Re: [Samba] Change default GID of users

2013-08-28 Thread steve
On Tue, 2013-08-27 at 16:07 -0300, Bruno Vane wrote:
 Hi Steve,
 
 
 Seems that this attribute does not matter, see my user bruno.vane:
 primaryGroupID: 513
 gidNumber: 100

Hi

How are you obtaining the information from AD?
If you set:
 gidNumber: 100
in the DN of a user, then that is what will be returned when e.g.
nss-ldapd is used. It will not return primaryGroupID unless you have
mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not
an rfc2307 attribute.
HTH


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 00:06 +0200, Luca Olivetti wrote:
 On 27/08/13 23:02, Rowland Penny wrote:
 
  If nslcd needs the posix objectclasses, then that is their bug, windows
  does not use them so Samba 4 doesn't either.
 
 I wouldn't be so sure, since many (all?) of the attributes specified by
 rfc2307 are not needed by windows but are there for compatibility with unix.
 I don't know what a real windows server does, but it seems it can work
 with nslcd, see, e.g., here
 
 https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
 
 This document has been tested on Windows Server 2008 and Ubuntu 10.04.
 
2008 does not add the posixAccount nor posixGroup classes. Samba4 uses
the same schema. You can add them if you wish but they will be ignored.
nslcd works with both 2008 and Samba4 with exactly the same nslcd.conf
but be sure to use version 0.8.10 or above which contains all the AD
stuff.
HTH
Steve




Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 00:30 +0200, Luca Olivetti wrote:
 On 27/08/13 23:56, Gary Greene wrote:
 
  If you set it up with '--use-rfc2307', nslcd needs configured as though it 
  is talking to an SFU 3.5 DC. The RFC 2307bis attributes never add 
  additional classes to the AD member objects, even in an SFU environment.
 
 Thank you, that gave me a hint: I added a
 
 filter passwd (objectclass=user)
 
 to /etc/nslcd.conf
 
 and that gave me the missing users.
 I suppose I should add also a
 
 filter group (objectclass=group)
 
 for groups.
 
 Note that those filters are also, e.g. here
 https://help.ubuntu.com/community/ADWin2k8KerberosLDAP
 
 but I overlooked them.

With recent versions of nslcd, neither filter is needed; they serve only
to slow down lookups. All that is needed is:

uid nslcd
gid nslcd
uri ldap://your.f.q.d.n
base dc=foo,dc=bar
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm SOME.REALM
krb5_ccname /tmp/nslcd.tkt

hth to speed things up a little.
Steve




Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Rowland Penny

On 27/08/13 23:06, Luca Olivetti wrote:

On 27/08/13 23:02, Rowland Penny wrote:


If nslcd needs the posix objectclasses, then that is their bug, windows
does not use them so Samba 4 doesn't either.

I wouldn't be so sure, since many (all?) of the attributes specified by
rfc2307 are not needed by windows but are there for compatibility with unix.
I don't know what a real windows server does, but it seems it can work
with nslcd, see, e.g., here

https://help.ubuntu.com/community/ADWin2k8KerberosLDAP

This document has been tested on Windows Server 2008 and Ubuntu 10.04.


Bye
If nslcd wants to work with AD, it has to play by AD rules, and AD does 
not use the posix objectclasses. If you want proof of this, create a 
user with samba-tool, go to a windows pc with ADUC and add the posix 
attributes. Now go back to the samba4 AD DC and examine the user's DN; 
you will not find the posix objectclasses, but you will find uidNumber etc.


Rowland


[Samba] Problem with nslcd and samba

2013-08-28 Thread Stéphane PURNELLE
Hi,

I am trying to use nslcd with Samba 4 to get users and groups from AD.
If I do an ldapsearch, I get this message:

Server not in kerberos database

If I do a getent passwd, nslcd displays the same error message.


log of samba4:

[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ administra...@cormandom.int-corman.be from 
ipv4:10.217.7.3:40947 for 
ldap/admin01.cormandom.int-corman...@cormandom.int-corman.be 
[canonicalize, renewable]
[2013/08/28 10:15:47,  4] 
../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
  LDB_lookup_spn_alias: no alias for service ldap applicable
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for admin01.cormandom.int-corman.be
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: 
ldap/admin01.cormandom.int-corman...@cormandom.int-corman.be: no such 
entry found in hdb
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.217.7.3:40947
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ administra...@cormandom.int-corman.be from 
ipv4:10.217.7.3:38379 for 
ldap/admin01.cormandom.int-corman...@cormandom.int-corman.be [renewable]
[2013/08/28 10:15:47,  4] 
../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
  LDB_lookup_spn_alias: no alias for service ldap applicable
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: 
ldap/admin01.cormandom.int-corman...@cormandom.int-corman.be: no such 
entry found in hdb
[2013/08/28 10:15:47,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.217.7.3:38379
[2013/08/28 10:15:47,  3] 
../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2013/08/28 10:15:47,  5] 
../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
  imessaging: cleaning up /srv/samba/private/smbd.tmp/msg/msg.17615.25
[2013/08/28 10:15:47,  3] 
../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() 
- NT_STATUS_CONNECTION_DISCONNECTED]


output of ldapsearch

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Server 
not found in Kerberos database)



DNS config: BIND_DLZ 

Version of samba: samba 4.1rc1

Does anyone have an idea?


best regards,

Stéphane 




---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467
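Added example, not part of the thread: a small Python parser for Samba 4 KDC debug lines like the ones quoted above. It reassembles messages that a mail client has wrapped and reports which service principal each failed TGS-REQ asked for, so the admin knows which SPN to look for on the DC's computer object. The sample log, hostnames and realm are constructed placeholders.

```python
"""Pull 'Server not found in database' failures out of a Samba 4 KDC log."""
import re

# Constructed sample in Samba's log layout: a header line
# '[date time, level] file:line(function)' followed by the message on an
# indented line. Principals and addresses are placeholders, not the poster's.
SAMPLE_LOG = """\
[2013/08/28 10:15:47,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ administrator@EXAMPLE.INT from ipv4:10.217.7.3:40947 for ldap/admin01.example.int@EXAMPLE.INT [canonicalize, renewable]
[2013/08/28 10:15:47,  4] ../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
  LDB_lookup_spn_alias: no alias for service ldap applicable
[2013/08/28 10:15:47,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: ldap/admin01.example.int@EXAMPLE.INT: no such entry found in hdb
[2013/08/28 10:15:47,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:10.217.7.3:40947
[2013/08/28 10:16:02,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ steve@EXAMPLE.INT from ipv4:10.217.7.9:50001 for cifs/files01.example.int@EXAMPLE.INT [renewable]
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^,\]]*,\s*(\d+)\]")
TGS_REQ_RE = re.compile(r"Kerberos: TGS-REQ (\S+) from (\S+) for (\S+)")
NOT_FOUND_RE = re.compile(r"Kerberos: Server not found in database: (\S+?): no such entry")
FAILED_RE = re.compile(r"Kerberos: Failed building TGS-REP to (\S+)")


def parse_samba_log(text):
    """Group a Samba log into (timestamp, level, message) records.

    Every line starting with '[YYYY/MM/DD hh:mm:ss, N]' opens a record; all
    following lines up to the next header are folded into its message, so a
    log that a mail client wrapped mid-principal is reassembled too.
    """
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), line[m.end():].strip()])
        elif records:
            records[-1][2] += " " + line.strip()
    return [(ts, level, msg.strip()) for ts, level, msg in records]


def find_missing_spns(text):
    """Return one dict per TGS-REQ the KDC answered with 'Server not found in
    database', i.e. the requested SPN is registered on no account the KDC knows."""
    pending = {}     # client address -> the TGS-REQ it currently has in flight
    failures = []
    for ts, _level, msg in parse_samba_log(text):
        m = TGS_REQ_RE.search(msg)
        if m:
            requester, client, spn = m.groups()
            pending[client] = {"time": ts, "requester": requester,
                               "client": client, "spn": spn}
            continue
        m = NOT_FOUND_RE.search(msg)
        if m:
            # Attach the error to the in-flight request that asked for this SPN.
            for req in pending.values():
                if req["spn"] == m.group(1) and "error" not in req:
                    req["error"] = "Server not found in database"
            continue
        m = FAILED_RE.search(msg)
        if m:
            req = pending.pop(m.group(1), None)
            if req is not None and "error" in req:
                failures.append(req)
    return failures


def summarize(failures):
    """Count failures per SPN so the most-requested missing SPN is checked first."""
    counts = {}
    for f in failures:
        counts[f["spn"]] = counts.get(f["spn"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_missing_spns(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['requester']} via {f['client']} asked for {f['spn']}: {f['error']}")
    print(summarize(found))
```

Each SPN the script reports is one to confirm on the DC with the ldbsearch and klist -k checks Steve gives later in the thread.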


Re: [Samba] Problem with nslcd and samba

2013-08-28 Thread steve
On Wed, 2013-08-28 at 10:34 +0200, Stéphane PURNELLE wrote:
 Hi,
 
 I am trying to use nslcd with Samba 4 to get users and groups from AD.
 If I do an ldapsearch, I get this message:
 
 Server not in kerberos database

Hi
You get those errors when you are not joined to the domain. Is this the
DC or a client?
 


Re: [Samba] Problem with nslcd and samba

2013-08-28 Thread Stéphane PURNELLE
Hi,

On the DC

File-server and DC are on the same server.

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467



Re: [Samba] Problem with nslcd and samba

2013-08-28 Thread steve
On Wed, 2013-08-28 at 11:03 +0200, Stéphane PURNELLE wrote:
 Hi,
 
 On the DC
 
 File-server and DC are on the same server.

Hi
Is it really there?

nslookup admin01
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=admin01
samba-tool domain exportkeytab /tmp/test.keytab --principal=ADMIN01$
klist -k

Steve



Re: [Samba] Problem with nslcd and samba

2013-08-28 Thread Stéphane PURNELLE
Hi Steve

nslookup : OK

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=admin01: see output 
file steve2.log



samba-tool domain exportkeytab /tmp/test.keytab --principal=ADMIN01$: see 
output file steve3.log



klist -k: see output file steve4.log



This last command has a bad result for me.
But I don't know why.

regards

Stéphane

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467




Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Luca Olivetti
On 28/08/13 09:58, steve wrote:
 filter passwd (objectclass=user)

 to /etc/nslcd.conf

 and that gave me the missing users.
 I suppose I should add also a

 filter group (objectclass=group)

[...]

 With recent versions of nslcd, neither of the filters are needed and
 serve only to slow down lookups. All that is needed is:

0.8.12 is not recent enough and those filters are needed.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 13:17 +0200, Luca Olivetti wrote:
 On 28/08/13 09:58, steve wrote:
  filter passwd (objectclass=user)
 
  to /etc/nslcd.conf
 
  and that gave me the missing users.
  I suppose I should add also a
 
  filter group (objectclass=group)
 
 [...]
 
  With recent versions of nslcd, neither of the filters are needed and
  serve only to slow down lookups. All that is needed is:
 
 0.8.12 is not recent enough and those filters are needed.

I'll try 0.8.12 later but I doubt it will have changed:
- - -
hh16:/home/steve # samba --version
Version 4.2.0pre1-GIT-617c647

hh16:/home/steve # nslcd --version
nss-pam-ldapd 0.8.10

uid nslcd-user
gid nslcd-user
uri ldap://hh3.site
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/nslcd.tkt

hh16:/home/steve # k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt

hh16:/home/steve # getent passwd
...
steve2:*:321:20513:steve2:/home/users/steve2:/bin/bash
steve3:*:322:20513:steve3:/home/users/steve3:/bin/bash
...
- - -
Cheers,
Steve




[Samba] ACL issue in samba 4.0.7

2013-08-28 Thread Kandukuru, Suresh SK
Hi samba team,

We have recently moved Samba to 4.0.7; since then, ACLs are not working when 
we try to set any deny permission from Windows hosts. The error is as shown 
below in log.smbd

[2013/08/21 02:49:36.322907,  0] 
../source3/smbd/posix_acls.c:1814(add_current_ace_to_acl)
  add_current_ace_to_acl: malformed ACL in file ACL ! Deny entry after Allow 
entry. Failing to set on file Raghu.


The share in smb.conf is given below, and the smb.conf is attached.


[pubshar]
path= /mnt/pools/A/A0/pubshar/
max connections= 50
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= yes
dos filemode= yes
writeable= yes
public= yes
store dos attributes= yes
write list= guest



I see the bug is similar to 
https://lists.samba.org/archive/samba/2012-October/169503.html
https://bugzilla.samba.org/show_bug.cgi?id=9275

There the problem was solved once they moved from POSIX ACLs to Windows ACLs. But we 
would like to use POSIX ACLs only. We did not notice this in the 3.x Samba 
versions. Can you tell me how to fix this problem? Thanks

/Suresh
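Added illustration, not Samba's code: a checker for the ACE ordering behind the "Deny entry after Allow entry" log line above. Windows writes ACLs in canonical order (explicit Deny entries, then explicit Allow entries, then inherited entries, deny before allow within each group); an Allow followed by a Deny is what Samba's POSIX ACL mapping refuses. The sample ACL and trustee names are constructed.

```python
"""Canonical-order check and reorder for an NT-style ACE list."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str             # account or group the entry applies to
    access: str              # "allow" or "deny"
    rights: str              # human-readable rights, e.g. "FULL", "READ"
    inherited: bool = False  # True for entries that came from the parent folder


# Constructed sample: an explicit deny placed after an explicit allow, which
# is the ordering Samba rejects when storing the ACL as a POSIX ACL.
SAMPLE_ACL = [
    Ace("Everyone", "allow", "READ"),
    Ace("EXAMPLE\\raghu", "deny", "FULL"),
    Ace("BUILTIN\\Administrators", "allow", "FULL", inherited=True),
]


def check_canonical(aces):
    """Return a list of ordering problems; an empty list means canonical order.

    ACEs are evaluated first-match-wins, so a Deny that sits after an Allow for
    an overlapping trustee may never take effect on Windows, and Samba's
    posix_acls.c refuses the whole ACL with 'Deny entry after Allow entry'.
    """
    problems = []
    explicit_allow_seen = False
    inherited_seen = False
    inherited_allow_seen = False
    for pos, ace in enumerate(aces):
        if ace.inherited:
            inherited_seen = True
            if ace.access == "allow":
                inherited_allow_seen = True
            elif inherited_allow_seen:
                problems.append(f"ACE {pos}: inherited deny for {ace.trustee} "
                                "after an inherited allow")
            continue
        if inherited_seen:
            problems.append(f"ACE {pos}: explicit entry for {ace.trustee} "
                            "after inherited entries")
        if ace.access == "allow":
            explicit_allow_seen = True
        elif explicit_allow_seen:
            problems.append(f"ACE {pos}: deny for {ace.trustee} after an allow "
                            "(Samba: 'Deny entry after Allow entry')")
    return problems


def canonicalize(aces):
    """Reorder the ACEs into canonical order without adding or dropping any.

    The sort is stable, so the relative order inside each group is preserved.
    """
    group = {(False, "deny"): 0, (False, "allow"): 1,
             (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda a: group[(a.inherited, a.access)])


if __name__ == "__main__":
    for problem in check_canonical(SAMPLE_ACL):
        print(problem)
    for ace in canonicalize(SAMPLE_ACL):
        print(ace)
```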

Re: [Samba] DNS managment error

2013-08-28 Thread Antun Horvat

Hello again,

I wanted to notify everybody that I managed to overcome this problem.
The issue was that the CN=MicrosoftDNS,DC=ForestDnsZones,... branch was 
missing because the forest was operating at the Windows 2000 native 
functional level.
What I did was transfer all FSMO roles back to the Windows 2003 server, 
unplug the Samba servers, clean the Samba server metadata and then 
raise the level of the domain to Windows 2003 native.

Then in the DNS tool I configured forest-wide zone replication.
Then I did a fresh install of Samba on the Linux servers and joined them 
to the domain.

When I was sure that all changes were being replicated across all domain 
controllers, I transferred all FSMO roles back to one Linux server and 
unplugged Windows 2003 from the network.

Now I have full access to DNS services and all other levels of the domain 
are functional.

To be exact, I still have some minor issues such as long logon times, 
but soon I will resolve them too.

All best,
Antun

On 08/27/2013 09:00 PM, Antun Horvat wrote:
Well that's the thing, I can only replicate DNS changes from the WinDC to 
Samba, but not the other way.

I can't even update DNS records on the Samba side, only on the Windows side.

I managed to figure out an error on Samba caused by an RPC call:
dnsserver: Found DNS zone .
Failed to find DNS Zones in 
CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local


Now I am surfing on the web trying to find some kind of solution.

All best,
Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:
Interesting. Are Forest and Domain records being replicated in both 
directions from all DCs? It always worked from the WinDC to the S4DC 
but not in the other direction. Also, were you able to use the WIN 
DNS MMC to examine the DNS records on any of the Samba DCs? If so, 
you are probably close to having it working; something I never 
managed to do.


See ya...
Garth

On 08/27/2013 12:07 PM, Antun Horvat wrote:

Thanks for such quick reply,

I have just executed the samba-tool drs showrepl command and it seems 
that the Forest and Domain LDAP DITs are being replicated successfully.
But I still doubt that it cannot be fixed, since all RR records that 
are added to the w2k3 server are successfully propagated and present. 
All name resolution queries on Samba reflect the state of the w2k3 DNS.


Is there some way to debug RPC calls so that we can more precisely 
locate the error?



All best,
Antun

On 08/27/2013 06:40 PM, Garth Keesler wrote:
This issue has been discussed at length before with no resolution 
to my knowledge. If you use samba-tool drs showrepl, you will 
probably notice that Forest and Domain DNS is not being replicated 
to/from all DCs. Additionally, if you use Win2003 DNS MMC, you will 
not be able to detect that DNS is running on the Samba DCs nor that 
they are DCs at all. I have only tested this using internal Samba 
DNS but have found no workaround and have dropped trying to use 
Samba to demote/replace a Win2003 DC for now.


Good luck,
Garth

On 08/27/2013 09:58 AM, Antun Horvat wrote:



Hello,

I have an issue with an existing installation of a Samba4 domain 
controller that is specific to DNS management.
In the domain I have two Samba4 4.0.7 servers and one Windows 2003 server 
that I plug in periodically to manage the DNS.
All FSMO roles are transferred to Samba.

All aspects of the domain work perfectly except one: the samba-tool dns 
commands do not work.
All commands when executed on the Samba server return an ERROR(runtime):
uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE') 
error. The same command pointed at the Windows server works fine.
All commands that add hosts to Windows are replicated to the Samba 
instances.

The domain is functioning at the 2003 native level (reported by the Windows
tool), but Samba can't figure out the level.
Also, when I try to demote the w2k3 server I get the error that Active 
Directory could not find another domain controller to transfer the
remaining data in the directory partition
DC=DomainDnsZones,Dc=example,dc=com

Could you please point me to the right resources so that I can resolve 
my current issues.

Thanks in advance, and I wish the best to the whole Samba community.

PS
If you need some kind of help, such as testing RCs in a certain
configuration, please contact me.









[Samba] groups command not working as expected

2013-08-28 Thread Chris Alavoine
Hi all,

I can't seem to figure this one out.

I have a test rig Samba 4 VM up and running nicely. Have imported my old
Samba 3 directory and am using nslcd to get users and groups back to *nix.

I have a Perl login script which generates on-the-fly .bat scripts per user
as they log in, using the root preexec and postexec commands in my smb.conf
(which worked out of the box with Samba 4, surprisingly).

My current issue is that I use the groups user.name command to list what
groups that user is a member of. This is then parsed into my batch script
and the users get their mapped drives accordingly.

The groups command appeared to be working OK, but I've just noticed that
any changes I make to existing or new users aren't passed on to the groups
command. getent group and getent passwd still work OK but neither of these
can list a user's groups in the manner that I need.

Can anyone suggest an alternative method or a fix for the groups problem?

Thanks in advance.

Chris.

-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192


Re: [Samba] groups command not working as expected

2013-08-28 Thread Chris Alavoine
Update on this.

It appears that the groups command is working, it takes a while to filter
through for some reason (like, about 15 minutes). Any ideas why it should
be so slow to update?

c:)


On 28 August 2013 16:17, Chris Alavoine chr...@acs-info.co.uk wrote:

 Hi all,

 I can't seem to figure this one out.

 I have a test rig Samba 4 VM up and running nicely. Have imported my old
 Samba 3 directory and am using nslcd to get users and groups back to *nix.

 I have a Perl login script which generates on-the-fly .bat scripts per
 user as they log in, using the root preexec and postexec commands in my
 smb.conf (which worked out of the box with Samba 4, surprisingly).

 My current issue is that I use the groups user.name command to list
 what groups that user is a member of. This is then parsed into my batch
 script and the users get their mapped drives accordingly.

 The groups command appeared to be working OK, but I've just noticed that
 any changes I make to existing or new users aren't passed on to the groups
 command. getent group and getent passwd still work OK but neither of these
 can list a user's groups in the manner that I need.

 Can anyone suggest an alternative method or a fix for the groups problem?

 Thanks in advance.

 Chris.

 --
 ACS (Alavoine Computer Services Ltd)
 Chris Alavoine
 mob +44 (0)7724 710 730
 www.alavoinecs.co.uk
 http://twitter.com/#!/alavoinecs
 http://www.linkedin.com/pub/chris-alavoine/39/606/192




-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192


[Samba] Samba Winbind and NTLM

2013-08-28 Thread Dan Bateman
Hi,

I have a setup where two domains exist. One domain is in a DMZ and the other
on an internal network. Both are running Windows 2003 R2. They have an external
NTLM trust set up between them, from DMZ to Internal.

Linux clients in the DMZ are joined to the DMZ AD. I'm trying to get the
Linux clients to authenticate users that exist on the internal AD Domain,
but it is failing. When attempting to auth users as INT\username it is
trying to connect to the INT server but can't as it's in the DMZ. Is there
a way to force clients to negotiate the NTLM trust and avoid attempting to
connect to the INT server? I.e using the DMZ server to pass through the
authentication? Or setup some sort of NTLM auth?

Windows clients appear to do this without issue.
Thanks,
Dan.


[Samba] One Way Domain Trust Problem

2013-08-28 Thread Ricardo Suguita

Hi,

I know that Trusts are not finished but Samba can be Trusted.

I successfully finished a trust between a Windows 2003 domain (PREFDOM)
and Samba4 (PREFEITURA). PREFDOM trusts PREFEITURA.
It works fine.

Now, I'm trying to establish a new trust between another Windows 2003 
domain (SIA) and Samba4 (PREFEITURA). SIA trusts PREFEITURA.
I'm using the Active Directory Domains and Trusts GUI.
The error message: The operation failed. The specified domain already 
exists


Is there another way to establish/force a trust?

Thanks!

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] DNS managment error

2013-08-28 Thread Garth Keesler
Wow! I'm impressed! :-) I also ensured that the domain was at 2003 
native but with no improvement.


When you say that in the DNS tool I configured forest wide zone 
replication, is that the Win DNS MMC or samba-tool? Can you be 
specific? That may have been my problem.


Thanx,
Garth



[Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread Marc Muehlfeld

Hello,

I took this out of the OpenSSH auth in SAMBA4 LDAP thread, because it 
was drifting away from its original question :-)


I played this afternoon a bit with nslcd and Kerberos for extending my 
Wiki HowTo. But the more I read, the bigger one question becomes: 
what are the advantages of Kerberos over simple bind with DN and 
password?


Simple bind method: create a user, add the credentials to the root-only 
readable file nslcd.conf. Done.


Kerberos: create user, add an SPN, extract keytab, edit nslcd.conf (ok, 
this is all done only once). But then, if I understand it right, I need 
something that renews the Kerberos ticket from time to time. In your 
blog you use k5start for that. Also, Fedora 19 and RHEL6 don't have it 
in their repositories. So something more to compile and to ensure 
that it starts and runs. :-)


So currently I don't see what the advantages of Kerberos are and in 
which way it should be easier or anything else. :-)


Maybe someone can give me (Kerberos beginner) some answers/hints. :-)


Regards,
Marc


Re: [Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread steve
On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
 Hello,
 
 I took this out of the OpenSSH auth in SAMBA4 LDAP thread, because it 
 was drifting away from its original question :-)
 
 I played this afternoon a bit with nslcd and Kerberos for extending my 
 Wiki HowTo. But the more I read, the bigger one question becomes: 
 what are the advantages of Kerberos over simple bind with DN and 
 password?
 
 Simple bind method: create a user, add the credentials to the root-only 
 readable file nslcd.conf. Done.
 
 Kerberos: create user, add an SPN, extract keytab, edit nslcd.conf (ok, 
 this is all done only once). But then, if I understand it right, I need 
 something that renews the Kerberos ticket from time to time. In your 
 blog you use k5start for that. Also, Fedora 19 and RHEL6 don't have it 
 in their repositories. So something more to compile and to ensure 
 that it starts and runs. :-)
 
 So currently I don't see what the advantages of Kerberos are and in 
 which way it should be easier or anything else. :-)
 
 Maybe someone can give me (Kerberos beginner) some answers/hints. :-)

Hi
If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so. . .

You may want to kerberise it. It's very easy: you don't need to create
anything new. Just use an object you already have. You always have a
machine key for example. On the DC, you'll have to extract its keytab
but otherwise, away you go:

 k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K 360 -k /tmp/nslcd.tkt

If you need to be up more than 10 hours a day and if you don't like
k5start, cron it.

The clients already have the keytab so nothing else to do.
HTH


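Added example, not from the thread or the nss-pam-ldapd project: a Python audit of the two nslcd.conf styles discussed above, simple bind with binddn/bindpw versus the GSSAPI setup Steve shows. It flags a bindpw that would cross a plain ldap:// connection in clear and checks that a GSSAPI bind has its realm and credential cache configured. The keyword names are real nslcd.conf options; both sample configurations are constructed.

```python
"""Audit an nslcd.conf for how it authenticates to the directory."""

# Simple bind: the service account's password sits in nslcd.conf and is sent
# on every bind; over ldap:// with no 'ssl start_tls' it crosses the wire in clear.
SIMPLE_BIND_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.int
base dc=example,dc=int
binddn cn=nslcd-user,cn=Users,dc=example,dc=int
bindpw PLACEHOLDER-PASSWORD
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
"""

# Kerberised bind shaped like Steve's configuration: nslcd authenticates with
# the ticket in krb5_ccname (kept fresh by k5start or a cron'd kinit), so no
# password is stored in the file or sent to the DC. Directory traffic itself is
# a separate matter (TLS or a SASL security layer), not covered by this check.
GSSAPI_CONF = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.int
base dc=example,dc=int
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm EXAMPLE.INT
krb5_ccname /tmp/nslcd.tkt
"""


def parse_nslcd_conf(text):
    """Return {keyword: [value, ...]}; keywords such as 'uri' and 'map' may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def audit_bind(conf):
    """Return findings about the bind configuration; empty means nothing to flag."""
    findings = []
    uris = conf.get("uri", [])
    ssl = conf.get("ssl", ["off"])[-1].lower()
    mech = conf.get("sasl_mech", [""])[-1].upper()
    if "bindpw" in conf and not mech:
        # No SASL mechanism means a simple bind with the stored password.
        if any(u.startswith("ldap://") for u in uris) and ssl == "off":
            findings.append("bindpw over a plain ldap:// URI with ssl off: the service "
                            "account password crosses the network in clear")
        findings.append("bindpw in nslcd.conf: the file must stay readable by root only")
    if mech == "GSSAPI":
        # GSSAPI needs a realm and a credential cache that something keeps renewed.
        for needed in ("sasl_realm", "krb5_ccname"):
            if needed not in conf:
                findings.append(f"sasl_mech GSSAPI set but '{needed}' is missing")
    # AD keeps the login name in sAMAccountName, not in the RFC 2307 'uid' attribute.
    if not any(m.startswith("passwd uid ") for m in conf.get("map", [])):
        findings.append("no 'map passwd uid samAccountName': AD users will not "
                        "resolve by login name")
    return findings


if __name__ == "__main__":
    for name, text in (("simple bind", SIMPLE_BIND_CONF), ("GSSAPI", GSSAPI_CONF)):
        print(name, audit_bind(parse_nslcd_conf(text)) or ["ok"])
```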


Re: [Samba] Make Winbind/PAM not return domain part for usernames

2013-08-28 Thread George
Ok, I figured out a way to make all this work in my case. I made Exim use
Dovecot LDA transport instead of local delivery. With dovecot_delivery
transport you can specify -d username (would be -d $local_part in case
of Exim), which will trigger the same userdb lookup that Dovecot will do
later to fetch the mails from the files. So now the mails are delivered by
Exim and fetched by Dovecot from the same location, when using AD users.
Hope this helps somebody else.

Anyway, the issue with the winbind use default domain option not working
will need to be resolved at some point.

Best regards!
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread steve
On Wed, 2013-08-28 at 18:37 +0200, Marc Muehlfeld wrote:
  In your 
 blog you use k5start for that. Also Fedora 19 and RHEL6 don't have it 
 in their repositories. So something more to compile and to ensure 
 that it starts and runs. :-)

A quick google shows that both Fedora and Red Hut Pizza have k5start.
It's in the package: kstart
HTH
Cheers


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Luca Olivetti
On 28/08/13 13:43, steve wrote:


 0.8.12 is not recent enough and those filters are needed.
 
 I'll try 0.8.12 later but I doubt it will have changed:

I have 0.8.12

$ rpm -q nss-pam-ldapd
nss-pam-ldapd-0.8.12-3.mga3

With the filter (aimaretti is a migrated user, pruebaunix is a new user)

$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain
Users),496(vcsa),675(intranet)


Without the filter


$ id aimaretti
uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
Users),675(intranet),676(portal),507(devel)
$ id pruebaunix
id: pruebaunix: l’usuari no existeix
$ LC_ALL=en id pruebaunix
id: pruebaunix: no such user

Do you think it's because I have specified a binddn and a bindpw?

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread Marc Muehlfeld

On 28.08.2013 19:11, steve wrote:

If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so. . .


Ok. This is a good argument I hadn't thought about. In production I 
have used LDAPS. But the HowTo is currently describing it in plain text, 
right.





You may want to kerberise it. It's very easy: you don't need to create
anything new. Just use an object you already have. You always have a
machine key for example.


Good idea with the machine key.
If I use the machine account, then I have to re-export the keytab if I 
rejoin the machine, right?




 On the DC, you'll have to extract its keytab

but otherwise, away you go:

  k5start -v -f /etc/krb5.keytab -U -o nslcd-user -K
360 -k /tmp/nslcd.tkt 

If you need to be up more than 10 hours a day and if you don't like
k5start, cron it.

The clients already have the keytab so nothing else to do.
HTH



Thanks for that information. It clarifies some questions that came up 
with the first Kerberos tries.



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:

 
 
 Without the filter
 
 
 $ id aimaretti
 uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
 Users),675(intranet),676(portal),507(devel)
 $ id pruebaunix
 id: pruebaunix: l’usuari no existeix
 $ LC_ALL=en id pruebaunix
 id: pruebaunix: no such user

Hi
OK then, so just compare the DN of aimaretti with that of pruebaunix.

Post them here if you like:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti
and
ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

Cheers,
Steve


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread steve
On Wed, 2013-08-28 at 19:27 +0200, Marc Muehlfeld wrote:
 On 28.08.2013 19:11, steve wrote:
  If you're happy with plain text passwords being passed over the network
  then use them. There may be some admins that will not be able to do that
  though, so. . .
 
 Ok. This is a good argument I hadn't thought about. In production I 
 have used LDAPS. But the HowTo is currently describing it in plain text, 
 right.
 
 
 
  You may want to kerberise it. It's very easy: you don't need to create
  anything new. Just use an object you already have. You always have a
  machine key for example.
 
 Good idea with the machine key.
 If I use the machine account, then I have to re-export the keytab if I 
 rejoin the machine, right?
 
No. Once you have exported the key to the keytab on the DC, that's it.
Forever. The question doesn't make sense on a client.

If you're on the DC, you do not have a default keytab, erm, by default,
so just extract the machine key manually.

On a remote client, the process of joining the domain with security=ADS
and kerberos method = something will automatically create the keytab for
you.

HTH
Steve


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Luca Olivetti
On 28/08/13 19:30, steve wrote:
 On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
 


 Without the filter


 $ id aimaretti
 uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
 Users),675(intranet),676(portal),507(devel)
 $ id pruebaunix
 id: pruebaunix: l’usuari no existeix
 $ LC_ALL=en id pruebaunix
 id: pruebaunix: no such user
 
 Hi
 OK then, so just compare the DN of aimaretti with that of pruebaunix.
 
 Post them here if you like:

OK, but just to avoid you the hassle to compare the two, here is a
summary of the differences:

* pruebaunix is missing the posixAccount objectClass, the description
and homeDrive (though I don't think the last two are what's causing the
problem and the missing posixAccount is normal AD behavior)

* pruebaunix has the following fields not present in aimaretti:
-givenName
-msSFU30Name
-sn
-uid
-unixUserPassword
-userPrincipalName

  
 ldbsearch --url=/usr/local/samba/private/sam.ldb cn=aimaretti

# record 1
dn: CN=aimaretti,CN=Users,DC=wetron,DC=es
cn: aimaretti
instanceType: 4
whenCreated: 20130816222436.0Z
whenChanged: 20130816222436.0Z
uSNCreated: 5300
name: aimaretti
objectGUID: cf69597e-c29e-4734-8fee-0c5f261593b9
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-3468
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: aimaretti
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 12911595683000
displayName: Alberto Aimaretti
homeDrive: U:
logonHours:: 
userAccountControl: 512
description: Usuario Wetron
uidNumber: 1234
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
unixHomeDirectory: /home/aimaretti
loginShell: /bin/false
gidNumber: 513
msSFU30NisDomain: wetron
uSNChanged: 5304
memberOf: CN=devel,CN=Users,DC=wetron,DC=es
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=portal,CN=Users,DC=wetron,DC=es
distinguishedName: CN=aimaretti,CN=Users,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals


 and
 ldbsearch --url=/usr/local/samba/private/sam.ldb cn=pruebaunix

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 3 records
# 0 entries
# 3 referrals

(oops, I forgot that this user has a space in the cn, and, no, that's
not the problem, I have other users without a space in the cn, don't
mind the OU, it was an unrelated test, other users under CN=Users work
the same)

$ sudo /usr/local/samba/bin/ldbsearch --url=/usr/local/samba/private/sam.ldb cn=prueba unix
# record 1
dn: CN=prueba unix,OU=kk,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: prueba unix
sn: unix
givenName: prueba
instanceType: 4
whenCreated: 20130827101804.0Z
uSNCreated: 7219
name: prueba unix
objectGUID: deb50617-08a6-4c98-8d81-73c0134514ee
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1375475485-2168029398-3937786652-4011
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: pruebaunix
sAMAccountType: 805306368
userPrincipalName: pruebau...@wetron.es
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=wetron,DC=es
pwdLastSet: 13022072284000
userAccountControl: 512
msSFU30Name: pruebaunix
unixUserPassword: ABCD!efgh12345$67890
uid: pruebaunix
msSFU30NisDomain: wetron
loginShell: /bin/sh
unixHomeDirectory: /home/pruebaunix
uidNumber: 10069
displayName: pruebaunix
gidNumber: 513
memberOf: CN=intranet,CN=Users,DC=wetron,DC=es
memberOf: CN=brmuestra,CN=Users,DC=wetron,DC=es
whenChanged: 20130828004001.0Z
uSNChanged: 7249
distinguishedName: CN=prueba unix,OU=kk,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/CN=Configuration,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=DomainDnsZones,DC=wetron,DC=es

# Referral
ref: ldap://wetron.es/DC=ForestDnsZones,DC=wetron,DC=es

# returned 4 records
# 1 entries
# 3 referrals


Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 19:15 +0200, Luca Olivetti wrote:
 On 28/08/13 13:43, steve wrote:
 
 
  0.8.12 is not recent enough and those filters are needed.
  
  I'll try 0.8.12 later but I doubt it will have changed:
 
 I have 0.8.12
 
 $ rpm -q nss-pam-ldapd
 nss-pam-ldapd-0.8.12-3.mga3
 
 With the filter (aimaretti is a migrated user, pruebaunix is a new user)
 
 $ id aimaretti
 uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
 Users),675(intranet),676(portal),507(devel)
 $ id pruebaunix
 uid=10069(pruebaunix) gid=513(Domain Users) grups=513(Domain
 Users),496(vcsa),675(intranet)
 
 
 Without the filter
 
 
 $ id aimaretti
 uid=1234(aimaretti) gid=513(Domain Users) grups=513(Domain
 Users),675(intranet),676(portal),507(devel)
 $ id pruebaunix
 id: pruebaunix: l’usuari no existeix
 $ LC_ALL=en id pruebaunix
 id: pruebaunix: no such user
 
 Do you think it's because I have specified a binddn and a bindpw?

Hi
Without objectClass: posixAccount
you need the filter for nslcd.

IOW, for AD, you either must add it yourself or use the nslcd filter.

Windows does not need the objectClass. nslcd does unless you want to
filter everything.
HTH
Steve



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
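Luca's two ldbsearch records and Steve's reply can be checked offline: nslcd's stock passwd map filter selects on objectClass=posixAccount, which matches the migrated account and not a user created the AD way, even though both carry uidNumber. The following is an added example, not code from the thread or from nss-pam-ldapd: a small evaluator for the RFC 4515 filter subset that nslcd.conf filters use (equality, presence, &, |, !) run over a constructed LDIF that keeps only the relevant attributes of the two accounts above. The AD-style replacement filter is an assumed example of the kind put in nslcd.conf as "filter passwd ...", not a line quoted from the thread.

```python
"""Evaluate nslcd-style LDAP search filters against LDIF entries offline."""
import base64

# Constructed LDIF: the two accounts from the thread, cut down to the attributes
# that matter for the passwd map. Not a verbatim copy of the ldbsearch output.
SAMPLE_LDIF = """\
dn: CN=aimaretti,CN=Users,DC=wetron,DC=es
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: aimaretti
sAMAccountName: aimaretti
uidNumber: 1234
gidNumber: 513
unixHomeDirectory: /home/aimaretti
loginShell: /bin/false

dn: CN=prueba unix,OU=kk,DC=wetron,DC=es
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: prueba unix
sAMAccountName: pruebaunix
uid: pruebaunix
uidNumber: 10069
gidNumber: 513
unixHomeDirectory: /home/pruebaunix
loginShell: /bin/sh
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attribute(lowercase): [values]} dicts, blank-line separated."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                       # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def _parse(s, i):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                                   # compound filter
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, kids), i + 1
    j = s.index(")", i)                                 # simple item: attr=value or attr=*
    attr, eq, value = s[i:j].partition("=")
    if not eq:
        raise ValueError("only equality and presence items are supported")
    return ("=", attr.strip().lower(), value), j + 1


def parse_filter(text):
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(entry, node):
    """True if the entry satisfies the parsed filter (attribute values compared case-insensitively)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                                    # presence filter
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(ldif_text, filter_text):
    """Return the sAMAccountName of every entry matching the filter, in LDIF order."""
    node = parse_filter(filter_text)
    return [e["samaccountname"][0] for e in parse_ldif(ldif_text) if matches(e, node)]


# nslcd's built-in default for the passwd map.
DEFAULT_PASSWD_FILTER = "(objectClass=posixAccount)"
# Assumed AD-style replacement for "filter passwd" in nslcd.conf (not from the thread).
AD_PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*))"

if __name__ == "__main__":
    for f in (DEFAULT_PASSWD_FILTER, AD_PASSWD_FILTER):
        print(f, "->", search(SAMPLE_LDIF, f))
```

With the default filter only aimaretti resolves; with the AD-style filter both do, which is the behaviour Luca saw with and without the filter, and it is why the objectClass that Windows never sets has to be either added to the user or dropped from the filter.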

Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Luca Olivetti
On 28/08/13 20:11, steve wrote:

 Hi
 Without objectClass: posixAccount
 you need the filter for nslcd.
 
 IOW, for AD, you either must add it yourself or use the nslcd filter.
 
 Windows does not need the objectClass. nslcd does unless you want to
 filter everything.

Thank you, I thought that was the case.
It's something that Marc will have to specify in the howto.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] DNS managment error

2013-08-28 Thread Antun Horvat
To clarify things a bit for others with the same problem, I will try to 
explain exact things that I did.


Like I said, one of my issues was that the domain was functioning in 
level 2003 native, but the forest remained in the 2000 native 
functioning level.
So you need to be sure that both domain and forest levels are indeed 
functioning in 2003 native level.
If your domain and forest is not running in that level, you need to 
transfer all FSMO roles to your Windows server. These roles are (RID, 
PDC, Infrastructure, Naming master, Schema master).
At that point I removed all samba servers from the domain which may not 
be needed, but I wanted to decrease the chance of Samba to interfere 
with the process

of raising the level.
Since I could not demote the samba for some reason from the domain, I 
simply stopped the Samba process on Linux servers and removed Samba 
metadata on windows using ntdsutil tool. You must be careful with that 
command since you can destroy all your domain data with it.


Now with just Windows 2003 server in the domain I have simply raised the 
forest level and did not experience any problems with it.


Next, I opened DNS MMC in Windows2003 and selected my domain zones, 
right clicked the zone and in options selected forest wide replication.

I don't remember the exact name of the tab, but it is easily identified.

Now I have reinstalled (make uninstall; make install) Samba on the Linux 
servers and joined them as DC's to Windows server.
Now it is a good time to test replication of LDAP data between servers by 
adding for example user1 to Windows and user2 to Linux server and see
if the users are being replicated between the servers.  Also check the 
status of samba-tool drs showrepl.


Then, if the data is replicating without any error, transfer all FSMO 
roles to the Linux server using samba-tool fsmo transfer --role=all.


Now wait few minutes and shutdown Windows 2003 server from the network.  
At this point the domain should be running just fine and everything can be
based on Samba4 AD's.  Now you can manage your Domain and DNS data 
through Windows MMC tools or through samba-tool CLI tool.



Also if you experience some issue with slow logins in Domain 
workstations, be sure to delete ipv6 address from DNS zone, as it fixed 
login times in my case.


If you are doing this in a fully functional environment where everything 
is depending on your DC, and people are using workstations 24H, don't 
worry, it can be done since I did that without any downtime. I have 
successfully converted an old windows 2000 domain into a 2003 compatible 
domain running only on (for now) two Samba DC's.


On 08/28/2013 06:29 PM, Garth Keesler wrote:
Wow! I'm impressed! :-) I also ensured that the domain was at 2003 
native but with no improvement.


When you say that in the DNS tool I configured forest wide zone 
replication, is that the Win DNS MMC or samba-tool? Can you be 
specific? That may have been my problem.


Thanx,
Garth

On 08/28/2013 09:52 AM, Antun Horvat wrote:

Hello again,

I wanted to notify everybody that I managed to overcome this problem.
The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was 
missing because

the Forest was operating in Windows 2000 native functional level.
The thing that I did was, transfer all FSMO roles back to Windows 
2003 server plugged off Samba servers, cleaned Samba server metadata 
and then raised the level of the domain to Windows 2003 Native.

Then in the DNS tool I configured forest wide zone replication.
Then i did fresh install of Samba on Linux servers and joined the 
them to the domain.


When I was sure that all changes are being replicated across all 
domain controllers, I transfered all FSMO roles

back to one Linux server and unplugged Windows 2003 from the network.

Now I have full access to DNS services and all other levels of Domain 
are functional.


To be exact, I still have some minor issues such as long logon times, 
but soon I will resolve them too.


All best,
Antun

On 08/27/2013 09:00 PM, Antun Horvat wrote:
Well that's the thing, I can only replicate DNS changes from WinDC 
to Samba, but not in other way.

I can't even update DNS records on Samba side, only on Windows side.

I managed to figure out an error on Samba caused by RPC call:
dnsserver: Found DNS zone .
Failed to find DNS Zones in 
CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local


Now I am surfing on the web trying to find some kind of solution.

All best,
Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:
Interesting. Are Forest and Domain records being replicated in both 
directions from all DCs? It always worked from the WinDC to the 
S4DC but not in the other direction. Also, were you able to use the 
WIN DNS MMC to examine the DNS records on any of the Samba DCs? If 
so, you are probably close to having it working; something I never 
managed to do.


See ya...
Garth

On 08/27/2013 12:07 PM, Antun Horvat wrote:

Thanks for such quick reply,

I have 

Re: [Samba] nslcd: kerberos vs. simple bind

2013-08-28 Thread Fernando Lozano

Oi,

Simple bind method: Create a user, add the credentials to the root only
readable file nslcd.conf. Done

Kerberos: Create user, add a SPN, extract keytab, edit nslcd.conf (ok.
This is all done only once.). But then, if I understand it right, I need
something that renews the kerberos ticket from time to time.

So currently I don't see what are the advantages of Kerberos and in
which way it should be easier or anything else. :-)

If you're happy with plain text passwords being passed over the network
then use them. There may be some admins that will not be able to do that
though, so. . .


If this were the only kerberos advantage, we'd all be using LDAP with 
TLS to secure passwords on the wire.



[]s, Fernando Lozano

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] DNS managment error

2013-08-28 Thread Garth Keesler

Many thanks! I'll give this a try.

See ya...
Garth

On 08/28/2013 01:18 PM, Antun Horvat wrote:
To clarify things a bit for others with the same problem, I will try 
to explain exact things that I did.


Like I said, one of my issues was that the domain was functioning in 
level 2003 native, but the forest remained in the 2000 native 
functioning level.
So you need to be sure that both domain and forest levels are indeed 
functioning in 2003 native level.
If your domain and forest is not running in that level, you need to 
transfer all FSMO roles to your Windows server. These roles are (RID, 
PDC, Infrastructure, Naming master, Schema master).
At that point I removed all samba servers from the domain which may 
not be needed, but I wanted to decrease the chance of Samba to 
interfere with the process

of raising the level.
Since I could not demote the samba for some reason from the domain, I 
simply stopped the Samba process on Linux servers and removed Samba 
metadata on windows using ntdsutil tool. You must be careful with that 
command since you can destroy all your domain data with it.


Now with just Windows 2003 server in the domain I have simply raised 
the forest level and did not experience any problems with it.


Next, I opened DNS MMC in Windows2003 and selected my domain zones, 
right clicked the zone and in options selected forest wide replication.

I don't remember the exact name of the tab, but it is easily identified.

Now I have reinstalled (make uninstall; make install) Samba on the 
Linux servers and joined them as DC's to Windows server.
Now it is a good time to test replication of LDAP data between servers 
by adding for example user1 to Windows and user2 to Linux server and see
if the users are being replicated between the servers.  Also check the 
status of samba-tool drs showrepl.


Then, if the data is replicating without any error, transfer all FSMO 
roles to the Linux server using samba-tool fsmo transfer --role=all.


Now wait few minutes and shutdown Windows 2003 server from the 
network.  At this point the domain should be running just fine and 
everything can be
based on Samba4 AD's.  Now you can manage your Domain and DNS data 
through Windows MMC tools or through samba-tool CLI tool.



Also if you experience some issue with slow logins in Domain 
workstations, be sure to delete ipv6 address from DNS zone, as it 
fixed login times in my case.


If you are doing this in a fully functional environment where everything 
is depending on your DC, and people are using workstations 24H, don't 
worry, it can be done since I did that without any downtime. I have 
successfully converted an old windows 2000 domain into a 2003 compatible 
domain running only on (for now) two Samba DC's.


On 08/28/2013 06:29 PM, Garth Keesler wrote:
Wow! I'm impressed! :-) I also ensured that the domain was at 2003 
native but with no improvement.


When you say that in the DNS tool I configured forest wide zone 
replication, is that the Win DNS MMC or samba-tool? Can you be 
specific? That may have been my problem.


Thanx,
Garth

On 08/28/2013 09:52 AM, Antun Horvat wrote:

Hello again,

I wanted to notify everybody that I managed to overcome this problem.
The issue was that CN=MicrosoftDNS,DC=ForestDnsZones,... branch was 
missing because

the Forest was operating in Windows 2000 native functional level.
The thing that I did was, transfer all FSMO roles back to Windows 
2003 server plugged off Samba servers, cleaned Samba server metadata 
and then raised the level of the domain to Windows 2003 Native.

Then in the DNS tool I configured forest wide zone replication.
Then i did fresh install of Samba on Linux servers and joined the 
them to the domain.


When I was sure that all changes are being replicated across all 
domain controllers, I transfered all FSMO roles

back to one Linux server and unplugged Windows 2003 from the network.

Now I have full access to DNS services and all other levels of 
Domain are functional.


To be exact, I still have some minor issues such as long logon times, 
but soon I will resolve them too.


All best,
Antun

On 08/27/2013 09:00 PM, Antun Horvat wrote:
Well that's the thing, I can only replicate DNS changes from WinDC 
to Samba, but not in other way.

I can't even update DNS records on Samba side, only on Windows side.

I managed to figure out an error on Samba caused by RPC call:
dnsserver: Found DNS zone .
Failed to find DNS Zones in 
CN=MicrosoftDNS,DC=ForestDnsZones,DC=Radio101,DC=local


Now I am surfing on the web trying to find some kind of solution.

All best,
Antun

On 08/27/2013 08:46 PM, Garth Keesler wrote:
Interesting. Are Forest and Domain records being replicated in 
both directions from all DCs? It always worked from the WinDC to 
the S4DC but not in the other direction. Also, were you able to 
use the WIN DNS MMC to examine the DNS records on any of the Samba 
DCs? If so, you are probably close to having it working; something 
I never managed to do.



Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread steve
On Wed, 2013-08-28 at 20:18 +0200, Luca Olivetti wrote:
 On 28/08/13 20:11, steve wrote:
 
  Hi
  Without objectClass: posixAccount
  you need the filter for nslcd.
  
  IOW, for AD, you either must add it yourself or use the nslcd filter.
  
  Windows does not need the objectClass. nslcd does unless you want to
  filter everything.
 
 Thank you, I though that was the case.
 It's something that Marc will have to specify in the howto.

Hi
Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Luca Olivetti
On 28/08/13 23:09, steve wrote:

 Yeah, nslcd works well, but for AD functionality and speed, sssd is the
 only way to go for nss on Samba4 or any m$ server.
 Just my €0.02

I'll try it. I only used nslcd because that's what was suggested in the
samba wiki.

Bye
-- 
Luca Olivetti
Wetron Automation Technology http://www.wetron.es
Tel. +34 935883004  Fax +34 935883007
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Samba4 consumes more CPU

2013-08-28 Thread Andrew Bartlett
On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
 
 
 Dear Andrew,
 
 
 As per your suggestion , I have attached the gdb log of the samba and
 smbd process log running in the single server mode.
 
 Also when I noted in the perf top, libndr.so consumes the maximum cpu.

 I noticed that it happens soon after sometime the samba process is
 started and the CPU is filled up.
 
 Since the samba process occupies 100% of at least two or more CPUs out of
 8 CPUs, the clients are not able to get authenticated to the server.
 
 Kindly go through the logs and suggest what can be done to lessen the
 CPU consumption.

Sadly the gdb backtrace does not happen to be from the point that is
consuming the CPU, if that really is in libndr.  It is in both cases in
a poll() loop.

Are you using the internal DNS server?  If so, please change to using
DLZ_BIND9 using the samba_upgradedns script, and see if that helps.  I
have had a more successful investigation with another user that
indicates an issue there, triggered by double-processing of secure DNS
updates from clients in our DNS server.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Samba4 Member Server not working

2013-08-28 Thread Carlos Alberto Borges Garcia
Hi,

I have one Samba4 server running as Active Directory Domain Controller.
It's working like a charm.

So I needed to add another server to be a Member Server (File Server).

The server is running samba-4.0.9.

Configured and compiled ok:

./configure --prefix=/usr/local/samba --sysconfdir=/etc
--localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
--sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
--with-shared-modules=idmap_ad,pam

Installed ok.

Kerberos OK.
I can run kinit and klist

root@MYNETSRV08:/etc/samba# kinit Administrator
Password for administra...@mynet.net:
root@MYSRV08:/etc/samba#

root@MYNETSRV08:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@mynet.net

Valid startingExpires   Service principal
28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
renew until 29/08/2013 19:59
root@MYNETSRV08:/etc/samba#

My SMB.CONF is below:

[global]

   workgroup = MYNET
   security = ADS
   realm = MYNET.NET
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config MYNET:backend = ad
   idmap config MYNET:schema_mode = rfc2307

   idmap config MYNET:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

[test]
   path = /mnt/files
   read only = no



I can add my server to domain:

root@PCOSRV08:/etc/samba# net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYNET
Joined 'MYNETSRV08' to dns domain 'mynet.net'
root@MYNETSRV08:/etc/samba#

libnss_winbind.so is in the right place:

root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
/lib/libnss_winbind.so  /lib/libnss_winbind.so.2

The libs are loaded fine:

root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_ldap.so.2 -> libnss_ldap.so.2
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
libnss_wins.so -> libnss_wins.so.2
libnss_winbind.so -> libnss_winbind.so.2
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
root@MYNETSRV08:/etc/samba#

I added winbind to my nsswitch.conf

passwd: compat winbind
group:  compat winbind

I can start the daemon without issues:

smbd
nmbd
winbindd

wbinfo -u list all my domain users

wbinfo -g list all my domain groups


Here are the problems:

When I run getent passwd, it lists only the local users.

When I run id Administrator, it returns No such user.


If I try to access the share defined in smb.conf, the server does not
recognize my user/password.

I'm lost.


Thanks in advance.






-- 
http://www.endomondo.com/profile/3312580

Veja:  http://naofoiacidente.org/blog/por-quem/ 
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 Member Server not working

2013-08-28 Thread Andrew Bartlett
On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
 Hi,
 
 I have one Samba4 server running as Active Directory Domain Controller.
 It's working like a charm.
 
 So I needed to add another server to be a Member Server (File Server).
 
 The server is running samba-4.0.9.
 
 Configured and compiled ok:
 
 ./configure --prefix=/usr/local/samba --sysconfdir=/etc
 --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
 --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
 --with-shared-modules=idmap_ad,pam
 
 Installed ok.
 
 Kerberos OK.
 I can run kinit and klist
 
 root@MYNETSRV08:/etc/samba# kinit Administrator
 Password for administra...@mynet.net:
 root@MYSRV08:/etc/samba#
 
 root@MYNETSRV08:/etc/samba# klist
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: administra...@mynet.net
 
 Valid startingExpires   Service principal
 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
 renew until 29/08/2013 19:59
 root@MYNETSRV08:/etc/samba#
 
 My SMB.CONF is below:
 
 [global]
 
workgroup = MYNET
security = ADS
realm = MYNET.NET
encrypt passwords = yes
 
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config MYNET:backend = ad
idmap config MYNET:schema_mode = rfc2307
 
idmap config MYNET:range = 500-4
 
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
 
 [test]
path = /mnt/files
read only = no
 
 
 
 I can add my server to domain:
 
 root@PCOSRV08:/etc/samba# net ads join -U administrator
 Enter administrator's password:
 Using short domain name -- MYNET
 Joined 'MYNETSRV08' to dns domain 'mynet.net'
 root@MYNETSRV08:/etc/samba#
 
 libnss_winbind.so is in the right place:
 
 root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
 /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
 
 The libs are loaded fine:
 
 root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
 libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
 libnss_compat.so.2 -> libnss_compat-2.13.so
 libnss_dns.so.2 -> libnss_dns-2.13.so
 libnss_ldap.so.2 -> libnss_ldap.so.2
 libnss_nis.so.2 -> libnss_nis-2.13.so
 libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
 libnss_files.so.2 -> libnss_files-2.13.so
 libnss_wins.so -> libnss_wins.so.2
 libnss_winbind.so -> libnss_winbind.so.2
 libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
 libnss_compat.so.2 -> libnss_compat-2.13.so
 libnss_dns.so.2 -> libnss_dns-2.13.so
 libnss_nis.so.2 -> libnss_nis-2.13.so
 libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
 libnss_files.so.2 -> libnss_files-2.13.so
 root@MYNETSRV08:/etc/samba#
 
 I added winbind to my nsswitch.conf
 
 passwd: compat winbind
 group:  compat winbind
 
 I can start the daemon without issues:
 
 smbd
 nmbd
 winbindd
 
 wbinfo -u lists all my domain users
 
 wbinfo -g lists all my domain groups
 
 
 Here are the problems:
 
 When I run getent passwd, it lists only the local users.

For performance reasons, by default we do not list users in the AD
domain.  See winbind enum users in your smb.conf

 When I run id Administrator, it returns No such user.

You need to use 'id MYNET\\administrator'

 If I try to access the share defined in smb.conf, the server does not
 recognize my user/password.

Can you give more detail on this part of the issue, and include logs
etc?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] objectClass:posixAccount missing

2013-08-28 Thread Marc Muehlfeld

On 29.08.2013 00:10, Luca Olivetti wrote:

Yeah, nslcd works well, but for AD functionality and speed, sssd is the
only way to go for nss on Samba4 or any m$ server.
Just my €0.02


I'll try it. I only used nslcd because that's what was suggested in the
samba wiki.


The Winbind and sssd Howto isn't finished yet. Currently I don't have too 
much time, but I'm working on it. :-)



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client) behaviour #2 - accept: Software caused connection abort.

2013-08-28 Thread Andrew Bartlett
On Sun, 2013-08-25 at 18:50 +0100, Tris Mabbs wrote:
 Probably should have posted this to samba-technical in the
 first place, so re-posting in case anyone has any useful ideas...
 
 
 From: Tris Mabbs
 
 Sent: 12 August 2013 23:08
 To: 'samba@lists.samba.org'
 Subject: Odd Samba 4 (4.2.0pre1-GIT-b505111; actually only using client)
 behaviour #2 - accept: Software caused connection abort.
 
 
 Good day oh technical ones...
 
 
 I was running Samba 4 (client only, not using it as a DC so
 effectively running Samba 3 code from the Samba 4 tree) and, other than a
 little Gotcha! regarding decoding Kerberos PACs, it was all working
 perfectly.
 
 Then recently I had to upgrade, to 4.2.0pre1-GIT-b505111
 (I had to upgrade the OS on the server running Samba - 'twas OpenSolaris
 and is now Solaris 11.1) so I recompiled it all up and installed afresh
 (so no .tdbs from the previous installation or anything).
 
 
 But here's a funny thing (#2).  The log file gets absolutely
 ridiculous numbers of messages thus:
 
 
 Aug 12 22:45:01 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
 22:45:01.731562,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
 
 Aug 12 22:45:01 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
 Software caused connection abort
 
 Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
 22:45:03.556423,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
 
 Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
 Software caused connection abort
 
 Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error] [2013/08/12
 22:45:03.556688,  0] ../source3/smbd/server.c:556(smbd_accept_connection)
 
 Aug 12 22:45:03 Gateway smbd[16327]: [ID 702911 daemon.error]   accept:
 Software caused connection abort
 
 
 And so on.  These will come in spurts; there won't be any
 such messages for several minutes then a whole load will come along all at
 once.  Rather like busses...

 
 I will catch smbd in the act at some point though, and
 when I do I'll follow-up with a system call trace to show exactly what is
 happening when this message gets triggered.  It will, of course, be
 something bizarrely Solaris specific (you didn't set the
 SO_DONT_RANDOMLY_ABORT_CONNECTIONS socket() option, did you?  Tsk tsk tsk
 ...).

I think that's probably the right track :-)

The code here is triggered when poll() indicates that the socket is
readable.  This socket should only be readable when a new connection is
being made, and accept() should succeed.

In the source4/smbd/process_single.c code equivalent to this, there is
this helpful hint:
	/* accept an incoming connection. */
	status = socket_accept(listen_socket, &connected_socket);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("single_accept_connection: accept: %s\n",
			 nt_errstr(status)));
		/* this looks strange, but is correct.

		   We can only be here if woken up from select, due to
		   an incoming connection.

		   We need to throttle things until the system clears
		   enough resources to handle this new socket.

		   If we don't then we will spin filling the log and
		   causing more problems. We don't panic as this is
		   probably a temporary resource constraint */
		sleep(1);
		return;
	}

So, my only conclusion is that your box momentarily does not have the
resources to accept the connection, and because there isn't the sleep()
in the source3 code, it prints this in a loop until the resources become
available. 

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
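
The diagnosis in Andrew's reply above is that the source3 accept path has no
back-off, so a burst of accept() failures is logged in a tight loop until the
kernel recovers. The code below is an added example written for this page, not
Samba code: a small accept routine that classifies the errno from a failed
accept(), returns to poll() on a spurious wakeup, retries at once when a peer
aborted its own handshake, and sleeps only when the failure is a resource
constraint or when aborted handshakes arrive in a storm (the page's symptom,
whatever its cause). The enum names, the functions, the ABORT_BURST_LIMIT of 16
and the 1 s sleep are this example's own choices; the two listener helpers bind
127.0.0.1 on an ephemeral port purely so the example can run offline.

```c
/* Added example for this page, not Samba code: an accept() path that backs
 * off on resource exhaustion instead of spinning and flooding the log. */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define ABORT_BURST_LIMIT 16  /* assumption: consecutive ECONNABORTEDs before backing off */

enum accept_outcome {
	ACCEPT_OK,          /* connection accepted, *client_fd is valid */
	ACCEPT_WOULD_BLOCK, /* nothing pending (spurious wakeup): back to poll() */
	ACCEPT_RETRY,       /* peer aborted before we accepted: retry at once */
	ACCEPT_THROTTLE,    /* out of fds or buffers: sleep, or we spin */
	ACCEPT_FATAL        /* bad listener fd or similar programming error */
};

/* Classify the errno left by a failed accept(). Pure, so unit-testable.
 * (EWOULDBLOCK has the same value as EAGAIN on Linux and Solaris.) */
enum accept_outcome classify_accept_errno(int err)
{
	switch (err) {
	case EAGAIN:
	case EINTR:
		return ACCEPT_WOULD_BLOCK;
	case ECONNABORTED:      /* "Software caused connection abort" */
	case EPROTO:
		return ACCEPT_RETRY;
	case EMFILE:            /* per-process fd limit */
	case ENFILE:            /* system-wide fd limit */
	case ENOBUFS:
	case ENOMEM:
		return ACCEPT_THROTTLE;
	default:
		return ACCEPT_FATAL;
	}
}

/* One accept() attempt after poll() said the listener is readable. Every real
 * failure is logged once, but we sleep only on resource exhaustion or on a
 * storm of aborted handshakes, so a tight loop cannot fill the log. */
enum accept_outcome accept_one(int listen_fd, int *client_fd)
{
	static unsigned aborts_in_a_row;
	int fd = accept(listen_fd, NULL, NULL);
	if (fd >= 0) {
		aborts_in_a_row = 0;
		*client_fd = fd;
		return ACCEPT_OK;
	}
	int saved_errno = errno;  /* fprintf() may clobber errno */
	enum accept_outcome outcome = classify_accept_errno(saved_errno);
	if (outcome != ACCEPT_RETRY)
		aborts_in_a_row = 0;
	else if (++aborts_in_a_row >= ABORT_BURST_LIMIT)
		outcome = ACCEPT_THROTTLE;    /* abort storm: treat like resource trouble */
	if (outcome != ACCEPT_WOULD_BLOCK)
		fprintf(stderr, "accept: %s\n", strerror(saved_errno));
	if (outcome == ACCEPT_THROTTLE)
		sleep(1);                     /* back off until the system recovers */
	return outcome;
}

/* Scaffolding so the example runs offline: a non-blocking TCP listener on
 * 127.0.0.1, ephemeral port. Returns -1 if sockets are unavailable. */
int make_loopback_listener(void)
{
	struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = 0 };
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd >= 0 && (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
			listen(fd, 8) < 0 ||
			fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK) < 0)) {
		close(fd);
		return -1;
	}
	return fd;
}

/* Connect a client to the listener and wait (up to 1 s) until poll() reports
 * the pending connection on the listener. Returns the client fd or -1. */
int connect_to_listener(int listen_fd)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	struct pollfd pfd = { .fd = listen_fd, .events = POLLIN };
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd >= 0 && (getsockname(listen_fd, (struct sockaddr *)&sin, &len) < 0 ||
			connect(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 ||
			poll(&pfd, 1, 1000) <= 0)) {
		close(fd);
		return -1;
	}
	return fd;
}
```

Driven from a main() that calls accept_one() once on the idle listener and
once after connect_to_listener(), the first call returns ACCEPT_WOULD_BLOCK and
the second ACCEPT_OK. The point of the design is the split between "log" and
"sleep": a server must record the failure, but the only failures worth pausing
for are the ones that will still be there on the next iteration, and a
diagnostic that repeats every few milliseconds is itself a resource problem
(log volume) on top of the one it reports.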


Re: [Samba] nslcd / pam_ldap HowTo

2013-08-28 Thread Marc Muehlfeld

On 27.08.2013 10:52, Marc Muehlfeld wrote:

I had a short search for 0.8 and it seems that since then, some
comfortable changes were done for AD.

If I have time tonight, I'll compile the latest version and try to find
out the differences and comment my examples accordingly. Then the users
can decide to stay on their old version (if they use an enterprise
distribution) or to use the new one.



I published a larger rework of the HowTo. It contains Kerberos and 
other information I collected from the discussions of the last days 
about nslcd.


https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd


@All: Please give some feedback. Thanks.



Regards,
Marc

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[SCM] Samba Shared Repository - branch master updated

2013-08-28 Thread Jeremy Allison
The branch, master has been updated
   via  91186fc s3: fix missing braces in nfs4_acls.c
  from  617c647 Fix valgrind errors with memmove and talloc pools.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 91186fcf9da6fa1180d9d773882a388e78c4c3b9
Author: Abhidnya Joshi achir...@in.ibm.com
Date:   Mon Aug 26 12:31:49 2013 +0530

s3: fix missing braces in nfs4_acls.c

Reviewed-by: Jeremy Allison j...@samba.org
Reviewed-by: Simo Sorce i...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Wed Aug 28 20:25:56 CEST 2013 on sn-devel-104

---

Summary of changes:
 source3/modules/nfs4_acls.c |3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/modules/nfs4_acls.c b/source3/modules/nfs4_acls.c
index dab1a2a..500cb47 100644
--- a/source3/modules/nfs4_acls.c
+++ b/source3/modules/nfs4_acls.c
@@ -987,9 +987,10 @@ NTSTATUS smb_set_nt_acl_nfs4(vfs_handle_struct *handle, 
files_struct *fsp,
  (unsigned int)newGID));
if (smbacl4_GetFileOwner(fsp-conn,
 fsp-fsp_name-base_name,
-sbuf))
+sbuf)){
TALLOC_FREE(frame);
return map_nt_error_from_unix(errno);
+   }
 
/* If we successfully chowned, we know we must
 * be able to set the acl, so do it as root.
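
Review bot: inside the new braces, errno is read by map_nt_error_from_unix(errno) only after TALLOC_FREE(frame) has run; talloc_free() ends in free(), which is allowed to modify errno, so the NTSTATUS can be derived from the wrong error. Capture it first, e.g. `int saved_errno = errno;` before `TALLOC_FREE(frame);` and then `return map_nt_error_from_unix(saved_errno);`. Minor style point: `sbuf)){` wants a space before the opening brace to match the rest of the file.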


-- 
Samba Shared Repository


[SCM] Samba Shared Repository - branch master updated

2013-08-28 Thread Jeremy Allison
The branch, master has been updated
   via  6e3650e torture: Add buffercheck tests
   via  1b1935b smbd: Correctly return INFO_LENGTH_MISMATCH for smb1
   via  5634f24 smbd: Fix error return for STREAM_INFO
   via  b37edda smbd: Revert a93f9c3
   via  40f6002 smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo
   via  9193961 smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo
   via  ac41df9 smbd: qfsinfo has fixed/variable buffers
   via  5312399 smbd: qfilepathinfo has fixed/variable buffers
   via  e1843cd torture3: add clipathinfo-bufsize
   via  1cae59c dbwrap_ctdb: Treat empty records as non-existing
  from  91186fc s3: fix missing braces in nfs4_acls.c

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 6e3650edd3cbdd9f29be4e8fa9ec9cd307f178e7
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:41:13 2013 +

torture: Add buffercheck tests

Make sure we get the smb2 infolevel fixed portions right

I could not find correct #defines for the infolevels

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

Autobuild-User(master): Jeremy Allison j...@samba.org
Autobuild-Date(master): Thu Aug 29 01:27:11 CEST 2013 on sn-devel-104

commit 1b1935b876a14154ef74e447bf53eb7cd0a5dde9
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:40:19 2013 +

smbd: Correctly return INFO_LENGTH_MISMATCH for smb1

This is required if the client offered less buffer than the fixed portion
of the info level data requires

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit 5634f240fd4273cb732740ccbea0fd41e3fc
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:39:17 2013 +

smbd: Fix error return for STREAM_INFO

The stream_info marshalling follows its own rules. This needs unifying
eventually...

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit b37edda32930fec372d6467d442f67532c3fbd33
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:38:29 2013 +

smbd: Revert a93f9c3

This was too broad and has been replaced by finer-grained error checks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit 40f60024ca19e33cbbe9825b42692f386a8f1dd9
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:37:34 2013 +

smbd: Correctly return BUFFER_OVERFLOW in smb2_getinfo

Also, don't overflow the client buffer

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit 91939614760837b2ac2c6bb8b5daac108a4f4670
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:36:03 2013 +

smbd: Correctly return INFO_LENGTH_MISMATCH in smb2_getinfo

We have to return this error if the client offered less than the fixed
portion of the infolevel data requires

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit ac41df91a5a425633fc716ca02187e753879d795
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:06:27 2013 +

smbd: qfsinfo has fixed/variable buffers

The error message will have to change depending whether the buffer is
too small for the fixed or variable buffers

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit 53123996033594f68a3fc9037474aada3aef0750
Author: Volker Lendecke v...@samba.org
Date:   Tue Aug 27 09:06:27 2013 +

smbd: qfilepathinfo has fixed/variable buffers

The error message will have to change depending whether the buffer is
too small for the fixed or variable buffers

Bug: https://bugzilla.samba.org/show_bug.cgi?id=10106
Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit e1843cd33274a3d790a4214b3d50a584d3d3fc95
Author: Volker Lendecke v...@samba.org
Date:   Fri Aug 23 13:57:03 2013 +

torture3: add clipathinfo-bufsize

Signed-off-by: Volker Lendecke v...@samba.org
Reviewed-by: Jeremy Allison j...@samba.org

commit 1cae59ce112ccb51b45357a52b902f80fce1eef1
Author: Volker Lendecke v...@samba.org
Date:   Wed Aug 28 11:34:08 2013 +

dbwrap_ctdb: Treat empty records as non-existing

This is a patch 

[SCM] Samba Shared Repository - branch master updated

2013-08-28 Thread Björn Jacke
The branch, master has been updated
   via  4dd1523 docs: Add man samba-regedit.8.
  from  6e3650e torture: Add buffercheck tests

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -
commit 4dd1523b95b214723dc9c0dfc5b5a6778bf4fc4d
Author: Karolin Seeger ksee...@samba.org
Date:   Thu Aug 22 12:55:53 2013 +0200

docs: Add man samba-regedit.8.

Fix bug #10001 - Man page for samba-regedit tool missing.

Signed-off-by: Karolin Seeger ksee...@samba.org
Signed-off-by: Björn Jacke b...@sernet.de

Autobuild-User(master): Björn Jacke b...@sernet.de
Autobuild-Date(master): Thu Aug 29 03:15:51 CEST 2013 on sn-devel-104

---

Summary of changes:
 docs-xml/manpages/samba-regedit.8.xml |  121 +
 docs-xml/wscript_build|1 +
 2 files changed, 122 insertions(+), 0 deletions(-)
 create mode 100644 docs-xml/manpages/samba-regedit.8.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/samba-regedit.8.xml 
b/docs-xml/manpages/samba-regedit.8.xml
new file mode 100644
index 000..e7ec761
--- /dev/null
+++ b/docs-xml/manpages/samba-regedit.8.xml
@@ -0,0 +1,121 @@
+?xml version=1.0 encoding=iso-8859-1?
+!DOCTYPE refentry PUBLIC -//Samba-Team//DTD DocBook V4.2-Based Variant 
V1.0//EN http://www.samba.org/samba/DTD/samba-doc;
+refentry id=samba-regedit.8
+
+refmeta
+   refentrytitlesamba-regedit/refentrytitle
+   manvolnum8/manvolnum
+   refmiscinfo class=sourceSamba/refmiscinfo
+   refmiscinfo class=manualSystem Administration tools/refmiscinfo
+   refmiscinfo class=version4.1/refmiscinfo
+/refmeta
+
+
+refnamediv
+   refnamesamba-regedit/refname
+   refpurposencurses based tool to manage the Samba registry/refpurpose
+/refnamediv
+
+refsynopsisdiv
+   cmdsynopsis
+   commandsamba-regedit/command
+   arg choice=opt--help/arg
+   arg choice=opt--usage/arg
+   arg choice=opt-d lt;debug levelgt;/arg
+   arg choice=opt-s lt;configuration filegt;/arg
+   arg choice=opt-l lt;log directorygt;/arg
+   arg choice=opt-V/arg
+   arg choice=opt--option=lt;parametergt;=lt;valuegt;/arg
+   arg choice=opt--socket-options=lt;SOCKETOPTIONSgt;/arg
+   arg choice=opt--netbiosname=lt;NETBIOSNAMEgt;/arg
+   arg choice=opt--workgroup=lt;WORKGROUPgt;/arg
+   arg choice=opt--scope=lt;SCOPEgt;/arg
+   arg choice=opt--user=lt;USERNAMEgt;/arg
+   arg choice=opt-N/arg
+   arg choice=opt-k/arg
+   arg choice=opt--authentication-file=lt;FILEgt;/arg
+   arg choice=opt--signing=[on|off|required]/arg
+   arg choice=opt-P/arg
+   arg choice=opt-e/arg
+   arg choice=opt-C/arg
+   arg choice=opt--pw-nt-hash/arg
+   /cmdsynopsis
+/refsynopsisdiv
+
+refsect1
+   titleDESCRIPTION/title
+
+   paraThis tool is part of the 
citerefentryrefentrytitlesamba/refentrytitle
+   manvolnum7/manvolnum/citerefentry suite./para
+   paracommandsamba-regedit/command is a ncurses based tool to 
manage the Samba
+   registry. It can be used to show/edit registry keys/subkeys and
+   their values./para
+/refsect1
+
+refsect1
+   titleOPTIONS/title
+   variablelist
+   stdarg.help;
+   varlistentry
+   term--usage/term
+   listitemparaDisplay brief usage message./para/listitem
+   /varlistentry
+   varlistentry
+   term-d|--debuglevel=lt;debuglevelgt;/term
+   listitemparaSet debug level./para/listitem
+   /varlistentry
+   popt.common.samba;
+   varlistentry
+   term--option=lt;parametergt;=lt;valuegt;/term
+   listitemparaSet smb.conf option from command 
line./para/listitem
+   /varlistentry
+   popt.common.connection;
+   varlistentry
+   term-S|--signing/term
+   listitemparaSet the client signing state./para/listitem
+   /varlistentry
+   varlistentry
+   term-P|--machine-pass/term
+   listitemparaUse stored machine account 
password./para/listitem
+   /varlistentry
+   popt.common.credentials;
+   varlistentry
+   term-e|--encrypt/term
+   listitemparaEncrypt SMB transport (UNIX extended servers 
only)./para
+   /listitem
+   /varlistentry
+   varlistentry
+   term--pw-nt-hash/term
+   listitemparaThe supplied password is the NT hash./para
+   /listitem
+   /varlistentry
+   /variablelist
+/refsect1
+
+
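
Review bot: the entry for `--pw-nt-hash` (`The supplied password is the NT hash.`) should say that the NT hash is password-equivalent for NTLM authentication, so a hash given on the command line is as sensitive as the cleartext password and is readable by every local user through the process list for as long as the tool runs; suggest pointing readers to `--authentication-file=<FILE>` (already listed in the synopsis) for non-interactive use and keeping the hash out of argv and shell history.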

[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.66-14-g91f522f

2013-08-28 Thread Amitay Isaacs
The branch, 1.2.40 has been updated
   via  91f522f928f28b3c3463963aedd71a251545b910 (commit)
   via  dec866151a85cd2574a1e6acefc0125386fe854b (commit)
   via  91d60247b360b032a987604f60220176d350daa2 (commit)
   via  b0d147dbac28a4dd9a5d002ded3f0d0488009ebc (commit)
   via  1268ed6edbdee97f6757205bb10d1f285f6394c6 (commit)
   via  3e898f99ba497e1c9f9bb3db02cb0285f6d27a82 (commit)
   via  04922de5ffbaaec7384990dd1b5af412982eb716 (commit)
   via  2f4dab3d06759e6fea4b6fbc6599aba53d68e9b3 (commit)
   via  61de7d17229c7d3061bf8501e66d7a18f16feabf (commit)
   via  3bdc8331051b0182d5383fb3b16b34dd4dabd3d1 (commit)
   via  9132e6814ed927fa317f333f03dedb18f75d0e5b (commit)
   via  ec20cf74ac70434402d7ccf2d72c2e1b86ed87be (commit)
   via  d9f6ddb67ec06ba87a7debc04908296773809bf2 (commit)
   via  8d251ce2871770708a2304fa5dae2ddab12d2539 (commit)
  from  9321cc2b24c351bca92bf728046cafa3073ef89a (commit)

http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40


- Log -
commit 91f522f928f28b3c3463963aedd71a251545b910
Author: Amitay Isaacs ami...@gmail.com
Date:   Wed Aug 14 16:23:27 2013 +1000

New version 1.2.67

Signed-off-by: Amitay Isaacs ami...@gmail.com

commit dec866151a85cd2574a1e6acefc0125386fe854b
Author: Martin Schwenke mar...@meltin.net
Date:   Wed Aug 14 19:17:46 2013 +1000

client: Change timeout to 10 seconds for the call to ctdb_ctrl_getpnn()

A more flexible solution would be to backport the patch to add a
timeout argument to ctdb_cmdline_client() but that breaks too many
things for this branch.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 91d60247b360b032a987604f60220176d350daa2
Author: Martin Schwenke mar...@meltin.net
Date:   Fri Aug 9 11:56:29 2013 +1000

tools/ctdb: Increase default control timeout to 10 seconds

The current 3 second timeout is arbitrary and users trip over it
sometimes.

Signed-off-by: Martin Schwenke mar...@meltin.net
(cherry picked from commit b49c4f39666d5b1596213bf41bcdc47ed3c327ae)

commit b0d147dbac28a4dd9a5d002ded3f0d0488009ebc
Author: Amitay Isaacs ami...@gmail.com
Date:   Tue Aug 13 14:02:46 2013 +1000

recoverd: Use TDB_INCOMPATIBLE_HASH when creating volatile databases

When creating missing databases either locally or remotely, recovery
master calls ctdb_ctrl_createdb().  Recovery master always passes 0
for tdb_flags.  For volatile databases, if TDB_INCOMPATIBLE_HASH is not
specified, then they will be attached without using jenkins hash causing
database corruption.

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 2fc6b6403707a292d134140fc0b9145b454992c5)

commit 1268ed6edbdee97f6757205bb10d1f285f6394c6
Author: Amitay Isaacs ami...@gmail.com
Date:   Wed Jul 10 12:23:30 2013 +1000

ctdbd: Print tdb flags when logging attached to database message

Signed-off-by: Amitay Isaacs ami...@gmail.com
(cherry picked from commit 846109169ee5e3d03135156e45c8dac93aa2e95b)

commit 3e898f99ba497e1c9f9bb3db02cb0285f6d27a82
Author: Martin Schwenke mar...@meltin.net
Date:   Wed Aug 14 15:40:27 2013 +1000

tools/ctdb: Make ban/unban more resilient to timeouts

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 04922de5ffbaaec7384990dd1b5af412982eb716
Author: Martin Schwenke mar...@meltin.net
Date:   Thu Aug 8 14:37:03 2013 +1000

eventscripts: Move NFS reconfigure to ipreallocated event

Doing this in the monitor event is unsafe because it causes the node
health status to flip-flop.  At the moment when a node goes unhealthy
it is failed out, IPs are released and the monitor event handles the
reconfigure, returning 0 even though the service failure is
unresolved.

This change was made in the master branch a long time ago.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 2f4dab3d06759e6fea4b6fbc6599aba53d68e9b3
Author: Martin Schwenke mar...@meltin.net
Date:   Tue Aug 6 16:46:21 2013 +1000

eventscripts: Change the nfsd RPC check failure policy

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 61de7d17229c7d3061bf8501e66d7a18f16feabf
Author: Martin Schwenke mar...@meltin.net
Date:   Tue Aug 6 16:46:01 2013 +1000

eventscripts: New function ctdb_check_counter()

This provides much more flexible counter handling.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 3bdc8331051b0182d5383fb3b16b34dd4dabd3d1
Author: Martin Schwenke mar...@meltin.net
Date:   Tue Aug 6 16:44:50 2013 +1000

eventscripts: Add optional counter name argument to some counter functions

This helps some calling code look less like line noise.

Signed-off-by: Martin Schwenke mar...@meltin.net

commit 9132e6814ed927fa317f333f03dedb18f75d0e5b
Author: Martin Schwenke mar...@meltin.net
Date:   Fri Aug 2 

[SCM] CTDB repository - annotated tag ctdb-1.2.67 created - ctdb-1.2.67

2013-08-28 Thread Amitay Isaacs
The annotated tag, ctdb-1.2.67 has been created
at  6256a5fce84f13ed3d5b1a7ef23c2d552eed2e07 (tag)
   tagging  91f522f928f28b3c3463963aedd71a251545b910 (commit)
  replaces  ctdb-1.2.66
 tagged by  Amitay Isaacs
on  Thu Aug 29 14:34:10 2013 +1000

- Log -
new version 1.2.67

Amitay Isaacs (4):
  client: Exit with non-zero status when unix socket is closed
  ctdbd: Print tdb flags when logging attached to database message
  recoverd: Use TDB_INCOMPATIBLE_HASH when creating volatile databases
  New version 1.2.67

Martin Schwenke (10):
  recoverd: Log node that causes takeover run to fail
  recoverd: Call takeover fail callback only once per node
  recoverd: Banned nodes should not be told to run ipreallocated event
  eventscripts: Add optional counter name argument to some counter functions
  eventscripts: New function ctdb_check_counter()
  eventscripts: Change the nfsd RPC check failure policy
  eventscripts: Move NFS reconfigure to ipreallocated event
  tools/ctdb: Make ban/unban more resilient to timeouts
  tools/ctdb: Increase default control timeout to 10 seconds
  client: Change timeout to 10 seconds for the call to ctdb_ctrl_getpnn()

---


-- 
CTDB repository