Re: [Samba] Can someone explain SMB passwords?
On Sun, Jul 21, 2013 at 11:41:17AM -0700, Paul D. DeRocco wrote:
> (This is an embedded box, so, short of taking a screwdriver and opening the unit, there is no other access besides this share.)
>
> Thanks for taking the time to try to explain this. The fog is starting to lift a little.
>
> I assume force user = root means ignore the username provided by the client, and pretend all clients are username root instead. So what password does the client need to provide? The root Unix password, or some password entered into the SMB password database by the smbpasswd command?
>
> Does Samba use an SMB password if it finds an appropriate username in its own database, and fall back to using the Unix password if it doesn't find the username in its own database? If so, is the purpose of the SMB password to provide an alternate namespace, so that one can use a different password (and perhaps username) that has no analog among local user accounts?

force user happens after any user authentication. Samba uses the client provided username to find the entry in the smbpasswd file. After that succeeded, when connecting to the share, it will switch back to root for accessing files. But the local user must exist for Samba to let the user in at all.

> For instance, if my root account has the password blahblah, can I invent an arbitrary username like foobar that doesn't correspond to any local Unix user account, put that into the SMB password database with the password yadayada, and then put force user = foobar in smb.conf? Will all external clients then be able to log in with any username and yadayada, so I don't need to reveal blahblah to anyone? Or will Samba be unable (or unwilling) to access the files owned by root without somehow being given the blahblah password?

No, Samba will require a local user foobar.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Can someone explain SMB passwords?
> From: Volker Lendecke [mailto:volker.lende...@sernet.de]
>
> force user happens after any user authentication. Samba uses the client provided username to find the entry in the smbpasswd file. After that succeeded, when connecting to the share, it will switch back to root for accessing files. But the local user must exist for Samba to let the user in at all.

So is there ANY way to provide access to a share, with only a password, not caring about a username? Or must I pick a name (e.g., root) and tell all clients to log in under that username?

If I do the latter, and root isn't listed in smbpasswd, will it just do ordinary Unix authentication, demanding a password that matches the local root password? Is the purpose of an SMB password to allow a client to be assigned a different password, without having to reveal the local Unix one? Or MUST I list root in smbpasswd with the same password as the local Unix one?

--
Ciao,               Paul D. DeRocco
Paul                mailto:pdero...@ix.netcom.com
Re: [Samba] Can someone explain SMB passwords?
On Mon, Jul 22, 2013 at 01:07:34AM -0700, Paul D. DeRocco wrote:
> > From: Volker Lendecke [mailto:volker.lende...@sernet.de]
> >
> > force user happens after any user authentication. Samba uses the client provided username to find the entry in the smbpasswd file. After that succeeded, when connecting to the share, it will switch back to root for accessing files. But the local user must exist for Samba to let the user in at all.
>
> So is there ANY way to provide access to a share, with only a password, not caring about a username? Or must I pick a name (e.g., root) and tell all clients to log in under that username?
>
> If I do the latter, and root isn't listed in smbpasswd, will it just do ordinary Unix authentication, demanding a password that matches the local root password? Is the purpose of an SMB password to allow a client to be assigned a different password, without having to reveal the local Unix one? Or MUST I list root in smbpasswd with the same password as the local Unix one?

There is also the username map parameter, using which you can for example say

username map = /etc/samba/usermap

and then open a file named /etc/samba/username with a single line containing

root = *

With best regards,

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
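A small model of the username map lookup suggested in the message above, added here as an example (it is not code from the thread or from Samba). It follows the line syntax documented in smb.conf(5), does not evaluate @group entries, and flags any line that sends the * wildcard to a privileged account; the PRIVILEGED set, the function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Accounts treated as privileged for this audit (assumption; adjust per host).
PRIVILEGED = {"root"}

# A client name is either "a quoted name with spaces" or a bare token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_username_map(text):
    """Parse lines of the form 'unixname = client1 client2 ...'.

    Returns (unix_name, [client_names], stop) tuples. stop is True for lines
    that begin with '!', which end processing when they match. Lines that
    start with '#' or ';' are comments.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        stop = line.startswith("!")
        if stop:
            line = line[1:].lstrip()
        unix_name, sep, rhs = line.partition("=")
        if not sep or not unix_name.strip():
            continue  # not a mapping line
        clients = [quoted or bare for quoted, bare in _TOKEN.findall(rhs)]
        entries.append((unix_name.strip(), clients, stop))
    return entries


def resolve(entries, client_name):
    """Return the Unix name that a client-supplied name maps to.

    Model of the documented behaviour: lines are tried in order against the
    name the client sent, the last matching line wins, and a matching '!'
    line stops processing. Names are compared case-insensitively.
    """
    result = client_name
    wanted = client_name.lower()
    for unix_name, clients, stop in entries:
        if "*" in clients or wanted in (c.lower() for c in clients):
            result = unix_name
            if stop:
                break
    return result


def audit(entries):
    """Report lines that map every client name to a privileged account."""
    findings = []
    for unix_name, clients, _stop in entries:
        if "*" in clients and unix_name.lower() in PRIVILEGED:
            findings.append(
                f"'{unix_name} = *': every client username is authenticated as "
                f"'{unix_name}', so that account's SMB password is the only secret"
            )
    return findings


def configured_map_path(smb_conf_text):
    """Return the path set by 'username map = ...' in smb.conf text, or None."""
    for raw in smb_conf_text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and " ".join(key.split()).lower() == "username map":
            return value.strip()
    return None


# Constructed sample input that follows the example in the message.
SMB_CONF = """\
[global]
    username map = /etc/samba/usermap
"""
USERMAP = """\
# map every client-supplied name to root
root = *
"""

if __name__ == "__main__":
    entries = parse_username_map(USERMAP)
    print("map file expected at:", configured_map_path(SMB_CONF))
    for name in ("paul", "foobar", "root"):
        print(f"{name} -> {resolve(entries, name)}")
    for finding in audit(entries):
        print("finding:", finding)
```

The map file has to be saved under exactly the path that configured_map_path() reports, otherwise no mapping is applied.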
Re: [Samba] Can someone explain SMB passwords?
> From: Volker Lendecke [mailto:volker.lende...@sernet.de]
>
> There is also the username map parameter, using which you can for example say
>
> username map = /etc/samba/usermap
>
> and then open a file named /etc/samba/username with a single line containing
>
> root = *

That looks like just the ticket. But I still need to know which of the following three things is true:

1) I can rely on Unix authentication and not even bother with SMB passwords, if I don't mind telling the clients the local root password.

2) I can use smbpasswd to assign a different client password, so I can keep the local root password secret from the clients.

3) I must use smbpasswd and assign the same password as the local root password.

--
Ciao,               Paul D. DeRocco
Paul                mailto:pdero...@ix.netcom.com
Re: [Samba] Can someone explain SMB passwords?
On Mon, Jul 22, 2013 at 01:24:52AM -0700, Paul D. DeRocco wrote:
> > From: Volker Lendecke [mailto:volker.lende...@sernet.de]
> >
> > There is also the username map parameter, using which you can for example say
> >
> > username map = /etc/samba/usermap
> >
> > and then open a file named /etc/samba/username with a single line containing
> >
> > root = *
>
> That looks like just the ticket. But I still need to know which of the following three things is true:
>
> 1) I can rely on Unix authentication and not even bother with SMB passwords, if I don't mind telling the clients the local root password.
>
> 2) I can use smbpasswd to assign a different client password, so I can keep the local root password secret from the clients.
>
> 3) I must use smbpasswd and assign the same password as the local root password.

2) is correct.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
[Samba] Debian 7.1 net user add etc returns exit code 255
I have a pristine Debian 7.1 system running Samba 3.6.6.

root@tv:/etc/samba# apt-cache policy samba
samba:
  Installed: 2:3.6.6-6
  Candidate: 2:3.6.6-6
  Version table:
 *** 2:3.6.6-6 0
        500 http://ftp.debian.org/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status

Between strace (-s 102400 -ffO for net user, and all pid's of smbd), log level = 5, man pages, and as much white noise as I've been able to wade through from Google and the mailing list, I think the initial tdb was never setup. I created a new one with tdbtool, but I suppose I do not know what values to inject to bootstrap this.

I checked http://bugs.debian.org/samba , but did not find anything relevant.

strace may as well be Greek, as I really only see smb/445 traffic by and large. The logs are more verbose ... but I just cannot seem to wrap my head around it or zero into where the issue may be. Is it safe (security wise) to attach the verbose /var/log/samba logs? (1.2mb right now).

I just want my home share accessible when I authenticate from other systems (mac osx, windows 7, etc). Additionally, I would like / access as any non root user (authenticated).

root@tv:/etc/samba# ls -laR /etc/samba/
/etc/samba/:
total 88
drwxr-xr-x   2 root root    75 Jul 21 21:18 .
drwxr-xr-x 138 root root  8192 Jul 21 20:24 ..
-rw-r--r--   1 root root     8 Nov 10  2002 gdbcommands
-rw-------   1 root root   696 Jul 21 21:18 secrets.tdb
-rw-r--r--   1 root root 12240 Jul 21 21:17 smb.conf
-rw-------   1 root root 54016 Jul 21 20:58 traceit.txt

testparm checks out.

root@tv:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [homes]
Processing section [printers]
Processing section [print$]
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions

[global]
    server string = %h server
    map to guest = Bad User
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    load printers = No
    dns proxy = No
    usershare allow guests = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap config * : backend = tdb

[homes]
    comment = Home Directories
    valid users = %S
    create mask = 0700
    directory mask = 0700
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    print ok = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = No

I'm not sure if this is success via smbclient, I would expect to see my home share, but maybe that needs browsable = yes ? (will this expose it to other users?)

supaplex@tv:~$ smbclient -L 127.0.0.1 //tv/supaplex
Enter supaplex's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (tv server)
    print$          Disk      Printer Drivers
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

    Server               Comment
    ---------            -------
    TV                   tv server

    Workgroup            Master
    ---------            -------
    WORKGROUP            TV
supaplex@tv:~$ echo $?
0

Interesting enough, the man page suggests the private dir = /etc/samba/private, though the default is /etc/samba (hence my creation of the secrets.tdb in /etc/samba).

root@tv:/etc/samba# testparm -v | egrep '(tdb|priv)'
    private dir = /etc/samba

Thanks and regards,
Scott Edwards
Re: [Samba] Can someone explain SMB passwords?
Hello, Volker,

You wrote on 22.07.13:

> > So is there ANY way to provide access to a share, with only a password, not caring about a username? Or must I pick a name (e.g., root) and tell all clients to log in under that username?
> >
> > If I do the latter, and root isn't listed in smbpasswd, will it just do ordinary Unix authentication, demanding a password that matches the local root password? Is the purpose of an SMB password to allow a client to be assigned a different password, without having to reveal the local Unix one? Or MUST I list root in smbpasswd with the same password as the local Unix one?
>
> There is also the username map parameter, using which you can for example say
>
> username map = /etc/samba/usermap
>
> and then open a file named /etc/samba/username with a single line containing

/etc/samba/usermap

(looks like a cp error ...)

> root = *

Best regards!
Helmut
Re: [Samba] need soms tips for adding samba4 to windows 2008R2 domain
Hi,

Based on below, I want to use the sernet samba4 packages. Should I install: sernet-samba-ad or sernet-samba-winbind

The server is joining a windows 2008 R2 domain, and the zarafaschema will be applied.

2) add samba4 to the windows domain dc as secondary DC. ( this server will be my zarafa mail server )

Setup and joining a Samba machine as DC you can find here: http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
[Samba] samba 3.6.16 and kinit
Hi.

When I'm trying to join a machine to a domain via ADS I get

kerberos_kinit_password d...@norma.com failed: Looping detected inside krb5_get_in_tkt.

At the same time plain kinit d...@norma.com from a console gives me a ticket without errors. Is this a bug (so I should report it) or can this still be some misconfiguration on my side? I'm doing this on testparm-approved config file from 3.5.x.

P.S. FreeBSD 10.0-CURRENT.

Thanks.
Eugene.
Re: [Samba] Can someone explain SMB passwords?
On Mon, Jul 22, 2013 at 11:12:00AM +0200, Helmut Hullen wrote:
> Hello, Volker,
>
> You wrote on 22.07.13:
>
> > > So is there ANY way to provide access to a share, with only a password, not caring about a username? Or must I pick a name (e.g., root) and tell all clients to log in under that username?
> > >
> > > If I do the latter, and root isn't listed in smbpasswd, will it just do ordinary Unix authentication, demanding a password that matches the local root password? Is the purpose of an SMB password to allow a client to be assigned a different password, without having to reveal the local Unix one? Or MUST I list root in smbpasswd with the same password as the local Unix one?
> >
> > There is also the username map parameter, using which you can for example say
> >
> > username map = /etc/samba/usermap
> >
> > and then open a file named /etc/samba/username with a single line containing
>
> /etc/samba/usermap
>
> (looks like a cp error ...)

Thanks :-)

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
[Samba] AIX, Samba and ADS issue
I’m trying to get an AIX + samba + ADS system working properly. The samba server is a domain member and I can use the wbinfo -u and wbinfo -g commands with no problem. We’re running pware64 version 3.5.11 on AIX 6.1.

I need to know if as a group member of the ADS, do I still need to do a net groupmap to map ADS groups to AIX groups or does this happen automatically with this version of samba? The users can log in, but can’t access their shares. The only way they’ve been able to access their shares is if I change the directory permissions to 777.

Here’s our configuration:

Smb.conf

#=== Global Settings =
[global]
workgroup = CINTASFIT
server string = CINSD20 Samba Server
netbios name = CINSD20
security = ADS
encrypt passwords = yes
password server = *
realm = CINTAS.FIT
local master = no
domain master = no
wins support = no
dns proxy = no
load printers = no
admin users = root
allow trusted domains = yes
map untrusted to domain = yes
client use spnego = yes
log file = /var/log/samba/%m.log
max log size = 1000
log level = 3
nmbd bind explicit broadcast = no
winbind enum users = no
winbind enum groups = no
winbind separator = +
winbind nested groups = yes
winbind use default domain = yes
nt acl support = yes
inherit acls = yes
map acl inherit = yes
map to guest = Never
store dos attributes = yes
inherit permissions = yes
idmap uid = 20 - 50
idmap gid = 20 - 50

# Share Definitions ==
[don]
comment = Sample share
path = /tmp
create mask = 0644
directory mask = 0775
writeable=yes
guest ok = no
valid users = CINTASFIT+aixuser, root
admin users = root

[BISHAREDDEV]
path = /BI_SHARED
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+c_acct_cptr_app_g, @CINTAS+sap_cintas_pp, @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
admin users = root

[FIFTHTHDEV]
path = /interface_secure/FifthThird
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root

[NOVASCOTDEV]
path = /interface_secure/NovaScotia
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root

[HEWITTDEV]
path = /interface_secure/Hewitt
create mask = 0644
directory mask = 0c = yes
public = no
writeable = no
guest ok = no
valid users = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
write list = @CINTAS+c_sap_hewitt_u, @CINTAS+C_MIS_Finance_G, @CINTAS+C_Payroll_G
admin users = root

[INTSECUREDEV]
path = /interface_secure
create mask = 0644
directory mask = 0775
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G
admin users = root

[INOVISDEV]
path = /interface/Inovis
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_EDI
write list = @CINTAS+C_MIS_EDI
admin users = root

[OPTIPLANDEV]
path = /interface/Optiplan
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
write list = @CINTAS+SAPITTech, @CINTAS+SAP_Cintas_PP
admin users = root

[CONCURDEV]
path = /interface_secure/Concur
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root

[INTERFACEDEV]
path = /interface
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_MIS_Finance_G
admin users = root

[PITNEYBOWDEV]
path = /interface_secure/PitneyBowes
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root

[IRSAUDITDEV]
path = /interface_secure/IRSAUDITDEV
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Cptr_App_G, @CINTAS+C_MIS_Finance_G
admin users = root

[PNCDEV]
path = /interface_secure/PNCDEV
create mask = 0644
directory mask = 0775
public = no
writeable = no
guest ok = no
valid users = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
write list = @CINTAS+C_Acct_Alchemy_AP, @CINTAS+C_MIS_Finance_G
admin users = root

[PROJDEVARCH]
path = /interface_secure/Projections/I-780683-1-ECC/Archive
create mask = 0644
directory mask = 0775
[Samba] Winbind troubles
I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have installed the SerNet packages. SRV1 has the AD setup and SRV2 is a member server. I've followed the wiki for both servers to the letter, and winbind still refuses to grab info on the member server.

I rolled the provision with --use-rfc2307, added a bunch of users with samba-tool. I then manually created a group and made sure it had valid gid. I then did the same with the 3 users, made sure their primary group was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001, and 10002. The single group has a GID of 1 and all 3 users are a member.

I joined the domain fine, everything appears correct in DNS, and the SRV2 member server shows up in ADUC under Computers. Both smb.conf files match exactly (except for the domain names) the config file examples in the wiki articles.

wbinfo -u and wbinfo -g both work and pull the proper users/groups. However, when I run getent passwd all I get is local users. I checked and re-checked libnss_winbind.so with ldconfig -v, and that is there as well. What the heck could I be missing? I've followed everything to the letter.
Re: [Samba] Winbind troubles
Have you tried 'getent passwd username'

Rowland

On 22 July 2013 19:56, Matthew Daubenspeck m...@oddprocess.org wrote:
> I've rolled 2 virtual servers running Ubuntu 12.04 LTS and have installed the SerNet packages. SRV1 has the AD setup and SRV2 is a member server. I've followed the wiki for both servers to the letter, and winbind still refuses to grab info on the member server.
>
> I rolled the provision with --use-rfc2307, added a bunch of users with samba-tool. I then manually created a group and made sure it had valid gid. I then did the same with the 3 users, made sure their primary group was set, and they had valid UIDs. All 3 users have UIDs of 1, 10001, and 10002. The single group has a GID of 1 and all 3 users are a member.
>
> I joined the domain fine, everything appears correct in DNS, and the SRV2 member server shows up in ADUC under Computers. Both smb.conf files match exactly (except for the domain names) the config file examples in the wiki articles.
>
> wbinfo -u and wbinfo -g both work and pull the proper users/groups. However, when I run getent passwd all I get is local users. I checked and re-checked libnss_winbind.so with ldconfig -v, and that is there as well. What the heck could I be missing? I've followed everything to the letter.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> Have you tried 'getent passwd username'
>
> Rowland

root@srv2:~# getent passwd Administrator
root@srv2:~# getent passwd user1
root@srv2:~# getent passwd user2
root@srv2:~# getent passwd user3

No results. They are all there though:

root@srv2:~# wbinfo -u
administrator
krbtgt
guest
user1
user2
user3

Verified the uidNumber was set as well on the DC:

# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
uidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
gidNumber: 1
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
uidNumber: 10001
# ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
gidNumber: 1

etc.
Re: [Samba] Winbind troubles
/etc/nsswitch.conf setup correctly?

On 22 July 2013 20:52, Matthew Daubenspeck m...@oddprocess.org wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> > Have you tried 'getent passwd username'
> >
> > Rowland
>
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3
>
> No results. They are all there though:
>
> root@srv2:~# wbinfo -u
> administrator
> krbtgt
> guest
> user1
> user2
> user3
>
> Verified the uidNumber was set as well on the DC:
>
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep uidNumber
> uidNumber: 1
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user1|grep gid
> gidNumber: 1
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep uidNumber
> uidNumber: 10001
> # ldbsearch --url=/var/lib/samba/private/sam.ldb cn=user2|grep gid
> gidNumber: 1
>
> etc.
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 15:52 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 08:41:09PM +0100, Rowland Penny wrote:
> > Have you tried 'getent passwd username'
> >
> > Rowland
>
> root@srv2:~# getent passwd Administrator
> root@srv2:~# getent passwd user1
> root@srv2:~# getent passwd user2
> root@srv2:~# getent passwd user3

Can you post smb.conf on SRV2?

Steve
[Samba] Errors in parse_share_modes Testing CTDB 2.3 and Samba 4.0.7
I'm working on building a CTDB/Samba cluster on AIX 7.1 with the latest levels to replace an older one running CTDB 1.0.113 and Samba 3.6.1. I have the new servers up and running and they seem to work, but I'm worried about some messages in the logs. I run with log level 1 on the servers so that the connection details are logged. On the old cluster there were only connection/closed connection, and client time-out messages in the logs. On the new cluster I see the following messages very often:

[2013/07/22 15:09:02.594483, 1, pid=9437314] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
[2013/07/22 15:09:02.594636, 1, pid=9437314] locking/share_mode_lock.c:136(parse_share_modes)
  ndr_pull_share_mode_lock failed

I would like to know how I can tell if there is some problem with the locking database in CTDB before I go any farther in testing. I upped the log level and I can see that this happens when getting each entry of a directory in dir.c:smbd_dirptr_get_entry() when it calls locking.c:get_file_infos() and eventually tries to parse the locking data. I took a look at the Samba 3.6.1 source and I see that the code that parses the locking data has changed in 4.0.X. I haven't spent enough time yet to understand the code to find the reason for the messages.

Can anyone give me some pointers on debugging this? I've upped the log level to 10 and it pointed me down the code path that is getting hit, but doesn't make it clear to me what the problem is.

Here are all the messages generated at log level 10 inside the loop over the directory entries:

[2013/07/19 12:42:45.724992, 6, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/dir.c:1061(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry: dirptr 0x2064dc18 now at offset 576
[2013/07/19 12:42:45.725084, 8, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/dosmode.c:632(dos_mode)
  dos_mode: ./rt_aos4
[2013/07/19 12:42:45.725157, 8, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/dosmode.c:206(dos_mode_from_sbuf)
  dos_mode_from_sbuf returning d
[2013/07/19 12:42:45.725227, 8, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/dosmode.c:683(dos_mode)
  dos_mode returning d
[2013/07/19 12:42:45.725637, 1, pid=4063418, effective(39803, 14161), real(0, 0)] ../librpc/ndr/ndr.c:412(ndr_pull_error)
  ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
[2013/07/19 12:42:45.725722, 1, pid=4063418, effective(39803, 14161), real(0, 0), class=locking] locking/share_mode_lock.c:136(parse_share_modes)
  ndr_pull_share_mode_lock failed
[2013/07/19 12:42:45.725792, 3, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/dir.c:1144(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./rt_aos4 fname=rt_aos4 (rt_aos4)
[2013/07/19 12:42:45.725880, 10, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/trans2.c:1666(smbd_marshall_dir_entry)
  smbd_marshall_dir_entry: space_remaining = 16232
[2013/07/19 12:42:45.725955, 10, pid=4063418, effective(39803, 14161), real(0, 0)] smbd/trans2.c:1819(smbd_marshall_dir_entry)
  smbd_marshall_dir_entry: SMB_FIND_FILE_BOTH_DIRECTORY_INFO

If anyone would like more configuration details or complete logs I can provide them.

Thanks,
John Janosik
jpjan...@us.ibm.com
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> Can you post smb.conf on SRV2?
> Steve

Certainly:

[global]
workgroup = NWLTECH
security = ADS
realm = NWLTECH.ORG
encrypt passwords = yes
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 500-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 08:59:47PM +0100, Rowland Penny wrote:
> /etc/nsswitch.conf setup correctly?

passwd: compat winbind
group: compat winbind
shadow: compat

snipped
[Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set
Hi,

I have a Samba4 domain consisting of two 4.0.6 Samba servers, in two different AD sites. I am trying to join a new 4.0.7 Samba server as a DC.

Previously, I had had some issues caused by hardware failure of one of the DCs; I have learnt my lesson about checking backups properly, as it took me a surprisingly (for me) long time to recover from this (there was no FSMO after the failure and I had to use ADSI Edit to fix this). However, everything has been running fine since then - up till now.

Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7 from source), but I get the following: (edited out to remove domain name)

[root@newdc ~]# samba-tool domain join mydomain.org DC -UMYDOMAIN\\administrator --realm=mydomain.org
Finding a writeable DC for domain 'mydomain.org'
Found DC existing-dc.mydomain.org
Password for [MYDOMAIN\administrator]:
workgroup is MYDOMAIN
realm is mydomain.org
checking sAMAccountName
Adding CN=NEWDC,OU=Domain Controllers,DC=mydomain,DC=org
Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org'!
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1104, in join_DC
    ctx.do_join()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 1007, in do_join
    ctx.join_add_objects()
  File /usr/local/samba/lib64/python2.6/site-packages/samba/join.py, line 499, in join_add_objects
    ctx.samdb.add(rec)

I think this is the same issue as in bug 9954: https://bugzilla.samba.org/show_bug.cgi?id=9954

and in this previous post (I couldn't find a response to): https://lists.samba.org/archive/samba-technical/2013-April/091668.html

I'm not averse to a bit of ADSI Edit or similar - but I don't really know where to start with this..

Any ideas?

Thanks!

Jonathan

--
If we knew what it was we were doing, it would not be called research, would it? - Albert Einstein
Re: [Samba] Winbind troubles
OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to setup so jumped ship to sssd

The idmap setup I used was:

idmap config *:backend = tdb
idmap config *:range = 1100-2000
idmap config DOMAIN:backend = ad
idmap config DOMAIN:schema_mode = rfc2307
idmap config DOMAIN:range = 1-310

As you can see the number ranges are the opposite way round to what you have i.e. config*:range is lower than DOMAIN:range

You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connect to the AD server.

Rowland

On 22 July 2013 21:46, Matthew Daubenspeck m...@oddprocess.org wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
> > Can you post smb.conf on SRV2?
> > Steve
>
> Certainly:
>
> [global]
> workgroup = NWLTECH
> security = ADS
> realm = NWLTECH.ORG
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config NWLTECH:backend = ad
> idmap config NWLTECH:schema_mode = rfc2307
> idmap config NWLTECH:range = 500-4
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 16:46 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:27:36PM +0200, steve wrote:
>> Can you post smb.conf on SRV2?
>> Steve
>
> Certainly:
>
> [global]
> workgroup = NWLTECH
> security = ADS
> realm = NWLTECH.ORG
> encrypt passwords = yes
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config NWLTECH:backend = ad
> idmap config NWLTECH:schema_mode = rfc2307
> idmap config NWLTECH:range = 500-4
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes

Similar to what I had when I used winbind, except the * range was lower than the range we wanted. Try something like 3000-3500 and 3501-4 perhaps?
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to setup so jumped ship to sssd
>
> The idmap setup I used was:
>
> idmap config *:backend = tdb
> idmap config *:range = 1100-2000
> idmap config DOMAIN:backend = ad
> idmap config DOMAIN:schema_mode = rfc2307
> idmap config DOMAIN:range = 1-310
>
> As you can see the number ranges are the opposite way round to what you have i.e. config*:range is lower than DOMAIN:range
>
> You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connect to the AD server.
>
> Rowland

Changing the above ranges made no difference. However, changing backend = rid gets me:

root@srv2:~# getent passwd administrator
administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
root@srv2:~# id user1
uid=1(user1) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)
root@srv2:~# id user2
uid=10001(user2) gid=1013(domain users) groups=1013(domain users),70002(BUILTIN\users)

That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
Re: [Samba] Winbind troubles
On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
>> OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to setup so jumped ship to sssd
>>
>> The idmap setup I used was:
>>
>> idmap config *:backend = tdb
>> idmap config *:range = 1100-2000
>> idmap config DOMAIN:backend = ad
>> idmap config DOMAIN:schema_mode = rfc2307
>> idmap config DOMAIN:range = 1-310
>>
>> As you can see the number ranges are the opposite way round to what you have i.e. config*:range is lower than DOMAIN:range
>>
>> You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connect to the AD server.
>>
>> Rowland
>
> Changing the above ranges made no difference. However, changing backend = rid gets me:
>
> root@srv2:~# getent passwd administrator
> administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh

Amazing;)

> That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?

You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 11:19:26PM +0200, steve wrote:
> Similar to what I had when I used winbind, except the * range was lower than the range we wanted. Try something like 3000-3500 and 3501-4 perhaps?

Like this?

idmap config *:backend = tdb
idmap config *:range = 3000-3500
idmap config NWLTECH:backend = ad
idmap config NWLTECH:schema_mode = rfc2307
idmap config NWLTECH:range = 3501-4

That makes no difference. Still no results.
Re: [Samba] Winbind troubles
If you want my opinion, this is just another example of why not to use winbind, if you can wait until tomorrow, I will send you an howto on sssd on Ubuntu 12.04

Rowland

On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:
> On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
>> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
>>> OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to setup so jumped ship to sssd
>>>
>>> The idmap setup I used was:
>>>
>>> idmap config *:backend = tdb
>>> idmap config *:range = 1100-2000
>>> idmap config DOMAIN:backend = ad
>>> idmap config DOMAIN:schema_mode = rfc2307
>>> idmap config DOMAIN:range = 1-310
>>>
>>> As you can see the number ranges are the opposite way round to what you have i.e. config*:range is lower than DOMAIN:range
>>>
>>> You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connect to the AD server.
>>>
>>> Rowland
>>
>> Changing the above ranges made no difference. However, changing backend = rid gets me:
>>
>> root@srv2:~# getent passwd administrator
>> administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
>
> Amazing;)
>
>> That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
>
> You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 11:36:26PM +0200, steve wrote:
> Amazing;)

Amazing all right. I have a headache :)

> You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.

So if I plan on using this for Windows clients ONLY, uidNumber, gidNumber, homedirs and shells shouldn't really be a problem to me. Key word being shouldn't? Not being able to add a backup DC WOULD be a problem, however.
Re: [Samba] Winbind troubles
On Mon, Jul 22, 2013 at 10:45:28PM +0100, Rowland Penny wrote:
> If you want my opinion, this is just another example of why not to use winbind, if you can wait until tomorrow, I will send you an howto on sssd on Ubuntu 12.04

Something like this?

http://linuxcostablanca.blogspot.com/2013/04/sssd-in-samba-40.html

That's about the most verbose thing Google seems to come up with. I'll wait as long as it takes, this is all just initial testing...
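The thread above turns on how the `idmap config` ranges for `*` and the AD domain relate to each other. As an added example (not code from any poster or from Samba), this Python checker parses the `idmap config` lines of an smb.conf, flags malformed, inverted or overlapping ranges, and reports which domain's range a given Unix ID falls in. The domain names EXAMPLE and OTHER and all sample values are constructed.

```python
import re

# Matches "idmap config DOMAIN:option = value"; commented-out lines do not match.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.*?)\s*$", re.I)
RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

def parse_idmap(conf_text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains

def check_ranges(conf_text):
    """Return (ranges, problems): usable {domain: (low, high)} plus findings."""
    ranges, problems = {}, []
    for dom, opts in sorted(parse_idmap(conf_text).items()):
        m = RANGE_RE.match(opts.get("range", ""))
        if not m:
            problems.append(f"{dom}: missing or malformed range {opts.get('range')!r}")
            continue
        low, high = int(m.group(1)), int(m.group(2))
        if low > high:
            problems.append(f"{dom}: inverted range {low}-{high}")
            continue
        ranges[dom] = (low, high)
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            # Two closed intervals overlap when each starts before the other ends.
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                problems.append(f"{a} and {b}: overlapping ranges")
    return ranges, problems

def owners(ranges, unix_id):
    """Domains whose range contains unix_id; an empty list means none claims it."""
    return [d for d, (lo, hi) in sorted(ranges.items()) if lo <= unix_id <= hi]

# Constructed sample configurations (not taken from the thread).
GOOD = """[global]
idmap config *:backend = tdb
idmap config *:range = 3000-3500
idmap config EXAMPLE:backend = ad
idmap config EXAMPLE:schema_mode = rfc2307
idmap config EXAMPLE:range = 10000-19999
"""
BAD = GOOD.replace("10000-19999", "3400-19999") + "idmap config OTHER:range = 20000-2000\n"
```

An ID that `owners` attributes to two domains is the case to fix first, since two different accounts could then resolve to the same Unix ID on the file server.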
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

http://git.samba.org/autobuild.flakey/2013-07-22-0854/flakey.log

The samba3 build logs are available here:

http://git.samba.org/autobuild.flakey/2013-07-22-0854/samba3.stderr
http://git.samba.org/autobuild.flakey/2013-07-22-0854/samba3.stdout

The source4 build logs are available here:

http://git.samba.org/autobuild.flakey/2013-07-22-0854/samba.stderr
http://git.samba.org/autobuild.flakey/2013-07-22-0854/samba.stdout

The top commit at the time of the failure was:

commit 44429f948b72e7bcf968da492592c57864f211c7
Author: Günther Deschner g...@samba.org
Date: Fri Jul 19 15:10:05 2013 +0200

    s3-printing: avoid KRB5CCNAME overwrite in printer publishing (Bug #7444).

    Guenther

    Signed-off-by: Günther Deschner g...@samba.org
    Reviewed-by: Andreas Schneider a...@samba.org

    Autobuild-User(master): Günther Deschner g...@samba.org
    Autobuild-Date(master): Fri Jul 19 17:53:08 CEST 2013 on sn-devel-104
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via b505111 s3-waf: Rename regedit to samba-regedit. from 44429f9 s3-printing: avoid KRB5CCNAME overwrite in printer publishing (Bug #7444). http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit b505d2fd3a9ae3b3aa028ccf013a98c20b38 Author: Andreas Schneider a...@samba.org Date: Fri Jul 19 16:08:39 2013 +0200 s3-waf: Rename regedit to samba-regedit. This is needed cause wine already provides a binary with the name regedit. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10040 Signed-off-by: Andreas Schneider a...@samba.org Reviewed-by: Kai Blin k...@samba.org Autobuild-User(master): Andreas Schneider a...@cryptomilk.org Autobuild-Date(master): Mon Jul 22 14:12:38 CEST 2013 on sn-devel-104 --- Summary of changes: source3/wscript_build |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/wscript_build b/source3/wscript_build index 19c6d08..a8bdaf0 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -1615,7 +1615,7 @@ bld.SAMBA3_PYTHON('pylibsmb', realname='samba/samba3/libsmb_samba_internal.so' ) -bld.SAMBA3_BINARY('regedit', +bld.SAMBA3_BINARY('samba-regedit', source=utils/regedit.c utils/regedit_samba3.c utils/regedit_wrap.c utils/regedit_treeview.c utils/regedit_valuelist.c utils/regedit_dialog.c -- Samba Shared Repository
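Review bot: In the source3/wscript_build hunk, only the target name passed to bld.SAMBA3_BINARY changes from 'regedit' to 'samba-regedit', and the summary lists that file as the only one touched, so anything that still refers to the installed binary by its old name (documentation, packaging file lists, scripts) is not covered by this commit. Suggest grepping the tree for the old name and either updating those references here or stating in the commit message that there are none.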
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fe06e1b smbd: Fix CID 1035536 Uninitialized pointer read via d7da8da smbd: Fix CID 1035537 Uninitialized pointer read via a1e0acc smbd: Fix CID 1035538 Uninitialized pointer read via a6a0d23 tdb: Fix CID 1034959 Uninitialized scalar variable via f25449b tdb: Fix CID 1034960 Uninitialized scalar variable from b505111 s3-waf: Rename regedit to samba-regedit. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fe06e1b0a3c06ffa859fa0d5e52ed4cc59de0950 Author: Volker Lendecke v...@samba.org Date: Sat Jun 22 13:06:34 2013 +0200 smbd: Fix CID 1035536 Uninitialized pointer read rpc_pipe_open_interface just returns okay if the pipe in question is already open. For this, it needs to read the value. Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Tue Jul 23 02:05:19 CEST 2013 on sn-devel-104 commit d7da8dabaa94af6662741c8ce8efdf87c34c03d2 Author: Volker Lendecke v...@samba.org Date: Sat Jun 22 13:06:34 2013 +0200 smbd: Fix CID 1035537 Uninitialized pointer read rpc_pipe_open_interface just returns okay if the pipe in question is already open. For this, it needs to read the value. Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit a1e0accc5f4f33ce296bad79a088499cf082d9b5 Author: Volker Lendecke v...@samba.org Date: Sat Jun 22 13:06:34 2013 +0200 smbd: Fix CID 1035538 Uninitialized pointer read rpc_pipe_open_interface just returns okay if the pipe in question is already open. For this, it needs to read the value. 
Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit a6a0d238b368fd15ceb0237c2f9ff13c58b18fad Author: Volker Lendecke v...@samba.org Date: Sat Jun 22 12:13:26 2013 +0200 tdb: Fix CID 1034959 Uninitialized scalar variable log_ctx.log_private was used uninitialized. Not a real bug here, as tdb_log does not access it, but tdb_open_ex still moves around uninitialized data. So this would show up in valgrind as well. Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit f25449b00a81bdb4010aed36d7c713513b70bcce Author: Volker Lendecke v...@samba.org Date: Sat Jun 22 12:13:26 2013 +0200 tdb: Fix CID 1034960 Uninitialized scalar variable log_ctx.log_private was used uninitialized. Not a real bug here, as tdb_log does not access it, but tdb_open_ex still moves around uninitialized data. So this would show up in valgrind as well. Signed-off-by: Volker Lendecke v...@samba.org Reviewed-by: Jeremy Allison j...@samba.org --- Summary of changes: lib/tdb/tools/tdbtool.c |4 ++-- source3/smbd/lanman.c |6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/tdb/tools/tdbtool.c b/lib/tdb/tools/tdbtool.c index d007796..01b9a14 100644 --- a/lib/tdb/tools/tdbtool.c +++ b/lib/tdb/tools/tdbtool.c @@ -222,7 +222,7 @@ static void terror(const char *why) static void create_tdb(const char *tdbname) { - struct tdb_logging_context log_ctx; + struct tdb_logging_context log_ctx = { NULL, NULL}; log_ctx.log_fn = tdb_log; if (tdb) tdb_close(tdb); @@ -235,7 +235,7 @@ static void create_tdb(const char *tdbname) static void open_tdb(const char *tdbname) { - struct tdb_logging_context log_ctx; + struct tdb_logging_context log_ctx = { NULL, NULL }; log_ctx.log_fn = tdb_log; if (tdb) tdb_close(tdb); diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index b5598a4..9278a3f 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c 
@@ -2341,7 +2341,7 @@ static bool api_RNetGroupEnum(struct smbd_server_connection *sconn, uint32_t num_groups; uint32_t resume_handle; - struct rpc_pipe_client *samr_pipe; + struct rpc_pipe_client *samr_pipe = NULL; struct policy_handle samr_handle, domain_handle; NTSTATUS status, result; struct dcerpc_binding_handle *b; @@ -2525,7 +2525,7 @@ static bool api_NetUserGetGroups(struct smbd_server_connection *sconn, uint32_t i; char *endp = NULL; - struct rpc_pipe_client *samr_pipe; + struct rpc_pipe_client *samr_pipe = NULL; struct policy_handle samr_handle, domain_handle, user_handle; struct lsa_String name; struct lsa_Strings names; @@ -2715,7 +2715,7 @@ static bool api_RNetUserEnum(struct smbd_server_connection *sconn, int i, resume_context, cli_buf_size; uint32_t resume_handle; -
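Review bot: In create_tdb() and open_tdb() in lib/tdb/tools/tdbtool.c, log_ctx is now zeroed with a positional initializer while log_fn is still assigned on the following line; a designated initializer such as struct tdb_logging_context log_ctx = { .log_fn = tdb_log }; would set the callback and zero the remaining members in one statement without depending on member order. The two added lines also differ in spacing ({ NULL, NULL} in create_tdb, { NULL, NULL } in open_tdb) and should match.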
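Review bot: In the source3/smbd/lanman.c hunks, api_RNetGroupEnum and api_NetUserGetGroups each have to set samr_pipe to NULL themselves because, per the commit message, rpc_pipe_open_interface reads the incoming value to decide whether the pipe is already open, and nothing visible here documents that in/out contract. A comment at rpc_pipe_open_interface stating that the pointer must be NULL or an already open pipe on entry would keep a future caller from reintroducing the uninitialized read. The api_RNetUserEnum hunk is cut off in this mail, so its change cannot be checked from here.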