Re: [Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

2013-05-27 Thread Andrew Bartlett
On Tue, 2013-05-28 at 10:32 +0800, Tide wrote:
> We have a third party mail system which can write/read accounts to/from AD 
> using the ldaps protocol; it works fine with Active Directory on Windows Server 
> 2003.
> 
> When I test the mail system with a samba4 DC, I can't disable a user from the 
> mail system, because the mail system writes 0x82 
> (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED) to the userAccountControl field 
> of AD/samba4, and samldb returns an "Unrecognized account type" error.
> 
> Is this expected behaviour or a possible bug?
> 
> # test from command line
> ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
> sAMAccountName=YOUR_ACCOUNT userAccountControl
> # then change userAccountControl to 8388610, save, quit editor

If it works against Windows and doesn't work against Samba, it's a bug.
We need to know what the value becomes after you do this against
Windows, then we need the tests updated to cover this case.

Presumably the UF_NORMAL_ACCOUNT flag is implied.

Once that's done, it shouldn't be too hard to also imply it.

Any chance you can look into this for us?  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
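As an added example (not code from the Samba project or from anyone in this thread), the following Python decodes a userAccountControl value into its UF_* flags and applies the account-type rule at issue here: the posted value 0x800002 carries only UF_ACCOUNTDISABLE and UF_PASSWORD_EXPIRED, with no account-type bit, so a strict write path rejects it, while an `imply_normal` mode fills in UF_NORMAL_ACCOUNT as Andrew suggests. The bit values are the documented userAccountControl flags; the function names and the `imply_normal` switch are this example's own, and whether Windows stores the implied value is exactly what the thread asks to be checked.

```python
"""Decode userAccountControl and apply the account-type rule samldb enforces.

Added example; not Samba's code and not from anyone in the thread. The UF_*
bit values are the documented userAccountControl flags; the function names
(decode_uac, account_type, normalize_uac) and the `imply_normal` switch are
this example's own.
"""

UF_FLAGS = {
    "UF_SCRIPT": 0x00000001,
    "UF_ACCOUNTDISABLE": 0x00000002,
    "UF_HOMEDIR_REQUIRED": 0x00000008,
    "UF_LOCKOUT": 0x00000010,
    "UF_PASSWD_NOTREQD": 0x00000020,
    "UF_PASSWD_CANT_CHANGE": 0x00000040,
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x00000080,
    "UF_TEMP_DUPLICATE_ACCOUNT": 0x00000100,
    "UF_NORMAL_ACCOUNT": 0x00000200,
    "UF_INTERDOMAIN_TRUST_ACCOUNT": 0x00000800,
    "UF_WORKSTATION_TRUST_ACCOUNT": 0x00001000,
    "UF_SERVER_TRUST_ACCOUNT": 0x00002000,
    "UF_DONT_EXPIRE_PASSWD": 0x00010000,
    "UF_MNS_LOGON_ACCOUNT": 0x00020000,
    "UF_SMARTCARD_REQUIRED": 0x00040000,
    "UF_TRUSTED_FOR_DELEGATION": 0x00080000,
    "UF_NOT_DELEGATED": 0x00100000,
    "UF_USE_DES_KEY_ONLY": 0x00200000,
    "UF_DONT_REQUIRE_PREAUTH": 0x00400000,
    "UF_PASSWORD_EXPIRED": 0x00800000,
    "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x01000000,
    "UF_PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}

# Exactly one of these must be set on a valid account object.
ACCOUNT_TYPE_NAMES = (
    "UF_TEMP_DUPLICATE_ACCOUNT", "UF_NORMAL_ACCOUNT",
    "UF_INTERDOMAIN_TRUST_ACCOUNT", "UF_WORKSTATION_TRUST_ACCOUNT",
    "UF_SERVER_TRUST_ACCOUNT",
)
KNOWN_BITS = sum(UF_FLAGS.values())  # bits are distinct, so sum == OR


def decode_uac(value):
    """Return (names of the set flags in bit order, bits not in the table)."""
    names = [name for name, bit in sorted(UF_FLAGS.items(), key=lambda kv: kv[1])
             if value & bit]
    return names, value & ~KNOWN_BITS


def account_type(value):
    """Name of the single account-type flag set, or None if none is set.

    Raises ValueError when more than one account type is set: such a value
    is ambiguous and no directory should store it.
    """
    types = [name for name in ACCOUNT_TYPE_NAMES if value & UF_FLAGS[name]]
    if len(types) > 1:
        raise ValueError("Unrecognized account type: several set (%s)" % ", ".join(types))
    return types[0] if types else None


def normalize_uac(value, imply_normal=False):
    """Validate a userAccountControl value as a directory write path would.

    Without imply_normal this rejects a value that carries no account-type
    bit, which is the thread's case: 0x800002 is only "disabled" plus
    "password expired". With imply_normal it fills in UF_NORMAL_ACCOUNT
    instead, the lenient behaviour Andrew proposes once Windows confirms it.
    """
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("userAccountControl must be an unsigned 32-bit value")
    if account_type(value) is None:
        if not imply_normal:
            raise ValueError("Unrecognized account type: no account-type flag in 0x%x" % value)
        value |= UF_FLAGS["UF_NORMAL_ACCOUNT"]
    return value


def is_disabled(value):
    """True when UF_ACCOUNTDISABLE is set: what the mail system wanted to achieve."""
    return bool(value & UF_FLAGS["UF_ACCOUNTDISABLE"])


if __name__ == "__main__":
    posted = 8388610  # the value from the thread, 0x800002
    names, unknown = decode_uac(posted)
    print("0x%x -> %s (unknown bits 0x%x)" % (posted, " | ".join(names), unknown))
    try:
        normalize_uac(posted)
    except ValueError as err:
        print("strict:", err)
    stored = normalize_uac(posted, imply_normal=True)
    print("lenient: stored 0x%x, disabled=%s" % (stored, is_disabled(stored)))
```

The defender-side use of this is auditing what the directory actually stored after such a write: decode the stored value and confirm `is_disabled` before trusting that a deprovisioned account is really blocked, rather than assuming the third-party system's write succeeded.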


[Samba] userAccountControl can't be set to 0x800002 (8388610, UF_ACCOUNTDISABLED | UF_PASSWORDEXPIRED):"samldb: Unrecognized account type"

2013-05-27 Thread Tide
We have a third party mail system which can write/read accounts to/from AD 
using the ldaps protocol; it works fine with Active Directory on Windows Server 
2003.

When I test the mail system with a samba4 DC, I can't disable a user from the mail 
system, because the mail system writes 0x82 (8388610, UF_ACCOUNTDISABLED | 
UF_PASSWORDEXPIRED) to the userAccountControl field of AD/samba4, and samldb 
returns an "Unrecognized account type" error.

Is this expected behaviour or a possible bug?

# test from command line
ldbedit --show-binary -H /usr/local/samba/private/sam.ldb 
sAMAccountName=YOUR_ACCOUNT userAccountControl
# then change userAccountControl to 8388610, save, quit editor


Re: [Samba] samba3 file-server crash for Samba4 DC

2013-05-27 Thread Andrew Bartlett
On Sun, 2013-05-26 at 12:58 +0200, steve wrote:
> Username HH3\Administrator is invalid on this system

Does HH3\Administrator exist on the system (exactly as indicated)?

eg what does this give:

getent passwd HH3\\Administrator

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org




Re: [Samba] New Samba Error We Have Not Seen Before

2013-05-27 Thread Andrew Bartlett
On Mon, 2013-05-27 at 18:32 +, Robinson, Eric wrote:
> We have about 40 samba servers in our domain. The two newest ones are 
> throwing an error we've never seen before.
> 
> [root@vmhost06a samba]# net join
> Enter root's password:
> dos charset 'CP850' unavailable - using ASCII

This worries me.  I think it may be the source of your issue.  It
suggests your build was without iconv support!  (We removed the internal
code page handling in 3.6 from memory, relying on the system to handle
it for us). 

> convert_string_talloc: Conversion not supported.
> Failed to join domain: failed to lookup DC info for domain 'MYCHARTS.MD' over 
> rpc: Memory allocation error
> ADS join did not work, falling back to RPC...
> convert_string_talloc: Conversion not supported.
> Connection failed: NT_STATUS_NO_MEMORY
> Enter root's password:
> convert_string_talloc: Conversion not supported.
> Could not connect to server RPT01
> Connection failed: NT_STATUS_NO_MEMORY
> Any thoughts?
> 
> Possibly related: It always says "could not connect to server RPT01." I'm 
> not sure why it says this since RPT01 is our oldest domain controller and it 
> is not referenced in any of the config files. Only servers DC01 and TS04 are 
> mentioned in krb5.conf. I suppose it must be getting it from DNS, but why 
> only RPT01?
> 
> Samba version info follows...
> 
> [root@vmhost06a samba]# rpm -qa|grep -i samba
> samba-winbind-3.6.9-151.el6.x86_64
> samba-3.6.9-151.el6.x86_64
> samba-common-3.6.9-151.el6.x86_64
> samba-client-3.6.9-151.el6.x86_64
> samba-winbind-clients-3.6.9-151.el6.x86_64

It seems unlikely that these RPMs are built without iconv support, but
can you verify by getting us the output of smbd -b?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org




Re: [Samba] New Samba Error We Have Not Seen Before

2013-05-27 Thread Robinson, Eric
> -Original Message-
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de] 
> Sent: Monday, May 27, 2013 2:46 PM
> To: Robinson, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] New Samba Error We Have Not Seen Before
> 
> Hello Eric,
> 
> On 27.05.2013 20:32, Robinson, Eric wrote:
> > We have about 40 samba servers in our domain. The two 
> newest ones are throwing an error we've never seen before.
> >
> > [root@vmhost06a samba]# net join
> > Enter root's password:
> > dos charset 'CP850' unavailable - using ASCII
> > convert_string_talloc: Conversion not supported.
> > Failed to join domain: failed to lookup DC info for domain 
> > 'MYCHARTS.MD' over rpc: Memory allocation error ADS join 
> did not work, falling back to RPC...
> > convert_string_talloc: Conversion not supported.
> > Connection failed: NT_STATUS_NO_MEMORY Enter root's password:
> > convert_string_talloc: Conversion not supported.
> > Could not connect to server RPT01
> > Connection failed: NT_STATUS_NO_MEMORY Any thoughts?
> 
> There's an open bug report with the same error:
> https://bugzilla.samba.org/show_bug.cgi?id=9080
> 
> 

I noticed that. It's about the only thing that turns up on Google.

> 
> Is it AD or a NT4 style environment?
> 
> 
> Can you join with (if it's AD):
> # net ads join -U administrator
> 
> 

net ads join does the same thing. I'm embarrassed to say that I'm not 100% sure 
how to answer your question about NT4 vs ADS. I assume it is ADS as there are 
only Win 2K3 and above servers in the domain. 

> 
> > Possibly related: It always says "could not connect to server
> > RPT01." I'm not sure why it says this since RPT01 is our oldest
> > domain controller and it is not referenced in any of the config
> > files. Only servers DC01 and TS04 are mentioned in krb5.conf.
> > I suppose it must be getting it from DNS, but why only RPT01?
> 
> I guess DNS, too. Does RPT01 have any special role?

No, it's just a DC.

> 
> Do you have 'dns_lookup_kdc = true'? Then the lookup for the 
> KDC is done via DNS (I don't know if the hardcoded entries 
> are then ignored). It's just a guess.
> 
> 

I removed the hardcoded entries and went with the bare bones example that was 
provided earlier in this thread. Things are working better, but still getting a 
lot of hanging and timeouts. I'm pretty sure it is DNS related, but I have not 
tracked it down yet.

--Eric





 



Re: [Samba] New Samba Error We Have Not Seen Before

2013-05-27 Thread Marc Muehlfeld

Hello Eric,

On 27.05.2013 20:32, Robinson, Eric wrote:
> We have about 40 samba servers in our domain. The two newest ones are throwing 
> an error we've never seen before.
> 
> [root@vmhost06a samba]# net join
> Enter root's password:
> dos charset 'CP850' unavailable - using ASCII
> convert_string_talloc: Conversion not supported.
> Failed to join domain: failed to lookup DC info for domain 'MYCHARTS.MD' over 
> rpc: Memory allocation error
> ADS join did not work, falling back to RPC...
> convert_string_talloc: Conversion not supported.
> Connection failed: NT_STATUS_NO_MEMORY
> Enter root's password:
> convert_string_talloc: Conversion not supported.
> Could not connect to server RPT01
> Connection failed: NT_STATUS_NO_MEMORY
> Any thoughts?

There's an open bug report with the same error:
https://bugzilla.samba.org/show_bug.cgi?id=9080

Is it AD or a NT4 style environment?

Can you join with (if it's AD):
# net ads join -U administrator

> Possibly related: It always says "could not connect to server
> RPT01." I'm not sure why it says this since RPT01 is our oldest
> domain controller and it is not referenced in any of the config
> files. Only servers DC01 and TS04 are mentioned in krb5.conf.
> I suppose it must be getting it from DNS, but why only RPT01?

I guess DNS, too. Does RPT01 have any special role?

Do you have 'dns_lookup_kdc = true'? Then the lookup for the KDC is done 
via DNS (I don't know if the hardcoded entries are then ignored). It's 
just a guess.



Regards,
Marc


Re: [Samba] smb.conf sync

2013-05-27 Thread Marc Muehlfeld

Hello Robert,

On 27.05.2013 21:37, Sandbox wrote:
> > > Just a quick question.
> > > Do I have to synchronise my smb.conf file between my servers?
> 
> > No. And it would be a bad idea. Each Samba server has its own
> > smb.conf, with its own shares/paths/server name/etc. If you mix
> > something up there (e.g. the same DC name twice in your network), you may
> > confuse everything in your network.
> 
> That was the reason I thought about this: I set up the DC and
> joined my other Samba server to it. But I asked myself, if the "master"
> server dies for any reason, how could the member server provide the
> shares if there are only basic smb.conf settings on the member server?

It's not just done by syncing the smb.conf. If another server should 
take over the job of the failed one, you would also need the whole share 
data on the second host, the server's tdb files, etc., which brings you to 
the clustering topic.



Regards,
Marc


Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread steve
On Mon, 2013-05-27 at 19:46 +0100, Rowland Penny wrote:
> I do not think that you actually need the krb.conf, try it without it,
> after all what have you got to lose?
> 
> Rowland

Hi
Confirmed. Certainly not needed if running sssd.
Cheers,
Steve




Re: [Samba] smb.conf sync

2013-05-27 Thread Sandbox


On 2013-05-27 17:07, Marc Muehlfeld wrote:
> Hello Robert,
> 
> On 27.05.2013 11:15, Sandbox wrote:
> > Just a quick question.
> > Do I have to synchronise my smb.conf file between my servers?
> 
> No. And it would be a bad idea. Each Samba server has its own 
> smb.conf, with its own shares/paths/server name/etc. If you mix 
> something up there (e.g. the same DC name twice in your network), you may 
> confuse everything in your network.
> 
> Regards
> Marc

Hi Marc,

That was the reason I thought about this: I set up the DC and 
joined my other Samba server to it. But I asked myself, if the "master" 
server dies for any reason, how could the member server provide the 
shares if there are only basic smb.conf settings on the member server?


Regards, Robert

--
Üdvözlettel / Kind regards:

SandBoX ;)





Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread Rowland Penny
I do not think that you actually need the krb.conf, try it without it,
after all what have you got to lose?

Rowland


On 27 May 2013 19:43, Robinson, Eric  wrote:

> Thanks, I will try that. What about krb.conf? Any changes required there?
>
> (Sorry about the top post. Your MUA's message quoting mechanism makes it
> hard to bottom post as I am normally used to doing.)
>
> --
> Eric Robinson
>
>
> 
> From: Robinson, Eric
> Sent: Monday, May 27, 2013 11:39 AM
> To: 'Rowland Penny'
> Cc: 'Marc Muehlfeld'; 'samba@lists.samba.org'
> Subject: RE: [Samba] Linux Servers in an AD Domain with Multiple Windows
> Domain Controllers
>
>
> On 27 May 2013 19:14, Robinson, Eric <eric.robin...@psmnv.com> wrote:
> > -Original Message-
> > From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> > Sent: Saturday, May 25, 2013 3:31 PM
> > To: Robinson, Eric
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Linux Servers in an AD Domain with
> > Multiple Windows Domain Controllers
> >
> > Hello Eric,
> >
> > On 25.05.2013 18:29, Robinson, Eric wrote:
> > > We have three Windows domain controllers in our AD domain. They are
> > > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > > domain as well. The Linux servers are working fine with AD. However,
> > > they are currently configured in krb.conf and krb5.conf to use only
> > > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > > authenticate. How do we configure the Linux servers to use multiple
> > > domain controllers for AD, so if DC01 is down everything continues
> > > to work on the Linux side?
> >
> > I saw, that you asked that question already 1.5 years ago on
> > this list:
> > http://markmail.org/message/slugpbka33ap4ima
> >
> > Didn't the two suggestions from Marcel and Andrew work? If
> > not, what were the problems with them? Then maybe we find a
> > way to get it work.
> >
> > Regards,
> > Marc
> >
>
> Hi Marc -- Thanks very much for following up on this. I did try Marcel and
> Andrew's suggestions (see below) but it did not work. When server DC01 is
> down, Windows users can still login fine, but when I try to ssh to a Linux
> box, the login hangs for a long time or forever. Also, Marcel and Andrew
> did not address my follow-up question about the krb.conf file. They only
> mentioned the krb5.conf file.
>
> For reference, my krb.conf looks like this...
>
> MYCHARTS.MD dc01.mycharts.md:88
> MYCHARTS.MD dc01.mycharts.md:749 admin server
>
> My krb5.conf looks like the following... note the second entry for the DC
> named TS04.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MYCHARTS.MD
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  MYCHARTS.MD = {
>   kdc = dc01.mycharts.md:88
>   kdc = ts04.mycharts.md:88
>   admin_server = dc01.mycharts.md:749
>   kpasswd_server = dc01.mycharts.md:464
>   kpasswd_protocol = SET_CHANGE
>   #default_domain = example.com
>  }
>
> [domain_realm]
>  *.mycharts.md = MYCHARTS.MD
>  .mycharts.md = MYCHARTS.MD
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>debug = false
>ticket_lifetime = 36000
>renew_lifetime = 36000
>forwardable = true
>krb4_convert = false
>  }
>
> --Eric
>
>
>
>

Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread Robinson, Eric
Thanks, I will try that. What about krb.conf? Any changes required there?

(Sorry about the top post. Your MUA's message quoting mechanism makes it hard 
to bottom post as I am normally used to doing.)

--
Eric Robinson



From: Robinson, Eric
Sent: Monday, May 27, 2013 11:39 AM
To: 'Rowland Penny'
Cc: 'Marc Muehlfeld'; 'samba@lists.samba.org'
Subject: RE: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain 
Controllers


On 27 May 2013 19:14, Robinson, Eric <eric.robin...@psmnv.com> wrote:
> -Original Message-
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> Sent: Saturday, May 25, 2013 3:31 PM
> To: Robinson, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Linux Servers in an AD Domain with
> Multiple Windows Domain Controllers
>
> Hello Eric,
>
> On 25.05.2013 18:29, Robinson, Eric wrote:
> > We have three Windows domain controllers in our AD domain. They are
> > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > domain as well. The Linux servers are working fine with AD. However,
> > they are currently configured in krb.conf and krb5.conf to use only
> > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > authenticate. How do we configure the Linux servers to use multiple
> > domain controllers for AD, so if DC01 is down everything continues
> > to work on the Linux side?
>
> I saw, that you asked that question already 1.5 years ago on
> this list:
> http://markmail.org/message/slugpbka33ap4ima
>
> Didn't the two suggestions from Marcel and Andrew work? If
> not, what were the problems with them? Then maybe we find a
> way to get it work.
>
> Regards,
> Marc
>

Hi Marc -- Thanks very much for following up on this. I did try Marcel and 
Andrew's suggestions (see below) but it did not work. When server DC01 is down, 
Windows users can still login fine, but when I try to ssh to a Linux box, the 
login hangs for a long time or forever. Also, Marcel and Andrew did not address 
my follow-up question about the krb.conf file. They only mentioned the 
krb5.conf file.

For reference, my krb.conf looks like this...

MYCHARTS.MD dc01.mycharts.md:88
MYCHARTS.MD dc01.mycharts.md:749 admin server

My krb5.conf looks like the following... note the second entry for the DC named 
TS04.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 *.mycharts.md = MYCHARTS.MD
 .mycharts.md = MYCHARTS.MD

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

--Eric






Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread Robinson, Eric

On 27 May 2013 19:14, Robinson, Eric <eric.robin...@psmnv.com> wrote:
> -Original Message-
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> Sent: Saturday, May 25, 2013 3:31 PM
> To: Robinson, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Linux Servers in an AD Domain with
> Multiple Windows Domain Controllers
>
> Hello Eric,
>
> On 25.05.2013 18:29, Robinson, Eric wrote:
> > We have three Windows domain controllers in our AD domain. They are
> > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > domain as well. The Linux servers are working fine with AD. However,
> > they are currently configured in krb.conf and krb5.conf to use only
> > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > authenticate. How do we configure the Linux servers to use multiple
> > domain controllers for AD, so if DC01 is down everything continues
> > to work on the Linux side?
>
> I saw, that you asked that question already 1.5 years ago on
> this list:
> http://markmail.org/message/slugpbka33ap4ima
>
> Didn't the two suggestions from Marcel and Andrew work? If
> not, what were the problems with them? Then maybe we find a
> way to get it work.
>
> Regards,
> Marc
>

Hi Marc -- Thanks very much for following up on this. I did try Marcel and 
Andrew's suggestions (see below) but it did not work. When server DC01 is down, 
Windows users can still login fine, but when I try to ssh to a Linux box, the 
login hangs for a long time or forever. Also, Marcel and Andrew did not address 
my follow-up question about the krb.conf file. They only mentioned the 
krb5.conf file.

For reference, my krb.conf looks like this...

MYCHARTS.MD dc01.mycharts.md:88
MYCHARTS.MD dc01.mycharts.md:749 admin server

My krb5.conf looks like the following... note the second entry for the DC named 
TS04.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 *.mycharts.md = MYCHARTS.MD
 .mycharts.md = MYCHARTS.MD

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

--Eric






Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread Rowland Penny
Hi, I think that you misunderstood what Andrew was trying to tell you, my
/etc/krb5.conf on a linux client is this:

[logging]
default = FILE:/var/log/krb5libs.log

[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = true

[realms]

[domain_realm]

Note that NO particular server is referenced, yet it works, the client must
find the server itself via dns, try it, it just might cure your problems.

Rowland




On 27 May 2013 19:14, Robinson, Eric  wrote:

> > -Original Message-
> > From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> > Sent: Saturday, May 25, 2013 3:31 PM
> > To: Robinson, Eric
> > Cc: samba@lists.samba.org
> > Subject: Re: [Samba] Linux Servers in an AD Domain with
> > Multiple Windows Domain Controllers
> >
> > Hello Eric,
> >
> > On 25.05.2013 18:29, Robinson, Eric wrote:
> > > We have three Windows domain controllers in our AD domain. They are
> > > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > > domain as well. The Linux servers are working fine with AD. However,
> > > they are currently configured in krb.conf and krb5.conf to use only
> > > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > > authenticate. How do we configure the Linux servers to use multiple
> > > domain controllers for AD, so if DC01 is down everything continues
> > > to work on the Linux side?
> >
> > I saw, that you asked that question already 1.5 years ago on
> > this list:
> > http://markmail.org/message/slugpbka33ap4ima
> >
> > Didn't the two suggestions from Marcel and Andrew work? If
> > not, what were the problems with them? Then maybe we find a
> > way to get it work.
> >
> > Regards,
> > Marc
> >
>
> Hi Marc -- Thanks very much for following up on this. I did try Marcel and
> Andrew's suggestions (see below) but it did not work. When server DC01 is
> down, Windows users can still login fine, but when I try to ssh to a Linux
> box, the login hangs for a long time or forever. Also, Marcel and Andrew
> did not address my follow-up question about the krb.conf file. They only
> mentioned the krb5.conf file.
>
> For reference, my krb.conf looks like this...
>
> MYCHARTS.MD dc01.mycharts.md:88
> MYCHARTS.MD dc01.mycharts.md:749 admin server
>
> My krb5.conf looks like the following... note the second entry for the DC
> named TS04.
>
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm = MYCHARTS.MD
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  MYCHARTS.MD = {
>   kdc = dc01.mycharts.md:88
>   kdc = ts04.mycharts.md:88
>   admin_server = dc01.mycharts.md:749
>   kpasswd_server = dc01.mycharts.md:464
>   kpasswd_protocol = SET_CHANGE
>   #default_domain = example.com
>  }
>
> [domain_realm]
>  *.mycharts.md = MYCHARTS.MD
>  .mycharts.md = MYCHARTS.MD
>
> [kdc]
>  profile = /var/kerberos/krb5kdc/kdc.conf
>
> [appdefaults]
>  pam = {
>debug = false
>ticket_lifetime = 36000
>renew_lifetime = 36000
>forwardable = true
>krb4_convert = false
>  }
>
> --Eric
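Marc's question about `dns_lookup_kdc` and Rowland's DNS-only krb5.conf above are about the same thing: which hosts a Linux client depends on to find the realm's services. The following Python is an added example (not Samba's code and not from anyone in the thread) that parses a krb5.conf and reports that dependency. The two embedded configs are constructed from Eric's realm block and Rowland's client file; the function names and the report keys are this example's own. It relies on MIT krb5's documented behaviour that DNS SRV lookup is used only when no `kdc` is listed for the realm.

```python
"""Audit how a krb5.conf locates the KDCs for a realm.

Added example, not code from the Samba project or from anyone in the thread.
Parses the MIT krb5.conf profile format (sections, `key = value` relations,
`name = { ... }` sub-blocks) and reports which hosts a client depends on for
KDC, kadmin and kpasswd traffic. Sample configs are constructed from the
two posted in the thread; function names and report keys are this example's own.
"""
import re

STATIC_KDC_CONF = """\
[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  #default_domain = example.com
 }

[domain_realm]
 .mycharts.md = MYCHARTS.MD
"""

DNS_ONLY_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.LAN
dns_lookup_realm = true
dns_lookup_kdc = true
rdns = false

[realms]

[domain_realm]
"""

_TRUE = {"true", "yes", "y", "t", "1", "on"}  # boolean spellings krb5 accepts


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [value, ...]}}.

    Repeated keys accumulate (several `kdc =` lines are normal); a
    `key = {` line opens a sub-block stored as a dict in that key's list.
    """
    sections, stack = {}, []  # stack: enclosing dicts, innermost last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError("relation before the first [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}' in krb5.conf")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1].setdefault(key, []).append(block)
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def audit_realm(sections, realm=None):
    """Report where clients of `realm` (default: default_realm) send traffic."""
    libdefaults = sections.get("libdefaults", {})
    realm = realm or libdefaults.get("default_realm", [None])[-1]
    if realm is None:
        raise ValueError("no realm given and no default_realm configured")
    dns_kdc = libdefaults.get("dns_lookup_kdc", ["false"])[-1].lower() in _TRUE
    blocks = [b for b in sections.get("realms", {}).get(realm, []) if isinstance(b, dict)]
    services = {}
    for svc in ("kdc", "admin_server", "kpasswd_server"):
        # drop an optional :port so the same host on two ports counts once
        services[svc] = [re.sub(r":\d+$", "", v) for b in blocks for v in b.get(svc, [])]
    if services["kdc"]:
        locator = "static"   # MIT krb5 uses DNS SRV only when no kdc is listed for the realm
    elif dns_kdc:
        locator = "dns-srv"
    else:
        locator = "none"     # nothing to contact: logins will fail outright
    # a service whose every entry names one host has that host as its single point of failure
    single_points = sorted({hosts[0] for hosts in services.values() if len(set(hosts)) == 1})
    return {"realm": realm, "dns_lookup_kdc": dns_kdc, "kdc_locator": locator,
            "services": services, "single_points": single_points}


if __name__ == "__main__":
    for label, conf in (("static", STATIC_KDC_CONF), ("dns-only", DNS_ONLY_CONF)):
        report = audit_realm(parse_krb5_conf(conf))
        print("%-8s %-12s locator=%-7s single points: %s"
              % (label, report["realm"], report["kdc_locator"], report["single_points"] or "none"))
```

Run against Eric's file this reports a static KDC list with dc01 as the only `admin_server` and `kpasswd_server` host, so password changes still depend on that one DC even though a second `kdc` is listed; Rowland's file yields no single point and DNS SRV as the locator, which is the property his "NO particular server is referenced" remark is pointing at.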


[Samba] New Samba Error We Have Not Seen Before

2013-05-27 Thread Robinson, Eric
We have about 40 samba servers in our domain. The two newest ones are throwing 
an error we've never seen before.

[root@vmhost06a samba]# net join
Enter root's password:
dos charset 'CP850' unavailable - using ASCII
convert_string_talloc: Conversion not supported.
Failed to join domain: failed to lookup DC info for domain 'MYCHARTS.MD' over 
rpc: Memory allocation error
ADS join did not work, falling back to RPC...
convert_string_talloc: Conversion not supported.
Connection failed: NT_STATUS_NO_MEMORY
Enter root's password:
convert_string_talloc: Conversion not supported.
Could not connect to server RPT01
Connection failed: NT_STATUS_NO_MEMORY
Any thoughts?

Possibly related: It always says "could not connect to server RPT01." I'm not 
sure why it says this since RPT01 is our oldest domain controller and it is not 
referenced in any of the config files. Only servers DC01 and TS04 are mentioned 
in krb5.conf. I suppose it must be getting it from DNS, but why only RPT01?

Samba version info follows...

[root@vmhost06a samba]# rpm -qa|grep -i samba
samba-winbind-3.6.9-151.el6.x86_64
samba-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64

--
Eric Robinson








Re: [Samba] Linux Servers in an AD Domain with Multiple Windows Domain Controllers

2013-05-27 Thread Robinson, Eric
> -Original Message-
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de] 
> Sent: Saturday, May 25, 2013 3:31 PM
> To: Robinson, Eric
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Linux Servers in an AD Domain with 
> Multiple Windows Domain Controllers
> 
> Hello Eric,
> 
> Am 25.05.2013 18:29, schrieb Robinson, Eric:
> > We have three Windows domain controllers in our AD domain. They are
> > DC01, DC02, and DC03. We have Linux (RHEL5 and 6) servers in the
> > domain as well. The Linux servers are working fine with AD. However,
> > they are currently configured in krb.conf and krb5.conf to use only
> > DC01 for AD domain controller. If DC01 is down, Linux servers cannot
> > authenticate. How do we configure the Linux servers to use multiple
> > domain controllers for AD, so if DC01 is down everything continues
> > to work on the Linux side?
> 
> I saw, that you asked that question already 1.5 years ago on 
> this list:
> http://markmail.org/message/slugpbka33ap4ima
> 
> Didn't the two suggestions from Marcel and Andrew work? If 
> not, what were the problems with them? Then maybe we find a 
> way to get it work.
> 
> Regards,
> Marc
>

Hi Marc -- Thanks very much for following up on this. I did try Marcel and 
Andrew's suggestions (see below) but it did not work. When server DC01 is down, 
Windows users can still login fine, but when I try to ssh to a Linux box, the 
login hangs for a long time or forever. Also, Marcel and Andrew did not address 
my follow-up question about the krb.conf file. They only mentioned the 
krb5.conf file.

For reference, my krb.conf looks like this... 

MYCHARTS.MD dc01.mycharts.md:88
MYCHARTS.MD dc01.mycharts.md:749 admin server

My krb5.conf looks like the following... note the second entry for the DC named 
TS04. 

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 *.mycharts.md = MYCHARTS.MD
 .mycharts.md = MYCHARTS.MD

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

--Eric
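As an added example (not part of Eric's post or of Samba/MIT Kerberos), the script below parses the [realms] section of an MIT-style krb5.conf, keeping every repeated "kdc =" line instead of collapsing them the way configparser would, and reports the realm settings that name only a single host, i.e. the ones with no in-file fallback when that host is down. The sample config is constructed to mirror the one quoted above (hostnames are Eric's); the parser and the helper names are this example's own assumptions.

```python
"""Inventory the KDC / admin / kpasswd hosts a krb5.conf names per realm.

Added example, not code from the thread. Constructed sample below follows
the shape of the krb5.conf posted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: same layout as the poster's krb5.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = MYCHARTS.MD
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 MYCHARTS.MD = {
  kdc = dc01.mycharts.md:88
  kdc = ts04.mycharts.md:88
  admin_server = dc01.mycharts.md:749
  kpasswd_server = dc01.mycharts.md:464
  kpasswd_protocol = SET_CHANGE
  #default_domain = example.com
 }

[domain_realm]
 .mycharts.md = MYCHARTS.MD
"""

_SECTION = re.compile(r"^\[(\w+)\]\s*$")
_KV = re.compile(r"^([\w.-]+)\s*=\s*(.*?)\s*$")


def parse_realms(text):
    """Return {realm: {tag: [values, ...]}} from the [realms] section.

    Repeated tags (notably "kdc") accumulate rather than overwrite.
    Lines starting with '#' or ';' are comments, as in krb5.conf.
    """
    realms = defaultdict(lambda: defaultdict(list))
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        if line == "}":            # end of a "REALM = { ... }" block
            realm = None
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        if realm is None:
            if value == "{":       # "REALM = {" opens a block
                realm = key
            continue
        realms[realm][key].append(value)
    return {r: dict(tags) for r, tags in realms.items()}


def host_of(value):
    """Strip an optional ':port' from 'host:port' (IPv4/hostname form)."""
    return value.rsplit(":", 1)[0] if ":" in value else value


def single_host_settings(realms, realm):
    """Tags of `realm` that name exactly one host.

    A single "kdc" means no in-file KDC fallback; a single admin_server or
    kpasswd_server means password changes depend on that one host.
    """
    tags = realms.get(realm, {})
    checked = ("kdc", "admin_server", "kpasswd_server")
    return {t: host_of(tags[t][0]) for t in checked
            if t in tags and len(tags[t]) == 1}


def dns_lookup_kdc_setting(text):
    """Return the [libdefaults] dns_lookup_kdc value (lowercased) or None
    when the file does not set it."""
    in_libdefaults = False
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            in_libdefaults = m.group(1) == "libdefaults"
            continue
        if in_libdefaults:
            m = _KV.match(line)
            if m and m.group(1) == "dns_lookup_kdc":
                return m.group(2).lower()
    return None


if __name__ == "__main__":
    realms = parse_realms(SAMPLE_KRB5_CONF)
    for realm, tags in realms.items():
        print(realm, "kdc entries:", tags.get("kdc", []))
        print("  single-host settings:", single_host_settings(realms, realm))
    print("dns_lookup_kdc:", dns_lookup_kdc_setting(SAMPLE_KRB5_CONF))
```

On the sample, "kdc" has two entries while admin_server and kpasswd_server each name only dc01, which is the part of the file that has no second host. MIT's documentation describes DNS SRV lookup (dns_lookup_kdc) as a way to find servers that are not listed in krb5.conf for the realm, so explicit kdc lines are what the library uses first.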



Re: [Samba] smb.conf sync

2013-05-27 Thread Marc Muehlfeld

Hello Robert,

Am 27.05.2013 11:15, schrieb Sandbox:

Just a quick question.
Do I have to synchronise my smb.conf file between my servers?


No. And it would be a bad idea. Each Samba server has its own smb.conf, 
with its own shares/paths/server name/etc. If you mix something up there 
(e.g. the same DC name twice in your network), you may confuse 
everything in your network.


Regards
Marc



Re: [Samba] smb.conf sync

2013-05-27 Thread Michael De Groote
Watch out when you do that!!
I killed one of my previous test setups by doing that when I forgot to
change the netbios name for the second machine (so there were two DCs with
the same netbios name, which totally blasted my setup). Even after shutting
down all Samba servers, stopping BIND, correcting the config, and trying to
wipe the offending entries in the _msdcs.blablabla zone, it kept spamming
my logs every 5 secs about something (which I unfortunately don't remember
now), so the simplest route was to reprovision. Lucky for me it was only a
test setup :)

Michael


2013/5/27 Sandbox 

> Hi,
>
> Just a quick question.
> Do I have to synchronise my smb.conf file between my servers?
>
> Thanks, Robert



-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven
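Marc's and Michael's answers above both come down to the same check: smb.conf is per server, and two DCs sharing a netbios name will break the domain. The script below, an added example that is not code from the thread or from Samba, reads the [global] section of several servers' smb.conf files and reports netbios names that collide (explicit, or defaulted from the hostname as Samba does when the parameter is unset) and domain-wide parameters such as workgroup and realm that disagree. The three sample configs and hostnames are constructed for the example; the second one is a copy of the first with the netbios name left unchanged, which is exactly Michael's mistake.

```python
"""Cross-check several hosts' smb.conf files for per-host settings that
must differ and domain-wide settings that must agree.

Added example, not from the thread. Samba matches parameter names
ignoring case and internal whitespace, and 'netbios name' defaults to
the machine's (short) host name when unset; both are modelled here.
"""
import re

# Constructed samples: dc2 is dc1's file copied without changing the
# netbios name; fs1 is a member server with a typo in its workgroup.
SAMPLE_SERVERS = [
    ("dc1.example.lan", """\
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.LAN
 netbios name = DC1
 server role = active directory domain controller
"""),
    ("dc2.example.lan", """\
[global]
 workgroup = EXAMPLE
 realm = EXAMPLE.LAN
 NetBIOS Name = DC1
 server role = active directory domain controller
"""),
    ("fs1.example.lan", """\
[global]
 workgroup = EXAMPL
 realm = EXAMPLE.LAN
 security = ads
; no netbios name: Samba derives it from the host name
[homes]
 path = /home/%U
 read only = no
"""),
]

_SECTION = re.compile(r"^\[([^\]]+)\]\s*$")
_KV = re.compile(r"^([^=]+?)\s*=\s*(.*?)\s*$")


def normalize(name):
    """smb.conf parameter names are case- and whitespace-insensitive."""
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return the [global] section as {normalized_param: value}.
    '#' and ';' start comments; share sections are skipped."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = normalize(m.group(1))
            continue
        if section != "global":
            continue
        m = _KV.match(line)
        if m:
            params[normalize(m.group(1))] = m.group(2)
    return params


def check_configs(servers, shared=("workgroup", "realm")):
    """servers: list of (hostname, smb_conf_text). Returns sorted findings:
    duplicate netbios names and `shared` parameters that differ."""
    findings = []
    by_name = {}
    for host, text in servers:
        g = parse_global(text)
        # Default for 'netbios name' is the first label of the host name.
        nb = g.get("netbiosname", host.split(".")[0]).upper()
        by_name.setdefault(nb, []).append(host)
    for nb, hosts in by_name.items():
        if len(hosts) > 1:
            findings.append(f"netbios name {nb!r} used by {sorted(hosts)}")
    for param in shared:
        values = {}
        for host, text in servers:
            v = parse_global(text).get(param)
            if v is not None:
                values.setdefault(v.upper(), []).append(host)
        if len(values) > 1:
            detail = ", ".join(f"{v}={sorted(h)}"
                               for v, h in sorted(values.items()))
            findings.append(f"{param} differs: {detail}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_configs(SAMPLE_SERVERS):
        print(finding)
```

Run against files collected from each box (for example the output of `testparm -s` on each host, which prints the effective configuration) rather than a single master copy; the point of the check is that the files are expected to differ in the per-host parameters and agree in the domain-wide ones.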


[Samba] Upgrade Samba 4 alpha 18 to Samba 4 stable version

2013-05-27 Thread Erik Flinck - Warp Nine
Hi,

We are still running Samba 4 alpha 18 for our servers; it's integrated with
postfix/dovecot, sugarcrm and a samba 3 fileserver.

All of these systems are virtual running on Proxmox. Now we are trying to
upgrade Samba 4 alpha 18 to a stable version. We are also running Ubuntu
server.

What would be the best way to upgrade it?


[Samba] smb.conf sync

2013-05-27 Thread Sandbox
Hi,

Just a quick question.
Do I have to synchronise my smb.conf file between my servers?

Thanks, Robert