[Samba] [samba4] Thank you to the Samba Team
Hi, I wanted to write this message in order to thank the Samba team for the work they provided. With some colleagues we had to organize a national competitive examination for the Education (in France) for which the candidates worked on computers (on Windows 7). After thought, we had decided to use Samba4 with : - a domain controller on a Debian Wheezy (it was a virtual machine that we had cloned, just in case), - a member server on a Debian Wheezy (a real machine this time) which included users' data and roaming profiles, - a second member server identical to the first one (except for the name and the ip address) which copied in real time the previous server's data just in case. Everything was alright ! :-) A real thanks to the whole Samba team for their work. It's a real pleasure and a chance to take advantage of such a software through a free licence. On the mailing list, generally the problems and bugs are obviously reported which is normal (because every important software contains bugs and evry important software is perfectible) but I wanted to point out here that, as far as we were concerned, the samba 4 technology worked out perfectly and it has even been really invaluable, the whole in a sensitive environment because all the same it was an examination. Therefore an interruption in services could have been quite problematic (but there wasn't any). Well. Once again thanks a lot to the Samba team for this huge work which I hope will keep on improving and evolving for a very long time. Bye. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] Thank you to the Samba Team
Hello, Le 03/06/2013 01:20, steve a écrit : On Mon, 2013-06-03 at 00:56 +0200, François Lafont wrote: - a second member server identical to the first one (except for the name and the ip address) which copied in real time the previous server's data just in case. Hi Just curious. Did you rsync it? Did you try disabling the first file server and do an IP takeover on the second? Or was it a cluster? The samba-2 server (the second member server) checked the smb connections in samba-1 (the first member server which contained the users homes) and for these users, we ran rsync in samba-2. Here is a simplified version of the script in samba-2: # # specific interface on samba-1 used just for the rsync. IP_RSYNC=192.168.46.1 while true; do # check if samba-1 is ok... connected_users=$(ssh $IP_RSYNC bash get_smbstatus.bash) for user in $(cat $connected_users); do rsync -auzvAX --exclude '*.tmp' $IP_RSYNC:/home/$user/ /home/$user/ done sleep 10 done # samba-1 interfaces: - eth0 -- 172.20.0.4 - eth0:0 -- 172.20.0.46 # alias IP - eth1 -- 192.168.46.1 # just of the rsync samba-2 interfaces: - eth0 -- 172.20.0.6 - eth1 -- 192.168.46.2 # just of the rsync DNS records: - samba-1.capesdoc.priv -- 172.20.0.4 - samba-2.capesdoc.priv -- 172.20.0.6 - alexandrie.capesdoc.priv -- 172.20.0.46 And, for all the users, the profile path was \\alexandrie.capesdoc.priv\myhome\profile (and there were folder redirections like \\alexandrie.capesdoc.priv\myhome\docs etc). If samba-1 is down, we delete the alias IP in samba-1 and create the alias IP eth0:0 = 172.20.0.46 in samba-2. The routine were manual, with shell scripts, but manual. Samba-1 was checked by samba-2 and we received SMS if samba-1 had problems. I didn't wanted an automatic fail-over, I wanted a human operation. This case never took place during the examination. ;-) I hope I have answered to your question. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba4] rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) message with smbstatus command
Hello, I'm using samba4 (4.0.5 version) in Debian Wheezy. When I run the smbstatus command, I have a curious message. Here is an example: # root@samba-1:~# smbstatus -b rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384) Samba version 4.0.5 PID Username Group Machine --- 10833 jcoudour domain users 172.20.100.21 (ipv4:172.20.100.21:55594) 10989 mcoullet domain users 172.20.100.87 (ipv4:172.20.100.87:58532) 20178 jury1 domain users 172.20.100.116 (ipv4:172.20.100.116:50330) 10779 hcoubard domain users 172.20.100.22 (ipv4:172.20.100.22:51675) 11852 administrator domain users 172.20.100.53 (ipv4:172.20.100.53:528 # etc. # etc. # 1) What is the meaning of the message below? 2) Is it a serious problem? Thanks in advance for your help. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] smbd processes never die after logoff
Le 24/05/2013 12:42, Volker Lendecke wrote : Can you try to add the socket options TCP_KEEPIDLE=120 TCP_KEEPINTVL=10 TCP_KEEPCNT=5 This should make the sessions go away more quickly in case the clients just go away. Thanks for your help. I will try. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba4] smbd processes never die after logoff
