[Samba] krb5-1.4.3 Solaris 8
Has anyone managed to get krb5-1.4.3 to compile on Solaris 8? My compile fails because it can't find freeifaddrs or getifaddrs, using gcc.

    []
    making all in lib/rpc/unit-test...
    gmake[3]: Entering directory `/var/tmp/sambastuff/krb5-1.4.3/src/lib/rpc/unit-test'
    gcc -L../../../lib -R/usr/local/testsamba/kerberos/lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -o client client.o rpc_test_clnt.o \
        -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -lsocket -lnsl
    ld: warning: file libgcc_s.so.1: required by ../../../lib/libgssrpc.so, not found
    Undefined                       first referenced
     symbol                             in file
    freeifaddrs                         ../../../lib/libkrb5.so
    getifaddrs                          ../../../lib/libkrb5.so
    ld: fatal: Symbol referencing errors. No output written to client
    collect2: ld returned 1 exit status
    [...]
    % gcc --version
    gcc (GCC) 3.4.2

If you've succeeded, can you send me your ./configure line, and relevant environment variables you may have set?

Thanks!

--Dragon

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Samba Question
Worth noting: The 3.0.x recommendation regarding nscd is that you /do not run it at all/. Though I think that might only apply when you're using winbindd, you might want to take a look at your nscd process to see if it's notably busy. It was on our server, taking up half of one of the CPUs. Very bad. So I turned nscd off.

--Dragon

Gerry Maddock wrote:

Got it working. I had to restart nscd service. Nscd was not reflecting the group entries.

Ok, it seems to be an LDAP problem. For some reason Linux isn't reading the ldap groups, even though /etc/nsswitch.conf states groups = files ldap

Here is my problem: I ran smbldap-groupadd TEST to create the group test. I then ran: smbldap-groupmod -m gerrym,briang TEST to add gerrym (me) and briang to that group. I next created a test Linux directory called TESTDIR to check permissions. I changed the ownership to briang.TEST TESTDIR (chown briang.TEST ./TESTDIR). I then changed directory permissions to 770 (user and group have read, write, and execute). I then logged in as myself (gerrym) and tried to access that directory and I am unable to. The directory permissions should allow me in w/full control as I am in the group TEST. I run getent group|grep TEST and verify I am a member of that group and I am. I then checked /etc/nsswitch.conf and it shows: group: files ldap

Just wondering why it will not let me in that directory if permissions are right? I used IDEALX's smb-ldap script 1.2. Any help or suggestions would be appreciated. THANKS!

I have a share access question for you. I have been running Samba 2.2.7 as a PDC on my RH7.2 box for several years now. I just set up a new PDC running Samba 3.0.10 on a FC3 box.
I used to control read-write access to shares via samba like:

    [TRData]
        path = /tr/TRData
        valid users = administrator,@IT,@fl,@tx,@eu,@ca,@ny,@wa,@uk
        write list = administrator,@IT,@FLTR
        force group = FLTR
        read only = no
        create mask = 0777
        directory mask = 0777

That would work fine when I was running Samba 2.2.7, but now it doesn't work with Samba 3.0.10. What can I enter to my new smb.conf (3.0.10) to get the shares to behave like they did when I ran 2.2.7?

Thanks in advance!!!
Re: [Samba] \PIPE\NETLOGON (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Michael Wray wrote:

Help, wbinfo -t fails with the error in subject, and getting sids of groups that aren't BUILTIN fail. Everything else seems to work.

Note: I am not converting my kerberos tickets to krb4, is this necessary? (It used to work without it..but now it seems not to work.) I get no errors from kinit. All other wbinfo requests succeed with the exception of looking up the SIDS of groups that aren't BUILTIN. I need to get the SIDS for my application. net ads testjoin succeeds, as does net rpc testjoin. Get the exact same error on 2 different domains, one is 2003 the other is 2000. Active Directory on both.

I was seeing this behavior with 3.0.4, server = domain. wbinfo -t would usually result in the subject message appearing in the winbind error log file, and the secret check would fail. I modified my password server = entry to point to the FQDN of the PDC, /and/ the canonical name of the PDC (hostname only). After that, wbinfo -t returned success, quickly, and repeatedly.

Give that a try?

--Dragon
Re: [Samba] samba PDC with nfs mount of homes
Alexander Lazarevich wrote:

Hi, samba-3.0.9-1.3E.2 on RHEL3-AS.

Let's say we have a samba 3 PDC (workgroup = testdomain) on linux.host.1, and the passwd backend is NIS ypbind that binds to ypserv on linux.host.2. Further, linux.host.2 also runs samba 3, not as a PDC, but rather points its authentication to an NT4 PDC (workgroup = realdomain). Even further, linux.host.2 also holds the user /home directories.

Now, if we NFS mount linux.host.2:/home onto linux.host.1, and then set up the smb.conf on linux.host.1 to share out that NFS mount of /home, my question is this: will samba on linux.host.2 be involved in any of the authentication? I think it shouldn't be. Samba on linux.host.1 should handle all the auth, right? Samba on linux.host.2 shouldn't even know that anything is being shared out, right?

linux.host.2 will be involved in NIS authentication, as it is the ypserv that linux.host.1 is ypbound to. But it won't play any role in Windows authentication, since linux.host.1 is (a) in a different workgroup/domain, and (b) likely referring only to itself for SMB-related authentication. Your nsswitch.conf or pam modules might say otherwise, but that would be (more) convoluted.

So, linux.host.1 should be doing the shares just as though /home was a local drive. Of course, /home is NFS mounted, but that simply adds a layer of overhead between the data source and the data destination. It will slow things down for the end-user. But it should not impact the authentication architecture, for the most part.

Obviously, if linux.host.2 is not properly exporting the filesystem to linux.host.1, then the share won't work, even though Samba on linux.host.1 authenticates the client user.

Hope this helps!

--Dragon
Re: [Samba] nsswitch.conf winbind
Samba 3.0.4 // Solaris 8

I saw this behavior as well, when doing wbinfo -u or -g, when I had winbind default domain = yes in my smb.conf file. If you comment that out, then restart winbind, you should see your domain in wbinfo -u and -g.

For me, getent still returns my NIS entries only, but I think it's because I didn't properly install the nsswitch stuff from Samba. I'm tinkering with that now. I don't think it's installed by default, I think you have to do some manual copying for that to work. I'll post results once/if I get it working.

--Dragon

Guillaume C. wrote:

Hi! When, on a configured samba server, I enter the following command, I don't see any of my domain users.

    MORGOTH:~# getent passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    ...
    nobody:x:65534:65534:nobody:/home:/bin/sh
    guillaume:x:1000:1000:Guillaume C.,,,:/home/guillaume:/bin/bash
    identd:x:100:65534::/var/run/identd:/bin/false
    sshd:x:101:65534::/var/run/sshd:/bin/false

It doesn't list the domain users. But the command wbinfo -ug lists all I want...

Here is my nsswitch.conf file

    #/etc/nsswitch.conf#
    passwd: compat winbind
    group: compat winbind
    shadow: compat
    hosts: files wins dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    netgroup: nis

I don't think that the error comes from this file but

Thanks for your help.

--
Raytheon
*David P. Michaels*
Senior Multi-Disciplined Engineer II
W.H. NPOESS IS Platform OS Unix
303.344.6840
720.858.5952 fax
720.521.0561 pager
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
*aka Dragon*

I wonder what news is doing...
[EMAIL PROTECTED] 29 ps -fu news
news 18624 12367 2 0:00 makehistory
News is making history.
[Samba] Samba 3.0.11 hammering NIS
I installed Samba recently on a ClearCase server (Solaris 8) to remove the need for DiskAccess on the Windows clients. I'm having two problems with it, actually.

The important one that I'm asking the list about is that Samba is hammering my NIS master with requests for DoMaiN+UseR (and every conceivable combination of cases--note + instead of \, per winbind separator statement in config file, though the same problem manifested with the default \). This results in hundreds of requests per authentication need.

I've mitigated the problem somewhat by making the server a NIS slave, so it's no longer using the network to make these requests. However, my ypserv process is chewing up almost an entire CPU by itself, and is slowing everything else down. I have my nsswitch.conf to use 'winbind' before NIS, but that doesn't seem to have helped.

(The other problem has to do with ClearCase munging up path names (mixing \ and / within a single pathname). Haven't been able to reproduce that problem outside of Rational ClearCase, so I haven't bothered the Samba list with it.--anyone know how to tell Samba to treat both \ and / as /?)

Here are my global settings, and one of the shares. Does it have to do with the 'username level' perhaps? I started this config file with an existing/working config file from another project, and modified it from /security = server/ to /security = domain/ (and made other appropriate changes).
This output is from testparm:

    # Global parameters
    [global]
        workgroup = MYDOMAIN
        interfaces = ce*, 127.0.0.1
        bind interfaces only = Yes
        security = DOMAIN
        password server = W2003-in-NT-emulation.my.win.domain.com
        username level = 5
        log file = /var/samba/log/clients/%m
        max log size = 50
        socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65535
        add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
        preferred master = No
        local master = No
        domain master = No
        wins server = 1.2.3.236
        kernel oplocks = No
        lock directory = /var/samba/lock
        pid directory = /var/samba/run
        template homedir = /npd/%U
        winbind separator = +
        winbind use default domain = Yes
        hosts deny = 1.2.3.4, 1.2.3.5
        case sensitive = No
        mangled names = No
        oplocks = No

    [rational]
        comment = ClearCase Share
        path = /rational
        read only = No
        force create mode = 0664
        force directory mode = 0775
        guest ok = Yes

--Dragon

**In theory, there is no difference between theory and practice. But, in practice, there is. **
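Added example (not part of the original message and not Samba's own code): the testparm output above includes username level = 5, which the smb.conf documentation describes as the number of uppercase combinations Samba tries when mapping a client-supplied name to a UNIX account. The sketch assumes that every variant with up to that many letters uppercased costs one name-service lookup; the function names and the sample account names are constructed for illustration.

```python
from itertools import combinations
from math import comb


def case_variants(name, level):
    """Yield the lowercased name, then every variant with 1..level letters uppercased."""
    base = name.lower()
    # Only alphabetic positions can change case; '+' (the winbind separator) cannot.
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(0, min(level, len(letters)) + 1):
        for positions in combinations(letters, k):
            chars = list(base)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def lookup_count(name, level):
    """Closed form for the number of variants: sum of C(n, k) for k = 0..level."""
    n = sum(ch.isalpha() for ch in name)
    return sum(comb(n, k) for k in range(0, min(level, n) + 1))


def report(names, levels=(0, 1, 5)):
    """Return {name: {level: worst-case lookups when no variant matches}}."""
    return {n: {lvl: lookup_count(n, lvl) for lvl in levels} for n in names}


if __name__ == "__main__":
    # Constructed sample names: a bare account and a domain-qualified one.
    for name, counts in report(["dragon", "mydomain+dragon"]).items():
        for level, count in counts.items():
            print(f"{name!r:20} username level = {level}: up to {count} lookups")
    print(list(case_variants("user", 1)))
```

Under this assumption the count grows combinatorially with both the level and the length of the name, which is consistent with the hundreds of requests per authentication described in the message.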
Re: [Samba] make_server_info_info3: pdb_init_sam failed!
I'm seeing this problem as well, and while our Windows servers are using Active Directory, my samba configuration is employing the server = domain technique, and the password server is the one Windows AD DC that's in NT emulation mode.

Authentications seem to work okay, and users can navigate just fine, but every client has lots of these pdb_init_sam failed errors in its respective log file. pdb looks like password database, and sam is specifically a unix thing, so I'm not sure the Windows servers are involved at this point.

I'm wondering if I need to create an 'empty' password database on the unix server, or otherwise find a way to tell Samba not to bother with such, and to just use strictly Windows authentication for Samba clients.

Is this turning on any lightbulbs?

--Dragon

Willem Jaap Zwart wrote:

Hi

We ran into exactly the same problem (although the AD is from W2K), but didn't find a solution yet. I've increased the logging from Samba to pinpoint the problem and it appears that the AD simply does not reply to a request to authenticate the Domain Admin. We are now working on the diagnostic output of the Directory Service on the Micro$oft server to see what's happening over there (ref to http://support.microsoft.com/default.aspx?scid=kb;en-us;314980sd=tech).

Not much of a help yet, so anyone who has some ideas or pointers??

Willem Jaap

Benoit Panizzon said:

Next strange problem...

W2k3 ADS. Samba as ADS Member. pam_krb5 nss_ldap winbindd all seem to be working correctly. Windows Users can access the shares on the Samba Server and can login using pam. smbclient works for all users... except from the Domain Administrator.

    smbclient //server/user -U user = is fine
    smbclient //server/Administrator -U Administrator
    [2005/03/23 17:33:30, 0] auth/auth_util.c:make_server_info_info3(1134)
      make_server_info_info3: pdb_init_sam failed!

From a Windows Client the Domain Admin can connect \\server\Administrator without troubles.

So what could be wrong?
--
Benoît Panizzon, [EMAIL PROTECTED]
ImproWare AG, UNIXSP ISP    Phone: +41 61 826 93 00
Zurlindenstrasse 29         Fax: +41 61 826 93 01
CH-4133 Pratteln            Net: http://www.imp.ch/
[Samba] Compiling samba on Solaris 8 --with-ads
For historical reasons, the administrator is a member in lots of groups. As a result the ticket size is too big for UDP, so the W2k3-server sends an KRB5KRB_ERR_RESPONSE_TOO_BIG (Response too big for UDP, retry with TCP) error back to kinit. Unfortunately this case is not handled in lib/krb5/get_in_tck.c - krb5_get_in_cred(). Only the KRB5KDC_ERR_PREAUTH_REQUIRED error is handled.

Sorry for not responding earlier. If you grab the latest heimdal-0.6-date.tar.gz snapshot it will contain code that supports falling back to TCP when UDP fails or the error KRB5KRB_ERR_RESPONSE_TOO_BIG is returned. If you don't want to upgrade you can force tcp in krb5.conf

    [realms]
        MY.REALM = {
            kdc = tcp/my.first.kdc.my.realm
            kdc = tcp/my.second.kdc.my.realm
        }

I'm trying to get ADS support in Samba 3.0.11 on Solaris 8 to work. I am pretty close, but Samba doesn't recognize the 'realm' keyword in the smb.conf file. It seems to be okay with security = ads, but that doesn't do much good if it can't determine the realm. ;)

Also, I'm running into the same udp-too-big error, and the above fix using /etc/krb5.conf does not work. I end up with:

    kinit: krb5_get_init_creds: unable to reach any KDC in realm {MY.REALM}

I'm pulling down the latest heimdal now, but I had to do a trick to get even 0.6.3 to compile -- I had to close permissions to /usr/include/gssapi (otherwise it complained about duplicate definitions of stuff).

I tried using MIT's kerberos (1.4), but it has a problem finding freeifaddrs and getifaddrs:

    gcc -L../../../lib -R/usr/local/lib -g -O2 -Wall -Wmissing-prototypes -Wcast-qual -Wcast-align -Wconversion -Wshadow -pedantic -o client client.o rpc_test_clnt.o \
        -lgssrpc -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lkrb5support -lresolv -lsocket -lnsl
    Undefined                       first referenced
     symbol                             in file
    freeifaddrs                         ../../../lib/libkrb5.so
    getifaddrs                          ../../../lib/libkrb5.so
    ld: fatal: Symbol referencing errors.
    No output written to client
    collect2: ld returned 1 exit status

The only place I found those referenced were in the Heimdal files (in the libroken.a library). But I can't compile a shared version of that library, because --enable-shared for Heimdal results in huge lists of undefined symbols when compiling libsl.so. I can't seem to win here.

I saw Joseph Gaude's message that said:

I used:

    MIT Kerberos 1.3.4
    OpenSSL 0.9.7d
    OpenLdap 2.2.14
    Samba 3.0.7

all compiled from source. Do not use the Sunfreeware supplied packages as the libraries will not work. Also, installed ncurses, popt, libiconv from Sunfreeware.

How did you get MIT Kerberos to install? (i.e., where are its freeifaddrs and getifaddrs functions coming from?)

I've got OpenLdap 2.2.23 installed, OpenSSL 0.9.7d, Heimdal 0.6.3, and Samba 3.0.11.

Any ideas?

--Dave Dragon Michaels