Re: [Samba] How to tell a machine is properly joined to a domain?
Hi aps,

> I have been using 'net ads testjoin' but the issue is it seems to ask for a password when the box is not joined to a domain (even if I specify '-U username%pass'). This *seems* like a bug - I would expect it to pass or fail using the creds passed in. Is this by design and if so, why? Is there a better alternative? ('net ads info'?)

I think that wbinfo -t should do it. It checks the trust relationship.

[root@srvfichiers.tranq ~]# wbinfo -t
checking the trust secret for domain TRANQUILIT via RPC calls succeeded

Denis

> -aps

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
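The complaint in the question is that `net ads testjoin` may stop and prompt for a password on an unjoined box, which is fatal in a cron job. The script below is an added example (not from this thread, not part of Samba): it runs `wbinfo -t` and `net ads testjoin` with stdin closed so a prompt fails instead of hanging, and it relies only on exit statuses. It assumes both commands exit non-zero when their check fails; the `JOIN_CHECK_RUN` variable and the three verdict words are names chosen for the example.

```sh
#!/bin/sh
# Added example (not from the thread): a non-interactive "is this box joined?"
# check suitable for cron or configuration management.
#
# Both tools read stdin from /dev/null, so if one of them decides to prompt
# for a password (the behaviour reported above for `net ads testjoin` on an
# unjoined box) it fails at once instead of hanging the job. Only the exit
# status is used, so the check does not depend on message wording.
# Assumption: both commands exit non-zero when the check fails.

# 0 when winbind can validate the machine trust secret against a DC.
# Needs no user credentials: it uses the machine account created at join time.
trust_secret_ok() {
    wbinfo -t </dev/null >/dev/null 2>&1
}

# 0 when `net ads testjoin` considers the join valid.
ads_join_ok() {
    net ads testjoin </dev/null >/dev/null 2>&1
}

# Prints one of: joined, trust-broken, not-joined; exit status 0/1/2.
# "trust-broken" (testjoin ok, wbinfo -t failing) usually means winbindd is
# not running or cannot reach a DC, which is worth telling apart from a box
# that was never joined.
join_state() {
    if ads_join_ok; then
        if trust_secret_ok; then
            echo joined
            return 0
        fi
        echo trust-broken
        return 1
    fi
    echo not-joined
    return 2
}

# Stand-alone use (assumed convention for this example):
#   JOIN_CHECK_RUN=1 sh join_check.sh
if [ -n "$JOIN_CHECK_RUN" ]; then
    join_state
    exit $?
fi
```

Because `wbinfo -t` authenticates with the machine account secret rather than a user password, it is the check to put in monitoring; `net ads testjoin` is kept as a second opinion because it also exercises the Kerberos/LDAP path to the DC.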
Re: [Samba] (no subject)
On 28/09/2013 01:15, Jim Jenkins wrote:

> Hey Gang,
>
> I'm stuck near the end of installing Samba 4 on a Debian Wheezy machine. I'm trying to connect to a Win2k AD. Basically I can't get "getent passwd" to show domain accounts. I also can't access shares using my credentials. What did I forget?!
>
> Here is what works:
>
> sudo net ads join -U "DOMAINADMIN"
> wbinfo -g //shows domain groups!
> wbinfo -u //shows domain users!
>
> I have setup symlinks from /lib/i386-linux-gnu/libnss_winbind.so to /lib/i386-linux-gnu/libnss_winbind.so

if you did compile samba4, then the correct libnss_winbind.so library is located at /usr/local/samba/lib/libnss_winbind.so.2 (cf. http://wiki.samba.org/index.php/Samba4/Winbind#Using_libnss_winbind)

if you used the samba4 (4.0.0~beta2+dfsg1-3.2) package from the debian repository, then you'd better go for the compiled version. The packages in the wheezy repository are quite old.

> smb.conf
>
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.COM
> server string = %h server
> security = ADS
> map to guest = Bad User
> obey pam restrictions = Yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

I guess most of those lines are not needed if you are using AD authentication.

> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> dns proxy = No
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> winbind separator = +
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> winbind nss info = rfc2307
> idmap config SHORTDOMAINNAME:range = 500-4
> idmap config SHORTDOMAINNAME:schema_mode = rfc2307
> idmap config SHORTDOMAINNAME:backend = ad
> idmap config *:range = 70001-8
> idmap config * : backend = tdb
> store dos attributes = Yes
>
> Besides "getent passwd" failing to show domain accounts, I get this when I attempt to authenticate via a SMB client.
> [2013/09/27 19:03:28.678145, 3] ../auth/ntlmssp/ntlmssp_server.c:358(ntlmssp_server_preauth)
> Got user=[TestUser] domain=[DOMAIN] workstation=[BADASS] len1=24 len2=154
> . .
> [2013/09/27 19:03:28.681267, 3] ../source3/auth/auth.c:177(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user

samba is complaining of "unmapped user", this should go away once libnss is properly configured

Cheers,

Denis

> [**DOMAIN]\[TestUser]@[BADASS] with the new password interface
> [2013/09/27 19:03:28.681359, 3] ../source3/auth/auth.c:180(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [**DOMAIN]\[**TestUser]@[BADASS]
> [2013/09/27 19:03:28.691085, 3] ../source3/auth/auth_util.c:1247(check_account)
> Failed to find authenticated user **DOMAIN+jjenkins via getpwnam(), denying access.
> [2013/09/27 19:03:28.691235, 2] ../source3/auth/auth.c:288(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [jjenkins] -> [**TestUser] FAILED with error NT_STATUS_NO_SUCH_USER
> [2013/09/27 19:03:28.691354, 3] ../source3/auth/auth_util.c:1593(do_map_to_guest_server_info)
> No such user jjenkins [**DOMAIN] - using guest account
Re: [Samba] Must Samba4 AD be provisioned with rfc2307 to use winbind ?
Hi Nicolas,

> (Trying to connect squid, postfix, dovecot, pptp, etc ... to AD)
>
> Samba 4.0.9, as PDC, on Ubuntu 12.04.3 server.
> Compiled with : ./configure --enable-debug --enable-selftest
> Domain provision : /usr/local/samba/bin/samba-tool domain provision
>
> Despite my reads and tries, I'm unable to list the AD users from Linux.
>
> /usr/local/samba/bin/wbinfo -t
> /usr/local/samba/bin/wbinfo -u
> /usr/local/samba/bin/wbinfo -g
>
> are OK but :
>
> getent passwd
>
> only lists Linux users.

in order to have getent passwd work, you need to have the correct nss module in the path. It is not in the default path when compiling. Please take a look at http://wiki.samba.org/index.php/Samba4/Winbind

for a 32bit system, you can run :

ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib/libnss_winbind.so
ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2

However if you are not using rfc2307, you will have random idmap (no rid idmap yet).

Cheers,

Denis

> AD works OK and a lot of work has been done on it.
> If the rfc2307 option is required during domain provision, can I launch it without losing the whole AD configuration ?
>
> Thanks in advance for your time.
>
> Nicolas
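Both this thread and the previous one ("getent passwd" empty, smbd denying access with "Failed to find authenticated user ... via getpwnam()") end at the same place: NSS, not Samba, cannot see the domain account. The script below is an added example, not code from either thread or from Samba. It checks the two preconditions the wiki page asks for, winbind listed in nsswitch.conf and libnss_winbind.so.2 findable by the dynamic loader, and then does the same getpwnam() lookup smbd does. The two nsswitch.conf samples are constructed for the example.

```python
"""Added example (not from the thread): check what `getent passwd` needs
before blaming Samba.

smbd looks the authenticated user up with getpwnam(); the quoted log line
"Failed to find authenticated user DOMAIN+jjenkins via getpwnam(), denying
access" therefore means NSS cannot see the account. Two things must hold:
/etc/nsswitch.conf lists winbind for the passwd and group databases, and the
dynamic loader can find libnss_winbind.so.2 (the symlink step from the wiki
page cited above). The two nsswitch samples are constructed for the example.
"""
import ctypes
import pwd
import sys
from typing import Dict, List

REQUIRED_DBS = ("passwd", "group")
NSS_MODULE = "libnss_winbind.so.2"

# Constructed sample: stock Debian defaults, winbind not wired in.
SAMPLE_BROKEN = """# /etc/nsswitch.conf
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
"""

# Constructed sample: what the wiki page asks for.
SAMPLE_FIXED = """# /etc/nsswitch.conf
passwd:         compat winbind
group:          compat winbind
shadow:         compat
hosts:          files dns
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map database name -> ordered list of sources, ignoring comments and
    [action] tokens such as [NOTFOUND=return]."""
    dbs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        dbs[db.strip()] = [t for t in sources.split() if not t.startswith("[")]
    return dbs


def missing_winbind(text: str) -> List[str]:
    """Return the required databases whose source list lacks winbind."""
    dbs = parse_nsswitch(text)
    return [db for db in REQUIRED_DBS if "winbind" not in dbs.get(db, [])]


def nss_module_loadable(soname: str = NSS_MODULE) -> bool:
    """True if dlopen() can find the NSS module, the same lookup glibc does
    when it sees 'winbind' in nsswitch.conf."""
    try:
        ctypes.CDLL(soname)
        return True
    except OSError:
        return False


def domain_user_resolves(name: str) -> bool:
    """True if getpwnam() sees the account, which is exactly what smbd's
    check_account() requires before granting access."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    # Usage: python3 nss_check.py DOMAIN+jjenkins [more users...]
    with open("/etc/nsswitch.conf") as f:
        missing = missing_winbind(f.read())
    print("nsswitch databases without winbind:", missing or "none")
    print(f"{NSS_MODULE} loadable by the dynamic loader:", nss_module_loadable())
    for user in sys.argv[1:]:
        print(f"getpwnam({user!r}):", "ok" if domain_user_resolves(user) else "NOT FOUND")
```

If `nss_module_loadable()` is false on a self-compiled Samba4, the module sits under /usr/local/samba/lib and is outside the loader's search path; that is the situation the two `ln -s` lines above fix. Remember to pass the user exactly as smbd logs it (with the `winbind separator`, `+` in the smb.conf above).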
Re: [Samba] default idmap range in samba4
Hi Stéphane,

> migration from samba 3 (without winbind) to samba4. New users use the idmap range. But I don't know what the range is. By uidNumber, I just see 300 is the first uidNumber but what is the max (default max) ?

I had the same issue yesterday when I upgraded a NAS in a small branch office from a samba3 member server to samba4 in order to have on-site authentication in case of internet failure. I didn't find any way to reproduce the same rid/uid mapping behaviour of winbind 3.6 with samba4. I gave up quickly as it was not a big deal to have a different sid/uid mapping on that site. However I'd be glad to hear from you if you have found a solution.

Cheers,

Denis

> After migration can I change the range in smb.conf by idmap config *:range = 2500-100 ?
>
> ty
>
> Stéphane Purnelle
> ---
> Stéphane PURNELLE
> Admin. Systèmes et Réseaux
> Service Informatique
> Corman S.A.
> Tel : 00 32 (0)87/342467
Re: [Samba] folder name screwed up
Hi Patrick,

> on my linux box i can see the folder as: "1996 - E.I.N.S."
> on my windows 7 box it is shown as: "1MNOXH~A"

what about the dot at the end of the folder name?

Cheers,

Denis

> other folders in the same order are shown identical on both boxes...what can this be?
>
> greetings
Re: [Samba] Samba Domain Rename
Hi Sandeep,

> Changing a domain name, even in an all-Microsoft Windows server environment, is strongly discouraged, at least on the user mailing lists I am on. Better would be to use the domain migration tools, and migrate to a newly named domain.

I recently had to migrate a windows 2003 domain from a short dns domain name media1 to the standard dns name media1.local before migrating to a samba4 domain. There are actually some Microsoft tools to do the migration, but it is far from trivial. I don't know if there is anything in samba4 to do the same thing though, and probably the method outlined by Michael might still be the best one.

Cheers,

Denis

> On Tue, Jul 2, 2013 at 11:07 AM, Ricky Nance wrote:
>
> Like Michael said, samba 4 as an AD DC would probably not be happy if you just change the 'workgroup = ' line in your smb.conf (as a matter of fact, that line shouldn't exist in an AD DC setup in my opinion). The domain is more than likely embedded very deep inside of the LDB's, and I would strongly recommend against changing those, however, with sufficient backups and lots of luck you might be successful in changing it (look into ldbsearch and ldbedit if you are really REALLY brave). I think even changing every instance in the LDB's however will still not work, as during provision the machine joins itself to the domain (yes it joins itself to itself if I recall right). I would try to avoid this at all costs, but if you must do it, starting over may be your best option.
>
> Just my thoughts,
>
> Ricky
Re: [Samba] Samba 3.6.6 - Debian 7
Hi Marco,

> I use Samba + LDAP as a domain controller but after the update of Debian 6 to Debian 7 I can't authenticate my users in the Samba server.
>
> logs:
>
> [2013/05/23 08:29:55.811240, 1] auth/server_info.c:386(samu_to_SamInfo3)
> The primary group domain sid(S-1-5-21-3651478259-4121578499-3132057975-513) does not match the domain sid(S-1-5-21-3182595135-1874831366-4239877494) for user(S-1-5-21-3182595135-1874831366-4239877494-60012)
> [2013/05/23 08:29:55.811383, 0] auth/check_samsec.c:491(check_sam_security)
> check_sam_security: make_server_info_sam() failed with 'NT_STATUS_UNSUCCESSFUL'
>
> # net getlocalsid
> SID for domain ROCKY is: S-1-5-21-2260219023-4180104146-1160048873
>
> # net getdomainsid
> SID for local machine ROCKY is: S-1-5-21-2260219023-4180104146-1160048873
> SID for domain PRINTERRESERVA is: S-1-5-21-3651478259-4121578499-3132057975
>
> #pdbedit -v user
> User SID: S-1-5-21-3182595135-1874831366-4239877494-60012
> Primary Group SID: S-1-5-21-3651478259-4121578499-3132057975-513

Your user SID is composed of the domain SID (ie S-1-5-21-3182595135-1874831366-4239877494-60012), which is the same for all users and groups of a domain, and the end part which is the user RID (relative ID) -60012. Same thing for your group SID. So you can see here that the domain SID part of the user SID is not the same as the domain SID S-1-5-21-3651478259-4121578499-3132057975. That is what your debug log message basically says.

I don't think that it is just a squeeze to wheezy upgrade that would have messed up that much with your ldap entries. You should double check your ldap.

And take a look at samba4, it is much easier to set up and manage.

Cheers,

Denis

> Thanks,
>
> Marcos.
Re: [Samba] Samba4 - Manage DNS with MMC shows "ghost" Entries
Hi Mark,

> We wanted to deploy Samba4 in our existing Samba3 Environment. So far everything (migrating the user data etc) went quite well, but after the initial domain-deployment we are seeing ghost entries or random data in our "DNS" MMC snap-in on our windows client. Every refresh triggers a new view. Basically it is the problem/bug outlined here:
>
> https://bugzilla.samba.org/show_bug.cgi?id=9791
>
> As you can see from bugzilla, we tried a lot of different versions but the odd behavior still stays the same. So we had to stop the deployment and have yet to wait for some information regarding this issue. We'd really like to deploy Samba4, but we need to understand the outlined behavior first before we dare to use it in a running production environment.
>
> Has anyone else encountered or seen this behavior as well?

There have been some people having the same weird issue (cf. thread http://article.gmane.org/gmane.network.samba.general/130443/). The thing is quite visually annoying, but it does not seem to have any consequences on the proper functioning of the dns server. I've had this issue both with internal DNS and bind, and with a few different versions of samba4. I haven't tried the fresh 4.0.6 though.

When looking at entries through samba-tool or directly in ldap with apache directory studio, everything seems to be fine. It is probably some non ms handling of the dnsRecord attribute data that makes the weird display.

If you can bear with the strange display, this shouldn't be a show stopper.

Cheers,

Denis

> regards
>
> Mark B. Sander
Re: [Samba] Failure to join existing domain Windows 2003 Server domain
Hi Tony,

> > Hi, before I start, I would like to point out that this is a guess, I have never done what you are trying to do, BUT. Is the DC you are trying to join to, running as an exchange server? if it is, I do not think the join will work because, as standard samba4 does not have the exchange schema, it may work if you add openchange to your samba4 server. As I said this is all just a guess. ;-)
> >
> > Rowland
>
> The particular DC does not have any Exchange components, but yes we have Exchange in the organization.
>
> Exchange servers add schema to the Active Directory, even if they are installed on other servers.
>
> This was a pilot project, I think this is the point to shelve it for a few months and see what the landscape looks like then. Thanks very much for the information.

I don't have an exchange server currently running with samba4, but I have been able to switch MSAD to samba4 even though there was an old Exchange 2000 schema loaded. The ldap entries are still there and I didn't have any issues when adding a samba4 DC to the MSAD and synchronizing. Actually when synchronising, you transfer both data and schema definition. However it may not be as smooth with other Exchange versions.

Keep on trying, samba4 is worth it!

Cheers,

Denis

> Tony
Re: [Samba] Fwd: Re: Re: Cannot add/modify ACL through windows client
Hi Lucas,

> on both samba hosts (donald and pluto) these commands work great:
>
> id johndoe
> getent group
> getent passwd
>
> My pluto:/etc/nsswitch.conf looks like that:
>
> [...]
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
> [...]
>
> I want to add, that the described problem works fine if I try it on a share on "donald", my domain controller. The users are displayed fine under the security tab. So where could be the problem?

Users may be displayed because of the query to the PDC. If your nsswitch works properly, then I think we ought to look into your smb.conf. Could you please post the global part? Are you using security=user or security=domain? What do you get with pdbedit -L -v ?

By the way, samba4 rocks and it is much easier to set up. You should try it.

Cheers,

Denis

> Lucas
>
> Tue 14 May 2013 19:57:00 +0400, Denis Cardon wrote:
>
> > Hi Lucas,
> >
> > > I am struggling around with Windows ACLs and cannot find a solution nor how to troubleshoot that.
> > >
> > > I have two samba3 hosts. Hostname "donald" is my domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto" is my other samba 3.x server which was joined to my domain. I use LDAP for my users+groups. I dont have winbind on my machines.
> > >
> > > On hostname "pluto" I have a share in smb.conf which says:
> > >
> > > [free4all]
> > > path = /data/free4all
> > > read only = No
> > > create mask = 0777
> > > directory mask = 0777
> > > vfs object = acl_xattr
> > > nt acl support = yes
> > > dos filemode = yes
> > >
> > > "testparm -s -a -v |grep acl" shows me:
> > >
> > > acl compatibility = auto
> > > acl check permissions = Yes
> > > acl group control = No
> > > acl map full control = Yes
> > > force unknown acl user = No
> > > inherit acls = No
> > > nt acl support = Yes
> > > profile acls = No
> > > map acl inherit = No
> > > vfs objects = acl_xattr
> > > force unknown acl user = Yes
> > >
> > > On a windows client I am right-clicking on \\pluto\free4all\subdir and choose the "Security" tab. I see a user called "Everyone" and a user without username, but only SID number. The SID is S-1-5-21-blablabla-1234567-blabla-500.
> > >
> > > I manually checked this SID at my LDAP database. Funnily I have two users with this same SID, one is called "root" and the other is called "admin". Weird, but not important imho at this point.
> >
> > Rid -500 is part of the well known SIDs, it should be for the admin user and shouldn't be used for root (http://support.microsoft.com/kb/243330)
> >
> > > Back on the windows client, inside the "Security" tab, I click on "Add" and choose a user of my Domain Users. I see him in the list. But as soon as I click "Apply" on this window, the user disappears from the security tab list.
> > >
> > > The logfile at samba-server hostname=pluto outputs:
> > >
> > > [2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
> > > create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
> > >
> > > This SID was the user I tried to add.
> > >
> > > Why does this not work and how should I fix or even troubleshoot that? I really need some assistance, I have no clue what else to try.
> > >
> > > Thanks to everyone.
> >
> > Are you sure that there is a uid/gid mapping for your samba users on your server? For instance, if you type "id myusername" or "getent passwd", do you get a uid? If not, you should check if your /etc/nsswitch.conf configuration is ok. If you don't use winbind, you should have nss_ldap configured.
> >
> > Cheers,
> >
> > Denis
> >
> > > Lucas.
Re: [Samba] Cannot add/modify ACL through windows client
Hi Lucas,

> I am struggling around with Windows ACLs and cannot find a solution nor how to troubleshoot that.
>
> I have two samba3 hosts. Hostname "donald" is my domain controller with samba 3.x + OpenLDAP server running. Hostname "pluto" is my other samba 3.x server which was joined to my domain. I use LDAP for my users+groups. I dont have winbind on my machines.
>
> On hostname "pluto" I have a share in smb.conf which says:
>
> [free4all]
> path = /data/free4all
> read only = No
> create mask = 0777
> directory mask = 0777
> vfs object = acl_xattr
> nt acl support = yes
> dos filemode = yes
>
> "testparm -s -a -v |grep acl" shows me:
>
> acl compatibility = auto
> acl check permissions = Yes
> acl group control = No
> acl map full control = Yes
> force unknown acl user = No
> inherit acls = No
> nt acl support = Yes
> profile acls = No
> map acl inherit = No
> vfs objects = acl_xattr
> force unknown acl user = Yes
>
> On a windows client I am right-clicking on \\pluto\free4all\subdir and choose the "Security" tab. I see a user called "Everyone" and a user without username, but only SID number. The SID is S-1-5-21-blablabla-1234567-blabla-500.
>
> I manually checked this SID at my LDAP database. Funnily I have two users with this same SID, one is called "root" and the other is called "admin". Weird, but not important imho at this point.

Rid -500 is part of the well known SIDs, it should be for the admin user and shouldn't be used for root (http://support.microsoft.com/kb/243330)

> Back on the windows client, inside the "Security" tab, I click on "Add" and choose a user of my Domain Users. I see him in the list. But as soon as I click "Apply" on this window, the user disappears from the security tab list.
>
> The logfile at samba-server hostname=pluto outputs:
>
> [2013/05/14 15:48:08.861822, 0] smbd/posix_acls.c:1755(create_canon_ace_lists)
> create_canon_ace_lists: unable to map SID S-1-5-21-1062190697-4189521229-2202214947-129762 to uid or gid.
>
> This SID was the user I tried to add.
>
> Why does this not work and how should I fix or even troubleshoot that? I really need some assistance, I have no clue what else to try.
>
> Thanks to everyone.

Are you sure that there is a uid/gid mapping for your samba users on your server? For instance, if you type "id myusername" or "getent passwd", do you get a uid? If not, you should check if your /etc/nsswitch.conf configuration is ok. If you don't use winbind, you should have nss_ldap configured.

Cheers,

Denis

> Lucas.
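Two threads on this page come down to the structure of a SID: the samu_to_SamInfo3 failure in the Debian 7 thread above (user and primary group SIDs carrying different domain parts) and the ACL thread here (RID 500 shared by "root" and "admin", and a SID that cannot be mapped to a uid/gid). The script below is an added example, not code from either thread or from Samba: it splits S-1-5-21-a-b-c-rid into domain SID and RID, reproduces the domain-consistency check behind the quoted log line, and scans an account list for SIDs shared by several entries. The SID values come from the quoted log and pdbedit output; the LDAP entry list is constructed for the example.

```python
"""Added example, not code from the threads or from Samba: SID sanity checks.

S-1-5-21-<a>-<b>-<c> is the domain SID, identical for every account in one
domain; the trailing component is the RID. smbd rejects a user whose primary
group SID belongs to another domain (the samu_to_SamInfo3 message quoted
above), and cannot build an ACL entry for a SID it cannot map to a uid/gid.
Well-known RIDs are from MS KB 243330, cited in the thread.
"""
import re
from typing import Dict, List, Tuple

# Well-known RIDs (MS KB 243330) relevant to the problems discussed.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
}

_DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain_sid, rid) for an NT domain SID; rid is -1 for a bare
    domain SID. Anything that is not S-1-5-21-a-b-c[-rid] raises ValueError,
    so well-known non-domain SIDs such as S-1-1-0 (Everyone) are never
    mistaken for domain accounts."""
    m = _DOMAIN_SID.match(sid)
    if not m:
        raise ValueError(f"not an NT domain SID: {sid!r}")
    domain, rid = m.groups()
    return domain, int(rid) if rid is not None else -1


def check_account(user_sid: str, primary_group_sid: str, server_domain_sid: str) -> List[str]:
    """Reproduce the checks behind the quoted log lines.
    Returns a list of problems; an empty list means the account is consistent."""
    problems = []
    user_domain, _ = split_sid(user_sid)
    group_domain, _ = split_sid(primary_group_sid)
    if group_domain != user_domain:
        problems.append(
            f"primary group domain SID {group_domain} does not match "
            f"user domain SID {user_domain} (the samu_to_SamInfo3 failure)"
        )
    if user_domain != server_domain_sid:
        problems.append(
            f"user domain SID {user_domain} is not the domain SID this server "
            f"reports ({server_domain_sid}); check 'net getlocalsid' against LDAP"
        )
    return problems


def duplicate_sids(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each SID shared by several accounts to the names sharing it.
    Two accounts with one SID (the root/admin case above) are the same
    principal to a Windows ACL, so any hit here is a configuration error."""
    by_sid: Dict[str, List[str]] = {}
    for name, sid in entries.items():
        by_sid.setdefault(sid, []).append(name)
    return {sid: names for sid, names in by_sid.items() if len(names) > 1}


def describe_rid(sid: str) -> str:
    """Role of a SID's RID, e.g. 'Administrator' for RID 500."""
    _, rid = split_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, f"ordinary RID {rid}")


# Values from the Debian 7 thread's log and pdbedit output.
USER_SID = "S-1-5-21-3182595135-1874831366-4239877494-60012"
PRIMARY_GROUP_SID = "S-1-5-21-3651478259-4121578499-3132057975-513"
SERVER_DOMAIN_SID = "S-1-5-21-2260219023-4180104146-1160048873"  # net getlocalsid

# Constructed LDAP dump for the ACL thread: two accounts sharing RID 500.
SAMPLE_ENTRIES = {
    "root": "S-1-5-21-1062190697-4189521229-2202214947-500",
    "admin": "S-1-5-21-1062190697-4189521229-2202214947-500",
    "lucas": "S-1-5-21-1062190697-4189521229-2202214947-129762",
}

if __name__ == "__main__":
    for problem in check_account(USER_SID, PRIMARY_GROUP_SID, SERVER_DOMAIN_SID):
        print("problem:", problem)
    for sid, names in duplicate_sids(SAMPLE_ENTRIES).items():
        print(f"{sid} ({describe_rid(sid)}) shared by {', '.join(names)}")
```

Feeding it the sambaSID attributes from an `ldapsearch` dump (name to SID) is the quickest way to find both the duplicate RID 500 and any account whose domain part drifted away from what `net getlocalsid` reports.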
Re: [Samba] Samba fsmo/demote/unjoin trouble after crash
Hi Giedrius,

> i've got initial setup on DC1 (4.0.1)... all working good and flawless
> Added additional geographically distributed controllers (DC2, DC3, DC4, DC5) with 4.0.5 - no problem. All PC's can connect to their own site/DC
> Transferred all FSMO's to DC2 - transferred successfully (with seize "error" bug)
> DC1 crashed badly during maintenance, SAMBA was updated to 4.0.5, data restored from backup.
>
> Now, the problem is:
>
> 1) DC1 sees itself as owner of all FSMO's, although DC[2,3,4,5] see DC2 as owner of FSMO's
> 2) DC1 is missing some users (created between backup and crash), wbinfo for these users returns E_DOMAIN_NOT_FOUND
> 3) Got "decrypt integrity check failed" errors, fixed with chtdcpass, which now results in "Failed to find HOST$#DOMAIN(kvno)" (client reboot seems to fix this)
> 4) any attempt to replicate missing information from DC2/DC3 to DC1 (samba-tool drs replicate) results in errors after it (cannot find own NTDS)
> 5) impossible to demote / unjoin server and provision from scratch - some DRS errors
>
> Question is: how can i change the FSMO owner (ldbedit ?) on DC1 to be DC2 and then:
>
> a) replicate missing users (and computer trust accounts) to DC1
> b) force removing DC1 from domain for good ( reinstall from scratch )
>
> Domain as a whole recreation from scratch is sadly *not* an option :(

On https://wiki.samba.org/index.php/Backup_and_Recovery#General it is clearly stated that you shouldn't restore a DC from backup in a multi DC environment. The other DCs have evolved since you backed up your data, and you cannot have synchronisation with the other DCs. It is not a Samba problem, but it is by design because of the multi master replication between DCs.

You should just re-install samba4 4.0.5 on your DC1 server, and then join it to the domain as a DC; it will synchronise and all will be back to normal.

Cheers,

Denis
Re: [Samba] Samba 4 + Zimbra 8
Hi Martin,

> I have a setup - Samba 4 for AD functionality and Zimbra 8 for e-mail and collaboration. Configured in Zimbra that for authentication Samba 4 has to be used. Basically it works, but now randomly one time in two or three days authentication just stops working. Nobody is able to log in to Zimbra e-mail. Had to restart samba and everything goes as nothing ever happened! :(

are you using the zimbra SSO kerberos auth (no login/password to type in) or the ldap bind authentication? As far as ldap auth is concerned, I have a few sites with similar configuration and no issues (at least up to now :-). Here at the office we are using zimbra 8 (8.0.2.GA.5569.UBUNTU10.64) on ubuntu 10.04.3, and samba 4.0.5 compiled from source on debian wheezy.

What version of samba are you using? I had some issues earlier with beta2 when one would change password.

Cheers,

Denis

> Last entry in log.samba is:
>
> [2013/05/14 11:11:06, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
> NTLMSSP NTLM2 packet check failed due to invalid signature!
>
> But it was written in log ~1,5 hours before it happened!
>
> Before service restart 'ps -ef | grep samba' showed:
>
> root 4486 1 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4487 4486 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4488 4486 0 08:27 ? 00:00:09 /usr/local/samba/sbin/samba -D
> root 4489 4486 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4490 4486 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4491 4487 0 08:27 ? 00:00:01 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 4492 4486 0 08:27 ? 00:00:38 /usr/local/samba/sbin/samba -D
> root 4493 4486 0 08:27 ? 00:00:02 /usr/local/samba/sbin/samba -D
> root 4494 4486 0 08:27 ? 00:00:03 /usr/local/samba/sbin/samba -D
> root 4495 4486 0 08:27 ? 00:00:05 /usr/local/samba/sbin/samba -D
> root 4496 4486 0 08:27 ? 00:00:01 /usr/local/samba/sbin/samba -D
> root 4497 4486 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4498 4486 0 08:27 ? 00:00:02 /usr/local/samba/sbin/samba -D
> root 4499 4486 0 08:27 ? 00:00:00 /usr/local/samba/sbin/samba -D
> root 4502 4491 0 08:27 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 4516 4491 0 08:29 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 5004 4491 0 10:08 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 5438 4491 0 11:36 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> root 5746 4491 0 12:38 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 371 6291 4491 0 13:32 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
> 367 6297 4491 0 13:32 ? 00:00:00 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
>
> Does anybody have an idea where to dig?! Are there any other logs or a verbose/debug mode to find out what causes this unexpected stop?!
>
> regards,
>
> Martins
Re: [Samba] ntp and samba4
Hi Michael,

> Recently i noticed that upon starting the samba4 'samba' daemon, that it changes the group ownership of the socket for ntpd to *staff*
>
> $ls -l /usr/local/samba/var/lib/ntp_signd/
> total 0
> srwxrwxrwx 1 root *staff* 0 May 6 16:35 socket
>
> The documentation says it needs to be *ntp* (FYI: i'm running this on debian wheezy)
>
> I have just added ntp to group staff, but that seems like a workaround...

I had to do the same on each new install for some time. I guess that it must work out of the box on some other distribution than debian. It is a pity that samba4 didn't make it into the wheezy release. Fortunately the build system is very neat and compilation is quite easy anyway.

Cheers,

Denis
Re: [Samba] dns entries look weird in remote administration dns tool
Hi Chantal and Alex,

> yes exactly like that Alex! Well, with other entries of course :)

I have the same strange MS DNS console display here on multiple samba4 production installs (both with classicupgrad'ed servers and servers joined to MS AD). I first noticed it at the beta or rc stage, so I didn't care much about it at that time since it does not seem to have any impact on real dns queries. However I still have the same issue as you have with samba 4.0.5.

Cheers,

Denis

> On 05/02/2013 02:32 PM, Alex Matthews wrote:
>
> > Hiya,
> >
> > My Windows based DNS utility always looks like this: http://i.imgur.com/hhGmm0w.png
> >
> > Is that similar to what you're referring to Chantal? I've not noticed it cause a problem. Although I'm sure it shouldn't be like it!
> >
> > Thanks,
> >
> > Alex
> >
> > On 02/05/2013 08:13, Chantal Rosmuller wrote:
> >
> > > Hi,
> > >
> > > On our samba 4 testserver we inserted the dns records from our dns server using samba-tool. Everything seems to work ok but when I look at the dns entries with the windows dns remote administration tool it all looks very weird. Here's an example:
> > >
> > > This is the insert command:
> > >
> > > samba-tool dns add samba4.example.com example.com www1 A 192.168.0.120 -U administrator
> > >
> > > When I query the dns with samba-tool I get this (looks fine to me);
> > >
> > > [root@samba4 ~]# samba-tool dns query localhost example.com www1 A -U administrator
> > > Password for [EXAMPLE\administrator]:
> > > Name=, Records=1, Children=0
> > > A: 192.168.0.120 (flags=f0, serial=280, ttl=900)
> > >
> > > In the windows dns tools however the record for www1 shows up twice, one looks normal, the other doesn't have any values for type data and timestamp. Can anyone explain this, we would like to be sure everything is ok before we start using the server in our production environment.
> > >
> > > our OS: CentOS release 6.3 (Final)
> > > samba version: samba 4.0.3
> > >
> > > Thanks!
Re: [Samba] named pipe, dcom and samba4
Hi again, after a classicupgrade from a samba3 domain to a samba4, I have a weird issue related to DCOM and named pipes. The switch to samba4 went fine and everything works perfectly except one old software that uses Windows named pipes and DCOM for client-server communication. When trying to access the DCOM server the software fails. The failure can be easily reproduced with a simple vbscript call. dim vl set vl = CreateObject("ManagerMax.clsmanager","magnus") this call gives me the following windows error code : 80070721 There is a blog post (http://blogs.msdn.com/b/distributedservices/archive/2009/07/20/activation-of-a-com-component-fails-on-windows-server-2008-with-the-error-80070721.aspx) suggesting to create SPN for the DCOM services. For those who might be interested, I added the SPN using the following command line for all the username that had to access the DCOM service (the DCOM service is launch on the server with the identity of the user on the client machine), and then everything went back to normal : setspn.exe -A Interface_Max.Cls_Interface/Magnus.mydomain.local MYDOMAIN\myusername However I am wondering why the authentication to the DCOM server on a win2k3 AD appears to fall back to NTLM while the GSSAPI negociation though a samba4 server goes the kerberos way by default... Hope this post will help another poor adminsys that will face the same DCOM horror story. And by the way, samba4 really rocks! :-) Cheers, Denis However the software maker helpdesk tells me that they have never heard of service principals and says it should work out of the box. I asked them to provide me with a setspn -l listing of the principal of a working configuration, and indeed there is no SPN associated with the DCOM objects. So I guess the authentication probably goes through NTMLv2 in a MSAD environement but seems to require kerberos auth in a Samba4 setup. Is anyone gone through this kind of issue yet? 
Thanks, Denis
-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
[Samba] named pipe, dcom and samba4
Hi everyone,

After a classicupgrade from a Samba3 domain to Samba4, I have a weird issue related to DCOM and named pipes. The switch to Samba4 went fine and everything works perfectly except one old piece of software that uses Windows named pipes and DCOM for client-server communication. When trying to access the DCOM server the software fails. The failure can be easily reproduced with a simple VBScript call:

dim vl
set vl = CreateObject("ManagerMax.clsmanager","magnus")

This call gives me the following Windows error code: 80070721. There is a blog post (http://blogs.msdn.com/b/distributedservices/archive/2009/07/20/activation-of-a-com-component-fails-on-windows-server-2008-with-the-error-80070721.aspx) suggesting to create SPNs for the DCOM services. However the software maker's helpdesk tells me that they have never heard of service principals and says it should work out of the box. I asked them to provide me with a setspn -l listing of the principals of a working configuration, and indeed there is no SPN associated with the DCOM objects. So I guess the authentication probably goes through NTLMv2 in an MS AD environment but seems to require Kerberos auth in a Samba4 setup. Has anyone gone through this kind of issue yet?

Thanks, Denis
-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
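Two checks worth running after a workaround like the setspn one in this thread, given here as an added example (not code from the thread or from Samba). First, an SPN registered on more than one account breaks Kerberos for that service, because the KDC cannot tell which account's key to encrypt the service ticket with; clients then fail or fall back to NTLM. Second, an SPN on an ordinary user account lets any authenticated domain user request a service ticket encrypted with that user's password hash and crack it offline (Kerberoasting), so every user account given an SPN this way needs a long random password. The script parses an LDIF dump of the accounts that carry servicePrincipalName; the sample data is constructed and the ldbsearch path in the docstring is an assumption that depends on the Samba install.

```python
"""Audit servicePrincipalName (SPN) assignments (added example, not Samba code).

Reads a minimal LDIF dump of accounts that carry an SPN, e.g. from
    ldbsearch -H /usr/local/samba/private/sam.ldb \
        '(servicePrincipalName=*)' sAMAccountName servicePrincipalName
(path is an assumption; it depends on the Samba install) and reports
  * SPNs held by more than one account, which break Kerberos for that service;
  * user accounts (not computer accounts) that hold an SPN, whose password
    can be attacked offline by any domain user (Kerberoasting).
"""
from collections import defaultdict

# Constructed sample: one computer account and two user accounts, with one
# SPN accidentally registered on both users (differing only in case).
SAMPLE_LDIF = """\
dn: CN=MAGNUS,CN=Computers,DC=mydomain,DC=local
sAMAccountName: MAGNUS$
servicePrincipalName: HOST/magnus.mydomain.local
servicePrincipalName: HOST/MAGNUS

dn: CN=myusername,CN=Users,DC=mydomain,DC=local
sAMAccountName: myusername
servicePrincipalName: Interface_Max.Cls_Interface/Magnus.mydomain.local

dn: CN=otheruser,CN=Users,DC=mydomain,DC=local
sAMAccountName: otheruser
servicePrincipalName: interface_max.cls_interface/magnus.mydomain.local
servicePrincipalName: MSSQLSvc/db01.mydomain.local:1433
"""


def parse_ldif(text):
    """Return {sAMAccountName: [spn, ...]} from an LDIF dump (blank line = new entry)."""
    accounts = {}
    name, spns = None, []
    for line in text.splitlines() + [""]:
        if not line.strip():                 # end of one entry
            if name is not None:
                accounts[name] = spns
            name, spns = None, []
            continue
        attr, _, value = line.partition(": ")
        if attr == "sAMAccountName":
            name = value.strip()
        elif attr == "servicePrincipalName":
            spns.append(value.strip())
    return accounts


def duplicate_spns(accounts):
    """SPNs registered on more than one account (SPNs compare case-insensitively)."""
    owners = defaultdict(set)
    for name, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(name)
    return {spn: sorted(names) for spn, names in owners.items() if len(names) > 1}


def roastable_users(accounts):
    """User accounts carrying an SPN. Computer accounts (names ending in '$')
    are excluded: their passwords are random and rotated automatically."""
    return sorted(name for name, spns in accounts.items()
                  if spns and not name.endswith("$"))


if __name__ == "__main__":
    acc = parse_ldif(SAMPLE_LDIF)
    for spn, names in duplicate_spns(acc).items():
        print(f"DUPLICATE SPN {spn}: {', '.join(names)}")
    for name in roastable_users(acc):
        print(f"USER ACCOUNT WITH SPN (needs a long random password): {name}")
```

On the sample, the script flags the DCOM SPN as registered on two users and lists both users as Kerberoastable. Running it against a real dump before and after each setspn -A is a cheap way to catch the duplicate-SPN failure mode, which otherwise shows up only as a client quietly falling back to NTLM.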
Re: [Samba] Organization of Users in Samba4
Hi Andrew Martin,

On 24/01/2013 23:54, Andrew Martin wrote:

Thanks for the clarification. Andrew

I am working on migrating from OpenLDAP using the inetOrgPerson schema to Samba4. I would like to continue to provide backwards compatibility with our existing authentication service. In OpenLDAP, users are all contained inside the People organizational unit and referenced by uid, for example:

dn: uid=myuser,ou=People,dc=example,dc=com

When using samba-tool to add a user, it places the user inside of the Users cn, and references the user via its cn entry rather than via uid:

dn: cn=myuser,cn=Users,dc=example,dc=com

Is there any Samba4 or AD reason why I need to use cn=myuser,cn=Users,dc=example,dc=com for users, or can I import them to uid=username,ou=People,dc=example,dc=com and use this organizational structure instead?

You can import them in an OU called People but they will have the RDN CN, not UID. The reason it is like that is that we have to be compatible with the other AD implementation.

If you really need to present your LDAP RDN as uid for legacy stuff, I guess you could set up an OpenLDAP with an rwm overlay (http://linux.die.net/man/5/slapo-rwm). However I think it would be easier in the end to stick to MS AD standards with a CN RDN.

Cheers, Denis

Matthieu
-- Matthieu Patou Samba Team http://samba.org

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Roaming Profiles under Linux clients
Hi Mario,

Any ideas how to implement roaming profiles under Linux as the clients?

pam_csync http://www.csync.org/ seems to be pretty close to a direct feature-equivalent for Linux.

Csync indeed seems to be the closest match I found too. Unfortunately the project does not seem very lively: the last release was in 2010 and the development Trac interface is down... However the blog linked on the main page talked about csync recently (http://blog.cryptomilk.org/2012/03/21/synchronize-two-folders-on-a-mac-and-other-unix-systems-with-csync/) so I might still give it a try. If anyone has some experience with that, I'm interested in hearing from them, especially the bad-case scenarios (two sessions open concurrently, clock skew, etc.).

though such a thing is not always appropriate, NFS or pam_mount will be faster and easier to maintain if you don't need the clients to be able to work off-line.

In the past, I've been using NFS for home directory export but I've never been able to make file ACLs work right (share ACL, default ACL, umask and all). Then I switched to CIFS mounting and the ACL issue is now resolved. However when you have 40 users with badly written userland programs pounding 'round the clock on their CIFS-mounted home, it gets tough for the file server. I'd prefer that bunch of mostly useless random I/O to stay local rather than be transferred to the server. Roaming profiles are a pain to maintain, but mounted home shares are not a solution either in my use case.

Note: I had a bad time with pam_mount. I would advise using pam_script and handling the mounting in your own script; it is much more versatile and easier to debug.

Cheers, Denis

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] unable to configure NTP server
Hi Deepak,

I am still struggling with the NTP server configuration. Is there no method by which I can sync all my domain users with the same time as on the server, because I have to face a lot of issues due to the same. I have searched a lot but the only thing which I found was to add these two lines in my ntp.conf:

ntpsigndsocket /opt/ad/samba4/var/run/ntp_signd/
restrict default mssntp

I am using CentOS 6 and the ntp rpm is 4.2

I guess the version of ntp you are using does not support NTP signing. You might check the Samba4 wiki; it asks for ntp version 4.2.6 or higher.

https://wiki.samba.org/index.php/Samba4/HOWTO#Step_10:_Configure_NTP_.28Optional.29

After that the configuration is straightforward: just add the two lines you posted above and check the socket path, which might change depending on your compilation/installation.

Cheers, Denis

I also tried to compile using a tar ntp file with --enable-ntp-signd. Can any one help me please.

Thanks, deepak

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
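As an added example, not part of Deepak's or Denis's mails, here is an ntp.conf for a Samba AD DC with signed NTP replies enabled. The two lines posted in the thread are the ones that matter for signing, but if "restrict default mssntp" is the only restrict statement it also lifts every other default restriction: anyone who can reach UDP/123 can then send mode 6/7 control queries (including the monlist amplification query on ntp 4.2.6 builds) or attempt to modify the running daemon. The form from the Samba wiki keeps the usual restrictions and adds mssntp to them. The socket directory below is an assumption; it depends on how Samba was built.

```conf
# /etc/ntp.conf for a Samba AD DC (added example, not from the thread)

# Upstream time sources of your choice, plus the local clock as a fallback
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Directory of the socket Samba creates for MS-SNTP signing requests.
# Assumed path; on the DC, find the real one with:  smbd -b | grep NTP_SIGND_SOCKET_DIR
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/

# Weak (as posted in the thread): on its own this is the only restriction,
# so it also allows control queries and modification from any client.
#restrict default mssntp

# Corrected: keep the normal restrictions and add mssntp for signed replies
restrict default kod nomodify notrap nopeer noquery mssntp
restrict 127.0.0.1
restrict ::1
```

ntpd must be able to reach the socket: the ntp_signd directory has to be readable and searchable by the user ntpd runs as (on most installs, chgrp to the ntp group and chmod 750), and ntpd must have been built with --enable-ntp-signd, as Deepak tried. Clients that still refuse to sync after this are usually hitting a clock skew larger than the Kerberos tolerance, so set the time once by hand before expecting w32time to follow.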
Re: [Samba] Roaming Profiles under Linux clients
Hi Mario,

As I configured the roaming profiles under Linux, it more or less generates an abnormal operation (in less than 2 mins) if I add/copy some files to the home directory. But for Windows XP and Windows 7 it is running smoothly and it generates folders at the Samba4 server location with the corresponding users, e.g. Administrator (for XP) and Administrator.V2 (for Win7/2008), based on my observations.

I'm interested in the way you configured the roaming profile on the Linux side. Did you use csync for the synchronisation? I've looked at it in the past and didn't find any straightforward solution. Anyway, I guess there should be some kind of Administrator.linux profile directory on the server side, since the Ubuntu profile won't be compatible from Windows to Linux (those profiles are not even compatible between WinXP and Win7...).

Cheers, Denis

I was confused on roaming under Linux (or maybe it was not yet supported), because once I login as the administrator (one account in Samba4 - AD user) in Linux, adding (files to the desktop) or modifying (I used to move to the home directory), then login to Windows 7 and WinXP, it will NOT login when I see the logs of the server using -d3:

Kerberos: Client sent patypes: encrypted-timestamp, 128
Kerberos: Looking for PKINIT pa-data -- administrator@UCHIHA
Kerberos: Looking for ENC-TS pa-data -- administrator@UCHIHA
Kerberos: Failed to decrypt PA-DATA -- administrator@UCHIHA (enctype arcfour-hmac-md5) error Decrypt integrity check failed
Kerberos: Failed to decrypt PA-DATA -- administrator@UCHIHA
Kerberos: AS-REQ administrator@UCHIHA from ipv4:192.168.150.135:3064 for krbtgt/UCHIHA@UCHIHA

But after a few minutes, you can login again and this time it will display at the system tray (a dialog box) "User Profile Service. There was a problem with your roaming profile. You have been logged on with your previously saved local profile. Please see the event logs for details or contact your administrator", but those files are only a few bytes (less than 1MB), just the pam.d files. The saved files are not located on either Windows XP or 7.

auth_check_password_send: Checking password for unmapped user [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
auth_check_password_send: mapped user is: [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
ntlm_password_check: NTLMv2 password check failed
ntlm_password_check: Lanman passwords NOT PERMITTED for user administrator
ntlm_password_check: LM password, NT MD4 password in LM field and LMv2 failed for user administrator
auth_check_password_recv: sam_ignoredomain authentication for user [UCHIHA\administrator] FAILED with error NT_STATUS_WRONG_PASSWORD
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/AMBOT-LINUX
auth_check_password_send: Checking password for unmapped user [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
auth_check_password_send: mapped user is: [UCHIHA]\[administrator]@[\\AMBOT-LINUX]
Got a dns update request.
Update not allowed for unsigned packet.
Tkey handshake completed
Terminating connection - 'dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[dns_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

But after 20 mins, because I went somewhere, it goes back to normal again. I conclude that Linux (Ubuntu 12.04) roaming profiles are not yet implemented in Samba4 RC2 - CentOS 6.3. Other observation: the Windows 7 machine is not detected in the network, but WinXP and Ubuntu machines are visible. Any ideas how to implement roaming profiles under Linux as the clients?

Cheers, Mario

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Samba 4 provisioning error on Ubuntu 12.04
Hi Rowland,

Well, after a bit of thought and downloading the kernel source from Ubuntu, I am answering my own question.

I came across the same issue last week. Actually, with the newest kernels (wheezy / Ubuntu 12.04), /proc/mounts does not show options that are set up by default in tune2fs (see the "Default mount options" below):

[root@debian ~]# tune2fs -l /dev/xvda1
tune2fs 1.42.2 (9-Apr-2012)
Filesystem volume name:
Last mounted on: /
Filesystem UUID: 571f5042-f210-45a1-9385-e5caf2f86e8b
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery extent flex_bg sparse_super large_file huge_file uninit_bg dir_nlink extra_isize
Filesystem flags: signed_directory_hash
Default mount options: user_xattr acl

If you want to have the acl flag displayed in /proc/mounts (and /etc/mtab, which now finally symlinks to /proc/mounts), you have to remove the "Default mount options" with the command below and add the acl option in /etc/fstab:

tune2fs -o ^acl /dev/xvda1

Cheers, Denis

This is from the source file for the kernel that Ubuntu 12.04 uses (3.2.0-25). It comes from "Documentation/filesystems/ext4.txt":

nouser_xattr  Disables Extended User Attributes. If you have extended attribute support enabled in the kernel configuration (CONFIG_EXT4_FS_XATTR), extended attribute support is enabled by default on mount. See the attr(5) manual page and http://acl.bestbits.at/ for more information about extended attributes.

noacl  This option disables POSIX Access Control List support. If ACL support is enabled in the kernel configuration (CONFIG_EXT4_FS_POSIX_ACL), ACL is enabled by default on mount. See the acl(5) manual page and http://acl.bestbits.at/ for more information about acl.

If I run:

cat /boot/config-3.2.0-25-generic | grep CONFIG_EXT4

I get:

CONFIG_EXT4_FS=y
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
# CONFIG_EXT4_DEBUG is not set

I would suggest that, as I thought, you do not have to add anything to /etc/fstab to get ACLs; in fact you have to add something to turn them off.

Rowland

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Technical problems with samba 3.5.11 and access 97 .mdb
Hi Adrià,

I'm having trouble with Samba 3.5.11 and an Access 97 database. I work in a business with 5 users that use an .mdb database over Samba, and for the first one to make a query everything works fine, but if some other user tries to make a query when the first one is doing it, the database works really slowly, as if the .mdb file is being blocked (that's what I suppose). I've been reading a lot about it; I found people talking about changing smb.conf to oplocks = no and level2 oplocks = no, but it doesn't work for me.

Have you tried adding the following line to your shares?

veto oplock files = /*.mdb/*.MDB/

Cheers, Denis

smb.conf

[global]
log file = /var/log/samba/log.%m
syslog = 0
panic action = /usr/share/samba/panic-action %d
guest account = nobody
encrypt passwords = true
passdb backend = tdbsam
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
obey pam restrictions = yes
map to guest = bad user
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY
passwd program = /usr/bin/passwd %u
dns proxy = no
netbios name = Server
server string = %h
logon script = INICIO.BAT
unix password sync = yes
workgroup = TRM
os level = 99
usershare allow guests = yes
security = share
max log size = 1000
pam password change = yes
# domain logons = yes
domain logons = no
interfaces = 192.168.0.193/255.255.255.0
oplocks = no
level2 oplocks = no
# strict locking = no
fake oplocks = no

[netlogon]
path = /usr/lib/samba/netlogon

[SHARE]
comment = Servidor
path = /mnt/fitxers
browseable = yes
read only = no
guest ok = yes

With an earlier version of Samba (2, I think) everything was fine, but since I upgraded it users complain to me about how slowly the database works (just when 2 people are using it). Sorry for my horrible English and thanks for your time.

Adrià,

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] smb_acl_to_posix: ACL is invalid for set (Invalid argument) - in 3.5.6
Hi lejeczek,

this happens when a Domain Admin adds a user-permission set via Properties/Security in Windows:
folder_A was created by a Domain Admin;
a new permission - Modify - was added over folder_A for user_A;
user_A created a file_A.txt in folder_A;
now the Domain Admin goes back to the properties of folder_A wanting to change/modify security entries;
the operation fails on Windows: "An error occurred while applying security information to: ..\folder_A\files_A.txt. Access is denied"; on Samba: as in the subject.

I had the same issue on Samba 3.5.6 from Debian squeeze this week. The server is an AD member with interdomain trust, acl and user_xattr. Applying the patch from https://bugzilla.samba.org/show_bug.cgi?id=7509 did solve the problem (at least I haven't got that error since then).

Cheers, Denis

that could be a bug, no? thanks

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
[Samba] system freeze with message CIFS VFS: Unexpected lookup error -88
Hi everyone,

I have had a few system freezes in recent months (Debian squeeze with vmlinuz-2.6.32-5-686-bigmem), with the following messages in dmesg:

CIFS VFS: Unexpected lookup error -88
CIFS VFS: Send error in SessSetup = -88

These are the same symptoms as in the Red Hat bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=711400

It is mentioned there that it is patched in the Red Hat kernel kernel-2.6.32-170.el6, but I have not found any information on whether that patch was sent upstream, and if yes, in which cifs module version. If anyone has information on this one, I'd be glad to hear it.

Cheers, Denis Cardon

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Samba with clients in multiple domains
Hi Robin,

I've not got a good starting point I'm afraid, but I was forced to deploy Samba under pressure of failing hardware so an urgent migration was done. We didn't get the IBM AIX 6.1 supplied one running at all, so we pulled down the samba.org version 3.4.3. We couldn't get that working as we wished, but it did at least share. It has been merrily allowing any request to mount (read-only) the shares. All was well with the function, but obviously it is not appropriate for the sensitive data we are sharing. The setting I had to put in was security=SHARE and on each share we have guest login allowed.

My problem is that our clients are in at least two domains and the server is standalone, i.e. no LDAP or whatever connection set up on the operating system in /etc/netsrv.conf or anything. We are an outsourcing company so we have our servers & users and the client company users all wanting to access the data.

I've tried reading the manual pages, but I have to understand much more about security and protocols than I do to get my foot in the door, so to speak. The more I try to find out, the more confused I get. What I have tried has always prevented any access. Great for security, but useless for actually operating the business. It has been parked for quite a while now, especially as the failing hardware also allowed guest connections so I had nothing to compare to. I've now forgotten what attempts I have made, but now Internal Audit are on my case to lock it down.

Can anyone point me in the right direction? I would prefer to grant access to an Active Directory group of users if that is possible, but then it needs to validate the user on more than one domain... um? My head hurts already. Full config (slightly sanitised) can be posted if this is useful, but I didn't want to flood the thread first off.
Documentation on the web is fine for configuring Kerberos/smb/winbind for one domain, but I also found it hard to get the SID/UID mapping right in a multiple-domain environment. Idmap has changed so many times since smb 3.0 that it is hard to know which doc is fine... I hope the 3.6 way will be the definitive one :-)

Here is an smb.conf that is working fine with two domains. servera is joined to the AD Kerberos realm DOMA.LOCAL. There is an interdomain trust with DOMB.LOCAL.

===
[global]
security = ads
realm = DOMA.LOCAL
password server = 192.168.123.11
workgroup = DOMA
winbind separator = +
idmap backend = tdb
idmap uid = 100-199
idmap gid = 100-199
idmap config DOMA : backend = rid
idmap config DOMA : range = 1 - 4
idmap config DOMB : backend = rid
idmap config DOMB : range= 5 - 9
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
wins server = 192.168.123.11
printcap name = /etc/printcap
load printers = no

[myshare]
path = /home/myshare
guest ok = no
write list = @"group1" @"DOMB+group2"
writeable = yes
force create mode = 0770
===

Hope this helps, Denis Cardon

Robin
Liverpool/Blackburn UK

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
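The idmap ranges in a multi-domain setup like the one above are where a small mistake becomes a security problem: if two domains' ranges overlap, or either overlaps the default range used for BUILTIN and for trusted domains without their own entry, two different SIDs get mapped to the same uid or gid, and a user from one domain can end up owning, or reading, the other domain's files. As an added example, not code from the thread or from Samba, here is a small Python check that parses the idmap ranges out of an smb.conf, both the "idmap config DOM : range" form and the legacy "idmap uid/gid" form that appears in Denis's config, and reports inverted or overlapping ranges. The sample smb.conf is constructed, with values chosen to show a collision.

```python
"""Check smb.conf idmap ranges for overlaps (added example, not Samba code).

Each domain handled by winbind gets its own uid/gid range. If two ranges
overlap, two different SIDs can be mapped to the same Unix id, and a user
from one domain ends up owning or reading the other domain's files.
Understands both 'idmap config DOM : range = A - B' and the legacy
'idmap uid = A-B' / 'idmap gid = A-B' form (treated as the '*' default).
"""
import re

# Constructed sample: DOMA and DOMB ranges collide on 15000-19999.
SAMPLE_SMB_CONF = """\
[global]
   security = ads
   workgroup = DOMA
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config DOMA : backend = rid
   idmap config DOMA : range = 10000 - 19999
   idmap config DOMB : backend = rid
   idmap config DOMB : range = 15000 - 29999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
LEGACY_RE = re.compile(r"^\s*idmap\s+(?:uid|gid)\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)


def parse_idmap_ranges(text):
    """Return {domain: (low, high)} for every idmap range in an smb.conf."""
    ranges = {}
    for line in text.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
            continue
        m = LEGACY_RE.match(line)
        if m:                                # legacy syntax = the default ('*') backend
            ranges.setdefault("*", (int(m.group(1)), int(m.group(2))))
    return ranges


def find_overlaps(ranges):
    """Sorted list of (domain_a, domain_b) pairs whose ranges share an id."""
    items = sorted(ranges.items())
    overlaps = []
    for i, (da, (la, ha)) in enumerate(items):
        for db, (lb, hb) in items[i + 1:]:
            if la <= hb and lb <= ha:        # closed intervals intersect
                overlaps.append((da, db))
    return overlaps


def check_smb_conf(text):
    """Return human-readable problems; an empty list means the ranges are sane."""
    ranges = parse_idmap_ranges(text)
    problems = [f"{d}: range {lo}-{hi} is inverted"
                for d, (lo, hi) in ranges.items() if lo > hi]
    if "*" not in ranges:
        problems.append("no default ('*') range: BUILTIN and unlisted trusted domains cannot be mapped")
    problems += [f"{a} and {b}: ranges overlap" for a, b in find_overlaps(ranges)]
    return problems


if __name__ == "__main__":
    for problem in check_smb_conf(SAMPLE_SMB_CONF) or ["idmap ranges OK"]:
        print(problem)
```

Run it against the real /etc/samba/smb.conf whenever a trust is added: with the rid backend every domain needs a range wide enough for its highest RID, so ranges tend to get widened by hand later, and that is exactly when they start to overlap.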
Re: [Samba] Samba with a lot of users (1500-2000) : experience ? hints ? references ?
Hi Denis,

I have installed many PC infrastructures with Samba and Windows roaming profiles working successfully and fast with installations of around 100 users. But now, a customer of mine is asking if this is possible for around 1500 users. Of course I know it is possible, but I would like to know if some people here already did such an installation, if it requires more than one Samba server, if there are some limitations, and what could be (will be) the difficulties. If you know some web pages about success stories, examples, hints, whatever, I would also be interested...

I have no web page to point at, but still I can give you some feedback on an install with 1500+ users on 800+ workstations with roaming profiles running for a few years. It indeed works fine but you have to be very careful about the IOPS and throughput of your file server, and you'll have to enforce strict quotas on the roaming profile so it does not go over a few hundred megs. You may also redirect some of the profile sub-directories to the user home dir so they do not clutter the profile. You can also distribute the profile directory over more than one server. If your users do not frequently change workstation, roaming profiles won't create too much transfer though. You may also have to take into account the timeframe of the session opening/closing in the morning and afternoon.

Cheers, Denis Cardon

Thanks a lot in advance for any help! Denis

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Samba PDC, OpenLDAP, and passwd chat
Hi Ryan,

I'm using Samba 3.0.24 and OpenLDAP 2.3.30 (with the ppolicy and smbk5pwd overlays). While testing Samba as a PDC with an OpenLDAP backend, I've hit a snag on password change. I currently have the following in my smb.conf related to password changes:

passwd program = /usr/bin/ldappasswd -x -W -S -D uid=%u,ou=Users,dc=example,dc=com
passwd chat = "*Enter NEW password*" %n\n "*Confirm NEW password*" %n\n "*Verify OLD password*" %o\n "*Password changed*" \n
passdb backend = ldapsam:ldap://127.0.0.1

Correct me if I'm wrong, but I thought that the password chat was referring to some kind of Expect script to interact with the program referred to by the "passwd program" parameter (/usr/bin/ldappasswd in your case). There is some more info on this in the smb.conf man page.

Cheers, Denis

I can change passwords, but there are a couple of things I've noticed that don't work properly.

1. My 'passwd chat' text isn't reflected on the Windows clients on the domain. Instead, I get (when changing via ctrl+alt+delete or during domain logon if the password has expired):

User name:
Log on to:
Old password:
New password:
Confirm new password:

2. The password requirements set forth by ppolicy (such as length, strength, and recently used passwords) don't seem to be adhered to. I can put in 'foobar' as the new password, change it to 'foobar1', change it back to 'foobar', and Samba will happily change the passwords. While the change does take, and I can log in to the domain with 'foobar' or 'foobar1' as the password, it's certainly not what I want.

Conversely, I get the desired results when invoking 'ldappasswd' from the command line:

# Testing the weak password 'foobar'
server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password fails quality checking policy

# Testing a password in the list of the last six passwords
server:~# /usr/bin/ldappasswd -x -W -S -D uid=tester,ou=Users,dc=example,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Result: Constraint violation (19)
Additional info: Password is in history of old passwords

If I try putting in something like 'a' as the password, I get a dialog box that says: "Your password must be at least 5 characters, cannot repeat any of your previous 0 passwords and must be at least 0 days old. Please type a different password. Type a password that meets these requirements in both text boxes."

Where is this text/requirement list coming from? And how can I configure Samba such that it returns the desired errors (above) to the user? In the same vein, instead of having the sambaPasswordHistory attribute in LDAP reflect the old hashed passwords, I just get one entry which reads:

sambaPasswordHistory:

I would very much appreciate any advice you folks might be able to offer.

Thanks, Ryan

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Folder redirection without roaming profiles
[EMAIL PROTECTED] wrote:

Hi, I'm new on the mailing list :)... I have a little question... Is there any way to enable folder redirection for some folders like My Docs or Desktop without using roaming profiles?

You can just update your registry keys during netlogon. Here are some of the relevant registry keys:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"="U:"
"My Pictures"="U:"
"My Music"="U:"
"My Video"="U:"

By the way, roaming profiles do not redirect the My Docs/Desktop folders, but just sync them back to the server on logout.

Cheers, Denis

That's all :P Thanks

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr
Re: [Samba] Sync passwords unix/smb with FDS backend?
Hi Jim,

Using simple authentication I have been able to tie FDS to Samba 3.x.24. Knowing that the Unix passwd and SMB passwd are different, dare I ask how difficult it would be to have them sync? Most of my users are using netatalk with POSIX user info and MD5 passwords. I would like to swing this over to Samba without the worries of two passwords per user. I have seen blips on this but not directly related to FDS.

If you store both your Samba and your Unix password in the LDAP, you can get them in sync by updating both of them when a user changes their password. You'll need to update the smb.conf file to take that into account for the Windows part, and update your other password-changing apps accordingly.

If what you want is in fact to get an NTLM hash from the existing MD5 hash, I'm afraid it won't be possible. Users will have to change their password once to update both the NTLM and MD5 password hashes.

Cheers, Denis

-- Denis Cardon, Tranquil IT Systems, http://www.tranquil-it-systems.fr