Hello, I'm using Samba 4.0.5 in Debian Wheezy as a member server of a DC (in Debian Wheezy too with Samba 4.0.5) and the clients are Windows7 Pro. The users use shares in the member server. Sometimes, after the logoff of the users in the Win7 clients, there are connections with the member server whiches never stop. I can see it with the smbstatus command which point PID out to me and indeed with the « ps aux | grep smbd » I can see smbd processes whiches never die. I have try this in the smb.conf file : deadtime = 10 socket options = TCP_NODELAY SO_KEEPALIVE But it doesn't work. This is a embarrassing problem for me because it takes resources of the server. Thanks in advande for your help. PS: here is my smb.conf for the member server : [global] workgroup = MYDOMAIN security = ADS realm = MYDOMAIN.PRIV encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes winbind cache time = 300 deadtime = 10 socket options = TCP_NODELAY SO_KEEPALIVE [myhome] path = /home/%U hide files = *.ini/*.INI/*.bin/*.BIN/desktop - Raccourci.lnk/~*/ read only = No browseable = Yes [admhomes] path = /home read only = No browseable = Yes valid users = administrator admin users = administrator -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] smbd processes never die after logoff
Just one detail, Le 24/05/2013 03:15, François Lafont wrote : indeed with the « ps aux | grep smbd » I can see smbd processes whiches never die. Of course, with: kill PID the processes die. But if I don't use the kill command some processes never die although all users are disconnected of the Windows seven clients. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Hi, Le 26/04/2013 11:38, Andrew Bartlett a écrit : Can you try that again with: valgrind samba -i -M single out 21 I'm not worried about memory leaks (they don't cause crashes), and missing the '-' in front of -M probably means you didn't get the crash in the log you gave. Oops, sorry. It's very strange, with your command, there is no problem in the log. I have tried this: ~# valgrind samba -i -M single out 21 During, the execution of samba, I have done this in another shell: - ~# wbinfo -u Administrator Guest krbtgt test1 ~# ls -l /usr/local/samba/var/locks/sysvol/ # 1 minute'wait total 8 drwxrws---+ 4 root 300 4096 Apr 21 13:00 chezmoi.priv ~# wbinfo -u Error looking up domain users - And here my out file: - ==2377== Memcheck, a memory error detector ==2377== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==2377== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==2377== Command: samba -i -M single ==2377== samba version 4.0.5 started. Copyright Andrew Tridgell and the Samba Team 1992-2012 samba: using 'single' process model ==2377== ==2377== HEAP SUMMARY: ==2377== in use at exit: 4,601,429 bytes in 36,998 blocks ==2377== total heap usage: 696,172 allocs, 659,174 frees, 113,032,156 bytes allocated ==2377== ==2377== LEAK SUMMARY: ==2377==definitely lost: 0 bytes in 0 blocks ==2377==indirectly lost: 0 bytes in 0 blocks ==2377== possibly lost: 4,283,837 bytes in 35,214 blocks ==2377==still reachable: 317,592 bytes in 1,784 blocks ==2377== suppressed: 0 bytes in 0 blocks ==2377== Rerun with --leak-check=full to see details of leaked memory ==2377== ==2377== For counts of detected and suppressed errors, rerun with: -v ==2377== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 285 from 8) - No problem ! It's very curious. I hope that we would more information with the thomas'log... -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
[Ooops, sorry Michael for my first message, I have made a mistake with the recipients] Hello, Le 22/04/2013 13:29, Michael Wood a écrit : Did winbind also crash when you ran it under valgrind? Yes, I think so. I have done 2 tests with valgrind --leak-check=full samba -i M single out 21 and for the 2 tests I have the same problem: -- ~# wbinfo -u Administrator Guest krbtgt test1 ~# time ls -l /usr/local/samba/var/locks/sysvol/ total 8 drwxrws---+ 4 root 300 4096 Apr 21 13:00 chezmoi.priv real1m13.350s user0m0.000s sys 0m0.068s ~# wbinfo -u Error looking up domain users -- Perhaps you should attach the two logs directly to the bug instead of just linking to them. Ok, it's done. One of the Samba developers will have to let you know if the information you have provided is enough. Ok, thanks for your help Michael. :) -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Hello, Le 20/04/2013 20:00, Michael Wood a écrit : As Andrew suggested it would be good if you could run it under valgrind and reproduce the crash. I don't know