Re: [Samba] [samba4] Print all dns records of the samba4 internal DNS server

2013-04-07 Thread David Adam
On Sun, 7 Apr 2013, François Lafont wrote:
> All is in the title. I'm using Samba4 (version 4.0.4) in Debian Wheezy
> with the built-in DNS server. I'm searching for a command to print all the
> DNS records. I have searched the samba-tool command but haven't found one.

https://lists.samba.org/archive/samba-technical/2013-February/090300.html

samba-tool dns query localhost yourdomain.lan @ ALL

HTH,

David Adam
zanc...@ucc.gu.uwa.edu.au
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

[Samba] classicupgrade from LDAP - failed to find Unix account for machine account

2013-04-04 Thread David Adam
Hi all,

We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an 
OpenLDAP server that we use for both Linux and Windows 7 authentication, 
thanks to the magic of ldapsam and smbk5pwd.

I am investigating the feasibility of moving to Samba 4 and have tried 
upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in 
Debian unstable and also with GIT v4-0-stable (b341371).

The current roadblock is that a machine account produces an error in the 
migration:

init_sam_from_ldap: Failed to find Unix account for CICHLID$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user 
information for 'CICHLID$', (-1073741724,No such user)

Notably all of our Linux machines joined to the domain have posixAccount 
credentials, but the Windows machines do not.

The LDAP entry for this machine is:
dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
objectClass: sambaSamAccount
objectClass: account
displayName: CICHLID$
sambaAcctFlags: [W  ]
sambaNTPassword: {elided}
sambaPwdLastSet: 1364267120
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
uid: CICHLID$

The entries for all our Windows 7 machines look similar.

The Linux machines all also have a posixAccount objectClass with the 
appropriate attributes.

Importantly, we have ldapsam:trusted set in our Samba 3 config, and with 
the add machine script set to:
/usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u
(where cpu-samba.conf sets the default container to the Computers OU, 
disables the home directory and shell, and sets the GID to the computers 
group).

Any suggestions? I am particularly curious as to why the add machine 
script doesn't appear to be doing anything for Windows machines joined to 
the domain, and why the classicupgrade script is trying to look for user 
account details for machine accounts.

Thanks,

David Adam
zanc...@ucc.gu.uwa.edu.au


Re: [Samba] classicupgrade from LDAP - failed to find Unix account for machine account

2013-04-04 Thread David Adam
On Thu, 4 Apr 2013, Andrew Bartlett wrote:
> On Thu, 2013-04-04 at 15:30 +0800, David Adam wrote:
> > Hi all,
> > 
> > We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an 
> > OpenLDAP server that we use for both Linux and Windows 7 authentication, 
> > thanks to the magic of ldapsam and smbk5pwd.
> 
> So, what has happened is that I've forced on the 'ldapsam:trusted' in
> our classicupgrade script, as it makes it much, much easier to set up a
> migration, as you don't have to set up nss_ldap and then tear it down
> again.
> 
> I had assumed that almost all installations of Samba as a DC on LDAP
> would store the unix account with the Samba account.

Your psychic powers were accurate; for some reason we still have a few 
machine accounts in /etc/passwd on the PDC and not in LDAP, even though we 
have ldapsam:trusted set. (I'm surprised that works.)

Deleting the entries in /etc/passwd and rejoining the machines to the 
domain helps immensely.

Thanks

David
zanc...@ucc.gu.uwa.edu.au
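A pre-flight check for the classicupgrade failure reported in the thread above and resolved in this reply, written as an added example (it is not code from the thread or from Samba): it reads an LDIF export of the ldapsam tree plus the PDC's /etc/passwd and lists every sambaSamAccount that has no posixAccount in LDAP, marking those whose Unix identity exists only in /etc/passwd. The LDIF, passwd lines and function names are constructed for the example.

```python
"""Pre-flight check for classicupgrade from an ldapsam backend.

Added example, not code from the thread or from Samba. With ldapsam:trusted
forced on, classicupgrade resolves every sambaSamAccount through LDAP alone,
so an account whose posixAccount exists only in /etc/passwd on the PDC fails
with "Failed to find Unix account for NAME$". The data below is constructed.
"""
import base64

SAMPLE_LDIF = """\
dn: uid=CICHLID$,ou=Computers,dc=example,dc=lan
objectClass: sambaSamAccount
objectClass: account
uid: CICHLID$
sambaAcctFlags: [W          ]

dn: uid=TUXBOX$,ou=Computers,dc=example,dc=lan
objectClass: sambaSamAccount
objectClass: posixAccount
uid: TUXBOX$
uidNumber: 10042
"""
# Machine account whose Unix identity lives only on the PDC, not in LDAP.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
CICHLID$:x:10040:515:Windows box:/dev/null:/bin/false
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # 'attr:: ...' is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def find_upgrade_blockers(ldif_text, passwd_text):
    """Return (accounts lacking posixAccount, those of them found only in passwd)."""
    local_unix = {l.split(":")[0] for l in passwd_text.splitlines() if l}
    missing, only_local = [], []
    for entry in parse_ldif(ldif_text):
        classes = entry.get("objectClass", [])
        if "sambaSamAccount" in classes and "posixAccount" not in classes:
            name = entry["uid"][0]
            missing.append(name)      # classicupgrade will abort on this one
            if name in local_unix:
                only_local.append(name)   # the thread's case: fix it in LDAP
    return missing, only_local
```

Run it against `slapcat` output and the PDC's passwd file before starting the migration; every name in the first list needs a posixAccount in LDAP before classicupgrade will get past it.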


Re: [Samba] possible to use samba without unix accounts for each user?

2010-06-02 Thread David Adam
On Tue, 1 Jun 2010, Ben Cohen wrote:
> We use samba as a domain controller and file server for small separate 
> network environments.  We've currently got samba configured to get 
> posixAccount and sambaAccount information from ldap -- and have nss_ldap 
> configured to feed the same posixaccount objects into the posix user 
> account apis via nsswitch.conf (getpwent etc...).
> 
> In our environments we seem to regularly run into problems which result 
> from having the unix accounts populated with information from ldap.  
> Here are some observations:
> 
> 1. if ldap server(s) become unavailable all getpwent lookups experience 
> long timeouts (default nss_ldap behavior)
>   -- there are a number of gotchas resulting from this -- including 
> having to be careful that nothing which does a passwd lookup starts 
> before the ldap server on the server that's running the ldap server ... 
> 2. for security reasons we don't want our samba users to be able to get 
> a login shell on our server so we have to implement server access 
> controls to prevent this
> 
> it seems it would be simpler for us if there was some way to get samba 
> to work without requiring local unix accounts for each samba user ...
> 
> Is there any way to get samba to use ldap for passwd data without 
> simultaneously modifying the system-wide settings?  I don't care if 
> samba file operations result in files owned by uid's which don't 
> correspond to system-wide logins ...  I think it would be sufficient if 
> there was some way to point the getpwent() call from samba to a 
> different nsswitch.conf file than the api uses when called from 
> everywhere else?

I think the ldapsam:trusted option should do what you want (if I've read 
your email correctly and you already have passdb = ldapsam set).

David Adam
zanc...@ucc.gu.uwa.edu.au


Re: [Samba] Trouble joining Windows 7 machines to Samba PDC

2010-05-29 Thread David Adam
On Mon, 15 Mar 2010, David Adam wrote:
> We have a domain controller running Samba 3.4.5 that is backed onto an 
> OpenLDAP datastore. The domain has no trouble joining Windows XP clients, 
> but we've got a couple of Windows 7 / Windows Server 2008 R2 Standard that 
> we can't join to the domain.
> 
> The registry changes suggested in 
> http://wiki.samba.org/index.php?title=Windows7&oldid=4766 have been 
> applied, and a UNIX account for the machine has been created.
> 
> While the creation of the object in LDAP appears to succeed, the join 
> fails with the super-helpful message "The parameter is incorrect" on the 
> client.

For the archives, I reported this as bug 7395 - as discussed, it appears 
that Windows 7 has tightened up a bit on valid SIDs and we somehow had an 
invalid one, possibly due to an endianness issue in an old version of Samba.

Replacing our SID that started with S-1-5-352321536 with S-1-5-21 solved 
all our problems.

David Adam
zanc...@ucc.gu.uwa.edu.au



Re: [Samba] browsing across subnets/vpn

2010-04-16 Thread David Adam
On Fri, 16 Apr 2010, David Cake wrote:
> At 4:40 PM +0800 14/4/10, David Adam wrote:
> > On Wed, 14 Apr 2010, David Cake wrote:
> > 
> > > I am setting up a client with vpn to access a samba share. The samba
> > > server (which is both file and WINS server) is also the vpn machine, so
> > > nothing too complicated as far as routing goes, and the vpn stuff (openvpn
> > > stuff) all seems to work fine, client can manually log into shares by
> > > specifying the name and vpn interface address of the share.
> > > I am using layer three bridging (IP over a tun interface), not layer
> > > two (ethernet over a tap interface)
> > > But what I would need to do to allow clients to browse shares on this
> > > one machine.
> > > Is there a way to configure the Windows client (and samba if
> > > necessary) to allow browsing of shares, without switching everything over to
> > > ethernet bridging (which seems a lot to do for a simple task).
> > > I assume this is, at heart, a fairly simple browsing across subnets
> > > question. Please forgive my cluelessness.
> > 
> > I think the instructions at
> > http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#DMB
> > will solve your problem - I assume you are not using a domain? Anyway, set
> > your VPN server up to be the domain master browser and you should be
> > laughing.
> 
> I have set my VPN up to be the domain master browser, but it still does
> not appear to be working.
> 
> > If you are using a VPN configuration interface that lets you hand out
> > options as well as addresses, you might consider running a WINS server as
> > well.
> 
> I am running a wins server, and I am pushing the WINS server details
> via the VPN (successfully as far as I can tell).
> 
> Any suggestions for how to work out what is going wrong here?

Are you able to access the Samba shares by IP address 
(\\ip.add.re.ss\sharename)? If not, this may indicate a lower-level 
networking problem. Another thing to make sure you have checked is your 
firewall rules for VPN clients.

I'd start with wireshark/tcpdump, turning the logging up on nmbd, and/or 
using strace on the nmbd process. You can use nbtstat on Windows and 
nmblookup on Linux to force name queries - http://toasterz.com/node/27 has 
been a useful reference for me.

David Adam
zanc...@ucc.gu.uwa.edu.au


Re: [Samba] browsing across subnets/vpn

2010-04-14 Thread David Adam
On Wed, 14 Apr 2010, David Cake wrote:

> I am setting up a client with vpn to access a samba share. The samba
> server (which is both file and WINS server) is also the vpn machine, so
> nothing too complicated as far as routing goes, and the vpn stuff (openvpn
> stuff) all seems to work fine, client can manually log into shares by
> specifying the name and vpn interface address of the share.
> I am using layer three bridging (IP over a tun interface), not layer
> two (ethernet over a tap interface)
> But what I would need to do to allow clients to browse shares on this
> one machine.
> Is there a way to configure the Windows client (and samba if
> necessary) to allow browsing of shares, without switching everything over to
> ethernet bridging (which seems a lot to do for a simple task).
> I assume this is, at heart, a fairly simple browsing across subnets
> question. Please forgive my cluelessness.

I think the instructions at 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/NetworkBrowsing.html#DMB
will solve your problem - I assume you are not using a domain? Anyway, set 
your VPN server up to be the domain master browser and you should be 
laughing.

If you are using a VPN configuration interface that lets you hand out 
options as well as addresses, you might consider running a WINS server as 
well.

David Adam
zanc...@ucc.gu.uwa.edu.au


Re: [Samba] Samba3 and admin users

2010-03-18 Thread David Adam
On Thu, 18 Mar 2010, d_lemai...@cpbourg.com wrote:

> Hi to all,
> 
> We did an upgrade of samba.
> Now, we use samba3.
> Previously, the smb.conf was configured like that:
> 
> [global]
> ...
> admin users = @somepeople
> ...
> This would not be possible with samba3.
> 
> How to solve this problem?

You want the 'net groupmap' command.

`net groupmap add unixgroup=somepeople ntgroup="Domain Admins"` or 
similar should do the trick, I think, though it's a while since I had to.

David Adam
zanc...@ucc.gu.uwa.edu.au


Re: [Samba] Samba Version required for Win7 Clients

2010-03-16 Thread David Adam
On Tue, 16 Mar 2010, csirt wrote:
> Hi,
> which version of Samba do I need when I want to run Win 7 clients?
> At the moment I am running Samba version 3.0.28a with Ubuntu 8.04 LTS.

http://wiki.samba.org/index.php/Windows7 suggests you will need a Samba 
3.4 or 3.3 version; 3.4.0 and 3.3.7 or above apparently work.

David Adam


Re: [Samba] Samba4 as a plain LDAP server?

2010-03-16 Thread David Adam
On Tue, 16 Mar 2010, SMC wrote:
> On Monday 15 March 2010 22:42:41 Mike wrote:
> > I may well be insane, but as soon as I read your question, I thought
> > how novel and now want to find out the answer, myself.
> 
> Well, not necessarily novel if I reword my question as "Would I still have to 
> maintain two separate authentication databases if I want to use Samba4 with
> some non-Microsoft clients that don't have Samba installed?"
> 
> For example, can Samba4 work with mail or web servers that can authenticate 
> via LDAP, or simple Linux workstations that I don't necessarily want to 
> implement and maintain full-scale ActiveDirectory(tm)-mode authentication 
> for?
> 
> The need to maintain two separate authentication databases has been my biggest
> annoyance with Samba (I realize this isn't the fault of Samba but rather a 
> consequence of Microsoft's special password-hashing method).  That means
> if you don't use Samba every time you change your password, you end up with 
> your normal password and your Windows/Samba password out of sync.

We use the smbk5pwd overlay for OpenLDAP to solve this problem - when you 
change your password using 'passwd' on a Linux machine or on a Windows 
machine, all password entries are updated.

One of my colleagues has written some basic documentation as part of his 
overarching guide to LDAP:

http://wiki.ucc.asn.au/LDAP/LazySysadmin#smbk5pwd

I would be happy to answer questions about our setup. We seem to have 
almost perfected the One True Password system across our range of Linux, 
FreeBSD, Mac OS X, Windows and miscellaneous boxes.

David Adam
University Computer Club


[Samba] Trouble joining Windows 7 machines to Samba PDC

2010-03-15 Thread David Adam
Hi folks,

We have a domain controller running Samba 3.4.5 that is backed onto an 
OpenLDAP datastore. The domain has no trouble joining Windows XP clients, 
but we've got a couple of Windows 7 / Windows Server 2008 R2 Standard that 
we can't join to the domain.

The registry changes suggested in 
http://wiki.samba.org/index.php?title=Windows7&oldid=4766 have been 
applied, and a UNIX account for the machine has been created.

While the creation of the object in LDAP appears to succeed, the join 
fails with the super-helpful message "The parameter is incorrect" on the 
client.

I've attached the NetSetup.log, the output of testparm, and a debug log at 
level 5 from one of the clients. The only thing particularly notable in 
the NetSetup output is:

NetpSetNetlogonDomainCache: DsEnumerateDomainTrustsW for all trusts failed 
with ERROR_NOT_SUPPORTED -- retry

Any hints?

David Adam
University Computer Club, UWA
zanc...@ucc.gu.uwa.edu.au

[global]
workgroup = UCCDOMAYNE
server string = %h server
obey pam restrictions = Yes
passdb backend = ldapsam:ldaps://mussel.ucc.gu.uwa.edu.au ldaps://martello.ucc.gu.uwa.edu.au/
log level = all:10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
debug pid = Yes
logon path = \musundo\profiles
logon drive = H:
logon home = \\musundo\%U
domain logons = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins server = 130.95.13.3
ldap admin dn = cn=admin,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
ldap machine suffix = ou=Computers
ldap passwd sync = only
ldap suffix = dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
ldap ssl = no
ldap user suffix = ou=People
panic action = /usr/share/samba/panic-action %d

03/15/2010 18:19:21:613 ----------------------------------------------------------------
03/15/2010 18:19:21:613 NetpValidateName: checking to see if 'MAAXEN' is valid as type 1 name
03/15/2010 18:19:21:633 NetpCheckNetBiosNameNotInUse for 'MAAXEN' [MACHINE] returned 0x0
03/15/2010 18:19:21:633 NetpValidateName: name 'MAAXEN' is valid for type 1
03/15/2010 18:19:21:664 ----------------------------------------------------------------
03/15/2010 18:19:21:664 NetpValidateName: checking to see if 'MAAXEN.ucc.gu.uwa.edu.au' is valid as type 5 name
03/15/2010 18:19:21:664 NetpValidateName: name 'MAAXEN.ucc.gu.uwa.edu.au' is valid for type 5
03/15/2010 18:19:21:700 ----------------------------------------------------------------
03/15/2010 18:19:21:701 NetpValidateName: checking to see if 'UCCDOMAYNE' is valid as type 3 name
03/15/2010 18:19:21:828 NetpCheckDomainNameIsValid [ Exists ] for 'UCCDOMAYNE' returned 0x0
03/15/2010 18:19:21:828 NetpValidateName: name 'UCCDOMAYNE' is valid for type 3
03/15/2010 18:19:26:413 ----------------------------------------------------------------
03/15/2010 18:19:26:413 NetpDoDomainJoin
03/15/2010 18:19:26:413 NetpMachineValidToJoin: 'MAAXEN'
03/15/2010 18:19:26:413 OS Version: 6.1
03/15/2010 18:19:26:413 Build number: 7600 (7600.win7_rtm.090713-1255)
03/15/2010 18:19:26:414 SKU: Windows Server 2008 R2 Standard
03/15/2010 18:19:26:414 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
03/15/2010 18:19:26:414 NetpGetLsaPrimaryDomain: status: 0x0
03/15/2010 18:19:26:414 NetpMachineValidToJoin: status: 0x0
03/15/2010 18:19:26:415 NetpJoinDomain
03/15/2010 18:19:26:415 Machine: MAAXEN
03/15/2010 18:19:26:415 Domain: UCCDOMAYNE
03/15/2010 18:19:26:415 MachineAccountOU: (NULL)
03/15/2010 18:19:26:415 Account: UCCDOMAYNE\zanchey
03/15/2010 18:19:26:415 Options: 0x25
03/15/2010 18:19:26:415 NetpLoadParameters: loading registry parameters...
03/15/2010 18:19:26:415 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
03/15/2010 18:19:26:415 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
03/15/2010 18:19:26:415 NetpLoadParameters: status: 0x0
03/15/2010 18:19:26:415 NetpValidateName: checking to see if 'UCCDOMAYNE' is valid as type 3 name
03/15/2010 18:19:26:517 NetpCheckDomainNameIsValid [ Exists ] for 'UCCDOMAYNE' returned 0x0
03/15/2010 18:19:26:517 NetpValidateName: name 'UCCDOMAYNE' is valid for type 3
03/15/2010 18:19:26:517 NetpDsGetDcName: trying to find DC in domain 'UCCDOMAYNE', flags: 0x1020
03/15/2010 18:19:34:025 NetpLoadParameters: loading registry parameters...
03/15/2010 18:19:34:025 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
03/15/2010 18:19:34:025 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
03/15/2010 18:19:34:025 NetpLoadParameters: status: 0x0
03/15/2010 18:19:34:025 NetpDsGetDcName: found DC '\\MYLAH' in the specified domain
03/15/2010 18:19:34:025 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
03/15/2010 18:20:29:939 NetpJoinDomain: status