Re: [Samba] Debian Package Updates
Hi Andrew,

Would it be possible to upload the packages to the samba team ppa?

Sent from my iPhone

On 05/08/2013, at 10:28 AM, Andrew Bartlett wrote:

> On Fri, 2013-08-02 at 14:41 +0100, Dominic Evans wrote:
>> The debian package of samba4 is still sitting at 4.0.3 in
>> experimental. Please could someone (Andrew?) upload an updated package
>> now that we are up to 4.0.7?
>>
>> http://packages.qa.debian.org/s/samba4.html
>
> We have toiled mightily, and have new experimental packages. They are
> stuck in the NEW queue, and have been for a month:
> http://ftp-master.debian.org/new.html
>
> (This is because we have additional package names, as part of the merge
> with the 'samba' package).
>
> Once that's in, I expect a 4.0.7 will follow shortly.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT           http://catalyst.net.nz

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 using existing DNS and LDAP
Hi Olivier,

I had a similar situation for many of my clients, and I am not anywhere near the end of it yet. I can offer some of my experience though.

The upgrade procedure is documented in https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO and I ended up using --dns-backend=BIND9_DLZ. If you want to set up an AD domain controller then DNS is really important.

As far as the other ldap things, the classic upgrade does not pull in anything that doesn't have samba attributes. I ended up creating some things from scratch after the fact.

Sent from my iPhone

On 06/08/2013, at 7:08 PM, Olivier Nicole wrote:

>
> Hi,
>
> I have been using Samba3 (and 2) for years, with an openLDAP backend for
> authentication. This is working fine, my directory includes a number of
> local settings for my specific needs.
>
> Now I would like to move to Samba4.
>
> I understand that Samba4 comes with its own DNS and LDAP servers.
>
> By provisioning Samba4 with --dns-backend=NONE and including the
> necessary to my existing DNS zone, is that enough to get rid of the DNS
> server included with Samba4? What kind of updates does Samba need to
> perform to DNS? The one at the provisioning and the machine name that
> join the domain (this is already taken care of by DHCP). Is there
> anything I oversee?
>
> Now regarding LDAP, is there a way to tell Samba to replicate the
> directory from my existing openLDAP?
>
> Best regards,
>
> Olivier
>
> --
Re: [Samba] Joining DC
On 05/08/2013, at 7:03 AM, Mike Ray wrote:

> Alex-
>
> A few things:
>
> 1) Don't run DCs on the same domain with different versions of Samba. Either
> add in another 4.0.1 DC and replicate, or use the backup tool to create a
> copy of the database first.
> 2) CN=DeletedObjects is hidden by design. You can view it using ldp.exe on a
> windows box (http://technet.microsoft.com/en-us/library/cc978013.aspx) and a
> google search will show you where to look for it in ADSIEdit.
> 3) In this instance, I see why you are trying to delete this item; in 99% of
> other cases though, the tombstone policy should take care of removing deleted
> objects.
>
> Good luck,
> Mike Ray
>
> From: "Alex Ferrara"
> To: "samba@lists.samba.org List"
> Sent: Sunday, August 4, 2013 3:03:11 PM
> Subject: Re: [Samba] Joining DC
>
> Does nobody know how to manually remove items from Samba4 directory? I've
> tried using adsiedit but cn=deleted items doesn't show up.
>
> Sent from my iPhone
>
> On 02/08/2013, at 1:58 PM, Alex Ferrara wrote:
>
> > I am having some trouble joining a new samba4 server as a DC. I am pretty
> > sure this stems from trying to use OpenChange and subsequently removing it.
> > The new samba4 machine is running 4.0.7 and the existing is running 4.0.1.
> > I am a little hesitant to do an in-place upgrade of the last working DC, so
> > I wanted a replica to fall back on in case things go bad.
> >
> > Any help would be appreciated.
> >
> > On the new machine
> >
> >> samba-tool domain join domain.local DC -Uadministrator realm=domain.local
> >> --dns-backend=BIND9_DLZ
> >
> > Finding a writeable DC for domain 'domain.local'
> > Found DC tachyon.domain.local
> > Password for [DOMAIN\administrator]:
> > workgroup is DOMAIN
> > realm is domain.local
> > checking sAMAccountName
> > Adding CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> > Adding CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> > Adding CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> > Adding SPNs to CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> > Setting account password for NEXUS$
> > Enabling account
> > Calling bare provision
> > No IPv6 address will be assigned
> > Provision OK for domain DN DC=domain,DC=local
> > Starting replication
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[402/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[804/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1206/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1608/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2010/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2412/2620] linked_values[0/0]
> > Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2620/2620] linked_values[0/0]
> > Analyze and apply schema objects
> > Join failed - cleaning up
> > checking sAMAccountName
> > Deleted CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> > Deleted CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> > Deleted CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> > ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1009, in do_join
> >     ctx.join_replicate()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 734, in join_replicate
> >     replica_flags=ctx.replica_flags)
> >   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 248, in replicate
> >     (level, ctr)
Re: [Samba] Joining DC
Does nobody know how to manually remove items from Samba4 directory? I've tried using adsiedit but cn=deleted items doesn't show up.

Sent from my iPhone

On 02/08/2013, at 1:58 PM, Alex Ferrara wrote:

> I am having some trouble joining a new samba4 server as a DC. I am pretty
> sure this stems from trying to use OpenChange and subsequently removing it.
> The new samba4 machine is running 4.0.7 and the existing is running 4.0.1. I
> am a little hesitant to do an in-place upgrade of the last working DC, so I
> wanted a replica to fall back on in case things go bad.
>
> Any help would be appreciated.
>
> On the new machine
>
>> samba-tool domain join domain.local DC -Uadministrator realm=domain.local
>> --dns-backend=BIND9_DLZ
>
> Finding a writeable DC for domain 'domain.local'
> Found DC tachyon.domain.local
> Password for [DOMAIN\administrator]:
> workgroup is DOMAIN
> realm is domain.local
> checking sAMAccountName
> Adding CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> Adding CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> Adding CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> Adding SPNs to CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> Setting account password for NEXUS$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=domain,DC=local
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[402/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[804/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1206/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1608/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2010/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2412/2620] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2620/2620] linked_values[0/0]
> Analyze and apply schema objects
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
> Deleted CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> Deleted CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
> ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1009, in do_join
>     ctx.join_replicate()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 734, in join_replicate
>     replica_flags=ctx.replica_flags)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 248, in replicate
>     (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)
>
> On the existing DC logs
>
> [2013/08/02 13:53:04, 0] ../source4/rpc_server/drsuapi/getncchanges.c:220(get_nc_changes_build_object)
>   ../source4/rpc_server/drsuapi/getncchanges.c:220: Failed to find attribute in schema for attrid 2786216 mentioned in replPropertyMetaData of CN=Recipient Update Service (DOMAIN)\0ADEL:cbf078d9-a0ff-4609-a05b-743816af619d,CN=Deleted Objects,CN=Configuration,DC=domain,DC=local
>
> Alex Ferrara
> Director
> Receptive IT Solutions
[Samba] Joining DC
I am having some trouble joining a new samba4 server as a DC. I am pretty sure this stems from trying to use OpenChange and subsequently removing it. The new samba4 machine is running 4.0.7 and the existing is running 4.0.1. I am a little hesitant to do an in-place upgrade of the last working DC, so I wanted a replica to fall back on in case things go bad.

Any help would be appreciated.

On the new machine

>samba-tool domain join domain.local DC -Uadministrator realm=domain.local
>--dns-backend=BIND9_DLZ

Finding a writeable DC for domain 'domain.local'
Found DC tachyon.domain.local
Password for [DOMAIN\administrator]:
workgroup is DOMAIN
realm is domain.local
checking sAMAccountName
Adding CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
Adding CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Adding CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Adding SPNs to CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
Setting account password for NEXUS$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=domain,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[402/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[804/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1206/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[1608/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2010/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2412/2620] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=domain,DC=local] objects[2620/2620] linked_values[0/0]
Analyze and apply schema objects
Join failed - cleaning up
checking sAMAccountName
Deleted CN=NEXUS,OU=Domain Controllers,DC=domain,DC=local
Deleted CN=NTDS Settings,CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Deleted CN=NEXUS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
ERROR(runtime): uncaught exception - (8442, 'WERR_DS_DRA_INTERNAL_ERROR')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1009, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 734, in join_replicate
    replica_flags=ctx.replica_flags)
  File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 248, in replicate
    (level, ctr) = self.drs.DsGetNCChanges(self.drs_handle, req_level, req)

On the existing DC logs

[2013/08/02 13:53:04, 0] ../source4/rpc_server/drsuapi/getncchanges.c:220(get_nc_changes_build_object)
  ../source4/rpc_server/drsuapi/getncchanges.c:220: Failed to find attribute in schema for attrid 2786216 mentioned in replPropertyMetaData of CN=Recipient Update Service (DOMAIN)\0ADEL:cbf078d9-a0ff-4609-a05b-743816af619d,CN=Deleted Objects,CN=Configuration,DC=domain,DC=local

Alex Ferrara
Director
Receptive IT Solutions
Re: [Samba] Compiling Samba 4.0.7 - make test results
Nice to see my how to is helping out.

Sent from my iPhone

On 29/07/2013, at 4:12 PM, "Mgr. Peter Tuharsky, MsU Banska Bystrica" wrote:

> Thank You
>
> On 24.07.2013 15:38, L.P.H. van Belle wrote:
>> Hi,
>>
>> Just look here
>>
>> http://www.enterprisesamba.com/samba/
>>
>> make an account so you can use the packages of sernet samba.
>>
>> and use this one for very basic setup.
>> ( this also works for debian, since ubuntu is based on debian )
>>
>> http://www.ferrara.com.au/mediawiki/index.php/Ubuntu:_Samba_4_Active_Directory_Domain_Master
>>
>> Best regards,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: tuhar...@misbb.sk [mailto:samba-boun...@lists.samba.org]
>>> On behalf of Mgr. Peter Tuharsky, MsU Banska Bystrica
>>> Sent: Wednesday 24 July 2013 14:08
>>> To: samba@lists.samba.org
>>> Subject: Re: [Samba] Compiling Samba 4.0.7 - make test results
>>>
>>> The tests eventually finished, however several errors have been
>>> reported. Sincerely, I don't understand them. I'm sending the
>>> st/summary file in attachment.
>>>
>>> Please, is there anybody capable telling me, what's the problem with my
>>> compilation? Am I missing some package, or is there some lack of
>>> information on Wiki, or...?
>>>
>>> Or should I better contact the technical mailing list?
>>>
>>> I'm not eager to compile samba myself, however Debian packages are
>>> rather old even in experimental branch...
>>>
>>> Peter
>>>
>>> On 23.07.2013 14:17, Mgr. Peter Tuharsky, MsU Banska Bystrica wrote:
>>>> Hallo,
>>>>
>>>> I'm new here. Doing compilation of Samba 4.0.7 on Debian Wheezy
>>>> accordingly to Samba Wiki page. I have used configure parameters
>>>> --enable-debug --enable-selftest and after make, I ran make test.
>>>>
>>>> Now I'm puzzled, because it apparently stops at step 96 (after 15
>>>> minutes, CPU still running at full speed), and I don't know how to
>>>> interpret the results. I'm sending the output in attachment.
>>>>
>>>> Please, is my samba "ready to go" or not? What is the 1 error
>>>> reported about? And why the test doesn't end up correctly? Or how
>>>> long should one normally wait for test to complete?
>>>>
>>>> Sincerely,
>>>> Peter
Re: [Samba] Replication problems
Thanks Andrew,

I did see that in the change log, but haven't tried it as of yet.

aF

On 17/06/2013, at 9:01 PM, Andrew Bartlett wrote:

> On Wed, 2013-06-12 at 06:54 +1000, Alex Ferrara wrote:
>> Hi everyone,
>>
>> Samba4 has been going great for quite a while now, so I thought I would get
>> a little adventurous. The goal is to install Openchange with SOGo.
>>
>> The SOGo part is fine, but Openchange extends the AD schema in a similar way
>> that Exchange extends the AD schema. To facilitate this, I joined a new DC
>> to the domain, and transferred the fsmo schema role to this new DC. When I
>> say transferred, the transfer failed and it seized the role. The schema
>> update went fine, but after all this I noticed replication errors had
>> started to creep in.
>
>>
>>
>> I have tried manually replicating, but this doesn't seem to work. Any
>> insight would be fantastic.
>
> Some of this has improved in master in the past few days. We found some
> issues in our replication code, and have been slowly fixing it, but due
> to the complexity of replication, when we write tests we often find even
> more issues :-)
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E a...@receptiveit.com.au
W www.receptiveit.com.au
[Samba] Provision new domain from Windows AD
Hi everyone,

What I want to achieve is to provision a new domain with the users, groups and group policy of an existing AD domain. Is this what I would use the vampire function for? Am I on the wrong track?

Alex Ferrara
Director
Receptive IT Solutions
[Samba] Replication problems
                Last attempt @ Wed Jun 12 06:50:52 2013 EST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 12 06:50:52 2013 EST

OUTBOUND NEIGHBORS

DC=DomainDnsZones,DC=hq,DC=domain,DC=com,DC=au
        Default-First-Site-Name\LACHESIS via RPC
                DSA object GUID: 89a6915d-6b54-42fb-9bf8-e670ed9f8d08
                Last attempt @ Wed Jun 12 06:50:41 2013 EST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 12 06:50:41 2013 EST

CN=Schema,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
        Default-First-Site-Name\LACHESIS via RPC
                DSA object GUID: 89a6915d-6b54-42fb-9bf8-e670ed9f8d08
                Last attempt @ Wed Jun 12 06:50:41 2013 EST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 12 06:50:41 2013 EST

DC=ForestDnsZones,DC=hq,DC=domain,DC=com,DC=au
        Default-First-Site-Name\LACHESIS via RPC
                DSA object GUID: 89a6915d-6b54-42fb-9bf8-e670ed9f8d08
                Last attempt @ NTTIME(0) was successful
                0 consecutive failure(s).
                Last success @ NTTIME(0)

DC=hq,DC=domain,DC=com,DC=au
        Default-First-Site-Name\LACHESIS via RPC
                DSA object GUID: 89a6915d-6b54-42fb-9bf8-e670ed9f8d08
                Last attempt @ Wed Jun 12 06:50:41 2013 EST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 12 06:50:41 2013 EST

CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
        Default-First-Site-Name\LACHESIS via RPC
                DSA object GUID: 89a6915d-6b54-42fb-9bf8-e670ed9f8d08
                Last attempt @ Wed Jun 12 06:50:41 2013 EST was successful
                0 consecutive failure(s).
                Last success @ Wed Jun 12 06:50:41 2013 EST

KCC CONNECTION OBJECTS

Connection --
        Connection name: 91042d21-6f25-4a7b-8c7f-4ecd3d04cd8f
        Enabled: TRUE
        Server DNS name : lachesis.hq.domain.com.au
        Server DN name : CN=NTDS Settings,CN=LACHESIS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hq,DC=domain,DC=com,DC=au
                TransportType: RPC
                options: 0x0001
Warning: No NC replicated for Connection!

I have tried manually replicating, but this doesn't seem to work. Any insight would be fantastic.

Alex Ferrara
Director
Receptive IT Solutions
[Samba] Samba 4 success story
Hi guys,

I thought I should send a quick email through to report my experience upgrading a Samba3 + OpenLDAP site to Samba4.

I did lots of reading and had a bunch of howto documents, including the official one, at my disposal. I set up a shiny new Ubuntu 12.04 64bit virtual machine using OpenVZ and installed the samba4 packages out of http://ppa.launchpad.net/kernevil.

I went through the samba-tool classic upgrade documented in the official how to several times in a test environment to beat our LDAP into shape, which was mostly usernames with the same name as a group, and a few duplicate SIDs, but all this was fairly painless. After the testing migration worked, the "for-real" migration worked first time. We used "ldapsam:trusted = yes" in the classic upgrade step as we did it on new hardware.

I modified our existing Bind DNS servers to look to the Samba 4 DNS server for the AD domain, and modified the /etc/resolv.conf to search the AD domain. We ended up using bind9-dlz on the Samba4 server as this gave us greater flexibility.

I installed the krb5-user package and copied /var/lib/samba/private/krb5.conf to /etc. This was the only thing I had to do to make the kerberos client work. A kinit root@FQDN.DOMAIN worked first time, and a klist confirmed the ticket.

I modified my existing DHCP server to serve out the new AD domain name to our clients, and removed the WINS stuff. Once this was done, our clients pretty much logged on and migrated to the new domain on their own, as per the Microsoft migration path. Most clients needed two reboots, and one client had a problem with the time skewing the kerberos ticket, but mostly it worked first time.

By this time, the whole migration had taken about 90 minutes and it was all working really well. I spent quite a bit of time testing everything and I even installed the Microsoft remote admin pack which worked just like we were running an AD server…. Oh wait, we are!

In hindsight, the use of kernevil packages was a bad decision, as those packages don't include the winbind client tools or CUPS support. It worked flawlessly other than that, and upgrading those packages should be nice and easy. I have been told that the Debian packages out of squeeze-backports would have been a better choice, but I haven't looked at them as of yet.

This is day 3 of running Samba4 and after a few changes to make other things talk to AD Samba instead of NT4 Samba, things are really stable.

A big "thank-you" goes out to all the Samba developers. This is one of those situations where I took extreme caution just in case things broke, but they never did. Site #1 migrated to Samba4, and I have quite a few more to go. Exciting times.

Alex Ferrara
Director
Receptive IT Solutions
[Samba] Migrate from MS-AD to Samba4
Hi all,

This might be a silly question, but what is the best way to migrate an existing AD domain to promote Samba4 as the domain controller?

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E a...@receptiveit.com.au
W www.receptiveit.com.au
[Samba] Samba3+OpenLDAP -> Samba4 implications.
Hi everyone,

I might be going over old stuff, and if so, I apologise.

I administer a network that uses Samba 3 with an OpenLDAP backend for domain logons, printing and file sharing. I am interested in moving to Samba4 for the domain control side of things, but the twist is that I have many other things relying on OpenLDAP for authentication and configuration, with several custom schemas.

Is there a samba4 schema for OpenLDAP or is there a migration path for networks like mine?

Alex Ferrara
Director
Receptive IT Solutions
[Samba] Samba on FreeNAS permissions
Hi list,

I am having a weird issue with samba as included with FreeNAS 8.0.2. All my users are in LDAP, and the local server can see and authenticate LDAP users via other mechanisms like SSH. When I log into this FreeNAS machine via SSH, the server understands group permissions and all works as expected. The filesystem that the share is on is ZFS and FreeNAS is based on FreeBSD.

My issue is, when I mount a CIFS share from a Windows workstation to the FreeNAS Samba server, secondary group permissions are not honoured.

In a bit more detail. I have a user in LDAP called alex.ferrara with the primary group of "Domain Users" and I can mount CIFS shares just fine. The main CIFS share destination directory is set to mode 2775 with the owner "root" and group "Domain Users". My user can create files as you would expect. So far so good.

The problem comes in when I have a directory underneath the main share that is owned by "root" and group "Domain Admins". My user is a member of the domain admins group and I can create files if I log in via SSH, but when I access the same directory via CIFS, I get the message "You need permission to perform this action".

The version of Samba is 3.5.11 and my config file is included below.

[global]
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    read raw = yes
    write raw = yes
    oplocks = yes
    max xmit = 65535
    deadtime = 15
    display charset = LOCALE
    max log size = 10
    syslog only = yes
    syslog = yes
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    smb passwd file = /var/etc/private/smbpasswd
    private dir = /var/etc/private
    getwd cache = yes
    guest account = nobody
    map to guest = Bad Password
    netbios name = server
    workgroup = DOMAIN
    server string = FreeNAS Server
    use sendfile = yes
    large readwrite = no
    store dos attributes = yes
    security = user
    passdb backend = ldapsam:ldap://10.16.0.10
    ldap admin dn = cn=admin,dc=domain
    ldap suffix = dc=domain
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    ldap ssl = off
    ldap replication sleep = 1000
    ldap passwd sync = yes
    #ldap debug level = 1
    #ldap debug threshold = 1
    ldapsam:trusted = yes
    idmap uid = 1-3
    idmap gid = 1-3
    create mask = 0664
    directory mask = 0775
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 3
    aio read size = 1
    aio write size = 1

[share]
    path = /mnt/data/share
    printable = no
    veto files = /.snap/.windows/
    writeable = yes
    browseable = yes
    inherit owner = yes
    inherit permissions = yes
    vfs objects = zfsacl recycle
    recycle:repository = .recycle/%U
    recycle:keeptree = yes
    recycle:versions = yes
    recycle:touch = yes
    recycle:directory_mode = 0777
    recycle:subdir_mode = 0700
    inherit acls = Yes
    map archive = No
    map readonly = no
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

Alex Ferrara
Director
Receptive IT Solutions
P 0403 604 604
F (02) 4822 7700
E a...@receptiveit.com.au
W www.receptiveit.com.au
[Samba] ADS member server to 2008 R2
Hi all,

I have a strange problem, and I can't seem to solve it. I have set up an Ubuntu 9.10 server with samba+kerberos to be an ADS member server. The PDC was a 2003 SBS server, and all was well. Recently I added a 2008 R2 server standard to the mix, and promoted it as a domain controller. Ever since I did this, the samba server stops working daily. I have updated to 3.4.7 out of the lucid tree, but it still has the same behaviour.

After a few days of this happening, I have found that to get it working again, I have to perform a "net ads join", and it will magically start working. I don't even need to restart samba or winbind. Does this seem to indicate that the kerberos side is ok?

Ideas?

Alex Ferrara
Director
Receptive IT Solutions
Re: [Samba] Problem with Windows 7 and roaming profiles
Hi Andre,

I have a site with all Windows 7 Professional 64bit clients, and Samba 3.4.3 with an LDAP backend. Roaming profiles are working great.

A few things come to mind.

Disk space on the profile path
Permissions on the directory
Does Windows give any error messages on logout?
What filesystem are you using?

aF

On 23/02/2010, at 1:57 AM, André Egerer wrote:

> Hello together,
>
> we try to setup a samba domain controller with LDAP and roaming profiles for
> Win7-Clients.
> Everything looks fine last Friday but today the clients did not longer save
> changes to the profiles. There is no error in samba log and also no in the
> windows log. If I delete a profile from a client it is loaded correctly at
> next logon, but the changes are not saved at logout.
>
> Windows XP profiles are working well all the time...
>
> Any ideas?
>
> OS: Debian Etch
> Kernel: 2.6.24
> Samba: 3.4.5
> Disk is mounted with "user_xattr"
>
>
> [profiles]
>    path = /home/samba/profiles
>    comment = roaming profiles
>    create mask = 0600
>    directory mask = 0700
>    browsable = no
>    writable = yes
>    read only = no
>    store dos attributes = yes
>
>
>
> ---
> André Egerer
> Diplom-Wirtschaftsinformatiker
> Technical Director, SmartCom Center
>
> Quintec GmbH
> Siemensstr. 2-4
> 90766 Fürth
> Tel: 0911 7667014
> Fax.: 0911 7667015
>
> www.quintec.de
> QUINTEC Ges. für Datentechnik mbH
> Management: Konrad Trosky, registered office Overath, Cologne District Court, HR B
> 46046
Re: [Samba] windows users can login but OS X users cannot
I have seen this behaviour recently using Samba 3.4.5 from the Lucid tree on Ubuntu 9.10.

Try using domain\username for the username.

To me, it appears to be a bug in winbind not using the default domain, but I could be wrong.

Sent from my iPhone

On 20/02/2010, at 8:29 PM, grant little wrote:

Hello,

having spent many hours scouring archives, docs, books and googling without finding an answer I need to ask your help on this.

running samba 3.4.0-3ubuntu5.3 on ubuntu 9.10 server, client users can login to the share from windows clients but the same users is denied access when connecting from OS X via GO/Connect To Server in format smb://fqdnofserver

user authentication is to active directory using kerberos and LDAP and am not running winbind

pam.d/samba is set to allow smb logins, that is shell logins are not permitted for active directory authenticated users. here's that snippet:

# /etc/pam.d/samba
auth sufficient pam_krb5.so minimum_uid=1000 use_first_pass
account sufficient pam_ldap.so use_first_pass
session sufficient pam_ldap.so

I have tested my configs on samba 3.0.33 on CENTOS and it works fine there for both OS X and windows

the share is setup on /shares/asgs with these permissions:

drwxrwsrwx 8 root root 87 2010-02-20 00:17 shares
drwxrws--- 2 grant ASGSFileUsers 18 2010-02-20 00:21 asgs

here's smb.conf:

[global]
    unix extensions = no
    disable spoolss = Yes
    disable netbios = yes
    name resolve order = hosts
    workgroup = AD
    realm = AD.UCSD.EDU
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0
    log level = 3
    panic action = /usr/share/samba/panic-action %d
    security = ads
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = yes
    unix password sync = yes
    pam password change = no
    map to guest = bad user
    usershare allow guests = no

[asgs]
    comment = ASGS
    path = /shares/asgs
    browsable = Yes
    valid users = @ad\ASGSFileUsers
    write list = @ad\ASGSFileUsers
    create mask = 2660
    directory mask = 2770

The tail n20 of the log of the connecting ip shows this for an OS X attempt:

[2010/02/20 00:56:16, 3] smbd/oplock_linux.c:219 (linux_init_kernel_oplocks)
  Linux kernel oplocks enabled
[2010/02/20 00:56:16, 3] smbd/process.c:1453(process_smb)
  Transaction 0 of length 51 (0 toread)
[2010/02/20 00:56:16, 3] smbd/process.c:1272(switch_message)
  switch message SMBnegprot (pid 5658) conn 0x0
[2010/02/20 00:56:16, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 00:56:16, 3] smbd/negprot.c:567(reply_negprot)
  Requested protocol [NT LM 0.12]
[2010/02/20 00:56:16, 3] smbd/negprot.c:387(reply_nt1)
  using SPNEGO
[2010/02/20 00:56:16, 3] smbd/negprot.c:672(reply_negprot)
  Selected protocol NT LM 0.12
[2010/02/20 00:56:18, 3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/02/20 00:56:18, 3] smbd/connection.c:31(yield_connection)
  Yielding connection to
[2010/02/20 00:56:18, 3] smbd/server.c:848(exit_server_common)
  Server exit (failed to receive smb request)

Hope someone can give me a pointer where to look next or what to tweak. Let me know if you need other log snippets.

Thanks,
Grant
[Samba] Windows 7 machine trust accounts expiring
I think I have narrowed this down even further. I have been working through getting rid of error messages in the logs, and I have updated Samba to 3.4.3. This might have fixed the issue, and I won't know for some time, but I can still see the following error appearing in the logs, which seems to line up with the core issue of machine trust accounts expiring.

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$

I have noticed that the new Windows 7 machines say the password has expired on the same date that is in "sambaPwdLastSet". I added the "X" attribute in sambaAcctFlags in an attempt to stop the accounts from expiring.

Below is an ldif of a Windows 7 machine trust account

dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ac-2150$
uid: ac-2150$
uidNumber:
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaDomainName: DOMAIN
sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
sambaNTPassword: DABA25E3910551C63347D399520C123D
sambaAcctFlags: [WX ]
sambaPwdLastSet: 1260776037

Any help would be appreciated.

aF
Re: [Samba] Windows 7 + Samba domain issues
Just for completeness, when I successfully join the domain I get the following in /var/log/syslog

Dec 7 19:50:33 percy slapd[2514]: conn=219 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:33 percy slapd[2514]: conn=220 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:34 percy dhcpd: DHCPREQUEST for 192.168.0.114 from 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy dhcpd: DHCPACK on 192.168.0.114 to 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy slapd[2514]: conn=218 op=27 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

and I get the following in the machine's samba log

[2009/12/07 19:50:34, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid) pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 0] smbd/map_username.c:140(map_username) can't open username map /etc/samba/smbusers. Error No such file or directory
[2009/12/07 19:50:41, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: Checking password for unmapped user [domain]\[ac-139...@[ac-1391] with the new password interface
[2009/12/07 19:50:41, 3] auth/auth.c:225(check_ntlm_password) check_ntlm_password: mapped user is: [domain]\[ac-139...@[ac-1391]
[2009/12/07 19:50:41, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid) pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok) sam_account_ok: Account for user 'ac-1391$' password expired!.
[2009/12/07 19:50:41, 1] auth/auth_sam.c:179(sam_account_ok) sam_account_ok: Password expired at 'Mon, 07 Dec 2009 19:50:34 EST' (1260175834) unix time.
[2009/12/07 19:50:41, 3] auth/auth_winbind.c:54(check_winbind_security) check_winbind_security: Not using winbind, requested domain [DOMAIN] was for this SAM.
[2009/12/07 19:50:41, 2] auth/auth.c:320(check_ntlm_password) check_ntlm_password: Authentication for user [AC-1391$] -> [AC-1391$] FAILED with error NT_STATUS_PASSWORD_EXPIRED

aF
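Added example (not part of the original posts and not Samba project code): a small Python parser that groups the trust-failure messages quoted in this thread by machine account, so an administrator can see which workstations are hitting password-expiry or netlogon rejections. The function names and the sample log are constructed for illustration; the message patterns are the ones shown in the posts.

```python
import re
from collections import defaultdict

# Samba 3.4 header, e.g. "[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+\S+?:\d+\s*\((\w+)\)")
# Message patterns copied from the log excerpts quoted in this thread.
EVENTS = {
    "no_unix_account": re.compile(r"Failed to find Unix account for (\S+\$)"),
    "password_expired": re.compile(r"Account for user '(\S+\$)' password expired"),
    "netlogon_rejected": re.compile(r"netlogon_creds_server_check failed\..*?machine account (\S+\$)"),
    "auth_failed_expired": re.compile(r"Authentication for user \[(\S+\$)\].*?NT_STATUS_PASSWORD_EXPIRED"),
}
EXPIRY = re.compile(r"Password expired at '[^']*' \((\d+)\) unix time")

def split_records(text):
    """Yield (timestamp, function, message); the message may sit on the
    header line (flattened archive) or on the indented lines after it."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        yield h.group(1), h.group(2), " ".join(text[h.end():end].split())

def trust_failures(text):
    """Per machine account: event counts plus any logged expiry epochs."""
    report = defaultdict(lambda: {"events": defaultdict(int), "expiry": []})
    last_expired = None
    for _ts, _func, msg in split_records(text):
        for name, pat in EVENTS.items():
            m = pat.search(msg)
            if m:
                acct = m.group(1).lower()
                report[acct]["events"][name] += 1
                if name == "password_expired":
                    last_expired = acct
        m = EXPIRY.search(msg)
        if m and last_expired:  # the expiry line carries no account name
            report[last_expired]["expiry"].append(int(m.group(1)))
    return {a: {"events": dict(r["events"]), "expiry": r["expiry"]}
            for a, r in report.items()}

# Constructed sample (header line, then indented message), modelled on this thread.
SAMPLE = """\
[2009/12/07 19:50:41, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok)
  sam_account_ok: Account for user 'ac-1391$' password expired!.
[2009/12/07 19:50:41, 1] auth/auth_sam.c:179(sam_account_ok)
  sam_account_ok: Password expired at 'Mon, 07 Dec 2009 19:50:34 EST' (1260175834) unix time.
"""
```

The expiry epochs returned by `trust_failures` can be compared with the account's sambaPwdLastSet value in LDAP, which is the comparison made elsewhere in this thread.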
[Samba] Windows 7 + Samba domain issues
Hi all,

Earlier I emailed the list on some issues I was having with Windows 7, and one of those issues was the trust relationship breaking down after one month. I think I have some more light to shed on this topic.

First, some environmental facts

I am running Ubuntu Karmic 9.10 with Samba 3.4.0-3ubuntu5.1
I have installed the latest LDAP schema into OpenLDAP 2.4.18-0ubuntu1
I have a working LDAP directory with users and machine trust accounts. This is continuing to work flawlessly with XP clients.
I have applied the two registry hacks into my Windows 7 workstations to enable legacy domains, and to turn off the dns resolution requirement.

When I join the domain, everything happens as advertised, and I do get the error message from Windows 7 about DNS that I read on wiki.samba.org can be safely ignored. Immediately after joining the domain, and after the mandatory reboot, I can log in as advertised.

However, after a period of time (not sure how long), the Windows 7 clients start using their cached credentials, and no longer communicate properly with the Samba PDC. After a period of about 1 month, the clients no longer use their cached credentials, as they probably expire, and then I can no longer log in, with the message that "The trust relationship between this workstation and the primary domain failed."

After some digging, I noticed that the problem in the machine's log file was that the machine trust account could not be found.

[2009/12/07 19:33:13, 3] auth/auth.c:222(check_ntlm_password) check_ntlm_password: Checking password for unmapped user []...@[ac-1391] with the new password interface
[2009/12/07 19:33:13, 3] auth/auth.c:225(check_ntlm_password) check_ntlm_password: mapped user is: [domain]...@[ac-1391]
[2009/12/07 19:33:13, 3] auth/auth.c:271(check_ntlm_password) check_ntlm_password: guest authentication for user [] succeeded
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid) pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid) pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:26, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2009/12/07 19:33:26, 0] lib/util_sock.c:1468(get_peer_addr_internal) getpeername failed. Error was Transport endpoint is not connected
read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

The interesting line there is "Failed to find Unix account for ac-1391$". This implies that the account is missing, but when I look at the LDAP directory with my browser, it is there.

Now it gets interesting... At the time I am trying to log in, I get the following in /var/log/syslog

Dec 7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

Invalid dn indeed. sambaDomainName=DOMAIN,dc=domain,dc=local exists, but sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not.

Does anyone know why Samba would be performing this as a lookup? I have seen other people with these symptoms, but I have not been able to find an answer.

aF
Re: [Samba] Windows 7 domain issues
The DNS update issue I have resolved by insisting that DHCPD perform the update, and ignore the client request. I found that Windows 7 tells DHCPD that it will perform the DNS update, and by default, DHCPD will then let it. The directive in dhcpd.conf is "deny client-updates".

As for the password related issues, I think you might be right, and the answer lies in the password strength required.

I too am holding my breath for Samba4. I have been considering implementing either Franky, or Samba4 alpha in the role of PDC, and using Samba3 to do the file sharing. I'm just a little concerned that it might eat my cat.

aF
[Samba] Windows 7 domain issues
I am running Windows 7 Professional 64-bit with domain membership to a Samba domain. I have noticed some weird behaviour.

1) For some reason, dhcp3-server does not add the forward dns entry into bind9. This works perfectly with Windows 7 if it is not a domain member, or other operating systems (XP, OS/X and Linux). I know this isn't specifically a Samba issue, but I thought I should mention it.

2) Strange entries in log files. Authentication for user [AC2161$] -> [AC2161$] FAILED with error NT_STATUS_PASSWORD_EXPIRED. I did run the Windows 7 64bit RC and after about 1 month, the trust relationship broke down and I would have to re-join the domain to make it work again. This could be related.

3) Password issues. I use a LDAP backend, and use LAM to manage the directory. If I set a password in LAM, it generates the UNIX and SMB passwords, and then stores them in LDAP. This works perfectly for XP but not for Windows 7. Logons persist to use the old password, and I have a feeling that the password being used is a cached password.

Has anyone seen similar issues?

aF
Re: [Samba] Interdomain Trust between Samba3 and 2000 AD
The Windows 2000 server is indeed in mixed mode. I probably should have mentioned that. I'm pretty sure it has something to do with browsing/WINS. I have both machines pointing to the same WINS server, but my gut feeling tells me that is where the problem lies.

aF
[Samba] Interdomain Trust between Samba3 and 2000 AD
I am having some trouble creating a two-way domain trust account between Samba3 and Windows 2000 Server.

The Windows 2000 server is an AD domain controller, and my Samba 3 server has an LDAP backend and is running on Ubuntu 9.04 64bit. Samba 3 is acting as the WINS server, and the Windows server has been pointed to the samba server for WINS in the TCP/IP settings on the network adapter.

I have created the interdomain trust accounts on the Linux side by issuing the following commands.

> net rpc trustdom add W2KDOMAIN password -Uroot
Enter root's password:
> net rpc trustdom add SAMBADOMAIN password -S W2KSERVER -U administrator
Enter administrator's password:
[2009/10/12 13:46:15, 0] utils/net_rpc.c:rpc_trustdom_add_internals (5277)
Could not set trust account password: NT_STATUS_ACCESS_DENIED

Once performing those commands, I can see that a user called w2kdomain$ has been created in LDAP, and a user called SAMBADOMAIN$ has been created in active directory. Since the error message concerning the trust password appeared, I will manually change the password of the user sambadomain$ in AD Users and Computers.

At this stage, if I execute

> net rpc trustdom list
Enter root's password:
Trusted domains list:
none
Trusting domains list:
Unable to find a suitable server for domain W2KDOMAIN
domain controller is not responding: NT_STATUS_UNSUCCESSFUL W2KDOMAIN

If I go into AD Domains and Trusts on the Windows server, and create a "Domains trusted by this domain", it works as advertised. At this point I seem to be able to connect to shares located on the windows domain from computers on the samba domain.

If I create a "Domains that trust this domain", ask it to verify the trust and supply the samba root password, I get a message that "Active Directory cannot verify the trust" blah blah "The error returned was: The specified domain either does not exist or could not be contacted"

That error implies that the Windows server does not know how to contact the samba domain controller, but if I go to a command prompt and run "net view /domain:SAMBADOMAIN", it shows the domain, and the samba domain controller.

I am a little unsure as to how to proceed. I am sure the documentation out there will make complete sense once I figure it out, but at the moment, I am struggling.

Any help would be appreciated.