valgrind sorry. In spite of all, I have tried this: --- apt-get install valgrind ./configure --enable-debug #--- I add the --enable-debug make make install samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' echo nameserver 192.168.0.21 /etc/resolv.conf samba ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 # I put winbind in the nsswitch.conf file. sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf valgrind --leak-check=full samba -i M single out 21 --- Here is the output during the ls -l /usr/local/samba/var/locks/sysvol/ problem: http://sisco.laf.free.fr/codes/samba4_gid_300_valgrind.log Will that be enough? Also, you should probably log a bug in bugzilla. It's done: https://bugzilla.samba.org/show_bug.cgi?id=9820 -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Hi, I go back to this thread (the title is explicit) just to have news. I have seen in other threads that other people have similar problems. Should we consider this problem as a bug (in Samba 4.0.5) or is it a wrong installation from my part? In the first case, are information that I have given enough or should I provide other things? In the second case, I'm interesting by clues. Thanks. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Le 14/04/2013 13:51, François Lafont a écrit : I'm going to search, meanwhile, here is the ouput of the samba -i -M single -d 10 command during the ls -l /usr/local/samba/var/locks/sysvol/ problem. Ooups! Sorry I have forgotten the url address: http://sisco.laf.free.fr/codes/samba4_gid_300.log Will that information be enough? Or should I provide other things? -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Le 15/04/2013 04:28, steve a écrit : Indeed, for each new user or group you create you always end up with an idmap entry too. What idmap_ldb:use rfc2307 = yes is saying is 'ignore idmap and give priority to AD'. Of course, the attributes must be there in the first place otherwise it will fall back to idmap again. Exactly what we are trying to avoid at all costs. I had to prove this to myself by creating a user in AD with rfc2307 stuff and then deleting his entry in idmap. With the idmap_ldb:use rfc2307 = yes in place then no problem. All his stuff came from AD as expected:) Ok. I think it's clear for me now. I think we're speaking the same language now. Yes, thank you for your help Steve. :-) Bye. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Le 14/04/2013 08:30, Andrew Bartlett a écrit : --- # ls -n /usr/local/samba/var/locks/sysvol/ total 8 drwxrws---+ 4 0 300 4096 Apr 14 01:40 chezmoi.priv --- Which group has the gid 300? The files are owned by the domain administrators group. Do you mean the CN=Administrators,CN=Builtin,DC=chezmoi,DC=priv group? Why don't this group appear with the wbinfo -g command? --- # wbinfo -g Enterprise Read-Only Domain Controllers Domain Admins Domain Users Domain Guests Domain Computers Domain Controllers Schema Admins Enterprise Admins Group Policy Creator Owners Read-Only Domain Controllers --- Winbind doesn't know how to make up a 'user' record for that group yet. And it's not a normal behavior, isn't it? Can you please try to get a gdb backtrace, or better still run 'samba' under valgrind? We would very much like to fix that. Sorry, I don't know how to do that, I'm a samba beginner. I'm going to search, meanwhile, here is the ouput of the samba -i -M single -d 10 command during the ls -l /usr/local/samba/var/locks/sysvol/ problem. Thanks for your help. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Le 14/04/2013 13:49, François Lafont a écrit : I'm going to search, meanwhile, here is the ouput of the samba -i -M single -d 10 command during the ls -l /usr/local/samba/var/locks/sysvol/ problem. Ooups! Sorry I have forgotten the url address: http://sisco.laf.free.fr/codes/samba4_gid_300.log -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Le 14/04/2013 08:00, steve a écrit : Ok, if I understand, after a provision of a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixaccount etc. in its database, but I have to add the object class and the mandatory attributes myself. It can do that whether you provision with --use-rfc2307 or not. Are you sure? In this case, I won't use this option. I believe that it adds the possibility of adding the uid:gid from windows. I've never used windows for this. Me too. I prefer to manage the AD in the samba server. If you want to pull uid:gid from AD then you'll need to add uidNumber and gidNumber for users and gidNumber for groups. And memberUid too for groups, isn't it? All users which need to login will need the attributes but there's no need to allocate gidNumber to al the groups. Many of them have no meaning