Re: [Samba] Samba4, ZFS and FreeBSD
Hi Andrew, thanks for the quick answer. Apologies that some of my "guesswork" wasn't right.

From: "Andrew Bartlett"
> smbd has NFSv4 ACLs

Great!

> On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> > I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS
> > support. But I am afraid I am not good enough to code it myself. I am
> > a sysadmin who reads C code frequently, it does not make me a good
> > coder..
>
> The issue is essentially that the python-based provision code needs to
> detect the use of zfs, load the zfsacl module in the generated smb.conf,
> and instead of testing simple posix ACLs, proceed to setting a full NT
> ACL when we create the sysvol share.

Okay.. python is one of the languages I did not learn so far. Well, I will see what I can do.

For the sake of clarification: in case
- I get the provisioning right,
- I have the zfsacl module in the generated smb.conf,
will I have a working smbd?

Thanks again
Peter

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4, ZFS and FreeBSD
On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> Hi all,
> I am in the process of finding the best way to use Samba4 as an AD
> under FreeBSD and ZFS.
>
> The following is based on own research, google, mail archives, a bit
> of source code etc. So please correct me if I am wrong.
>
> 1. ZFS is using NFSv4 ACLs.
> 2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
> 3. Samba4 started with a new ntvfs file server but that was abandoned
>    (or delayed?) to get samba4 released
> 4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
> 5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
> 6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs.
>    I can install an experimental module but cannot provision AD with s3fs.
> 7. The provisioning with ntvfs seems to work
>
> For me, there are two uncertainties:
> a) Will ntvfs be supported in the future? Or will it be the default later?

No, and No. We support the ntvfs file server with the existing functionality, but are not developing it. Essentially we are keeping it as a technology demonstration, as well as not breaking any existing users.

> b) Will s3fs gain support for NFSv4 ACLs?

smbd has NFSv4 ACLs

> If a) is the case, I am happy to proceed with using ntvfs.
>
> If b) is the case, I may try to use ZFS on volume management level
> (for samba4 jails only, I am running other "stuff" on the FreeBSD
> boxes with ZFS).
>
> I may create ZFS volumes and create UFS volumes, with POSIX support.
>
> Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.
>
> The other option would be to run it with ntvfs for now, switching to
> s3fs when it is "ZFS ready".
>
> I do not know who has any plans in any directions. Of course, "Solaris
> people" (Oracle, illumos) may have interests and plans in this area too.
>
> I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS
> support. But I am afraid I am not good enough to code it myself. I am
> a sysadmin who reads C code frequently, it does not make me a good
> coder..

The issue is essentially that the python-based provision code needs to detect the use of zfs, load the zfsacl module in the generated smb.conf, and instead of testing simple posix ACLs, proceed to setting a full NT ACL when we create the sysvol share.

Thanks,

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team
http://samba.org
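Andrew's description of what provisioning has to do (detect that the sysvol path is on ZFS and load the zfsacl module into the generated smb.conf) worked through as an added Python example. This is not Samba's provision code: the mount-table parsing assumes FreeBSD `mount -p` output (device, mountpoint, fstype, options, dump, pass), the sample table is constructed, and the sysvol path and the `[sysvol]` stanza are assumptions chosen to resemble a Samba AD DC's, not what samba-tool writes. What it shows is the decision itself: the filesystem that actually holds the sysvol path (longest mountpoint prefix, so a ZFS dataset under a UFS root is recognised) determines whether `vfs objects = zfsacl` is emitted.

```python
import posixpath

# Constructed sample of FreeBSD `mount -p` output: UFS root, Samba prefix
# on a ZFS dataset.  Field order is fstab-style (device, mountpoint,
# fstype, options, dump, pass); fields are separated by tabs.
SAMPLE_MOUNT_P = """\
/dev/ada0p2\t/\tufs\trw\t1\t1
devfs\t/dev\tdevfs\trw\t0\t0
zroot/samba\t/usr/local/samba\tzfs\trw,nfsv4acls\t0\t0
zroot/home\t/home\tzfs\trw,nfsv4acls\t0\t0
"""


def parse_mount_table(text):
    """Return [(mountpoint, fstype, [options])] from `mount -p` output."""
    table = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        _device, mountpoint, fstype, options = fields[:4]
        table.append((mountpoint, fstype, options.split(",")))
    return table


def filesystem_for(path, table):
    """Longest-prefix match: the mount whose mountpoint contains `path`.

    Returns (mountpoint, fstype, options) or None when nothing matches.
    """
    path = posixpath.normpath(path)
    best = None
    for mountpoint, fstype, options in table:
        mp = posixpath.normpath(mountpoint)
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = (mp, fstype, options)
    return best


def is_zfs(path, table):
    fs = filesystem_for(path, table)
    return fs is not None and fs[1] == "zfs"


def sysvol_share(sysvol_path, table):
    """Build a [sysvol] stanza, adding `vfs objects = zfsacl` on ZFS.

    Hypothetical helper: the share layout is an assumption, not the
    output of `samba-tool domain provision`.
    """
    lines = [
        "[sysvol]",
        "\tpath = %s" % sysvol_path,
        "\tread only = no",
    ]
    if is_zfs(sysvol_path, table):
        # vfs_zfsacl maps NT ACLs onto the NFSv4 ACLs ZFS stores natively,
        # instead of the POSIX ACLs smbd would otherwise expect.
        lines.append("\tvfs objects = zfsacl")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    mounts = parse_mount_table(SAMPLE_MOUNT_P)
    print(sysvol_share("/usr/local/samba/var/locks/sysvol", mounts))
```

On a real host the table would come from `subprocess.check_output(["mount", "-p"])`; the path argument is wherever the provision puts sysvol.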
[Samba] Samba4, ZFS and FreeBSD
Hi all,

I am in the process of finding the best way to use Samba4 as an AD under FreeBSD and ZFS.

The following is based on own research, google, mail archives, a bit of source code etc. So please correct me if I am wrong.

1. ZFS is using NFSv4 ACLs.
2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
3. Samba4 started with a new ntvfs file server but that was abandoned (or delayed?) to get samba4 released
4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs. I can install an experimental module but cannot provision AD with s3fs.
7. The provisioning with ntvfs seems to work

For me, there are two uncertainties:
a) Will ntvfs be supported in the future? Or will it be the default later?
b) Will s3fs gain support for NFSv4 ACLs?

If a) is the case, I am happy to proceed with using ntvfs.

If b) is the case, I may try to use ZFS on volume management level (for samba4 jails only, I am running other "stuff" on the FreeBSD boxes with ZFS).

I may create ZFS volumes and create UFS volumes, with POSIX support.

Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.

The other option would be to run it with ntvfs for now, switching to s3fs when it is "ZFS ready".

I do not know who has any plans in any directions. Of course, "Solaris people" (Oracle, illumos) may have interests and plans in this area too.

I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS support. But I am afraid I am not good enough to code it myself. I am a sysadmin who reads C code frequently, it does not make me a good coder..

Can you give any hints or advice?

Thank you
Peter
Re: [Samba] delete Kerberos database and start over
Never mind. I had a failing disk controller. Thank God for backups!

-jimc
Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
On 2013-09-25 2:47 PM, Johan Hendriks wrote:
> Kevin Field wrote:
> > Hi,
> >
> > I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these
> > global settings (not overridden):
> >
> > read only = No
> > force create mode = 0777
> > force directory mode = 0777
> > inherit acls = yes
> > inherit owner = yes
> > inherit permissions = yes
> >
> > On a Windows client, I have Thunderbird 24.0 storing its profile and
> > mail on the Samba share. The perms on everything in the share were
> > chmod -R 777'd. Then I get mail, compact a folder, whatever, and it
> > looks like this:
> >
> > ...
> > -rwxrwxrwx. 1 1128 513  2684 Sep 25 13:20 Templates.msf
> > -rwxrwx---+ 1 1128 513     0 Sep 25 13:50 Trash
> > -rwxrwx---+ 1 1128 513  2223 Sep 25 13:50 Trash.msf
> >
> > Whatever it touches is now 770. How can that be, when the parent of
> > this folder is 777, Samba is set to inherit and force 0777? Is this
> > Samba misbehaving, or Thunderbird?
> >
> > Thanks,
> > Kev
>
> It looks like you have acl's active, hence the + after the permissions
> rwxrwx---+ . These acls overrule the local permissions set by samba.
> Neither samba nor thunderbird is misbehaving.
>
> regards
> Johan Hendriks

I only partially understand. I get that + means some extended ACLs. I don't get why Samba/Thunderbird makes the file 770 instead of 777.

What I really don't get, though, is--since you mentioned ACLs I went and checked some example files in Windows--that despite the 777 files having "Everyone" with no settings, the 770 files have "Everyone" with "Full Control", not inherited! I certainly didn't intend that for a user's mail profile :) (Really though, I didn't set things up that way from the Windows side--this is someone's home drive, in which they have full control, and I didn't touch the defaults, but I certainly didn't put Everyone in there, and certainly not with Full Control.)

Where did this come from?

possibility a) smb.conf, in which case I don't understand the settings I posted here
possibility b) ACLs set by me, which I can't see being the case because our setup is so simple*
possibility c) ?

* Now just in case, and barring any Group Policy suggestions, what's the easiest way to, either from Windows or Linux, set it up so that admins have Full Control over every file, home drives additionally have Full Control for the user having the same name as the home dir, and the 'shared' drive has Everyone having Full Control? So far, because our network is so small, I had done this manually in the past, but it's a bit of a PITA to do again at this point, since each user's home dir takes a few minutes to propagate ACL changes through if I use Windows GUI tools, and meanwhile it semi-hangs the UI. I don't really care how the perms look on the Linux end of things, since users only have access via Windows clients.

From what you said about ACLs overruling, to me it would seem that our setup is simple enough that we shouldn't need "+"/Windows ACLs at all, because the normal unix ACLs are more than enough for our purposes, except that currently, Windows users don't get properly mapped, mainly because their Linux equivalents don't necessarily exist (e.g. most users don't have a CentOS login, but I do, and the "users" group and such could map from "Domain Users", I guess.) Or even if Linux perms were the same everywhere, and smb.conf enforced the rules so they came out right on the Windows side.

If someone could lay this out for me, I'd really find it helpful--I've been trying to make sense of the docs and tutorials and mailing lists and Q&A sites, and for what I would think is a fairly common setup, I can't seem to get something working without glitches for us.

It's just that, somehow, since we recently switched home drives from W2K3 to Samba serving them up, this has suddenly started happening, and is somehow causing strange side effects like Thunderbird much more often deciding to rebuild summary files of mailboxes, and mail not coming in right away (perhaps due to an un-indicated summary rebuild conflicting with a too-often mail check), and, well, these strange permissions that we never had before appearing on most files that Thunderbird modifies.

More help/hints/examples would be much appreciated :)

Thanks Johan,
Kev
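The observation Johan points at (the `+` after the mode, and a group triad that no longer matches what smb.conf forces) can be checked mechanically. The Python below is an added example, not code from the thread: it parses `ls -l` lines, separates entries that carry an extended POSIX ACL (`+`) from those that only carry an SELinux label (`.`), and reports every regular file whose mode lacks bits that `force create mode = 0777` would have set. The listing is reconstructed from Kevin's post (the archive fused the gid and size columns, here separated again) and `FORCE_CREATE_MODE` is taken from his posted smb.conf. The point a reader should take from the output is that for a `+` entry the group triad shown by `ls` is the ACL *mask*, not the owning group's entry, so the octal value alone does not tell you which ACL entry was written; that is what `getfacl` on the flagged files answers.

```python
import re

# From the posted smb.conf: force create mode = 0777
FORCE_CREATE_MODE = 0o777

# Reconstructed from the post (uid 1128, gid 513); a subset of the listing.
SAMPLE_LISTING = """\
-rwxrwxrwx. 1 1128 513       0 Oct 18  2012 Archives
-rwxrwxrwx. 1 1128 513    3158 Sep 25 13:20 Archives.msf
drwxrwxrwx. 2 1128 513    4096 Sep 25 09:12 Archives.sbd
-rwxrwx---+ 1 1128 513       0 Sep 25 13:49 Drafts
-rwxrwx---+ 1 1128 513    2450 Sep 25 13:50 Drafts.msf
-rwxrwxrwx  1 1128 513   13736 Sep 25 13:50 popstate.dat
-rwxrwx---+ 1 1128 513 2988277 Sep 25 13:21 Sent.msf
-rwxrwx---+ 1 1128 513       0 Sep 25 13:50 Trash
"""

# type, nine permission chars, optional alt-access marker ('.' SELinux
# label only, '+' extended ACL), links, user, group, size, date, name.
LS_LINE = re.compile(
    r"^(?P<type>[-dl])(?P<perms>[rwxsStT-]{9})(?P<alt>[.+ ]?)\s+"
    r"(?P<links>\d+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\S+\s+\d+\s+\S+)\s+(?P<name>.+)$"
)


def triad_to_octal(perms):
    """'rwxrwx---' -> 0o770.  setuid/setgid/sticky are not modelled;
    's'/'t' count as execute set, 'S'/'T' as execute clear."""
    mode = 0
    for ch in perms:
        mode = (mode << 1) | (ch not in "-ST")
    return mode


def parse_ls_line(line):
    m = LS_LINE.match(line)
    if not m:
        return None
    return {
        "name": m.group("name"),
        "is_dir": m.group("type") == "d",
        "mode": triad_to_octal(m.group("perms")),
        "has_acl": m.group("alt") == "+",       # extended POSIX ACL present
        "selinux_only": m.group("alt") == ".",  # security label, no ACL
        "user": m.group("user"),
        "group": m.group("group"),
    }


def audit_listing(text, forced_mode=FORCE_CREATE_MODE):
    """Return (name, mode, missing_bits, reason) for each regular file that
    lacks bits the configured force create mode would have set."""
    findings = []
    for line in text.splitlines():
        entry = parse_ls_line(line)
        if entry is None or entry["is_dir"]:
            continue
        missing = forced_mode & ~entry["mode"] & 0o777
        if not missing:
            continue
        if entry["has_acl"]:
            # With an extended ACL, ls shows the ACL mask in the group
            # triad; the real entries are only visible via getfacl.
            reason = "ACL present: group triad is the ACL mask, check getfacl"
        else:
            reason = "no ACL: plain mode bits differ from forced mode"
        findings.append((entry["name"], oct(entry["mode"]), oct(missing), reason))
    return findings


if __name__ == "__main__":
    for name, mode, missing, reason in audit_listing(SAMPLE_LISTING):
        print("%-14s mode=%s missing=%s  %s" % (name, mode, missing, reason))
```

Feed it the output of `ls -l` on the share to get the list of files worth running `getfacl` against; directories are skipped because `force directory mode` governs them, not `force create mode`.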
Re: [Samba] samba-tool join domain fails
Top posting:

In resolv.conf - remove any DNS servers other than the AD one.

Is the AD server actually responding to DNS queries from the S4 box?

I have not followed this thread carefully, so my suggestion could easily be wrong - but DNS from the real AD controller is *really* important, and IMO, it shouldn't be getting answers from ANY other servers. [And you should be *sure* it really IS getting answers, rather than a refusal.]

-Greg

> Rowland Penny wrote:
> On 25/09/13 16:57, Axel wrote:
> Rowland Penny wrote:
> On 25/09/13 15:36, Axel wrote:
> Rowland Penny wrote:
> On 25/09/13 14:43, Axel wrote:
>
> Yes, this works all the time:
>
> root@samba-dc1:~# kinit admin
> ad...@intranet.domain.de's Password:
> root@samba-dc1:~# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: ad...@intranet.domain.de
>
>   Issued                Expires               Principal
> Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/intranet.domain...@intranet.domain.de
> root@samba-dc1:~#
>
> The Security-Monitor on Windows 2003 DC told me (in german):
>
> Ereignistyp:            Erfolgsüberw.
> Ereignisquelle:         Security
> Ereigniskategorie:      Verzeichnisdienstzugriff
> Ereigniskennung:        566
> Datum:                  25.09.2013
> Zeit:                   15:35:28
> Benutzer:               INTRANET\admin
> Computer:               WI-PAS01
> Beschreibung:
> Objektvorgang:
>   Objektserver:           DS
>   Vorgangstyp:            Object Access
>   Objekttyp:              organizationalUnit
>   Objektname:             OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>   Handlekennung:          -
>   Primärer Benutzername:  WI-PAS01$
>   Primäre Domäne:         INTRANET
>   Primäre Anmeldekennung: (0x0,0x3E7)
>   Clientbenutzername:     admin
>   Clientdomäne:           INTRANET
>   Clientanmeldekennung:   (0x0,0x5B2D755F)
>   Zugriffe:               Untergeordnetes Objekt erzeugen
>
>   Eigenschaften:
>     Untergeordnetes Objekt erzeugen
>     computer
>
>   Weitere Info:           CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
>   Weitere Info2:          %{34f6dfb0-e508-4124-a996-d80843a31445}
>   Zugriffsmaske:          0x1
>
> and:
>
> Ereignistyp:            Erfolgsüberw.
> Ereignisquelle:         Security
> Ereigniskategorie:      An-/Abmeldung
> Ereigniskennung:        540
> Datum:                  25.09.2013
> Zeit:                   15:35:28
> Benutzer:               INTRANET\admin
> Computer:               WI-PAS01
> Beschreibung:
> Erfolgreiche Netzwerkanmeldung:
>   Benutzername:           admin
>   Domäne:                 INTRANET
>   Anmeldekennung:         (0x0,0x5B2D755F)
>   Anmeldetyp:             3
>   Anmeldevorgang:         Kerberos
>   Authentifizierungspaket: Kerberos
>   Arbeitsstationsname:
>   Anmelde-GUID:           {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
>   Aufruferbenutzername:   -
>   Aufruferdomäne:         -
>   Aufruferanmeldekennung: -
>   Aufruferprozesskennung: -
>   Übertragene Dienste:    -
>   Quellnetzwerkadresse:   192.168.200.210
>   Quellport:              43028
>
> Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works.
> NO insufficient user rights!
>
> Another test - copying SYSVOL - works too:
> smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'
>
> That's all...
>
> Rowland Penny wrote:
> On 25/09/13 13:18, Axel wrote:
> Of course,
>
> Rowland Penny wrote:
> On 25/09/13 12:37, Axel wrote:
> Anyone?
>
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 > <>
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
>     ctx.join_add_object
Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
Kevin Field wrote:
> Hi,
>
> I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these
> global settings (not overridden):
>
> read only = No
> force create mode = 0777
> force directory mode = 0777
> inherit acls = yes
> inherit owner = yes
> inherit permissions = yes
>
> On a Windows client, I have Thunderbird 24.0 storing its profile and
> mail on the Samba share. The perms on everything in the share were
> chmod -R 777'd. Then I get mail, compact a folder, whatever, and it
> looks like this:
>
> -rwxrwxrwx. 1 1128 513        0 Oct 18  2012 Archives
> -rwxrwxrwx. 1 1128 513     3158 Sep 25 13:20 Archives.msf
> drwxrwxrwx. 2 1128 513     4096 Sep 25 09:12 Archives.sbd
> -rwxrwx---+ 1 1128 513        0 Sep 25 13:49 Drafts
> -rwxrwx---+ 1 1128 513     2450 Sep 25 13:50 Drafts.msf
> -rwxrwx---+ 1 1128 513        0 Sep 25 13:08 Inbox
> -rwxrwx---+ 1 1128 513     2317 Sep 25 13:50 Inbox.msf
> drwxrwxrwx. 3 1128 513     4096 May 28 09:26 Inbox.sbd
> -rwxrwxrwx. 1 1128 513     1268 Apr 12  2007 Junk.msf
> -rwxrwxrwx. 1 1128 513       28 Oct  2  2012 msgFilterRules.dat
> -rwxrwxrwx  1 1128 513    13736 Sep 25 13:50 popstate.dat
> -rwxrwxrwx  1 1128 513 96061164 Sep 25 13:21 Sent
> -rwxrwx---+ 1 1128 513  2988277 Sep 25 13:21 Sent.msf
> -rwxrwxrwx. 1 1128 513        0 Mar 25  2010 Templates
> -rwxrwxrwx. 1 1128 513     2684 Sep 25 13:20 Templates.msf
> -rwxrwx---+ 1 1128 513        0 Sep 25 13:50 Trash
> -rwxrwx---+ 1 1128 513     2223 Sep 25 13:50 Trash.msf
>
> Whatever it touches is now 770. How can that be, when the parent of
> this folder is 777, Samba is set to inherit and force 0777? Is this
> Samba misbehaving, or Thunderbird?
>
> Thanks,
> Kev

It looks like you have acl's active, hence the + after the permissions rwxrwx---+ . These acls overrule the local permissions set by samba. Neither samba nor thunderbird is misbehaving.

regards
Johan Hendriks
[Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
Hi,

I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these global settings (not overridden):

read only = No
force create mode = 0777
force directory mode = 0777
inherit acls = yes
inherit owner = yes
inherit permissions = yes

On a Windows client, I have Thunderbird 24.0 storing its profile and mail on the Samba share. The perms on everything in the share were chmod -R 777'd. Then I get mail, compact a folder, whatever, and it looks like this:

-rwxrwxrwx. 1 1128 513        0 Oct 18  2012 Archives
-rwxrwxrwx. 1 1128 513     3158 Sep 25 13:20 Archives.msf
drwxrwxrwx. 2 1128 513     4096 Sep 25 09:12 Archives.sbd
-rwxrwx---+ 1 1128 513        0 Sep 25 13:49 Drafts
-rwxrwx---+ 1 1128 513     2450 Sep 25 13:50 Drafts.msf
-rwxrwx---+ 1 1128 513        0 Sep 25 13:08 Inbox
-rwxrwx---+ 1 1128 513     2317 Sep 25 13:50 Inbox.msf
drwxrwxrwx. 3 1128 513     4096 May 28 09:26 Inbox.sbd
-rwxrwxrwx. 1 1128 513     1268 Apr 12  2007 Junk.msf
-rwxrwxrwx. 1 1128 513       28 Oct  2  2012 msgFilterRules.dat
-rwxrwxrwx  1 1128 513    13736 Sep 25 13:50 popstate.dat
-rwxrwxrwx  1 1128 513 96061164 Sep 25 13:21 Sent
-rwxrwx---+ 1 1128 513  2988277 Sep 25 13:21 Sent.msf
-rwxrwxrwx. 1 1128 513        0 Mar 25  2010 Templates
-rwxrwxrwx. 1 1128 513     2684 Sep 25 13:20 Templates.msf
-rwxrwx---+ 1 1128 513        0 Sep 25 13:50 Trash
-rwxrwx---+ 1 1128 513     2223 Sep 25 13:50 Trash.msf

Whatever it touches is now 770. How can that be, when the parent of this folder is 777, Samba is set to inherit and force 0777? Is this Samba misbehaving, or Thunderbird?

Thanks,
Kev
Re: [Samba] samba-tool join domain fails
On 25/09/13 15:36, Axel wrote:

Rowland Penny wrote:

On 25/09/13 14:43, Axel wrote:

Yes, this works all the time:

root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@intranet.domain.de
Issued  Expires  Principal
Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/intranet.domain...@intranet.domain.de
root@samba-dc1:~#

The Security Monitor on the Windows 2003 DC told me (in German; translated here):

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Handle ID: -
Primary User Name: WI-PAS01$
Primary Domain: INTRANET
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties: Create Child computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
Access Mask: 0x1

and:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Successful Network Logon:
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.200.210
Source Port: 43028

Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. NO insufficient user rights!

Another test - copying SYSVOL - works too:

smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'

That's all...

Rowland Penny wrote:

On 25/09/13 13:18, Axel wrote:

Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel

OK, I did this yesterday, but with a samba4 DC joining to another samba4 DC, try this:

kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

Rowland

Yes, admin can log into the servers, but does he have the right to add workstations to the domain? Also was Administrator renamed or was a new user called admin created?

Rowland

Like I said, "admin" is the main domain administrator and has all rights to this domain. He wasn't created new, just renamed.

Axel

Well if admin has all the required rights, I wonder if it is a problem with acc
Re: [Samba] samba-tool join domain fails
Rowland Penny wrote:

On 25/09/13 14:43, Axel wrote:

Yes, this works all the time:

root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@intranet.domain.de
Issued  Expires  Principal
Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/intranet.domain...@intranet.domain.de
root@samba-dc1:~#

The Security Monitor on the Windows 2003 DC told me (in German; translated here):

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Handle ID: -
Primary User Name: WI-PAS01$
Primary Domain: INTRANET
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties: Create Child computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
Access Mask: 0x1

and:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Successful Network Logon:
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.200.210
Source Port: 43028

Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. NO insufficient user rights!

Another test - copying SYSVOL - works too:

smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'

That's all...

Rowland Penny wrote:

On 25/09/13 13:18, Axel wrote:

Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel

OK, I did this yesterday, but with a samba4 DC joining to another samba4 DC, try this:

kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

Rowland

Yes, admin can log into the servers, but does he have the right to add workstations to the domain? Also was Administrator renamed or was a new user called admin created?

Rowland

Like I said, "admin" is the main domain administrator and has all rights to this domain. He wasn't created new, just renamed.

Axel

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailm
Re: [Samba] samba-tool join domain fails
On 25/09/13 14:43, Axel wrote:

Yes, this works all the time:

root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@intranet.domain.de
Issued  Expires  Principal
Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/intranet.domain...@intranet.domain.de
root@samba-dc1:~#

The Security Monitor on the Windows 2003 DC told me (in German; translated here):

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Handle ID: -
Primary User Name: WI-PAS01$
Primary Domain: INTRANET
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties: Create Child computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
Access Mask: 0x1

and:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Successful Network Logon:
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.200.210
Source Port: 43028

Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. NO insufficient user rights!

Another test - copying SYSVOL - works too:

smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'

That's all...

Rowland Penny wrote:

On 25/09/13 13:18, Axel wrote:

Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel

OK, I did this yesterday, but with a samba4 DC joining to another samba4 DC, try this:

kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

Rowland

Yes, admin can log into the servers, but does he have the right to add workstations to the domain? Also was Administrator renamed or was a new user called admin created?

Rowland

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba-tool join domain fails
Yes, this works all the time:

root@samba-dc1:~# kinit admin
ad...@intranet.domain.de's Password:
root@samba-dc1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@intranet.domain.de
Issued  Expires  Principal
Sep 25 15:31:44 2013  Sep 26 01:31:42 2013  krbtgt/intranet.domain...@intranet.domain.de
root@samba-dc1:~#

The Security Monitor on the Windows 2003 DC told me (in German; translated here):

Event Type: Success Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: organizationalUnit
Object Name: OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Handle ID: -
Primary User Name: WI-PAS01$
Primary Domain: INTRANET
Primary Logon ID: (0x0,0x3E7)
Client User Name: admin
Client Domain: INTRANET
Client Logon ID: (0x0,0x5B2D755F)
Accesses: Create Child
Properties: Create Child computer
Additional Info: CN=SAMBA-DC1,OU=Domain Controllers,DC=intranet,DC=domain,DC=de
Additional Info2: %{34f6dfb0-e508-4124-a996-d80843a31445}
Access Mask: 0x1

and:

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 25.09.2013
Time: 15:35:28
User: INTRANET\admin
Computer: WI-PAS01
Description:
Successful Network Logon:
User Name: admin
Domain: INTRANET
Logon ID: (0x0,0x5B2D755F)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {05cd8dd6-7c8b-c9ee-d237-3c482ca39c89}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.200.210
Source Port: 43028

Login from samba-dc1.intranet.domain.de and IP 192.168.200.210 works. NO insufficient user rights!

Another test - copying SYSVOL - works too:

smbclient -U admin //wi-pas01/SYSVOL -c 'prompt;recurse;mget intranet.domain.de'

That's all...

Rowland Penny wrote:

On 25/09/13 13:18, Axel wrote:

Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel

OK, I did this yesterday, but with a samba4 DC joining to another samba4 DC, try this:

kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

Rowland
Re: [Samba] samba 4.0.9 Build Error
On Wed, Sep 25, 2013 at 10:00:02AM +0200, Thomas Zeitinger wrote:
> Hi there,
>
> I tried to build samba 4.0.9 on a Debian Wheezy 7.1 x86 fresh install
> and got this error:
>
> [2717/3935] Compiling source3/smbd/scavenger.c
> ../source3/smbd/scavenger.c: In function ‘scavenger_timer’:
> ../source3/smbd/scavenger.c:482:3: error: format ‘%lu’ expects argument
> of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’
> [-Werror=format]
> ../source3/smbd/scavenger.c:490:3: error: format ‘%lu’ expects argument
> of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’
> [-Werror=format]
> cc1: some warnings being treated as errors
> Waf: Leaving directory `/root/samba-4.0.9/bin'
> Build failed: -> task failed (err #1):
> {task: cc scavenger.c -> scavenger_92.o}
> make: *** [all] Error 1
>
> Never got this before. Is there something I can do? I need a samba4 on
> this machine.

Does the attached patch help? If it does, please open a bug at bugzilla.samba.org and attach it, so that it will get fixed in the next Samba release.

Thanks,

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de

* visit us on it-sa: IT security exhibitions in Nürnberg, Germany
October 8th - 10th 2013, hall 12, booth 333
free tickets available via code 270691 on: www.it-sa.de/gutschein **

From a075eb64952d58749660a87049bb7e3d326c5968 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Wed, 25 Sep 2013 06:24:19 -0700
Subject: [PATCH] smbd: Fix a 64-bit warning

---
 source3/smbd/scavenger.c |8
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/smbd/scavenger.c b/source3/smbd/scavenger.c
index fe4e56e..0ca18c8 100644
--- a/source3/smbd/scavenger.c
+++ b/source3/smbd/scavenger.c
@@ -480,16 +480,16 @@ static void scavenger_timer(struct tevent_context *ev, ctx->msg.open_persistent_id); if (!ok) { DEBUG(2, ("Failed to cleanup share modes and byte range locks " - "for file %s open %lu\n", + "for file %s open %llu\n", file_id_string_tos(&ctx->msg.file_id), - ctx->msg.open_persistent_id)); + (unsigned long long)ctx->msg.open_persistent_id)); } status = smbXsrv_open_cleanup(ctx->msg.open_persistent_id); if (!NT_STATUS_IS_OK(status)) { - DEBUG(2, ("Failed to cleanup open global for file %s open %lu:" + DEBUG(2, ("Failed to cleanup open global for file %s open %llu:" " %s\n", file_id_string_tos(&ctx->msg.file_id), - ctx->msg.open_persistent_id, nt_errstr(status))); + (unsigned long long)ctx->msg.open_persistent_id, nt_errstr(status))); } } -- 1.7.9.5 -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
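Review bot: casting `ctx->msg.open_persistent_id` to `(unsigned long long)` and printing it with `%llu` is correct and portable (a uint64_t always fits), but the form the `-Werror=format` warning is really asking for is `PRIu64` from <inttypes.h>, which needs no cast at either call site. Note also that this warning fires on 32-bit targets (the report is from Debian Wheezy x86, where `unsigned long` is 32 bits and uint64_t is `unsigned long long`; on LP64 builds `%lu` happened to be right), so the subject "Fix a 64-bit warning" is misleading and should say the 32-bit build. Minor: the last changed line, `(unsigned long long)ctx->msg.open_persistent_id, nt_errstr(status)));`, now runs well past 80 columns; wrap it the way the first DEBUG call is wrapped.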
[Samba] problem server WIN 2003 R2 - samba HP-UX
Hello all,

I am running Samba 2.2.8a and am trying to connect to a Windows 2003 domain controller server1 (BDC - backup). I keep getting the error "Tree connect failed - NT_Status_Access_Denied". I have another domain controller server2 (PDC - primary) in the same domain with the same share etc. and I can connect successfully. The only difference is the version: WIN2003 R2 for server1, WIN2003 R1 for server2.

server1 failed:

# /opt/samba/bin/smbclient server1\\pdf -d 3 -U sstef
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/opt/samba/smb.conf"
Processing section "[global]"
Client started (version 2.2.8a based HP CIFS Server A.01.10).
resolve_lmhosts: Attempting lmhosts lookup for name server1<0x20>
resolve_hosts: Attempting host lookup for name mailserver<0x20>
Connecting to 192.. at port 139
Password:
Domain=[PROVA] OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
tree connect failed: NT_STATUS_ACCESS_DENIED

server2 OK:

# /opt/samba/bin/smbclient server2\\pdf -d 3 -U sstef
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/opt/samba/smb.conf"
Processing section "[global]"
Client started (version 2.2.8a based HP CIFS Server A.01.10).
resolve_lmhosts: Attempting lmhosts lookup for name server2003<0x20>
resolve_hosts: Attempting host lookup for name server2003<0x20>
Connecting to 192.. at port 139
Password:
Domain=[PROVA] OS=[Windows Server 2003 3790 Service Pack 2] Server=[Windows Server 2003 5.2]
smb: \> pwd
Current directory is \\server2\pdf\
smb: \> exit
#

My smb.conf:

[global]
netbios aliases = hpxxx (is server HP-UX)
workgroup = PROVA
load printers = No
printing =
guest ok = yes
guest account = root
read only = no
null passwords = Yes
read prediction = yes
socket options = TCP_NODELAY
share modes = yes
locking = yes
strict locking = yes
server string = %h (Samba %v)
security = share
preserve case = yes
os level = 1
oplocks = false
hosts allow = 192.
wins server = 192. (is server2)

Can you help me?

Stefania
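The [global] section in the message above is what the HP-UX box's own smbd exposes, and several of its settings weaken authentication on that host regardless of the failing tree connect to server1 (that refusal is a decision made by the Windows server). What follows is an added example, not code from Samba or from Stefania: a small auditor that parses an smb.conf the way smb.conf(5) describes (parameter names case-insensitive, internal whitespace irrelevant) and flags `security = share`, `guest account = root`, `null passwords = Yes` and `guest ok = yes`. SAMPLE_SMB_CONF is a copy of the posted config with the inline remarks dropped; the list of risky settings and the reasons are my own.

```python
"""Flag authentication-weakening settings in an smb.conf [global] section.

Added example; not code from the Samba project or from the poster. The
parsing rules follow smb.conf(5): sections in [brackets], one 'name = value'
per line, '#' and ';' comments, parameter names case-insensitive with
internal whitespace ignored, values trimmed.
"""
import re

# Constructed sample: the posted [global] section with the "(is ...)" remarks removed.
SAMPLE_SMB_CONF = """\
[global]
netbios aliases = hpxxx
workgroup = PROVA
load printers = No
printing =
guest ok = yes
guest account = root
read only = no
null passwords = Yes
read prediction = yes
socket options = TCP_NODELAY
share modes = yes
locking = yes
strict locking = yes
server string = %h (Samba %v)
security = share
preserve case = yes
os level = 1
oplocks = false
hosts allow = 192.
wins server = 192.
"""


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\s+", "", key).lower()   # 'Guest Account' -> 'guestaccount'
        sections[current][key] = value.strip()
    return sections


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_global(conf):
    """Return (parameter, value, reason) findings for the [global] section."""
    g = conf.get("global", {})
    findings = []
    security = g.get("security", "user").lower()           # Samba's default is user
    if security == "share":
        findings.append(("security", security,
                         "share-level security does not bind the session to a user; "
                         "removed in Samba 4"))
    if g.get("guestaccount", "").lower() == "root":
        findings.append(("guest account", "root",
                         "guest sessions would run as root; use an unprivileged "
                         "account such as nobody"))
    if _is_yes(g.get("nullpasswords", "no")):
        findings.append(("null passwords", g["nullpasswords"],
                         "accounts with empty passwords are allowed to log in"))
    if _is_yes(g.get("guestok", "no")):
        findings.append(("guest ok", g["guestok"],
                         "every share permits unauthenticated access unless it "
                         "overrides this"))
    return findings


if __name__ == "__main__":
    for param, value, reason in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("%-15s = %-6s %s" % (param, value, reason))
```

The parser is deliberately permissive (it keeps the empty `printing =` value rather than rejecting it) so it can be pointed at a real file with `parse_smb_conf(open(path).read())` and the findings reviewed before the host is put on a network that reaches it.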
Re: [Samba] samba-tool join domain fails
On 25/09/13 13:18, Axel wrote:

Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel

OK, I did this yesterday, but with a samba4 DC joining to another samba4 DC, try this:

kinit admin
/usr/local/samba/bin/samba-tool domain join intranet.domain.de DC -Uadmin --realm=intranet.domain.de

Rowland
Re: [Samba] samba 4.0.9 Build Error
Hi Thomas,

On 2013-09-25 14:19, Thomas Harold wrote:
> On 9/25/2013 4:00 AM, Thomas Zeitinger wrote:
>> [...]
>
> Maybe try the sernet samba4 packages? They have a DEB for wheezy.
>
> http://enterprisesamba.com/
>
> You have to register, but the package downloads are free and they
> support apt-get. I use the sernet packages for CentOS6 with no issues.
>
> (I built samba 4.0.6 on CentOS 6 earlier this year, now we just use
> the sernet packages. It's easier.)

Thanks for the hint, but this is not an option. We have already built a few instances from source and I don't want to mix the installations.

Best regards
--
Thomas Zeitinger
Customer Support
IT-Quadrat EDV Dienstleistungs- und Handels GmbH
Krongasse 8/2
A-1050 Wien
Tel: +43 (1) 311 44 00 - 10
Fax: +43 (1) 311 44 00 - 90
thomas.zeitin...@it2.at
www.it2.at
FN 287345t
UID ATU63123113
Re: [Samba] samba-tool join domain fails
On 9/23/2013 12:17 PM, Axel wrote:

Hi folks, big problem with my testing environment... my Windows 2003 domain has existed since 2004 and the credentials are correct, guaranteed. This problem is actually the same on Ubuntu 12.04.3 and Debian 7...

(I just added Samba4 to an existing Windows 2003 Active Directory domain this morning. So I'm in a similar situation, but my setup worked flawlessly.)

Were you able to do:

# kinit administrator

- Try it with a wrong password, see if it gives the correct error message of "kinit: Preauthentication failed while getting initial credentials"
- Successful kinit outputs nothing

If that test doesn't work, then I'd suspect issues in your /etc/krb5.conf file.

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain
Re: [Samba] samba 4.0.9 Build Error
On 9/25/2013 4:00 AM, Thomas Zeitinger wrote:

Hi there,

I tried to build samba 4.0.9 on a Debian Wheezy 7.1 x86 fresh install and got this error:

[2717/3935] Compiling source3/smbd/scavenger.c
../source3/smbd/scavenger.c: In function ‘scavenger_timer’:
../source3/smbd/scavenger.c:482:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
../source3/smbd/scavenger.c:490:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
cc1: some warnings being treated as errors
Waf: Leaving directory `/root/samba-4.0.9/bin'
Build failed: -> task failed (err #1):
{task: cc scavenger.c -> scavenger_92.o}
make: *** [all] Error 1

Never got this before. Is there something I can do? I need a samba4 on this machine.

Maybe try the sernet samba4 packages? They have a DEB for wheezy.

http://enterprisesamba.com/

You have to register, but the package downloads are free and they support apt-get. I use the sernet packages for CentOS6 with no issues.

(I built samba 4.0.6 on CentOS 6 earlier this year, now we just use the sernet packages. It's easier.)
Re: [Samba] samba-tool join domain fails
Of course,

Rowland Penny wrote:

On 25/09/13 12:37, Axel wrote:

Anyone?

Join failed - cleaning up
checking sAMAccountName
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0 <>
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
ctx.do_join()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1007, in do_join
ctx.join_add_objects()
File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 499, in join_add_objects
ctx.samdb.add(rec)

It seems that all prerequisites are fine. DNS, ACL etc., ping works fine... also resolution of FQDNs.

Can someone help?

Thanks & Cheers
axel

Well I think this:

ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <0522: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

says it all. Does user intranet/admin exist and if so, do they have the right to add a machine to the domain, also have you tried replacing intranet/admin with Administrator?

Rowland

As I said in my first mail, that is THE Domain Administrator (renamed in my environment to admin). This "admin" has all rights to this domain since 2005 :) Same problem with another Domain-Administrator account. I've also tried with "Administrator" like you suggested. Same issue...

Thanks for your reply,
axel
Re: [Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?
On 9/25/2013 7:52 AM, Thomas Harold wrote:

#2 - Can Samba4 DNS be setup to forward all queries that are not for "addomain.example.com" to the firewall BIND DNS server? Or should we continue to point our DHCP clients at the firewall as their primary DNS server?

http://www.sloop.net/smb.conf.html

It looks like I just add the following to the [global] section of /etc/samba/smb.conf?

dns forwarder = .1

(Where .1 would be the IP address of the firewall server running BIND DNS.)
Re: [Samba] samba-tool join domain fails
On 25/09/13 12:37, Axel wrote:

Anyone?

This is from log-level 10:

root@samba-dc1:/# samba-tool domain join intranet.DOMAIN.de DC -Uintranet/admin --realm=intranet.DOMAIN.de
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
Finding a writeable DC for domain 'intranet.DOMAIN.de'
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
added interface eth0 ip=192.168.200.210 bcast=192.168.200.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain intranet.DOMAIN.de
finddcs: looking for SRV records for _ldap._tcp.intranet.DOMAIN.de
ads_dns_lookup_srv: 2 records returned in the answer section.
ads_dns_parse_rr_srv: Parsed wi-pas04.intranet.DOMAIN.de [0, 100, 389]
ads_dns_parse_rr_srv: Parsed wi-pas01.intranet.DOMAIN.de [0, 100, 389]
finddcs: DNS SRV response 0 at '192.168.200.14'
finddcs: DNS SRV response 1 at '10.8.0.1'
finddcs: DNS SRV response 2 at '192.168.200.10'
finddcs: performing CLDAP query on 192.168.200.14
&response->data.nt5_ex: struct NETLOGON_SAM_LOGON_RESPONSE_EX
command : LOGON_SAM_LOGON_RESPONSE_EX (23)
sbz : 0x (0)
server_type : 0x01fc (508)
0: NBT_SERVER_PDC
1: NBT_SERVER_GC
1: NBT_SERVER_LDAP
1: NBT_SERVER_DS
1: NBT_SERVER_KDC
1: NBT_SERVER_TIMESERV
1: NBT_SERVER_CLOSEST
1: NBT_SERVER_WRITABLE
0: NBT_SERVER_GOOD_TIMESERV
0: NBT_SERVER_NDNC
0: NBT_SERVER_SELECT_SECRET_DOMAIN_6
0: NBT_SERVER_FULL_SECRET_DOMAIN_6
0: NBT_SERVER_ADS_WEB_SERVICE
0: NBT_SERVER_HAS_DNS_NAME
0: NBT_SERVER_IS_DEFAULT_NC
0: NBT_SERVER_FOREST_ROOT
domain_uuid : d4836b14-2bf0-4c30-812a-aa7113035d1e
forest : 'intranet.DOMAIN.de'
dns_domain : 'intranet.DOMAIN.de'
pdc_dns_name : 'wi-pas04.intranet.DOMAIN.de'
domain_name : 'INTRANET'
pdc_name : 'WI-PAS04'
user_name: ''
server_site : 'Standardname-des-ersten-Standorts'
client_site : 'Standardname-des-ersten-Standorts'
sockaddr_size: 0x00 (0)
sockaddr: struct nbt_sockaddr
sockaddr_family : 0x (0)
pdc_ip : (null)
remaining: DATA_BLOB length=0
next_closest_site: NULL
nt_version : 0x0005 (5)
1: NETLOGON_NT_VERSION_1
0: NETLOGON_NT_VERSION_5
1: NETLOGON_NT_VERSION_5EX
0: NETLOGON_NT_VERSION_5EX_WITH_IP
0: NETLOGON_NT_VERSION_WITH_CLOSEST_SITE
0: NETLOGON_NT_VERSION_AVOID_NT4EMUL
0: NETLOGON_NT_VERSION_PDC
0: NETLOGON_NT_VERSION_IP
0: NETLOGON_NT_VERSION_LOCAL
0: NETLOGON_NT_VERSION_GC
lmnt_token : 0x (65535)
lm20_token : 0x (65535)
finddcs: Found matching DC 192.168.200.14 with server_type=0x01fc
Found DC wi-pas04.intranet.DOMAIN.de
Security token SIDs (1):
SID[ 0]: S-1-5-18
Privileges (0x):
Privilege[ 0]: SeMachineAccountPrivilege
Privilege[ 1]: SeTakeOwnershipPrivilege
Privilege[ 2]: SeBackupPrivilege
Privilege[ 3]: SeRestorePrivilege
Privilege[ 4]: SeRemoteShutdownPrivilege
Privilege[ 5]: SePrintOperatorPrivilege
Privilege[ 6]: SeAddUsersPrivilege
Privilege[ 7]: SeDiskOperatorPrivilege
Privilege[ 8]: SeSecurityPrivilege
Privilege[ 9]: SeSystemtimePrivilege
Privilege[ 10]: SeShutdownPrivilege
Privilege[ 11]: SeDebugPrivilege
Privilege[ 12]: SeSystemEnvironmentPrivilege
Privilege[ 13]: SeSystemProfilePrivilege
Privilege[ 14]: SeProf
[Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?
Let's assume that we have a network with:

domain = "addomain.example.com"

.1 - firewall server that runs BIND9, is not in the domain, but can resolve all DNS queries. It is set up to forward any queries for "addomain.example.com" to the internal Samba4 server.

.8 - Samba4 server (sernet packages on CentOS 6) running with integrated DNS in Active Directory mode.

Questions:

#1 - Where would you put the DHCPD service to hand out DHCP addresses (currently, our Windows 2003 domain controller handles this and registers the host names of clients in "addomain.example.com" automatically)? I would like to put the DHCPD service on the .1 firewall and have it send updates to the Samba4 server on .8.

#1a - Should we instead move to a setup where we create a second internal domain ("dhcp.example.com") for our DHCP clients?

#2 - Can Samba4 DNS be set up to forward all queries that are not for "addomain.example.com" to the firewall BIND DNS server? Or should we continue to point our DHCP clients at the firewall as their primary DNS server?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] samba-tool join domain fails
Re: [Samba] Sernet Samba-4 Howto for Centos 6.4
On 7/2/2013 7:23 AM, schmero...@gmail.com wrote:
> I have registered at https://portal.enterprisesamba.com, but am unclear regarding which packages to install for a fully functioning samba4 installation, or if there are prerequisites such as krb5. I am starting with a minimal install of CentOS 6.4. I can make some reasonably educated guesses, but don't want to miss something important. Anyone know if there is a step by step howto for installing samba4 on CentOS using the Sernet repository?

For an Active Directory setup with sernet-samba 4.0.9 on CentOS, I believe the only package that needs to be installed is:

# yum install sernet-samba-ad

Prerequisites seem to be:

/etc/resolv.conf - make sure that this points at your existing Active Directory server (if you have one)

/etc/krb5.conf - configure this if you have an existing AD controller and test using 'kinit administrator'

[libdefaults]
    default_realm = ADDOMAIN.EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true

/etc/sysconfig/selinux - set to "permissive" while you configure the server
- "service auditd rotate" to rotate the log files prior to install/setup
- "cat /var/log/audit/audit.log | audit2allow" to check for exceptions
- fix SELinux issues, then go back to "enforcing" mode

After that you can follow the instructions at either:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

The only service that runs at startup is (AFAIK) "sernet-samba-ad". I am moderately sure that the other (3) services (sernet-samba-nmbd, sernet-samba-smbd, sernet-samba-winbindd) do not need to run if you are doing an Active Directory domain. But I'm not certain yet because I'm in the process of testing this in our environment.
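The three prerequisites in the reply above (resolv.conf pointing at the DC, the krb5.conf [libdefaults] keys, SELinux in permissive mode during setup) are easy to get subtly wrong, so here is an added preflight check, written for this page and not code from the post, SerNet or Samba. The file contents, the realm and the DC address it checks against are constructed stand-ins.

```python
"""Added example (not from the post above or from SerNet/Samba): a preflight
check for the prerequisites listed above before installing sernet-samba-ad.
File contents are constructed inline; the expected realm and DC address are
assumptions for the demonstration."""
import re


def parse_krb5(text):
    """Minimal krb5.conf reader: {section: {key: value}} for flat keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return sections


def preflight(krb5_text, resolv_text, selinux_text, realm, dc_ip):
    """Return the list of problems found; an empty list means ready to proceed."""
    problems = []
    libdefaults = parse_krb5(krb5_text).get("libdefaults", {})
    if libdefaults.get("default_realm") != realm:
        problems.append("krb5.conf: default_realm must be %s (realm names are "
                        "case-sensitive; AD realms are upper-case)" % realm)
    for key in ("dns_lookup_realm", "dns_lookup_kdc"):
        if libdefaults.get(key, "").lower() != "true":
            problems.append("krb5.conf: %s should be true so the KDC is located "
                            "through the AD SRV records" % key)
    nameservers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_text, re.M)
    if dc_ip not in nameservers:
        problems.append("resolv.conf: AD DC %s is not a nameserver (found: %s)"
                        % (dc_ip, ", ".join(nameservers) or "none"))
    m = re.search(r"^\s*SELINUX=(\w+)", selinux_text, re.M)
    mode = m.group(1) if m else "unset"
    if mode != "permissive":
        problems.append("selinux: SELINUX=%s; use permissive during setup, review "
                        "audit.log with audit2allow, then return to enforcing" % mode)
    return problems


# Constructed inputs standing in for the three files on a fresh CentOS host.
BAD_KRB5 = "[libdefaults]\n default_realm = addomain.example.com\n" \
           " dns_lookup_realm = true\n dns_lookup_kdc = false\n"
BAD_RESOLV = "search addomain.example.com\nnameserver 192.0.2.53\n"
BAD_SELINUX = "SELINUX=enforcing\nSELINUXTYPE=targeted\n"
GOOD_KRB5 = "[libdefaults]\n default_realm = ADDOMAIN.EXAMPLE.COM\n" \
            " dns_lookup_realm = true\n dns_lookup_kdc = true\n"

if __name__ == "__main__":
    for p in preflight(BAD_KRB5, BAD_RESOLV, BAD_SELINUX,
                       "ADDOMAIN.EXAMPLE.COM", "192.0.2.8"):
        print("FAIL:", p)
```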
Re: [Samba] setting permissions for unix users on samba shares
On Tue, 2013-09-24 at 16:13 -0700, Robert Watson wrote:
> I'm trying to grant permissions for linux system users (apache,mysql...) to
> have permissions on samba shares. I've established domain users permissions
> while logged in as the domain admin and thought the SYSTEM account would
> cover these types of users but apparently not.
> Is there a built in linux group that maps to a windows domain group or do I
> have to establish this manually.

Hi
Not much to go on but you could:

[global]
username map = /some/place.txt

[apache]
path = /srv/www/wherever
read only = yes
write list = SomeDomainUser

with place.txt containing:

!apache = SomeDomainUser

HTH
Steve
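Steve's one-line map works because of how smbd walks a username map file; as an added example (not code from the reply or from Samba itself), here is a Python model of that processing, assuming the syntax documented for smb.conf's "username map". The map text (PLACE_TXT) and the groups_of lookup are constructed stand-ins; the "admin" case shows why the leading "!" on the post's line matters.

```python
"""Added example, not code from Steve's reply or from Samba: a model of how
smbd walks a 'username map' file (syntax as documented for smb.conf).
The map text and group lookup below are constructed for the demonstration."""


def map_username(map_text, client_name, groups_of=lambda name: ()):
    """Return the unix name a client login name is mapped to.

    Rules modelled: lines are 'unixname = pattern pattern ...'; '#' and ';'
    start comments; '*' matches any name; '@grp' matches members of a unix
    group (groups_of stands in for the system lookup); a leading '!' stops
    processing after that line matches, otherwise later lines are applied
    to the already-mapped name. Windows names are compared case-insensitively.
    """
    name = client_name
    for raw in map_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if "=" not in line:
            continue
        stop = line.startswith("!")
        unix_name, patterns = (p.strip() for p in line.lstrip("!").split("=", 1))
        for pattern in patterns.split():
            if pattern == "*":
                hit = True
            elif pattern.startswith("@"):
                hit = pattern[1:] in groups_of(name)
            else:
                hit = pattern.lower() == name.lower()
            if hit:
                name = unix_name
                if stop:
                    return name
                break  # one match per line, then continue with the next line
    return name


# Constructed map; the '!apache' line is the one from the post above.
PLACE_TXT = """
# unixname = windows names that map to it
root = admin administrator
!sys = mary fred
!apache = SomeDomainUser
guest = *
"""


def demo():
    """Map a few constructed login names through PLACE_TXT."""
    return {n: map_username(PLACE_TXT, n)
            for n in ("SomeDomainUser", "somedomainuser", "mary", "admin", "bob")}


if __name__ == "__main__":
    for client, unix in demo().items():
        print("%-16s -> %s" % (client, unix))
```

Note that "admin" ends up as guest: the root line has no "!", so the wildcard line later in the file is still applied to the already-mapped name.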
[Samba] samba 4.0.9 Build Error
Hi there,

I tried to build samba 4.0.9 on a Debian Wheezy 7.1 x86 fresh install and got this error:

[2717/3935] Compiling source3/smbd/scavenger.c
../source3/smbd/scavenger.c: In function ‘scavenger_timer’:
../source3/smbd/scavenger.c:482:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
../source3/smbd/scavenger.c:490:3: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ [-Werror=format]
cc1: some warnings being treated as errors
Waf: Leaving directory `/root/samba-4.0.9/bin'
Build failed:
 -> task failed (err #1):
        {task: cc scavenger.c -> scavenger_92.o}
make: *** [all] Fehler 1

Never got this before. Is there something I can do? I need a samba4 on this machine.

Thanks and best regards
Tom

--
Thomas Zeitinger
Customer Support
IT-Quadrat EDV Dienstleistungs- und Handels GmbH
Krongasse 8/2
A-1050 Wien
Tel: +43 (1) 311 44 00 - 10
Fax: +43 (1) 311 44 00 - 90
thomas.zeitin...@it2.at
www.it2.at
FN 287345t
UID ATU63123113
[Samba] [Announce] Samba 3.6.19 Available for Download
==============================================================
"What I've enjoyed most, though, is meeting people who have a
real interest in food and sharing ideas with them. Good food
is a global thing and I find that there is always something
new and amazing to learn - I love it!"

Jamie Oliver
==============================================================

Release Announcements
=====================

This is the latest maintenance release of Samba 3.6.

Please note that this will probably be the last maintenance release of the Samba 3.6 release series. With the release of Samba 4.1.0, the 3.6 release series will be turned into "security fixes only" mode.

Changes since 3.6.18:
---------------------

o   Jeremy Allison
    * BUG 5917: Make Samba work on site with Read Only Domain Controller.

o   Christian Ambach
    * BUG 8955: NetrServerPasswordSet2 timeout is too short.

o   Günther Deschner
    * BUG 9899: Fix fallback to ncacn_np in cm_connect_lsat().
    * BUG 9615: Fix fallback to ncacn_np in cm_connect_lsat().
    * BUG 10127: Fix 'smbstatus' as non-root user.

o   Volker Lendecke
    * BUG 8955: Give machine password changes 10 minutes of time.
    * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo requests.
    * BUG 10114: Handle Dropbox (write-only-directory) case correctly in pathname lookup.

o   Karolin Seeger
    * BUG 10076: Fix variable list in man vfs_crossrename.

o   Andreas Schneider
    * BUG 9994: s3-winbind: Do not delete an existing valid credential cache.
    * BUG 10073: 'net ads join': Fix segmentation fault in create_local_private_krb5_conf_for_domain.

o   Richard Sharpe
    * BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed out by Samba.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the corresponding Samba product in the project's Bugzilla database (https://bugzilla.samba.org/).


======================================================================
                == Our Code, Our Bugs, Our Responsibility.
                == The Samba Team
======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

    http://download.samba.org/samba/ftp/

The release notes are available online at:

    http://www.samba.org/samba/ftp/history/samba-3.6.19.html

Binary packages will be made available on a volunteer basis from

    http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
Re: [Samba] Samba4 as AD member & local rights problem...
Hi Marc,

On 24.09.2013 23:46, Marc Muehlfeld wrote:
> On 24.09.2013 09:13, Thomas Besser wrote:
>> Like described here
>> (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/)
>> I enabled 'root' for short and granted the 'SePrintOperator' right
>> to a normal account and switched back to security = ads
>
> I'm not sure if I understand this. Did you take the server out of the domain and temporarily downgrade it to a standalone server for granting the privilege?

Yes.

> Can you make sure that the privilege was granted to a _domain account_?
>
> # net rpc rights list accounts -Uadministrator

Okay, yes and no ;-) It's a little bit difficult to describe...

We have a special setup in our large institution: we have an LDAP and an AD filled from an identity management system, with all employees separated by OUs. That's the reason why I don't have a 'Domain Admin' account, because I administrate only a small part of it. For our OU my personal account is given delegated rights (domain join, GPO, creating AD accounts).

Our samba4 server uses AD for authentication (user & password exist), the underlying Linux (NSS & PAM) uses LDAP. Found this here: https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP

The privileged account 'Admin' is only known in AD (created manually), not in LDAP. Therefore I created it locally in /etc/passwd on the samba4 server. That should be the reason why the process of privileging in standalone mode worked!?

>> Now the next problem arises:
>>
>> I can now upload the win drivers as described in your howto section
>> "Uploading printer drivers for Point'n'Print driver installation"
>> successfully. I can also see the files in the samba drivers share.
>>
>> But I can not associate it with a printer! The dropdown on
>> https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> I haven't had this case yet.
> Just some questions that may help us to find the cause of your problem:
>
> - Do you connect to the server as the user you granted the SePrintOperator permissions to?

Yes

> - Is the user you granted the permission to a domain account?

Yes (and locally created too on the Linux server). In samba it is shown like this:

net rpc rights list accounts -U Admin
[...]
Unix User\Admin
SePrintOperatorPrivilege
[...]

> - Is the account you use to associate the driver with a printer the same as the one you used for uploading the drivers?

Yes

> - Did the driver upload wizard run fine? Or any errors or untypical messages?

Yes, no errors. After that I can see it over 'server properties'. I can also delete it. Only if I switch to the 'printer properties' is the dropdown empty. So I cannot associate over Windows.

> - Can you associate the driver on *nix side by using 'rpcclient'?
> (see https://wiki.samba.org/index.php/Samba_as_a_print_server#Associating_a_shared_printer_with_a_driver_and_preconfiguring)

Yes.

rpcclient localhost -U Admin -c 'setdriver "printername" "name of printer driver"'

After that I can see also in Windows that the dropdown is not empty any more. I uploaded a second driver to test if I can then switch to the second one. Result: no, I only see the originally associated driver. With 'rpcclient localhost -U Admin -c "enumdrivers"' I see both drivers.

> - Is the combobox still empty if you use a domain admin account (grant the privilege to it first)?

I don't have a domain admin account (see our special environment above)

Regards
Thomas
Re: [Samba] delete kerberos databases and start over
On 24-9-2013 19:10, jimc wrote:
> Hi. Something happened with my Kerberos database*. I don't know what. I don't care much (right now). What I need to do now is to recover.
>
> I am running a small home network: 3 win7 boxes, 2 XPs, 2 Mint Linux and one Puppy.
>
> I tried deleting /usr/local/samba/private/* and /usr/local/samba/etc/smb.conf as the how-to suggests, then doing a samba-tool domain provision.
>
> All my Windoze boxes' event logs say they can't establish a secure connection to authenticate.

Correct behaviour, because there is/was a relation between Windows and Samba4, called SIDs. Put your Windows boxes in a workgroup and then add them back to the domain.

Regards,

Joop