[Samba] domain RODC fails with default provisioning

2013-07-28 Thread Andreas Calvo Gómez
We're evaluating joining another samba domain controller in read-only mode.
With a default provisioning, when running the samba-tool domain RODC, it
fails with the following error:
ldb: ldb_trace_request: (tdb)->search
ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb_wrap open of hklm.ldb
ldb: start ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->start_transaction
ldb: start ldb transaction error: (null)
ldb: ldb_trace_request: ADD
dn: @ATTRIBUTES
changetype: add
key: CASE_INSENSITIVE
value: CASE_INSENSITIVE


 control: 

ldb: ldb_trace_request: (tdb)->add
ldb: ldb_trace_request: (tdb)->prepare_commit
ldb: commit ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->end_transaction
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
About to write CurrentVersion with type (null), length 3: 6.1
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write ProductType with type (null), length 8: LanmanNT
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write RefusePasswordChange with type dword, length 8: 
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
partition_metadata: Migrating partition metadata
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
talloc: access after free error - first free may be at @<�3
Bad talloc magic value - access after free
Aborted

Is there something special to be done prior to the domain join command?
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] RODC between samba v4 servers

2013-07-26 Thread Andreas Calvo
I've dug a little bit more on the RODC set up.

I've tried using BIND with DLZ and without as well as the internal DNS
server.

In both cases, I get an error when the RODC tries to register itself to
gc._msdcs.test.com.
Under DLZ, it fails for a non-secure transaction:
Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of
signer=RODC\$\@TEST.COM name=gc._msdcs.test.com type=A error=insufficient
access rights
When using the internal DNS server, it fails with the following output:
[2013/07/26 18:39:56,  0]
../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
  ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback
failed NT_STATUS_IO_TIMEOUT

Also forced on the clients to use the Try Next Closest Site, but it gives an
error.

What is the behavior of an RODC?
It should have a copy of the AD without the passwords, and also it has a
copy of the DNS records?
Does it act like a proxy between one subnet and the main DC?
Should a new DNS entry be added to advertise the RODC as an available
KDC/AD?

Thanks


On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo  wrote:

> I'm preparing a lab to test the scenario in which a remote office uses a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up an environment with all requirements (two subnets, one with a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 support caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link (
> http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?
>



-- 
Atentamente,
Andreas Calvo


[Samba] RODC between samba v4 servers

2013-07-25 Thread Andreas Calvo
I'm preparing a lab to test the scenario in which a remote office uses a
RODC to cache all users/computers/GPOs from a DC.
I've set up an environment with all requirements (two subnets, one with a DC
and the other with a RODC).
I've joined the domain with a windows machine to the RODC subnet with both
DCs being up.

Using the windows tools (DSA), I've placed a user account and the machine
account inside the Allowed password replication group.

I've switched off the master DC, and tried to login with the cached user in
the cached computer, but it failed.

I've preloaded (samba-tool rodc preload) both the user account and the
machine account in the RODC, without luck.

I've a couple of questions:
- Does samba 4.0.7 support caching passwords for users?
- What is the preload command for? Caching of passwords?

The following link (
http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
talks about setting up the Next Closest DC in the network in the DC
settings to allow RODCs to be trusted, should this be performed as well?
Or is it enough to set it up as a GPO?


Re: [Samba] domain RODC fails with default provisioning

2013-07-12 Thread Andreas Calvo
Sure.
However, notice that it was caused by an incorrect libdefaults entry in
krb5.conf (wrote bdefaults] instead of [libdefaults]).
I've uploaded the log on pastebin: http://pastebin.com/sP8VNXQ5


On Thu, Jul 11, 2013 at 2:08 AM, Andrew Bartlett  wrote:

> On Wed, 2013-07-10 at 17:27 +0200, Andreas Calvo wrote:
> > We're evaluating joining another samba domain controller in read-only
> mode.
> > With a default provisioning, when running the samba-tool domain RODC, it
> > fails with the following error:
> > ldb: ldb_trace_request: (tdb)->search
> > ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
> > ldb_wrap open of hklm.ldb
> > ldb: start ldb transaction (nesting: 0)
> > ldb: ldb_trace_request: (tdb)->start_transaction
> > ldb: start ldb transaction error: (null)
> > ldb: ldb_trace_request: ADD
> > dn: @ATTRIBUTES
> > changetype: add
> > key: CASE_INSENSITIVE
> > value: CASE_INSENSITIVE
> >
> >
> >  control: 
> >
> > ldb: ldb_trace_request: (tdb)->add
> > ldb: ldb_trace_request: (tdb)->prepare_commit
> > ldb: commit ldb transaction (nesting: 0)
> > ldb: ldb_trace_request: (tdb)->end_transaction
> > Key 'key=SOFTWARE,hive=NONE' not found
> > key added: key=SOFTWARE,hive=NONE
> > Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > Key 'key=CurrentVersion,key=Windows
> > NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> > key added: key=CurrentVersion,key=Windows
> > NT,key=Microsoft,key=SOFTWARE,hive=NONE
> > About to write CurrentVersion with type (null), length 3: 6.1
> > Key 'key=SYSTEM,hive=NONE' not found
> > key added: key=SYSTEM,hive=NONE
> > Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> >
> 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found
> > key added:
> > key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > About to write ProductType with type (null), length 8: LanmanNT
> > Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not
> > found
> > key added:
> key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Terminal
> > Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Terminal
> > Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> > key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found
> > key added:
> > key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> >
> 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found
> > key added:
> >
> key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > About to write RefusePasswordChange with type dword, length 8: 
> > Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found
> > key added:
> > key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > Key
> >
> 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> > not found
> > key added:
> >
> key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> > lpcfg_servicenumber: couldn't find ldb
> > lpcfg_servicenumber: couldn't find ldb
> > lpcfg_servicenumber: couldn't find ldb
> > lpcfg_servicenumber: couldn't find ldb
> > partition_metadata: Migrating partition metadata
> > krb5_init_context failed (Invalid argument)
> > smb_krb5_context_init_basic failed (Invalid argument)
> > talloc: access after free error - first free may be at @ <�3
> > Bad talloc magic value - access after free
> > Aborted
> >
> > Is there something special to be done prior to the domain join command?
>
> Can you re-run this under valgrind?  While krb5_init_context should not
> fail (I did see your reply), it also shouldn't cause a crash, and we can
> at least fix that much.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


-- 
Atentamente,
Andreas Calvo
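
A structural check for the kind of krb5.conf section-header typo described in the message above, as an added example that is not part of the original thread or of Samba's code. The function name `lint_krb5_conf` and the sample configuration are hypothetical; the realm comes from the thread and the KDC host name is constructed.

```python
"""Lint krb5.conf structure before running a domain join (added example)."""
import re
import sys

# Top-level section names documented for MIT krb5 and Heimdal config files.
KNOWN_SECTIONS = {
    "libdefaults", "realms", "domain_realm", "capaths", "appdefaults",
    "plugins", "logging", "kdc", "kadmin", "password_quality",
    "kdcdefaults", "dbdefaults", "dbmodules",
}
SECTION_RE = re.compile(r"^\[([A-Za-z_][A-Za-z0-9_]*)\]$")
DIRECTIVES = ("include ", "includedir ", "module ")  # MIT krb5 directives


def lint_krb5_conf(text):
    """Return a list of (line_number, message) structural findings."""
    findings = []
    section = None   # current section name, None until the first header
    depth = 0        # nesting depth of '{ ... }' subsections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or line.startswith(DIRECTIVES):
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                findings.append((lineno, "'}' without matching '{'"))
                depth = 0
            continue
        header = SECTION_RE.match(line)
        if header:
            if depth:
                findings.append((lineno, "section header inside unclosed '{'"))
                depth = 0
            section = header.group(1)
            if section not in KNOWN_SECTIONS:
                findings.append((lineno, f"unknown section [{section}]"))
            continue
        if "=" in line:
            if section is None:
                findings.append((lineno, "relation before any section header"))
            if line.split("=", 1)[1].strip() == "{":
                depth += 1
            continue
        if "[" in line or "]" in line:
            # A header missing one bracket, e.g. the typo from the thread.
            findings.append((lineno, f"malformed section header: {line!r}"))
            section = "<malformed>"  # avoid a cascade of follow-on findings
            continue
        findings.append((lineno, f"unparseable line: {line!r}"))
    if depth:
        findings.append((len(text.splitlines()), "unclosed '{' at end of file"))
    return findings


# Constructed sample reproducing the header typo quoted in the thread.
BROKEN = """\
# constructed sample, not the poster's actual file
bdefaults]
    default_realm = TEST.COM
    dns_lookup_kdc = true

[realms]
    TEST.COM = {
        kdc = dc.test.com
    }
"""
FIXED = BROKEN.replace("bdefaults]", "[libdefaults]")

if __name__ == "__main__":
    # Lint the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    for lineno, message in lint_krb5_conf(text):
        print(f"line {lineno}: {message}")
```

Run against the file on the machine being joined (typically /etc/krb5.conf) before `samba-tool domain join`; an empty result means the structure parsed, not that the realm settings are correct.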

Re: [Samba] domain RODC fails with default provisioning

2013-07-10 Thread Andreas Calvo
Never mind, it was an incorrect krb5.conf on the RODC (hence the krb5 init
fail).


On Wed, Jul 10, 2013 at 5:27 PM, Andreas Calvo  wrote:

> We're evaluating joining another samba domain controller in read-only mode.
> With a default provisioning, when running the samba-tool domain RODC, it
> fails with the following error:
> ldb: ldb_trace_request: (tdb)->search
> ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
> ldb_wrap open of hklm.ldb
> ldb: start ldb transaction (nesting: 0)
> ldb: ldb_trace_request: (tdb)->start_transaction
> ldb: start ldb transaction error: (null)
> ldb: ldb_trace_request: ADD
> dn: @ATTRIBUTES
> changetype: add
> key: CASE_INSENSITIVE
> value: CASE_INSENSITIVE
>
>
>  control: 
>
> ldb: ldb_trace_request: (tdb)->add
> ldb: ldb_trace_request: (tdb)->prepare_commit
> ldb: commit ldb transaction (nesting: 0)
> ldb: ldb_trace_request: (tdb)->end_transaction
> Key 'key=SOFTWARE,hive=NONE' not found
> key added: key=SOFTWARE,hive=NONE
> Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE
> About to write CurrentVersion with type (null), length 3: 6.1
> Key 'key=SYSTEM,hive=NONE' not found
> key added: key=SYSTEM,hive=NONE
> Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> About to write ProductType with type (null), length 8: LanmanNT
> Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
> found
> key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Terminal
> Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Terminal
> Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
> key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> About to write RefusePasswordChange with type dword, length 8: 
> Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> Key
> 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
> not found
> key added:
> key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
> lpcfg_servicenumber: couldn't find ldb
> lpcfg_servicenumber: couldn't find ldb
> lpcfg_servicenumber: couldn't find ldb
> lpcfg_servicenumber: couldn't find ldb
> partition_metadata: Migrating partition metadata
> krb5_init_context failed (Invalid argument)
> smb_krb5_context_init_basic failed (Invalid argument)
> talloc: access after free error - first free may be at @ <�3
> Bad talloc magic value - access after free
> Aborted
>
> Is there something special to be done prior to the domain join command?
>



-- 
Atentamente,
Andreas Calvo

[Samba] domain RODC fails with default provisioning

2013-07-10 Thread Andreas Calvo
We're evaluating joining another samba domain controller in read-only mode.
With a default provisioning, when running the samba-tool domain RODC, it
fails with the following error:
ldb: ldb_trace_request: (tdb)->search
ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb_wrap open of hklm.ldb
ldb: start ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->start_transaction
ldb: start ldb transaction error: (null)
ldb: ldb_trace_request: ADD
dn: @ATTRIBUTES
changetype: add
key: CASE_INSENSITIVE
value: CASE_INSENSITIVE


 control: 

ldb: ldb_trace_request: (tdb)->add
ldb: ldb_trace_request: (tdb)->prepare_commit
ldb: commit ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->end_transaction
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
About to write CurrentVersion with type (null), length 3: 6.1
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write ProductType with type (null), length 8: LanmanNT
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not
found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write RefusePasswordChange with type dword, length 8: 
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key
'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE'
not found
key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
partition_metadata: Migrating partition metadata
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
talloc: access after free error - first free may be at @ <�3
Bad talloc magic value - access after free
Aborted

Is there something special to be done prior to the domain join command?

Re: [Samba] Samba4 errors

2013-06-11 Thread Andreas Calvo
A more detailed output:
[root@sauron ~]# netstat -tnp|grep 445|grep "192.168.0.222"|grep 55257
tcp       24      0 192.168.0.222:55257     192.168.0.222:445       ESTABLISHED 17417/samba
tcp        0      0 192.168.0.222:445       192.168.0.222:55257     ESTABLISHED 23713/smbd

Note that 192.168.0.222 is the IP address of the samba server.
This occurs when the backup agent starts running.
It seems that samba is connecting to itself, and the socket remains open.


On Tue, Jun 11, 2013 at 11:30 AM, Andreas Calvo  wrote:

> We found out that samba is performing connections on the RPC port (TCP
> 445) against itself, and it scales until the memory is gone completely and
> crashes.
>
> Any hint?
>
>
> On Mon, Jun 10, 2013 at 3:08 PM, Andreas Calvo wrote:
>
>> Hello,
>> We've been using samba v4 for a while, but recently we faced two problems
>> for which we cannot determine the source - nor the solution:
>> - every day samba4 stops authenticating new users and sharing folders.
>> While previous logged users can access resources and services, users that
>> weren't logged can't log in. It happens either from kerberos or directly
>> from LDAP.
>> - We are forwarding all DNS requests to the internal DNS server in samba.
>> When samba is restarted, our main DNS server must be restarted too as it
>> cannot forward new queries to the samba server - however, both reply to
>> requests if queried individually.
>>
>> We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it
>> wasn't working either.
>>
>> Logs don't show anything that we can identify as an
>> error/misconfiguration - and samba main log file remains with extension %m,
>> it does not get expanded; while clients' log files end with the IP/hostname
>> of the machine.
>>
>> What steps can we perform to identify the root of the problem?
>> Is there a particular string in the log files that can help?
>>
>> PS: if necessary, we can upload a log file sample and the samba
>> configuration.
>>
>> Thanks in advance.
>>
>
>
>
> --
> Atentamente,
> Andreas Calvo
>



-- 
Atentamente,
Andreas Calvo


Re: [Samba] Samba4 errors

2013-06-11 Thread Andreas Calvo
We found out that samba is performing connections on the RPC port (TCP 445)
against itself, and it scales until the memory is gone completely and
crashes.

Any hint?


On Mon, Jun 10, 2013 at 3:08 PM, Andreas Calvo  wrote:

> Hello,
> We've been using samba v4 for a while, but recently we faced two problems
> for which we cannot determine the source - nor the solution:
> - every day samba4 stops authenticating new users and sharing folders.
> While previous logged users can access resources and services, users that
> weren't logged can't log in. It happens either from kerberos or directly
> from LDAP.
> - We are forwarding all DNS requests to the internal DNS server in samba.
> When samba is restarted, our main DNS server must be restarted too as it
> cannot forward new queries to the samba server - however, both reply to
> requests if queried individually.
>
> We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it
> wasn't working either.
>
> Logs don't show anything that we can identify as an error/misconfiguration
> - and samba main log file remains with extension %m, it does not get
> expanded; while clients' log files end with the IP/hostname of the machine.
>
> What steps can we perform to identify the root of the problem?
> Is there a particular string in the log files that can help?
>
> PS: if necessary, we can upload a log file sample and the samba
> configuration.
>
> Thanks in advance.
>



-- 
Atentamente,
Andreas Calvo


[Samba] Samba4 errors

2013-06-10 Thread Andreas Calvo
Hello,
We've been using samba v4 for a while, but recently we faced two problems
for which we cannot determine the source - nor the solution:
- every day samba4 stops authenticating new users and sharing folders.
While previous logged users can access resources and services, users that
weren't logged can't log in. It happens either from kerberos or directly
from LDAP.
- We are forwarding all DNS requests to the internal DNS server in samba.
When samba is restarted, our main DNS server must be restarted too as it
cannot forward new queries to the samba server - however, both reply to
requests if queried individually.

We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it
wasn't working either.

Logs don't show anything that we can identify as an error/misconfiguration
- and samba main log file remains with extension %m, it does not get
expanded; while clients' log files end with the IP/hostname of the machine.

What steps can we perform to identify the root of the problem?
Is there a particular string in the log files that can help?

PS: if necessary, we can upload a log file sample and the samba
configuration.

Thanks in advance.


Re: [Samba] Samba4 migration

2013-04-30 Thread Andreas Calvo Gómez
Follow the classic upgrade howto:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO


On Tue, Apr 2, 2013 at 10:28 AM, alxgrb  wrote:

> I have a question ...
>
> How can I migrate existing LDAP users ( or schemas) on Ubuntu 10.04.2 to
> the
> new Samba4 (Ubuntu 12.04.2) server?
>
> Does anyone have an idea?
> Thanks for support
>
> Alex
>
>
>
> --
> View this message in context:
> http://samba.2283325.n4.nabble.com/Samba4-migration-tp4646168.html
> Sent from the Samba - General mailing list archive at Nabble.com.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
Atentamente,
Andreas Calvo


Re: [Samba] samba 4 classicupgrade w7 clients errors

2013-04-30 Thread Andreas Calvo
We faced the following error while testing a Kerberos login on a linux
machine joined in the domain by likewise-open:
root@test:/etc# kinit test
Password for test@MYDOMAIN.LOCAL :
Warning: Your password will expire in less than one hour on Thu Jan 1
01:00:00 1970

What do these actually mean:
Minimum password age (days): 0
Maximum password age (days): 0

I've dumped all users from the builtin LDAP in Samba v4, and none of them
had any reference to the password expiration date - they did have a value
for the last time they changed the password though.

It seems that it is really important to set a password expiration date
after a classic upgrade, isn't it?



On Tue, Apr 30, 2013 at 10:00 AM, Andreas Calvo  wrote:

> These are the current settings for the password expiration policy in the
> domain:
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 8
> Minimum password age (days): 0
> Maximum password age (days): 0
>
> Is it necessary to set a value?
> A lot of users are seeing the pop-up "windows needs your credentials. Log
> off and on again".
>
>
> On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett wrote:
>
>> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
>> > I've changed some of my test users' passwords, just to renew the password
>> > expiration date.
>> > I may check if they are still expired or if I have to set a new
>> expiration
>> > policy.
>> > Is it set as a GPO or using the samba-tools?
>>
>> Password expiry for the domain is applied using samba-tool:
>>
>> samba-tool domain passwordsettings
>>
>> As Samba can't read GPO files (but can serve them to clients), we don't
>> follow anything from the GPO.  The only exception is that if a windows
>> DC shares the domain, and it has the GPO files, it will 'fix' the
>> directory to match the GPO.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team   http://samba.org
>>
>>
>>
>
>
> --
> Atentamente,
> Andreas Calvo
>



-- 
Atentamente,
Andreas Calvo


Re: [Samba] samba 4 classicupgrade w7 clients errors

2013-04-30 Thread Andreas Calvo
These are the current settings for the password expiration policy in the
domain:
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0

Is it necessary to set a value?
A lot of users are seeing the pop-up "windows needs your credentials. Log
off and on again".


On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett  wrote:

> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> > I've changed some of my test users' passwords, just to renew the password
> > expiration date.
> > I may check if they are still expired or if I have to set a new
> expiration
> > policy.
> > Is it set as a GPO or using the samba-tools?
>
> Password expiry for the domain is applied using samba-tool:
>
> samba-tool domain passwordsettings
>
> As Samba can't read GPO files (but can serve them to clients), we don't
> follow anything from the GPO.  The only exception is that if a windows
> DC shares the domain, and it has the GPO files, it will 'fix' the
> directory to match the GPO.
>
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


-- 
Atentamente,
Andreas Calvo


Re: [Samba] samba 4 classicupgrade w7 clients errors

2013-04-28 Thread Andreas Calvo
I've changed some of my test users' passwords, just to renew the password
expiration date.
I may check if they are still expired or if I have to set a new expiration
policy.
Is it set as a GPO or using the samba-tools?


On Sun, Apr 28, 2013 at 8:46 AM, Andrew Bartlett  wrote:

> On Sat, 2013-04-27 at 14:31 +0200, Andreas Calvo wrote:
> > I had a test environment with a few hundred users using Windows 7
> under
> > a samba 3 domain.
> > They had the registry tweaks required to join a samba 3 domain.
> > I followed the classicupgrade migration to samba 4 and everything seemed
> to
> > be ok.
> >
> > In my scenario I have a DNS server different from the samba server, and
> the
> > DNS server forwards all queries to my samba domain to the samba server.
> > The samba server is also acting as a NTP server, and the option
> ntp-servers
> > on DHCP is specified.
> >
> > Some users see a pop-up requesting to log off and log in again - with a
> > "windows need your credentials" message.
> > Moreover, they seem to not have any kerberos ticket  - running a klist
> > shows no active tickets; and they do not have the time synchronized and
> > sometimes they see a message regarding the time mismatch.
> > We tried to set up a NTP time using GPOs without luck.
> >
> > Looking at the samba logs doesn't give a clue - just some errors which
> may
> > be normal.
> >
> > Any hint to look at or any configuration/misconfiguration?
>
> Have the passwords expired (incorrectly)?  I just saw the same message
> with my test domain (not upgraded), and it then asked me to change the
> password which had expired.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
>


-- 
Sincerely,
Andreas Calvo


[Samba] samba 4 classicupgrade w7 clients errors

2013-04-27 Thread Andreas Calvo
I had a test environment with a few hundreds of users using Windows 7 under
a samba 3 domain.
They had the registry tweaks required to join a samba 3 domain.
I followed the classicupgrade migration to samba 4 and everything seemed to
be ok.

In my scenario I have a DNS server different from the samba server, and the
DNS server forwards all queries to my samba domain to the samba server.
The samba server is also acting as a NTP server, and the option ntp-servers
on DHCP is specified.

Some users see a pop-up requesting to log off and log in again - with a
"windows need your credentials" message.
Moreover, they seem to not have any kerberos ticket  - running a klist
shows no active tickets; and they do not have the time synchronized and
sometimes they see a message regarding the time mismatch.
We tried to set up a NTP time using GPOs without luck.

Looking at the samba logs doesn't give a clue - just some errors which may
be normal.

Any hint to look at or any configuration/misconfiguration?

Thanks!


[Samba] (no subject)

2013-04-26 Thread Andreas Calvo
I had a test environment with a few hundreds of users using Windows 7 under
a samba 3 domain.
They had the registry tweaks required to join a samba 3 domain.
I followed the classicupgrade migration to samba 4 and everything seemed to
be ok.

In my scenario I have a DNS server different from the samba server, and the
DNS server forwards all queries to my samba domain to the samba server.
The samba server is also acting as a NTP server, and the option ntp-servers
on DHCP is specified.

Some users see a pop-up requesting to log off and log in again - with a
"windows need your credentials" message.
Moreover, they seem to not have any kerberos ticket  - running a klist
shows no active tickets; and they do not have the time synchronized and
sometimes they see a message regarding the time mismatch.
We tried to set up a NTP time using GPOs without luck.

Looking at the samba logs doesn't give a clue - just some errors which may
be normal.

Any hint to look at or any configuration/misconfiguration?

Thanks!


[Samba] Problems with the option "force user"

2007-07-12 Thread Andreas Calvo

Hi.
I've set up a samba share which was working fine.
But now I need to force it to be a specific user, so I've modified the
configuration to use that option.

And now it complains that the directory does not exist.

Here's the config:
[advantage]
  comment = advantage
  path = /home/fileserver/advantage
  public = yes
  writable = yes
  create mask = 0770
  directory mask = 0770
  force user = advantage
  guest ok = yes
  case sensitive = no

Is there any problem with that?

Thanks

--
---------
Andreas Calvo Gómez <[EMAIL PROTECTED]>
Dept. Informàtica ESCI
Pg. Pujades, 1 08003 Barcelona
tel. (34) 932954710 ext.233 fax. (34) 932954720
http://www.esci.es
-

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Re: samba + ldap query filter

2006-09-04 Thread Andreas Calvo

Felipe Augusto van de Wiel wrote:
> On 09/03/2006 11:13 AM, Andreas Calvo wrote:
>>> Hi!
>>> I've been using samba as PDC with a LDAP backend, and everything seems to
>>> work fine but, whenever a user has to auth to samba, it seems that the
>>> query that it performs is against the mail attribute, instead of the uid
>>> as I desired.
>>> Is there any way to manually specify the query filter to use against the
>>> LDAP tree?
> 
>   I remember that there is an 'ldap filter' parameter.
> 
>   I couldn't find it on the smb.conf manpage (I'm cc:ing
> John Terpstra), but in the [1]docs I could find a reference.
> 
> 1.http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2559680

it seems that is not used in new versions of samba :(

> 
> 
>   I hope this helps.
> 
> 
>>> Thanks!
> 
>   You are welcome, kind regards!
> 
> --
> Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)



[Samba] samba + ldap query filter

2006-09-03 Thread Andreas Calvo

Hi!
I've been using samba as PDC with a LDAP backend, and everything seems to
work fine but, whenever a user has to auth to samba, it seems that the query
that it performs is against the mail attribute, instead of the uid as I
desired.
Is there any way to manually specify the query filter to use against the LDAP
tree?
Thanks!