in Linux. e.g. To begin with, just allocate a gidNumber to Domain Users. A good way to decide which gidNumber to allocate is to take the RID of the group and add, say, 2 to keep it well away from local groups. As the RID of Domain Users is 513 then our gidNumber becomes 20513. For users, we allocated our first user uidNumber 332 to avoid collision with the xidnumbers which have to remain in idmap. I don't think that 332 is a good uidNumber because idmap seems to use the 300-400 range. # getent passwd Guest CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false uid=311 although I have done no change in the Guest account.oming from /ur/ Those uid:gid pairs are coming from idmap. idmap is not part of AD and confuses the issue for many of us. If you are going to add more DC's, these uid:gid's will change depending upon which DC you refer to. Probably (almost certainly) not what you want. Absolutely. :) How choose Samba these uid/gid numbers (e.g 311/312) and how can I choose my uid/gid numbers in order that there is never conflict with uid/gid choose automatically by Samba? That is best answered by looking at: ldbsearch --url=/usr/local/samba/private/idmap.ldb Ok, it's a good answer indeed. And I can see: # ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=config # record 1 dn: CN=CONFIG cn: CONFIG lowerBound: 300 upperBound: 400 xidNumber: 317 distinguishedName: CN=CONFIG Then, I understand that idmap uses the 300-400 range to assign xidNumber to the users and groups. There, you'll see the sids with the xidnumber that Samba has allocated to them. This xidnumber becomes the uid or gid depending upon whether the object is a user, group or both. A basic set of objects has to remain in idmap so leave it as it is after provision. If you add the line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the provision has already done for you) then any new user or group object that is created will not have an entry in idmap. You are then free to add the necessary uid/gidNumbers to AD. Yes, indeed: # grep 'rfc' /usr/local/samba/etc/smb.conf idmap_ldb:use rfc2307 = yes # samba # samba-tool user add test4 test4 User 'test4' created successfully # ldbsearch --url=/usr/local/samba/private/sam.ldb cn=test4 | grep -i objectsid objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106 # ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106 # returned 0 records # 0 entries # 0 referrals But after this: # getent passwd test4 CHEZMOI\test4:*:319:100::/home/CHEZMOI/test4:/bin/false the idmap entry is automatically created: # ldbsearch --url=/usr/local/samba/private/idmap.ldb cn=S-1-5-21-3840058276-1254623269-3939424142-1106 # record 1 dn: CN=S-1-5-21-3840058276-1254623269-3939424142-1106 cn: S-1-5-21-3840058276-1254623269-3939424142-1106 objectClass: sidMap objectSid: S-1-5-21-3840058276-1254623269-3939424142-1106 type: ID_TYPE_BOTH xidNumber: 319 distinguishedName: CN=S-1-5-21-3840058276-1254623269-3939424142-1106 I have noticed that I have exactly the same behavior without the idmap_ldb:use rfc2307 = yes option. Then, I don't see exactly the meaning of this option... Sorry, I can't access the list archive at the moment. The thread is called 'Some clarification?' Ok, I see. Thanks a lot for yours explanations Steeve. It's become more clean in my mind. :) -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Hi, Le 11/04/2013 22:39, Gémes Géza a écrit : The easiest way to test out rfc2307 would be to provision a new domain with samba-tool domain provision --use-rfc2307 --the-other-options-of-your-choice, and test a rfc2307 client against it. The difference is, that in this case the provisioning script loads a schema file (ypServ30.ldif) which makes it easier to administer the rfc2307 attributes using ADUC. [...] Ok. I try this in a wheezy server: --- samba-tool domain provision --realm=CHEZMOI.PRIV \ --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL \ --adminpass='+toto123' --use-rfc2307 echo nameserver 192.168.0.21 /etc/resolv.conf samba samba-tool user add test1 +test123 --- Here is my smb.conf file after this commands: --- # Global parameters [global] workgroup = CHEZMOI realm = CHEZMOI.PRIV netbios name = WHEEZY-1 server role = active directory domain controller dns forwarder = 212.27.40.241 idmap_ldb:use rfc2307 = yes [netlogon] path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No --- But when I run: ldbedit --url=/usr/local/samba/private/sam.ldb cn=test1 --- # editing 1 records # record 1 dn: CN=test1,CN=Users,DC=chezmoi,DC=priv objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: test1 instanceType: 4 whenCreated: 20130413162647.0Z whenChanged: 20130413162647.0Z uSNCreated: 3769 name: test1 objectGUID: 0d95a85f-92d9-425c-8ddf-bcdb401a1c99 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 primaryGroupID: 513 objectSid: S-1-5-21-3595212667-731548510-1075401445-1103 accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: test1 sAMAccountType: 805306368 userPrincipalName: te...