Re: [Samba] Testing Directory Replication issue
On 09/10/2013 05:26 AM, 郁苗成 wrote:

Everything is ok except that samba-tool drs showrepl shows: Warning: No NC replicated for Connection!

Hi there,

not sure, but as far as I know this seems to be the default behavior [1]. I have this message on every samba4 setup I have deployed. As long as there are 0 consecutive failures it's ok (I think...)

Regards
Peter

[1] https://lists.samba.org/archive/samba-technical/2011-November/080377.html

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Samba4/Windows DNS replication and administration issue
Hi all,

I am having trouble with DNS replication between a Linux/Samba 4.0.9 box and Windows Server 2012 domain controller, as well as administering the Linux DNS from the Windows DNS Manager snap-in.

First a little background. I am trying to integrate a Samba 4.0.9 server as a domain controller in an existing Windows Active Directory domain. The domain and forest are at Windows 2008R2 functional level with a single domain controller which was upgraded from Windows Server 2008 R2 to Windows Server 2012. I am running CentOS 6.4 x64, patched to current levels.

I downloaded and installed the Sernet binaries for Samba 4.0.9 but ran into problems joining the domain. It failed with the following error:

    ERROR: no subClassOf 'top' for 'samDomain'

I found a bug report for this error at https://bugzilla.samba.org/show_bug.cgi?id=8680 and rebuilt the Sernet RPMs with the patches implemented. This time I was able to successfully join the domain.

Replication seems to be working but I do get a warning from samba-tool drs showrepl:

    KCC CONNECTION OBJECTS
    Connection --
    Connection name: 3c20a62a-ad94-40ef-b346-ba8b15f829f8
    Enabled: TRUE
    Server DNS name : server.example.com
    Server DN name : CN=NTDS Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
    TransportType: RPC
    options: 0x0001
    Warning: No NC replicated for Connection!

The inbound and outbound neighbors all appear to be ok.

I started out with internal DNS but when I was unable to get it working correctly, I switched to bind (Centos package bind-9.8.2-0.17.rc1.el6_4.6.x86_64). The problem is that when I try to administer DNS through the Windows DNS Manager snap-in, my forward domain fails to load, with an error indicating zone data may be corrupt (it opens fine on the Windows DNS server). Additionally, my reverse zone does not appear to have replicated to the Linux server.

When I click on the forward zone in DNS Manager, I see the following in /var/log/messages:

    smbd[24043]: [2013/09/01 15:30:21.091035, 0] ../source3/rpc_server/svcctl/srv_svcctl_nt.c:326(_svcctl_OpenServiceW)
    smbd[24043]: _svcctl_OpenServiceW: Failed to get a valid security descriptorfree_pipe_context: destroying talloc pool of size 275
    samba[19596]: [2013/09/01 15:30:25.505483, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1068(dnsserver_query_zone)
    samba[19596]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544
    samba[19596]: [2013/09/01 15:30:26.272723, 0] ../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
    samba[19596]: dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544

Querying DNS via nslookup/dig/host works fine but querying through samba-tool gives an error:

    # samba-tool dns query server.domain.com domain.com @ ALL
    GENSEC backend 'gssapi_spnego' registered
    GENSEC backend 'gssapi_krb5' registered
    GENSEC backend 'gssapi_krb5_sasl' registered
    GENSEC backend 'sasl-DIGEST-MD5' registered
    GENSEC backend 'schannel' registered
    GENSEC backend 'spnego' registered
    GENSEC backend 'ntlmssp' registered
    GENSEC backend 'krb5' registered
    GENSEC backend 'fake_gssapi_krb5' registered
    Using binding ncacn_ip_tcp:server.example.com[,sign]
    ERROR(runtime): uncaught exception - (-1073545204, 'NT_STATUS_RPC_BAD_STUB_DATA')
    File /usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
    File /usr/lib64/python2.6/site-packages/samba/netcmd/dns.py, line 974, in run
    None, record_type, select_flags, None, None)

and I see the following in /var/log/messages:

    samba[19596]: [2013/09/01 15:31:55.207112, 0] ../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
    samba[19596]: dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544

Any help would be much appreciated.

Thanks,
Pete
[Samba] Samba4 domain trust
Hi there,

I know domain trusts are currently not finished (as far as I know you can trust a Samba4 domain but not the other way). Is that still correct?

And my main question: Does it matter if it is a Samba4-Only Domain or Samba4/Windows DC domain?

In my case it's Samba4 only with two different domains I would like to trust each other...

Best Regards
Peter
Re: [Samba] Compiling Samba 4.0.7 - make test results
Thank You

On 24.07.2013 15:38, L.P.H. van Belle wrote:

Hai,

Just look here http://www.enterprisesamba.com/samba/ make an account so you can use the packages of sernet samba. And use this one for very basic setup. (This also works for debian, since ubuntu is based on debian.) http://www.ferrara.com.au/mediawiki/index.php/Ubuntu:_Samba_4_Active_Directory_Domain_Master

Best regards,
Louis

-----Original message-----
From: tuhar...@misbb.sk [mailto:samba-boun...@lists.samba.org] On behalf of Mgr. Peter Tuharsky, MsU Banska Bystrica
Sent: Wednesday 24 July 2013 14:08
To: samba@lists.samba.org
Subject: Re: [Samba] Compiling Samba 4.0.7 - make test results

The tests eventually finished, however several errors have been reported. Sincerely, I don't understand them. I'm sending the st/summary file in attachment.

Please, is there anybody capable of telling me what's the problem with my compilation? Am I missing some package, or is there some lack of information on Wiki, or...? Or should I better contact the technical mailing list?

I'm not eager to compile samba myself, however Debian packages are rather old even in experimental branch...

Peter

On 23.07.2013 14:17, Mgr. Peter Tuharsky, MsU Banska Bystrica wrote:

Hello, I'm new here.

Doing compilation of Samba 4.0.7 on Debian Wheezy according to Samba Wiki page. I have used configure parameters --enable-debug --enable-selftest and after make, I ran make test.

Now I'm puzzled, because it apparently stops at step 96 (after 15 minutes, CPU still running at full speed), and I don't know how to interpret the results. I'm sending the output in attachment.

Please, is my samba ready to go or not? What is the 1 error reported about? And why doesn't the test end up correctly? Or how long should one normally wait for test to complete?

Sincerely,
Peter
Re: [Samba] Win 2003 DC Demotion
On 07/23/2013 10:49 PM, Garth Keesler wrote:

Sorry, I forgot to mention. This ONLY occurs when I join Samba 4.x to an existing Windows domain. When I join a Windows DC to an existing Samba 4.x domain, all works correctly including Forest and Domain bi-directional DNS repl.

Thanx,
Garth

Hi Garth,

It was once working in my test environment, but I do not know why. We had a little discussion some months ago [1]. But most of the time I was also having issues demoting Windows DCs (mostly with the samba-internal DNS database which told me the database is inconsistent as soon as I tried to add new records).

As we do have small environments with about 30 users and we do use puppet for deployment, I have chosen not to do migration/demoting of existing Windows domains. I am starting now from scratch with new Samba4 domains which seems to work very well with single or multiple domain controllers.

Sorry, not really helpful but I do not have an answer to the question. It's just my experience. Maybe it's because I'm using the old version which is used with Debian Wheezy, I don't know.

Regards
Peter

[1] https://lists.samba.org/archive/samba/2013-February/171583.html
Re: [Samba] Compiling Samba 4.0.7 - make test results
The tests eventually finished, however several errors have been reported. Sincerely, I don't understand them. I'm sending the st/summary file in attachment.

Please, is there anybody capable of telling me what's the problem with my compilation? Am I missing some package, or is there some lack of information on Wiki, or...? Or should I better contact the technical mailing list?

I'm not eager to compile samba myself, however Debian packages are rather old even in experimental branch...

Peter

On 23.07.2013 14:17, Mgr. Peter Tuharsky, MsU Banska Bystrica wrote:

Hello, I'm new here.

Doing compilation of Samba 4.0.7 on Debian Wheezy according to Samba Wiki page. I have used configure parameters --enable-debug --enable-selftest and after make, I ran make test.

Now I'm puzzled, because it apparently stops at step 96 (after 15 minutes, CPU still running at full speed), and I don't know how to interpret the results. I'm sending the output in attachment.

Please, is my samba ready to go or not? What is the 1 error reported about? And why doesn't the test end up correctly? Or how long should one normally wait for test to complete?

Sincerely,
Peter
[Samba] Compiling Samba 4.0.7 - make test results
Hello, I'm new here.

Doing compilation of Samba 4.0.7 on Debian Wheezy according to Samba Wiki page. I have used configure parameters --enable-debug --enable-selftest and after make, I ran make test.

Now I'm puzzled, because it apparently stops at step 96 (after 15 minutes, CPU still running at full speed), and I don't know how to interpret the results. I'm sending the output in attachment.

Please, is my samba ready to go or not? What is the 1 error reported about? And why doesn't the test end up correctly? Or how long should one normally wait for test to complete?

Sincerely,
Peter
Re: [Samba] Recently joined 2k3, shut down primary, seized roles, now have slight dns (maybe) problem.
On 05/03/2013 04:27 PM, Caio Zanolla wrote:

Everything seems to be working fine except for dns management.

Hi Caio,

this is exactly the same issue I am facing and no solution so far. It even resolves perfectly for existing dns records on the Samba4 server, but no chance to add new records or connect with the windows mmc.

I am also very interested how to solve such issues. Or in general - how to handle samba integrated dns issues in a production environment.

Regards
Peter
[Samba] DNS questions
Hi there,

When adding an additional Samba4 domain controller to an existing Windows domain, it is (as far as I know) not possible to use bind for DNS. Is that correct? Is it possible to change to Bind after adding the domain controller?

Or a more generic question: are there any tasks to reconfigure DNS (for example if there are issues)? A non-working DNS is the most scary thing to me...

I did some test scenarios adding a Samba4 dc to an existing domain, then demoting the windows server and usually most of my issues were DNS related - it was working but somehow I was unable to add new records...

Hope someone can give me a hint...or an idea to prevent such issues...

Thanks and best Regards
Peter
Re: [Samba] dns zone type (primary,ad integrated)
Amitay Isaacs ami...@gmail.com wrote on Tue, Feb 26, 2013 at 11:20:48AM +1100:

Hi Peter,

Hi Amitay,

What windows version are you running on windows DC? Depending on the windows version you will have to choose the --client-version.

As far as I can remember I've had this issue on a 2003 and 2008R2 test server, but maybe it's also related to my samba version (debian wheezy)

Samba-tool dns command is used to manipulate DNS zones in AD and those zones will be replicated to other DCs. So it does not matter on which DNS server the modification was made, if I understand correct, which also makes sense to me.

Thanks
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc]
Sérgio Henrique ser...@gmail.com wrote on Mon, Feb 25, 2013 at 04:26:30PM +:

Solved. I have successfully migrated a windows 2008R2 domain to samba4 and then create a new samba domain as a replica. A lot of steps I had to introduce.

Hi Sérgio,

1- Working on DNS
add samba dc to forest and domain dns _ldap values
change DNS SOA to samba4 and add samba4 as NS

are you talking about these records:

    _ldap._tcp.DomainDnsZones.example.local
    _ldap._tcp.ForestDnsZones.example.local
    _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.example.local
    _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.example.local

? I'd like to add that to my checklist... ;-)

2- Working on fsmo
run script fixfsmo.vbs
samba-tool transfer all roles
run adsedit and change samba dc fsMORoleOwner to samba dc

But you had to do that because your dcpromo command was failing, correct? What is fixfsmo.vbs? Is that a Server 2008 script?

    OUTBOUND NEIGHBORS

    DC=DomainDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
            Last attempt @ NTTIME(0) was successful
            0 consecutive failure(s).
            Last success @ NTTIME(0)

    DC=ForestDnsZones,DC=lisboa,DC=local
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: 1f42942d-4d0f-4075-b681-f09f5ed8c95b
            Last attempt @ NTTIME(0) was successful
            0 consecutive failure(s).
            Last success @ NTTIME(0)

and you got these outbound neighbors after adding the DNS SRV records mentioned above? Somehow these two entries are also missing in my test environment with Server 2003...

Thanks
Peter
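The check these messages keep coming back to (0 consecutive failures, and DomainDnsZones/ForestDnsZones present as neighbors before the Windows DC is demoted), as an added example that is not part of any list message or of Samba: it parses the text output of samba-tool drs showrepl in the layout quoted above. The sample output, host names, GUIDs and the function names parse_showrepl and demotion_blockers are constructed for illustration.

```python
import re

# Section headers may be decorated with '=' characters; the excerpt on this
# page shows them bare, so both forms are accepted.
SECTION_RE = re.compile(
    r"^=*\s*(INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS)\s*=*$")
NC_RE = re.compile(r"^(?:CN|DC)=[^,]+(?:,(?:CN|DC)=[^,]+)*$", re.IGNORECASE)
FAIL_RE = re.compile(r"^(\d+) consecutive failure\(s\)")

# Constructed sample, modelled on the showrepl excerpts quoted on this page.
SAMPLE = r"""
INBOUND NEIGHBORS

DC=example,DC=com
    Default-First-Site-Name\WINDC via RPC
        DSA object GUID: 11111111-1111-1111-1111-111111111111
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).
        Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=com
    Default-First-Site-Name\WINDC via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).

DC=ForestDnsZones,DC=example,DC=com
    Default-First-Site-Name\WINDC via RPC
        Last attempt @ NTTIME(0) failed, result 8440 (WERR_DS_DRA_BAD_NC)
        2 consecutive failure(s).

OUTBOUND NEIGHBORS

DC=example,DC=com
    Default-First-Site-Name\WINDC via RPC
        Last attempt @ NTTIME(0) was successful
        0 consecutive failure(s).

KCC CONNECTION OBJECTS

Connection --
    Connection name: 22222222-2222-2222-2222-222222222222
    Enabled: TRUE
    Server DNS name : windc.example.com
    TransportType: RPC
    options: 0x0001
Warning: No NC replicated for Connection!
"""


def parse_showrepl(text):
    """Return {'inbound': [...], 'outbound': [...]}.

    Each entry is a dict with the naming context (nc), the replication
    partner and the consecutive-failure count (None if the line is absent).
    """
    report = {"inbound": [], "outbound": []}
    section = current_nc = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            # The KCC section maps to None and is skipped: its warning is
            # treated as informational in the thread above.
            section = {"INBOUND NEIGHBORS": "inbound",
                       "OUTBOUND NEIGHBORS": "outbound"}.get(header.group(1))
            current_nc = entry = None
            continue
        if section is None:
            continue
        if NC_RE.match(line):
            current_nc, entry = line, None
        elif " via " in line and current_nc:
            entry = {"nc": current_nc, "partner": line.split(" via ")[0],
                     "failures": None}
            report[section].append(entry)
        elif entry is not None:
            failed = FAIL_RE.match(line)
            if failed:
                entry["failures"] = int(failed.group(1))
    return report


def demotion_blockers(report, base_dn):
    """List reasons not to demote the old DC yet, for the three partitions
    replicated by hand in these messages."""
    wanted = [base_dn, "DC=DomainDnsZones," + base_dn,
              "DC=ForestDnsZones," + base_dn]
    problems = []
    for direction in ("inbound", "outbound"):
        seen = {e["nc"].lower() for e in report[direction]}
        for nc in wanted:
            if nc.lower() not in seen:
                problems.append(f"{direction}: no neighbor for {nc}")
        for e in report[direction]:
            if e["failures"] is None:
                problems.append(f"{direction}: {e['nc']}: failure count not reported")
            elif e["failures"] > 0:
                problems.append(f"{direction}: {e['nc']} from {e['partner']}: "
                                f"{e['failures']} consecutive failure(s)")
    return problems


if __name__ == "__main__":
    for problem in demotion_blockers(parse_showrepl(SAMPLE), "DC=example,DC=com"):
        print(problem)
```

On a live domain controller the text would come from the command's standard output instead of the embedded sample.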
[Samba] dns zone type (primary,ad integrated)
Hi guys,

is there a possibility to change dns zone options with samba-tool?

If I create a zone with samba-tool on the Windows DC, I need to set --client-version=w2k, otherwise the command fails. But with that option I get a primary zone (not ad integrated) on the Windows server. I know it's possible to change that manually, but if there is an option to fix that with samba-tool, I would prefer samba-tool to manage.

The same command (without --client-version) against the samba-server works and creates an Active-Directory-integrated zone. Is this by design?

Or in other words: does it matter if the zone is created on the samba server? As it is ad-integrated it gets replicated anyway, or am I wrong?

I am using samba-internal dns.

Regards
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc
Sérgio Henrique ser...@gmail.com wrote on Mon, Feb 25, 2013 at 10:27:17AM +:

Hi Peter,

I am unable to demote windows DC, I always get an error when demoting windows AD on ForestDNSzones and DomainDNSzones, I have tried a lot of things. Raise forest level, keep at 2003, add samba to nameservers, etc...

Hi Sérgio,

do you get this message: http://tinypic.com/view.php?pic=140itd4s=6 ? This message is also shown in my test environment each time I run dcpromo to demote the Windows server. As far as I have seen it's no issue, if the replication is up to date.

I had issues if the operation levels were lower than 2003 and Samba was already joined to the domain. Then the only change that was possible for me was to raise to Windows 2000 native, but not 2003 anymore.

What I am doing after joining Samba to the domain:

* check the operation levels (before joining)
* check all the SRV records (usually added automatically)
* create a reverse zone if not already there
* add ns record for samba to all zones
* drink some coffee to ensure everything gets replicated
* check everything again, drink some more coffee
* again ;-)
* disable GC on the win server, running dcpromo

but I am still testing the whole migration, no long term experience, most of the time I reset my virtual machine and try again to ensure it still works...

What I can see is that if I create a new samba4 as primary root domain and then add windows AD I have no problems. But my objective is to migrate current windows domain to samba4 and not the opposite.

I am sure that is working very good, but the problem is, our customers usually already have a working Windows environment (I think a lot of us have exactly this problem) and we need to takeover these domains and do not want to create everything from scratch ;-)

Regards
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc
Hi guys,

I did some more testing:

---

Scenario 1: Server 2003 with Forest Operation Level 'Windows 2000' and domain operation Level 'Windows 2000 mixed' (which seems to be the default when setting up Server 2003):

After joining Samba4 to the domain I was unable to raise the level. Samba-tool just had an error, when trying to show the levels:

    ERROR: Could not retrieve the actual domain, forest level and/or lowest DC function level!

And on the Windows DC the only change that was possible was to raise up the domain operating level to Windows 2000 native. No other changes were possible [cannot raise ...because this domain includes domain controllers that are not running the appropriate version of Windows]

I also got issues with replicate:

    samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
    ERROR(class 'samba.drs_utils.drsException'): DsReplicaSync failed - drsException: DsReplicaSync failed (8440, 'WERR_DS_DRA_BAD_NC')
    File /usr/lib/python2.7/dist-packages/samba/netcmd/drs.py, line 331, in run
    drs_utils.sendDsReplicaSync(self.drsuapi, self.drsuapi_handle,source_dsa_guid, NC, req_options)
    File /usr/lib/python2.7/dist-packages/samba/drs_utils.py, line 83, in sendDsReplicaSync
    raise drsException(DsReplicaSync failed %s % estr)

with option --local:

    samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local --local
    Partition[dc=domaindnszones,dc=adlab,dc=local] objects[26] linked_values[0]

the same behaviour with forestdnszones.

---

Scenario 2: Then the same setup again, but _before_ joining Samba, the Domain and Forest level were raised up to 2003.

After joining the samba server, the levels were shown without issues: samba-tool was able to list the levels:

    Domain and forest function level for domain 'DC=adlab,DC=local'
    Forest function level: (Windows) 2003
    Domain function level: (Windows) 2003
    Lowest function level of a DC: (Windows) 2003

Also replicating seems (after restart of samba) to work successfully (with all its options like full-sync, local, etc):

    samba-tool drs replicate lab07 lab03 dc=domaindnszones,dc=adlab,dc=local
    Replicate from lab03 to lab07 was successful.
    samba-tool drs replicate lab07 lab03 dc=forestdnszones,dc=adlab,dc=local
    Replicate from lab03 to lab07 was successful.

I was able to demote the Windows server like the times before.

My conclusion is to ensure the forest and domain operating levels _before_ joining the Samba server to the domain and do not hurry with replacing to ensure the replication was done completely prevents from lots of issues and headache...

I think the next test will be with Server 2008...

Regards
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc
Federico Nan feder...@nantec.com.ar wrote on Fri, Feb 22, 2013 at 08:36:56AM -0300:

Wouw! And how do you handle the GPO and sysvol volumes? Did you copy them to the samba sysvol? I've been trying and it always fails in the fsmo transferring. Did you do this on the Windows MMC?

Hi Federico,

It was just a very basic test with a naked Windows 2003 DC and I did not test GPO/Sysvol transfers (only checked adding a GPO to the samba dc after removing the Windows DC, which was working perfect)

I transferred the fsmo roles with samba-tool. fsmo seize did not work on my machine, there were always errors (can't remember exactly at the moment), transfer had a timeout the first try, but the second run was successful. I've also tried it with ntdsutil from Windows, exact the same behaviour (first try - timeout) so I think this is normal.

From what I have seen it's also working with samba-tool the first time, even when there is a timeout message (I've used --role=all). After one run I left the computer to get some coffee and when I came back and checked the roles I could see that every role was now transferred...

The only thing I'm unsure is with dcpromo when demoting the Windows DC - I always get a message with holds the last replication of Application Directory Partitions - usually ForestDNS and DomainDNS partitions. I've just selected delete them and so far there was no issue.

But as mentioned, I'm also doing this in a little test environment and have often switched back to an earlier snapshot to try again...no long term experience.. ;-) I'm still testing...

Regards
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc
Dustin C. Hatch admiraln...@gmail.com wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:

On 2/22/2013 11:13, Sérgio Henrique wrote:

I guess the communication between MS AD and Samba4 is by kerberos, I have copied the /opt/samba/private/krb5.conf to /etc after joined to domain

I have installed a windows server at 2003 forest level as PDC then installed samba4.0.3 join domain but everytime I am getting problems with forest and domain dns zones...

I have the same issue. I've tried countless times to add a Samba DC to my (test) AD environment, but every time, it fails to add an outbound connection for the DomainDnsZones and ForestDnsZones directory partitions. In addition, the Samba server is not listed as a name server for either the root zone or the _msdcs zone.

yes, the basic setup is like it's written down in the Wiki pages at https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC. I get kerberos tickets without any issue.

I think the domain forest level is also important to raise up to 2003 (I can remember I also had issues earlier and then I've just raised the domain operation level). The forest operation level was something I've changed later... After raising up the operation level I always reboot the Windows DC. Not sure if that is really needed... I for one will in future raise both levels up to 2003 _before_ I start deploying samba.

my krb.conf looks like this:

    [libdefaults]
        default_realm = ADLAB.LOCAL
        dns_lookup_realm = true
        dns_lookup_kdc = true

and this is my smb.conf, not sure if allow dns updates is needed or not.

    # Global parameters
    [global]
        server role = active directory domain controller
        workgroup = ADLAB
        realm = adlab.local
        netbios name = LAB07
        passdb backend = samba4
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns
        dns recursive queries = yes
        allow dns updates = true
        dns forwarder = 8.8.8.8

    [netlogon]
        path = /var/lib/samba/sysvol/adlab.local/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

The samba server is not configured as nameserver by default. You can add it either on windows if you right click the zone and add it to the nameserver tab or if you use samba-tool dns add. I prefer the second one.

to add it for example to the zone adlab.local you can use

    samba-tool dns add winserver adlab.local adlab.local NS sambaserver.adlab.local

this will add an ns record for the zone adlab.local which looks like the existing entry for the windows dns (same as parent folder) and it will also automatically add the sambaserver into the nameserver tab of the zone.

after adding these records / checking other dns records (_ldap._tcp, _kerberos etc) I just did

    samba-tool drs replicate samba-dc win-dc dc=adlab,dc=local --local
    samba-tool drs replicate samba-dc win-dc dc=forestdnszones,dc=adlab,dc=local --local
    samba-tool drs replicate samba-dc win-dc dc=domaindnszones,dc=adlab,dc=local --local

if everything is well (which was the case each time I've tested it), I moved the fsmo roles with

    samba-tool fsmo transfer --role=

But as I mentioned before - I am also still testing at the moment ;-)

hope that helps

Regards
Peter
Re: [Samba] [SOLVED] replace Windows 2003 dc
Dustin C. Hatch admiraln...@gmail.com wrote on Fri, Feb 22, 2013 at 05:58:51PM -0600:

On 2/22/2013 15:22, Peter Beck wrote:

Dustin C. Hatch admiraln...@gmail.com wrote on Fri, Feb 22, 2013 at 12:31:05PM -0600:

My samba server works perfectly fine for all AD DC roles (including Kerberos) except DNS. In my real and test environments, the forest and domain functional levels are 2008 R2.

I've just tried again, but still with 2003 functional levels and it was working again, after removing the windows domain I was able to add new users, change password policies, remove and change dns records. This time I installed Exchange 2003 on the Windows DC first (just to check if there are issues if Exchange is running on the dc. Exchange did not start after demoting the dc, btw). In productive environments we do not install Exchange, it was just to test if there are issues with replicating the schema or dcpromo fails while demoting.. after removing the windows dc I also rebooted the Samba server and tried to get a kerberos ticket, which was working as expected.

Same as mine, as defined in the wiki article.

did you change your resolv.conf to the samba dc after removing the windows domain controller? Silly question, but sometimes little things like that are the solution...

I don't see a list of values for this property in smb.conf(5); where did you find this setting?

    server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, smb, dns

According to smb.conf(5), this is the default value for `server services`, less s3fs and plus smb. I don't think either of these would matter in this case.

the only value I have changed was adding +dns to the server services. the provision command was

    samba-tool domain join adlab.local DC -Uadministrator%password --realm=$hostname.$realm --use-ntvfs

--use-ntvfs because I am running debian wheezy

    dns forwarder = 8.8.8.8

Again, this only affects queries outside the AD domain, so it shouldn't matter. I do have it set, though.

I know, just posted the complete config

Yes, that adds the NS records to the domain, and I've tried that. Since the Samba server is a DNS server, this should be done automatically anyway. In any case, it doesn't help.

nameserver records for the samba dc are not automatically created in my test environments, I always have to add them manually.

after adding these records / checking other dns records (_ldap._tcp, _kerberos etc) I just did

These also should be added automatically if the Samba server is to be a DNS server, but adding them manually doesn't help either.

Yes, they are automatically added, but for me it's more safe to check before removing the windows domain controller ;-)

    samba-tool drs replicate samba-dc win-dc dc=adlab,dc=local --local

This works fine

    samba-tool drs replicate samba-dc win-dc dc=forestdnszones,dc=adlab,dc=local --local
    samba-tool drs replicate samba-dc win-dc dc=domaindnszones,dc=adlab,dc=local --local

These both fail because there is no outbound connection from the Samba server to the Windows server for these directory partitions. Adding them manually with repadmin works temporarily, but the KCC eventually removes them.

Never had issues like yours (at least - I can't remember). On the Windows dc in active directory sites and services it takes about 15 minutes until the replication is visible, but replicating from samba was never an issue on my machine.

if everything is well (which was the case each time I've tested it), I moved the fsmo roles with samba-tool fsmo transfer --role=

Since Samba 4.0.3, which has a fix for the timeout problem, I have had no trouble moving the FSMO roles around. Regardless, until the DomainDnsZones and ForestDnsZones are replicated correctly, I cannot demote the Windows DC.

When demoting the Windows DC I get the message, that this DC holds the last replica for DomainDnsZones and ForestDnsZones, I've just checked remove them (otherwise dcpromo will cancel). So far everything still seems to work. I think this is because Windows still has the DNS server installed (?).

I use the debian package version from wheezy, which holds an older version, 4.0.0~beta2+dfsg1-3.1. transferring seems to be a cosmetic issue because even if there is a timeout message if you check 15 minutes later all roles are transferred correct.

Peter
Re: [Samba] replace Windows 2003 dc / dns issues
Peter Beck pe...@datentraeger.li wrote on Thu, Feb 14, 2013 at 03:04:40AM +0100:

After lots of 'trial and error' I have done following scenario

* setup samba4 as additional dc (samba internal dns)
* added +dns to smb.conf server services, dns recursive queries = yes and allow dns updates = true
* on the windows dc I've added a recursive zone for my network and the samba4-dc in the nameservers-tab of each zone. Replication changed to All dns servers. (still not sure if this is needed with ad integrated zones ?)
* replication with samba-tool/repadmin - no issues
* samba-tool drs replicate s4dc w2k3dc dc=domaindnszones,dc..- no errors
* samba-tool drs replicate s4dc w2k3dc dc=forestdnszones,dc..- no errors
* samba_dnsupdate --verbose - no errors
* dns was replicated completely now, including the entries inside the zones
* transferring the fsmo roles to samba4 - no issues
* disable global catalog for the windows dc
* dcpromo demote the windows server

I am still able to read the existing dns entries, but as soon as I try to update an existing entry or add an additional I get the local security authority database contains an internal inconsistency from Windows MMC-Snapin and samba-tool is reporting

    uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')

But adding additional zones and entries for them seems to work. It seems it's just dns related as adding groups and users is working fine.

Any ideas? If there is a best practice to replace an existing dc I would like to contribute that to the samba Wiki...

Best Regards
Peter
Re: [Samba] S4 file server and DNS
Hervé Hénoch h.hen...@isc84.org wrote on Tue, Feb 19, 2013 at 02:56:43PM +0100:

Hello

The problem seems to be with DNS dynamic updates. I insist on the fact that my DNS server is working (all tests were successful). Bind version is 9.8.1. Debian Wheezy.

Maybe it's related to bug 692416: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692416

The plan is to get bind 9.8.4.dfsg.P1-3 migrated to wheezy, which should support dynamic updates. As far as I know it's not working with the current version in wheezy.

Hope that helps
Peter
[Samba] [SOLVED] replace Windows 2003 dc
Hi guys,

weehoo! Samba4 rocks! Great work!

If someone is interested - I finally managed to replace a Windows DC successfully (at least I hope so ;-)

This is what I have done:

* Windows DC: Domain and Forest Operation Level = 2003
* Reboot Windows DC (always a good idea on Windows ;-)
* joining the Samba Domain Controller to the existing 2003 domain
* adding a Reverse zone for my network in DNS (on Windows)
* replicating forestdnszones, domaindnszones
* on the Windows DC I've changed the nameserver for each zone to the samba domain controller (which automatically added an NS-record to dns)
* samba_dnsupdate --all-names --verbose
* removing the Global Catalog on the Windows DC (including reboot ;-)
* transferring all fsmo roles to the samba dc (what's the difference to seizing? for me transfer seems to work more reliably..)
* demote the windows server

Now I am able to add or remove records in dns (with samba-tool and on Windows with the MMC-Snapin) and it looks very good.

Now I think I just need to do some cleaning (removing dns entries for the replaced windows dc, etc).

Regards
Peter
Re: [Samba] Centos samba-3x / samba-3.6.6 - win7 will not join domain
Thanks all for the advice.

I tried again this morning, having made a couple of small changes (I think!). I ran smbpasswd -a plawrie first and entered my password - but surely that was already done using swat? Now it joins!

I did notice that using the control panel/system / change settings, when I put the domain name in lower case, I get an "Active Directory could not be contacted". In upper case, previously it responded with 'network path not found'. This time it finally worked. - I've never had this bother with XP clients.

My smb.conf is below. The main change is to enable winbind, but I'm sure I tried that yesterday. I also seem to have included 'password server = none', but can't remember doing that!

[root@centos55 samba]# cat /etc/samba/smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2013/02/18 10:57:39

[global]
    workgroup = GLENDISC
    server string = Samba Server Version %v
    obey pam restrictions = Yes
    password server = none
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    lanman auth = Yes
    log file = /var/log/samba/%m.log
    max log size = 50
    name resolve order = wins bcast host lmhosts
    time server = Yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    printcap name = cups
    logon script = scripts\%U.bat
    logon path =
    logon drive = z:
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    preload = global
    idmap config * : range =
    idmap config * : backend = tdb
    cups options = raw

[homes]
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = netlogon
    path = /datastore/netlogon
    valid users = @adm, @users
    read only = No

[company]
    comment = company share
    path = /datastore/company
    valid users = @adm, @users
    force group = users
    read only = No
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
    inherit permissions = Yes
    use sendfile = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[root@centos55 samba]#

On 18 February 2013 07:36, Daniel Müller muel...@tropenklinik.de wrote:

Did you join the win7 client to the samba3 domain using smbpasswd -m? Did you set the registry hacks on the win 7 client? Sometimes the win 7 machines need to set the wins server to your Samba/pdc and netbios enabled.

Good luck
Daniel

---
IT
Daniel Müller
Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On behalf of peter lawrie
Sent: Monday, 18 February 2013 00:59
To: Thomas Simmons
Cc: samba@lists.samba.org
Subject: Re: [Samba] Centos samba-3x / samba-3.6.6 - win7 will not join domain

Hi

Thanks, but I've already done that. Now I'm getting "active directory domain controller could not be contacted". I have renamed my win7 PC as pjl-win7 and restarted PC, server and router to ensure all match. I also changed the workgroup in Samba from Glendiscovery to glendisc; my PC is still on the windows workgroup and can access the shares. There is also an XP machine, computer1, on 'workgroup'; once I've fixed the win7 problem, I'll be checking it can also join the domain.

browse.dat has:

GLENDISCc0001000 CENTOS55GLENDISC CENTOS55408c9a23 Samba Server Version 3.6.6-0.129.el5 GLENDISC WORKGROUP c0001000 COMPUTER1 WORKGROUP GLENDISCOVERY c0001000 PJL-WIN7 GLENDISCOVERY

I was recommended to add some lines to smb.conf, so it now has

[root@centos55 samba]# cat smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2013/02/17 23:16:46

[global]
    lanman auth = yes
    log file = /var/log/samba/%m.log
    name resolve order = bcast host lmhosts wins
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    obey pam restrictions = Yes
    client ntlmv2 auth = yes
    logon drive = z:
    ntlm auth = Yes
    domain master = Yes
    idmap config * : range =
    time server = Yes
    wins proxy = No
    passwd program = /usr/bin/passwd %u
    wins support = true
    netbios name = centos55
    cups options = raw
    server
[Samba] upgrade samba (3.0.33) to samba-3x (3.6.6) on Centos5
Hi

Related to my previous posting on joining win7 to a domain with samba-3.6.6 (which I finally managed to do!)

With Centos5 one has the option of installing either Samba, which is 3.0.33, or Samba3x, which is 3.6.6 with the latest updates to centos5.9. My own server was set up with samba3x and hence was able to attempt connection of a win7 PC.

I have several customers with older installations using samba3.0.33. Last year I tried updating one of them and it appeared the only way was to remove samba (3.0.33) and then install samba3x. This meant recreating all the shares and samba configuration and rejoining everyone to the domain.

Is there an easier way of upgrading?

Regards
Peter Lawrie
[Samba] Centos samba-3x / samba-3.6.6 - win7 will not join domain
Hi

Some advice needed on samba-3.6.6 for win7.

Since getting my win7 ultimate pc, I've only used my centos server with samba for a workgroup connection. Previously I had an XP client on this domain. I've updated today (17 feb 2013) to the latest centos5.9 (Linux 2.6.18-348.1.1.el5.centos.plus on i686) which includes samba3x with samba-3.6.600.129_el5.

passdb backend has to be tdbsam now for win7, not smbpasswd.

I've tried repeatedly to join the domain without success. My win7 ultimate machine supposedly has the ability to join a domain. Provided I ensure that nmbd as well as smbd is running, it gives the username and password login form and then

The following error occurred attempting to join the domain glendisc
The specified domain either does not exist or could not be contacted

Since getting the win7 PC I have been connecting to workgroup 'glendiscovery' by the server IP address, so it has not previously been on the domain. I deliberately changed the name to glendisc to avoid possible issues. I can still connect to my workgroup shares.

I noted that the samba user root had disappeared so I added new user 'root' and 'plawrie' and enabled them in swat password. That's presumably for the tdbsam database, instead of smbpasswd. Still no difference.

I have several customers who have introduced win7 machines, so I will have to get this working before I try it on their business networks.

For reference here is my smb.conf

[root@centos55 ~]# cat /etc/samba/smb.conf | more
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2013/02/17 19:56:06

[global]
    workgroup = GLENDISC
    server string = Samba Server Version %v
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 50
    time server = Yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    printcap name = cups
    logon script = scripts\%U.bat
    logon path =
    logon drive = z:
    domain logons = Yes
    os level = 64
    domain master = Yes
    idmap config * : range =
    idmap config * : backend = tdb
    cups options = raw

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

[company]
    comment = company share
    path = /datastore/company
    valid users = @adm, @users
    force group = users
    read only = No
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
    inherit permissions = Yes
    use sendfile = Yes

[netlogon]
    comment = netlogon
    path = /datastore/netlogon
    valid users = @adm, @users
    read only = No

[homes]
    writeable = yes
    path = /home/plawrie
Re: [Samba] Centos samba-3x / samba-3.6.6 - win7 will not join domain
Hi

Thanks, but I've already done that. Now I'm getting "active directory domain controller could not be contacted". I have renamed my win7 PC as pjl-win7 and restarted PC, server and router to ensure all match. I also changed the workgroup in Samba from Glendiscovery to glendisc; my PC is still on the windows workgroup and can access the shares. There is also an XP machine, computer1, on 'workgroup'; once I've fixed the win7 problem, I'll be checking it can also join the domain.

browse.dat has:

GLENDISCc0001000 CENTOS55GLENDISC CENTOS55408c9a23 Samba Server Version 3.6.6-0.129.el5 GLENDISC WORKGROUP c0001000 COMPUTER1 WORKGROUP GLENDISCOVERY c0001000 PJL-WIN7 GLENDISCOVERY

I was recommended to add some lines to smb.conf, so it now has

[root@centos55 samba]# cat smb.conf
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2013/02/17 23:16:46

[global]
    lanman auth = yes
    log file = /var/log/samba/%m.log
    name resolve order = bcast host lmhosts wins
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192 SO_RCVBUF=8192
    obey pam restrictions = Yes
    client ntlmv2 auth = yes
    logon drive = z:
    ntlm auth = Yes
    domain master = Yes
    idmap config * : range =
    time server = Yes
    wins proxy = No
    passwd program = /usr/bin/passwd %u
    wins support = true
    netbios name = centos55
    cups options = raw
    server string = Samba Server Version %v
    password server = none
    logon script = scripts\%U.bat
    unix password sync = Yes
    idmap config * : backend = tdb
    workgroup = GLENDISC
    logon path =
    os level = 64
    auto services = global
    printcap name = cups
    preferred master = yes
    max log size = 50
    pam password change = Yes

[homes]
    valid users = %S
    read only = No
    browseable = No

[netlogon]
    comment = netlogon
    path = /datastore/netlogon
    valid users = @adm, @users
    read only = No

[company]
    comment = company share
    path = /datastore/company
    valid users = @adm, @users
    force group = users
    read only = No
    create mask = 0775
    force create mode = 0775
    directory mask = 0775
    force directory mode = 0775
    inherit permissions = Yes
    use sendfile = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    print ok = Yes
    browseable = No

On 17 February 2013 23:47, Thomas Simmons twsn...@gmail.com wrote:

Have you made the necessary registry changes on the Win7 workstation (see link)? If properly configured, Win7 works perfectly fine with current versions of Samba 3.

https://wiki.samba.org/index.php/Windows7

On Sun, Feb 17, 2013 at 3:40 PM, peter lawrie peter.law...@glendiscovery.co.uk wrote:

Hi

Some advice needed on samba-3.6.6 for win7.

Since getting my win7 ultimate pc, I've only used my centos server with samba for a workgroup connection. Previously I had an XP client on this domain. I've updated today (17 feb 2013) to the latest centos5.9 (Linux 2.6.18-348.1.1.el5.centos.plus on i686) which includes samba3x with samba-3.6.600.129_el5.

passdb backend has to be tdbsam now for win7, not smbpasswd.

I've tried repeatedly to join the domain without success. My win7 ultimate machine supposedly has the ability to join a domain. Provided I ensure that nmbd as well as smbd is running, it gives the username and password login form and then

The following error occurred attempting to join the domain glendisc
The specified domain either does not exist or could not be contacted

Since getting the win7 PC I have been connecting to workgroup 'glendiscovery' by the server IP address, so it has not previously been on the domain. I deliberately changed the name to glendisc to avoid possible issues. I can still connect to my workgroup shares.

I noted that the samba user root had disappeared so I added new user 'root' and 'plawrie' and enabled them in swat password. That's presumably for the tdbsam database, instead of smbpasswd. Still no difference.

I have several customers who have introduced win7 machines, so I will have to get this working before I try it on their business networks.

For reference here is my smb.conf

[root@centos55 ~]# cat /etc/samba/smb.conf | more
# Samba config file created using SWAT
# from UNKNOWN (0.0.0.0)
# Date: 2013/02/17 19:56:06

[global]
    workgroup = GLENDISC
    server string = Samba Server Version %v
    obey pam restrictions = Yes
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    unix password sync = Yes
    log file = /var/log/samba/%m.log
    max log size = 50
    time server = Yes
    socket
[Samba] replace Windows 2003 dc / dns issues
Hi guys,

I'm about to replace an existing Windows Server 2003 Active Directory domain with Samba4 (package from Debian Wheezy).

Joining the Samba4 dc according to the Samba Wiki [1] is working great; replication works without errors from both worlds (windows or samba).

After transferring the fsmo roles with ntdsutil to the samba4 domain controller (btw: does it matter if ntdsutil or samba-tool fsmo transfer is being used?), I would like to demote the windows server and use samba4 only.

But if I shut down the Windows DC, all DNS entries are empty on the samba side (the forward zones are created on the Samba server, but the only entries are the global catalog entries.)

The domain functional level was set to Server 2003 (the highest available option with 2003) before adding the new Samba4 dc.

If I run samba_dnsupdate --verbose there are no errors - everything seems to be fine.

samba-tool dns zonelist samba-testserver shows me the following zones:

2 zone(s) found

pszZoneName : adlab.local
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType: DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : DomainDnsZones.adlab.local

pszZoneName : _msdcs.adlab.local
Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
ZoneType: DNS_ZONE_TYPE_PRIMARY
Version : 50
dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
pszDpFqdn : ForestDnsZones.adlab.local

My question now is, if the Windows Server will be demoted, do I need to add dns to the server services section in smb.conf? (I would like to use Samba internal DNS.) IMO it's needed when Samba is the only dc in the network. Is that correct?

Do I also need to add the nsupdate command parameter to smb.conf after demoting the windows dc?

How do I correctly move dns to the Samba Server and replace the Windows DC finally?

Is it needed to configure zone transfers from the Windows DC to the Samba Server? (even if both dns are active directory integrated?) But even if I enable transfers, there is no content on the samba server dns...

Do I need to disable Global Catalog on the Windows DC before demoting the server?

Lots of questions... There are lots of manuals on how to add an additional DC, but somehow I am missing a howto for _replacing_ an existing DC with Samba4.

Thanks in advance
Peter

[1] https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
[Samba] Odd Mac OSX 10.6 error on Samba share
Hi All,

I've done quite a bit of research on this one and if I'm honest about the cause of this fault it's probably because I'm trying to do too much outside the box :) Nevertheless I enjoy the challenge so here is the scenario:

* I have a Samba Service (v3.2.5) providing file shares running on Debian 2.6.
* The samba server uses a Windows Domain server for authentication
* There are many shares available from the server and all use the Domain for authentication - with each group having an appropriate permission on each share (none, read only, read/write)
* All shares are local mount points (except for a new share below)
* I had to force the file and directory perms because the macs didn't create nice files and directories
* The shares are accessed by Macs and Windows PCs and all has been working fine for over a year until...

Here is the change and the problem:

* A new mount point with fstab entry has been added on the linux server connecting the linux server to a share on a remote windows server (also on the Windows Domain)
* A service account has been created on the Windows Domain for the linux box to access the windows share - this account has been given full rights on the windows share and file system
* A new samba share has been added, settings configured as above, forced perms, using the windows domain, etc.

Windows clients have no issues whatsoever. However, the Macs, all of which are Snow Leopard, do have show stopping issues. When creating a file we get this error:

The Finder can’t complete the operation because some data in FILENAME can’t be read or written. (Error code -36)

The file that should have appeared on the windows share is there but 0B in size, the mac turd ._ file is present, 4096B in size, and looks good? (apologies for the turd expression but macs do s**t all over the file system!)

Here is a dump of the ls for the directory (sensitive stuff removed):

debian01:/mnt/remotedata/Jobs/Current/79700 NOSS Reports/Original# ls -la
total 636
drwxrwxrwx 1 root root      0 2012-10-03 12:24 .
drwxrwxrwx 1 root root      0 2012-09-27 06:46 ..
-rwxrwSrwx 1 root root   4886 2012-08-30 09:30 BAP.csv
-rwxrwSrwx 1 root root 143503 2012-08-30 09:30 BAP_August 2012.docx
-rwxrwSrwx 1 root root 200296 2012-09-05 10:04 BAP_August 2012.pdf
-rwxrwSrwx 1 root root  91557 2012-08-30 09:29 CC.csv
-rwxrwSrwx 1 root root   6148 2012-09-04 11:43 .DS_Store
-rwxrwSrwx 1 root root   4096 2012-10-03 12:26 ._TEST.pdf
-rwxrwSrwx 1 root root      0 2012-10-03 12:24 TEST.pdf
-rwxrwSrwx 1 root root  59852 2012-08-30 09:29 NOSS Report August 2012.docx
-rwxrwSrwx 1 root root 126390 2012-09-05 10:04 NOSS Report August 2012.pdf

Note the files *TEST.pdf - these are the files created by the Mac (the other files have been created by windows clients).

More info can be provided, of course - but I'm not sure where to look first! Any help will be appreciated.

Thanks
Re: [Samba] smbd crashes
Hi all,

I managed to fix the problem. The solution was to apply this patch

http://www.opensource.apple.com/source/samba/samba-235/patches/ignore-tdb-spinlock-flag

to libtdb sources. Maybe this helps someone facing the same problem...

With best regards,
P. Trifonov

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Peter Trifonov
Sent: Thursday, February 09, 2012 12:57 AM
To: samba@lists.samba.org
Subject: Re: [Samba] smbd crashes

Hello folks,

After upgrading from samba 3.4.9 to samba 3.6.1 on a FreeBSD 8.1 x86 system smbd stopped working. It starts successfully, but crashes as soon as someone tries to connect to a share. Log file contains a lot of entries like the following:

[2012/02/06 11:05:13, 1] lib/util_tdb.c:521(tdb_wrap_log)
  tdb(unnamed): tdb_open_ex: spinlocks no longer supported
[2012/02/06 11:05:13, 0] lib/messages_local.c:112(messaging_tdb_init)
  ERROR: Failed to initialise messages database: Unknown error: 0

The problem still remains after upgrading to samba 3.6.3. It appears that spinlocks are somehow automatically enabled for any newly created database. Is there any way to avoid this behavior?

With best regards,
P. Trifonov
Re: [Samba] smbd crashes
Hello folks,

After upgrading from samba 3.4.9 to samba 3.6.1 on a FreeBSD 8.1 x86 system smbd stopped working. It starts successfully, but crashes as soon as someone tries to connect to a share. Log file contains a lot of entries like the following:

[2012/02/06 11:05:13, 1] lib/util_tdb.c:521(tdb_wrap_log)
  tdb(unnamed): tdb_open_ex: spinlocks no longer supported
[2012/02/06 11:05:13, 0] lib/messages_local.c:112(messaging_tdb_init)
  ERROR: Failed to initialise messages database: Unknown error: 0

The problem still remains after upgrading to samba 3.6.3. It appears that spinlocks are somehow automatically enabled for any newly created database. Is there any way to avoid this behavior?

With best regards,
P. Trifonov
[Samba] smbd crashes
Hello everyone!

After upgrading from samba 3.4.9 to samba 3.6.1 on a FreeBSD 8.1 x86 system smbd stopped working. It starts successfully, but crashes as soon as someone tries to connect to a share. Log file contains a lot of entries like the following:

[2012/02/06 11:05:13, 1] lib/util_tdb.c:521(tdb_wrap_log)
  tdb(unnamed): tdb_open_ex: spinlocks no longer supported
[2012/02/06 11:05:13, 0] lib/messages_local.c:112(messaging_tdb_init)
  ERROR: Failed to initialise messages database: Unknown error: 0
[2012/02/06 11:05:13, 0] lib/messages.c:245(messaging_reinit)
  messaging_tdb_init failed: NT_STATUS_UNSUCCESSFUL
[2012/02/06 11:05:13, 0] lib/util.c:961(reinit_after_fork)
  messaging_reinit() failed: NT_STATUS_UNSUCCESSFUL
[2012/02/06 11:05:13, 0] smbd/server.c:388(smbd_accept_connection)
  reinit_after_fork() failed
[2012/02/06 11:05:13, 0] lib/util.c:1480(smb_panic)
  PANIC (pid 50503): reinit_after_fork() failed
[2012/02/06 11:05:13, 0] lib/util.c:1584(log_stack_trace)
  BACKTRACE: 8 stack frames:
   #0 0x12ec7cd smb_panic+93 at /usr/local/sbin/smbd
   #1 0x15b164d main+5437 at /usr/local/sbin/smbd
   #2 0x12fc401 run_events+385 at /usr/local/sbin/smbd
   #3 0x12fc62e event_add_to_select_args+526 at /usr/local/sbin/smbd
   #4 0x12fcc45 _tevent_loop_once+149 at /usr/local/sbin/smbd
   #5 0x15b1247 main+4407 at /usr/local/sbin/smbd
   #6 0x107a12b _start+203 at /usr/local/sbin/smbd
   #7 0x107a075 _start+21 at /usr/local/sbin/smbd
[2012/02/06 11:05:13, 0] lib/fault.c:370(dump_core)
  dumping core in /var/log/samba34/cores/smbd

It seems that something is wrong with the messages.tdb file. I have tried removing it, it was re-created but nothing has changed. Please let me know how can this be fixed?

Many thanks in advance.

With best regards,
P. Trifonov
Re: [Samba] smbd crashes
Hi Volker,

> > It seems that something is wrong with the messages.tdb file. I have tried removing it, it was re-created but nothing has changed. Please let me know how can this be fixed?
>
> Please also upgrade the libtdb from ports.

It was upgraded automatically to version 1.2.9 while building samba. The problem affects only smbd, winbind seems to work properly.

With best regards,
P. Trifonov
Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
Hi Simo,

Thanks for your email. (It is good to get some reassurances I am on the right track...:)

> My preferred one is to join the cluster to the domain with the public name (clusterpub) in your case, and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials.

This is how I have set it up (as per samba ctdb wiki documentation) using clusterpub but it just refuses to let me map \\clusterpub\share on my windows client. I can hit the individual node's share using IP:

\\10.101.4.16\share
\\10.101.4.17\share

and these work fine (which is really working as per your option two).

As given before, incredibly I am able to successfully connect to \\clusterpub\share using smbclient from one of the linux nodes using my window domain login.

I am confident winbind is working ok. It looks like Kerberos is having a problem. When trying to map from windows I get the following error in /var/log/messages (on the node that dns happens to send me to):

krb5_rd_req failed (Key table entry not found).

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
   2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub@ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (ArcFour with HMAC/md5)

Cheers,
Peter Tan

-Original Message-
From: simo [mailto:i...@samba.org]
Sent: Monday, 23 January 2012 1:40 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

On Fri, 2012-01-20 at 16:38 +1000, Peter Tan wrote:

I have set up a 2 node linux cluster and wish to share a ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes. I am able to mount this share via nfs on other linux servers ok.

However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robin across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages:

krb5_rd_req failed (Key table entry not found)

Node 1: 10.101.4.16
Node 2: 10.101.4.17
DNS A Name: clusterpub 10.101.4.16
DNS A Name: clusterpub 10.101.4.17

I have set the netbios name = clusterpub in smb.conf on both nodes.

Interestingly, I am able to successfully connect to the clusterpub share from one of the nodes via smbclient.

# smbclient //clusterpub/archive -U user
Enter user password:
Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
smb: \> dir
  .                    D        0  Fri Jan 20 14:28:01 2012
  ..                   D        0  Wed Jan 18 13:56:46 2012
  hello-from-samba              0  Fri Jan 20 14:28:01 2012

        64000 blocks of size 16777216. 63805 blocks available
smb: \>

What am I missing?

You have 2 ways to solve this issue.

My preferred one is to join the cluster to the domain with the public name (clusterpub) in your case, and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials.

Another way I like a lot less is to make sure you have PTR records set up so that they point to the respective private names, and join each node with these names. I like this less because it relies on reverse address resolution and kinda breaks the fact you are trying to present a single service to the clients.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer s...@samba.org
Principal Software Engineer at Red Hat, Inc. s...@redhat.com
Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
Hi Simo,

Thanks again for your reply. I'm not sure which keys are missing? Should there be an entry for cifs? How do I add the missing key(s)?

Thanking you in advance.
Peter Tan

-Original Message-
From: simo [mailto:i...@samba.org]
Sent: Monday, 23 January 2012 11:07 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote:

Hi Simo,

Thanks for your email. (It is good to get some reassurances I am on the right track...:)

> My preferred one is to join the cluster to the domain with the public name (clusterpub) in your case, and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials.

This is how I have set it up (as per samba ctdb wiki documentation) using clusterpub but it just refuses to let me map \\clusterpub\share on my windows client. I can hit the individual node's share using IP:

\\10.101.4.16\share
\\10.101.4.17\share

and these work fine (which is really working as per your option two).

As given before, incredibly I am able to successfully connect to \\clusterpub\share using smbclient from one of the linux nodes using my window domain login.

I am confident winbind is working ok. It looks like Kerberos is having a problem. When trying to map from windows I get the following error in /var/log/messages (on the node that dns happens to send me to):

krb5_rd_req failed (Key table entry not found).

# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
   2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub. mydomain.au @ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 host/clusterpub@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 host/clusterpub@ MYDOMAIN.AU (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with CRC-32)
   2 CLUSTERPUB$@ MYDOMAIN.AU (DES cbc mode with RSA-MD5)
   2 CLUSTERPUB$@ MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer s...@samba.org
Principal Software Engineer at Red Hat, Inc. s...@redhat.com
Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
Hi Simo,

It's ok I've worked it out. You were spot on wrt missing 'cifs' keytab entries. I kinda expected these to be added when creating the keytab but I guess not the case. All the doco I had read revolved around keytab 'host' entries so I couldn't see what was missing (probably just my ignorance!:)

I had to add them afterwards using:

net ads keytab add cifs -U spn

and this did the trick! Is this a bug? The following link suggests it is a bug too? -- https://bugzilla.samba.org/show_bug.cgi?id=8004

Anyway thank you very much for pointing me in the right direction!

Cheers,
Peter Tan
Technical Specialist
Enterprise Business Solutions Branch
IPSWICH CITY COUNCIL
PO Box 191 Ipswich Queensland 4305
T| 07 3810 7327 E: p...@ipswich.qld.gov.au W: www.ipswich.qld.gov.au

-Original Message-
From: Peter Tan
Sent: Monday, 23 January 2012 11:21 AM
To: 'simo'
Cc: samba@lists.samba.org
Subject: RE: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

Hi Simo,

Thanks again for your reply. I'm not sure which keys are missing? Should there be an entry for cifs? How do I add the missing key(s)?

Thanking you in advance.

Peter Tan

-Original Message-
From: simo [mailto:i...@samba.org]
Sent: Monday, 23 January 2012 11:07 AM
To: Peter Tan
Cc: samba@lists.samba.org
Subject: Re: [Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin

On Mon, 2012-01-23 at 09:58 +1000, Peter Tan wrote:
> Hi Simo,
>
> Thanks for your email. (It is good to get some reassurances I am on the right track...:)
>
> > My preferred one is to join the cluster to the domain with the public name (clusterpub) in your case, and share the keytab between the 2 nodes. They are logically a single server and need to share the same credentials.
>
> This is how I have set it up (as per samba ctdb wiki documentation) using clusterpub but it just refuses to let me map \\clusterpub\share on my windows client.
>
> I can hit the individual node's share using IP:
> \\10.101.4.16\share
> \\10.101.4.17\share
> and these work fine (which is really working as per your option two).
>
> As given before, incredibly I am able to successfully connect to \\clusterpub\share using smbclient from one of the linux nodes using my windows domain login. I am confident winbind is working ok. It looks like Kerberos is having a problem.
>
> When trying to map from windows I get the following error in /var/log/messages (on the node that dns happens to send me to):
> krb5_rd_req failed (Key table entry not found).
>
> # klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> --
> 2 host/clusterpub.mydomain...@mydomain.au (DES cbc mode with CRC-32)
> 2 host/clusterpub.mydomain.au@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
> 2 host/clusterpub.mydomain.au@MYDOMAIN.AU (ArcFour with HMAC/md5)
> 2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with CRC-32)
> 2 host/clusterpub@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
> 2 host/clusterpub@MYDOMAIN.AU (ArcFour with HMAC/md5)
> 2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with CRC-32)
> 2 CLUSTERPUB$@MYDOMAIN.AU (DES cbc mode with RSA-MD5)
> 2 CLUSTERPUB$@MYDOMAIN.AU (ArcFour with HMAC/md5)

I think you are missing keys for cifs/fqdn@REALM

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer s...@samba.org
Principal Software Engineer at Red Hat, Inc. s...@redhat.com
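The check that points at the gap found in this thread, as an added example (not part of the posts and not Samba code): it reads klist -ke output and lists the host/ and cifs/ principals that have no keytab entry. The host names, realm and sample listing are constructed.

```shell
#!/bin/sh
# Added example: list the service principals a keytab has no entry for.
# Reads the text printed by klist -ke on stdin.

# missing_spns REALM "HOST..." "CLASS..."
# Prints CLASS/HOST@REALM for every combination that has no keytab entry.
missing_spns() {
    awk -v realm="$1" -v hosts="$2" -v classes="$3" '
        # Keytab entry lines look like: "<kvno> <principal> (<enctype>)"
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            at = index($2, "@")
            if (at == 0) next
            # Assumption: service/host compared case-insensitively, realm exactly.
            have[tolower(substr($2, 1, at - 1)) substr($2, at)] = 1
        }
        END {
            nh = split(hosts, h, " ")
            nc = split(classes, c, " ")
            for (i = 1; i <= nh; i++)
                for (j = 1; j <= nc; j++) {
                    p = tolower(c[j] "/" h[i]) "@" realm
                    if (!(p in have)) print c[j] "/" h[i] "@" realm
                }
        }'
}

# Constructed listing: host/ and machine-account entries only, the same
# shape as the keytab quoted in the thread.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/clusterpub.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 host/clusterpub@EXAMPLE.COM (ArcFour with HMAC/md5)
   2 CLUSTERPUB$@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# An SMB client requests a ticket for cifs/<name it connected to>, so both
# the short name and the FQDN of the round-robin record are checked.
sample_klist | missing_spns EXAMPLE.COM "clusterpub.example.com clusterpub" "host cifs"
```

On a cluster node the same function can be fed from klist -ke directly; an empty result on every node means the shared keytab covers each name clients use.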
[Samba] Problem Accessing Samba share from Windows workstation via DNS Round Robin
I have set up a 2 node linux cluster and wish to share an ocfs2 mount on san storage. I have configured ctdb, samba and Kerberos and am able to map the share on my windows workstation when I hit the ip of each of the two nodes. I am able to mount this share via nfs on other linux servers ok.

However it does not appear to be authenticating when I try to map to the DNS hostname that has been set up to round robin across the two ip's - I keep getting prompted for a login and password and I get the following in /var/log/messages:

krb5_rd_req failed (Key table entry not found)

Node 1: 10.101.4.16
Node 2: 10.101.4.17
DNS A Name: clusterpub 10.101.4.16
DNS A Name: clusterpub 10.101.4.17

I have set the netbios name = clusterpub in smb.conf on both nodes.

Interestingly, I am able to successfully connect to the clusterpub share from one of the nodes via smbclient.

# smbclient //clusterpub/archive -U user
Enter user password:
Domain=[COUNCIL] OS=[Unix] Server=[Samba 3.5.4-0.83.el5]
smb: \ dir
  .                  D  0  Fri Jan 20 14:28:01 2012
  ..                 D  0  Wed Jan 18 13:56:46 2012
  hello-from-samba      0  Fri Jan 20 14:28:01 2012
64000 blocks of size 16777216. 63805 blocks available
smb: \

What am I missing?

Peter Tan
Re: [Samba] guest share writable but unable to delete
On Mon, 2011-11-21 at 16:26 +0100, Günter Kukkukk wrote:
> On Sunday 20 November 2011 18:21:58 Peter Baranyi wrote:
> > hi,
> >
> > I set up a share with writeable = yes, guest only = yes, guest ok = yes, so I can connect without password and create files in the name of the specified guest account unix user.
> > but I am unable to delete the created file!
> > I can only delete the file if the parent directory has other permissions set to +w
> > it seems that samba is creating the file using the guest account user, but deletion is done with user nobody!
> >
> > how can this be? did I do a configuration error?
>
> which samba version?
>
> Cheers, Günter

tried with 3.5.9~dfsg-1 and 3.5.11~dfsg-4 (debian) with same results.
using: security = share

Regards,
Peter
[Samba] guest share writable but unable to delete
hi,

I set up a share with writeable = yes, guest only = yes, guest ok = yes, so I can connect without password and create files in the name of the specified guest account unix user.
but I am unable to delete the created file!
I can only delete the file if the parent directory has other permissions set to +w
it seems that samba is creating the file using the guest account user, but deletion is done with user nobody!

how can this be? did I do a configuration error?
[Samba] Samba shows each file several times in the same folder
Hi!

I have a Samba 3.5.11 on Debian/kFreeBSD (sid) with ZFS filesystem. The error came up yesterday, I opened one of the dirs and the same file came up several times.

Picasa.ini
IMG_1377.JPG
IMG_1378.JPG
IMG_13*80*.JPG
IMG_13*80*.JPG
IMG_1384.JPG
IMG_1385.JPG
IMG_13*86*.JPG
IMG_13*86*.JPG
IMG_13*87*.JPG
IMG_13*87*.JPG
IMG_13*88*.JPG
IMG_13*88*.JPG

With the same name, they are the same files (same size, same content, etc.)

If I open on the linuxbox with Midnight Commander, everything is ok, no doubling the files. In some cases no doubling, but in some dirs each file showed up more than 10 times, which froze Total Commander, by then. On Windows if I open Total Commander, or Windows Explorer, the same effect.

I also tested samba 3.6.1 from Debian experimental repo, same effect. I don't know where to start debugging, or what can be the problem.

Thanks for your help!
Peter Torok
[Samba] Winbind restrictions with AD communication
Hi all

I have two freeradius servers with ntlm_auth and local auth.

The point is that sometimes ntlm_auth stops working on the primary server. When I test it from the command line with command /usr/bin/ntlm_auth, it says No logon servers.

I noticed in the logs that there were 10 attempts per minute with wrong password from one of our routers. When I applied ACL on the router to block these attempts, ntlm_auth started to work.

During this time standby radius with its ntlm_auth was able to communicate with AD.

So the question is if there are some restrictions in samba (winbind) when it will stop communicating with AD in some special cases? It happened a few times with the same scenario.

I'm using samba3x-3.5.4-0.70.el5

Thanks
pet
[Samba] No admin privileges after upgrade from 3.5.8 to 3.6.0rc3
Hi,

since I was bitten badly by this today, I take the additional time to report this issue here.

After upgrading from samba 3.5.8 to 3.6.0rc3, Administrator on the xp clients (yes, still xp sp3, no vista, no win7 clients here) lost its admin privileges.

My Samba PDC setup evolved over about a decade now, but since it still needs to support a small environment only (20 xp, 30 users), I kept the security = user approach, mainly because it allows different passwords for the linux and windows environment.

[global]
security = user
domain master = yes
preferred master = yes
local master = yes
domain logons = yes
wins support = yes
admin users = root @ntadmin

My admin is called admin:

$ id admin
uid=1002(admin) gid=71(ntadmin) Gruppen=71(ntadmin),512(domadmin)

$ cat /etc/samba/smbusers
admin = administrator
nobody = guest pcguest smbguest

$ getent group
domadmin:*:512:admin
domuser:*:513:u1,u2,...
domguest:*:514:
ntadmin:*:71:

$ net groupmap list
Domänen Benutzer (S-1-5-21-884593593-3352586541-3369792858-513) -> domuser
Domänen Administratoren (S-1-5-21-884593593-3352586541-3369792858-512) -> domadmin
Domänen Gäste (S-1-5-21-884593593-3352586541-3369792858-514) -> domguest

$ net rpc user
u1
u2
admin
...

$ net rpc user info admin
Domänen Benutzer
Domänen Administratoren

Users and admin can domain login just fine, but with 3.6.0rc3, the admin lost his privileges, simply downgrading samba to 3.5.8 fixed this.

openSUSE Build Service internals
Here's my samba build:
https://build.opensuse.org/package/show?package=samba&project=home%3Afrispete%3Asamba%3ASTABLE
That's linked to project network:samba:STABLE. If somebody from this project there is reading here: Doesn't the term STABLE and the project description imply stable released packages? IMHO, a release candidate doesn't match this criteria, but others might disagree.
/openSUSE Build Service internals

Since this is a productive environment, I can perform tests during the weekend only (as long as my family permits..).

Pete
Re: [Samba] UID mapping
-original message-
From: Jonathan Buzzard jonat...@buzzard.me.uk
To: Martin Rootes m.j.roo...@shu.ac.uk
CC: Samba samba@lists.samba.org
Date: Tue, 14 Jun 2011 23:28:49 +0100
-

> Martin Rootes wrote:
> > Hi,
> >
> > I'm trying to convert an old system on Solaris 10 that uses the smbpasswd file authentication method to a system that authenticates against Active Directory. I've managed to get winbind working but of course this just allocates UIDs as it sees fit whereas the smbpasswd file method used the UID from the /etc/passwd file. The user codes on the Solaris server match the user codes in AD but if I just switch over to winbind the UIDs will not match. If there were only a small number of users I could simply change the ownership of the users home directories to match the winbind allocated UID but unfortunately there are thousands of users and so this would be a mammoth task. I've had a look at various bits of documentation but can't get my head around the best strategy. Has anyone needed to do something similar and if so how did you go about it?
> >
> > Also the users' home directories are distributed around multiple directories and I would prefer to continue to use the home directory information from /etc/passwd as opposed to using template homedir (although I assume that I could leave the directories in place and just set up links to them).
> >
> > I've also had a look at the PADL nss_ldap stuff but can't get it to compile, it seems to be looking for SASL, would the SASL version on the Sun Freeware site work?
>
> Would not filling out the rfc2307 information in the AD not be the way forward? Then winbind would not be allocating UID's but using what was set in the AD which you could match with your current settings. In addition you could have your home directories wherever you want on a per user basis depending on what you have set in the AD.
>
> If you are going to be using AD then it is best not to fight it, and any AD server after 2003 R2 has the rfc2307 scheme extensions activated, you just need to populate the fields. Though I appreciate that sometimes this can be easier said than done if you don't have control over the AD servers.
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.

I have been working on exactly this problem. I looked into the rfc2307 scheme extensions and it looked like a lot of trouble. The samba HowTo has this to say about it.

"The use of this method is messy. The information provided in the following is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance."

see http://samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

I also noticed that, to quote the HowTo again

"If winbindd is not running, smbd (which calls winbindd) will fall back to using purely local information from /etc/passwd and /etc/group and no dynamic mapping will be used. On an operating system that has been enabled with the NSS, the resolution of user and group information will be accomplished via NSS."

see http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html.

This is the solution that I am now implementing. It looks to be working but I still have some testing to do. This is the way that another system works here and we have had no trouble with it.

If you have multiple domains then you have to be very careful doing this. We have one master OpenLDAP server and we create accounts on all domains from that. We know that John on one domain is the same person as John on all the others.

The linux samba servers are just setup so that nss gets account info from the master LDAP server but the smb.conf gets Auth info from the AD Domain controller.

Password changing on the windows and linux machines have been disabled and all password changes are done through a website. This site then updates the LDAP and AD passwords.

Peter

--
Peter Shevchenko Ph: +61 2 6125 1548 Email: peter.shevche...@anu.edu.au
IT Administrator
ANU College of Engineering and Computer Science
Re: [Samba] UID mapping
On Tue, 14 Jun 2011 23:28:49 +0100, Jonathan Buzzard wrote:
> Martin Rootes wrote:
> > Hi,
> >
> > I'm trying to convert an old system on Solaris 10 that uses the smbpasswd file authentication method to a system that authenticates against Active Directory. I've managed to get winbind working but of course this just allocates UIDs as it sees fit whereas the smbpasswd file method used the UID from the /etc/passwd file. The user codes on the Solaris server match the user codes in AD but if I just switch over to winbind the UIDs will not match. If there were only a small number of users I could simply change the ownership of the users home directories to match the winbind allocated UID but unfortunately there are thousands of users and so this would be a mammoth task. I've had a look at various bits of documentation but can't get my head around the best strategy. Has anyone needed to do something similar and if so how did you go about it?
> >
> > Also the users' home directories are distributed around multiple directories and I would prefer to continue to use the home directory information from /etc/passwd as opposed to using template homedir (although I assume that I could leave the directories in place and just set up links to them).
> >
> > I've also had a look at the PADL nss_ldap stuff but can't get it to compile, it seems to be looking for SASL, would the SASL version on the Sun Freeware site work?
>
> Would not filling out the rfc2307 information in the AD not be the way forward? Then winbind would not be allocating UID's but using what was set in the AD which you could match with your current settings. In addition you could have your home directories wherever you want on a per user basis depending on what you have set in the AD.
>
> If you are going to be using AD then it is best not to fight it, and any AD server after 2003 R2 has the rfc2307 scheme extensions activated, you just need to populate the fields. Though I appreciate that sometimes this can be easier said than done if you don't have control over the AD servers.
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.

I have been working on exactly this problem. I looked into the rfc2307 scheme extensions and it looked like a lot of trouble. The samba HowTo has this to say about it.

"The use of this method is messy. The information provided in the following is for guidance only and is very definitely not complete. This method does work; it is used in a number of large sites and has an acceptable level of performance."

see samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html

I also noticed that, to quote the HowTo again

"If winbindd is not running, smbd (which calls winbindd) will fall back to using purely local information from /etc/passwd and /etc/group and no dynamic mapping will be used. On an operating system that has been enabled with the NSS, the resolution of user and group information will be accomplished via NSS."

see www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html .

This is the solution that I am now implementing. It looks to be working but I still have some testing to do. This is the way that another system works here and we have had no trouble with it.

If you have multiple domains then you have to be very careful doing this. We have one master OpenLDAP server and we create accounts on all domains from that. We know that John on one domain is the same person as John on all the others.

The linux samba servers are just setup so that nss gets account info from the master LDAP server but the smb.conf gets Auth info from the AD Domain controller.

Password changing on the windows and linux machines have been disabled and all password changes are done through a website. This site then updates the LDAP and AD passwords.

Peter

--
Peter Shevchenko Email:peter.shevche...@rsise.anu.edu.au
IT Administrator
ANU College of Engineering and Computer Science
--
/home/users/petershev/signature-file.txt
Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
On Wed, 01 Jun 2011 16:35:05 -0400, Jenkins, Mack wrote:
> The 3.5.8 release is not in the yum repo provided by RHEL6. We are trying to stay within the RHEL yum repo if possible. But at this point, if there is a repo that has a 3.5.8 release, I'd be more than happy to give it a try.
>
> --
> Mack J. Jenkins, II 404-385-1591 mack.jenk...@eas.gatech.edu System Support Engineer II Earth Atmospheric Sciences
>
> - Original Message -
> From: Jeremy Allison j...@samba.org
> To: Mack Jenkins mack.jenk...@eas.gatech.edu
> Cc: samba@lists.samba.org
> Sent: Friday, May 27, 2011 7:39:21 PM
> Subject: Re: [Samba] SMB + Active Directory And No Ability To Delete Files And Folders
>
> On Fri, May 27, 2011 at 03:21:17PM -0400, Jenkins, Mack wrote:
> > I hope that everyone is doing well. I'm new to the list and look forward to participating in the community. I've been using Samba for a long time and have always preached the samba gospel. :-)
> >
> > I find myself with a peculiar problem. I have a RHEL6 install running Samba Version 3.5.4-68.el6_0.2 acting as a local file server and it is tied into an Active Directory server for the user management. When a user on a Windows box supplies their Active Directory credentials, my Samba server validates them against the Active Directory server, creates a directory on the local server, which the user then mounts on their Windows machine.
> >
> > The problem is this. The users can create files and folders, but can not delete them. Has anyone seen this behavior before?
>
> Sounds somewhat like an old bug that got fixed... Have you tried a 3.5.8. release ?

This sounds like a problem that I have been having. It looks to me like the open bug 7521. My situation is:

1) Two different windows AD domains one windows 2000 the other 2008R2.
2) Three separate Samba servers one (ubuntu 10.04 LTS with samba 3.4.7 and I have also tried 3.5.8) joined to the 2008r2 domain. On the other domain I have an old samba 3.0.14 server and a new samba 3.4.7 (also tried 3.5.8) joined to it.

Out of the three samba servers only the 3.0.14 works as expected with file deletes.

The problem is if I have a share in which there is a directory that is owned by a group say foo with permissions drwxrwxr-x. Then user X who is a member of foo mounts the drive they are able to create files in that directory but they can't delete or change the name of that file.

I have been trying to find documentation of how samba handles the translation of permissions in terms of windows ACLs, linux ACLs and POSIX permissions but have not found much that is at all current.

I have also looked in the code and the problem looks to be in the se_access_check function in lib/util_seaccess.c but there are all these big structures being passed around and I am really struggling to understand what they all mean. I also don't understand enough about Windows ACLs and how samba is storing them to get much further. I had a look at http://samba.org/samba/docs/man/Samba-Developers-Guide/ but it appears to be very out of date. It looks like with samba 3.3 permissions are handled totally differently from older releases?

Any ideas?

Peter.

This is the smb.conf

[global]
workgroup = BLAH
realm = BLAH.BLAH.BLAH
preferred master = no
server string = Linux Samba Server
security = ADS
encrypt passwords = yes
log level = 10
log file = /var/log/samba/%m
max log size = 500
winbind use default domain = Yes
winbind nested groups = Yes
template shell = /bin/bash
map untrusted to domain = Yes

[homes]
comment = Home Direcotries
read only = No
browsable = No
writable = yes
create mask = 0644
directory mask = 0755
path = /home/users/%S
store dos attributes = yes

[test]
comment = Test Direcotries
read only = No
browseable = yes
writable = yes
create mask = 0644
directory mask = 0755
path = /home/test

This is a level 10 debug log of some testing I did.

[2011/05/06 09:44:03, 10] ../lib/util/util.c:304(_dump_data)
[] 00 5C 00 63 00 6D 00 62 00 72 00 5C 00 76 00 62 .\.c.m.b .r.\.v.b
[0010] 00 6E 00 6D 00 76 00 62 00 6E 00 6D 00 00 00 .n.m.v.b .n.m...
[2011/05/06 09:44:03, 3] smbd/process.c:1273(switch_message)
switch message SMBntcreateX (pid 13841) conn 0x7fa151fea970
[2011/05/06 09:44:03, 4] smbd/uid.c:256(change_to_user)
change_to_user: Skipping user change - already user
[2011/05/06 09:44:03, 10] smbd/nttrans.c:484(reply_ntcreate_and_X)
reply_ntcreate_and_X: flags = 0x10, access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x20 root_dir_fid = 0x0, fname = cmbr/vbnmvbnm
[2011/05/06 09:44:03, 10] smbd/open.c:3365(create_file_default)
create_file: access_mask = 0x110080 file_attributes = 0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x20 oplock_request = 0x0 root_dir_fid = 0x0, ea_list = 0x(nil), sd = 0x(nil
[Samba] Error message after samba upgrade
Hi

I had to upgrade samba because we upgraded DC windows to 2008. My current samba version is 3.5.4-0.70.el5. I'm using RHE Server release 5.4.

After the upgrade this message started to appear:

Feb 27 20:52:26 mailgate winbindd[316]: [2011/02/27 20:52:26.682422, 0] libsmb/cliconnect.c:1051(cli_session_setup_spnego)
Feb 27 20:52:26 mailgate winbindd[316]: Kinit failed: Cannot contact any KDC for requested realm
Feb 27 21:24:37 mailgate winbindd[316]: [2011/02/27 21:24:37.243211, 0] libsmb/smb_signing.c:96(smb_signing_good)
Feb 27 21:24:37 mailgate winbindd[316]: smb_signing_good: BAD SIG: seq 1
Feb 27 21:24:37 mailgate winbindd[316]: [2011/02/27 21:24:37.244111, 0] libsmb/clientgen.c:279(cli_receive_smb)
Feb 27 21:24:37 mailgate winbindd[316]: SMB Signature verification failed on incoming packet!
Feb 27 21:24:37 mailgate winbindd[316]: [2011/02/27 21:24:37.259390, 0] libsmb/cliconnect.c:1051(cli_session_setup_spnego)
Feb 27 21:24:37 mailgate winbindd[316]: Kinit failed: Cannot contact any KDC for requested realm
Feb 27 21:35:41 mailgate winbindd[316]: [2011/02/27 21:35:41.870499, 0] libsmb/smb_signing.c:96(smb_signing_good)
Feb 27 21:35:41 mailgate winbindd[316]: smb_signing_good: BAD SIG: seq 1
Feb 27 21:35:41 mailgate winbindd[316]: [2011/02/27 21:35:41.871435, 0] libsmb/clientgen.c:279(cli_receive_smb)
Feb 27 21:35:41 mailgate winbindd[316]: SMB Signature verification failed on incoming packet!
Feb 27 21:35:41 mailgate winbindd[316]: [2011/02/27 21:35:41.887275, 0] libsmb/cliconnect.c:1051(cli_session_setup_spnego)
Feb 27 21:35:41 mailgate winbindd[316]: Kinit failed: Cannot contact any KDC for requested realm

Point is that samba doesn't authenticate, then I need to restart it. After a couple of days I need to restart it again.

Do you have any ideas?

Thanks
pet
Re: [Samba] Samba upgrade HowTo requested
Hi Willy,

> Last weekend I decided to upgrade the samba server. We were running Samba 3.3 something and FreeBSD portupgrade was complaining that this version should be removed and assumingly replaced by the newest version. I removed the package via portupgrade and installed the 3.5.6 version. The

Are you running winbindd on this server? If yes, does it work properly? In my case it failed to communicate group IDs to the system, so I had to rollback to v. 3.4.9.

> And specifically for FreeBSD users: How should we deal with an upgrade of samba via portupgrade?

I have upgraded it many times before, and in most cases it was just make deinstall make reinstall.

With best regards,
P. Trifonov
Re: [Samba] Missing secondary groups
Hi Timur,

> Just a wild guess - could it be the result of moving lockdir in Samba3.5 port from /var/db/samba34 back to /var/db/samba ? Can you check, that, by renaming appropriate directory?

I have installed Samba 3.4.9, and it started working immediately. So it seems that nss_winbind FreeBSD interface is broken somehow in version 3.5.6.

With best regards,
P. Trifonov
Re: [Samba] Missing secondary groups
Hi,

> idmapping does not work perfectly for me. idmap_ad backend means it should use active directory info to determine the unix uid and gid. It may bypass the issues with local tdb files.

In my case Samba is able to allocate UID and GID itself. However, it seems not to be able to communicate it to the OS properly. I have the following:

1. getent passwd and getent group show only local users and groups.

2. getent recognizes domain users and groups, if their names or IDs are given explicitly. For example:

heap# getent group domain users
domain users:x:10009
heap# getent group 10012
wifi:x:10012
heap# getent passwd petert
petert:*:1:10009:Peter V. Trifonov:/home/DOMAIN/petert:/usr/local/bin/bash

It can be seen that UID and GID were allocated properly. However, all non-primary groups are lost:

3. heap# wbinfo -r petert
10009
10010
10011
10012
10013
Re: [Samba] Missing secondary groups
Hi Timur,

> Just a wild guess - could it be the result of moving lockdir in Samba3.5 port from /var/db/samba34 back to /var/db/samba ? Can you check, that, by renaming appropriate directory?

I have created a symlink /var/db/samba34 pointing to /var/db/samba, but it still does not work.

With best regards,
P. Trifonov
Re: [Samba] Missing secondary groups
Hi,

> getent group to pull the information from winbind. First of all, you need to make sure that winbind itself is showing users and/or groups from the Windows server
> wbinfo -u
> wbinfo -g

wbinfo does provide the correct information.

> Then you need to make sure that /etc/nsswitch.conf has been updated for

My nsswitch.conf looks as follows:

group: files winbind
group_compat: nis
hosts: files dns
networks: files
passwd: files winbind
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

I have another FreeBSD server running Samba 3.4.5, which works correctly.

With best regards,
P. Trifonov
[Samba] Joining Windows 7 to Samba PDC
Hi folks,

I've spent more than a week trying to get Windows 7 Pro workstations to work with a Samba PDC ver. 3.5.x (without LDAP). I've studied thousands of lines, the Samba documentation, forums, etc.

No problem joining machines to the domain, but the users cannot logon, with the error "There is currently no logon servers available".

I've tried most 3.5.x versions, all with the same behavior. I've tried different configurations options (incl. server signing = no), nothing helped.

As a last resort, I installed Samba ver. 3.4.9. Works like a charm :-).

So, I'll give you all a good piece of advice: Send Samba 3.5.x to /dev/null and install 3.4.9 instead. Saves you tons of frustration...

Regards,
Peter
Re: [Samba] Missing secondary groups
Hi, The problem seems to be with idmapping. In your smb.conf file do you have a section for idmap - this tells samba which unix user id and group id ranges can be used to correspond to windows users and id's. the docs on samba.org may be a little out of date so you should also check the man pages for smb.conf and idmap_ad.
I have the following in my smb.conf:
idmap uid = 1-2
idmap gid = 1-2
As far as I understand, Samba used tdb backend by default. I do not need idmap_ad, so it is not configured. ID mapping seems to work, since the command id petert correctly reports UID and GID of a domain user. However, it shows only a single entry in the group list. The key to the problem seems to be the message getgrent failed: NT_STATUS_NO_MORE_ENTRIES, which is logged by winbind every time I run the id command. With best regards, P. Trifonov
Re: [Samba] networking problem/Domain not available
Hi, The problem is when I do this, none of the workstations (XP based) can find the domain controller any more (domain not available). I switch the cables you should check network connectivity. Try pinging the servers from each other and client computers. There may be also firewall issues. With best regards, P. Trifonov
Re: [Samba] Missing secondary groups
Hi, Does getent group show the Windows groups? No, it does not. However, the id command displays only the primary group for domain users. Furthermore, domain users are not able to access any files owned by their non-primary domain groups. For example, running $ id petert results in the following output: uid=1(petert) gid=10009(domain users) groups=10009(domain users) With best regards, P. Trifonov
[Samba] Missing secondary groups
Hello all, There is a FreeBSD 8.1 system with Samba 3.5.6. It is a member of Active Directory domain (domain controllers are WinSrv2008R2 and WinSrv2008). wbinfo correctly provides user and group lists, as well as group membership information. It is possible to use domain user and group names in commands like chown and chgrp. However, the id command displays only the primary group for domain users. Furthermore, domain users are not able to access any files owned by their non-primary domain groups. For example, running
$ id petert
results in the following output:
uid=1(petert) gid=10009(domain users) groups=10009(domain users)
There is also an error message failed: NT_STATUS_NO_MORE_ENTRIES in the log.winbind file:
[2010/11/27 19:47:43.856773, 6] winbindd/winbindd.c:768(new_connection) accepted socket 29
[2010/11/27 19:47:43.856837, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send) getpwnam petert
[2010/11/27 19:47:43.856966, 6] winbindd/winbindd.c:816(winbind_client_request_read) closing socket 28, client exited
[2010/11/27 19:47:43.859876, 3] winbindd/winbindd_getgrent.c:51(winbindd_getgrent_send) [69874]: getgrent
[2010/11/27 19:47:43.859904, 5] winbindd/winbindd_getgrent.c:149(winbindd_getgrent_recv) getgrent failed: NT_STATUS_NO_MORE_ENTRIES
[2010/11/27 19:47:43.860164, 3] winbindd/winbindd_getgrgid.c:50(winbindd_getgrgid_send) getgrgid 10009
[2010/11/27 19:47:43.872512, 3] winbindd/winbindd_getgrgid.c:50(winbindd_getgrgid_send) getgrgid 10009
[2010/11/27 19:47:43.872770, 6] winbindd/winbindd.c:816(winbind_client_request_read) closing socket 29, client exited
Please let me know how this can be fixed. With best regards, P. Trifonov
Re: [Samba] Windows 7 machine trust accounts expiring
On 2010-10-04 16:23, John Drescher wrote:
On Thu, Jul 15, 2010 at 11:52 AM, Peter Rindfuss rindf...@wzb.eu wrote:
There was an earlier thread about failing trust relationships between Windows 7 and Samba. Since we occasionally experience the same problem with Win 7 clients against a Samba 3.5.4 server, I investigated this a bit further. I think it happens when
- the time to change the machine password has arrived
- the Win 7 machine is up, but no one is logged on (login box is shown on the screen).
To reproduce this, I reduced the machine password change interval to one day on a test computer, then let the login prompt sit there for a day or so - and indeed I could not log in anymore because of a trust relationship failure. I will try this a couple more times. I hope this helps to find a remedy.
Did you ever solve this issue? How did you change the machine password change interval? I just had a single windows 7 box fail trust relationship and I saw that the last modify time in ldap for that account was August 30, 2010. John
Our solution: We disabled the machine password change on all win7 clients by setting
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters DisablePasswordChange = dword:1
We never had a single issue after that. The machine password change interval can be set in the client's registry with
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters MaximumPasswordAge = dword:n, n being a number of days. Default is 30.
Instead of DisablePasswordChange = 1 we might have tried MaximumPasswordAge = 100, a million days. Finally, we might have tried against an MS server
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters RefusePasswordChange = dword:1
Note that this is a server setting, not a client setting. In Samba, it should translate to sambaRefuseMachinePwdChange = 1 in LDAP. Peter
Re: [Samba] Automatic change of machine passwords seems to break trust relationship for Windows 7 clients
On 2010-08-09 14:18, Stefan Oberwahrenbrock wrote: We are observing the following phenomenon: After 30 days our Windows 7 clients lose their trust relationship with the samba domain. We think that the automatic machine password change on these clients fails.
I posted a message about the very same problem on July 15. I think it does not always happen after 30 days (or whatever the change interval is set to), but only occurs when the machine password change time has arrived and the computer is on, but no one is logged on (i.e. the login box is shown). Since we are only starting to deploy Windows 7, we simply turned the machine password change off in the registry of our imaged installation and the few real installations. We had no more problems afterwards. There are three ways to change the machine password behavior:
Client-Registry: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters DisablePasswordChange = dword:1
or
Client-Registry: HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters MaximumPasswordAge = dword:100
or
Server-Registry (if you have a Windows server) HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters RefusePasswordChange = dword:1
With Samba + OpenLDAP, set sambaRefuseMachinePwdChange = 1 in the sambaDomainName= entry. Peter
[Samba] samba and ms server 2008
Hi, I am about to set up a Centos server with samba and an MS server 2008 for a new customer. The MS server is required because he has an MSSQL application. The samba shares will be for everything else. I've previously set up centos and redhat servers as domain members with a 2003 pdc. Before I get stuck, are there any issues I should worry about with server 2008? What release of samba should I run? Are there any differences in configuration compared with samba3.0.33 which comes with centos5.5? Peter
[Samba] Windows 7 machine trust accounts expiring
There was an earlier thread about failing trust relationships between Windows 7 and Samba. Since we occasionally experience the same problem with Win 7 clients against a Samba 3.5.4 server, I investigated this a bit further. I think it happens when
- the time to change the machine password has arrived
- the Win 7 machine is up, but no one is logged on (login box is shown on the screen).
To reproduce this, I reduced the machine password change interval to one day on a test computer, then let the login prompt sit there for a day or so - and indeed I could not log in anymore because of a trust relationship failure. I will try this a couple more times. I hope this helps to find a remedy. Peter
[Samba] samba authentication fails with trusted domain
We are using samba with domain authentication against a windows AD. The account domain is AA. All our hosts (windows and samba systems) and a few generic user accounts are in a domain TT which trusts the accounts from AA. In short our smbd.conf has:
. . .
security = domain
workgroup = TT
. . .
Normally a user logs on with the user account from AA as AA\userID. We use users.map to map UXlogon = AA\userID
With Redhat EL5, Ubuntu Karmic (and also Lucid) these users have no problem to access shares. The samba daemon properly authenticates against the domain controller and allows access to the local share UXlogon without any login dialog. Things are different though if a user is logged in as TT\userID and tries to access a samba share. With Redhat things work like before. With Ubuntu though I do not see any authentication dialog with the domain controller and smbd tries to find the user in smbpasswd which of course is not there. Thus the user is denied to access. I do not understand why there is no request to the domain controller. As a workaround I issued smbpasswd -a TTuserID and the user from TT can now also access the share as expected. Although this has solved the problem for me I still regard it as a bug. If security = domain is used the correct behaviour should be to authenticate all requests against the domain controller. Because Redhat does it correctly I think that there was something wrong in Ubuntu. Unfortunately there is no Ubuntu forum for samba, launchpad bug tracking just points to the samba team. I hope that someone here can shine a light on this problem and it does not become a game of back and forth between samba and ubuntu guys.
[Samba] Occasional printing to /dev/null with Windows 7
Hello! I'm looking after a small office with several PCs that is using Samba for many years now; however it was Samba 3.2.x with Windows 2000 clients. Now they bought entirely new PCs, of course with Windows 7 pre-installed. I managed to successfully move the setup over to Samba 3.3.10, 3.4.5 and now 3.4.6. Everything is working fine, however one problem stubbornly resists to go away: Ghost Printing. That phrase means that a print job sent to a samba printer is just spooled normally, it appears in the print job list of the Windows client, seemingly is printed and vanishes from the print job list. No error is displayed, the printer is shown as ready and can be seen in the Network Neighborhood just normally. However, the print job that was spooled never gets printed. Printing system is CUPS and it can be deduced from the CUPS logs that the job was never given to CUPS. What drives me mad is that this behavior is sporadic and somehow connected to the logon session of the user. It may happen that the user can print just fine several days in a row and it stops working the next day. Often it helps to just reboot the Windows client PC (just logging the user off and on again leads to The User Profile Service failed the logon - User profile cannot be loaded error in 80% of the cases). Well; of course I combed through the samba smbd.log file at several log levels but honestly, I did not really recognize an error message that is related to cups printing (Samba logs are a bit too much on the chatty side for me...). So, did anybody see similar problems? Or anything I could try to close in on the error? Regards, Peter
[Samba] deploy policies for win7 ?
hello, I skipped Vista and was using WinXP on all clients until now. I deployed my policies using a file ntconfig.pol in the [netlogon]-share, but this does not work with win7 any more. How do you deploy your policies with Vista or Win7 ? I use recent samba 3.4.6 and hope there is some way. Every experience welcome. I think thousands of readers here might have similar problems somehow :) Even OT-tips are welcome (ie: clone local policies on win7-client to import it on a different machine) if there is no way to do it with samba3. And I don't dare to use samba4 yet ... thnx, peter
[Samba] Options for responding to this group?
Is the only option for responding to posts in this group to receive ALL of the messages posted in this group by email?
Re: [Samba] Options for responding to this group?
On Fri, Jan 15, 2010 at 8:42 AM, John H Terpstra j...@samba.org wrote:
On 01/15/2010 07:54 AM, Peter Olcott wrote: Is the only option for responding to posts in this group to receive ALL of the messages posted in this group by email?
1) Subscribers to the samba mailing list can control whether or not they receive messages that are posted to the list. This is an on/off setting in the subscribers' optional settings.
2) Subscribers who elect to receive messages posted to the list will receive ALL message postings.
3) There is no option to filter on message subject.
4) List subscribers can post to the list. Messages sent by a subscriber will be sent directly to the list.
5) Non-subscribers can also post to the list. Messages sent by a non-subscriber will be held for moderation. It is up to the moderator to determine what will be accepted or rejected.
6) There are a number of moderators, each exercises his/her own discretion.
7) There have been (and possibly still are) subscribers who elect not to receive postings to the mailing list.
8) Subscribers who elect not to receive postings CAN post to the list.
- John Terpstra a list moderator
How do subscribers that elect to NOT receive email postings respond to a specific message such as this one?
[Samba] Given up on Fedora Ubuntu is 1000-folder simpler
I spent several days (at least 20 hours) trying to get Fedora 11 Samba server going. I consulted every resource that I knew including this list. When I discovered that Fedora 11 Samba could be browsed immediately upon installation, and a simple reboot disabled this, I gave up. I decided to try Ubuntu. After installation it took only five minutes of editing the smb.conf file to make my share fully operational. In terms of total cost of ownership Fedora and Red Hat have become big losers.
[Samba] net join issues with 2 domains with a trust relationship
I am trying to join a machine to one domain using the credentials from another.. Yes .. I do have the privileges :-) kinit works. It used to work (3.0.28a) but with later revs I get this sort of error. Bit irritating, as I have to ask somebody with admin privs to do it for me ...
r...@curric4182-07:/home/peter# net ads join -U e2052...@admin4182.internal
Enter e2052...@admin4182.internal's password:
[2010/01/08 17:08:57, 0] libads/kerberos.c:332(ads_kinit_password) kerberos_kinit_password e2052...@admin4182.internal@CURRIC4182.INTERNAL failed: Malformed representation of principal
Failed to join domain: failed to connect to AD: Malformed representation of principal
[Samba] Setting up Samba with broadcast based name resolution (not WINS)
I am still trying to get my Fedora 11 based Samba 3.4 share to show up on windows. My Red Hat 9.0 Samba share must be using broadcast based name resolution because the hosts file is empty, and none of the windows clients has a fixed IP address. Also ping shows that both the server and the clients can find each other based on their name. It looks like broadcast name resolution is the best for my needs. Can anyone point me to documentation on how to do this for Fedora 11?
[Samba] Can't get share to show up on windows
I have successfully set up two Samba servers under Red Hat Linux 6.0 and 9.0. I am having trouble getting Samba 3.0 Fedora Linux Samba to show up on the windows machine. I can't find the solution in either of the two books that I bought, or the online resources after spending several days working on this. I only need a relatively simple network, yet I also want it to be reasonably secure. With my first server I set up fixed IP addresses and edited the etc/hosts file. Somehow my second server can connect to my XP clients without changes to the etc/hosts file, and without fixed IP addresses set up on the windows XP side. I don't know how it does this. I probably want this new server to work this same way. I must have two Samba servers and three Windows XP boxes all connected. The Red Hat Linux 9.0 samba box is currently working correctly with the three XP boxes. Appreciate your help.
Re: [Samba] samba 3.3 for opensuse 10.2
At Tuesday, 29 December 2009 08:23, Karolin Seeger has wisely spoken thusly: Hi Karolin, Hi Peter, On Mon, Dec 28, 2009 at 07:09:40PM +0100, peter grotz wrote: JM On Mon, Dec 28, 2009 at 5:54 AM, peter grotz peter.gr...@grotz.org wrote: I need the rpm-files of samba 3.3 or later for opensuse 10.2. The repo isn´t available any more, so can anybody help me here? JM You need 3.3 or _later_ ? It shipped with 3.4.2, so that would be JM later. Or do you specifically need 3.3? no, you´re wrong! It´s shipped with 3.0.23! I have here opensuse 10.2 and it´s really 3.0.23!! you can find a lot of Samba versions for opensuse 10.2 e.g. on http://ftp.sernet.de/pub/samba/. thanks for the link. In the meantime I found it by myself, but in past I was avoiding it because these builds work somehow differently from the normal suse-rpms. But I´ll give it a try again. Thanks again, Karolin! Cheers, Peter
Re: [Samba] samba 3.3 for opensuse 10.2
Hi Robert, I think this might be a good idea but for the 10.2 would it be better to take the SLES 10? -Peter At Tuesday, 29 December 2009 13:35, Robert Schetterer has wisely spoken thusly: RS On 29.12.2009 11:33, peter grotz wrote: At Tuesday, 29 December 2009 08:23, Karolin Seeger has wisely spoken thusly: Hi Karolin, Hi Peter, On Mon, Dec 28, 2009 at 07:09:40PM +0100, peter grotz wrote: JM On Mon, Dec 28, 2009 at 5:54 AM, peter grotz peter.gr...@grotz.org wrote: I need the rpm-files of samba 3.3 or later for opensuse 10.2. The repo isn´t available any more, so can anybody help me here? JM You need 3.3 or _later_ ? It shipped with 3.4.2, so that would be JM later. Or do you specifically need 3.3? no, you´re wrong! It´s shipped with 3.0.23! I have here opensuse 10.2 and it´s really 3.0.23!! you can find a lot of Samba versions for opensuse 10.2 e.g. on http://ftp.sernet.de/pub/samba/. thanks for the link. In the meantime I found it by myself, but in past I was avoiding it because these builds work somehow differently from the normal suse-rpms. But I´ll give it a try again. Thanks again, Karolin! Cheers, Peter RS you may also try recompile from source rpm taken out of the enterprise RS suse 9 or 10 rep, I did this last time for having recent samba versions RS for an old 9.3 server, it worked without problems
Re: [Samba] samba 3.3 for opensuse 10.2
Thanks Robert, I´ll try it! At Tuesday, 29 December 2009 16:52, Robert Schetterer has wisely spoken thusly: RS On 29.12.2009 13:47, peter grotz wrote: Hi Robert, I think this might be a good idea but for the 10.2 would it be better to take the SLES 10? -Peter RS yes try first sles 10 rpm src recompile RS download from RS http://download.opensuse.org/repositories/network:/samba:/STABLE/SLE_10/src/ RS http://download.opensuse.org/repositories/network:/samba:/STABLE/SLE_10/src/samba-3.4.3-10.1.src.rpm RS do rpmbuild --rebuild samba-3.4.3-10.1.src.rpm etc RS you might need to download more additional libs for recompile too RS but after all sernet rpms should work too At Tuesday, 29 December 2009 13:35, Robert Schetterer has wisely spoken thusly: RS On 29.12.2009 11:33, peter grotz wrote: At Tuesday, 29 December 2009 08:23, Karolin Seeger has wisely spoken thusly: Hi Karolin, Hi Peter, On Mon, Dec 28, 2009 at 07:09:40PM +0100, peter grotz wrote: JM On Mon, Dec 28, 2009 at 5:54 AM, peter grotz peter.gr...@grotz.org wrote: I need the rpm-files of samba 3.3 or later for opensuse 10.2. The repo isn´t available any more, so can anybody help me here? JM You need 3.3 or _later_ ? It shipped with 3.4.2, so that would be JM later. Or do you specifically need 3.3? no, you´re wrong! It´s shipped with 3.0.23! I have here opensuse 10.2 and it´s really 3.0.23!! you can find a lot of Samba versions for opensuse 10.2 e.g. on http://ftp.sernet.de/pub/samba/. thanks for the link. In the meantime I found it by myself, but in past I was avoiding it because these builds work somehow differently from the normal suse-rpms. But I´ll give it a try again. Thanks again, Karolin! Cheers, Peter RS you may also try recompile from source rpm taken out of the enterprise RS suse 9 or 10 rep, I did this last time for having recent samba versions RS for an old 9.3 server, it worked without problems
[Samba] samba 3.3 for opensuse 10.2
Hello and Merry Christmas to all! I need the rpm-files of samba 3.3 or later for opensuse 10.2. The repo isn´t available any more, so can anybody help me here? Thanks in advance! Peter
Re: [Samba] samba 3.3 for opensuse 10.2
JM On Mon, Dec 28, 2009 at 5:54 AM, peter grotz peter.gr...@grotz.org wrote: I need the rpm-files of samba 3.3 or later for opensuse 10.2. The repo isn´t available any more, so can anybody help me here? JM You need 3.3 or _later_ ? It shipped with 3.4.2, so that would be JM later. Or do you specifically need 3.3? no, you´re wrong! It´s shipped with 3.0.23! I have here opensuse 10.2 and it´s really 3.0.23!! Cheers Peter
Re: [Samba] samab unable to contact ldap or something else
vishesh kumar wrote: [global] ldap suffix = dc=abp=,dc=del
There is an extra = sign in there. I'd say this should be
ldap suffix = dc=abp,dc=del
Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-22 19:23, Jeremy Allison wrote: On Thu, Oct 22, 2009 at 10:46:40AM +0200, Peter Rindfuss wrote: On 2009-10-22 01:36, Jeremy Allison wrote: OK, this is where you log a bug on it with *exact* details on how to reproduce, and I fix it for you :-). Ok, I have added bug 6841: https://bugzilla.samba.org/show_bug.cgi?id=6841 Please let me know what else may be needed. Best, Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-22 01:36, Jeremy Allison wrote: I'm guessing this is the version 1 to version 2 upgrade. (From posix_acls.c) Thank you for your reply. The posix_acls.c code says that version 2 SAMBA_PAI is always written now. But apparently it is not interpreted correctly as opposed to existing version 1 entries. As far as I can tell, it is not the mix of v1 and v2 that causes the problems. It also happens on a fresh empty share with no v1. So what can I do about it (if I can) ? Peter
Re: [Samba] map acl inherit stopped working
On 2009-10-19 23:04, Jeremy Allison wrote: On Sat, Oct 17, 2009 at 12:40:10AM +0200, Peter Rindfuss wrote: Hi, It seems that at some point map acl inherit = yes stopped working for me. I now have Samba 3.4.2, but this problem started with an earlier version, possibly some 3.2.x or 3.3.x. No SAMBA_PAI extended attributes are created anymore, but existing ones are still honored. OS is Suse 11.0, file system is XFS. What could be wrong? Not sure, can you log a bug and upload logs please ? Hi Jeremy, I will file a bug, if necessary, but perhaps my further investigations can help. My statement no SAMBA_PAI extended attributes are created anymore is wrong, I apologize. But it is interesting what really happens to SAMBA_PAI: I looked at an old existing folder: Windows security tab shows that rights are inherited from the folder above. SAMBA_PAI is 0x01000300039a750151c302009a750151c302 When I remove and (try to) set inheritance again, SAMBA_PAI becomes 0x02048d030003009a75000151c303020b009a750b0151c30302 and inheritance is gone, same as if SAMBA_PAI were not there at all. When I manually set SAMBA_PAI to the first value, inherited rights are back there again. One more interesting observation: The acl_xattr VFS module seems to work fine with respect to inheritance (on a test share). BTW, the SAMBA_PAI created with acl_xattr looks similar to the non-working one above. Cheers, Peter
[Samba] openldap error messages after upgrade 3.3.6 - 3.4.2
Hi, I just upgraded Samba from 3.3.6 to 3.4.2. We use it as PDC with OpenLDAP 2.4.19. After the upgrade, I see occasional log messages coming from OpenLDAP like:
Oct 16 16:19:31 selene slapd[10158]: conn=71 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=WZB,ou=accounts,dc=wzb,dc=eu)
There were no such messages with 3.3.6. So far, it doesn't seem to cause problems, but who knows. Any idea what could be causing this? Peter
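Added example (not part of the original posts, and not Samba or OpenLDAP code): a small Python lint for the two DN problems reported in this archive, the stray = in ldap suffix = dc=abp=,dc=del and the empty RDN value in the slapd "invalid dn" message above. The function names, the severity labels and the ldap admin dn line in the sample are assumptions made for illustration; the check is a heuristic, not a full RFC 4514 parser.

```python
"""Lint LDAP DN strings taken from smb.conf or slapd log messages."""
import re

# Attribute type: a short name (letter first) or a dotted numeric OID.
ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")
# smb.conf parameters whose value is a DN (subset checked here, lower-cased).
DN_PARAMS = {"ldap suffix", "ldap admin dn"}

# DN from the slapd message quoted in the 3.3.6 -> 3.4.2 upgrade post.
SLAPD_DN = "sambaDomainName=,sambaDomainName=WZB,ou=accounts,dc=wzb,dc=eu"
# Constructed sample: only the "ldap suffix" line comes from the thread.
SAMPLE_SMBCONF = """\
[global]
    ; constructed sample for this example
    ldap suffix = dc=abp=,dc=del
    ldap admin dn = cn=Manager,dc=abp,dc=del
"""


def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def lint_dn(dn):
    """Return a list of (severity, rdn_index, message) findings for dn."""
    findings = []
    for index, rdn in enumerate(split_unescaped(dn, ",")):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDNs
            parts = split_unescaped(ava, "=")
            if len(parts) < 2:
                findings.append(("error", index, f"no '=' in {ava!r}"))
                continue
            attr, value = parts[0].strip(), "=".join(parts[1:])
            if not ATTR_TYPE.match(attr):
                findings.append(("error", index, f"bad attribute type {attr!r}"))
            if value.strip() == "":
                # The case slapd logged as "invalid dn" in the post above.
                findings.append(("error", index, f"empty value for {attr!r}"))
            elif len(parts) > 2:
                # An unescaped '=' inside a value is allowed by the RFC 4514
                # string grammar, so it is only flagged as a likely typo.
                findings.append(
                    ("warning", index, f"unescaped '=' inside value {value!r}"))
    return findings


def lint_smbconf(text):
    """Lint the DN-valued parameters found in smb.conf text."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # blank line, comment, section header, or no parameter
        name, value = line.split("=", 1)
        name = " ".join(name.lower().split())
        if name in DN_PARAMS:
            results[name] = lint_dn(value.strip())
    return results


if __name__ == "__main__":
    for severity, index, message in lint_dn(SLAPD_DN):
        print(f"slapd DN: {severity} in RDN {index}: {message}")
    for name, findings in lint_smbconf(SAMPLE_SMBCONF).items():
        for severity, index, message in findings:
            print(f"{name}: {severity} in RDN {index}: {message}")
```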
[Samba] map acl inherit stopped working
Hi, It seems that at some point map acl inherit = yes stopped working for me. I now have Samba 3.4.2, but this problem started with an earlier version, possibly some 3.2.x or 3.3.x. No SAMBA_PAI extended attributes are created anymore, but existing ones are still honored. OS is Suse 11.0, file system is XFS. What could be wrong? Peter
[Samba] Wrong ACL in subdir
Hi, I've noticed the following ACL problem in a newly created subfolder: Let a folder have full rights for the owner, no rights for the primary group, no rights for everyone, no further rights defined. Add, from WinXP, an ACL for another user with ReadExecute rights and the option This folder only. Now create a subfolder: in the new subfolder, the parent group has Full control although it had no rights in the parent. In the log I can find the entry change_dir_owner_to_parent: device/inode/mode on directory ... changed. Refusing to chown ! Happens with Samba 3.2.7, 3.3.5, 3.3.6 (no other versions tested) Details on this are in https://bugzilla.samba.org/show_bug.cgi?id=6507 Peter Rindfuss
[Samba] can samba keep uid/gid/permission on a per-file-base?
Is there a trick to copy files via smbfs and keep uid/gid/permissions? Usually uid/gid/permission of a transferred file depends on the uid used when mounting the remote share. But maybe there is a trick/patch whatever ...
background: I'd like to use a linux-based NAS to backup loads of files *including their permissions and uid/gid*. The NAS supports NFS (which can do what I want) but the NFS-connections breaks all the time. So smbfs/cifs is my available option.
* I need to backup the files on a per-file-base (and not in a tar-container) to make the backup-files easily and fast accessible from any thinkable client.
* rsync via ssh would be my last option, but ssh has lot of overhead and invokes a key-management-strategy for automatic backup
thnx, peter
[Samba] user cannot logon to domain although log says auth succeeded
I have a very strange problem and I'm doomed. In a samba-domain with XP-clients certain users cannot logon to some computers. The user tries to logon but *immediately* gets the message you cant get logged on. please check username and domain and retype your password (translated from german) on the XP-machine. In the samba-logs (Loglevel=2) it says:
[2009/05/19 16:47:16, 2] lib/access.c:check_access(406) Allowed connection from (192.168.1.77)
[2009/05/19 16:47:16, 2] smbd/reply.c:reply_special(492) netbios connect: name1=SERVER name2=VOEV12
[2009/05/19 16:47:16, 2] smbd/reply.c:reply_special(499) netbios connect: local=server remote=voev12, name type = 0
[2009/05/19 16:47:26, 2] auth/auth.c:check_ntlm_password(308) check_ntlm_password: authentication for user [ingrid] - [ingrid] - [ingrid] succeeded
I used samba 3.0.28 that comes with ubuntu 8.10 but now I compiled recent 3.3.4 and have the same problem, so it's either a problem on WinXP-side or in the config itself. A more detailed log at Loglevel=15 can be viewed at : http://www.goldfisch.at/temp/smb.log.txt (~150kB) I'm kind of desperate here and I'm really looking forward for any hint/tip/help ...
thnx, peter
here is my config
[global]
interfaces = eth4 127.0.0.1
bind interfaces only = yes
workgroup = VOEV
netbios name = server
server string = Freire2
wins support = yes
wins proxy = yes
; wins server = w.x.y.z
dns proxy = no
log file = /data/log/samba/log.%m
log level=15
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
; guest account = nobody
; invalid users = root
hosts allow = 127.0.0.1/32 192.168.1.0/255.255.255.0
domain logons = yes
domain master = yes
preferred master = yes
logon path = \\%L\profiles\%U
logon drive = O:
logon home = \\%L\%U
logon script = startup.bat %U %G %h %m %L %M %R %d %a %I %i %T %D %w
time server = yes
load printers = no
printcap name = /dev/null
disable spoolss = yes
socket options = TCP_NODELAY
unix charset = UTF-8
display charset = UTF-8
add machine script = /usr/sbin/useradd -g machines -c Machine -s /bin/false %u
message command = echo %t %f %s /opt/msg.txt
[profiles]
comment = NT Profiles
path = /data/samba/profiles/%a
browseable = Yes
csc policy = manual
directory mode = 0700
profile acls = yes
read only = No
[homes]
comment = PRIVATE home
browseable = No
read only = No
path = /data/samba/user/%U
create mask = 0700
directory mask = 0700
force group = users
[netlogo]
# to avoid netlogo-errors in the log
comment = wannabe NTserver
path = /data/samba/netlogon
browseable = No
writeable = No
[netlogon]
comment = wannabe NTserver
path = /data/samba/netlogon
browseable = No
writeable = No
[daten]
comment = Daten
path = /data/samba/daten
create mode = 6777
directory mode = 6777
read only = No
Re: [Samba] PDC and group question
On Wednesday, 06.05.2009, 12:31 -0700, MargoAndTodd wrote:

> Hi All, I just upgraded a workstation server to a PDC server. I am using tdbsam as my user database. Question 1: As a workgroup server, I created my groups in /etc/group (groupadd). Is this still the case? Do I also need to tell Samba about a different database for groups?

I am not quite sure I understand your question correctly: probably you will want to use commands like

# net groupmap add ntgroup="Domain Admins" unixgroup=wheel type=d rid=512

which would map the Windows group Domain Admins to the local UNIX group wheel and so on. See the documentation on samba.org for more detailed examples.

Greetings
Uli.

> Question 2: occasionally I get asked for the user with administrator's privileges. Do I need to create a group called administrators (with an s) and populate it with root, todd (me), etc.? Many thanks, -T
Re: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed
On 15.04.2009 15:12, Karolin Seeger wrote:

> The code change between 3.2.9 is really small and it was not the intention to introduce the bug, but maybe it happened.

I went from 3.2.8 to 3.2.10, i.e. the bug could have been introduced either in 3.2.9 or 3.2.10. In the meantime, I reverted to 3.2.8, and things are ok again.

Best, Peter Rindfuss
Re: [Samba] [Release Planning 3.4] 3.4.0pre1 will be delayed
Remy Zandwijk wrote:

> Peter Rindfuss wrote:
>> On 15.04.2009 15:12, Karolin Seeger wrote:
>>> The code change between 3.2.9 is really small and it was not the intention to introduce the bug, but maybe it happened.
>> I went from 3.2.8 to 3.2.10, i.e. the bug could have been introduced either in 3.2.9 or 3.2.10. In the meantime, I reverted to 3.2.8, and things are ok again.
> FWIW: I've setup a virgin PDC based on 3.2.10 and I could join a XP-SP2 machine without problems. -Remy

Remy, I can confirm this. For testing purposes, I installed a fresh WinXP SP2 on a PC. I had no problems to join this machine to 3.2.10, but after the next login, the problems showed up as described.

Peter
[Samba] Samba 3.2.10: WinXP SP2 trouble
Hi,

Yesterday I upgraded our PDC and BDC from Samba 3.2.8 to 3.2.10 (OpenSUSE 11.0). Now all WinXP SP3 clients are still working fine, but those (fortunately few) clients with only SP2 or SP1 cannot correctly login anymore. After login, a lsass.exe error shows up, and Windows starts shutting down (60 seconds left). If one stops the shutdown, all file access to the PDC works nicely, but the system control panel shows the domain name as *unknown*, and a message pops up telling that the RPC server is not available.

If I do a local login instead of a domain login, no problem occurs, and I even can map a network drive in explorer with no bad consequences.

What could be wrong? Thanks for hints

Peter
Re: [Samba] ntlm hashes..
On 03.04.2009 10:29, Collen Blijenberg wrote:

> Hello, How can I make an lm/ntlm hash from a plain text password ?? I need a way to generate a ntlm password to put into an external database. we make the users and their passwords on a machine that is not direct connected to the samba domain. we can export the database, so the only prob I have left is, how to get the samba passwords (lm/nt) in the database.

You could use perl and the Crypt::SMBHash module.

Peter Rindfuss
Re: [Samba] ntlm hashes..
On 03.04.2009 12:05, Collen Blijenberg wrote:

> Thx, found both packages. and they fit my needs... (-: Greets, Collen
>
> Peter Rindfuss wrote:
>> On 03.04.2009 10:29, Collen Blijenberg wrote:
>>> Hello, How can I make an lm/ntlm hash from a plain text password ?? I need a way to generate a ntlm password to put into an external database. we make the users and their passwords on a machine that is not direct connected to the samba domain. we can export the database, so the only prob I have left is, how to get the samba passwords (lm/nt) in the database.
>> You could use perl and the Crypt::SMBHash module.

I forgot to mention: I also have some C/C++ code that creates a ntlm passwd using ms windows crypto functions. Let me know if you want it.

Peter
[Samba] new user cannot logon to one computer in the domain
I run a NT-Domain with samba 3.0.28a and WinXP-Clients (SP3). Everything is fine. But now I created a new user and this new user can logon to all machines in the Domain but one. On this machine the user gets the message "user cannot login. check username/password/domain and be aware that username/password are casesensitive" (I translated this from German). Other users can login fine.

I applied the sign-seal-reghack on this machine again and the domain-reghack, but it didn't help (see below for details).

In the log-files I don't see anything suspicious but from the logfiles it seems that the user is authenticated successfully:

check_ntlm_password: authentication for user [assistance] - [assistance] - [assistance] succeeded

The eventlog on XP also didn't reveal anything interesting (like it would when it's the sign/seal-problem).

The full smb-log at LogLevel=3 can be found at: http://www.goldfisch.at/temp/smb.log
the smb-log at LogLevel=15 (~400kb) can be found at: http://www.goldfisch.at/temp/smb.level15.log

If posting any other log might help please let me know. I would do anything to solve this problem cause it drives me nuts not being able to logon a simple user in my small domain.

smb.conf :
---
[global]
interfaces = eth4 127.0.0.1
bind interfaces only = yes
workgroup = VOEV
netbios name = server
server string = xxx
wins support = yes
wins proxy = yes
dns proxy = no
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
hosts allow = 127.0.0.1/32 192.168.1.0/255.255.255.0
domain logons = yes
domain master = yes
preferred master = yes
logon path = \\%L\profiles\%U
logon drive = O:
logon home = \\%L\%U
logon script = startup.bat %U %G %h %m %L %M %R %d %a %I %i %T %D %w
time server = yes
..
---
and finally the reghack I applied (it's standard procedure in this network - every machine gets it):
---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
requiresignorseal=dword:
signsecurechannel=dword:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
CompatibleRUPSecurity=dword:0001
---
any help appreciated !! thnx a lot !!

peter
[Samba] Re: smbclient with Kerberos works, smbclient with NTLM does not?
It turned out that my problem was caused by LMCompatibilityLevel on Windows being set to 5. I have set this to 3 and now smbclient NTLM authentication works. Setting client ntlmv2 auth = yes also allowed smbclient NTLM authentication to work while LMCompatibilityLevel was still set to 5. My question is: shouldn't Samba have negotiated a working protocol regardless of the client ntlmv2 auth setting in smb.conf? The windows server in question is Windows 2003 R2. 2009/3/20 Peter Rosenthal voipers...@gmail.com If someone could at least give me an idea of how to go about debugging this problem (relevant log files/debug levels/errors on windows itself) I would be very grateful. 2009/3/16 Peter Rosenthal voipers...@gmail.com Hello, I am investigating some strange authentication problems with our network. I am attempting to access a share on a DC with smbclient. If I authenticate with kerberos (kinit, then smbclient -k) then everything works fine. If, instead I use -U administrator -W DOMAIN, or just -U administrator, I get session setup failed: NT_STATUS_LOGON_FAILURE This is samba 3.3.2. 
Here is the d5 output from smbclient: INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file /etc/samba/smb.conf Processing section [global] doing parameter workgroup = TESTDOMAIN doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = ads doing parameter realm = TESTDOMAIN.COM doing parameter encrypt passwords = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes doing parameter winbind use default domain = yes doing parameter winbind separator = / doing parameter winbind nested groups = yes doing parameter winbind refresh tickets = true doing parameter winbind nss info = rfc2307 doing parameter use kerberos keytab = yes doing parameter idmap config TESTDOMAIN : backend = ad doing parameter idmap config TESTDOMAIN : range = 1-99 doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307 doing parameter winbind offline logon = yes doing parameter template homedir = /home/%U pm_process() returned Yes Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered 
charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE added interface eth0 ip=X bcast=X:::: netmask=::::: added interface eth0 ip=X bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0 Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Netbios name list:- my_netbios_names[0]=EL5 Client started (version 3.3.2). Opening cache file at /var/lib/samba/gencache.tdb tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only. sitename_fetch: Returning sitename for TESTDOMAIN.COM
Re: [Samba] trouble with winbind on Centos 5.2
I might be wrong but it looks like the rpm binary you have is not compatible. I built my own from source easily enough. Grab the tarball from samba.org and extract:

samba-3.3.2/packaging/RHEL
./makerpms.sh

You'll obviously need compiler, rpm-build package and any dependencies the rpm build process complains about.

2009/3/21 Matthias Grimm eiso...@eisofen.de

> Hello, currently I'm testing samba authenticating against ADS. Samba is joined to that domain, getent passwd and wbinfo -u works as expected, but when I try to ssh to the samba server with an account in AD it fails. I've turned debug on for pam_winbind.so in /etc/pam.d/system-auth. When I try to connect I get the following in /var/log/secure
>
> Mar 21 16:10:35 samba-ads sshd[20542]: PAM unable to dlopen(/lib64/security/pam_winbind.so)
> Mar 21 16:10:35 samba-ads sshd[20542]: PAM [error: /lib64/security/pam_winbind.so: undefined symbol: talloc_asprintf]
> Mar 21 16:10:35 samba-ads sshd[20542]: PAM adding faulty module: /lib64/security/pam_winbind.so
> Mar 21 16:10:37 samba-ads sshd[20542]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=mgr2.nic.isb.d e.renzel.net user=mgr1
> Mar 21 16:10:39 samba-ads sshd[20542]: Failed password for mgr1 from 10.2.0.5 port 55762 ssh2
>
> I've installed the recent sernet-samba (samba3-3.3.2-38 ff) packages from repo. User's homedir is created manually with the right UID:GID from getent passwd, changing 'winbind use default domain' doesn't change anything.
>
> Cheers Matthias
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
Looks like you have a time-sync problem.

2009/3/17 Mark Casey ma...@unifiedgroup.com

> Hello, I have a samba server set up as a member server in a native 2003 domain. It's ubuntu server 8.4.02 LTS. Any idea what causes this when I try to leave the domain?
>
> u...@dordal:/home/backups$ sudo net ads leave -U administra...@domain.com
> administra...@domain.com's password:
> [2009/03/17 17:41:02, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
> [2009/03/17 17:41:02, 0] libads/sasl.c:ads_sasl_spnego_bind(330)
>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Ticket not yet valid
> u...@dordal:/home/backups$
>
> I'm hoping there is some sort of known cause for this, but I can send my confs if needed. BTW: The time on the DC and the time on this server are matched to within 1 second. I've seen gaps in system time as a cause of this, but I'd be surprised to learn how it applies here.
>
> TIA, Mark
[Samba] Re: smbclient with Kerberos works, smbclient with NTLM does not?
If someone could at least give me an idea of how to go about debugging this problem (relevant log files/debug levels/errors on windows itself) I would be very grateful. 2009/3/16 Peter Rosenthal voipers...@gmail.com Hello, I am investigating some strange authentication problems with our network. I am attempting to access a share on a DC with smbclient. If I authenticate with kerberos (kinit, then smbclient -k) then everything works fine. If, instead I use -U administrator -W DOMAIN, or just -U administrator, I get session setup failed: NT_STATUS_LOGON_FAILURE This is samba 3.3.2. Here is the d5 output from smbclient: INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file /etc/samba/smb.conf Processing section [global] doing parameter workgroup = TESTDOMAIN doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = ads doing parameter realm = TESTDOMAIN.COM doing parameter encrypt passwords = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes doing parameter winbind use default domain = yes doing parameter winbind separator = / doing parameter winbind nested groups = yes doing parameter winbind refresh tickets = true doing parameter winbind nss info = rfc2307 doing parameter use kerberos keytab = yes doing parameter idmap config TESTDOMAIN : backend = ad doing parameter idmap config TESTDOMAIN : range = 1-99 doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307 doing parameter winbind offline logon = yes doing parameter 
template homedir = /home/%U pm_process() returned Yes Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE added interface eth0 ip=X bcast=X:::: netmask=::::: added interface eth0 ip=X bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0 Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Netbios name list:- my_netbios_names[0]=EL5 Client started (version 3.3.2). 
Opening cache file at /var/lib/samba/gencache.tdb tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only. sitename_fetch: Returning sitename for TESTDOMAIN.COM: SITE1 no entry for dc1#20 found. resolve_lmhosts: Attempting lmhosts lookup for name dc10x20 getlmhostsent: lmhost entry: 127.0.0.1 localhost resolve_wins: Attempting wins lookup for name dc10x20 resolve_wins: WINS server resolution selected and no WINS servers listed. resolve_hosts: Attempting host lookup for name dc10x20 namecache_store: storing 1 address for dc1#20: 192.168.0.4 Connecting to 192.168.0.4 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST
[Samba] smbclient with Kerberos works, smbclient with NTLM does not?
Hello, I am investigating some strange authentication problems with our network. I am attempting to access a share on a DC with smbclient. If I authenticate with kerberos (kinit, then smbclient -k) then everything works fine. If, instead I use -U administrator -W DOMAIN, or just -U administrator, I get session setup failed: NT_STATUS_LOGON_FAILURE This is samba 3.3.2. Here is the d5 output from smbclient: INFO: Current debug levels: all: True/5 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 quota: False/0 acls: False/0 locking: False/0 msdfs: False/0 dmapi: False/0 registry: False/0 lp_load_ex: refreshing parameters Initialising global parameters params.c:pm_process() - Processing configuration file /etc/samba/smb.conf Processing section [global] doing parameter workgroup = TESTDOMAIN doing parameter server string = Samba Server Version %v doing parameter log file = /var/log/samba/log.%m doing parameter max log size = 50 doing parameter security = ads doing parameter realm = TESTDOMAIN.COM doing parameter encrypt passwords = yes doing parameter winbind enum users = yes doing parameter winbind enum groups = yes doing parameter winbind use default domain = yes doing parameter winbind separator = / doing parameter winbind nested groups = yes doing parameter winbind refresh tickets = true doing parameter winbind nss info = rfc2307 doing parameter use kerberos keytab = yes doing parameter idmap config TESTDOMAIN : backend = ad doing parameter idmap config TESTDOMAIN : range = 1-99 doing parameter idmap config TESTDOMAIN : schema_mode = rfc2307 doing parameter winbind offline logon = yes doing parameter template homedir = /home/%U pm_process() returned Yes Attempting to register new charset UCS-2LE Registered charset UCS-2LE Attempting to register new charset UTF-16LE Registered charset UTF-16LE Attempting to 
register new charset UCS-2BE Registered charset UCS-2BE Attempting to register new charset UTF-16BE Registered charset UTF-16BE Attempting to register new charset UTF8 Registered charset UTF8 Attempting to register new charset UTF-8 Registered charset UTF-8 Attempting to register new charset ASCII Registered charset ASCII Attempting to register new charset 646 Registered charset 646 Attempting to register new charset ISO-8859-1 Registered charset ISO-8859-1 Attempting to register new charset UCS2-HEX Registered charset UCS2-HEX Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE added interface eth0 ip=X bcast=X:::: netmask=::::: added interface eth0 ip=X bcast=fe80:::::%eth0 netmask=::::: added interface eth0 ip=192.168.0.7 bcast=192.168.0.255 netmask=255.255.255.0 Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Substituting charset 'UTF-8' for LOCALE Netbios name list:- my_netbios_names[0]=EL5 Client started (version 3.3.2). Opening cache file at /var/lib/samba/gencache.tdb tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied gencache_init: Opening cache file /var/lib/samba/gencache.tdb read-only. 
sitename_fetch: Returning sitename for TESTDOMAIN.COM: SITE1 no entry for dc1#20 found. resolve_lmhosts: Attempting lmhosts lookup for name dc10x20 getlmhostsent: lmhost entry: 127.0.0.1 localhost resolve_wins: Attempting wins lookup for name dc10x20 resolve_wins: WINS server resolution selected and no WINS servers listed. resolve_hosts: Attempting host lookup for name dc10x20 namecache_store: storing 1 address for dc1#20: 192.168.0.4 Connecting to 192.168.0.4 at port 445 socket option SO_KEEPALIVE = 0 socket option SO_REUSEADDR = 0 socket option SO_BROADCAST = 0 socket option TCP_NODELAY = 1 socket option TCP_KEEPCNT = 9 socket option TCP_KEEPIDLE = 7200 socket option TCP_KEEPINTVL = 75 socket option IPTOS_LOWDELAY = 0 socket option IPTOS_THROUGHPUT = 0 socket option SO_SNDBUF = 16384 socket option SO_RCVBUF = 87380 socket option SO_SNDLOWAT = 1 socket option SO_RCVLOWAT = 1 socket option
[Samba] Raising DomainAdmin privileges
I have the following problem: As DomainAdmin I want to be able to mount a Windows directory, do a complete directory listing, read and possibly write all files in that directory. And all that even if the user has not included the DomainAdmin in the list of permitted users.

To do this properly, I need to raise the following DomainAdmin privileges:

SE_CHANGE_NOTIFY_NAME
SE_BACKUP_NAME
SE_RESTORE_NAME

Is it possible to add these privileges in samba, and if so, does anyone know how?

Thanks, Peter
[Samba] Off Domain Login Problem
At the small non-profit I support I have a Mac OS X Server (10.4) supporting about 15 Windows XP clients. I use Open Directory for user management and the OS X Server is the PDC for the Windows domain. I have it set-up to use remote home folders on the server so any user can log in from any machine on the network. After a bumpy start, this is working very well. The users are not power users but have come to embrace the concept of their stuff not being tied to a specific machine.

Now I have two Windows XP laptops to add to the domain. They work fine while connected to the domain but can not authenticate while being used off site (e.g. disconnected from the domain). The local security policy on the laptop is set to cache the domain login but it always says it can not find the domain. Is there something in the Samba config I am missing? If possible I want to avoid setting up the user as a local user on the laptop since they would now have stuff in two places.

If I do manage to get disconnected authentication to work, I also wonder what would happen with file synchronization. Will the two sets of user files merge? Will one folder overwrite the other? What about same name/diff modified dates?

Any thoughts/advice from someone who has tried a similar set-up would be greatly appreciated. Thanks.
Re: [Samba] Users not able to change password [SOLVED]
Adam Williams wrote:

> take these out of your smb.conf, you don't need them since you have ldap passwd sync = yes
>
> passwd program = /usr/sbin/smbldap-passwd %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

Hi Adam / Mario,

Thank you for the hints. The LDAP config was correct

access to attrs=userPassword,sambaLMPassword,sambaNTPassword,deliveryMode,mailReplyText
    by dnattr=administrator write
    by self write
    by anonymous auth
    by * none
access to *
    by * read

Adam pointed me into the right direction. I had 2x passwd program passwd chat in my config. Kind'a unbelievable that I didn't see that... :-s I left the smbldap-passwd lines but took out the 'default' and again MAGIC... all working :-) (The default were below the LDAP lines so they 'overruled' what was defined first.)

Thanks for the help!

Peter
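The cause found in this thread, a parameter set twice in one section with the later line overruling the earlier one, is easy to miss by eye in a long smb.conf. The following added example (not from the thread and not part of Samba) lists every such repeat and the value that ends up in effect, taking the last definition as the winner as the post reports. The function names are hypothetical, the sample is an excerpt of the [global] section posted in the thread with the capitalisation of one name varied, and parameter synonyms are not resolved.

```python
"""Find parameters defined more than once per smb.conf section (added example)."""
import re
from collections import defaultdict


def canon(name):
    """Normalise a name: smb.conf ignores case and whitespace in
    section and parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_settings(text):
    """Yield (section, parameter, value, line_number) for each setting."""
    section, buffered, first_line = "(none)", "", 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buffered:
            if not line or line[0] in "#;":   # blank line or comment
                continue
            first_line = lineno
        line = buffered + line
        if line.endswith("\\"):               # continued on the next line
            buffered = line[:-1]
            continue
        buffered = ""
        if line.startswith("[") and line.endswith("]"):
            section = canon(line[1:-1])
        elif "=" in line:
            name, value = line.split("=", 1)
            yield section, canon(name), value.strip(), first_line


def find_overrides(text):
    """Return one report entry per parameter that a section sets twice or more."""
    seen = defaultdict(list)
    for section, name, value, lineno in parse_settings(text):
        seen[(section, name)].append((lineno, value))
    report = []
    for (section, name), definitions in seen.items():
        if len(definitions) > 1:
            report.append({
                "section": section,
                "parameter": name,
                "definitions": definitions,
                "effective": definitions[-1][1],   # the last line wins
                "conflicting": len({v for _, v in definitions}) > 1,
            })
    return report


# Excerpt of the [global] section posted in the thread; "Passwd Program" is
# capitalised differently here (constructed) to show the name normalisation.
SAMPLE_CONF = r"""
[global]
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   domain logons = yes
   unix password sync = yes
   Passwd Program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
[homes]
   read only = no
"""

if __name__ == "__main__":
    for entry in find_overrides(SAMPLE_CONF):
        lines = ", ".join(str(n) for n, _ in entry["definitions"])
        print(f'[{entry["section"]}] {entry["parameter"]} set on lines {lines}; '
              f'in effect: {entry["effective"]}')
```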
[Samba] Re: Samba + Vista Issue
Adam Stirk wrote:

> I'm experiencing a problem with samba v3.2.4 and windows vista. If I access my samba share via the ip address e.g. \\192.168.0.1\share windows will authenticate against the samba server and bring the share up, but if I use the dns name e.g. \\server.domain.local\share i'm faced with the logon box.

I guess that name resolution is not working properly. Please open the command line interface on your Vista box and type the following commands:

ping server.domain.local
ping server

If that is successful, try the 'net use' command:

net use server

Peter
[Samba] Users not able to change password
-- Can somebody point me into the right direction please? Is this a windows issue/setting or samba or both ... Thanks Peter -- Hi list, My brand new samba network is working pretty good, ironing out some glitches. Win XP users cannot change their password. I use SaMBa as a domain-controller with an LDAP backend. A stripped down version of the config is below. I set minimum password length to 8, trying to change the password to a 7 char long gives me the messages that the password does not meet requirements. So that part seems to be working. However using an 8 char long pass (with numbers etc) gives me the msg that I don't have enough permissions to change the passwd. This is going to be an issue in 30 days, when users are required to change their passwd... Used pdbedit to set those requirements Tips and hints are welcome. The log shows: 2008/11/13 12:54:19, 0] auth/auth_util.c:create_builtin_users(758) create_builtin_users: Failed to create Users [2008/11/13 12:54:19, 0] lib/util_sock.c:read_socket_with_timeout(497) read_socket_with_timeout: timeout read. read error = Input/output error. [2008/11/13 12:54:19, 0] lib/util_sock.c:read_socket_with_timeout(497) read_socket_with_timeout: timeout read. read error = Input/output error. 
[2008/11/13 12:55:02, 0] auth/auth_util.c:create_builtin_administrators(792) create_builtin_administrators: Failed to create Administrators [2008/11/13 12:55:02, 0] auth/auth_util.c:create_builtin_users(758) create_builtin_users: Failed to create Users Thanks Peter [global] workgroup = ENGIN server string = fileserver dns proxy = no log file = /var/log/samba/log.%m max log size = 1000 syslog = 0 panic action = /usr/share/samba/panic-action %d security = user encrypt passwords = true passdb backend = ldapsam:ldap://localhost/ obey pam restrictions = no ldap admin dn = cn=xxx,dc=xxx,dc=xxx ldap suffix = dc=xxx, dc=xxx ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users ldap passwd sync = Yes passwd program = /usr/sbin/smbldap-passwd %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* add user script = /usr/sbin/smbldap-useradd -m %u ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel %u add machine script = /usr/sbin/smbldap-useradd -w %u add group script = /usr/sbin/smbldap-groupadd -p %g delete group script = /usr/sbin/smbldap-groupdel %g add user to group script = /usr/sbin/smbldap-groupmod -m %u %g delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g set primary group script = /usr/sbin/smbldap-usermod -g %g %u domain logons = yes unix password sync = yes passwd program = /usr/bin/passwd %u passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* . 
logon path = logon script = allusers.bat load printers = yes printcap name = cups printing = cups use client driver = yes cups options = raw socket options = TCP_NODELAY [homes] comment = Home directories browseable = no read only = no create mask = 0700 directory mask = 0700 valid users = %S hide dot files = yes [netlogon] comment = Network Logon Service path = /home/samba/netlogon guest ok = yes read only = yes share modes = no [shared] comment = Shared by all path = /data/shares/shared create mask = 0770 directory mask = 0770 users = %S force group = Domain users read only = no -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Users not able to change password
Hi list,

My brand new samba network is working pretty good, ironing out some glitches.

Win XP users cannot change their password. I use SaMBa as a domain-controller with an LDAP backend. A stripped down version of the config is below.

I set minimum password length to 8, trying to change the password to a 7 char long gives me the messages that the password does not meet requirements. So that part seems to be working. However using an 8 char long pass (with numbers etc) gives me the msg that I don't have enough permissions to change the passwd.

This is going to be an issue in 30 days, when users are required to change their passwd... Used pdbedit to set those requirements.

Tips and hints are welcome.

The log shows:

    [2008/11/13 12:54:19, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users
    [2008/11/13 12:54:19, 0] lib/util_sock.c:read_socket_with_timeout(497)
      read_socket_with_timeout: timeout read. read error = Input/output error.
    [2008/11/13 12:54:19, 0] lib/util_sock.c:read_socket_with_timeout(497)
      read_socket_with_timeout: timeout read. read error = Input/output error.
    [2008/11/13 12:55:02, 0] auth/auth_util.c:create_builtin_administrators(792)
      create_builtin_administrators: Failed to create Administrators
    [2008/11/13 12:55:02, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users

Thanks
Peter

    [global]
        workgroup = ENGIN
        server string = fileserver
        dns proxy = no
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        security = user
        encrypt passwords = true
        passdb backend = ldapsam:ldap://localhost/
        obey pam restrictions = no
        ldap admin dn = cn=xxx,dc=xxx,dc=xxx
        ldap suffix = dc=xxx, dc=xxx
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap passwd sync = Yes
        passwd program = /usr/sbin/smbldap-passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
        add user script = /usr/sbin/smbldap-useradd -m %u
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        domain logons = yes
        unix password sync = yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        logon path =
        logon script = allusers.bat
        load printers = yes
        printcap name = cups
        printing = cups
        use client driver = yes
        cups options = raw
        socket options = TCP_NODELAY

    [homes]
        comment = Home directories
        browseable = no
        read only = no
        create mask = 0700
        directory mask = 0700
        valid users = %S
        hide dot files = yes

    [netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        guest ok = yes
        read only = yes
        share modes = no

    [shared]
        comment = Shared by all
        path = /data/shares/shared
        create mask = 0770
        directory mask = 0770
        users = %S
        force group = Domain users
        read only = no
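An added example, not part of the original post or of Samba itself: the posted [global] section sets passwd program and passwd chat twice, and Samba keeps only the last value of a repeated parameter, so a check like the one below lists which earlier settings are shadowed. The sample text is constructed from a trimmed copy of the posted lines, and the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the posted [global] section.
SAMPLE = r"""[global]
   ldap passwd sync = Yes
   passwd program = /usr/sbin/smbldap-passwd %u
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
   domain logons = yes
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
[homes]
   read only = no
"""


def assignments(text):
    """Yield (section, key, value, lineno) for every 'key = value' line."""
    section, pending = "global", ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            yield section, key.strip(), value.strip(), lineno


def shadowed(text):
    """Return (section, key, old_value, old_line, new_value, new_line) tuples."""
    last, hits = {}, []
    for section, key, value, lineno in assignments(text):
        # smb.conf parameter names ignore case and embedded whitespace.
        ident = (section, re.sub(r"\s+", "", key).lower())
        if ident in last:
            hits.append((section, key, *last[ident], value, lineno))
        last[ident] = (value, lineno)
    return hits


if __name__ == "__main__":
    for sec, key, old, old_ln, new, new_ln in shadowed(SAMPLE):
        print(f"[{sec}] {key!r}: line {old_ln} ({old}) is replaced by line {new_ln} ({new})")
```

Parameter synonyms and include files are not resolved here; `testparm -s` prints the configuration as Samba loads it.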
Re: [Samba] OpenLDAP integration
Brad Nielsen wrote:

I've followed the OpenLDAP + SAMBA Domain Controller tutorial step-by-step: http://ubuntuforums.org/showthread.php?t=640760

And after long hours, and endless googling, I've yet to find a solution. LDAP works great. SAMBA works great. But the integration between them doesn't work.

Here is the samba log:

    root:/etc# tail /var/log/samba/log.smbd
    smbd version 3.0.28a started.
    Copyright Andrew Tridgell and the Samba Team 1992-2008
    [2008/11/10 22:11:32, 0] auth/auth_util.c:create_builtin_administrators(792)
      create_builtin_administrators: Failed to create Administrators
    [2008/11/10 22:11:32, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users
    [2008/11/10 22:11:47, 0] auth/auth_util.c:create_builtin_administrators(792)
      create_builtin_administrators: Failed to create Administrators
    [2008/11/10 22:11:47, 0] auth/auth_util.c:create_builtin_users(758)
      create_builtin_users: Failed to create Users

I've tried to net groupmap the groups, but they've already been mapped, and still no luck.

I'm running Ubuntu 8.04, samba version 3.0.28a-1ubuntu4.5

When I try to access the share from the local machine with smbclient, I get:

    root:/etc# smbclient //hostname/Storage -U ricky
    Password:
    session setup failed: NT_STATUS_LOGON_FAILURE

(Note: I renamed hostname with the original hostname, I don't want to post any internal info.)

And if I do a ldapsearch, it brings up all of the right information.

My LDAP configuration in the smb.conf looks like this:

    passdb backend = ldapsam:ldap://localhost/
    ldap admin dn = cn=admin,dc=domain,dc=com
    ldap user suffix = ou=Users
    ldap suffix = dc=domain,dc=com
    ldap idmap suffix = ou=Users
    ldap passwd sync = Yes
    ldap delete dn = Yes
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups

(Note: I renamed domain com with the original domain, I don't want to post any internal info.)

I've double, triple, quad triple, and had someone else look at it, and we are not seeing what could be going wrong.

If there is anyone who can shine some light on this, it'd be greatly appreciated!

Thanks!
- Bradley

Looks like you are hitting the same stone-wall I encountered a couple of days ago.

Try creating a user using -m and not -a

This is what I use:

    smbldap-useradd -c "${fname} ${lname}" -M ${email} -N ${fname} -S ${lname} -A 1 -a -D H: -E allusers.bat -m -d /data/home/${uid} ${uid}

Let me know if that fixes it, because I did 'a lot' trying to get this going and I am still not 100% convinced that this is the solution that does it all...

Regards
Peter

--
Peter Van den Wildenbergh
Owner, Principal I.T. Consultant, meta-logica
Re: [Samba] Access Denied to Printers / Same thing here
Daniel L. Miller wrote:

Hi! Trying to trace down a problem with printer sharing. I don't see anything glaringly obvious with my smb.conf. I am using LDAP and CUPS. Using a Windoze client, accessing a printer I receive the friendly "Access denied, unable to connect." Checking the Samba logs, I find:

    [2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
      process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
    [2008/11/07 18:26:08, 0] param/loadparm.c:process_usershare_file(8268)
      process_usershare_file: share name ::{2227a280-3aea-1069-a2de-08002b30309d} contains invalid characters (any of %*?|/\+=;:,)
    [2008/11/07 18:26:08, 0] smbd/service.c:make_connection(1362)
      daniel (192.168.0.60) couldn't find service ::{2227a280-3aea-1069-a2de-08002b30309d}

I don't HAVE any shares with invalid characters - that I'm aware of. Is it possible there's something hiding in a corrupted tdb file? I've tried deleting ntprinters.tdb without improvement.

Hi Daniel,

I can only offer moral support, I got the same problem but no solution (yet).

Samba 3.0.28a on Ubuntu 8.04 LTS with OpenLDAP slapd 2.4.9

I read through this: http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/classicalprinting.html#id2620623
But no luck and I want to avoid the whole rpcclient thing.

Somebody here (http://lists.samba.org/archive/samba/2006-January/116695.html) pointed to http://www.extremetech.com/article2/0,1697,1722545,00.asp
Not sure what it has to do with it but I tried deleting the task thing (no change). (It explained where the 2227a280-3aea-1069-a2de-08002b30309d key comes from.)

Parts of my smb.conf:

    [global]
        load printers = yes
        printcap name = cups
        printing = cups

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = yes
        read only = yes
        guest ok = no
        write list = root, @Domain Admins, @Domain Users
        # Remove @Domain Users asap !!! Need printer setup working for Big Xerox 7328 MFC

    drwxrwxrwx 2 root Domain Admins 4096 2008-11-09 10:48 printers

(I will chmod this back to 775 ASAP)

The printer works in CUPS
root = part of Domain Admins

    User root already member of the group Domain Admins.

What else did I do?

Read man 8 cupsaddsmb
Step 6 here fails: http://de.samba.org/samba/docs/man/Samba-Guide/happy.html#id2575750
Rebooted everything one more time, to give it another try...
Posted this 'cry for help' msg...

Do I need cupsaddsmb? I do NOT use RAW printing.

Thanks
Peter