Re: [Samba] Correct NTP Settings for Samba 4.0.6?

2013-07-31 Thread Murray Fraser
Hi Andrew

Did you compile NTP with --enable-ntp-signd ?

If you run 'ntpd -d' as root do you see:

transmit ntp_signd packet: at 44 XX.XX.XX.XX->XX.XX.XX.XX mode 4 keyid 5004 len 68

- Murray



On Sun, Jul 28, 2013 at 2:43 PM, Andrew Martin  wrote:

> - Original Message -
> > From: "Thomas Simmons" 
> > To: "Andrew Martin" 
> > Cc: samba@lists.samba.org
> > Sent: Saturday, July 27, 2013 7:07:59 PM
> > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> >
> > Your Windows client is not able to access the NTP server, which is why
> > w32tm /resync fails and the reason for the "NTP: ERROR_TIMEOUT - no
> > response from server in 1000ms" error when running w32tm /monitor. Why? I
> > can't say. Can you setup a Linux box to use this server for NTP and run
> > ntpdate as a test? I've seen this when there is a flaky network connection
> > (traffic, wifi, or when the DC is a VMware VM under certain situations).
> > Your DC is not a VM, is it?
> >
> >
> > On Sat, Jul 27, 2013 at 4:15 PM, Andrew Martin wrote:
> >
> > > - Original Message -
> > > > From: "Andrew Martin" 
> > > > To: "Thomas Simmons" 
> > > > Cc: samba@lists.samba.org
> > > > Sent: Saturday, July 27, 2013 2:31:21 PM
> > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > >
> > > > - Original Message -
> > > > > From: "Thomas Simmons" 
> > > > > To: "Andrew Martin" 
> > > > > Cc: samba@lists.samba.org
> > > > > Sent: Saturday, July 27, 2013 12:26:57 PM
> > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > >
> > > > > Running "w32tm /config /update /syncfromflags:DOMHIER && net stop
> > > > > w32time && net start w32time" should make the client query the
> > > > > directory for its time server. You can verify the configuration with
> > > > > "w32tm /query /configuration" and look for the "Type" to be NT5DS.
> > > > > This means it's using AD. You can also run w32tm /monitor and the
> > > > > Windows time service will go through the processes of querying the
> > > > > directory to find a time server, then verify it's accessible. If that
> > > > > works, all is working. I found w32tm /monitor will fail if you have
> > > > > your domain functional level at 2008 or 2008_R2. I don't know if this
> > > > > is a bug in Samba as I haven't had time to test against a real 2008+
> > > > > server. Just know it's to be expected.
> > > > >
> > > > >
> > > > > On Sat, Jul 27, 2013 at 12:58 PM, Andrew Martin wrote:
> > > > >
> > > > > > - Original Message -
> > > > > > > From: "Thomas Simmons" 
> > > > > > > To: "Andrew Martin" 
> > > > > > > Cc: samba@lists.samba.org
> > > > > > > Sent: Saturday, July 27, 2013 11:03:49 AM
> > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > >
> > > > > > >
> > > > > > > The ls -l command you ran shows the ntp_signd directory is empty,
> > > > > > > so it looks like samba is not creating the socket (at least in
> > > > > > > that location). Do you have the "ntp signd socket directory"
> > > > > > > option in your smb.conf? If not, try manually adding it to
> > > > > > > smb.conf:
> > > > > > >
> > > > > > > ntp signd socket directory = /var/run/samba/ntp_signd
> > > > > > >
> > > > > > >
> > > > > > > Apart from that, my suggestion would be to stop apparmor and
> > > > > > > iptables for testing and run ntp and samba with verbose logging
> > > > > > > on and see what it says. Also, what does "w32tm /query /source"
> > > > > > > and "w32tm /monitor" show on the client?
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Sat, Jul 27, 2013 at 11:39 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > - Original Message -
> > > > > > > > From: "Thomas Simmons" < twsn...@gmail.com >
> > > > > > > > To: "Andrew Martin" < amar...@xes-inc.com >
> > > > > > > > Cc: samba@lists.samba.org
> > > > > > > > Sent: Saturday, July 27, 2013 10:33:49 AM
> > > > > > > > Subject: Re: [Samba] Correct NTP Settings for Samba 4.0.6?
> > > > > > > >
> > > > > > > > On Sat, Jul 27, 2013 at 2:26 AM, Andrew Martin <amar...@xes-inc.com> wrote:
> > > > > > > >
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I recently compiled Samba 4.0.6 (as an AD DC) and am running it on
> > > > > > > > Ubuntu 12.04.
> > > > > > > > I followed the instructions on the Samba wiki (
> > > > > > > > https://wiki.samba.org/index.p
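Added example, not code from the thread or from Samba: a POSIX shell diagnostic that reproduces the checks the replies above converge on for the MS-SNTP signing path on the DC side: whether smb.conf sets "ntp signd socket directory", whether Samba has actually created a socket in that directory (the `ls -l` symptom was an empty directory), and whether captured `ntpd -d` output contains the `transmit ntp_signd packet` line Murray asks about. The function names are my own; the default directory is the value suggested in the thread, and the sample inputs named in the comments are constructed.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not Samba's or the posters' code).
# Assumes only what the thread states: the smb.conf option
# "ntp signd socket directory" and the suggested default /var/run/samba/ntp_signd.

# Print the configured "ntp signd socket directory"; fall back to the directory
# suggested in the thread when smb.conf does not set the option.
signd_dir_from_conf() {
    conf="$1"
    # smb.conf allows leading whitespace and spaces around '='
    dir=$(sed -n 's/^[[:space:]]*ntp[[:space:]]*signd[[:space:]]*socket[[:space:]]*directory[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -n "$dir" ] || dir="/var/run/samba/ntp_signd"
    printf '%s\n' "$dir"
}

# Return 0 if the directory exists and holds at least one UNIX socket; an
# existing but empty directory (the symptom in the thread) returns 1.
signd_socket_present() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -S "$f" ] && return 0
    done
    return 1
}

# Combine both: print "ok <dir>" (status 0) or "missing <dir>" (status 1).
check_ntp_signd() {
    dir=$(signd_dir_from_conf "$1")
    if signd_socket_present "$dir"; then
        printf 'ok %s\n' "$dir"
        return 0
    fi
    printf 'missing %s\n' "$dir"
    return 1
}

# Return 0 if a saved 'ntpd -d' log shows ntpd handing packets to signd,
# i.e. the "transmit ntp_signd packet" line quoted in the thread.
ntpd_debug_shows_signd() {
    grep -q 'transmit ntp_signd packet' "$1"
}

# Usage on a DC (paths are assumptions for a source build):
#   check_ntp_signd /usr/local/samba/etc/smb.conf
#   ntpd -d 2>&1 | tee /tmp/ntpd-debug.log ; ntpd_debug_shows_signd /tmp/ntpd-debug.log
```

Run `check_ntp_signd` against the DC's smb.conf first; if it reports `missing`, the ntpd side cannot be working either, so start with Samba's configuration and permissions on that directory before looking at the ntpd build.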

Re: [Samba] NIS to SAMBA4 Migration

2012-11-24 Thread Murray Fraser
I am also struggling to find up to date information on using Samba 4 with
linux clients. I have managed to get the RFC 2307 fields by installing the
'NIS tools' feature on a W2k8 DC, and creating a 'NIS domain'. Previously I
could see the fields, but could not select a NIS domain in the ADUC tool to
make the RFC 2307 fields enabled.

I'm also trying to find out the correct way to add the autohome nis map. I
have tried:

ldbmodify -H /usr/local/samba/private/sam.ldb automount_template.ldif
--option="dsdb:schema update allowed"=true

But this seemed to fail. I have thought I might need to use the Microsoft
schema management tool to add the automount schema.


On Sat, Nov 24, 2012 at 4:01 PM, Gémes Géza  wrote:

> Hi,
>
>> Hello Steve,
>>
>> The only way I have found to enable those options is to provision with
>> "--use-rfc2307". We are performing an upgrade from Samba3 and I noticed
>> that the options were not grayed out after performing a classicupgrade, but
>> were grayed out after a "clean" provision. I finally figured out that the
>> classicupgrade always uses the "--use-rfc2307" flag. This flag will add the
>> option "idmap_ldb:use rfc2307 = yes" to your smb.conf, however, it has been
>> my experience that adding that to smb.conf post-provision does not enable
>> the UNIX Attributes options, so the provision option must do something
>> else. I would like to know if there is a way to enable this after the fact,
>> but I've not come up with anything yet. I need to complete further testing
>> on the actual authentication of Linux clients, Apache, RADIUS and OpenVPN,
>> but have run into a show-stopper with DNS replication and have moved all my
>> efforts to this for the time being. I was able to get Linux clients
>> authenticating via winbind, but this was before I found out about the
>> "--use-rfc2307" option and winbind was using auto-generated UIDs and GIDs.
>> Any notes you come up with would be greatly appreciated. Thanks, Thomas.
>>
> Provisioning with --use-rfc2307 also loads the "NIS" schema into AD and
> thus allows you to set those attributes via ADUC.
> To do the same after provision you would need to import the schema after
> provision. The skeleton of it is in /usr/local/samba/share/setup/ypServ30.ldif
> on a default install.
>
> Regards
>
> Geza Gemes
>
>> On Fri, Nov 23, 2012 at 10:38 AM, Steve van Maanen wrote:
>>
>>> Hello everyone,
>>>
>>> I am trying to figure out a way to migrate NIS maps to SAMBA4 (I want to
>>> replace NIS with SAMBA4 for a Linux domain). I have researched a fair bit
>>> on the web but have not found out any solutions and was hoping I could find
>>> some help here. What I have found so far pertains to Windows
>>> implementations of Active Directory.
>>>
>>> Here are my questions.
>>>
>>> 1) Is it possible with a default install of SAMBA4 or do I need to extend
>>> the schema?
>>> 2) I notice there is a Unix attributes tab for users, when using Active
>>> Directory users and groups to administer the Samba4 AD, but I am unable to
>>> change the properties. Is there any way I can enable this?
>>> 3) Has anyone done this and if so, can you offer me some pointers?
>>>
>>> Many thanks!
>>>
>>> Steve
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>


[Samba] Refusing to replicate from a read-only repilca into a read-write replica.

2012-11-21 Thread Murray Fraser
Testing with Samba4 rc5, I ran into the following problem trying to join
samba 4 to an existing (parent) domain.

# /usr/local/samba/bin/samba-tool domain join example.com DC -Uadministrator --realm=example.com
Finding a writeable DC for domain 'example.com'
Found DC server01.example.com
Password for [example\administrator]:
workgroup is example
realm is example.com
checking sAMAccountName
Adding CN=SAMBADC1,OU=Domain Controllers,DC=example,DC=com,DC=au
Adding CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com,DC=au
Adding CN=NTDS Settings,CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com,DC=au
Adding SPNs to CN=SAMBADC1,OU=Domain Controllers,DC=example,DC=com,DC=au
Setting account password for SAMBADC1$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=example,DC=com,DC=au
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com,DC=au] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com,DC=au] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com,DC=au] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=example,DC=com,DC=au] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=example,DC=com,DC=au] objects[402] linked_values[0]
Partition[CN=Configuration,DC=example,DC=com,DC=au] objects[804] linked_values[0]
Partition[CN=Configuration,DC=example,DC=com,DC=au] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=example,DC=com,DC=au] objects[1608] linked_values[5]
Partition[CN=Configuration,DC=example,DC=com,DC=au] objects[1669] linked_values[101]
Replicating critical objects from the base DN of the domain
Partition[DC=example,DC=com,DC=au] objects[103] linked_values[32]
Partition[DC=example,DC=com,DC=au] objects[389] linked_values[36]
Refusing to replicate DC=child,DC=example,DC=com,DC=au from a read-only repilca into a read-write replica!
Failed to convert object DC=child,DC=example,DC=com,DC=au: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Failed to convert objects: WERR_DS_DRA_SOURCE_IS_PARTIAL_REPLICA
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SAMBADC1,OU=Domain Controllers,DC=example,DC=com,DC=au
Deleted CN=NTDS Settings,CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com,DC=au
Deleted CN=SAMBADC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com,DC=au
ERROR(): uncaught exception - Failed to process chunk: NT code 0xc0002111
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1009, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 748, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 252, in replicate
    schema=schema, req_level=req_level, req=req)

I don't know where in Active Directory I should be checking for a
'read-only' replica of the child domain (child.example.com), or how to
disable it.

Also there is a typo in the spelling of 'repilca' in the error message.