@chezmoi.priv objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=chezmoi,DC=priv pwdLastSet: 13010344007000 userAccountControl: 512 uSNChanged: 3771 distinguishedName: CN=test1,CN=Users,DC=chezmoi,DC=priv --- I have no objectClass: posixAccount entry and then no uidNumber, gidNumber attribute. Is it normal? I thought that use-rfc2307 option allowed to create posixaccount users. Isn't It the case? -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Hello, Le 13/04/2013 20:24, steve a écrit : You still have to add the objects. Yourself! Ok, if I understand, after a provision of a domain with samba-tool and the --use-rfc2307 option, samba4 can support posixaccount etc. in its database, but I have to add the object class and the mandatory attributes myself. But, after this: --- samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \ --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \ --use-rfc2307 ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 # I had winbind in nsswitch.conf sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf samba --- I have a few users and groups which are already created: # wbinfo -u Administrator Guest krbtgt # wbinfo -g Enterprise Read-Only Domain Controllers Domain Admins Domain Users Domain Guests Domain Computers Domain Controllers Schema Admins Enterprise Admins Group Policy Creator Owners Read-Only Domain Controllers DnsUpdateProxy Must I add objectclass: posixAccount, uid:..., uidNumber:... etc. entries for each account above? And must I add objetclass: posixGroup, gidNumber: ... etc. entries for each group above? Which uid/gid numbers should I use? Without posixAccount uid uidNumber etc. entries, the domain accounts are automatically already allied to a uid number that I can see with getent passwd: # getent passwd Guest CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false uid=311 although I have done no change in the Guest account. How choose Samba these uid/gid numbers (e.g 311/312) and how can I choose my uid/gid numbers in order that there is never conflict with uid/gid choose automatically by Samba? Another problem: just after provision, the /usr/local/samba/var/locks/sysvol/ repository is already created with particulary settings regarding the unix rights and the alc (with particulary uid/gid numbers). Must I change the (unix/acl) rights of this repository too ? There's another thread here at the moment about how or how not to do that. Where? I don't see it. Personally, I never succeed in the rfc2307 working, until now. My purpose is to have the same uid/gid numbers between 2 samba4 servers. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba4] crash of winbind after ls -l /usr/local/samba/var/locks/sysvol
Hi, I used Samba 4.0.5 in Wheezy. Here is that I have done: --- samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \ --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' echo nameserver 192.168.0.21 /etc/resolv.conf samba ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2 # I put winbind in the nsswitch.conf file. sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf samba-tool user add test1 +test123 --- That's all. Here is my smb.conf after this commands: --- # Global parameters [global] workgroup = CHEZMOI realm = CHEZMOI.PRIV netbios name = WHEEZY-1 server role = active directory domain controller dns forwarder = 212.27.40.241 [netlogon] path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No --- It seems to work well: --- ~# getent passwd [couic...] CHEZMOI\Administrator:*:0:100::/home/CHEZMOI/Administrator:/bin/false CHEZMOI\Guest:*:311:312::/home/CHEZMOI/Guest:/bin/false CHEZMOI\krbtgt:*:316:100::/home/CHEZMOI/krbtgt:/bin/false CHEZMOI\test1:*:317:100::/home/CHEZMOI/test1:/bin/false ~# wbinfo -u Administrator Guest krbtgt test1 # wbinfo -g Enterprise Read-Only Domain Controllers Domain Admins Domain Users Domain Guests Domain Computers Domain Controllers Schema Admins Enterprise Admins Group Policy Creator Owners Read-Only Domain Controllers DnsUpdateProxy --- But there is something curious with the /usr/local/samba/var/locks/sysvol/ directory: --- # ls -n /usr/local/samba/var/locks/sysvol/ total 8 drwxrws---+ 4 0 300 4096 Apr 14 01:40 chezmoi.priv --- Which group has the gid 300? --- # wbinfo -g | tr '\n' '\0' | xargs -0 -n 1 wbinfo --group-info CHEZMOI\Enterprise Read-Only Domain Controllers:*:318: CHEZMOI\Domain Admins:*:308: CHEZMOI\Domain