Re: [Samba] kinit user works, kinit user@domain.local doesn't

2013-10-13 Thread Rob Townley
Try appending a dot character to the end and put it in domain_realm
mapping.  Let us know.

kinit user@domain.local.
 On Oct 13, 2013 11:08 AM, "Danny Fedor"  wrote:

> I'm running Samba 4.0.10 on Ubuntu Server 12.04.3 x64
> Samba was installed from source and provisioned with internal DNS as PDC of
> the domain domain.local. Users were mapped through pam.
>
> I created a new user (user@domain.local) and joined a winxp workstation
> (workstation.domain.local). It seems kerberos is working since user can log
> to workstation without any problem using user@domain.local. Same with DNS;
> if I try to "ping pdc.domain.local", I get name resolved correctly, as well
> as with just "ping pdc".
>
> However, if I run "ping workstation.domain.local" from pdc, I get "unknown
> host", though "ping workstation" works. Similarly, if I run "kinit user", I
> get a ticket, but
> "kinit user@domain.local"
> produces
> "Cannot contact any KDC for realm 'domain.local' while getting initial
> credentials".
>
> Probably related issue is with samba_dnsupdate. Running
> "sudo /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
> gives
> "RuntimeError: kinit for PDC$@DOMAIN.LOCAL failed (Cannot contact any KDC
> for requested realm)".
> "sudo host -t SRV _kerberos._udp.domain.local."
> gives
> "_kerberos._udp.domain.local has SRV record 0 100 88 pdc.domain.local."
> so it seems there is a correct record for kdc in dns. I've read that this
> issue can be caused by wrong dns setting in resolv.conf.
> My /etc/resolv.conf (and /etc/resolvconf/resolv.conf.d/tail) is:
> domain domain.local
> nameserver 127.0.0.1
>
> and my /etc/hosts:
> 127.0.0.1   localhost.localdomain   localhost
> 127.0.1.1   pdc.domain.local   pdc
> #network interface eth0:
> 192.168.1.67   pdc.domain.local   pdc
>
> So even here everything looks ok
>
> My krb5.conf:
> [libdefaults]
> default_realm = DOMAIN.LOCAL
> dns_lookup_realm = false
> dns_lookup_kdc = true
> forwardable = true
>
> [realms]
> DOMAIN.LOCAL = {
> kdc = pdc.domain.local
> admin_server = pdc.domain.local
> }
>
> [domain_realm]
> .domain.local = DOMAIN.LOCAL
> domain.local = DOMAIN.LOCAL
>
> My smb.conf:
> [global]
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> netbios name = PDC
> server role = active directory domain controller
> server role check:inhibit = yes
> server services = s3fs, rpc, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc, dnsupdate, dns
> template shell = /bin/bash
> security = user
> map to guest = bad user
> guest account = nobody
> encrypt passwords = yes
> allow dns updates = True
> dns forwarder = 217.119.113.244
> interfaces = 127.0.1.1/8 eth0 lo
> bind interfaces only = yes
> logon path = \\%L\profiles\%U\%a
> logon drive = P:
> wins support = yes
> name resolve order = wins host bcast
> load printers = yes
> printing = cups
> printcap name = cups
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
>
> --
> View this message in context:
> http://samba.2283325.n4.nabble.com/kinit-user-works-kinit-user-domain-local-doesn-t-tp4654989.html
> Sent from the Samba - General mailing list archive at Nabble.com.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Thu, Feb 21, 2013 at 5:45 PM, Rob Townley  wrote:
>
>
> On Thursday, February 21, 2013, Jeremy Allison  wrote:
>> On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:
>>> On Wednesday, February 20, 2013, Jeremy Allison  wrote:
>>> > On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>>> >>
>>> >> What we have here is a problem of two incompatible text fields, and
>>> >> it does not make a difference if that incompatibility is a filenames
>>> >> in a file system or some table in some kind of non-filesytem media
>>> >> library. If you can't fix the incompatibility and if you can't
>>> >> change the underlying process that generates the data to only create
>>> >> names that fit the lowest common denominator all systems can handle,
>>> >> the obvious solution is to put in some kind of translation rule.
>>> >
>>> > The only question is whether that translation rule belongs in Samba
>>> > :-).
>>> >
>>> > It used to, but now I think it's better for it to be done externally
>>> > :-).
>>> >
>>> > Jeremy.
>>> > --
>>>
>>>
>>> Could there be an add-on module such as
>>> samba-enforce-dumb-filefolder-names ?
>>> Is Samba written in a modular enough way to add in a filesystem layer?
>>
>> Samba is *designed* to allow this :-). Check out the VFS
>> module interface. You'd have to catch all the path-based
>> calls.
>>
>> Jeremy.
>>

Sorry i fat fingered gmail on my smartphone web browser.

Now, i am thinking it would be better as an ext2/3/4 module for those
cases the Linux users are accessing the same file hierarchy but not
via Samba.
Maybe it has to be in Samba as well to satisfy all the different file
systems available to Linux servers.


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Thursday, February 21, 2013, Jeremy Allison  wrote:
> On Thu, Feb 21, 2013 at 04:38:13PM -0600, Rob Townley wrote:
>> On Wednesday, February 20, 2013, Jeremy Allison  wrote:
>> > On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>> >>
>> >> What we have here is a problem of two incompatible text fields, and
>> >> it does not make a difference if that incompatibility is a filenames
>> >> in a file system or some table in some kind of non-filesytem media
>> >> library. If you can't fix the incompatibility and if you can't
>> >> change the underlying process that generates the data to only create
>> >> names that fit the lowest common denominator all systems can handle,
>> >> the obvious solution is to put in some kind of translation rule.
>> >
>> > The only question is whether that translation rule belongs in Samba
>> > :-).
>> >
>> > It used to, but now I think it's better for it to be done externally
>> > :-).
>> >
>> > Jeremy.
>> > --
>>
>>
>> Could there be an add-on module such as
>> samba-enforce-dumb-filefolder-names ?
>> Is Samba written in a modular enough way to add in a filesystem layer?
>
> Samba is *designed* to allow this :-). Check out the VFS
> module interface. You'd have to catch all the path-based
> calls.
>
> Jeremy.
>


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-21 Thread Rob Townley
On Wednesday, February 20, 2013, Jeremy Allison  wrote:
> On Wed, Feb 20, 2013 at 11:30:37AM +0100, Sven Tegethoff wrote:
>>
>> What we have here is a problem of two incompatible text fields, and
>> it does not make a difference if that incompatibility is a filenames
>> in a file system or some table in some kind of non-filesytem media
>> library. If you can't fix the incompatibility and if you can't
>> change the underlying process that generates the data to only create
>> names that fit the lowest common denominator all systems can handle,
>> the obvious solution is to put in some kind of translation rule.
>
> The only question is whether that translation rule belongs in Samba :-).
>
> It used to, but now I think it's better for it to be done externally :-).
>
> Jeremy.
> --


Could there be an add-on module such as
samba-enforce-dumb-filefolder-names ?
Is Samba written in a modular enough way to add in a filesystem layer?




Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-19 Thread Rob Townley
i bookmarked the #Reserved_characters_and_words section of that wiki article.
However, the point is, there are times that the end user is not naming
the files directly, but the OS or an application is doing so.

wget will put escaped ? into filenames, but a windows machine will not
be able to read it.
mkdir "`date`"  allows one to make a folder name based on the time
with slashes and colons, but of course windows chokes on that.

Further, file systems need to save time, not consume a weekend.  The
problem is mostly with NTFS, but we can not control that.  If there
was a filesystem layer in a samba share that prevented the creation of
files / folders incompatible with windows, that would save time.  A
windows filenaming compatibility mode or just get rid of windows and
Macs altogether.  i prefer the latter, but that would entail getting
rid of family members and my job.


On Tue, Feb 19, 2013 at 2:50 AM, L.P.H. van Belle  wrote:
> Well ... just look here what's allowed.
> http://en.wikipedia.org/wiki/Filename
>
> The discussion of * or ? etc, in naming is bad should not be done here.
>
> I had the same with my collection, what I did was, add new options in my
> tagging.
> artist and albumartist.  where artist is the person who's singing it, and the
> albumartist is the person/group who released it, and I don't use strange
> ( not allowed ) characters in the albumartist.
>
> that's how you can fix it pretty easy.
>
> and yes, I have "some" special characters in filenames, but only the allowed
> ones.
> and no, I don't have problems with windows and unix with these files.
>
>
> Louis
>
>
>>-----Original message-----
>>From: rob.town...@gmail.com
>>[mailto:samba-boun...@lists.samba.org] On behalf of Rob Townley
>>Sent: Tuesday 19 February 2013 0:34
>>To: Jonathan Buzzard
>>CC: samba@lists.samba.org
>>Subject: Re: [Samba] Question marks, asterisks, colons in filenames
>>
>>On Mon, Feb 18, 2013 at 4:56 PM, Jonathan Buzzard
>> wrote:
>>> On 18/02/13 19:16, Ray wrote:
>>>>
>>>> Hi,
>>>>
>>>> I suppose this question must have been posted a hundred times, but
>>>> Google brings up nothing useful:
>>>>
>>>> Consider "The Wall" from Pink Floyd in an MP3 collection. There's "In
>>>> The Flesh.mp3" and "In The Flesh?.mp3" as tracks. Or, another example in
>>>> an MP3 collection: There's a Band called "Stellar", but there's also a
>>>> band called "Stellar*". Naming files like this is no problem in Linux.
>>>>
>>>
>>> Anyone putting "special" characters in file names has a special place in
>>> hell reserved for them. It is plain stupid, just don't do it.
>>>
>>> Personally I would name them all wall01.mp3, wall02.mp3 etc. and add ID3
>>> tags to them. Any decent graphical file manager and/or music player will
>>> display the tag information. Stop abusing the filename to store metadata
>>> when there is a standard for storing that metadata in the file.
>>>
>>> JAB.
>>>
>>> --
>>> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
>>> Fife, United Kingdom.
>>>
>>
>>JAB, have you ever pulled down a website with wget?  Have you ever
>>looked at  www.dropbox.com/bad_files_check  which shows all the native
>>files on your Linux box that will never make it to windows.
>>
>>Is there some kind of regular expression transliterate functionality?
>>A way to force windows only characters for samba shares?
>>
>>Ray, on more than one occasion swat has documentation that is
>>nowhere else.
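
The translation rule asked for in this thread, sketched as an added example (not part of any post and not a Samba feature): it flags names Windows cannot store and proposes a reversible escape. The percent-style escape and the names `problems`, `encode`, `decode` and `scan` are assumptions of this sketch.

```python
import os
import re

# Characters Windows refuses in a file name, plus the legacy device names.
RESERVED_CHARS = set('<>:"/\\|?*')
DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                *(f"COM{i}" for i in range(1, 10)),
                *(f"LPT{i}" for i in range(1, 10))}


def problems(name):
    """Return the reasons a single path component is unusable on Windows."""
    found = []
    if any(ch in RESERVED_CHARS or ord(ch) < 32 for ch in name):
        found.append("reserved-char")
    if name.endswith((" ", ".")):
        found.append("trailing-space-or-dot")
    if name.split(".", 1)[0].rstrip(" ").upper() in DEVICE_NAMES:
        found.append("device-name")
    return found


def _esc(ch):
    return f"%{ord(ch):02X}"


def encode(name):
    """Translate a name into one Windows accepts; decode() reverses it."""
    # '%' itself is escaped so that decoding is unambiguous.
    out = [_esc(ch) if ch in RESERVED_CHARS or ord(ch) < 32 or ch == "%" else ch
           for ch in name]
    found = problems(name)
    if "trailing-space-or-dot" in found:
        out[-1] = _esc(name[-1])
    if "device-name" in found:
        out[0] = _esc(name[0])
    return "".join(out)


def decode(name):
    """Recover the original Linux-side name from an encoded one."""
    return re.sub(r"%([0-9A-F]{2})", lambda m: chr(int(m.group(1), 16)), name)


def scan(root):
    """Yield (path, reasons, suggested name) for every offending entry under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = problems(name)
            if reasons:
                yield os.path.join(dirpath, name), reasons, encode(name)


# Constructed sample names based on the cases mentioned in the thread.
SAMPLES = ["In The Flesh.mp3", "In The Flesh?.mp3", "Stellar*",
           "Tue Feb 19 02:50:11 CST 2013", "aux.txt", "notes.", "100%.txt"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n!r:35} {problems(n)!s:45} -> {encode(n)!r}")
```

Because the escape is reversible, "In The Flesh.mp3" and "In The Flesh?.mp3" stay two distinct files after translation.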


Re: [Samba] Question marks, asterisks, colons in filenames

2013-02-18 Thread Rob Townley
On Mon, Feb 18, 2013 at 4:56 PM, Jonathan Buzzard
 wrote:
> On 18/02/13 19:16, Ray wrote:
>>
>> Hi,
>>
>> I suppose this question must have been posted a hundred times, but
>> Google brings up nothing useful:
>>
>> Consider "The Wall" from Pink Floyd in an MP3 collection. There's "In
>> The Flesh.mp3" and "In The Flesh?.mp3" as tracks. Or, another example in
>> an MP3 collection: There's a Band called "Stellar", but there's also a
>> band called "Stellar*". Naming files like this is no problem in Linux.
>>
>
> Anyone putting "special" characters in file names has a special place in
> hell reserved for them. It is plain stupid, just don't do it.
>
> Personally I would name them all wall01.mp3, wall02.mp3 etc. and add ID3
> tags to them. Any decent graphical file manager and/or music player will
> display the tag information. Stop abusing the filename to store metadata
> when there is a standard for storing that metadata in the file.
>
> JAB.
>
> --
> Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>

JAB, have you ever pulled down a website with wget?  Have you ever
looked at  www.dropbox.com/bad_files_check  which shows all the native
files on your Linux box that will never make it to windows.

Is there some kind of regular expression transliterate functionality?
A way to force windows only characters for samba shares?

Ray, on more than one occasion swat has documentation that is nowhere else.


Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-17 Thread Rob Townley
This is why it is smart to use a dedicated Firefox profile for banking,
another profile just for email, another profile for web browsing.  And of
course, another dedicated profile for internal systems only such as
for managing dd-wrt, switches, iLO,  DRAC, webcams, webmin and swat.

Safer is to have a dedicated swat xulrunner app.

If you want to be safest, use Qubes-OS.

Every user on the internet should know the following commands:
Firefox -no-remote -CreateProfile swatUseOnly
Firefox -no-remote -P swatUseOnly

I use swat when I want to find the new config options because it is often
the only documentation.  Keep swat.  It is not swat's fault, it is the
users.

On Sunday, February 17, 2013, Andrew Bartlett  wrote:
> On Sun, 2013-02-17 at 20:52 -0500, Nico Kadel-Garcia wrote:
>> On Sun, Feb 17, 2013 at 7:02 PM, Andrew Bartlett wrote:
>> > As most of you would have noticed, we have now had 3 CVE-nominated
>> > security issues for SWAT in the past couple of years.
>>
>> Has "webmin" kept up to date with the latest structural changes in
>> smb.conf? I'll admit that I've long preferred the "webmin" module
>> structure over the dedicated add-on structures of "swat".
>
> It seems webmin has much the same challenges, perhaps because it's a
> package of a similar age.  Or web security is just hard...
> http://www.webmin.com/security.html
>
> smb.conf hasn't changed structure in a long time, but we do add/remove
> options each release.  Neither is likely to do the AD DC stuff very well
> right now.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>


Re: [Samba] Fwd: correction - Frustrated with "there are currently no logon servers available"

2013-02-01 Thread Rob Townley
Win7 by default will only use 445


On Friday, February 1, 2013, Morgan Toal  wrote:
> OK,
>
> How do I confirm the sid that the windows box is using?
>
> I can get the domain sid from net getlocalsid
> I can get the user sid of a local user no problem
>
> In reference to unjoining and rejoining...
> does this require something more than :
> 1) userdel machine$
> 2) pdbedit --delete machine$
>
> Additional Information:
>
> when I join the domain, and the message "welcome to the domain" appears I
> get the following message immediately appear in my logs:
>
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7 machine account WIN7$
>
> Agh!
>
>
>
> On 2/1/2013 10:44 AM, Mike Howard wrote:
>>
>> On 01/02/2013 15:59, Morgan Toal wrote:
>>>
>>> On 2/1/2013 8:54 AM, Morgan Toal wrote:
>>>
>>> OK I feel even dumber now...  I pasted the wrong text into my email due
>>> to my frustration level.
>>>
>>> The error is: "there are currently no logon servers available"
>>> as opposed to: "the network name is no longer available"
>>>
>> That error has always meant to me that the client in question has
>> somehow become unjoined (for all intents and purposes). That is, its SID
>> no longer matches that held by the PDC.
>>
>> Have you tried unjoining the domain, ensuring the client record has
>> actually been removed and rejoining?
>>
>


Re: [Samba] Samba4 AD DC Sites / Rename Default-First-Site-Name and internal DNS

2012-12-31 Thread Rob Townley
On Sun, Dec 30, 2012 at 10:06 PM, Matthieu Patou  wrote:

> On 12/30/2012 07:10 PM, Achim Gottinger wrote:
>
>> As you have noticed, we are very good at adding DNS records, but never
>>> remove the old ones.  What you have done seems reasonable, if you have
>>> renamed the site, removing the remaining DNS references seems entirely
>>> reasonable.
>>>
>>> Please file a bug about the left-behind DNS stuff, we really should
>>> clean that up.
>>>
>>> Andrew Bartlett
>>>
>>
>> There is this menu option "cleanup old resource entries" in the DNS
>> snap-in, guess it's normal AD behaviour.  :-)
>>
> No it's not, there is KB about DNS server about how to clean old records
> that were set by a client via DDNS
>
>  This does not yet work against an Samba4 AD DC. But I'll file an
>> bugreport.
>>
>>  I'm not 100% sure that we implement everything that is needed for a
>>> client to pickup the correct site, so you might see some issues still.
>>>
>> It had happened in very seldom cases with the samba3/bind/openldap
>> before. In the Samba4 test environment it happened only once after i had
>> removed the mentioned SRV records pointing to site2's dc in site1 folders.
>> I'll report back if it happens on a regular basis.
>>
>>> As a last step i renamed the site "Default-First-Site-Name" into
>>> "site1". Restarted the samba services at both sites check replication. But
>>> there are still a few DNS entries left whom i deleted manual.

>>> It's really not a good idea to delete rename the default-First site lots
>>> of Windows admins don't advise to do so, you'd better leave it empty.
>>> Matthieu
>>>
>>
>> So to be on the safe side you recommend i create two new sites and assign
>> the two servers to them, leaving Default-First-Site-Name with no assigned
>> server.
>> I thought it is safer to leave the first server in that default site
>> because i had read the sites thing is a work in progress. Renaming it was
>> something i did after a bit of online research which mentioned it is safe and
>> not forbidden. Beside that now empty structure elements in dns the test
>> environment is still work functional.
>>
>> http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/2afc3cf5-7389-4368-bdeb-887e60c0081f
>>
>> Beside all that for me samba4 is a great step forward and will simplify
>> things a lot compared to the previous samba3/bind/openldap solution
>>
> Ok good to know.
>
> Matthieu.
>
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>

MS ADS utilities would demand restoring from backups for deleting dns
records.

Assuming you are trying to have two different sites in the same domain,
you would not want to delete DNS records at all, but change the dns SRV
record such that the remote site has a lower priority (higher number) and
the local site has a better priority (lower number).   In many computer
systems, higher priority is represented by a lower number.  zero is often
the highest priority.  Weight is different than priority.  More Weight is
represented by a higher number.   You may want to leave weight alone
because rfc2782 says WEIGHT zero is a special case.  rfc2782 is a little
confusing as to what weight zero implies.  It also states the order of
ResourceRecords returned matters in the selection process.  Details are in
the URLs below.  i would recommend reading about PRIORITY and WEIGHT in
2782.



http://en.wikipedia.org/wiki/SRV_record
http://tools.ietf.org/html/rfc2782
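
The priority and weight rules described in the message above, worked through as an added example (not part of the original post): the RFC 2782 ordering procedure run over constructed SRV records in `host -t SRV` output format. The host names and the names `SRV`, `parse_srv`, `order_srv` and `first_choice_counts` are assumptions of this sketch.

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int   # lower number is tried first
    weight: int     # higher number gets a larger share within one priority
    port: int
    target: str


def parse_srv(line):
    """Parse one line of `host -t SRV` output: '... SRV record PRIO WEIGHT PORT TARGET.'"""
    prio, weight, port, target = line.split()[-4:]
    return SRV(int(prio), int(weight), int(port), target.rstrip("."))


def order_srv(records, rng=None):
    """Return records in the order an RFC 2782 client would try them."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # Within one priority, zero-weight records are placed at the front of the list.
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)      # uniform in 0..total inclusive
            running = 0
            for i, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:           # first record whose running sum reaches pick
                    ordered.append(pool.pop(i))
                    break
    return ordered


def first_choice_counts(records, trials=1000, seed=0):
    """Count how often each target is tried first over many lookups."""
    rng = random.Random(seed)
    return Counter(order_srv(records, rng)[0].target for _ in range(trials))


# Constructed sample: local DC preferred by priority, remote DC kept as fallback.
TWO_SITES = """\
_ldap._tcp.example.test has SRV record 0 100 389 dc1.site1.example.test.
_ldap._tcp.example.test has SRV record 10 100 389 dc2.site2.example.test.
"""

# Constructed sample: same priority, so weight alone splits the load.
SAME_PRIORITY = [SRV(0, 10, 389, "dc1.site1.example.test"),
                 SRV(0, 90, 389, "dc2.site1.example.test")]

if __name__ == "__main__":
    records = [parse_srv(line) for line in TWO_SITES.splitlines()]
    print([r.target for r in order_srv(records)])
    print(first_choice_counts(SAME_PRIORITY))
```

With different priorities the remote record is only reached when the local one fails, whatever the weights are; a zero-weight record sharing a priority with weighted ones is picked first only when the random draw is exactly 0.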


Re: [Samba] Failing to get uids from AD

2012-07-17 Thread Rob Townley
Precisely what ldap attribute are you setting user id numbers in AD?  You
may want to check.  There are numerous attribute names that include uid and
gid, but you need the correct one.


Re: [Samba] Grant computer account access to share?

2011-11-20 Thread Rob Townley
On Thu, Nov 10, 2011 at 8:48 AM, Chris Weiss  wrote:

> On Thu, Nov 10, 2011 at 2:24 AM, Andrew Lyon 
> wrote:
> > Hi,
> >
> > I have a Microsoft application (SCCM) which I need to grant access to
> > a samba share, however the service which reads the files can only
> > authenticate using the computer account, there is option to configure
> > it to use a domain account.
>
> do you mean to say that it's a windows service that's Log On tab is
> set to local system?  because "authenticate using the computer
> account" isn't a "thing".  A windows service running as local system
> does not have permissions to access network resources at all.  This is
> a windows restriction, you have to have the account log on as a local
> or domain user if you want it to be able to access the network.
>

On a Win7 64bit windows system, bits and "Windows Update" both run as
"Local System" and i can guarantee you i have had numerous reboots the last
few weeks to finish applying updates.  You are probably confused by User
Account Control changes. Like he said, COMPUTER$ can be added on a Windows
share.  The windows security descriptor language may be needed for some
services.  See "sc.exe sdset /?"

man smb.conf may not be up-to-date like the web page configuration that
enumerates all the current parameters.  Going totally from memory, i
believe there was an option in the samba webpage program that allows you to
configure computer account access for a share.  Sorry, blanking on the
package name.


Re: [Samba] possible to deactivate pre-authentification on the Linux (or windows)- Please help

2011-03-15 Thread Rob Townley
On Wed, Mar 9, 2011 at 12:33 AM, Sharik M  wrote:
> Dear Friend,
>
>
> Is it possible to deactivate pre-authentification on the Linux (or
>
> Windows) side to avoid these messages ?
>
> Because i am getting a lot of errors in windows 2003 domain.
>
> Hi,
>
> When validating users on my Linux system against an ActiveDirectory,
> the Windows event log are filled with messages like these (Windows
> Event ID 675):
>
> Pre-authentication failed:
> User Name: linux$
> User ID: KK\linux$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
>
> (1.2.3.4 is the IP address of the Linux machine, LINUX the hostname of
> the Linux machine).
>
> The message above comes at every request from the Linux machine (every 5
> minutes on this installation). If I am validating a user, the same
> message is shown for the user like this (user name validated=test):
>
> Pre-authentication failed:
> User Name: test$
> User ID: KK\test$
> Service Name: krbtgt/KK.LOCAL
> Pre-Authentication Type: 0x0
> Failure Code: 0x19
> Client Address: 1.2.3.4
>
> Messages logged on behalf of a user may be disabled by deactivating
> pre-authentification for each user. But I cannot find any place in
> ActiveDirectory to disable it for the machine account.
>
> What is missing ?
>
> Is it possible to deactivate pre-authentification on the Linux (or
> Windows) side to avoid these messages ?
>
>
>

Although annoying, these are not necessarily all that bad of audit
entries because it may be trying different methods of authenticating.
First one fails so it tries a more difficult one.
i wonder if it would be better to attempt a reset of the machine
account password from AD, then setting DONT_REQ_PREAUTH.

You can change it via adsiedit or adexplorer.exe
DONT_REQ_PREAUTH

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B305144
ms-DS-User-Account-Control-Computed

p.s. i typed this 5 days ago and just found it was not sent.
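
A triage sketch for the Event ID 675 entries and the DONT_REQ_PREAUTH flag discussed above, added as an example and not part of the original post. It separates failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120, the KDC asking for pre-authentication data) from other codes, and lists accounts whose userAccountControl has pre-authentication switched off, since those accounts lose that protection against offline password guessing. The sample events and accounts are constructed, and the function names are assumptions.

```python
import re

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field.
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# userAccountControl bits, a subset of the list in KB305144.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed sample in the Event ID 675 layout quoted in the thread.
SAMPLE_EVENTS = """\
Pre-authentication failed:
User Name: linux$
User ID: KK\\linux$
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 1.2.3.4

Pre-authentication failed:
User Name: test
User ID: KK\\test
Service Name: krbtgt/KK.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 1.2.3.4
"""

# Constructed (sAMAccountName, userAccountControl) pairs.
SAMPLE_ACCOUNTS = [("linux$", 0x1000), ("svc-legacy", 0x200 | 0x10000 | 0x400000)]


def parse_events(text):
    """Turn the event text into a list of dicts, one per event."""
    events = []
    for block in re.split(r"(?m)^Pre-authentication failed:[ \t]*$", text):
        fields = dict(re.findall(r"(?m)^[ \t]*([A-Za-z -]+?):[ \t]*(\S.*?)[ \t]*$", block))
        if "Failure Code" in fields:
            fields["Failure Code"] = int(fields["Failure Code"], 16)
            events.append(fields)
    return events


def triage(events):
    """Split events into pre-auth negotiation (0x19) and ones worth reviewing."""
    expected, review = [], []
    for ev in events:
        code = ev["Failure Code"]
        ev = dict(ev, reason=FAILURE_CODES.get(code, f"unknown 0x{code:x}"))
        (expected if code == 0x19 else review).append(ev)
    return expected, review


def decode_uac(value):
    """Name the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def preauth_disabled(accounts):
    """Return account names that have DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts if uac & 0x400000]


if __name__ == "__main__":
    expected, review = triage(parse_events(SAMPLE_EVENTS))
    print("negotiation noise:", [e["User Name"] for e in expected])
    print("review:", [(e["User Name"], e["reason"]) for e in review])
    print("pre-auth disabled:", preauth_disabled(SAMPLE_ACCOUNTS))
```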


Re: [Samba] Managing win7 machines..

2011-01-28 Thread Rob Townley
FusionInventory.org  OPSI.org

On Fri, Jan 28, 2011 at 2:47 PM,   wrote:
>
>>
>> Ok, i get it...   so both options are horror...
>>
>> so basically i have to use samba4 for the policies and all.
>> and use samba3 on a different machine for the network browsing and
>> printing.
>> must be do-able
>>
>> just 1 question, can i use samba3 for the masterbrowser/wins and make
>> samba4
>> use that.. (as for as i know the network browse support isn't ready for
>> samba4)
>
> Yes
>>
>>
>>
>> Cheers, and thanx..
>>
>> Collen
>>
>>
>>
>> On 21-1-2011 8:48, Daniel Müller wrote:
>>>
>>> No ntconfig.pol anymore. You may use kixtart or other tools. Or
>>> Registry-files. But be aware
>>> Some registry-things can only be done by administrator and no one else.
>>> If
>>> you have the most win 7 clients
>>> It is better to switch over to samba4. You can then manage your group
>>> policies with Microsoft tools on the fly.
>>> With things that samba4 does not support at this moment use a samba 3
>>> domain
>>> member.
>>>
>>> Good Luck
>>> Daniel
>>>
>>> ---
>>> EDV Daniel Müller
>>>
>>> Head of IT
>>> Tropenklinik Paul-Lechler-Krankenhaus
>>> Paul-Lechler-Str. 24
>>> 72076 Tübingen
>>>
>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>> eMail: muel...@tropenklinik.de
>>> Internet: http://www.tropenklinik.de
>>> ---
>>>
>>> -----Original Message-----
>>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
>>> On behalf of Collen Blijenberg
>>> Sent: Friday, 21 January 2011 08:35
>>> To: samba@lists.samba.org
>>> Subject: Re: [Samba] Managing win7 machines..
>>>
>>> I did that, but that doesn't make win7 obey  the ntconfig.pol (nt4
>>> policies)
>>>
>>> as far as i know win7 can't handle these policies, so i think
>>> i need an other way to apply policies to win7.
>>>
>>> thx. Collen.
>>>
>>> On 20-1-2011 17:17, Wagg, Dave wrote:
>>>>
>>>> I don't know about version 3 but have you made the following changes to
>>>> the
>>>>
>>>> Control Panel → Admin Tools → Local Security Policy → Local Policies →
>>>> Security options
>>>>
>>>> Change the Network Security: LAN Manager authentication level to "Send
>>>> LM & NTLM responses"
>>>>
>>>> Remove 128 bit encryption on the following 2 items as well:
>>>>
>>>> Network security: Minimum session security for NTLM SSP based CLIENTS
>>>> and
>>>> Network security: Minimum session security for NTLM SSP based SERVERS
>>>>
>>>> -----Original Message-----
>>>> From: samba-boun...@lists.samba.org
>>>> [mailto:samba-boun...@lists.samba.org]
>>>> On Behalf Of Collen Blijenberg
>>>> Sent: Thursday, January 20, 2011 10:42 AM
>>>> To: samba@lists.samba.org
>>>> Subject: [Samba] Managing win7 machines..
>>>>
>>>> I'm curious how others manage their windows 7 machines
>>>> on a samba 3.x.x domain ..
>>>>
>>>> especial the part of policies and scripts.
>>>>
>>>> i got the win7 running in the samba domain, but i'm
>>>> stuck in the policies part.. and i don't want to use nitrobit for this.
>>>>
>>>> how do other users do this.. ?!
>>>>
>>>> thx, Collen


Re: [Samba] Win7 cannot net use z: Samba share

2010-10-05 Thread Rob Townley
On Tue, Oct 5, 2010 at 9:26 AM, John Hendrix  wrote:
> Hi all
>
> The symptom is:
>
>> C:\Windows\system32>net USE z: \\10.10.23.219\share /USER:SMBUSER
>> [password]
>>
>> System error 1326 has occurred.
>>
> My situation
>
> I am using VirtualBox.  Windows 7 Home is the host.  Fedora 13 is the guest.
>
>
> My goal is to cause the Fedora guest to expose an smb share to the Win 7
> host and have the Win 7 host mount the share as a drive.
>
> My procedure:
>
>   1. I followed the instructions I found here (http://tinyurl.com/347xcym)
>   to configure the Fedora guest.
>   2. I disabled iptables via the following command: service iptables stop
>   3. I configured the Fedora Guest’s VirtualBox networking for “bridged
>   mode”  This caused the guest to appear as just another computer on the
>   network
>
> At this point, when I attempt to mount the smb share on the Win 7 host I get
> the following:
>
>> C:\Windows\system32>net USE z: \\10.10.23.219\share /USER:SMBUSER
>> [password]
>>
>> System error 1326 has occurred.
>>
>> At this point I cranked smb debugging to the max and attempted to change
>> the ‘smbusers’ password.
>>
>> [r...@localhost fi]# smbpasswd -D 10 smbuser
>>
>> Netbios name list:-
>>
>> my_netbios_names[0]="SMBSERVER"
>>
>> Attempting to register passdb backend ldapsam
>>
>> Successfully added passdb backend 'ldapsam'
>>
>> Attempting to register passdb backend ldapsam_compat
>>
>> Successfully added passdb backend 'ldapsam_compat'
>>
>> Attempting to register passdb backend NDS_ldapsam
>>
>> Successfully added passdb backend 'NDS_ldapsam'
>>
>> Attempting to register passdb backend NDS_ldapsam_compat
>>
>> Successfully added passdb backend 'NDS_ldapsam_compat'
>>
>> Attempting to register passdb backend smbpasswd
>>
>> Successfully added passdb backend 'smbpasswd'
>>
>> Attempting to register passdb backend tdbsam
>>
>> Successfully added passdb backend 'tdbsam'
>>
>> Attempting to register passdb backend wbc_sam
>>
>> Successfully added passdb backend 'wbc_sam'
>>
>> Attempting to find a passdb backend to match tdbsam (tdbsam)
>>
>> Found pdb backend tdbsam
>>
>> pdb backend tdbsam has a valid init
>>
>> New SMB password:
>>
>> Retype new SMB password:
>>
>> tdbsam_open: successfully opened /var/lib/samba/private/passdb.tdb
>>
>> pdb_set_username: setting username smbuser, was
>>
>> pdb_set_domain: setting domain SMBSERVER, was
>>
>> pdb_set_nt_username: setting nt username , was
>>
>> pdb_set_full_name: setting full name , was
>>
>> Home server: smbserver
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> Substituting charset 'UTF-8' for LOCALE
>>
>> pdb_set_homedir: setting home dir \\smbserver\smbuser, was
>>
>> pdb_set_dir_drive: setting dir drive , was NULL
>>
>> pdb_set_logon_script: setting logon script , was
>>
>> Home server: smbserver
>>
>> pdb_set_profile_path: setting profile path \\smbserver\smbuser\profile, was
>>
>>
>> pdb_set_workstations: setting workstations , was
>>
>> account_policy_get: name: password history, val: 0
>>
>> pdb_set_user_sid: setting user sid
>> S-1-5-21-2780852000-3232352013-1934734775-1004
>>
>> pdb_set_user_sid_from_rid:
>>
>>                setting user sid
>> S-1-5-21-2780852000-3232352013-1934734775-1004 from rid 1004
>>
>> account_policy_get: name: maximum password age, val: -1
>>
>> Finding user smbuser
>>
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>>
>> Get_Pwnam_internals did find user [smbuser]!
>>
>> Opening cache file at /var/lib/samba/gencache.tdb
>>
>> Opening cache file at /var/lib/samba/gencache_notrans.tdb
>>
>> *Cache entry with key = IDMAP/GID2SID/501 couldn't be found *
>>
>> *gid_to_sid: winbind failed to find a sid for gid 501*
>>
>> *LEGACY: gid 501 -> sid S-1-22-2-501*
>>
>> account_policy_get: name: password history, val: 0
>>
>> pdb_set_username: setting username smbuser, was
>>
>> pdb_set_domain: setting domain SMBSERVER, was
>>
>> pdb_set_nt_username: setting nt username , was
>>
>> pdb_set_full_name: setting full name , was
>>
>> Home server: smbserver
>>
>> pdb_set_homedir: setting home dir \\smbserver\smbuser, was
>>
>> pdb_set_dir_drive: setting dir drive , was NULL
>>
>> pdb_set_logon_script: setting logon script , was
>>
>> Home server: smbserver
>>
>> pdb_set_profile_path: setting profile path \\smbserver\smbuser\profile, was
>>
>>
>> pdb_set_workstations: setting workstations , was
>>
>> account_policy_get: name: password history, val: 0
>>
>> pdb_set_user_sid:

Re: [Samba] Change of kerberos encryption from DES to AES

2010-08-27 Thread Rob Townley
On Thu, Aug 26, 2010 at 10:41 AM, Masopust, Christian
 wrote:
> Hello all,
>
> as our Windows DCs will switch off DES encryption in the near future I
> have to change our
> Samba-Server to AES encryption.
>
> If I understand it correctly I have to change kerberos-configuration to
> new encryption type
> (aes256-cts-hmac-sha1-96) and then re-join my Samba-Server to the
> domain.
>
> Is this correct?  Any other things to consider?
>
> Thanks a lot,
> Christian
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

i don't know how helpful this will be, but i will need to do the same.

i believe the samba server should generate the supported encryption
types from AD.
Not sure you have to manually change it, but the following blog posts
i have found helpful.
http://blogs.msdn.com/b/alextch/archive/tags/ad+interop/

This is one 2006 howto video on migrating from DES to RC4.
http://blogs.msdn.com/b/alextch/archive/2006/07/18/MITtoADRC4.aspx


Re: [Samba] samba and ms server 2008

2010-08-09 Thread Rob Townley
On Mon, Aug 9, 2010 at 2:07 PM, Gaiseric Vandal
 wrote:
> http://wiki.samba.org/index.php/Windows7
>
>
> I would be pretty sure that if Windows 7 doesn't work with Samba 3.0.x that
> Windows 2008 won't either.   Rather than compiling samba 3.4 or 3.5 from
> source I would go with Fedora Core 11 (samba 3.3.x) or  some other more
> up-to-date linux distro that has a newer version of samba included.   I
> wouldn't start anything with 3.0.xx.
>
> I would (maybe stating the obvious) set up a test environment 1st.     I did
> start playing with FC13 (samba 3.5)-  not sure it behaved properly.    I
> personally would stick with FC12 which I think had samba 3.4.x included-
>  since I am pretty familiar with 3.4.x but not 3.5.x.  There were definitely
> some config changes between 3.0.x and 3.4.x (group mapping, domain trusts.)
>
>
>
>
> On 08/09/2010 02:56 PM, Peter Lawrie wrote:
>>
>> Hi
>> I am about to set up a Centos server with samba and an MS server 2008 for
>> a
>> new customer.
>> The MS server is required because he has an MSSQL application. The samba
>> shares will be for everything else.
>> I've previously set up centos and redhat servers as domain members with a
>> 2003 pdc
>> before I get stuck, are there any issues I should worry about with server
>> 2008?
>> What release of samba should I run?
>> Are there any differences in configuration compared with samba3.0.33 which
>> comes with centos5.5
>> Peter

If you want to use CentOS, then your best bet would probably be :
http://enterprisesamba.com/index.php?id=123

They do have 64 bit packages, but you have to click on the 386
packages and navigate up and down to see the x86_64 packages.   Better
yet, simply add this repo file as /etc/yum.repos.d/sernet-samba.repo
and then yum install samba3*.  Not samba, but samba3 as they name
packages differently.

http://ftp.sernet.de/pub/samba/3.5/rhel/5/sernet-samba.repo
[sernet-samba]
name=SerNet Samba Team packages (RedHat Enterprise Linux 5)
type=rpm-md
baseurl=http://ftp.sernet.de/pub/samba/3.5/rhel/5
enabled=1
gpgcheck=0


Let us know how it goes.  Are you using 2008 or 2008R2?


Re: [Samba] Need suggestion for domain controller

2010-08-01 Thread Rob Townley
Please elaborate on why you do not like OpenLDAP and SambaPDC on the same machine?

RedHat sponsored FreeIPA.org does Samba, 389 ldap, Dns, pki all on one
machine.  So does win ads.

On 7/31/10, John Drescher  wrote:
>>     I wish to establish domain controller based on Centos 5.x. I am
>> considering below setups.
>>
>> 1) Samba PDC
>> 2) OpenLDAP
>> 3) Combination of Samba PDC + LDAP
>>
>>     I am confused to select one among above. Can anyone please suggest me?
>
> All are valid. I mean when setting up a samba domain with open ldap
> you should have at least 1 machine that is a PDC and at least 1
> machine that has openldap on it. Unless this is a home install I
> believe you should have at least 2 of each. The choice of how to
> combine these services is up to the user. For my department (of less
> than 50 users but 30TB of raid on a 100% gigabit network) I have 3 DCs
> and 3 openldap servers. At the moment they are PDC + Openldap. Also
> since I have no user shares on the domain controllers (all data is on
> dual / quad core domain member servers) I have these as guests under a
> vps (openvz or lxc).
>
> John


Re: [Samba] Default Hidden Disk Shares

2010-07-02 Thread Rob Townley
Sharing of complete$ drives may no longer be a default in WinVista / 2008.

Some of the other$ shares such as IPC$ and ADMIN$ may be needed to
manage your Linux shares remotely using windows compmgmt.msc and
remote registry.


http://book.opensourceproject.org.cn/sysadmin/samba/sambao3rd/opensource/0596007698/samba3-chp-9-sect-7.html

On 7/2/10, Gaiseric Vandal  wrote:
> I think I missed part of the conversation, but what would be the purpose
> of this feature?  (I am not even sure why Windows does this.)
>
>
>
> On 07/02/2010 02:15 PM, Robert LeBlanc wrote:
>> On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert wrote:
>>
>>
>>> Interesting to see you say it's dangerous. The way the Windows version
>>> works
>>> is that you have to be part of the Administrator group to be able to see
>>> them, which I would have thought secure enough?
>>>
>>>
>> This is not true, the share is advertised to anyone who asks. The Windows
>> client only hides shares that end with a '$'. By default Windows gives
>> access only to administrators (by default), but they are by no means
>> hidden.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>


Re: [Samba] Problems with SID

2010-06-04 Thread Rob Townley
On Fri, Jun 4, 2010 at 10:10 AM, Gerard Hooton  wrote:
> Can anyone help me with this, I am badly stuck on this?
>
> //Ger
>
>
> --
> Gerard Hooton.
> Department of Microelectronic Engineering U.C.C.
> Butler Building,
> Enterprise Centre,
> North Mall.
> Cork.
>
> Tel: +353 21 4904576
> Fax: +353 21 4904573
> http://www.ue.ucc.ie/
>
>
> -Original Message-
> From: Gerard Hooton 
> Reply-to: g.hoo...@ucc.ie
> To: samba@lists.samba.org
> Subject: Problems with SID
> Date: Fri, 04 Jun 2010 12:35:49 +0100
> Mailer: Evolution 2.28.3
>
> Hello All,
>
> Problem
> ==
> /var/log/samba/log.smbd has the following
>
> smbd version 3.2.5 started.
>  Copyright Andrew Tridgell and the Samba Team 1992-2008
> [2010/06/04 12:22:41,  1]
> passdb/pdb_interface.c:pdb_default_uid_to_rid(1228)
>  Could not peek rid out of sid
> S-1-5-21-1025115222-3498510805-2498371278-1000


From what i understand, the rid in this case is 1000 (Administrator
level account).   Domain Controllers should have the same SID as your
SCOIL sid, but this is clearly different.  So maybe the mapping from
userids in winbind is messed up?


>
> More info:
> ===
> net getlocalsid yields :-
> SID for domain SCOIL is: S-1-5-21-399018149-2014173726-3152914669
>
> In the LDAP DB I have :-
> sambaDomainName=BBNS,ou=domains,dc=bbns,dc=ie
>        sambaSID=S-1-5-21-399018149-2014173726-3152914669
>
> I am using Debian 5
>
> Any help to debug this is welcome
>
> //Ger
>
>

You should read the thread in the last couple of weeks on messed up
uid/gid/rid mappings in this thread from May 21:
[Samba] Moving to another idmap backend
http://lists-archives.org/samba/53183-moving-to-another-idmap-backend.html


Does the client happen to be Win7?   Mark Russinovich of SysInternals,
now Microsoft does not see the need for SIDs and was pushing for them
to be removed, but i doubt that has happened yet.


http://msdn.microsoft.com/en-us/library/aa379649%28VS.85%29.aspx
SECURITY_NT_NON_UNIQUE  S-1-5-21  SIDS are not unique.

Mark Russinovich on sids
http://blogs.technet.com/b/markrussinovich/archive/2009/11/03/3291024.aspx
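
The reply's observation that the SID in the log does not share the domain part reported by net getlocalsid can be checked mechanically. The following is an added example, not code from the thread or from Samba: it splits account SIDs into domain part and RID and lists the SIDs in a log that fall outside the local domain. The function names and the second log line are constructed; the SID values are the ones quoted in the thread.

```python
import re

# Revision-1 string SID: S-1-<authority>-<1 to 15 sub-authorities>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")

# Values quoted in the thread.
LOG_SID = "S-1-5-21-1025115222-3498510805-2498371278-1000"
LOCAL_DOMAIN_SID = "S-1-5-21-399018149-2014173726-3152914669"

# First line is the log.smbd message from the thread; the second line is
# constructed to show an account that does belong to the local domain.
SAMPLE_LOG = (
    "Could not peek rid out of sid " + LOG_SID + "\n"
    "constructed: lookup ok for sid " + LOCAL_DOMAIN_SID + "-1001\n"
)


def parse_sid(text):
    """Return (authority, [sub-authorities]) or raise ValueError."""
    match = SID_RE.match(text.strip())
    if not match:
        raise ValueError("not a revision-1 SID: %r" % text)
    subs = [int(part) for part in match.group(2).split("-")[1:]]
    if any(sub > 0xFFFFFFFF for sub in subs):
        raise ValueError("sub-authority exceeds 32 bits: %r" % text)
    return int(match.group(1)), subs


def split_domain_rid(sid):
    """Split S-1-5-21-a-b-c-RID into (domain SID string, RID)."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not an account SID under S-1-5-21: %r" % sid)
    domain = "S-1-5-21-" + "-".join(str(sub) for sub in subs[1:4])
    return domain, subs[4]


def rid_in_domain(sid, domain_sid):
    """Return the RID if sid is domain_sid plus one RID, otherwise None."""
    domain, rid = split_domain_rid(sid)
    return rid if parse_sid(domain) == parse_sid(domain_sid) else None


def unix_id(sid):
    """Decode Samba's S-1-22-1-<uid> / S-1-22-2-<gid> SIDs, else None."""
    authority, subs = parse_sid(sid)
    if authority == 22 and len(subs) == 2 and subs[0] in (1, 2):
        return ("uid" if subs[0] == 1 else "gid"), subs[1]
    return None


def foreign_sids(log_text, domain_sid):
    """List account SIDs in log_text whose domain part is not domain_sid."""
    found = []
    for sid in re.findall(r"S-1-5-21(?:-\d+){4}", log_text):
        if rid_in_domain(sid, domain_sid) is None and sid not in found:
            found.append(sid)
    return found


if __name__ == "__main__":
    for sid in foreign_sids(SAMPLE_LOG, LOCAL_DOMAIN_SID):
        domain, rid = split_domain_rid(sid)
        print("%s: rid %d, domain %s is not %s"
              % (sid, rid, domain, LOCAL_DOMAIN_SID))
```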


Re: [Samba] smbclient -k works; mount -t cifs does not

2010-05-04 Thread Rob Townley
On Tue, May 4, 2010 at 1:01 PM, Jeff Layton  wrote:
> On Mon, 03 May 2010 23:25:13 -0400
> Mike Leone  wrote:
>
>> I am confused (nothing new there ...). I have 2 Ubuntu 9.10 Samba
>> servers. I am trying to mount a share from the other (i.e., "workhorse"
>> is trying to mount a share on "dual-booter"). If I specify a smbmount
>> command with a -k option, I can mount the share:
>>
>> tur...@workhorse:~$ klist
>> Ticket cache: FILE:/tmp/krb5cc_1000
>> Default principal: tur...@dacrib.local
>>
>> Valid starting     Expires            Service principal
>> 05/03/10 18:55:31  05/04/10 04:55:31  krbtgt/dacrib.lo...@dacrib.local
>>       renew until 05/09/10 22:56:03
>> 05/03/10 23:07:07  05/04/10 04:55:31
>> cifs/dual-booter.dacrib.lo...@dacrib.local
>>       renew until 05/09/10 22:56:03
>>
>>
>> tur...@workhorse:~$ smbclient //dual-booter/TestShare /mnt -k
>> Domain=[DACRIB] OS=[Unix] Server=[Samba 3.4.0]
>> smb: \> ls
>>   .                              D        0  Sat May  1 19:27:48 2010
>>   ..                             D        0  Mon May  3 19:58:00 2010
>>   TestFile                                0  Sat May  1 19:27:48 2010
>>
>>               37555 blocks of size 524288. 22379 blocks available
>>
>> However, I can't seem to mount it using mount -t cifs:
>>
>> $ sudo mount -t cifs //dual-booter/TestShare /mnt -o username=DACRIB+turgon
>> [sudo] password for turgon:
>> Password:
>> mount error(13): Permission denied
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>> What I'd like to do is to set this in /etc/fstab. But there seems to be
>> no way to use Kerberos to authenticate the mounting, and it's only
>> Kerberos (and smbmount) that seems to work. And using the "-o sec=krb5"
>> options on mount doesn't seem to work, either.
>>
>> $ sudo mount -t cifs //dual-booter/TestShare /mnt -o sec=krb5
>> mount error(2): No such file or directory
>> Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
>>
>
> Try using the FQDN of the server in the UNC. For instance:
>
>   //dual-booter.dacrib.local/TestShare
>
>> Anyone? I really don't want to have to make a script that uses smbmount
>> -k, running on login, rather than in /etc/fstab.
>>
>> Thanks
>
>
> --
> Jeff Layton 

First, i use Fedora / Centos.

mount.cifs is actually a different mailing list - linux-cifs-client
http://lists.samba.org/pipermail/linux-cifs-client

mount.cifs has had changes when it comes to setuid security issues.
You may have to do something special.

The files under /proc/fs/cifs/ are your best bet for debugging
mount.cifs. Verbosity can be turned up and extensions turned on.

i feel the pain.  There are at least 3 seemingly totally different
ways to mount a remote  samba filesystem and always have a hard time
remembering where to look for troubleshooting info.  Would have
thought a single open source core would have arrived but now it seems
more splintered than ever.

  1.) mount.cifs  -  intertwined with linux kernel -
linux-cifs-cli...@lists.samba.org
  2.) smbclient  - separated from kernel - samba@lists.samba.org
  3.) fuse-smb
  4.) gvfs-smb / gigolo / gvfs-fuse  - gtk.org
  5.) kde analogues to gvfs


Re: [Samba] Encryption

2010-04-17 Thread Rob Townley
On Sat, Apr 17, 2010 at 6:24 AM, Andrew Malton
 wrote:
> I want to (continue to) use Samba code to obtain data needed by my Linux
> client.  This is currently done by calls into Samba's libraries.
>  Unfortunately the resulting rpc traffic is unencrypted.  I think this has
> to do with the configuration of encryption mechanisms on both sides, but
> perhaps (since when talking to older Windows systems, e.g. Windows 2000)
> encryption (with NTLM SSP I suppose) is used.
>
> Does Samba always use encryption  when it can?  or are there mechanisms that
> Windows can now insist on that Samba cannot use?
>
> If the latter, is improved support for protocol encryption a future plan for
> Samba development?
>
> Thanks for any help (in the form of pointers to documentation if there are
> things I've missed).

Are you talking about calling mount -t cifs //samba/share /mnt/win ?
Are you talking about kerberos user login?

Linux kerberos can talk any of the encryption protocols, including
aes256.  Fact is, WinXP cannot do AES for this, but it can talk the
less secure RC4.

At a win2000 domain level, you can talk RC4 or DES which was broken in
1998 by the EFF.  A win2000 domain will offer DES as a kerberos option
but will tell winclients via Group Policy Objects to never use DES.

http://blogs.msdn.com/alextch/archive/tags/AD+Interop/default.aspx

Watch this video.
http://blogs.msdn.com/alextch/archive/2006/07/18/MITtoADRC4.aspx
Samba


Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-23 Thread Rob Townley
On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison  wrote:
> On Sat, Feb 13, 2010 at 01:35:12PM -0600, d...@briannassaladdressing.com 
> wrote:
>> Alex,
>>
>> I've been a victim of this since Day 1.  After a lot of reading and 
>> emailing, it comes down to this.  libkrb5-3 version 1.8x by default 
>> disallows DES encryption.  /etc/krb5.conf can be changed to allow weak 
>> encryption, but as it relates to Samba, is only effective in letting the 
>> system join the domain.  For its internal functioning, winbind uses an
>> autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has 
>> no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of 
>> libkrb5-3 in Debian, has taken over the responsibility of fixing that 
>> package, rather than the Samba maintainers doing a change there.  In the 
>> interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope 
>> this fix is soon coming.
>
> In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
> if this private krb5.conf file is created or not. Would it be helpful
> for this to be back ported to earlier versions ?
>
> Jeremy.

i do not want any weak encryption on my systems.

If "create krb5 conf = no" in smb.conf means that i can
specify RC4 and AES in /etc/krb5.conf and then winbind will honor and
not create a ghost krb5.conf.NETBIOSDOMAINNAME, i would greatly
appreciate it being backported.
Of course, i run CentOS 5 and that uses 3.0.33.  How far back is realistic?



Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-16 Thread Rob Townley
On Sat, Feb 13, 2010 at 1:35 PM,  wrote:

> Alex,
>
> I've been a victim of this since Day 1.  After a lot of reading and
> emailing, it comes down to this.  libkrb5-3 version 1.8x by default
> disallows DES encryption.  /etc/krb5.conf can be changed to allow weak
> encryption, but as it relates to Samba, is only effective in letting the
> system join the domain.  For its internal functioning, winbind uses an
> autogenerated krb5.conf that resides in /var/run/samba.  This krb5.conf has
> no knowledge of allow_weak_crypto=true.  Sam Hartman, the maintainer of
> libkrb5-3 in Debian, has taken over the responsibility of fixing that
> package, rather than the Samba maintainers doing a change there.  In the
> interim, winbind is broken with libkrb5-3 version 1.8x.  We can only hope
> this fix is soon coming.
>
> Dale
>
>
Instead of lowering the encryption level to something broken 12 years ago,
why not just remove DES from everywhere and replace with stronger encryption
types?

Microsoft is phasing out winbind for 2008, so i wonder what that means for
SaMBa winbind.  i would hope to use an all kerberos/ldap solution for
authentication in order to continue Linux ADS interoperability.

Does anyone have a winbind_krb5_locator.so file?  All i have on my system is
a docbook/manpage but no binary file.   If it was there, it seems like it
would use /etc/krb5.conf instead of another.
http://samba.org/samba/docs/man/manpages-3/winbind_krb5_locator.7.html

Under Fedora, the referenced file winbind_krb5_locator.so is nonexistent.


Another poster emailed that they tried changing the krb5.conf manually on
Debian Squeeze
(edited /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I
restart winbind, the file is clobbered back to the original. I think this is
in conjunction with a bug from Kerberos where if DES is specified as a
supported type, even if something else better is specified, Kerberos refuses
to play.

Here is what 3.4.5 is showing:
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

It would be nice to have some sort of fix/workaround for this, it seems to
have blindsided us.

I just noticed Jeremy's post, yes it would be helpful to have a config
option to have all kerberos related options in /etc/krb5.conf and i wonder
if that is what the winbind_krb5_locator.so file is meant to do?




>
> -Original message-
> From: "Wilkinson, Alex" alex.wilkin...@dsto.defence.gov.au
> Date: Fri, 12 Feb 2010 21:54:26 -0600
> To: samba@lists.samba.org
> Subject: Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks
> support for encryption type [SEC=UNCLASSIFIED]
>
> > Anyone ?
> >
> >-Alex
> >
> > 0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
> >
> > >Hi all,
> > >
> > >According to this bug report:
> > >http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
> > >
> > >This particular error is actually a bug in the samba code.
> > >
> > >Does anyone know if there are patches that fix this ?
> > >
> > >Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve
> this for me :(
> > >
> > >Has anyone got a working solution for this ?
> > >
> > >   -Alex
> >


Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]

2010-02-12 Thread Rob Townley
On Fri, Feb 12, 2010 at 8:25 PM, Wilkinson, Alex <
alex.wilkin...@dsto.defence.gov.au> wrote:

> Anyone ?
>
>   -Alex
>
>0n Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:
>
>>Hi all,
>>
>>According to this bug report:
>>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
>>
>>This particular error is actually a bug in the samba code.
>>
>>Does anyone know if there are patches that fix this ?
>>
>>Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this
> for me :(
>>
>>Has anyone got a working solution for this ?
>>
>>   -Alex
>


DES was broken in 1998 by the eff.  Shouldn't be used but it often is in the
list of allowed encryption types.  Won't go into the conspiracy theory now.


The short answer would probably be to delete any reference to DES and
probably DES3 encryption types in all krb5.conf* files on your machine.  i
use RedHat derivatives, but i bet this is the same problem.  Do a find for
all krb5.conf* as it may not be in the same location on debian.

cat /var/cache/samba/smb_krb5/krb5.conf.*
and i bet you will find DES encryption accepted.

You think it would be from /etc/krb5.conf, but no it isn't as evidenced by:
*  Arnaud Lesauvage* arnaud.listes at
codata.eu.
among others.
  http://lists.samba.org/archive/samba/2009-March/146858.html

Change the file /var/lib/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME
  Add either rc4-hmac or arcfour-hmac
  Replace any reference to DES-CBC-CRC encryption with
aes128-cts-hmac-sha1-96.
  Or at the very least, put the AES types further up the list.

 default_tgs_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
 default_tkt_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96
 preferred_enctypes = RC4-HMAC aes128-cts-hmac-sha1-96
aes256-cts-hmac-sha1-96

After restarting, check that
/var/cache/samba/smb_krb5/krb5.conf.YOURNETBIOSNAME does not have any DES
remnants.

Very good annotated reference on encryption and hashing:

http://www.gnu.org/software/shishi/manual/html_node/Cryptographic-Overview.html

Decent references on what is encryption type 17 in the domain controller
event log:
  https://blogs.msdn.com/alextch/archive/2006/07/18/etypes.aspx
  http://www.ietf.org/rfc/rfc3961.txt
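
The check described in this message (look through every krb5.conf* for DES remnants) and the Samba 3.4.5 listing quoted in the 2010-02-16 message can be run as one audit. The following is an added example, not code from the thread or from Samba: it parses the enctype lists, flags DES entries, `allow_weak_crypto` being switched on, and lists where AES is absent or not first. The function names, the `permitted_enctypes` key, the boolean spellings and the third sample are assumptions; the paths and the first two samples come from the thread.

```python
import glob
import re

# The first three keys appear in the listings above; permitted_enctypes is
# the other MIT krb5 [libdefaults] enctype list (added as an assumption).
ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes",
                "preferred_enctypes", "permitted_enctypes")

# Locations named in the thread for the system file and Samba's copies.
DEFAULT_GLOBS = ("/etc/krb5.conf*",
                 "/var/cache/samba/smb_krb5/krb5.conf.*",
                 "/var/lib/samba/smb_krb5/krb5.conf.*",
                 "/var/run/samba/smb_krb5/krb5.conf.*")

# Spellings treated as "true" for allow_weak_crypto (assumption).
TRUE_WORDS = {"true", "yes", "y", "t", "1", "on"}

# Listing quoted in the thread for Samba 3.4.5.
SAMPLE_SAMBA_345 = "\n".join(
    "%s = RC4-HMAC DES-CBC-CRC DES-CBC-MD5" % key for key in ENCTYPE_KEYS[:3])
# Replacement suggested in the thread, with the e-mail line wraps joined.
SAMPLE_SUGGESTED = "\n".join(
    "%s = RC4-HMAC aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96" % key
    for key in ENCTYPE_KEYS[:3])
# Constructed sample: AES only, but weak crypto switched back on.
SAMPLE_CONSTRUCTED = "\n".join([
    "[libdefaults]",
    "; constructed sample",
    "allow_weak_crypto = true",
    "permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96",
])


def family(enctype):
    """Map an enctype name to a coarse family: des, des3, rc4, aes, other."""
    name = enctype.lower()
    if name.startswith("des3"):
        return "des3"
    if name.startswith("des"):
        return "des"
    if name.startswith(("rc4", "arcfour")):
        return "rc4"
    if name.startswith("aes"):
        return "aes"
    return "other"


def audit_text(text):
    """Return (line_number, setting, problem) tuples for one krb5.conf body."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comment lines and section headers / braces.
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key == "allow_weak_crypto":
            if value.lower() in TRUE_WORDS:
                findings.append((lineno, key, "weak enctypes explicitly allowed"))
            continue
        if key not in ENCTYPE_KEYS:
            continue
        names = [name for name in re.split(r"[\s,]+", value) if name]
        families = [family(name) for name in names]
        des = [name for name, fam in zip(names, families) if fam == "des"]
        if des:
            findings.append((lineno, key, "DES listed: " + " ".join(des)))
        if "aes" not in families:
            findings.append((lineno, key, "no AES enctype listed"))
        elif families.index("aes") > 0:
            findings.append((lineno, key, "AES is not first in preference order"))
    return findings


def audit_files(patterns=DEFAULT_GLOBS):
    """Audit every file matching the globs; unreadable files are reported."""
    report = {}
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    report[path] = audit_text(handle.read())
            except OSError as exc:
                report[path] = [(0, "file", "unreadable: %s" % exc.strerror)]
    return report


if __name__ == "__main__":
    for path, findings in audit_files().items():
        for lineno, key, problem in findings:
            print("%s:%d: %s: %s" % (path, lineno, key, problem))
```

Because winbind regenerates its private copy on restart, as reported in the thread, the audit is worth re-running after every restart rather than only after editing.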


Re: [Samba] tree connect failed: NT_STATUS_BAD_NETWORK_NAME

2009-12-28 Thread Rob Townley
On Mon, Dec 28, 2009 at 4:03 AM, Michael Adam  wrote:
> Hi Dominic,
>
> Dominic Gamble wrote:
>> Hi,
>>
>> I can't get access to any shares when running "smbclient //DUCK/test -U
>> Dominic". I'm getting the message:
>> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>>
>> I'm pretty sure it's authenticating properly as it says "session setup ok"
>> in the debug output. If I enter the wrong password I get:
>> "session setup failed: NT_STATUS_LOGON_FAILURE"
>
> This is correct.

Starting from a fresh boot up, try to use the /test share first, does it work?
Does /tmp then fail?
If so, look under /var/cache/samba/

i don't remember exactly what i came across the
NT_STATUS_BAD_NETWORK_NAME error on CentOS 5.4 and what i did to fix
it, but do remember it wasn't what i expected.

>
>> I'm running CentOS 5.4 with the following samba packages
>>
>> samba-common-3.0.33-3.15.el5_4.1
>> samba-3.0.33-3.15.el5_4.1
>> samba-swat-3.0.33-3.15.el5_4.1
>> samba-client-3.0.33-3.15.el5_4.1
>>
>> My samba setup uses LDAP for authentication. All logging seems to indicate
>> that authentication and LDAP is working well.
>>
>> My /etc/samba/smb.conf was generated with SWAT and has the following shares:
>>
>> [tmp]
>>         comment = temporary files
>>         path = /tmp
>>         hosts allow =
>>         hosts deny =
>>
>> [test]
>>         comment = test files
>>         path = /test
>>         hosts allow =
>>         hosts deny =
>>
>>
>> Both shares contain a file called myfile.txt.
>>
>> When I connect to the "tmp" share, I don't get the "tree connect failed:
>> NT_STATUS_BAD_NETWORK_NAME", but I can't list any files:
>>
>> [r...@duck cache]# smbclient //DUCK/tmp -U dominic
>> Password:
>> Domain=[ORANDA] OS=[Unix] Server=[Samba 3.0.33-3.15.el5_4.1]
>> smb: \> ls
>>   .                                   D        0  Mon Dec 28 04:02:13 2009
>>   ..                                  D        0  Sun Dec 27 21:16:53 2009
>>
>>                 36224 blocks of size 8388608. 34082 blocks available
>> smb: \>
>>
>> When I connect to the "test" share I get the "tree connect failed:
>> NT_STATUS_BAD_NETWORK_NAME":
>> [r...@duck cache]# smbclient //DUCK/test -U dominic
>> Password:
>> Domain=[ORANDA] OS=[Unix] Server=[Samba 3.0.33-3.15.el5_4.1]
>> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
>>
>> The permissions on the /tmp and /test folders are the same:
>>
>> drwxrwxrwt 2 root root 4096 Dec 27 21:35 test
>> drwxrwxrwt 4 root root 4096 Dec 28 04:02 tmp
>>
>> There are no complex acls on them either:
>>
>> [r...@duck /]# getfacl tmp
>> # file: tmp
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> other::rwx
>>
>> [r...@duck /]# getfacl test
>> # file: test
>> # owner: root
>> # group: root
>> user::rwx
>> group::rwx
>> other::rwx
>>
>> I've tried getting more debug info by setting log levels to 10 in both
>> smb.conf and using the -d10 parameter on the command line, but it gives me
>> nothing useful in the logs or in the output.
>>
>> I've been through 'The Samba Checklist'
>> (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html)
>> and had no other problems.
>>
>> Here is the rest of my smb.conf:
>>
>> [global]
>>         workgroup = ORANDA
>>         server string = Duck
>>         passdb backend = ldapsam:ldap://localhost/
>>         pam password change = Yes
>>         passwd program = /usr/sbin/smbldap-passwd %u
>>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *all*authentication*tokens*updated*
>>         unix password sync = Yes
>>         log level = 10
>>         log file = /var/log/samba/log.%m
>>         load printers = No
>>         printcap name = /dev/null
>>         disable spoolss = Yes
>>         add user script = /usr/sbin/smbldap-useradd -m "%u"
>>         delete user script = /usr/sbin/smbldap-userdel "%u"
>>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>         delete group script = /usr/sbin/smbldap-groupdel "%g"
>>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>         delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
>> "%g"
>>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>         logon script = login.cmd
>>         logon path = \\%N\profiles\%U
>>         logon drive = H:
>>         domain logons = Yes
>>         os level = 127
>>         wins support = Yes
>>         ldap admin dn = cn=admin,dc=oranda,dc=internal
>>         ldap delete dn = Yes
>>         ldap group suffix = ou=Group
>>         ldap idmap suffix = ou=Idmap
>>         ldap machine suffix = ou=Computers
>>         ldap passwd sync = Yes
>>         ldap suffix = dc=oranda,dc=internal
>>         ldap user suffix = ou=People
>>         panic action = /usr/share/samba/panic-action %d
>>         admin users = dominic
>>         hosts allow = 192.168.10., 127.
>>         hosts deny = ALL
>>         printing = bsd
>>       

Re: [Samba] dns lookups for SRV kerberos

2009-12-15 Thread Rob Townley
On Thu, Dec 10, 2009 at 9:21 AM,   wrote:
> Hi,
>
>
> I have raised this question on the kerberos mailing list, but have been told 
> that Samba has its own behavior regarding SRV lookups.
>
> My configuration uses the following :
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  EXAMPLE.DOM = {
>  kdc = 10.0.0.1:88
>  kdc = 10.0.0.2:88
>  admin_server = 10.0.0.1:749
>  default_domain = example.dom
>  }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (We don't have these records in the DNS
> system) :
>
> ASREQ ->
>  <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
>  <- no such name
> ASREQ ->
>  <- AS REP OK
> DNS SRV _kerberos-master ->
>  <- no such name
> TGSREQ ->
>  <- TGSREP
> DNS SRV _kerberos-master ->
>  <- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have explicitly configured :
> A) dns_lookups to false
> B) numerical IP addresses for the KDC's
> I would expect dns lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed, that would need to enforce dns lookups even if configured not to ?
> Or maybe I have misconfigured krb5.conf ? It seems that Samba would not look
> into this file.
> Can it be configured elsewhere ?
> Same behaviour with numerical IP addresses for "password server"
>
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DC's, which
> are KDC's as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary KDC
> and the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, DNS Timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Has anyone an explanation ?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
>
>
> Regards,
>
> Andrew
>
>
>
>

Interesting.  Does the samba generated cached version of krb5.conf
have dns records?  This is an altogether different file than
/etc/krb5.conf.

On my CentOS 5.4 box, samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

In my experience, some of these samba generated cached entries can be
altogether different than /etc/krb5.conf !


Re: [Samba] kerberos configuration in samba

2009-12-15 Thread Rob Townley
On Tue, Dec 15, 2009 at 4:48 AM, Rajesh Ghanekar wrote:
> Hi All,
>  I am using samba-3.2.11-0.1.145 in my setup. I have multiple domain
> controllers for a domain. I am confused on do I need to edit /etc/krb5.conf
> or not. I am using MIT kerberos (krb5-1.4.3-19.34) on SLES10.
>
> Here is what I got from Samba HOWTO:
>
> 1. Adding entries in /etc/krb5.conf for "kdc =", "admin server =" and
> "password server =" is only necessary if SRV records are not there in DNS
> server. If SRV records are there, no need to configure /etc/krb5.conf.
>
> 2. /etc/samba/smb.conf should contain the list of domain controllers in
> "password server =" line (space separated) or can contain *, which will get
> the list from DNS SRV records.
>
> 3. If SRV records are not present (maybe I migrated my DNS server to linux
> box), then I need to manually enter "kdc =", etc, lines in /etc/krb5.conf.

Why not put the SRV records into your own Linux DNS?

>
> 4. I can have multiple "kdc = " entries in /etc/krb5.conf, if I need to
> manually configure /etc/krb5.conf, but only single "admin server =" and
> "password server =" line.
> How does this /etc/krb5.conf entry for admin server and password server
> become HA if the machine specified in admin server and password server goes
> down?
>
> Any help appreciated.
>
> Thanks,
> Rajesh
>


[Samba] samba caching a broken krb5.conf.NETBIOSDOMAINNAME

2009-12-14 Thread Rob Townley
i am in a mixed win2000 and win2003 R1 ActiveDirectory environment.
Have always had ntlmv2 server and client required.  LM and NTLM have
always been rejected.  That is how it has been for 10 years.

Mounting from CentOS 5 to the windows servers has not been an issue
for years.  However, using ADS credentials for Linux workstation
logons has always been an issue.  If using ADS credentials to logon to
a Linux workstation worked once, it would stop working for no apparent
reason very quickly.  The problem seems to be that samba kerberos
wants to revert to using very old encryption technology that is
probably on par with plain LM.

How can i force samba to use and _KEEP_USING_ the better security
enctypes?  i am no expert, but you don't have to be an expert to know
that aes is better than des-cbc-crc .   des was broken in 1998, why is
samba kerberos trying to use it?  Win 95 LM uses DES -- look at
lmHash() documented at http://davenport.sourceforge.net/ntlm.html.

We have been using our CentOS clients to mount with ntlmv2i so why
would attempts at joining the ADS domain fail with "stronger
authentication required"?
mount -t cifs //ADScontroller/share /mnt/ntlmv2iprotected --verbose -o username=u...@dnsdomainname.com,sec=ntlmv2i

Success with "kinit ad...@dnsdomainname.com"

But then "net -d 10 ads join -U ad...@dnsdomainname.com" would fail
with "stronger authentication required."   I am wondering why stronger
auth would be needed by ADS when i am already mounting a file share on
the ADS domain controller using ntlmv2i?

The answer is in "klist -e" and
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME:
  default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

Deleted the samba cache and added the following to /etc/krb5.conf and
it worked once to join the domain and logon a CentOS box with ADS
credentials.
i could even map a drive letter from our Win2003 box to the CentOS
share using ADS credentials.
  default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

The samba cached krb5.conf.NETBIOSDOMAINNAME would come back populated
with weak and incompatible encryption types while /etc/krb5.conf would
still have decent enctypes.  Then my account is locked out in ADS.

So how can i permanently force samba to use the better enctypes?
Disable it from ever using weak encryption such as DES?   Triple DES
des3-hmac-sha1 would be ok.
How does one find the exact enctypes ADS will accept?  There must be a
command or ldap location but i had many problems finding it.




The following are all previously documented problems related to this.
Symptoms left here for when others search.

kinit succeeded but ads_sasl_spnego_krb5_bind failed

[Samba] winbind and smb tries to auth as pdc$ rather than local name
when using ADS
http://lists.samba.org/archive/samba/2009-October/150849.html

From a debug level 10 using smbclient,
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
tree connect failed: NT_STATUS_ACCESS_DENIED

CentOS 5
samba-common 3.0.33-3.15.el5_4

A HPUX guy reverted his net binary to an older version.

Sorry for the long post, but blogger is giving me some issues and i
will need this as reference material.
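The two posts above point at the same check: compare Samba's cached krb5.conf.NETBIOSDOMAINNAME with /etc/krb5.conf and see which enctypes each one offers. The following is an added example, not part of the original posts and not Samba code; the function names are hypothetical, and the sample text is constructed from the enctype lines quoted in the post with an assumed [libdefaults] header.

```python
import re

# Single-DES enctype names as MIT krb5 spells them; "des" is the family alias.
WEAK = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEY = re.compile(r"(default_tgs|default_tkt|permitted|preferred)_enctypes")

# Constructed samples: enctype lines copied from the post, wrapped in an
# assumed [libdefaults] header. Real files also carry realm settings.
CACHED = """[libdefaults]
  default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
  preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""
SYSTEM = """[libdefaults]
  default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
  permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
"""

def enctype_settings(text):
    """Return {setting: [enctype, ...]} from the [libdefaults] section."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if ENCTYPE_KEY.fullmatch(key):
                found[key] = [n for n in re.split(r"[\s,]+", value) if n]
    return found

def audit(text):
    """Per setting: (first-listed enctype, single-DES names present, AES offered?)."""
    return {k: (v[0] if v else None, [n for n in v if n in WEAK],
                any(n.startswith("aes") for n in v))
            for k, v in enctype_settings(text).items()}

def drift(system_text, cached_text):
    """Settings present in both files whose enctype lists differ."""
    system, cached = enctype_settings(system_text), enctype_settings(cached_text)
    return sorted(k for k in system.keys() & cached.keys() if system[k] != cached[k])

if __name__ == "__main__":
    print("cached:", audit(CACHED), "\nsystem:", audit(SYSTEM))
    print("differs from /etc/krb5.conf:", drift(SYSTEM, CACHED))
```

On these samples the cached copy offers no AES at all, and the /etc/krb5.conf lines from the post still list the two single-DES enctypes at the end, so both files are reported.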