[Samba] domain RODC fails with default provisioning
We're evaluating joining another samba domain controller in read-only mode.
With a default provisioning, when running the samba-tool domain RODC, it fails with the following error:

ldb: ldb_trace_request: (tdb)->search
ldb: ldb_asprintf/set_errstring: NULL Base DN invalid for a base search
ldb_wrap open of hklm.ldb
ldb: start ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->start_transaction
ldb: start ldb transaction error: (null)
ldb: ldb_trace_request: ADD
dn: @ATTRIBUTES
changetype: add
key: CASE_INSENSITIVE
value: CASE_INSENSITIVE

control:

ldb: ldb_trace_request: (tdb)->add
ldb: ldb_trace_request: (tdb)->prepare_commit
ldb: commit ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->end_transaction
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
About to write CurrentVersion with type (null), length 3: 6.1
Key 'key=SYSTEM,hive=NONE' not found
key added: key=SYSTEM,hive=NONE
Key 'key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write ProductType with type (null), length 8: LanmanNT
Key 'key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Terminal Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
About to write RefusePasswordChange with type dword, length 8:
Key 'key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
Key 'key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE' not found
key added: key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
partition_metadata: Migrating partition metadata
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
talloc: access after free error - first free may be at @<�3
Bad talloc magic value - access after free
Aborted

Is there something special to be done prior to the domain join command?

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] RODC between samba v4 servers
I've dug a little bit more on the RODC set up.
I've tried using BIND with DLZ and without as well as the internal DNS server.
In both cases, I get an error when the RODC tries to register itself to gc._msdcs.test.com.

Under DLZ, it fails for a non-secure transaction:

Jul 26 15:11:39 dc named[3341]: samba_dlz: disallowing update of signer=RODC\$\@TEST.COM name=gc._msdcs.test.com type=A error=insufficient access rights

When using the internal DNS server, it fails with the following output:

[2013/07/26 18:39:56, 0] ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574(netr_dnsupdate_RODC_callback)
  ../source4/rpc_server/netlogon/dcerpc_netlogon.c:2574: IRPC callback failed NT_STATUS_IO_TIMEOUT

Also forced on the clients to use the Try Next Closest Site, but it gives an error.

What is the behavior of an RODC?
It should have a copy of the AD without the passwords, and also it has a copy of the DNS records?
Does it act like a proxy between one subnet and the main DC?
Should a new DNS entry be added to advertise the RODC as an available KDC/AD?

Thanks

On Thu, Jul 25, 2013 at 4:33 PM, Andreas Calvo wrote:
> I'm preparing a lab to test the scenario in which a remote office uses a
> RODC to cache all users/computers/GPOs from a DC.
> I've set up an environment with all requirements (two subnets, one with a
> DC and the other with a RODC).
> I've joined the domain with a windows machine to the RODC subnet with both
> DCs being up.
>
> Using the windows tools (DSA), I've placed a user account and the machine
> account inside the Allowed password replication group.
>
> I've switched off the master DC, and tried to login with the cached user
> in the cached computer, but it failed.
>
> I've preloaded (samba-tool rodc preload) both the user account and the
> machine account in the RODC, without luck.
>
> I've a couple of questions:
> - Does samba 4.0.7 support caching passwords for users?
> - What is the preload command for? Caching of passwords?
>
> The following link
> (http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx)
> talks about setting up the Next Closest DC in the network in the DC
> settings to allow RODCs to be trusted, should this be performed as well?
> Or is it enough to set it up as a GPO?

--
Sincerely,
Andreas Calvo
[Samba] RODC between samba v4 servers
I'm preparing a lab to test the scenario in which a remote office uses a RODC to cache all users/computers/GPOs from a DC.
I've set up an environment with all requirements (two subnets, one with a DC and the other with a RODC).
I've joined the domain with a windows machine to the RODC subnet with both DCs being up.

Using the windows tools (DSA), I've placed a user account and the machine account inside the Allowed password replication group.

I've switched off the master DC, and tried to login with the cached user in the cached computer, but it failed.

I've preloaded (samba-tool rodc preload) both the user account and the machine account in the RODC, without luck.

I've a couple of questions:
- Does samba 4.0.7 support caching passwords for users?
- What is the preload command for? Caching of passwords?

The following link (http://technet.microsoft.com/en-us/library/dd736918%28v=ws.10%29.aspx) talks about setting up the Next Closest DC in the network in the DC settings to allow RODCs to be trusted, should this be performed as well?
Or is it enough to set it up as a GPO?
Re: [Samba] domain RODC fails with default provisioning
Sure.
However, notice that it was caused by an incorrect libdefaults entry in krb5.conf (wrote bdefaults] instead of [libdefaults]).
I've uploaded the log on pastebin: http://pastebin.com/sP8VNXQ5

On Thu, Jul 11, 2013 at 2:08 AM, Andrew Bartlett wrote:
> On Wed, 2013-07-10 at 17:27 +0200, Andreas Calvo wrote:
> > We're evaluating joining another samba domain controller in read-only mode.
> > With a default provisioning, when running the samba-tool domain RODC, it
> > fails with the following error:
> >
> > Is there something special to be done prior to the domain join command?
>
> Can you re-run this under valgrind? While krb5_init_context should not
> fail (I did see your reply), it also shouldn't cause a crash, and we can
> at least fix that much.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Sincerely,
Andreas Calvo
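A pre-join layout check for the krb5.conf mistake described in this message, as an added example that is not part of the original post and is not Samba code. The function name, both sample files, the hostname dc.test.com and the default_realm check are assumptions made for the illustration.

```python
import re

HEADER = re.compile(r"^\[([^\[\]]+)\]$")  # a well-formed "[section]" line

# Constructed sample reproducing the typo from the message ("bdefaults]").
BROKEN = """\
bdefaults]
    default_realm = TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

# Constructed sample with the header corrected; dc.test.com is a made-up host.
FIXED = """\
[libdefaults]
    default_realm = TEST.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    TEST.COM = {
        kdc = dc.test.com
    }
"""


def check_krb5_conf(text):
    """Return (line_number, message) findings; an empty list means the layout parsed cleanly.

    Line number 0 marks a finding about the file as a whole.
    """
    findings = []
    sections = {}    # section name -> top-level "key = value" relations
    current = None   # section being read; None until the first header
    depth = 0        # nesting depth of "{ ... }" blocks, as used under [realms]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith(("include ", "includedir ")):
            continue  # included files are not followed by this check
        match = HEADER.match(line)
        if match and depth == 0:
            current = match.group(1).strip()
            sections.setdefault(current, {})
        elif depth == 0 and "=" not in line and ("[" in line or "]" in line):
            # Bracket debris that is not a header, e.g. "bdefaults]".
            findings.append((lineno, "malformed section header: %r" % line))
            current = "<malformed>"
            sections.setdefault(current, {})
        elif line == "}":
            if depth == 0:
                findings.append((lineno, "'}' without a matching '{'"))
            else:
                depth -= 1
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if current is None:
                findings.append((lineno, "relation %r appears before any section header" % key))
            if value == "{":
                depth += 1
            elif depth == 0 and current is not None:
                sections[current][key] = value
        else:
            findings.append((lineno, "unparseable line: %r" % line))
    if depth:
        findings.append((0, "unclosed '{' block"))
    libdefaults = sections.get("libdefaults")
    if libdefaults is None:
        findings.append((0, "no [libdefaults] section found"))
    elif "default_realm" not in libdefaults:
        # Assumption of this example: the join host should name its realm here.
        findings.append((0, "[libdefaults] has no default_realm"))
    return findings


if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_krb5_conf(sample) or "ok")
```

Running it against the real file before `samba-tool domain join` catches the header typo as a readable finding instead of the `krb5_init_context failed (Invalid argument)` abort shown in the log.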
Re: [Samba] domain RODC fails with default provisioning
Nevermind, it was an incorrect krb5.conf on the RODC (hence the krb5 init fail).

On Wed, Jul 10, 2013 at 5:27 PM, Andreas Calvo wrote:
> We're evaluating joining another samba domain controller in read-only mode.
> With a default provisioning, when running the samba-tool domain RODC, it
> fails with the following error:
>
> Is there something special to be done prior to the domain join command?

--
Sincerely,
Andreas Calvo
Re: [Samba] Samba4 errors
A more detailed output:

[root@sauron ~]# netstat -tnp|grep 445|grep "192.168.0.222"|grep 55257
tcp       24      0 192.168.0.222:55257     192.168.0.222:445       ESTABLISHED 17417/samba
tcp        0      0 192.168.0.222:445       192.168.0.222:55257     ESTABLISHED 23713/smbd

Note that 192.168.0.222 is the IP address of the samba server.
This occurs when the backup agent starts running.
It seems that samba is connecting to itself, and the socket remains open.

On Tue, Jun 11, 2013 at 11:30 AM, Andreas Calvo wrote:
> We found out that samba is performing connections on the RPC port (TCP
> 445) against itself, and it scales until the memory is gone completely and
> crashes.
>
> Any hint?
>
> On Mon, Jun 10, 2013 at 3:08 PM, Andreas Calvo wrote:
>> Hello,
>> We've been using samba v4 for a while, but recently we faced two problems
>> for which we cannot determine the source - nor the solution:
>> - every day samba4 stops authenticating new users and sharing folders.
>> While previously logged users can access resources and services, users that
>> weren't logged can't log in. It happens either from kerberos or directly
>> from LDAP.
>> - We are forwarding all DNS requests to the internal DNS server in samba.
>> When samba is restarted, our main DNS server must be restarted too as it
>> cannot forward new queries to the samba server - however, both reply to
>> requests if queried individually.
>>
>> We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it
>> wasn't working either.
>>
>> Logs don't show anything that we can identify as an
>> error/misconfiguration - and samba main log file remains with extension %m,
>> it does not get expanded; while clients' log files end with the IP/hostname
>> of the machine.
>>
>> What steps can we perform to identify the root of the problem?
>> Is there a particular string in the log files that can help?
>>
>> PS: if necessary, we can upload a log file sample and the samba
>> configuration.
>>
>> Thanks in advance.
>
> --
> Sincerely,
> Andreas Calvo

--
Sincerely,
Andreas Calvo
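The netstat check from this message turned into a counter that can be run repeatedly to watch the self-connections grow, as an added example that is not part of the original post. The function names are hypothetical, and the sample is constructed: its first two rows mirror the pair quoted above and the remaining rows are invented.

```python
from collections import Counter

# Constructed sample in `netstat -tnp` layout.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp       24      0 192.168.0.222:55257     192.168.0.222:445       ESTABLISHED 17417/samba
tcp        0      0 192.168.0.222:445       192.168.0.222:55257     ESTABLISHED 23713/smbd
tcp       24      0 192.168.0.222:55301     192.168.0.222:445       ESTABLISHED 17417/samba
tcp        0      0 192.168.0.222:445       192.168.0.222:55301     ESTABLISHED 23714/smbd
tcp        0      0 192.168.0.222:445       192.168.0.57:49211      ESTABLISHED 23650/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      23600/smbd
tcp        0      0 192.168.0.222:22        192.168.0.10:51514      ESTABLISHED 1201/sshd
"""


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6-style hosts also work."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)  # raises ValueError for '*' (listening sockets)


def self_connections(netstat_text, service_port=445):
    """Return the client side of every established connection a host makes to itself.

    A row qualifies when the local and foreign address are the same host and
    the foreign port is service_port; the server-side row of the same socket
    pair is skipped so each connection is counted once.
    """
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines and non-TCP sockets
        _, recv_q, _, local, foreign, state = fields[:6]
        owner = fields[6] if len(fields) > 6 else "-"  # "-" when run unprivileged
        try:
            lhost, lport = split_endpoint(local)
            fhost, fport = split_endpoint(foreign)
            recv_q = int(recv_q)
        except ValueError:
            continue
        if state == "ESTABLISHED" and lhost == fhost and fport == service_port:
            rows.append({"local_port": lport, "recv_q": recv_q, "owner": owner})
    return rows


def summarize(rows):
    """Per owning process: number of self-connections and unread bytes (Recv-Q)."""
    summary = {}
    counts = Counter(row["owner"] for row in rows)
    for row in rows:
        entry = summary.setdefault(row["owner"], {"connections": 0, "recv_q_bytes": 0})
        entry["recv_q_bytes"] += row["recv_q"]
    for owner, count in counts.items():
        summary[owner]["connections"] = count
    return summary


if __name__ == "__main__":
    for owner, stats in summarize(self_connections(SAMPLE)).items():
        print(owner, stats)
```

A connection count that keeps rising between runs, with a non-zero Recv-Q on the client side, matches the pattern described in the message: sockets opened by the samba process to its own port 445 that are never drained or closed.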
Re: [Samba] Samba4 errors
We found out that samba is performing connections on the RPC port (TCP 445) against itself, and it scales until the memory is gone completely and crashes.

Any hint?

On Mon, Jun 10, 2013 at 3:08 PM, Andreas Calvo wrote:
> Hello,
> We've been using samba v4 for a while, but recently we faced two problems
> for which we cannot determine the source - nor the solution:
> - every day samba4 stops authenticating new users and sharing folders.
> While previously logged users can access resources and services, users that
> weren't logged can't log in. It happens either from kerberos or directly
> from LDAP.
> - We are forwarding all DNS requests to the internal DNS server in samba.
> When samba is restarted, our main DNS server must be restarted too as it
> cannot forward new queries to the samba server - however, both reply to
> requests if queried individually.
>
> We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it
> wasn't working either.
>
> Logs don't show anything that we can identify as an error/misconfiguration
> - and samba main log file remains with extension %m, it does not get
> expanded; while clients' log files end with the IP/hostname of the machine.
>
> What steps can we perform to identify the root of the problem?
> Is there a particular string in the log files that can help?
>
> PS: if necessary, we can upload a log file sample and the samba
> configuration.
>
> Thanks in advance.

--
Sincerely,
Andreas Calvo
[Samba] Samba4 errors
Hello,
We've been using samba v4 for a while, but recently we faced two problems for which we cannot determine the source - nor the solution:
- every day samba4 stops authenticating new users and sharing folders. While previously logged users can access resources and services, users that weren't logged can't log in. It happens either from kerberos or directly from LDAP.
- We are forwarding all DNS requests to the internal DNS server in samba. When samba is restarted, our main DNS server must be restarted too as it cannot forward new queries to the samba server - however, both reply to requests if queried individually.

We have tried to update from 4.0.5 to 4.0.6, and to downgrade it as it wasn't working either.

Logs don't show anything that we can identify as an error/misconfiguration - and samba main log file remains with extension %m, it does not get expanded; while clients' log files end with the IP/hostname of the machine.

What steps can we perform to identify the root of the problem?
Is there a particular string in the log files that can help?

PS: if necessary, we can upload a log file sample and the samba configuration.

Thanks in advance.
Re: [Samba] Samba4 migration
Follow the classic upgrade howto:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

On Tue, Apr 2, 2013 at 10:28 AM, alxgrb wrote:
> I have a question ...
>
> How can I migrate existing LDAP users (or schemas) on Ubuntu 10.04.2 to the
> new Samba4 (Ubuntu 12.04.2) server?
>
> Does anyone have an idea?
> Thanks for support
>
> Alex

--
Sincerely,
Andreas Calvo
Re: [Samba] samba 4 classicupgrade w7 clients errors
We faced the following error while testing a Kerberos login on a linux machine joined in the domain by likewise-open:

root@test:/etc# kinit test
Password for test@MYDOMAIN.LOCAL :
Warning: Your password will expire in less than one hour on Thu Jan 1 01:00:00 1970

What do these actually mean:
Minimum password age (days): 0
Maximum password age (days): 0

I've dumped all users from the builtin LDAP in Samba v4, and none of them had any reference to the password expiration date - they did have a value for the last time they changed the password though.

It seems that it is really important to set a password expiration date after a classic upgrade, isn't it?

On Tue, Apr 30, 2013 at 10:00 AM, Andreas Calvo wrote:
> These are the current settings for the password expiration policy in the
> domain:
> Password complexity: on
> Store plaintext passwords: off
> Password history length: 0
> Minimum password length: 8
> Minimum password age (days): 0
> Maximum password age (days): 0
>
> Is it necessary to set a value?
> A lot of users are seeing the pop-up "windows needs your credentials. Log
> off and on again".
>
> On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett wrote:
>> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
>> > I've changed some of my test users' passwords, just to renew the password
>> > expiration date.
>> > I may check if they are still expired or if I have to set a new
>> > expiration policy.
>> > Is it set as a GPO or using the samba-tools?
>>
>> Password expiry for the domain is applied using samba-tool:
>>
>> samba-tool domain passwordsettings
>>
>> As Samba can't read GPO files (but can serve them to clients), we don't
>> follow anything from the GPO. The only exception is that if a windows
>> DC shares the domain, and it has the GPO files, it will 'fix' the
>> directory to match the GPO.
>>
>> Andrew Bartlett
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>
> --
> Sincerely,
> Andreas Calvo

--
Sincerely,
Andreas Calvo
Re: [Samba] samba 4 classicupgrade w7 clients errors
These are the current settings for the password expiration policy in the domain:
Password complexity: on
Store plaintext passwords: off
Password history length: 0
Minimum password length: 8
Minimum password age (days): 0
Maximum password age (days): 0

Is it necessary to set a value?
A lot of users are seeing the pop-up "windows needs your credentials. Log off and on again".

On Mon, Apr 29, 2013 at 3:11 AM, Andrew Bartlett wrote:
> On Sun, 2013-04-28 at 14:31 +0200, Andreas Calvo wrote:
> > I've changed some of my test users' passwords, just to renew the password
> > expiration date.
> > I may check if they are still expired or if I have to set a new
> > expiration policy.
> > Is it set as a GPO or using the samba-tools?
>
> Password expiry for the domain is applied using samba-tool:
>
> samba-tool domain passwordsettings
>
> As Samba can't read GPO files (but can serve them to clients), we don't
> follow anything from the GPO. The only exception is that if a windows
> DC shares the domain, and it has the GPO files, it will 'fix' the
> directory to match the GPO.
>
> Andrew Bartlett
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Sincerely,
Andreas Calvo
Re: [Samba] samba 4 classicupgrade w7 clients errors
I've changed some of my test users' passwords, just to renew the password expiration date.
I may check if they are still expired or if I have to set a new expiration policy.
Is it set as a GPO or using the samba-tools?

On Sun, Apr 28, 2013 at 8:46 AM, Andrew Bartlett wrote:
> On Sat, 2013-04-27 at 14:31 +0200, Andreas Calvo wrote:
> > I had a test environment with a few hundreds of users using Windows 7
> > under a samba 3 domain.
> > They had the registry tweaks required to join a samba 3 domain.
> > I followed the classicupgrade migration to samba 4 and everything seemed
> > to be ok.
> >
> > In my scenario I have a DNS server different from the samba server, and
> > the DNS server forwards all queries to my samba domain to the samba server.
> > The samba server is also acting as an NTP server, and the option
> > ntp-servers on DHCP is specified.
> >
> > Some users see a pop-up requesting to log off and log in again - with a
> > "windows need your credentials" message.
> > Moreover, they seem to not have any kerberos ticket - running a klist
> > shows no active tickets; and they do not have the time synchronized and
> > sometimes they see a message regarding the time mismatch.
> > We tried to set up an NTP time using GPOs without luck.
> >
> > Looking at the samba logs doesn't give a clue - just some errors which
> > may be normal.
> >
> > Any hint to look at or any configuration/misconfiguration?
>
> Have the passwords expired (incorrectly)? I just saw the same message
> with my test domain (not upgraded), and it then asked me to change the
> password which had expired.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org

--
Sincerely,
Andreas Calvo
[Samba] samba 4 classicupgrade w7 clients errors
I had a test environment with a few hundreds of users using Windows 7 under a samba 3 domain.
They had the registry tweaks required to join a samba 3 domain.
I followed the classicupgrade migration to samba 4 and everything seemed to be ok.

In my scenario I have a DNS server different from the samba server, and the DNS server forwards all queries to my samba domain to the samba server.
The samba server is also acting as an NTP server, and the option ntp-servers on DHCP is specified.

Some users see a pop-up requesting to log off and log in again - with a "windows need your credentials" message.
Moreover, they seem to not have any kerberos ticket - running a klist shows no active tickets; and they do not have the time synchronized and sometimes they see a message regarding the time mismatch.
We tried to set up an NTP time using GPOs without luck.

Looking at the samba logs doesn't give a clue - just some errors which may be normal.

Any hint to look at or any configuration/misconfiguration?

Thanks!
[Samba] Problems with the option "force user"
Hi.
I've set up a samba share which was working fine. But now I need to force it to be a specific user, so I've modified the configuration to use that option. And now it complains that the directory does not exist.

Here's the config:

    [advantage]
    comment = advantage
    path = /home/fileserver/advantage
    public = yes
    writable = yes
    create mask = 0770
    directory mask = 0770
    force user = advantage
    guest ok = yes
    case sensitive = no

Is there any problem with that?

Thanks

--
Andreas Calvo Gómez <[EMAIL PROTECTED]>
Dept. Informàtica ESCI
Pg. Pujades, 1
08003 Barcelona
tel. (34) 932954710 ext.233
fax. (34) 932954720
http://www.esci.es
[Samba] Re: samba + ldap query filter
Felipe Augusto van de Wiel wrote:
> On 09/03/2006 11:13 AM, Andreas Calvo wrote:
>>> Hi!
>>> I've been using samba as PDC with an LDAP backend, and everything seems to work fine but, whenever a user has to auth to samba, it seems that the query that it performs is against the mail attribute, instead of the uid as I desired.
>>> Is there any way to manually specify the query filter to use against the LDAP tree?
>
> I remember that there is an 'ldap filter' parameter.
>
> I couldn't find it on the smb.conf manpage (I'm cc:ing John Terpstra), but in the [1]docs I could find a reference.
>
> 1. http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2559680

it seems that is not used in new versions of samba :(

> I hope this helps.
>
>>> Thanks!
>
> You are welcome, kind regards!
>
> --
> Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
> Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
> http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
[Samba] samba + ldap query filter
Hi!
I've been using samba as PDC with an LDAP backend, and everything seems to work fine but, whenever a user has to auth to samba, it seems that the query that it performs is against the mail attribute, instead of the uid as I desired.
Is there any way to manually specify the query filter to use against the LDAP tree?

Thanks!