[Samba] Powerpoint 2007 not advancing slides

2013-10-14 Thread Kevin Hall

Hi Everyone

Samba 3.6.7 on OpenSuse 12.2 x86_64

I have an unusual problem for which I have not been able to find a 
solution on the Internet.


With Powerpoint 2003, there was no issue. With Powerpoint 2007, the user 
cannot advance slides unless the file is saved locally on the client 
(Windows XP SP3, ntfs filesystem).


When the file is loaded from the samba share, the user can edit and save 
their powerpoint. They simply cannot run a slideshow. Regardless of the 
slideshow settings, you cannot advance to the next slide.


Any assistance would be appreciated.

Kevin Hall
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] name mangling makes 8.3 unreadable unlike Windows fileserver

2013-10-03 Thread Kevin Field

Hi,

I'm cross-posting here from serverfault.com in case anyone can help.  I 
just found a similar question on askubuntu.com also without an answer.


Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our fileshare 
for WinXP clients.


Have an ancient (1995!) piece of software that uses 8.3 filename format. 
After the switch, long filenames became useless in the context of the 
File-Open dialog box. Instead of the first few characters, we get maybe 
1 character the same if we're lucky, which in a directory of thousands 
makes it impossible to find. For example, instead of S:\Air 
conditioning control system becoming S:\AIRCON~1 like it would 
before, it's displayed in this program as S:\A51FHG~S.


In our directory of client identifiers with their contact names 
appended, formerly directory mangling would leave enough characters 
intact that client identifiers could still be used. Not anymore.


None of the settings in the docs seem to talk about this exact problem. 
In fact, they seem to show it the way we were used to. Our smb.conf 
doesn't use any of the settings because the defaults seem to be what we 
want, according to the docs. Any hints?


(If you want to answer on serverfault feel free: 
http://serverfault.com/questions/543320/samba-name-mangling-too-mangled-to-be-practical 
)


Thanks for any help,
Kev


Re: [Samba] name mangling makes 8.3 unreadable unlike Windows fileserver

2013-10-03 Thread Kevin Field



On 2013-10-03 2:38 PM, Jeremy Allison wrote:

On Thu, Oct 03, 2013 at 10:17:18AM -0400, Kevin Field wrote:

Hi,

I'm cross-posting here from serverfault.com in case anyone can help.
I just found a similar question on askubuntu.com also without an
answer.

Switched recently from W2K3 to Samba4.0.9/CentOS6.4 for our
fileshare for WinXP clients.

Have an ancient (1995!) piece of software that uses 8.3 filename
format. After the switch, long filenames became useless in the
context of the File-Open dialog box. Instead of the first few
characters, we get maybe 1 character the same if we're lucky, which
in a directory of thousands makes it impossible to find. For
example, instead of S:\Air conditioning control system becoming
S:\AIRCON~1 like it would before, it's displayed in this program
as S:\A51FHG~S.

In our directory of client identifiers with their contact names
appended, formerly directory mangling would leave enough characters
intact that client identifiers could still be used. Not anymore.

None of the settings in the docs seem to talk about this exact
problem. In fact, they seem to show it the way we were used to. Our
smb.conf doesn't use any of the settings because the defaults seem
to be what we want, according to the docs. Any hints?


This is the mangling method that changed to hash2 (gives
better protection against duplicates).

Use the smb.conf parameter mangling method = hash
to change it back to the way it used to be.

Jeremy.



Thanks Jeremy!  I'm not sure how I missed that in the docs.  Anyway, it 
is much, much better than before, but still not exactly like Windows. 
For example, we have two folders beginning with C-FZP.  Instead of 
C-FZPD~1 and C-FZPP~1, which in our context is exactly enough to tell 
which one we want, it's a bit (or in this case...a byte) more aggressive 
in hashing and makes it C-FZP~59 and C-FZP~A5, so that we can no longer 
tell and have to guess.


Oh but wait, now I see:

The minimum value is 1 and the maximum value is 6.

mangle prefix is effective only when mangling method is hash2.

This does exactly what we want!  And now I also see how I think I missed 
it: this parameter isn't in the NAME MANGLING section.


Thanks!
Kev


[Samba] magic user mapping

2013-09-27 Thread Kevin Field

Hi,

Samba 4.0.9 on CentOS 6.4 serving Windows XP clients here.  I still 
haven't sat down and figured out Windows-RID-to-unix-ID maps yet. 
However, I noticed that I can put a person's lowercased name in a 'valid 
users' list for a share and it works, even though they don't have a unix 
account.  But doing this for lowercased custom group names (we have a 
'MYDOM\Supervisors' group, so I tried @supervisors or supervisors) 
didn't seem to have any effect.  Why is that?


I also tried to figure out the unix ID that that group maps to by taking 
a test file in Windows and going to the Advanced part of security and 
changing the owner to MYDOM\Supervisors.  In ls -l on CentOS it shows up 
as 314.  So I tried 314 with or without @ in front of it in 
'valid users' for a share, but to no effect.  That I understand even 
less.  :)


Thanks for any illumination here,
Kev


[Samba] vfs_recycle folder limit management

2013-09-26 Thread Kevin Field

Hi all,

Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and 
fileshare for XP clients.


Added recycler per the example at 
https://wiki.samba.org/index.php/Frequently_Asked_Questions to my 
smb.conf.  Works great.


My concern is that the recycle dir will eventually grow large. 
vfs_recycle's docs mention a parameter for limiting individual file 
sizes, but what's a best practice to prevent the whole recycle folder 
from growing too large?  Cronjob to delete old files when the total is 
past a certain size?  Anyone have a script handy?  (I'm hoping I'm not 
the only one with this problem :)  Seems like it would be a common 
concern...)


Thanks,
Kev


Re: [Samba] vfs_recycle folder limit management

2013-09-26 Thread Kevin Field



On 2013-09-26 10:20 AM, Taylor, Jonn wrote:

On 09/26/2013 08:47 AM, Kevin Field wrote:

Hi all,

Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and
fileshare for XP clients.

Added recycler per the example at
https://wiki.samba.org/index.php/Frequently_Asked_Questions to my
smb.conf.  Works great.

My concern is that the recycle dir will eventually grow large.
vfs_recycle's docs mention a parameter for limiting individual file
sizes, but what's a best practice to prevent the whole recycle folder
from growing too large?  Cronjob to delete old files when the total is
past a certain size?  Anyone have a script handy?  (I'm hoping I'm not
the only one with this problem :) Seems like it would be a common
concern...)

Thanks,
Kev

I use a script to cleanup the deleted files and run it daily with cron.

cat /usr/bin/cleanupold

#!/bin/bash
find /var/share/.recycle/* -mtime +30 -exec rm {} \;

In /var/spool/cron/root

@daily /usr/bin/cleanupold > /dev/null 2>&1 #Cleanup old audio files


Jonn


Thanks John, but I meant more so is there a way to have it look at the 
total size of the recycle dir too?  I.e. only delete stale files when it 
needs to to stay within a limit, and also even delete not-so-stale files 
if it needs to because there have been too many GB deleted lately to 
keep 30 days worth (or whatever) around?


Thanks again,
Kev


Re: [Samba] vfs_recycle folder limit management

2013-09-26 Thread Kevin Field

On 2013-09-26 10:37 AM, Taylor, Jonn wrote:

On 09/26/2013 09:24 AM, Kevin Field wrote:



On 2013-09-26 10:20 AM, Taylor, Jonn wrote:

On 09/26/2013 08:47 AM, Kevin Field wrote:

Hi all,

Running SerNet Samba 4.0.9 on CentOS 6.4 serving as an AD DC and
fileshare for XP clients.

Added recycler per the example at
https://wiki.samba.org/index.php/Frequently_Asked_Questions to my
smb.conf.  Works great.

My concern is that the recycle dir will eventually grow large.
vfs_recycle's docs mention a parameter for limiting individual file
sizes, but what's a best practice to prevent the whole recycle folder
from growing too large?  Cronjob to delete old files when the total is
past a certain size?  Anyone have a script handy?  (I'm hoping I'm not
the only one with this problem :) Seems like it would be a common
concern...)

Thanks,
Kev

I use a script to cleanup the deleted files and run it daily with cron.

cat /usr/bin/cleanupold

#!/bin/bash
find /var/share/.recycle/* -mtime +30 -exec rm {} \;

In /var/spool/cron/root

@daily /usr/bin/cleanupold > /dev/null 2>&1 #Cleanup old audio files


Jonn


Thanks John, but I meant more so is there a way to have it look at the
total size of the recycle dir too?  I.e. only delete stale files when
it needs to to stay within a limit, and also even delete not-so-stale
files if it needs to because there have been too many GB deleted
lately to keep 30 days worth (or whatever) around?

Thanks again,
Kev

This will find files larger than 50MB.

find /var/share/.recycle/* -type f -size +50M -exec rm {} \;

Look at the man pages for find to get more options.

Jonn


Hmm...that's a bit closer, but not exactly.  Maybe I described it better 
on stackexchange...let me copy:

[quote]
I found tmpwatch, but it's only time-based. What I'd like the system to
do is keep files as long as it reasonably can, i.e., without too much
space being taken up. The flip side is that I also don't want it keeping
files too long if it means running out of space. Thus I'm looking for
something with roughly this thinking:

1. if bin_size < limit then quit
2. delete oldest file in bin
3. goto 1.

Of course there may be a more efficient algorithm, and it could be
tweaked to prefer deleting bigger files unless they're past a certain
age so that a big delete doesn't unnecessarily result in the pruning of
a bunch of older-but-not-too-old small files.
[/quote]

Maybe I'm getting too complicated?

Thanks,
Kev
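
The size-capped pruning loop sketched in the message above (check the bin size, delete the oldest file, repeat), written out as a shell function. This is an added example, not code from the thread or from Samba; `prune_recycle` and its arguments are hypothetical names, and GNU find is assumed.

```bash
#!/bin/bash
# Added example: keep a vfs_recycle directory under a size cap by deleting
# the oldest files first. prune_recycle and its arguments are hypothetical
# names; GNU find (-printf) is assumed.
#
# Usage: prune_recycle DIR LIMIT_BYTES   (prints the number of files removed)

prune_recycle() {
    dir=$1
    limit=$2
    nl='
'
    # Validate before deleting anything: numeric limit, real directory, not /.
    case $limit in
        ''|*[!0-9]*) echo "limit must be a whole number of bytes" >&2; return 2 ;;
    esac
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a directory (or is a symlink): $dir" >&2
        return 2
    fi
    dir=$(cd "$dir" && pwd -P) || return 2
    if [ "$dir" = "/" ]; then
        echo "refusing to prune /" >&2
        return 2
    fi

    # Step 1 input: combined apparent size of all regular files, in bytes.
    total=$(find "$dir" -xdev -type f -printf '%s\n' |
            awk '{ s += $1 } END { printf "%.0f", s }')

    # List "mtime size path" oldest first. -type f never follows symlinks,
    # -xdev stays on one filesystem, and paths containing a newline are
    # skipped because they cannot be parsed safely line by line.
    find "$dir" -xdev -type f ! -path "*${nl}*" -printf '%T@ %s %p\n' |
    LC_ALL=C sort -n |
    {
        removed=0
        # Steps 1-3 of the loop: stop as soon as the bin fits the limit,
        # otherwise delete the oldest remaining file and re-check.
        while [ "$total" -gt "$limit" ] && IFS= read -r line; do
            rest=${line#* }          # drop the mtime field
            size=${rest%% *}
            path=${rest#* }          # keeps spaces inside the file name
            if rm -- "$path" </dev/null 2>/dev/null; then
                total=$((total - size))
                removed=$((removed + 1))
            fi
        done
        cat >/dev/null               # drain the rest so sort exits quietly
        echo "$removed"
    }
}

# Run directly as: script DIR LIMIT_BYTES
if [ "$#" -eq 2 ]; then
    prune_recycle "$1" "$2"
fi
```

Ordering by mtime reflects deletion time only if the share sets `recycle:touch_mtime = yes`; otherwise a file keeps its last-modified time when vfs_recycle moves it. Running the job as the account that owns the recycle directory rather than root limits what a path swapped between the listing and the `rm` can reach.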


Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings

2013-09-26 Thread Kevin Field



On 2013-09-25 8:03 PM, Kevin Field wrote:



On 2013-09-25 2:47 PM, Johan Hendriks wrote:

Kevin Field wrote:

Hi,

I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these
global settings (not overridden):

read only = No
force create mode = 0777
force directory mode = 0777
inherit acls = yes
inherit owner = yes
inherit permissions = yes

On a Windows client, I have Thunderbird 24.0 storing its profile and
mail on the Samba share.  The perms on everything in the share were
chmod -R 777'd.

Then I get mail, compact a folder, whatever, and it looks like this:


...

-rwxrwxrwx. 1 1128 513 2684 Sep 25 13:20 Templates.msf
-rwxrwx---+ 1 1128 513    0 Sep 25 13:50 Trash
-rwxrwx---+ 1 1128 513 2223 Sep 25 13:50 Trash.msf

Whatever it touches is now 770.  How can that be, when the parent of
this folder is 777, Samba is set to inherit and force 0777?  Is this
Samba misbehaving, or Thunderbird?

Thanks,
Kev

It looks like you have ACLs active, hence the + after the
permissions rwxrwx---+ .
These ACLs overrule the local permissions set by samba.

Neither samba nor thunderbird is misbehaving.

regards
Johan Hendriks


I only partially understand.  I get that + means some extended ACLs.  I
don't get why Samba/Thunderbird makes the file 770 instead of 777.  What
I really don't get, though, is--since you mentioned ACLs I went and
checked some example files in Windows--that despite the 777 files having
Everyone with no settings, the 770 files have Everyone with Full
Control, not inherited!  I certainly didn't intend that for a user's
mail profile :)  (Really though, I didn't set things up that way from
the Windows side--this is someone's home drive, in which they have full
control, and I didn't touch the defaults, but I certainly didn't put
Everyone in there, and certainly not with Full Control.)

Where did this come from?

possibility a) smb.conf, in which case I don't understand the settings I
posted here
possibility b) ACLs set by me, which I can't see being the case because
our setup is so simple*
possibility c) ?

* Now just in case, and barring any Group Policy suggestions, what's the
easiest way to, either from Windows or Linux, set it up so that admins
have Full Control over every file, and home drives additionally have
Full Control of the user having the same name as the home dir, and the
'shared' drive has Everyone having Full Control?  So far, because our
network is so small, I had done this manually in the past, but it's a
bit of a PITA to do again at this point, since each user's home dir
takes a few minutes to propagate ACL changes through if I use Windows
GUI tools and meanwhile semi-hangs the UI.  I don't really care how the
perms look on the Linux end of things, since users only have access via
Windows clients.

From what you said about ACLs overruling, to me it would seem that our
setup is simple enough that we shouldn't need +/Windows ACLs at all,
because the normal unix ACLs are more than enough for our purposes,
except that currently, Windows users don't get properly mapped, mainly
because their Linux equivalents don't necessarily exist (e.g. for most
users they don't have a CentOS login, but I do and the users group and
such could map from Domain Users, I guess.)  Or even if Linux perms
were the same everywhere, and smb.conf enforced the rules so they came
out right on the Windows side.  If someone could lay this out for me,
I'd really find it helpful--I've been trying to make sense of the docs
and tutorials and mailing lists and Q&A sites, and for what I would
think is a fairly common setup, I can't seem to get something working
without glitches for us.

It's just that, somehow, since we recently switched home drives from
W2K3 to Samba serving them up, this has suddenly started happening, and
is somehow causing strange side effects like Thunderbird much more often
deciding to rebuild summary files of mailboxes, and mail not coming in
right away (perhaps due to an un-indicated summary rebuild conflicting
with a too-often mail check), and, well, these strange permissions that
we never had before appearing on most files that Thunderbird modifies.

More help/hints/examples would be much appreciated :)

Thanks Johan,
Kev


As one of my users reports:

I updated to 24.0.
I went offline, then hit Compact Folders in the File menu.  (It 
appeared to compact all my folders.)

Then I rebooted my computer.

Now it is the afternoon, and 2 or 3 of my folders are Building Summary 
again !


---


This behaviour has only happened since switching from W2K3 to Samba for 
our home drives where Thunderbird profiles live.


What have I done wrong here?

Kev


[Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings

2013-09-25 Thread Kevin Field

Hi,

I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these 
global settings (not overridden):


read only = No
force create mode = 0777
force directory mode = 0777
inherit acls = yes
inherit owner = yes
inherit permissions = yes

On a Windows client, I have Thunderbird 24.0 storing its profile and 
mail on the Samba share.  The perms on everything in the share were 
chmod -R 777'd.


Then I get mail, compact a folder, whatever, and it looks like this:

-rwxrwxrwx. 1 1128 513        0 Oct 18  2012 Archives
-rwxrwxrwx. 1 1128 513     3158 Sep 25 13:20 Archives.msf
drwxrwxrwx. 2 1128 513     4096 Sep 25 09:12 Archives.sbd
-rwxrwx---+ 1 1128 513        0 Sep 25 13:49 Drafts
-rwxrwx---+ 1 1128 513     2450 Sep 25 13:50 Drafts.msf
-rwxrwx---+ 1 1128 513        0 Sep 25 13:08 Inbox
-rwxrwx---+ 1 1128 513     2317 Sep 25 13:50 Inbox.msf
drwxrwxrwx. 3 1128 513     4096 May 28 09:26 Inbox.sbd
-rwxrwxrwx. 1 1128 513     1268 Apr 12  2007 Junk.msf
-rwxrwxrwx. 1 1128 513       28 Oct  2  2012 msgFilterRules.dat
-rwxrwxrwx  1 1128 513    13736 Sep 25 13:50 popstate.dat
-rwxrwxrwx  1 1128 513 96061164 Sep 25 13:21 Sent
-rwxrwx---+ 1 1128 513  2988277 Sep 25 13:21 Sent.msf
-rwxrwxrwx. 1 1128 513        0 Mar 25  2010 Templates
-rwxrwxrwx. 1 1128 513     2684 Sep 25 13:20 Templates.msf
-rwxrwx---+ 1 1128 513        0 Sep 25 13:50 Trash
-rwxrwx---+ 1 1128 513     2223 Sep 25 13:50 Trash.msf

Whatever it touches is now 770.  How can that be, when the parent of 
this folder is 777, Samba is set to inherit and force 0777?  Is this 
Samba misbehaving, or Thunderbird?


Thanks,
Kev


Re: [Samba] Thunderbird 24.0 for Windows seems to ignore Samba4.0.9 permissions settings

2013-09-25 Thread Kevin Field



On 2013-09-25 2:47 PM, Johan Hendriks wrote:

Kevin Field wrote:

Hi,

I have a CentOS 6.4 fileserver running SerNet Samba 4.0.9 with these
global settings (not overridden):

read only = No
force create mode = 0777
force directory mode = 0777
inherit acls = yes
inherit owner = yes
inherit permissions = yes

On a Windows client, I have Thunderbird 24.0 storing its profile and
mail on the Samba share.  The perms on everything in the share were
chmod -R 777'd.

Then I get mail, compact a folder, whatever, and it looks like this:


...

-rwxrwxrwx. 1 1128 513 2684 Sep 25 13:20 Templates.msf
-rwxrwx---+ 1 1128 513    0 Sep 25 13:50 Trash
-rwxrwx---+ 1 1128 513 2223 Sep 25 13:50 Trash.msf

Whatever it touches is now 770.  How can that be, when the parent of
this folder is 777, Samba is set to inherit and force 0777?  Is this
Samba misbehaving, or Thunderbird?

Thanks,
Kev

It looks like you have ACLs active, hence the + after the
permissions rwxrwx---+ .
These ACLs overrule the local permissions set by samba.

Neither samba nor thunderbird is misbehaving.

regards
Johan Hendriks


I only partially understand.  I get that + means some extended ACLs.  I 
don't get why Samba/Thunderbird makes the file 770 instead of 777.  What 
I really don't get, though, is--since you mentioned ACLs I went and 
checked some example files in Windows--that despite the 777 files having 
Everyone with no settings, the 770 files have Everyone with Full 
Control, not inherited!  I certainly didn't intend that for a user's 
mail profile :)  (Really though, I didn't set things up that way from 
the Windows side--this is someone's home drive, in which they have full 
control, and I didn't touch the defaults, but I certainly didn't put 
Everyone in there, and certainly not with Full Control.)


Where did this come from?

possibility a) smb.conf, in which case I don't understand the settings I 
posted here
possibility b) ACLs set by me, which I can't see being the case because 
our setup is so simple*

possibility c) ?

* Now just in case, and barring any Group Policy suggestions, what's the 
easiest way to, either from Windows or Linux, set it up so that admins 
have Full Control over every file, and home drives additionally have 
Full Control of the user having the same name as the home dir, and the 
'shared' drive has Everyone having Full Control?  So far, because our 
network is so small, I had done this manually in the past, but it's a 
bit of a PITA to do again at this point, since each user's home dir 
takes a few minutes to propagate ACL changes through if I use Windows 
GUI tools and meanwhile semi-hangs the UI.  I don't really care how the 
perms look on the Linux end of things, since users only have access via 
Windows clients.


From what you said about ACLs overruling, to me it would seem that our 
setup is simple enough that we shouldn't need +/Windows ACLs at all, 
because the normal unix ACLs are more than enough for our purposes, 
except that currently, Windows users don't get properly mapped, mainly 
because their Linux equivalents don't necessarily exist (e.g. for most 
users they don't have a CentOS login, but I do and the users group and 
such could map from Domain Users, I guess.)  Or even if Linux perms 
were the same everywhere, and smb.conf enforced the rules so they came 
out right on the Windows side.  If someone could lay this out for me, 
I'd really find it helpful--I've been trying to make sense of the docs 
and tutorials and mailing lists and Q&A sites, and for what I would 
think is a fairly common setup, I can't seem to get something working 
without glitches for us.


It's just that, somehow, since we recently switched home drives from 
W2K3 to Samba serving them up, this has suddenly started happening, and 
is somehow causing strange side effects like Thunderbird much more often 
deciding to rebuild summary files of mailboxes, and mail not coming in 
right away (perhaps due to an un-indicated summary rebuild conflicting 
with a too-often mail check), and, well, these strange permissions that 
we never had before appearing on most files that Thunderbird modifies.


More help/hints/examples would be much appreciated :)

Thanks Johan,
Kev


[Samba] gpresult returns ERROR: The RPC server is unavailable.

2013-09-21 Thread Kevin Field

Hi,

I have a CentOS 6.4 box running SerNet Samba 4.0.9 as an AD DC 
replicating from a W2k3 box.


If I run gpresult /s OLDDC /user MYDOM\Me on a command prompt on 
OLDDC, I get a normal output, listing which GPOs are applied.


If I run gpresult /s NEWDC /user MYDOM\Me in the same place, I get 
ERROR: The RPC server is unavailable.  This is after a fresh restart 
of Samba.


log.samba says (starting at last restart):

  samba: using 'standard' process model
[2013/09/21 20:01:30.191185,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.191208,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.191223,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.191223,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30885 on SIGTERM
  Exiting pid 30882 on SIGTERM
[2013/09/21 20:01:30.191221,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.191225,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30877 on SIGTERM
  Exiting pid 30876 on SIGTERM
  Exiting pid 30879 on SIGTERM
  Exiting pid 30880 on SIGTERM
[2013/09/21 20:01:30.191674,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30878 on SIGTERM
[2013/09/21 20:01:30.194399,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30881 on SIGTERM
[2013/09/21 20:01:30.201604,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.201604,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.201685,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.201685,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30871 on SIGTERM
  Exiting pid 30874 on SIGTERM
[2013/09/21 20:01:30.201713,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30873 on SIGTERM
  Exiting pid 30872 on SIGTERM
  Exiting pid 30875 on SIGTERM
[2013/09/21 20:01:30.213640,  0] ../source4/smbd/server.c:116(sig_term)
  SIGTERM: killing children
[2013/09/21 20:01:30.214204,  0] ../source4/smbd/server.c:121(sig_term)
[2013/09/21 20:01:30.213612,  0] ../source4/smbd/server.c:121(sig_term)
  Exiting pid 30867 on SIGTERM
  Exiting pid 30870 on SIGTERM
[2013/09/21 20:01:30.343028,  0] 
../source4/smbd/server.c:370(binary_smbd_main)

  samba version 4.0.9-SerNet-RedHat-4.el6 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/09/21 20:01:30.607037,  0] 
../source4/smbd/server.c:482(binary_smbd_main)

  samba: using 'standard' process model


...and log.smbd doesn't have anything from recent days.  smb.conf has 
this for its global section:


[global]
workgroup = MYDOM
realm = mydom.lan
netbios name = NEWDC
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, smb, dns

allow dns updates = true
dns forwarder = 192.168.0.1
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver, winreg, srvsvc



My question is, if I down OLDDC, will NEWDC be able to successfully 
serve Group Policy to our WinXPSP3 clients, or does this error indicate 
otherwise?


If it won't work, what can I do to fix it?  I see a couple recent-ish 
threads about this but no answer to the one, and the other I've already 
seemed to incorporate the answer of into smb.conf.


Thanks,
Kev



Re: [Samba] AD DC eventually not browsable without restart, RPC server unavailable for user selection

2013-09-16 Thread Kevin Field
I'm now getting another error in a different spot that I hadn't tried 
before.  If I go to a share \\newdc\\whatever, right-click a folder in 
it, go Properties, then the Security tab, then Advanced, then Effective 
Permissions, then Select, I get this:


The program cannot open the required dialog box because it cannot 
determine whether the computer named newdc is joined to a domain. 
Close this message, and try again.  [Close]


And upon clicking Close:

---
Security
---
Unable to display the user selection dialog.

The RPC server is unavailable.
---
OK
---

I'm using this particular share in production at the moment so I'll have 
to wait until after-hours to try restarting Samba to see if it goes away.


Has anyone else come across either of these errors?  Why does Samba's 
equivalent of the RPC server seem to function fine and then after some 
amount of time no longer seem to be available?


Thanks,
Kev

On 2013-09-06 2:49 PM, Kevin Field wrote:

Nothing too interesting:

$ sudo tail -n 50 /var/log/samba/log.smbd
   smbd version 4.0.8-SerNet-RedHat-4.el6 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/08/15 17:56:21.535409,  0] ../source3/smbd/server.c:1253(main)
   server role = 'active directory domain controller' not compatible
with running smbd standalone.
   You should start 'samba' instead, and it will control starting smbd
if required
[2013/08/15 22:57:15,  0] ../source3/smbd/server.c:1201(main)
   smbd version 4.0.8-SerNet-RedHat-4.el6 started.
   Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/08/15 22:57:15,  0] ../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 22:57:15.902304,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 22:57:15.909854,  0] ../source3/smbd/server.c:1281(main)
   standard input is not a socket, assuming -D option
[2013/08/15 22:57:16.631301,  0]
../source3/printing/print_cups.c:151(cups_connect)
   Unable to connect to CUPS server localhost:631 - Connection refused
[2013/08/15 22:57:16.632045,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2013/08/15 22:58:16.689780,  0]
../source3/printing/print_cups.c:151(cups_connect)
   Unable to connect to CUPS server localhost:631 - Connection refused
[2013/08/15 22:58:16.690368,  0]
../source3/printing/print_cups.c:528(cups_async_callback)
   failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
[2013/08/15 23:00:37.725980,  0]
../source3/param/loadparm.c:3033(lp_set_enum_parm)
   WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns
updates'
[2013/08/15 23:00:37.726249,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:00:37.772626,  0]
../source3/param/loadparm.c:3033(lp_set_enum_parm)
   WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns
updates'
[2013/08/15 23:00:37.772883,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:00:38.037790,  0]
../source3/param/loadparm.c:3033(lp_set_enum_parm)
   WARNING: Ignoring invalid value 'unsecure' for parameter 'allow dns
updates'
[2013/08/15 23:00:38.038080,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:35.872174,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:35.935461,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:36.200408,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:39.710286,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:39.792444,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:40.054341,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:02:55.374983,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries
[2013/08/15 23:04:13.125656,  0]
../source3/param/loadparm.c:3121(lp_do_parameter)
   Ignoring unknown parameter dns recursive queries


And:

top - 14:47:13 up 14 days, 22:05,  1 user,  load average: 0.13, 0.12, 0.09
Tasks: 222 total,   1 running, 221 sleeping,   0 stopped,   0 zombie
Cpu(s):  0.0%us,  0.0%sy,  0.0%ni,100.0%id,  0.0%wa,  0.0%hi,  0.0%si,
0.0%st
Mem:  12194316k total,  6204420k used,  5989896k free,   810524k buffers
Swap:  6168568k total, 2784k used,  6165784k free

Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Kevin Field

Yep, that's exactly it.  Thanks!

Kev

On 2013-09-06 10:16 AM, Ricky Nance wrote:

Have you disabled syslinux? That is what that change looks like to me.

Ricky


On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote:

I just noticed something interesting, since I have /etc under
version control: /etc/mtab changed thusly:

-tmpfs /dev/shm tmpfs
rw,rootcontext=system_u:__object_r:tmpfs_t:s0 0 0
+tmpfs /dev/shm tmpfs rw 0 0

Does this mean anything to our troubleshooting?

Thanks,
Kev


On 2013-09-04 2:02 PM, Kevin Field wrote:

Yeah, it's still

tmpfs 5.9G 0  5.9G   0% /dev/shm

The really odd thing is, currently, it's telling me this if I try to
access it from OLDDC, running Windows Server 2003.  But if I remote into
another computer (GEYSER) on the network that's running Windows XP, I
can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.

Besides the OS I noticed another difference, running echo
%logonserver% from GEYSER, it reports \\G5, whereas running that on
OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if
it has anything to do with it.  I also wonder if, if I leave GEYSER
logged in long enough, I'll have the same result on it as I do on OLDDC.

So nobody else is having this browsability problem, eh?

Kev

On 2013-08-24 1:41 PM, Kevin Field wrote:

Hmm...it hasn't been long enough since a restart yet, because it's not
doing it ATM, but nonetheless if it's a question of an extra 45 mb I
think we have it covered:

tmpfs 5.9G 0  5.9G   0% /dev/shm

But I'll check anyway next opportunity and report back if it's a
positive.

Kev

On 2013-08-24 11:51 AM, Ricky Nance wrote:

I wonder if you're hitting the /run/lock fill up that another user
reported on a week or two ago (they are using ubuntu). I think the
solution was to make that tmpfs partition bigger (like 50 mb instead of
5 mb). Next time it is unresponsive check and see what the output of 'df
-h' is.

Ricky


On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

 I've upgraded to 4.0.9 and this behaviour persists.

 Should I file a bug report, do you think?  Is nobody else
 experiencing this?

 Thanks,

 Kev

 On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

 You may want to see if it is this bug, which is fixed in 4.0.9:
 https://bugzilla.samba.org/show_bug.cgi?id=9820

 *From: *Kevin Field k...@brantaero.com
 *To: *samba@lists.samba.org
 *Sent: *Tuesday, August 20, 2013 9:38:32 AM
 *Subject: *[Samba] AD DC eventually not browsable without restart

 I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
 replicating from a W2K3 DC (olddc).  When I first launch Samba using
 `sudo samba`, I can go to the Windows server and browse to \\newdc in
 Explorer, and I see mytestshare, netlogon, printers, sysvol, and
 Printers and Faxes.

 After a while (I'm not sure how long precisely, but under 24 hours) I
 could not navigate to \\newdc without the following error:

 ---
 \\newdc
 ---
 \\newdc

Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Kevin Field
 000 S  0.0  0.0   0:00.47 watchdog/2
   15 root  RT   0 000 S  0.0  0.0   0:00.81 migration/3
   16 root  RT   0 000 S  0.0  0.0   0:00.00 migration/3
   17 root  20   0 000 S  0.0  0.0   0:03.78 ksoftirqd/3
   18 root  RT   0 000 S  0.0  0.0   0:00.48 watchdog/3
   19 root  RT   0 000 S  0.0  0.0   0:00.25 migration/4
   20 root  RT   0 000 S  0.0  0.0   0:00.00 migration/4
   21 root  20   0 000 S  0.0  0.0   0:03.81 ksoftirqd/4
   22 root  RT   0 000 S  0.0  0.0   0:00.46 watchdog/4
   23 root  RT   0 000 S  0.0  0.0   0:00.23 migration/5
   24 root  RT   0 000 S  0.0  0.0   0:00.00 migration/5
   25 root  20   0 000 S  0.0  0.0   0:03.56 ksoftirqd/5


On 2013-09-06 2:03 PM, Ricky Nance wrote:

What about log.smbd ... also what does samba-tool processes output?

Ricky


On Fri, Sep 6, 2013 at 12:57 PM, Kevin Field k...@brantaero.com wrote:

(Just for the record, I haven't restarted samba in a couple weeks now.)

That's very interesting: via the IP, it is browsable.

As for the outputs:

$ sudo netstat -anp | grep samba\|smb
tcp   0  0 0.0.0.0:139         0.0.0.0:*       LISTEN       5714/samba
tcp   0  0 0.0.0.0:464         0.0.0.0:*       LISTEN       19028/samba
tcp   0  0 0.0.0.0:53          0.0.0.0:*       LISTEN       19035/samba
tcp   0  0 0.0.0.0:88          0.0.0.0:*       LISTEN       19028/samba
tcp   0  0 0.0.0.0:636         0.0.0.0:*       LISTEN       19026/samba
tcp   0  0 0.0.0.0:445         0.0.0.0:*       LISTEN       19034/samba
tcp   0  0 0.0.0.0:1024        0.0.0.0:*       LISTEN       19023/samba
tcp   0  0 0.0.0.0:3268        0.0.0.0:*       LISTEN       19026/samba
tcp   0  0 0.0.0.0:3269        0.0.0.0:*       LISTEN       19026/samba
tcp   0  0 0.0.0.0:389         0.0.0.0:*       LISTEN       19026/samba
tcp   0  0 0.0.0.0:135         0.0.0.0:*       LISTEN       19023/samba
tcp   0  0 10.0.1.2:445        10.0.1.1:1777   ESTABLISHED  19044/samba
tcp   0  0 10.0.1.2:1024       10.0.1.1:3024   ESTABLISHED  19023/samba
tcp   0  0 10.0.1.2:445        10.0.1.1:2130   ESTABLISHED  5714/samba
tcp   0  0 10.0.1.2:58561      10.0.1.1:1025   ESTABLISHED  19029/samba
udp   0  0 10.0.1.2:389        0.0.0.0:*                    19027/samba
udp   0  0 0.0.0.0:389         0.0.0.0:*                    19027/samba
udp   0  0 10.0.1.2:137        0.0.0.0:*                    19024/samba
udp   0  0 10.255.255.255:137  0.0.0.0:*                    19024/samba
udp   0  0 0.0.0.0:137         0.0.0.0:*                    19024/samba
udp   0  0 10.0.1.2:138        0.0.0.0:*                    19024/samba
udp   0  0 10.255.255.255:138  0.0.0.0:*                    19024/samba
udp   0  0 0.0.0.0:138         0.0.0.0:*                    19024/samba
udp   0  0 0.0.0.0:53          0.0.0.0:*                    19035/samba
udp   0  0 10.0.1.2:464        0.0.0.0:*                    19028/samba
udp   0  0 0.0.0.0:464         0.0.0.0:*                    19028/samba
udp   0  0 10.0.1.2:88         0.0.0.0:*                    19028/samba
udp   0  0 0.0.0.0:88          0.0.0.0:*                    19028/samba
unix  2  [ ] DGRAM 1900834 5714/samba /var/lib/samba/private/smbd.tmp/msg/msg.5714
unix  2  [ ACC ] STREAM LISTENING 413329 19023/samba /var/run/samba/ncalrpc/np/dnsserver
unix  2  [ ACC ] STREAM LISTENING 413331 19023/samba /var/run/samba/ncalrpc/np/ntsvcs
unix  2  [ ACC ] STREAM LISTENING 413334 19023/samba /var/run/samba/ncalrpc/np/browser
unix  2  [ ACC ] STREAM LISTENING 413336 19023/samba /var/run/samba/ncalrpc/np/unixinfo
unix  2  [ ACC ] STREAM LISTENING 413339 19023/samba /var/run/samba/ncalrpc/np/protected_storage
unix  2  [ ACC ] STREAM LISTENING 413344 19023/samba /var/run

Re: [Samba] AD DC eventually not browsable without restart

2013-09-06 Thread Kevin Field
/util.c:3118: WARNING: forestFunctionality not 
setup
[2013/09/06 13:53:21.498801,  0] 
../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service *.: 
NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/09/06 13:53:23.152701,  0] 
../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service DESKTOP.INI: 
NT_STATUS_OBJECT_NAME_NOT_FOUND


The forestFunctionality errors are from the Windows AD replication 
status tool.


Thanks,
Kev


On 2013-09-06 1:46 PM, Ricky Nance wrote:

Next time it's unresponsive, try hitting it with \\ip.to.new.dc and see
if it's browsable, also get the output of netstat -anp | grep
samba\|smbd  as well as tail -n 50 /usr/local/samba/var/log.samba and
tail -n 50 usr/local/samba/var/log.smbd (adjust the path as needed),
also I am interested if top has anything to say about samba or smbd (as
for processor and memory usage).

Ricky


On Fri, Sep 6, 2013 at 12:12 PM, Kevin Field k...@brantaero.com wrote:

Yep, that's exactly it.  Thanks!

Kev


On 2013-09-06 10:16 AM, Ricky Nance wrote:

Have you disabled syslinux? That is what that change looks like
to me.

Ricky


On Thu, Sep 5, 2013 at 3:26 PM, Kevin Field k...@brantaero.com wrote:

 I just noticed something interesting, since I have /etc under
 version control: /etc/mtab changed thusly:

 -tmpfs /dev/shm tmpfs
 rw,rootcontext=system_u:object_r:tmpfs_t:s0 0 0

 +tmpfs /dev/shm tmpfs rw 0 0

 Does this mean anything to our troubleshooting?

 Thanks,
 Kev


 On 2013-09-04 2:02 PM, Kevin Field wrote:

 Yeah, it's still

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 The really odd thing is, currently, it's telling me this if I try to
 access it from OLDDC, running Windows Server 2003.  But if I remote into
 another computer (GEYSER) on the network that's running Windows XP, I
 can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.

 Besides the OS I noticed another difference, running echo
 %logonserver% from GEYSER, it reports \\G5, whereas running that on
 OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if
 it has anything to do with it.  I also wonder if, if I leave GEYSER
 logged in long enough, I'll have the same result on it as I do on OLDDC.

 So nobody else is having this browsability problem, eh?

 Kev

 On 2013-08-24 1:41 PM, Kevin Field wrote:

 Hmm...it hasn't been long enough since a restart yet, because it's not
 doing it ATM, but nonetheless if it's a question of an extra 45 mb I
 think we have it covered:

 tmpfs 5.9G 0  5.9G   0% /dev/shm

 But I'll check anyway next opportunity and report back if it's a
 positive.

 Kev

 On 2013-08-24 11:51 AM, Ricky Nance wrote:

 I wonder if you're hitting the /run/lock fill up that another user
 reported on a week or two ago (they are using ubuntu). I think the
 solution was to make that tmpfs partition bigger (like 50 mb instead of
 5 mb). Next time it is unresponsive check and see what the output of 'df
 -h' is.

 Ricky


 On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

  I've upgraded to 4.0.9 and this behaviour persists.

  Should I file a bug report, do you think?  Is nobody else
  experiencing this?

  Thanks,

  Kev

  On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

  You may want

Re: [Samba] AD DC eventually not browsable without restart

2013-09-05 Thread Kevin Field
I just noticed something interesting, since I have /etc under version 
control: /etc/mtab changed thusly:


-tmpfs /dev/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0 0 0
+tmpfs /dev/shm tmpfs rw 0 0

Does this mean anything to our troubleshooting?

Thanks,
Kev

On 2013-09-04 2:02 PM, Kevin Field wrote:

Yeah, it's still

tmpfs 5.9G 0  5.9G   0% /dev/shm

The really odd thing is, currently, it's telling me this if I try to
access it from OLDDC, running Windows Server 2003.  But if I remote into
another computer (GEYSER) on the network that's running Windows XP, I
can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.

Besides the OS I noticed another difference, running echo
%logonserver% from GEYSER, it reports \\G5, whereas running that on
OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if
it has anything to do with it.  I also wonder if, if I leave GEYSER
logged in long enough, I'll have the same result on it as I do on OLDDC.

So nobody else is having this browsability problem, eh?

Kev

On 2013-08-24 1:41 PM, Kevin Field wrote:

Hmm...it hasn't been long enough since a restart yet, because it's not
doing it ATM, but nonetheless if it's a question of an extra 45 mb I
think we have it covered:

tmpfs 5.9G 0  5.9G   0% /dev/shm

But I'll check anyway next opportunity and report back if it's a
positive.

Kev

On 2013-08-24 11:51 AM, Ricky Nance wrote:

I wonder if you're hitting the /run/lock fill up that another user
reported on a week or two ago (they are using ubuntu). I think the
solution was to make that tmpfs partition bigger (like 50 mb instead of
5 mb). Next time it is unresponsive check and see what the output of 'df
-h' is.

Ricky


On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

I've upgraded to 4.0.9 and this behaviour persists.

Should I file a bug report, do you think?  Is nobody else
experiencing this?

Thanks,

Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820

*From: *Kevin Field k...@brantaero.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#   dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing

Re: [Samba] AD DC eventually not browsable without restart

2013-09-04 Thread Kevin Field

Yeah, it's still

tmpfs 5.9G 0  5.9G   0% /dev/shm

The really odd thing is, currently, it's telling me this if I try to 
access it from OLDDC, running Windows Server 2003.  But if I remote into 
another computer (GEYSER) on the network that's running Windows XP, I 
can access \\NEWDC just fine.  Back to OLDDC and it still doesn't work.


Besides the OS I noticed another difference, running echo 
%logonserver% from GEYSER, it reports \\G5, whereas running that on 
OLDDC reports \\OLDDC.  I know this is normal behaviour, but I wonder if 
it has anything to do with it.  I also wonder if, if I leave GEYSER 
logged in long enough, I'll have the same result on it as I do on OLDDC.


So nobody else is having this browsability problem, eh?

Kev

On 2013-08-24 1:41 PM, Kevin Field wrote:

Hmm...it hasn't been long enough since a restart yet, because it's not
doing it ATM, but nonetheless if it's a question of an extra 45 mb I
think we have it covered:

tmpfs 5.9G 0  5.9G   0% /dev/shm

But I'll check anyway next opportunity and report back if it's a positive.

Kev

On 2013-08-24 11:51 AM, Ricky Nance wrote:

I wonder if you're hitting the /run/lock fill up that another user
reported on a week or two ago (they are using ubuntu). I think the
solution was to make that tmpfs partition bigger (like 50 mb instead of
5 mb). Next time it is unresponsive check and see what the output of 'df
-h' is.

Ricky


On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

I've upgraded to 4.0.9 and this behaviour persists.

Should I file a bug report, do you think?  Is nobody else
experiencing this?

Thanks,

Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820

*From: *Kevin Field k...@brantaero.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#   dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing = cups

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[printers]
   comment = All Printers
   path

Re: [Samba] AD DC eventually not browsable without restart

2013-08-24 Thread Kevin Field

I've upgraded to 4.0.9 and this behaviour persists.

Should I file a bug report, do you think?  Is nobody else experiencing this?

Thanks,
Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820




*From: *Kevin Field k...@brantaero.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing = cups

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = Yes
   read only = No
   printable = Yes

[print$]
   comment = Point and Print Printer Drivers
   path = /var/lib/samba/printing
   read only = No

[mytestshare]
  path = /srv/mytestshare/
  read only = No


Any ideas?

Thanks,
Kev


Re: [Samba] AD DC eventually not browsable without restart

2013-08-24 Thread Kevin Field
Hmm...it hasn't been long enough since a restart yet, because it's not 
doing it ATM, but nonetheless if it's a question of an extra 45 mb I 
think we have it covered:


tmpfs 5.9G 0  5.9G   0% /dev/shm

But I'll check anyway next opportunity and report back if it's a positive.

Kev

On 2013-08-24 11:51 AM, Ricky Nance wrote:

I wonder if you're hitting the /run/lock fill up that another user
reported on a week or two ago (they are using ubuntu). I think the
solution was to make that tmpfs partition bigger (like 50 mb instead of
5 mb). Next time it is unresponsive check and see what the output of 'df
-h' is.

Ricky


On Sat, Aug 24, 2013 at 10:02 AM, Kevin Field k...@brantaero.com wrote:

I've upgraded to 4.0.9 and this behaviour persists.

Should I file a bug report, do you think?  Is nobody else
experiencing this?

Thanks,

Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820

*From: *Kevin Field k...@brantaero.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#   dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing = cups

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = Yes
   read only = No
   printable = Yes

[print$]
   comment = Point and Print Printer Drivers
   path = /var/lib/samba/printing
   read only = No

[mytestshare]
  path = /srv/mytestshare/
  read only = No


Any ideas?

Thanks,
Kev

[Samba] CUPS working but errors from Windows clients accessing printer

2013-08-23 Thread Kevin Field

Hi,

On CentOS 6.4 (newdc), I have CUPS 1.4.2-50.el6_4.5 installed, can 
access its web interface.  There I set up our main shared printer, an 
OCE Imagistics cm2520, and successfully printed a test page.


With SerNet Samba 4.0.9 on the same box configured every which example 
way I could find, I cannot seem to get it to the point where 
double-clicking the printer in Windows (W2K3, OLDDC) opens up the print 
queue (as it does from \\olddc).  The closest I get, by manually 
defining the printer in smb.conf, is that it shows up in \\newdc in 
Windows Explorer, but double-clicking the BackOfficeCopier printer gives 
this error:


---
Printers
---
Operation could not be completed. Either the printer name was typed 
incorrectly, or the specified printer has lost its connection to the 
server.  For more information, click Help.

---
OK   Help
---

If I double-click the printers share, I get:

---
\\newdc
---
\\newdc\printers is not accessible. You might not have permission to use 
this network resource. Contact the administrator of this server to find 
out if you have access permissions.


Incorrect function.

---
OK
---

Neither of these causes an entry to appear in log.samba.  However, 
double-clicking on Printers and Faxes shows me a folder containing just 
Add Printer and generates this log entry in log.samba:


[2013/08/23 09:18:39.921226,  0] 
../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service 
::{2227A280-3AEA-1069-A2DE-08002B30309D}: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/23 09:18:39.935896,  0] 
../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx)

  unable to call back to \\OLDDC
[2013/08/23 09:18:39.952321,  0] 
../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx)

  unable to call back to \\OLDDC

If I then try Add Printer and click Next, my only choice is the top 
one and there are no ports listed.  Trying Next again at that point 
just gives:


---
Add Printer Wizard
---
Operation could not be completed.
---
OK
---

About the first error, the queue name in CUPS is OCE, and in smb.conf I 
have this:


[global]
workgroup = MYDOMAIN
realm = mydomain.lan
netbios name = NEWDC
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate, smb, dns

allow dns updates = true
dns forwarder = 192.168.1.1
#dns recursive queries = yes
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, 
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, 
eventlog6, backupkey, dnsserver, winreg, srvsvc

#   dcerpc endpoint servers = winreg srvsvc
load printers = yes
printing = cups
printcap name = cups

[netlogon]
path = /var/lib/samba/sysvol/mydomain.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[printers]
 comment = All Printers
 path = /var/spool/samba/
guest ok = Yes
 browseable = Yes
 read only = No
 printable = Yes
create mask = 0700

[print$]
 comment = Point and Print Printer Drivers
 path = /var/lib/samba/printing
 read only = No

[BackOfficeCopier]
 path = /var/spool/samba/
 browseable = yes
 printable = yes
 printer name = OCE

[mytest]
path = /home/srv/samba-test-share
read only = No

As far as ACL goes for the second error, etc.:

$ sudo ls -l /var/spool/
...
drwxrwxrwt.  2 root   root   4096 Aug 15 18:10 samba

$ sudo ls -l /var/lib/samba/
...
drwxr-xr-x.  4 root root4096 Aug 22 22:19 printing

I copied everything from \\olddc\print$ to \\newdc\print$ before 
chmodding printing back to 755.


I'm not sure what I'm missing here.  I tried following the HOWTO to the 
letter, and then I started trying configurations mentioned on various 
help sites, and nothing seems to do the trick yet.


Thanks,
Kev

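The log.samba excerpts in the post above are records made of a bracketed timestamp and debug level, a source location, and an indented message. The following Python script is an added example, not part of the original post or of Samba: it parses such records, including the line wrapping the mail client introduced, and groups repeats so recurring failures stand out. The function names (parse_records, requested_service, summarize) are hypothetical, and the second sample record carries a constructed timestamp.

```python
import re
from collections import OrderedDict

# Records copied from the post above, keeping the mail client's line wrapping.
WRAPPED_LOG = r"""
[2013/08/23 09:18:39.921226,  0]
../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service
::{2227A280-3AEA-1069-A2DE-08002B30309D}: NT_STATUS_OBJECT_NAME_NOT_FOUND
[2013/08/23 09:18:39.935896,  0]
../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx)

  unable to call back to \\OLDDC
[2013/08/23 09:18:39.952321,  0]
../source4/rpc_server/spoolss/dcesrv_spoolss.c:1189(dcesrv_spoolss_RemoteFindFirstPrinterChangeNotifyEx)

  unable to call back to \\OLDDC
"""

# Constructed record (timestamp invented) with header and location on one line.
UNWRAPPED_LOG = """\
[2013/08/23 09:20:00.000000,  0] ../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND
"""

HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?),\s*(?P<level>\d+)\]"
    r"\s*(?P<rest>.*)$"
)
LOCATION = re.compile(r"^(?P<file>\S+):(?P<line>\d+)\((?P<func>\w+)\)$")
SERVICE = re.compile(r"couldn't find service (?P<name>.+?): (?P<status>NT_STATUS_\w+)")


def parse_records(text):
    """Split log text into records; tolerate a location wrapped onto its own line."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"ts": header["ts"], "level": int(header["level"]),
                       "file": None, "line": None, "func": None, "msg": []}
            records.append(current)
            line = header["rest"]  # location may follow on the same line
        if current is None or not line:
            continue  # text before the first header, or a blank line
        loc = LOCATION.match(line) if current["file"] is None else None
        if loc:
            current.update(file=loc["file"], line=int(loc["line"]), func=loc["func"])
        else:
            current["msg"].append(line)  # message text, possibly wrapped
    for rec in records:
        rec["msg"] = " ".join(rec["msg"])
    return records


def requested_service(record):
    """Return (service name, NT status) for make_connection failures, else None."""
    m = SERVICE.search(record["msg"])
    return (m["name"], m["status"]) if m else None


def summarize(records):
    """Group identical (location, message) pairs with a count and time span."""
    groups = OrderedDict()
    for rec in records:
        key = (rec["file"], rec["line"], rec["func"], rec["msg"])
        group = groups.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        group["count"] += 1
        group["last"] = rec["ts"]
    return groups


if __name__ == "__main__":
    parsed = parse_records(WRAPPED_LOG + UNWRAPPED_LOG)
    for (path, lineno, func, msg), info in summarize(parsed).items():
        print(f"{info['count']}x {func} ({path}:{lineno}) "
              f"{info['first']} .. {info['last']}\n    {msg}")
    for rec in parsed:
        hit = requested_service(rec)
        if hit:
            print(f"client asked for share {hit[0]!r}: {hit[1]}")
```
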

Re: [Samba] share permissions

2013-08-22 Thread Kevin Field

I can understand that.

However, I'm a bit confused about how this is supposed to be practical 
in the case of Samba.  Samba runs as root, so it can see everything. 
I'm telling it to share a particular folder.  Why should it look at the 
ACLs of folders above that, when there's no way they will be otherwise 
accessible via Samba?


The reason I bother with this question is that /home and /srv are on two 
different partitions.  I set it up so that the bulk of space would be 
available under /home.  Okay, so it sounds like links can come to rescue 
here.  I dig around and it seems that hard links on directories have not 
been allowed since the 70's.  Symbolic links could work, but if you 
enable the following of symbolic links in smb.conf, it can open up 
security holes.  So to me it seems there's no workaround for a design 
that doesn't make sense in the first place (checking the ACLs of parent 
directories even if you're root and they're irrelevant to the 
application of sharing the given directory.)


Am I missing something?

Thanks,
Kev

On 2013-08-20 11:22 AM, Ricky Nance wrote:

Permissions are hard to explain (possibly because I don't fully
understand them myself I guess), but if you have a directory (say /srv)
and you give it 0700 permissions, then only the person that owns that
directory is able to see anything under it, however if you give it 0755,
then ANYONE can see (the second 5 is R-X for everyone) what's in there,
now you have a directory under that, let's call it share, (so /srv/share)
and you give it permissions of 0777, then everyone can read/write in the
share folder, but no one can write to the /srv folder except the owner.
So when you had a share under /home/user (which is typically /home is
755, and the /home/user is 0700) then no one had access to the
underlying directories (even if the underlying directory is 777, because
the user simply can't get to that point)...

If anyone disagrees or could explain this better please feel free to do
so, I am not opposed to learning new things :)

Ricky


On Tue, Aug 20, 2013 at 10:10 AM, Kevin Field k...@brantaero.com wrote:

Aha!  Moving it worked.  I can now see it from Windows.  If I chmod
777 on the directory I can also add files to it from Windows.

However, I don't quite understand why the parent of the share
directory affects it.  BTW /home/me has 700 permissions and /srv has
755.  If the +x on /srv allows the +x on my test share directory to
allow Windows to browse it, why doesn't the -w on /srv prevent the
+w on my test share directory from allowing Windows to create files
there?  I always thought negative permissions took precedence in
ACL, generally?

Thanks,
Kev


On 2013-08-20 10:22 AM, Kevin Field wrote:

Hi Ricky,

I don't think I should have to reboot.  setenforce is documented to work
without rebooting.  If I need to reboot a Linux server to troubleshoot
something like this--and I hear SELinux is often a first thing to try
disabling to troubleshoot--then it's worse than Windows for rebooting
requirements.  But I'm pretty sure that's simply not true.

Otherwise this is meaningless:

$ sudo setenforce 0
$ sudo getenforce
Permissive

Also I'm a bit confused as to why the permissions on /home should affect
/home/me if I've explicitly set them on /home/me and haven't defined
some kind of ACL inheritance policy.  Is it the default that higher
directories' permissions override lower ones in CentOS?  Or is it a
Samba fileshare thing?  I would like to know exactly how this works, but
in any case, I'll try moving the share and see how it goes.

Thanks,
Kev

On 2013-08-17 9:47 AM, Ricky Nance wrote:

Have a look at
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
and
you will probably have to reboot after making the changes. I have seen
this cause more problems than not, so I would start with disabling it
and see if it fixes your problem. Also since you are using a /home/me
before your share, you need to make sure you have at least 755
permissions in both /home and /home/me, it might be a good idea to make
a directory named /srv/mytestshare instead.

Ricky


On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

Interestingly, I couldn't turn off selinux using their method:

 $ sudo echo 0  /selinux
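
Ricky's point quoted above, that a 0700 directory on the way to a share blocks every other user even when the share directory itself is 0777, can be checked mechanically. The following is an added example, not part of the thread: the function names, the constructed temporary tree mirroring /home/me (0700) and /srv (0755), and the made-up uid/gid are assumptions, and it reads only classic mode bits via GNU stat (no POSIX ACLs, no SELinux).

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.
# Reports the first directory on the way to a share that a given uid/gid set
# cannot search (traverse), using only owner/group/other mode bits.
# Assumes GNU stat; POSIX ACLs and SELinux labels are not evaluated.

# can_search DIR UID "GID GID ..." -> 0 if that identity has x on DIR
can_search() {
    local dir="$1" uid="$2" gids="$3" st mode owner group digit g
    [ "$uid" -eq 0 ] && return 0            # root bypasses mode-bit checks
    st=$(stat -c '%a %u %g' -- "$dir" 2>/dev/null) || return 2
    set -- $st                              # octal mode, owner uid, owner gid
    mode=$1; owner=$2; group=$3
    # Exactly one class applies: owner, else group, else other. The octal
    # digits are picked out of the mode string with decimal arithmetic.
    if [ "$uid" -eq "$owner" ]; then
        digit=$(( mode / 100 % 10 ))
    else
        digit=$(( mode % 10 ))
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                digit=$(( mode / 10 % 10 )); break
            fi
        done
    fi
    [ $(( digit & 1 )) -eq 1 ]              # low bit of the digit is x
}

# first_blocked_dir UID "GIDS" PATH [BASE]
# Checks BASE (default /) and every directory below it down to PATH.
# Prints the first directory the identity cannot search and returns 1;
# prints nothing and returns 0 when the whole chain is traversable.
# A directory that cannot be stat'ed is reported as blocked.
# Real-system use: first_blocked_dir "$(id -u USER)" "$(id -G USER)" /path/to/share
first_blocked_dir() {
    local uid="$1" gids="$2" path="$3" base="${4:-/}" cur rest comp old_ifs
    cur=${base%/}                           # empty string when BASE is /
    rest=${path#"$cur"}                     # the part of PATH below BASE
    if ! can_search "${cur:-/}" "$uid" "$gids"; then
        printf '%s\n' "${cur:-/}"; return 1
    fi
    old_ifs=$IFS; IFS=/; set -f             # split the remainder on slashes
    set -- $rest
    set +f; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        cur="$cur/$comp"
        if ! can_search "$cur" "$uid" "$gids"; then
            printf '%s\n' "$cur"; return 1
        fi
    done
    return 0
}

# Constructed tree with the modes discussed in the thread.
build_demo_tree() {
    local t
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/me/mytestshare" "$t/srv/mytestshare"
    chmod 755 "$t" "$t/home" "$t/srv"
    chmod 777 "$t/home/me/mytestshare" "$t/srv/mytestshare"
    chmod 700 "$t/home/me"
    printf '%s\n' "$t"
}

demo() {
    local t uid gid share rel blocked
    t=$(build_demo_tree) || return 1
    # A made-up identity that owns none of the directories.
    uid=$(( $(id -u) + 4242 )); gid=$(( $(id -g) + 4242 ))
    for share in "$t/home/me/mytestshare" "$t/srv/mytestshare"; do
        rel=${share#"$t"}
        if blocked=$(first_blocked_dir "$uid" "$gid" "$share" "$t"); then
            echo "OK      $rel"
        else
            echo "BLOCKED $rel at ${blocked#"$t"}"
        fi
    done
    rm -rf "$t"
}

demo
```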

Re: [Samba] share permissions

2013-08-22 Thread Kevin Field
Oh, so it only looks at the immediate parent's permissions?  Not the 
grandparent?  I find that even more bewildering but a whole lot easier 
to work with if that's the case :)


Thanks,
Kev

On 2013-08-22 11:44 AM, Ricky Nance wrote:

No, you can use /home/srv/share as long as srv (under home) is 755
permissions. Samba does run as root, but it also still obeys the rules
of the underlying file system.

Ricky


On Thu, Aug 22, 2013 at 10:19 AM, Kevin Field k...@brantaero.com wrote:

I can understand that.

However, I'm a bit confused about how this is supposed to be
practical in the case of Samba.  Samba runs as root, so it can see
everything. I'm telling it to share a particular folder.  Why should
it look at the ACLs of folders above that, when there's no way they
will be otherwise accessible via Samba?

The reason I bother with this question is that /home and /srv are on
two different partitions.  I set it up so that the bulk of space
would be available under /home.  Okay, so it sounds like links can
come to rescue here.  I dig around and it seems that hard links on
directories have not been allowed since the 70's.  Symbolic links
could work, but if you enable the following of symbolic links in
smb.conf, it can open up security holes.  So to me it seems there's
no workaround for a design that doesn't make sense in the first
place (checking the ACLs of parent directories even if you're root
and they're irrelevant to the application of sharing the given
directory.)

Am I missing something?

Thanks,
Kev



Re: [Samba] share permissions

2013-08-22 Thread Kevin Field
Oh, I see.  At first I read it as /home/me/srv.  Gotcha.  It works! 
Thanks very much Ricky!  -K


On 2013-08-22 12:49 PM, Ricky Nance wrote:

It looks at all of them, but the important thing is that it's 0755 all
the way to the folder being used (if there are any XXX0 permissions on
the way to the folder it will cause things to fail, which is the case
with the 'me' part of /home/me/share as it has 0700 permissions).


On Thu, Aug 22, 2013 at 10:54 AM, Kevin Field k...@brantaero.com wrote:

Oh, so it only looks at the immediate parent's permissions?  Not the
grandparent?  I find that even more bewildering but a whole lot
easier to work with if that's the case :)

Thanks,
Kev


On 2013-08-22 11:44 AM, Ricky Nance wrote:

No, you can use /home/srv/share as long as srv (under home) is 755
permissions. Samba does run as root, but it also still obeys the rules
of the underlying file system.

Ricky



Re: [Samba] share permissions

2013-08-20 Thread Kevin Field

Hi Ricky,

I don't think I should have to reboot.  setenforce is documented to work 
without rebooting.  If I need to reboot a Linux server to troubleshoot 
something like this--and I hear SELinux is often a first thing to try 
disabling to troubleshoot--then it's worse than Windows for rebooting 
requirements.  But I'm pretty sure that's simply not true.


Otherwise this is meaningless:

$ sudo setenforce 0
$ sudo getenforce
Permissive

Also I'm a bit confused as to why the permissions on /home should affect 
/home/me if I've explicitly set them on /home/me and haven't defined 
some kind of ACL inheritance policy.  Is it the default that higher 
directories' permissions override lower ones in CentOS?  Or is it a 
Samba fileshare thing?  I would like to know exactly how this works, but 
in any case, I'll try moving the share and see how it goes.


Thanks,
Kev

On 2013-08-17 9:47 AM, Ricky Nance wrote:

Have a look at
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
and
you will probably have to reboot after making the changes. I have seen
this cause more problems than not, so I would start with disabling it
and see if it fixes your problem. Also since you are using a /home/me
before your share, you need to make sure you have at least 755
permissions in both /home and /home/me, it might be a good idea to make
a directory named /srv/mytestshare instead.

Ricky


On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to
work in that it didn't give me an error message, but OTOH didn't
seem to work in that the output of ls -alhDZ was the same:

drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows.

Also something strange happened, after a while I could not navigate
to \\newdc without a similar error, but I had not been doing
anything in the system, so I'm not sure what might have caused it.
  Running `sudo killall samba` and then `sudo samba` made it
suddenly be browseable again.  Maybe not related...not sure...

Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set
up the selinux permissions on the mytestshare dir per the HOWTO at
http://wiki.centos.org/HowTos/SetUpSamba .  I'm pretty sure that's
why it says samba_share_t on the ls output above.

Kev


On 2013-08-16 11:52 AM, Ricky Nance wrote:

Temporarily turn off selinux, if that fixes your issue you will need to
adjust the selinux rules to take care of the problem (or just completely
disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
you turn it off it can tell you if selinux is on, then run that again
after it's turned off to confirm. You can read about disabling/turning
off selinux at
http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky


On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
successfully replicating with a W2K3 server.  I'm following the
HOWTO here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
        path = /home/me/mytestshare -- with or without trailing slash
        read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share
listed there.  I can also see it if I connect to newdc in Computer
Management.  However, what I can't get from either of those places
is a Security tab if I right-click the share and go to Properties.
There's a Share Permissions tab in CM only that says that Everyone
has Full Control. Despite that, if I try to double-click the share
in Explorer, I get:

---
\\newdc
---
\\newdc\mytest is not accessible. You might not have permission to
use this network resource. Contact the administrator

[Samba] AD DC eventually not browsable without restart

2013-08-20 Thread Kevin Field
I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) 
replicating from a W2K3 DC (olddc).  When I first launch Samba using 
`sudo samba`, I can go to the Windows server and browse to \\newdc in 
Explorer, and I see mytestshare, netlogon, printers, sysvol, and 
Printers and Faxes.


After a while (I'm not sure how long precisely, but under 24 hours) I 
could not navigate to \\newdc without the following error:


---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this 
network resource. Contact the administrator of this server to find out 
if you have access permissions.


The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm 
not sure what might have caused it.  One time it even happened on a 
weekend when no backup or anything particularly special is scheduled 
while I was away.


Anyway, running `sudo killall samba` and then `sudo samba` makes it 
suddenly browsable again.


This is happening every day.  I guess it would be best to figure this 
problem out before we make Samba the only DC.


Here's my smb.conf, mostly set up by samba-tool, and now a work in 
progress to add the extras we will use:


# Global parameters
[global]
        workgroup = MYDOMAIN
        realm = mydomain.lan
        netbios name = NEWDC
        server role = active directory domain controller
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        allow dns updates = true
        dns forwarder = 192.168.1.1
#dns recursive queries = yes
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
        load printers = yes
        printing = cups

[netlogon]
        path = /var/lib/samba/sysvol/mydomain.lan/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = Yes
        read only = No
        printable = Yes

[print$]
        comment = Point and Print Printer Drivers
        path = /var/lib/samba/printing
        read only = No

[mytestshare]
        path = /srv/mytestshare/
        read only = No


Any ideas?

Thanks,
Kev


Re: [Samba] share permissions

2013-08-20 Thread Kevin Field
Aha!  Moving it worked.  I can now see it from Windows.  If I chmod 777 
on the directory I can also add files to it from Windows.


However, I don't quite understand why the parent of the share directory 
affects it.  BTW /home/me has 700 permissions and /srv has 755.  If the 
+x on /srv allows the +x on my test share directory to allow Windows to 
browse it, why doesn't the -w on /srv prevent the +w on my test share 
directory from allowing Windows to create files there?  I always thought 
negative permissions took precedence in ACL, generally?


Thanks,
Kev

On 2013-08-20 10:22 AM, Kevin Field wrote:

Hi Ricky,

I don't think I should have to reboot.  setenforce is documented to work
without rebooting.  If I need to reboot a Linux server to troubleshoot
something like this--and I hear SELinux is often a first thing to try
disabling to troubleshoot--then it's worse than Windows for rebooting
requirements.  But I'm pretty sure that's simply not true.

Otherwise this is meaningless:

$ sudo setenforce 0
$ sudo getenforce
Permissive

Also I'm a bit confused as to why the permissions on /home should affect
/home/me if I've explicitly set them on /home/me and haven't defined
some kind of ACL inheritance policy.  Is it the default that higher
directories' permissions override lower ones in CentOS?  Or is it a
Samba fileshare thing?  I would like to know exactly how this works, but
in any case, I'll try moving the share and see how it goes.

Thanks,
Kev

On 2013-08-17 9:47 AM, Ricky Nance wrote:

Have a look at
http://www.centos.org/docs/5/html/5.2/Deployment_Guide/sec-sel-enable-disable.html
and
you will probably have to reboot after making the changes. I have seen
this cause more problems than not, so I would start with disabling it
and see if it fixes your problem. Also since you are using a /home/me
before your share, you need to make sure you have at least 755
permissions in both /home and /home/me, it might be a good idea to make
a directory named /srv/mytestshare instead.

Ricky


On Fri, Aug 16, 2013 at 8:14 PM, Kevin Field k...@brantaero.com wrote:

Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to
work in that it didn't give me an error message, but OTOH didn't
seem to work in that the output of ls -alhDZ was the same:

drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows.

Also something strange happened, after a while I could not navigate
to \\newdc without a similar error, but I had not been doing
anything in the system, so I'm not sure what might have caused it.
  Running `sudo killall samba` and then `sudo samba` made it
suddenly be browseable again.  Maybe not related...not sure...

Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set
up the selinux permissions on the mytestshare dir per the HOWTO at
http://wiki.centos.org/HowTos/SetUpSamba .  I'm pretty sure that's
why it says samba_share_t on the ls output above.

Kev



[Samba] chmod + remote save denied = file wiped?

2013-08-20 Thread Kevin Field
I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc) 
replicating from a W2K3 DC (olddc).  newdc also has a test share.


I'm experiencing something strange whereby chmod and then an attempted 
file save causes a shared file to become zero bytes (despite the save 
not being blank, and also being denied):


At olddc:

1) open \\newdc\testshare\yay.txt


At newdc:

$ ls -l
total 8
-rw-rw-rw-. 1 me  me  9 Aug 20 10:59 yay.txt
$ cat yay.txt
It works!$ chmod 664 yay.txt


At olddc:

1) add a space to yay.txt and attempt to save.  popup:

---
TextPad
---
Access to \\newdc\testshare\yay.txt was denied.
---
OK
---

2) (optional) click OK to close the popup

At newdc*:

$ ls -l
total 4
-rw-rw-r--. 1 kev kev 0 Aug 20 11:12 yay.txt

* Alternatively, without touching newdc, I can shift focus from the 
TextPad window and back to it, and it will say that the file has 
changed.  If I choose to reload it, it's now blank.



Isn't this a bug?  I would expect a write that fails due to lack of 
write permissions to not actually affect the content of the file.


Thanks,
Kev


Re: [Samba] chmod + remote save denied = file wiped?

2013-08-20 Thread Kevin Field

BTW, I just confirmed this also happens with SELinux disabled.  -K

On 2013-08-20 11:23 AM, Kevin Field wrote:

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  newdc also has a test share.

I'm experiencing something strange whereby chmod and then an attempted
file save causes a shared file to become zero bytes (despite the save
not being blank, and also being denied):

At olddc:

1) open \\newdc\testshare\yay.txt


At newdc:

$ ls -l
total 8
-rw-rw-rw-. 1 me  me  9 Aug 20 10:59 yay.txt
$ cat yay.txt
It works!$ chmod 664 yay.txt


At olddc:

1) add a space to yay.txt and attempt to save.  popup:

---
TextPad
---
Access to \\newdc\testshare\yay.txt was denied.
---
OK
---

2) (optional) click OK to close the popup

At newdc*:

$ ls -l
total 4
-rw-rw-r--. 1 kev kev 0 Aug 20 11:12 yay.txt

* Alternatively, without touching newdc, I can shift focus from the
TextPad window and back to it, and it will say that the file has
changed.  If I choose to reload it, it's now blank.


Isn't this a bug?  I would expect a write that fails due to lack of
write permissions to not actually affect the content of the file.

Thanks,
Kev



Re: [Samba] AD DC eventually not browsable without restart

2013-08-20 Thread Kevin Field
Thanks for the lead!  The discussion there is a bit beyond me ATM but 
I'll try a `wbinfo -g` next time it stops working and see whether it's 
crashed or what.  -K


On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820




*From: *Kevin Field k...@brantaero.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing = cups

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = Yes
   read only = No
   printable = Yes

[print$]
   comment = Point and Print Printer Drivers
   path = /var/lib/samba/printing
   read only = No

[mytestshare]
  path = /srv/mytestshare/
  read only = No


Any ideas?

Thanks,
Kev


Re: [Samba] AD DC eventually not browsable without restart

2013-08-20 Thread Kevin Field
Okay, I'm not sure, but I don't *think* it's that bug.  First, I don't 
know much about winbind, and never meant to set it up (although it's 
possible I did by accident) but I'm not using NetBIOS, if that makes a 
difference.  Second, wbinfo still worked after \\newdc ceased to be 
browsable.


Some more detail from log.samba.

I was not here for this and I'm not sure when browsability ceased, but 
it's the only other entry:


../source4/dsdb/repl/drepl_out_helpers.c:833(dreplsrv_update_refs_done)
  UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan CN=Configuration,DC=mydomain,DC=lan


After I logged in and tried to browse \\newdc -- it does this every time 
I try to browse right now:


 ../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service *.: NT_STATUS_OBJECT_NAME_NOT_FOUND
 ../source4/smb_server/smb/service.c:127(make_connection)
  make_connection: couldn't find service DESKTOP.INI: NT_STATUS_OBJECT_NAME_NOT_FOUND


The bug linked to doesn't mention either of these error codes, so I 
think it might not be related.


I also found that whenever I run the AD Replication Status Tool on the 
Windows server, everything succeeds even right now while browsability is 
broken, but the log says this (also from times when browsability wasn't 
broken and I ran it):


 ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level)
  ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup
 ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level)
  ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not setup


I guess the errors are fine.  It's strange the status tool says 
replication is fine even though the log says it had problems.  But maybe 
it just had one problem, and now replication is working again but 
whatever that problem was somehow put Samba in a state where browsing 
\\newdc would not work.


Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820




*From: *Kevin Field k...@mydomain.com
*To: *samba@lists.samba.org
*Sent: *Tuesday, August 20, 2013 9:38:32 AM
*Subject: *[Samba] AD DC eventually not browsable without restart

I have a SerNet Samba 4.0.8 AD DC running on CentOS 6.4 (newdc)
replicating from a W2K3 DC (olddc).  When I first launch Samba using
`sudo samba`, I can go to the Windows server and browse to \\newdc in
Explorer, and I see mytestshare, netlogon, printers, sysvol, and
Printers and Faxes.

After a while (I'm not sure how long precisely, but under 24 hours) I
could not navigate to \\newdc without the following error:

---
\\newdc
---
\\newdc is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out
if you have access permissions.

The Server service is not started.
---
OK
---

But in the interim, I had not been doing anything in the system, so I'm
not sure what might have caused it.  One time it even happened on a
weekend when no backup or anything particularly special is scheduled
while I was away.

Anyway, running `sudo killall samba` and then `sudo samba` makes it
suddenly browsable again.

This is happening every day.  I guess it would be best to figure this
problem out before we make Samba the only DC.

Here's my smb.conf, mostly set up by samba-tool, and now a work in
progress to add the extras we will use:

# Global parameters
[global]
  workgroup = MYDOMAIN
  realm = mydomain.lan
  netbios name = NEWDC
  server role = active directory domain controller
  server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
  allow dns updates = true
  dns forwarder = 192.168.1.1
#dns recursive queries = yes
  dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
#   dcerpc endpoint servers = winreg srvsvc
  load printers = yes
  printing = cups

[netlogon]
  path = /var/lib/samba/sysvol/mydomain.lan/scripts
  read only = No

[sysvol]
  path = /var/lib/samba/sysvol
  read only = No

[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = Yes
   read only = No
   printable = Yes

[print$]
   comment = Point and Print Printer Drivers
   path = /var/lib/samba/printing
   read only = No

[mytestshare]
  path = /srv/mytestshare/
  read only = No


Any ideas?

Thanks,
Kev

Re: [Samba] AD DC eventually not browsable without restart

2013-08-20 Thread Kevin Field
One other thing, I just noticed that while \\newdc is still unbrowsable, 
\\newdc\mytestshare works fine, as does \\newdc\netlogon.


Kev

On 2013-08-20 9:49 PM, Kevin Field wrote:

Okay, I'm not sure, but I don't *think* it's that bug.  First, I don't
know much about winbind, and never meant to set it up (although it's
possible I did by accident) but I'm not using NetBIOS, if that makes a
difference.  Second, wbinfo still worked after \\newdc ceased to be
browsable.

Some more detail from log.samba.

I was not here for this and I'm not sure when browsability ceased, but
it's the only other entry:

../source4/dsdb/repl/drepl_out_helpers.c:833(dreplsrv_update_refs_done)
   UpdateRefs failed with WERR_DS_DRA_BUSY/NT code 0xc00020f6 for
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
CN=Configuration,DC=mydomain,DC=lan

After I logged in and tried to browse \\newdc -- it does this every time
I try to browse right now:

  ../source4/smb_server/smb/service.c:127(make_connection)
   make_connection: couldn't find service *.:
NT_STATUS_OBJECT_NAME_NOT_FOUND
  ../source4/smb_server/smb/service.c:127(make_connection)
   make_connection: couldn't find service DESKTOP.INI:
NT_STATUS_OBJECT_NAME_NOT_FOUND

The bug linked to doesn't mention either of these error codes, so I
think it might not be related.

I also found that whenever I run the AD Replication Status Tool on the
Windows server, everything succeeds even right now while browsability is
broken, but the log says this (also from times when browsability wasn't
broken and I ran it):

  ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level)
   ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not
setup
  ../source4/dsdb/common/util.c:3118(dsdb_forest_functional_level)
   ../source4/dsdb/common/util.c:3118: WARNING: forestFunctionality not
setup

I guess the errors are fine.  It's strange the status tool says
replication is fine even though the log says it had problems.  But maybe
it just had one problem, and now replication is working again but
whatever that problem was somehow put Samba in a state where browsing
\\newdc would not work.

Kev

On 2013-08-20 11:40 AM, Kristofer Pettijohn wrote:

You may want to see if it is this bug, which is fixed in 4.0.9:
https://bugzilla.samba.org/show_bug.cgi?id=9820





Re: [Samba] share permissions

2013-08-16 Thread Kevin Field

Interestingly, I couldn't turn off selinux using their method:

$ sudo echo 0 > /selinux/enforce
-bash: /selinux/enforce: Permission denied

Perhaps it's a CentOS thing.  Anyway, `sudo setenforce 0` seemed to work 
in that it didn't give me an error message, but OTOH didn't seem to work 
in that the output of ls -alhDZ was the same:


drwxrwxr-x. me   me  unconfined_u:object_r:samba_share_t:s0 mytestshare

But in any case, it still gives me the same error from Windows.

Also something strange happened, after a while I could not navigate to 
\\newdc without a similar error, but I had not been doing anything in 
the system, so I'm not sure what might have caused it.  Running `sudo 
killall samba` and then `sudo samba` made it suddenly be browseable 
again.  Maybe not related...not sure...


Anyway thanks for your help, Ricky.  Any other ideas?  BTW I had set up 
the selinux permissions on the mytestshare dir per the HOWTO at 
http://wiki.centos.org/HowTos/SetUpSamba .  I'm pretty sure that's why 
it says samba_share_t on the ls output above.


Kev

On 2013-08-16 11:52 AM, Ricky Nance wrote:

Temporarily turn off selinux, if that fixes your issue you will need to
adjust the selinux rules to take care of the problem (or just completely
disable selinux). Also if you do a ls -alhDZ /home/me/mytestshare before
you turn it off it can tell you if selinux is on, then run that again
after it's turned off to confirm. You can read about disabling/turning
off selinux at
http://www.revsys.com/writings/quicktips/turn-off-selinux.html

Ricky


On Thu, Aug 15, 2013 at 10:44 PM, Kevin Field k...@brantaero.com wrote:

I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is
successfully replicating with a W2K3 server.  I'm following the
HOWTO here:
https://wiki.samba.org/index.php/Setup_and_configure_file_shares

[mytest]
        path = /home/me/mytestshare -- with or without trailing slash
        read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share
listed there.  I can also see it if I connect to newdc in Computer
Management.  However, what I can't get from either of those places
is a Security tab if I right-click the share and go to Properties.
There's a Share Permissions tab in CM only that says that Everyone
has Full Control. Despite that, if I try to double-click the share
in Explorer, I get:

---
\\newdc
---
\\newdc\mytest is not accessible. You might not have permission to
use this network resource. Contact the administrator of this server
to find out if you have access permissions.

Access is denied.

---
OK
---

My account has all privileges I can think of, including the
SeDiskOperatorPrivilege as laid out in the HOWTO.

Even if I chmod 777 /home/me/mytestshare I get this error.

What am I missing?

Thanks,
Kev

Re: [Samba] Trying to Join a Working W2K3 AD

2013-08-15 Thread Kevin Field

Hi Marc,

On 2013-08-15 4:18 AM, Marc Muehlfeld wrote:

Hello Kevin, hello Eli,

On 15.08.2013 05:48, Kevin Field wrote:

I get to the step /usr/local/samba/bin/samba-tool dns add
192.168.1.252 _msdcs.domain.co.il 2d59ac49-1175-4656-943e-d556baa242cb
CNAME DC2.domain.co.il -Uadministrator

I get the following error message:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1053, in run
    0, server, zone, name, add_rec_buf, None)



Is 192.168.1.252 the already existing DNS on your W2k3 server, or is
it the IP of your Samba DC? It should be the IP of your existing DNS
server, because Samba isn't up at that time.


In my case, it is the IP of the W2k3 server which has a working DNS. 
I've also tried replacing the IP with its hostname instead as I had 
found suggested somewhere, but it doesn't change the outcome.



You can also add the record through the MS DNS Console on windows.


Thanks for the suggestion...okay, I've done that.  It seemed to work:

$ host -t CNAME fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan.
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan is an alias for 
newdc.mydomain.lan.


However, I run sudo samba, and then check the log.samba file, and it says:

[2013/08/15 08:02:33.285448,  0] ../source4/lib/tls/tlscert.c:166(tls_cert_generate)
  TLS self-signed keys generated OK
[2013/08/15 08:02:34.371461,  0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure

This latter error it repeats about 15-20 times. 
https://lists.samba.org/archive/samba/2013-February/171688.html says it 
may be just cosmetic.  The Windows AD Replication Status Tools, after a 
refresh, says:


NEWDC.mydomain.lan,Failed to collect data against Node 
'NEWDC.mydomain.lan'.  It was retried 0 time(s). The following error 
occurred:


	Domain controller NEWDC.mydomain.lan does not exist or cannot be 
contacted..

Type=Microsoft.Sirona.Collection.CollectionException

...but it's been saying that since I ran samba-tool successfully to join 
the AD.  (The LDAP query succeeds, but the Get Domain Controller 
Replication Status is where it's failing.)  ps -A | grep samba shows a 
bunch of samba threads running that weren't before.  samba-tool drs kcc 
says "Consistency check [...] successful."


samba-tool drs showrepl gives all successes for inbound neighbours, and 
then just this:


 OUTBOUND NEIGHBORS 

 KCC CONNECTION OBJECTS 

Connection --
Connection name: 90c120f5-b240-4771-a4d6-673927d63b84
Enabled: TRUE
Server DNS name : olddc.mydomain.lan
Server DN name  : CN=NTDS Settings,CN=IN,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan

TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!


Although, this also could just be 'cosmetic': 
https://lists.samba.org/archive/samba-technical/2011-November/080377.html


Okay, so I'll try adding a user.  samba-tool user add worked fine, says 
it added successfully, and I can see info about it with wbinfo. 
However, it doesn't show up in Active Directory Users and Computers on 
the old DC.


Are these errors all really cosmetic?  If so, why doesn't it replicate 
to the old dc?


Thanks for your help,
Kev


[Samba] Samba4 and iptables

2013-08-15 Thread Kevin Field

Hi everyone,

I had posted recently about getting Samba4 to work on CentOS 6.4 but 
having changes only replicating in one direction, from the Win2k3 AD but 
not back to it.  I solved the problem, this time, by disabling iptables. 
 I find it a bit hard to understand.  These are the rules I have set up:


*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [52:5888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment NTP -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment Kerberos -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT

-A INPUT -p udp -m udp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Additionally, I used to have "-s 10.0.0.0/8" on all of the samba-related 
ones, but then I couldn't connect to the new DC via the Windows AD Users 
and Computers tool.  Take away -s, and it works.  So the above is now 
what I have, but when iptables is enabled, I get "Warning: No NC 
replicated for Connection!" on outbound when I run samba-tool drs 
showrepl and I get errors like this in Windows Event Viewer:


Event Type: Warning
Event Source:   NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID:   1925
Date:   2013-08-15
Time:   10:21:27 AM
User:   NT AUTHORITY\ANONYMOUS LOGON
Computer:   OLDDC
Description:
The attempt to establish a replication link for the following writable 
directory partition failed.


Directory partition:
DC=mydomain,DC=lan
Source domain controller:
CN=NTDS Settings,CN=NEWDC,CN=Servers,CN=mydomain-office,CN=Sites,CN=Configuration,DC=mydomain,DC=lan


Source domain controller address:
fb9ec5fd-28a7-44a0-a784-933a41dd830a._msdcs.mydomain.lan
Intersite transport (if any):


This domain controller will be unable to replicate with the source 
domain controller until this problem is corrected.


User Action
Verify if the source domain controller is accessible or network 
connectivity is available.


Additional Data
Error value:
1722 The RPC server is unavailable.

For more information, see Help and Support Center at 
http://go.microsoft.com/fwlink/events.asp.


- (end quote)

Also, the AD Replication Status Viewer tool will say that NEWDC cannot 
be contacted.  Disable iptables, and voila, it starts reporting 
successful replication.


IIUC it's the port 135 that allows RPC contact, which I believe my 
iptables config above should correctly open.  If not, could someone show 
me where I've gone wrong here?


Thanks,
Kev


[Samba] users don't replicate from W2K3 to CentOS 6.4

2013-08-15 Thread Kevin Field
With iptables disabled until I can figure out appropriate rules ( 
http://www.spinics.net/lists/samba/msg104592.html -- what do you do 
then? ) I added a user using samba-tool user add.  If I go to the 
Windows box and fire up ADUC, the user is not there, even though the AD 
Replication Status tool reports successful replication.  If I 
right-click the domain in ADUC, and choose Connect to Domain Controller, 
I can connect to the CentOS/SerNet Samba 4.0.8 DC.  When I do that, I 
see the same list but with my added test user, too.


Unlike with iptables, drs showrepl gives a few success entries just 
after "OUTBOUND NEIGHBORS", but then under "KCC CONNECTION 
OBJECTS" it gives the same warning as before, "Warning: No NC 
replicated for Connection!".  Nonetheless, samba-tool drs kcc from the 
new DC still reports a successful consistency check when given either 
the new DC or the old DC.


(Every step of the HOWTO or other help seems to end in a new error. 
Since we don't make extensive use of policies, I'm tempted to set up 
Samba as a non-AD fileserver and just map drives from the clients.)


Any help would be greatly appreciated.

Thanks,
Kev


Re: [Samba] Samba4 and iptables

2013-08-15 Thread Kevin Field

Thanks for your help, Thomas.

I think it was the missing "state" part of some of the lines.  When I 
use your example, it replicates, even in both directions this time! 
Which is quite odd, since without iptables running, I still had problems 
getting my Samba test user to replicate over to the Windows DC.


Also in case it helps anyone else who is not using NetBIOS, even if I 
cut the NetBIOS ports, it still works fine.  Same with SSL ports.  So 
now I have for the main part of it:


-A INPUT -m comment --comment DNS -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment DNS -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment LDAP -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment LDAP -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment SMB -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment CUPS -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment CUPS -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment RPC -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT


Just tested adding a second user and it replicated immediately.

Yay!

Thanks again,
Kev
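
Added example, not part of the thread: a small audit that compares which protocol/port pairs the two INPUT rulesets quoted in this thread accept. The rules are transcribed from the two messages with the quoting of multi-word comments restored; the function names `accepted_ports` and `diff_ports` are hypothetical.

```python
import shlex

# Constructed input: INPUT rules from the first message of the thread, one
# rule per line, multi-word comments quoted the way iptables-save writes them.
BEFORE = '''
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m udp -p udp --dport 53 -m comment --comment DNS -j ACCEPT
-A INPUT -m udp -p udp --dport 123 -m comment --comment NTP -j ACCEPT
-A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
-A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment Kerberos -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -p tcp -m tcp --dport 631 -m comment --comment CUPS -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
'''

# Constructed input: the rules from the follow-up message, after which
# replication worked in both directions.
AFTER = '''
-A INPUT -m comment --comment DNS -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A INPUT -m comment --comment DNS -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -m comment --comment Kerberos -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -m comment --comment "End Point Mapper (DCE/RPC Locator Service)" -p tcp -m state --state NEW -m tcp --dport 135 -j ACCEPT
-A INPUT -m comment --comment LDAP -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -m comment --comment LDAP -p udp -m state --state NEW -m udp --dport 389 -j ACCEPT
-A INPUT -m comment --comment SMB -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p tcp -m state --state NEW -m tcp --dport 464 -j ACCEPT
-A INPUT -m comment --comment "Kerberos kpasswd" -p udp -m state --state NEW -m udp --dport 464 -j ACCEPT
-A INPUT -m comment --comment CUPS -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -m comment --comment CUPS -p udp -m state --state NEW -m udp --dport 631 -j ACCEPT
-A INPUT -m comment --comment RPC -p tcp -m state --state NEW -m tcp --dport 1024 -j ACCEPT
-A INPUT -m comment --comment "Global Catalog" -p tcp -m state --state NEW -m tcp --dport 3268 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p tcp -m state --state NEW -m tcp --dport 5353 -j ACCEPT
-A INPUT -m comment --comment "Multicast DNS" -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
'''


def accepted_ports(ruleset):
    """Map (protocol, dport) -> comment for every INPUT rule that ACCEPTs a port."""
    opened = {}
    for line in ruleset.splitlines():
        tokens = shlex.split(line)  # keeps a quoted comment as one token
        if tokens[:2] != ["-A", "INPUT"]:
            continue
        # Every option used in these rules takes exactly one argument.
        opts = dict(zip(tokens[2::2], tokens[3::2]))
        if opts.get("-j") == "ACCEPT" and "-p" in opts and "--dport" in opts:
            opened[(opts["-p"], opts["--dport"])] = opts.get("--comment", "")
    return opened


def _order(key):
    proto, port = key
    # A "low:high" port range sorts by its low end.
    return (int(port.split(":")[0]), proto)


def diff_ports(before, after):
    """Return (pairs only in `after`, pairs only in `before`), sorted by port."""
    b, a = accepted_ports(before), accepted_ports(after)
    return (sorted(set(a) - set(b), key=_order),
            sorted(set(b) - set(a), key=_order))


if __name__ == "__main__":
    added, removed = diff_ports(BEFORE, AFTER)
    comments = accepted_ports(AFTER)
    for proto, port in added:
        print(f"only in working ruleset: {proto}/{port:<5} {comments[(proto, port)]}")
    for proto, port in removed:
        print(f"only in first ruleset:   {proto}/{port}")
```

On this input the pairs present only in the working ruleset include tcp/135 and tcp/1024, while the first ruleset accepted port 135 over UDP only.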


[Samba] share permissions

2013-08-15 Thread Kevin Field
I have a share setup on a Samba 4.0.8 / CentOS 6.4 box that is 
successfully replicating with a W2K3 server.  I'm following the HOWTO 
here: https://wiki.samba.org/index.php/Setup_and_configure_file_shares


[mytest]
path = /home/me/mytestshare -- with or without trailing slash
read only = No

On the W2K3 box, I can browse to \\newdc and I see my test share listed 
there.  I can also see it if I connect to newdc in Computer Management. 
 However, what I can't get from either of those places is a Security 
tab if I right-click the share and go to Properties.  There's a Share 
Permissions tab in CM only that says that Everyone has Full Control. 
Despite that, if I try to double-click the share in Explorer, I get:


---
\\newdc
---
\\newdc\mytest is not accessible. You might not have permission to use 
this network resource. Contact the administrator of this server to find 
out if you have access permissions.


Access is denied.

---
OK
---

My account has all privileges I can think of, including the 
SeDiskOperatorPrivilege as laid out in the HOWTO.


Even if I chmod 777 /home/me/mytestshare I get this error.

What am I missing?

Thanks,
Kev


[Samba] File timestamp mismatch using smbclient on share from Win 2K Server...

2013-08-14 Thread Kevin Lister
Hi Samba Peeps!

Perhaps someone can shed some light on a peculiar problem I'm seeing.

I have files located in a share on a Win2K server.

When using smbclient on my HP-UX system to look at the files on the Win2K 
server I see that the timestamps are off by 1 hour.

When looking at the same files on a Win XP client I see that the timestamps are 
correct.

When looking at the same files on a Win 7 client I see that the timestamps are 
off by 1 hour and agree with the smbclient running on HP-UX.

I have checked the timezone settings on all systems involved and they are all 
correct.

I have verified that all systems involved have the correct current time as they 
are all using NTP based timekeeping.

I'm using Samba 3 on the HP-UX server.

I would certainly appreciate it if someone could offer a solution to the 
problem with respect to smbclient.

We use smbclient in our production file processing endeavors and I need the 
timestamp from smbclient to be accurate.

Any advice is greatly appreciated! :o)

Thanks!

kev


Re: [Samba] Failed to find a writeable DC for domain joining to win2k3 AD DC

2013-08-14 Thread Kevin Field
Sorry, I didn't realize we were carrying on off-list.  Figured it 
out--had been giving samba-tool the hostname for both domain and realm, 
rather than, hmm, the domain and realm.  (I think because in my case my 
domain and realm have two parts, unlike the HOWTO where they have 
three...confusion.)  Works great now!  Even without the new DC in 
resolv.conf nor "domain ..." in there either, just "search ..." and 
"nameserver [olddc]".  Thanks for your help Daniel, hope this point 
helps someone else too.


On 2013-08-14 1:51 AM, Daniel Müller wrote:

Look at your /etc/resolv.conf
There should be an entry of your existing DC in it ex.: nameserver
your.existing.dc
And you should be able to ping the existing DC.

Greetings
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
behalf of Kevin Field
Sent: Tuesday, 13 August 2013 16:15
To: samba@lists.samba.org
Subject: [Samba] “Failed to find a writeable DC for domain” joining to
win2k3 AD DC

I have a CentOS 6.4 box with SerNet's Samba 4.0.8 installed and no smb.conf
file yet, as it should be. I want it to become an AD DC in my existing
Windows domain, replicating from the existing Windows Server
2003 box. I have SELinux enabled and want it to stay that way.

I'm getting this error trying to run samba-tool:

$ sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC
-Uadministrator --realm=currentwindowsadserver.mydomain.lan
Finding a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
ERROR(exception): uncaught exception - Failed to find a writeable DC for
domain 'currentwindowsadserver.mydomain.lan'
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1082, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 73, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 246, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)

I have a StackExchange thread open with all the things I've tried changing
and all the things I've verified so far:

http://unix.stackexchange.com/questions/86516/samba-4-gives-failed-to-find-a
-writeable-dc-for-domain-on-samba-tool-domain-jo

I'd appreciate any pointers.  I seem to have run out of things to try.

Thanks,
Kev

Re: [Samba] Trying to Join a Working W2K3 AD

2013-08-14 Thread Kevin Field

Hi Eli,


I'm trying to join a freshly compiled 4.0.3 installation as an
additional DC to an existing W2K3 AD according to:

https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

I have built samba 4.0.3 on CentOS 6.3 x86_64. I am using the method
that describes using the built in dns.

I get to the step /usr/local/samba/bin/samba-tool dns add
192.168.1.252 _msdcs.domain.co.il 2d59ac49-1175-4656-943e-d556baa242cb
CNAME DC2.domain.co.il -Uadministrator

I get the following error message:

ERROR(runtime): uncaught exception - (9601, 'WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 1053, in run
    0, server, zone, name, add_rec_buf, None)

And, of course, without proper DNS configuration I can not get
replication to work.

Have I done something wrong? How can I resolve this?

Thanks

Eli


I'm in a very similar situation, trying to get a SerNet Samba 4.0.8 on 
CentOS 6.4 to join a working Win2k3 AD domain, and am now stuck at the 
same error message.  I see there were no replies on-list to your 
question.  Did you get it sorted out in the end?  If so, what helped?


Thanks,
Kev


[Samba] “Failed to find a writeable DC for domain” joining to win2k3 AD DC

2013-08-13 Thread Kevin Field
I have a CentOS 6.4 box with SerNet's Samba 4.0.8 installed and no 
smb.conf file yet, as it should be. I want it to become an AD DC in my 
existing Windows domain, replicating from the existing Windows Server 
2003 box. I have SELinux enabled and want it to stay that way.


I'm getting this error trying to run samba-tool:

$ sudo samba-tool domain join currentwindowsadserver.mydomain.lan DC 
-Uadministrator --realm=currentwindowsadserver.mydomain.lan

Finding a writeable DC for domain 'currentwindowsadserver.mydomain.lan'
ERROR(exception): uncaught exception - Failed to find a writeable DC for 
domain 'currentwindowsadserver.mydomain.lan'
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 1082, in join_DC
    machinepass, use_ntvfs, dns_backend, promote_existing)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 73, in __init__
    ctx.server = ctx.find_dc(domain)
  File "/usr/lib64/python2.6/site-packages/samba/join.py", line 246, in find_dc
    raise Exception("Failed to find a writeable DC for domain '%s'" % domain)


I have a StackExchange thread open with all the things I've tried 
changing and all the things I've verified so far:


http://unix.stackexchange.com/questions/86516/samba-4-gives-failed-to-find-a-writeable-dc-for-domain-on-samba-tool-domain-jo

I'd appreciate any pointers.  I seem to have run out of things to try.

Thanks,
Kev


Re: [Samba] nmbd is not running

2013-08-01 Thread Kevin Sha
I have changed the broadcast IP (172.17.255.255) of the server.
Now nmbd is working.

Thank you
kevin



On Wed, Jul 31, 2013 at 7:26 PM, Gaiseric Vandal
gaiseric.van...@gmail.com wrote:

  It looks like you are using a block of private class B's as a
 contiguous CIDR range including 172.16.x.x and 172.17.x.x

 I played around with the IP's using various on line subnet calculators

 http://jodies.de/ipcalc?host=172.16.30.4mask1=15mask2=

 Address:   172.16.30.4
 Netmask:   255.254.0.0 = 15
 Network:   172.16.0.0/15
 Broadcast: 172.17.255.255
 HostMin:   172.16.0.1
 HostMax:   172.17.255.254


 It looks to me like the broadcast address is wrong.


 Or are you trying to treat 172.16.x.x and 172.17.x.x as separate class B
 subnets?



 On 07/31/13 08:54, Kevin Sha wrote:


  root@srv:~# ifconfig -a
  eth0 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.17.30.4 Bcast:172.31.255.255 Mask:255.254.0.0
 inet6 addr: fe80::bc27:29ff:fed3:c733/64 Scope:Link
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
 RX packets:48965895 errors:0 dropped:0 overruns:0 frame:0
 TX packets:1460501 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:1888712573 (1.7 GiB) TX bytes:785972618 (749.5 MiB)

 eth0:1 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.3 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:2 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.5 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:3 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.6 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:4 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.17 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:5 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.8 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:6 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.30 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:7 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.4 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:8 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.6.10 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:9 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.6.11 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:10 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.18 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:11 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.20 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:12 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.21 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:13 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.29 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:14 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.6.13 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:15 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.0 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 eth0:16 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.6.14 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

 lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
 inet6 addr: ::1/128 Scope:Host
 UP LOOPBACK RUNNING MTU:16436 Metric:1
 RX packets:5532 errors:0 dropped:0 overruns:0 frame:0
 TX packets:5532 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:0
 RX bytes:369954 (361.2 KiB) TX bytes:369954 (361.2 KiB)



 On Wed, Jul 31, 2013 at 6:18 PM, Gaiseric Vandal 
 gaiseric.van...@gmail.com wrote:

 Can you show the ifconfig -a output on your server (or whatever the
 appropriate command is for your OS)?

 The bind failed on ... 255 suggests the IP of the server is set wrong.



 On 07/31/13 05:17, Kevin Sha wrote:

 Hi

 I have a Samba domain controller in my network, and recently I changed
 the netmask of the network. Since then nmbd is not working.


 Could you please help me to solve this issue?


 

 nmbd -i
 nmbd version 3.5.6 started.
 Copyright Andrew Tridgell and the Samba Team 1992-2010
 Unknown parameter encountered: wide symlinks
 Ignoring unknown parameter wide symlinks
 Unknown parameter encountered: wide

[Samba] nmbd is not running

2013-07-31 Thread Kevin Sha
Hi

I have a Samba domain controller in my network, and recently I changed
the netmask of the network. Since then nmbd is not working.


Could you please help me to solve this issue?




nmbd -i
nmbd version 3.5.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
Unknown parameter encountered: wide symlinks
Ignoring unknown parameter wide symlinks
standard input is not a socket, assuming -D option
bind failed on port 137 socket_addr = 172.17.255.255.
Error = Cannot assign requested address
nmbd_subnetdb:make_subnet()
Failed to open nmb bcast socket on interface 172.17.255.255 for port 137.
Error was Cannot assign requested address
ERROR: Failed when creating subnet lists. Exiting.

-
/etc/init.d/samba status
nmbd is not running ... failed!
smbd is running.



My samba configuration file
---

[global]
workgroup = KEVIN
netbios name = KEVINDC
server string = KEVIN Domain controller
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
%n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
name resolve order = lmhosts host wins bcast
unix extensions = No
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos 
%u
add group script = /usr/sbin/addgroup --force-badname %g
add machine script = /usr/sbin/useradd -g machines -c %u machine account
-d /var/lib/samba -s /bin/false %u
logon path =
logon home =
domain logons = Yes
os level = 33
preferred master = Auto
domain master = Yes
dns proxy = No
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
valid users = %S
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
share modes = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers




Thank you
kevin
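
In this thread the ifconfig output posted in the follow-up lists Bcast:172.31.255.255 next to Mask:255.254.0.0, while nmbd fails to bind 172.17.255.255, which is the broadcast address that follows from that address and mask. The check below is an added example, not part of the thread or of Samba; it parses ifconfig-style text and flags interfaces whose configured broadcast disagrees with the derived one. All function names are hypothetical.

```python
import ipaddress
import re

# Sample input: three stanzas with the addresses, masks and broadcast values
# shown in the thread's ifconfig output (trimmed to the relevant lines).
IFCONFIG_SAMPLE = """\
eth0:1 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.2.3 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0:8 Link encap:Ethernet HWaddr be:27:29:d3:c7:33
 inet addr:172.16.6.10 Bcast:172.31.255.255 Mask:255.254.0.0
 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

lo Link encap:Local Loopback
 inet addr:127.0.0.1 Mask:255.0.0.0
 UP LOOPBACK RUNNING MTU:16436 Metric:1
"""

# The nmbd error line from the thread.
NMBD_LOG_SAMPLE = "bind failed on port 137 socket_addr = 172.17.255.255."

HEADER_RE = re.compile(r"^\s*(\S+)\s+Link encap:")
INET_RE = re.compile(r"inet addr:(\S+)(?:\s+Bcast:(\S+))?\s+Mask:(\S+)")
BIND_RE = re.compile(
    r"bind failed on port 137 socket_addr = (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Yield (name, ip, configured_bcast_or_None, netmask) per IPv4 stanza."""
    name = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            name = header.group(1)
            continue
        inet = INET_RE.search(line)
        if inet and name:
            ip, bcast, mask = inet.groups()
            yield name, ip, bcast, mask


def expected_broadcast(ip, mask):
    """Broadcast address implied by an IPv4 address and dotted netmask."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return str(iface.network.broadcast_address)


def broadcast_mismatches(text):
    """Interfaces whose configured Bcast differs from the derived one."""
    found = []
    for name, ip, bcast, mask in parse_ifconfig(text):
        if bcast is None:  # loopback: no broadcast address configured
            continue
        want = expected_broadcast(ip, mask)
        if bcast != want:
            found.append({"iface": name, "ip": ip, "mask": mask,
                          "configured": bcast, "expected": want})
    return found


def nmbd_failed_address(log_text):
    """Address nmbd could not bind for port 137, or None if not logged."""
    match = BIND_RE.search(log_text)
    return match.group(1) if match else None


def explain(ifconfig_text, log_text):
    """Mismatched interfaces whose derived broadcast is the failed address."""
    failed = nmbd_failed_address(log_text)
    return [m for m in broadcast_mismatches(ifconfig_text)
            if m["expected"] == failed]


if __name__ == "__main__":
    for m in explain(IFCONFIG_SAMPLE, NMBD_LOG_SAMPLE):
        print(f"{m['iface']}: {m['ip']} mask {m['mask']} has Bcast "
              f"{m['configured']}, mask implies {m['expected']}")
```

The configured value 172.31.255.255 is what a 255.240.0.0 mask would give, so the broadcast setting was not updated along with the netmask.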


[Samba] Forcing clients to use NTLMv2 in 3.6.12

2013-06-19 Thread Shaw, Kevin
All,

I need to force XP clients to use NTLMv2 when mapping to samba 3.6.12. My 
config is:

ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
lanman auth = No

XP systems can still map shares with the above config.

If I add:

max protocol = SMB2
min protocol = SMB2


W7 systems map shares, XP systems cannot map shares even if I change LAN 
Manager authentication level to: "Send NTLMv2 response only" or "Send NTLMv2 
response only\refuse LM & NTLM".

Any ideas?

-Kevin
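
The settings in this post mix two groups of smb.conf parameters: `ntlm auth` and `lanman auth` are documented in smb.conf(5) as governing what smbd accepts, while the `client ...` parameters govern what Samba's own client tools send. The audit below is an added example, not code from the post or from Samba; it reads a `[global]` section and reports both groups plus whether SMB1-only clients can connect. Function names are hypothetical, and the defaults used (`lanman auth = no`, `ntlm auth = yes`, `min protocol = CORE`) are assumed from the Samba 3.6 manual page.

```python
import re

# Constructed sample: the settings quoted in the post, under a [global] header.
SMB_CONF_SAMPLE = """\
[global]
ntlm auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
lanman auth = No
max protocol = SMB2
min protocol = SMB2
"""

# Parameters that only affect smbclient and other Samba client tools.
CLIENT_SIDE = {
    "clientntlmv2auth": "client NTLMv2 auth",
    "clientlanmanauth": "client lanman auth",
    "clientplaintextauth": "client plaintext auth",
}
# Assumed Samba 3.6 defaults for the server-side parameters.
DEFAULTS = {"lanmanauth": "no", "ntlmauth": "yes", "minprotocol": "CORE"}
# Dialect names below SMB2 accepted by "min protocol" in Samba 3.6.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def _as_bool(value):
    value = value.strip().lower()
    if value in ("yes", "true", "1"):
        return True
    if value in ("no", "false", "0"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_global(text):
    """Return {normalized name: value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continuation line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params


def audit(text):
    """Summarize inbound authentication and protocol settings."""
    p = parse_global(text)
    lanman = _as_bool(p.get("lanmanauth", DEFAULTS["lanmanauth"]))
    ntlm = _as_bool(p.get("ntlmauth", DEFAULTS["ntlmauth"]))
    accepted = ["NTLMv2"]                # weakest response type listed first
    if ntlm:
        accepted.insert(0, "NTLMv1")
    if lanman:
        accepted.insert(0, "LM")
    min_proto = p.get("minprotocol", DEFAULTS["minprotocol"]).upper()
    return {
        "smbd_accepts": accepted,
        "client_tools_only": sorted(
            CLIENT_SIDE[k] for k in p if k in CLIENT_SIDE),
        "min_protocol": min_proto,
        "smb1_clients_allowed": min_proto in SMB1_DIALECTS,
    }


if __name__ == "__main__":
    for key, value in audit(SMB_CONF_SAMPLE).items():
        print(f"{key}: {value}")
```

Windows XP speaks only SMB1, so `min protocol = SMB2` shuts it out independently of the LAN Manager authentication level chosen on the client.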


[Samba] 3.6.12 build

2013-05-09 Thread Shaw, Kevin
All,

I'm still struggling to get samba 3.6.12 built on a Solaris 8 sparc system. I 
built openldap 2.4.35 with --disable-ipv6 --disable-bdb --disable-hdb 
--disable-mdb --enable-passwd.

I built samba with:

./configure -prefix=/opt/XRX --exec-prefix=/opt/XRX \
  --with-configdir=/etc/samba --with-privatedir=/etc/samba/private \
  --with-lockdir=/var/samba/locks --with-statedir=/var/samba/locks \
  --with-cachedir=/var/samba/locks --with-piddir=/var/run \
  --with-logfilebase=/var/samba/log --with-static-modules=vfs_solarisacl \
  --with-shared-modules=vfs_prealloc,vfs_cacheprime,vfs_commit,idmap_ldap,idmap_tdb2,idmap_rid,idmap_ad,idmap_hash,idmap_adex \
  --enable-shared --with-readline --with-acl-support --with-aio-support \
  --with-pam --with-automount --with-dnsupdate=no --with-ldap \
  --with-winbind --with-ads

Samba fails during configure:

checking for LDAP support... yes
checking ldap.h usability... yes
checking ldap.h presence... yes
checking for ldap.h... yes
checking lber.h usability... yes
checking lber.h presence... yes
checking for lber.h... yes
checking for ber_tag_t... yes
checking for ber_scanf in -llber... no
checking for ber_sockbuf_add_io... no
checking for LDAP_OPT_SOCKBUF... yes
checking for LBER_OPT_LOG_PRINT_FN... yes
checking for ldap_init in -lldap... yes
checking for ldap_set_rebind_proc... yes
checking whether ldap_set_rebind_proc takes 3 arguments... 3
checking for ldap_initialize... no
checking whether LDAP support is used... yes
checking for Active Directory and krb5 support... yes
checking for ldap_initialize... (cached) no
configure: error: Active Directory support requires ldap_initialize

-Kevin


[Samba] Building 3.6.12

2013-05-08 Thread Shaw, Kevin
All,

I'm trying to build Samba 3.6.12 on Solaris 8 sparc using studio 12. Is this 
the correct forum to ask questions?

This is my first build so any tips/tricks are appreciated.

What are the prerequisites to get samba to compile so that it will join an AD 
domain?

TIA,
-Kevin


Re: [Samba] Building 3.6.12

2013-05-08 Thread Shaw, Kevin
I can patch Solaris 10 to get Samba 3.6.12 and takes about 5 mins to complete. 
I know moving off Solaris 8 would be the best path to take however it's not my 
decision to make...

-Kevin



[Samba] Build 3.6.12 on Solaris 8

2013-05-01 Thread Shaw, Kevin
All,

I need to build samba 3.6.12 on solaris 8 using studio 12. Has anyone 
accomplished this and willing to share tips, tricks, or notes?

-Kevin


[Samba] wbinfo, wbinfo_group.pl, user missing from AD group

2013-04-04 Thread Kevin Blackwell
I'm not exactly sure how the mapping of uid, sid, maps to unix gid.

We're using the wbinfo_group.pl script for our squid deployment.

The issue I see is if I run the script, or a valid and a user that
isn't working. On my system it returns a GID.

Got 3kll Hardware from squid
Username 3kll
Groups Hardware
User:  -3kll-
Group: -Hardware-
SID:   -S-1-5-21-1607859618-1323328405-3834754132-2828-
GID:   -16777237-
Sending OK to squid
OK

Here's a failing one.


Got 3lsr Hardware from squid
Username 3lsr
Groups Hardware
User:  -3lsr-
Group: -Hardware-
SID:   -S-1-5-21-1607859618-1323328405-3834754132-2828-
GID:   -16777237-
Sending ERR to squid
ERR

So, I run a wbinfo -r on 3lsr

wbinfo -r 3lsr
16777217
16777221
16777222
16777277
16777279
16777230
16777232
16777267

GID 16777237 isn't listed.

It is listed in 3kll.

So, how do I get user 3lsr to report back that it's in group 16777237?

Thanks
--
Kevin Blackwell


[Samba] /var/samba/locks/smb_krb5/krb5.conf.DOM

2013-04-03 Thread Shaw, Kevin
All,

I am running Solaris 10 and Samba 3.6.6. We use intelligent DNS and have more 
than 10 ADs. In /etc/krb5/krb5.conf I configure kdc and admin_server to point 
to the IDNS server so any one of our functioning ADs can be used dynamically. 
I've noticed that /var/samba/locks/smb_krb5/krb5.conf.DOM get created when net 
ads join is run. I've also noticed that the kdc is set to an IP address and 
appears to be dynamic. Can someone tell me what/how this file is controlled and 
if there are smb.conf settings to manually control this file?

TIA,
-Kevin


[Samba] Error creating host keytab

2013-03-20 Thread Shaw, Kevin
I am running Samba 3.0.35. When I run net ads join or net ads keytab create I 
see that the keytab file cannot be created. Here's a portion of the log:

[2013/03/20 07:57:50, 3] libads/kerberos.c:(337)
  kerberos_secrets_store_des_salt: Storing salt host/pitviper.DOMAIN@REALM
[2013/03/20 07:57:50, 2] libads/kerberos_keytab.c:(260)
  ads_keytab_add_entry: Using default system keytab: FILE:/etc/krb5/krb5.keytab
[2013/03/20 07:57:50, 3] libads/kerberos_keytab.c:(184)
  smb_krb5_kt_add_entry: adding keytab entry for (host/pitviper.DOMAIN@REALM) 
with encryption type (1) and version (8)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(189)
  smb_krb5_kt_add_entry: adding entry to keytab failed (Cannot write to 
specified key table)
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(346)
  ads_keytab_add_entry: Failed to add entry to keytab file
[2013/03/20 07:57:50, 1] libads/kerberos_keytab.c:(508)
  ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.
[2013/03/20 07:57:50, 1] utils/net_ads.c:(1647)
  Error creating host keytab!
Joined 'PITVIPER' to realm 'REALM'
[2013/03/20 07:57:50, 2] utils/net.c:(1075)
  return code = 0

I've tried creating /etc/krb5/krb5.keytab with no luck. Any ideas?

TIA
-Kevin


[Samba] Samba 3.6.6 authentication

2013-03-18 Thread Shaw, Kevin


Can anyone tell me if Kerberos is a requirement for windows server 2008R2 AD 
NTLM or NTLMv2 authentication?

TIA,
-Kevin


[Samba] Authentication in 2008R2 AD

2013-03-14 Thread Shaw, Kevin



What is the earliest version of Samba that will authenticate in a native 2008R2 
AD?

Is Kerberos a requirement to authenticate to native 2008R2 AD?

TIA,
-Kevin 


[Samba] username map is not functioning

2013-03-11 Thread Shaw, Kevin
All,

When the company upgraded AD from 2003 to 2008R2 users lost the ability to 
access Samba shares without being prompted for a password. I've upgraded Samba 
from 3.0.30 to 3.6.6. I would like to continue using username map to map my 
users however it appears the map is being ignored. The only way I can get this 
config to work is by adding an account that matches the unix account using 
smbpasswd. Any ideas?


[global]
bind interfaces only= Yes
case sensitive  = Yes
comment = Global Definitions
create mask = 0775
directory mask  = 0775
follow symlinks = No
guest account   = ftp
guest ok= No
host msdfs  = No
hosts allow = 13.,127.
hosts deny  = ALL
idmap config * : backend = tdb
interfaces  = nge0,lo0
kernel oplocks  = No
level2 oplocks  = No
map to guest= Bad UID
max disk size   = 131072
oplocks = No
preserve case   = Yes
unix extensions = No
lm announce = No
local master= No
max protocol= SMB2
min protocol= NT1
name resolve order  = host,bcast,wins,lmhosts
netbios name= TYRELL
security= DOMAIN
username map= /etc/samba/users.map
wins server = xxx.xxx.xxx.xxx
workgroup   = DOMAINNAME
log file= /var/samba/log/log.%m
log level   = 4
syslog  = 2

[ColorQube]
path= /ColorQube
writeable   = Yes
browseable  = Yes
create mask = 666
directory mask  = 777
directory security mask = 777
inherit permissions = Yes
guest ok= Yes

[read]
fake oplocks= Yes
path

Thanks in advance.
-Kevin


Re: [Samba] username map is not functioning

2013-03-11 Thread Shaw, Kevin


This appears to be an IDMAP username mapping issue not an issue with the 
username map file.

I think this is not an issue with the username map file. Thanks for the reply.

-Kevin

On Mon, 11 Mar 2013,  Kevin Shaw wrote:

 When the company upgraded AD from 2003 to 2008R2 users lost the
 ability to access Samba shares without being prompted for a
 password. I've upgraded Samba from 3.0.30 to 3.6.6. I would like to
 continue using username map to map my users however it appears the
 map is being ignored. The only way I can get this config to work is
 by adding an account that matches the unix account using smbpasswd.
 Any ideas?

This sounds to me like Samba bug 8881.  It isn't clear to me that
anyone in the Samba team cares enough about this bug to get it fixed.

https://bugzilla.samba.org/show_bug.cgi?id=8881

--

73,
Ged.


[Samba] Trying to understand authentication

2013-03-11 Thread Shaw, Kevin

I am running Solaris 10 u8 running Samba 3.6.6. Windows server 2008R2 runs AD.

I don't understand samba authentication and hope someone might be able to help 
me understand the process. The following configuration appears to be 
functional. NIS is running and Winbind is not. Pam.conf has not been touched. 
Nsswitch.conf has the default configuration for nis. Pdbedit -Lv shows no 
users. How are domain users authenticating to my Samba server? I'm guessing 
that net rpc join had something to do with it?


[global]
bind interfaces only= Yes
case sensitive  = Yes
comment = Global Definitions
create mask = 0775
directory mask  = 0775
follow symlinks = No
guest account   = ftp
guest ok= No
host msdfs  = No
hosts allow = 13.,127.
hosts deny  = ALL
idmap config * : backend = tdb
interfaces  = nge0,lo0
kernel oplocks  = No
level2 oplocks  = No
map to guest= Bad UID
max disk size   = 131072
oplocks = No
preserve case   = Yes
unix extensions = No
lm announce = No
local master= No
max protocol= SMB2
min protocol= NT1
name resolve order  = host,bcast,wins,lmhosts
netbios name= SERVER
security= DOMAIN
username map= /etc/samba/users.map
wins server = xxx.xxx.xxx.xxx
workgroup   = DOMAINNAME
log file= /var/samba/log/log.%m
log level   = 4
syslog  = 2

[ColorQube]
path= /ColorQube
writeable   = Yes
browseable  = Yes
create mask = 666
directory mask  = 777
directory security mask = 777
inherit permissions = Yes
guest ok= Yes

[read]
fake oplocks= Yes
path

TIA,
-Kevin



Re: [Samba] User is invalid on this system

2012-12-12 Thread Kevin Elliott
A rejoin unfortunately did not fix this issue and interestingly enough Samba 
failed to find a domain controller by any of the standard lookup means (hosts, 
lmhosts, WINS and with a broadcast) so I had to use the -s argument to manually 
specify the server in the 'net ads join' command. This probably signifies 
deeper issues.

Eventually I just used the current Sernet provided 3.6.9 packages which 
resolved the issue. 

What's so odd about this is that there is a nearly identical secondary host 
running the same version of Samba used for failover. No issues with the 
secondary. Go figure.


---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Friday, November 30, 2012 10:55 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

With what I've read and what I've seen with the rebuilds, there's a good 
chance the rejoin could fix your problem.  That being said, there are no 
guarantees with winbind. It's the part of the Samba suite that has given 
me the most problems over the years, breaking existing configs almost 
every time its internal workings are changed.

I wish you good luck!

Dale


On 11/30/2012 12:57 PM, Kevin Elliott wrote:
 Dale,

 I was afraid of that. We were forced to upgrade from 3.5.x because of a 
 reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x 
 introduces idmap/rid issues. I guess we just traded one for another.

 Do you think un-joining and then re-joining the existing system could fix 
 this?

 Thanks.


 ---
 Kevin Elliott

 Network Specialist
 City and Borough of Juneau, MIS
 (907) 586 - 0905




 -Original Message-
 From: Dale Schroeder [mailto:d...@briannassaladdressing.com]
 Sent: Friday, November 30, 2012 9:38 AM
 To: Kevin Elliott
 Cc: 'samba@lists.samba.org'
 Subject: Re: [Samba] User is invalid on this system

 Kevin,

 3.6.x has had several issues with idmap rid.  I was hit with this one:
 https://bugzilla.samba.org/show_bug.cgi?id=8676 .  Searching for idmap rid 
 issues with 3.6.x will reveal others as well.

 Someone indicated that rejoining the domain would fix this issue. As it so 
 happened, I had to rebuild one of the servers.  After joining the rebuilt 
 system to the domain, it has worked flawlessly ever since.  So, it appears 
 the problem with rid and some of the other idmap backends is somehow related 
 to upgrading, as newly joined systems work as expected.

 Dale


 On 11/29/2012 6:51 PM, Kevin Elliott wrote:
 Hello all.

 We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade 
 from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability 
 to map Samba shares from our Windows XP SP3 and Windows 7 clients:


 Here's an example from my workstation (logging verbosity set at 10):

 [2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
 switch message SMBsesssetupX (pid 2517) conn 0x0
 [2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
 wct=12 flg2=0xc807
 [2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
 setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
 all old resources.
 [2012/11/29 15:23:58.120353,  3] 
 smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
 Doing spnego session setup
 [2012/11/29 15:23:58.120409,  3] 
 smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
 NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
 [2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
 reply_spnego_negotiate: Got secblob of size 1680
 [2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
 Found account name from PAC: kevin_elliott [Kevin Elliott]
 [2012/11/29 15:23:58.124309,  3] 
 auth/user_krb5.c:50(get_user_from_kerberos_info)
 Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
 [2012/11/29 15:23:58.124710,  1] 
 auth/user_krb5.c:162(get_user_from_kerberos_info)
 Username CBJ_NT+kevin_elliott is invalid on this system
 [2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
 error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX)
 NT_STATUS_LOGON_FAILURE
 [2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
 receive_smb_raw_talloc failed for client 199.58.52.25 read error = 
 NT_STATUS_CONNECTION_RESET.
 [2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
 Server exit (failed to receive smb request)



 However, I can successfully return login information with winbind:

 # wbinfo -i kevin_elliott
 kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

 'getent passwd' will only return the local users from /etc/passwd.


 And the relevant section of smb.conf:

 [global]
   workgroup = CBJ_NT
   realm = CBJ.LOCAL
   netbios aliases = CITY-LIZA-L90

[Samba] Error with Windows AD tools GUI

2012-12-10 Thread Kevin COUSIN
Hi list,

I am trying Samba 4 RC6 on a CentOS 6 machine. It compiles and runs fine, but I 
cannot use the administrator tools on Windows XP or 7. On XP, it just says 
"Not specified error" (I don't know if that is the right translation from French: 
"Erreur non spécifée"). I can see that computers I join to AD aren't added in DNS 
(I use internal DNS). 

Any suggestions?

Thanks,



   Kevin C.


Re: [Samba] User is invalid on this system

2012-11-30 Thread Kevin Elliott
)
  winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:41:58.866817, 10] winbindd/winbindd.c:616(process_request)
  process_request: Handling async request 425:PING
[2012/11/30 08:41:58.866937, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[425:PING]: NT_STATUS_OK
[2012/11/30 08:41:58.867034, 10] 
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[425:PING]: delivered response to client
[2012/11/30 08:42:05.563565,  6] winbindd/winbindd.c:793(new_connection)
  accepted socket 29
[2012/11/30 08:42:05.563716, 10] winbindd/winbindd.c:643(process_request)
  process_request: request fn INTERFACE_VERSION
[2012/11/30 08:42:05.563778,  3] 
winbindd/winbindd_misc.c:384(winbindd_interface_version)
  [  453]: request interface version
[2012/11/30 08:42:05.563884, 10] 
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[453:INTERFACE_VERSION]: delivered response to 
client
[2012/11/30 08:42:05.563976, 10] winbindd/winbindd.c:643(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2012/11/30 08:42:05.564028,  3] 
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
  [  453]: request location of privileged pipe
[2012/11/30 08:42:05.564112, 10] 
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[453:WINBINDD_PRIV_PIPE_DIR]: delivered 
response to client
[2012/11/30 08:42:05.564201,  6] 
winbindd/winbindd.c:841(winbind_client_request_read)
  closing socket 29, client exited
[2012/11/30 08:42:05.564274,  6] winbindd/winbindd.c:793(new_connection)
  accepted socket 29
[2012/11/30 08:42:05.564351, 10] winbindd/winbindd.c:616(process_request)
  process_request: Handling async request 453:PING
[2012/11/30 08:42:05.564411, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.564480, 10] 
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:05.585267, 10] winbindd/winbindd.c:616(process_request)
  process_request: Handling async request 453:PING
[2012/11/30 08:42:05.585367, 10] winbindd/winbindd.c:678(wb_request_done)
  wb_request_done[453:PING]: NT_STATUS_OK
[2012/11/30 08:42:05.585443, 10] 
winbindd/winbindd.c:739(winbind_client_response_written)
  winbind_client_response_written[453:PING]: delivered response to client
[2012/11/30 08:42:10.081128,  6] 
winbindd/winbindd.c:841(winbind_client_request_read)
  closing socket 29, client exited
[2012/11/30 08:42:12.146894,  6] 
winbindd/winbindd.c:841(winbind_client_request_read)
  closing socket 28, client exited


If I'm reading the logs correctly it looks like winbind opens the Unix pipe for 
the client, the client re-establishes the connection and we get a NT_STATUS_OK 
at the end of it.

Appreciate the help!


-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On 
Behalf Of Thomas Mueller
Sent: Thursday, November 29, 2012 9:50 PM
To: samba@lists.samba.org
Subject: Re: [Samba] User is invalid on this system

On Thu, 29 Nov 2012 15:51:55 -0900, Kevin Elliott wrote:

 Hello all.
 
 We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the 
 upgrade from 3.6.5 to 3.6.5 about a week ago and ever since we have 
 lost the ability to map Samba shares from our Windows XP SP3 and 
 Windows 7
 clients:
 
 
 Here's an example from my workstation (logging verbosity set at 10):
 
...
 auth/user_krb5.c:162(get_user_from_kerberos_info)
   Username CBJ_NT+kevin_elliott is invalid on this system
...
 
 
 However, I can successfully return login information with winbind:
 
 # wbinfo -i kevin_elliott
 kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false
 
 'getent passwd' will only return the local users from /etc/passwd.
 

 
 Any ideas? Anyone else see this?

maybe the winbind in /etc/nsswitch.conf got lost? 

is getent -s winbind passwd $username returning something?

is winbindd running (ps -C winbindd -f)?

any log messages in /var/log/samba/log.winbindd ?

- Thomas



Re: [Samba] User is invalid on this system

2012-11-30 Thread Kevin Elliott
Dale,

I was afraid of that. We were forced to upgrade from 3.5.x because of a 
reoccurring Winbind issue but I'm a bit disappointed to see that 3.6.x 
introduces idmap/rid issues. I guess we just traded one for another.

Do you think un-joining and then re-joining the existing system could fix this?

Thanks.


---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




-Original Message-
From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
Sent: Friday, November 30, 2012 9:38 AM
To: Kevin Elliott
Cc: 'samba@lists.samba.org'
Subject: Re: [Samba] User is invalid on this system

Kevin,

3.6.x has had several issues with idmap rid.  I was hit with this one: 
https://bugzilla.samba.org/show_bug.cgi?id=8676 .  Searching for idmap rid 
issues with 3.6.x will reveal others as well.

Someone indicated that rejoining the domain would fix this issue. As it so 
happened, I had to rebuild one of the servers.  After joining the rebuilt 
system to the domain, it has worked flawlessly ever since.  So, it appears the 
problem with rid and some of the other idmap backends is somehow related to 
upgrading, as newly joined systems work as expected.

Dale


On 11/29/2012 6:51 PM, Kevin Elliott wrote:
 Hello all.

 We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 
 3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to 
 map Samba shares from our Windows XP SP3 and Windows 7 clients:


 Here's an example from my workstation (logging verbosity set at 10):

 [2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
switch message SMBsesssetupX (pid 2517) conn 0x0
 [2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
wct=12 flg2=0xc807
 [2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all 
 old resources.
 [2012/11/29 15:23:58.120353,  3] 
 smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
Doing spnego session setup
 [2012/11/29 15:23:58.120409,  3] 
 smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
 [2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
reply_spnego_negotiate: Got secblob of size 1680
 [2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
Found account name from PAC: kevin_elliott [Kevin Elliott]
 [2012/11/29 15:23:58.124309,  3] 
 auth/user_krb5.c:50(get_user_from_kerberos_info)
Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
 [2012/11/29 15:23:58.124710,  1] 
 auth/user_krb5.c:162(get_user_from_kerberos_info)
Username CBJ_NT+kevin_elliott is invalid on this system
 [2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) 
 NT_STATUS_LOGON_FAILURE
 [2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
receive_smb_raw_talloc failed for client 199.58.52.25 read error = 
 NT_STATUS_CONNECTION_RESET.
 [2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
Server exit (failed to receive smb request)



 However, I can successfully return login information with winbind:

 # wbinfo -i kevin_elliott
 kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

 'getent passwd' will only return the local users from /etc/passwd.


 And the relevant section of smb.conf:

 [global]
  workgroup = CBJ_NT
  realm = CBJ.LOCAL
  netbios aliases = CITY-LIZA-L90, CITY-LIZA
  server string = External FTP Server
  interfaces = 192.0.2.87/32, lo
  bind interfaces only = Yes
  security = ADS
  obey pam restrictions = Yes
  password server = 192.0.2.25, 192.0.2.50
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
 *Retype\snew\sUNIX\spassword:* %n\n .
  client NTLMv2 auth = Yes
  log level = 3
  log file = /var/log/samba/log.%m
  max log size = 2500
  printcap name = cups
  os level = 5
  local master = No
  domain master = No
  wins server = 192.0.2.25
  ldap ssl = no
  panic action = /usr/share/samba/panic-action %d
  winbind separator = +
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  idmap config LIBRARY:range = 65535-7
  idmap config LIBRARY:base_rid = 0
  idmap config LIBRARY:backend = rid
  idmap config * : range = 1-65533
  idmap config * : base_rid = 0
  idmap config * : backend = rid
  admin users = @CBJ_NT+admin
  veto files = /.*/

 [ftp]
  comment = FTP directory
  path = /var/ftp/pub/
  valid users = @CBJ_NT+domain users
  read only

[Samba] User is invalid on this system

2012-11-29 Thread Kevin Elliott
Hello all.

We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade from 
3.6.5 to 3.6.5 about a week ago and ever since we have lost the ability to map 
Samba shares from our Windows XP SP3 and Windows 7 clients:


Here's an example from my workstation (logging verbosity set at 10):

[2012/11/29 15:23:58.120087,  3] smbd/process.c:1467(switch_message)
  switch message SMBsesssetupX (pid 2517) conn 0x0
[2012/11/29 15:23:58.120212,  3] smbd/sesssetup.c:1333(reply_sesssetup_and_X)
  wct=12 flg2=0xc807
[2012/11/29 15:23:58.120258,  2] smbd/sesssetup.c:1279(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2012/11/29 15:23:58.120353,  3] smbd/sesssetup.c:1065(reply_sesssetup_and_X_spnego)
  Doing spnego session setup
[2012/11/29 15:23:58.120409,  3] smbd/sesssetup.c:1107(reply_sesssetup_and_X_spnego)
  NativeOS=[] NativeLanMan=[] PrimaryDomain=[]
[2012/11/29 15:23:58.120498,  3] smbd/sesssetup.c:660(reply_spnego_negotiate)
  reply_spnego_negotiate: Got secblob of size 1680
[2012/11/29 15:23:58.124198,  3] libads/authdata.c:332(decode_pac_data)
  Found account name from PAC: kevin_elliott [Kevin Elliott]
[2012/11/29 15:23:58.124309,  3] auth/user_krb5.c:50(get_user_from_kerberos_info)
  Kerberos ticket principal name is [kevin_elliott@CBJ.LOCAL]
[2012/11/29 15:23:58.124710,  1] auth/user_krb5.c:162(get_user_from_kerberos_info)
  Username CBJ_NT+kevin_elliott is invalid on this system
[2012/11/29 15:23:58.124780,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(359) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
[2012/11/29 15:24:12.583839,  1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 199.58.52.25 read error = NT_STATUS_CONNECTION_RESET.
[2012/11/29 15:24:12.584072,  3] smbd/server_exit.c:181(exit_server_common)
  Server exit (failed to receive smb request)



However, I can successfully return login information with winbind:

# wbinfo -i kevin_elliott
kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false

'getent passwd' will only return the local users from /etc/passwd.


And the relevant section of smb.conf:

[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 192.0.2.87/32, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
password server = 192.0.2.25, 192.0.2.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 3
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 192.0.2.25
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
winbind separator = +
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
idmap config LIBRARY:range = 65535-7
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:backend = rid
idmap config * : range = 1-65533
idmap config * : base_rid = 0
idmap config * : backend = rid
admin users = @CBJ_NT+admin
veto files = /.*/

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes


Any ideas? Anyone else see this?

---
Kevin Elliott

Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905




Re: [Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-12 Thread Kevin Elliott
I read the bugreport that Dale linked and ended up using the workaround listed 
there.

Changes made to '/etc/samba/smb.conf' follow:
  @@ -28,9 +28,12 @@
   winbind enum users = Yes
   winbind enum groups = Yes
   panic action = /usr/share/samba/panic-action %d
  -idmap config CBJ_NT:backend = rid
  -idmap config CBJ_NT:base_rid = 0
  -idmap config CBJ_NT:range = 1-65533
  +idmap config * : backend = rid
  +idmap config * : base_rid = 0
  +idmap config * : range = 1-65533
   idmap config LIBRARY:backend = rid
   idmap config LIBRARY:base_rid = 0
   idmap config LIBRARY:range = 65535-7  
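Review bot: The three '+' lines put the rid mapping on the '*' default instead of on CBJ_NT, so every domain without its own 'idmap config' block now maps through rid with base_rid = 0 into the same 1-65533 range, and equal RIDs from two such domains would resolve to one Unix ID. If the workaround stays, add a comment in smb.conf naming the bug report it works around and confirm that no trusted domain other than CBJ_NT can fall through to '*'. As printed in the context lines, the LIBRARY range (65535-7) also has its upper bound below its lower bound and should be compared against the live file.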

Does anyone have any idea why not explicitly specifying the domain fixes this 
issue?




 -Original Message-
 From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
 Sent: Tuesday, July 10, 2012 11:18
 To: Kevin Elliott
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Samba 3.6.5, idmap configuration and 
 WBC_ERR_DOMAIN_NOT_FOUND
 
 On 07/10/2012 12:56 PM, Kevin Elliott wrote:
  Hello all,
 
  I recently upgraded from Samba 3.5.6 (the version contained 
 in Debian Stable) to Samba 3.6.5 (the version from Debian 
 Backports) in an effort to closer track the current 
 development to try and chase some long standing bugs out.
 
  I think I've resolved one problem but introduced another. 
 I'm getting the WBC_ERR_DOMAIN_NOT_FOUND when I try to 
 perform a SID to UID lookup much like so:
 
  city-liza-lnx:/var/log/samba# wbinfo -t
  checking the trust secret for domain CBJ_NT via RPC calls succeeded
  city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
  S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
  city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
  CBJ_NT+kevin_elliott 1
  city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
  failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
  Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid
 
 
  This looks like it has all the markings of following bugreport:
 
  https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679
 
 
 
  Before I follow this upstream can someone sanity check my 
 configs for me? I understand that much has changed between 
 3.5 and 3.6 regarding the idmapping.
 
 
  [global]
   workgroup = CBJ_NT
   realm = CBJ.LOCAL
   netbios aliases = CITY-LIZA-L90, CITY-LIZA
   server string = External FTP Server
   interfaces = 199.58.55.87/22, lo
   bind interfaces only = Yes
   security = ADS
   obey pam restrictions = Yes
   passdb backend = tdbsam
   password server = 199.58.55.25, 199.58.55.50
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
 *Retype\snew\sUNIX\spassword:* %n\n .
   client NTLMv2 auth = Yes
   log level = 10
   log file = /var/log/samba/log.%m
   max log size = 2500
   printcap name = cups
   os level = 5
   local master = No
   domain master = No
   wins server = 199.58.55.25
   ldap ssl = no
   winbind enum users = Yes
   winbind enum groups = Yes
   panic action = /usr/share/samba/panic-action %d
   idmap config CBJ_NT:backend = rid
   idmap config CBJ_NT:base_rid = 0
   idmap config CBJ_NT:range = 1-65533
   idmap config LIBRARY:backend = rid
   idmap config LIBRARY:base_rid = 0
   idmap config LIBRARY:range = 65535-7
   winbind separator = +
   winbind use default domain = Yes
 
  [ftp]
   comment = FTP directory
   path = /var/ftp/pub/
   valid users = @CBJ_NT+domain users
   read only = No
   create mask = 0775
   directory mask = 0775
   hide unreadable = Yes
 
 
 
  Thank you for your consideration.
 
 
 Kevin,
 
 With idmap rid, it could also be this one:
 
 https://bugzilla.samba.org/show_bug.cgi?id=8676
 
 This bug has been in every version of 3.6.  For me, a reboot 
 of the system usually will fix the problem until the next 
 samba/winbind restart is required; others have not been so fortunate.
 
 Dale
 
 


[Samba] Samba 3.6.5, idmap configuration and WBC_ERR_DOMAIN_NOT_FOUND

2012-07-10 Thread Kevin Elliott
Hello all,

I recently upgraded from Samba 3.5.6 (the version contained in Debian Stable) 
to Samba 3.6.5 (the version from Debian Backports) in an effort to closer track 
the current development to try and chase some long standing bugs out.

I think I've resolved one problem but introduced another. I'm getting the 
WBC_ERR_DOMAIN_NOT_FOUND when I try to perform a SID to UID lookup much like 
so:

city-liza-lnx:/var/log/samba# wbinfo -t
checking the trust secret for domain CBJ_NT via RPC calls succeeded
city-liza-lnx:/var/log/samba# wbinfo -n CBJ_NT+kevin_elliott
S-1-5-21-505306839-1977890393-20515302-14949 SID_USER (1)
city-liza-lnx:/var/log/samba# wbinfo -s S-1-5-21-505306839-1977890393-20515302-14949
CBJ_NT+kevin_elliott 1
city-liza-lnx:/var/log/samba# wbinfo -S S-1-5-21-505306839-1977890393-20515302-14949
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-505306839-1977890393-20515302-14949 to uid


This looks like it has all the markings of the following bugreport:

https://bugzilla.samba.org/show_bug.cgi?id=8371#c5
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679



Before I follow this upstream can someone sanity check my configs for me? I 
understand that much has changed between 3.5 and 3.6 regarding the idmapping.


[global]
workgroup = CBJ_NT
realm = CBJ.LOCAL
netbios aliases = CITY-LIZA-L90, CITY-LIZA
server string = External FTP Server
interfaces = 199.58.55.87/22, lo
bind interfaces only = Yes
security = ADS
obey pam restrictions = Yes
passdb backend = tdbsam
password server = 199.58.55.25, 199.58.55.50
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
client NTLMv2 auth = Yes
log level = 10
log file = /var/log/samba/log.%m
max log size = 2500
printcap name = cups
os level = 5
local master = No
domain master = No
wins server = 199.58.55.25
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
panic action = /usr/share/samba/panic-action %d
idmap config CBJ_NT:backend = rid
idmap config CBJ_NT:base_rid = 0
idmap config CBJ_NT:range = 1-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 65535-7
winbind separator = +
winbind use default domain = Yes

[ftp]
comment = FTP directory
path = /var/ftp/pub/
valid users = @CBJ_NT+domain users
read only = No
create mask = 0775
directory mask = 0775
hide unreadable = Yes



Thank you for your consideration.

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
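
Part of the config sanity check requested in the message above can be automated. The following is an added example, not code from the thread or from the Samba project: it parses 'idmap config' lines and flags inverted ranges, overlapping ranges, and the rid backend on the default '*' domain. Both sample configs and their ranges are constructed; the ranges are assumptions chosen so that RID 14949 maps to the uid 24949 that 'wbinfo -i' reports elsewhere in this archive.

```python
import re
from itertools import combinations

# "idmap config <DOMAIN> : <option> = <value>", spaces around ':' optional.
IDMAP_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:=]+?)\s*:\s*(?P<opt>[^=]+?)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)

# Constructed sample: wildcard layout with rid as default; ranges are assumptions.
WILDCARD_RID = """
[global]
idmap config * : backend = rid
idmap config * : base_rid = 0
idmap config * : range = 10000-65533
idmap config LIBRARY:backend = rid
idmap config LIBRARY:base_rid = 0
idmap config LIBRARY:range = 60000-70000
"""

# Constructed sample: writeable default plus one disjoint rid range per domain.
PER_DOMAIN = """
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-9999
idmap config CBJ_NT : backend = rid
idmap config CBJ_NT : base_rid = 0
idmap config CBJ_NT : range = 10000-65533
idmap config LIBRARY : backend = rid
idmap config LIBRARY : base_rid = 0
idmap config LIBRARY : range = 70000-79999
"""


def parse_idmap(conf_text):
    """Return {DOMAIN: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # smb.conf comment
        m = IDMAP_RE.match(line)
        if m:
            opt = m["opt"].lower().replace(" ", "")
            domains.setdefault(m["dom"].upper(), {})[opt] = m["val"]
    return domains


def parse_range(value):
    """Parse 'low-high' into (low, high); None if absent or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def check_idmap(conf_text):
    """Return a sorted list of (domain, problem) findings."""
    findings, ranges = [], {}
    for dom, opts in parse_idmap(conf_text).items():
        if dom == "*" and opts.get("backend", "").lower() == "rid":
            # Every domain without its own block would share this rid range.
            findings.append((dom, "rid backend on the default domain"))
        rng = parse_range(opts.get("range"))
        if rng is None:
            findings.append((dom, "missing or malformed range"))
        elif rng[0] > rng[1]:
            findings.append((dom, f"inverted range {rng[0]}-{rng[1]}"))
        else:
            ranges[dom] = rng
    # Two domains whose ranges intersect can hand out the same Unix ID.
    for (a, ra), (b, rb) in combinations(sorted(ranges.items()), 2):
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            findings.append((a, f"range overlaps {b}"))
    return sorted(findings)


def rid_to_unix_id(rid, opts):
    """idmap_rid formula ID = RID - base_rid + low; None if out of range."""
    rng = parse_range(opts.get("range"))
    if rng is None or rng[0] > rng[1]:
        return None
    unix_id = rid - int(opts.get("base_rid", 0)) + rng[0]
    return unix_id if rng[0] <= unix_id <= rng[1] else None


if __name__ == "__main__":
    for name, conf in (("WILDCARD_RID", WILDCARD_RID), ("PER_DOMAIN", PER_DOMAIN)):
        print(name, check_idmap(conf) or "no findings")
    print("RID 14949 ->", rid_to_unix_id(14949, parse_idmap(PER_DOMAIN)["CBJ_NT"]))
```

To check a live file, pass the output of 'testparm -s' to check_idmap() instead of the constructed samples.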
 


Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue

2012-05-08 Thread Kevin Taylor


I'm still trying to track this down, to see if I can offer any further info. 
Increasing the log level shows that all of the history requests are happening 
in pdb_ldap.c, but I don't know that I saw where it was setting the history 
during a password change.

I'm also seeing a lot of 'Failed to get password history for user' messages. 
I'm not sure why samba can't get that information. I don't see any errors in 
the ldap server logs, but I might try to read them a little closer to see if 
something is being blocked.

Is there a samba command to display the user password history directly, and 
maybe I can see a different error?



 From: groucho.64...@hotmail.com
 To: samba@lists.samba.org
 Date: Fri, 4 May 2012 14:05:54 -0400
 Subject: [Samba] samba(3.6.4),with LDAP backend and 
 sambapasswordhistory issue
 
 
 
 We would like to have password history working in our setup which is samba 
 with Sun Directory Services 7.0 on the backend. Everything else seems to be 
 working ok, but I notice that the sambapasswordhistory entry for any 
 particular user is filled with 0's.
 
 If I set the password for the account, then it's 16 0's, followed by a copy 
 of the password hash, and the rest 0's.
 
 If I change the password to something else, the history entry stays the same.
 
 If I change the password back to the original, the second password hash that 
 I entered isn't stored along with the original. It's 0's.
 
 I've seen online that someone had this issue in 2005, but I didn't see any 
 responses to this. Has anyone seen this or have a suggestion of what I can 
 try?
 
 Thanks for the help. 
 
 
 we're using a history of 24 in case it matters...maybe that's a problem, 
 should it be 23?
 
 
 


Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue

2012-05-08 Thread Kevin Taylor


Ok, here's an update. I recreated a user account and started changing the 
password on it, and now I'm seeing passwords stored in the sambapasswordhistory 
field. Each time I change it another one is stored.

Then, suddenly, the entire sambapasswordhistory entry is wiped clean and it's 
only storing the latest password. Each subsequent password change is only 
storing the latest password.

Seems like a buffer overflow maybe? If I modify the history length in the 
password policy, it looks like it starts working again for a bit.

I'm using Sun DSEE 7 as the ldap server and using the netscape5.ldif file. 



 From: groucho.64...@hotmail.com
 To: samba@lists.samba.org
 Date: Tue, 8 May 2012 08:21:04 -0400
 Subject: Re: [Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory 
 issue
 
 
 
 I'm still trying to track this down, to see if I can offer any further info. 
 Increasing the log level shows that all of the history requests are happening 
 in pdb_ldap.c, but I don't know that I saw where it was setting the history 
 during a password change.
 
 I'm also seeing a lot of 'Failed to get password history for user' messages. 
 I'm not sure why samba can't get that information. I don't see any errors in 
 the ldap server logs, but I might try to read them a little closer to see if 
 something is being blocked.
 
 Is there a samba command to display the user password history directly, and 
 maybe I can see a different error?
 
 
 
  From: groucho.64...@hotmail.com
  To: samba@lists.samba.org
  Date: Fri, 4 May 2012 14:05:54 -0400
  Subject: [Samba] samba(3.6.4),  with LDAP backend and 
  sambapasswordhistory issue
  
  
  
  We would like to have password history working in our setup which is samba 
  with Sun Directory Services 7.0 on the backend. Everything else seems to be 
  working ok, but I notice that the sambapasswordhistory entry for any 
  particular user is filled with 0's.
  
  If I set the password for the account, then it's 16 0's, followed by a copy 
  of the password hash, and the rest 0's.
  
  If I change the password to something else, the history entry stays the 
  same.
  
  If I change the password back to the original, the second password hash 
  that I entered isn't stored along with the original. It's 0's.
  
  I've seen online that someone had this issue in 2005, but I didn't see any 
  responses to this. Has anyone seen this or have a suggestion of what I can 
  try?
  
  Thanks for the help. 
  
  
  we're using a history of 24 in case it matters...maybe that's a problem, 
  should it be 23?
  
  



Re: [Samba] winbind stop working

2012-05-08 Thread Kevin Elliott
Interesting.

I'll try this and see what happens.

Any idea why setting such an aggressive cache refresh time for the idmap issue 
could resolve this?

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of daniele
 Sent: Sunday, May 06, 2012 11:13 PM
 To: samba@lists.samba.org
 Subject: Re: [Samba] winbind stop working
 
 On 04/05/2012 23:47, Kevin Elliott wrote:
 
  So what's happening is that the idmap cache is expiring but 
 winbind is unable to create new entries until it's restarted?
 
 
  Here's my idmap cache values:
 
   idmap backend = tdb
   idmap alloc backend =
   idmap cache time = 604800
   idmap negative cache time = 120
   idmap uid = 1-7
   idmap gid = 1-7
   winbind separator = +
   winbind cache time = 300
   winbind reconnect delay = 30
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind trusted domains only = No
   winbind nested groups = Yes
   winbind expand groups = 1
   winbind nss info = template
   winbind refresh tickets = No
   winbind offline logon = No
   winbind normalize names = No
 
 
 After playing with parameters I found that lowering idmap 
 cache time has some effects.
 Now, with a value of 300, looks good.
 I have to do other tests to understand what is happening, but 
 it seems a good starting point.
 
 Daniele


[Samba] samba(3.6.4), with LDAP backend and sambapasswordhistory issue

2012-05-04 Thread Kevin Taylor


We would like to have password history working in our setup which is samba with 
Sun Directory Services 7.0 on the backend. Everything else seems to be working 
ok, but I notice that the sambapasswordhistory entry for any particular user is 
filled with 0's.

If I set the password for the account, then it's 16 0's, followed by a copy of 
the password hash, and the rest 0's.

If I change the password to something else, the history entry stays the same.

If I change the password back to the original, the second password hash that I 
entered isn't stored along with the original. It's 0's.

I've seen online that someone had this issue in 2005, but I didn't see any 
responses to this. Has anyone seen this or have a suggestion of what I can try?

Thanks for the help. 


we're using a history of 24 in case it matters...maybe that's a problem, should 
it be 23?


  


Re: [Samba] winbind stop working

2012-05-04 Thread Kevin Elliott

No one else has seen this issue? 

Should I move this to samba-technical? Or submit a bug report?


Is there any other information that would be helpful in troubleshooting this? 


 -Original Message-
 From: Kevin Elliott 
 Sent: Monday, April 30, 2012 9:51 AM
 To: samba@lists.samba.org
 Subject: RE: [Samba] winbind stop working
 
 We're also seeing similar symptoms with our Squid proxy's 
 winbindd as well.
 
 After an indeterminate amount of time (sometimes an hour, 
 sometimes a day) the winbind process will lose the ability to 
 resolve UID/GIDs to SIDS and authentication to the proxy will fail:
 
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 
 
 If we try doing a winbind -p we get a successful return 
 however trying to lookup a SID from UID/GID fails.
 
 We're on Debian 6.0.4 and Samba 2.3.5.6.
 
 
 Has anyone else seen this issue? Any possible workarounds or patches?
 
 
 
 
 Here's the debugging output for a particular user:
 
 [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
   switch message SMBtconX (pid 15651) conn 0x0
 [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217062,  5] 
 auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217085,  5] 
 auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
 [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
   Client requested device type [?] for share [FTP]
 [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
   making a connection to 'normal' service ftp
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
   Unable to get default yp domain, let's try without specifying it
 [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
   looking for user CBJ_NT+kevin_miller of domain (ANY) in 
 netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
   looking for user cbj_nt+kevin_miller of domain (ANY) in 
 netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
   lookup_name: CBJ_NT\domain users = CBJ_NT (domain), domain 
 users (name)
 [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
   lookup_name: flags = 0x077
 [2012/04/27 11:04:52.217841, 10] 
 passdb/util_wellknown.c:152(lookup_wellknown_name)
   map_name_to_wellknown_sid: looking up domain users
 [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217966,  5] 
 auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217987,  5] 
 auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.219317,  5] 
 smbd/share_access.c:117(token_contains_name)
   lookup_name CBJ_NT+domain users failed
 [2012/04/27 11:04:52.219365, 10] 
 smbd/share_access.c:216(user_ok_token)
   User CBJ_NT+kevin_miller not in 'valid users'
 [2012/04/27 11:04:52.219394,  2] 
 smbd/service.c:598(create_connection_server_info)
   user 'CBJ_NT+kevin_miller' (from session setup) not 
 permitted to access this share (ftp)
 [2012/04/27 11:04:52.219420,  1] 
 smbd/service.c:678(make_connection_snum)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
 [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) 
 NT_STATUS_ACCESS_DENIED
 
 
 Here's the debugging output from the winbindd-idmap.old log:
 
 2012/04/27 10:58:37.616201, 10] 
 winbindd/idmap_util.c:115(idmap_gid_to_sid)
   idmap_gid_to_sid: gid = [1004], domain = ''
 [2012/04/27 10:58:37.616243, 10] 
 lib/gencache.c:334(gencache_get_data_blob)
   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
 [2012/04/27 10:58:37.616265, 10] 
 winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
 [2012/04/27 10:58:37.616331, 10] 
 winbindd/idmap.c:475(idmap_find_domain)
   idmap_find_domain called for domain ''
 [2012/04/27 10:58:37.616352,  5] 
 winbindd

Re: [Samba] winbind stop working

2012-05-04 Thread Kevin Elliott
 
So what's happening is that the idmap cache is expiring but winbind is unable 
to create new entries until it's restarted?


Here's my idmap cache values:

idmap backend = tdb
idmap alloc backend = 
idmap cache time = 604800
idmap negative cache time = 120
idmap uid = 1-7
idmap gid = 1-7
winbind separator = +
winbind cache time = 300
winbind reconnect delay = 30
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind trusted domains only = No
winbind nested groups = Yes
winbind expand groups = 1
winbind nss info = template
winbind refresh tickets = No
winbind offline logon = No
winbind normalize names = No

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 



 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
 Sent: Friday, May 04, 2012 12:16 PM
 To: samba@lists.samba.org
 Subject: Re: [Samba] winbind stop working
 
 I had a problem with Samba 3.0.x on Solaris 10 some time back.  The
 samba servers were DC's for the domain-  they were not in an ADS
 domain.  However I did have domain trusts set up so winbind was
 required.  Winbind would allocate uid's and gid's.  There is a cache
 time value for either winbind or idmap (testparm -v will tell you.)
 When the cache time expired the cached info was -  obviously -
 invalid BUT samba/winbind would not refresh the cache.  Thus users
 from the trusted domain would lose access.  The cache files are local
 TDB files-  even tho (in case) the idmap and other account info was in
 ldap.
 
 The cache issue was resolved when I upgraded to samba 3.4.x.  However,
 it seems that winbind now can't even create new idmap entries.  Since
 there is practically no personnel change in the trusted ADS domain this
 isn't really an issue-  I can always add the idmap entries in ldap.
 
 Check your cache values.  Backup and delete the idmap cache TDB files.
 (Maybe the winbind cache files as well)  Restarting winbind and typing
 getent passwd and getent group should repopulate.  TDBDump command is
 useful for looking at the contents of the file if you aren't sure what
 the file is for.


Re: [Samba] winbind stop working

2012-04-30 Thread Kevin Elliott
)
   wbint_Gid2Sid: struct wbint_Gid2Sid
  out: struct wbint_Gid2Sid
  sid  : *
  sid  : S-0-0
  result   : NT_STATUS_NONE_MAPPED


-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 




 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Daniele
 Sent: Sunday, April 29, 2012 11:50 PM
 To: samba@lists.samba.org
 Subject: [Samba] winbind stop working
 
 Hi, I am trying to use squid proxy with validation on win 
 2003 active directory to filter internet navigation and for 
 it I installed an ubuntu 10.04 server 64 bit with samba.
 My installation looks ok, the server is joined to the AD, 
 ntlm is able to validate user, wbinfo reports correct 
 information and squid works good.
 The problem arises after some hours: winbind becomes not able 
 to resolve info for users and to retrieve info for groups, so 
 squid becomes not able to know if a user belongs to a group 
 allowed to navigate and refuses connection.
 Restarting winbind solves the problem for some hours.
 wbinfo reports no particular problem; just gives back messages 
 like could not get info for user xx and also setting 
 debuglevel to various numbers reports (to me) no significant clues.
 I made a workaround scheduling a restart of winbind service 
 at every half hour and it works, but is not so elegant ...
 Do you have any suggestion to solve this problem?
 Thank you
 Daniele
 
 samba/winbind version is 3.4.7
 squid is 2.7.STABLE7
 os is 2.6.32-41-server #88-Ubuntu x86_64 GNU/Linux
 
 smb.conf:
 [global]
  workgroup = CED
  realm = CED.AOS
  server string = Samba Server Version %v
  security = ADS
  password server = 172.18.10.24 172.18.10.23
  name resolve order = lmhosts host bcast
  ldap ssl = no
  idmap uid = 15000-25000
  idmap gid = 15000-25000
  winbind separator = +
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind use default domain = Yes
  cups options = raw
 [homes]
  comment = Home Directories
  read only = No
  browseable = No
  browsable = No
 
 [printers]
  comment = All Printers
  path = /var/spool/samba
  printable = Yes
  browseable = No
  browsable = No
 
 
 


Re: [Samba] winbind stop working

2012-04-30 Thread Kevin Elliott
Correction. I was reading the Debian versioning numbers.

We are on Samba/Winbind: 3.5.6 (Debian package:  2:3.5.6~dfsg-3squeeze6).

-- 
Kevin Elliott
 
Network Specialist
City and Borough of Juneau, MIS
(907) 586 - 0905
 


 -Original Message-
 From: samba-boun...@lists.samba.org 
 [mailto:samba-boun...@lists.samba.org] On Behalf Of Kevin Elliott
 Sent: Monday, April 30, 2012 9:51 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] winbind stop working
 
 We're also seeing similar symptoms with our Squid proxy's 
 winbindd as well.
 
 After an indeterminate amount of time (sometimes an hour, 
 sometimes a day) the winbind process will lose the ability to 
 resolve UID/GIDs to SIDS and authentication to the proxy will fail:
 
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 
 
 If we try doing a winbind -p we get a successful return 
 however trying to lookup a SID from UID/GID fails.
 
 We're on Debian 6.0.4 and Samba 2.3.5.6.
 
 
 Has anyone else seen this issue? Any possible workarounds or patches?
 
 
 
 
 Here's the debugging output for a particular user:
 
 [2012/04/27 11:04:52.217018,  3] smbd/process.c:1294(switch_message)
   switch message SMBtconX (pid 15651) conn 0x0
 [2012/04/27 11:04:52.217041,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217062,  5] auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217085,  5] auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.217132,  5] smbd/uid.c:369(change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
 [2012/04/27 11:04:52.217169,  4] smbd/reply.c:786(reply_tcon_and_X)
   Client requested device type [?] for share [FTP]
 [2012/04/27 11:04:52.217209,  5] smbd/service.c:1227(make_connection)
   making a connection to 'normal' service ftp
 [2012/04/27 11:04:52.217243,  3] lib/util_sid.c:228(string_to_sid)
   string_to_sid: Sid @CBJ_NT+domain users does not start with 'S-'.
 [2012/04/27 11:04:52.217268,  5] smbd/password.c:423(user_in_netgroup)
   Unable to get default yp domain, let's try without specifying it
 [2012/04/27 11:04:52.217289,  5] smbd/password.c:430(user_in_netgroup)
   looking for user CBJ_NT+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217316,  5] smbd/password.c:453(user_in_netgroup)
   looking for user cbj_nt+kevin_miller of domain (ANY) in netgroup CBJ_NT+domain users
 [2012/04/27 11:04:52.217342, 10] passdb/lookup_sid.c:69(lookup_name)
   lookup_name: CBJ_NT\domain users = CBJ_NT (domain), domain users (name)
 [2012/04/27 11:04:52.217363, 10] passdb/lookup_sid.c:70(lookup_name)
   lookup_name: flags = 0x077
 [2012/04/27 11:04:52.217841, 10] passdb/util_wellknown.c:152(lookup_wellknown_name)
   map_name_to_wellknown_sid: looking up domain users
 [2012/04/27 11:04:52.217890,  3] smbd/sec_ctx.c:210(push_sec_ctx)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217921,  3] smbd/uid.c:429(push_conn_ctx)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.217945,  3] smbd/sec_ctx.c:310(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2012/04/27 11:04:52.217966,  5] auth/token_util.c:525(debug_nt_user_token)
   NT user token: (NULL)
 [2012/04/27 11:04:52.217987,  5] auth/token_util.c:551(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
 [2012/04/27 11:04:52.218079,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2012/04/27 11:04:52.219317,  5] smbd/share_access.c:117(token_contains_name)
   lookup_name CBJ_NT+domain users failed
 [2012/04/27 11:04:52.219365, 10] smbd/share_access.c:216(user_ok_token)
   User CBJ_NT+kevin_miller not in 'valid users'
 [2012/04/27 11:04:52.219394,  2] smbd/service.c:598(create_connection_server_info)
   user 'CBJ_NT+kevin_miller' (from session setup) not permitted to access this share (ftp)
 [2012/04/27 11:04:52.219420,  1] smbd/service.c:678(make_connection_snum)
   create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
 [2012/04/27 11:04:52.219452,  3] smbd/error.c:80(error_packet_set)
   error packet at smbd/reply.c(795) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
 
 
 Here's the debugging output from the winbindd-idmap.old log:
 
 [2012/04/27 10:58:37.616201, 10] winbindd/idmap_util.c:115(idmap_gid_to_sid)
   idmap_gid_to_sid: gid = [1004], domain = ''
 [2012/04/27 10:58:37.616243, 10] lib/gencache.c:334(gencache_get_data_blob)
   Cache entry with key = IDMAP/GID2SID/1004 couldn't be found
 [2012/04/27 10:58:37.616265, 10] winbindd/idmap.c:745(idmap_backends_unixid_to_sid)
   idmap_backend_unixid_to_sid: domain = '', xid = 1004 (type 2)
 [2012/04/27 10:58:37.616331, 10] winbindd

[Samba] passdb backend issue: setting other than 'smbpasswd' does not work

2011-09-12 Thread Kevin Broderick
I'm currently running the samba3x packages on Centos 5.6.  I recently switched 
to them from the SERnet Samba 3.3 packages to Centos Samba3x packages (smbd now 
reports Version 3.5.4-0.70.el5_6.1).

At the same time, I switched to ldapsam as a backend.  Everything seemed to be 
working fine until I tried to change a user's password with smbpasswd (as 
root).  smbpasswd did not report any errors, and pdbedit shows the last 
update for that password to match when I ran smbpasswd.  However, the updated 
password does not work to log in with smbclient.

I then switched to tdbsam, assuming that I had screwed up part of the ldap 
setup.  I saw the same issues.

Switching to the smbpasswd backend has everything working, but I'd rather hoped 
to switch everything over to LDAP so I can integrate some of our other systems 
in one directory.

I can pull logs, but I'm not sure which logs and debugging levels are most 
useful—there were no error messages even with the loglevel set to 5 during the 
smbpasswd run, and the access rejection comes up as NT_STATUS_WRONG_PASSWORD.  
It *seems* like smbd is reading from smbpasswd regardless of the passdb backend 
setting and that the smbpasswd utility is updating the correct backend based on 
the smb.conf setting.  I did run a service smbd reload each time I changed 
the config file.

Any suggestions?


Kevin T. Broderick
IT  Communications Coordinator
KILLINGTON MOUNTAIN SCHOOL
E: kbroder...@killingtonmountainschool.org
P: 802-422-5671
F: 802-422-5678







[Samba] Account locking synchronization between Linux and Windows (my solution)

2011-08-31 Thread Kevin Taylor

We are using a Samba domain controller with a Sun Directory Server 7 LDAP 
backend and we observed that when an account was locked out on Windows, it 
would not lock the account on Linux as well. 

We are using Samba 3.0.33 on CentOS 5.3 and this is the change I made:

 





To configure samba to perform proper windows lockout in conjunction 
with a linux lockout, we need to modify the samba source code to look 
for the pwdaccountlockedtime rather than sambaKickoffTime.

Download the source RPM for samba for the OS you're using. This example 
uses samba-3.0.33-3.7.el5.src.rpm from CentOS 5.3

rpm -ivh samba-3.0.33-3.7.el5.src.rpm
cd /usr/src/redhat/SOURCES
tar -xzf samba-3.0.33.tar.gz
cd samba-3.0.33/source/lib
# edit smbldap.c: look for sambaKickoffTime and change to
# pwdaccountlockedtime (2 places)
cd /usr/src/redhat/SOURCES
rm samba-3.0.33.tar.gz
tar -czf samba-3.0.33.tar.gz samba-3.0.33
rm -rf samba-3.0.33
# install any dependencies (i.e. cups-devel) or do a --nodeps to ignore
rpmbuild -bb /usr/src/redhat/SPECS/samba.spec
cd /usr/src/redhat/RPMS/x86_64
rpm -Uvh --replacepkgs --force samba*.rpm

I'm not sure if this issue was addressed in later versions of Samba. I'm just 
posting this in case someone finds it helpful, or knows of a better/safer way 
to accomplish the same thing.

Thanks.

Kevin Taylor
  


Re: [Samba] Very slow write performance to RAID

2011-07-26 Thread Kevin Taylor


These are XP clients.

 Date: Mon, 25 Jul 2011 13:28:33 -0700
 From: j...@samba.org
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 Subject: Re: [Samba] Very slow write performance to RAID
 
 On Mon, Jul 25, 2011 at 01:06:48PM -0400, Kevin Taylor wrote:
  
  We have a RAID set up as our main fileserver (running samba 3.0.33 on 
  linux, CentOS 5). The main disk area is an XFS partition of about 8TB. I'm 
  using iostat to monitor disk I/O since we've gotten complaints about speed 
  and I'm noticing that when I write something to the samba share, the write 
  speed is horrible. For a 15GB file it is reporting to finish in about 20 
  minutes.
  
  iostat reports very little write I/O...on the level of maybe 7 write i/o's 
  every 5 seconds or so.
  
  If I were to read .5GB of data off of the samba share, it transfers quickly 
  (and I see 300 reads/s through iostat)...which would be about normal.
  
  Any idea of why I'm getting such lousy write speed? 
 
 Test using a modern (i.e. much later than 3.0.33) smbclient.
 
 This pipelines writes so you should see much greater
 throughput if it's the client that's at fault. What
 client are you using ?
 
 Jeremy.
  


[Samba] Very slow write performance to RAID

2011-07-25 Thread Kevin Taylor

We have a RAID set up as our main fileserver (running samba 3.0.33 on linux, 
CentOS 5). The main disk area is an XFS partition of about 8TB. I'm using 
iostat to monitor disk I/O since we've gotten complaints about speed and I'm 
noticing that when I write something to the samba share, the write speed is 
horrible. For a 15GB file it is reporting to finish in about 20 minutes.

iostat reports very little write I/O...on the level of maybe 7 write i/o's 
every 5 seconds or so.

If I were to read .5GB of data off of the samba share, it transfers quickly 
(and I see 300 reads/s through iostat)...which would be about normal.

Any idea of why I'm getting such lousy write speed? 

If I generate some data to write on the fileserver itself (not going through 
samba) I can get some decent numbers.

With the command:   dd if=/dev/zero of=/data/testfile bs=1024k count=1

I saw the 10GB write with a speed of 270MB/s, which is decent, so I'm not 
thinking there's anything wrong with the disk or raid controller.





  


Re: [Samba] Very slow write performance to RAID

2011-07-25 Thread Kevin Taylor


This system is a hardware RAID 6 with I believe 256k strip size set up on it, 
but a default xfs filesystem on it (mounted with nobarrier, noatime, 
nodiratime). We do have write-caching enabled on the RAID controller.



 From: cwe...@gmail.com
 Date: Mon, 25 Jul 2011 12:45:02 -0500
 To: samba@lists.samba.org
 Subject: Re: [Samba] Very slow write performance to RAID
 
 On Mon, Jul 25, 2011 at 12:06 PM, Kevin Taylor
 groucho.64...@hotmail.com wrote:
 
  We have a RAID set up as our main fileserver (running samba 3.0.33 on 
  linux, CentOS 5). The main disk area is an XFS partition of about 8TB. I'm 
  using iostat to monitor disk I/O since we've gotten complaints about speed 
  and I'm noticing that when I write something to the samba share, the write 
  speed is horrible. For a 15GB file it is reporting to finish in about 20 
  minutes.
 
  With the command:   dd if=/dev/zero of=/data/testfile bs=1024k count=1
 
  I saw the 10GB write with a speed of 270MB/s, which is decent, so I'm not 
  thinking there's anything wrong with the disk or raid controller.
 
 
 dd isn't really a great test since it heavily uses caches, and it's
 about as sequential as you can get, where samba access is more likely
 to be highly random.  iometer with dynamo can get you a more real
 workload type benchmark.
 
 That said, to me this sounds like a block size and alignment plus
 write-back type of issue.  Here's some background and examples with
 xfs+lvm+mdadm, the base concepts apply to hardware raid too
 http://www.linux.sgi.com/archives/xfs/2007-06/msg00411.html .  Even if
 you are getting acceptable perf local, you may be able to get better
 if you aren't doing these things, and anything remote will amplify any
 latency greatly.
 Next toss in windows wanting to flush at 4k or 64k, which should pass
 on through to the disk, causing a 128K stripe to flush again with
 every 4K, and multiple 128K stripes if things aren't aligned just
 right.  Then add in the read+modify+write+hash+write operation that
 raid5 does and you can start to see where performance can fail.
 Hardware raid with battery backed write cache can alleviate this since
 it won't wait for the disk spindles.
 
 Possibly Samba can be tweaked to match your stripe size, I don't know
 how off-hand.


[Samba] Printing trouble with Windows XP clients; Windows 7 and Mac client work fine

2011-02-24 Thread Kevin Broderick
I'm trying to switch our network from IP-based printing (directly to the 
printers) to using Samba printing via our existing server, both for 
Point-and-Print functionality and to be able to log print usage.  I've followed 
the directions in the HOWTO and also the policy information in the WIKI (at 
http://wiki.samba.org/index.php/Implementing_System_Policies_with_Samba) to 
remove point-and-print restrictions.

I've loaded the drivers on the server, apparently with success, via a Windows 
XP machine's Server Properties box (while logged in as a user with admin 
privileges on the domain).  The drivers show up on the server and are 
automatically downloaded when I attempt to connect to a printer, whether on XP 
or Windows 7.  (I may have tested a non-domain Vista machine, not sure, but 
definitely have tested several non-domain Windows 7 machines).

Printing works fine from Windows 7 and Mac clients (although the latter are 
obviously not doing Point and Print).

Printing does not work from XP clients, whether domain members or not.  I have 
tried bumping the log level on a per-machine basis on one Windows 7 box and one 
Windows XP box, and the only difference that looks out of place is the Windows 
XP box apparently looking for shell32.dll on the server and not finding it.  I 
can post the log files somewhere, but I'm not sure if there's something in 
particular (beyond an error condition) that I should be looking for—I've tried 
both log level 3 and log level 20, so I have a ton of information currently 
logging.  I can see the printer drivers being found, printer settings being 
seen, etc.

On the client, I've been trying the Print a test page button from the printer 
dialog box.  The error I get is The test page failed to print.  Would you like 
to view the print troubleshooter for assistance?  Nothing useful (or even 
apparently related) appears in the System or Application logs on the client.


Kevin T. Broderick
IT  Communications Coordinator
KILLINGTON MOUNTAIN SCHOOL
E: kbroder...@killingtonmountainschool.org
P: 802-422-5671
F: 802-422-5678







Re: [Samba] another question about account locking

2011-01-17 Thread Kevin Taylor


I'm not making much progress over here. I agree with the pam_deny item you list 
below. Putting the pam_deny line in the account settings will definitely 
prevent me from letting the windows users authenticate. But the issue remains 
where if the account is locked through the LDAP server, whatever samba is 
looking for when it queries is enough to satisfy the pam_ldap module's account 
info.

Removing the pam_ldap line from the account section doesn't make a difference 
to the linux user logging in, but it won't let samba through...like you 
mention.

We don't want to always fail the account, only when it's locked.

Is there something in ldap.conf that can be remapped to read this correctly?




 Date: Fri, 14 Jan 2011 03:56:29 +0900
 Subject: Re: [Samba] another question about account locking
 From: mo...@monyo.com
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 
 2011/1/14 Kevin Taylor groucho.64...@hotmail.com:
 
  I did give it a try with no luck. However, I'm not sure that the way the 
  pam rules I have set out would cause that to trip anyway.
 
  On most of our linux machines, we'd have the system-auth looking like this 
  (what is the default generated by system-config-authentication)
 
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_ldap.so use_first_pass
  auth        required      pam_deny.so
 
  So, if the LDAP lookup of whatever authentication information fails, then 
  the user will be denied. That's fine...but in practice, once the LDAP 
  server locks out the account, samba still is able to read what it needs 
  from the sambantpassword field, and thus approves the connection.
 
 Sorry, auth section will not work with Samba, as described in smb.conf(5).
 I put pam_deny.so into account section. For example,
 /etc/pam.d/common-account on
 my lenny box:
 
 -
 account required   pam_unix.so
 account required   pam_deny.so
 -
 
 This means always FAIL at account section.
 
 To check if an account is disabled is usually done at account section, I 
 think.
 
 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp
  


[Samba] Yet another question about account locking

2011-01-17 Thread Kevin Taylor


Let me try asking something different.

The field 'sambaKickoffTime' in LDAP (if set to a correct time) will prevent a 
user from logging into a windows system. The time format for 
'pwdaccountlockedtime' is acceptable for the sambaKickoffTime field as well.

If I modify the samba source, source3/lib/smbldap.c and change the 
'sambaKickoffTime' items to 'pwdaccountlockedtime' and rebuild, everything 
works the way I would like...so samba is now looking at the same field in the 
LDAP server that the linux side is. yay.

However...does anyone know of a way to accomplish the same thing without a 
code recompile? Can /etc/ldap.conf nss_map_attributes work for the same thing? 
(I didn't get this to work, but I may not have done it right)...or is there an 
obscure setting in the schema that I can use to have samba look at the other 
attribute?

Thanks.






 Date: Fri, 14 Jan 2011 03:56:29 +0900
 Subject: Re: [Samba] another question about account locking
 From: mo...@monyo.com
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 
 2011/1/14 Kevin Taylor groucho.64...@hotmail.com:
 
  I did give it a try with no luck. However, I'm not sure that the way the 
  pam rules I have set out would cause that to trip anyway.
 
  On most of our linux machines, we'd have the system-auth looking like this 
  (what is the default generated by system-config-authentication)
 
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_ldap.so use_first_pass
  auth        required      pam_deny.so
 
  So, if the LDAP lookup of whatever authentication information fails, then 
  the user will be denied. That's fine...but in practice, once the LDAP 
  server locks out the account, samba still is able to read what it needs 
  from the sambantpassword field, and thus approves the connection.
 
 Sorry, auth section will not work with Samba, as described in smb.conf(5).
 I put pam_deny.so into account section. For example,
 /etc/pam.d/common-account on
 my lenny box:
 
 -
 account required   pam_unix.so
 account required   pam_deny.so
 -
 
 This means always FAIL at account section.
 
 To check if an account is disabled is usually done at account section, I 
 think.
 
 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp
  


[Samba] another question about account locking

2011-01-13 Thread Kevin Taylor

Is there a way that we can increment the samba bad password count, when a user 
fails a password on a linux system? I'm looking for ways to get both Windows 
and Linux to simultaneously lock out accounts if they fail so many times. We're 
using an LDAP backend.

  


Re: [Samba] another question about account locking

2011-01-13 Thread Kevin Taylor


Unfortunately, that doesn't work. Since we're using an LDAP backend, we had to 
turn on 'encrypt passwords=yes' which bypasses the pam checking.



 Date: Fri, 14 Jan 2011 02:51:58 +0900
 Subject: Re: [Samba] another question about account locking
 From: mo...@monyo.com
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 
 2011/1/13 Kevin Taylor groucho.64...@hotmail.com:
 
  Is there a way that we can increment the samba bad password count, when a 
  user fails a password on a linux system? I'm looking for ways to get both 
  Windows and Linux to simultaneously lock out accounts if they fail so many 
  times. We're using an LDAP backend.
 
 How about obey pam restrictions = yes ?
 
 obey pam restrictions = yes means Samba should obey PAM's restriction.
 
 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp
  


Re: [Samba] another question about account locking

2011-01-13 Thread Kevin Taylor


I did give it a try with no luck. However, I'm not sure that the way the pam 
rules I have set out would cause that to trip anyway.

On most of our linux machines, we'd have the system-auth looking like this 
(what is the default generated by system-config-authentication)

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

So, if the LDAP lookup of whatever authentication information fails, then the 
user will be denied. That's fine...but in practice, once the LDAP server locks 
out the account, samba still is able to read what it needs from the 
sambantpassword field, and thus approves the connection. 

I'll have to reconfigure a couple of things to double check on share accesses, 
but it's really the interactive logins I need to lock.

Sorry if I'm being difficult about it. :)



 Date: Fri, 14 Jan 2011 03:38:05 +0900
 Subject: Re: [Samba] another question about account locking
 From: mo...@monyo.com
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 
 2011/1/14 Kevin Taylor groucho.64...@hotmail.com:
  Unfortunately, that doesn't work. Since we're using an LDAP backend, we had 
  to turn on 'encrypt
  passwords=yes' which bypasses the pam checking.
 
 Have you actually tried it?
 
 To set obey pam restrictions = yes,  Samba obeys PAM's restriction.
 
 For example, try:
 
 -
 [global]
  (encrypt passwords = yes) -- default value, so not to need to set explicitly
   obey pam restrictions = yes
 
 [homes]
   writeable = yes
   browseable = no
 -
 
 Usually, a user can access the homes share with valid password, but if you
 set pam_deny.so correctly in system-auth, common-account or such a file, then
 anyone can logon and you can see the error messages:
 
 -
 [2011/01/14 03:24:00,  0] auth/pampass.c:smb_pam_accountcheck(792)
   smb_pam_accountcheck: PAM: Account Validation Failed - Rejecting User monyo!
 -
 
 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp
  


[Samba] another question about account locking

2011-01-13 Thread Kevin Taylor











Ok. I'm still not able to lock out the account, but now that I've got the pam 
restrictions line in the smb.conf, I'm seeing messages appear in 
/var/log/secure related to samba:account and samba:session

So, that means that the login session is doing SOMETHING with pam, but I'm not 
able to deny access at this point. If I'm not careful with the placement of 
pam_deny then I prevent everyone from logging on. I had that issue with my 
first test.

What exactly is samba asking of the ldap server at this stage that would 
generate a failure that pam will recognize I wonder.

If the account request is just asking if the account is there, and some basic 
samba ldap settings, then of course it will succeed. If the session is doing 
the same, then it will be ok. 

Just as a guaranteed verification of what PAM will do. I put the pam_deny line 
first thing in the session clause. I could still log in, but got errors 
downloading the profile. I moved the pam_deny into the account section, and I 
was not able to log into the windows machine. This is good...but that was a 
forced deny for everyone for everything




 Date: Fri, 14 Jan 2011 03:56:29 +0900
 Subject: Re: [Samba] another question about account locking
 From: mo...@monyo.com
 To: groucho.64...@hotmail.com
 CC: samba@lists.samba.org
 
 2011/1/14 Kevin Taylor groucho.64...@hotmail.com:
 
  I did give it a try with no luck. However, I'm not sure that the way the 
  pam rules I have set out would cause that to trip anyway.
 
  On most of our linux machines, we'd have the system-auth looking like this 
  (what is the default generated by system-config-authentication)
 
  auth        required      pam_env.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_ldap.so use_first_pass
  auth        required      pam_deny.so
 
  So, if the LDAP lookup of whatever authentication information fails, then 
  the user will be denied. That's fine...but in practice, once the LDAP 
  server locks out the account, samba still is able to read what it needs 
  from the sambantpassword field, and thus approves the connection.
 
 Sorry, auth section will not work with Samba, as described in smb.conf(5).
 I put pam_deny.so into account section. For example,
 /etc/pam.d/common-account on
 my lenny box:
 
 -
 account required   pam_unix.so
 account required   pam_deny.so
 -
 
 This means always FAIL at account section.
 
 To check if an account is disabled is usually done at account section, I 
 think.
 
 ---
 TAKAHASHI Motonobu mo...@samba.gr.jp
  


[Samba] Windows and Linux account locking with an LDAP backend

2011-01-12 Thread Kevin Taylor

I thought I would ask here to see if anyone has had a similar situation and a 
solution.

We've got a SunOne Directory Server set up to authenticate our users on Linux. 
To get shared authentication with Windows, we set up Samba (2.0.33 as ships 
with CentOS 5) and the smbldap-tools.

What we need to do is get account locking to work across the board...such that 
if a user fails 5 times on a Windows machine, they will be locked out on the 
Linux systems as well...and vice versa.

Here's what I'm seeing:

On windows, failing authentication updates the Bad Password Count in Samba, 
additionally it adds a pwdfailuretime to the LDAP server. This is good, and 
is what we would like to see.

Fail 2, similar
Fail 3, similar
Fail 4, similar

On Fail 5, what seems to be happening is that the LDAP server puts in its 5th 
pwdfailuretime item, thereby locking the account, and essentially preventing 
Windows/samba from updating the final sambabadpasswordcount number...so 
Windows is eternally stuck at 4 failures. Entering a bad password on the 
Windows side says There is a problem with the account, but entering the 
correct password lets the user right in.

That's problem one. I can clarify any of this if needed.

The other thing we want to be able to do is that if a user fails 5 times on 
Linux that it will lock out the Windows accounts. Any idea how to do that?

Thanks for any hints or conversations we can start about this. :)
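
The lockout gap described in this post and in the 2011-08-31 "my solution" post above (the directory locks the entry while Samba still reads sambaNTPassword and only honours its own sambaKickoffTime) can be checked for from an LDIF export. The following is an added example, not code from the thread or from Samba: the entries, the PLACEHOLDER hash values and the function names are constructed, the sambaAcctFlags letters D and L are read as disabled and auto-locked, and any entry carrying pwdAccountLockedTime is assumed to be locked.

```python
"""Added example: audit an LDIF export for lockout drift between the
directory password policy and Samba. All entries below are constructed."""
from datetime import datetime, timezone
LOCKOUT_THRESHOLD = 5  # failed attempts before lockout, as in the post

# Constructed sample; PLACEHOLDER stands in for the NT hash values.
# alice: directory locked on the 5th failure, Samba counter stuck at 4.
# bob: locked on both sides. carol: expired kickoff time. dave: Samba only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaNTPassword: PLACEHOLDER
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 4
pwdFailureTime: 20110112150001Z
pwdFailureTime: 20110112150102Z
pwdFailureTime: 20110112150203Z
pwdFailureTime: 20110112150304Z
pwdFailureTime: 20110112150405Z
pwdAccountLockedTime: 20110112150405Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
sambaNTPassword: PLACEHOLDER
sambaAcctFlags: [UL         ]
pwdAccountLockedTime: 20110112160000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
sambaNTPassword: PLACEHOLDER
sambaKickoffTime: 1294844645
pwdAccountLockedTime: 20110112150405Z

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
sambaAcctFlags: [UD         ]
"""

def parse_ldif(text):
    """Return entries as dicts mapping lower-cased attribute -> list of values."""
    logical = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:
        if not line.strip():              # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):    # skip LDIF comments
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def first(entry, attr, default=None):
    return entry.get(attr, [default])[0]

def parse_time(value):
    """Accept GeneralizedTime (YYYYmmddHHMMSS...Z) or an integer Unix timestamp."""
    if value.upper().endswith("Z"):
        stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
        return stamp.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def samba_blocks_logon(entry, now):
    """True if Samba's own attributes already refuse the logon."""
    flags = first(entry, "sambaacctflags", "").strip("[] ")
    if "D" in flags or "L" in flags:      # disabled or auto-locked
        return True
    kickoff = first(entry, "sambakickofftime")
    return kickoff is not None and parse_time(kickoff) <= now

def audit(entries, now, threshold=LOCKOUT_THRESHOLD):
    """Return (uid, finding) tuples for accounts whose lock state disagrees."""
    findings = []
    for entry in entries:
        uid = first(entry, "uid", first(entry, "dn", "?"))
        # Assumption: presence of pwdAccountLockedTime means locked by policy.
        dir_locked = "pwdaccountlockedtime" in entry
        samba_locked = samba_blocks_logon(entry, now)
        failures = len(entry.get("pwdfailuretime", []))
        bad_count = int(first(entry, "sambabadpasswordcount", "0"))
        if dir_locked and not samba_locked and "sambantpassword" in entry:
            findings.append((uid, "DIRECTORY_LOCKED_SAMBA_OPEN"))
        if samba_locked and not dir_locked:
            findings.append((uid, "SAMBA_BLOCKED_DIRECTORY_OPEN"))
        if failures >= threshold > bad_count:
            findings.append((uid, "SAMBA_COUNTER_BEHIND"))
    return findings

def run_sample():
    now = datetime(2011, 1, 13, tzinfo=timezone.utc)  # fixed clock for the sample
    return audit(parse_ldif(SAMPLE_LDIF), now)

if __name__ == "__main__":
    print(run_sample())
```

On the sample data only alice and dave are reported; bob and carol are blocked on both sides and produce no finding.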


  


Re: [Samba] Samba on top of Windows?

2010-05-07 Thread Kevin Keane
There are numerous issues with the original poster's request.

For one, he doesn't want to deal with the complexities of a Windows domain or 
home group - but considers ripping out the heart of Windows networking and 
replacing it with Samba. That's akin to taking your brand new Hybrid car to the 
shop and telling the mechanic the hybrid engine is too complex and something I 
don't want to deal with. Can't you just replace the engine with one from a 2010 
Volkswagen, configure it to run in 1965 VW Beetle mode, and then simply install 
a computer to tune it for the Mercedes?

For another, Windows 98 !? I hate to say it, but without a lot of fiddling, you 
won't get it to talk to Windows 7. Windows 98 is five major releases and a 
complete architecture change away. Microsoft stopped supporting Windows 98 
almost five years ago. In computer terms, this is stone age.

Microsoft has made major upgrades to the networking protocols in the meantime. 
In fact, the old versions of the networking protocols supported by Windows 98 
are so insecure that they are disabled by default on Windows. Heck, Windows 7 
uses IPv6 as the default protocol. That wasn't even INVENTED when Windows 98 
came out. You are lucky if the two machines can ping each other! The network 
neighborhood works differently. File sharing uses encryption and authentication 
protocols that weren't even dreamt up when Windows 98 came out.

For that matter, you would probably even have problems getting spare parts for 
the old Windows 98 machine. Have you tried buying floppy disk drives lately? Or 
a replacement hard disk for that machine?

You can probably get the two machines to talk somehow, but it will take some 
major research to even find out how to do it. 


My recommendation: retire the Windows 98 machine and donate it to a museum. If 
you keep the Windows 98 floppies and CDs and manage to get them into your 
Windows 7 machine, you can even install Windows 98 into a virtual machine.


All that said: yes, it's possible to run Samba on top of Windows. Simply buy 
and install VMWare workstation. Install Linux into a virtual machine. Install 
Samba into that Linux machine. Then spend a couple weeks tracking down how to 
configure Samba to talk to both Windows 7 and Windows 98 at the same time. Done.


 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Damien Dye
 Sent: Friday, May 07, 2010 2:24 AM
 To: Public Mailing Lists
 Cc: samba@lists.samba.org
 Subject: Re: [Samba] Samba on top of Windows?
 
 you turned off simple file sharing on the windows 7 host and enabled
 windows file sharing on the windows firewall ?
 
 
 --
 Damien Dye BSC(hon)
 
 
 
 
 On 5 May 2010 16:28, Public Mailing Lists li...@lists.cichon.com
 wrote:
  Hi all,

  I just bought a brand new PC for my living room (Asus eee Box) that
  happens to come with Windows 7. I can nicely plug in large USB hard
  drives, and my intention was to share these harddrives on the network,
  for example with my old Windows 98 PC on which I still run some favorite
  computer games. And of course, I would also like to access the large
  harddrive occasionally from my linux box (e.g. to put backups on them).

  However, I had to learn that Windows 7 does not want to share my
  harddrive with the other computer on the network that are not Windows 7.
  I tried all different kinds of things: I switched off the home
  group, I switched off various encryption/security settings in the
  control panel. I even changed some registry settings that I googled from
  the web. All without success. I spare you the technical details on
  this...

  I can't understand why it has to be so hard to just export a simple
  harddisk on the network. With every single version upgrade of Windows,
  it breaks. From Windows 95 to Windows 98. From Windows 98 to Windows XP.
  And now with Windows 7, again. IMHO, the purpose of networking is to
  COMMUNICATE with whichever protocol is out there.

  I don't want to deal with neither Windows domain controllers, nor home
  groups, nor roaming profiles, nor encryption requirements, nor anything
  that Windows will come up with in the next release that breaks
  everything else. I would like just export a hard disk with a user-name
  and a password and use it with everything from Windows 3.1 to my Linux
  box without getting a headache.

  So, my question is:
  Is it possible to run Samba on top of Windows?

  Thanks for your help in advance.

  Cheers,
  G.
 
 


Re: [Samba] disconnecting user from only one share

2010-05-06 Thread Kevin Keane
That is conceptually not possible, because logged in means that the user is 
authenticated - and that is always server-wide or even domain-wide (unless you 
use per-share authentication).

If you did kill his smbd subprocess, he could connect right back. What you 
could do is change the permission on that particular share, or better yet, on 
the underlying directory, to deny him access. 

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of raveenpl
 Sent: Tuesday, May 04, 2010 2:18 PM
 To: samba@lists.samba.org
 Subject: [Samba] disconnecting user from only one share
 
 
 Hello,
 
 I would like to know if somebody knows any way to disconnect/logout user
 only from one share.
 
 One of my users is using several samba shares. I would like to disconnect
 him only from one share. I noticed that killing PID of smbd subprocess
 causes disconnecting from all used shares - I can not afford it, because
 other shares are used by critical for my user applications.
 
 Any suggestions?
 
 Thanks a lot!



Re: [Samba] Long Delay on Fresh Windows 7 Clients

2010-05-03 Thread Kevin Keane
It may also be network discovery, and/or an IPv6 issue. Windows 7 tries to 
default to IPv6. There is no NETBIOS or WINS in IPv6, so DNS is pretty much 
mandatory (there also is Network Discovery, which is basically UPnP renamed).

My guess is that in your case, Windows 7 first tries to resolve 192.168.0.13 to 
an IPv6 address using DNS. Then it probably tries to look for it with UPnP. 
Only when those two fail would it use IPv4.

Disabling IPv6 is really a bad idea, but with Samba it may be your only option.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of smba...@gmx.com
 Sent: Monday, May 03, 2010 3:52 PM
 To: samba@lists.samba.org; michele.petra...@unipex.it
 Subject: Re: [Samba] Long Delay on Fresh Windows 7 Clients
 
 Thank you very much Michele. Because it's not trivial for me to
 introduce DNS for the local Samba server, I just tried accessing the
 share by typing its static IP address: \\192.168.0.13\sharename.
 
 I still get the same delay.
 
 Perhaps it's not DNS resolution that's causing that?
 
 Thanks,
 Daniel
 
 mich...@unipex.it wrote:
  smba...@gmx.com wrote:
  When I type \\sambahost\sharename, a prompt for the username and
  password will eventually appear (and let me authenticate
  successfully) but it takes almost forever (i.e. 1-5 minutes) until
  that prompt dialog box appears.
 
 Last week my customer called me about the same problem, where I had
 installed an old version of Samba (like yours) without local DNS.
 After some tests, a simple bind9 + master local zone and a reverse one
 solved the problem.
 I don't know further technical details, but I presume that 7 _needs_ a
 reply from a DNS. If it does not find a good one, before going to timeout and
 switching to WINS resolution, it takes *a lot of time*


Re: [Samba] samba 4 for new authentication domain?

2010-04-27 Thread Kevin Keane
 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Morty
 Sent: Tuesday, April 27, 2010 1:08 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] samba 4 for new authentication domain?
 
 On Tue, Apr 27, 2010 at 07:36:39PM +1200, David Harrison wrote:
 
  You should clarify what mechanisms those web apps use for authentication.
 
 I don't know.  :)  The apps are black-box COTS apps which use AD for
 authentication.

You can usually find out simply by reading the documentation on how to set up 
authentication. Just as David said, almost all of them would use LDAP. The only 
exception is anything that supports Single-Sign-On via Internet Exploder. In 
that case, it's probably Kerberos.

 I didn't pick them, and don't have much insight into
 them.  More apps might come later, so even if I can research and
 answer this question based on the current profiles, requirements might
 change.  What I want to do is spec hardware and any necessary software
 to support authentication for the apps.  I'd prefer to use free/open
 source software if it will work as a drop-in replacement for AD.

You won't find true drop-in replacements anywhere. Even Samba 3 isn't a drop-in 
replacement for file sharing or NT domains; certain things won't work. For 
instance, some accounting packages (Quickbooks or Peachtree) also require a 
database component on the server.

I'm sure there will be similar issues with Samba 4 vs. Active Directory.

  Generally most web apps use LDAP/NTLM for authentication and LDAP for
  pulling user information.
  These two things you can achieve more reliably using Samba3 with an LDAP
  backend compared to Samba 4 (at this stage).
 
 I've played with samba3+openldap+kerberos+bind9 as a replacement for
 AD before.  It was extremely complex to set up and maintain, so I don't
 want to do that in production.

Agreed. Basically, that simplicity (and the tools to do it) is what you buy 
with the $$$ from Microsoft. Or with the $$$ to a RedHat consultant to make it 
all work for you.

 samba4 seemed like it would be
 simpler and more compatible with AD.  Ah, well.  :(

What I found works exceedingly well (although not flawlessly) is a Windows AD 
Domain Controller, and then Samba servers for file and print sharing.



Re: [Samba] samba 4 for new authentication domain?

2010-04-26 Thread Kevin Keane
Exactly WHY do you need AD instead of NT domains? Without understanding that, I 
don't think your question can be answered. In some cases, you can use a 
stand-alone Kerberos and/or LDAP server. Or conversely, some application you 
use may require a Microsoft AD server, sometimes even a specific version.

Basically, your tradeoff is between cost and risk. Windows 2008 R2 is all but 
guaranteed to work no matter what AD issue you throw at it, but it can get 
expensive, especially if you have many users.

On the other hand, Samba is free, but Samba 4 is pretty unproven at this point.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Morty
 Sent: Monday, April 26, 2010 9:19 PM
 To: samba@lists.samba.org
 Subject: [Samba] samba 4 for new authentication domain?
 
 The various pages about samba 4 warn about rough edges, upgrade, file
 services, and print services.  I have some domains that have never had
 a Windows domain that now need Windows AD authentication.  I don't
 need file services and print services, and upgrade is not a problem.
 Is samba 4 ready for this use case, or should we still go with
 Microsoft's AD?
 
 Thanks!
 
 - Morty


[Samba] Allow Local System user on win2k3 access to Samba share

2010-04-25 Thread Kevin A. Brown
Greetings,

I have a service running on a Windows Server 2003 box that I want to write to a 
Samba share running on Solaris 10. The Samba is not a DC. How can I give access 
to the Local System user on the Windows box without making the share writeable 
to any other user or system?

Regards,
KB






Re: [Samba] Allow Local System user on win2k3 access to Samba share

2010-04-25 Thread Kevin A. Brown
It's a MS SQL database service. Our standard is to have it run as Local System.

KB

-Original Message-
From: Damien Dye [mailto:damien.j@googlemail.com]
Sent: Sunday, April 25, 2010 6:27 PM
To: Kevin A. Brown; samba@lists.samba.org
Subject: RE: [Samba] Allow Local System user on win2k3 access to Samba share

You could run the service on the Windows 2k3 box under another username that's 
allowed to access Samba. As long as the usernames and passwords match I don't 
see any issues.

-Original Message-
From: Kevin A. Brown kevin.br...@digicelgroup.com
Sent: 25 April 2010 10:58 PM
To: samba@lists.samba.org samba@lists.samba.org
Subject: [Samba] Allow Local System user on win2k3 access to Samba share

Greetings,

I have a service running on a Windows Server 2003 box that I want to write to a 
Samba share running on Solaris 10. The Samba is not a DC. How can I give access 
to the Local System user on the Windows box without making the share writeable 
to any other user or system?

Regards,
KB




Re: [Samba] samba server file read size limit of 64MB for HDF files

2010-04-12 Thread Kevin Taylor


Just to add a little info, we found that Windows XP has some sort of internal 
read buffer of around 67,076,095 bytes. There's a couple of references to a 
number like that on the internet.

However, a windows 2008 server share seems to ignore, or account for that 
buffer and handles the reads properly, but a Samba share does not.

Does anyone have any thoughts or ideas on a setting that might help?



 From: groucho.64...@hotmail.com
 To: samba@lists.samba.org
 Date: Wed, 7 Apr 2010 09:41:41 -0400
 Subject: [Samba] samba server file read size limit of 64MB for HDF files
 
 
 Sorry if that's a vague subject, but this problem is a little weird and I'm 
 just wondering if there are any suggestions out there.
 
 We've got a Samba server (3.0.23) running on a CentOS 5.3 server offering up 
 a data share of 7TB on an XFS filesystem. The authentication all happens 
 through a Samba PDC with an LDAP backend all on a different server. The 
 system in question is just a domain member fileserver.
 
 On the data share are several HDF files that we try to read into a couple of 
 different applications on XP. I'm using the Compaq Array Visualizer just to 
 look at them. The files on the server are owned by root, and world 
 read/writable. As a regular user on the XP client, if I look at one of the 
 files that's ~30MB in size, I'm presented with all the numbers I expect to 
 see. If I look at a file that's larger than 64MB (80MB for the specific ones 
 I was testing, but we've found the problem after 64MB in size) I no longer 
 see the numbers that I would expect...it's all zeroed out at the beginning.
 
 If I copy the 80MB HDF to my local XP workstation, it works fine, so it's not 
 a corrupted file or anything.
 
 The weird part is that if I go onto the linux server and change the ownership 
 of the file to my regular user account, it all works fine...I can read the 
 80MB file through samba and see all the numbers I should...but no other users 
 can. If I change the ownership to someone else, they can then see it all, and 
 I can't again.
 
 At one point all of these files were hosted from a Windows 2008 Server, and 
 never experienced these problems, only after the move to the Samba server.
 
 The fact that anything smaller than 64MB works, starts to sound like a 
 possible setting that I can change.
 
 Unfortunately I can't provide the HDF files I'm using, and if you want to see 
 the smb.conf let me know and I can try to get that posted.
 
 If anyone has any insight or help to offer, it would be appreciated.
 
 Thanks.
 
 Kevin Taylor
 


[Samba] samba server file read size limit of 64MB for HDF files

2010-04-07 Thread Kevin Taylor

Sorry if that's a vague subject, but this problem is a little weird and I'm 
just wondering if there are any suggestions out there.

We've got a Samba server (3.0.23) running on a CentOS 5.3 server offering up a 
data share of 7TB on an XFS filesystem. The authentication all happens through 
a Samba PDC with an LDAP backend all on a different server. The system in 
question is just a domain member fileserver.

On the data share are several HDF files that we try to read into a couple of 
different applications on XP. I'm using the Compaq Array Visualizer just to 
look at them. The files on the server are owned by root, and world 
read/writable. As a regular user on the XP client, if I look at one of the 
files that's ~30MB in size, I'm presented with all the numbers I expect to see. 
If I look at a file that's larger than 64MB (80MB for the specific ones I was 
testing, but we've found the problem after 64MB in size) I no longer see the 
numbers that I would expect...it's all zeroed out at the beginning.

If I copy the 80MB HDF to my local XP workstation, it works fine, so it's not a 
corrupted file or anything.

The weird part is that if I go onto the linux server and change the ownership 
of the file to my regular user account, it all works fine...I can read the 80MB 
file through samba and see all the numbers I should...but no other users can. 
If I change the ownership to someone else, they can then see it all, and I 
can't again.

At one point all of these files were hosted from a Windows 2008 Server, and 
never experienced these problems, only after the move to the Samba server.

The fact that anything smaller than 64MB works, starts to sound like a possible 
setting that I can change.

Unfortunately I can't provide the HDF files I'm using, and if you want to see 
the smb.conf let me know and I can try to get that posted.

If anyone has any insight or help to offer, it would be appreciated.

Thanks.

Kevin Taylor
  


Re: [Samba] Not another SAMBA through a firewall post

2010-03-05 Thread Kevin Keane
I think part of your problem is that both of your NICs are on the same subnet. 
That will usually cause headaches; it confuses the routing table. It is 
entirely possible that Samba responds from IP 10.0.0.246 even when the 
connection goes to .245 - and you don't have firewall rules for that. Note that 
the interfaces statement isn't necessarily going to help - you should actually 
shut down the second NIC (ifdown eth1) to have it completely removed from Linux.

Also, at least for testing, I would also simplify the setup - only use port 
445, and only tcp. That way, you only have to debug one rule instead of eight. 
Use telnet to test if you can reach the Samba server from the outside world. 
Also, only use UDP and TCP, not both. 137 and 138 should be UDP; 139 and 445 
should be TCP. 

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of randa...@bioinfo.wsu.edu
 Sent: Friday, March 05, 2010 1:42 PM
 To: samba@lists.samba.org
 Subject: [Samba] Not another SAMBA through a firewall post
 
 I suppose a few questions pop up on this list about accessing Samba
 through a firewall.  I have been very successful running Samba through
 a firewall, until today.  I hit a stumbling block.
 
 I have a Linux Firewall with the public IP Address of 134.x.x.140 it
 is not the exact ip address, but close.  I am using NAT and port
 forwarding to send traffic destined for 137, 138,139, and 445 for BOTH
 TCP and IP to an internal host of 10.0.0.245.  This internal host has
 two network interface cards, 10.0.0.245 and 10.0.0.246.
 
 Here are my firewall rules:
 
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
 
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
 
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
 
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
   $IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
 
   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
   $IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
   $IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
 
 When I have both network cards activated, I am unable to access SAMBA
 through the firewall.  However, I can access them on the local LAN.  I
 try to tell Samba to use eth0 and lo using:
 
 interfaces = lo eth0
 bind interfaces only = yes
 
 Still does not work.  I can use tcpdump -i eth0 and I can see packets going
 through the firewall:
 13:36:10.904331 IP 134.x.x.19.34251  10.0.0.245.139: S
 2273296206:2273296206(0) win 5840 mss 1460,sackOK,timestamp 4731872
 0,nop,wscale 7
 
 And also I can see the requests arriving on eth0 on the Samba server:
 13:35:55.777985 IP 134.x.x.19.34251  10.0.0.245.139: Flags [S], seq
 2273296206, win 5840, options [mss 1460,sackOK,TS val 4731872 ecr
 0,nop,wscale 7], length 0
 
 I am at a loss as to why this is happening.  Anyone care to enlighten
 me?
 
 Randall Svancara
 
 
 
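The checks suggested in the reply above (one transport per port, no duplicate rules, translation for every address the server can answer from), run over the rules from the quoted post. This is an added example, not part of the original thread; the function names are illustrative, and the rule text is transcribed from the post with its wrapped lines joined.

```python
import shlex
from collections import Counter

# Transport each NetBIOS/SMB port uses, as listed in the reply above.
EXPECTED_PROTO = {137: "udp", 138: "udp", 139: "tcp", 445: "tcp"}

# iptables options this audit looks at, mapped to short field names.
OPTIONS = {"-A": "chain", "-p": "proto", "--dport": "dport",
           "-s": "source", "-j": "target"}

# Rule set transcribed from the quoted post, one rule per line.
# "134.x.x.140" is the poster's own redaction and is treated as an opaque string.
RULES = """\
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 137 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:137
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 138 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:138
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:139
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 445 -d 134.x.x.140 -j DNAT --to-destination 10.0.0.245:445
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p tcp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
$IPTABLES -t nat -A POSTROUTING -o eth0 -p udp -s 10.0.0.245 -j SNAT --to-source 134.x.x.140
"""


def parse_rules(text):
    """Parse iptables command lines into dicts holding only the audited options."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        # Drop the command word so identical rules compare equal.
        rule = {"raw": " ".join(tokens[1:])}
        for flag, value in zip(tokens, tokens[1:]):
            if flag in OPTIONS:
                rule[OPTIONS[flag]] = value
        rules.append(rule)
    return rules


def wrong_protocol_forwards(rules):
    """DNAT rules that forward a port over a transport the service does not use."""
    bad = []
    for r in rules:
        if r.get("target") != "DNAT" or not r.get("dport", "").isdigit():
            continue
        port = int(r["dport"])
        want = EXPECTED_PROTO.get(port)
        if want and r.get("proto") != want:
            bad.append((r.get("proto"), port, want))
    return bad


def duplicate_rules(rules):
    """Rules that appear more than once, which only add noise when debugging."""
    counts = Counter(r["raw"] for r in rules)
    return [raw for raw, n in counts.items() if n > 1]


def sources_without_snat(rules, server_addrs):
    """Server addresses with no SNAT rule: replies sent from them leave untranslated."""
    covered = {r.get("source") for r in rules if r.get("target") == "SNAT"}
    return [addr for addr in server_addrs if addr not in covered]


def debug_forward(rules):
    """The single forward the reply suggests keeping while testing: TCP 445 only."""
    return [r["raw"] for r in rules
            if r.get("target") == "DNAT"
            and r.get("proto") == "tcp" and r.get("dport") == "445"]


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for proto, port, want in wrong_protocol_forwards(parsed):
        print(f"forward {proto}/{port} is unnecessary: the service uses {want}")
    for raw in duplicate_rules(parsed):
        print(f"duplicate rule: {raw}")
    # Both NICs of the internal host, as given in the post.
    for addr in sources_without_snat(parsed, ["10.0.0.245", "10.0.0.246"]):
        print(f"no SNAT rule for replies sent from {addr}")
    print("keep for testing:", debug_forward(parsed))
```
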

Re: [Samba] Unable to find Samba Server, Windows Network

2010-03-01 Thread Kevin Keane
It's probably an authentication or permission problem. Since you can see 
\\Server, name resolution is working, but the Samba server won't let your XP 
user have access to anything. To confirm that this is the problem, try turning 
on guest accounts with the setting

(be careful with this setting; read man smb.conf for a pitfall warning!)
Map to guest = bad password

And then guest ok = yes in each of your shares.

This will leave your Samba server wide open for everybody.

If things now work, you know that the problem is related to Samba not 
recognizing the user.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Michael Johnston
 Sent: Sunday, February 28, 2010 8:56 PM
 To: samba
 Subject: [Samba] Unable to find Samba Server, Windows Network

 Hi, I am having some problems setting permissions to access a Samba
 share on my Windows XP box. So what follows is all the information I
 thought would be useful to helping me out.

 Firstly, neither box has a firewall running. Both computers are able
 to ping each other's IPs. When on my XP box, I go to Map Network
 Drive I am able to find my Samba computer \\Server in my workgroup
 MSHOME. I am able to expand the \\Server to see \\Server\Shared.
 However when I click finish, it tells me The network path
 \\Server\Shared could not be found.

 Here is the output of the command net view \\Server from my XP box:

 [CODE]   Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\net view \\server
Shared resources at \\server

server server (Samba, Ubuntu)

Share name  Type  Used as  Comment


 ---
Shared  Disk   Linux Home Server
The command completed successfully.


C:\
 [/CODE]The line I find peculiar is server server (Samba, Ubuntu) -
 what is server server?

 Now here is my smb.conf file:

 [CODE]#
 # Sample configuration file for the Samba suite for Debian GNU/Linux.
 #
 #
 # This is the main Samba configuration file. You should read the
 # smb.conf(5) manual page in order to understand the options listed
 # here. Samba has a huge number of configurable options most of which
 # are not shown in this example
 #
 # Some options that are often worth tuning have been included as
 # commented-out examples in this file.
 #  - When such options are commented with ;, the proposed setting
 #    differs from the default Samba behaviour
 #  - When commented with #, the proposed setting is the default
 #    behaviour of Samba but the option is considered important
 #    enough to be mentioned here
 #
 # NOTE: Whenever you modify this file you should run the command
 # testparm to check that you have not made any basic syntactic
 # errors.
 # A well-established practice is to name the original file
 # smb.conf.master and create the real config file with
 # testparm -s smb.conf.master smb.conf
 # This minimizes the size of the really used smb.conf file
 # which, according to the Samba Team, impacts performance
 # However, use this with caution if your smb.conf file contains nested
 # include statements. See Debian bug #483187 for a case
 # where using a master file is not a good idea.
 #

 #=== Global Settings ===

 [global]

 ## Browsing/Identification ###

 # Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = MSHOME

 # server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)

 # Windows Internet Name Serving Support Section:
 # WINS Support - Tells the NMBD component of Samba to enable its WINS Server
 #   wins support = no

 # WINS Server - Tells the NMBD components of Samba to be a WINS Client
 # Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
 ;   wins server = w.x.y.z

 # This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no

 # What naming service and in what order should we use to resolve host names
 # to IP addresses
 ;   name resolve order = lmhosts host wins bcast

  Networking 

 # The specific set of interfaces / networks to bind to
 # This can be either the interface name or an IP address/netmask;
 # interface names are normally preferred
 ;   interfaces = 127.0.0.0/8 eth0

 # Only bind to the named interfaces and/or networks; you must use the
 # 'interfaces' option above to use this.
 # It is recommended that you enable this feature if your Samba machine is
 # not protected by a firewall or is a firewall itself.  However, this
 # option cannot handle dynamic or non-broadcast interfaces correctly.
 ;   bind interfaces only = yes



  Debugging/Accounting 

 # This tells Samba to use a separate log file for each machine
 # 
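A check for whether the guest-access diagnostic from the reply above is still switched on after troubleshooting. This is an added example, not part of the original thread; the sample configurations, share paths and function names are constructed for illustration.

```python
# Parameter names in smb.conf ignore case and whitespace; these are synonyms.
SYNONYMS = {"public": "guestok"}
# Inverted synonyms of "read only".
INVERTED = {"writable", "writeable", "writeok"}
TRUE = {"yes", "true", "1"}


def is_true(value):
    return value.strip().lower() in TRUE


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}; later lines override earlier ones."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = "".join(key.lower().split())
            key = SYNONYMS.get(key, key)
            value = value.strip()
            if key in INVERTED:                  # store everything as "read only"
                key, value = "readonly", "no" if is_true(value) else "yes"
            sections[current][key] = value
    return sections


def audit_guest_access(text):
    """List (section, finding) pairs for settings that let unauthenticated users in."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    mode = " ".join(glob.get("maptoguest", "never").lower().split())
    if mode != "never":
        findings.append(("global", f"map to guest = {mode}"))
    for name, params in conf.items():
        if name == "global":
            continue
        # Share-level defaults may be set in [global]; Samba's own defaults are
        # guest ok = no and read only = yes.
        if not is_true(params.get("guestok", glob.get("guestok", "no"))):
            continue
        read_only = is_true(params.get("readonly", glob.get("readonly", "yes")))
        findings.append((name, "guest ok, read-only" if read_only else "guest ok, writable"))
    return findings


# Constructed sample: the diagnostic settings from the reply, applied to two shares.
DIAGNOSTIC = """
[global]
   workgroup = MSHOME
   Map to guest = bad password
[Shared]
   path = /srv/shared
   guest ok = yes
   writeable = yes
[archive]
   path = /srv/archive
   public = yes
[private]
   path = /srv/private
   valid users = michael
   read only = no
"""

# Constructed sample: the same file with the diagnostic lines commented out again.
RESTORED = """
[global]
   workgroup = MSHOME
;   map to guest = bad password
[Shared]
   path = /srv/shared
;   guest ok = yes
   writeable = yes
[archive]
   path = /srv/archive
#   public = yes
"""

if __name__ == "__main__":
    for section, finding in audit_guest_access(DIAGNOSTIC):
        print(f"[{section}] {finding}")
    print("after cleanup:", audit_guest_access(RESTORED))
```
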

Re: [Samba] Unwanted case sensitivity

2010-02-17 Thread Kevin Keane
First of all, Windows actually is case sensitive, too (at least on NTFS, not on 
FAT). You can actually create C:\tmp\foo and C:\tmp\Foo at the same time, just 
not in Explorer (or through most standard Windows APIs).

Secondly, even with case sensitive = No , Samba is not truly case insensitive 
(neither is Windows). Samba is case PRESERVING. File names do have case, Samba 
simply prevents creating files that differ only in case.

The case insensitivity is primarily implemented on the client side. And that's 
probably why you see the phenomenon: ls is built into bash (or whatever shell 
you are using). Sum isn't. Also, my guess is that sum /.SMB/aaabbb/fre?.txt 
will work as well - because the wildcard is expanded by your shell before 
handing it to sum.

What you could do to solve this on the Linux side:

sum $(ls /.SMB/AAAbbb/Fred.txt)

That takes advantage of bash's understanding of case insensitivity even for 
other programs that don't natively understand it.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Jim Ramsey
 Sent: Wednesday, February 17, 2010 2:55 PM
 To: samba@lists.samba.org
 Subject: [Samba] Unwanted case sensitivity
 
 I have also posted this on IRC.
 
 I have a linux host running stock RHEL 5.4 Samba 3.0.33-3.15. The host acts
 both as a Samba server and does a CIFS mount of that same share. The
 reason for doing this is so that programs running on the Linux host have
 the same case insensitive view as the Windows clients.
 
 I have nocase set in the relevant line in /etc/fstab
 I have case sensitive = No set in the smb.conf.
 
 Still I get case sensitive responses though odd ones.
 
 Example:
   The native Linux directory that is shared is named /srv/.
   There would be a directory /srv//AAAbbb which contains
   a file Fred.txt.
   The directory, /srv/, is shared as . The Linux host
   CIFS mounts it as //localhost/ on /.SMB.
   Generally, everyone accesses Fred.txt through /.SMB/AAAbbb.
   Nobody accesses it through /srv/.
 
   Here's where things get strange
   ls -l /.SMB/AAAbbb/Fred.txt and all variations works!
   but
   sum /.SMB/AAAbbb/Fred.txt only works if you get the
   case just right.
 
 Any ideas?
 
 Regards,
 
 Jim Ramsey
 
 
 


Re: [Samba] SAMBA and Windows 2008 TSE licence Server

2010-02-14 Thread Kevin Keane
You are probably right. Remember that a Samba domain is based on a Windows NT 
technology, more than ten years old. Almost everything Microsoft now relies on 
Active Directory.

Create an Active Directory domain with a Windows domain controller, and make 
your Samba Server a member. Samba works beautifully in an AD domain, just not 
as controller.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of Mercier
 Sent: Friday, February 12, 2010 6:41 AM
 To: samba@lists.samba.org
 Subject: [Samba] SAMBA and Windows 2008 TSE licence Server
 
 Hi all!
 
 I can't use the TSE licence server in Windows 2008 server. This server
 is a member of my Samba domain. My TSE licence server is activated and my
 licences added, but when I want to configure the TSE service and launch
 the licence diagnostic, the diagnostic fails.
 
 
 I think my problem is due to my Windows Server not being an Active
 Directory controller.
 What are the solutions: quit the domain? Activate AD on the server
 with another domain? I would like my licence diagnostic to work when my
 server joins my Samba domain.
 
 Please do you have any idea?
 
 Thank you.


Re: [Samba] Samba + Quickbooks Idle Crash

2010-02-07 Thread Kevin Keane
Quite possibly, this is not actually a Samba problem. Quickbooks is pretty 
poorly written and goes very deep into the system; simple file sharing isn't 
enough to get it to work. In fact, the main reason Microsoft implemented UAC in 
Windows Vista was that Intuit had flat out refused to fix the Quickbooks 
problems for close to ten years, and continued insisting on administrator 
access.

When Vista came out, Intuit finally was forced to fix that - but now instead 
you have to install a server component on the file server.

There is a Linux version of this Quickbooks server component (on Intuit's Web 
site), but in my experience, it does not work reliably, though - or at least, 
it didn't when I tried it a couple years ago. The main problem was that it 
sometimes kept the file locked; whenever a user's Quickbooks crashed, we had to 
reboot the server to clear up the mess. We ended up having to designate a 
Windows workstation as Quickbooks server.

If you try to access Quickbooks without that component installed, I am not 
surprised about any kind of problem; I'd only be surprised if it works at all.

 -Original Message-
 From: samba-boun...@lists.samba.org [mailto:samba-
 boun...@lists.samba.org] On Behalf Of sa...@cwraig.id.au
 Sent: Sunday, February 07, 2010 3:40 PM
 To: samba@lists.samba.org
 Subject: [Samba] Samba + Quickbooks Idle Crash
 
 I have a Samba server running on Ubuntu 9.10 with Windows (both XP and
 Vista) clients running Quickbooks (accounting software).
 
 Quickbooks can connect to the Samba server and get access to the data
 files with no problems; if the secretary uses Quickbooks continuously
 there is never a problem, the system works for hours on end. However, if the
 secretary leaves the software running but doing nothing for a few mins
 (somewhere between 10 and 30 mins), when she tries to perform the task
 Quickbooks says it cannot find the server.
 
 I have been running this kind of setup for a number of years on Debian etch
 and this bug has only showed up when I moved to Ubuntu 9.10 this year. I
 am willing to do any kind of debugging to help resolve this issue.
 
 Below is a copy of /var/log/samba/log.deb-sfs
 
 
 start of log file##
 
 [2010/01/04 07:43:21,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:21,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:21,  1] smbd/service.c:1047(make_connection_snum)
   deb-sfs (:::192.168.0.53) connect to service data initially as
 user
 nobody (uid=65534, gid=65534) (pid 3372)
 [2010/01/04 07:43:21,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:21,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:22,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:22,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:22,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:22,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:23,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:24,  0] param/loadparm.c:8546(process_usershare_file)
   process_usershare_file: stat of /var/lib/samba/usershares/data
 failed.
 Permission denied
 [2010/01/04 07:43:24,  0] 

Re: [Samba] Dual booted clients with different name drop each other out of domain

2010-01-31 Thread Kevin Keane
The problem with dual-booting is that you end up with two DNS records pointing 
to the same IP address. Active Directory regularly tries to contact the clients 
one by one (it does that for any number of administrative purposes). If the 
machine is turned off and isn't responding at all - no problem. But if the 
machine is booted into Linux while AD tries to reach the Windows machine on the 
same IP, you get an error (I believe it is Kerberos Error 4).

Another issue is that one of the two DNS records wouldn't have a matching 
reverse DNS record (PTR record), since there can only be one PTR record per IP 
address.

All this happens when dual-booting different Windows versions, as well.

In my experience, though, it's not really deadly - in fact, the user usually 
doesn't even know this is happening. What, specifically, do you mean by "drop 
each other out of the domain"?

In my very small network, the easiest solution was to use a static IP for one 
of the two OS.

 -----Original Message-----
 From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
 On Behalf Of Roman Muñoz
 Sent: Sunday, January 31, 2010 5:41 AM
 To: samba@lists.samba.org
 Subject: Re: [Samba] Dual booted clients with different name drop each
 other out of domain
 
 Thanks for your answers.
 
 Probably it would be not very difficult to change the MAC address. This
 has the advantage that could work even if IT staff doesn't want to do
 any change in their dhcpd configuration.
 
 On the other hand, it seems that reconfiguring dhcpd would be a nicer
 solution that could perhaps be accepted by IT staff. However the pointer
 given seems to be about linux dhcpd, not about windows dhcpd. After some
 googling I got the windows doc about vendor classes, but I wonder by
 just changing host's name is not enough.
 
 Could you guys give any pointer to dual boot problem between windows OSes?
 
 Thanks again,
 Roman
 
 Rob Townley wrote:
  changing the MAC is not recommended.
 
  Same problem with dual booted win2k/winxp/winvista machines as well.
  Not just a Linux issue.
 
  Do u have control / influence over dhcpd?  if so, Linux clients and
  MSFT clients can be detected by their dhcp vendor id and then given a
  different hostname and ip address even though the MAC IS THE SAME.
 
  drbl.sf.net has a good example of using dhcp vendor id when assigning
  an ip configuration.
  look at /etc/dhcp/dhcpd.conf
 
  report back and let us know.
 
  On 1/30/10, Roman Muñoz ta...@infonegocio.com wrote:
  Hi,
 
  I'm setting some Ubuntu Karmic clients on a school net. PDC is windows
  2k3 r2. I realized that DHCP server sends only school, not
  school.net as domain name. I have been told that AD configuration was
  migrated as is from an older windows release. I used a supersede
  line on client's dhcp.conf to get a correct domain name. I'm not
  authorized to do any configuration change on PDC but could see the event
  log, etc.
 
  Client machines are dual booted: XP client and Ubuntu client on the same
  machine get different unique names. Ubuntu clients are configured
  following the guides available on the Net, and are working quite well:
  domain users can logon and shares are mounted.
 
  But XP and Ubuntu keep dropping each other out of domain. Any ideas?
 
  TIA
  Roman
 
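
The DNS condition described in the reply above (two host records on one IP address, of which only one can own the PTR record) can be checked for in a zone export. This is an added example, not part of the original thread; the record tuples, host names and addresses are constructed, and the function name `audit_ptr` is hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records as (owner name, type, value); not from the thread.
SAMPLE_RECORDS = [
    ("lab01-xp.school.net.", "A", "192.168.10.21"),
    ("lab01-ubuntu.school.net.", "A", "192.168.10.21"),   # same IP, second OS
    ("lab02-xp.school.net.", "A", "192.168.10.22"),
    ("lab03-xp.school.net.", "A", "192.168.10.23"),       # no PTR at all
    ("21.10.168.192.in-addr.arpa.", "PTR", "lab01-xp.school.net."),
    ("22.10.168.192.in-addr.arpa.", "PTR", "lab02-xp.school.net."),
]


def _fqdn(name):
    """Normalise a DNS name: lower case, exactly one trailing dot."""
    return name.rstrip(".").lower() + "."


def audit_ptr(records):
    """Report IPs shared by several A records or lacking a matching PTR."""
    forward = defaultdict(set)   # IP -> host names that have an A record for it
    reverse = {}                 # in-addr.arpa owner name -> PTR target
    for owner, rtype, value in records:
        rtype = rtype.upper()
        if rtype == "A":
            forward[str(ipaddress.ip_address(value))].add(_fqdn(owner))
        elif rtype == "PTR":
            reverse[_fqdn(owner)] = _fqdn(value)

    findings = []
    for ip in sorted(forward, key=ipaddress.ip_address):
        names = sorted(forward[ip])
        target = reverse.get(_fqdn(ipaddress.ip_address(ip).reverse_pointer))
        unmatched = [n for n in names if n != target]
        if len(names) > 1 or unmatched:
            findings.append({"ip": ip, "names": names, "ptr": target,
                             "no_matching_ptr": unmatched})
    return findings


if __name__ == "__main__":
    for f in audit_ptr(SAMPLE_RECORDS):
        print(f"{f['ip']}: A={f['names']} PTR={f['ptr']} "
              f"unmatched={f['no_matching_ptr']}")
```
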


[Samba] Trouble with Samba on boot

2010-01-07 Thread Kevin Hill
When my server boots up, samba doesn't load itself at boot. I have to 
log in to Webmin and restart the Samba server, then everything works fine.

Ubuntu Server edition 9.04 - 9.10 (it's upgrading right now)
Thanks
-Kevin

