[Samba] Sharing AD domain info with 2 SBS2003 servers

2007-07-20 Thread Bill Ries-Knight

When I took over as the IT guy in September, there were 2 separate
locations with different domains, each managed by an SBS 2003 machine.
The connection between them was an OpenVPN tunnel.  The network was
fine and one could see 2 domains in the network.

Local and Local2 are working names.  From a workstation on Local one
could see Local2 in the Microsoft Windows Network, and vice versa from
Local2 one could see Local.  Additionally, one could easily browse
through the remote network as long as the user permissions were
correct.  With the same user name and password for the two domains
there was no issue with authentication.

The configuration was this:
Local  == iptables firewall, FC4, with Samba, OpenVPN, Freshclam,
Apache and Sendmail
Local2 == iptables firewall, FC4, with Samba, OpenVPN, Freshclam

Then we had the firewall hacked on Local.  The server was compromised
and a NEW drive was put in place and reinstalled with Etch (Debian
4.0).

The firewall was restored, different but similar function.  The
OpenVPN tunnel was restored with the same configuration.  All is fine
except for the lack of name based browsing.  The second domain no
longer shows.  From local, there is no Local2.  From Local2, there is
no Local.  From Local2 server one can find Local by name, but only
because of an entry in the hosts file.

Samba was running on the firewall, and is now, but I don't know how to
configure it to help with the domains.  SBS is, I believe, dumbed down
and cannot manage to read another SBS server's information.

After a couple more months passed the firewall on Local2 was hacked
and the drive replaced and reinstalled, also with Etch.

I do have the old drives intact (never throw things away) and accessible.

Any thoughts, suggestions, links to solutions and requests for
clarification are appreciated.

Regards,

Bill

--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Active directory not working across openvpn tunnel

2007-01-15 Thread Bill Ries-Knight

Resend, as the original did not post in the last 36 hours.

-- Forwarded message --
From: Bill Ries-Knight [EMAIL PROTECTED]
Date: Jan 14, 2007 12:00 AM
Subject: Active directory not working across openvpn tunnel
To: samba@lists.samba.org


Network is

192.168.1.x office -- HSP domain -- Small Business Server and Exchange host
    Linux server
        OpenVPN tunnel
    Linux server
192.168.19.x / 192.168.10.x  CRAGMART domain -- school -- Small Business Server

I had to replace the linux server on the office side.
We now have most services except Active Directory stuff, and can only
see the local domain from either side.  Browsing by IP across the
tunnel to the other domain in either direction brings up a logon
request, but the username is not accepted on the other side.  The
local domain is expected to provide credentials.

From HSP I try to log on to a CRAGMART workstation with a username
that is valid on both active server domains, as an entry on both
servers.  I get a return for HSP/username.  I cannot authenticate.

In the other direction I will get a logon request from CRAGMART to an
HSP workstation and it will return CRAGMART/username.  I cannot
authenticate.

Looking at syslog I get the following:

Jan 13 23:31:51 router kernel: REJECT INPUT IN=eth0 OUT= MAC=
SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 13 23:31:51 router winbindd[21809]: [2007/01/13 23:31:51, 0]
libsmb/namequery.c:getlmhostsent(681)
Jan 13 23:31:51 router winbindd[21809]:   getlmhostsent: Ill formed
hosts line [127.0.0.0]
Jan 13 23:31:53 router kernel: REJECT INPUT IN=eth0 OUT= MAC=
SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0
DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 13 23:31:55 router last message repeated 2 times
Jan 13 23:31:56 router kernel: REJECT INPUT IN=eth0 OUT= MAC=
SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=211 TOS=0x00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=191



System specifics.

OFFICE  Debian Etch  192.168.1.1  mail:/# smbd -V  :: Version 3.0.23d

mail:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost mail
192.168.1.1   ntserver.mail...org
XX.XX.21.78   mail..org
192.168.1.3 server
192.168.19.3 cserver
192.168.1.1 router.hsp.local router ntserver ntserver.hsp.local mail



# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


SCHOOL  Fedora Core 4  192.168.19.1  [EMAIL PROTECTED] ~]# smbd -V ::
Version 3.0.14a-2


[EMAIL PROTECTED] ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1   ntserver.cragmart.local localhost.localdomain localhost filter.cragmart.local filter
192.168.1.9 jukebox



--
--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.


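The REJECT lines quoted above are netfilter LOG output for UDP 137 and 138 (NetBIOS name service and datagram service) sent from the router's own public address (XX.XX.21.78, the address in its /etc/hosts) to the eth0 broadcast address. Broadcast NetBIOS has no business on the Internet-facing interface, so those rejects are noise; the rejects worth hunting for are any on the tunnel interface, since that is the path cross-site name resolution and browsing have to take. The parser below is an added example, not code from Bill's posts or from the Samba project: it tallies rejected SMB/NetBIOS packets per interface and pulls out the tunnel-side ones. The sample log is constructed from the quoted lines plus one made-up line; the interface name tun0, the "REJECT FORWARD" log prefix and the addresses in that last line are assumptions.

```python
import re
from collections import Counter

# Constructed sample log. The first four lines are the ones quoted in the post
# (public address prefix masked exactly as the poster masked it, winbindd line
# shortened); the last line is made up to show a drop on the VPN side. The
# interface name tun0, the "REJECT FORWARD" log prefix and the 192.168.x
# addresses in that last line are assumptions.
SAMPLE_LOG = """\
Jan 13 23:31:51 router kernel: REJECT INPUT IN=eth0 OUT= MAC= SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 13 23:31:51 router winbindd[21809]: getlmhostsent: Ill formed hosts line [127.0.0.0]
Jan 13 23:31:53 router kernel: REJECT INPUT IN=eth0 OUT= MAC= SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 13 23:31:56 router kernel: REJECT INPUT IN=eth0 OUT= MAC= SRC=XX.XX.21.78 DST=XX.XX.21.255 LEN=211 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=191
Jan 13 23:40:02 router kernel: REJECT FORWARD IN=tun0 OUT=eth1 MAC= SRC=192.168.19.3 DST=192.168.1.3 LEN=78 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# Ports Windows networking needs to get across the tunnel.
SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}

KEY_VALUE_RE = re.compile(r"(\w+)=(\S*)")


def parse_netfilter_line(line):
    """Parse one netfilter LOG-target syslog line into a dict, or return None.

    The text between "kernel:" and the first "IN=" is the administrator's
    --log-prefix ("REJECT INPUT" here). LEN appears twice, once for the IP
    total length and once for the UDP/TCP payload, so both are kept.
    """
    _, sep, body = line.partition("kernel: ")
    if not sep or "PROTO=" not in body:
        return None
    prefix, sep, rest = body.partition("IN=")
    if not sep:
        return None
    fields = {"prefix": prefix.strip()}
    lengths = []
    for key, value in KEY_VALUE_RE.findall("IN=" + rest):
        if key == "LEN":
            lengths.append(int(value))
        elif key not in fields:
            fields[key] = value
    fields["ip_len"] = lengths[0] if lengths else None
    fields["payload_len"] = lengths[1] if len(lengths) > 1 else None
    return fields


def classify_smb(fields):
    """Return (service, 'broadcast'|'unicast') for SMB/NetBIOS packets, else None."""
    if fields.get("PROTO") not in ("UDP", "TCP"):
        return None
    service = SMB_PORTS.get(int(fields.get("DPT", 0)))
    if service is None:
        return None
    # Name-service and datagram broadcasts go to the subnet broadcast address;
    # a .255 suffix is good enough for the /24 networks in this thread.
    kind = "broadcast" if fields.get("DST", "").endswith(".255") else "unicast"
    return service, kind


def netbios_drop_report(log_text, tunnel_ifaces=("tun0",)):
    """Count rejected SMB/NetBIOS packets per interface and list tunnel-side ones.

    Broadcasts rejected on the Internet-facing interface are expected and
    harmless; rejects on the VPN interface are what breaks cross-site name
    resolution and browsing, so those are returned separately.
    """
    counts = Counter()
    tunnel_hits = []
    for line in log_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields is None:
            continue
        cls = classify_smb(fields)
        if cls is None:
            continue
        service, kind = cls
        iface = fields.get("IN") or fields.get("OUT") or "?"
        counts[(iface, service, kind)] += 1
        if iface in tunnel_ifaces:
            tunnel_hits.append((fields["prefix"], iface, fields["SRC"], fields["DST"], service))
    return counts, tunnel_hits


if __name__ == "__main__":
    counts, hits = netbios_drop_report(SAMPLE_LOG)
    for (iface, service, kind), n in sorted(counts.items()):
        print(f"{iface:6} {service:13} {kind:9} {n}")
    for hit in hits:
        print("tunnel-side reject:", hit)
```

Run against the real syslog with the actual tunnel interface name; an empty tunnel-side list means the firewall is not what is blocking WINS or browsing traffic and the problem is in name resolution (WINS server settings, lmhosts) rather than in iptables.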


[Samba] samba fails to start.

2007-01-04 Thread Bill Ries-Knight

After a hiccup or two with Samba not wanting to restart, I opted to
look for a pid/lock file and found none.
I tried to correct this by restarting the server and had no success with
Samba restarting.
There are no errors in smbd.log.

I did apt-get upgrade.  No help.
I did apt-get remove samba; samba and swat went away.
I did note that the pid was not found during install when Samba
was to be killed.

I did: apt-get install samba smbclient swat winbind krb5-doc krb5-user \
    krb5-config
following a suggested installation pattern for Debian at
http://www.debian-administration.org/articles/340

(The log of the install is at the bottom for reference.)

Samba failed to start and this is the smbd.log result:

[2007/01/04 13:45:27, 0] auth/auth_util.c:create_builtin_administrators(785)
 create_builtin_administrators: Failed to create Administrators
[2007/01/04 13:45:27, 0] auth/auth_util.c:create_builtin_users(751)
 create_builtin_users: Failed to create Users
[2007/01/04 13:45:27, 0] passdb/pdb_interface.c:guest_user_info(295)
 guest_user_info: Unable to locate guest account [local_user]!
[2007/01/04 13:45:27, 0] smbd/server.c:main(960)
 ERROR: failed to setup guest info.


Any help is appreciated.

Bill

mail:/# apt-get install samba smbclient swat winbind krb5-doc krb5-user \
    krb5-config
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
 libkadm55
The following packages will be REMOVED:
 smbget
The following NEW packages will be installed:
 krb5-config krb5-doc krb5-user libkadm55 samba smbclient swat winbind
0 upgraded, 8 newly installed, 1 to remove and 1 not upgraded.
Need to get 7852kB/11.9MB of archives.
After unpacking 28.1MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://ftp.debian.org etch/main krb5-config 1.12 [13.8kB]
Get:2 http://ftp.debian.org etch/main krb5-doc 1.4.4-5 [1805kB]
Get:3 http://ftp.debian.org etch/main libkadm55 1.4.4-5 [173kB]
Get:4 http://ftp.debian.org etch/main krb5-user 1.4.4-5 [123kB]
Get:5 http://ftp.debian.org etch/main smbclient 3.0.23d-2+b1 [3875kB]
Get:6 http://ftp.debian.org etch/main winbind 3.0.23d-2+b1 [1862kB]
Fetched 7852kB in 1m17s (102kB/s)
Preconfiguring packages ...
(Reading database ... 82937 files and directories currently installed.)
Removing smbget ...
Selecting previously deselected package krb5-config.
(Reading database ... 82928 files and directories currently installed.)
Unpacking krb5-config (from .../krb5-config_1.12_all.deb) ...
Selecting previously deselected package krb5-doc.
Unpacking krb5-doc (from .../krb5-doc_1.4.4-5_all.deb) ...
Selecting previously deselected package libkadm55.
Unpacking libkadm55 (from .../libkadm55_1.4.4-5_i386.deb) ...
Selecting previously deselected package krb5-user.
Unpacking krb5-user (from .../krb5-user_1.4.4-5_i386.deb) ...
Selecting previously deselected package samba.
Unpacking samba (from .../samba_3.0.23d-2+b1_i386.deb) ...
Selecting previously deselected package smbclient.
Unpacking smbclient (from .../smbclient_3.0.23d-2+b1_i386.deb) ...
Selecting previously deselected package swat.
Unpacking swat (from .../swat_3.0.23d-2+b1_i386.deb) ...
Selecting previously deselected package winbind.
Unpacking winbind (from .../winbind_3.0.23d-2+b1_i386.deb) ...
Setting up krb5-config (1.12) ...

Setting up krb5-doc (1.4.4-5) ...

Setting up libkadm55 (1.4.4-5) ...

Setting up krb5-user (1.4.4-5) ...
Setting up samba (3.0.23d-2+b1) ...
Starting Samba daemons: nmbd smbd.

Setting up smbclient (3.0.23d-2+b1) ...
Setting up swat (3.0.23d-2+b1) ...

Setting up winbind (3.0.23d-2+b1) ...
Starting the Winbind daemon: winbind.

mail:/# ps aux | grep s*
mail:/# ps aux | grep smb
root  4295  0.0  0.0   2852   704 pts/0R+   13:33   0:00 grep smb
mail:/# ps aux | grep smbd
root  4297  0.0  0.0   2848   700 pts/0R+   13:34   0:00 grep smbd
mail:/# ps aux | grep swat


--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.


[Samba] samba needed to network across openvpn tunnel

2007-01-04 Thread Bill Ries-Knight

I have been assured in other places that I need to have Samba and WINS
in place to use Windows networking across an OpenVPN tunnel.

back history:
There was a network in place when I was hired to replace the former IT
guy. All ran very smoothly with only one networking issue. There were
fights between the Windows server and the Linux box:
The master browser has received a server announcement from the
computer MAIL that believes that it is the master browser for the
domain on transport NetBT_Tcpip_{7678958F-827A-4381-B5B6. The master
browser is stopping or an election is being forced.


There were two locations (office and school) with Windows boxes on 3
subnets talking across an OpenVPN tunnel built on two FC4 servers.
There is a Microsoft Small Business Server 2003 installed at each end
to handle the users as separate domains, HSP and CRAGMART.  All mail
is handled by the office SBS (HSP).

The system worked great until I had a server cracked at the office
end.  The school end was not touched.  The damage was limited to the
one server (whew!).

The server has been rebuilt with Debian Etch and I have the tunnel
working great.  The old filesystem is intact and configuration files
are available.

Office subnet  192.168.1.x
School subnets 192.168.19.x
               192.168.10.x

I can communicate over tcp/ip fine from the office to the school and vice versa.

from 192.168.1.x I can get to the SBS server at \\192.168.19.3 but not
by \\cserver
from 192.168.19.x I cannot get to the SBS server at \\192.168.1.3 or
by \\server.

There is no Windows browsing across the OpenVPN tunnel; everything is
normal within the separate domains.

I have tried resolving this on irc.feenode.net #samba

here is the smb.conf for the server before it was cracked:  It did not
work on this install.

# Samba config file created using SWAT
# from 192.168.1.112 (192.168.1.112)
# Date: 2006/04/18 11:10:34

[global]
   workgroup = HSP
   realm = SERVER.HSP.LOCAL
   netbios aliases = ntserver
   server string = Samba Server
   security = ADS
   log file = /var/log/samba/%m.log
   max log size = 50
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   printcap name = /etc/printcap
   dns proxy = No
   wins support = Yes
   ldap ssl = no
   cups options = raw

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = Yes
   browseable = No

[c$]
   path = /
   admin users = ntemple, mc, root
   read list = ntemple, mc, root
   write list = ntemple, mc, root

[music]
   path = /home/jukebox/www/html/songs
   guest ok = Yes

[install]
   path = /usr/local/share/unattended/install
   admin users = ntemple, mc
   write list = ntemple, mc
*

here is a recent variation that was configured with swat it did not work
***

# Samba config file created using SWAT
# from 192.168.1.100 (192.168.1.100)
# Date: 2007/01/04 12:12:14

[global]
   workgroup = HSP
   realm = SERVER.HSP.LOCAL
   netbios aliases = ntserver
   server string = Samba Server
   security = DOMAIN
   password server =
   guest account = local_user
   log file = /var/log/samba/%m.log
   max log size = 5
   name resolve order = wins lmhosts host bcast
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   printcap name = /etc/printcap
   dns proxy = No
   wins server = 192.168.1.3
   ldap ssl = no
   username = brk, mc, root, ntemple, bries-knight
   admin users = brk, mc, root, ntemple, bries-knight
   hosts allow = 192.168.10., 192.168.19., 127., 192.168.1.
   cups options = raw

[root]
   path = /
   username = root ntemple mc bries-knight
   admin users = mc, root, ntemple, bries-knight
   write list = mc, root, ntemple, bries-knight

[base]
   path = /
   username = root ntemple mc bries-knight
   admin users = mc, root, ntemple, bries-knight
   write list = mc, root, ntemple, bries-knight

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   printable = Yes
   browseable = No

[c$]
   path = /
   admin users = ntemple, mc, root
   read list = ntemple, mc, root
   write list = ntemple, mc, root

[music]
   path = /home/jukebox/www/html/songs
   guest ok = Yes

[install]
   path = /usr/local/share/unattended/install
   admin users = ntemple, mc
   write list = ntemple, mc
**


--
Bill Ries-Knight
Stockton, CA

Respect the process, Vote.
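Both smb.conf files in the post above export the whole filesystem under [c$] (the later one also under [root] and [base]) with an admin users list, and the later one additionally sets admin users in [global]. In Samba, admin users perform every file operation on that share as root, and a [global] setting is inherited by every share, so any one of those accounts' passwords gives root-level read and write over SMB to the entire disk. The audit below is an added example, not code from Bill's posts or from the Samba project: it parses a constructed copy of the second configuration with Python's configparser and lists shares exporting /, sections carrying admin users, shares with guest ok, and a missing hosts allow. The severity labels are the example's own.

```python
import configparser

# Constructed copy of the second smb.conf posted above (the SWAT-generated one
# dated 2007/01/04), cut down to the sections and parameters the checks read.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = HSP
   realm = SERVER.HSP.LOCAL
   security = DOMAIN
   password server =
   guest account = local_user
   log file = /var/log/samba/%m.log
   name resolve order = wins lmhosts host bcast
   wins server = 192.168.1.3
   admin users = brk, mc, root, ntemple, bries-knight
   hosts allow = 192.168.10., 192.168.19., 127., 192.168.1.

[root]
   path = /
   admin users = mc, root, ntemple, bries-knight
   write list = mc, root, ntemple, bries-knight

[base]
   path = /
   admin users = mc, root, ntemple, bries-knight
   write list = mc, root, ntemple, bries-knight

[homes]
   comment = Home Directories
   read only = No
   browseable = No

[c$]
   path = /
   admin users = ntemple, mc, root
   read list = ntemple, mc, root
   write list = ntemple, mc, root

[music]
   path = /home/jukebox/www/html/songs
   guest ok = Yes

[install]
   path = /usr/local/share/unattended/install
   admin users = ntemple, mc
   write list = ntemple, mc
"""

SEVERITY_RANK = {"high": 2, "medium": 1}


def is_yes(value):
    """Samba boolean parameters accept yes/true/1 in any case."""
    return str(value).strip().lower() in ("yes", "true", "1")


def load_smb_conf(text):
    """Parse smb.conf text with configparser.

    interpolation=None keeps Samba's %m-style substitutions untouched,
    strict=False tolerates duplicate keys SWAT sometimes writes, and only
    '=' is a delimiter so values containing ':' are not split.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_smb_conf(text):
    """Return (severity, section, message) tuples for least-privilege problems.

    admin users is the main one: Samba performs all file operations for those
    users as root on the share, and a [global] setting becomes the default for
    every share. Combined with path = / that is root-level access to the whole
    disk for anyone holding one of those accounts' passwords.
    """
    cp = load_smb_conf(text)
    findings = []
    if cp.has_section("global"):
        g = cp["global"]
        if g.get("admin users"):
            findings.append(("high", "global",
                             "admin users in [global] is inherited by every share: " + g["admin users"]))
        if not g.get("hosts allow"):
            findings.append(("medium", "global",
                             "no hosts allow: any host that can reach the daemon may connect"))
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        path = s.get("path", "").strip()
        if path and path.rstrip("/") == "":
            findings.append(("high", share, "exports the whole filesystem (path = /)"))
        if s.get("admin users"):
            findings.append(("high", share,
                             "admin users perform file operations as root here: " + s["admin users"]))
        if is_yes(s.get("guest ok", "no")):
            findings.append(("medium", share, "guest ok = yes: anonymous clients can read this share"))
    findings.sort(key=lambda f: (-SEVERITY_RANK[f[0]], f[1]))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 8, 'medium': 1}."""
    return {sev: sum(1 for f in findings if f[0] == sev) for sev in SEVERITY_RANK}


if __name__ == "__main__":
    results = audit_smb_conf(SAMPLE_SMB_CONF)
    for severity, section, message in results:
        print(f"[{severity:6}] [{section}] {message}")
    print(summarize(results))
```

The practical fix the findings point at is to drop the path = / shares and the [global] admin users entirely, give the few people who need full-disk access SSH or sudo instead, and keep hosts allow restricted to the three private subnets as the later configuration already does.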