[Samba] sysvolreset failing on glusterfs
Hi,

I'm trying to set up a domain with two DCs based on 4.0.3. Following some hint, I wanna use glusterfs for the sysvol. Glusterfs runs nicely. I can set ACLs on both machines using setfacl and the other one lists them almost immediately with getfacl. But running "samba-tool ntacl sysvolreset" is failing badly, giving the following error. In a later attempt, without significant changes I remember, the script more or less seemed to work and indeed created ACEs, but still came up with this error after some minutes.

    root@dc1:~# samba-tool ntacl sysvolreset
    set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_NOT_SUPPORTED.
    ERROR(runtime): uncaught exception - (-1073741637, 'NT_STATUS_NOT_SUPPORTED')
      File "/opt/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
        return self.run(*args, **kwargs)
      File "/opt/samba/lib/python2.6/site-packages/samba/netcmd/ntacl.py", line 214, in run
        lp, use_ntvfs=use_ntvfs)
      File "/opt/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1563, in setsysvolacl
        setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
      File "/opt/samba/lib/python2.6/site-packages/samba/ntacls.py", line 154, in setntacl
        smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

Running mount is showing the target fs without ACLs, although they do work, as said before, and although I do have mounted the fs using -o acl,rw. The underlying ext3 fs is of course running with ACLs enabled, too.

This is what mount looks like for the involved fs's:

    fusectl on /sys/fs/fuse/connections type fusectl (rw)
    /dev/xvda3 on /var/glusterfs/brick1 type ext3 (rw,acl,user_xattr)
    localhost:/dc-vol on /export/dc-vol type fuse.glusterfs (rw,allow_other,max_read=131072)

Andreas
--
Andreas Gaiser, Berlin, Germany
--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
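Added example, not part of the original post and not Samba code: setfacl/getfacl working shows only that POSIX ACLs pass through the mount, so this Python probe also checks, on a scratch file, whether the mount accepts user.* and security.* extended attributes. It assumes the NT ACL is kept in the security.* namespace (Samba's acl_xattr module uses security.NTACL); the attribute names ending in probe_test and the function names are made up for the example.

```python
import errno
import os
import tempfile

# "security.probe_test" is a throwaway name standing in for the security.*
# namespace (assumption of this example); it is not an attribute Samba uses.
CHECKS = {
    "user xattr": ("set", "user.probe_test"),
    "security xattr": ("set", "security.probe_test"),
    "POSIX ACL": ("get", "system.posix_acl_access"),
}

def classify(exc):
    """Map the outcome of one xattr call to a short verdict."""
    if exc is None or exc.errno == errno.ENODATA:
        return "supported"  # ENODATA: namespace works, nothing stored yet
    if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
        return "not supported"
    if exc.errno in (errno.EPERM, errno.EACCES):
        return "permission denied (rerun as root)"
    return "error: " + errno.errorcode.get(exc.errno, str(exc.errno))

def probe(directory):
    """Try each xattr operation on a scratch file created inside directory."""
    results = {}
    fd, path = tempfile.mkstemp(dir=directory)
    os.close(fd)
    try:
        for label, (op, name) in CHECKS.items():
            try:
                if op == "set":
                    os.setxattr(path, name, b"1")
                else:
                    os.getxattr(path, name)
                results[label] = classify(None)
            except OSError as exc:
                results[label] = classify(exc)
    finally:
        os.unlink(path)  # the scratch file never outlives the probe
    return results

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for label, verdict in probe(target).items():
        print(f"{label:15} {verdict}")
```

Run it once against the brick directory and once against the FUSE mount point, as root, and compare the two sets of verdicts.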
[Samba] meta question about the list
Hi fellow list users and admins,

I hope it's not absolutely off topic, sorry if so. Would there perhaps be a way to improve the usability of the list a bit? Let me explain what I mean. I'm using Thunderbird and it's a whole bunch of little things to watch out for not to produce a suboptimal posting:

- don't forget to push SHIFT when clicking on write/reply to make sure it's not edited and sent as HTML but as ASCII (I vaguely remember TB has help for this using an address book entry, will research that part).
- select the correct identity in order not to get a soft bounce (maybe it's a bad decision to register with a separate address, the reason was to avoid my normal signature, because it's a bit too long for a list and renders awkwardly because originally it's an HTML table)
- change the recipient to the list address in order not to write a PM accidentally

So there's a significant potential to mess something up here, if you're just stumbling in right away. To reduce this a bit, would it perhaps be possible to set a "Reply-To:" header by the list processor to at least ensure the right destination's set for answers? Any hints for helpful/specialized TB addons are also very appreciated. Other than this, is HTML mail actually ok here?

Thanks, and Regards,
Andreas
--
Andreas Gaiser, Berlin, Germany
Re: [Samba] posixAccount objectClass
Yeah, that's the thread I'd found as well. It seems, though, the patch has not gone into 4.0.3, nor into 3.5/3.6 yet, as I can derive from what happens here (have not looked at code).

Apart from this, even with the objectClasses set, I'm only getting the DC's winbind itself to resolve UIDs correctly. No luck with idmap_ad(ex) on 3.4/3.5/3.6 members yet, but I think I have the option to fall back to idmap_rid on them. According to wireshark, things look alright. OCs and attribs are requested by winbind and returned to it as well. No idea what's going on.

Andreas

*From:* Hansjoerg Maurer
*To:* Andreas Gaiser/L, Samba Mailing List
*Date:* Friday, 1 March 2013 10:39:17
*Subject:* AW: [Samba] posixAccount objectClass

> Samba 4, Winbind & RFC2307

--
Andreas Gaiser, Berlin, Germany
Re: [Samba] samba4 PDC to BDC file replication
> I'm voting for...

So do I, with the reservation that glusterfs requires an amd64 system, at least officially, whereas some people report (partial) success on i386 (don't know about non-Intel). But it will still be required to provide some sort of synchronous ID-mapping, which seems to be a much tougher task than just glusterfs. The only promising alternative I have found so far is the use of RFC2307 schema attributes, which is no fun to maintain manually and even then seems not to work out of the box with ADUC only. I've written a script (I'm admitting it's PHP) for this task and my plan is to test the entire setup this weekend.

*From:* L.P.H. van Belle
*To:* muel...@tropenklinik.de
*Date:* Friday, 1 March 2013 09:29:50
*Subject:* Re: [Samba] samba4 PDC to BDC file replication

> Daniel is going to make a nice example/howto how to do this. ;-))
> I've seen him talking a lot about this, but how to set this up...
> I like to know..
>
> ;-)
>
> Regards,
>
> Louis
>
>> -----Original Message-----
>> From: muel...@tropenklinik.de
>> [mailto:samba-boun...@lists.samba.org] On behalf of Daniel Müller
>> Sent: Friday, 1 March 2013 8:09
>> To: 'C Waddy'; 'Greg Sloop'
>> CC: samba@lists.samba.org
>> Subject: Re: [Samba] samba4 PDC to BDC file replication
>>
>> Use glusterfs.
>>
>> And samba4 in replication mode.
>>
>> Good Luck
>>
>> ---
>> IT Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: muel...@tropenklinik.de
>> Internet: www.tropenklinik.de
>> ---
>> -----Original Message-----
>> From: samba-boun...@lists.samba.org
>> [mailto:samba-boun...@lists.samba.org] On behalf of C Waddy
>> Sent: Friday, 1 March 2013 07:19
>> To: Greg Sloop
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] samba4 PDC to BDC file replication
>>
>> Hi Greg,
>>
>> Thanks for the info, it's a tough one. I was hoping the msdfs would replicate
>> data but it appears it doesn't appear to or am I missing something?
>>
>> I used a program in the past called File replication pro on Suse/novell and
>> it worked. I have emailed their support and asked if it will work in our
>> situation.
>>
>> I am going to give it a go in the Samba4 test environment over the weekend,
>> I'll let you know if it works.
>>
>> On Fri, Mar 1, 2013 at 3:13 PM, Gregory Sloop wrote:
>>
>>> CW> I have built two samba4 boxes, one as a PDC and the other as a DC, all working
>>> CW> perfectly. If I create a user through the mmc snapin then turn off the PDC,
>>> CW> I can still login to the domain using the DC which is great. The problem is
>>> CW> their files and ntfs permissions on BDC.
>>>
>>> CW> I have assigned user and group rights using windows explorer to
>>> CW> certain folders, i.e. granted user1 full permissions to that folder
>>>
>>> CW> The problem I have is trying to replicate/sync the users' data/files from PDC
>>> CW> to DC whilst keeping the NTFS permissions that have been set. Rsync doesn't
>>> CW> seem to keep the ntfs permissions
>>>
>>> CW> The reason for this is if the PDC goes down, user logs on using the DC and
>>> CW> can access their files which have retained their files and permissions.
>>>
>>> CW> Is there some way to achieve this?
>>>
>>> I'm in the same boat, and I'm only aware of two possibilities.
>>>
>>> 1) Robocopy - using a Windows client.
>>>    BUT Robocopy doesn't do file deltas - changed files are copied in
>>>    their entirety. Which isn't a problem if you don't have large
>>>    files. But if you've got a 10G file that changes often, then this
>>>    probably isn't the best alternative.
>>>
>>> 2) http://www.bvckup.com/support/ [Bvckup]
>>>    This also appears to be a Windows utility, but does handle file
>>>    deltas. I have never used this tool and so can't vouch for it in any
>>>    way.
>>>
>>> If you find a functional solution, that preferably can be used on the
>>> two Linux/Samba boxes to do file-deltas and still maintain the
>>> permissions - that would be best.
>>>
>>> One other option that might work:
>>> Rsync the data, and use robocopy to simply duplicate the permissions
>>> structure. [I believe this is possible.]
>>>
>>> This last idea sounds bat$hit insane - but hey, it might actually work
>>> reasonably well. :)
>>>
>>> -Greg
[Samba] Samba wiki
I think there is a bug in the MediaWiki installation with pages containing a "&" in the title.

Example: https://wiki.samba.org/index.php/Samba_%26_Active_Directory

This link doesn't work despite appearing on many pages, like https://wiki.samba.org/index.php/Category:Category_Integration

Wherever it is linked, it looks like an existing page (blue link). Even when searching for the page title, I get an excerpt and the link.

Regards,
Andreas
--
Andreas Gaiser, Berlin, Germany
Re: [Samba] posixAccount objectClass
Hi Thomas, greetings to all readers,

> Is there something I miss or is this to be considered a bug?
>
> If this is the problem I am thinking of, I originally noticed it in
> 4.0.0. I believe Andrew provided a patch, however I don't need this in
> my production environment and only stumbled onto the issue while testing
> something else, so I don't know if what I'm referring to was fixed in
> later releases. I'll see if I can find the thread and bug shortly.
>

I remember a thread which was about winbind ignoring objects without posixAccount/posixGroup OCs. The conclusion was to change winbind to not ignore them. But, actually, shouldn't S4 in DC mode really add them? Or is ADUC the culprit here? I didn't check out yet how recent Samba 3.6 winbind behaves as a member here.

When I tried against 4.0.0 I ended up using Wireshark to analyse LDAP traffic and figured RFC2307 attrs weren't returned by the LDAP server although requested by winbind, whereas they WERE returned to Apache Directory Studio at the same time - logged in as administra...@sub.domain.tld; a permission issue I guess. Is this a known issue? I blamed it on poor provisioning (without RFC2307 in the beginning) that day. Will try this part again later this weekend.

At the moment, I'm working on a script that adds Unix Attributes automatically to all relevant users (i.e. all that winbind shows on a member. Btw. I would love to have a way to filter them, because most groups I won't ever need and they're gonna make things look complicated on the Unix side. Does anybody know anything about this?).

Andreas
--
Andreas Gaiser, Berlin, Germany
[Samba] posixAccount objectClass
Hi fellow list users,

I'm setting up a 4.0.3 DC and I am observing the following issue:

- nsswitch.conf contains winbind for passwd and group
- provisioned with use_rfc2307
- creating user with ADUC
- creating group
- adding Unix Attributes to user and group
- 1st part of issue: ADUC throws error message (translated from German XP: "The object properties of the object could not be changed. [4 more lines of misleading information about possible networking issues]")
- but nevertheless it adds a Unix userID which is displayed when opening the object properties/Unix Attributes tab again
- 2nd part of issue: winbind on the DC itself does not respect the uidNumber attribute, though it's visible with an LDAP client (Apache DS), checked with wbinfo -i and with getent passwd
- taking a closer look at the object, I find the objectClass (posixAccount) missing
- adding posixAccount as objectClass (I have to click through a warning and reject creating an ntSecurityDescriptor attribute) winbind suddenly used the uidNumber Attribute

Is there something I miss or is this to be considered a bug?

Regards,
Andreas
--
Andreas Gaiser, Berlin, Germany
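Added example, not part of the original post and not Samba code: a Python audit over an LDIF export for the condition described above, entries that carry uidNumber or gidNumber but lack the posixAccount or posixGroup objectClass. The sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the original post).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
objectClass: posixAccount
uidNumber: 10002

dn: CN=unixgrp,CN=Users,
 DC=example,DC=test
objectClass: group
gidNumber: 10000
"""

# Per object kind: the RFC2307 id attribute and the objectClass expected with it.
RFC2307 = {"user": ("uidnumber", "posixAccount"),
           "group": ("gidnumber", "posixGroup")}

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def missing_posix_class(entries):
    """Return (dn, missing objectClass) for entries with an RFC2307 id but no posix class."""
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        kind = "group" if "group" in classes else "user"
        id_attr, wanted = RFC2307[kind]
        if id_attr in e and wanted.lower() not in classes:
            findings.append((e["dn"][0], wanted))
    return findings

if __name__ == "__main__":
    for dn, cls in missing_posix_class(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: has an RFC2307 id but no objectClass {cls}")
```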
[Samba] make dist: errors, and www.oasis-open.org almost stale
Hi,

I am trying to create a tarball from a 4.0.3 git checkout using "make dist", but it throws errors (small sample below, detailed Copy&Paste on request), and apart from this, www.oasis-open.org seems stale on connects from xsltproc, as can be seen in the lsof sample, below as well.

Briefly and cheekily asked, is that normal? Are we all omitting docs in packaging at the moment? If so, what are reasonable build options to use these days? Don't know, maybe it's a dumb question... I could also imagine I have a version problem with certain build dependencies. Does that look familiar to anybody?

Thanks + a good day,
Andreas

** make dist output:

    ...
    make[1]: Entering directory `/usr/src/SAMBA4/samba/docs-xml'
    Converting Samba-specific tags for Samba3-HOWTO...
    http://www.oasis-open.org/docbook/xml/4.2/dbcentx.mod:1: parser error : Content error in the external subset
    HTTP/1.1 200 OK
    ^
    http://www.oasis-open.org/docbook/xml/4.2/dbcentx.mod:1: validity error : All markup of the conditional section is not in the same entity
    HTTP/1.1 200 OK
    ...

** lsof | grep [pid-of-xsltproc] output:

    ...
    xsltproc 1538 root 3r REG 202,2 15165 557136 /usr/src/SAMBA4/samba/docs-xml/Samba3-HOWTO/TOSHARG-StandAloneServer.xml
    xsltproc 1538 root 4r REG 202,2 1629 557230 /usr/src/SAMBA4/samba/docs-xml/build/DTD/samba-doc
    xsltproc 1538 root 5u IPv4 14062 0t0 TCP host1.fakedomain.mad:56877->www.oasis-open.org:www (CLOSE_WAIT)
    xsltproc 1538 root 6u IPv4 14070 0t0 TCP host1.fakedomain.mad:56879->www.oasis-open.org:www (CLOSE_WAIT)
    xsltproc 1538 root 7w FIFO 0,8 0t0 6968 pipe
    xsltproc 1538 root 8u IPv4 14224 0t0 TCP host1.fakedomain.mad:56901->www.oasis-open.org:www (ESTABLISHED)
    ...

--
Andreas Gaiser, Berlin, Germany