Re: [Samba] DNS replication and BDCs

2013-06-21 Thread Marc Muehlfeld

Hello David,

On 21.06.2013 23:42, "David González Herrera - [DGHVoIP]" wrote:

> root@bdc:~# dig @10.10.10.20 AXFR example.local
> [...]
> example.local. 900 IN  A   10.10.10.5
> example.local. 900 IN  A   21x.xxx.xxx.xxx
> example.local. 900 IN  A   10.10.10.20
> example.local. 900 IN  A   10.10.10.15
> example.local. 900 IN  A   192.168.5.5
> [...]
>
> Now I'd like to remove the public IP 21x.xxx.xxx.xxx from the zone I use:
>
> samba-tool dns delete samba.example.local example.local samba.example.local NS 21x.xxx.xxx.xxx -U Administrator
> samba-tool dns delete samba.example.local example.local samba.example.local A 21x.xxx.xxx.xxx -U Administrator
>
> They all succeed, but I keep seeing that when I dig the zone as you can
> see on the previous dig.


I guess Samba is listening on the public IP as well?
# netstat -taunp | grep samba | grep 21x.xxx.xxx.xxx

If it does, then bind Samba just to the interfaces it should listen on
(this would also save you firewall rules to prevent access on the other
interfaces, as it won't listen there).


bind interfaces only = yes
interfaces = lo eth0
(set "interfaces" to all devices Samba's services should listen on, plus
localhost)


Then restart Samba.





>> Then you only have to configure your clients, to use the second
>> machine as DNS server, too.
>
> This is what concerns me the most, as for connecting services such as
> Postfix/Dovecot/OpenVPN I was using the IP of the PDC 10.10.10.5. Can I
> use "example.local" in my LDAP/AD clients' configuration? And will it be
> like round-robin DNS: if one server doesn't respond, will the other take
> over?


Normally most services work fine with hostnames instead of IPs. It
makes you more flexible (round robin), but then the service depends on
DNS, too.



Regards,
Marc
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
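An added example, not part of this thread or of Samba itself: a small Python audit that parses dig AXFR output like the listing above, flags A/AAAA records and SRV targets that point outside the networks a DC should advertise, and builds samba-tool dns delete commands in the form David used. The sample zone, the allowed networks and the 203.0.113.7 stand-in for the public address are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Networks a DC in this thread's setup should advertise (assumed for the
# example; the hosts quoted above sit in 10.10.10.0/24 and 192.168.5.0/24).
ALLOWED_NETS = [ipaddress.ip_network("10.10.10.0/24"),
                ipaddress.ip_network("192.168.5.0/24")]

# Constructed sample modelled on the AXFR output in the thread; 203.0.113.7
# stands in for the public address the poster wrote as 21x.xxx.xxx.xxx.
SAMPLE_AXFR = """\
; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
;; global options: +cmd
example.local.                3600 IN SOA samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local.                900  IN NS  samba.example.local.
example.local.                900  IN A   10.10.10.5
example.local.                900  IN A   203.0.113.7
example.local.                900  IN A   10.10.10.20
samba.example.local.          900  IN A   10.10.10.5
samba.example.local.          900  IN A   203.0.113.7
bdc.example.local.            900  IN A   10.10.10.20
_ldap._tcp.example.local.     900  IN SRV 0 100 389 samba.example.local.
_ldap._tcp.example.local.     900  IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.example.local. 900  IN SRV 0 100 88 samba.example.local.
"""

# owner  ttl  IN  type  rdata  (the line layout dig prints for a transfer)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_axfr(text):
    """Return [(owner, rtype, rdata)] for every resource record in dig output."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue                      # dig banners and comments
        m = RR_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(3), m.group(4).strip()))
    return records


def _outside(addr, allowed_nets):
    return not any(addr in net for net in allowed_nets)


def audit_zone(records, allowed_nets):
    """Return findings as (kind, owner, rtype, data).

    'leaked-address'   : an A/AAAA record whose address is outside allowed_nets
    'srv-target-leaks' : an SRV record whose target name carries such an
                         address, i.e. the service locator sends clients off-net
    """
    findings = []
    addrs_by_name = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            addrs_by_name[owner].append(addr)
            if _outside(addr, allowed_nets):
                findings.append(("leaked-address", owner, rtype, str(addr)))
    for owner, rtype, rdata in records:
        if rtype == "SRV":
            target = rdata.split()[-1].lower()
            if any(_outside(a, allowed_nets) for a in addrs_by_name.get(target, [])):
                findings.append(("srv-target-leaks", owner, rtype, target))
    return findings


def cleanup_commands(findings, zone, dns_server, admin="Administrator"):
    """Build samba-tool dns delete commands for the leaked address records,
    in the form used in the thread; the zone apex is written as '@'."""
    zone = zone.rstrip(".").lower()
    cmds = []
    for kind, owner, rtype, data in findings:
        if kind != "leaked-address":
            continue
        name = owner.rstrip(".")
        if name == zone:
            name = "@"
        cmds.append(f"samba-tool dns delete {dns_server} {zone} {name} "
                    f"{rtype} {data} -U {admin}")
    return cmds


if __name__ == "__main__":
    found = audit_zone(parse_axfr(SAMPLE_AXFR), ALLOWED_NETS)
    for finding in found:
        print(*finding)
    for cmd in cleanup_commands(found, "example.local", "samba.example.local"):
        print(cmd)
```

Deleting the records only treats the symptom; running the audit again after Marc's interfaces/bind interfaces only change and the restart is the check that tells you whether the public address stays out of the zone.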


Re: [Samba] Samba rejecting Machine account auth requests

2013-06-21 Thread Julien Savoie
On 13/06/13 12:37 AM, Julien Savoie wrote:
> On 21/08/12 11:46 AM, John Drescher wrote:
>>> I have a samba domain with over 100 machines in it. For some reason every
>>> 30-35
>>> days, 2 of the machines fail the trust relationship at login and need to be
>>> removed from the domain and rejoined.
>>>
>>> In the logs I see the following:
>>>
>>> [2012/08/21 07:55:52.981302,  0]
>>> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>>>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
>>> auth request from client RED-TEAM machine account RED-TEAM$
>>>
>>> I am running samba 3.6.6 on a Centos-5 machine.
>>>
>>> Does anyone have any suggestions on what could cause this or how to
>>> troubleshoot this problem?
>>>
>> I believe the problem is caused when the machine changes the password
>> and no user is logged in at that time. To avoid this issue I have
>> disabled the machines from changing their passwords via the registry.
>>
> I'm also experiencing this issue in production here.  It appears to be a
> "new" problem and didn't happen with my older version of Samba (3.5.6 on
> Debian squeeze)
>
> Jun 13 00:23:49 ldap smbd[5241]: [2013/06/13 00:23:49.807899,  0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> Jun 13 00:23:49 ldap smbd[5241]:   _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from client
> HFX-B0253 machine account HFX-B0253$
>
> I'm on Debian wheezy running Samba 3.6.6
>
> # pdbedit -u HFX-B0253$ -v
> Unix username:        hfx-b0253$
> NT username:          hfx-b0253$
> Account desc:         Computer
> Password last set:    Thu, 02 May 2013 18:03:19 ADT
> Password can change:  Thu, 02 May 2013 18:03:19 ADT
> Password must change: never
>
> It's as if machine account password changes stopped functioning.
Rejoined machines to the domain, 7 days later this is reoccurring.

# pdbedit -u acct$ -v
Unix username:        acct$
NT username:          acct$
Password last set:    Wed, 12 Jun 2013 22:35:21 ADT
Password can change:  Wed, 12 Jun 2013 22:35:21 ADT
Password must change: never


rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client ACCT machine account ACCT$
[2013/06/12 22:35:21.461137,  0]
rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)

Anyone have any idea why this might not be working?  I haven't changed anything 
in the configuration files between Samba 3.5.6 and 3.6.6.




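An added detection example, not from the thread: it parses Samba's two-line log entries in both the plain and the syslog-prefixed form quoted above and flags machine accounts whose NETLOGON authentication is rejected repeatedly within a short window. The log lines are constructed from the messages in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample built from the messages quoted in the thread: Samba's
# two-line entries (header with timestamp and debug level, then the message),
# once plain from log.smbd and once with the syslog prefix seen in the thread.
SAMPLE_LOG = """\
[2013/06/12 22:35:21.461137,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client ACCT machine account ACCT$
[2013/06/12 22:35:21.461137,  0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
  (constructed placeholder for an entry that is not a NETLOGON rejection)
Jun 13 00:23:49 ldap smbd[5241]: [2013/06/13 00:23:49.807899,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
Jun 13 00:23:49 ldap smbd[5241]:   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client HFX-B0253 machine account HFX-B0253$
[2013/06/13 00:41:07.000001,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client HFX-B0253 machine account HFX-B0253$
"""

# "Jun 13 00:23:49 ldap smbd[5241]: " prefix added when smbd logs via syslog
SYSLOG_PREFIX_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ smbd\[\d+\]:\s?")
# "[2013/06/12 22:35:21.461137,  0]" header that opens every Samba log entry
HEADER_RE = re.compile(r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
REJECT_RE = re.compile(r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\.\s*"
                       r"Rejecting auth request from client (\S+) machine account (\S+)")


def parse_rejections(text):
    """Return [(timestamp, client, account)] for every rejected NETLOGON
    authentication. Message text may span several lines, as it does when
    quoted in mail, so the lines of one entry are joined before matching."""
    entries = []                                 # [timestamp, [message lines]]
    for raw in text.splitlines():
        line = SYSLOG_PREFIX_RE.sub("", raw)
        m = HEADER_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            entries.append([ts, []])
        elif entries:
            entries[-1][1].append(line.strip())
    rejections = []
    for ts, lines in entries:
        m = REJECT_RE.search(" ".join(lines))
        if m:
            rejections.append((ts, m.group(1), m.group(2)))
    return rejections


def repeat_offenders(rejections, window=timedelta(hours=1), threshold=2):
    """Return {account: total rejections} for accounts rejected at least
    `threshold` times within any `window`. One rejection can be a transient;
    a cluster means the client's machine password no longer matches the DC's
    copy, which is the broken-trust symptom described in the thread."""
    times_by_acct = defaultdict(list)
    for ts, _client, acct in rejections:
        times_by_acct[acct.upper()].append(ts)
    flagged = {}
    for acct, times in times_by_acct.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged[acct] = len(times)
                break
    return flagged


if __name__ == "__main__":
    rej = parse_rejections(SAMPLE_LOG)
    for acct, n in repeat_offenders(rej).items():
        print(f"{acct}: {n} NETLOGON rejections; check the machine account before rejoining")
```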


Re: [Samba] Mac Os 10.6 - 10.8 and Samba 3.6.9

2013-06-21 Thread Terre Porter

On 6/21/2013 4:24 PM, Bob Miller wrote:

> Hi,
>
>> On the mac, connected to the remote (smbtest1) machine, when I double
>> click on the finder to enter the test directory that has about 200 files
>> in it, the finder just sits there... for at least two or more minutes
>> before showing anything.
>>
>> I tried to connect to the smbtest1 machine from inside the remote
>> network, using a mac running 10.6 (instead of 10.8) it does the same
>> thing as connecting from here, the finder just sits there for a long
>> time then shows files and it's very slow.
>>
>> What I don't get is that I can use the local mac and connect to the
>> local smbtest and it works fine. But, if I connect a remote mac to the
>> remote smbtest1, or try to connect the local mac to the remote smbtest1
>> it totally bogs down and is slow.
>
> I recently set up a mac laptop as a road warrior connecting via
> ipsec/l2tp to the customer's LAN, and experienced the symptoms you
> describe.  I spent a few hours with google figuring out the why of it,
> and came to the conclusion that finder is what is actually causing the
> problem.  The connection itself was solid, but there is something in
> finder that causes it to be very very slow, even when there are only 2-3
> files in the directory.  I don't remember the details, but I am sure you
> can find the same articles if you are interested.
>
> Since I was forbidden to install new software on that machine and I
> haven't heard back, I don't know if my suggested fix worked, or was even
> tried, but there was a pay-for file browser I found
> (pathmapper/pathfinder/path...?) that several people said solved this
> problem.
>
> It is unfortunate mac machines seem to be going the way they are.  10
> years ago, I was always sure mac would work and unsure if windows would
> work with whatever I was doing.  These days I am finding the tables
> turned, so many protocols mac says they support just don't work, or
> don't work reliably, or don't work without hugely complicated
> workarounds.  With many of my clients buying mac to avoid windows8, I
> hope apple gets back on track sooner than later...




Yeah, I noticed the slowness even when the directory only has a couple
of items in it.


I considered alternatives to Finder, but also found the problem occurs
when using Quark Express: when importing a photo, the Import dialog
(which looks like Finder) opens to locate the file and import it, and
this dialog is slow loading folders, and also when closing the document.


It's quite annoying, given that I don't seem to have the problem here in
my local network, just at the other office. I'm considering setting up a
new machine, testing it here, then lugging it down to the other
office and trying it there too, just to eliminate the hardware from the mix.


Thanks,
Terre







Re: [Samba] Mac Os 10.6 - 10.8 and Samba 3.6.9

2013-06-21 Thread Terre Porter

On 6/21/2013 3:44 PM, Jeremy Allison wrote:

> On Fri, Jun 21, 2013 at 03:03:33PM -0400, Terre Porter wrote:
>
>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
>
> Not to comment on any other thing in your post
> but please remove this line from your smb.conf.
>
> It's voodoo bullshit from the long-ancient past :-).
>
> Linux kernels have been able to tune their own TCP
> params pretty well for many years now. You're only
> making things worse by having this line.
>
> Jeremy.



Ok that is good to know.

I was trying anything I could find that said it helped Mac clients.

Thanks
Terre



Re: [Samba] DNS replication and BDCs

2013-06-21 Thread David González Herrera - [DGHVoIP]

Hi Marc, comments below.

On 6/20/2013 5:26 PM, Marc Muehlfeld wrote:

> Hello David,
>
> On 20.06.2013 19:55, "David González Herrera - [DGHVoIP]" wrote:
>
>> I would like you to point me or tell me how to create a fail-over or
>> high availability system so that when one of the DCs is down the other
>> takes over Auth tasks and obviously DNS.
>>
>> I've thought a solution would be to make a slave BIND DNS on another
>> server and replicate the Samba Zone and add appropriate NS and A
>> records to the main zone so that clients can query another DNS for the
>> zone and not fail as I faced yesterday. This is a production environment
>> scenario and I have many servers authenticating users against the samba
>> server so if this fails everything else does.
>
> When you join a second DC to the AD
> (http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC),
> then the DNS part is also automatically replicated.

Alright I have done that on the second DC but using internal, I get this
if I dig the zone.


root@bdc:~# dig @10.10.10.20 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.20 AXFR example.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
root@bdc:~# dig @10.10.10.5 AXFR example.local

; <<>> DiG 9.9.2-P2 <<>> @10.10.10.5 AXFR example.local
; (1 server found)
;; global options: +cmd
example.local.                3600 IN SOA  samba.example.local. hostmaster.example.local. 65 900 600 86400 0
example.local.                900  IN NS   samba.example.local.
example.local.                900  IN A    10.10.10.5
example.local.                900  IN A    21x.xxx.xxx.xxx
example.local.                900  IN A    10.10.10.20
example.local.                900  IN A    10.10.10.15
example.local.                900  IN A    192.168.5.5
bdc.example.local.            900  IN A    10.10.10.20
bdc.example.local.            900  IN A    192.168.5.5
w2k8.example.local.           1200 IN A    10.10.10.15
samba.example.local.          900  IN A    10.10.10.5
samba.example.local.          900  IN A    21x.xxx.xxx.xxx
DGHPC.example.local.          1200 IN AAAA 2002:505:5bd::505:5bd
DGHPC.example.local.          1200 IN A    192.168.5.211
DGHPC.example.local.          1200 IN A    5.5.5.189
_msdcs.example.local.         900  IN NS   samba.example.local.
_gc._tcp.example.local.       900  IN SRV  0 100 3268 samba.example.local.
_gc._tcp.example.local.       900  IN SRV  0 100 3268 W2K8.example.local.
_gc._tcp.example.local.       900  IN SRV  0 100 3268 bdc.example.local.
_ldap._tcp.example.local.     900  IN SRV  0 100 389 samba.example.local.
_ldap._tcp.example.local.     900  IN SRV  0 100 389 W2K8.example.local.
_ldap._tcp.example.local.     900  IN SRV  0 100 389 bdc.example.local.
_kpasswd._udp.example.local.  900  IN SRV  0 100 464 samba.example.local.
_kpasswd._udp.example.local.  900  IN SRV  0 100 464 W2K8.example.local.
_kpasswd._udp.example.local.  900  IN SRV  0 100 464 bdc.example.local.
_kpasswd._tcp.example.local.  900  IN SRV  0 100 464 samba.example.local.
_kpasswd._tcp.example.local.  900  IN SRV  0 100 464 W2K8.example.local.
_kpasswd._tcp.example.local.  900  IN SRV  0 100 464 bdc.example.local.
_kerberos._udp.example.local. 900  IN SRV  0 100 88 samba.example.local.
_kerberos._udp.example.local. 900  IN SRV  0 100 88 W2K8.example.local.
_kerberos._udp.example.local. 900  IN SRV  0 100 88 bdc.example.local.
_kerberos._tcp.example.local. 900  IN SRV  0 100 88 samba.example.local.
_kerberos._tcp.example.local. 900  IN SRV  0 100 88 W2K8.example.local.
_kerberos._tcp.example.local. 900  IN SRV  0 100 88 bdc.example.local.
ForestDnsZones.example.local. 900  IN A    10.10.10.5
DomainDnsZones.example.local. 900  IN A    10.10.10.5
_ldap._tcp.ForestDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.DomainDnsZones.example.local. 900 IN SRV 0 100 389 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 samba.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 W2K8.example.local.
_gc._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 3268 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 samba.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 W2K8.example.local.
_ldap._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 389 bdc.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 samba.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 W2K8.example.local.
_kerberos._tcp.Default-First-Site-Name._sites.example.local. 900 IN SRV 0 100 88 bdc.example.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local. 900 IN SRV 0

Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-21 Thread Philipp Lies

Thanks for the recommendations! I was hoping that there'd be a simple
solution/config parameter to force the Samba server to trust the LDAP (it's
still puzzling me why the other machines I have do work like that).


I'll try to set up my new servers as DCs and see how this goes. The idea 
with using the samba servers for LDAP replication as well sounds 
interesting. I'll look into that as well.


Thanks!

Philipp

On 21.06.2013 10:23, Daniel Müller wrote:

> For me the better way would be to run several openldap servers in master
> master replication on your
> DC and several BDCs. And no headache about anything.
> Or just point your BDCs to authenticate against the DC's openldap. But when
> your DC is down your authentication is gone.
>
> Greetings
> Daniel
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> behalf of Andrew Bartlett
> Sent: Friday, 21 June 2013 09:58
> To: Philipp Lies
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
> group SID mismatch
>
> On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
>
>> Hi,
>>
>> I'm trying to get my new samba server running for a few days now and I
>> start losing my mind over not figuring out what I'm doing wrong.
>> Here's my setup:
>>
>> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a
>> unix and a samba NT password stored in the LDAP as well as a User SID
>> and Primary Group SID assigned and stored in the LDAP, derived from
>> the SID of the LDAP Server.
>>
>> Now I want several samba servers to use the LDAP server to
>> authenticate users.
>
> If you want multiple samba servers to use the same LDAP backend, they
> essentially all need to be domain controllers of the same domain.  This is
> the supported way to have a single backend shared between multiple servers.
>
> You don't need to ever use the DC function from windows clients, but the
> servers need to think they are a DC.
>
> Andrew Bartlett





Re: [Samba] Mac Os 10.6 - 10.8 and Samba 3.6.9

2013-06-21 Thread Bob Miller
Hi,

> On the mac, connected to the remote (smbtest1) machine, when I double
> click on the finder to enter the test directory that has about 200 files
> in it, the finder just sits there... for at least two or more minutes
> before showing anything.
>
> I tried to connect to the smbtest1 machine from inside the remote
> network, using a mac running 10.6 (instead of 10.8) it does the same
> thing as connecting from here, the finder just sits there for a long
> time then shows files and it's very slow.
>
> What I don't get is that I can use the local mac and connect to the
> local smbtest and it works fine. But, if I connect a remote mac to the
> remote smbtest1, or try to connect the local mac to the remote smbtest1
> it totally bogs down and is slow.

I recently set up a mac laptop as a road warrior connecting via
ipsec/l2tp to the customer's LAN, and experienced the symptoms you
describe.  I spent a few hours with google figuring out the why of it,
and came to the conclusion that finder is what is actually causing the
problem.  The connection itself was solid, but there is something in
finder that causes it to be very very slow, even when there are only 2-3
files in the directory.  I don't remember the details, but I am sure you
can find the same articles if you are interested.

Since I was forbidden to install new software on that machine and I
haven't heard back, I don't know if my suggested fix worked, or was even
tried, but there was a pay-for file browser I found
(pathmapper/pathfinder/path...?) that several people said solved this
problem.

It is unfortunate mac machines seem to be going the way they are.  10
years ago, I was always sure mac would work and unsure if windows would
work with whatever I was doing.  These days I am finding the tables
turned, so many protocols mac says they support just don't work, or
don't work reliably, or don't work without hugely complicated
workarounds.  With many of my clients buying mac to avoid windows8, I
hope apple gets back on track sooner than later...




[Samba] cifs mounts fail after kernel upgrade

2013-06-21 Thread Dale Schroeder
Upgrading Debian testing's linux-image from 3.2.46-1 to 3.9.6-1 causes 
cifs mounts via fstab or command line to fail with return code -38 
"function not implemented".  Reverting back to the old kernel yields 
working cifs mounts.  The only option I use is a credentials file.  
Attempting the mount without this option does not work either.  Has 
anyone else seen this?


Thanks,
Dale


Re: [Samba] Mac Os 10.6 - 10.8 and Samba 3.6.9

2013-06-21 Thread Jeremy Allison
On Fri, Jun 21, 2013 at 03:03:33PM -0400, Terre Porter wrote:
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 
> SO_SNDBUF=65536

Not to comment on any other thing in your post
but please remove this line from your smb.conf.

It's voodoo bullshit from the long-ancient past :-).

Linux kernels have been able to tune their own TCP
params pretty well for many years now. You're only
making things worse by having this line.

Jeremy.


[Samba] Mac Os 10.6 - 10.8 and Samba 3.6.9

2013-06-21 Thread Terre Porter

Hello,

I have a very odd issue happening, and I hope someone else might be
able to give me pointers.


I have two different networks running in two different locations, 
connected by a network vpn.


In each network I have a test smb virtual machine.
-
Smb Machine 1: (smbtest1) (remote network)

# cat /etc/redhat-release
CentOS release 6.4 (Final)

#rpm -qa | grep samba

samba-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64

# smbd -V
Version 3.6.9-151.el6

-
Smb Machine 2: (smbtest) (local network)

cat /etc/redhat-release
CentOS release 6.4 (Final)

#rpm -qa | grep samba

samba-3.6.9-151.el6.x86_64
samba-common-3.6.9-151.el6.x86_64
samba-client-3.6.9-151.el6.x86_64
samba-winbind-3.6.9-151.el6.x86_64
samba-winbind-clients-3.6.9-151.el6.x86_64

# smbd -V
Version 3.6.9-151.el6

-

I used the same smb.conf file for both. (attached)
Only difference is the netbios name, one is smbtest the other is smbtest1.

I created a directory on each machine, like so:

mkdir -p /home/shares/testshare
chmod -R ug+rwx,o+rx-w /home/shares/testshare

set up a user,

# useradd smbuser -g users
# passwd smbuser
(same on both)

added in to samba,

#smbpasswd -a smbuser
(same password as linux acct)

I've tried with the firewall stopped, and by adding in ports.

-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

Started up the smb server and connected with my windows 7 machine - no 
problems connected fine.


Dumped in about a gig of files, images mostly.

Went to the Mac on my workbench (local network) connected to the local 
smbtest machine, it connects was able to browse the files in finder no 
problem.


Ok, logged in to the remote (smbtest1) machine (over network vpn) with 
the windows 7 machine, no problem really fast actually.


On the mac, connected to the remote (smbtest1) machine, when I double
click on the finder to enter the test directory that has about 200 files
in it, the finder just sits there... for at least two or more minutes
before showing anything.


I tried to connect to the smbtest1 machine from inside the remote
network, using a mac running 10.6 (instead of 10.8) it does the same
thing as connecting from here, the finder just sits there for a long
time then shows files and it's very slow.


What I don't get is that I can use the local mac and connect to the
local smbtest and it works fine. But, if I connect a remote mac to the
remote smbtest1, or try to connect the local mac to the remote smbtest1
it totally bogs down and is slow.


I ran tcpdump on the local network machine (smbtest) and it showed a few
lines every second.


I ran tcpdump on the remote network machine (smbtest1) and it flooded 
the screen with text.


# tcpdump -i eth0 -n  -p -s 0 "port 445 or port 139"

I can create dumps if someone thinks that will help.

I'm looking for anything to try that would help figure out what the 
problem is.


Any ideas? really anything?

Thanks,
Terre




[global]
workgroup =  MYGROUP
server string = Samba Test Server
netbios name = smbtest1
interfaces = lo eth0
bind interfaces only = yes

security = user
passdb backend = tdbsam

log file = /var/log/samba/log.%m
max log size = 50
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=65536 SO_SNDBUF=65536
load printers = No
idmap config * : backend = tdb
cups options = raw

# Debug logging information
log level = 3
log file = /var/log/samba/samba.log.%m
max log size = 5000
debug timestamp = yes


[ipc$]
comment = IPC
path = /usr/fileshare/ipc
valid users = smbuser
hosts allow = [local-network]/255.255.255.0 [remote-network]/255.255.255.0


[homes]
comment = Home Directories
read only = No
browseable = No

[testshare]
writeable = yes
path = /home/shares/testshare
force directory mode = 755
force group = users
force create mode = 755
force user = smbuser
comment =  test
valid users = smbuser
case sensitive = yes

Re: [Samba] samba4 and (pseudo) LDAP backend for users, groups and rights

2013-06-21 Thread Marc Muehlfeld

Hello Marcus,

On 21.06.2013 17:27, Marcus Mundt wrote:

> Environment:
> - LDAP-Master-Server with all the information needed
> - mostly Windows XP and Windows 7 Clients
> They should auto mount network drives after login (user, pass and rights from
> LDAP-Master)
>
> Here is what I want to achieve:
> A LDAP-Master-Server should be the basis for all users, passwords,
> groups, rights, rights to execute Programs, mails and mounting
> network drives. We are looking for a "single sign on" solution
> based on the LDAP-Master-Server. Our Mail-Server and some other
> services rely on the LDAP-Master. Now Samba should work as ADS
> using the Information stored on the LDAP-Master. Meaning
> getting users, passwords, groups, rights, drives etc. from
> LDAP. Is that even possible? Any ideas?

This is all possible with Samba 4 and AD. Set up a DC according to the
HowTo, do a classicupgrade and then hook up all your services to AD.


I did this in production last September (170 users, 230 workstations,
and around 25 services getting information from LDAP or authenticating
against it). After some weeks of building a testing environment with
everything, I did the final switch on a weekend (1.5 days for changing
and adapting everything). And it's running absolutely great.





> My quick guesses of possible solutions:
> - Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
>  - https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>  - I don't know if I get this one...


The "beyond samba" page is from me. Just let me know what's unclear.
Then I will extend the HowTo and improve the descriptions.


The openLDAP proxy is a good way if you have your ADC in your internal
network and don't want to have a "real" DC in your DMZ for the mail server,
etc. too. An additional DC would bring you many open ports you mostly
don't need, etc. That's why I use an openLDAP proxy for that (just one
service with one open port: 389/tcp).


You have to use the configuration from the HowTo. Then openLDAP doesn't
use its own database. All requests are forwarded to the DC(s). The
openLDAP server you can use as usual (I only use it read-only. I don't
require write access to LDAP in the DMZ). Also you can use openLDAP ACLs
to restrict access to attributes, like before, etc. And of course, you
can authenticate against it (also mentioned on the wiki page).


But the openLDAP proxy doesn't mean that it's only a proxy. You can
have different trees of your LDAP pointing to a local database, too. Then
you can store additional information in LDAP, beside the AD backend.





> - Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?


I wouldn't do that. Much workaround stuff, directory ACLs won't be 
synced, etc.






> Questions:
> - What about using "smbd + nmbd" instead of "samba"? What
>   are the drawbacks and what functionalities would we sacrifice?

You need the samba binary, because it provides the AD stuff. If you plan
to keep your NT4-style domain, then you can just upgrade. Samba 4
doesn't mean "AD only" and "built-in LDAP only". AD is just "an
additional feature" of version 4. But AD requires the internal LDAP.





> - Is using samba 3 + LDAP backend a possible solution? We really
>   waited for Samba 4 and are now a bit overwhelmed by
>   the numerous innovations. But we would like to use the most
>   current software.

It depends what you plan to have. If you are happy, you can stay at the
NT4-style domain together with your openLDAP backend. But then you miss
all the great improvements of AD (group policies to manage your
clients, easy multi-DC environments, etc.). But as already said: Samba 4
with openLDAP is still possible - but not when you want to have an AD.





Regards,
Marc


[Samba] samba4 and (pseudo) LDAP backend for users, groups and rights

2013-06-21 Thread Marcus Mundt
Dear List,

I am used to Samba 3 and LDAP. But since Samba 4 I'm struggling hard to 
understand what has to be done and how a possible solution might look like for 
our scenario. I already found out that Samba 4 comes with its own LDAP Server 
and if I want to use a slapd on the same system, it should listen on another 
port. I know that using a LDAP backend isn't supported in the current version 
of samba, but I'm looking for a similar solution anyway.

Environment:
- LDAP-Master-Server with all the information needed
- mostly Windows XP and Windows 7 Clients
They should auto mount network drives after login (user, pass and rights from 
LDAP-Master)

Here is what I want to achieve:
A LDAP-Master-Server should be the basis for all users, passwords, groups, 
rights, rights to execute Programs, mails and mounting network drives. We are 
looking for a "single sign on" solution based on the LDAP-Master-Server. Our 
Mail-Server and some other services rely on the LDAP-Master. Now Samba should 
work as ADS using the Information stored on the LDAP-Master. Meaning getting 
users, passwords, groups, rights, drives etc. from LDAP. Is that even possible? 
Any ideas? 

My quick guesses of possible solutions:
- Samba 4 + Slapd on the same machine. Slapd synced to LDAP-Master
- https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
- I don't know if I get this one...
- Samba 4 importing an ldif-export of our LDAP-Master, problem: how to sync?

Questions:
- What about using "smbd + nmbd" instead of "samba"? What are the drawbacks and 
what functionalities would we sacrifice?
- Is using samba 3 + LDAP backend a possible solution? We really waited for 
Samba 4 and are now a bit overwhelmed by the numerous innovations. But we would 
like to use the most current software.

Any hints or some short step by step list with the required services and their 
dependencies would be highly appreciated.

Thanks for reading. Have a wonderful weekend!

Cheers, 
Marcus


Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 15:39 +0200, Ali Bendriss wrote:
> On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> > Hi, well yet another reason to use sssd instead of winbind.
> > [...]
> 
> Hi,
> 
> Another option is to use samba AD on one server and the file server (smbd + 
> winbindd) on another. Since I've done that (last year I think) I've got no 
> problem at all. At first you may think that it's too much resources (2 servers 
> or VMs) but it's really flexible and easy to maintain.

Hi,
That's a good idea but we don't know what setup the OP has, we only know
that getent group doesn't work. In any case, if he wants to see getent
password work with the setup you suggest, he's going to have to
configure winbind in at least two distinct ways, once for the DC and
once for the file server. He will also have to edit smb.conf. Or maybe,
he could get away with not using getent at all on the DC?





Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread Ali Bendriss
On Friday, June 21, 2013 10:12:26 AM Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind.
> [...]

Hi,

Another option is to use samba AD on one server and the file server (smbd + 
winbindd) on another. Since I've done that (last year I think) I've got no 
problem at all. At first you may think that it's too much resources (2 servers 
or VMs) but it's really flexible and easy to maintain.

--
Ali



 


Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com domain

2013-06-21 Thread Daniel Müller
No it is not working! My domain is named "example.com" and windows 8 is not
able to join this domain.
My other domain named "test" windows 8 can join without any problem.
It seems dotted domains old style are lost for ever.


---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Carlos R. Pena Evertsz
Sent: Thursday, 20 June 2013 21:33
To: Christophe Dezé
Cc: samba@lists.samba.org
Subject: Re: [Samba] Fix the Issue Windows 8 cannot join if a example.com
domain

Ok

Thank you Christophe

On Jun/20/2013 2:38 PM, Christophe Dezé wrote:
> hi
> read this
> https://www.multifake.net/2013/01/windows-8-not-joining-certain-samba-
> domains/
>
>
> Le 20/06/2013 16:25, Carlos R. Pena Evertsz a écrit :
>> Hi Daniel,
>>
>> Try modifying the "Network Security: LAN Manager authorization Level".
>>
>> Run SecPol.msc
>> Select Local Policies > Security Options > Network Security: LAN 
>> Manager authorization Level
>>
>> Double click and change to "Send LM & NTLM - use NTLMv2 session 
>> security if " option in the combo box.
>>
>> I hope this could help.
>>
>> Sincerely,
>>
>> Carlos R. P. Evertsz
>> Santo Domingo, Dominican Republic
>>
>>
>> Run SecPol.msc and select Local Policies > Security
>> Options > Network Security: LAN Manager authorization Level
>>  Here select the "Send LM & NTLM - use NTLMv2 session 
>> security renegotiated"
>>
>>
>> On Jun/20/2013 2:25 AM, Daniel Müller wrote:
>>> Dear all,
>>>
>>> could anyone approve  if the issue windows 8 could not join a samba3 
>>> old style dot domain, ex.: "'example.com' would not join-- but 
>>> 'example'
>>> join
>>> well!", is solved in any hack?
>>>   Greetings
>>> Daniel
>>>
>>> ---
>>> EDV Daniel Müller
>>>
>>> Leitung EDV
>>> Tropenklinik Paul-Lechler-Krankenhaus Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: muel...@tropenklinik.de
>>> Internet: www.tropenklinik.de
>>> ---
>>>
>>
>
>



Re: [Samba] Provision new domain from Windows AD

2013-06-21 Thread Marc Muehlfeld

Hello Alex,

Am 21.06.2013 08:22, schrieb Alex Ferrara:

> What I want to achieve is to provision a new domain with the users,
> groups and group policy of an existing AD domain. Is this what
> I would use the vampire function for? Am I on the wrong track?

First you set up a new Samba DC, according to the Wiki:
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
but without the provisioning step.


Then you join the new DC to the Domain:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC


Because Samba currently doesn't support the replication of the SysVol 
share, you have to move the content from the share to the new DC (if you 
plan to keep the Windows server, you have to find a workaround to do the 
replication, like with rsync).



If you want to shutdown the Windows DC in the end, you have to transfer 
the FSMO roles ("samba-tool fsmo ...").




Regards,
Marc

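A pre-shutdown check for the last step above, added here as an example and not code from this thread or from the Samba project: it parses the output of `samba-tool fsmo show` and reports any role still owned by the old Windows DC, so the old DC is only retired after `samba-tool fsmo transfer` has moved everything. The "<Name>Role owner: <NTDS Settings DN>" line format, the five role names and the sample output below are my assumptions, not captured from a real domain.

```python
"""Check that every FSMO role sits on the new Samba DC before the old DC goes.

Added example, not from the mailing-list thread or the Samba project.
Assumes (not verified against the page) that `samba-tool fsmo show`
prints one "<Name>Role owner: <DN of the owner's NTDS Settings object>"
line per role.
"""
import re
import subprocess
import sys
from typing import Dict, List

# Role names as assumed for a Samba 4.0 DC (assumption, see module docstring).
EXPECTED_ROLES = (
    "SchemaMasterRole",
    "InfrastructureMasterRole",
    "RidAllocationMasterRole",
    "PdcEmulationMasterRole",
    "DomainNamingMasterRole",
)

# "<Name>Role owner: <DN>"; the DN is kept verbatim for the fallback below.
ROLE_LINE = re.compile(r"^(?P<role>\w+Role) owner:\s*(?P<dn>\S.*?)\s*$")

# The owner DN names the DC in its second RDN:
# CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
NTDS_DN = re.compile(r"^CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,", re.I)


def parse_fsmo_show(text: str) -> Dict[str, str]:
    """Map role name -> owning DC name (or the raw DN if it is not an NTDS DN)."""
    owners: Dict[str, str] = {}
    for raw in text.splitlines():
        m = ROLE_LINE.match(raw.strip())
        if m is None:
            continue  # banners, blank lines, anything that is not a role line
        dn = m.group("dn")
        s = NTDS_DN.match(dn)
        # Keep the raw DN when the owner reference does not point at an NTDS
        # Settings object; the caller then sees a value that never matches a DC.
        owners[m.group("role")] = s.group("server") if s else dn
    return owners


def missing_roles(owners: Dict[str, str]) -> List[str]:
    """Roles that did not appear in the output at all."""
    return [role for role in EXPECTED_ROLES if role not in owners]


def roles_not_on(owners: Dict[str, str], new_dc: str) -> List[str]:
    """Roles still owned by some DC other than new_dc (DC names compare case-insensitively)."""
    return sorted(role for role, dc in owners.items() if dc.lower() != new_dc.lower())


def safe_to_retire_old_dc(text: str, new_dc: str) -> bool:
    """True only when every expected role was listed and all of them are on new_dc."""
    owners = parse_fsmo_show(text)
    return not missing_roles(owners) and not roles_not_on(owners, new_dc)


# Constructed sample: two roles still on the Windows DC, three already moved.
SAMPLE_BEFORE_TRANSFER = """\
SchemaMasterRole owner: CN=NTDS Settings,CN=WINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
InfrastructureMasterRole owner: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
RidAllocationMasterRole owner: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=WINDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
DomainNamingMasterRole owner: CN=NTDS Settings,CN=SAMBADC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
"""


def main(argv: List[str]) -> int:
    """Usage: fsmo_check.py NEW_DC_NAME  (runs `samba-tool fsmo show` on this host)."""
    if len(argv) != 2:
        print("usage: fsmo_check.py NEW_DC_NAME", file=sys.stderr)
        return 2
    out = subprocess.run(["samba-tool", "fsmo", "show"], check=True,
                         capture_output=True, text=True).stdout
    owners = parse_fsmo_show(out)
    for role in missing_roles(owners):
        print(f"{role}: not listed, check the output format or the DC's health")
    for role in roles_not_on(owners, argv[1]):
        print(f"{role}: still on {owners[role]}, transfer it before shutting that DC down")
    return 0 if safe_to_retire_old_dc(out, argv[1]) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```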



Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 10:12 +0100, Rowland Penny wrote:
> Hi, well yet another reason to use sssd instead of winbind. When I
> turned on winbind in /etc/nsswitch.conf on my test S4 server, 
> 
> 
> 
> Also I would suggest forgetting using @group in smb.conf and use ACL's
> instead.


Didn't see this, but absolutely. Use acl's. Have you ever tried
referring to man smb.conf. Phew!






Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 08:36 +, philippe.simo...@swisscom.com wrote:
> Hi Steve
> 
>  give an empty result, and  
> with the same result as , without user/group membership.
> 
> in fact my problem goes further : shares access control (write list, ...) 
> does not work for @g1, only with u1 ...
> 
> Philippe

Oh dear. I know the feeling. You can wait for someone who knows winbind
to read and help or, if you want it to just work, use sssd or nslcd and
forget winbind. The latter you can do now. . .
hth
Steve




Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread Rowland Penny
Hi, well yet another reason to use sssd instead of winbind. When I turned
on winbind in /etc/nsswitch.conf on my test S4 server, I get:

id user
uid=3001106(HOME\user) gid=20513(HOME\Domain Users)
groups=20513(HOME\Domain Users),21110(HOME\linuxusers)

getent group linuxusers
HOME\linuxusers:*:21110:

But when I turn sssd back on instead of winbind:

id user
uid=3001106(user) gid=20513(Domain Users) groups=20513(Domain
Users),21110(linuxusers)

getent group linuxusers
linuxusers:*:21110:user

Oh look, getent displays group users!

Also I would suggest forgetting using @group in smb.conf and use ACL's
instead.

Rowland


On 21 June 2013 09:36,  wrote:

> Hi Steve
>
>  give an empty result, and 
> with the same result as , without user/group membership.
>
> in fact my problem goes further : shares access control (write list, ...)
> does not work for @g1, only with u1 ...
>
> Philippe
>
>
> > -Original Message-
> > From: samba-boun...@lists.samba.org [mailto:samba-
> > boun...@lists.samba.org] On Behalf Of steve
> > Sent: Friday, June 21, 2013 9:31 AM
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] samba4 missing group membership with getent group
> >
> > On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> > > Hi Samba users
> >
> > >
> > > but   does not return group/user membership :
> > > TEST3\g1:*:327:
> > >
> > > any advices ?
> >
> > It doesn't work for groups:(
> > use:
> > getent group TEST\g1
> >
> > hth
> > Steve
> >
> >


Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread Philippe.Simonet
Hi Steve

 give an empty result, and  with 
the same result as , without user/group membership.

in fact my problem goes further : shares access control (write list, ...) does 
not work for @g1, only with u1 ...

Philippe


> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of steve
> Sent: Friday, June 21, 2013 9:31 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] samba4 missing group membership with getent group
> 
> On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> > Hi Samba users
> 
> >
> > but   does not return group/user membership :
> > TEST3\g1:*:327:
> >
> > any advices ?
> 
> It doesn't work for groups:(
> use:
> getent group TEST\g1
> 
> hth
> Steve
> 
> 


Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-21 Thread Daniel Müller
For me the better way would be to run several OpenLDAP servers in master-master
replication on your DC and several BDCs. And no headache about anything.
Or just point your BDCs to authenticate against the DC's OpenLDAP. But when
your DC is down, your authentication is gone.

Greetings
Daniel

---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Andrew Bartlett
Sent: Friday, 21 June 2013 09:58
To: Philipp Lies
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary
group SID mismatch

On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> 
> I'm trying to get my new samba server running for a few days now and I 
> start losing my mind over not figuring out what I'm doing wrong. 
> Here's my setup:
> 
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a 
> unix and a samba NT password stored in the LDAP as well as a User SID 
> and Primary Group SID assigned and stored in the LDAP, derived from 
> the SID of the LDAP Server.
> 
> Now I want several samba servers to use the LDAP server to 
> authenticate users.

If you want multiple samba servers to use the same LDAP backend, they
essentially all need to be domain controllers of the same domain.  This is
the supported way to have a single backend shared between multiple servers.

You don't need to ever use the DC function from windows clients, but the
servers need to think they are a DC. 

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)

2013-06-21 Thread Philippe.Simonet
I tried both, and I still get crashes:

0001-gensec-work-around-nested-event-loops-by-ensuring-th.patch
0002-s4-winbind-Add-special-case-for-BUILTIN-domain.patch


-
samba version 4.0.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
talloc: access after free error - first free may be at 
../source4/kdc/db-glue.c:206
Bad talloc magic value - access after free
PANIC: Bad talloc magic value - access after free
Aborted


philippe



> -Original Message-
> From: Andrew Bartlett [mailto:abart...@samba.org]
> Sent: Friday, June 21, 2013 9:35 AM
> To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> Cc: samba-techni...@samba.org; sa...@samba.org;
> qoole.sa...@lillimoth.com
> Subject: Re: [PATCH] Workaround very slow nss_winbind, fix crash on the AD
> DC (particularly for backups)
> 
> On Fri, 2013-06-21 at 07:23 +, philippe.simo...@swisscom.com wrote:
> > Hi Andrew,
> >
> > sorry (my English...) I was not clear. I tried to say that the patch
> > does not change anything for me, the crash is still here.
> 
> Which (named) patch did you try?
> 
> I've attached both patches which I proposed.  Each attempts to solve the
> problem in a different way.  Please try each of them, and tell me if you still
> get the crash.
> 
> Thanks,
> 
> Andrew Bartlett
> 
> > best regards
> >
> > Philippe
> >
> >
> > > -Original Message-
> > > From: Andrew Bartlett [mailto:abart...@samba.org]
> > > Sent: Friday, June 21, 2013 9:18 AM
> > > To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> > > Cc: samba-techni...@samba.org; sa...@samba.org;
> > > qoole.sa...@lillimoth.com
> > > Subject: Re: [PATCH] Workaround very slow nss_winbind, fix crash on
> > > the AD DC (particularly for backups)
> > >
> > > On Fri, 2013-06-21 at 05:58 +, philippe.simo...@swisscom.com
> wrote:
> > > > Hi Andrew,
> > > >
> > > > many thanks for your patch,
> > > > I tested it on 2 different systems but without success (the crash
> > > > is always
> > > happening).
> > > >
> > > > before applying the patch, I had a strange problem: I couldn't
> > > > reproduce the problem (with wbinfo --uid-info 300) on one of
> > > > the machines. No chance even if I reinstalled, re-provisioned, ...). I
> > > > finally rebooted the machine and after the reboot the crash was
> > > > reproducible again (...)
> > >
> > > Thank you for finally getting back to me on this.  After seeing it
> > > once, I was also unable to reproduce the crash, and so was patching blind.
> > > This remains elusive.
> > >
> > > Does this alternative patch help?
> > >
> > > > on both machines, what I've done :
> > > > (...untar...)
> > > > cd samba-4.0.6
> > > > patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
> > > > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
> > > > make
> > > > make install
> > > > rm /etc/samba/smb.conf
> > > > samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc --realm TEST.CH --domain TEST --adminpass=Pa$$w0rd
> > > > samba -i -M single
> > > >
> > > > and ->>>  wbinfo --uid-info 300
> > > >
> > > > I get :
> > > > -
> > > > samba version 4.0.6 started.
> > > > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > > > samba: using 'single' process model
> > > > Attempting to autogenerate TLS self-signed keys for https for hostname 'WZ3.test3.ch'
> > > > TLS self-signed keys generated OK
> > > > ===
> > > > INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
> > > > Please read the Trouble-Shooting section of the Samba HOWTO
> > > > ===
> > > > PANIC: internal error
> > > > Aborted
> > > > -
> > > >
> > > > Best regards
> > > >
> > > > Philippe
> > >
> > > Thanks,
> > >
> > > Andrew Bartlett
> > >
> > > --
> > > Andrew Bartletthttp://samba.org/~abartlet/
> > > Authentication Developer, Samba Team   http://samba.org
> >
> >
> 
> --
> Andrew Bartletthttp://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org



Re: [Samba] Samba+LDAP: NT_STATUS_UNSUCCESSFUL because of primary group SID mismatch

2013-06-21 Thread Andrew Bartlett
On Thu, 2013-06-20 at 10:26 +0200, Philipp Lies wrote:
> Hi,
> 
> I'm trying to get my new samba server running for a few days now and I
> start losing my mind over not figuring out what I'm doing wrong. Here's
> my setup:
> 
> OpenLDAP 2.4.21 server with ~15 groups and >100 users, all having a unix
> and a samba NT password stored in the LDAP as well as a User SID and
> Primary Group SID assigned and stored in the LDAP, derived from the SID
> of the LDAP Server.
> 
> Now I want several samba servers to use the LDAP server to authenticate
> users.

If you want multiple samba servers to use the same LDAP backend, they
essentially all need to be domain controllers of the same domain.  This
is the supported way to have a single backend shared between multiple
servers.

You don't need to ever use the DC function from windows clients, but the
servers need to think they are a DC. 

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)

2013-06-21 Thread Andrew Bartlett
On Fri, 2013-06-21 at 07:23 +, philippe.simo...@swisscom.com wrote:
> Hi Andrew,
> 
> sorry (my English...) I was not clear. I tried to say that the patch does not 
> change anything for me, 
> the crash is still here.

Which (named) patch did you try?

I've attached both patches which I proposed.  Each attempts to solve the
problem in a different way.  Please try each of them, and tell me if you
still get the crash.  

Thanks,

Andrew Bartlett

> best regards
> 
> Philippe
> 
> 
> > -Original Message-
> > From: Andrew Bartlett [mailto:abart...@samba.org]
> > Sent: Friday, June 21, 2013 9:18 AM
> > To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> > Cc: samba-techni...@samba.org; sa...@samba.org;
> > qoole.sa...@lillimoth.com
> > Subject: Re: [PATCH] Workaround very slow nss_winbind, fix crash on the AD
> > DC (particularly for backups)
> > 
> > On Fri, 2013-06-21 at 05:58 +, philippe.simo...@swisscom.com wrote:
> > > Hi Andrew,
> > >
> > > many thanks for your patch,
> > > I tested it on 2 different systems but without success (the crash is 
> > > always
> > happening).
> > >
> > > before applying the patch, I had a strange problem: I couldn't
> > > reproduce the problem (with wbinfo --uid-info 300) on one of the
> > > machines. No chance even if I reinstalled, re-provisioned, ...). I finally
> > > rebooted the machine and after the reboot the crash was reproducible
> > > again (...)
> > 
> > Thank you for finally getting back to me on this.  After seeing it once, I 
> > was
> > also unable to reproduce the crash, and so was patching blind.
> > This remains elusive.
> > 
> > Does this alternative patch help?
> > 
> > > on both machines, what I've done :
> > > (...untar...)
> > > cd samba-4.0.6
> > > patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
> > > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
> > > make
> > > make install
> > > rm /etc/samba/smb.conf
> > > samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc --realm TEST.CH --domain TEST --adminpass=Pa$$w0rd
> > > samba -i -M single
> > >
> > > and ->>>  wbinfo --uid-info 300
> > >
> > > I get :
> > > -
> > > samba version 4.0.6 started.
> > > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > > samba: using 'single' process model
> > > Attempting to autogenerate TLS self-signed keys for https for hostname 'WZ3.test3.ch'
> > > TLS self-signed keys generated OK
> > > ===
> > > INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
> > > Please read the Trouble-Shooting section of the Samba HOWTO
> > > ===
> > > PANIC: internal error
> > > Aborted
> > > -
> > >
> > > Best regards
> > >
> > > Philippe
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> > 
> > --
> > Andrew Bartletthttp://samba.org/~abartlet/
> > Authentication Developer, Samba Team   http://samba.org
> 
> 

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

>From 213dd8c754e381fcca0bc692422189fb0a9fa9d6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Sat, 15 Jun 2013 19:54:14 +1000
Subject: [PATCH] gensec: work around nested event loops by ensuring that the
 gensec_security remains valid

Some nested event loops cause the main context variable here to become
deallocated.  This ensures that cannot happen until the end of the
call.

Andrew Bartlett
---
 auth/gensec/gensec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..ad6a19d 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -216,9 +216,11 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
 const DATA_BLOB in, DATA_BLOB *out)
 {
 	NTSTATUS status;
-
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	talloc_reference(mem_ctx, gensec_security);
 	status = gensec_security->ops->update(gensec_security, out_mem_ctx,
 	  ev, in, out);
+	talloc_free(mem_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
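Review bot: both new allocations in this hunk are unchecked. `talloc_new(NULL)` returns NULL on allocation failure, and `talloc_reference(mem_ctx, gensec_security)` returns NULL in that case too, so the protection the commit message describes can silently fail and `ops->update` runs unguarded. Suggest checking them before the call, for example `if (mem_ctx == NULL || talloc_reference(mem_ctx, gensec_security) == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }`. A short comment next to the reference explaining that a nested event loop can free `gensec_security` during `update` would also help, since readers of gensec.c will not see this commit message. Finally, once `talloc_free(mem_ctx)` drops the reference, `gensec_security` may already be gone if its real owner freed it during the nested loop, so any later use of it in this function after that line is a use-after-free in exactly the scenario being worked around; either confirm the remainder of the function does not touch it or move the free to the function's return paths.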
-- 
1.7.11.7

>From 4497f21ec6790d2c99aaafde4a7ceae026b3aacd Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Sat, 15 Jun 2013 23:01:44 +1000
Subject: [PATCH 2/2] s4-winbind: Add special case for BUILTIN domain

This should mean that lookups for the BUILTIN domain cause less trouble
than they have in the past, because they will no longer go via the
trusted domain handler.

Andrew Bartlett

Signed-off-by: Andrew Bartlett 
---
 source4/winbind/wb_dom_info.c|  5 +++--
 source4/winbind/wb_init_domain.c | 38 --
 source4/winbind/wb_sid2domain.c  | 14 ++
 3 files changed, 37 insertions(+), 20 deletions(-)

diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb

Re: [Samba] samba4 missing group membership with getent group

2013-06-21 Thread steve
On Fri, 2013-06-21 at 06:23 +, philippe.simo...@swisscom.com wrote:
> Hi Samba users

> 
> but   does not return group/user membership : 
> TEST3\g1:*:327:
> 
> any advices ?

It doesn't work for groups:(
use:
getent group TEST\g1

hth
Steve




Re: [Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)

2013-06-21 Thread Philippe.Simonet
Hi Andrew,

sorry (my English...) I was not clear. I tried to say that the patch does not 
change anything for me, 
the crash is still here.

best regards

Philippe


> -Original Message-
> From: Andrew Bartlett [mailto:abart...@samba.org]
> Sent: Friday, June 21, 2013 9:18 AM
> To: Simonet Philippe, ITS-OUS-OP-IFM-NW-IPE
> Cc: samba-techni...@samba.org; sa...@samba.org;
> qoole.sa...@lillimoth.com
> Subject: Re: [PATCH] Workaround very slow nss_winbind, fix crash on the AD
> DC (particularly for backups)
> 
> On Fri, 2013-06-21 at 05:58 +, philippe.simo...@swisscom.com wrote:
> > Hi Andrew,
> >
> > many thanks for your patch,
> > I tested it on 2 different systems but without success (the crash is always
> happening).
> >
> > before applying the patch, I had a strange problem: I couldn't
> > reproduce the problem (with wbinfo --uid-info 300) on one of the
> > machines. No chance even if I reinstalled, re-provisioned, ...). I finally
> > rebooted the machine and after the reboot the crash was reproducible
> > again (...)
> 
> Thank you for finally getting back to me on this.  After seeing it once, I was
> also unable to reproduce the crash, and so was patching blind.
> This remains elusive.
> 
> Does this alternative patch help?
> 
> > on both machines, what I've done :
> > (...untar...)
> > cd samba-4.0.6
> > patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
> > ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
> > make
> > make install
> > rm /etc/samba/smb.conf
> > samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc --realm TEST.CH --domain TEST --adminpass=Pa$$w0rd
> > samba -i -M single
> >
> > and ->>>  wbinfo --uid-info 300
> >
> > I get :
> > -
> > samba version 4.0.6 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2012
> > samba: using 'single' process model
> > Attempting to autogenerate TLS self-signed keys for https for hostname 'WZ3.test3.ch'
> > TLS self-signed keys generated OK
> > ===
> > INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
> > Please read the Trouble-Shooting section of the Samba HOWTO
> > ===
> > PANIC: internal error
> > Aborted
> > -
> >
> > Best regards
> >
> > Philippe
> 
> Thanks,
> 
> Andrew Bartlett
> 
> --
> Andrew Bartletthttp://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org



Re: [Samba] [PATCH] Workaround very slow nss_winbind, fix crash on the AD DC (particularly for backups)

2013-06-21 Thread Andrew Bartlett
On Fri, 2013-06-21 at 05:58 +, philippe.simo...@swisscom.com wrote:
> Hi Andrew,
> 
> many thanks for your patch, 
> I tested it on 2 different systems but without success (the crash is always 
> happening).
> 
> before applying the patch, I had a strange problem: I couldn't reproduce 
> the problem (with wbinfo --uid-info 300)
> on one of the machines. No chance even if I reinstalled, re-provisioned, ...). I 
> finally rebooted the machine and after the reboot the crash
> was reproducible again (...)

Thank you for finally getting back to me on this.  After seeing it once,
I was also unable to reproduce the crash, and so was patching blind.
This remains elusive. 

Does this alternative patch help?

> on both machines, what I've done : 
> (...untar...)
> cd samba-4.0.6
> patch -p1 < 0001-s4-winbind-Add-special-case-for-BUILTIN-domain.patch
> ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-fhs
> make
> make install
> rm /etc/samba/smb.conf
> samba-tool domain provision --dns-backend=BIND9_FLATFILE --server-role=dc  
> --realm TEST.CH  --domain TEST --adminpass=Pa$$w0rd
> samba -i -M single
> 
> and ->>>  wbinfo --uid-info 300
> 
> I get : 
> -
> samba version 4.0.6 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> Attempting to autogenerate TLS self-signed keys for https for hostname 
> 'WZ3.test3.ch'
> TLS self-signed keys generated OK
> ===
> INTERNAL ERROR: Signal 11 in pid 4844 (4.0.6)
> Please read the Trouble-Shooting section of the Samba HOWTO
> ===
> PANIC: internal error
> Aborted
> -
> 
> Best regards
> 
> Philippe

Thanks,

Andrew Bartlett

-- 
Andrew Bartletthttp://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

>From 213dd8c754e381fcca0bc692422189fb0a9fa9d6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Sat, 15 Jun 2013 19:54:14 +1000
Subject: [PATCH] gensec: work around nested event loops by ensuring that the
 gensec_security remains valid

Some nested event loops cause the main context variable here to become
deallocated.  This ensures that cannot happen until the end of the
call.

Andrew Bartlett
---
 auth/gensec/gensec.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/auth/gensec/gensec.c b/auth/gensec/gensec.c
index ea62861..ad6a19d 100644
--- a/auth/gensec/gensec.c
+++ b/auth/gensec/gensec.c
@@ -216,9 +216,11 @@ _PUBLIC_ NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_
 const DATA_BLOB in, DATA_BLOB *out)
 {
 	NTSTATUS status;
-
+	TALLOC_CTX *mem_ctx = talloc_new(NULL);
+	talloc_reference(mem_ctx, gensec_security);
 	status = gensec_security->ops->update(gensec_security, out_mem_ctx,
 	  ev, in, out);
+	talloc_free(mem_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
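Review bot: the return values of `talloc_new(NULL)` and `talloc_reference(mem_ctx, gensec_security)` in this hunk are never checked; on allocation failure both return NULL, the reference is not taken, and `ops->update` runs without the lifetime guarantee this patch exists to provide. Suggest `if (mem_ctx == NULL || talloc_reference(mem_ctx, gensec_security) == NULL) { talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; }` ahead of the call, plus an inline comment stating why the reference is held (nested event loops freeing `gensec_security` during `update`). Note also that after `talloc_free(mem_ctx)` the object can be gone if its owner freed it during the nested loop, so the rest of `gensec_update` must not dereference `gensec_security` after that line.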
-- 
1.7.11.7
