[Samba] HTML docs and the removal of SWAT in 4.1

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 15:17 -0400, Charles Marcus wrote:
> On 2013-10-11 9:49 AM, samba-requ...@lists.samba.org 
>  wrote:
> > REMOVED COMPONENTS
> > ==
> >
> > The Samba Web Administration Tool (SWAT) has been removed.
> > Details why SWAT has been removed can be found on the samba-technical 
> > mailing
> > list:
> >
> > https://lists.samba.org/archive/samba-technical/2013-February/090572.html
> 
> Just curious what was decided about this comment (he has a very 
> excellent point):
> 
> "I have yet to make the jump to Samba4, so I have not seen the version of
> SWAT designed for it.
> 
> For me, the primary benefit of SWAT in Samba3 was the ability to use the
> help link for any parameter to see what that parameter did, what the
> default was, and what its proper syntax was.  For reference, I ran "man
> smb.conf".  Viewing full screen, I pressed the "Page Down" key 34 times
> and was still in the 1st third of the alphabetical listing of
> parameters.  It's no small wonder that I never used "man smb.conf" to
> configure Samba.  SWAT was my friend.
> 
> So, if Samba4 has anywhere near the number of parameters as Samba3, I
> would be greatly disappointed to see SWAT go away entirely.  An html
> version of the samba-doc package that contained all parameters with
> links to their definitions/descriptions would be a welcome and suitable
> replacement."

You can search the manpage with the normal pager commands
(eg /directory).

No matter if we would have liked to keep SWAT around, it was simply not
maintained, and fixing the CVE issues only introduced other issues. 

HTML documentation should be generated by running 'make htmlman' in the
docs-xml directory, but some of this seems to have bitrotted, at least
in my brief testing.  Patches to have HTML manpages generated by our
main buildsystem (see docs-xml/wscript_build and
buildtools/wafsamba/wafsamba.py) are most welcome. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Port 139 Not open on bootup...

2013-10-12 Thread Scott Weber
I am running SUSE 12.0.  I have had this problem on another machine months
ago, but never solved it. I have done many searches, but have come up empty.

When booted, port 139 is not open on IPv4.  There is no 0.0.0.0:139 listening.
HOWEVER:  :::139 is listening.  So I know it is open on IPv6.

When I try to gain remote access through a share, the machine is not found.
When I try to telnet to port 139, the connection is refused.

To solve it, I have to manually restart smb.  So this is some kind of
'first bootup' problem.  All the searches I came up with all describe a
problem that it just isn't working at all.  This is just that it doesn't
work until I restart the daemon.

It's annoying to work around, especially when I'm using a VM and
starting/stopping the machine often.

Can anyone advise on what this problem is, or how to fix it?

-Scott


Re: [Samba] Samba 4.0.10 - 4.1.0 - master can no longer join existing Win2003 domain?

2013-10-12 Thread Mauricio Alvarez
Andrew, thank goodness! I am completely lost and have run out of ideas...

I just checked the output from samba-master, it looks just the same as the 
message I posted on Oct. 10 -- Samba4 can't join domain - 
drsuapi.DsBindInfoFallBack object has no attribute. OK if I don't repost so I 
don't clutter the list?

Thanks for now! Let me know if you need more debugging info. And please keep in 
mind (maybe it has something to do with my problem) I have installed Group 
Policy Preference Client Side Extensions for W2k3 server.



> To make any progress we need the full backtrace.

> Andrew Bartlett

> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team          http://samba.org


Re: [Samba] Samba 4.0.10 - 4.1.0 - master can no longer join existing Win2003 domain?

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 10:54 -0700, Mauricio Alvarez wrote:
> Hello,
> 
> I can NO LONGER join the existing win 2003 domain (functional level win 
> 2003, I also have installed Group Policy Client Side Extensions for Windows 
> Server 2003).
> 
> I am running on Ubuntu Server 13.04. I have tried Samba 4.0.10, 4.1.0 and 
> also, in desperation, samba-master.
> 
> I managed to join the domain with samba 4.0.8 (not sure if it was .8 or .9, 
> it was in mid-September), downloaded via git, compiled and followed the wiki.
> 
> All was running OK for some time, until I found out it was no longer 
> replicating. Then I noticed WERR_VERSION_MISMATCH errors when running drs 
> showrepl.
> 
> Since I was no longer able to demote the Samba4 DC, I decided to manually 
> delete from the Win2003, delete the samba4 directories and start over.
> 
> Now when I try to join the domain it fails with 
> ERROR(): uncaught exception - 
> 'drsuapi.DsBindInfoFallBack' object has no attribute 'supported_extensions'

To make any progress we need the full backtrace.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




Re: [Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-12 Thread Mauricio Alvarez
Is there any chance the problem I am having ('drsuapi.DsBindInfoFallBack' object 
has no attribute 'supported_extensions') is related to this patch?

I cannot find *anything* on Google concerning this, I have no idea what to do, 
just banging head against the wall... 
Anybody please help?

-M


[Samba] [PATCH] Fix Samba 4.1.0 join Windows 2003 Server with BIND9_DLZ

2013-10-12 Thread Andrew Bartlett
On Fri, 2013-10-11 at 12:06 -0300, Jacó Ramos wrote:
> Hi guys,
> 
> When run join in DC
> 
> root@samba4:~# samba-tool domain join jacoramos.net.br DC -Uadministrador
> --realm=jacoramos.net.br --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'jacoramos.net.br'
> Found DC win2003.jacoramos.net.br
> Password for [WORKGROUP\administrador]:
> workgroup is JACORAMOS
> realm is jacoramos.net.br
> checking sAMAccountName
> Adding CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Adding
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Adding SPNs to CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Setting account password for SAMBA4$
> Enabling account
> Adding DNS account CN=dns-SAMBA4,CN=Users,DC=jacoramos,DC=net,DC=br with
> dns/ SPN
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
> Deleted CN=NTDS
> Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> Deleted
> CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
> ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
> <052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
> > <>
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
> 552, in run
> machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1169, in join_DC
> ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 1072, in do_join
> ctx.join_add_objects()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
> 616, in join_add_objects
> ctx.samdb.add(msg)
> root@samba4:~#

Sorry about that.   Try the attached patch. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

>From db44a43564a5a994184986e5bf5d059512ff5695 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Sun, 13 Oct 2013 07:40:58 +1300
Subject: [PATCH] provision: Do not set dns-HOSTNAME password during add

Windows servers do not accept password set using clearTextPassword (a
samba only thing), so change it after the creation using the standard routines.

Andrew Bartlett

Signed-off-by: Andrew Bartlett 
---
 python/samba/join.py   | 1 -
 python/samba/provision/__init__.py | 6 ++
 source4/setup/provision_dns_add_samba.ldif | 1 -
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/python/samba/join.py b/python/samba/join.py
index 9cac8f5..c52ffdb 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -608,7 +608,6 @@ class dc_join(object):
 {"DNSDOMAIN": ctx.dnsdomain,
  "DOMAINDN": ctx.base_dn,
  "HOSTNAME" : ctx.myname,
- "DNSPASS_B64": b64encode(ctx.dnspass),
  "DNSNAME" : ctx.dnshostname}))
 for changetype, msg in recs:
 assert changetype == ldb.CHANGETYPE_NONE
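
Review bot: in dc_join (python/samba/join.py) the DNSPASS_B64 substitution is dropped but this file gains no replacement, so on the join path the dns-HOSTNAME account is added without ctx.dnspass ever being applied; the diffstat shows join.py with one deletion only, while the new samdb.setpassword() call lands in provision/__init__.py. Add the equivalent setpassword call after the "for changetype, msg in recs" add loop here, and check whether the b64encode import is still used in this file once this line is gone.
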
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index d8f353f..a31132a 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1127,6 +1127,12 @@ def setup_self_join(samdb, admin_session_info, names, fill, machinepass,
   "DNSNAME" : '%s.%s' % (
   names.netbiosname.lower(), names.dnsdomain.lower())
   })
+samdb.setpassword("(&(objectClass=user)(samAccountName=dns-%s))"
+  % ldb.binary_encode(names.hostname),
+  dnspass,
+  force_change_at_next_login=False,
+  username="dns-%s"
+  % names.hostname)
 
 
 def getpolicypath(sysvolpath, dnsdomain, guid):
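
Review bot: the search filter passed to samdb.setpassword() in setup_self_join is keyed on names.hostname, while the substitution dict just above builds DNSNAME from names.netbiosname.lower() and the LDIF names the account dns-${HOSTNAME}; please confirm the HOSTNAME substitution is the same value as names.hostname, otherwise the filter matches no object and the password is not set. Escaping the filter value with ldb.binary_encode is right. A one-line comment above the call saying the password is set after the add because Windows servers reject clearTextPassword would save the next reader a trip to the commit message.
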
diff --git a/source4/setup/provision_dns_add_samba.ldif b/source4/setup/provision_dns_add_samba.ldif
index 7fb2e78..82f95d4 100644
--- a/source4/setup/provision_dns_add_samba.ldif
+++ b/source4/setup/provision_dns_add_samba.ldif
@@ -12,5 +12,4 @@ userAccountControl: 512
 accountExpires: 9223372036854775807
 sAMAccountName: dns-${HOSTNAME}
 servicePrincipalName: DNS/${DNSNAME}
-clearTextPassword:: ${DNSPASS_B64}
 isCriticalSystemObject: TR
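
Review bot: with clearTextPassword removed, the unchanged "userAccountControl: 512" just above this hunk still creates dns-${HOSTNAME} as an enabled normal account, so the object exists with no password until the caller's later setpassword runs, and stays that way if that call fails or is missing. Consider creating the object disabled and enabling it once the password has been set, and add a comment in this LDIF noting that every caller must set the password after the add.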

[Samba] Samba_kcc error in /var/log/messages

2013-10-12 Thread George ITee
Hello,

I am getting these errors in /var/log/messages:

Oct 12 16:36:15 sambadc samba[7147]: [2013/10/12 16:36:15.817541,  0]
../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)

Oct 12 16:36:15 sambadc samba[7147]:   Calling samba_kcc script

Oct 12 16:36:15 sambadc abrt: detected unhandled Python exception in
'/usr/local/samba/sbin/samba_kcc'

Oct 12 16:36:15 sambadc samba[7147]: [2013/10/12 16:36:15.959943,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)

Oct 12 16:36:15 sambadc samba[7147]:   /usr/local/samba/sbin/samba_kcc:
close failed in file object destructor:

Oct 12 16:36:15 sambadc abrtd: New client connected

Oct 12 16:36:15 sambadc abrtd: Directory 'pyhook-2013-10-12-16:36:15-7630'
creation detected

Oct 12 16:36:15 sambadc abrt-server[7633]: Saved Python crash dump of pid
7630 to /var/spool/abrt/pyhook-2013-10-12-16:36:15-7630

Oct 12 16:36:15 sambadc samba[7147]: [2013/10/12 16:36:15.973347,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)

Oct 12 16:36:15 sambadc samba[7147]:   /usr/local/samba/sbin/samba_kcc:
IOError: [Errno 10] No child processes

Oct 12 16:36:15 sambadc samba[7147]: [2013/10/12 16:36:15.994361,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)

Oct 12 16:36:15 sambadc samba[7147]:   /usr/local/samba/sbin/samba_kcc:
close failed in file object destructor:

Oct 12 16:36:15 sambadc samba[7147]: [2013/10/12 16:36:15.994469,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)

Oct 12 16:36:15 sambadc samba[7147]:   /usr/local/samba/sbin/samba_kcc:
IOError: [Errno 10] No child processes

Oct 12 16:36:16 sambadc abrtd: Executable '/usr/local/samba/sbin/samba_kcc'
doesn't belong to any package

Oct 12 16:36:16 sambadc abrtd: 'post-create' on
'/var/spool/abrt/pyhook-2013-10-12-16:36:15-7630' exited with 1

Oct 12 16:36:16 sambadc abrtd: Corrupted or bad directory
'/var/spool/abrt/pyhook-2013-10-12-16:36:15-7630', deleting

The thing is, these errors appear exactly every 5 minutes. The domain
controller seems to be working fine in my test environment so far, but I
don't recall seeing these errors with Samba 4.0.7. This was also with 4.0.9,
now I just compiled 4.1.0 and the same thing. Any cause for concern, or is it
just supposed to happen?

Thank you,

George



Re: [Samba] getent group by name fails

2013-10-12 Thread Volker Lendecke
On Fri, Oct 11, 2013 at 10:16:48AM -0400, Lee Allen wrote:
> Samba 3.6.17 joined to Samba 4.2.0 AD domain, using winbind
> 
> 'wbinfo -g' and 'getent group' successfully list all groups.
> 'getent group 10006' returns:
>  domain users:x:10006:
> 'getent group "domain users"' fails with return code 2
> 
> partial log.winbind after above command:
> 
> [2013/10/11 10:01:31.288199,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31911]: request interface version
> [2013/10/11 10:01:31.288288,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31911]: request location of privileged pipe
> [2013/10/11 10:01:31.288421,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam domain users
> [2013/10/11 10:01:31.288520,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=DOMAIN\USERS
> [2013/10/11 10:01:31.288547,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] DOMAIN\USERS for domain DOMAIN
> 
> if I specify the domain name, ie: 'getent group "ALLENLAN\\domain users"'
> it still fails...
> 
> [2013/10/11 10:02:18.280728,  3]
> winbindd/winbindd_misc.c:384(winbindd_interface_version)
>   [31925]: request interface version
> [2013/10/11 10:02:18.280823,  3]
> winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
>   [31925]: request location of privileged pipe
> [2013/10/11 10:02:18.280940,  3]
> winbindd/winbindd_getgrnam.c:56(winbindd_getgrnam_send)
>   getgrnam ALLENLAN\domain users
> [2013/10/11 10:02:18.281033,  3]
> winbindd/winbindd_msrpc.c:252(msrpc_name_to_sid)
>   msrpc_name_to_sid: name=ALLENLAN\DOMAIN\USERS
> [2013/10/11 10:02:18.281060,  3]
> winbindd/winbindd_msrpc.c:266(msrpc_name_to_sid)
>   name_to_sid [rpc] ALLENLAN\DOMAIN\USERS for domain ALLENLAN\DOMAIN
> 
> Note the missing space in "DOMAIN\USERS" in the logs.  I don't know whether
> this is relevant.
> 
> 'getent passwd' does not have any such problems - it can query by UID or
> username
> 
> 
> smb.conf:
> 
> [global]
> workgroup = ALLENLAN
> realm = allenlan.net
> password server = 192.168.0.13
> preferred master = no
> server string = zone-samba3
> security = ads
> encrypt passwords = yes
> log level = 3
> log file = /var/log/samba/%m
> max log size = 50
> printcap name = cups
> printing = cups
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes

Please try without "winbind use default domain = yes"

> winbind nested groups = yes
> winbind separator = \

Just a wild guess: Can you try removing this line? \ is
default.

If that does not help, please send us full debug level 10
logs of that command together with the output of

strace -ttT -s 1000 -o /tmp/getent.out getent group "domain users"

Regards,

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de



Re: [Samba] getent group by name fails

2013-10-12 Thread steve
On Fri, 2013-10-11 at 14:06 -0400, Lee Allen wrote:
> Steve thank you for pointing that out.
> 
> 
> I made those changes and it does not affect the results.
> 'getent group UID' works
> 'getent group groupname' does not work, for the same group
> 
> 
> On Fri, Oct 11, 2013 at 12:25 PM, steve  wrote:
> 
> Quite a bit missing here. Try:
> 
> idmap config * : backend = tdb
> idmap config * : range = 9800-9900
> idmap config ALLENLAN : default = yes
> idmap config ALLENLAN : schema mode = rfc2307
> idmap config ALLENLAN : backend = ad
> idmap config ALLENLAN : range = 1-100
> 
> HTH
> Steve
> 

I don't think it works with winbind. If you really need it, the best way
is to use sssd or nslcd. Is it important that it works for you? A script
maybe?
Steve

