Re: [Samba] Building with debug symbols and different optimisation levels
On Thu, 2013-07-18 at 11:54 +0100, Edward Robbins wrote:
> Hello, I would like to build samba at different optimisation levels with debug symbols, in order to test a static analysis tool I have developed. I have found the configure option --enable-developer, which I presume enables debug symbols and sets optimisation to O0, and --enable-debug (is the difference between these two options just the warning levels?), however I would also like to be able to enable debug symbols and set the optimisation level to O2. I've been searching but cannot find a way to do this in the build system, I can't even find where the optimisation level is set, however, I am unfamiliar with waf. Is there a (even hacky) way to do this?

Just pass whatever CFLAGS you desire to the ./configure wrapper, and they will be used.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Errors in parse_share_modes Testing CTDB 2.3 and Samba 4.0.7
On Mon, Jul 22, 2013 at 03:43:21PM -0500, John P Janosik wrote:
> I'm working on building a CTDB/Samba cluster on AIX 7.1 with the latest levels to replace an older one running CTDB 1.0.113 and Samba 3.6.1. I have the new servers up and running and they seem to work, but I'm worried about some messages in the logs. I run with log level 1 on the servers so that the connection details are logged. On the old cluster there were only connection/closed connection, and client time-out messages in the logs. On the new cluster I see the following messages very often:
>
> [2013/07/22 15:09:02.594483, 1, pid=9437314] ../librpc/ndr/ndr.c:412(ndr_pull_error)
>   ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
> [2013/07/22 15:09:02.594636, 1, pid=9437314] locking/share_mode_lock.c:136(parse_share_modes)
>   ndr_pull_share_mode_lock failed

Very likely that's bug 10008.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de
Re: [Samba] Winbind troubles
Hai,

I'm having exactly the same problem with winbind as Matthew Daubenspeck, also on Ubuntu 12.04 with SerNet packages (used sernet-samba-winbind 4.0.7). I removed the complete config atm but am at the point of reinstalling now. I'll wait with that until you put your howto up. I can't lose the rfc2307 :-( and I can't lose control over uidNumber, gidNumber, home directories and login shells, and I'm adding a second DC later on. But what's the difference between RID and AD exactly, or just these 4 things?

I'll go try the sssd as suggested below on Ubuntu 12.04.

Best regards,

Louis

-----Original Message-----
From: rowlandpe...@googlemail.com [mailto:samba-boun...@lists.samba.org] On Behalf Of Rowland Penny
Sent: Monday 22 July 2013 23:45
To: steve
CC: samba@lists.samba.org
Subject: Re: [Samba] Winbind troubles

> If you want my opinion, this is just another example of why not to use winbind. If you can wait until tomorrow, I will send you a howto on sssd on Ubuntu 12.04
>
> Rowland
>
> On Jul 22, 2013 10:36 PM, steve st...@steve-ss.com wrote:
> On Mon, 2013-07-22 at 17:29 -0400, Matthew Daubenspeck wrote:
> On Mon, Jul 22, 2013 at 10:15:10PM +0100, Rowland Penny wrote:
> OK, that seems like it should work, I had the winbind ad backend working, but found it difficult to set up so jumped ship to sssd. The idmap setup I used was:
>
>   idmap config *:backend = tdb
>   idmap config *:range = 1100-2000
>   idmap config DOMAIN:backend = ad
>   idmap config DOMAIN:schema_mode = rfc2307
>   idmap config DOMAIN:range = 1-310
>
> As you can see the number ranges are the opposite way round to what you have, i.e. config*:range is lower than DOMAIN:range. You could also try (as a test) changing backend = ad to backend = rid, this will ignore the rfc2307 bit but will test the connection to the AD server.
>
> Rowland
>
> Changing the above ranges made no difference. However, changing backend = rid gets me:
>
>   root@srv2:~# getent passwd administrator
>   administrator:*:10005:1013:Administrator:/home/Administrator:/bin/sh
>
> Amazing;)
>
> That seems to be working perfectly. What would I be losing without rfc2307 (please excuse the ignorance)?
>
> You'd lose control over uidNumber, gidNumber and you wouldn't be able to specify your own home directories and login shells. It's also a nightmare if you add a second DC.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 09:40 +0200, L.P.H. van Belle wrote:
> Hai, I'm having exactly the same problem with winbind as Matthew Daubenspeck, also on Ubuntu 12.04 with SerNet packages (used sernet-samba-winbind 4.0.7). I removed the complete config atm but am at the point of reinstalling now. I'll wait with that until you put your howto up. I can't lose the rfc2307 :-( and I can't lose control over uidNumber, gidNumber, home directories and login shells, and I'm adding a second DC later on. But what's the difference between RID and AD exactly, or just these 4 things?

With AD you get exactly what _you_ put into the directory. There are no algorithms or separate databases used to confuse an already complicated issue. You put rfc2307 in AD and you get it back out when you need it, e.g. when a user logs in.

> I'll go try the sssd as suggested below on Ubuntu 12.04.

+1 sssd just works: there is plain English documentation available and you get rfc2307 out of the box. The same day;)

otoh, if you must stick with winbind there are reports of success here. Just one more thought: bugzilla it.

¡Suerte!
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 10:15 +0200, steve wrote:
[SNIP]
> +1 sssd just works: there is plain English documentation available and you get rfc2307 out of the box. The same day;)
>
> otoh, if you must stick with winbind there are reports of success here. Just one more thought: bugzilla it.

Winbind just works if you configure it properly. There is also plain English documentation available for winbind as well. The problem is that Matthew either did not read it or did not follow it. From man idmap_ad:

  The writeable default config is also needed in order to be able to create group mappings. This catch-all default idmap configuration should have a range that is disjoint from any explicitly configured domain with idmap backend ad.

This is where Matthew went wrong, it's right there in the man page (unlike three years ago). There are also a large smattering of posts from myself on this list over the last two years on how important it is not to have overlapping ranges for the local allocatable range. If you do, it simply does not work.

It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.

Just thought about nscd too. On some distros it's default. . .

Cheers,
Steve
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
>> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>
> Just thought about nscd too. On some distros it's default. . .

Good point, never run winbind and nscd at the same time on the same box. It's a recipe for trouble.

JAB.
Re: [Samba] Winbind troubles
On 23 July 2013 10:05, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> This is where Matthew went wrong, it's right there in the man page (unlike three years ago). There are also a large smattering of posts from myself on this list over the last two years on how important it is not to have overlapping ranges for the local allocatable range. If you do, it simply does not work.

OK, I see where you are coming from, but until testparm starts saying 'this will not work because' people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway? The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:
[SNIP]
> OK, I see where you are coming from, but until testparm starts saying 'this will not work because' people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway?

testparm does not guarantee a working configuration, it guarantees that you don't have any invalid configuration lines from a syntactic point of view.

I fully appreciate that it can seem confusing. I know three years ago when I first set it up I ended up reading large chunks of this mailing list's archive to find a single post that told me what I was doing wrong. At the time the idmap_ad manual page did not hold the necessary information. However today in mid 2013, the manual page is accurate and there are a *lot* more posts in the mailing list on how to set it up.

> The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.

The issue is that winbind needs somewhere to allocate UIDs and GIDs for the BUILTIN backend. As such it does not know in advance what a suitable block for this is. Only you the administrator can say this range here is not allocated in the AD. Also winbind can handle multiple domains so it needs to know which domain to use to look up a given UID or GID in.

JAB.
Re: [Samba] Winbind troubles
On 23 July 2013 11:40, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:06 +0100, Rowland Penny wrote:
> [SNIP]
>> OK, I see where you are coming from, but until testparm starts saying 'this will not work because' people will keep on having problems with winbind. Also, why do you need to set up the ranges anyway?
>
> testparm does not guarantee a working configuration, it guarantees that you don't have any invalid configuration lines from a syntactic point of view.

I thought that testparm did exactly that, it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.

> I fully appreciate that it can seem confusing. I know three years ago when I first set it up I ended up reading large chunks of this mailing list's archive to find a single post that told me what I was doing wrong. At the time the idmap_ad manual page did not hold the necessary information.

Darned right it is confusing.

> However today in mid 2013, the manual page is accurate and there are a *lot* more posts in the mailing list on how to set it up.

Yet people still get it wrong.

>> The user and group ranges are already set by the admin in uidNumber and gidNumber, so again, why do they need setting in smb.conf? IMHO the setting should be 'idmap config:backend = ad' and that should make winbind pull all the rfc2307 items for a user or group.
>
> The issue is that winbind needs somewhere to allocate UIDs and GIDs for the BUILTIN backend. As such it does not know in advance what a suitable block for this is. Only you the administrator can say this range here is not allocated in the AD.

Why are the BUILTIN UIDs and GIDs not set in stone, noted somewhere, and users told 'do not use this range'?

> Also winbind can handle multiple domains so it needs to know which domain to use to look up a given UID or GID in.

sssd can do this very easily, so your point is?

Rowland

> JAB.
[Samba] Win 2003 DC Demotion
All,

I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question:

Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it?

That's it. I'm primarily interested in yes responses but I'll take what I can get.

Thanx,
Garth
[Samba] Compiling Samba 4.0.7 - make test results
Hallo,

I'm new here. Doing compilation of Samba 4.0.7 on Debian Wheezy according to the Samba Wiki page. I have used configure parameters --enable-debug --enable-selftest and after make, I ran make test. Now I'm puzzled, because it apparently stops at step 96 (after 15 minutes, CPU still running at full speed), and I don't know how to interpret the results. I'm sending the output in attachment. Please, is my samba ready to go or not? What is the 1 error reported about? And why doesn't the test end correctly? Or how long should one normally wait for the test to complete?

Sincerely,
Peter
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
[SNIP]
> I thought that testparm did exactly that, it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.

You thought wrong then. It tests to see if they are valid, so 1000-akjf is invalid and will throw an error, 1000-2000 is valid and will not throw an error even if it overlaps with some other range.

> Darned right it is confusing.

It was confusing because the documentation at the time was not complete. That is no longer the case.

> Yet people still get it wrong.

There is no accounting for what some people do. I have just checked and a Google search for winbind ad rfc2307 setup gives a top hit that explains the ranges must be orthogonal.

> Why are the BUILTIN UIDs and GIDs not set in stone, noted somewhere, and users told 'do not use this range'?

Because your set in stone range might already be allocated in the AD. Not all Samba servers are green field deployments. Some/many have to integrate into already existing environments and hence admins need the flexibility to adapt to the environment they find themselves in.

>> Also winbind can handle multiple domains so it needs to know which domain to use to look up a given UID or GID in.
>
> sssd can do this very easily, so your point is?

That is the one thing that sssd cannot do. At least according to the documents I have read, multiple domains with cross domain trusts equals use winbind. Either way there is no way for either sssd or winbind to know which of the potential multiple domains it should look that up in. You could I guess take a sledgehammer approach and look it up in all the domains, but I can think of lots of reasons why that would not be a good idea.

JAB.
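The man page requirement quoted earlier in this thread (the default range must be disjoint from any explicitly configured 'backend = ad' domain) and the point made just above (testparm only checks that a range is syntactically valid, not that it is disjoint from the others) are easy to turn into a small check. The following is an added example, not code from the thread and not part of Samba or testparm: it parses the idmap config lines of an smb.conf and reports overlapping ranges, a missing default range, and the syntax errors testparm does catch. The two configurations embedded in it are constructed for illustration; the domain name EXAMPLE and the numeric ranges are assumptions.

```python
"""Flag overlapping 'idmap config' ranges in an smb.conf, the check testparm does not do.

Added example, not code from the thread or from Samba itself. It assumes the
idmap syntax used in Samba 3.6/4.0 smb.conf files ('idmap config DOMAIN : backend = ...'
and 'idmap config DOMAIN : range = LOW-HIGH'); the configurations below are constructed.
"""
import re
from typing import Dict, List, Tuple

# 'idmap config <domain> : <option> = <value>', with or without spaces around ':'.
_IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<domain>\S+?)\s*:\s*(?P<option>\w+)\s*=\s*(?P<value>.+?)$",
    re.IGNORECASE,
)


def parse_idmap_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every idmap config line in text."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # comments and blank lines
        m = _IDMAP_RE.match(line)
        if m:
            domains.setdefault(m.group("domain"), {})[m.group("option").lower()] = m.group("value")
    return domains


def parse_range(value: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH'; a syntax error here is the kind testparm does report."""
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value.strip())
    if not m:
        raise ValueError(f"invalid idmap range {value!r}")
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError(f"idmap range {value!r} has low > high")
    return low, high


def find_range_problems(config_text: str) -> List[str]:
    """Return a list of problems; an empty list means the ranges are usable."""
    domains = parse_idmap_config(config_text)
    problems: List[str] = []
    if "range" not in domains.get("*", {}):
        problems.append("no 'idmap config * : range': winbind has nowhere to allocate "
                        "IDs for BUILTIN and other unmapped SIDs")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in domains.items():
        if "range" not in opts:
            if dom != "*":
                problems.append(f"idmap config {dom}: no range set")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as err:
            problems.append(str(err))
    names = sorted(ranges)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                problems.append(f"ranges overlap: {a} {alo}-{ahi} and {b} {blo}-{bhi} "
                                "(man idmap_ad: the default range must be disjoint from "
                                "every 'backend = ad' domain)")
    return problems


# Constructed: the default (allocatable) range overlaps the AD range, which
# testparm accepts but winbind cannot work with.
BROKEN_CONF = """\
[global]
   security = ads
   idmap config * : backend = tdb
   idmap config * : range = 10000-20000
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 15000-30000
"""

# Constructed: the same settings with a default range disjoint from the AD range.
FIXED_CONF = BROKEN_CONF.replace("10000-20000", "3000-7999")


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}: {find_range_problems(conf) or 'ok'}")
```

Run it against a real smb.conf by reading the file into `find_range_problems`; the overlap test treats ranges as closed intervals, so a default range of 3000-7999 next to an AD range starting at 8000 passes while one ending at 8000 does not.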
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
>> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>
> Just thought about nscd too. On some distros it's default. . .

Another thought. The primary windows group of the account has to have unix attributes. For reasons I cannot fathom the gidNumber attribute of the account is not used by winbind and instead the primaryGroupID is used. If this group does not have a GID set then the lookup fails! I guess best practice is to keep the GID of the primaryGroupID and the gidNumber of the user the same, but I don't understand why it is the way it is.

JAB.
Re: [Samba] Winbind troubles
OK, the documentation is better but people still get it wrong, probably because it is more complex than it needs to be. I personally find it easier to set sssd up, but that is just me.

Why use a word like orthogonal? Just who knows what orthogonal means? I have only been speaking English for 56 years and have never used that word in a sentence. Just say what you mean and do not hide behind gobbledy-gook.

From what I can see the BUILTIN uids come from windows (and are called SIDs) and there they are set in stone.

From the sssd-1.9.0 announcement:

  Add a new PAC responder for dealing with cross-realm Kerberos trusts

Your turn ;-)

Rowland

On 23 July 2013 13:48, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:55 +0100, Rowland Penny wrote:
> [SNIP]
>> I thought that testparm did exactly that, it tested all the parameters in smb.conf, so if the ranges overlap, it should report the error.
>
> You thought wrong then. It tests to see if they are valid, so 1000-akjf is invalid and will throw an error, 1000-2000 is valid and will not throw an error even if it overlaps with some other range.
>
>> Darned right it is confusing.
>
> It was confusing because the documentation at the time was not complete. That is no longer the case.
>
>> Yet people still get it wrong.
>
> There is no accounting for what some people do. I have just checked and a Google search for winbind ad rfc2307 setup gives a top hit that explains the ranges must be orthogonal.
>
>> Why are the BUILTIN UIDs and GIDs not set in stone, noted somewhere, and users told 'do not use this range'?
>
> Because your set in stone range might already be allocated in the AD. Not all Samba servers are green field deployments. Some/many have to integrate into already existing environments and hence admins need the flexibility to adapt to the environment they find themselves in.
>
>>> Also winbind can handle multiple domains so it needs to know which domain to use to look up a given UID or GID in.
>>
>> sssd can do this very easily, so your point is?
>
> That is the one thing that sssd cannot do. At least according to the documents I have read, multiple domains with cross domain trusts equals use winbind. Either way there is no way for either sssd or winbind to know which of the potential multiple domains it should look that up in. You could I guess take a sledgehammer approach and look it up in all the domains, but I can think of lots of reasons why that would not be a good idea.
>
> JAB.
Re: [Samba] Winbind troubles
Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber:

  testuser
    primaryGroupID: 513
    uidNumber: 3001106
    gidNumber: 20513

  getent passwd testuser
  testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Rowland

On 23 July 2013 13:54, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> On Tue, 2013-07-23 at 11:25 +0200, steve wrote:
>> On Tue, 2013-07-23 at 10:05 +0100, Jonathan Buzzard wrote:
>>> It's probably still not working for him because he needs to clear the now polluted cache/database that winbind has created from previous attempts. Using net cache flush might work. Personally I would stop samba, delete the tdb files and start it again, redo the domain join and try it.
>>
>> Just thought about nscd too. On some distros it's default. . .
>
> Another thought. The primary windows group of the account has to have unix attributes. For reasons I cannot fathom the gidNumber attribute of the account is not used by winbind and instead the primaryGroupID is used. If this group does not have a GID set then the lookup fails! I guess best practice is to keep the GID of the primaryGroupID and the gidNumber of the user the same, but I don't understand why it is the way it is.
>
> JAB.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:20 +0100, Rowland Penny wrote:
> OK, the documentation is better but people still get it wrong, probably because it is more complex than it needs to be. I personally find it easier to set sssd up, but that is just me.
>
> Why use a word like orthogonal? Just who knows what orthogonal means? I have only been speaking English for 56 years and have never used that word in a sentence. Just say what you mean and do not hide behind gobbledy-gook.

Orthogonal is a single word, is precise and describes what is required exactly. It has been in my vocabulary for approaching 30 years. Non-overlapping range is three words and more characters as well. I was not aware that Newspeak was now a requirement for posting on this list.

> From what I can see the BUILTIN uids come from windows (and are called SIDs) and there they are set in stone.

The SIDs are set in stone, they have no UIDs set in stone. Winbind, to work, allocates a UID to them in its allocatable (usually local) database. There must be no conflicts between these allocated UIDs and the UIDs in the domain, hence the requirement that the ranges given to winbind be orthogonal.

> From the sssd-1.9.0 announcement:
>   Add a new PAC responder for dealing with cross-realm Kerberos trusts

Well that's relatively new (aka less than a year old). I guess not that many enterprise distributions will carry it (though RHEL 6.4 does).

What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

JAB.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber:
>
>   testuser
>     primaryGroupID: 513
>     uidNumber: 3001106
>     gidNumber: 20513
>
>   getent passwd testuser
>   testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash

Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.

I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.

Sometimes my mind boggles at just how much people don't understand AD and Samba in the Linux/Unix world.

JAB.
Re: [Samba] Errors in parse_share_modes Testing CTDB 2.3 and Samba 4.0.7
Volker Lendecke volker.lende...@sernet.de wrote on 07/23/2013 02:15:03 AM:
> On Mon, Jul 22, 2013 at 03:43:21PM -0500, John P Janosik wrote:
>> I'm working on building a CTDB/Samba cluster on AIX 7.1 with the latest levels to replace an older one running CTDB 1.0.113 and Samba 3.6.1. I have the new servers up and running and they seem to work, but I'm worried about some messages in the logs. I run with log level 1 on the servers so that the connection details are logged. On the old cluster there were only connection/closed connection, and client time-out messages in the logs. On the new cluster I see the following messages very often:
>>
>> [2013/07/22 15:09:02.594483, 1, pid=9437314] ../librpc/ndr/ndr.c:412(ndr_pull_error)
>>   ndr_pull_error(11): Pull bytes 4 (../librpc/ndr/ndr_basic.c:148)
>> [2013/07/22 15:09:02.594636, 1, pid=9437314] locking/share_mode_lock.c:136(parse_share_modes)
>>   ndr_pull_share_mode_lock failed
>
> Very likely that's bug 10008.
>
> Volker

That does appear to be the problem. Can anyone comment on the likelihood of a fix in the next few weeks? I'm trying to decide if I should wait or go with CTDB 2.3/Samba 3.6.16.

Thanks,
John
jpjan...@us.ibm.com
Re: [Samba] Winbind troubles
On 23 July 2013 14:53, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> Orthogonal is a single word, is precise and describes what is required exactly. It has been in my vocabulary for approaching 30 years. Non-overlapping range is three words and more characters as well. I was not aware that Newspeak was now a requirement for posting on this list.

OK, so it is in your vocabulary, but it is not in mine, nor I believe the vast number of the English speaking world. You think that you know what it means, but have a look here: http://www.merriam-webster.com/dictionary/orthogonal Your definition is not mentioned.

>> From what I can see the BUILTIN uids come from windows (and are called SIDs) and there they are set in stone.
>
> The SIDs are set in stone, they have no UIDs set in stone. Winbind, to work, allocates a UID to them in its allocatable (usually local) database. There must be no conflicts between these allocated UIDs and the UIDs in the domain, hence the requirement that the ranges given to winbind be orthogonal.

Well perhaps they should be now. The problem that I see is that RHEL etc. uses 0-500 for local users and Debian uses 0-999, so perhaps reserve 1100 - 1200 for the BUILTIN users.

>> From the sssd-1.9.0 announcement:
>>   Add a new PAC responder for dealing with cross-realm Kerberos trusts
>
> Well that's relatively new (aka less than a year old). I guess not that many enterprise distributions will carry it (though RHEL 6.4 does).

ER, isn't RHEL THE enterprise distro?

> What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

For me it is a lot easier to configure, I don't have to worry about orthogonal numbers for instance (drat, now you have got me at it) ;-0

Rowland
Re: [Samba] Winbind troubles
On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

As I said, sssd uses the user's gidNumber not the primaryGroupID. I may be wrong but I believe that the primaryGroupID is a windows thing and as such should be ignored by winbind if it is instructed to use rfc2307 attributes, but that is just my opinion.

> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513.
>
> I would say even if sssd uses the gidNumber of the user it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.

So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com

  gidNumber: 20513

As you can see, it is the same gidNumber that the user has.

If you want my opinion, and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server, they are totally different.

Rowland
Re: [Samba] Winbind troubles
Hello Jonathan, you wrote on 23.07.13:

>> Why use a word like orthogonal?
>
> Orthogonal is a single word, is precise and describes what is required exactly.

Sorry - that depends. I know this word as a synonym of rectangular, and I mostly know it in a geometrical environment. 90 degrees = pi/2 = 100 gon. These degrees are not to be mistaken for degrees Fahrenheit or degrees Celsius.

Best regards!
Helmut
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 14:53 +0100, Jonathan Buzzard wrote:
> What gets me is people claiming that half a dozen lines of configuration in smb.conf is more complicated than 30+ lines of configuration in an entirely separate configuration file in addition to several lines in smb.conf. It might be more performant, it might have fewer bugs etc. but it is absolutely not simpler to configure.

The main difference is that even though sssd may involve copying and pasting a configuration file to /etc somewhere and changing the domain name therein, once you've done it, you just start it and forget it. Unfortunately most mortals here cannot do that with winbind. That's why we always try and help users with winbind.

Don't let's forget the OP in all this: the winbind documentation seems to be written by devs, for devs. There is nothing written in simple terms to help us nor the OP.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> On 23 July 2013 15:04, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
>> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.
>
> As I said, sssd uses the user's gidNumber, not the primaryGroupID. I may be wrong, but I believe that the primaryGroupID is a Windows thing and as such should be ignored by winbind if it is instructed to use rfc2307 attributes, but that is just my opinion.

You don't seem to have taken on board that primaryGroupID is a numerical identifier for an actual group. Now why Microsoft didn't use the group's SID I have not the faintest idea.

The number returned by primaryGroupID is only used by winbind to identify the primary group of the user. It then looks up the gidNumber for that group and returns that. Would it be a good idea for the user to have a different primary group in Windows land from Unix land? I tend to think that keeping them the same is a good idea, and hence the way winbind does it has considerable merit. In particular you can use the Windows tools to change the primary group of the user and get expected results on both Windows and Unix. Basically, adding a gidNumber to each user is a redundant feature of RFC2307.

>> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513. I would say even if sssd uses the gidNumber of the user, it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>
> So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com
> gidNumber: 20513
> As you can see, it is the same gidNumber that the user has.

But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user, or took the primaryGroupID and then looked up the gidNumber of that group. As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated. It might well be that what you claim is true; it is just that your example does not demonstrate it to be conclusively the case.

> If you want my opinion, and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server; they are totally different.

Absolutely. I think much of the Samba4 related stuff on this mailing list would not be here if the users bothered to read a dummies guide to AD at a minimum. If you don't have a good understanding of how AD works then trying to set up a Samba4 AD domain controller is probably a bad idea.

JAB.
-- 
Jonathan A. Buzzard  Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
>> Could this be yet another reason to use sssd instead of winbind? sssd does use the account gidNumber
>>
>> testuser
>> primaryGroupID: 513
>> uidNumber: 3001106
>> gidNumber: 20513
>>
>> getent passwd testuser
>> testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
>
> Not what I said. The primaryGroupID is an identifier for a group in AD, a bit like a SID is (I don't get that either). So primaryGroupID 513 might refer to a group called sambausers, which has its own set of RFC2307bis attributes which include a gidNumber. Winbind uses the gidNumber of the primaryGroupID, not the primaryGroupID itself, which is something entirely different.

I'd put good money on this working as both group and primary group:

getent group Domain\ Users
Domain Users:*:20513:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

There are problems in setting primaryGroupID to groups other than Domain Users using S4, but as I understand it, the primary group will determine the default group of the file ownership when a user creates a file. He could be in many groups, but files created by default will be of the group of the primary group.

> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513. I would say even if sssd uses the gidNumber of the user, it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>
> Sometimes my mind boggles at just how much people don't understand AD and Samba in the Linux/Unix world.
>
> JAB.
> -- 
> Jonathan A. Buzzard  Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 16:44 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
>> If you want my opinion, and you probably don't, people need to stop thinking NT server if they connect to a samba4 AD server and start thinking AD server; they are totally different.
>
> Absolutely. I think much of the Samba4 related stuff on this mailing list would not be here if the users bothered to read a dummies guide to AD at a minimum. If you don't have a good understanding of how AD works then trying to set up a Samba4 AD domain controller is probably a bad idea.

To me AD is LDAP. If I'd never set up openLDAP in a Linux-only environment a few years back, I'd be totally and utterly knackered with S4 AD.
Re: [Samba] Winbind troubles
On 23 July 2013 16:44, Jonathan Buzzard jonat...@buzzard.me.uk wrote:
> You don't seem to have taken on board that primaryGroupID is a numerical identifier for an actual group. Now why Microsoft didn't use the group's SID I have not the faintest idea.

I suppose that you have noticed that the primaryGroupID is the RID from the group's SID, and yes, I had taken it on board.

> The number returned by primaryGroupID is only used by winbind to identify the primary group of the user. It then looks up the gidNumber for that group and returns that. Would it be a good idea for the user to have a different primary group in Windows land from Unix land? I tend to think that keeping them the same is a good idea, and hence the way winbind does it has considerable merit. In particular you can use the Windows tools to change the primary group of the user and get expected results on both Windows and Unix.

I would agree with you here: the user's primary group needs to be the same in Windows and Linux.

> Basically, adding a gidNumber to each user is a redundant feature of RFC2307.

Redundant it may be, but it is the way that Windows wants it to be done.

>>> As such your example does not show what you think it does show, because you have not shown the gidNumber of the group identified by primaryGroupID 513. I would say even if sssd uses the gidNumber of the user, it would in my opinion be good practice to keep the gidNumber of the user the same as the gidNumber of the Windows primary group.
>>
>> So sorry, this is the gidNumber attribute from dn: CN=Domain Users,CN=Users,DC=example,DC=com
>> gidNumber: 20513
>> As you can see, it is the same gidNumber that the user has.
>
> But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice), without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user, or took the primaryGroupID and then looked up the gidNumber of that group. As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.

Does it matter, as long as the right answer is returned? But for your information, sssd pulls ALL the information from the user's RFC2307 information; in fact it pulls more information than winbind.

Rowland
Re: [Samba] dns query not giving back all registers (solved)
Hello list.

If I query my samba4 Active Directory domain with dig mydomain ANY or MX, it answers just with SOA and NS records, but not MX or some others I have already defined. Is it right?? I've tried from the samba4 server itself and from another Linux host. My samba4 is up-to-date, using bind9.7.3 with samba_dlz.

My mistake. I created the records from the DNS console in Windows in a wrong way. I should have left the first space blank when creating an MX record. After leaving the first space (host or child domain) blank, everything worked fine!

Cheers,
Felix.
[Samba] Upgrading samba3 to samba4 on a new server, and running them both at the same time
With relation to this page: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

I would like to upgrade to samba4 on a new server, but would like to test it all out before finalizing the switch. My question is, can I copy over my tdb and smb.conf files (as mentioned in the above link), and then upgrade to samba4 on the new server, while staying on the same subnet of my network? In other words, have both servers live at the same time, on the same network? The domain name and SID would be the same, but the host (netbios) name of the two samba servers would be different.

I've gotta say, this sounds like a Very Bad Idea, and I can't imagine anything good coming of it, but hey, maybe it would work? Or maybe I could make it work with some slight config changes on the new server, during or after the upgrade provisioning?

What I'm trying to avoid is having to physically set up a test network that is completely isolated from our live samba3 network, in order to test everything out. If I can run them both on the same network, it would be so much easier for me. (Our server closet is pretty small, and the thought of physically wiring up a different switch with test workstations, etc, is not something I want to do if at all possible).

Thanks for any input.
Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set
Hi,

In time honoured fashion I am replying to my own post, as I think I have figured out a workaround to my issue. Hopefully this will help others - here's what I did.

On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:
> Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7 from source), but I get the following:
> [...]
> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org'!

After some careful googling, and trying to figure out what the heck a RID Set was, and why it couldn't be added, I discovered it was a property of a domain controller, and I think I should really have one against my existing DC - but I didn't.

First step was ADSI Edit, to create it - but then I discovered that whilst ADSI Edit can create many things, a RID Set is not one of them.

Second step was LDIFDE: I exported the RID Set from my other DC (in the other site), edited the LDIF to make a new RID Set for my existing DC - but couldn't import it (The server is unwilling to process the request).

Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO role across between the DCs:

second-existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

The transfer was successful, but some kind of error occurred.. (!)

But, I was able to transfer the role back to the first DC - and this time, a RID Set finally appeared in AD! I did, however, get exactly the same error. This happened however many times I transferred the role, and for any role (I tried all of them :-))

existing-dc# samba-tool fsmo seize --role=rid
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!

Still.. I have now been able to successfully join my domain - which does solve my initial problem, so I'm happy there at least. (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure if this is good, or bad! :))

Hopefully this post will be helpful to somebody in the future... Just a note, however - I hardly ever check this gmail account, so please don't rely on a speedy response if you do see this post and want to reply to me personally!

Thanks all,

Jonathan
-- 
If we knew what it was we were doing, it would not be called research, would it? - Albert Einstein
Re: [Samba] Win 2003 DC Demotion
On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
> All, I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question: Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it? That's it. I'm primarily interested in yes responses but I'll take what I can get.

It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set
On Tue, 2013-07-23 at 20:38 +0100, Jonathan Hunter wrote:
> Hi,
>
> In time honoured fashion I am replying to my own post, as I think I have figured out a workaround to my issue. Hopefully this will help others - here's what I did.
>
> On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:
>> Now, I try to join the new server (CentOS 6.4 clean install; Samba 4.0.7 from source), but I get the following:
>> [...]
>> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 2035: ../source4/dsdb/samdb/ldb_modules/ridalloc.c:517: No RID Set DN - Failed to add RID Set CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org - objectclass: object class 'rIDSet' is system-only, rejecting creation of 'CN=RID Set,CN=EXISTING-DC,OU=Domain Controllers,DC=mydomain,DC=org'!
>
> After some careful googling, and trying to figure out what the heck a RID Set was, and why it couldn't be added, I discovered it was a property of a domain controller, and I think I should really have one against my existing DC - but I didn't.
>
> First step was ADSI Edit, to create it - but then I discovered that whilst ADSI Edit can create many things, a RID Set is not one of them.
>
> Second step was LDIFDE: I exported the RID Set from my other DC (in the other site), edited the LDIF to make a new RID Set for my existing DC - but couldn't import it (The server is unwilling to process the request).
>
> Finally I hit upon the plan of transferring the RIDAllocationMaster FSMO role across between the DCs:
>
> second-existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!
>
> The transfer was successful, but some kind of error occurred.. (!)

The error is a red herring, resolved in current versions. There wasn't actually an error :-)

> But, I was able to transfer the role back to the first DC - and this time, a RID Set finally appeared in AD! I did, however, get exactly the same error. This happened however many times I transferred the role, and for any role (I tried all of them :-))
>
> existing-dc# samba-tool fsmo seize --role=rid
> Attempting transfer...
> FSMO transfer of 'rid' role successful
> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!
>
> Still.. I have now been able to successfully join my domain - which does solve my initial problem, so I'm happy there at least. (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure if this is good, or bad! :))

A DC should ask for a RID set to be created shortly after starting up, and certainly when an attempt to create users is made.

Andrew Bartlett
-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 02:54 PM, Andrew Bartlett wrote:
> On Tue, 2013-07-23 at 06:49 -0500, Garth Keesler wrote:
>> All, I've posted a few times about this but without response so it seems that not many folks are trying to do this. So, before I spend many more hours on this trying to make it work, a simple yes or no question: Has anyone successfully demoted a Win 2003 PDC without error after joining a Samba 4.x DC to it? That's it. I'm primarily interested in yes responses but I'll take what I can get.
>
> It would help if you can describe the errors you get when this fails for you. It certainly is meant to work.
>
> Thanks,
>
> Andrew Bartlett

First, thanx for the reply. I'm not exactly sure what to send so I'll send a lot. Let me know if you need more.

The errors (not really errors) have to do with the fact that Forest and Domain DNS repl are one-way from WINDC to SAMBADC, so when I try and demote WINDC, it refuses to demote because it believes it is the only holder of that info. Also, when I try and add the Samba DC to the Win DNS MMC, it refuses to add it because it does not detect that the Samba DC is in fact an Active Domain server. This is in spite of the fact that (some) replication does occur.

root@sambadc:~# samba --version
Version 4.1.0rc1
root@sambadc:~#
root@sambadc:~# samba-tool drs showrepl
PRR\SAMBADC
DSA Options: 0x0001
DSA object GUID: 981910d4-81a9-4421-8134-4961a3c474ad
DSA invocationId: c004e70f-5b8c-4dd8-b364-b1c110cd241c

INBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=ForestDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

DC=DomainDnsZones,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Tue Jul 23 14:57:42 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Tue Jul 23 14:57:42 2013 CDT

OUTBOUND NEIGHBORS

DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

CN=Schema,CN=Configuration,DC=mydomain,DC=com
    PRR\WINDC via RPC
        DSA object GUID: a8260438-0154-4429-829b-c0b7914e4525
        Last attempt @ Sat Jul 20 05:57:20 2013 CDT was successful
        0 consecutive failure(s).
        Last success @ Sat Jul 20 05:57:20 2013 CDT

KCC CONNECTION OBJECTS

Connection --
    Connection name: 130d9758-a7b2-4a25-b0b7-40ce00d9ef2a
    Enabled: TRUE
    Server DNS name : windc.mydomain.com
    Server DN name : CN=NTDS Settings,CN=WINDC,CN=Servers,CN=PRR,CN=Sites,CN=Configuration,DC=mydomain,DC=com
        TransportType: RPC
        options: 0x0001
Warning: No NC replicated for Connection!
root@sambadc:~#
root@sambadc:~# samba-tool dbcheck
Checking 2290 objects
ERROR: missing GUID component for ipsecOwnersReference in object CN=ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A3},CN=IP Security,CN=System,DC=mydomain,DC=com -
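As an added example (not code from the thread or from Samba), here is a small parser for the text that `samba-tool drs showrepl` prints. It lists the naming contexts that appear under INBOUND NEIGHBORS but not under OUTBOUND NEIGHBORS, which is the one-way DNS-partition replication Garth describes above, and counts the KCC "No NC replicated" warnings. The embedded sample is a constructed, abbreviated copy of the values quoted in his message; the regexes assume the layout shown there (NC DN at column 0, partner lines indented, section banners with or without `====`).

```python
import re
from typing import Dict, List

# Constructed sample, abbreviated from the showrepl output quoted in the thread:
# per-partner detail lines other than the failure count are left out for brevity.
SAMPLE_SHOWREPL = """\
PRR\\SAMBADC

==== INBOUND NEIGHBORS ====

DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

DC=ForestDnsZones,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

CN=Configuration,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

CN=Schema,CN=Configuration,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

DC=DomainDnsZones,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====

DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

CN=Configuration,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

CN=Schema,CN=Configuration,DC=mydomain,DC=com
\tPRR\\WINDC via RPC
\t\t0 consecutive failure(s).

==== KCC CONNECTION OBJECTS ====

Connection --
Warning: No NC replicated for Connection!
"""

SECTION_RE = re.compile(r"^=*\s*(INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS)\s*=*$")
PARTNER_RE = re.compile(r"^(\S+) via (\S+)$")
FAILURES_RE = re.compile(r"^(\d+) consecutive failure\(s\)\.$")

def parse_showrepl(text: str) -> Dict[str, object]:
    """Return {'inbound': {nc: [partner dicts]}, 'outbound': {...}, 'kcc_warnings': n}."""
    result: Dict[str, object] = {"inbound": {}, "outbound": {}, "kcc_warnings": 0}
    section = None   # 'inbound', 'outbound', 'kcc', or None before the first banner
    nc = None        # naming context that the indented lines below belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = {"INBOUND NEIGHBORS": "inbound", "OUTBOUND NEIGHBORS": "outbound"}.get(m.group(1), "kcc")
            nc = None
            continue
        if section == "kcc":
            if line.startswith("Warning: No NC replicated"):
                result["kcc_warnings"] += 1
            continue
        if section is None:
            continue
        partners = result[section]
        if not raw[0].isspace() and line[:3] in ("DC=", "CN="):
            nc = line                      # NC DNs sit at column 0; partners are indented
            partners.setdefault(nc, [])
            continue
        m = PARTNER_RE.match(line)
        if m and nc is not None:
            partners[nc].append({"partner": m.group(1), "transport": m.group(2), "failures": 0})
            continue
        m = FAILURES_RE.match(line)
        if m and nc is not None and partners[nc]:
            partners[nc][-1]["failures"] = int(m.group(1))   # belongs to the last partner seen
    return result

def one_way_ncs(parsed: Dict[str, object]) -> List[str]:
    """Naming contexts this DC pulls from a partner but never pushes back out."""
    return sorted(set(parsed["inbound"]) - set(parsed["outbound"]))

if __name__ == "__main__":
    parsed = parse_showrepl(SAMPLE_SHOWREPL)
    print("inbound-only NCs:", one_way_ncs(parsed))
    print("KCC warnings:", parsed["kcc_warnings"])
```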
Re: [Samba] Upgrading samba3 to samba4 on a new server, and running them both at the same time
On Tue, 2013-07-23 at 09:46 -0700, Scott Goodwin wrote:
> What I'm trying to avoid is having to physically set up a test network that is completely isolated from our live samba3 network, in order to test everything out. If I can run them both on the same network, it would be so much easier for me. (Our server closet is pretty small, and the thought of physically wiring up a different switch with test workstations, etc, is not something I want to do if at all possible).

Use a test network. Once clients see an AD DC, they won't like the old server, particularly for NT System Policies, or if they change their machine account passwords. Additionally, the DCs will fight over the PDC role netbios name.

Andrew Bartlett
-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 03:37 PM, Garth Keesler wrote:
> [SNIP]
[Samba] Cannot join Windows XP Pro to new Samba 4 AD
I have upgraded my Samba3+LDAP system to Samba 4 following the instructions given here: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

I did this on a test server (so I also moved the ldap database, installed openldap, etc). The installation passes all the simple tests suggested here: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Testing_connectivity_to_your_Samba_AD_DC

However, when I attempt to join a Windows XP Pro system to the domain, I get an RPC error. Also, if I attempt to log onto a system that was already joined, I am prompted for a password change and then I get a message about the domain not being available. Both of the Windows systems had the registry changes that were once required for Samba3 (signorseal in particular).

I have not been able to find any information about the RPC error that makes sense. Some have suggested adding entries such as https://lists.samba.org/archive/samba/2013-January/171216.html

If anyone has any suggestions for troubleshooting, I'd appreciate the advice.

Sincerely,
Dave Hopkins
Newark Charter School
[Samba] Samba4 AD SysVol Replication (HowTo + Script)
Hello,

as it is often a question here on the lists and by many others on the internet, I wrote a new HowTo for setting up a SysVol replication workaround, until Samba supports this feature by itself: https://wiki.samba.org/index.php/SysVol_Replication

For the replication process, I wrote a Bash script, put it on my webspace and linked it in the HowTo, which should describe everything.

I hope this would be a good start/solution for people currently missing this feature. Feel free to give suggestions, comments, etc. :-)

Regards,
Marc

PS: If the Samba developers think it would be an advantage, it would be OK for me if the script were added to the samba package.
Re: [Samba] Samba4 join new DC: No RID Set DN - Failed to add RID Set
On 23 July 2013 21:37, Andrew Bartlett abart...@samba.org wrote:
> On 22 July 2013 22:01, Jonathan Hunter jmhunt...@gmail.com wrote:
>> second-existing-dc# samba-tool fsmo seize --role=rid
>> Attempting transfer...
>> FSMO transfer of 'rid' role successful
>> ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify message must have elements/attributes!
>
> The error is a red herring, resolved in current versions. There wasn't actually an error :-)

Ahh great - thank you! :)

>> (Interestingly, my shiny new DC does not have a RID Set.. I'm not yet sure if this is good, or bad! :))
>
> A DC should ask for a RID set to be created shortly after starting up, and certainly when an attempt to create users is made.

OK. At this point I must admit to being impatient, and I did the 'fsmo seize' trick a couple of times again, to get a RID set for my new server. I didn't realise (or know!) that there was, or could be, a short delay... although, during my 'fsmo seize' on one DC, and 'fsmo show' on another DC, I did realise there was a delay in replication at the very least.

I should also at least mention that when I tried 'fsmo seize --role=all', it just seized the rid role and no others - I had to run each one manually. Not sure if that was an error in my setup, or a bug in samba-tool, but that was only a minor hiccup in my larger exercise.

Anyway, I'm on to my next challenge now in my 'setting up new server' saga, so that's good - thank you very much! :)

Jonathan
-- 
If we knew what it was we were doing, it would not be called research, would it? - Albert Einstein
Re: [Samba] Winbind troubles
On 23/07/13 17:10, Rowland Penny wrote:
[SNIP]
> > But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice) without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID, and then looked up gidNumber of that group. As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.
>
> Does it matter, as long as the right answer is returned?

Only in that you gave an example that claimed to show that sssd used the gidNumber from the user's entry. The point I was making is that it did not actually show that. What it showed was sssd returning a GID that matched the gidNumber from the user's entry, which while close is not what you claimed.

> But for your information, sssd pulls ALL the information from the user's RFC2307 information, in fact it pulls more information than winbind.

Well then that sucks and I prefer the winbind method, because as far as I am aware changing the Windows primary group (at least under 2003R2 and 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's gidNumber. As such it is inevitable that mistakes will be made, things will get out of sync and stuff will break in odd, not apparent ways. Reasons why winbind is better than sssd if you ask me :-)

JAB.

-- 
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
Re: [Samba] Winbind troubles
On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
> On 23/07/13 17:10, Rowland Penny wrote:
> [SNIP]
> > > But if the group identified by primaryGroupID 513 has gidNumber 20513 (which would be in my opinion best practice) without looking in the source code of sssd you don't know whether sssd took the gidNumber of the user or took the primaryGroupID, and then looked up gidNumber of that group. As your example has not shown what the gidNumber of the group identified by primaryGroupID 513 is, it has not demonstrated what you claim it has demonstrated.
> >
> > Does it matter, as long as the right answer is returned?
>
> Only in that you gave an example that claimed to show that sssd used the gidNumber from the user's entry. The point I was making is that it did not actually show that. What it showed was sssd returning a GID that matched the gidNumber from the user's entry, which while close is not what you claimed.
>
> > But for your information, sssd pulls ALL the information from the user's RFC2307 information, in fact it pulls more information than winbind.
>
> Well then that sucks and I prefer the winbind method, because as far as I am aware changing the Windows primary group (at least under 2003R2 and 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's gidNumber. As such it is inevitable that mistakes will be made, things will get out of sync and stuff will break in odd, not apparent ways. Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't think we're helping the OP at all, rather serving to confuse :(

For the record, sssd pulls all its info from AD. A user does not need a gidNumber, it is drawn from the primaryGroupID. For Linux clients it is vital that whatever the primaryGroupID is contains the gidNumber attribute. sssd does the rest.

I see that the classicupgrade retains the user gidNumber, so maybe we should keep it in the DN of not only the primaryGroup but also in the DN for new users too. For compatibility?
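The two derivations the thread argues about, written out as an added example (not code from winbind, sssd or Samba, and it takes no position on which of the two either daemon really uses): one path reads the user's own gidNumber, the other takes primaryGroupID as a RID, finds the group with that RID and uses the group's gidNumber. The domain SID and every directory entry below are constructed sample data. compare() is the audit a practitioner would want before switching resolvers, and change_primary_group() shows the drift JAB describes, since an AD-side primary group change leaves gidNumber untouched.

```python
"""Model of two ways to derive a Unix GID from an AD user entry.

  rfc2307 : the user's own gidNumber attribute
  primary : primaryGroupID (a RID) -> group with that RID -> its gidNumber

Added illustration with constructed data; not code from any project.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

USERS = {  # constructed user entries, attribute names as in AD
    "alice": {"objectSid": f"{DOMAIN_SID}-1105", "primaryGroupID": 513,  "gidNumber": 20513},
    "bob":   {"objectSid": f"{DOMAIN_SID}-1106", "primaryGroupID": 1107, "gidNumber": 20513},
    "carol": {"objectSid": f"{DOMAIN_SID}-1108", "primaryGroupID": 513},  # no gidNumber at all
}
GROUPS = {  # constructed group entries
    "Domain Users": {"objectSid": f"{DOMAIN_SID}-513",  "gidNumber": 20513},
    "research":     {"objectSid": f"{DOMAIN_SID}-1107", "gidNumber": 20107},
    "nogid":        {"objectSid": f"{DOMAIN_SID}-1109"},  # group without gidNumber
}


def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def group_with_rid(rid):
    """Find the group in the (constructed) domain whose SID ends in rid."""
    for name, entry in GROUPS.items():
        if rid_of(entry["objectSid"]) == rid:
            return name, entry
    return None, None


def gid_rfc2307(user):
    """RFC2307 style: the user's own gidNumber, or None when unset."""
    return user.get("gidNumber")


def gid_primary(user):
    """primaryGroupID style: gidNumber of the group whose RID matches.

    Returns None when no group carries that RID or the group has no gidNumber,
    which is the 'primary group must have a gidNumber' requirement from the thread.
    """
    _name, group = group_with_rid(user["primaryGroupID"])
    return None if group is None else group.get("gidNumber")


def compare(users=USERS):
    """Audit: per user, (rfc2307 gid, primary-group gid, do they agree?)."""
    report = {}
    for name, user in users.items():
        a, b = gid_rfc2307(user), gid_primary(user)
        report[name] = (a, b, a is not None and a == b)
    return report


def change_primary_group(user, group_name):
    """Mimic an AD-side primary group change: only primaryGroupID moves,
    an existing gidNumber is left as it was, so the two derivations drift."""
    user["primaryGroupID"] = rid_of(GROUPS[group_name]["objectSid"])
    return user


if __name__ == "__main__":
    for name, (a, b, ok) in compare().items():
        print(f"{name:6} rfc2307={a} primary={b} {'agree' if ok else 'DIFFER'}")
```

Run it as-is to see alice agree, bob differ (gidNumber 20513 but primary group RID 1107 maps to 20107) and carol resolve only via her primary group; the same compare() over a real export is the check to run before trusting either resolver.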
[Samba] Error on classic upgrade - valid group
Hi.

I'm trying to convert from s3 to s4 using classic upgrade. I have an LDAP backend and I'm getting this error:

Ignoring group 'pgrd' S-1-5-21-511255529-1355219746-1726288727-3007 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)

The problem is that this group is valid and almost all our users are in this group, so I can't just ignore it. Browsing my LDAP I can find and see this group and this SID.

What could be wrong?

Tks
[Samba] Issues launching files from a Command Prompt
Ever since upgrading from Fedora 17 to Fedora 19, which included moving from Samba 3.* to 4.*, I've had issues opening files from a Windows Command Prompt. I can open files fine from an Explorer window, but if I drop down to a Command Prompt and type a file name, that no longer opens the file. I've done some poking around and discovered that if I set the execute bit on the files, then everything works. That said, I'd rather not set the execute bit on entire swaths of directory trees, and this didn't seem to be an issue under Samba 3. I used Procmon.exe to confirm that cmd.exe is definitely requesting Execute/Traverse on the file and that the response is failing.

This behavior also has interesting impacts on *.BAT files. If I don't set the execute bit (and I'd rather not, since I don't want Unix attempting to execute those files), I can't launch *.BAT files from Explorer because Explorer checks Execute/Traverse permissions. I can, however, run the *.BAT file from a Command Prompt, because it doesn't check Execute/Traverse! So basically Windows does inconsistent things with the access permissions it requests when opening files from a Command Prompt vs. Explorer.

Once again, I didn't have these issues until I migrated from 3.* to 4.*. In general, the Windows world generally grants Execute whenever it grants Read and leaves it up to file extensions to control what runs. I'd prefer not to have to mess with the execute bit on the Unix side if I can - my preference is for that bit to be reserved for controlling whether Unix considers the file to be executable or not.

I've poked around, but I can't seem to find any setting in smb.conf that lets me control the mapping from Unix permission bits to Windows ACLs. I'd really like some sort of setting that allows me to say, whenever you see the read bit turned on, map that to Read and Execute.

It's not so much how the ACLs display in Windows that matters, since I've tried using nt acl support = no and the underlying request still gets denied. It's how Samba responds to the desired access mask.

Thoughts?

Details:
* Server is running Fedora 19 x86_64 w/ samba-4.0.7-1.fc19.x86_64
* Client is running Windows 7 x64 SP1

Interesting sections from smb.conf:

    map archive = no
    map hidden = no
    map read only = no
    map system = no
    store dos attributes = yes
    unix extensions = no

    [homes]
    comment = Home Directories
    browseable = no
    writable = yes
    hide files = /Thumbs.db*/desktop.ini/$RECYCLE.BIN/
    create mask = 0675
    directory mask = 0775
    wide links = yes

--Toby Ovod-Everett
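Before touching execute bits across a tree, it helps to know how many files are actually affected. The following is an added example, not code from the post or from Samba: it models the assumption the post describes (a client asking for FILE_EXECUTE is denied unless the matching Unix x bit is set, while plain FILE_READ_DATA only needs the r bit), then walks a share root and counts, per extension, the files that are readable but would fail cmd.exe's open-for-execute. The sample tree it builds is constructed, with modes chosen to show both outcomes; the access-mask constants are the MS-DTYP file-rights values.

```python
"""Audit a share for files readable but not executable by a given identity class.

Added illustration; the access check below is a model of the behaviour described
in the post, not smbd's code. Sample tree is constructed in a temp directory.
"""
import os
import stat
import tempfile
from collections import Counter

# Windows file-specific access rights (MS-DTYP ACCESS_MASK).
FILE_READ_DATA = 0x0001
FILE_EXECUTE = 0x0020

# Unix (read, execute) bits that each identity class is checked against.
_BITS = {
    "owner": (stat.S_IRUSR, stat.S_IXUSR),
    "group": (stat.S_IRGRP, stat.S_IXGRP),
    "other": (stat.S_IROTH, stat.S_IXOTH),
}


def unix_mode_grants(mode, who, desired):
    """True if the mode bits for `who` satisfy every right in `desired`.

    Model assumption (from the post): read needs the r bit, execute needs the x bit,
    and execute is no longer implied by read.
    """
    rbit, xbit = _BITS[who]
    if desired & FILE_READ_DATA and not mode & rbit:
        return False
    if desired & FILE_EXECUTE and not mode & xbit:
        return False
    return True


def audit_tree(root, who="owner"):
    """Count, per lower-cased extension, regular files that are readable for `who`
    but would be denied an open that also asks for FILE_EXECUTE."""
    affected = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            st = os.lstat(os.path.join(dirpath, name))
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            readable = unix_mode_grants(mode, who, FILE_READ_DATA)
            runnable = unix_mode_grants(mode, who, FILE_READ_DATA | FILE_EXECUTE)
            if readable and not runnable:
                affected[os.path.splitext(name)[1].lower() or "(none)"] += 1
    return affected


def build_sample_tree():
    """Constructed share: two readable-only files, one executable, one unreadable."""
    root = tempfile.mkdtemp(prefix="share-")
    layout = {
        "notes.txt": 0o644,          # readable, no x bit
        "sub/run.bat": 0o644,        # readable, no x bit
        "sub/tool.exe": 0o755,       # readable and executable
        "secret.key": 0o000,         # not readable at all, so not counted
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, mode)  # explicit chmod so the umask cannot change the modes
    return root


if __name__ == "__main__":
    for who in ("owner", "group", "other"):
        print(who, dict(audit_tree(build_sample_tree(), who)))
```

Point audit_tree() at a real share root with the identity class the Windows users map to, and the per-extension counts tell you whether a targeted chmod on a few extensions would do, or whether the problem is the whole tree. The server-side alternative is a share parameter, `acl allow execute always`, which the smb.conf(5) of 4.0.x releases documents as re-enabling the 3.6 behaviour of not checking execute permission on open-for-execution; confirm it exists on the running build with `testparm -v | grep 'acl allow'` before relying on it, and note that it turns a security check off rather than changing the mapping, which is why the manpage presents it as an upgrade aid rather than a permanent setting.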
[Samba] memory consumption with treesize pro and cifs shares
Hi everyone.

I'm looking to solve an issue with Samba on a NAS being accessed with TreeSize Pro. Using that program to scan through millions of files is eating up memory on swap and eventually crashing the system. It's scanning mounted CIFS shares on the NAS running TrueNAS with samba version 3.6.9.

We have a test case and have been able to replicate the issue on another machine. The solution right now is to simply not run TreeSize Pro. Not the best of plans. In the meantime, I'm going to continue to check the usual manuals/google sources to see if I can find anything. I haven't as yet and am short on time with this.

Basically looking to see if this is an actual bug that might require a patch/upgrade, or something I can fix with some tuneables.

Thanks,
Mike
Re: [Samba] memory consumption with treesize pro and cifs shares
Add more memory or split the volume into smaller shares.

Gc

Cy Mike cym...@gmail.com wrote:
> Hi everyone.
>
> I'm looking to solve an issue with Samba on a NAS being accessed with TreeSize Pro. Using that program to scan through millions of files is eating up memory on swap and eventually crashing the system. It's scanning mounted CIFS shares on the NAS running TrueNAS with samba version 3.6.9.
>
> We have a test case and have been able to replicate the issue on another machine. The solution right now is to simply not run TreeSize Pro. Not the best of plans. In the meantime, I'm going to continue to check the usual manuals/google sources to see if I can find anything. I haven't as yet and am short on time with this.
>
> Basically looking to see if this is an actual bug that might require a patch/upgrade, or something I can fix with some tuneables.
>
> Thanks,
> Mike
Re: [Samba] Samba4 AD SysVol Replication (HowTo + Script)
Hello Dewayne,

On 24.07.2013 01:59, Dewayne Geraghty wrote:
> Where you mention in the document PDC role, do you mean PdcEmulationMasterRole, or is there some other meaning?

Yes. I thought the DC with the FSMO role PDC would be a good choice to be the Master, because some Microsoft tools, like the GPO console, can be configured to connect to the PDC automatically. And group policies are one of the most important things stored on the SysVol share.

> Sorry for being pedantic. I'm very new to AD DC, where I've found that being very precise is necessary; but very old to samba (since 2.2.5) and openldap.

No problem. It's good to get improvement suggestions. I'll add some more information to the HowTo tonight, to be more specific on that.

Regards,
Marc
[Samba] Git- Samba 4.1 Glusterfs 3.4, CentOs 6.4
Dear all,

to your notice: Samba 4.1 pulled from git will not compile under CentOS 6.4 if Glusterfs 3.4 is installed from the epel repo. Make will die with an error concerning the vfs module glusterfs. There should be more documentation about the vfs module glusterfs.

Daniel

---
EDV Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.65-2-g9321cc2
The branch, 1.2.40 has been updated via 9321cc2b24c351bca92bf728046cafa3073ef89a (commit) via d973a575eb619c0cad139ae9c22d7d1770dc3666 (commit) from dc84c8ed12ed1bf136827b55128c2e74b38bdf55 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40 - Log - commit 9321cc2b24c351bca92bf728046cafa3073ef89a Author: Martin Schwenke mar...@meltin.net Date: Thu Jul 18 13:33:04 2013 +1000 New version 1.2.66 Signed-off-by: Martin Schwenke mar...@meltin.net commit d973a575eb619c0cad139ae9c22d7d1770dc3666 Author: Martin Schwenke mar...@meltin.net Date: Tue Jul 16 19:31:05 2013 +1000 eventscripts: A missing interface should cause monitoring to fail A missing interface is at least as bad as an interface with a link that is down so should have a similar effect. This couldn't be done previously because orphaned interfaces used to be listed for monitoring. This was worked around in 10.interface in commit a5b8e2c1ec1b4fd7ef25e70a919ef4c70f3e1c75. If $CTDB_PARTIALLY_ONLINE_INTERFACES=yes then monitoring won't actually fail but the interface is still marked as down. This effectively reverts d40330453854d81d182112b49f5f6f2e0814b231 and 89547a1910fd74f98ae9d5737914328eb5cc3eaf. However, it heeds the warning in the commit message for latter by avoiding an early exit. it just flags a failure and marks the interfaces as down in ctdbd. Signed-off-by: Martin Schwenke mar...@meltin.net --- Summary of changes: config/events.d/10.interface |3 +++ packaging/RPM/ctdb.spec.in |4 +++- 2 files changed, 6 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/config/events.d/10.interface b/config/events.d/10.interface index d407154..ce648a1 100755 --- a/config/events.d/10.interface +++ b/config/events.d/10.interface 
@@ -38,6 +38,9 @@ monitor_interfaces() for IFACE in $INTERFACES ; do ip addr show $IFACE 2/dev/null /dev/null || { + echo ERROR: Interface $IFACE does not exist but is used by public addresses + fail=1 + ctdb setifacelink $IFACE down /dev/null 2/dev/null continue } diff --git a/packaging/RPM/ctdb.spec.in b/packaging/RPM/ctdb.spec.in index 5084d2a..8f74e3e 100644 --- a/packaging/RPM/ctdb.spec.in +++ b/packaging/RPM/ctdb.spec.in @@ -3,7 +3,7 @@ Name: ctdb Summary: Clustered TDB Vendor: Samba Team Packager: Samba Team sa...@samba.org -Version: 1.2.65 +Version: 1.2.66 Release: 1GITHASH Epoch: 0 License: GNU GPL version 3 @@ -155,6 +155,8 @@ development libraries for ctdb %changelog +* Thu Jul 18 2013 : Version 1.2.66 + - A missing interface should cause monitoring to fail * Tue Jul 02 2013 : Version 1.2.65 - Fix the flags passed in modify flags control from recovery daemon - Do early return from recoverd main loop if node is inactive -- CTDB repository
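Review bot: in the 10.interface hunk, `fail=1` is set unconditionally when the interface is missing, but the commit message says that with CTDB_PARTIALLY_ONLINE_INTERFACES=yes monitoring must not fail in this case; the code that consumes $fail after the loop is outside the visible context, so please confirm it honours that variable, otherwise the script fails monitoring in exactly the situation the message promises it will not. In the same hunk `ctdb setifacelink $IFACE down` has both stdout and stderr discarded and its exit status ignored: if ctdbd rejects the call (for example because it does not know that interface), the interface stays marked up and nothing in the log says why. Keeping stderr, or following the call with `|| echo "WARNING: could not mark $IFACE down in ctdbd"`, would leave a trace. The ctdb.spec.in hunk only bumps the version and changelog and needs no change.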
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9adfe82 pam_winbind: update documentation for DIR krb5ccname pragma. via 7ad3a36 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication. via 73e6fef wbinfo: allow to define a custom krb5ccname for kerberized pam auth. via e9ae36e s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr() from fe06e1b smbd: Fix CID 1035536 Uninitialized pointer read http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9adfe82a1785aa6a7baefb435072a0a81dfb13cb Author: Günther Deschner g...@samba.org Date: Thu Jul 18 19:09:14 2013 +0200 pam_winbind: update documentation for DIR krb5ccname pragma. Guenther Signed-off-by: Günther Deschner g...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Wed Jul 24 02:43:10 CEST 2013 on sn-devel-104 commit 7ad3a367d52b1f123c318946d654e95639202130 Author: Günther Deschner g...@samba.org Date: Thu Jul 18 19:05:51 2013 +0200 s3-winbindd: support the DIR pragma for raw kerberos user pam authentication. It is currently only available in MIT. In addition, allow to define custom filepaths for FILE, WRFILE and DIR pragmas and substitute one occurence of the %u pattern. Guenther Signed-off-by: Günther Deschner g...@samba.org Pair-Programmed-With: Andreas Schneider a...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit 73e6feff9b3f30e70d84fe256aff239fafdfdb95 Author: Günther Deschner g...@samba.org Date: Thu Jul 18 19:04:29 2013 +0200 wbinfo: allow to define a custom krb5ccname for kerberized pam auth. Guenther 
Signed-off-by: Günther Deschner g...@samba.org Reviewed-by: Jeremy Allison j...@samba.org commit e9ae36e9683372b86f1efbd29904722a33fea083 Author: Andrew Bartlett abart...@samba.org Date: Wed Jul 24 10:19:26 2013 +1200 s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_peer_addr() This caused crashes in _tsocket_address_bsd_from_sockaddr() when we read past the end of the allocation. Andrew Bartlett Signed-off-by: Andrew Bartlett abart...@samba.org Reviewed-by: Jeremy Allison j...@samba.org --- Summary of changes: docs-xml/manpages/pam_winbind.conf.5.xml | 39 ++--- examples/pam_winbind/pam_winbind.conf|3 +- nsswitch/wbinfo.c|6 +++- source3/winbindd/winbindd_pam.c | 23 + source4/lib/socket/socket_unix.c |4 +- 5 files changed, 60 insertions(+), 15 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/manpages/pam_winbind.conf.5.xml b/docs-xml/manpages/pam_winbind.conf.5.xml index 8c36719..020cb67 100644 --- a/docs-xml/manpages/pam_winbind.conf.5.xml +++ b/docs-xml/manpages/pam_winbind.conf.5.xml 
@@ -106,16 +106,35 @@ termkrb5_ccache_type = [type]/term listitempara - When pam_winbind is configured to try kerberos authentication - by enabling the parameterkrb5_auth/parameter option, it can - store the retrieved Ticket Granting Ticket (TGT) in a - credential cache. The type of credential cache can be set with - this option. Currently the only supported value is: - parameterFILE/parameter. In that case a credential cache in - the form of /tmp/krb5cc_UID will be created, where UID is - replaced with the numeric user id. Leave empty to just do - kerberos authentication without having a ticket cache after the - logon has succeeded. This setting is empty by default. + When pam_winbind is configured to try kerberos authentication by + enabling the parameterkrb5_auth/parameter option, it can + store the retrieved Ticket Granting Ticket (TGT) in a credential + cache. The type of credential cache can be controlled with this + option. The supported values are: parameterFILE/parameter + and parameterDIR/parameter (when the DIR type is supported + by the system's Kerberos library). In case of FILE a credential + cache in the form of /tmp/krb5cc_UID will be created - in case + of DIR it will be located under the /run/user/UID/krb5cc + directory. UID is replaced with the numeric user id./para + + paraIt is also possible to define custom filepaths and use the %u + pattern in order to substitue the numeric user id. + Examples:/para + +
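Review bot: the pam_winbind.conf.5.xml hunk lists FILE and DIR as the supported values for krb5_ccache_type, while the commit message for 7ad3a36 says custom paths are accepted for FILE, WRFILE and DIR; either document WRFILE here as well or state that it is intentionally undocumented, otherwise admins will not know the value exists. Two smaller points in the new paragraph: "substitue" should read "substitute", and the sentence that a DIR cache "will be located under the /run/user/UID/krb5cc directory" does not say what happens when that directory is absent (for instance a login without a logind session), which is the first question this option will raise. The "Examples:" paragraph ends where the changeset is truncated in this mail, so the example lines could not be checked here.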