> Copyright Andrew Tridgell and the Samba Team 1992-2013
> [2013/04/29 00:44:31, 0] ../source4/smbd/server.c:475(binary_smbd_main)
> samba: using 'standard' process model
> [2013/04/29 00:44:32, 1]
> ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
> Could not determine hostname for target computer, cannot use kerberos
> [2013/04/29 00:44:32, 1]
> ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
> Could not determine hostname for target computer, cannot use kerberos

Don't worry about this. I'll need to change the log level of the message, it isn't important, just a status message.

> and in another log I have:
> [2013/04/29 00:44:32.534527, 0]
> ../source3/lib/util_sock.c:423(open_socket_in)
> open_socket_in(): socket() call failed: Address family not supported by
> protocol
> [2013/04/29 00:44:32.541347, 0]
> ../source3/smbd/server.c:684(smbd_open_one_socket)
> smbd_open_once_socket: open_socket_in: Address family not supported by
> protocol
> [2013/04/29 00:44:32.542740, 0]
> ../source3/lib/util_sock.c:423(open_socket_in)
> open_socket_in(): socket() call failed: Address family not supported by
> protocol
> [2013/04/29 00:44:32.542874, 0]
> ../source3/smbd/server.c:684(smbd_open_one_socket)
> smbd_open_once_socket: open_socket_in: Address family not supported by
> protocol

This is more odd, but is anything actually wrong?

Perhaps you have IPv6 half-enabled in some way?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Re: [Samba] Migrate from MS-AD to Samba4
On Mon, 2013-04-29 at 07:54 +1000, Alex Ferrara wrote:
> Hi all,
>
> This might be a silly question, but what is the best way to migrate an
> existing AD domain to promote Samba4 as the domain controller.

It's all in the wiki:
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
[Samba] Migrate from MS-AD to Samba4
Hi all,

This might be a silly question, but what is the best way to migrate an existing AD domain to promote Samba4 as the domain controller.

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E a...@receptiveit.com.au
W www.receptiveit.com.au
[Samba] Hostname and kerberos
In samba 4 log I get the following message:

[2013/04/29 00:44:30, 0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.1.0pre1-GIT-5727bfa started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2013/04/29 00:44:31, 0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/04/29 00:44:32, 1] ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
  Could not determine hostname for target computer, cannot use kerberos
[2013/04/29 00:44:32, 1] ../source4/auth/gensec/gensec_gssapi.c:339(gensec_gssapi_client_start)
  Could not determine hostname for target computer, cannot use kerberos

and in another log I have:

[2013/04/29 00:44:32.534527, 0] ../source3/lib/util_sock.c:423(open_socket_in)
  open_socket_in(): socket() call failed: Address family not supported by protocol
[2013/04/29 00:44:32.541347, 0] ../source3/smbd/server.c:684(smbd_open_one_socket)
  smbd_open_once_socket: open_socket_in: Address family not supported by protocol
[2013/04/29 00:44:32.542740, 0] ../source3/lib/util_sock.c:423(open_socket_in)
  open_socket_in(): socket() call failed: Address family not supported by protocol
[2013/04/29 00:44:32.542874, 0] ../source3/smbd/server.c:684(smbd_open_one_socket)
  smbd_open_once_socket: open_socket_in: Address family not supported by protocol

I changed the hostname in /etc/sysconfig/network to name of realm, but it didn't help. I use samba 4, centos 6.3.

Please help me.

Pavel
[Samba] AD client can't connect to share after winbind cache expires [Samba 3.4.12 on Gentoo]
Hello,

we're using Samba 3.4.12 on older installation of Gentoo (2.6.34-gentoo-r12) to serve files to AD users and after Samba restart, users can't connect to shared folders -

error on client side: session setup failed: NT_STATUS_LOGON_FAILURE;
errors on server side - Get_Pwnam_internals didn't find user [user]!, check_ntlm_password: winbind authentication for user [user] FAILED with error NT_STATUS_NO_SUCH_USER

wbinfo -i user returns "Could not get info for user"

BUT

wbinfo -u, wbinfo -g work (list all >30K AD users,groups)
also getent passwd, group work (list all local and AD users/groups)

and after issuing wbinfo -u, the user is able to log in and access shared files - and at the same time the wbinfo -i user works as expected, returning line from /etc/passwd with AD account

after 5 minutes (default winbind cache is 5 minutes) it's in original state again - user can't log in and wbinfo -i doesn't work again.

So quick summary - I have to issue wbinfo -u to populate winbind cache to be able to log in with AD account. After the cache expires, the AD accounts can't log in anymore.

smb.conf:

[global]
netbios name = MSVMSVFMGT01
socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
idmap alloc backend = tdb
idmap uid = 1-10
winbind enum users = yes
winbind gid = 1-2
workgroup = DC
os level = 20
winbind enum groups = yes
socket address = 10.1.73.250
password server = *
preferred master = no
winbind separator = +
max log size = 500
log level = 10
log file = /var/log/samba/log.%m
encrypt passwords = yes
dns proxy = no
realm = DC.REALM.SK
security = ADS
# wins server = ip of your wins server
wins proxy = no

/etc/nsswitch.conf:

passwd: compat winbind
shadow: compat winbind
group: compat winbind
...

log.winbindd (when wbinfo -i issued and fails)

[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 22
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn INTERFACE_VERSION
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
  [16641]: request interface version
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2013/04/28 20:39:45, 3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
  [16641]: request location of privileged pipe
[2013/04/28 20:39:45, 6] winbindd/winbindd.c:827(new_connection)
  accepted socket 25
[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)
  process_request: request fn GETPWNAM
[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)
  [16641]: getpwnam DC+matej.zary
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337ab2fc60
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/72
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337ab2fc60 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)
  Sending request to child pid 16287 (domain=DC)
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Added timed event "async_request_timeout_handler": 0x7f337aab2030
[2013/04/28 20:39:45, 10] lib/events.c:156(get_timed_events_timeout)
  timed_events_timeout: 299/77
[2013/04/28 20:39:45, 10] lib/events.c:295(s3_event_debug)
  s3_event: Destroying timer event 0x7f337aab2030 "async_request_timeout_handler"
[2013/04/28 20:39:45, 10] winbindd/winbindd_cache.c:2667(cache_retrieve_response)
  Retrieving response for pid 16287
[2013/04/28 20:39:45, 5] winbindd/winbindd_async.c:296(lookupname_recv2)
  lookup_name returned an error
[2013/04/28 20:39:45, 5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)
  Could not lookup name for user DC+matej.zary

Any ideas where to look further?

Many thanks...

Best Regards

Matej Zary
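Added example, not part of the original post or of Samba's own tooling: a small Python parser for the log.winbindd record format shown in the message above, which pairs each `[timestamp, level] file:line(function)` header with its message and reports the getpwnam requests that end in "Could not lookup name". The sample records are copied from the post; the function names (`parse_records`, `failed_getpwnam`, `visible_at`) are hypothetical.

```python
import re
from collections import namedtuple

# Header of a Samba debug record: "[date time, level] file:line(function)".
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)
GETPWNAM = re.compile(r"\[\s*(?P<pid>\d+)\]: getpwnam (?P<name>\S+)")
FAILED = re.compile(r"Could not lookup name for user (?P<name>\S+)")

Record = namedtuple("Record", "ts level file line func msg")

def parse_records(text):
    """Split a log into records; works even if the line breaks were lost."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse wrapping
        records.append(Record(m["ts"], int(m["level"]), m["file"],
                              int(m["line"]), m["func"], msg))
    return records

def failed_getpwnam(records):
    """Return (request_ts, client_pid, name) for getpwnam calls that fail."""
    pending, failures = {}, []
    for r in records:
        if r.func == "winbindd_getpwnam":
            m = GETPWNAM.search(r.msg)
            if m:
                pending[m["name"]] = (r.ts, int(m["pid"]))
        elif r.func == "getpwnam_name2sid_recv":
            m = FAILED.search(r.msg)
            if m and m["name"] in pending:
                ts, pid = pending.pop(m["name"])
                failures.append((ts, pid, m["name"]))
    return failures

def visible_at(records, log_level):
    """Records that would still be written at a lower 'log level' setting."""
    return [r for r in records if r.level <= log_level]

# Five records copied from the log.winbindd excerpt in the post.
SAMPLE = (
    "[2013/04/28 20:39:45, 10] winbindd/winbindd.c:530(process_request)\n"
    "  process_request: request fn GETPWNAM\n"
    "[2013/04/28 20:39:45, 3] winbindd/winbindd_user.c:438(winbindd_getpwnam)\n"
    "  [16641]: getpwnam DC+matej.zary\n"
    "[2013/04/28 20:39:45, 10] winbindd/winbindd_dual.c:125(async_request)\n"
    "  Sending request to child pid 16287 (domain=DC)\n"
    "[2013/04/28 20:39:45, 5] winbindd/winbindd_async.c:296(lookupname_recv2)\n"
    "  lookup_name returned an error\n"
    "[2013/04/28 20:39:45, 5] winbindd/winbindd_user.c:497(getpwnam_name2sid_recv)\n"
    "  Could not lookup name for user DC+matej.zary\n"
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ts, pid, name in failed_getpwnam(recs):
        print(f"{ts} client pid {pid}: lookup failed for {name}")
    print(len(visible_at(recs, 3)), "record(s) visible at log level 3")
```

In this excerpt the request is logged at level 3 but the failure only at level 5, so a log level below 5 would show the lookup without its outcome.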
Re: [Samba] samba 4 classicupgrade w7 clients errors
I've changed some of my test users' passwords, just to renew the password expiration date.
I may check if they are still expired or if I have to set a new expiration policy.
Is it set as a GPO or using the samba-tools?

On Sun, Apr 28, 2013 at 8:46 AM, Andrew Bartlett wrote:

> On Sat, 2013-04-27 at 14:31 +0200, Andreas Calvo wrote:
> > I had a test environment with a few hundreds of users using Windows 7 under
> > a samba 3 domain.
> > They had the registry tweaks required to join a samba 3 domain.
> > I followed the classicupgrade migration to samba 4 and everything seemed to
> > be ok.
> >
> > In my scenario I have a DNS server different from the samba server, and the
> > DNS server forwards all queries to my samba domain to the samba server.
> > The samba server is also acting as a NTP server, and the option ntp-servers
> > on DHCP is specified.
> >
> > Some users see a pop-up requesting to log off and log in again - with a
> > "windows need your credentials" message.
> > Moreover, they seem to not have any kerberos ticket - running a klist
> > shows no active tickets; and they do not have the time synchronized and
> > sometimes they see a message regarding the time mismatch.
> > We tried to set up a NTP time using GPOs without luck.
> >
> > Looking at the samba logs doesn't give a clue - just some errors which may
> > be normal.
> >
> > Any hint to look at or any configuration/misconfiguration?
>
> Have the passwords expired (incorrectly)? I just saw the same message
> with my test domain (not upgraded), and it then asked me to change the
> password which had expired.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org

--
Sincerely,
Andreas Calvo
[Samba] Joining samba4 as a DC to Windows Server 2012 active directory
Hello all,

I am attempting to join samba4 to my current domain which is controlled by a Windows 2012 Active Directory Server. When following the instructions on the official WIKI:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I am able to do a kinit administrator, which then gives me a ticket which I can see via klist. The problem is that once I run the command:

# bin/samba-tool domain join samba.example.com DC -Uadministrator --realm=samba.example.com

It does not work. I get the following error:

DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')

Could this be because of the version of AD? I can't find much around compatibility of this version of Windows. Any help is greatly appreciated.

Here is the full debug:

./samba-tool domain join example.com DC -Uadministrator --realm= example.com
Finding a writeable DC for domain 'example.com'
Found DC dc01.example.com
Password for [WORKGROUP\administrator]:
workgroup is EXAMPLE
realm is example.com
checking sAMAccountName
Deleted CN=DC02,CN=Computers,DC=example,DC=com
Adding CN=DC02,OU=Domain Controllers,DC=example,DC=com
Adding CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
Adding CN=NTDS Settings,CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DsAddEntry failed with status (5, 'WERR_ACCESS_DENIED') info (8567, 'WERR_DS_INCOMPATIBLE_VERSION')
Join failed - cleaning up
checking sAMAccountName
Deleted CN=DC02,OU=Domain Controllers,DC=example,DC=com
Deleted CN=DC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ERROR(runtime): uncaught exception - DsAddEntry failed
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 1007, in do_join
    ctx.join_add_objects()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 525, in join_add_objects
    ctx.join_add_ntdsdsa()
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 458, in join_add_ntdsdsa
    ctx.DsAddEntry([rec])
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/join.py", line 421, in DsAddEntry
    raise RuntimeError("DsAddEntry failed")
Re: [Samba] [samba4] Users can't change password from the server
On Sun, 2013-04-28 at 03:50 +0200, Dirbaio Minikiwi wrote:
> Hello everyone,
>
> I've installed Samba 4.0.4 from source on an Ubuntu Server 12.04 machine.
> I've configured it as an AD DC following the instructions here:
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
> Then I configured Winbind following the instructions here:
> http://wiki.samba.org/index.php/Samba4/Winbind
>
> Users can now login through SSH to the server and access their files and
> it's all working fine.
> But users can't change their password.

That codepath is just not implemented in the winbind we use in the AD DC. (One of the many reasons it needs to be replaced).

Instead, have your users connect to a member server, rather than the DC (which shouldn't really have user interactive logins anyway, as a matter of network hygiene).

Sorry,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org