Users:*:100: CHEZMOI\Domain Guests:*:312: CHEZMOI\Domain Computers:*:319: CHEZMOI\Domain Controllers:*:320: CHEZMOI\Schema Admins:*:307: CHEZMOI\Enterprise Admins:*:306: CHEZMOI\Group Policy Creator Owners:*:304: CHEZMOI\Read-Only Domain Controllers:*:321: CHEZMOI\DnsUpdateProxy:*:322: --- There is no 300 gid. And, a bit more embarrassing, if I use ls -l to resolv the gid to a name, winbind is crashing: --- # time ls -l /usr/local/samba/var/locks/sysvol total 8 drwxrws---+ 4 root 300 4096 Apr 14 01:40 chezmoi.priv real0m33.483s # 33 seconds ! user0m0.012s sys 0m0.000s # wbinfo -u Error looking up domain users # wbinfo -g failed to call wbcListGroups: WBC_ERR_WINBIND_NOT_AVAILABLE Error looking up domain groups # wbinfo -i Guest failed to call wbcGetpwnam: WBC_ERR_WINBIND_NOT_AVAILABLE Could not get info for user Guest # wbinfo -p Ping to winbindd failed could not ping winbindd! --- I have to restart samba: --- # killall samba; sleep 2; samba # wbinfo -u Administrator Guest krbtgt test1 # wbinfo -g Enterprise Read-Only Domain Controllers Domain Admins Domain Users Domain Guests Domain Computers Domain Controllers Schema Admins Enterprise Admins Group Policy Creator Owners Read-Only Domain Controllers DnsUpdateProxy # wbinfo -p Ping to winbindd succeeded --- Have I made a mistake? Where is the problem? Thanks in advande. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
Le 10/04/2013 06:59, Gémes Géza a écrit : You should check rfc2307 on the samba AD, if your users do not have uidNumber gidNumber attributes they are going to be ignored by the winbind daemon if you specify rfc2307 schema mode on the domain member. If I have understood, when I don't use rfc2307 in the dc server (this is the default) and if I don't use rfc2307 in the member server with this config: --- # No refer to rfc2307. [global] workgroup = CHEZMOI security = ADS realm = CHEZMOI.PRIV encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes --- It seems to work well, but the uid and the gid of the domain accounts are different between the dc and the member. And if I use the rfc2307, then it's possible to have the same uid and gid on the dc and the member. Is it correct ? For the moment, I don't succeed in the use rfc2307 with a dc and a member. Without rfc2307, I think It works well with: 1. For the dc: --- [global] workgroup = CHEZMOI realm = CHEZMOI.PRIV netbios name = WHEEZY-SERVER server role = active directory domain controller dns forwarder = 212.27.40.241 [netlogon] path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No --- 2. And for the member: --- [global] workgroup = CHEZMOI security = ADS realm = CHEZMOI.PRIV encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes --- It works well (imho), but, for each account, the uid/gid are different between the dc and the member, and I don't like it. When I try to use rfc2307, it doesn't work for me (but I should make mistakes). For example, I have tried this: 1. On the dc server: # samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' --use-rfc2307 that creates this smb.conf: --- [global] workgroup = CHEZMOI realm = CHEZMOI.PRIV netbios name = WHEEZY-SERVER server role = active directory domain controller dns forwarder = 212.27.40.241 idmap_ldb:use rfc2307 = yes [netlogon] path = /usr/local/samba/var/locks/sysvol/chezmoi.priv/scripts read only = No [sysvol] path = /usr/local/samba/var/locks/sysvol read only = No --- Next, I use winbind in nsswitch.conf in order to resolv the uid/gid -- names. 2. On the member, I edit this smb.conf file (found here https://wiki.samba.org/index.php/Samba4/Domain_Member#Setting_up_a_basic_smb.conf): --- [global] workgroup = CHEZMOI security = ADS realm = CHEZMOI.PRIV encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 70001-8 idmap config CHEZMOI:backend = ad idmap config CHEZMOI:schema_mode = rfc2307 idmap config CHEZMOI:range = 500-4 winbind nss info = rfc2307 winbind trusted domains only = no winbind use default domain = yes winbind enum users = yes winbind enum groups = yes --- and I join the server with net ads join (next I use winbind too in nsswitch.conf). Next, I create a account in the dc (samba-tool user add test1 --random-password) and, under a Windows station, I edit this account with dsa.msc and I set: - the UID attribute in the Unix attributes tab - the GID attribute in the Unix attributes tab But, the dc and the member seems to ignore this value and, for example, with getent passwd the uid/gid are different for each user between the dc and the member. If you are advices or links to install dc and member so that the uid/gid are the same between the dc and the member, It interest me very much. :-) Thanks in advance. PS: and very sorry for my poor english. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
