[Samba] Strange LDAP query

2009-10-13 Thread Juan Asensio Sánchez
Hi

We have a large installation consisting of many Citrix servers using 2
Samba servers as domain controllers, using 2 LDAP 389 Directory
Servers as user database. Also, there are workstations using the Samba
servers. These LDAP servers have around 3 user accounts, and we
have detected that Samba servers make this ldap search:

[07/Oct/2009:13:54:06 +0200] conn=46 op=13 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID displayName description sambaAcctFlags"

So Samba is trying to retrieve the 3 user accounts, making the
LDAP servers freeze. We don't know what is happening to make this big
query. I think that this query results from running the "net user"
command from a Windows or Linux machine, but I cannot find which
machine is executing that command. Is there any way to find out which
host is running this command, or which host is responsible for making
Samba make that LDAP query?

If not, is there any way to make Samba apply an additional filter when
obtaining accounts? I would like to make the query like
(&(uid=*)(objectClass=sambaSamAccount)(&(objectClass=myOwnClass)(ou:dn:=People))).

Regards.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
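
Added example (not part of the original post, and not Samba or 389 DS code): one way to trace a search like the one logged above back to the LDAP connection that issued it, by pairing each SRCH with its RESULT and with the connection's opening and BIND lines. It assumes the usual 389 DS access-log lines (`connection from`, `BIND`, `RESULT ... nentries=`); the function name, the threshold and every sample line except the SRCH from the post are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the 389 DS access-log layout. Only the conn=46 op=13
# SRCH line is taken from the post; addresses, DNs and counts are made up.
SAMPLE_LOG = """\
[07/Oct/2009:13:54:01 +0200] conn=46 fd=70 slot=70 connection from 192.0.2.10 to 192.0.2.1
[07/Oct/2009:13:54:01 +0200] conn=46 op=0 BIND dn="uid=adminsamba,dc=domain,dc=my" method=128 version=3
[07/Oct/2009:13:54:01 +0200] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[07/Oct/2009:13:54:02 +0200] conn=47 fd=71 slot=71 connection from 192.0.2.11 to 192.0.2.1
[07/Oct/2009:13:54:02 +0200] conn=47 op=1 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=jdoe)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[07/Oct/2009:13:54:02 +0200] conn=47 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[07/Oct/2009:13:54:06 +0200] conn=46 op=13 SRCH base="dc=domain,dc=my" scope=2 filter="(&(uid=*)(objectClass=sambaSamAccount))" attrs="uid sambaSID displayName description sambaAcctFlags"
[07/Oct/2009:13:54:19 +0200] conn=46 op=13 RESULT err=0 tag=101 nentries=25000 etime=13
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$')
OP = re.compile(r'^op=(?P<op>-?\d+) (?P<verb>[A-Z]+)(?: (?P<args>.*))?$')
CONNECT = re.compile(r'connection from (\S+) to \S+')
BIND_DN = re.compile(r'dn="([^"]*)"')
FILTER = re.compile(r'filter="([^"]*)"')
NENTRIES = re.compile(r'nentries=(\d+)')
ETIME = re.compile(r'etime=([\d.]+)')


@dataclass
class BigSearch:
    timestamp: str   # time the SRCH was logged
    conn: int
    op: int
    client: str      # peer address of the LDAP connection ("" if not seen)
    bind_dn: str     # last DN bound on that connection ("" if not seen)
    filter: str
    nentries: int
    etime: float


def find_big_searches(log_text, min_entries=1000):
    """Return every SRCH whose RESULT returned at least min_entries entries."""
    clients = {}   # conn -> client address
    binds = {}     # conn -> most recent bind DN
    pending = {}   # (conn, op) -> (timestamp, filter) for SRCH awaiting RESULT
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        conn, rest = int(m['conn']), m['rest']
        o = OP.match(rest)
        if not o:
            # Not an operation line: it may be the connection-open record.
            c = CONNECT.search(rest)
            if c:
                clients[conn] = c.group(1)
                binds.pop(conn, None)   # connection numbers can be reused
            continue
        op, verb, args = int(o['op']), o['verb'], o['args'] or ''
        if verb == 'BIND':
            dn = BIND_DN.search(args)
            binds[conn] = dn.group(1) if dn else ''
        elif verb == 'SRCH':
            f = FILTER.search(args)
            pending[(conn, op)] = (m['ts'], f.group(1) if f else '')
        elif verb == 'RESULT':
            srch = pending.pop((conn, op), None)
            n = NENTRIES.search(args)
            if srch is None or n is None:
                continue   # RESULT of a BIND/MOD, or a truncated line
            count = int(n.group(1))
            if count < min_entries:
                continue
            e = ETIME.search(args)
            hits.append(BigSearch(srch[0], conn, op, clients.get(conn, ''),
                                  binds.get(conn, ''), srch[1], count,
                                  float(e.group(1)) if e else 0.0))
    return hits


if __name__ == '__main__':
    for hit in find_big_searches(SAMPLE_LOG):
        print(f"{hit.timestamp} conn={hit.conn} op={hit.op} from {hit.client} "
              f"as {hit.bind_dn!r}: {hit.nentries} entries in {hit.etime}s, "
              f"filter {hit.filter}")
```

The address recovered this way is the peer of the LDAP connection, which is the Samba server itself; narrowing it down to the workstation behind that server means matching the timestamp against the Samba server's own logs.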


[Samba] Interdomain trust with different WINS servers

2010-05-26 Thread Juan Asensio Sánchez
Hi

I am trying to establish a relation between two different Samba domains. Each
domain has two PDCs, all of them are WINS servers, and the two domains are in
different subnets. They are configured to use LDAP as the user/group/machine
database. First, I will create the relation, with DOM1.CORP being the trusted
domain, and DOM2.CORP the trusting domain, so on a server of DOM1.CORP, I
create a user this way:

DOM1-S1$ /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-useradd -W -t 5 'DOM1.CORP$'
DOM1-S1$ smbpasswd -i DOM1.CORP$

The two commands are OK, and the domain account is created in LDAP, in
ou=Computers. I can see the machine in "getent passwd". Now, on a server of
the trusting domain, I run the command:

DOM2-S1$ net rpc trustdom establish 'DOM1.CORP'
[2010/05/26 11:21:03, 0] utils/net_rpc.c:rpc_trustdom_establish(5647)
  Couldn't find domain controller for domain DOM1.CORP

Well, I know this is normal because servers of DOM2 don't know anything
about DOM1. I suppose I will have to add the entries of the two servers of
DOM1 in lmhosts, and the entry for the domain itself, but I can't get it to
work. Now, my lmhosts is this:

127.0.0.1 localhost

1.1.1.1  DOM1-S1
1.1.1.2  DOM1-S2

1.1.1.1  DOM1.CORP
1.1.1.2  DOM1.CORP

But the previous command gives an error again. Even if I run nmblookup querying
the servers or the domain, I get errors:

DOM2-S1$ nmblookup -R -U localhost 'DOM1.CORP'
added interface ip=1.1.2.1 bcast=1.1.2.255 nmask=255.255.255.0
querying DOM1.CORP on 127.0.0.1
name_query failed to find name DOM1.CORP

Is this the right way to establish the relationship? How should I add the
entries to the lmhosts file?

Regards and thanks in advance.


Re: [Samba] Interdomain trust with different WINS servers

2010-06-14 Thread Juan Asensio Sánchez
I have tried with lots of lmhosts formats, but it looks like nmbd is ignoring the
lmhosts file when trying to resolve hostnames using nmblookup. nmblookup
gives the correct data when the name of the machine is in the DNS server.

So now, I wonder if the trust relationship could be done using entries of the
DNS server, but I don't know what format these entries must have in the ldap
server.

I know the documentation says that all servers must use the same WINS
server, but in our case this is impossible. All we can do is configure Samba
so the WINS servers all use the same DNS server.

Any idea or help how to configure this?

Regards.


2010/5/27 Gaiseric Vandal 

> I think the syntax may be the same as for Microsoft lmhosts
>
> http://support.microsoft.com/kb/314108

Re: [Samba] Interdomain trust with different WINS servers

2010-06-14 Thread Juan Asensio Sánchez
If I am not wrong, "nmblookup -U" connects to a WINS server, which is
configured with "name resolve order = lmhosts wins hosts bcast", so I think nmbd
will try to find the requested name first in lmhosts, then in the wins
database, and so on.

I have not said anything about nslookup, but I think its behavior is like
"nmblookup -U" (it does not use hosts directly, just as nmblookup does not use
lmhosts directly, or am I wrong?)

Regards.

2010/6/14 Tom Reijnders 

> Ehmm, isn't nmblookup ignoring the lmhosts file, like nslookup ignores the
> hosts file?
> --
> Tom Reijnders

[Samba] Group policy management per OU

2013-09-17 Thread Juan Asensio Sánchez
Hi all

We are testing the migration of our multiple domain Samba3-LDAP system to Samba4.
As Samba 4 doesn't support multiple domains, we will convert every domain
into an OU, delegating the administration of each OU to a specific group of
users. Our environment has about 38 OUs and thousands of users and
computers, so we want each OU admin group to be able to manage the group
policies as well. I have read a lot, but I have not seen anything about the
creation and modification of group policies per OU, just giving permissions
to an existing GPO. What I would like is to allow the admin groups of each OU
to create and modify their own GPOs, without needing to request the "central"
administrators to create one and give permissions to it. In brief, what I
have read:

- If an OU admin user wants to create a GPO, he must have rights to manage
all GPOs, or an admin user has to create a GPO beforehand and give
permissions to that GPO to the user, and then the OU admin user can link it
and edit it.

What I would like:

- Each OU admin user can create GPOs and modify (and link) the GPOs he has
created, but not modify (or delete or link) the GPOs that other OUs' admin
users have created.

Is this possible or just a dream? :D

Regards.


Re: [Samba] Samba 4 RPMs for RHEL 6

2013-09-18 Thread Juan Asensio Sánchez
Hi

You have updated precompiled packages from Sernet at
http://enterprisesamba.com/ (for Samba 3 and Samba 4, although you have to
register to use the Samba 4 repository). I have tried them and they work
fine.

Regards.


2013/9/19 Malcolm Cowe 

> My apologies if this is something of a FAQ, but I would be grateful of
> some assistance. I am evaluating Samba 4 and would like to be able to
> create packages for installation on RHEL and CentOS 6.x servers. I've
> cloned the git repository and checked out tag 4.0.9, then used the
> "./packaging/RHEL-CTDB/makerpms.sh" script to build the RPMs. The
> process succeeds but the packages, while labelled 4.0.9, are not Samba 4
> packages.
>
> Closer inspection of the spec file indicates that this is only geared
> towards Samba 3 builds. Have I missed something in the process of creating
> these packages? Is there a better way for me to proceed? For the moment,
> I'm just using make && make install on the servers but would like to move
> away from this mode.
>
> Regards,
>
> Malcolm.


[Samba] NT_STATUS_INTERNAL_DB_CORRUPTION when creating users from script in Samba4

2013-09-20 Thread Juan Asensio Sánchez
Hi all

I am trying to create a script to migrate our current old Samba3 LDAP based
domain to a new Samba4 (4.0.9, Sernet compilation) domain. We have 3
servers, all replicating. If I add a user using samba-tool, all works fine,
but if I try to create a user using a Python script, for example, with this
LDIF:

dn: cn=XXX,OU=Usuarios,OU=dept,DC=org,DC=test
displayName: X
samAccountName: X
objectClass: top
objectClass: person
objectClass: user
objectClass: organizationalPerson
userAccountControl: 512
userPrincipalName: xxx...@org.test
samAccountType: 805306368
sn: XX
mail: xxx...@xxx.es
givenName: X
cn: X
unicodePwd:: XX

importing it using ldbadd, the user is imported well (NOTE: cn,
displayname, sn and givenname contain special chars like tildes). When I
try to search the user using ldapsearch I get this error:

# ldapsearch -LLL -H ldap://X -D "cn=Administrator,cn=Users,dc=org,dc=test" -b "dc=org,dc=test" -w X "(samaccountname=XX)"
Operations error (1)
Additional information: acl_read: cannot get descriptor of cn=X,OU=Usuarios,OU=dept,DC=org,DC=test

But if I search that user with ldbsearch, the result is correct, although
the attributes related to replication that do appear in other objects (like
replPropertyMetaData, uSNChanged or nTSecurityDescriptor) don't appear in
this user. Even more, if the user tries to do a smbclient with his
username, he gets a db corruption error:

# smbclient -L localhost -U XX
Enter  password:
session setup failed: NT_STATUS_INTERNAL_DB_CORRUPTION

Any idea about this error? I think the LDIF is correct, but it looks it
doesn't

Regards.


[Samba] Password policies in the LDAP server

2010-06-28 Thread Juan Asensio Sánchez
Hi

We have some Samba servers using LDAP (389 DS) as backend. In the LDAP
server, we have defined some policies to make the passwords stronger. When a
user tries to change his password (Control-Alt-Del), this message appears in
the logs:

==> /var/log/samba/xptest <==
[2010/06/28 12:26:26, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [1001S] -> [1001S] -> [1001S] succeeded
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: 1001S
[2010/06/28 12:26:26, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2167)
  init_group_from_ldap: Entry found for group: 10001
[2010/06/28 12:26:38, 2] passdb/pdb_ldap.c:init_ldap_from_sam(972)
  init_ldap_from_sam: Setting entry for user: 1001S
[2010/06/28 12:26:38, 0] passdb/pdb_ldap.c:ldapsam_modify_entry(1651)
  ldapsam_modify_entry: LDAP Password could not be changed for user 1001S: Constraint violation
  Failed to update password


==> /var/log/dirsrv/slapd-pruebas/audit <==
time: 20100628122637
dn: uid=1001s,X
changetype: modify
delete: sambaLMPassword
sambaLMPassword: 0182BD0BDBF836077A718CCDF409
-
add: sambaLMPassword
sambaLMPassword: 39EAD569B79C7EA2C2265B23734E0DAC
-
delete: sambaNTPassword
sambaNTPassword: 259745CB123A52AA2E693AAACCA2DB52
-
add: sambaNTPassword
sambaNTPassword: 8EC60ADEA316D957D1CF532C5841758D
-
delete: sambaPwdLastSet
sambaPwdLastSet: 1277720109
-
add: sambaPwdLastSet
sambaPwdLastSet: 1277720798
-
replace: modifiersname
modifiersname: uid=adminsamba,XXX
-
replace: modifytimestamp
modifytimestamp: 20100628102637Z
-

So, the Samba passwords are changed, but the unix password is not changed
because the LDAP server rejects it because it is not as strong as required. Is
there any way to avoid this? Shouldn't the unix password be changed before
the samba passwords to check if the LDAP server accepts it?

Regards.


Re: [Samba] Samba 3.3 ldap tools

2010-06-29 Thread Juan Asensio Sánchez
These connections that give errors are established with the ldap system libs,
not with smbldap-tools (that use perl), so you have to configure your system
to use your certificates (/etc/{ldap,openldap}/ldap.conf).

Regards.

2010/6/30 Indexer 

> I am currently trying to setup my Samba server to act as a samba PDC, with
> ldap as a backend. I have a selfsigned CA, that has signed the certificates
> to my ldap server.
>
> Starting my smbd, I keep getting the message
>
> smb_ldap_setup_connection: ldap://ldap.streetgeek.lan/
> Failed to issue the StartTLS instruction: Connect error
> Connection to LDAP server failed for the 1 try!
> smbldap_open: already connected to the LDAP server
> Failed search for base: dc=dev,dc=gamersalliance,dc=net,dc=au, error: -1
> (Can't contact LDAP server) (error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed
> certificate in certificate chain))
>
> I have set in smbldap-tools.conf to verify="allow", as well as in ldap.conf
> to TLS_REQCERT = allow, so I don't understand why this is happening. All of
> my systems are pointed to the same cacert file so I doubt that it is
> confusing certificates. Are there any other options I should be considering?
>
> Thanks
>
> William


Re: [Samba] Password policies in the LDAP server

2010-06-30 Thread Juan Asensio Sánchez
Well, if this can help anybody, I found a workaround that is not perfect,
but works fine.

http://lists.fedoraproject.org/pipermail/389-users/2010-June/011685.html

Regards.



Re: [Samba] Password policies in the LDAP server

2010-07-01 Thread Juan Asensio Sánchez
Hi

We are using 389 Directory Server (formerly Fedora Directory Server).

http://directory.fedoraproject.org/

There, regarding password policies, you can specify minimum password
length, minimum digits, minimum letters, minimum uppercase, minimum
lowercase, minimum symbols, minimum ascii characters, minimum group types of
characters, password history, etc.

http://www.redhat.com/docs/manuals/dir-server/8.1/admin/User_Account_Management.html

Regards.


On 1 July 2010 at 14:27, Willy Offermans wrote:

> Hello Samba Friend,
>
> I'm sorry that I cannot help you in finding an answer to your question,
> but I'm rather interested in how you can add password policies to the
> LDAP server. Is this openldap? and how did you implement the policies?
>


> --
> Met vriendelijke groeten,
> With kind regards,
> Mit freundlichen Gruessen,
> De jrus wah,
>
> Willy

[Samba] Implementing Samba4

2010-09-01 Thread Juan Asensio Sánchez
Hi

I am trying to install Samba 4 on an Ubuntu 10.04 Server machine. I have
downloaded the sources, compiled and installed them. Now I have to do the
provision step. I want to use an existing LDAP server (389 Directory Server)
installed on another machine (well, really a lot of machines, already configured
for replication). Also, the servers only accept SSL connections. But all the
examples I have seen in the Samba Wiki use ldapi. I have tried a lot of
commands to configure the provisioning, but I don't understand what this
step does:

- Create any special user in the LDAP server?
- Create any branches in the LDAP server?
- Add any schema?

What should be the command to make Samba work with my LDAP servers, with
SSL? The LDAP servers also already have user and group data (also a Samba3 domain,
but it is not being used).

After the provisioning, I have seen that it is necessary to start the LDAP server
using start-slapd of the Samba package. What? What is this for?

And one last question, is it possible to create an interdomain trust with the
current version of Samba4?

Regards and thanks in advance.


Re: [Samba] Implementing Samba4

2010-09-01 Thread Juan Asensio Sánchez
On 1 September 2010 at 09:54, Daniel Müller wrote:

> On Wed, 1 Sep 2010 09:42:45 +0200, Juan Asensio Sánchez wrote:
> > Hi
> >
> > I am trying to install Samba 4 on a Ubuntu 10.04 Server machine. I have
> > downloaded the sources, compiled it and installed. Now I have to do the
> > provision step. I want to use an existing LDAP server (389 Directory
> > Server) installed in other machine (well, really a lot of machines, yet
> > configured for replication). Also, the servers only accept SSL
> > connections. But all the
> Why not just use the samba 4 internal ldap-server?? And just net rpc
> vampire the users and groups from
> the samba3/Ldap?? I think with samba 4 the old way samba3/ldap just makes
> no sense at all. What should be the advantage of
> the old way??
> Greetings Daniel
>
>
We have more than 60 LDAP servers already working, with custom schemas, and
lots of users and groups, so I think the migration is not trivial. Also, our
LDAP servers are not used only for Samba, and I think 389 DS is more
appropriate for high load environments.

Re: [Samba] using include directives for shares?

2010-09-28 Thread Juan Asensio Sánchez
include = /path/to/file

(note "=")

2010/9/28 Roel van Meer 

> scott_st...@trendmicro.com writes:
>
>  From the smb.conf manpage, it says that an 'include ' will include
>> that file into smb.conf as if it were typed in place.
>>
>
> Yes, that should work.
>
> Some things you want to look at:
> - Is the include file world readable?
> - Does the output of 'testparm -sv' give any clues?
>
> Regards,
>
> roel
>
>
>
>
>>
>> /etc/samba/smb.conf contains:
>>
>>
>> [global]
>>
>>   
>>
>>
>> include /etc/samba/smb.conf.local
>>
>>
>>
>>
>> and then /etc/samba/smb.conf.local contains my share definitions.  I'm
>> doing it this way because I'm using puppet to manage the global parameters
>> on my various file servers, but each individual file server may have a
>> different local configuration that operations guys without access to the
>> puppetmaster might need to change.  It seems to me that this should be
>> supported as I'm doing it, but it appears not - the shares defined in
>> smb.conf.local aren't getting served.  What am I doing wrong, or am I
>> running up against a known limitation?
>>
>>
>> Using CentOS 5, latest updates installed, samba RPM version
>> samba-3.0.33-3.29.el5_5.1
>>
>>
>> 
>>
>> Scott Stone 
>>
>> Lead Developer, DCS-RD
>>
>> Trend Micro, Inc. http://www.trendmicro.com
>>
>>
>>


[Samba] Samba printer management commands

2010-12-16 Thread Juan Asensio Sánchez
Hi

I am trying to setup remote printer management commands, so the users
could add and delete printers from "Printers" share of Samba in
Windows. I have this script, that is launched using an administrator
account, when I add a printer from there, using a new TCP/IP port:



#!/bin/bash

{
    ##
    # Parameters
    ##

    # Printer name
    LPNAME=$(echo "$1" | iconv -t ascii//translit | sed --regexp-extended 's/\s+/_/g')

    # Share name
    SHARENAME=$2

    # Port name
    PORTNAME=$3

    # Driver name
    DRIVERNAME=$4

    # Location
    LOCATION_OLD=$5

    # Location in Windows 95
    LOCATIONWIN9X=$6

    # Check the syntax of the location, and add the default protocol if it has none
    if [[ ! ${LOCATION_OLD} =~ ":/" ]]
    then
        LOCATION_NEW="lpd://${LOCATION_OLD}"
    else
        LOCATION_NEW="${LOCATION_OLD}"
    fi

    # Show message
    echo "Añadiendo impresora. Nombre: $1 (${LPNAME}); recurso: ${SHARENAME}; puerto: ${PORTNAME}; driver: ${DRIVERNAME}; localización: ${LOCATION_OLD} (${LOCATION_NEW}); localización Win9X: ${LOCATIONWIN9X}..."

    # Add the printer
    /usr/sbin/lpadmin -p "${SHARENAME}" -D "${DRIVERNAME}" -E -v "${LOCATION_NEW}"

    # Reload the Samba configuration
    /etc/init.d/smb reload

} 2>&1 | logger -t SMB_PRINTER_ADD



The printer is recognized correctly in the wizard, but when I press
the Finish button, I always get "Access denied", although the printer
has been created correctly in /etc/printcap. What am I doing wrong?

Regards.

Re: [Samba] Samba printer management commands

2010-12-16 Thread Juan Asensio Sánchez
Well, I realized that the script is not executed, nor is the printer
created... I am stuck. This is the complete configuration:

[global]
unix charset = LOCALE
workgroup = 
netbios name = 
server string = Controlador de dominio %h de %D
passdb backend = ldapsam:ldaps://XXX
log level = 2
syslog = 0
log file = /var/log/samba/%m.trace
max log size = 1000
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Share management options
add share command= /bin/bash /opt/ldap/samba/smb_share_add.sh
change share command = /bin/bash /opt/ldap/samba/smb_share_add.sh
delete share command = /bin/bash /opt/ldap/samba/smb_share_del.sh

# Print management options
add printer command= /bin/bash /opt/ldap/samba/smb_printer_add.sh
delete printer command = /bin/bash /opt/ldap/samba/smb_printer_del.sh
printcap cache time   = 60

logon script = logon.cmd
logon path =
logon home =
domain logons = Yes

os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
name resolve order = wins lmhosts hosts bcast

ldap admin dn = XXX
ldap group suffix = 
ldap machine suffix = XXX
ldap passwd sync = Yes
ldap suffix = X
ldap ssl = Off
template shell = /bin/bash
invalid users = root
map acl inherit = yes
ntlm auth = yes
enable privileges = yes

[homes]
comment = Directorio personal del usuario %u
root preexec = /bin/bash /opt/ldap/samba/mkhomedir.sh %u
read only = no


[printers]
comment = Impresoras
path = /var/spool/samba
printing = cups
printable = yes


[print$]
comment = Controladores de impresión
path = /var/lib/samba/printing
read only = no

Regards and thanks in advance.

El día 16 de diciembre de 2010 10:15, Juan Asensio Sánchez
 escribió:
> Hi
>
> I am trying to setup remote printer management commands, so the users
> could add and delete printers from "Printers" share of Samba in
> Windows. I have this script, that is launched using an administrator
> account, when I add a printer from there, using a new TCP/IP port:
>
> 
>
> #!/bin/bash
>
> {
>
>        ##
>        # Parameters
>        ##
>
>        # Printer name
>        LPNAME=$(echo "$1" | iconv -t ascii//translit | sed --regexp-extended 's/\s+/_/g')
>
>        # Share name
>        SHARENAME=$2
>
>        # Port name
>        PORTNAME=$3
>
>        # Driver name
>        DRIVERNAME=$4
>
>        # Location
>        LOCATION_OLD=$5
>
>        # Location in Windows 95
>        LOCATIONWIN9X=$6
>
>        # Check the location syntax, and add the default protocol if it has none
>        if [[ ! ${LOCATION_OLD} =~ ":/" ]]
>        then
>                LOCATION_NEW="lpd://${LOCATION_OLD}"
>        else
>                LOCATION_NEW="${LOCATION_OLD}"
>        fi
>
>        # Show message
>        echo "Añadiendo impresora. Nombre: $1 (${LPNAME}); recurso: ${SHARENAME}; puerto: ${PORTNAME}; driver: ${DRIVERNAME}; localización: ${LOCATION_OLD} (${LOCATION_NEW}); localización Win9X: ${LOCATIONWIN9X}..."
>
>        # Add the printer
>        /usr/sbin/lpadmin -p "${SHARENAME}" -D "${DRIVERNAME}" -E -v "${LOCATION_NEW}"
>
>
>        # Reload the Samba configuration
>        /etc/init.d/smb reload
>
> } 2>&1 | logger -t SMB_PRINTER_ADD
>
> 
>
> The printer is recognized correctly in the wizard, but when I press
> the Finish button, I always get "Access denied", although the printer
> has been created correctly in /etc/printcap. What am I doing wrong?
>
> Regards.
>

[Samba] Samba File Server as Domain Member of Samba PDC

2011-01-27 Thread Juan Asensio Sánchez
Hi

We have configured 2 PDC Samba (v3.0.33, sambapdc1 and sambapdc2)
servers using LDAP (389 DS v1.2.5) as its database backend. If I run
"net rpc user -U" from these servers I get all groups in LDAP.
These servers are working fine for a long time.

Now I have configured a file server (not logon server, sambafs1), as a
member of the domain served by those servers (this with v3.3.8). I
have configured the LDAP client, so I can do "getent passwd" and
"getent group" and I see all objects from LDAP. Next, I have
configured Samba with this conf:

[global]
unix charset = LOCALE
workgroup = X.Y
server string = Samba FS X.Y - Z

security = domain
encrypt passwords = yes
password server = sambapdc1 sambapdc2
wins server = sambapdc1 sambapdc2

syslog = 0
log level = 2
#log level = 20
log file = /var/log/samba/%m.trace
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Share management options
add share command= /bin/bash /opt/ldap/samba/smb_share_add.sh
change share command = /bin/bash /opt/ldap/samba/smb_share_add.sh
delete share command = /bin/bash /opt/ldap/samba/smb_share_del.sh

map acl inherit = Yes

Next, I have joined the Samba FS in the domain, using the command "net
rpc join -UXX", without any errors. Now, If I run "net rpc group
-S sambafs1 -UX", I get no groups. Is this normal? As Samba can't
see any groups, I cannot assign privileges using "net rpc rights
grant", so users can manage shares from Windows using the add, change
and delete share commands.

Thanks in advance. Regards,

Re: [Samba] Samba File Server as Domain Member of Samba PDC

2011-01-28 Thread Juan Asensio Sánchez
OK, thanks both for your answers. I am not using Winbind, because (I
think) Winbind does the same as configuring the ldap client on the
server, as I can see with "getent passwd" and "getent group" all
objects in LDAP.

> Do you use winbind? If not, you should create a local admin user:

Why can't I use a domain account member of administrators group?

Anyway, I added a local root account as you said. When I type:


[root@sambafs1 ~]# net rpc rights grant "X.Y\Administradores"
SeAddUsersPrivilege -U "sambafs1\root"
Enter sambafs1\root's password:
Successfully granted rights.

[root@sambafs1 ~]# net rpc rights list privileges SeAddUsersPrivilege
-U "sambafs1\root"
Enter sambafs1\root's password:
SeAddUsersPrivilege:
  BUILTIN\Administrators
  Unix Group\Administradores

I got "Unix Group\Administradores"; shouldn't it be
"X.Y\Administradores"?

Regards.


On 28 January 2011 at 14:19, TAKAHASHI Motonobu wrote:
> 2011/1/28 Juan Asensio Sánchez :
>> We have configured 2 PDC Samba (v3.0.33, sambapdc1 and sambapdc2)
>> servers using LDAP (389 DS v1.2.5) as its database backend. If I run
>> "net rpc user -U" from these servers I get all groups in LDAP.
>> These servers are working fine for a long time.
>>
>> Now I have configured a file server (not logon server, sambafs1), as a
>> member of the domain served by those servers (this with v3.3.8). I
>> have configured the LDAP client, so I can do "getent passwd" and
>> "getent group" and I see all objects from LDAP. Next, I have
>> configured Samba with this conf:
> (snip)
>> Next, I have joined the Samba FS in the domain, using the command "net
>> rpc join -UXX", without any errors. Now, If I run "net rpc group
>> -S sambafs1 -UX", I get no groups. Is this normal? As Samba can't
>> see any groups, I cannot assign privileges using "net rpc rights
>> grant", so users can manage shares from Windows using the add, change
>> and delete share commands.
>
> This is an expected behavior.
>
> "net rpc group -S sambafs1 -UX" returns local groups defined on
> sambafs1, not
> domain groups.
>
> Recently (3.0.24 and after) no groups are defined by default. so you
> should get no
> (local) groups.
>
>> I cannot assign privileges using "net rpc rights grant"
>
> Do you use winbind? If not, you should create a local admin user:
>
>  sambafs1# pdbedit -a root
>
> And try like:
>  sambafs1# net rpc rights grant  DOMAINNAME\\USERNAME
> SeAddUsersPrivilege -U sambafs1\\root
>
> ---
> TAKAHASHI Motonobu 
>

[Samba] LDAP Samba Schema

2008-05-19 Thread Juan Asensio Sánchez
Hi

I am trying to use Postfix to expand the members of the LDAP Samba
groups. Because the Samba groups have only the uid of the member
(memberUid), not the full dn (memberdn or uniquemember), the expansion
for use in Postfix cannot be done. My question is if Samba (with
smbldap-tools) is able to store the full dn of the members in the
group attributes (I have read about rfc2307bis.schema, or
samba3.schema, but not much information), so Samba, LDAP and Postfix
could live together.

Thanks in advance.


Fwd: [Samba] Transferring Local User Profiles When Joining Domain

2008-05-27 Thread Juan Asensio Sánchez
-- Forwarded message --
From: Juan Asensio Sánchez <[EMAIL PROTECTED]>
Date: 2008/5/28
Subject: Re: [Samba] Transferring Local User Profiles When Joining Domain
To: [EMAIL PROTECTED]


See last question on http://mds.mandriva.org/wiki/MdsFaq

Regards.

2008/5/27 John H Terpstra <[EMAIL PROTECTED]>:
> On Tuesday 27 May 2008 02:29:35 pm Leandro Tracchia wrote:
>> i have about a dozen users who i would like to join to the samba domain
>> (pdc). how can i preserve their existing local windows xp user profiles
>> when they join the domain??? this is a big issue because i want my users to
>> experience this migration as easy as possible and not notice anything
>> different.
>
> Migrate the profiles to your Samba domain using the tools Microsoft provides.
>
> 1. Log onto the PC that has the profile.
> 2. Join the Samba domain.
> 3. Log onto the PC as the domain administrator (root, or whatever you have
> called this account)
> 4. Click: Start
> 5. Right-click on My Computer, select Properties, select Advanced, select User
> Profiles
> 6. click on the user profile you wish to migrate
> 7. Click on CopyTo, and follow the prompts.
>
> Make sure you give the new domain user account full access control to the
> profile before you copy it to the Samba PDC profile share.
>
> Not very difficult is it?
>
> - John T.
>


[Samba] samba-tool domain classicupgrade with LDAP backend

2013-01-03 Thread Juan Asensio Sánchez
Hi

I am testing the migration from our actual Samba domain, based on Samba
3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and I
have successfully compiled it. Now I am running the classicupgrade command,
but I am getting some errors.

The first of them is that the script is ignoring the "ldap group suffix"
parameter in smb.conf, and is always searching in the "ldap suffix".
Because our LDAP database is very big, the script is getting a timeout as
all groups are not received in time. I have changed the timeout and
timelimit values in ldap.conf to 300, but they are also being ignored. This
is the output of the script:

[root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf
--dbdir ~/sambav3/private --realm XX.TEST
Reading smb.conf
Processing section "[netlogon]"
Processing section "[unixscripts]"
Provisioning
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XX.SACYL))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: XX$
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XX.SACYL))]
smbldap_open_connection: connection opened
Exporting account policy
Exporting groups
ldapsam_setsamgrent: LDAP search failed: Timed out
ldapsam_enum_group_mapping: Unable to open passdb
ERROR(): uncaught exception - Unable to enumerate
group mappings, (-1073741790,Access denied)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 635, in upgrade_from_samba3
grouplist = s3db.enum_group_mapping()


And this is the LDAP access LOG:

[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH
base="dc=XX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)"
attrs="gidNumber sambaSID sambaGroupType sambaSIDList description
displayName cn objectClass"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1

dc=XX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
it should. Any ideas how to fix these problems and continue with the tests?

Regards and thanks in advance,
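
The access-log excerpt in the message above shows a subtree search (scope=2) at the root suffix, filtered only on objectClass, with the connection unbinding 15 seconds later. As an added example (not part of the original post, and not Samba or 389 DS code), this Python script flags that pattern in 389 DS access-log text; the sample lines, DNs, connection numbers and function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample modelled on the access-log lines quoted in the post
# (each record joined back onto one line; DNs and conn numbers are invented).
SAMPLE_LOG = """\
[03/Jan/2013:10:58:00 +0100] conn=101 op=4 SRCH base="ou=Groups,o=suborg1,dc=example,dc=org" scope=1 filter="(&(objectClass=sambaGroupMapping)(gidNumber=10003))" attrs="sambaSID"
[03/Jan/2013:10:58:00 +0100] conn=101 op=5 UNBIND
[03/Jan/2013:10:58:01 +0100] conn=102 op=13 SRCH base="dc=example,dc=org" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID cn"
[03/Jan/2013:10:58:16 +0100] conn=102 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=102 op=14 fd=73 closed - U1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+)(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# One simple filter item such as (uid=*) or (ou:dn:=People).
ASSERTION_RE = re.compile(r'\(([A-Za-z][\w;.:-]*)[~<>]?=([^()]*)\)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Turn one access-log record into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    verb = rest.split(" ", 1)[0] if rest else ""
    if not (verb.isalpha() and verb.isupper()):
        verb = "OTHER"  # e.g. the 'fd=73 closed - U1' record
    fields = {k: (u if u else q) for k, q, u in KV_RE.findall(rest)}
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "verb": verb,
        "fields": fields,
    }


def normalize_dn(dn):
    """Case-fold and trim a DN for comparison (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_broad_filter(ldap_filter):
    """True when every test is on objectClass or is a presence test (attr=*)."""
    tests = ASSERTION_RE.findall(ldap_filter)
    return bool(tests) and all(
        attr.lower() == "objectclass" or value == "*" for attr, value in tests
    )


def find_broad_searches(log_text, root_suffix):
    """Report subtree searches at the root suffix that use a broad filter."""
    root = normalize_dn(root_suffix)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["verb"] != "SRCH":
            continue
        f = ev["fields"]
        if f.get("scope") != "2" or normalize_dn(f.get("base", "")) != root:
            continue
        if not is_broad_filter(f.get("filter", "")):
            continue
        # The next record on the same connection shows how the search ended.
        nxt = next((e for e in events[i + 1:] if e["conn"] == ev["conn"]), None)
        findings.append({
            "conn": ev["conn"],
            "op": ev["op"],
            "filter": f["filter"],
            "seconds_to_next_event": (nxt["ts"] - ev["ts"]).total_seconds() if nxt else None,
            "ended_with": nxt["verb"] if nxt else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_broad_searches(SAMPLE_LOG, "dc=example,dc=org"):
        print(finding)
```

A finding whose `ended_with` is `UNBIND` rather than `RESULT` means the client gave up before the server answered, which matches the "Timed out" message in the tool output.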


Re: [Samba] samba-tool domain classicupgrade with LDAP backend

2013-01-03 Thread Juan Asensio Sánchez
Hi again

Well, finally I got it, adding "ldap timeout" to smb.conf. Now I am getting
another error when running the domain classicupgrade command of samba-tool:

...
init_sam_from_ldap: Entry found for user: 
init_sam_from_ldap: Entry found for user: $
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XXX.XXX.XX' - LDAP client
internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXX.XXX.XX' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXX.XXX.XX, the error
message is: (1, None)
Exporting posix attributes
ERROR(): uncaught exception - local
variable 'ldb_object' referenced before assignment
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 800, in upgrade_from_samba3
homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object,
base_dn, username, "homeDirectory")


I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
can ping and telnet the server XXX.XXX.XX in port 389 (previously
it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
the error); indeed, the script has obtained all groups and users
previously...

Any ideas?




2013/1/3 Juan Asensio Sánchez 

> Hi
>
> I am testing the migration from our actual Samba domain, based on Samba
> 3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and
> I have successfully compiled it. Now I am running the classicupgrade
> command, but I am getting some errors.
>
> The first of them is that the script is ignoring the "ldap group suffix"
> parameter in smb.conf, and is always searching in the "ldap suffix".
> Because our LDAP database is very big, the script is getting a timeout as
> all groups are not received in time. I have changed the timeout and
> timelimit values in ldap.conf to 300, but they are also being ignored. This
> is the output of the script:
>
> [root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf
> --dbdir ~/sambav3/private --realm XX.TEST
> Reading smb.conf
> Processing section "[netlogon]"
> Processing section "[unixscripts]"
> Provisioning
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=XX.SACYL))]
> smbldap_open_connection: connection opened
> init_sam_from_ldap: Entry found for user: XX$
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=XX.SACYL))]
> smbldap_open_connection: connection opened
> Exporting account policy
> Exporting groups
> ldapsam_setsamgrent: LDAP search failed: Timed out
> ldapsam_enum_group_mapping: Unable to open passdb
> ERROR(): uncaught exception - Unable to enumerate
> group mappings, (-1073741790,Access denied)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
> 1318, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
> line 635, in upgrade_from_samba3
> grouplist = s3db.enum_group_mapping()
>
>
> And this is the LDAP access LOG:
>
> [03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH
> base="dc=XX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)"
> attrs="gidNumber sambaSID sambaGroupType sambaSIDList description
> displayName cn objectClass"
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
>
> dc=XX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
> it should. Any ideas how to fix these problems and continue with the tests?
>
> Regards and thanks in advance,
>

Re: [Samba] samba-tool domain classicupgrade with LDAP backend

2013-01-03 Thread Juan Asensio Sánchez
Hi

I forgot to explain my scenario... I have one Samba3 test-production with
LDAP backend (it's a test server, but used intensively), so to make the
tests I created a new virtual machine in a separated/isolated network. This
is a clean CentOS 6.3 machine, just installed the compile dependencies and
then compile and install Samba; I didn't modify resolv.conf, neither
nscd.conf, so the name resolution is using an "official" DNS server. After
posting the message, I continued investigating and I found this message
https://lists.samba.org/archive/samba-technical/2012-September/086979.html,
where the user reports the same problem as me. The solution there is to
use the IP address instead of the DNS name, and he says that the problem
can be due to his configuration, but I have the same problem... so I could
think this is a bug, not a server configuration problem (I can connect
perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the
script retrieves correctly the users, but only fails when exporting the
Posix attributes).

The problem with us about "ldap group suffix" is that our LDAP has multiple
organizations, each one with their own users and groups:

dc=myorg,dc=es
- o=suborg1,dc=myorg,dc=es
- - ou=People,o=suborg1,dc=myorg,dc=es
- - ou=Groups,o=suborg1,dc=myorg,dc=es
- o=suborg2,dc=myorg,dc=es
- - ou=People,o=suborg2,dc=myorg,dc=es
- - ou=Groups,o=suborg2,dc=myorg,dc=es
...

So, in our Samba3 configuration we have "ldap suffix" to "dc=myorg,dc=es"
but "ldap group suffix" to "ou=Groups,o=suborg1" (for the Samba3 domain
controller for suborg1; each suborganization has its own domain under its
tree and its own domain controller using that domain). Then, all users
(from any suborganization) can login in any organization/domain/domain
controller (we have resolved the problem with SIDs from one domain to
another using a plugin in the 389DS LDAP server).

Our target (and here comes my big doubt) is to configure Samba4 to host
multiple domains under the same forest, replicating our current environment
and establishing trust relationships between the domains. Is this possible?
How should I do it?

Regards again, and thanks for your help.




2013/1/4 Andrew Bartlett 

> On Thu, 2013-01-03 at 12:52 +0100, Juan Asensio Sánchez wrote:
> > Hi again
> >
> > Well, finally I got it, adding "ldap timeout" to smb.conf.
>
> Good.  The 'ldap suffix' is used because while we write new groups under
> 'ldap group suffix' we always search under 'ldap suffix' for all
> objects.  That is, it is a default, not a restriction.
>
> This hasn't changed in a number of releases, and the 'passdb' code used
> as the upgrade source is actually the same code that powers the classic
> DC implementation.
>
> > Now I am getting
> > another error when running the domain classicupgrade command of
> samba-tool:
>
>
> > ...
> > init_sam_from_ldap: Entry found for user: 
> > init_sam_from_ldap: Entry found for user: $
> > Next rid = 12801001
> > Failed to connect to ldap URL 'ldap://XXX.XXX.XX' - LDAP client
> > internal error: NT_STATUS_BAD_NETWORK_NAME
> > Failed to connect to 'ldap://XXX.XXX.XX' with backend 'ldap':
> (null)
> > Could not open ldb connection to ldap://XXX.XXX.XX, the error
> > message is: (1, None)
> > Exporting posix attributes
> > ERROR(): uncaught exception - local
> > variable 'ldb_object' referenced before assignment
> >   File
> > "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> >   File
> > "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py",
> line
> > 1318, in run
> > useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> >   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
> > line 800, in upgrade_from_samba3
> > homes[username] = get_posix_attr_from_ldap_backend(logger,
> ldb_object,
> > base_dn, username, "homeDirectory")
> >
> >
> > I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
> > can ping and telnet the server XXX.XXX.XX in port 389 (previously
> > it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
> > the error); indeed, the script has obtained all groups and users
> > previously...
>
> In this second stage of the migration, we use the ldb API and ldb's
> ildap driver (a new implementation of an LDAP client) to connect to the
> server.  We do this in the hope of migrating some ext

Re: [Samba] samba-tool domain classicupgrade with LDAP backend

2013-01-04 Thread Juan Asensio Sánchez
Hi


2013/1/4 Andrew Bartlett 

> On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> > Hi
> >
> >
> > I forgot to explain my scenario... I have one Samba3 test-production
> > with LDAP backend (it's a test server, but used intensively), so to
> > make the tests I created a new virtual machine in a separated/isolated
> > network. This is a clean CentOS 6.3 machine, just installed the
> > compile dependencies and then compile and install Samba; I didn't
> > modify resolv.conf, neither nscd.conf, so the name resolution is using
> > an "official" DNS server. After posting the message, I continued
> > investigating and I found this message
> >
> https://lists.samba.org/archive/samba-technical/2012-September/086979.html,
> where the user reports the same problem as me. The solution there is to
> use the IP address instead of the DNS name, and he says that the problem
> can be due to his configuration, but I have the same problem... so I could
> think this is a bug, not a server configuration problem (I can connect
> perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the
> script retrieves correctly the users, but only fails when exporting the
> Posix attributes).
>
> What is your 'name resolve order' parameter set to?
>
>
name resolve order = wins lmhosts hosts bcast

(Samba3 is not installed in the new virtual machine, just copied smb.conf
and tdb files; smb.conf is configured to make the server act as a PDC using
the LDAP server in other machine)



> > The problem with us about "ldap group suffix" is that our LDAP has
> > multiple organizations, each one with their own users and groups:
> >
> >
> > dc=myorg,dc=es
> >
> > - o=suborg1,dc=myorg,dc=es
> >
> > - - ou=People,o=suborg1,dc=myorg,dc=es
> > - - ou=Groups,o=suborg1,dc=myorg,dc=es
> > - o=suborg2,dc=myorg,dc=es
> > - - ou=People,o=suborg2,dc=myorg,dc=es
> > - - ou=Groups,o=suborg2,dc=myorg,dc=es
> > ...
> >
> >
> > So, in our Samba3 configuration we have "ldap suffix" to
> > "dc=myorg,dc=es" but "ldap group suffix" to "ou=Groups,o=suborg1" (for
> > the Samba3 domain controller for suborg1; each suborganization has its
> > own domain under its tree and its own domain controller using that
> > domain). Then, all users (from any suborganization) can login in any
> > organization/domain/domain controller (we have resolved the problem
> > with SIDs from one domain to another using a plugin in the 389DS LDAP
> > server).
>
> why is your ldap suffix 'dc=myorg,dc=es' and not
> 'o=suborg1,dc=myorg,dc=es'?
>

Because we want all users from the rest of the organizations to be able to
log in to any domain, the user search base is set to the entire organization,
but the group search base is set to the group from the organization; so, the
users are global to the organization (from the point of view of Samba, as they
really are in the ou=People,o=X,dc=myorg,dc=es), but groups (and
machines) are local to the suborganization (users SIDs are changed
dynamically to match the SambaSid of the domain where the user is logging
in, although he belongs to another domain; the path to 389DS LDAP Server I
refer previously). This is a requisite of the client.


>
> Either way, the migration script expects a directory layout at least
> somewhat near the typical described in our documentation and populated
> with either the ldapsam:editposix tool or smbldap-tools.  As you move
> beyond that, the ability of a standardised script to cope drastically
> decreases.
>
> I'm very happy for the script to try and cope with more diverse
> configurations, if you wish to propose patches however.  I'm keen for it
> to import any additional attributes for which we have matching schema,
> for example (not just the posix attributes).
>
>
I know the particularities of our organization, so I don't expect the
script to match all our requisites. As you said, we have made a lot of
modifications in the source LDAP schema, so we would need to write
additional scripts to add the schema and re-sync the new object classes and
attributes to the users in Samba4.



> > Our target (and here comes my big doubt) is to configure Samba4 to
> > host multiple domains under the same forest, replicating our current
> > environment and establishing trust relationships between the domains.
> > Is this possible? How should I do it?
>
> Samba as an AD DC does not support either being or hosting a subdomain,
> nor the trust relationships needed between those domains.  This remains
> a future development task.
>
> A small amount of support exists 

[Samba] Samba4 domain classicupgrade "conversion not supported"

2013-01-04 Thread Juan Asensio Sánchez
Hi

I am running the "samba-tool domain classicupgrade", and after solving some
problems (thread
http://lists.samba.org/archive/samba/2013-January/170777.html), now I am
getting this error:

# samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
XX.YY.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9

...
init_sam_from_ldap: Entry found for user: XX
init_sam_from_ldap: Entry found for user: XX$
Next rid = 12801001
Exporting posix attributes
Reading WINS database
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
doing parameter idmap_ldb:use rfc2307 = yes
Processing section "[netlogon]"
doing parameter path =
/usr/local/samba/var/locks/sysvol/x.y.test/scripts
doing parameter read only = No
Processing section "[sysvol]"
add_a_service: Creating snum = 2 for sysvol
doing parameter path = /usr/local/samba/var/locks/sysvol
doing parameter read only = No
pm_process() returned Yes
lp_servicenumber: couldn't find homes
Initialising default vfs hooks
Successfully added vfs backend 'posixacl'
Successfully added vfs backend '/[Default VFS]/'
Successfully added vfs backend 'dfs_samba4'
Initialising custom vfs hooks from [/[Default VFS]/]
Successfully loaded vfs module [/[Default VFS]/] with the new modules system
Initialising custom vfs hooks from [acl_xattr]
vfs module [acl_xattr] not loaded - trying to load...
Loading module 'acl_xattr'
Loading module 'acl_xattr': Trying to load from
/usr/local/samba/lib/vfs/acl_xattr.so
Module 'acl_xattr' loaded
Successfully added vfs backend 'acl_xattr'
Successfully loaded vfs module [acl_xattr] with the new modules system
Initialising custom vfs hooks from [dfs_samba4]
Successfully loaded vfs module [dfs_samba4] with the new modules system
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Successfully loaded vfs module [/[Default VFS]/] with the new modules system
Initialising custom vfs hooks from [acl_xattr]
Successfully loaded vfs module [acl_xattr] with the new modules system
Initialising custom vfs hooks from [dfs_samba4]
Successfully loaded vfs module [dfs_samba4] with the new modules system
Setting up share.ldb
lpcfg_servicenumber: couldn't find ldb
Setting up secrets.ldb
lpcfg_servicenumber: couldn't find ldb
lpcfg_servicenumber: couldn't find ldb
Setting up the registry
ldb: no modules required by the db
ldb: No modules specified for this database
ldb_wrap open of hklm.ldb
ldb: start ldb transaction (nesting: 0)
ldb: commit ldb transaction (nesting: 0)
Key 'key=SOFTWARE,hive=NONE' not found
key added: key=SOFTWARE,hive=NONE
Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
Key 'key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE
About to write CurrentVersion with type (null), length 3: 6.1
convert_string_talloc: Conversion not supported.
Error converting string to value for line:
"CurrentVersion"
ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 841, in upgrade_from_samba3
use_ntvfs=use_ntvfs, skip_sysvolacl=True)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
line 2012, in provision
setup_registry(paths.hklm, session_info, lp=lp)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py",
line 939, in setup_registry
reg.diff_apply(provision_reg)
The connection to the LDAP server was closed


I think the problem is:

About to write CurrentVersion with type (null), length 3: 6.1
convert_string_talloc: Conversion not supported.

Type null? Is the suffix hive=NONE normal? What is the conversion that
generates the error?

Regards.


Re: [Samba] [PATCH] Re: samba-tool domain classicupgrade with LDAP backend

2013-01-04 Thread Juan Asensio Sánchez
Hi Andrew

Unfortunately, after applying the patch, recompiling, uninstalling and
installing again, I am getting the same error:

# cd ~/samba-4.0.0
# patch -p1 <
~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
# make uninstall && rm -Rf /usr/local/samba/ && make clean && make && make
install
# samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9

...
init_sam_from_ldap: Entry found for user: XXX
init_sam_from_ldap: Entry found for user: XXX$
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XX.X.es' - LDAP client
internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XX.X.es' with backend 'ldap': (null)
Could not open ldb connection to ldap://XX.X.es, the error message
is: (1, None)
Exporting posix attributes
ERROR(): uncaught exception - local
variable 'ldb_object' referenced before assignment
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 800, in upgrade_from_samba3
homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object,
base_dn, username, "homeDirectory")

Regards.



2013/1/4 Andrew Bartlett 

> On Fri, 2013-01-04 at 10:18 +0100, Juan Asensio Sánchez wrote:
> > Hi
> >
> >
> > 2013/1/4 Andrew Bartlett 
> > On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> > > Hi
> > >
> > >
> >
> > > I forgot to explain my scenario... I have one Samba3
> > test-production
> > > with LDAP backend (it's a test server, but used
> > intensively), so to
> > > make the tests I created a new virtual machine in a
> > separated/isolated
> > > network. This is a clean CentOS 6.3 machine, just installed
> > the
> > > compile dependencies and then compile and install Samba; I
> > didn't
> > > modify resolv.conf, neither nscd.conf, so the name
> > resolution is using
> > > an "official" DNS server. After posting the message, I
> > continued
> > > investigating and I found this message
> > >
> >
> https://lists.samba.org/archive/samba-technical/2012-September/086979.html,
> where the user reports the same problem as me. The solution there is to
> use the IP address instead of the DNS name, and he says that the problem
> can be due to his configuration, but I have the same problem... so I could
> think this is a bug, not a server configuration problem (I can connect
> perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the
> script retrieves correctly the users, but only fails when exporting the
> Posix attributes).
> >
> >
> > What is your 'name resolve order' parameter set to?
> >
> >
> >
> > name resolve order = wins lmhosts hosts bcast
>
> Thanks, that is the clue I needed.  The attached patch should help.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>

Re: [Samba] [PATCH] Re: samba-tool domain classicupgrade with LDAP backend

2013-01-09 Thread Juan Asensio Sánchez
Hi Andrew

These are the new results. After running the classicupgrade with "log level
= 10" this is the output:

# cd ~/samba-4.0.0
# patch -p1 <
~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
# patch -p1 <
~/0001-samba-tool-domain-classicupgrade-Make-failure-to-con.patch
# make uninstall && rm -Rf /usr/local/samba/ && make clean && make && make
install
# samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
MYSUBORG1.MYORG.TEST --use-xattrs=yes ~/sambav3/smb.conf


Looking up login cache for user somecomputeraccount$
No cache entry found
No cache entry, bad count = 0, bad time = 0
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter =>
[(&(sambaSid=S-1-5-21-2808594902-4197342290-404042715-31036)(|(objectClass=sambaGroupMapping)(objectClass=sambaSamAccount)))],
scope => [2]
attribute sambaGroupType does not exist
Adding cache entry with key =
IDMAP/SID2XID/S-1-5-21-55-666-7-31036 and timeout =
Wed Jan 16 09:36:19 2013
 (604800 seconds ahead)
Adding cache entry with key = IDMAP/UID2SID/15018 and timeout = Wed Jan 16
09:36:19 2013
 (604800 seconds ahead)
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter =>
[(&(objectClass=posixGroup)(|(memberUid=somecomputeraccount$)(gidNumber=10003)))],
scope => [2]
Next rid = 12801001
Failed to connect to ldap URL 'ldap://ldappruebas.myorg.es' - LDAP client
internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldappruebas.myorg.es' with backend 'ldap':
(null)
Could not open ldb connection to ldap://ldappruebas.myorg.es, the error
message is: (1, None)
Exporting posix attributes
smbldap_search_paged: base => [o=mysuborg1,dc=myorg,dc=es], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter =>
[(&(uid=*)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_paged: search was successful
"description" not found
"description" not found
[...lots of same line...]
"description" not found
"description" not found
ERROR(): uncaught exception - local
variable 'ldb_object' referenced before assignment
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 800, in upgrade_from_samba3
homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object,
base_dn, username, "homeDirectory")
The connection to the LDAP server was closed


I don't see any additional relevant information... The ldbsearch command
works fine:

# ldbsearch -b "dc=myorg,dc=es" -H
ldap://ldappruebas.myorg.es --simple-bind-dn="cn=readonlyuser"
--password= "(uid=someuser)" uid

# the results...


After applying the second patch, when the connection fails the exporting
posix attributes step doesn't start.


Next rid = 12801001
Failed to connect to ldap URL 'ldap://ldappruebas.myorg.es' - LDAP client
internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldappruebas.myorg.es' with backend 'ldap':
(null)
ERROR(): uncaught exception - __init__() takes
exactly 2 arguments (4 given)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 790, in upgrade_from_samba3
raise ProvisioningError("Could not open ldb connection to %s, the error
message is: %s", url, e)
The connection to the LDAP server was closed


I don't know what more to test...

Regards and thanks again.




2013/1/8 Andrew Bartlett 

> On Tue, 2013-01-08 at 18:42 +1100, Andrew Bartlett wrote:
> > On Fri, 2013-01-04 at 12:53 +0100, Juan Asensio Sánchez wrote:
> > > Hi Andrew
> > >
> > >
> > > Unfortunately, after applying the patch, recompile, uninstall and
> > > install again, I am getting the same error:
> > >
> > > # cd ~/samba-4.0.0
> > > # patch -p1 <
> > > ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
> > > # make uninstall && rm -Rf /usr/local/samba/ && make clean && make &&
> > > make install
> > &
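
The two tracebacks in the message above, reduced to a minimal reproduction. This is an added example, not Samba's code: `connect`, the `export_*` functions and the LDAP URL are hypothetical, and the stand-in `ProvisioningError` is assumed to take a single value, as the "takes exactly 2 arguments (4 given)" message implies.

```python
class ProvisioningError(Exception):
    # Stand-in (assumption): takes one value, as the
    # "takes exactly 2 arguments (4 given)" message implies.
    def __init__(self, value):
        Exception.__init__(self, value)

def connect(url):
    # Constructed stub: always fails, like the unreachable LDAP URL.
    raise RuntimeError("(1, None)")

def export_unpatched(url, users):
    # First traceback: the failure is only logged, so ldb_object is
    # never bound when the export loop uses it.
    try:
        ldb_object = connect(url)
    except Exception as e:
        print("Could not open ldb connection to %s: %s" % (url, e))
    homes = {}
    for username in users:
        homes[username] = (ldb_object, username)
    return homes

def export_logging_style_raise(url, users):
    # Second traceback: logging-style arguments handed to an
    # exception constructor that accepts a single value.
    try:
        ldb_object = connect(url)
    except Exception as e:
        raise ProvisioningError("Could not open ldb connection to %s, "
                                "the error message is: %s", url, e)
    return dict((u, (ldb_object, u)) for u in users)

def export_fixed(url, users):
    # Format the message before raising: the caller sees the real
    # connection error and the export step never starts.
    try:
        ldb_object = connect(url)
    except Exception as e:
        msg = "Could not open ldb connection to %s, the error message is: %s"
        raise ProvisioningError(msg % (url, e))
    return dict((u, (ldb_object, u)) for u in users)

def outcome(func):
    # Exception class name and message produced by one variant.
    try:
        func("ldap://ldap.example.test", ["someuser"])
    except Exception as e:
        return type(e).__name__, str(e)
    return "ok", ""
```

In the first two variants the exception that reaches the operator names a Python error rather than the connection failure, which is why both tracebacks hide the NT_STATUS_BAD_NETWORK_NAME cause logged just before them.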

Re: [Samba] Samba4 domain classicupgrade "conversion not supported"

2013-01-12 Thread Juan Asensio Sánchez
Anyone?


2013/1/4 Juan Asensio Sánchez 

> Hi
>
> I am running the "samba-tool domain classicupgrade", and after solving
> some problems (thread
> http://lists.samba.org/archive/samba/2013-January/170777.html), now I am
> getting this error:
>
> # samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
> XX.YY.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9
>
> ...
> init_sam_from_ldap: Entry found for user: XX
> init_sam_from_ldap: Entry found for user: XX$
> Next rid = 12801001
> Exporting posix attributes
> Reading WINS database
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> INFO: Current debug levels:
>   all: 9
>   tdb: 9
>   printdrivers: 9
>   lanman: 9
>   smb: 9
>   rpc_parse: 9
>   rpc_srv: 9
>   rpc_cli: 9
>   passdb: 9
>   sam: 9
>   auth: 9
>   winbind: 9
>   vfs: 9
>   idmap: 9
>   quota: 9
>   acls: 9
>   locking: 9
>   msdfs: 9
>   dmapi: 9
>   registry: 9
> doing parameter idmap_ldb:use rfc2307 = yes
> Processing section "[netlogon]"
> doing parameter path =
> /usr/local/samba/var/locks/sysvol/x.y.test/scripts
> doing parameter read only = No
> Processing section "[sysvol]"
> add_a_service: Creating snum = 2 for sysvol
> doing parameter path = /usr/local/samba/var/locks/sysvol
> doing parameter read only = No
> pm_process() returned Yes
> lp_servicenumber: couldn't find homes
> Initialising default vfs hooks
> Successfully added vfs backend 'posixacl'
> Successfully added vfs backend '/[Default VFS]/'
> Successfully added vfs backend 'dfs_samba4'
> Initialising custom vfs hooks from [/[Default VFS]/]
> Successfully loaded vfs module [/[Default VFS]/] with the new modules
> system
> Initialising custom vfs hooks from [acl_xattr]
> vfs module [acl_xattr] not loaded - trying to load...
> Loading module 'acl_xattr'
> Loading module 'acl_xattr': Trying to load from
> /usr/local/samba/lib/vfs/acl_xattr.so
> Module 'acl_xattr' loaded
> Successfully added vfs backend 'acl_xattr'
> Successfully loaded vfs module [acl_xattr] with the new modules system
> Initialising custom vfs hooks from [dfs_samba4]
> Successfully loaded vfs module [dfs_samba4] with the new modules system
> Initialising default vfs hooks
> Initialising custom vfs hooks from [/[Default VFS]/]
> Successfully loaded vfs module [/[Default VFS]/] with the new modules
> system
> Initialising custom vfs hooks from [acl_xattr]
> Successfully loaded vfs module [acl_xattr] with the new modules system
> Initialising custom vfs hooks from [dfs_samba4]
> Successfully loaded vfs module [dfs_samba4] with the new modules system
> Setting up share.ldb
> lpcfg_servicenumber: couldn't find ldb
> Setting up secrets.ldb
> lpcfg_servicenumber: couldn't find ldb
> lpcfg_servicenumber: couldn't find ldb
> Setting up the registry
> ldb: no modules required by the db
> ldb: No modules specified for this database
> ldb_wrap open of hklm.ldb
> ldb: start ldb transaction (nesting: 0)
> ldb: commit ldb transaction (nesting: 0)
> Key 'key=SOFTWARE,hive=NONE' not found
> key added: key=SOFTWARE,hive=NONE
> Key 'key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE
> Key 'key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE' not found
> key added: key=CurrentVersion,key=Windows
> NT,key=Microsoft,key=SOFTWARE,hive=NONE
> About to write CurrentVersion with type (null), length 3: 6.1
> convert_string_talloc: Conversion not supported.
> Error converting string to value for line:
> "CurrentVersion"
> ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
> 1318, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
> line 841, in upgrade_from_samba3
> use_ntvfs=use_ntvfs, skip_sysvolacl=True)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py

Re: [Samba] Home Directory Issue

2011-06-13 Thread Juan Asensio Sánchez
obey pam restrictions = yes?

http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#id2554457

2011/6/13 Jenkins, Mack :
> I hope all is well with everyone.  I've got something a little strange going on.
>
> I'm running RHEL 6 and SMB Version 3.5.6-86.el6.  I am using Samba so that my
> Windows users can mount a home directory share to their Windows machine, with
> my Linux/Samba server and the storage point, and their account is validated
> against our campus AD servers.
>
> The issue I am having is that the share fails to connect if the home
> directory does not exist.  I can ssh to the box and the home directory is
> created on the fly if it does not exist, but not when the samba share is
> attempting to connect.
>
> It almost seems as if the pam_mkhomedir module is not being called.  Any
> suggestions?
>
> --
> Mack J. Jenkins, II
> 404-385-1591
> mack.jenk...@eas.gatech.edu
> System Support Engineer II
> Earth & Atmospheric Sciences
>