[Samba] Powerpoint 2007 not advancing slides
Hi Everyone Samba 3.6.7 on OpenSuse 12.2 x86_64 I have an unusual problem for which I have not been able to find a solution on the Internet. With Powerpoint 2003, there was no issue. With Powerpoint 2007, the user cannot advance slides unless the file is saved locally on the client (Windows XP SP3, ntfs filesystem). When the file is loaded from the samba share, the user can edit and save their powerpoint. They simply cannot run a slideshow. Regardless of the slideshow settings, you cannot advance to the next slide. Any assistance would be appreciated. Kevin Hall -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
Hi,

I'm cross-posting here from serverfault.com in case anyone can help. I just found a similar question on askubuntu.com also without an answer.

Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare for WinXP clients. Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find.

For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S. In our directory of client identifiers with their contact names appended, formerly directory mangling would leave enough characters intact that client identifiers could still be used. Not anymore.

None of the settings in the docs seem to talk about this exact problem. In fact, they seem to show it the way we were used to. Our smb.conf doesn't use any of the settings because the defaults seem to be what we want, according to the docs.

Any hints? (If you want to answer on serverfault feel free: http://serverfault.com/questions/543320/samba-name-mangling-too-mangled-to-be-practical )

Thanks for any help,
Kev
Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver
On 2013-10-03 2:38 PM, Jeremy Allison wrote: On Thu, Oct 03, 2013 at 10:17:18AM -0400, Kevin Field wrote: Hi, I'm cross-posting here from serverfault.com in case anyone can help. I just found a similar question on askubuntu.com also without an answer. Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare for WinXP clients. Have an ancient (1995!) piece of software that uses 8.3 filename format. After the switch, long filenames became useless in the context of the File-Open dialog box. Instead of the first few characters, we get maybe 1 character the same if we're lucky, which in a directory of thousands makes it impossible to find. For example, instead of S:\Air conditioning control system becoming S:\AIRCON~1 like it would before, it's displayed in this program as S:\A51FHG~S. In our directory of client identifiers with their contact names appended, formerly directory mangling would leave enough characters intact that client identifiers could still be used. Not anymore. None of the settings in the docs seem to talk about this exact problem. In fact, they seem to show it the way we were used to. Our smb.conf doesn't use any of the settings because the defaults seem to be what we want, according to the docs. Any hints? This is the mangling method that changed to hash2 (gives better protection against duplicates). Use the smb.conf parameter mangling method = hash to change it back to the way it used to be. Jeremy. Thanks Jeremy! I'm not sure how I missed that in the docs. Anyway, it is much, much better than before, but still not exactly like Windows. For example, we have two folders beginning with C-FZP. Instead of C-FZPD~1 and C-FZPP~1, which in our context is exactly enough to tell which one we want, it's a bit (or in this case...a byte) more aggressive in hashing and makes it C-FZP~59 and C-FZP~A5, so that we can no longer tell and have to guess. Oh but wait, now I see: The minimum value is 1 and the maximum value is 6. 
mangle prefix is effective only when mangling method is hash2. This does exactly what we want! And now I also see how I think I missed it: this parameter isn't in the NAME MANGLING section. Thanks! Kev
[Samba] magic user mapping
Hi,

Samba 4.0.9 on CentOS 6.4 serving Windows XP clients here. I still haven't sat down and figured out Windows-RID-to-unix-ID maps yet. However, I noticed that I can put a person's lowercased name in a 'valid users' list for a share and it works, even though they don't have a unix account. But doing this for lowercased custom group names (we have a 'MYDOM\Supervisors' group, so I tried @supervisors or supervisors) didn't seem to have any effect. Why is that?

I also tried to figure out the unix ID that that group maps to by taking a test file in Windows and going to the Advanced part of security and changing the owner to MYDOM\Supervisors. In ls -l on CentOS it shows up as 314. So I tried 314 with or without @ in front of it in 'valid users' for a share, but to no effect. That I understand even less. :)

Thanks for any illumination here,
Kev
[Samba] vfs_recycle folder limit management
Hi all,

Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and fileshare for XP clients. Added recycler per the example at https://wiki.samba.org/index.php/Frequently_Asked_Questions to my smb.conf. Works great.

My concern is that the recycle dir will eventually grow large. vfs_recycle's docs mention a parameter for limiting individual file sizes, but what's a best practice to prevent the whole recycle folder from growing too large? Cronjob to delete old files when the total is past a certain size? Anyone have a script handy? (I'm hoping I'm not the only one with this problem :) Seems like it would be a common concern...)

Thanks,
Kev
Re: [Samba] vfs_recycle folder limit management
On 2013-09-26 10:20 AM, Taylor, Jonn wrote:
> On 09/26/2013 08:47 AM, Kevin Field wrote:
>> Hi all,
>>
>> Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and fileshare for XP clients. Added recycler per the example at https://wiki.samba.org/index.php/Frequently_Asked_Questions to my smb.conf. Works great.
>>
>> My concern is that the recycle dir will eventually grow large. vfs_recycle's docs mention a parameter for limiting individual file sizes, but what's a best practice to prevent the whole recycle folder from growing too large? Cronjob to delete old files when the total is past a certain size? Anyone have a script handy? (I'm hoping I'm not the only one with this problem :) Seems like it would be a common concern...)
>>
>> Thanks,
>> Kev
>
> I use a script to cleanup the deleted files and run it daily with cron.
>
> cat /usr/bin/cleanupold
>
> #!/bin/bash
> find /var/share/.recycle/* -mtime +30 -exec rm {} \;
>
> In /var/spool/cron/root
>
> @daily /usr/bin/cleanupold > /dev/null 2>&1 #Cleanup old audio files
>
> Jonn

Thanks Jonn, but I meant more so is there a way to have it look at the total size of the recycle dir too? I.e. only delete stale files when it needs to to stay within a limit, and also even delete not-so-stale files if it needs to because there have been too many GB deleted lately to keep 30 days worth (or whatever) around?

Thanks again,
Kev
Re: [Samba] vfs_recycle folder limit management
On 2013-09-26 10:37 AM, Taylor, Jonn wrote:
> On 09/26/2013 09:24 AM, Kevin Field wrote:
>> On 2013-09-26 10:20 AM, Taylor, Jonn wrote:
>>> On 09/26/2013 08:47 AM, Kevin Field wrote:
>>>> Hi all,
>>>>
>>>> Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and fileshare for XP clients. Added recycler per the example at https://wiki.samba.org/index.php/Frequently_Asked_Questions to my smb.conf. Works great.
>>>>
>>>> My concern is that the recycle dir will eventually grow large. vfs_recycle's docs mention a parameter for limiting individual file sizes, but what's a best practice to prevent the whole recycle folder from growing too large? Cronjob to delete old files when the total is past a certain size? Anyone have a script handy? (I'm hoping I'm not the only one with this problem :) Seems like it would be a common concern...)
>>>>
>>>> Thanks,
>>>> Kev
>>>
>>> I use a script to cleanup the deleted files and run it daily with cron.
>>>
>>> cat /usr/bin/cleanupold
>>>
>>> #!/bin/bash
>>> find /var/share/.recycle/* -mtime +30 -exec rm {} \;
>>>
>>> In /var/spool/cron/root
>>>
>>> @daily /usr/bin/cleanupold > /dev/null 2>&1 #Cleanup old audio files
>>>
>>> Jonn
>>
>> Thanks Jonn, but I meant more so is there a way to have it look at the total size of the recycle dir too? I.e. only delete stale files when it needs to to stay within a limit, and also even delete not-so-stale files if it needs to because there have been too many GB deleted lately to keep 30 days worth (or whatever) around?
>>
>> Thanks again,
>> Kev
>
> This will find files larger than 50MB.
>
> find /var/share/.recycle/* -type f -size +5k -exec rm {} \;
>
> Look at the man pages for find to get more options.
>
> Jonn

Hmm...that's a bit closer, but not exactly. Maybe I described it better on stackexchange...let me copy:

I found tmpwatch, but it's only time-based. What I'd like the system to do is keep files as long as it reasonably can, i.e., without too much space being taken up. The flip side is that I also don't want it keeping files too long if it means running out of space.

Thus I'm looking for something with roughly this thinking:

1. if bin_size < limit then quit
2. delete oldest file in bin
3. goto 1.

Of course there may be a more efficient algorithm, and it could be tweaked to prefer deleting bigger files unless they're past a certain age so that a big delete doesn't unnecessarily result in the pruning of a bunch of older-but-not-too-old small files.
[/quote]

Maybe I'm getting too complicated?

Thanks,
Kev
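
The three-step loop sketched in the message above (quit once the bin is under the limit, otherwise delete the oldest file and repeat), written out as an added example; it is not code from anyone in the thread or from the Samba project. The function names `list_recycled`, `recycle_bytes` and `prune_recycle` are hypothetical, and it assumes a Linux host where `find -xdev` and `stat -c` are available.

```sh
#!/bin/sh
# Added example: keep a vfs_recycle repository under a size cap by deleting
# the oldest files first. Function names are hypothetical; assumes a Linux
# host whose find and stat accept -xdev and "stat -c" (GNU or BusyBox).

NL='
'

# list_recycled DIR -> one "mtime_epoch size_bytes path" record per regular file.
# -type f never follows symlinks, -xdev stays on the share's filesystem, and
# paths containing a newline are skipped so one record is always one line.
list_recycled() {
    find "$1" -xdev -type f ! -path "*${NL}*" -exec stat -c '%Y %s %n' {} +
}

# recycle_bytes DIR -> total apparent size of those files, in bytes.
recycle_bytes() {
    list_recycled "$1" | awk '{ t += $2 } END { printf "%.0f\n", t }'
}

# prune_recycle DIR LIMIT_BYTES -> prints how many files were deleted.
# Runs in a subshell, so its variables do not leak into the caller.
prune_recycle() (
    dir=$1
    limit=$2
    [ -d "$dir" ] || { echo "prune_recycle: not a directory: $dir" >&2; exit 2; }
    case $limit in
        ''|*[!0-9]*) echo "prune_recycle: limit must be whole bytes" >&2; exit 2 ;;
    esac

    total=$(recycle_bytes "$dir")
    # Oldest first: sort numerically on the leading mtime field.
    list_recycled "$dir" | sort -n | {
        deleted=0
        while IFS= read -r rec; do
            # Step 1 of the loop in the post: under the limit, so quit.
            [ "$total" -le "$limit" ] && break
            rest=${rec#* }          # drop the mtime field
            size=${rest%% *}
            path=${rest#* }         # remainder is the path, spaces included
            # Step 2: delete the oldest remaining file. "--" protects against
            # client-chosen names that begin with a dash.
            rm -f -- "$path" || continue
            total=$((total - size))
            deleted=$((deleted + 1))
        done
        echo "$deleted"
    }
)

# Example cron use (path taken from the thread, 20 GiB cap is constructed):
#   prune_recycle /var/share/.recycle 21474836480
```

"Oldest" here means oldest modification time, which is the time of deletion only if the share sets `recycle:touch_mtime = yes`; otherwise a file that was last edited long ago but deleted yesterday is pruned first.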
Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
On 2013-09-25 8:03 PM, Kevin Field wrote: On 2013-09-25 2:47 PM, Johan Hendriks wrote: Kevin Field wrote: Hi, I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these global settings (not overridden): read only = No force create mode = 0777 force directory mode = 0777 inherit acls = yes inherit owner = yes inherit permissions = yes On a Windows client, I have Thunderbird 24.0 storing its profile and mail on the Samba share. The perms on everything in the share were chmod -R 777'd. Then I get mail, compact a folder, whatever, and it looks like this: ... -rwxrwxrwx. 1 1128 513 2684 Sep 25 13:20 Templates.msf -rwxrwx---+ 1 1128 5130 Sep 25 13:50 Trash -rwxrwx---+ 1 1128 513 2223 Sep 25 13:50 Trash.msf Whatever it touches is now 770. How can that be, when the parent of this folder is 777, Samba is set to inherit and force 0777? Is this Samba misbehaving, or Thunderbird? Thanks, Kev It looks like the you have acl's active, hence the + after the permissions rwxrwx---+ . These acls overrule the local permissions set by samba. Not samba not thundebird is misbehaving. regards Johan Hendriks I only partially understand. I get that + means some extended ACLs. I don't get why Samba/Thunderbird makes the file 770 instead of 777. What I really don't get, though, is--since you mentioned ACLs I went and checked some example files in Windows--that despite the 777 files having Everyone with no settings, the 770 files have Everyone with Full Control, not inherited! I certainly didn't intend that for a user's mail profile :) (Really though, I didn't set things up that way from the Windows side--this is someone's home drive, in which they have full control, and I didn't touch the defaults, but I certainly didn't put Everyone in there, and certainly not with Full Control.) Where did this come from? 
possibility a) smb.conf, in which case I don't understand the settings I posted here possibility b) ACLs set by me, which I can't see being the case because our setup is so simple* possibility c) ? * Now just in case, and barring any Group Policy suggestions, what's the easiest way to, either from Windows or Linux, set it up so that admins have Full Control over every file, and home drives additionally have Full Control of the user having the same name as the home dir, and the 'shared' drive has Everyone having Full Control? So far, because our network is so small, I had done this manually in the past, but it's a bit of a PITA to do again at this point, since each user's home dir takes a few minutes to propagate ACL changes through if I use Windows GUI tools and meanwhile semi-hangs the UI. I don't really care how the perms look on the Linux end of things, since users only have access via Windows clients. From what you said about ACLs overruling, to me it would seem that our setup is simple enough that we shouldn't need +/Windows ACLs at all, because the normal unix ACLs are more than enough for our purposes, except that currently, Windows users don't get properly mapped, mainly because their Linux equivalents don't necessarily exist (e.g. for most users they don't have a CentOS login, but I do and the users group and such could map from Domain Users, I guess.) Or even if Linux perms were the same everywhere, and smb.conf enforced the rules so they came out right on the Windows side. If someone could lay this out for me, I'd really find it helpful--I've been trying to make sense of the docs and tutorials and mailing lists and QA sites, and for what I would think is a fairly common setup, I can't seem to get something working without glitches for us. 
It's just that, somehow, since we recently switched home drives from W2K3 to Samba serving them up, this has suddenly started happening, and is somehow causing strange side effects like Thunderbird much more often deciding to rebuild summary files of mailboxes, and mail not coming in right away (perhaps due to an un-indicated summary rebuild conflicting with a too-often mail check), and, well, these strange permissions that we never had before appearing on most files that Thunderbird modifies. More help/hints/examples would be much appreciated :) Thanks Johan, Kev As one of my users reports: I updated to 24.0. I went offline, then hit Compact Folders in the File menu. (It appeared to compact all my folders.) Then I rebooted my computer. Now it is the afternoon, and 2 or 3 of my folders are Building Summary again ! --- This behaviour has only happened since switching from W2K3 to Samba for our home drives where Thunderbird profiles live. What have I done wrong here? Kev
[Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
Hi,

I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these global settings (not overridden):

    read only = No
    force create mode = 0777
    force directory mode = 0777
    inherit acls = yes
    inherit owner = yes
    inherit permissions = yes

On a Windows client, I have Thunderbird 24.0 storing its profile and mail on the Samba share. The perms on everything in the share were chmod -R 777'd. Then I get mail, compact a folder, whatever, and it looks like this:

    -rwxrwxrwx. 1 1128 513        0 Oct 18  2012 Archives
    -rwxrwxrwx. 1 1128 513     3158 Sep 25 13:20 Archives.msf
    drwxrwxrwx. 2 1128 513     4096 Sep 25 09:12 Archives.sbd
    -rwxrwx---+ 1 1128 513        0 Sep 25 13:49 Drafts
    -rwxrwx---+ 1 1128 513     2450 Sep 25 13:50 Drafts.msf
    -rwxrwx---+ 1 1128 513        0 Sep 25 13:08 Inbox
    -rwxrwx---+ 1 1128 513     2317 Sep 25 13:50 Inbox.msf
    drwxrwxrwx. 3 1128 513     4096 May 28 09:26 Inbox.sbd
    -rwxrwxrwx. 1 1128 513     1268 Apr 12  2007 Junk.msf
    -rwxrwxrwx. 1 1128 513       28 Oct  2  2012 msgFilterRules.dat
    -rwxrwxrwx  1 1128 513    13736 Sep 25 13:50 popstate.dat
    -rwxrwxrwx  1 1128 513 96061164 Sep 25 13:21 Sent
    -rwxrwx---+ 1 1128 513  2988277 Sep 25 13:21 Sent.msf
    -rwxrwxrwx. 1 1128 513        0 Mar 25  2010 Templates
    -rwxrwxrwx. 1 1128 513     2684 Sep 25 13:20 Templates.msf
    -rwxrwx---+ 1 1128 513        0 Sep 25 13:50 Trash
    -rwxrwx---+ 1 1128 513     2223 Sep 25 13:50 Trash.msf

Whatever it touches is now 770. How can that be, when the parent of this folder is 777, Samba is set to inherit and force 0777? Is this Samba misbehaving, or Thunderbird?

Thanks,
Kev
Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings
On 2013-09-25 2:47 PM, Johan Hendriks wrote: Kevin Field wrote: Hi, I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these global settings (not overridden): read only = No force create mode = 0777 force directory mode = 0777 inherit acls = yes inherit owner = yes inherit permissions = yes On a Windows client, I have Thunderbird 24.0 storing its profile and mail on the Samba share. The perms on everything in the share were chmod -R 777'd. Then I get mail, compact a folder, whatever, and it looks like this: ... -rwxrwxrwx. 1 1128 513 2684 Sep 25 13:20 Templates.msf -rwxrwx---+ 1 1128 5130 Sep 25 13:50 Trash -rwxrwx---+ 1 1128 513 2223 Sep 25 13:50 Trash.msf Whatever it touches is now 770. How can that be, when the parent of this folder is 777, Samba is set to inherit and force 0777? Is this Samba misbehaving, or Thunderbird? Thanks, Kev It looks like the you have acl's active, hence the + after the permissions rwxrwx---+ . These acls overrule the local permissions set by samba. Not samba not thundebird is misbehaving. regards Johan Hendriks I only partially understand. I get that + means some extended ACLs. I don't get why Samba/Thunderbird makes the file 770 instead of 777. What I really don't get, though, is--since you mentioned ACLs I went and checked some example files in Windows--that despite the 777 files having Everyone with no settings, the 770 files have Everyone with Full Control, not inherited! I certainly didn't intend that for a user's mail profile :) (Really though, I didn't set things up that way from the Windows side--this is someone's home drive, in which they have full control, and I didn't touch the defaults, but I certainly didn't put Everyone in there, and certainly not with Full Control.) Where did this come from? possibility a) smb.conf, in which case I don't understand the settings I posted here possibility b) ACLs set by me, which I can't see being the case because our setup is so simple* possibility c) ? 
* Now just in case, and barring any Group Policy suggestions, what's the easiest way to, either from Windows or Linux, set it up so that admins have Full Control over every file, and home drives additionally have Full Control of the user having the same name as the home dir, and the 'shared' drive has Everyone having Full Control? So far, because our network is so small, I had done this manually in the past, but it's a bit of a PITA to do again at this point, since each user's home dir takes a few minutes to propagate ACL changes through if I use Windows GUI tools and meanwhile semi-hangs the UI. I don't really care how the perms look on the Linux end of things, since users only have access via Windows clients. From what you said about ACLs overruling, to me it would seem that our setup is simple enough that we shouldn't need +/Windows ACLs at all, because the normal unix ACLs are more than enough for our purposes, except that currently, Windows users don't get properly mapped, mainly because their Linux equivalents don't necessarily exist (e.g. for most users they don't have a CentOS login, but I do and the users group and such could map from Domain Users, I guess.) Or even if Linux perms were the same everywhere, and smb.conf enforced the rules so they came out right on the Windows side. If someone could lay this out for me, I'd really find it helpful--I've been trying to make sense of the docs and tutorials and mailing lists and QA sites, and for what I would think is a fairly common setup, I can't seem to get something working without glitches for us. 
It's just that, somehow, since we recently switched home drives from W2K3 to Samba serving them up, this has suddenly started happening, and is somehow causing strange side effects like Thunderbird much more often deciding to rebuild summary files of mailboxes, and mail not coming in right away (perhaps due to an un-indicated summary rebuild conflicting with a too-often mail check), and, well, these strange permissions that we never had before appearing on most files that Thunderbird modifies. More help/hints/examples would be much appreciated :) Thanks Johan, Kev
[Samba] gpresult returns ERROR: The RPC server is unavailable.
Hi, I have a CentOS 6.4 box running SerNet Samba 4.0.9 as an AD DC replicating from a W2k3 box. If I run gpresult /s OLDDC /user MYDOM\Me on a command prompt on OLDDC, I get a normal output, listing which GPOs are applied. If I run gpresult /s NEWDC /user MYDOM\Me in the same place, I get ERROR: The RPC server is unavailable. This is after a fresh restart of Samba. log.samba says (starting at last restart): samba: using 'standard' process model [2013/09/21 20:01:30.191185, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.191208, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.191223, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.191223, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30885 on SIGTERM Exiting pid 30882 on SIGTERM [2013/09/21 20:01:30.191221, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.191225, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30877 on SIGTERM Exiting pid 30876 on SIGTERM Exiting pid 30879 on SIGTERM Exiting pid 30880 on SIGTERM [2013/09/21 20:01:30.191674, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30878 on SIGTERM [2013/09/21 20:01:30.194399, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30881 on SIGTERM [2013/09/21 20:01:30.201604, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.201604, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.201685, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.201685, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30871 on SIGTERM Exiting pid 30874 on SIGTERM [2013/09/21 20:01:30.201713, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 30873 on SIGTERM Exiting pid 30872 on SIGTERM Exiting pid 30875 on SIGTERM [2013/09/21 20:01:30.213640, 0] ../source4/smbd/server.c:116(sig_term) SIGTERM: killing children [2013/09/21 20:01:30.214204, 0] ../source4/smbd/server.c:121(sig_term) [2013/09/21 20:01:30.213612, 0] ../source4/smbd/server.c:121(sig_term) Exiting pid 
30867 on SIGTERM Exiting pid 30870 on SIGTERM [2013/09/21 20:01:30.343028, 0] ../source4/smbd/server.c:370(binary_smbd_main) samba version 4.0.9-SerNet-RedHat-4.el6 started. Copyright Andrew Tridgell and the Samba Team 1992-2012 [2013/09/21 20:01:30.607037, 0] ../source4/smbd/server.c:482(binary_smbd_main) samba: using 'standard' process model ...and log.smbd doesn't have anything from recent days. smb.conf has this for its global section: [global] workgroup = MYDOM realm = mydom.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.0.1 dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc My question is, if I down OLDDC, will NEWDC be able to successfully serve Group Policy to our WinXPSP3 clients, or does this error indicate otherwise? If it won't work, what can I do to fix it? I see a couple recent-ish threads about this but no answer to the one, and the other I've already seemed to incorporate the answer of into smb.conf. Thanks, Kev -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] AD DC eventually not browsable without restart, RPC server unavailable for user selection
I'm now getting another error in a different spot that I hadn't tried before. If I go to a share \\newdc\\whatever, right-click a folder in it, go Properties, then the Security tab, then Advanced, then Effective Permissions, then Select, I get this: The program cannot open the required dialog box because it cannot determine whether the computer named newdc is joined to a domain. Close this message, and try again. [Close] And upon clicking Close: --- Security --- Unable to display the user selection dialog. The RPC server is unavailable. --- OK --- I'm using this particular share in production at the moment so I'll have to wait until after-hours to try restarting Samba to see if it goes away. Has anyone else come across either of these errors? Why does Samba's equivalent of the RPC server seem to function fine and then after some amount of time no longer seem to be available? Thanks, Kev On 2013-09-06 2:49 PM, Kevin Field wrote: Nothing too interesting: $ sudo tail -n 50 /var/log/samba/log.smbd smbd version 4.0.8-SerNet-RedHat-4.el6 started. Copyright Andrew Tridgell and the Samba Team 1992-2012 [2013/08/15 17:56:21.535409, 0] ../source3/smbd/server.c:1253(main) server role = 'active directory domain controller' not compatible with running smbd standalone. You should start 'samba' instead, and it will control starting smbd if required [2013/08/15 22:57:15, 0] ../source3/smbd/server.c:1201(main) smbd version 4.0.8-SerNet-RedHat-4.el6 started. 
Copyright Andrew Tridgell and the Samba Team 1992-2012 [2013/08/15 22:57:15, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 22:57:15.902304, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 22:57:15.909854, 0] ../source3/smbd/server.c:1281(main) standard input is not a socket, assuming -D option [2013/08/15 22:57:16.631301, 0] ../source3/printing/print_cups.c:151(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused [2013/08/15 22:57:16.632045, 0] ../source3/printing/print_cups.c:528(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL [2013/08/15 22:58:16.689780, 0] ../source3/printing/print_cups.c:151(cups_connect) Unable to connect to CUPS server localhost:631 - Connection refused [2013/08/15 22:58:16.690368, 0] ../source3/printing/print_cups.c:528(cups_async_callback) failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL [2013/08/15 23:00:37.725980, 0] ../source3/param/loadparm.c:3033(lp_set_enum_parm) WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns updates' [2013/08/15 23:00:37.726249, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:00:37.772626, 0] ../source3/param/loadparm.c:3033(lp_set_enum_parm) WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns updates' [2013/08/15 23:00:37.772883, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:00:38.037790, 0] ../source3/param/loadparm.c:3033(lp_set_enum_parm) WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns updates' [2013/08/15 23:00:38.038080, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:35.872174, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown 
parameter dns recursive queries [2013/08/15 23:02:35.935461, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:36.200408, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:39.710286, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:39.792444, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:40.054341, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:02:55.374983, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries [2013/08/15 23:04:13.125656, 0] ../source3/param/loadparm.c:3121(lp_do_parameter) Ignoring unknown parameter dns recursive queries And: top - 14:47:13 up 14 days, 22:05, 1 user, load average: 0.13, 0.12, 0.09 Tasks: 222 total, 1 running, 221 sleeping, 0 stopped, 0 zombie Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st Mem: 12194316k total, 6204420k used, 5989896k free, 810524k buffers Swap: 6168568k total, 2784k used, 6165784k free
Re: [Samba] AD DC eventually not browsable without restart
Yep, that's exactly it. Thanks! Kev On 2013-09-06 10:16 AM, Ricky Nance wrote: Have you disabled syslinux? That is what that change looks like to me. Ricky On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com mailto:k...@brantaero.com wrote: I just noticed something interesting, since I have /etc under version control: /etc/mtab changed thusly: -tmpfs /dev/shm tmpfs rw,rootcontext=system_u:__object_r:tmpfs_t:s0 0 0 +tmpfs /dev/shm tmpfs rw 0 0 Does this mean anything to our troubleshooting? Thanks, Kev On 2013-09-04 2:02 PM, Kevin Field wrote: Yeah, it's still tmpfs 5.9G 0 5.9G 0% /dev/shm The really odd thing is, currently, it's telling me this if I try to access it from OLDDC, running Windows Server 2003. But if I remote into another computer (GEYSER) on the network that's running Windows XP, I can access \\NEWDC just fine. Back to OLDDC and it still doesn't work. Besides the OS I noticed another difference, running echo %logonserver% from GEYSER, it reports \\G5, whereas running that on OLDDC reports \\OLDDC. I know this is normal behaviour, but I wonder if it has anything to do with it. I also wonder if, if I leave GEYSER logged in long enough, I'll have the same result on it as I do on OLDDC. So nobody else is having this browsability problem, eh? Kev On 2013-08-24 1:41 PM, Kevin Field wrote: Hmm...it hasn't been long enough since a restart yet, because it's not doing it ATM, but nonetheless if it's a question of an extra 45 mb I think we have it covered: tmpfs 5.9G 0 5.9G 0% /dev/shm But I'll check anyway next opportunity and report back if it's a positive. Kev On 2013-08-24 11:51 AM, Ricky Nance wrote: I wonder if your hitting the /run/lock fill up that another user reported on a week or two ago (they are using ubuntu). I think the solution was to make that tmpfs partition bigger (like 50 mb instead of 5 mb). next time it is unresponsive check and see what the output of 'df -h' is. 
Ricky

On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this?

Thanks,
Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820

From: Kevin Field k...@brantaero.com
To: samba@lists.samba.org
Sent: Tuesday, August 20, 2013 9:38:32 AM
Subject: [Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc
Re: [Samba] AD DC eventually not browsable without restart
000 S 0.0 0.0 0:00.47 watchdog/2 15 root RT 0 000 S 0.0 0.0 0:00.81 migration/3 16 root RT 0 000 S 0.0 0.0 0:00.00 migration/3 17 root 20 0 000 S 0.0 0.0 0:03.78 ksoftirqd/3 18 root RT 0 000 S 0.0 0.0 0:00.48 watchdog/3 19 root RT 0 000 S 0.0 0.0 0:00.25 migration/4 20 root RT 0 000 S 0.0 0.0 0:00.00 migration/4 21 root 20 0 000 S 0.0 0.0 0:03.81 ksoftirqd/4 22 root RT 0 000 S 0.0 0.0 0:00.46 watchdog/4 23 root RT 0 000 S 0.0 0.0 0:00.23 migration/5 24 root RT 0 000 S 0.0 0.0 0:00.00 migration/5 25 root 20 0 000 S 0.0 0.0 0:03.56 ksoftirqd/5 On 2013-09-06 2:03 PM, Ricky Nance wrote: What about log.smbd ... also what does samba-tool processes output? Ricky On Fri, Sep 6, 2013 at 12:57 PM, Kevin Field k...@brantaero.com wrote: (Just for the record, I haven't restarted samba in a couple weeks now.) That's very interesting: via the IP, it is browsable. As for the outputs: $ sudo netstat -anp | grep samba\|smb tcp0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5714/samba tcp0 0 0.0.0.0:464 0.0.0.0:* LISTEN 19028/samba tcp0 0 0.0.0.0:53 0.0.0.0:* LISTEN 19035/samba tcp0 0 0.0.0.0:88 0.0.0.0:* LISTEN 19028/samba tcp0 0 0.0.0.0:636 0.0.0.0:* LISTEN 19026/samba tcp0 0 0.0.0.0:445 0.0.0.0:* LISTEN 19034/samba tcp0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 19023/samba tcp0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 19026/samba tcp0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 19026/samba tcp0 0 0.0.0.0:389 0.0.0.0:* LISTEN 19026/samba tcp0 0 0.0.0.0:135 0.0.0.0:* LISTEN 19023/samba tcp0 0 10.0.1.2:445 10.0.1.1:1777 ESTABLISHED 19044/samba tcp0 0 10.0.1.2:1024 10.0.1.1:3024 ESTABLISHED 19023/samba tcp0 0 10.0.1.2:445 10.0.1.1:2130 ESTABLISHED 5714/samba tcp0 0
10.0.1.2:58561 10.0.1.1:1025 ESTABLISHED 19029/samba udp0 0 10.0.1.2:389 0.0.0.0:* 19027/samba udp0 0 0.0.0.0:389 0.0.0.0:* 19027/samba udp0 0 10.0.1.2:137 0.0.0.0:* 19024/samba udp0 0 10.255.255.255:137 0.0.0.0:* 19024/samba udp0 0 0.0.0.0:137 0.0.0.0:* 19024/samba udp0 0 10.0.1.2:138 0.0.0.0:* 19024/samba udp0 0 10.255.255.255:138 0.0.0.0:* 19024/samba udp0 0 0.0.0.0:138 0.0.0.0:* 19024/samba udp0 0 0.0.0.0:53 0.0.0.0:* 19035/samba udp0 0 10.0.1.2:464 0.0.0.0:* 19028/samba udp0 0 0.0.0.0:464 0.0.0.0:* 19028/samba udp0 0 10.0.1.2:88 0.0.0.0:* 19028/samba udp0 0 0.0.0.0:88 0.0.0.0:* 19028/samba unix 2 [ ] DGRAM 1900834 5714/samba /var/lib/samba/private/smbd.tmp/msg/msg.5714 unix 2 [ ACC ] STREAM LISTENING 413329 19023/samba /var/run/samba/ncalrpc/np/dnsserver unix 2 [ ACC ] STREAM LISTENING 413331 19023/samba /var/run/samba/ncalrpc/np/ntsvcs unix 2 [ ACC ] STREAM LISTENING 413334 19023/samba /var/run/samba/ncalrpc/np/browser unix 2 [ ACC ] STREAM LISTENING 413336 19023/samba /var/run/samba/ncalrpc/np/unixinfo unix 2 [ ACC ] STREAM LISTENING 413339 19023/samba /var/run/samba/ncalrpc/np/protected_storage unix 2 [ ACC ] STREAM LISTENING 413344 19023/samba /var/run
Re: [Samba] AD DC eventually not browsable without restart
/util.c:3118: WARNING: forestFunctionality not setup [2013/09/06 13:53:21.498801, 0] ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service *.: NT_STATUS_OBJECT_NAME_NOT_FOUND [2013/09/06 13:53:23.152701, 0] ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND The forestFunctionality errors are from the Windows AD replication status tool. Thanks, Kev On 2013-09-06 1:46 PM, Ricky Nance wrote: Next time it's unresponsive, try hitting it with \\ip.to.new.dc and see if it's browsable, also get the output of netstat -anp | grep samba\|smbd as well as tail -n 50 /usr/local/samba/var/log.samba and tail -n 50 usr/local/samba/var/log.smbd (adjust the path as needed), also I am interested if top has anything to say about samba or smbd (as for processor and memory usage). Ricky On Fri, Sep 6, 2013 at 12:12 PM, Kevin Field k...@brantaero.com wrote: Yep, that's exactly it. Thanks! Kev On 2013-09-06 10:16 AM, Ricky Nance wrote: Have you disabled syslinux? That is what that change looks like to me. Ricky On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote: I just noticed something interesting, since I have /etc under version control: /etc/mtab changed thusly: -tmpfs /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0 0 0 +tmpfs /dev/shm tmpfs rw 0 0 Does this mean anything to our troubleshooting? Thanks, Kev On 2013-09-04 2:02 PM, Kevin Field wrote: Yeah, it's still tmpfs 5.9G 0 5.9G 0% /dev/shm The really odd thing is, currently, it's telling me this if I try to access it from OLDDC, running Windows Server 2003. But if I remote into another computer (GEYSER) on the network that's running Windows XP, I can access \\NEWDC just fine. Back to OLDDC and it still doesn't work.
Besides the OS I noticed another difference, running echo %logonserver% from GEYSER, it reports \\G5, whereas running that on OLDDC reports \\OLDDC. I know this is normal behaviour, but I wonder if it has anything to do with it. I also wonder if, if I leave GEYSER logged in long enough, I'll have the same result on it as I do on OLDDC. So nobody else is having this browsability problem, eh? Kev On 2013-08-24 1:41 PM, Kevin Field wrote: Hmm...it hasn't been long enough since a restart yet, because it's not doing it ATM, but nonetheless if it's a question of an extra 45 mb I think we have it covered: tmpfs 5.9G 0 5.9G 0% /dev/shm But I'll check anyway next opportunity and report back if it's a positive. Kev On 2013-08-24 11:51 AM, Ricky Nance wrote: I wonder if you're hitting the /run/lock fill up that another user reported on a week or two ago (they are using ubuntu). I think the solution was to make that tmpfs partition bigger (like 50 mb instead of 5 mb). Next time it is unresponsive check and see what the output of 'df -h' is. Ricky On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote: I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this? Thanks, Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want
Re: [Samba] AD DC eventually not browsable without restart
I just noticed something interesting, since I have /etc under version control: /etc/mtab changed thusly: -tmpfs /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0 0 0 +tmpfs /dev/shm tmpfs rw 0 0 Does this mean anything to our troubleshooting? Thanks, Kev On 2013-09-04 2:02 PM, Kevin Field wrote: Yeah, it's still tmpfs 5.9G 0 5.9G 0% /dev/shm The really odd thing is, currently, it's telling me this if I try to access it from OLDDC, running Windows Server 2003. But if I remote into another computer (GEYSER) on the network that's running Windows XP, I can access \\NEWDC just fine. Back to OLDDC and it still doesn't work. Besides the OS I noticed another difference, running echo %logonserver% from GEYSER, it reports \\G5, whereas running that on OLDDC reports \\OLDDC. I know this is normal behaviour, but I wonder if it has anything to do with it. I also wonder if, if I leave GEYSER logged in long enough, I'll have the same result on it as I do on OLDDC. So nobody else is having this browsability problem, eh? Kev On 2013-08-24 1:41 PM, Kevin Field wrote: Hmm...it hasn't been long enough since a restart yet, because it's not doing it ATM, but nonetheless if it's a question of an extra 45 mb I think we have it covered: tmpfs 5.9G 0 5.9G 0% /dev/shm But I'll check anyway next opportunity and report back if it's a positive. Kev On 2013-08-24 11:51 AM, Ricky Nance wrote: I wonder if you're hitting the /run/lock fill up that another user reported on a week or two ago (they are using ubuntu). I think the solution was to make that tmpfs partition bigger (like 50 mb instead of 5 mb). Next time it is unresponsive check and see what the output of 'df -h' is. Ricky On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote: I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this?
Thanks, Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@brantaero.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC.
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use: # Global parameters [global] workgroup = MYDOMAIN realm = mydomain.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.1.1 # dns recursive queries = yes dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc # dcerpc endpoint servers = winreg srvsvc load printers = yes printing
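Review bot: the `+tmpfs /dev/shm tmpfs rw 0 0` line drops `rootcontext=system_u:object_r:tmpfs_t:s0`, so /dev/shm is now mounted without its SELinux context and nothing next to the change records why. If SELinux was switched off while troubleshooting (the share-permissions thread on this list shows `setenforce 0` being tried), note that beside the mtab change and decide whether it should stay off on a machine that is about to become the only DC; `getenforce` shows the current state.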
Re: [Samba] AD DC eventually not browsable without restart
Yeah, it's still tmpfs 5.9G 0 5.9G 0% /dev/shm The really odd thing is, currently, it's telling me this if I try to access it from OLDDC, running Windows Server 2003. But if I remote into another computer (GEYSER) on the network that's running Windows XP, I can access \\NEWDC just fine. Back to OLDDC and it still doesn't work. Besides the OS I noticed another difference, running echo %logonserver% from GEYSER, it reports \\G5, whereas running that on OLDDC reports \\OLDDC. I know this is normal behaviour, but I wonder if it has anything to do with it. I also wonder if, if I leave GEYSER logged in long enough, I'll have the same result on it as I do on OLDDC. So nobody else is having this browsability problem, eh? Kev On 2013-08-24 1:41 PM, Kevin Field wrote: Hmm...it hasn't been long enough since a restart yet, because it's not doing it ATM, but nonetheless if it's a question of an extra 45 mb I think we have it covered: tmpfs 5.9G 0 5.9G 0% /dev/shm But I'll check anyway next opportunity and report back if it's a positive. Kev On 2013-08-24 11:51 AM, Ricky Nance wrote: I wonder if you're hitting the /run/lock fill up that another user reported on a week or two ago (they are using ubuntu). I think the solution was to make that tmpfs partition bigger (like 50 mb instead of 5 mb). Next time it is unresponsive check and see what the output of 'df -h' is. Ricky On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote: I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this?
Thanks, Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@brantaero.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC.
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use: # Global parameters [global] workgroup = MYDOMAIN realm = mydomain.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.1.1 # dns recursive queries = yes dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc # dcerpc endpoint servers = winreg srvsvc load printers = yes printing = cups [netlogon] path = /var/lib/samba/sysvol/mydomain.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] comment = All Printers path
Re: [Samba] AD DC eventually not browsable without restart
I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this? Thanks, Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@brantaero.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. 
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use: # Global parameters [global] workgroup = MYDOMAIN realm = mydomain.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.1.1 #dns recursive queries = yes dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc # dcerpc endpoint servers = winreg srvsvc load printers = yes printing = cups [netlogon] path = /var/lib/samba/sysvol/mydomain.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] comment = All Printers path = /var/spool/samba browseable = Yes read only = No printable = Yes [print$] comment = Point and Print Printer Drivers path = /var/lib/samba/printing read only = No [mytestshare] path = /srv/mytestshare/ read only = No Any ideas? Thanks, Kev
Re: [Samba] AD DC eventually not browsable without restart
Hmm...it hasn't been long enough since a restart yet, because it's not doing it ATM, but nonetheless if it's a question of an extra 45 mb I think we have it covered: tmpfs 5.9G 0 5.9G 0% /dev/shm But I'll check anyway next opportunity and report back if it's a positive. Kev On 2013-08-24 11:51 AM, Ricky Nance wrote: I wonder if you're hitting the /run/lock fill up that another user reported on a week or two ago (they are using ubuntu). I think the solution was to make that tmpfs partition bigger (like 50 mb instead of 5 mb). Next time it is unresponsive check and see what the output of 'df -h' is. Ricky On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote: I've upgraded to 4.0.9 and this behaviour persists. Should I file a bug report, do you think? Is nobody else experiencing this? Thanks, Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@brantaero.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started.
--- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use: # Global parameters [global] workgroup = MYDOMAIN realm = mydomain.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.1.1 # dns recursive queries = yes dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc # dcerpc endpoint servers = winreg srvsvc load printers = yes printing = cups [netlogon] path = /var/lib/samba/sysvol/mydomain.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] comment = All Printers path = /var/spool/samba browseable = Yes read only = No printable = Yes [print$] comment = Point and Print Printer Drivers path = /var/lib/samba/printing read only = No [mytestshare] path = /srv/mytestshare/ read only = No Any ideas?
Thanks, Kev
[Samba] CUPS working but errors from Windows clients accessing printer
Hi, On CentOS 6.4 (newdc), I have CUPS 1.4.2-50.el6_4.5 installed, can access its web interface. There I set up our main shared printer, an OCE Imagistics cm2520, and successfully printed a test page. With SerNet Samba 4.0.9 on the same box configured every which example way I could find, I cannot seem to get it to the point where double-clicking the printer in Windows (W2K3, OLDDC) opens up the print queue (as it does from \\olddc). The closest I get, by manually defining the printer in smb.conf, is that it shows up in \\newdc in Windows Explorer, but double-clicking the BackOfficeCopier printer gives this error: --- Printers --- Operation could not be completed. Either the printer name was typed incorrectly, or the specified printer has lost its connection to the server. For more information, click Help. --- OK Help --- If I double-click the printers share, I get: --- \\newdc --- \\newdc\printers is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Incorrect function. --- OK --- Neither of these causes an entry to appear in log.samba. However, double-clicking on Printers and Faxes shows me a folder containing just Add Printer and generates this log entry in log.samba: [2013/08/23 09:18:39.921226, 0] ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service ::{2227A280-3AEA-1069-A2DE-08002B30309D}: NT_STATUS_OBJECT_NAME_NOT_FOUND [2013/08/23 09:18:39.935896, 0] ../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx) unable to call back to \\OLDDC [2013/08/23 09:18:39.952321, 0] ../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx) unable to call back to \\OLDDC If I then try Add Printer and click Next, my only choice is the top one and there are no ports listed. 
Trying Next again at that point just gives: --- Add Printer Wizard --- Operation could not be completed. --- OK --- About the first error, the queue name in CUPS is OCE, and in smb.conf I have this: [global] workgroup = MYDOMAIN realm = mydomain.lan netbios name = NEWDC server role = active directory domain controller server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns allow dns updates = true dns forwarder = 192.168.1.1 #dns recursive queries = yes dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc # dcerpc endpoint servers = winreg srvsvc load printers = yes printing = cups printcap name = cups [netlogon] path = /var/lib/samba/sysvol/mydomain.lan/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No [printers] comment = All Printers path = /var/spool/samba/ guest ok = Yes browseable = Yes read only = No printable = Yes create mask = 0700 [print$] comment = Point and Print Printer Drivers path = /var/lib/samba/printing read only = No [BackOfficeCopier] path = /var/spool/samba/ browseable = yes printable = yes printer name = OCE [mytest] path = /home/srv/samba-test-share read only = No As far as ACL goes for the second error, etc.: $ sudo ls -l /var/spool/ ... drwxrwxrwt. 2 root root 4096 Aug 15 18:10 samba $ sudo ls -l /var/lib/samba/ ... drwxr-xr-x. 4 root root 4096 Aug 22 22:19 printing I copied everything from \\olddc\print$ to \\newdc\print$ before chmodding printing back to 755. I'm not sure what I'm missing here. I tried following the HOWTO to the letter, and then I started trying configurations mentioned on various help sites, and nothing seems to do the trick yet. Thanks, Kev
Re: [Samba] share permissions
I can understand that. However, I'm a bit confused about how this is supposed to be practical in the case of Samba. Samba runs as root, so it can see everything. I'm telling it to share a particular folder. Why should it look at the ACLs of folders above that, when there's no way they will be otherwise accessible via Samba? The reason I bother with this question is that /home and /srv are on two different partitions. I set it up so that the bulk of space would be available under /home. Okay, so it sounds like links can come to rescue here. I dig around and it seems that hard links on directories have not been allowed since the 70's. Symbolic links could work, but if you enable the following of symbolic links in smb.conf, it can open up security holes. So to me it seems there's no workaround for a design that doesn't make sense in the first place (checking the ACLs of parent directories even if you're root and they're irrelevant to the application of sharing the given directory.) Am I missing something? Thanks, Kev On 2013-08-20 11:22 AM, Ricky Nance wrote: Permissions are hard to explain (possibly because I don't fully understand them myself I guess), but if you have a directory (say /srv) and you give it 0700 permissions, then only the person that owns that directory is able to see anything under it, however if you give it 0755, then ANYONE can see (the second 5 is R-X for everyone) what's in there, now you have a directory under that, let's call it share, (so /srv/share) and you give it permissions of 0777, then everyone can read/write in the share folder, but no one can write to the /srv folder except the owner. So when you had a share under /home/user (which is typically /home is 755, and the /home/user is 0700) then no one had access to the underlying directories (even if the underlying directory is 777, because the user simply can't get to that point)...
If anyone disagrees or could explain this better please feel free to do so, I am not opposed to learning new things :) Ricky On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote: Aha! Moving it worked. I can now see it from Windows. If I chmod 777 on the directory I can also add files to it from Windows. However, I don't quite understand why the parent of the share directory affects it. BTW /home/me has 700 permissions and /srv has 755. If the +x on /srv allows the +x on my test share directory to allow Windows to browse it, why doesn't the -w on /srv prevent the +w on my test share directory from allowing Windows to create files there? I always thought negative permissions took precedence in ACL, generally? Thanks, Kev On 2013-08-20 10:22 AM, Kevin Field wrote: Hi Ricky, I don't think I should have to reboot. setenforce is documented to work without rebooting. If I need to reboot a Linux server to troubleshoot something like this--and I hear SELinux is often a first thing to try disabling to troubleshoot--then it's worse than Windows for rebooting requirements. But I'm pretty sure that's simply not true. Otherwise this is meaningless: $ sudo setenforce 0 $ sudo getenforce Permissive Also I'm a bit confused as to why the permissions on /home should affect /home/me if I've explicitly set them on /home/me and haven't defined some kind of ACL inheritance policy. Is it the default that higher directories' permissions override lower ones in CentOS? Or is it a Samba fileshare thing? I would like to know exactly how this works, but in any case, I'll try moving the share and see how it goes. Thanks, Kev On 2013-08-17 9:47 AM, Ricky Nance wrote: Have a look at http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html and you will probably have to reboot after making the changes.
I have seen this cause more problems than not, so I would start with disabling it and see if it fixes your problem. Also since you are using a /home/me before your share, you need to make sure you have at least 755 permissions in both /home and /home/me, it might be a good idea to make a directory named /srv/mytestshare instead. Ricky On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote: Interestingly, I couldn't turn off selinux using their method: $ sudo echo 0 /selinux
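The behaviour discussed in the messages above follows from how path lookup works on Linux: every directory on the way to the target must grant search (x) permission, while write permission is consulted only on the directory in which the entry is created. The script below is an added example, not code from the thread; it rebuilds the thread's layout under a temporary directory (constructed), assumes GNU stat, reads only the "other" permission bits, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (Linux) and reads only
# the "other" permission bits, i.e. a user who neither owns the directory nor
# is in its group. Function names and the directory tree are constructed.

# other_digit PATH -> last octal digit of PATH's mode (the rights of "other").
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    last=${mode#"${mode%?}"}
    printf '%s\n' "$last"
}

# first_blocker PATH [TOP]
# Check every directory from just below TOP (default /) down to PATH and print
# the first one "other" cannot search (no x bit). Lookup stops there, whatever
# the modes further down are. Prints nothing and returns 0 if none blocks.
first_blocker() {
    top=${2:-/}
    dir=$1
    set --
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        set -- "$dir" "$@"              # prepend, so the list runs top-down
        dir=$(dirname "$dir")
    done
    for dir in "$@"; do
        digit=$(other_digit "$dir") || return 2
        case $digit in
            1|3|5|7) ;;                 # x bit set: lookup may continue
            *) printf '%s\n' "$dir"; return 1 ;;
        esac
    done
    return 0
}

# can_create PATH [TOP] -> 0 if "other" can reach PATH and create files in it.
# Creating an entry needs w and x on PATH itself; ancestors need only x, so a
# parent without w (755) does not stop writes into a 777 child.
can_create() {
    first_blocker "$1" "$2" >/dev/null || return 1
    case $(other_digit "$1") in
        3|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# build_tree ROOT: the layout from the thread, rebuilt under ROOT.
build_tree() {
    mkdir -p "$1/home/me/share" "$1/home/srv/share" "$1/srv/mytestshare"
    chmod 755 "$1/home" "$1/home/srv" "$1/srv"
    chmod 700 "$1/home/me"              # typical home directory
    chmod 777 "$1/home/me/share" "$1/home/srv/share" "$1/srv/mytestshare"
}

demo() {
    root=$(mktemp -d) || return 1
    build_tree "$root"
    for share in home/me/share home/srv/share srv/mytestshare; do
        blocker=$(first_blocker "$root/$share" "$root") || true
        if [ -n "$blocker" ]; then
            rel=${blocker#"$root"/}
            echo "$share: blocked at $rel"
        else
            echo "$share: reachable"
        fi
    done
    # x without r on the parent lets users pass through it without listing it.
    chmod 711 "$root/home/me"
    can_create "$root/home/me/share" "$root" &&
        echo "home/me/share: writable once home/me is 711"
    # A grandparent counts as much as the immediate parent.
    chmod 750 "$root/home"
    blocker=$(first_blocker "$root/home/srv/share" "$root") || true
    rel=${blocker#"$root"/}
    echo "home/srv/share: blocked at $rel after chmod 750 home"
    rm -rf "$root"
}

demo
```

On a real server, `namei -l /path/to/share` prints the owner and mode of each component of the path in the same top-down order.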
Re: [Samba] share permissions
Oh, so it only looks at the immediate parent's permissions? Not the grandparent? I find that even more bewildering but a whole lot easier to work with if that's the case :) Thanks, Kev On 2013-08-22 11:44 AM, Ricky Nance wrote: No, you can use /home/srv/share as long as srv (under home) is 755 permissions. Samba does run as root, but it also still obeys the rules of the underlying file system. Ricky On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote: I can understand that. However, I'm a bit confused about how this is supposed to be practical in the case of Samba. Samba runs as root, so it can see everything. I'm telling it to share a particular folder. Why should it look at the ACLs of folders above that, when there's no way they will be otherwise accessible via Samba? The reason I bother with this question is that /home and /srv are on two different partitions. I set it up so that the bulk of space would be available under /home. Okay, so it sounds like links can come to rescue here. I dig around and it seems that hard links on directories have not been allowed since the 70's. Symbolic links could work, but if you enable the following of symbolic links in smb.conf, it can open up security holes. So to me it seems there's no workaround for a design that doesn't make sense in the first place (checking the ACLs of parent directories even if you're root and they're irrelevant to the application of sharing the given directory.) Am I missing something?
Thanks, Kev On 2013-08-20 11:22 AM, Ricky Nance wrote: Permissions are hard to explain (possibly because I don't fully understand them myself I guess), but if you have a directory (say /srv) and you give it 0700 permissions, then only the person that owns that directory is able to see anything under it, however if you give it 0755, then ANYONE can see (the second 5 is R-X for everyone) whats in there, now you have a directory under that, lets call it share, (so /srv/share) and you give it permissions of 0777, then everyone can read/write in the share folder, but no one can write to the /srv folder except the owner. So when you had a share under /home/user (which is typically /home is 755, and the /home/user is 0700) then no one had access to the underlying directories (even if the underlying directory is 777, because the user simply can't get to that point)... If anyone disagree's or could explain this better please feel free to do so, I am not opposed to learning new things :) Ricky On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com mailto:k...@brantaero.com mailto:k...@brantaero.com mailto:k...@brantaero.com wrote: Aha! Moving it worked. I can now see it from Windows. If I chmod 777 on the directory I can also add files to it from Windows. However, I don't quite understand why the parent of the share directory affects it. BTW /home/me has 700 permissions and /srv has 755. If the +x on /srv allows the +x on my test share directory to allow Windows to browse it, why doesn't the -w on /srv prevent the +w on my test share directory from allowing Windows to create files there? I always thought negative permissions took precedence in ACL, generally? Thanks, Kev On 2013-08-20 10:22 AM, Kevin Field wrote: Hi Ricky, I don't think I should have to reboot. setenforce is documented to work without rebooting. 
If I need to reboot a Linux server to troubleshoot something like this--and I hear SELinux is often a first thing to try disabling to troubleshoot--then it's worse than Windows for rebooting requirements. But I'm pretty sure that's simply not true. Otherwise this is meaningless: $ sudo setenforce 0 $ sudo getenforce Permissive Also I'm a bit confused as to why the permissions on /home should affect /home/me if I've explicitly set them on /home/me and haven't defined some kind of ACL inheritance policy. Is it the default that higher directories' permissions override lower ones in CentOS? Or is it a Samba fileshare thing? I would like to know exactly how this works
Re: [Samba] share permissions
Oh, I see. At first I read it as /home/me/srv. Gotcha. It works! Thanks very much Ricky! -K

On 2013-08-22 12:49 PM, Ricky Nance wrote:

It looks at all of them, but the important thing is that it's 0755 all the way to the folder being used (if there is any XXX0 permissions on the way to the folder it will cause things to fail, which is the case with the 'me' part of /home/me/share as it has 0700 permissions).

On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field k...@brantaero.com wrote:

Oh, so it only looks at the immediate parent's permissions? Not the grandparent? I find that even more bewildering but a whole lot easier to work with if that's the case :)

Thanks, Kev

On 2013-08-22 11:44 AM, Ricky Nance wrote:

No, you can use /home/srv/share as long as srv (under home) is 755 permissions. Samba does run as root, but it also still obeys the rules of the underlying file system.

Ricky

On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote:

I can understand that. However, I'm a bit confused about how this is supposed to be practical in the case of Samba. Samba runs as root, so it can see everything. I'm telling it to share a particular folder. Why should it look at the ACLs of folders above that, when there's no way they will be otherwise accessible via Samba?

The reason I bother with this question is that /home and /srv are on two different partitions. I set it up so that the bulk of space would be available under /home. Okay, so it sounds like links can come to the rescue here. I dig around and it seems that hard links on directories have not been allowed since the 70's. Symbolic links could work, but if you enable the following of symbolic links in smb.conf, it can open up security holes. So to me it seems there's no workaround for a design that doesn't make sense in the first place (checking the ACLs of parent directories even if you're root and they're irrelevant to the application of sharing the given directory.) Am I missing something?

Thanks, Kev

On 2013-08-20 11:22 AM, Ricky Nance wrote:

Permissions are hard to explain (possibly because I don't fully understand them myself I guess), but if you have a directory (say /srv) and you give it 0700 permissions, then only the person that owns that directory is able to see anything under it, however if you give it 0755, then ANYONE can see (the second 5 is R-X for everyone) what's in there, now you have a directory under that, let's call it share, (so /srv/share) and you give it permissions of 0777, then everyone can read/write in the share folder, but no one can write to the /srv folder except the owner. So when you had a share under /home/user (which is typically /home is 755, and the /home/user is 0700) then no one had access to the underlying directories (even if the underlying directory is 777, because the user simply can't get to that point)... If anyone disagrees or could explain this better please feel free to do so, I am not opposed to learning new things :)

Ricky

On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

Aha! Moving it worked. I can now see it from Windows. If I chmod 777 on the directory I can also add files to it from Windows. However, I don't quite understand why the parent of the share directory affects it. BTW /home/me has 700 permissions and /srv has 755. If the +x on /srv allows the +x on my test share directory to allow Windows to browse it, why doesn't the -w on /srv
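Added example, not part of the thread: a check for the rule Ricky describes, that every directory on the way to the share must be traversable. The function names and the constructed demo tree are hypothetical; it inspects only the classic "other" mode bits (no POSIX ACLs, no SELinux) and assumes GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Reports the first directory on the way to a share that users in the
# "other" class cannot traverse. Only classic mode bits are inspected;
# POSIX ACLs and SELinux labels are out of scope. Uses GNU stat (-c).

# other_can_search DIR: succeed if DIR has o+x (search) set.
other_can_search() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        *[1357]) return 0 ;;  # odd last octal digit means the x bit is set
        *)       return 1 ;;
    esac
}

# first_blocked START SHARE: walk every directory below START down to and
# including SHARE; print the first one lacking o+x (or that cannot be
# stat'ed), or print nothing if all of them pass.
first_blocked() {
    start=${1%/}
    rest=${2%/}
    rest=${rest#"$start"/}
    cur=$start
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if ! other_can_search "$cur"; then
            printf '%s\n' "$cur"
            return 0
        fi
    done
    return 0
}

# build_demo_tree DIR: constructed layout mirroring the thread's two cases,
# DIR/home/me/mytestshare (parent 0700) and DIR/srv/mytestshare (parent 0755).
build_demo_tree() {
    mkdir -p "$1/home/me/mytestshare" "$1/srv/mytestshare"
    chmod 755 "$1/home" "$1/srv"
    chmod 777 "$1/home/me/mytestshare" "$1/srv/mytestshare"
    chmod 700 "$1/home/me"
}

# Constructed demo: run the script with "demo" as its first argument.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    build_demo_tree "$tmp"
    echo "home case blocked at: $(first_blocked "$tmp" "$tmp/home/me/mytestshare")"
    echo "srv case blocked at:  $(first_blocked "$tmp" "$tmp/srv/mytestshare")"
    rm -rf "$tmp"
fi
```

On a live server, `first_blocked / /home/me/mytestshare` walks the real path; `namei -l /home/me/mytestshare` gives the same per-component view.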
Re: [Samba] share permissions
Hi Ricky, I don't think I should have to reboot. setenforce is documented to work without rebooting. If I need to reboot a Linux server to troubleshoot something like this--and I hear SELinux is often a first thing to try disabling to troubleshoot--then it's worse than Windows for rebooting requirements. But I'm pretty sure that's simply not true. Otherwise this is meaningless:

$ sudo setenforce 0
$ sudo getenforce
Permissive

Also I'm a bit confused as to why the permissions on /home should affect /home/me if I've explicitly set them on /home/me and haven't defined some kind of ACL inheritance policy. Is it the default that higher directories' permissions override lower ones in CentOS? Or is it a Samba fileshare thing? I would like to know exactly how this works, but in any case, I'll try moving the share and see how it goes.

Thanks, Kev

On 2013-08-17 9:47 AM, Ricky Nance wrote:

Have a look at http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html and you will probably have to reboot after making the changes. I have seen this cause more problems than not, so I would start with disabling it and see if it fixes your problem. Also since you are using a /home/me before your share, you need to make sure you have at least 755 permissions in both /home and /home/me, it might be a good idea to make a directory named /srv/mytestshare instead.

Ricky

On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing. Anyway, `sudo setenforce 0` seemed to work in that it didn't give me an error message, but OTOH didn't seem to work in that the output of ls -alhDZ was the same:

drwxrwxr-x. me me unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows. Also something strange happened, after a while I could not navigate to \\newdc without a similar error, but I had not been doing anything in the system, so I'm not sure what might have caused it. Running `sudo killall samba` and then `sudo samba` made it suddenly be browseable again. Maybe not related...not sure...

Anyway thanks for your help, Ricky. Any other ideas?

BTW I had set up the selinux permissions on the mytestshare dir per the HOWTO at http://wiki.centos.org/HowTos/SetUpSamba . I'm pretty sure that's why it says samba_share_t on the ls output above.

Kev

On 2013-08-16 11:52 AM, Ricky Nance wrote:

Temporarily turn off selinux, if that fixes your issue you will need to adjust the selinux rules to take care of the problem (or just completely disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before you turn it off it can tell you if selinux is on, then run that again after it's turned off to confirm. You can read about disabling/turning off selinux at http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky

On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is successfully replicating with a W2K3 server. I'm following the HOWTO here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
        path = /home/me/mytestshare -- with or without trailing slash
        read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share listed there. I can also see it if I connect to newdc in Computer Management. However, what I can't get from either of those places is a Security tab if I right-click the share and go to Properties. There's a Share Permissions tab in CM only that says that Everyone has Full Control. Despite that, if I try to double-click the share in Explorer, I get:

--- \\newdc ---
\\newdc\mytest is not accessible. You might not have permission to use this network resource. Contact the administrator
[Samba] AD DC eventually not browsable without restart
I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. 
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.lan
        netbios name = NEWDC
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        allow dns updates = true
        dns forwarder = 192.168.1.1
        #dns recursive queries = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        # dcerpc endpoint servers = winreg srvsvc
        load printers = yes
        printing = cups

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = Yes
        read only = No
        printable = Yes

[print$]
        comment = Point and Print Printer Drivers
        path = /var/lib/samba/printing
        read only = No

[mytestshare]
        path = /srv/mytestshare/
        read only = No

Any ideas?

Thanks, Kev
Re: [Samba] share permissions
Aha! Moving it worked. I can now see it from Windows. If I chmod 777 on the directory I can also add files to it from Windows. However, I don't quite understand why the parent of the share directory affects it. BTW /home/me has 700 permissions and /srv has 755. If the +x on /srv allows the +x on my test share directory to allow Windows to browse it, why doesn't the -w on /srv prevent the +w on my test share directory from allowing Windows to create files there? I always thought negative permissions took precedence in ACL, generally?

Thanks, Kev

On 2013-08-20 10:22 AM, Kevin Field wrote:

Hi Ricky, I don't think I should have to reboot. setenforce is documented to work without rebooting. If I need to reboot a Linux server to troubleshoot something like this--and I hear SELinux is often a first thing to try disabling to troubleshoot--then it's worse than Windows for rebooting requirements. But I'm pretty sure that's simply not true. Otherwise this is meaningless:

$ sudo setenforce 0
$ sudo getenforce
Permissive

Also I'm a bit confused as to why the permissions on /home should affect /home/me if I've explicitly set them on /home/me and haven't defined some kind of ACL inheritance policy. Is it the default that higher directories' permissions override lower ones in CentOS? Or is it a Samba fileshare thing? I would like to know exactly how this works, but in any case, I'll try moving the share and see how it goes.

Thanks, Kev

On 2013-08-17 9:47 AM, Ricky Nance wrote:

Have a look at http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html and you will probably have to reboot after making the changes. I have seen this cause more problems than not, so I would start with disabling it and see if it fixes your problem. Also since you are using a /home/me before your share, you need to make sure you have at least 755 permissions in both /home and /home/me, it might be a good idea to make a directory named /srv/mytestshare instead.

Ricky

On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing. Anyway, `sudo setenforce 0` seemed to work in that it didn't give me an error message, but OTOH didn't seem to work in that the output of ls -alhDZ was the same:

drwxrwxr-x. me me unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows. Also something strange happened, after a while I could not navigate to \\newdc without a similar error, but I had not been doing anything in the system, so I'm not sure what might have caused it. Running `sudo killall samba` and then `sudo samba` made it suddenly be browseable again. Maybe not related...not sure...

Anyway thanks for your help, Ricky. Any other ideas?

BTW I had set up the selinux permissions on the mytestshare dir per the HOWTO at http://wiki.centos.org/HowTos/SetUpSamba . I'm pretty sure that's why it says samba_share_t on the ls output above.

Kev

On 2013-08-16 11:52 AM, Ricky Nance wrote:

Temporarily turn off selinux, if that fixes your issue you will need to adjust the selinux rules to take care of the problem (or just completely disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before you turn it off it can tell you if selinux is on, then run that again after it's turned off to confirm. You can read about disabling/turning off selinux at http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky

On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is successfully replicating with a W2K3 server. I'm following the HOWTO here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
        path = /home/me/mytestshare -- with or without trailing slash
        read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share listed there. I can also see it if I connect to newdc in Computer Management. However, what I can't get from either of those
[Samba] chmod + remote save denied = file wiped?
I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). newdc also has a test share. I'm experiencing something strange whereby chmod and then an attempted file save causes a shared file to become zero bytes (despite the save not being blank, and also being denied):

At olddc:
1) open \\newdc\testshare\yay.txt

At newdc:
$ ls -l
total 8
-rw-rw-rw-. 1 me me 9 Aug 20 10:59 yay.txt
$ cat yay.txt
It works!$ chmod 664 yay.txt

At olddc:
1) add a space to yay.txt and attempt to save. popup:
--- TextPad ---
Access to \\newdc\testshare\yay.txt was denied.
--- OK ---
2) (optional) click OK to close the popup

At newdc*:
$ ls -l
total 4
-rw-rw-r--. 1 kev kev 0 Aug 20 11:12 yay.txt

* Alternatively, without touching newdc, I can shift focus from the TextPad window and back to it, and it will say that the file has changed. If I choose to reload it, it's now blank.

Isn't this a bug? I would expect a write that fails due to lack of write permissions to not actually affect the content of the file.

Thanks, Kev
Re: [Samba] chmod + remote save denied = file wiped?
BTW, I just confirmed this also happens with SELinux disabled. -K

On 2013-08-20 11:23 AM, Kevin Field wrote:

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). newdc also has a test share. I'm experiencing something strange whereby chmod and then an attempted file save causes a shared file to become zero bytes (despite the save not being blank, and also being denied):

At olddc:
1) open \\newdc\testshare\yay.txt

At newdc:
$ ls -l
total 8
-rw-rw-rw-. 1 me me 9 Aug 20 10:59 yay.txt
$ cat yay.txt
It works!$ chmod 664 yay.txt

At olddc:
1) add a space to yay.txt and attempt to save. popup:
--- TextPad ---
Access to \\newdc\testshare\yay.txt was denied.
--- OK ---
2) (optional) click OK to close the popup

At newdc*:
$ ls -l
total 4
-rw-rw-r--. 1 kev kev 0 Aug 20 11:12 yay.txt

* Alternatively, without touching newdc, I can shift focus from the TextPad window and back to it, and it will say that the file has changed. If I choose to reload it, it's now blank.

Isn't this a bug? I would expect a write that fails due to lack of write permissions to not actually affect the content of the file.

Thanks, Kev
Re: [Samba] AD DC eventually not browsable without restart
Thanks for the lead! The discussion there is a bit beyond me ATM but I'll try a `wbinfo -g` next time it stops working and see whether it's crashed or what. -K On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@brantaero.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. 
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.lan
        netbios name = NEWDC
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        allow dns updates = true
        dns forwarder = 192.168.1.1
        #dns recursive queries = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        # dcerpc endpoint servers = winreg srvsvc
        load printers = yes
        printing = cups

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = Yes
        read only = No
        printable = Yes

[print$]
        comment = Point and Print Printer Drivers
        path = /var/lib/samba/printing
        read only = No

[mytestshare]
        path = /srv/mytestshare/
        read only = No

Any ideas?

Thanks, Kev
Re: [Samba] AD DC eventually not browsable without restart
Okay, I'm not sure, but I don't *think* it's that bug. First, I don't know much about winbind, and never meant to set it up (although it's possible I did by accident) but I'm not using NetBIOS, if that makes a difference. Second, wbinfo still worked after \\newdc ceased to be browsable. Some more detail from log.samba. I was not here for this and I'm not sure when browsability ceased, but it's the only other entry: ../source4/dsdb/repl/drepl_out_helpers.c:833(dreplsrv_update_refs_done) UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan CN=Configuration,DC=mydomain,DC=lan After I logged in and tried to browse \\newdc -- it does this every time I try to browse right now: ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service *.: NT_STATUS_OBJECT_NAME_NOT_FOUND ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND The bug linked to doesn't mention either of these error codes, so I think it might not be related. I also found that whenever I run the AD Replication Status Tool on the Windows server, everything succeeds even right now while browsability is broken, but the log says this (also from times when browsability wasn't broken and I ran it): ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level) ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level) ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup I guess the errors are fine. It's strange the status tool says replication is fine even though the log says it had problems. But maybe it just had one problem, and now replication is working again but whatever that problem was somehow put Samba in a state where browsing \\newdc would not work. 
Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@mydomain.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. 
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.lan
        netbios name = NEWDC
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        allow dns updates = true
        dns forwarder = 192.168.1.1
        #dns recursive queries = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        # dcerpc endpoint servers = winreg srvsvc
        load printers = yes
        printing = cups

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = Yes
        read only = No
        printable = Yes

[print$]
        comment = Point and Print Printer Drivers
        path = /var/lib/samba/printing
        read only = No

[mytestshare]
        path = /srv/mytestshare/
        read only = No

Any ideas?

Thanks, Kev
Re: [Samba] AD DC eventually not browsable without restart
One other thing, I just noticed that while \\newdc is still unbrowsable, \\newdc\mytestshare works fine, as does \\newdc\netlogon. Kev On 2013-08-20 9:49 PM, Kevin Field wrote: Okay, I'm not sure, but I don't *think* it's that bug. First, I don't know much about winbind, and never meant to set it up (although it's possible I did by accident) but I'm not using NetBIOS, if that makes a difference. Second, wbinfo still worked after \\newdc ceased to be browsable. Some more detail from log.samba. I was not here for this and I'm not sure when browsability ceased, but it's the only other entry: ../source4/dsdb/repl/drepl_out_helpers.c:833(dreplsrv_update_refs_done) UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan CN=Configuration,DC=mydomain,DC=lan After I logged in and tried to browse \\newdc -- it does this every time I try to browse right now: ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service *.: NT_STATUS_OBJECT_NAME_NOT_FOUND ../source4/smb_server/smb/service.c:127(make_connection) make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND The bug linked to doesn't mention either of these error codes, so I think it might not be related. I also found that whenever I run the AD Replication Status Tool on the Windows server, everything succeeds even right now while browsability is broken, but the log says this (also from times when browsability wasn't broken and I ran it): ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level) ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level) ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup I guess the errors are fine. It's strange the status tool says replication is fine even though the log says it had problems. 
But maybe it just had one problem, and now replication is working again but whatever that problem was somehow put Samba in a state where browsing \\newdc would not work. Kev On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote: You may want to see if it is this bug, which is fixed in 4.0.9: https://bugzilla.samba.org/show_bug.cgi?id=9820 *From: *Kevin Field k...@mydomain.com *To: *samba@lists.samba.org *Sent: *Tuesday, August 20, 2013 9:38:32 AM *Subject: *[Samba] AD DC eventually not browsable without restart I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) replicating from a W2K3 DC (olddc). When I first launch Samba using `sudo samba`, I can go to the Windows server and browse to \\newdc in Explorer, and I see mytestshare, netlogon, printers, sysvol, and Printers and Faxes. After a while (I'm not sure how long precisely, but under 24 hours) I could not navigate to \\newdc without the following error: --- \\newdc --- \\newdc is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. The Server service is not started. --- OK --- But in the interim, I had not been doing anything in the system, so I'm not sure what might have caused it. One time it even happened on a weekend when no backup or anything particularly special is scheduled while I was away. Anyway, running `sudo killall samba` and then `sudo samba` makes it suddenly browsable again. This is happening every day. I guess it would be best to figure this problem out before we make Samba the only DC. 
Here's my smb.conf, mostly set up by samba-tool, and now a work in progress to add the extras we will use:

# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.lan
        netbios name = NEWDC
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        allow dns updates = true
        dns forwarder = 192.168.1.1
        #dns recursive queries = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        # dcerpc endpoint servers = winreg srvsvc
        load printers = yes
        printing = cups

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = Yes
        read only = No
        printable = Yes

[print$]
        comment = Point and Print Printer Drivers
        path = /var/lib/samba/printing
        read only
Re: [Samba] share permissions
Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing. Anyway, `sudo setenforce 0` seemed to work in that it didn't give me an error message, but OTOH didn't seem to work in that the output of ls -alhDZ was the same:

drwxrwxr-x. me me unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows.

Also something strange happened, after a while I could not navigate to \\newdc without a similar error, but I had not been doing anything in the system, so I'm not sure what might have caused it. Running `sudo killall samba` and then `sudo samba` made it suddenly be browseable again. Maybe not related...not sure...

Anyway thanks for your help, Ricky. Any other ideas?

BTW I had set up the selinux permissions on the mytestshare dir per the HOWTO at http://wiki.centos.org/HowTos/SetUpSamba . I'm pretty sure that's why it says samba_share_t on the ls output above.

Kev

On 2013-08-16 11:52 AM, Ricky Nance wrote:

Temporarily turn off selinux, if that fixes your issue you will need to adjust the selinux rules to take care of the problem (or just completely disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before you turn it off it can tell you if selinux is on, then run that again after it's turned off to confirm. You can read about disabling/turning off selinux at http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky

On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is successfully replicating with a W2K3 server. I'm following the HOWTO here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
    path = /home/me/mytestshare -- with or without trailing slash
    read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share listed there. I can also see it if I connect to newdc in Computer Management. However, what I can't get from either of those places is a Security tab if I right-click the share and go to Properties. There's a Share Permissions tab in CM only that says that Everyone has Full Control. Despite that, if I try to double-click the share in Explorer, I get:

--- \\newdc ---
\\newdc\mytest is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Access is denied.
--- OK ---

My account has all privileges I can think of, including the SeDiskOperatorPrivilege as laid out in the HOWTO. Even if I chmod 777 /home/me/mytestshare I get this error. What am I missing?

Thanks, Kev
Re: [Samba] Trying to Join a Working W2K3 AD
Hi Marc,

On 2013-08-15 4:18 AM, Marc Muehlfeld wrote:

Hello Kevin, hello Eli,

On 15.08.2013 05:48, Kevin Field wrote:

I get to the step

/usr/local/samba/bin/samba-tool dns add 192.168.1.252 _msdcs.domain.co.il 2d59ac49-1175-4656-943e-d556baa242cb CNAME DC2.domain.co.il -Uadministrator

I get the following error message:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 1053, in run
0, server, zone, name, add_rec_buf, None)

Is 192.168.1.252 the already existing DNS on your W2k3 Server or is it the IP of your Samba DC? It should be the IP of your existing DNS server, because Samba isn't up at that time.

In my case, it is the IP of the W2k3 server which has a working DNS. I've also tried replacing the IP with its hostname instead as I had found suggested somewhere, but it doesn't change the outcome.

You can also add the record through the MS DNS Console on windows.

Thanks for the suggestion...okay, I've done that. It seemed to work:

$ host -t CNAME fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan.
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan is an alias for newdc.mydomain.lan.

However, I run sudo samba, and then check the log.samba file, and it says:

[2013/08/15 08:02:33.285448, 0] ../source4/lib/tls/tlscert.c:166(tls_cert_generate)
TLS self-signed keys generated OK
[2013/08/15 08:02:34.371461, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure

This latter error it repeats about 15-20 times. https://lists.samba.org/archive/samba/2013-February/171688.html says it may be just cosmetic.

The Windows AD Replication Status Tools, after a refresh, says:

NEWDC.mydomain.lan,Failed to collect data against Node 'NEWDC.mydomain.lan'. It was retried 0 time(s). The following error occurred: Domain controller NEWDC.mydomain.lan does not exist or cannot be contacted.. Type=Microsoft.Sirona.Collection.CollectionException

...but it's been saying that since I ran samba-tool successfully to join the AD. (The LDAP query succeeds, but the Get Domain Controller Replication Status is where it's failing.)

ps -A | grep samba shows a bunch of samba threads running that weren't before.

samba-tool drs kcc says Consistency check [...] successful.

samba-tool drs showrepl gives all successes for inbound neighbours, and then just this:

OUTBOUND NEIGHBORS
KCC CONNECTION OBJECTS
Connection --
Connection name: 90c120f5-b240-4771-a4d6-673927d63b84
Enabled: TRUE
Server DNS name : olddc.mydomain.lan
Server DN name : CN=NTDS Settings,CN=IN,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!

Although, this also could just be 'cosmetic': https://lists.samba.org/archive/samba-technical/2011-November/080377.html

Okay, so I'll try adding a user. samba-tool user add worked fine, says it added successfully, and I can see info about it with wbinfo. However, it doesn't show up in Active Directory Users and Computers on the old DC.

Are these errors all really cosmetic? If so, why doesn't it replicate to the old dc?

Thanks for your help, Kev
[Samba] Samba4 and iptables
Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but having changes only replicating in one direction, from the Win2k3 AD but not back to it. I solved the problem, this time, by disabling iptables. I find it a bit hard to understand. These are the rules I have set up:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Additionally, I used to have -s 10.0.0.0/8 on all of the samba-related ones, but then I couldn't connect to the new DC via the Windows AD Users and Computers tool. Take away -s, and it works.

So the above is now what I have, but when iptables is enabled, I get Warning: No NC replicated for Connection! on outbound when I run samba-tool drs showrepl and I get errors like this in Windows Event Viewer:

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 2013-08-15
Time: 10:21:27 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: OLDDC
Description: The attempt to establish a replication link for the following writable directory partition failed.
Directory partition: DC=mydomain,DC=lan
Source domain controller: CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan
Source domain controller address: fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):
This domain controller will be unable to replicate with the source domain controller until this problem is corrected.
User Action
Verify if the source domain controller is accessible or network connectivity is available.
Additional Data
Error value: 1722 The RPC server is unavailable.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
- (end quote)

Also, the AD Replication Status Viewer tool will say that NEWDC cannot be contacted. Disable iptables, and voila, it starts reporting successful replication.

IIUC it's the port 135 that allows RPC contact, which I believe my iptables config above should correctly open. If not, could someone show me where I've gone wrong here?

Thanks, Kev
[Samba] users don't replicate from W2K3 to CentOS 6.4
With iptables disabled until I can figure out appropriate rules ( http://www.spinics.net/lists/samba/msg104592.html -- what do you do then? ) I added a user using samba-tool user add. If I go to the Windows box and fire up ADUC, the user is not there, even though the AD Replication Status tool reports successful replication. If I right-click the domain in ADUC, and choose Connect to Domain Controller, I can connect to the CentOS/SerNet Samba 4.0.8 DC. When I do that, I see the same list but with my added test user, too.

Unlike with iptables, drs showrepl gives a few success entries just after OUTBOUND NEIGHBORS, but then under KCC CONNECTION OBJECTS it gives the same warning as before, Warning: No NC replicated for Connection!. Nonetheless, samba-tool drs kcc from the new DC still reports a successful consistency check when given either the new DC or the old DC.

(Every step of the HOWTO or other help seems to end in a new error. Since we don't make extensive use of policies, I'm tempted to set up Samba as a non-AD fileserver and just map drives from the clients.)

Any help would be greatly appreciated.

Thanks, Kev
Re: [Samba] Samba4 and iptables
Thanks for your help, Thomas. I think it was the missing state part of some of the lines. When I use your example, it replicates, even in both directions this time! Which is quite odd, since without iptables running, I still had problems getting my Samba test user to replicate over to the Windows DC.

Also in case it helps anyone else who is not using NetBIOS, even if I cut the NetBIOS ports, it still works fine. Same with SSL ports. So now I have for the main part of it:

-A INPUT -m comment --comment "DNS" -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "DNS" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "SMB" -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "RPC" -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT

Just tested adding a second user and it replicated immediately. Yay!

Thanks again, Kev
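The two rule sets posted in this thread (the one that blocked replication and the one that worked) can be compared mechanically. The following is an added example, not code from the thread: it parses both posted INPUT rule sets, with comment strings quoted so they tokenise, and reports which protocol/port pairs only the working set accepts and which port rules have no `--state NEW` match. The function names are illustrative.

```python
import shlex

# Rule sets as posted in the thread; comment strings are quoted so they tokenise.
FIRST_POST = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment "CUPS" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

WORKING_POST = """
-A INPUT -m comment --comment "DNS" -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "DNS" -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "Kerberos" -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "LDAP" -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment "SMB" -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "CUPS" -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment "RPC" -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
"""

# Options whose following token is a value we record (or must skip, for --comment).
OPTS = {"-p": "proto", "--dport": "dport", "--state": "state",
        "-j": "target", "--comment": "comment"}


def parse_rule(line):
    """Parse one iptables-save style '-A INPUT' line into a dict, else None."""
    tok = shlex.split(line)
    if tok[:2] != ["-A", "INPUT"]:
        return None
    rule = {"proto": None, "dport": None, "state": "", "target": None}
    i = 2
    while i < len(tok):
        key = OPTS.get(tok[i])
        if key and i + 1 < len(tok):
            rule[key] = tok[i + 1]
            i += 2
        else:
            i += 1
    return rule


def port_rules(ruleset):
    """All ACCEPT rules in the rule set that name a protocol and a --dport."""
    rules = (parse_rule(line) for line in ruleset.splitlines())
    return [r for r in rules
            if r and r["target"] == "ACCEPT" and r["proto"] and r["dport"]]


def _order(pair):
    return (pair[0], int(pair[1].split(":")[0]))  # tolerate "lo:hi" port ranges


def only_in(a, b):
    """(proto, dport) pairs accepted by rule set a but not by rule set b."""
    opened = lambda rs: {(r["proto"], r["dport"]) for r in port_rules(rs)}
    return sorted(opened(a) - opened(b), key=_order)


def without_new_state(ruleset):
    """(proto, dport) pairs whose ACCEPT rule carries no '--state NEW' match."""
    return sorted({(r["proto"], r["dport"]) for r in port_rules(ruleset)
                   if "NEW" not in r["state"].split(",")}, key=_order)


if __name__ == "__main__":
    print("accepted only by the working set:", only_in(WORKING_POST, FIRST_POST))
    print("first set, no --state NEW:", without_new_state(FIRST_POST))
```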
[Samba] share permissions
I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is successfully replicating with a W2K3 server. I'm following the HOWTO here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
    path = /home/me/mytestshare -- with or without trailing slash
    read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share listed there. I can also see it if I connect to newdc in Computer Management. However, what I can't get from either of those places is a Security tab if I right-click the share and go to Properties. There's a Share Permissions tab in CM only that says that Everyone has Full Control. Despite that, if I try to double-click the share in Explorer, I get:

--- \\newdc ---
\\newdc\mytest is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions.
Access is denied.
--- OK ---

My account has all privileges I can think of, including the SeDiskOperatorPrivilege as laid out in the HOWTO. Even if I chmod 777 /home/me/mytestshare I get this error. What am I missing?

Thanks, Kev
[Samba] File timestamp mismatch using smbclient on share from Win 2K Server...
Hi Samba Peeps! Perhaps someone can shed some light on a peculiar problem I'm seeing. I have files located in a share on a Win2K server. When using smbclient on my HP-UX system to look at the files on the Win2K server I see that the timestamps are off by 1 hour. When looking at the same files on a Win XP client I see that the timestamps are correct. When looking at the same files on a Win 7 client I see that the timestamps are off by 1 hour and agree with the smbclient running on HP-UX. I have checked the timezone settings on all systems involved and they are all correct. I have verified that all systems involved have the correct current time as they are all using NTP based timekeeping. I'm using Samba 3 on the HP-UX server. I would certainly appreciate it if someone could offer a solution to the problem with respect to smbclient. We use smbclient in our production file processing endeavors and I need the timestamp from smbclient to be accurate. Any advice is greatly appreciated! :o) Thanks! kev
Re: [Samba] Failed to find a writeable DC for domain joining to win2k3 AD DC
Sorry, I didn't realize we were carrying on off-list.

Figured it out--had been giving samba-tool the hostname for both domain and realm, rather than, hmm, the domain and realm. (I think because in my case my domain and realm have two parts, unlike the HOWTO where they have three...confusion.) Works great now! Even without the new DC in resolv.conf nor domain ... in there either, just search ... and nameserver [olddc].

Thanks for your help Daniel, hope this point helps someone else too.

On 2013-08-14 1:51 AM, Daniel Müller wrote:

Look at your /etc/resolv.conf
There should be an entry of your existing DC in it ex.:
nameserver your.existing.dc
And you should be able to ping the existing DC.

Greetings
Daniel

---
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of Kevin Field
Sent: Tuesday, 13 August 2013 16:15
To: samba@lists.samba.org
Subject: [Samba] “Failed to find a writeable DC for domain” joining to win2k3 AD DC

I have a CentOS 6.4 box with SerNet's Samba 4.0.8 installed and no smb.conf file yet, as it should be. I want it to become an AD DC in my existing Windows domain, replicating from the existing Windows Server 2003 box. I have SELinux enabled and want it to stay that way.

I'm getting this error trying to run samba-tool:

$ sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC -Uadministrator --realm=currentwindowsadserver.mydomain.lan
Finding a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
File /usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 1082, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 73, in __init__
ctx.server = ctx.find_dc(domain)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 246, in find_dc
raise Exception(Failed to find a writeable DC for domain '%s' % domain)

I have a StackExchange thread open with all the things I've tried changing and all the things I've verified so far: http://unix.stackexchange.com/questions/86516/samba-4-gives-failed-to-find-a-writeable-dc-for-domain-on-samba-tool-domain-jo

I'd appreciate any pointers. I seem to have run out of things to try.

Thanks, Kev
Re: [Samba] Trying to Join a Working W2K3 AD
Hi Eli,

I'm trying to join a freshly compiled 4.0.3 installation as an additional DC to an existing W2K3 AD according to: https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I have built samba 4.0.3 on CentOS 6.3 x86_64. I am using the method that describes using the built in dns. I get to the step

/usr/local/samba/bin/samba-tool dns add 192.168.1.252 _msdcs.domain.co.il 2d59ac49-1175-4656-943e-d556baa242cb CNAME DC2.domain.co.il -Uadministrator

I get the following error message:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 1053, in run
0, server, zone, name, add_rec_buf, None)

And, of course, without proper DNS configuration I can not get replication to work. Have I done something wrong? How can I resolve this?

Thanks
Eli

I'm in a very similar situation, trying to get a SerNet Samba 4.0.8 on CentOS 6.4 to join a working Win2k3 AD domain, and am now stuck at the same error message. I see there were no replies on-list to your question. Did you get it sorted out in the end? If so, what helped?

Thanks, Kev
[Samba] “Failed to find a writeable DC for domain” joining to win2k3 AD DC
I have a CentOS 6.4 box with SerNet's Samba 4.0.8 installed and no smb.conf file yet, as it should be. I want it to become an AD DC in my existing Windows domain, replicating from the existing Windows Server 2003 box. I have SELinux enabled and want it to stay that way.

I'm getting this error trying to run samba-tool:

$ sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC -Uadministrator --realm=currentwindowsadserver.mydomain.lan
Finding a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
ERROR(exception): uncaught exception - Failed to find a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
File /usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
return self.run(*args, **kwargs)
File /usr/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 1082, in join_DC
machinepass, use_ntvfs, dns_backend, promote_existing)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 73, in __init__
ctx.server = ctx.find_dc(domain)
File /usr/lib64/python2.6/site-packages/samba/join.py, line 246, in find_dc
raise Exception(Failed to find a writeable DC for domain '%s' % domain)

I have a StackExchange thread open with all the things I've tried changing and all the things I've verified so far: http://unix.stackexchange.com/questions/86516/samba-4-gives-failed-to-find-a-writeable-dc-for-domain-on-samba-tool-domain-jo

I'd appreciate any pointers. I seem to have run out of things to try.

Thanks, Kev
Re: [Samba] nmbd is not running
I have changed the broadcast ip (172.17.255.255) of the server. Now nmbd is working.

Thank you
kevin

On Wed, Jul 31, 2013 at 7:26 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

It looks like you are using a block of private class B's as a contiguous CIDR range including 172.16.x.x and 172.17.x.x

I played around with the IP's using various on line subnet calculators

http://jodies.de/ipcalc?host=172.16.30.4&mask1=15&mask2=

Address: 172.16.30.4
Netmask: 255.254.0.0 = 15
Network: 172.16.0.0/15
Broadcast: 172.17.255.255
HostMin: 172.16.0.1
HostMax: 172.17.255.254

It looks to me like the broadcast address is wrong. Or are you trying to treat 172.16.x.x and 172.17.x.x as separate class B subnets?

On 07/31/13 08:54, Kevin Sha wrote:

root@srv:~# ifconfig -a
eth0 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.17.30.4 Bcast:172.31.255.255 Mask:255.254.0.0
        inet6 addr: fe80::bc27:29ff:fed3:c733/64 Scope:Link
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
        RX packets:48965895 errors:0 dropped:0 overruns:0 frame:0
        TX packets:1460501 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:1000
        RX bytes:1888712573 (1.7 GiB) TX bytes:785972618 (749.5 MiB)
eth0:1 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.3 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:2 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.5 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:3 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.6 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:4 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.17 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:5 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.8 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:6 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.30 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:7 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.4 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:8 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.6.10 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:9 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.6.11 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:10 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.18 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:11 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.20 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:12 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.21 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:13 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.29 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:14 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.6.13 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:15 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.2.0 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0:16 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
        inet addr:172.16.6.14 Bcast:172.31.255.255 Mask:255.254.0.0
        UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
        inet addr:127.0.0.1 Mask:255.0.0.0
        inet6 addr: ::1/128 Scope:Host
        UP LOOPBACK RUNNING MTU:16436 Metric:1
        RX packets:5532 errors:0 dropped:0 overruns:0 frame:0
        TX packets:5532 errors:0 dropped:0 overruns:0 carrier:0
        collisions:0 txqueuelen:0
        RX bytes:369954 (361.2 KiB) TX bytes:369954 (361.2 KiB)

On Wed, Jul 31, 2013 at 6:18 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

Can you show the ifconfig -a output on your server (or whatever the appropriate command for your OS.) The bind failed on ... 255 suggests the IP of the server is set wrong.

On 07/31/13 05:17, Kevin Sha wrote:

Hi, I have a samba domain controller in my network, and recently I have changed the netmask of the network. Then nmbd is not working. Could you please help me to solve this issue?

nmbd -i
nmbd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
Unknown parameter encountered: wide
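The mismatch pointed out in this reply, a configured broadcast of 172.31.255.255 on a 255.254.0.0 network, can be checked for every interface at once. The following is an added example, not code from the thread: it parses net-tools style `ifconfig` output and reports each interface whose `Bcast` differs from the broadcast implied by its address and netmask. The sample text is the first lines of the posted output with traffic counters omitted; the function names are illustrative.

```python
import ipaddress
import re

# First entries of the `ifconfig -a` output posted in the thread (counters omitted).
POSTED = """\
eth0      Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.17.30.4  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
eth0:1    Link encap:Ethernet  HWaddr be:27:29:d3:c7:33
          inet addr:172.16.2.3  Bcast:172.31.255.255  Mask:255.254.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

IFACE = re.compile(r"^(\S+)\s+Link encap:")
INET = re.compile(r"inet addr:(\S+)(?:\s+Bcast:(\S+))?\s+Mask:(\S+)")


def parse_ifconfig(text):
    """Yield (iface, addr, bcast_or_None, mask) for each IPv4 address line."""
    iface = None
    for line in text.splitlines():
        m = IFACE.match(line)
        if m:
            iface = m.group(1)
        m = INET.search(line)
        if m and iface:
            yield (iface,) + m.groups()


def expected_broadcast(addr, mask):
    """Broadcast address implied by an IPv4 address and dotted netmask."""
    net = ipaddress.ip_interface(f"{addr}/{mask}").network
    return str(net.broadcast_address)


def broadcast_mismatches(text):
    """List (iface, addr, configured_bcast, expected_bcast) where they differ."""
    bad = []
    for iface, addr, bcast, mask in parse_ifconfig(text):
        if bcast is None:          # loopback and similar: no broadcast configured
            continue
        want = expected_broadcast(addr, mask)
        if bcast != want:
            bad.append((iface, addr, bcast, want))
    return bad


if __name__ == "__main__":
    for iface, addr, have, want in broadcast_mismatches(POSTED):
        print(f"{iface}: {addr} has Bcast {have}, netmask implies {want}")
```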
[Samba] nmbd is not running
Hi, I have a samba domain controller in my network, and recently I have changed the netmask of the network. Then nmbd is not working. Could you please help me to solve this issue?

nmbd -i
nmbd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
standard input is not a socket, assuming -D option
bind failed on port 137 socket_addr = 172.17.255.255.
Error = Cannot assign requested address
nmbd_subnetdb:make_subnet()
Failed to open nmb bcast socket on interface 172.17.255.255 for port 137. Error was Cannot assign requested address
ERROR: Failed when creating subnet lists. Exiting.
-
/etc/init.d/samba status
nmbd is not running ... failed!
smbd is running.

My samba configuration file
---
[global]
    workgroup = KEVIN
    netbios name = KEVINDC
    server string = KEVIN Domain controller
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    name resolve order = lmhosts host wins bcast
    unix extensions = No
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos %u
    add group script = /usr/sbin/addgroup --force-badname %g
    add machine script = /usr/sbin/useradd -g machines -c %u machine account -d /var/lib/samba -s /bin/false %u
    logon path =
    logon home =
    domain logons = Yes
    os level = 33
    preferred master = Auto
    domain master = Yes
    dns proxy = No
    panic action = /usr/share/samba/panic-action %d

[homes]
    comment = Home Directories
    valid users = %S
    create mask = 0700
    directory mask = 0700
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes
    share modes = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers

Thank you
kevin
[Samba] Forcing clients to use NTLMv2 in 3.6.12
All,

I need to force XP clients to use NTLMv2 when mapping to samba 3.6.12. My config is:

    ntlm auth = No
    client NTLMv2 auth = Yes
    client lanman auth = No
    client plaintext auth = No
    lanman auth = No

XP systems can still map shares with the above config. If I add:

    max protocol = SMB2
    min protocol = SMB2

W7 systems map shares, XP systems cannot map shares even if I change LAN Manager authentication level to: Send NTLMv2 response only or Send NTLMv2 response only\refuse LM & NTLM.

Any ideas?

-Kevin
[Samba] 3.6.12 build
All,

I'm still struggling to get samba 3.6.12 built on a Solaris 8 sparc system. I built openldap 2.4.35 with --disable-ipv6 --disable-bdb --disable-hdb --disable-mdb --enable-passwd.

I built samba with:

./configure -prefix=/opt/XRX --exec-prefix=/opt/XRX --with-configdir=/etc/samba --with-privatedir=/etc/samba/private --with-lockdir=/var/samba/locks --with-statedir=/var/samba/locks --with-cachedir=/var/samba/locks --with-piddir=/var/run --with-logfilebase=/var/samba/log --with-static-modules=vfs_solarisacl --with-shared-modules=vfs_prealloc,vfs_cacheprime,vfs_commit,idmap_ldap,idmap_tdb2,idmap_rid,idmap_ad,idmap_hash,idmap_adex --enable-shared --with-readline --with-acl-support --with-aio-support --with-pam --with-automount --with-dnsupdate=no --with-ldap --with-winbind --with-ads

Samba fails during configure:

checking for LDAP support... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... no
checking for ber_sockbuf_add_io... no
checking for LDAP_OPT_SOCKBUF... yes
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... yes
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... yes
checking for ldap_initialize... (cached) no
configure: error: Active Directory support requires ldap_initialize

-Kevin
[Samba] Building 3.6.12
All, I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this the correct forum to ask questions? This is my first build so any tips/tricks are appreciated. What are the prerequisites to get samba to compile so that it will join an AD domain? TIA, -Kevin
Re: [Samba] Building 3.6.12
I can patch Solaris 10 to get Samba 3.6.12 and it takes about 5 mins to complete. I know moving off Solaris 8 would be the best path to take however it's not my decision to make... -Kevin
[Samba] Build 3.6.12 on Solaris 8
All, I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone accomplished this and willing to share tips, tricks, or notes? -Kevin
[Samba] wbinfo, wbinfo_group.pl, user missing from AD group
I'm not exactly sure how the mapping of uid, sid, maps to unix gid. We're using the wbinfo_group.pl script for our squid deployment. The issue I see is if I run the script, or a valid and a user that isn't working. On my system it returns a GID.

Got 3kll Hardware from squid
Username 3kll Groups Hardware
User: -3kll- Group: -Hardware- SID: -S-1-5-21-1607859618-1323328405-3834754132-2828- GID: -16777237-
Sending OK to squid
OK

Here's a failing one.

Got 3lsr Hardware from squid
Username 3lsr Groups Hardware
User: -3lsr- Group: -Hardware- SID: -S-1-5-21-1607859618-1323328405-3834754132-2828- GID: -16777237-
Sending ERR to squid
ERR

So, I run a wbinfo -r on 3lsr

wbinfo -r 3lsr
16777217
16777221
16777222
16777277
16777279
16777230
16777232
16777267

GID 16777237 isn't listed. It is listed in 3kll. So, how do I get user 3lsr to report back that it's in group 16777237?

Thanks

-- Kevin Blackwell
[Samba] /var/samba/locks/smb_krb5/krb5.conf.DOM
All, I am running Solaris 10 and Samba 3.6.6. We use intelligent DNS and have more than 10 ADs. In /etc/krb5/krb5.conf I configure kdc and admin_server to point to the IDNS server so any one of our functioning ADs can be used dynamically. I've noticed that /var/samba/locks/smb_krb5/krb5.conf.DOM gets created when net ads join is run. I've also noticed that the kdc is set to an IP address and appears to be dynamic. Can someone tell me what/how this file is controlled and if there are smb.conf settings to manually control this file? TIA, -Kevin
[Samba] Error creating host keytab
I am running Samba 3.0.35. When I run net ads join or net ads keytab create I see that the keytab file cannot be created. Here's a portion of the log:

[2013/03/20 07:57:50, 3] libads/kerberos.c:(337) kerberos_secrets_store_des_salt: Storing salt host/pitviper.DOMAIN@REALM
[2013/03/20 07:57:50, 2] libads/kerberos_keytab.c:(260) ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2013/03/20 07:57:50, 3] libads/kerberos_keytab.c:(184) smb_krb5_kt_add_entry: adding keytab entry for (host/pitviper.DOMAIN@REALM) with encryption type (1) and version (8)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(189) smb_krb5_kt_add_entry: adding entry to keytab failed (Cannot write to specified key table)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(346) ads_keytab_add_entry: Failed to add entry to keytab file
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(508) ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2013/03/20 07:57:50, 1] utils/net_ads.c:(1647) Error creating host keytab!
Joined 'PITVIPER' to realm 'REALM'
[2013/03/20 07:57:50, 2] utils/net.c:(1075) return code = 0

I've tried creating /etc/krb5/krb5.keytab with no luck. Any ideas? TIA

-Kevin
[Samba] Samba 3.6.6 authentication
Can anyone tell me if Kerberos is a requirement for windows server 2008R2 AD NTLM or NTLMv2 authentication? TIA, -Kevin
[Samba] Authentication in 2008R2 AD
What is the earliest version of Samba that will authenticate in a native 2008R2 AD? Is Kerberos a requirement to authenticate to native 2008R2 AD? TIA, -Kevin
[Samba] username map is not functioning
All, When the company upgraded AD from 2003 to 2008R2 users lost the ability to access Samba shares without being prompted for a password. I've upgraded Samba from 3.0.30 to 3.6.6. I would like to continue using username map to map my users however it appears the map is being ignored. The only way I can get this config to work is by adding an account that matches the unix account using smbpasswd. Any ideas?

[global]
bind interfaces only= Yes
case sensitive = Yes
comment = Global Definitions
create mask = 0775
directory mask = 0775
follow symlinks = No
guest account = ftp
guest ok= No
host msdfs = No
hosts allow = 13.,127.
hosts deny = ALL
idmap config * : backend = tdb
interfaces = nge0,lo0
kernel oplocks = No
level2 oplocks = No
map to guest= Bad UID
max disk size = 131072
oplocks = No
preserve case = Yes
unix extensions = No
lm announce = No
local master= No
max protocol= SMB2
min protocol= NT1
name resolve order = host,bcast,wins,lmhosts
netbios name= TYRELL
security= DOMAIN
username map= /etc/samba/users.map
wins server = xxx.xxx.xxx.xxx
workgroup = DOMAINNAME
log file= /var/samba/log/log.%m
log level = 4
syslog = 2

[ColorQube]
path= /ColorQube
writeable = Yes
browseable = Yes
create mask = 666
directory mask = 777
directory security mask = 777
inherit permissions = Yes
guest ok= Yes

[read]
fake oplocks= Yes
path

Thanks in advance.

-Kevin
Re: [Samba] username map is not functioning
This appears to be an IDMAP username mapping issue not an issue with the username map file. I think this is not an issue with the username map file. Thanks for the reply.

-Kevin

On Mon, 11 Mar 2013, Kevin Shaw wrote:

When the company upgraded AD from 2003 to 2008R2 users lost the ability to access Samba shares without being prompted for a password. I've upgraded Samba from 3.0.30 to 3.6.6. I would like to continue using username map to map my users however it appears the map is being ignored. The only way I can get this config to work is by adding an account that matches the unix account using smbpasswd. Any ideas?

This sounds to me like Samba bug 8881. It isn't clear to me that anyone in the Samba team cares enough about this bug to get it fixed. https://bugzilla.samba.org/show_bug.cgi?id=8881

-- 73, Ged.
[Samba] Trying to understand authentication
I am running Solaris 10 u8 running Samba 3.6.6. Windows server 2008R2 runs AD. I don't understand samba authentication and hope someone might be able to help me understand the process. The following configuration appears to be functional. NIS is running and Winbind is not. Pam.conf has not been touched. Nsswitch.conf has the default configuration for nis. Pdbedit -Lv shows no users. How are domain users authenticating to my Samba server? I'm guessing that net rpc join had something to do with it?

[global]
bind interfaces only= Yes
case sensitive = Yes
comment = Global Definitions
create mask = 0775
directory mask = 0775
follow symlinks = No
guest account = ftp
guest ok= No
host msdfs = No
hosts allow = 13.,127.
hosts deny = ALL
idmap config * : backend = tdb
interfaces = nge0,lo0
kernel oplocks = No
level2 oplocks = No
map to guest= Bad UID
max disk size = 131072
oplocks = No
preserve case = Yes
unix extensions = No
lm announce = No
local master= No
max protocol= SMB2
min protocol= NT1
name resolve order = host,bcast,wins,lmhosts
netbios name= SERVER
security= DOMAIN
username map= /etc/samba/users.map
wins server = xxx.xxx.xxx.xxx
workgroup = DOMAINNAME
log file= /var/samba/log/log.%m
log level = 4
syslog = 2

[ColorQube]
path= /ColorQube
writeable = Yes
browseable = Yes
create mask = 666
directory mask = 777
directory security mask = 777
inherit permissions = Yes
guest ok= Yes

[read]
fake oplocks= Yes
path

TIA,

-Kevin
Re: [Samba] User is invalid on this system
A rejoin unfortunately did not fix this issue and interestingly enough Samba failed to find a domain controller by any of the standard lookup means (hosts, lmhosts, WINS and with a broadcast) so I had to use the -s argument to manually specify the server in the 'net ads join' command. This probably signifies deeper issues. Eventually I just used the current Sernet provided 3.6.9 packages which resolved the issue. What's so odd about this is that there is a nearly identical secondary host running the same version of Samba used for failover. No issues with the secondary. Go figure.

---
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Friday, November 30, 2012 10:55 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

With what I've read and what I've seen with the rebuilds, there's a good chance the rejoin could fix your problem. That being said, there are no guarantees with winbind. It's the part of the Samba suite that has given me the most problems over the years, breaking existing configs almost every time its internal workings are changed. I wish you good luck!

Dale

On 11/30/2012 12:57 PM, Kevin Elliott wrote:

Dale, I was afraid of that. We were forced to upgrade from 3.5.x because of a reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x introduces idmap/rid issues. I guess we just traded one for another. Do you think un-joining and then re-joining the existing system could fix this? Thanks.

---
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Friday, November 30, 2012 9:38 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

Kevin, 3.6.x has had several issues with idmap rid. I was hit with this one: https://bugzilla.samba.org/show_bug.cgi?id=8676 . Searching for idmap rid issues with 3.6.x will reveal others as well. Someone indicated that rejoining the domain would fix this issue. As it so happened, I had to rebuild one of the servers. After joining the rebuilt system to the domain, it has worked flawlessly ever since. So, it appears the problem with rid and some of the other idmap backends is somehow related to upgrading, as newly joined systems work as expected.

Dale

On 11/29/2012 6:51 PM, Kevin Elliott wrote:

Hello all. We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients: Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup
[2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info) Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc) receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request)

However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd. And the relevant section of smb.conf:

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90
[Samba] Error with Windows AD tools GUI
Hi list, I'm trying the Samba 4 RC6 on a CentOS 6 machine. It compiles and runs fine, but I cannot use the administrator tools on Windows XP or 7. On XP, it just says "Not specified error" (I don't know if it's the right translation from French: Erreur non spécifée). I can see that computers I join to AD aren't added in DNS (I use internal DNS). Any suggestions? Thanks, Kevin C.
Re: [Samba] User is invalid on this system
) winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:41:58.866817, 10] winbindd/winbindd.c:616(process_request) process_request: Handling async request 425:PING
[2012/11/30 08:41:58.866937, 10] winbindd/winbindd.c:678(wb_request_done) wb_request_done[425:PING]: NT_STATUS_OK
[2012/11/30 08:41:58.867034, 10] winbindd/winbindd.c:739(winbind_client_response_written) winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:42:05.563565, 6] winbindd/winbindd.c:793(new_connection) accepted socket 29
[2012/11/30 08:42:05.563716, 10] winbindd/winbindd.c:643(process_request) process_request: request fn INTERFACE_VERSION
[2012/11/30 08:42:05.563778, 3] winbindd/winbindd_misc.c:384(winbindd_interface_version) [ 453]: request interface version
[2012/11/30 08:42:05.563884, 10] winbindd/winbindd.c:739(winbind_client_response_written) winbind_client_response_written[453:INTERFACE_VERSION]: delivered response to client
[2012/11/30 08:42:05.563976, 10] winbindd/winbindd.c:643(process_request) process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/30 08:42:05.564028, 3] winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir) [ 453]: request location of privileged pipe
[2012/11/30 08:42:05.564112, 10] winbindd/winbindd.c:739(winbind_client_response_written) winbind_client_response_written[453:WINBINDD_PRIV_PIPE_DIR]: delivered response to client
[2012/11/30 08:42:05.564201, 6] winbindd/winbindd.c:841(winbind_client_request_read) closing socket 29, client exited
[2012/11/30 08:42:05.564274, 6] winbindd/winbindd.c:793(new_connection) accepted socket 29
[2012/11/30 08:42:05.564351, 10] winbindd/winbindd.c:616(process_request) process_request: Handling async request 453:PING
[2012/11/30 08:42:05.564411, 10] winbindd/winbindd.c:678(wb_request_done) wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.564480, 10] winbindd/winbindd.c:739(winbind_client_response_written) winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:05.585267, 10] winbindd/winbindd.c:616(process_request) process_request: Handling async request 453:PING
[2012/11/30 08:42:05.585367, 10] winbindd/winbindd.c:678(wb_request_done) wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.585443, 10] winbindd/winbindd.c:739(winbind_client_response_written) winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:10.081128, 6] winbindd/winbindd.c:841(winbind_client_request_read) closing socket 29, client exited
[2012/11/30 08:42:12.146894, 6] winbindd/winbindd.c:841(winbind_client_request_read) closing socket 28, client exited

If I'm reading the logs correctly it looks like winbind opens the Unix pipe for the client, the client re-establishes the connection and we get a NT_STATUS_OK at the end of it. Appreciate the help!

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Thomas Mueller
Sent: Thursday, November 29, 2012 9:50 PM
To: samba@lists.samba.org
Subject: Re: [Samba] User is invalid on this system

On Thu, 29 Nov 2012 15:51:55 -0900, Kevin Elliott wrote:

Hello all. We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients: Here's an example from my workstation (logging verbosity set at 10):

...
auth/user_krb5.c:162(get_user_from_kerberos_info) Username CBJ_NT+kevin_elliott is invalid on this system
...

However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd. Any ideas? Anyone else see this?

maybe the winbind in /etc/nsswitch.conf got lost? is getent -s winbind passwd $username returning something? is winbindd running (ps -C winbindd -f)? any log messages in /var/log/samba/log.winbindd ?

- Thomas
Re: [Samba] User is invalid on this system
Dale, I was afraid of that. We were forced to upgrade from 3.5.x because of a reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x introduces idmap/rid issues. I guess we just traded one for another. Do you think un-joining and then re-joining the existing system could fix this? Thanks.

---
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Friday, November 30, 2012 9:38 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

Kevin, 3.6.x has had several issues with idmap rid. I was hit with this one: https://bugzilla.samba.org/show_bug.cgi?id=8676 . Searching for idmap rid issues with 3.6.x will reveal others as well. Someone indicated that rejoining the domain would fix this issue. As it so happened, I had to rebuild one of the servers. After joining the rebuilt system to the domain, it has worked flawlessly ever since. So, it appears the problem with rid and some of the other idmap backends is somehow related to upgrading, as newly joined systems work as expected.

Dale

On 11/29/2012 6:51 PM, Kevin Elliott wrote:

Hello all. We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients: Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup
[2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info) Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc) receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request)

However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd. And the relevant section of smb.conf:

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 192.0.2.87/32, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
password server = 192.0.2.25, 192.0.2.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 192.0.2.25
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config LIBRARY:range = 65535-7
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:backend = rid
idmap config * : range = 1-65533
idmap config * : base_rid = 0
idmap config * : backend = rid
admin users = @CBJ_NT+admin
veto files = /.*/

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only
[Samba] User is invalid on this system
Hello all. We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map Samba shares from our Windows XP SP3 and Windows 7 clients: Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087, 3] smbd/process.c:1467(switch_message) switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212, 3] smbd/sesssetup.c:1333(reply_sesssetup_and_X) wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258, 2] smbd/sesssetup.c:1279(setup_new_vc_session) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353, 3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego) Doing spnego session setup
[2012/11/29 15:23:58.120409, 3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego) NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498, 3] smbd/sesssetup.c:660(reply_spnego_negotiate) reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198, 3] libads/authdata.c:332(decode_pac_data) Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309, 3] auth/user_krb5.c:50(get_user_from_kerberos_info) Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710, 1] auth/user_krb5.c:162(get_user_from_kerberos_info) Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780, 3] smbd/error.c:81(error_packet_set) error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839, 1] smbd/process.c:457(receive_smb_talloc) receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072, 3] smbd/server_exit.c:181(exit_server_common) Server exit (failed to receive smb request)

However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd. And the relevant section of smb.conf:

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 192.0.2.87/32, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
password server = 192.0.2.25, 192.0.2.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 192.0.2.25
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config LIBRARY:range = 65535-7
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:backend = rid
idmap config * : range = 1-65533
idmap config * : base_rid = 0
idmap config * : backend = rid
admin users = @CBJ_NT+admin
veto files = /.*/

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes

Any ideas? Anyone else see this?

---
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
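A triage of the kind of smbd log posted above, as an added example that is not part of the original post: it splits Samba 3.6 debug entries (native two-line layout or flattened onto one line) and separates session setups where the Kerberos ticket was accepted but the Unix name lookup failed from other failures. The sample log, the EXAMPLE domain, the user alice and all function names are constructed for illustration.

```python
import re
from collections import namedtuple

# Header of a Samba 3.6 debug entry: [date time, level] file:line(function)
HEADER_RE = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[\w./-]+):(?P<line>\d+)\((?P<func>\w+)\)"
)
PRINCIPAL_RE = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
INVALID_RE = re.compile(r"Username (\S+) is invalid on this system")
STATUS_RE = re.compile(r"\(SMBsesssetupX\)\s+(NT_STATUS_\w+)")

Entry = namedtuple("Entry", "ts level src func msg")

# Constructed sample, modelled on the log format in the post (not real data).
SAMPLE_LOG = """\
[2024/01/15 10:00:01.100000,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 4242) conn 0x0
[2024/01/15 10:00:01.104000,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [alice@EXAMPLE.LOCAL]
[2024/01/15 10:00:01.104500,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username EXAMPLE+alice is invalid on this system
[2024/01/15 10:00:01.104900,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2024/01/15 10:05:30.200000,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 4243) conn 0x0
[2024/01/15 10:05:30.250000,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(1200) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
"""


def parse_entries(text):
    """Return one Entry per header; the message is everything up to the next header."""
    matches = list(HEADER_RE.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        msg = " ".join(text[m.end():end].split())  # collapse wrapping and indentation
        entries.append(Entry(m["ts"], int(m["level"]), m["src"], m["func"], msg))
    return entries


def classify(record):
    """Name the stage at which a session setup failed."""
    if record["principal"] and record["unix_name"]:
        # Ticket and PAC were decoded; the passwd lookup for the mapped name failed.
        # Look at nsswitch, winbindd and idmap rather than at the user's credentials.
        return "ticket-accepted-name-lookup-failed"
    if record["status"]:
        return "auth-failed"
    return "no-error-logged"


def triage_session_setups(text):
    """Group entries by SMBsesssetupX request (single log file, in order)."""
    records, cur = [], None
    for e in parse_entries(text):
        if e.func == "switch_message" and "SMBsesssetupX" in e.msg:
            cur = {"ts": e.ts, "principal": None, "unix_name": None, "status": None}
            records.append(cur)
            continue
        if cur is None:
            continue  # entries before the first session setup
        for key, rx in (("principal", PRINCIPAL_RE), ("unix_name", INVALID_RE),
                        ("status", STATUS_RE)):
            m = rx.search(e.msg)
            if m:
                cur[key] = m.group(1)
    for r in records:
        r["verdict"] = classify(r)
    return records


if __name__ == "__main__":
    for r in triage_session_setups(SAMPLE_LOG):
        print(r["ts"], r["verdict"], r["principal"] or "-", r["unix_name"] or "-")
```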
Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND
I read the bugreport that Dale linked and ended up using the workaround listed there. Changes made to '/etc/samba/smb.conf' follow: @@ -28,9 +28,12 @@ winbind enum users = Yes winbind enum groups = Yes panic action = /usr/share/samba/panic-action %d -idmap config CBJ_NT:backend = rid -idmap config CBJ_NT:base_rid = 0 -idmap config CBJ_NT:range = 1-65533 +idmap config * : backend = rid +idmap config * : base_rid = 0 +idmap config * : range = 1-65533 idmap config LIBRARY:backend = rid idmap config LIBRARY:base_rid = 0 idmap config LIBRARY:range = 65535-7 Does anyone have any idea why not explicitly specifying the domain fixes this issue? -Original Message- 
From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
Sent: Tuesday, July 10, 2012 11:18
To: Kevin Elliott
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

On 07/10/2012 12:56 PM, Kevin Elliott wrote:

Hello all, I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track the current development to try and chase some long standing bugs out. I think I've resolved one problem but introduced another. I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid

This looks like it has all the markings of following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Before I follow this upstream can someone sanity check my configs for me? I understand that much has changed between 3.5 and 3.6 regarding the idmapping.

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 199.58.55.87/22, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
password server = 199.58.55.25, 199.58.55.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 199.58.55.25
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
panic action = /usr/share/samba/panic-action %d
idmap config CBJ_NT:backend = rid
idmap config CBJ_NT:base_rid = 0
idmap config CBJ_NT:range = 1-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-7
winbind separator = +
winbind use default domain = Yes

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes

Thank you for your consideration.

Kevin, With idmap rid, it could also be this one: https://bugzilla.samba.org/show_bug.cgi?id=8676 This bug has been in every version of 3.6. For me, a reboot of the system usually will fix the problem until the next samba/winbind restart is required; others have not been so fortunate.

Dale
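Review bot: the three added `idmap config * :` lines in the smb.conf hunk make rid the catch-all backend, so every domain without its own section (only LIBRARY has one in the visible lines) is mapped with the same base_rid and range, and the same RID in two such domains resolves to one Unix ID. If the change is meant only as a workaround for CBJ_NT, note that in a comment above the lines and confirm no other domain's users can reach this server. The hunk header also announces 12 lines on the new side (`+28,12`) while only nine are shown, so part of the change appears to be missing from the post.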
[Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND
Hello all, I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track the current development to try and chase some long standing bugs out. I think I've resolved one problem but introduced another. I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid

This looks like it has all the markings of following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679

Before I follow this upstream can someone sanity check my configs for me? I understand that much has changed between 3.5 and 3.6 regarding the idmapping.

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 199.58.55.87/22, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
password server = 199.58.55.25, 199.58.55.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 199.58.55.25
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
panic action = /usr/share/samba/panic-action %d
idmap config CBJ_NT:backend = rid
idmap config CBJ_NT:base_rid = 0
idmap config CBJ_NT:range = 1-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-7
winbind separator = +
winbind use default domain = Yes

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes

Thank you for your consideration.

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue
I'm still trying to track this down, to see if I can offer any further info. Increasing the log level shows that all of the history requests are happening in pdb_ldap.c, but I don't know that I saw where it was setting the history during a password change. I'm also seeing a lot of 'Failed to get password history for user' messages. I'm not sure why samba can't get that information. I don't see any errors in the ldap server logs, but I might try to read them a little closer to see if something is being blocked.

Is there a samba command to display the user password history directly, and maybe I can see a different error?

From: groucho.64...@hotmail.com
To: samba@lists.samba.org
Date: Fri, 4 May 2012 14:05:54 -0400
Subject: [Samba] samba(3.6.4),with LDAP backend and sambapasswordhistory issue

We would like to have password history working in our setup which is samba with Sun Directory Services 7.0 on the backend. Everything else seems to be working ok, but I notice that the sambapasswordhistory entry for any particular user is filled with 0's. If I set the password for the account, then it's 16 0's, followed by a copy of the password hash, and the rest 0's. If I change the password to something else, the history entry stays the same. If I change the password back to the original, the second password hash that I entered isn't stored along with the original. It's 0's.

I've seen online that someone had this issue in 2005, but I didn't see any responses to this. Has anyone seen this or have a suggestion of what I can try?

Thanks for the help. we're using a history of 24 in case it matters...maybe that's a problem, should it be 23?
Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue
Ok, here's an update. I recreated a user account and started changing the password on it, and now I'm seeing passwords stored in the sambapasswordhistory field. Each time I change it another one is stored. Then, suddenly, the entire sambapasswordhistory entry is wiped clean and it's only storing the latest password. Each subsequent password change is only storing the latest password. Seems like a buffer overflow maybe? If I modify the history length in the password policy, it looks like it starts working again for a bit.

I'm using Sun DSEE 7 as the ldap server and using the netscape5.ldif file.

From: groucho.64...@hotmail.com
To: samba@lists.samba.org
Date: Tue, 8 May 2012 08:21:04 -0400
Subject: Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue

I'm still trying to track this down, to see if I can offer any further info. Increasing the log level shows that all of the history requests are happening in pdb_ldap.c, but I don't know that I saw where it was setting the history during a password change. I'm also seeing a lot of 'Failed to get password history for user' messages. I'm not sure why samba can't get that information. I don't see any errors in the ldap server logs, but I might try to read them a little closer to see if something is being blocked.

Is there a samba command to display the user password history directly, and maybe I can see a different error?

From: groucho.64...@hotmail.com
To: samba@lists.samba.org
Date: Fri, 4 May 2012 14:05:54 -0400
Subject: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue

We would like to have password history working in our setup which is samba with Sun Directory Services 7.0 on the backend. Everything else seems to be working ok, but I notice that the sambapasswordhistory entry for any particular user is filled with 0's. If I set the password for the account, then it's 16 0's, followed by a copy of the password hash, and the rest 0's. If I change the password to something else, the history entry stays the same. If I change the password back to the original, the second password hash that I entered isn't stored along with the original. It's 0's.

I've seen online that someone had this issue in 2005, but I didn't see any responses to this. Has anyone seen this or have a suggestion of what I can try?

Thanks for the help. we're using a history of 24 in case it matters...maybe that's a problem, should it be 23?
Re: [Samba] winbind stop working
Interesting. I'll try this and see what happens. Any idea why setting such an aggressive cache refresh time for the idmap issue could resolve this?

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of daniele
Sent: Sunday, May 06, 2012 11:13 PM
To: samba@lists.samba.org
Subject: Re: [Samba] winbind stop working

On 04/05/2012 23:47, Kevin Elliott wrote:

So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted? Here's my idmap cache values:

    idmap backend = tdb
    idmap alloc backend =
    idmap cache time = 604800
    idmap negative cache time = 120
    idmap uid = 1-7
    idmap gid = 1-7
    winbind separator = +
    winbind cache time = 300
    winbind reconnect delay = 30
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind expand groups = 1
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No
    winbind normalize names = No

After playing with parameters I found that lowering idmap cache time has some effects. Now, with a value of 300, looks good. I have to do other tests to understand what is happening, but it seems a good starting point.

Daniele
[Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue
We would like to have password history working in our setup which is samba with Sun Directory Services 7.0 on the backend. Everything else seems to be working ok, but I notice that the sambapasswordhistory entry for any particular user is filled with 0's. If I set the password for the account, then it's 16 0's, followed by a copy of the password hash, and the rest 0's. If I change the password to something else, the history entry stays the same. If I change the password back to the original, the second password hash that I entered isn't stored along with the original. It's 0's.

I've seen online that someone had this issue in 2005, but I didn't see any responses to this. Has anyone seen this or have a suggestion of what I can try?

Thanks for the help. we're using a history of 24 in case it matters...maybe that's a problem, should it be 23?
Re: [Samba] winbind stop working
No one else has seen this issue? Should I move this to samba-technical? Or submit a bug report? Is there any other information that would be helpful in troubleshooting this?

-----Original Message-----
From: Kevin Elliott
Sent: Monday, April 30, 2012 9:51 AM
To: samba@lists.samba.org
Subject: RE: [Samba] winbind stop working

We're also seeing similar symptoms with our Squid proxy's winbindd as well. After an indeterminate amount of time (sometimes an hour, sometimes a day) the winbind process will lose the ability to resolve UID/GIDs to SIDS and authentication to the proxy will fail:

    [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid) string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.

If we try doing a winbind -p we get a successful return however trying to lookup a SID from UID/GID fails. We're on Debian 6.0.4 and Samba 2.3.5.6.

Has anyone else seen this issue? Any possible workarounds or patches?

Here's the debugging output for a particular user:

    [2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message) switch message SMBtconX (pid 15651) conn 0x0
    [2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.217062, 5] auth/token_util.c:525(debug_nt_user_token) NT user token: (NULL)
    [2012/04/27 11:04:52.217085, 5] auth/token_util.c:551(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X) Client requested device type [?] for share [FTP]
    [2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection) making a connection to 'normal' service ftp
    [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid) string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
    [2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup) Unable to get default yp domain, let's try without specifying it
    [2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup) looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
    [2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup) looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
    [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name) lookup_name: CBJ_NT\domain users = CBJ_NT (domain), domain users (name)
    [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name) lookup_name: flags = 0x077
    [2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name) map_name_to_wellknown_sid: looking up domain users
    [2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2012/04/27 11:04:52.217966, 5] auth/token_util.c:525(debug_nt_user_token) NT user token: (NULL)
    [2012/04/27 11:04:52.217987, 5] auth/token_util.c:551(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name) lookup_name CBJ_NT+domain users failed
    [2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token) User CBJ_NT+kevin_miller not in 'valid users'
    [2012/04/27 11:04:52.219394, 2] smbd/service.c:598(create_connection_server_info) user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
    [2012/04/27 11:04:52.219420, 1] smbd/service.c:678(make_connection_snum) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
    [2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set) error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Here's the debugging output from the winbindd-idmap.old log:

    2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid) idmap_gid_to_sid: gid = [1004], domain = ''
    [2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob) Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
    [2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid) idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
    [2012/04/27 10:58:37.616331, 10] winbindd/idmap.c:475(idmap_find_domain) idmap_find_domain called for domain ''
    [2012/04/27 10:58:37.616352, 5] winbindd
Re: [Samba] winbind stop working
So what's happening is that the idmap cache is expiring but winbind is unable to create new entries until it's restarted? Here's my idmap cache values:

    idmap backend = tdb
    idmap alloc backend =
    idmap cache time = 604800
    idmap negative cache time = 120
    idmap uid = 1-7
    idmap gid = 1-7
    winbind separator = +
    winbind cache time = 300
    winbind reconnect delay = 30
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind expand groups = 1
    winbind nss info = template
    winbind refresh tickets = No
    winbind offline logon = No
    winbind normalize names = No

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
Sent: Friday, May 04, 2012 12:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] winbind stop working

I had a problem with Samba 3.0.x on Solaris 10 some time back. The samba servers were DC's for the domain- they were not in an ADS domain. However I did have domain trusts set up so winbind was required. Winbind would allocate uid's and gid's. There is a cache time value for either winbind or idmap (testparm -v will tell you.) When the cache time expired the cached info was - obviously - invalid BUT samba/winbind would not refresh the cache. Thus users from the trusted domain would lose access. The cache files are local TDB files- even tho (in case) the idmap and other account info was in ldap.

The cache issue was resolved when I upgraded to samba 3.4.x. However, it seems that winbind now can't even create new idmap entries. Since there is practically no personnel change in the trusted ADS domain this isn't really an issue- I can always add the idmap entries in ldap.

Check your cache values. Backup and delete the idmap cache TDB files. (Maybe the winbind cache files as well) Restarting winbind and typing getent passwd and getent group should repopulate.

TDBDump command is useful for looking at the contents of the file if you aren't sure what the file is for.
Re: [Samba] winbind stop working
) wbint_Gid2Sid: struct wbint_Gid2Sid out: struct wbint_Gid2Sid sid : * sid : S-0-0 result : NT_STATUS_NONE_MAPPED

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniele
Sent: Sunday, April 29, 2012 11:50 PM
To: samba@lists.samba.org
Subject: [Samba] winbind stop working

Hi, I am trying to use squid proxy with validation on win 2003 active directory to filter internet navigation and for it I installed an ubuntu 10.04 server 64 bit with samba. My installation looks ok, the server is joined to the AD, ntlm is able to validate user, wbinfo reports correct information and squid works good.

The problem arises after some hours: winbind becomes unable to resolve info for users and to retrieve info for groups, so squid becomes unable to know if a user belongs to a group allowed to navigate and refuses connection. Restarting winbind solves the problem for some hours. wbinfo reports no particular problem; it just gives back messages like could not get info for user xx and also setting debuglevel to various numbers reports (to me) no significant clues.

I made a workaround scheduling a restart of winbind service at every half hour and it works, but is not so elegant ... Do you have any suggestion to solve this problem?

Thank you
Daniele

samba/winbind version is 3.4.7
squid is 2.7.STABLE7
os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux

smb.conf:

[global]
    workgroup = CED
    realm = CED.AOS
    server string = Samba Server Version %v
    security = ADS
    password server = 172.18.10.24 172.18.10.23
    name resolve order = lmhosts host bcast
    ldap ssl = no
    idmap uid = 15000-25000
    idmap gid = 15000-25000
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    browseable = No
    browsable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
    browsable = No
Re: [Samba] winbind stop working
Correction. I was reading the Debian versioning numbers. We are on Samba/Winbind: 3.5.6 (Debian package: 2:3.5.6~dfsg-3squeeze6).

--
Kevin Elliott
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Kevin Elliott
Sent: Monday, April 30, 2012 9:51 AM
To: samba@lists.samba.org
Subject: Re: [Samba] winbind stop working

We're also seeing similar symptoms with our Squid proxy's winbindd as well. After an indeterminate amount of time (sometimes an hour, sometimes a day) the winbind process will lose the ability to resolve UID/GIDs to SIDS and authentication to the proxy will fail:

    [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid) string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.

If we try doing a winbind -p we get a successful return however trying to lookup a SID from UID/GID fails. We're on Debian 6.0.4 and Samba 2.3.5.6.

Has anyone else seen this issue? Any possible workarounds or patches?

Here's the debugging output for a particular user:

    [2012/04/27 11:04:52.217018, 3] smbd/process.c:1294(switch_message) switch message SMBtconX (pid 15651) conn 0x0
    [2012/04/27 11:04:52.217041, 3] smbd/sec_ctx.c:310(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.217062, 5] auth/token_util.c:525(debug_nt_user_token) NT user token: (NULL)
    [2012/04/27 11:04:52.217085, 5] auth/token_util.c:551(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2012/04/27 11:04:52.217132, 5] smbd/uid.c:369(change_to_root_user) change_to_root_user: now uid=(0,0) gid=(0,0)
    [2012/04/27 11:04:52.217169, 4] smbd/reply.c:786(reply_tcon_and_X) Client requested device type [?] for share [FTP]
    [2012/04/27 11:04:52.217209, 5] smbd/service.c:1227(make_connection) making a connection to 'normal' service ftp
    [2012/04/27 11:04:52.217243, 3] lib/util_sid.c:228(string_to_sid) string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
    [2012/04/27 11:04:52.217268, 5] smbd/password.c:423(user_in_netgroup) Unable to get default yp domain, let's try without specifying it
    [2012/04/27 11:04:52.217289, 5] smbd/password.c:430(user_in_netgroup) looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
    [2012/04/27 11:04:52.217316, 5] smbd/password.c:453(user_in_netgroup) looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
    [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name) lookup_name: CBJ_NT\domain users = CBJ_NT (domain), domain users (name)
    [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name) lookup_name: flags = 0x077
    [2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name) map_name_to_wellknown_sid: looking up domain users
    [2012/04/27 11:04:52.217890, 3] smbd/sec_ctx.c:210(push_sec_ctx) push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2012/04/27 11:04:52.217921, 3] smbd/uid.c:429(push_conn_ctx) push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.217945, 3] smbd/sec_ctx.c:310(set_sec_ctx) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2012/04/27 11:04:52.217966, 5] auth/token_util.c:525(debug_nt_user_token) NT user token: (NULL)
    [2012/04/27 11:04:52.217987, 5] auth/token_util.c:551(debug_unix_user_token) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups
    [2012/04/27 11:04:52.218079, 3] smbd/sec_ctx.c:418(pop_sec_ctx) pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2012/04/27 11:04:52.219317, 5] smbd/share_access.c:117(token_contains_name) lookup_name CBJ_NT+domain users failed
    [2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token) User CBJ_NT+kevin_miller not in 'valid users'
    [2012/04/27 11:04:52.219394, 2] smbd/service.c:598(create_connection_server_info) user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
    [2012/04/27 11:04:52.219420, 1] smbd/service.c:678(make_connection_snum) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
    [2012/04/27 11:04:52.219452, 3] smbd/error.c:80(error_packet_set) error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED

Here's the debugging output from the winbindd-idmap.old log:

    2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid) idmap_gid_to_sid: gid = [1004], domain = ''
    [2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob) Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
    [2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid) idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
    [2012/04/27 10:58:37.616331, 10] winbindd
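In the smbd log quoted above, the share denial reads "not in 'valid users'" even though the step that actually failed was resolving the group name. As an added example (not part of any post in this thread and not Samba project code), this parser separates the two cases in an smbd debug log; the first connection in the sample is taken from the excerpt above, the second (user `CBJ_NT+example_user`) is constructed, and the cause labels are this example's own.

```python
"""Classify smbd share denials by whether a name lookup failed first."""
import re
from typing import List, NamedTuple, Tuple

# Header of one smbd debug entry. smbd writes the message on the following
# indented line(s); the list archive flattened it onto the header line, so
# trailing text after the function name is accepted as well.
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+"
    r"(\S+?):(\d+)\((\w+)\)\s*(.*)$"
)
LOOKUP_FAILED = re.compile(r"lookup_name (.+) failed$")
DENIED = re.compile(
    r"user '([^']+)' \(from session setup\) "
    r"not permitted to access this share \(([^)]+)\)"
)


class Record(NamedTuple):
    timestamp: str
    level: int
    source: str
    func: str
    message: str


class Finding(NamedTuple):
    timestamp: str
    user: str
    share: str
    cause: str                   # "name-lookup-failed" or "not-in-valid-users"
    unresolved: Tuple[str, ...]  # names smbd could not resolve beforehand


def parse_records(text: str) -> List[Record]:
    """Split raw log text into records, joining continuation lines."""
    raw = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, source, _lineno, func, rest = m.groups()
            rest = rest.strip()
            current = [ts, int(level), source, func, [rest] if rest else []]
            raw.append(current)
        elif current is not None and line.strip():
            current[4].append(line.strip())
    return [Record(ts, lvl, src, fn, " ".join(parts))
            for ts, lvl, src, fn, parts in raw]


def classify_denials(records: List[Record]) -> List[Finding]:
    """Report each share denial and whether a failed lookup preceded it."""
    findings = []
    unresolved: List[str] = []
    for rec in records:
        if rec.func == "make_connection":
            unresolved = []  # a new tree connect starts a new evaluation
        elif rec.func == "token_contains_name":
            m = LOOKUP_FAILED.search(rec.message)
            if m:
                unresolved.append(m.group(1))
        elif rec.func == "create_connection_server_info":
            m = DENIED.search(rec.message)
            if m:
                cause = ("name-lookup-failed" if unresolved
                         else "not-in-valid-users")
                findings.append(Finding(rec.timestamp, m.group(1), m.group(2),
                                        cause, tuple(unresolved)))
                unresolved = []
    return findings


# First connection: entries from the log posted in this thread.
# Second connection: constructed for contrast, in the flattened layout.
SAMPLE_LOG = """\
[2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
  making a connection to 'normal' service ftp
[2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
  string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
[2012/04/27 11:04:52.219317,  5] smbd/share_access.c:117(token_contains_name)
  lookup_name CBJ_NT+domain users failed
[2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
  User CBJ_NT+kevin_miller not in 'valid users'
[2012/04/27 11:04:52.219394,  2] smbd/service.c:598(create_connection_server_info)
  user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
[2012/04/27 11:09:10.000100, 5] smbd/service.c:1227(make_connection) making a connection to 'normal' service ftp
[2012/04/27 11:09:10.000200, 10] smbd/share_access.c:216(user_ok_token) User CBJ_NT+example_user not in 'valid users'
[2012/04/27 11:09:10.000300, 2] smbd/service.c:598(create_connection_server_info) user 'CBJ_NT+example_user' (from session setup) not permitted to access this share (ftp)
"""

if __name__ == "__main__":
    for finding in classify_denials(parse_records(SAMPLE_LOG)):
        print(finding)
```

The `token_contains_name` entry is logged at level 5 and the denial itself at level 2, so the distinction is only visible with `log level` at 5 or higher.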
[Samba] passdb backend issue: setting other than 'smbpasswd' does not work
I'm currently running the samba3x packages on Centos 5.6. I recently switched to them from the SERnet Samba 3.3 packages to Centos Samba3x packages (smbd now reports Version 3.5.4-0.70.el5_6.1). At the same time, I switched to ldapsam as a backend.

Everything seemed to be working fine until I tried to change a user's password with smbpasswd (as root). smbpasswd did not report any errors, and pdbedit shows the last update for that password to match when I ran smbpasswd. However, the updated password does not work to log in with smbclient.

I then switched to tdbsam, assuming that I had screwed up part of the ldap setup. I saw the same issues. Switching to the smbpasswd backend has everything working, but I'd rather hoped to switch everything over to LDAP so I can integrate some of our other systems in one directory.

I can pull logs, but I'm not sure which logs and debugging levels are most useful—there were no error messages even with the loglevel set to 5 during the smbpasswd run, and the access rejection comes up as NT_STATUS_WRONG_PASSWORD. It *seems* like smbd is reading from smbpasswd regardless of the passdb backend setting and that the smbpasswd utility is updating the correct backend based on the smb.conf setting. I did run a service smbd reload each time I changed the config file.

Any suggestions?

Kevin T. Broderick
IT Communications Coordinator
KILLINGTON MOUNTAIN SCHOOL
E: kbroder...@killingtonmountainschool.org
P: 802-422-5671
F: 802-422-5678
[Samba] Account locking synchronization between Linux and Windows (my solution)
We are using a Samba domain controller with a Sun Directory Server 7 LDAP backend and we observed that when an account was locked out on Windows, it would not lock the account on Linux as well. We are using Samba 3.0.33 on CentOS 5.3 and this is the change I made:

To configure samba to perform proper windows lockout in conjunction with a linux lockout, we need to modify the samba source code to look for the pwdaccountlockedtime rather than sambaKickoffTime.

Download the source RPM for samba for the OS you're using. This example uses samba-3.0.33-3.7.el5.src.rpm from CentOS 5.3

    rpm -ivh samba-3.0.33-3.7.el5.src.rpm
    cd /usr/src/redhat/SOURCES
    tar -xzf samba-3.0.33.tar.gz
    cd samba-3.0.33/source/lib
    # edit smbldap.c: look for sambaKickoffTime and change to pwdaccountlockedtime (2 places)
    cd /usr/src/redhat/SOURCES
    rm samba-3.0.33.tar.gz
    tar -czf samba-3.0.33.tar.gz samba-3.0.33
    rm -rf samba-3.0.33
    # install any dependencies i.e. cups-devel or do a --nodeps to ignore
    rpmbuild -bb /usr/src/redhat/SPECS/samba.spec
    cd /usr/src/redhat/RPMS/x86_64
    rpm -Uvh --replacepkgs --force samba*.rpm

I'm not sure if this issue was addressed in later versions of Samba. I'm just posting this in case someone finds it helpful, or knows of a better/safer way to accomplish the same thing.

Thanks.
Kevin Taylor
Re: [Samba] Very slow write performance to RAID
These are XP clients.

Date: Mon, 25 Jul 2011 13:28:33 -0700
From: j...@samba.org
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org
Subject: Re: [Samba] Very slow write performance to RAID

On Mon, Jul 25, 2011 at 01:06:48PM -0400, Kevin Taylor wrote:

We have a RAID set up as our main fileserver (running samba 3.0.33 on linux, CentOS 5). The main disk area is an XFS partition of about 8TB. I'm using iostat to monitor disk I/O since we've gotten complaints about speed and I'm noticing that when I write something to the samba share, the write speed is horrible. For a 15GB file it is reporting to finish in about 20 minutes. iostat reports very little write I/O...on the level of maybe 7 write i/o's every 5 seconds or so. If I were to read .5GB of data off of the samba share, it transfers quickly (and I see 300 reads/s through iostat)...which would be about normal. Any idea of why I'm getting such lousy write speed?

Test using a modern (i.e. much later than 3.0.33) smbclient. This pipelines writes so you should see much greater throughput if it's the client that's at fault. What client are you using ?

Jeremy.
[Samba] Very slow write performance to RAID
We have a RAID set up as our main fileserver (running samba 3.0.33 on linux, CentOS 5). The main disk area is an XFS partition of about 8TB. I'm using iostat to monitor disk I/O since we've gotten complaints about speed and I'm noticing that when I write something to the samba share, the write speed is horrible. For a 15GB file it is reporting to finish in about 20 minutes. iostat reports very little write I/O...on the level of maybe 7 write i/o's every 5 seconds or so. If I were to read .5GB of data off of the samba share, it transfers quickly (and I see 300 reads/s through iostat)...which would be about normal.

Any idea of why I'm getting such lousy write speed? If I generate some data to write on the fileserver itself (not going through samba) I can get some decent numbers. With the command:

    dd if=/dev/zero of=/data/testfile bs=1024k count=1

I saw the 10GB write with a speed of 270MB/s, which is decent, so I'm not thinking there's anything wrong with the disk or raid controller.
Re: [Samba] Very slow write performance to RAID
This system is a hardware RAID 6 with I believe 256k strip size set up on it, but a default xfs filesystem on it (mounted with nobarrier, noatime, nodiratime). We do have write-caching enabled on the RAID controller.

From: cwe...@gmail.com
Date: Mon, 25 Jul 2011 12:45:02 -0500
To: samba@lists.samba.org
Subject: Re: [Samba] Very slow write performance to RAID

On Mon, Jul 25, 2011 at 12:06 PM, Kevin Taylor groucho.64...@hotmail.com wrote:

We have a RAID set up as our main fileserver (running samba 3.0.33 on linux, CentOS 5). The main disk area is an XFS partition of about 8TB. I'm using iostat to monitor disk I/O since we've gotten complaints about speed and I'm noticing that when I write something to the samba share, the write speed is horrible. For a 15GB file it is reporting to finish in about 20 minutes.

With the command:

    dd if=/dev/zero of=/data/testfile bs=1024k count=1

I saw the 10GB write with a speed of 270MB/s, which is decent, so I'm not thinking there's anything wrong with the disk or raid controller.

dd isn't really a great test since it's heavily uses caches, and it's about as sequential as you can get, where samba access is more likely to be highly random. iometer with dynamo can get you a more real workload type benchmark.

That said, to me this sounds like a block size and alignment plus write-back type of issue. Here's some background and examples with xfs+lvm+mdadm, the base concept apply to hardware raid too http://www.linux.sgi.com/archives/xfs/2007-06/msg00411.html . Even if you are getting acceptable perf local, you may be able to get better if you aren't doing these things, and anything remote will amplify any latency greatly.

Next toss in windows wanting to flush at 4k or 64k, which should pass on through to the disk, causing a 128K stripe to flush again with every 4K, and multiple 128K stripes if things aren't aligned just right. Then add in the read+modify+write+hash+write operation that raid5 does and you can start to see where performance can fail. Hardware raid with battery backed write cache can alleviate this since it won't wait for the disk spindles.

Possibly Samba can be tweaked to match your stripe size, I don't know how off-hand.
[Samba] Printing trouble with Windows XP clients; Windows 7 and Mac client work fine
I'm trying to switch our network from IP-based printing (directly to the printers) to using Samba printing via our existing server, both for Point-and-Print functionality and to be able to log print usage. I've followed the directions in the HOWTO and also the policy information in the WIKI (at http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba) to remove point-and-print restrictions. I've loaded the drivers on the server, apparently with success, via a Windows XP machine's Server Properties box (while logged in as a user with admin privileges on the domain). The drivers show up on the server and are automatically downloaded when I attempt to connect to a printer, whether on XP or Windows 7. (I may have tested a non-domain Vista machine, not sure, but definitely have tested several non-domain Windows 7 machines). Printing works fine from Windows 7 and Mac clients (although the latter are obviously not doing Point and Print). Printing does not work from XP clients, whether domain members or not. I have tried bumping the log level on a per-machine basis on one Windows 7 box and one Windows XP box, and the only difference that looks out of place is the Windows XP box apparently looking for shell32.dll on the server and not finding it. I can post the log files somewhere, but I'm not sure if there's something in particular (beyond an error condition) that I should be looking for—I've tried both log level 3 and log level 20, so I have a ton of information currently logging. I can see the printer drivers being found, printer settings being seen, etc. On the client, I've been trying the Print a test page button from the printer dialog box. The error I get is The test page failed to print. Would you like to view the print troubleshooter for assistance? Nothing useful (or even apparently related) appears in the System or Application logs on the client. Kevin T. 
Broderick IT Communications Coordinator KILLINGTON MOUNTAIN SCHOOL E: kbroder...@killingtonmountainschool.org P: 802-422-5671 F: 802-422-5678
Re: [Samba] another question about account locking
I'm not making much progress over here. I agree with the pam_deny item you list below. Putting the pam_deny line in the account settings will definitely prevent me from letting the windows users authenticate. But the issue remains where if the account is locked through the LDAP server, whatever samba is looking for when it queries is enough to satisfy the pam_ldap module's account info. Removing the pam_ldap line from the account section doesn't make a difference to the linux user logging in, but it won't let samba through...like you mention. We don't want to always fail the account, only when it's locked. Is there something in ldap.conf that can be remapped to read this correctly?

Date: Fri, 14 Jan 2011 03:56:29 +0900
Subject: Re: [Samba] another question about account locking
From: mo...@monyo.com
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org

2011/1/14 Kevin Taylor groucho.64...@hotmail.com:

I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway. On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection.

Sorry, auth section will not work with Samba, as described in smb.conf(5). I put pam_deny.so into account section. For example, /etc/pam.d/common-account on my lenny box:

    account required pam_unix.so
    account required pam_deny.so

This means always FAIL at account section. To check if an account is disabled is usually done at account section, I think.

--- TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] Yet another question about account locking
Let me try asking something different. The field 'sambaKickoffTime' in LDAP (if set to a correct time) will prevent a user from logging into a windows system. The time format for 'pwdaccountlockedtime' is acceptable for the sambaKickoffTime field as well. If I modify the samba source, source3/lib/smbldap.c and change the 'sambaKickoffTime' items to 'pwdaccountlockedtime' and rebuild, everything works the way I would like...so samba is now looking at the same field in the LDAP server that the linux side is. yay. However...does anyone know of a way to accomplish the same thing without a code recompile? Can /etc/ldap.conf nss_map_attributes work for the same thing? (I didn't get this to work, but I may not have done it right)...or is there an obscure setting in the schema that I can use to have samba look at the other attribute? Thanks.

Date: Fri, 14 Jan 2011 03:56:29 +0900
Subject: Re: [Samba] another question about account locking
From: mo...@monyo.com
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org

2011/1/14 Kevin Taylor groucho.64...@hotmail.com:

I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway. On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection.

Sorry, auth section will not work with Samba, as described in smb.conf(5). I put pam_deny.so into account section. For example, /etc/pam.d/common-account on my lenny box:

    account required pam_unix.so
    account required pam_deny.so

This means always FAIL at account section. To check if an account is disabled is usually done at account section, I think.

--- TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] another question about account locking
Is there a way that we can increment the samba bad password count, when a user fails a password on a linux system? I'm looking for ways to get both Windows and Linux to simultaneously lock out accounts if they fail so many times. We're using an LDAP backend.
Re: [Samba] another question about account locking
Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to turn on 'encrypt passwords=yes' which bypasses the pam checking.

Date: Fri, 14 Jan 2011 02:51:58 +0900
Subject: Re: [Samba] another question about account locking
From: mo...@monyo.com
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org

2011/1/13 Kevin Taylor groucho.64...@hotmail.com:

Is there a way that we can increment the samba bad password count, when a user fails a password on a linux system? I'm looking for ways to get both Windows and Linux to simultaneously lock out accounts if they fail so many times. We're using an LDAP backend.

How about obey pam restrictions = yes? obey pam restrictions = yes means Samba should obey PAM's restriction.

--- TAKAHASHI Motonobu mo...@samba.gr.jp
Re: [Samba] another question about account locking
I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway. On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection. I'll have to reconfigure a couple of things to double check on share accesses, but it's really the interactive logins I need to lock. Sorry if I'm being difficult about it. :)

Date: Fri, 14 Jan 2011 03:38:05 +0900
Subject: Re: [Samba] another question about account locking
From: mo...@monyo.com
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org

2011/1/14 Kevin Taylor groucho.64...@hotmail.com:

Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to turn on 'encrypt passwords=yes' which bypasses the pam checking.

Have you actually tried it? To set obey pam restrictions = yes, Samba obeys PAM's restriction. For example, try:

    [global]
    (encrypt passwords = yes) -- default value, so not to need to set explicitly
    obey pam restrictions = yes

    [homes]
    writeable = yes
    browseable = no

Usually, a user can access the homes share with valid password, but if you set pam_deny.so correctly in system-auth, common-account or such a file, then anyone can logon and you can see the error messages:

    [2011/01/14 03:24:00, 0] auth/pampass.c:smb_pam_accountcheck(792)
      smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!

--- TAKAHASHI Motonobu mo...@samba.gr.jp
[Samba] another question about account locking
Ok. I'm still not able to lock out the account, but now that I've got the pam restrictions line in the smb.conf, I'm seeing messages appear in /var/log/secure related to samba:account and samba:session. So, that means that the login session is doing SOMETHING with pam, but I'm not able to deny access at this point. If I'm not careful with the placement of pam_deny then I prevent everyone from logging on. I had that issue with my first test. What exactly is samba asking of the ldap server at this stage that would generate a failure that pam will recognize I wonder. If the account request is just asking if the account is there, and some basic samba ldap settings, then of course it will succeed. If the session is doing the same, then it will be ok.

Just as a guaranteed verification of what PAM will do. I put the pam_deny line first thing in the session clause. I could still log in, but got errors downloading the profile. I moved the pam_deny into the account section, and I was not able to log into the windows machine. This is good...but that was a forced deny for everyone for everything.

Date: Fri, 14 Jan 2011 03:56:29 +0900
Subject: Re: [Samba] another question about account locking
From: mo...@monyo.com
To: groucho.64...@hotmail.com
CC: samba@lists.samba.org

2011/1/14 Kevin Taylor groucho.64...@hotmail.com:

I did give it a try with no luck. However, I'm not sure that the way the pam rules I have set out would cause that to trip anyway. On most of our linux machines, we'd have the system-auth looking like this (what is the default generated by system-config-authentication)

    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid = 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the user will be denied. That's fine...but in practice, once the LDAP server locks out the account, samba still is able to read what it needs from the sambantpassword field, and thus approves the connection.

Sorry, auth section will not work with Samba, as described in smb.conf(5). I put pam_deny.so into account section. For example, /etc/pam.d/common-account on my lenny box:

    account required pam_unix.so
    account required pam_deny.so

This means always FAIL at account section. To check if an account is disabled is usually done at account section, I think.

--- TAKAHASHI Motonobu mo...@samba.gr.jp
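The control-flag behaviour this thread keeps running into, as an added Python example (not code from Samba, Linux-PAM or any poster): it evaluates only the account stack, which is the one both posters found to gate the Samba login, using the simple required/requisite/sufficient/optional keywords. The account lines that include pam_ldap.so and the per-module results passed in are constructed for the example; the auth lines are the ones quoted in the thread with module arguments omitted.

```python
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Modules whose verdict never depends on the user.
FIXED = {"pam_deny.so": FAIL, "pam_permit.so": SUCCESS}


def parse_stack(pam_text, group):
    """Return [(control, module), ...] for one management group of a pam.d file."""
    stack = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == group:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, results):
    """Apply the simple control keywords; results maps module name to its outcome."""
    required_failed = False   # a required module has failed: the stack cannot pass
    any_success = False       # a stack in which nothing succeeded is a denial
    for control, module in stack:
        outcome = FIXED[module] if module in FIXED else results[module]
        if outcome == IGNORE:
            continue
        if control == "requisite":
            if outcome == FAIL:
                return False              # fail immediately
            any_success = True
        elif control == "required":
            if outcome == FAIL:
                required_failed = True    # keep going, but the result is fixed
            else:
                any_success = True
        elif control == "sufficient":
            if outcome == SUCCESS and not required_failed:
                return True               # short-circuit: later lines never run
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if outcome == SUCCESS:
                any_success = True
        else:
            raise ValueError("unsupported control value: " + control)
    return any_success and not required_failed


def samba_account_check(pam_text, results):
    """The check behind 'PAM: Account Validation Failed' (auth lines are not used)."""
    return evaluate(parse_stack(pam_text, "account"), results)


# The common-account file quoted in the thread.
FORCED_DENY = """
account required pam_unix.so
account required pam_deny.so
"""

MIXED_STACK = """
# auth lines as quoted in the thread, module arguments omitted
auth required   pam_env.so
auth sufficient pam_unix.so
auth requisite  pam_succeed_if.so
auth sufficient pam_ldap.so
auth required   pam_deny.so
# account lines constructed for this example
account required pam_unix.so
account required pam_ldap.so
"""

if __name__ == "__main__":
    ok = {"pam_unix.so": SUCCESS, "pam_ldap.so": SUCCESS}
    locked = {"pam_unix.so": SUCCESS, "pam_ldap.so": FAIL}
    print("forced deny, any user:        ", samba_account_check(FORCED_DENY, ok))
    print("pam_ldap reports success:     ", samba_account_check(MIXED_STACK, ok))
    print("pam_ldap reports a lockout:   ", samba_account_check(MIXED_STACK, locked))
```

The trailing pam_deny.so in the auth group has no effect on the account result, so a lockout is only enforced for Samba when the account-group module itself reports a failure for the locked user.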
[Samba] Windows and Linux account locking with an LDAP backend
I thought I would ask here to see if anyone has had a similar situation and a solution. We've got a SunOne Directory Server set up to authenticate our users on Linux. To get shared authentication with Windows, we set up Samba (2.0.33 as ships with CentOS 5) and the smbldap-tools. What we need to do is get account locking to work across the board...such that if a user fails 5 times on a Windows machine, they will be locked out on the Linux systems as well...and vice versa.

Here's what I'm seeing: On windows, failing authentication updates the Bad Password Count in Samba, additionally it adds a pwdfailuretime to the LDAP server. This is good, and is what we would like to see.

Fail 2, similar
Fail 3, similar
Fail 4, similar

On Fail 5, what seems to be happening is that the LDAP server puts in its 5th pwdfailuretime item, thereby locking the account, and essentially preventing Windows/samba from updating the final sambabadpasswordcount number...so Windows is eternally stuck at 4 failures. Entering a bad password on the Windows side says There is a problem with the account, but entering the correct password lets the user right in. That's problem one. I can clarify any of this if needed.

The other thing we want to be able to do is that if a user fails 5 times on Linux that it will lock out the Windows accounts. Any idea how to do that? Thanks for any hints or conversations we can start about this. :)
Re: [Samba] Samba on top of Windows?
There are numerous issues with the original poster's request. For one, he doesn't want to deal with the complexities of a Windows domain or home group - but considers ripping out the heart of Windows networking and replacing it with Samba. That's akin to taking your brand new Hybrid car to the shop and telling the mechanic the hybrid engine is too complex and something I don't want to deal with. Can't you just replace the engine with one from a 2010 Volkswagen, configure it to run in 1965 VW Beetle mode, and then simply install a computer to tune it for the Mercedes? For another, Windows 98 !? I hate to say it, but without a lot of fiddling, you won't get it to talk to Windows 7. Windows 98 is five major releases and a complete architecture change away. Microsoft stopped supporting Windows 98 almost five years ago. In computer terms, this is stone age. Microsoft has made major upgrades to the networking protocols in the meantime. In fact, the old versions of the networking protocols supported by Windows 98 are so insecure that they are disabled by default on Windows. Heck, Windows 7 uses IPv6 as the default protocol. That wasn't even INVENTED when Windows 98 came out. You are lucky if the two machines can ping each other! The network neighborhood works differently. File sharing uses encryption and authentication protocols that weren't even dreamt up when Windows 98 came out. For that matter, you would probably even have problems getting spare parts for the old Windows 98 machine. Have you tried buying floppy disk drives lately? Or a replacement hard disk for that machine? You can probably get the two machines to talk somehow, but it will take some major research to even find out how to do it. My recommendation: retire the Windows 98 machine and donate it to a museum. If you keep the Windows 98 floppies and CDs and manage to get them into your Windows 7 machine, you can even install Windows 98 into a virtual machine. 
All that said: yes, it's possible to run Samba on top of Windows. Simply buy and install VMWare workstation. Install Linux into a virtual machine. Install Samba into that Linux machine. Then spend a couple weeks tracking down how to configure Samba to talk to both Windows 7 and Windows 98 at the same time. Done. -Original Message- From: samba-boun...@lists.samba.org [mailto:samba- boun...@lists.samba.org] On Behalf Of Damien Dye Sent: Friday, May 07, 2010 2:24 AM To: Public Mailing Lists Cc: samba@lists.samba.org Subject: Re: [Samba] Samba on top of Windows? you turned off simple file sharing on the windows 7 host and enabled windows file sharing on the windows firewall ? -- Damien Dye BSC(hon) On 5 May 2010 16:28, Public Mailing Lists li...@lists.cichon.com wrote: Hi all, I just bought a brand new PC for my living room (Asus eee Box) that happens to come with Windows 7. I can nicely plug in large USB hard drives, any my intention was to share these harddrives on the network, for example with my old Windows 98 PC on which I still run some favorite computer games. And of course, I would also like to access the large harddrive occasionally from my linux box (e.g. to put backups on them). However, I had to learn that Windows 7 does not want to share my harddrive with the other computer on the network that are not Windows 7. All tried all different kinds of things: I switched off the home group, I switched off various encryption/security settings in the control panel. I even changed some registry settings that I googled from the web. All without success. I spare you the technical details on this... I can't understand why it has to be so hard to just export a simple harddisk on the network. With every single version upgrade of Windows, it breaks. From Windows 95 to Windows 98. From Windows 98 to Windows XP. And now with Windows 7, again. IMHO, the purpose of networking is to COMMUNICATE with whichever protocol is out there. 
I don't want to deal with neither Windows domain controllers, nor home groups, nor roaming profiles, nor encryption requirements, nor anything that Windows will come up with in the next release that breaks everything else. I would like to just export a hard disk with a username and a password and use it with everything from Windows 3.1 to my Linux box without getting a headache. So, my question is: Is it possible to run Samba on top of Windows? Thanks for your help in advance. Cheers, G.
Re: [Samba] disconnecting user from only one share
That is conceptually not possible, because logged in means that the user is authenticated - and that is always server-wide or even domain-wide (unless you use per-share authentication). If you did kill his smbd subprocess, he could connect right back. What you could do is change the permission on that particular share, or better yet, on the underlying directory, to deny him access.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of raveenpl
Sent: Tuesday, May 04, 2010 2:18 PM
To: samba@lists.samba.org
Subject: [Samba] disconnecting user from only one share

Hello, I would like to know if somebody knows any way to disconnect/logout user only from one share. One of my users is using several samba shares. I would like to disconnect him only from one share. I noticed that killing PID of smbd subprocess causes disconnecting from all used shares - I can not afford it, because other shares are used by critical for my user applications. Any suggestions? Thanks a lot!
Re: [Samba] Long Delay on Fresh Windows 7 Clients
It may also be network discovery, and/or an IPv6 issue. Windows 7 tries to default to IPv6. There is no NETBIOS or WINS in IPv6, so DNS is pretty much mandatory (there also is Network Discovery, which is basically UPnP renamed). My guess is that in your case, Windows 7 first tries to resolve 192.168.0.13 to an IPv6 address using DNS. Then it probably tries to look for it with UPnP. Only when those two fail would it use IPv4. Disabling IPv6 is really a bad idea, but with Samba it may be your only option.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of smba...@gmx.com
Sent: Monday, May 03, 2010 3:52 PM
To: samba@lists.samba.org; michele.petra...@unipex.it
Subject: Re: [Samba] Long Delay on Fresh Windows 7 Clients

Thank you very much Michele. Because it's not trivial for me to introduce DNS for the local Samba server, I just tried accessing the share by typing its static IP address: \\192.168.0.13\sharename. I still get the same delay. Perhaps it's not DNS resolution that's causing that? Thanks, Daniel

mich...@unipex.it wrote:

smba...@gmx.com wrote:

When I type \\sambahost\sharename, a prompt for the username and password will eventually appear (and let me authenticate successfully) but it takes almost forever (i.e. 1-5 minutes) until that prompt dialog box appears.

Last week my customer called me for the same problem where I installed an old version of samba (like yours) without local dns. After some tests, a simple bind9 + master local zone and reversed one solved the problem. I don't know further technical details, but I presume that 7 _needs_ a reply from a dns. If it does not find a good one, before it goes to timeout and switches to wins resolution, it takes *a lot of time*
Re: [Samba] samba 4 for new authentication domain?
-Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Morty Sent: Tuesday, April 27, 2010 1:08 AM To: samba@lists.samba.org Subject: Re: [Samba] samba 4 for new authentication domain? On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote: You should clarify what mechanisms those web apps use for authentication. I don't know. :) The apps are black-box COTS apps which use AD for authentication. You can usually find out simply by reading the documentation on how to set up authentication. Just as David said, almost all of them would use LDAP. The only exception is anything that supports Single-Sign-On via Internet Exploder. In that case, it's probably Kerberos. I didn't pick them, and don't have much insight into them. More apps might come later, so even if I can research and answer this question based on the current profiles, requirements might change. What I want to do is spec hardware and any necessary software to support authentication for the apps. I'd prefer to use free/open source software if it will work as a drop-in replacement for AD. You won't find true drop-in replacements anywhere. Even Samba 3 isn't a drop-in replacement for file sharing or NT domains; certain things won't work. For instance, some accounting packages (Quickbooks or Peachtree) also require a database component on the server. I'm sure there will be similar issues with Samba 4 vs. Active Directory. Generally most web apps use LDAP/NTLM for authentication and LDAP for pulling user information. These two things you can achieve more reliably using Samba3 with an LDAP backend compared to Samba 4 (at this stage). I've played with samba3+openldap+kerberos+bind9 as a replacement for AD before. It was extremely complex to setup and maintain, so I don't want to do that in production. Agreed. Basically, that simplicity (and the tools to do it) is what you buy with the $$$ from Microsoft.
Or with the $$$ to a RedHat consultant to make it all work for you. samba4 seemed like it would be simpler and more compatible with AD. Ah, well. :( What I found works exceedingly well (although not flawlessly) is a Windows AD Domain Controller, and then Samba servers for file and print sharing.
Re: [Samba] samba 4 for new authentication domain?
Exactly WHY do you need AD instead of NT domains? Without understanding that, I don't think your question can be answered. In some cases, you can use a stand-alone Kerberos and/or LDAP server. Or conversely, some application you use may require a Microsoft AD server, sometimes even a specific version. Basically, your tradeoff is between cost and risk. Windows 2008 R2 is all but guaranteed to work no matter what AD issue you throw at it, but it can get expensive, especially if you have many users. On the other hand, Samba is free, but Samba 4 is pretty unproven at this point. -Original Message- From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Morty Sent: Monday, April 26, 2010 9:19 PM To: samba@lists.samba.org Subject: [Samba] samba 4 for new authentication domain? The various pages about samba 4 warn about rough edges, upgrade, file services, and print services. I have some domains that have never had a Windows domain that now need Windows AD authentication. I don't need file services and print services, and upgrade is not a problem. Is samba 4 ready for this use case, or should we still go with Microsoft's AD? Thanks! - Morty
[Samba] Allow Local System user on win2k3 access to Samba share
Greetings, I have a service running on a Windows Server 2003 box that I want to write to a Samba share running on Solaris 10. The Samba is not a DC. How can I give access to the Local System user on the Windows box without making the share writeable to any other user or system? Regards, KB
Re: [Samba] Allow Local System user on win2k3 access to Samba share
It's a MS SQL database service. Our standard is to have it run as Local System. KB

-Original Message-
From: Damien Dye [mailto:damien.j@googlemail.com]
Sent: Sunday, April 25, 2010 6:27 PM
To: Kevin A. Brown; samba@lists.samba.org
Subject: RE: [Samba] Allow Local System user on win2k3 access to Samba share

You could run the service on the windows 2k3 box under another username that's allowed to access samba. As long as the usernames and password match I don't see any issues.

-Original Message-
From: Kevin A. Brown kevin.br...@digicelgroup.com
Sent: 25 April 2010 10:58 PM
To: samba@lists.samba.org samba@lists.samba.org
Subject: [Samba] Allow Local System user on win2k3 access to Samba share

Greetings, I have a service running on a Windows Server 2003 box that I want to write to a Samba share running on Solaris 10. The Samba is not a DC. How can I give access to the Local System user on the Windows box without making the share writeable to any other user or system? Regards, KB
Re: [Samba] samba server file read size limit of 64MB for HDF files
Just to add a little info, we found that Windows XP has some sort of internal read buffer of around 67,076,095 bytes. There's a couple of references to a number like that on the internet. However, a windows 2008 server share seems to ignore, or account for that buffer and handles the reads properly, but a Samba share does not. Does anyone have any thoughts or ideas on a setting that might help? From: groucho.64...@hotmail.com To: samba@lists.samba.org Date: Wed, 7 Apr 2010 09:41:41 -0400 Subject: [Samba] samba server file read size limit of 64MB for HDF files Sorry if that's a vague subject, but this problem is a little weird and I'm just wondering if there are any suggestions out there. We've got a Samba server (3.0.23) running on a CentOS 5.3 server offering up a data share of 7TB on an XFS filesystem. The authentication all happens through a Samba PDC with an LDAP backend all on a different server. The system in question is just a domain member fileserver. On the data share are several HDF files that we try to read into a couple of different applications on XP. I'm using the Compaq Array Visualizer just to look at them. The files on the server are owned by root, and world read/writable. As a regular user on the XP client, if I look at one of the files that's ~30MB in size, I'm presented with all the numbers I expect to see. If I look at a file that's larger than 64MB (80MB for the specific ones I was testing, but we've found the problem after 64MB in size) I no longer see the numbers that I would expect...it's all zeroed out at the beginning. If I copy the 80MB HDF to my local XP workstation, it works fine, so it's not a corrupted file or anything. The weird part is that if I go onto the linux server and change the ownership of the file to my regular user account, it all works fine...I can read the 80MB file through samba and see all the numbers I should...but no other users can. 
If I change the ownership to someone else, they can then see it all, and I can't again. At one point all of these files were hosted from a Windows 2008 Server, and never experienced these problems, only after the move to the Samba server. The fact that anything smaller than 64MB works, starts to sound like a possible setting that I can change. Unfortunately I can't provide the HDF files I'm using, and if you want to see the smb.conf let me know and I can try to get that posted. If anyone has any insight or help to offer, it would be appreciated. Thanks. Kevin Taylor
[Samba] samba server file read size limit of 64MB for HDF files
Sorry if that's a vague subject, but this problem is a little weird and I'm just wondering if there are any suggestions out there. We've got a Samba server (3.0.23) running on a CentOS 5.3 server offering up a data share of 7TB on an XFS filesystem. The authentication all happens through a Samba PDC with an LDAP backend all on a different server. The system in question is just a domain member fileserver. On the data share are several HDF files that we try to read into a couple of different applications on XP. I'm using the Compaq Array Visualizer just to look at them. The files on the server are owned by root, and world read/writable. As a regular user on the XP client, if I look at one of the files that's ~30MB in size, I'm presented with all the numbers I expect to see. If I look at a file that's larger than 64MB (80MB for the specific ones I was testing, but we've found the problem after 64MB in size) I no longer see the numbers that I would expect...it's all zeroed out at the beginning. If I copy the 80MB HDF to my local XP workstation, it works fine, so it's not a corrupted file or anything. The weird part is that if I go onto the linux server and change the ownership of the file to my regular user account, it all works fine...I can read the 80MB file through samba and see all the numbers I should...but no other users can. If I change the ownership to someone else, they can then see it all, and I can't again. At one point all of these files were hosted from a Windows 2008 Server, and never experienced these problems, only after the move to the Samba server. The fact that anything smaller than 64MB works, starts to sound like a possible setting that I can change. Unfortunately I can't provide the HDF files I'm using, and if you want to see the smb.conf let me know and I can try to get that posted. If anyone has any insight or help to offer, it would be appreciated. Thanks. Kevin Taylor _ Hotmail is redefining busy with tools for the New Busy. 
Re: [Samba] Not another SAMBA through a firewall post
I think part of your problem is that both of your NICs are on the same subnet. That will usually cause headaches; it confuses the routing table. It is entirely possible that Samba responds from IP 10.0.0.246 even when the connection goes to .245 - and you don't have firewall rules for that. Note that the interfaces statement isn't necessarily going to help - you should actually shut down the second NIC (ifdown eth1) to have it completely removed from Linux.

Also, at least for testing, I would also simplify the setup - only use port 445, and only tcp. That way, you only have to debug one rule instead of eight. Use telnet to test if you can reach the Samba server from the outside world. Also, only use UDP or TCP, not both. 137 and 138 should be UDP; 139 and 445 should be TCP.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of randa...@bioinfo.wsu.edu
Sent: Friday, March 05, 2010 1:42 PM
To: samba@lists.samba.org
Subject: [Samba] Not another SAMBA through a firewall post

I suppose a few questions pop up on this list about accessing Samba through a firewall. I have been very successful running Samba through a firewall, until today. I hit a stumbling block.

I have a Linux Firewall with the public IP Address of 134.x.x.140 it is not the exact ip address, but close. I am using NAT and port forwarding to send traffic destined for 137, 138, 139, and 445 for BOTH TCP and IP to an internal host of 10.0.0.245. This internal host has two network interface cards, 10.0.0.245 and 10.0.0.246.

Here are my firewall rules:

$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140

When I have both network cards activated, I am unable to access SAMBA through the firewall. However, I can access them on the local LAN. I try to tell Samba to use eth0 and lo using:

interfaces = lo eth0
bind interfaces only = yes

Still does not work. I can use tcpdump -i eth0 and I can see packets going through the firewall:

13:36:10.904331 IP 134.x.x.19.34251 10.0.0.245.139: S 2273296206:2273296206(0) win 5840 mss 1460,sackOK,timestamp 4731872 0,nop,wscale 7

And also I can see the requests arriving on eth0 on the Samba server:

13:35:55.777985 IP 134.x.x.19.34251 10.0.0.245.139: Flags [S], seq 2273296206, win 5840, options [mss 1460,sackOK,TS val 4731872 ecr 0,nop,wscale 7], length 0

I am at a loss as to why this is happening. Anyone care to enlighten me?

Randall Svancara
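An added example, not part of either message in this thread: a short Python audit that checks the twelve rules quoted above against the port-to-transport mapping given in the reply (137 and 138 UDP, 139 and 445 TCP) and reports exact repeats. The function names and finding labels are assumptions made for this sketch; the rules are copied from the post with `$IPTABLES`, `$EXTIF` and the redacted 134.x.x.140 left as written.

```python
import shlex
from collections import Counter

# Transport each port needs, per the reply: 137/138 UDP, 139/445 TCP.
EXPECTED_PROTO = {137: "udp", 138: "udp", 139: "tcp", 445: "tcp"}

# Rules as posted (shell variables and the redacted address left untouched).
RULES = """
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
"""


def parse_rule(line):
    """Extract table, chain, protocol, destination port and target."""
    rule = {"table": "filter", "chain": None, "proto": None,
            "dport": None, "target": None}
    tokens = shlex.split(line)
    rule["raw"] = " ".join(tokens)      # whitespace-normalised form
    args = iter(tokens[1:])             # skip the command word
    for tok in args:
        if tok == "-t":
            rule["table"] = next(args)
        elif tok in ("-A", "-I"):
            rule["chain"] = next(args)
        elif tok == "-p":
            rule["proto"] = next(args).lower()
        elif tok == "--dport":
            value = next(args)
            rule["dport"] = int(value) if value.isdigit() else None
        elif tok == "-j":
            rule["target"] = next(args)
    return rule


def audit(rules_text):
    """Return (kind, detail) findings for mismatched or repeated rules."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    findings = []
    for r in rules:
        want = EXPECTED_PROTO.get(r["dport"])
        if r["target"] == "DNAT" and want and r["proto"] != want:
            findings.append(("wrong-transport", f"{r['proto']}/{r['dport']}"))
    for raw, count in Counter(r["raw"] for r in rules).items():
        if count > 1:
            findings.append(("duplicate", raw))
    return findings


def needed_forwards(rules_text):
    """DNAT rules whose protocol matches what the port actually uses."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.strip()]
    return sorted((r["dport"], r["proto"]) for r in rules
                  if r["target"] == "DNAT"
                  and EXPECTED_PROTO.get(r["dport"]) == r["proto"])


if __name__ == "__main__":
    for kind, detail in audit(RULES):
        print(f"{kind:16} {detail}")
    print("keep:", needed_forwards(RULES))
```

Every forward that stays is an SMB or NetBIOS port reachable from outside, so trimming the set to the four matching rules (or to 445/tcp alone, as the reply suggests for testing) also shrinks what has to be monitored.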
Re: [Samba] Unable to find Samba Server, Windows Network
It's probably an authentication or permission problem. Since you can see \\Server, name resolution is working, but the Samba server won't let your XP user have access to anything. To confirm that this is the problem, try turning on guest accounts with the setting (be careful with this setting; read man smb.conf for a pitfall warning!)

Map to guest = bad password

And then

guest ok = yes

in each of your shares. This will leave your Samba server wide open for everybody. If things now work, you know that the problem is related to Samba not recognizing the user.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Michael Johnston
Sent: Sunday, February 28, 2010 8:56 PM
To: samba
Subject: [Samba] Unable to find Samba Server, Windows Network

Hi, I am having some problems setting permissions to access a Samba share on my Windows XP box. So what follows is all the information I thought would be useful to helping me out.

Firstly, neither box has a firewall running. Both computers are able to ping each other's IPs. When on my XP box, I go to Map Network Drive I am able to find my Samba computer \\Server in my workgroup MSHOME. I am able to expand the \\Server to see \\Server\Shared. However when I click finish, it tells me The network path \\Server\Shared could not be found.

Here is the output of the command net view \\Server from my XP box:

[CODE]
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\net view \\server
Shared resources at \\server

server server (Samba, Ubuntu)

Share name Type Used as Comment
---
Shared Disk Linux Home Server
The command completed successfully.

C:\
[/CODE]

The line I find peculiar is server server (Samba, Ubuntu) - what is server server?

Now here is my smb.conf file:

[CODE]
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ;, the proposed setting
#   differs from the default Samba behaviour
# - When commented with #, the proposed setting is the default
#   behaviour of Samba but the option is considered important
#   enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# testparm to check that you have not made any basic syntactic
# errors.
# A well-established practice is to name the original file
# smb.conf.master and create the real config file with
# testparm -s smb.conf.master smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
# However, use this with caution if your smb.conf file contains nested
# include statements. See Debian bug #483187 for a case
# where using a master file is not a good idea.
#

#=== Global Settings ===

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = MSHOME

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
#
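An added example, not part of the thread: a Python check that reads an smb.conf and reports whether the two diagnostic settings named in the reply (`map to guest = bad password` together with `guest ok = yes`) are still in place, so they can be confirmed removed once testing is done. The sample file is constructed for illustration (only the workgroup and server string come from the post; the share paths and the `[private]` and `[Legacy]` shares are made up), and the function names and result keys are assumptions.

```python
import configparser

TRUE_VALUES = {"yes", "true", "1"}   # boolean spellings smb.conf documents

# Constructed sample; "public" is smb.conf's synonym for "guest ok".
SAMPLE_CONF = """
[global]
   workgroup = MSHOME
   server string = %h server (Samba, Ubuntu)
   Map to guest = bad password
;  interfaces = 127.0.0.0/8 eth0

[Shared]
   path = /srv/shared
   guest ok = yes

[private]
   path = /srv/private
   guest ok = no

[Legacy]
   path = /srv/legacy
   public = yes
"""


def _norm(name):
    # smb.conf ignores case and whitespace inside parameter names.
    return "".join(name.lower().split())


def load_smb_conf(text):
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.optionxform = _norm
    # Strip indentation so configparser does not read it as continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def guest_exposure(text):
    """Report the guest mapping mode and every share that admits guests."""
    cp = load_smb_conf(text)
    sections = {s.lower(): s for s in cp.sections()}
    glob = dict(cp.items(sections["global"])) if "global" in sections else {}
    mode = " ".join(glob.get("maptoguest", "never").lower().split())
    default = glob.get("guestok", glob.get("public", "no"))

    def guest_ok(opts):
        value = opts.get("guestok", opts.get("public", default))
        return value.strip().lower() in TRUE_VALUES

    shares = sorted(name for low, name in sections.items()
                    if low != "global" and guest_ok(dict(cp.items(name))))
    return {"map_to_guest": mode,
            "guest_shares": shares,
            "reply_test_settings_active": mode == "bad password" and bool(shares)}


if __name__ == "__main__":
    print(guest_exposure(SAMPLE_CONF))
```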
Re: [Samba] Unwanted case sensitivity
First of all, Windows actually is case sensitive, too (at least on NTFS, not on FAT). You can actually create C:\tmp\foo and C:\tmp\Foo at the same time, just not in Explorer (or through most standard Windows APIs).

Secondly, even with case sensitive = No, Samba is not truly case insensitive (neither is Windows). Samba is case PRESERVING. File names do have case, Samba simply prevents creating files that differ only in case. The case insensitivity is primarily implemented on the client side. And that's probably why you see the phenomenon: ls is built into bash (or whatever shell you are using). Sum isn't. Also, my guess is that sum /.SMB/aaabbb/fre?.txt will work as well - because the wildcard is expanded by your shell before handing it to sum.

What you could do to solve this on the Linux side:

sum $(ls /.SMB/AAAbbb/Fred.txt)

That takes advantage of bash's understanding of case insensitivity even for other programs that don't natively understand it.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Jim Ramsey
Sent: Wednesday, February 17, 2010 2:55 PM
To: samba@lists.samba.org
Subject: [Samba] Unwanted case sensitivity

I have also posted this on IRC. I have a linux host running stock RHEL 5.4 Samba 3.0.33-3.15. The host acts both as a Samba server and does a CIFS mount of that same share. The reason for doing this is so that programs running on the Linux host have the same case insensitive view as the Windows clients. I have nocase set in the relevant line in /etc/fstab. I have case sensitive = No set in the smb.conf. Still I get case sensitive responses though odd ones.

Example: The native Linux directory that is shared is named /srv/. There would be a directory /srv//AAAbbb which contains a file Fred.txt. The directory, /srv/, is shared as . The Linux host CIFS mounts it as //localhost/ on /.SMB. Generally, everyone accesses Fred.txt through /.SMB/AAAbbb. Nobody accesses it through /srv/.

Here's where things get strange:

ls -l /.SMB/AAAbbb/Fred.txt

and all variations works! but

sum /.SMB/AAAbbb/Fred.txt

only works if you get the case just right. Any ideas?

Regards, Jim Ramsey
Re: [Samba] SAMBA and Windows 2008 TSE licence Server
You are probably right. Remember that a Samba domain is based on a Windows NT technology, more than ten years old. Almost everything Microsoft now relies on Active Directory. Create an Active Directory domain with a Windows domain controller, and make your Samba Server a member. Samba works beautifully in an AD domain, just not as controller.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Mercier
Sent: Friday, February 12, 2010 6:41 AM
To: samba@lists.samba.org
Subject: [Samba] SAMBA and Windows 2008 TSE licence Server

Hi all! I can't use the TSE licence server in Windows 2008 server. This Server is member of my Samba Domain. My TSE licence server is activated and my licences added, but when I want to configure the TSE service and launch the Licence diagnostic the diagnostic failed. I think my problem is due to my Windows Server is not an Active Directory controller. What are the solutions: quit the domain? Activate AD on the server with another domain? I would like my licence diagnostic to work when my server joins my Samba Domain. Please do you have any idea? Thank you.
Re: [Samba] Samba + Quickbooks Idle Crash
Quite possibly, this is not actually a Samba problem. Quickbooks is pretty poorly written and goes very deep into the system; simple file sharing isn't enough to get it to work. In fact, the main reason Microsoft implemented UAC in Windows Vista was that Intuit had flat out refused to fix the Quickbooks problems for close to ten years, and continued insisting on administrator access. When Vista came out, Intuit finally was forced to fix that - but now instead you have to install a server component on the file server.

There is a Linux version of this Quickbooks server component (on Intuit's Web site), but in my experience, it does not work reliably, though - or at least, it didn't when I tried it a couple years ago. The main problem was that it sometimes kept the file locked; whenever a user's Quickbooks crashed, we had to reboot the server to clear up the mess. We ended up having to designate a Windows workstation as Quickbooks server.

If you try to access Quickbooks without that component installed, I am not surprised about any kind of problem; I'd only be surprised if it works at all.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of sa...@cwraig.id.au
Sent: Sunday, February 07, 2010 3:40 PM
To: samba@lists.samba.org
Subject: [Samba] Samba + Quickbooks Idle Crash

I have a samba server running on ubuntu 9.10 with windows (both Xp and vista) clients running quickbooks (accounting software). Quickbooks can connect to the samba server and get access to the data files with no problems, if the secretary uses quickbooks continuously there is never a problem the system works for hours on end. However if the secretary leaves the software running but doing nothing for a few mins (somewhere between 10 and 30mins) when she tries to perform the task quickbooks says it cannot find the server.

I have been running this kind of setup for a number of years on Debian etch and this bug has only showed up when I moved to ubuntu 9.10 this year. I am willing to do any kind of debugging to help resolve this issue.

Below is a copy of /var/log/samba/log.deb-sfs

start of log file##
[2010/01/04 07:43:21, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:21, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:21, 1] smbd/service.c:1047(make_connection_snum)
  deb-sfs (:::192.168.0.53) connect to service data initially as user nobody (uid=65534, gid=65534) (pid 3372)
[2010/01/04 07:43:21, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:21, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:22, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:22, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:22, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:22, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:23, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:24, 0] param/loadparm.c:8546(process_usershare_file)
  process_usershare_file: stat of /var/lib/samba/usershares/data failed. Permission denied
[2010/01/04 07:43:24, 0]
Re: [Samba] Dual booted clients with different name drop each other out of domain
The problem with dual-booting is that you end up with two DNS records pointing to the same IP address. Active Directory regularly tries to contact the clients one by one (it does that for any number of administrative purposes). If the machine is turned off and isn't responding at all - no problem. But if the machine is booted into Linux while AD tries to reach the Windows machine on the same IP, you get an error (I believe it is Kerberos Error 4).

Another issue is that one of the two DNS records wouldn't have a matching reverse DNS record (PTR record), since there can only be one PTR record per IP address. All this happens when dual-booting different Windows versions, as well. In my experience, though, it's not really deadly - in fact, the user usually doesn't even know this is happening. What, specifically, do you mean by drop each other out of the domain?

In my very small network, the easiest solution was to use a static IP for one of the two OS.

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Roman Muñoz
Sent: Sunday, January 31, 2010 5:41 AM
To: samba@lists.samba.org
Subject: Re: [Samba] Dual booted clients with different name drop each other out of domain

Thanks for your answers. Probably it would be not very difficult to change the MAC address. This has the advantage that could work even if IT staff doesn't want to do any change in their dhcpd configuration. On the other hand, it seems that reconfiguring dhcpd would be a nicer solution that could perhaps be accepted by IT staff. However the pointer given seems to be about linux dhcpd, not about windows dhcpd. After some googling I got the windows doc about vendor classes, but I wonder by just changing host's name is not enough. Could you guys give any pointer to dual boot problem between windows OSes? Thanks again, Roman

Rob Townley wrote:

changing the MAC is not recommended. Same problem with dual booted win2k/winxp/winvista machines as well. Not just a Linux issue. Do u have control / influence over dhcpd? if so, Linux clients and MSFT clients can be detected by their dhcp vendor id and then given a different hostname and ip address even though the MAC IS THE SAME. drbl.sf.net has a good example of using dhcp vendor id when assigning an ip configuration. look at /etc/dhcp/dhcpd.conf report back and let us know.

On 1/30/10, Roman Muñoz ta...@infonegocio.com wrote:

Hi, I'm setting some Ubuntu Karmic clients on a school net. PDC is windows 2k3 r2. I realized that DHCP server sends only school, not school.net as domain name. I have been told that AD configuration was migrated as is from an older windows release. I used a supersede line on client's dhcp.conf to get a correct domain name. I'm not authorized to do any configuration change on PDC but could see the event log, etc. Client machines are dual booted: XP client and Ubuntu client on the same machine get different unique names. Ubuntu clients are configured following the guides available on the Net, and are working quite well: domain users can logon and shares are mounted. But XP and Ubuntu keep dropping each other out of domain. Any ideas? TIA Roman
[Samba] Trouble with Samba on boot
When my server boots up, samba doesn't load itself at boot. I have to log in to Webmin and restart the Samba server, then everything works fine. Ubuntu Server edition 9.04 - 9.10 (it's upgrading right now) Thanks -Kevin