Re: [Samba] Problems with a trust relation between samba and samba different subnet
I have successfully created trust relationships with Samba 3.3.8 on CentOS 5.5. My /etc/samba/lmhosts file on both PDCs looks similar to the following:

127.0.0.1 localhost
10.208.7.198 server1.domain.br#20
10.208.7.198 server1#20
10.208.7.198 df-cgu#1b
10.208.7.198 df-cgu#1c
10.208.38.2 server2.domain.br#20
10.208.38.2 server2#20
10.208.38.2 ac-cgu#1b
10.208.38.2 ac-cgu#1c

where server1 is the PDC for domain df-cgu and server2 is the PDC for domain AC-CGU.

Hope this helps.

On 01/21/2011 01:25 PM, Alberto Moreno wrote:

Hi, well, once you try a lot with no good result, it is time to ask.

My friends, I want to make two domains running samba+ldap share resources; I want to create a trust relation in two directions. Both domains have WINS enabled but are on different subnets.

Domain Name: DOM1
Netbios Name = DOM1PDC
192.168.50.0/24

Domain Name: DOM2
Netbios Name = DOM2PDC
192.168.40.0/24

Both networks are separate, each one with its own switch; a FW is what lets them communicate.

OS: Centos 5.5
Samba 3.3.x.

First, I followed the instructions from the bible of samba, which say that I need to create the interdomain account on each network:

smbldap-useradd -a -i DOMAIN-NAME

Done.

smbldap-usershow

I have the I flag on each account. I have enabled the ports in my FW so both domains can communicate, done.

Now when I run the command:

net rpc trustdom establish DOM1

on PDC DOM2 I get the error:

net rpc trustdom establish DOM1 running on PDC DOM2
[2011/01/21 07:17:16, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:17:16, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM1

Some search pages pointed out that in this case I need to set up the lmhosts file to make this happen, because no service is helping my PDC to reach the other end. I read the MS KB where it says how to set up an LMHOSTS file, and I have this on my PDC DOM2:

127.0.0.1 localhost
192.168.50.3 "DOM1 \0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1

On DOM1 I have:

192.168.40.3 "DOM2 \0x1b" #PRE
192.168.40.3 DOM2PDC #PRE #DOM:DOM2

In samba smb.conf I have:

hosts allow = 192.168.40. 192.168.50. 127.
name resolve order = wins hosts bcast lmhost

nsswitch has the line:

hosts: files wins dns

I tried again, and on the DOM1 PDC:

net rpc trustdom establish DOM2
[2011/01/21 07:22:13, 0] libsmb/namequery.c:internal_resolve_name(1609)
  resolve_name: unknown name switch type lmhost
[2011/01/21 07:22:13, 0] utils/net_rpc.c:rpc_trustdom_establish(5565)
  Couldn't find domain controller for domain DOM2

Is there something I forgot to set up, or what am I doing wrong? I hope someone can give some tips and point out my errors. I would appreciate it, thanks!!!

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
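An added example, not part of either message above: a small Python check for the two settings this thread turns on, the `name resolve order` tokens and the lmhosts entry form `IP NAME#XX` used in the reply. The token set is taken from smb.conf(5), with `hosts` included as an assumption because the log above rejects only `lmhost`; the function names and the sample lines are constructed for illustration.

```python
import re

# Values documented for "name resolve order" in smb.conf(5).
# "hosts" is included as an assumption: the log on this page rejects only
# "lmhost" although the same setting also contains "hosts".
KNOWN_ORDER = {"lmhosts", "host", "hosts", "wins", "bcast"}

# lmhosts entry in the form the reply uses: IP, NetBIOS name, optional #XX hex type.
ENTRY = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3})\s+([^\s#"]+)(?:#([0-9A-Fa-f]{1,2}))?\s*$'
)


def unknown_order_tokens(value):
    """Return the tokens of a 'name resolve order' value that are not known."""
    return [tok for tok in value.split() if tok.lower() not in KNOWN_ORDER]


def check_lmhosts(text):
    """Return (entries, nonconforming): parsed (ip, name, type) tuples and
    the (line number, text) of lines that do not fit the IP NAME[#XX] form."""
    entries, nonconforming = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = ENTRY.match(line)
        if m:
            ip, name, ntype = m.groups()
            entries.append((ip, name, int(ntype, 16) if ntype else None))
        else:
            nonconforming.append((lineno, line))
    return entries, nonconforming


# Constructed sample: two lines in the reply's style, two in the question's style.
SAMPLE = """\
127.0.0.1 localhost
10.208.38.2 ac-cgu#1b
192.168.50.3 "DOM1 \\0x1b" #PRE
192.168.50.3 DOM1PDC #PRE #DOM:DOM1
"""

if __name__ == "__main__":
    print("unknown tokens:", unknown_order_tokens("wins hosts bcast lmhost"))
    entries, nonconforming = check_lmhosts(SAMPLE)
    for entry in entries:
        print("ok      ", entry)
    for lineno, line in nonconforming:
        print("review  ", lineno, line)
```

Lines reported for review are only those that differ from the `NAME#XX` form; the check does not model how Samba itself treats them.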
[Samba] Maximum number of trust relationships
I have samba 3.3.8 installed on CentOS 5.5 on 27 different sites. We want the 27 different sites to have two-way trust relationships with each other.

My question is: is there an upper limit on the number of trust relationships for a samba server and/or windows XP clients?
Re: [Samba] winbind filling up log with "Possible deadlock: Trying to lookup SID xxx with passdb backend"
On 12/13/2010 11:48 AM, Michael Wood wrote:

On 13 December 2010 12:38, Andre Fonseca de Oliveira wrote:

Appreciate your reply.

On 6 December 2010 14:54, Andre Fonseca de Oliveira wrote:

Hello,

I have samba 3.3.8 installed on CentOS 5.5 on a production server. Winbind is filling up the logs with these messages:

[2010/12/06 10:43:28, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend

If you enable debug level 10, do you get this just before each of those messages?

Converting SID S-1-5-21-2106371596-187675891-3351287853

Yes. Here is a snippet:

[2010/12/13 08:28:59, 10] winbindd/winbindd_dual.c:child_process_request(452)
  child_process_request: request fn LOOKUPSID
[2010/12/13 08:28:59, 3] winbindd/winbindd_async.c:winbindd_dual_lookupsid(239)
  [13229]: lookupsid S-1-5-21-2106371596-187675891-3351287853
[2010/12/13 08:28:59, 10] winbindd/winbindd_passdb.c:sid_to_name(147)
  *Converting SID S-1-5-21-2106371596-187675891-3351287853*
[2010/12/13 08:28:59, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend

OK, so it looks like it's coming from the sid_to_name() function (which I should have realised from the line number (159) in the first place).

We have been having problems when activating winbind daemon. Could this error message be causing trouble?

I don't think so. I'm not sure what would cause this, but the code logs that message if the SID is not in the BUILTIN domain and is not in your domain and is not a local user/group and is not a well known SID (like "Everybody"). It looks like just a sanity check. I have no idea what it has to do with deadlocks, but perhaps someone familiar with the code could comment.

The SID that appears in the logs is the domain SID:

[r...@phoenix samba]# net getdomainsid
SID for local machine PHOENIX is: S-1-5-21-2106371596-187675891-3351287853
SID for domain DF-CGU is: S-1-5-21-2106371596-187675891-3351287853

Strange. So instead of the SID being e.g. a user or group, it is the domain itself. That explains why you're getting the message, but not why someone is calling sid_to_name() on the domain SID. I'm out of my depth here. I don't know if it's normal to call sid_to_name() on a domain SID.

Well, I guess I will have to live with this message. Is there a way to suppress this error message, besides changing the source code?

Attached is smb.conf globals section (shares removed).

Thanks in advance
Re: [Samba] winbind filling up log with "Possible deadlock: Trying to lookup SID xxx with passdb backend"
Appreciate your reply.

On 6 December 2010 14:54, Andre Fonseca de Oliveira wrote:

Hello,

I have samba 3.3.8 installed on CentOS 5.5 on a production server. Winbind is filling up the logs with these messages:

[2010/12/06 10:43:28, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend

If you enable debug level 10, do you get this just before each of those messages?

Converting SID S-1-5-21-2106371596-187675891-3351287853

Yes. Here is a snippet:

[2010/12/13 08:28:59, 10] winbindd/winbindd_dual.c:child_process_request(452)
  child_process_request: request fn LOOKUPSID
[2010/12/13 08:28:59, 3] winbindd/winbindd_async.c:winbindd_dual_lookupsid(239)
  [13229]: lookupsid S-1-5-21-2106371596-187675891-3351287853
[2010/12/13 08:28:59, 10] winbindd/winbindd_passdb.c:sid_to_name(147)
  *Converting SID S-1-5-21-2106371596-187675891-3351287853*
[2010/12/13 08:28:59, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend

We have been having problems when activating winbind daemon. Could this error message be causing trouble?

I don't think so. I'm not sure what would cause this, but the code logs that message if the SID is not in the BUILTIN domain and is not in your domain and is not a local user/group and is not a well known SID (like "Everybody"). It looks like just a sanity check. I have no idea what it has to do with deadlocks, but perhaps someone familiar with the code could comment.

The SID that appears in the logs is the domain SID:

[r...@phoenix samba]# net getdomainsid
SID for local machine PHOENIX is: S-1-5-21-2106371596-187675891-3351287853
SID for domain DF-CGU is: S-1-5-21-2106371596-187675891-3351287853

Attached is smb.conf globals section (shares removed).

Thanks in advance
Re: [Samba] error in module acl: insufficient access rights (50)
Wireshark is not needed on the server. You only need tcpdump with the "-w filename" option. This output file can later be opened with wireshark.

André Fonseca

On 12/07/2010 02:41 PM, dobrima...@yahoo.pl wrote:

Thanks for the answer. The error code is 50. Actually I can't check it with Wireshark because I don't have a graphical interface on my server machine where Samba4 is running. Please give me a clue why it won't work. It's very important to me. Maybe I need to use SASL (but how? which mechanism should I use?).

Regards

--- 7.12.10 (Tue), Andrew Bartlett wrote:

From: Andrew Bartlett
Subject: Re: [Samba] error in module acl: insufficient access rights (50)
To: "dobrima...@yahoo.pl"
Cc: samba@lists.samba.org
Date: 7 December 2010 (Tuesday), 6:39

On Sat, 2010-12-04 at 11:48 +, dobrima...@yahoo.pl wrote:

Andrew, yes, bind is successful, I can read records without any problems.

Until very recently, we allowed reads by anonymous users. Can you actually check the error code, and double-check with Wireshark, that the bind worked?

Anil, I don't think so, because even if I run the script with root privileges I'm getting the same error.

Changing the mode to 777 of anything is almost never the correct solution, and indeed yes, this isn't relevant for LDAP anyway.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
[Samba] winbind filling up log with "Possible deadlock: Trying to lookup SID xxx with passdb backend"
Hello,

I have samba 3.3.8 installed on CentOS 5.5 on a production server. Winbind is filling up the logs with these messages:

[2010/12/06 10:43:28, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend
[2010/12/06 10:43:29, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend
[2010/12/06 10:43:29, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend
[2010/12/06 10:43:29, 0] winbindd/winbindd_passdb.c:sid_to_name(159)
  Possible deadlock: Trying to lookup SID S-1-5-21-2106371596-187675891-3351287853 with passdb backend
[2010/12/06 10:43:29, 0] winbindd/winbindd_passdb.c:sid_to_name(159)

We have been having problems when activating winbind daemon. Could this error message be causing trouble?

Attached is smb.conf globals section (shares removed).

Thanks in advance

[global]
workgroup = DF-CGU
server string = ""
passdb backend = ldapsam:"ldap://ldaprr.df.cgu";
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = "Changing*\nNew password*" %n\n "*Retype new password*" %n\n"
username map = /etc/samba/smbusers
unix password sync = Yes
client NTLMv2 auth = Yes
log level = 0 auth:5
syslog = 0
max log size = 10
min protocol = NT1
name resolve order = wins lmhosts host bcast
time server = Yes
deadtime = 5
load printers = No
printcap name = /dev/null
disable spoolss = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -t 5 -w "%u"
logon script = logon.vbs
logon path =
logon home =
domain logons = Yes
os level = 255
lm announce = No
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=suporte,dc=cgu,dc=gov,dc=br
ldap delete dn = Yes
ldap group suffix = ou=grupos,ou=df
ldap machine suffix = ou=computadores,ou=df
ldap passwd sync = yes
ldap replication sleep = 5000
ldap suffix = dc=cgu,dc=gov,dc=br
ldap user suffix = ou=usuarios,ou=df
utmp directory = /var/run
wtmp directory = /var/log
utmp = Yes
comment = "SERVIDOR DE ARQUIVOS GNU/LINUX"
create mask = 0640
directory mask = 02750
nt acl support = No
use sendfile = Yes
printing = bsd
print command = lpr -r -P'%p' %s
lpq command = lpq -P'%p'
lprm command = lprm -P'%p' %j
case sensitive = No
hide unreadable = Yes
veto files = /.*/
strict locking = No