root@member:~# getent passwd Because the toto user isn't printed in the output. However, I wait during 5-6 minutes, the toto user appears in the output of this commands. Another solution: if I do: root@member:~# killall smbd nmbd winbindd root@member:~# smbd nmbd winbindd the toto user appears in the member server immediately Is this behavior (the 5-6 minutes period) normal? Is this configuration correct for a member server? Thanks for your help. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
DNS update failed: NT_STATUS_UNSUCCESSFUL root@member:~# ldconfig root@member:~# smbd nmbd root@member:~# winbindd -i -d 10 And winbindd seems to be ok. I have : root@member:~# wbinfo -u administrator krbtgt test10 test11 guest test1 test2 test3 test4 test5 test6 ... root@member:~# wbinfo -i test9 test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false But if I create an user in the domain controller server: root@dc:~# samba-tool user add test12 --random-password User 'test12' created successfully after in the member server: root@member:~# wbinfo -i test12 failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user test12 Here is the stdout of winbindd during the command : --- info : * info: struct wbint_userinfo acct_name: * acct_name: 'test12' full_name: NULL homedir : NULL shell: NULL primary_gid : 0x (4294967295) user_sid : S-1-5-21-3370545617-3166960116-3193249687-1115 group_sid: S-1-5-21-3370545617-3166960116-3193249687-513 result : NT_STATUS_NOT_FOUND Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115: NT_STATUS_NOT_FOUND wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND winbind_client_response_written[2813:GETPWNAM]: delivered response to client closing socket 23, client exited --- Don't you have rfc2307 configured ? The smb.conf of DC server and the smb.conf of MEMBER server are exacty like above in this message. So, I have « winbind nss info = rfc2307 » in the smb.conf of the MEMBER server. if so for the new user did you set the needed attributes ? I have just run: samba-tool user add test12 --random-password That's all. Which are the needed attributes? Thanks for your help. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] [samba4] Print all dns records of the samba4 internal DNS server
Hi, All is in the title. I'm using Samba4 (version 4.0.4) in Debian Wheezy with the builtin DNS server. I'm searching a command to print all the dns records. I have searched in samba-tool command but I haven't found. Thanks in advance for your help. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] [samba4] Print all dns records of the samba4 internal DNS server
[Sorry, I think I have missed my sending message] Le 07/04/2013 14:26, David Adam a écrit : On Sun, 7 Apr 2013, François Lafont wrote: All is in the title. I'm using Samba4 (version 4.0.4) in Debian Wheezy with the builtin DNS server. I'm searching a command to print all the dns records. I have searched in samba-tool command but I haven't found. https://lists.samba.org/archive/samba-technical/2013-February/090300.html samba-tool dns query localhost yourdomain.lan @ ALL Thank you David. This this perfect for me. I have used: samba-tool dns query localhost chezmoi.priv @ ALL -U administrator Just one detail, the command don't print all the dns records: -- ~# samba-tool dns query localhost chezmoi.priv @ ALL -U administrator Password for [CHEZMOI\administrator]: Name=, Records=4, Children=0 SOA: serial=8, refresh=900, retry=600, expire=86400, ns=wheezy-server.chezmoi.priv., email=hostmaster.chezmoi.priv. (flags=60f0, serial=8, ttl=3600) NS: wheezy-server.chezmoi.priv. (flags=60f0, serial=1, ttl=900) A: 192.168.0.21 (flags=60f0, serial=1, ttl=900) A: 192.168.0.22 (flags=60f0, serial=110, ttl=900) Name=_msdcs, Records=0, Children=0 Name=_sites, Records=0, Children=1 Name=_tcp, Records=0, Children=4 Name=_udp, Records=0, Children=2 Name=alexandrie, Records=1, Children=0 CNAME: wheezy-2.chezmoi.priv. (flags=f0, serial=8, ttl=900) Name=DomainDnsZones, Records=0, Children=2 Name=ForestDnsZones, Records=0, Children=2 Name=wheezy-2, Records=1, Children=0 A: 192.168.0.22 (flags=f0, serial=110, ttl=900) Name=wheezy-server, Records=1, Children=0 A: 192.168.0.21 (flags=f0, serial=1, ttl=900) Name=WIN7PC, Records=1, Children=0 A: 192.168.0.116 (flags=f0, serial=110, ttl=1200) Name=WIN7PC-2, Records=1, Children=0 A: 192.168.0.117 (flags=f0, serial=110, ttl=1200) -- But, for example, I have a CNAME record which isn't print by the commad: -- ~# dig e55fe667-c95d-4189-acb4-7ad10aee13f3._msdcs.chezmoi.priv CNAME ; DiG 9.8.4-rpz2+rl005.12-P1 e55fe667-c95d-4189-acb4-7ad10aee13f3._msdcs.chezmoi.priv CNAME ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 63547 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;e55fe667-c95d-4189-acb4-7ad10aee13f3._msdcs.chezmoi.priv. IN CNAME ;; ANSWER SECTION: e55fe667-c95d-4189-acb4-7ad10aee13f3._msdcs.chezmoi.priv. 900 IN CNAME wheezy-server.chezmoi.priv. ;; Query time: 0 msec ;; SERVER: 192.168.0.21#53(192.168.0.21) ;; WHEN: Sun Apr 7 15:37:10 2013 ;; MSG SIZE rcvd: 102 -- -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba4 member of an another « Samba4 » domain
trusted domains only = no doing parameter winbind use default domain = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes pm_process() returned Yes lp_servicenumber: couldn't find homes added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0 Netbios name list:- my_netbios_names[0]=WHEEZY-2 added interface eth0 ip=fe80::a00:27ff:fe4b:65d3%eth0 bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.0.22 bcast=192.168.0.255 netmask=255.255.255.0 Process with PID=2689 does not exist. Deleting /usr/local/samba/var/run/winbindd.pid, since 2689 is not a Samba process. fcntl_lock 8 6 0 1 1 fcntl_lock: Lock call successful TimeInit: Serverzone is -7200 initialize_winbindd_cache: clearing cache and re-creating with version number 2 check lock order 2 for /usr/local/samba/var/lock/serverid.tdb lock order: 1:none 2:/usr/local/samba/var/lock/serverid.tdb 3:none Locking key 870A Allocated locked data 0x0x2136700 Unlocking key 870A release lock order 2 for /usr/local/samba/var/lock/serverid.tdb lock order: 1:none 2:none 3:none Registering messaging pointer for type 33 - private_data=(nil) Registering messaging pointer for type 13 - private_data=(nil) Registering messaging pointer for type 1028 - private_data=(nil) Registering messaging pointer for type 1027 - private_data=(nil) Registering messaging pointer for type 1029 - private_data=(nil) Registering messaging pointer for type 1280 - private_data=(nil) Registering messaging pointer for type 1032 - private_data=(nil) Registering messaging pointer for type 1033 - private_data=(nil) Registering messaging pointer for type 1034 - private_data=(nil) Registering messaging pointer for type 1 - private_data=(nil) Overriding messaging pointer for type 1 - private_data=(nil) wcache_tdc_add_domain: Adding domain BUILTIN (), SID S-1-5-32, flags = 0x0, attributes = 0x0, type = 0x0 pack_tdc_domains: Packing 1 trusted domains pack_tdc_domains: Packing domain BUILTIN () idmap config BUILTIN : range = not defined Added domain BUILTIN S-1-5-32 wcache_tdc_add_domain: Adding domain WHEEZY-2 (), SID S-1-5-21-210096926-4033722923-1792459932, flags = 0x0, attributes = 0x0, type = 0x0 pack_tdc_domains: Packing 2 trusted domains pack_tdc_domains: Packing domain BUILTIN () pack_tdc_domains: Packing domain WHEEZY-2 () idmap config WHEEZY-2 : range = not defined Added domain WHEEZY-2 S-1-5-21-210096926-4033722923-1792459932 Could not fetch our SID - did we join? unable to initialize domain list --- Boum !!! The command is stopped. 2) Second attempt to join the domain in the member server. It's better but It doesn't work too. root@member:~# net ads join -U administrator Enter administrator's password: Using short domain name -- CHEZMOI Joined 'WHEEZY-2' to dns domain 'chezmoi.priv' DNS Update for wheezy-2.chezmoi.priv failed: ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL root@member:~# ldconfig root@member:~# smbd nmbd root@member:~# winbindd -i -d 10 And winbindd seems to be ok. I have : root@member:~# wbinfo -u administrator krbtgt test10 test11 guest test1 test2 test3 test4 test5 test6 ... root@member:~# wbinfo -i test9 test9:*:70004:70001:test9:/home/CHEZMOI/test9:/bin/false But if I create an user in the domain controller server: root@dc:~# samba-tool user add test12 --random-password User 'test12' created successfully after in the member server: root@member:~# wbinfo -i test12 failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user test12 Here is the stdout of winbindd during the command : --- info : * info: struct wbint_userinfo acct_name: * acct_name: 'test12' full_name: NULL homedir : NULL shell: NULL primary_gid : 0x (4294967295) user_sid : S-1-5-21-3370545617-3166960116-3193249687-1115 group_sid: S-1-5-21-3370545617-3166960116-3193249687-513 result : NT_STATUS_NOT_FOUND Could not convert sid S-1-5-21-3370545617-3166960116-3193249687-1115: NT_STATUS_NOT_FOUND wb_request_done[2813:GETPWNAM]: NT_STATUS_NOT_FOUND winbind_client_response_written[2813:GETPWNAM]: delivered response to client closing socket 23, client exited --- Sorry for this long message. -- François Lafont -- To unsubscribe from this list go to the following URL and read the instructions