[Samba] Failover

2013-10-13 Thread Robert Gurdon
Hi guys,


I have a domain with Samba 4.0.5 domain controllers and also a failover
DRBD shared disk, where the "active" DC controls the access to the disk.
DOMAINC01 - 10.48.16.150
DOMAINC02 - 10.48.16.151
DOMAINCHA - 10.48.16.155 << this would be the failover IP, which works
perfectly on Windows XP clients.
I can see the shares, just like on DOMAINC01 or DOMAINC02 and if the users
have the proper credentials they can write, open etc.
But when I try to do the same on a Windows 7 client I simply get an error
message " You dont have the proper rights to open the directory"
I guess because of the DOMAINCHA "virtual" controller is not in the AC, but
shall I add a computer to the AC so my win7 clients could open the
available shares?

Thanks,

Robert
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Failover

2013-10-07 Thread Robert Gurdon


On 2013-10-07 21:11, Andrew Bartlett wrote:

> On Mon, 2013-10-07 at 15:36 +0200, Sandbox wrote:
>
>> Hi guys,
>>
>> I have a domain with Samba 4.0.5 domain controllers and also a failover
>> DRBD shared disk, where the "active" DC controls the access to the disk.
>> DOMAINC01 - 10.48.16.150
>> DOMAINC02 - 10.48.16.151
>> DOMAINCHA - 10.48.16.155 << this would be the failover IP, which works
>> perfectly on Windows XP clients.
>> I can see the shares, just like on DOMAINC01 or DOMAINC02 and if the users
>> have the proper credentials they can write, open etc.
>> But when I try to do the same on a Windows 7 client I simply get an error
>> message " You dont have the proper rights to open the directory"
>> I guess because of the DOMAINCHA "virtual" controller is not in the AC, but
>> shall I add a computer to the AC so my win7 clients could open the
>> available shares?
>
> Please don't use DRBD with Samba as an AD DC.  You don't need it (you
> should have two DRS replicating DCs).  The reason I am so strongly
> against this is that I had to work very hard to recover a corrupt
> database at such a site.  We suspect that barriers were either not
> enabled or not passed down to the OS in this case, followed by an
> unexpected loss of power.  The corrupt database was then perfectly
> mirrored to the DRBD clone, resulting in two corrupt mirrors.  DRS
> replication likely would have detected the corruption (because the
> database would not have been valid) and failed the replica, saving the
> data.
>
> Andrew Bartlett


Hi,

You misunderstood me, I don't use DRBD as database storage (only for 
users' documents and stuff); my servers' databases are sitting in their 
"private" place :)


--
Kind regards:

Robert




[Samba] setting permissions for unix users on samba shares

2013-09-24 Thread Robert Watson
I'm trying to grant permissions for linux system users (apache, mysql...) to
have permissions on samba shares. I've established domain users permissions
while logged in as the domain admin and thought the SYSTEM account would
cover these types of users but apparently not.
Is there a built in linux group that maps to a windows domain group or do I
have to establish this manually?


[Samba] Bind9 AD SDLZ driver failed to load

2013-09-14 Thread Robert Millott
 9 are
11-Sep-2013 11:29:11.243 available at https://www.isc.org/support
11-Sep-2013 11:29:11.243

11-Sep-2013 11:29:11.243 adjusted limit on open files from 4096 to 1048576
11-Sep-2013 11:29:11.243 found 2 CPUs, using 2 worker threads
11-Sep-2013 11:29:11.243 using 2 UDP listeners per interface
11-Sep-2013 11:29:11.243 using up to 4096 sockets
11-Sep-2013 11:29:11.244 Registering DLZ_dlopen driver
11-Sep-2013 11:29:11.244 Registering SDLZ driver 'dlopen'
11-Sep-2013 11:29:11.244 Registering DLZ driver 'dlopen'
11-Sep-2013 11:29:11.245 decrement_reference: delete from rbt:
0x7f916c147068 .
11-Sep-2013 11:29:11.252 loading configuration from '/etc/bind/named.conf'
11-Sep-2013 11:29:11.252 reading built-in trusted keys from file
'/etc/bind/bind.keys'
11-Sep-2013 11:29:11.252 set maximum stack size to 18446744073709551615:
success
11-Sep-2013 11:29:11.252 set maximum data size to 18446744073709551615:
success
11-Sep-2013 11:29:11.252 set maximum core size to 18446744073709551615:
success
11-Sep-2013 11:29:11.253 set maximum open files to 18446744073709551615:
success
11-Sep-2013 11:29:11.253 using default UDP/IPv4 port range: [1024, 65535]
11-Sep-2013 11:29:11.253 using default UDP/IPv6 port range: [1024, 65535]
11-Sep-2013 11:29:11.255 listening on IPv4 interface lo, 127.0.0.1#53
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: create
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: createclients
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: get client
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: create new
11-Sep-2013 11:29:11.255 clientmgr @0x7f916c16b010: clientmctx
11-Sep-2013 11:29:11.255 client @0x7f9160091b30: create
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: get client
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: create new
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b010: clientmctx
11-Sep-2013 11:29:11.256 client @0x7f916009fd40: create
11-Sep-2013 11:29:11.256 binding TCP socket: address in use
11-Sep-2013 11:29:11.256 listening on IPv4 interface eth0,
192.168.217.144#53
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: create
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: createclients
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: get client
11-Sep-2013 11:29:11.256 clientmgr @0x7f916c16b458: create new
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: clientmctx
11-Sep-2013 11:29:11.257 client @0x7f91600af020: create
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: get client
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: create new
11-Sep-2013 11:29:11.257 clientmgr @0x7f916c16b458: clientmctx
11-Sep-2013 11:29:11.257 client @0x7f91600bd230: create
11-Sep-2013 11:29:11.257 binding TCP socket: address in use
11-Sep-2013 11:29:11.258 generating session key for dynamic DNS
11-Sep-2013 11:29:11.258 sizing zone task pool based on 5 zones
11-Sep-2013 11:29:11.259 decrement_reference: delete from rbt:
0x7f916c147850 .
11-Sep-2013 11:29:11.259 Loading 'AD DNS Zone' using driver dlopen
11-Sep-2013 11:29:11.259 Loading SDLZ driver.
11-Sep-2013 11:29:11.277 dlz_dlopen of 'AD DNS Zone' failed
11-Sep-2013 11:29:11.278 SDLZ driver failed to load.
11-Sep-2013 11:29:11.278 DLZ driver failed to load.
11-Sep-2013 11:29:11.278 client @0x7f9160091b30: udprecv
11-Sep-2013 11:29:11.278 client @0x7f916009fd40: udprecv
11-Sep-2013 11:29:11.278 client @0x7f91600af020: udprecv
11-Sep-2013 11:29:11.279 client @0x7f91600bd230: udprecv
11-Sep-2013 11:29:11.279 zone_shutdown: zone 0.in-addr.arpa/IN: shutting
down
11-Sep-2013 11:29:11.279 zone_shutdown: zone 127.in-addr.arpa/IN: shutting
down
11-Sep-2013 11:29:11.279 zone_shutdown: zone 255.in-addr.arpa/IN: shutting
down
11-Sep-2013 11:29:11.279 zone_shutdown: zone localhost/IN: shutting down
11-Sep-2013 11:29:11.279 calling free_rbtdb(.)
11-Sep-2013 11:29:11.279 done free_rbtdb(.)
11-Sep-2013 11:29:11.279 load_configuration: out of memory
11-Sep-2013 11:29:11.279 loading configuration: out of memory
11-Sep-2013 11:29:11.279 exiting (due to fatal error)
-- 
Robert Millott
President, Millott and Associates
(443) 255-3588


[Samba] samba4 upgradeprovision

2013-09-13 Thread Robert Watson
I have the latest samba4 4.2 git running on centos6.4 but when I originally
provisioned it I didn't include the --use-rfc2307 for AD posix attributes.
I'd like to map certain AD users to unix users so should I do a samba-tool
upgradeprovision --use-rfc2307 to add this option?


[Samba] Win 7 slow browsing issue to SAMBA share

2013-08-11 Thread Robert Guerero
Hi Team,

Is there a workaround to fix this slow browsing issue to samba share?

We have a ver 3 samba on a solaris box and two users upgraded to win7 from xp 
and now they have issues with slow browsing to their samba home dirs.

Robert


[Samba] Local login

2013-07-20 Thread Robert Gurdon

Hi,

I tested my failover yesterday and a strange problem came up.
While my dc01 was down I could not login on dc02 with any of my local 
accounts.

After dc01 was online again, login was OK.

My nsswitch.conf is a "regular" file:

passwd: compat winbind
group:  compat winbind
shadow: compat

As I read about nsswitch, with this config it should try to authenticate 
the user from the local files, passwd, group etc and, if that search 
isn't successful, go on to search in winbind.
It looks like it can't find the users in the local files and tries to search in 
winbind, but that doesn't have the local accounts' information either.


Shall I change compat to files? Since I don't use +- for NIS database in 
passwd and group files.


--
Kind regards:

    Robert





Re: [Samba] Shares on failover IP

2013-07-19 Thread Robert Gurdon

Hi,

Does anyone have any thoughts on why I could not access the shares on the failover IP?

Robert

On 2013-07-18 14:46, Sandbox wrote:

> Hi,
>
> I have a failover configuration.
>
> The domain controller's IP: 10.23.14.150 as dc01
> The failover IP is: 10.23.14.155 as dcha
>
> I added an A and a CNAME record to the dns for the failover IP.
>
> It is working, I can see the shares, but I could not enter any
> share as user; as Administrator it works.
> I tried to add the interface variable (I am not sure this is available
> in samba4), but that didn't help.
>
> Thanks, Robert


--
Kind regards:

    Robert





Re: [Samba] What great things can a non-windows user do with Samba

2013-07-11 Thread Robert Heller
At Thu, 11 Jul 2013 11:52:49 -0400 Steve Litt  wrote:

> 
> Hi all,
> 
> I ask this question about once a decade.
> 
> I have about 7 computers, all Linux or BSD. Are there any cool things I
> can do with Samba, even though I have no Windows computers?

Not really.  Samba is just a tool to deal with pesky mess-windows machines.  
On a pure UNIX (Linux, BSD, Solaris, AIX, etc.) LAN, Samba is about as useful 
as Air Conditioners in Antarctica in the middle of the Antarctic winter.

> 
> Thanks,
> 
> SteveT
> 
> Steve Litt*  http://www.troubleshooters.com/
> Troubleshooting Training  *  Human Performance

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments


 


Re: [Samba] smb.conf sync

2013-06-26 Thread Robert Gurdon

Hi,

I already have a clustered config between my servers' data partitions; is 
it possible to move my tdb files there and tell samba those tdb files 
are there?

Does this meet the requirements of the ctdb solution?
I think I can try to synchronise my sysvol directory this 
way, since the users and IDs should be identical.


What do you think about this?

Regards, Robert


On 2013-05-29 14:21, Andrew Bartlett wrote:

> On Wed, 2013-05-29 at 14:14 +0200, Michael Wood wrote:
>
>> Hi Andrew
>>
>> On 29 May 2013 03:19, Andrew Bartlett wrote:
>>
>>> On Tue, 2013-05-28 at 12:45 +0200, Sandbox wrote:
>>>
>>>> I solved the shared data problem with heartbeat+drbd combo so that should
>>>> not be a problem. TDB files data should be synchronized between my domain
>>>> members or am I wrong?
>>>
>>> Please synchronise TDB files except by using real CTDB (which
>>> doesn't provide an AD DC).  I spent much of a week trying to reconstruct
>>> a database lost this way.
>>
>> I assume you mean "Please DO NOT synchronise TDB file except by using
>> real CTDB."
>
> Indeed.  The only other way to safely access a tdb from 'under' a
> running process is via tdbbackup.  I know that the tdb should eventually
> end up the same if every change is replicated, and it was probably the
> lack of barriers in the FS that caused the pain I saw, but direct block
> replication doesn't do any checks, while tdbbackup and (better) DRS
> replication will fail and show errors if the DB is corrupt, rather than
> forward the corruption on to the 'backup'.
>
> Andrew Bartlett



--
Kind regards:

Robert




[Samba] pdbedit error

2013-06-20 Thread Robert Steinmetz AIA

Samba Version 3.6.3 on Ubuntu 12.04 tdbsam back end.

I discovered a couple of accounts we created before the Domain was 
configured. One was an account named "administrator" intended to be the 
Samba Administrator account. In order to change the domain I ran this 
command


# pdbedit -I "DOMAINNAME" -U username

it worked on a number of accounts when I tried it on administrator I get the

# pdbedit -I "DOMAINNAME" -u administrator
Unable to modify TDB passwd: NT_STATUS_UNSUCCESSFUL!
Unable to modify entry!

# pdbedit -v -u administrator gives the following output

Unix username:administrator
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-1504512832-3249319461-1142831928-500
Primary Group SID:S-1-5-21-1504512832-3249319461-1142831928-513
Full Name:Samba Administrator,,,
Home Directory:   \\hamlet\administrator
HomeDir Drive:U
Logon Script:
Profile Path:deleted for privacy
Domain:   HAMLET
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  never
Kickoff time: never
Password last set:Fri, 30 Dec 2005 17:29:27 CST
Password can change:  Fri, 30 Dec 2005 17:29:27 CST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

I don't see anything here that looks out of place but I don't know what 
it all means.


--
rob steinmetz


Re: [Samba] netlogon & homes with Samba4 DC

2013-06-01 Thread Robert Gurdon

Hi,

1) Windows 7 logs should say something about your netlogon script.

2) I think you have to create the home directories via RSAT or make a 
pam script and login with the newly created user.
I would suggest the second option, since as I discovered when you 
make your home directories with RSAT you will have getfacl and winbind 
problems. Well, if you try to use getfacl on a RSAT made directory 
samba's winbind part dies.


On 2013-06-01 22:38, spamv...@googlemail.com wrote:

> hi all,
>
> I've set up Samba4 as DC on Ubuntu Server LTS and have two problems right now:
>
> 1) netlogon
>
> smb.conf
> [netlogon]
>  path = /usr/local/samba/var/locks/sysvol/asta-wh.de/scripts
>  read only = No
>
> I can access the folder and execute the script as user, but it does not get
> executed automatically
>
> I've added to [netlogon]
>  preexec = echo %u is in %G >> /tmp/netlogon
>
> to see if netlogon is executed, and it's not.
> Client PC is a newly installed Windows 7 Pro.
> And I've added \\SMB4SRV\netlogon\userf00.bat via M$ AD Tools to the User.
> Roaming Profiles are also enabled and working.
>
> 2) homes
>
> smb.conf
> [homes]
>  comment = Home Directories
>  path = /home/HOME/%S
>  valid users = %S
>  read only = No
>  browseable = Yes
>
> Home directories are not created.
>
> I'm happy with every hint in the right direction
>
> Hans


--
Kind regards:

    Robert



[Samba] SID problem Re: Moving a computer from a down domain to a new domain

2013-04-12 Thread Robert Moskowitz
OK, this is a SID problem.  I built a new XP system, installed SP3 then 
tried to use the wizard to connect to the domain:


cat homebase-dectop1
[2013/04/12 16:21:44.899424,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/12 16:21:44.899608,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[root@homebase samba]# cat homebase-dectop1
[2013/04/12 16:21:44.899424,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/12 16:21:44.899608,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/12 16:23:30.110032,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/12 16:23:30.110200,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


How do you figure out a SID problem and fix it?  This was a clean Samba 
install.



On 04/11/2013 08:39 PM, Robert Moskowitz wrote:
I had been running a samba server, the AMAHI F12 distro, that has 
samba 3.4.9.  It ran well enough, but I was planning on replacing it 
with ClearOS.  Well Monday night I lost my server hard drive, so now it 
is crunch time to update/upgrade.


I think I have ClearOS configured properly, it is running samba 3.6.10 
(Redhat 6.4 based).  So far I have tried to add two of my XP systems 
to the new domain.  The process I have been using (and what I did 4 
years ago when I moved them from a REAL NT domain to the samba domain) 
was to first login locally as administrator and using System 
Properties > Computer Name >Domain Change to move the computer to a 
workgroup called SELF.  I then reboot and use the same dialog to join 
the new domain, HOME.  The old domain was HDA, but a prior domain was 
also HOME.  This fails and in the samba logs I see:


[2013/04/11 20:22:29.563127,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:01.504397,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)
[2013/04/11 20:26:01.504589,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:44.676638,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)
[2013/04/11 20:26:44.676804,  0] 
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


rgm is a user on the system that has admin priv, and a user on the 
samba server that is in the domain_admin group.


What is with the SID problem?  How do I clean this up?






[Samba] Moving a computer from a down domain to a new domain

2013-04-11 Thread Robert Moskowitz
I had been running a samba server, the AMAHI F12 distro, that has samba 
3.4.9.  It ran well enough, but I was planning on replacing it with 
ClearOS.  Well Monday night I lost my server hard drive, so now it is 
crunch time to update/upgrade.


I think I have ClearOS configured properly, it is running samba 3.6.10 
(Redhat 6.4 based).  So far I have tried to add two of my XP systems to 
the new domain.  The process I have been using (and what I did 4 years 
ago when I moved them from a REAL NT domain to the samba domain) was to 
first login locally as administrator and using System Properties > 
Computer Name >Domain Change to move the computer to a workgroup called 
SELF.  I then reboot and use the same dialog to join the new domain, 
HOME.  The old domain was HDA, but a prior domain was also HOME.  This 
fails and in the samba logs I see:


[2013/04/11 20:22:29.563127,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:01.504397,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/11 20:26:01.504589,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'

[2013/04/11 20:26:44.676638,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain 
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the 
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for 
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/11 20:26:44.676804,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_UNSUCCESSFUL'


rgm is a user on the system that has admin priv, and a user on the samba 
server that is in the domain_admin group.


What is with the SID problem?  How do I clean this up?
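
The log excerpts in this thread pair a level-1 `samu_to_SamInfo3` entry naming the two SIDs with a level-0 `check_sam_security` failure. As an added example (not part of the original posts, function names are hypothetical), this Python sketch parses log text in that format and reports per account which domain prefix the primary group SID carries compared with the current domain SID; the sample is constructed from the 2013/04/12 entries quoted in the thread.

```python
import re

# Constructed sample: the 2013/04/12 entries from the post, kept with the
# mail client's line wrapping (the last header is split across two lines).
SAMPLE_LOG = """\
[2013/04/12 16:21:44.899424,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for
rgm(S-1-5-21-4240919292-2417995422-4236335894-1000)

[2013/04/12 16:21:44.899608,  0] auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'

[2013/04/12 16:23:30.110032,  1] auth/server_info.c:386(samu_to_SamInfo3)
  The primary group domain
sid(S-1-5-21-3360932306-476405-2840157550-513) does not match the
domain sid(S-1-5-21-4240919292-2417995422-4236335894) for
winadmin(S-1-5-21-4240919292-2417995422-4236335894-302)

[2013/04/12 16:23:30.110200,  0]
auth/check_samsec.c:491(check_sam_security)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
"""

# "[date time, level] source" header that starts every log record.
HEADER_RE = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s+(\S+)")
# Body of the mismatch message once wrapped lines have been joined.
MISMATCH_RE = re.compile(
    r"primary group domain sid\((?P<group_sid>S-[\d-]+)\) does not match "
    r"the domain sid\((?P<domain_sid>S-[\d-]+)\) "
    r"for (?P<user>[^\s(]+)\((?P<user_sid>S-[\d-]+)\)")


def parse_records(log_text):
    """Split a log into records, undoing line wrapping first."""
    flat = " ".join(log_text.split())
    heads = list(HEADER_RE.finditer(flat))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(flat)
        records.append({
            "time": head.group(1),
            "level": int(head.group(2)),
            "source": head.group(3),
            "message": flat[head.end():end].strip(),
        })
    return records


def split_sid(sid):
    """Split a SID into its domain part and its trailing RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def find_sid_mismatches(log_text):
    """Summarise primary-group SID mismatches per account."""
    findings = {}
    records = parse_records(log_text)
    for i, rec in enumerate(records):
        m = MISMATCH_RE.search(rec["message"])
        if not m:
            continue
        group_domain, group_rid = split_sid(m["group_sid"])
        user_domain, user_rid = split_sid(m["user_sid"])
        entry = findings.setdefault(m["user"], {
            "user_rid": user_rid,
            "domain_sid": m["domain_sid"],
            "user_in_domain": user_domain == m["domain_sid"],
            "group_domain": group_domain,
            "group_rid": group_rid,
            "occurrences": 0,
            "auth_failures": 0,
        })
        entry["occurrences"] += 1
        # In the post's log the rejected logon follows as the next record.
        nxt = records[i + 1] if i + 1 < len(records) else None
        if (nxt and "check_sam_security" in nxt["source"]
                and "NT_STATUS_UNSUCCESSFUL" in nxt["message"]):
            entry["auth_failures"] += 1
    return findings


if __name__ == "__main__":
    for user, f in find_sid_mismatches(SAMPLE_LOG).items():
        print(f"{user}: primary group RID {f['group_rid']} sits under "
              f"{f['group_domain']}, domain SID is {f['domain_sid']} "
              f"({f['occurrences']} seen, {f['auth_failures']} failed logons)")
```

On the sample, both accounts have a user SID under the current domain SID while their primary group SID (RID 513) still carries a different domain prefix.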




Re: [Samba] Making users local administrators

2013-03-21 Thread Robert Schetterer
On 21.03.2013 16:39, Terry Austin wrote:
> There is no good reason to have users logging in daily as Administrator 
> anymore

However it's not a good idea, it's wide practice that road warrior users
are local admins on their laptops, which must not mean they are working
as such ever, but they have the chance to fix stuff if their support is far away.

For sure there are tons of "workflows" around this, but in the end it's
a security policy decision, which may be handled differently elsewhere.


Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court (Amtsgericht) München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich


Re: [Samba] PROPOSAL: Remove SWAT in Samba 4.1

2013-02-20 Thread Robert Schetterer
On 18.02.2013 01:02, Andrew Bartlett wrote:
> As most of you would have noticed, we have now had 3 CVE-nominated
> security issues for SWAT in the past couple of years.
> 
> At the same time, while I know many of our users use SWAT, we just don't
> have anybody to maintain it inside the Samba Team.  Kai has made a
> valiant effort to at least apply the XSS and CSRF guidelines when folks
> make security reports, but by his own admission he isn't a web developer
> - none of us are!
> 
> There are many other parts of Samba that have not been substantially
> maintained in years, but few have the level of security exposure that
> SWAT does (most are bits of library and utility code that we apply
> elsewhere, but which just quietly does its own job). 
> 
> The issue isn't that we can't write secure code, but that writing secure
> Web code where we can't trust the authenticated actions of our user's
> browser is a very different model to writing secure system code.
> Frankly it just isn't our area.
> 
> Therefore, it was suggested on a private list that we just drop SWAT.  I
> want to start a public discussion on that point, prompted by
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700729 which reminds us
> why we didn't apply the specific CSRF hardening we applied in 4.0.2 to
> SWAT in the first place.
> 
> Thanks,
> 
> Andrew Bartlett
> 

Hi Andrew, I am not up to date with the current
samba module in webmin, but however, what about removing swat
and helping the webmin people with coding stuff there, so samba people
don't need to care about the webmin framework security, only i.e. helping
to integrate new or changed parameters in the samba webmin module.



Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, District Court (Amtsgericht) München: HRB 199263
Executive board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Joerg Heidrich


[Samba] Samba 4 - Logging data entry as LDIF?

2013-01-17 Thread Robert Moggach
Without knowing the process by which data is added to the directory,
is there any logging output that shows LDIF data as entries are added?
... Or is the LDIF component more of a
translation layer? I've been scripting some tools to more easily
automate some of the Linux things I need but I invariably corrupt my
test directory on a daily basis. I'd like to be able to add entries on
Windows and see the logging on Linux so I can more easily reconcile
where I'm making mistakes. I have a hunch it's something to do with
primary Group ID or gidNumber or uidNumber in combination with a
missing posixAccount or msSFU30NisDomain attribute.

Sent from my iPhone


Re: [Samba] DHCP & Dynamic DNS

2013-01-14 Thread Robert Moggach
+1 for posting your howto

Sent from my iPhone.

On 2013-01-14, at 8:36 AM, Rowland Penny  wrote:

> On 14/01/13 13:00, Benedict White wrote:
>> I have followed the Wiki here 
>> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>> On setting up Samba 4 as a DC in its own realm. So far so good and all looks 
>> to be working well.
>>
>> What this document seems to be missing is a "how to" on DHCP dynamically 
>> updating Samba 4's
>> Integrated DNS server (which is the one I am using).
>>
>> Does anyone know of a how to on this?
>
> Hi, I could not get DHCP to update the internal DNS server, but the same 
> dhcpd.conf and bash script updates Bind9 perfectly, so if you are interested, 
> I could probably write you a Samba 4/Bind9/DHCP howto.
>
> Rowland
>
>>
>> PS:
>>
>> So far, very well done to the Samba 4 team, looks very good.
>>
>> Kindest regards,
>>
>> Benedict White
>
>


[Samba] DNS updates working Windows only

2013-01-12 Thread Robert Moggach
I'm using BIND9_FLATFILE and able to join windows machines and have DNS
updates working but Linux machines join with DNS update errors. Is there
additional configuration necessary on Linux for the machines' NICs to be
seen as valid?

-- 
Sent from Gmail Mobile


Re: [Samba] Samba 4 "Services for UNIX"? [SOLVED]

2013-01-09 Thread Robert Moggach
OK. So I now no longer 'CORRUPT' my database. Thanks to Andrew for pointing
this out as it didn't seem to have caused problems until I tried to edit
attributes.

The following is my latest attempt. Given the errors I was getting were all
related to an invalid rdn I moved to change to a schema that was a little
more generic and uses OU and CN instead. In hindsight it was the missing
rdnAttId that was probably causing this error so you can probably try
adding that to the previous schema definition instead. Not sure what's
ideal.

The following schema and corresponding data load without issue using the
documented ldbmodify command...

It's now 3 ldif files... one for the attribute, one for the automountMap
class, one for the automount class. It wouldn't do it for me otherwise as
it needed to see the preceding attribute or class before being added.

Split these into three separate files...

01_autofs_attr.ldif

dn: CN=automountInformation,CN=Schema,CN=Configuration,
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.25
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Information used by the autofs automounter
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

02_autofs_map.ldif

dn: CN=automountMap,CN=Schema,CN=Configuration,
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.2312.4.2.2
rdnAttId: ou
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: ou
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: organizationalUnit

03_autofs_mount.ldif

dn: CN=automount,CN=Schema,CN=Configuration,
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.1.13
rdnAttId: cn
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
mustContain: cn
mustContain: automountInformation
mayContain: description
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,
defaultSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
defaultHidingValue: TRUE
systemOnly: FALSE
systemPossSuperiors: automountMap


Add them as documented in the wiki

ldbmodify -H /usr/local/samba/private/sam.ldb /root/01_autofs_attr.ldif
...etc...etc...etc

Modify the actual data accordingly to remove automountKey and
automountMapName attributes and change as needed.
These work for me and I can edit them without issue.



On Wed, Jan 9, 2013 at 7:50 PM, Robert Moggach  wrote:

>  To get the automount schema to work with the git checkout of samba 4 I
> had to modify the automount schema files and separate the attributes from
> the classes. I also discovered that it's required to have the
> ntSecurityDescriptor, instanceType, and objectCategory attributes. Without
> these it will crash whenever you try to browse... I did a lot of stopping
> samba, tarring of /usr/local/samba and untarring to finally get here...
>
> Here's the ldif for the automount attributes I used:
>
> dn: CN=automountMapName,CN=Schema,CN=Configuration,
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.31
> cn: automountMapName
> name: automountMapName
> lDAPDisplayName: automountMapName
> description: automount Map Name
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
> dn: CN=automountKey,CN=Schema,CN=Configuration,
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.32
> cn: automountKey
> name: automountKey
> lDAPDisplayName: automountKey
> description: Automount Key value
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
> dn: CN=automountInformation,CN=Schema,CN=Configuration,
> objectClass: top
> objectClass: attributeSchema
> attributeID: 1.3.6.1.1.1.1.33
> cn: automountInformation
> name: automountInformation
> lDAPDisplayName: automountInformation
> description: Automount information
> attributeSyntax: 2.5.5.5
> oMSyntax: 22
> isSingleValued: TRUE
> systemOnly: FALSE
>
>  Here's the ldif for the automount classes:
>
> dn: CN=automountMap,CN=Schema,CN=Configuration,
> objectClass: top
> objectClass: classSchema
> governsID: 1.3.6.1.1.1.2.16
> cn: automountMap
> name: automountMap
> lDAPDisplayName: automountMap
> subClassOf: top
> objectClassCategory: 1
> mustContain: automountMapName
> mayContain: description
> mustContain: instanceType
> mustContain: ntSecurityDescriptor
> mustContain: objectCategory
>

Re: [Samba] Samba 4 "Services for UNIX"? [SOLVED]

2013-01-09 Thread Robert Moggach
To get the automount schema to work with the git checkout of samba 4 I had
to modify the automount schema files and separate the attributes from the
classes. I also discovered that it's required to have the
ntSecurityDescriptor, instanceType, and objectCategory attributes. Without
these it will crash whenever you try to browse... I did a lot of stopping
samba, tarring of /usr/local/samba and untarring to finally get here...

Here's the ldif for the automount attributes I used:

dn: CN=automountMapName,CN=Schema,CN=Configuration,
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.31
cn: automountMapName
name: automountMapName
lDAPDisplayName: automountMapName
description: automount Map Name
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountKey,CN=Schema,CN=Configuration,
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.32
cn: automountKey
name: automountKey
lDAPDisplayName: automountKey
description: Automount Key value
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

dn: CN=automountInformation,CN=Schema,CN=Configuration,
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.1.1.1.33
cn: automountInformation
name: automountInformation
lDAPDisplayName: automountInformation
description: Automount information
attributeSyntax: 2.5.5.5
oMSyntax: 22
isSingleValued: TRUE
systemOnly: FALSE

 Here's the ldif for the automount classes:

dn: CN=automountMap,CN=Schema,CN=Configuration,
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.16
cn: automountMap
name: automountMap
lDAPDisplayName: automountMap
subClassOf: top
objectClassCategory: 1
mustContain: automountMapName
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,
defaultHidingValue: TRUE
systemOnly: FALSE

dn: CN=automount,CN=Schema,CN=Configuration,
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.1.1.2.17
cn: automount
name: automount
lDAPDisplayName: automount
subClassOf: top
objectClassCategory: 1
description: Automount information
mustContain: automountKey
mustContain: automountInformation
mayContain: description
mustContain: instanceType
mustContain: ntSecurityDescriptor
mustContain: objectCategory
defaultObjectCategory: CN=automount,CN=Schema,CN=Configuration,
defaultHidingValue: TRUE
systemOnly: FALSE

 These were added to the directory using the following commands:

ldbmodify -H /usr/local/samba/private/sam.ldb \
  /root/SAMBA4/automount/01_attr.ldif \
  --option="dsdb:schema update allowed"=true
ldbmodify -H /usr/local/samba/private/sam.ldb \
  /root/SAMBA4/automount/02_class.ldif \
  --option="dsdb:schema update allowed"=true

 Now here's what I did for the actual records. First I created a new OU
tree called Automounts and then three OU's beneath that for Mac, Linux,
Homeless. Mac uses auto_master and linux uses auto.master but I prefer to
have them in separate branches.

Here's a sample record:

dn: automountMapName=auto_master,OU=Mac,OU=Automounts,
objectClass: automountMap
objectClass: top
automountMapName: auto_master
description: Mac OS X Master Autofs map
ntSecurityDescriptor:O:BAG:SYD:(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)
ObjectCategory: CN=automountMap,CN=Schema,CN=Configuration,
instanceType: 4


These couldn't be added with the above string so instead I used the
following:

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=.ldb \
  -U administrator 03_smb_maps.ldif

 To understand the ntSecurityDescriptor attribute I had to learn all about
SDDL syntax and then by trial and error realize I needed to use hex format.
The following links were invaluable.

http://www.netid.washington.edu/documentation/domains/sddl.aspx
http://networkadminkb.com/KB/a152/how-to-read-a-sddl-string.aspx
http://www.windowsitpro.com/article/security/defining-an-ad-object-s-default-security-descriptor

 Further... this little python snippet helped me remember how to add hex


#!/usr/bin/python3

# Generic rights (not used in the sums below)
GA = 0x10000000
GR = 0x80000000
GW = 0x40000000
GX = 0x20000000
# Standard rights
RC = 0x20000
SD = 0x10000
WD = 0x40000
WO = 0x80000
# Directory object rights
RP = 0x0010
WP = 0x0020
CC = 0x0001
DC = 0x0002
LC = 0x0004
SW = 0x0008
LO = 0x0080
DT = 0x0040
CR = 0x0100

# Each right is a distinct bit, so adding them gives the combined mask.
PERMS = {
    'All Perms ': RC+SD+WD+WO+RP+WP+CC+DC+LC+SW+LO+DT+CR,  # 0xf01ff
    'Read Only ': RP+LC+LO+RC,                              # 0x20094
}

for key, value in PERMS.items():
    print(key, value, hex(value))


I hope this helps others to avoid frustration.

Rob




On Wed, Jan 9
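
The descriptor string used in the LDIF in the post above, decoded: this is an added example, not part of the original post. It parses the SDDL string into owner, group and ACEs and lists which trustees are granted rights that modify the object. The alias table and the choice of which rights count as "modifying" are assumptions of this example.

```python
import re

# SDDL two-letter rights and their access-mask bits for directory objects.
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Assumption of this example: rights that let a trustee change the object,
# its children, its DACL or its owner.
MODIFYING = ("CC", "DC", "SW", "WP", "DT", "SD", "WD", "WO", "GA", "GW")
MODIFY_MASK = 0
for _token in MODIFYING:
    MODIFY_MASK |= RIGHTS[_token]

# A few well-known SID aliases that appear in SDDL trustee fields.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "Local System",
            "AU": "Authenticated Users", "DA": "Domain Admins",
            "WD": "Everyone", "AN": "Anonymous"}

# O:<owner> G:<group> D:<flags>(ace)(ace)... ; a SACL (S:) is accepted, not parsed.
SDDL_RE = re.compile(
    r"^(?:O:(?P<owner>[^:()]+?))?"
    r"(?:G:(?P<group>[^:()]+?))?"
    r"(?:D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?"
    r"(?:S:.*)?$")


def decode_rights(field):
    """Return the access mask for an ACE rights field (hex or letter pairs)."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        token = field[i:i + 2]
        if token not in RIGHTS:
            raise ValueError("unknown right %r" % token)
        mask |= RIGHTS[token]
    return mask


def right_names(mask):
    """List the SDDL tokens whose bit is set in mask, lowest bit first."""
    ordered = sorted(RIGHTS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if mask & bit]


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and a list of DACL ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("not a recognisable SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("dacl") or ""):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("ACE needs 6 fields: (%s)" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        aces.append({"type": ace_type, "flags": flags,
                     "mask": decode_rights(rights), "trustee": trustee})
    return {"owner": m.group("owner"), "group": m.group("group"), "aces": aces}


def modifying_grants(sddl):
    """Return (trustee, rights) for allow ACEs that grant a modifying right."""
    grants = []
    for ace in parse_sddl(sddl)["aces"]:
        granted = ace["mask"] & MODIFY_MASK
        if ace["type"] in ("A", "OA") and granted:
            name = TRUSTEES.get(ace["trustee"], ace["trustee"])
            grants.append((name, right_names(granted)))
    return grants


# The descriptor string from the LDIF in the post above.
SAMPLE = ("O:BAG:SYD:"
          "(A;;0xf01ff;;;S-1-5-21-1698313198-1485347608-3860200556-500)"
          "(A;;0xf01ff;;;SY)(A;;0x20094;;;AU)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE)
    print("owner:", sd["owner"], "group:", sd["group"])
    for ace in sd["aces"]:
        print(ace["type"], ace["trustee"], hex(ace["mask"]),
              right_names(ace["mask"]))
    print("modifying grants:", modifying_grants(SAMPLE))
```
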

Re: [Samba] Samba 4 "Services for UNIX"?

2013-01-09 Thread Robert Moggach
I have a little more information about the issues I'm having:

When I try to create automountMap or automount objects in the directory
using Apache Directory Studio it fails because I need to add the following
attributes:

instanceType
ntSecurityDescriptor
objectCategory

Can someone enlighten me on the correct value for these attributes?

thanks,

Rob


On Tue, Jan 8, 2013 at 6:43 PM, Robert Moggach  wrote:

> I've solved getting the schema into the directory... and I thought I
> populated my automount maps...
> but the directory is unbrowseable -
>
> Getting closer... I keep getting the following error:
>
> *acl_read: cannot get descriptor of automountMap... etc. etc.*
>
>
> Steps I took...
> 1) I had changed the Default-First-Site-Name to something more appropriate
> and changing that back seemed like a good place to start even though fsmo
> was showing me as the SchemaMaster -
>
> 2) At this point I was able to get the schema loaded... almost... ldapadd
> didn't like attributes and class in the same ldif... and then I had to
> restart samba to add the class file... ugh... use ldbmodify! I edited the
> automount.ldif schema file to be two files - one for the attributes and a
> second for the classes
>
> I added the schema using the following two commands:
>
> ldbmodify -H /usr/local/samba/private/sam.ldb \
>   /root/SAMBA4/automount/autofs_attr.ldif \
>   --option="dsdb:schema update allowed"=true
>
> ldbmodify -H /usr/local/samba/private/sam.ldb \
>   /root/SAMBA4/automount/autofs_class.ldif \
>   --option="dsdb:schema update allowed"=true
>
> 4) I then tried to add the automount records with ldbmodify with no luck
> ...
> ldbmodify -H /usr/local/samba/private/sam.ldb \
>   /root/SAMBA4/automount/03_autofs_maps.ldif
> ...
> Sorting rpmd with attid exception 3 rDN=CN
> DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
> ERR: (Naming violation) "objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for
> objectclass 'automountMap'!" on DN
> automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at
> block before line 41
> Modify failed after processing 5 records
>
> Weird... solved that by doing the following, but now i have all kinds of
> acl_read errors
>
> ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb \
>   03_autofs_maps.ldif
>
> ldapsearch gives me the following:
>
> result: 1 Operations errorsearch: 5
> result: 1 Operations error
> text: acl_read: cannot get descriptor of automountMapName=...
>
> weird? how do I add acls?
>
> The following shows the whole directory as expected... but I need ldap to
> work for autofs!
>
> ldbsearch -H /usr/local/samba/private/sam.ldb
>
> So can someone tell me how to get acls added for my objects?
>
>
>
>
> Samba version: 4.1.0pre1-GIT-94f11e9
> Build environment:
>Build host:  Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec
> 19 07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>
>
>
>
>


[Samba] Help with 'samba-tool dsacl set ...'

2013-01-08 Thread Robert Moggach
I've tried setting default object permissions for the automountMap and
automount objects when they're added to my schema but I'm still getting acl
errors. I would assume that the 'samba-tool dsacl set' command could help
me but I have no clue where to start with syntax and I looked at the python
to see if I could find it but to no avail.

From using MMC on the windows side I assume I need the following
permissions...

Authenticated Users: View
SYSTEM: Full
Domain Admins: Full

so without knowing how...

samba-tool dsacl set -URL=ldap://sambaserver.mydomain \
--action=allow \
--objectdn='automountMapName=auto.master,DC=MYDOMAIN' \
--trusteedn='CN=Administrator,CN=Users,DC=MYDOMAIN' \
-U Administrator \
--sddl=

probably miles away...


Re: [Samba] Samba 4 "Services for UNIX"?

2013-01-08 Thread Robert Moggach
I've solved getting the schema into the directory... and I thought I
populated my automount maps...
but the directory is unbrowseable -

Getting closer... I keep getting the following error:

*acl_read: cannot get descriptor of automountMap... etc. etc.*


Steps I took...
1) I had changed the Default-First-Site-Name to something more appropriate
and changing that back seemed like a good place to start even though fsmo
was showing me as the SchemaMaster -

2) At this point I was able to get the schema loaded... almost... ldapadd
didn't like attributes and class in the same ldif... and then I had to
restart samba to add the class file... ugh... use ldbmodify! I edited the
automount.ldif schema file to be two files - one for the attributes and a
second for the classes

I added the schema using the following two commands:

ldbmodify -H /usr/local/samba/private/sam.ldb \
  /root/SAMBA4/automount/autofs_attr.ldif \
  --option="dsdb:schema update allowed"=true

ldbmodify -H /usr/local/samba/private/sam.ldb \
  /root/SAMBA4/automount/autofs_class.ldif \
  --option="dsdb:schema update allowed"=true

4) I then tried to add the automount records with ldbmodify with no luck ...
ldbmodify -H /usr/local/samba/private/sam.ldb \
  /root/SAMBA4/automount/03_autofs_maps.ldif
...
Sorting rpmd with attid exception 3 rDN=CN
DN=CN=linux,CN=autofs,CN=Services,DC=MYDOMAIN
ERR: (Naming violation) "objectclass: Invalid RDN 'AUTOMOUNTMAPNAME' for
objectclass 'automountMap'!" on DN
automountMapName=auto_master,CN=mac,CN=autofs,CN=Services,DC=MYDOMAIN at
block before line 41
Modify failed after processing 5 records

Weird... solved that by doing the following, but now i have all kinds of
acl_read errors

ldbmodify -H /usr/local/samba/private/sam.ldb.d/DC\=MYDOMAIN.ldb \
  03_autofs_maps.ldif

ldapsearch gives me the following:

result: 1 Operations errorsearch: 5
result: 1 Operations error
text: acl_read: cannot get descriptor of automountMapName=...

weird? how do I add acls?

The following shows the whole directory as expected... but I need ldap to
work for autofs!

ldbsearch -H /usr/local/samba/private/sam.ldb

So can someone tell me how to get acls added for my objects?




Samba version: 4.1.0pre1-GIT-94f11e9
Build environment:
   Build host:  Linux crawford 2.6.32-279.19.1.el6.x86_64 #1 SMP Wed Dec 19
07:05:20 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux


Re: [Samba] Samba 4 "Services for UNIX"?

2013-01-08 Thread Robert Moggach
yes as far as I can tell I have the SchemaMasterRole

[root@crawford ~]# samba-tool fsmo show
InfrastructureMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
RidAllocationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
DomainNamingMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain
SchemaMasterRole owner: CN=NTDS Settings,CN=CRAWFORD,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=mydomain

When I try to seize I get the following:

[root@crawford ~]# samba-tool fsmo seize --role=all
Attempting transfer...
FSMO transfer of 'rid' role successful
ERROR: Failed to initiate role seize of 'rid' role: objectclass: modify
message must have elements/attributes!

[root@crawford ~]# samba-tool fsmo seize --role=schema
Attempting transfer...
FSMO transfer of 'schema' role successful
ERROR: Failed to initiate role seize of 'schema' role: objectclass: modify
message must have elements/attributes!


On Tue, Jan 8, 2013 at 3:07 PM, Gémes Géza  wrote:

> please check with samba-tool fsmo show, that the SchemaMasterRole is hold
> by the DC you are pointing your ldbmodify command (schema master role is
> one of the five roles which can be had on only one dc in a domain)
>
>>

Re: [Samba] Samba 4 "Services for UNIX"?

2013-01-08 Thread Robert Moggach
I've been back and forth with Andrew on this offlist and a few notes to
share.
I still don't have full success:

> *1) How to install the necessary schema etc for UNIX connectivity*

The part I was missing here, which isn't part of the howto, is that to get
Windows to see the UNIX attributes (Services for UNIX etc.) you need to
have an NIS domain.
When provisioning you need to add the following option:

--use-rfc2307

This will add records to create an NIS domain that the Windows side will
recognize, allowing you to change UIDs,GIDs etc. in the GUI.
It's all possible with ldbmodify but I wanted to get the GUI working.


> *2) How to install/manage UNIX friendly users, groups, etc.*
>

I found this site which was indispensable in getting back to a familiar
place.

http://linuxcostablanca.blogspot.ca/p/samba-4.html

There are a few places in his howto that I got caught on but in the end I
have multiple OSs authenticating against Samba AD DC.
It's for OpenSUSE but I had little issue translating for CentOS 6.x.


> *3) How to successfully add the automount schema (the wiki doesn't seem
> to work for me)*
>

This ISN'T working yet. :(
Regardless of how I've tried using ldapadd or ldbadd or ldbmodify I can't
get past the following error:

"schema_data_add: we are not master: reject request"

This is with "dsdb:schema update allowed = yes" used as an option on the
command line and also in the smb.conf, separately and together.


> *4) How to add automount maps*

This seems to be an easy task once the schema is added.
http://phaedrus77.blogspot.com.es/2010/04/samba4-ad-domain-controller-to-serve.html


So if anyone has some insight on the "we are not master" error I'd love it.
I'm only running one server so I'm not sure why it's not able to add the
records.

Rob


[Samba] Samba 4 "Services for UNIX"?

2013-01-07 Thread Robert Moggach
I have a working Samba 4.0.0 AD DC running and am able to manage users etc
using the Windows tools. Great.
Now I want to as much as possible eliminate the need for an additional
directory service (OpenLDAP and/or Open Directory) if not entirely. I need
automount working and Posix users. I believe it's possible to set this up
but haven't been able to find any solid documentation -
Can someone point me in the right direction?

Specifically I'm looking for:
1) How to install the necessary schema etc for UNIX connectivity
2) How to install/manage UNIX friendly users, groups, etc.
3) How to successfully add the automount schema (the wiki doesn't seem to
work for me)
4) How to add automount maps

Thanks!

Rob


Re: [Samba] Update A Compiled Version

2012-12-25 Thread Robert Heller
At Thu, 20 Dec 2012 11:20:40 -0700 Zane Zakraisek  wrote:

> 
> I'm pretty new to compiling software, although I would rather compile my
> own Samba 4.0.0 server rather than wait for it to become available in the
> repositories of my distribution. How do you update compiled software. Like
> if I compile and install Samba 4.0.0, and then 4.0.1 comes out, Is there a
> way to update to that without starting from scratch and having to rebuild
> my domain? Thanks

Most (all?) Linux distributions include a compiled version of Samba as
part of the distribution's software repository.  Check to see what your
distribution makes available.


-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments



  


[Samba] So no conversion from group_mapping.ldb to group_mapping.tdb?

2012-11-29 Thread Robert M. Martel - CSU

Greetings,

I recently upgraded an AD member server from Samba 3.5.15 to Samba 3.6.9 
and found that I had lost all the existing local group mappings.


I see that the group mapping file has gone from group_mapping.ldb to 
group_mapping.tdb.


I asked on this list as well as searching the web, Samba documentation 
(which still seems focused on version 3.5), and Samba Wiki and found 
nothing on a method to convert/migrate information stores in the 
group_mapping.ldb file to the new group_mapping.tdb - is that correct?


Because of the way Active Directory is managed at our site I store
dozens of local groups and their memberships in that file.


I found NOTHING in the Samba 3.6.x release notes warning me of the 
change to the group_mapping file.


Just wanted to confirm that there is no conversion utility that I missed 
and that I am on my own to migrate that information.


Thank you
Bob Martel


--
***
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


[Samba] Lost group mappings going from Samba 3.5 to Samba 3.6

2012-11-15 Thread Robert M. Martel - CSU

Greetings,

I recently upgraded an AD member server from Samba 3.5.15 to Samba 3.6.9 
and found that I had lost all the existing local group mappings.


I see that the group mapping file has gone from group_mapping.ldb to 
group_mapping.tdb.


Was there a conversion/upgrade procedure I should have found and used? 
Online documentation I can find says it is for the 3.5 series of samba, 
does updated documentation for 3.6 exist somewhere?


Does a group mapping migration procedure exist, or will I need to 
recreate it from scratch?  On this initial trial of Samba 3.6 only a few 
groups existed, on the larger production machines the story is different 
and recreating the groups and memberships will be a chore.


Thanks!
Bob Martel

--
***
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] Domain DFS on samba 4

2012-10-28 Thread Robert Schetterer
 shares must be in all lowercase.

In addition to regular network shares, you can use symbolic links of
this type to reference Dfs shares on other Dfs servers. However,
referencing printer shares does not work. Dfs is for sharing files only.
Load balancing

To set up a load-balancing Dfs share, create the symbolic link like this:

# ln -s 'msdfs:toltec\data,msdfs:mixtec\data' lb-data

That is, simply use a list of shares separated by commas as the
reference. Remember, it is up to you to make sure the shared folders
remain identical. Set up permissions on the servers to make the shares
read-only to users.

The last thing we need to do is to modify the smb.conf file to define
the Dfs root share and add Dfs support. The Dfs root is added as a share
definition:

[dfs]
path = /usr/local/samba/dfs
msdfs root = yes

You can use any name you like for the share. The path is set to the Dfs
root directory we just set up, and the parameter msdfs root = yes tells
Samba that this share is a Dfs root.

To enable support for Dfs in the server, we need to add one line to the
[global] section:

[global]
host msdfs = yes

Restart the Samba daemons—or just wait a minute for them to reread the
configuration file—and you will see the new share from Windows clients.
If you have trouble accessing any of the remote shares in the Dfs share,
recheck your symbolic links to make sure they were created correctly.


.

Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Aufsichtsratsvorsitzender: Joerg Heidrich


Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable

2012-10-23 Thread Robert M. Martel - CSU



On 10/22/2012 05:10 PM, Andrew Bartlett wrote:

On Mon, 2012-10-22 at 14:51 -0400, Robert M. Martel - CSU wrote:



[2012/10/22 14:23:07.353280,  0] libads/kerberos.c:333(ads_kinit_password)
kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients
credentials have been revoked
Join to domain is not valid: Access denied


The Active Directory admins are still saying that they have not changed
anything on their side.


It seems unlikely if you just re-joined, but in case we are talking
about multiple machines, could the password have been expired?


The problem existed for multiple machines.

After Brian Campbell's note I double-checked the clock-sync on the 
servers and found it to be okay.


The Active Directory (AD) admins that "did not change anything" finally 
reported having some vague problem with their domain server replication 
that only seem to affect *my* Samba servers (I may be the only person on 
campus running Samba servers that are members of the university's Active 
Directory system.)


There was some more hand waving, reports of trying to get some support 
out of Microsoft, and finally a mention that *someone* had been making 
some changes to AD config in preparation of moving from Lotus Notes 
Email to MS Exchange.


The AD admins then "did something else" and now the problem no longer 
exists.  I am still trying to get some real information as to what happened.


If I (ever) find out I will note it here.  I always hate seeing problem 
reports in Email archives that never talk about resolution.


Thank you!

At least I got my Samba versions less out of date.  Have to see if 
building 3.6 is as much of a pain on Solaris as 3.5 has been.




--
*******
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable

2012-10-22 Thread Robert M. Martel - CSU

Greetings,

More responding to my own thread - but no solution in sight.

Still having the problem with Samba 3.5.18.  New and different error 
message from net ads testjoin:


#webdevel#  net ads testjoin
[2012/10/22 14:23:07.317109,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients 
credentials have been revoked

[2012/10/22 14:23:07.353280,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password WEBDEVEL$@CSUNET.CSUOHIO.EDU failed: Clients 
credentials have been revoked

Join to domain is not valid: Access denied


The Active Directory admins are still saying that they have not changed 
anything on their side.




On 10/22/2012 11:48 AM, Robert M. Martel - CSU wrote:

Greetings,

something to add.

Had one of the Solaris 9 machines just stop working.  I stopped samba
and restarted it, found the following in smblog.smbd

[2012/10/22 11:37:00.299787,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid
credentials

I removed the machine from Active Directory and immediately re-added it
- I did NOT run kinit to get new credentials.  started Samba and the
machine works fine...for now.


On 10/22/2012 11:29 AM, Robert M. Martel - CSU wrote:

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc
servers (and 3.5.12 on Solaris 9 servers with the same issue)  set up as
Active Directory member servers.  Since we've laid-off everyone else
around here I have not had the opportunity to update the Samba
installation - and have not needed to as it has been very solid.

Suddenly last Friday the Samba servers started having authentication
problems for the active directory users.  Users were unable to map
drives, looking at files on the server I was seeing UID numbers rather
than the user's login ID for the files.  Stopping and restarting Samba
did not help.

I took the machines out of Active Directory, and then re-added them -
which they did without a problem.  After restarting Samba all was well,
for awhile.

This morning some folks that had left themselves logged in over the
weekend were okay, but others could not map their drives.  interactive
logins for AD users did not work.  I again left and rejoined the AD
domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or
configuration.  The central IT people claim that they have not made any
changes to the AD servers...but they don't always tell me the whole
truth.

I am building Samba 3.5.18 right now in the hope that it will make a
difference.

I've never had a problem like this since first "playing" with Samba and
Active directory more than 5 years ago - and certainly no issue like
this since putting it into production.




--
*******
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable

2012-10-22 Thread Robert M. Martel - CSU

Greetings,

something to add.

Had one of the Solaris 9 machines just stop working.  I stopped samba 
and restarted it, found the following in smblog.smbd


[2012/10/22 11:37:00.299787,  0] libads/sasl.c:823(ads_sasl_spnego_bind)
  kinit succeeded but ads_sasl_spnego_krb5_bind failed: Invalid credentials

I removed the machine from Active Directory and immediately re-added it 
- I did NOT run kinit to get new credentials.  started Samba and the 
machine works fine...for now.



On 10/22/2012 11:29 AM, Robert M. Martel - CSU wrote:

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc
servers (and 3.5.12 on Solaris 9 servers with the same issue)  set up as
Active Directory member servers.  Since we've laid-off everyone else
around here I have not had the opportunity to update the Samba
installation - and have not needed to as it has been very solid.

Suddenly last Friday the Samba servers started having authentication
problems for the active directory users.  Users were unable to map
drives, looking at files on the server I was seeing UID numbers rather
than the user's login ID for the files.  Stopping and restarting Samba
did not help.

I took the machines out of Active Directory, and then re-added them -
which they did without a problem.  After restarting Samba all was well,
for awhile.

This morning some folks that had left themselves logged in over the
weekend were okay, but others could not map their drives.  interactive
logins for AD users did not work.  I again left and rejoined the AD
domain and all was well for a bit, then I had to repeat the cycle.

I do not maintain or have access to the Active Directory servers or
configuration.  The central IT people claim that they have not made any
changes to the AD servers...but they don't always tell me the whole truth.

I am building Samba 3.5.18 right now in the hope that it will make a
difference.

I've never had a problem like this since first "playing" with Samba and
Active directory more than 5 years ago - and certainly no issue like
this since putting it into production.


--
*******
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


[Samba] Old, reliable samba 3.5 and Active directory suddenly not reliable

2012-10-22 Thread Robert M. Martel - CSU

Greetings,

I have an elderly installation of Samba 3.5.8 running on 10 Sparc 
servers (and 3.5.12 on Solaris 9 servers with the same issue)  set up as 
Active Directory member servers.  Since we've laid-off everyone else 
around here I have not had the opportunity to update the Samba 
installation - and have not needed to as it has been very solid.


Suddenly last Friday the Samba servers started having authentication 
problems for the active directory users.  Users were unable to map 
drives, looking at files on the server I was seeing UID numbers rather
than the user's login ID for the files.  Stopping and restarting Samba
did not help.


I took the machines out of Active Directory, and then re-added them -
which they did without a problem.  After restarting Samba all was well,
for awhile.


This morning some folks that had left themselves logged in over the
weekend were okay, but others could not map their drives.  interactive 
logins for AD users did not work.  I again left and rejoined the AD 
domain and all was well for a bit, then I had to repeat the cycle.


I do not maintain or have access to the Active Directory servers or 
configuration.  The central IT people claim that they have not made any 
changes to the AD servers...but they don't always tell me the whole truth.


I am building Samba 3.5.18 right now in the hope that it will make a 
difference.


I've never had a problem like this since first "playing" with Samba and 
Active directory more than 5 years ago - and certainly no issue like 
this since putting it into production.

--
*******
Robert M. Martel I met someone who looks a lot like you
System Administrator She does the things you do
Levin College of Urban Affairs   But she is an IBM
Cleveland State University   -Jeff Lynne
(216) 687-2214
r.mar...@csuohio.edu
***


Re: [Samba] Windows 7 Clients Slow/Unresponsive with some file types

2012-09-18 Thread Robert Adkins II

I have added the socket options of SO_RCVBUFF=65536 and SO_SNDBUFF=65536 and
while that has greatly increased file transfer speed, it's instantaneous to
transmit an 11mb file from the server to a Windows 7 desktop, there has been
no increase in performance for opening up that particular file from the
server.

Additionally, I should add that we also have other binary file types that
can be equally or significantly larger than the IGS files that open up
nearly as fast over the network as they do on the local system. These files
are the native format for the CAD System that we utilize. The files are not
plain text, like the IGES files are.



--

Regards,
Robert Adkins 
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> Sent: Tuesday, September 18, 2012 8:44 AM
> To: samba@lists.samba.org
> Subject: [Samba] Windows 7 Clients Slow/Unresponsive with 
> some file types
> 
> I am having some unresponsive and very slow performance with 
> a couple of different file types with Samba and Windows 7 clients.
>  
> The problems manifest in the following manners:
>  
> IGES files, these are CAD files. When opening up certain 
> IGES files from the server, the application can take upwards 
> of 10 minutes to open up the file. If I copy the same file 
> from the server to the desktop, the file will open up in a 
> few seconds. This is most noticeable with files in sizes over
> a few megabytes.
>  
> Quickbooks. Logging into the Quickbooks file can take 
> longer than normal, upwards of 30 seconds, instead of 5 or 
> fewer seconds. Once in, the application operates normally, 
> until a reconcile action is taken. What happens is that the 
> reconcile action goes through, but the application appears to 
> be processing the reconcile for an inordinate amount of time.
> This has been left sitting for upwards of 10 to 15 minutes 
> without returning control to the user. Killing the 
> application and then reopening and checking confirms that the 
> reconcile operation was successful. The file size for the
> Quickbooks file is over 200 megabytes in size.
>  
> I have a feeling that this is mostly an optimization 
> issue more than anything else.
>  
> Any suggestions or pointers towards rectifying this would 
> be most appreciated.
>  
> Thank you.
> 
> 
> 
> -- 
> 
> Regards,
> Robert
> 
> 
>  


[Samba] Windows 7 Clients Slow/Unresponsive with some file types

2012-09-18 Thread Robert Adkins II
I am having some unresponsive and very slow performance with a couple of
different file types with Samba and Windows 7 clients.
 
The problems manifest in the following manners:
 
IGES files, these are CAD files. When opening up certain IGES files from
the server, the application can take upwards of 10 minutes to open up the
file. If I copy the same file from the server to the desktop, the file will
open up in a few seconds. This is most noticeable with files in sizes over a
few megabytes.
 
Quickbooks. Logging into the Quickbooks file can take longer than
normal, upwards of 30 seconds, instead of 5 or fewer seconds. Once in, the
application operates normally, until a reconcile action is taken. What
happens is that the reconcile action goes through, but the application
appears to be processing the reconcile for an inordinate amount of time.
This has been left sitting for upwards of 10 to 15 minutes without returning
control to the user. Killing the application and then reopening and checking
confirms that the reconcile operation was successful. The file size for the
Quickbooks file is over 200 megabytes in size.
 
I have a feeling that this is mostly an optimization issue more than
anything else.
 
Any suggestions or pointers towards rectifying this would be most
appreciated.
 
Thank you.



-- 

Regards, 
Robert


 


Re: [Samba] Changed PDC IP, all hell broke lose

2012-09-06 Thread Robert Adkins II

Great to see!

--

Regards,
Robert Adkins 
 

> -Original Message-
> From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] 
> Sent: Thursday, September 06, 2012 9:45 AM
> To: Robert Adkins II
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Changed PDC IP, all hell broke lose
> 
> 
> I emailed the admins and they said they "removed the old IP address"
> from the WINS server and that seemed to fix things.
> 
> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> 
> 
> 
> On Thu, 6 Sep 2012 9:37am, Robert Adkins II wrote:
> 
> > I think you can/should have them remove the PDC from their 
> WINS entry 
> > on their end and then you can rejoin the network with the 
> new IP Address.
> >
> > Outside of that, I can only suggest looking into how to 
> send an update 
> > to a record on a WINS server from a Samba PDC. I'm unsure 
> if that is 
> > possible as I have only run a fully Windows or a Linux/Samba with 
> > Windows Clients as a network.
> >
> >
> > --
> >
> > Regards,
> > Robert Adkins
> >
> >
> >
> >> -Original Message-
> >> From: samba-boun...@lists.samba.org
> >> [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines
> >> Sent: Tuesday, September 04, 2012 2:24 PM
> >> To: samba@lists.samba.org
> >> Subject: Re: [Samba] Changed PDC IP, all hell broke lose
> >>
> >>
> >> It is definitely an issue with the WINS server which 
> returns the old 
> >> IP address
> >>
> >> # nmblookup -U 172.27.88.81 -R 'MRIRESEARCH#1b'
> >> querying MRIRESEARCH on 172.27.88.81
> >> 132.183.202.95 MRIRESEARCH<1b>
> >>
> >> SO it is not automatically picking up the IP change which 
> happened 4 
> >> days ago and I have restarted samba on my PDC several 
> times.  The old 
> >> IP is definitely not in /etc/hosts anymore or anywhere in 
> smb.conf.  
> >> It only shows up in gencache.tdb in the files /var/lib/samba even 
> >> though I keep deleting that file when I restart.
> >>
> >> WINS is a total mystery to me.  How is this supposed to work?
> >>
> >> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> >>
> >>
> >>
> >> On Tue, 4 Sep 2012 12:00pm, Paul Raines wrote:
> >>
> >>> I have no idea what the WINS server is except that I am sure it 
> >>> running on Windows since they are totally Windows-based
> >> organization.
> >>> So the WINS server is definitely the problem?  When I talk
> >> to them and
> >>> mention I am using Samba on Linux they may totally just say
> >> "we don't support it" and hang up.
> >>>
> >>> It seems a strange design that a WINS server can take
> >> precedence over
> >>> my explicit "password server" setting in my smb.conf file.
> >>>
> >>> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> >>>
> >>>
> >>>
> >>> On Tue, 4 Sep 2012 11:21am, Robert Adkins II wrote:
> >>>
> >>>> More information is required.
> >>>>
> >>>> What is the WINS server running OS wise? Can you work 
> with the IT 
> >>>> Staff in charge of that WINS Server?
> >>>>
> >>>> --
> >>>>
> >>>> Regards,
> >>>> Robert Adkins
> >>>>
> >>>>
> >>>>
> >>>>> -Original Message-
> >>>>> From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu]
> >>>>> Sent: Tuesday, September 04, 2012 11:16 AM
> >>>>> To: Robert Adkins II
> >>>>> Cc: samba@lists.samba.org
> >>>>> Subject: RE: [Samba] Changed PDC IP, all hell broke lose
> >>>>>
> >>>>>
> >>>>> I am not running winbindd on the server.  I am using the
> >> WINS server
> >>>>> of my hospital which I have no control over.
> >>>>>
> >>>>> I have already tried deleting browse.dat (I do not see
> >> the other two
> >>>>> files anywhere) to no avail.
> >>>>>
> >>>>> So my fear is that this is all happening because the WINS
> >> server is
> >>>>> refusing to recognize the change since I cannot do 
> anything about 
> >>>>> it. Is that the issue?  Is there anyway to force

Re: [Samba] Changed PDC IP, all hell broke lose

2012-09-06 Thread Robert Adkins II
I think you can/should have them remove the PDC from their WINS entry on
their end and then you can rejoin the network with the new IP Address.

Outside of that, I can only suggest looking into how to send an update to a
record on a WINS server from a Samba PDC. I'm unsure if that is possible as
I have only run a fully Windows or a Linux/Samba with Windows Clients as a
network.


--

Regards,
Robert Adkins

 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines
> Sent: Tuesday, September 04, 2012 2:24 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Changed PDC IP, all hell broke lose
> 
> 
> It is definitely an issue with the WINS server which returns 
> the old IP address
> 
> # nmblookup -U 172.27.88.81 -R 'MRIRESEARCH#1b'
> querying MRIRESEARCH on 172.27.88.81
> 132.183.202.95 MRIRESEARCH<1b>
> 
> SO it is not automatically picking up the IP change which 
> happened 4 days ago and I have restarted samba on my PDC 
> several times.  The old IP is definitely not in /etc/hosts 
> anymore or anywhere in smb.conf.  It only shows up in 
> gencache.tdb in the files /var/lib/samba even though I keep 
> deleting that file when I restart.
> 
> WINS is a total mystery to me.  How is this supposed to work?
> 
> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> 
> 
> 
> On Tue, 4 Sep 2012 12:00pm, Paul Raines wrote:
> 
> > I have no idea what the WINS server is except that I am sure it 
> > running on Windows since they are totally Windows-based 
> organization.  
> > So the WINS server is definitely the problem?  When I talk 
> to them and 
> > mention I am using Samba on Linux they may totally just say 
> "we don't support it" and hang up.
> >
> > It seems a strange design that a WINS server can take 
> precedence over 
> > my explicit "password server" setting in my smb.conf file.
> >
> > -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> >
> >
> >
> > On Tue, 4 Sep 2012 11:21am, Robert Adkins II wrote:
> >
> >> More information is required.
> >> 
> >> What is the WINS server running OS wise? Can you work with the IT 
> >> Staff in charge of that WINS Server?
> >> 
> >> --
> >> 
> >> Regards,
> >> Robert Adkins
> >> 
> >> 
> >> 
> >>> -Original Message-
> >>> From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu]
> >>> Sent: Tuesday, September 04, 2012 11:16 AM
> >>> To: Robert Adkins II
> >>> Cc: samba@lists.samba.org
> >>> Subject: RE: [Samba] Changed PDC IP, all hell broke lose
> >>> 
> >>> 
> >>> I am not running winbindd on the server.  I am using the 
> WINS server 
> >>> of my hospital which I have no control over.
> >>> 
> >>> I have already tried deleting browse.dat (I do not see 
> the other two 
> >>> files anywhere) to no avail.
> >>> 
> >>> So my fear is that this is all happening because the WINS 
> server is 
> >>> refusing to recognize the change since I cannot do anything about 
> >>> it. Is that the issue?  Is there anyway to force a WINS server to 
> >>> change the IP it has a for domain master browser?
> >>> 
> >>> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> >>> 
> >>> 
> >>> 
> >>> On Tue, 4 Sep 2012 10:59am, Robert Adkins II wrote:
> >>> 
> >>>> It's most likely that your server has the old IP Address
> >>> Cached in the
> >>>> wins.dat, browse.dat, browse.tdb.
> >>>> 
> >>>> I recommend the following:
> >>>> 
> >>>> Shutdown the winbind, nmbd and smbd services.
> >>>> 
> >>>> Back up each of the above mentioned files.
> >>>> 
> >>>> Delete the original above named files.
> >>>> 
> >>>> Restart your services and then see if you can connect.
> >>>> 
> >>>> You may also need to edit your samba configuration file 
> to point to 
> >>>> the new server IP Address as the PDC Master Browser. 
> (Assuming you 
> >>>> didn't already do
> >>>> that.)
> >>>> 
> >>>> The problem is that your server is telling clients to
> >>> attempt to find
> >>>> it on a network that no longer exists.
> >>>> 
> >>&

Re: [Samba] Changed PDC IP, all hell broke lose

2012-09-04 Thread Robert Adkins II
More information is required.

What is the WINS server running OS wise? Can you work with the IT Staff in
charge of that WINS Server?

--

Regards,
Robert Adkins 

 

> -Original Message-
> From: Paul Raines [mailto:rai...@nmr.mgh.harvard.edu] 
> Sent: Tuesday, September 04, 2012 11:16 AM
> To: Robert Adkins II
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] Changed PDC IP, all hell broke lose
> 
> 
> I am not running winbindd on the server.  I am using the WINS 
> server of my hospital which I have no control over.
> 
> I have already tried deleting browse.dat (I do not see the 
> other two files anywhere) to no avail.
> 
> So my fear is that this is all happening because the WINS 
> server is refusing to recognize the change since I cannot do 
> anything about it. Is that the issue?  Is there anyway to 
> force a WINS server to change the IP it has a for domain 
> master browser?
> 
> -- Paul Raines (http://help.nmr.mgh.harvard.edu)
> 
> 
> 
> On Tue, 4 Sep 2012 10:59am, Robert Adkins II wrote:
> 
> > It's most likely that your server has the old IP Address 
> Cached in the 
> > wins.dat, browse.dat, browse.tdb.
> >
> > I recommend the following:
> >
> > Shutdown the winbind, nmbd and smbd services.
> >
> > Back up each of the above mentioned files.
> >
> > Delete the original above named files.
> >
> > Restart your services and then see if you can connect.
> >
> > You may also need to edit your samba configuration file to point to 
> > the new server IP Address as the PDC Master Browser. (Assuming you 
> > didn't already do
> > that.)
> >
> > The problem is that your server is telling clients to 
> attempt to find 
> > it on a network that no longer exists.
> >
> > --
> >
> > Regards,
> > Robert Adkins II
> >
> >
> >
> >> -Original Message-
> >> From: samba-boun...@lists.samba.org
> >> [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines
> >> Sent: Tuesday, September 04, 2012 10:41 AM
> >> To: samba@lists.samba.org
> >> Subject: [Samba] Changed PDC IP, all hell broke lose
> >>
> >>
> >> I had to move my RedHat 5 box acting as a PDC to a new IP 
> address. It 
> >> is running samba 3.5.10.  After the move, none of my 
> windows or linux 
> >> samba clients worked anymore.  I tried rejoining some to 
> the domain, 
> >> but would get error
> >>
> >> Unable to find a suitable server
> >> Join to domain 'MRIRESEARCH' is not valid
> >>
> >>
> >> The old PDC IP address is 132.183.202.95 and nothing is at that IP 
> >> anymore (for 4 days now).  The new IP is 172.21.21.35
> >>
> >> I ran 'net -d 10 join' and would see it was still trying 
> to connect 
> >> to the old IP address.  I tried 'net cache flush' to no avail.  I 
> >> shut down samba, removed every file in /var/cache/samba 
> and still no 
> >> change.
> >> It tries to go to the old IP address.
> >>
> >> On the PDC box, I increase 'os level' from 60 to 70, 
> stopped the nmbd 
> >> and smbd processes, did a 'net flush cache' and restarted nmbd and 
> >> smbd. Still it fails and the nmbd log as the following.
> >>
> >> ==
> >> [2012/09/04 10:09:25,  0] nmbd/nmbd.c:857(main)
> >>nmbd version 3.5.10-0.110.el5_8 started.
> >>Copyright Andrew Tridgell and the Samba Team 1992-2010
> >> [2012/09/04 10:09:25.716397,  0]
> >> nmbd/nmbd_logonnames.c:160(add_logon_names)
> >>add_domain_logon_names:
> >>Attempting to become logon server for workgroup MRIRESEARCH on 
> >> subnet 172.21.21.35
> >> [2012/09/04 10:09:25.716599,  0]
> >> nmbd/nmbd_logonnames.c:160(add_logon_names)
> >>add_domain_logon_names:
> >>Attempting to become logon server for workgroup MRIRESEARCH on 
> >> subnet 192.168.0.150
> >> [2012/09/04 10:09:25.716671,  0]
> >> nmbd/nmbd_logonnames.c:160(add_logon_names)
> >>add_domain_logon_names:
> >>Attempting to become logon server for workgroup MRIRESEARCH on 
> >> subnet UNICAST_SUBNET
> >> [2012/09/04 10:09:25.716768,  0]
> >> nmbd/nmbd_become_dmb.c:337(become_domain_master_browser_wins)
> >>become_domain_master_browser_wins:
> >>Attempting to become domain master browser on workgroup 
> >> MRIRESEARCH, subnet UNICAST_SUBNET.
> >> [2012/09/04 10:09:25.71682

Re: [Samba] Changed PDC IP, all hell broke lose

2012-09-04 Thread Robert Adkins II
It's most likely that your server has the old IP Address Cached in the
wins.dat, browse.dat, browse.tdb.

I recommend the following:

Shutdown the winbind, nmbd and smbd services.

Back up each of the above mentioned files.

Delete the original above named files.

Restart your services and then see if you can connect.

You may also need to edit your samba configuration file to point to the new
server IP Address as the PDC Master Browser. (Assuming you didn't already do
that.)

The problem is that your server is telling clients to attempt to find it on
a network that no longer exists.

--

Regards,
Robert Adkins II

 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Paul Raines
> Sent: Tuesday, September 04, 2012 10:41 AM
> To: samba@lists.samba.org
> Subject: [Samba] Changed PDC IP, all hell broke lose
> 
> 
> I had to move my RedHat 5 box acting as a PDC to a new IP 
> address. It is running samba 3.5.10.  After the move, none of 
> my windows or linux samba clients worked anymore.  I tried 
> rejoining some to the domain, but would get error
> 
> Unable to find a suitable server
> Join to domain 'MRIRESEARCH' is not valid
> 
> 
> The old PDC IP address is 132.183.202.95 and nothing is at 
> that IP anymore (for 4 days now).  The new IP is 172.21.21.35
> 
> I ran 'net -d 10 join' and would see it was still trying to 
> connect to the old IP address.  I tried 'net cache flush' to 
> no avail.  I shut down samba, removed every file in 
> /var/cache/samba and still no change.
> It tries to go to the old IP address.
> 
> On the PDC box, I increase 'os level' from 60 to 70, stopped 
> the nmbd and smbd processes, did a 'net flush cache' and 
> restarted nmbd and smbd. Still it fails and the nmbd log as 
> the following.
> 
> ==
> [2012/09/04 10:09:25,  0] nmbd/nmbd.c:857(main)
>nmbd version 3.5.10-0.110.el5_8 started.
>Copyright Andrew Tridgell and the Samba Team 1992-2010
> [2012/09/04 10:09:25.716397,  0] 
> nmbd/nmbd_logonnames.c:160(add_logon_names)
>add_domain_logon_names:
>Attempting to become logon server for workgroup 
> MRIRESEARCH on subnet 172.21.21.35
> [2012/09/04 10:09:25.716599,  0] 
> nmbd/nmbd_logonnames.c:160(add_logon_names)
>add_domain_logon_names:
>Attempting to become logon server for workgroup 
> MRIRESEARCH on subnet 192.168.0.150
> [2012/09/04 10:09:25.716671,  0] 
> nmbd/nmbd_logonnames.c:160(add_logon_names)
>add_domain_logon_names:
>Attempting to become logon server for workgroup 
> MRIRESEARCH on subnet UNICAST_SUBNET
> [2012/09/04 10:09:25.716768,  0] 
> nmbd/nmbd_become_dmb.c:337(become_domain_master_browser_wins)
>become_domain_master_browser_wins:
>Attempting to become domain master browser on workgroup 
> MRIRESEARCH, subnet UNICAST_SUBNET.
> [2012/09/04 10:09:25.716828,  0] 
> nmbd/nmbd_become_dmb.c:351(become_domain_master_browser_wins)
>become_domain_master_browser_wins: querying WINS server 
> from IP 0.0.0.0 for domain master browser name 
> MRIRESEARCH<1b> on workgroup MRIRESEARCH
> [2012/09/04 10:09:25.722744,  0] 
> nmbd/nmbd_logonnames.c:121(become_logon_server_success)
>become_logon_server_success: Samba is now a logon server 
> for workgroup MRIRESEARCH on subnet UNICAST_SUBNET
> [2012/09/04 10:09:25.722928,  0] 
> nmbd/nmbd_become_dmb.c:235(become_domain_master_query_success)
>become_domain_master_query_success:
>There is already a domain master browser at IP 
> 132.183.202.95 for workgroup MRIRESEARCH registered on subnet 
> UNICAST_SUBNET.
> [2012/09/04 10:09:29.096239,  0] 
> nmbd/nmbd_logonnames.c:121(become_logon_server_success)
>become_logon_server_success: Samba is now a logon server 
> for workgroup MRIRESEARCH on subnet 172.21.21.35
> [2012/09/04 10:09:29.096382,  0] 
> nmbd/nmbd_logonnames.c:121(become_logon_server_success)
>become_logon_server_success: Samba is now a logon server 
> for workgroup MRIRESEARCH on subnet 192.168.0.150
> [2012/09/04 10:09:49.731244,  0] 
> nmbd/nmbd_become_lmb.c:395(become_local_master_stage2)
>*
> 
>Samba name server PDC-NMR is now a local master browser 
> for workgroup MRIRESEARCH on subnet 172.21.21.35
> 
>*
> [2012/09/04 10:09:49.731468,  0] 
> nmbd/nmbd_become_lmb.c:395(become_local_master_stage2)
>*
> 
>Samba name server PDC-NMR is now a local master browser 
> for workgroup MRIRESEARCH on subnet 192.168.0.150
> 
>*
> [2012/09/04 10:10:10.732440,  0] 
> nmbd/nmbd_browsesync.c:247(domain_master_node_status_fail)
>domain_master_node_status_fail:
>Doing a node status r
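
The stale-record check this thread converges on, as an added example (not code from any poster or from the Samba project): it folds nmbd log records and `nmblookup` output and flags a `<1b>` domain master browser address that is not one of the PDC's expected IPs. The sample text is constructed from the values quoted in the thread, and the function names are hypothetical.

```python
import re
from ipaddress import ip_address

# Constructed sample: unwrapped, unquoted lines modelled on the nmbd log in the thread.
SAMPLE_NMBD_LOG = """\
[2012/09/04 10:09:25.716768,  0] nmbd/nmbd_become_dmb.c:337(become_domain_master_browser_wins)
  become_domain_master_browser_wins:
  Attempting to become domain master browser on workgroup MRIRESEARCH, subnet UNICAST_SUBNET.
[2012/09/04 10:09:25.722928,  0] nmbd/nmbd_become_dmb.c:235(become_domain_master_query_success)
  become_domain_master_query_success:
  There is already a domain master browser at IP 132.183.202.95 for workgroup MRIRESEARCH registered on subnet UNICAST_SUBNET.
[2012/09/04 10:09:49.731244,  0] nmbd/nmbd_become_lmb.c:395(become_local_master_stage2)
  Samba name server PDC-NMR is now a local master browser for workgroup MRIRESEARCH on subnet 172.21.21.35
"""

# Constructed sample: the nmblookup answer quoted in the thread.
SAMPLE_NMBLOOKUP = """\
querying MRIRESEARCH on 172.27.88.81
132.183.202.95 MRIRESEARCH<1b>
"""

# "[date time(.usec), level] source-file:line(function)" opens each nmbd record.
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d(?:\.\d+)?),\s*\d+\]\s*\S+")
DMB_TAKEN = re.compile(
    r"already a domain master browser at IP (?P<ip>(?:\d{1,3}\.){3}\d{1,3}) "
    r"for workgroup (?P<wg>\S+)")
NMBLOOKUP_HIT = re.compile(
    r"^(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<name>[^<\s]+)<(?P<type>[0-9a-fA-F]{2})>$")


def log_records(text):
    """Yield (timestamp, message); continuation lines are folded into one message."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(parts)
            ts, parts = m.group("ts"), []
        elif ts is not None and line.strip():
            parts.append(line.strip())
    if ts is not None:
        yield ts, " ".join(parts)


def stale_dmb_from_log(text, expected_ips):
    """Return (timestamp, workgroup, ip) for each DMB conflict with an unexpected IP."""
    expected = {ip_address(ip) for ip in expected_ips}
    findings = []
    for ts, msg in log_records(text):
        m = DMB_TAKEN.search(msg)
        if m and ip_address(m.group("ip")) not in expected:
            findings.append((ts, m.group("wg"), m.group("ip")))
    return findings


def stale_dmb_from_nmblookup(text, workgroup, expected_ips):
    """Return the IPs a WINS answer gives for <workgroup><1b> that are not expected."""
    expected = {ip_address(ip) for ip in expected_ips}
    unexpected = []
    for line in text.splitlines():
        m = NMBLOOKUP_HIT.match(line.strip())
        if not m:
            continue  # e.g. the "querying ... on ..." banner line
        is_dmb = m.group("type").lower() == "1b"
        if is_dmb and m.group("name").upper() == workgroup.upper():
            if ip_address(m.group("ip")) not in expected:
                unexpected.append(m.group("ip"))
    return unexpected


if __name__ == "__main__":
    pdc_ips = ["172.21.21.35"]  # the new PDC address given in the thread
    for ts, wg, ip in stale_dmb_from_log(SAMPLE_NMBD_LOG, pdc_ips):
        print(f"{ts}: {wg}<1b> is held by unexpected address {ip}")
    for ip in stale_dmb_from_nmblookup(SAMPLE_NMBLOOKUP, "MRIRESEARCH", pdc_ips):
        print(f"WINS still answers MRIRESEARCH<1b> with {ip}")
```

Run against the live `nmbd` log after any DC address change; a hit means the WINS record has to be corrected on the WINS server itself, since clearing local caches does not change what WINS answers.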

Re: [Samba] Phantom Domain Master Browser

2012-08-29 Thread Robert Adkins II

Two things:

1. There is no active hosts on my network using that IP Address.

2. There are entries for the Phantom Domain Master Browser, they are
pointing to the following:

"[Domain Name]#1c" {string of #'s} -Phantom Server IP Address-
*Current Samba Server IP Address*

"[Domain Name]#1b" {string of #'s} -Phantom Server IP Address-
*Current Samba Server IP Address*

There are no single entries with the phantom IP Address.

I have also run an nmap scan of the entire network, there is nothing
listed as using the Phantom IP Address, we do not use Wireless and there is
nothing plugged into any of the network jacks that I am unaware of, every
port is accounted for.

--

Regards,
Robert Adkins 

 

> -Original Message-
> From: Dale Schroeder [mailto:d...@briannassaladdressing.com] 
> Sent: Wednesday, August 29, 2012 1:33 PM
> To: Robert Adkins II
> Cc: Samba
> Subject: Re: [Samba] Phantom Domain Master Browser
> 
> Robert,
> 
> Assuming one of the files you found was wins.dat, is there an 
> entry for the offending IP with a corresponding hostname?
> Knowing the source should surely help with troubleshooting.
> 
> Dale
> 
> 
> On 08/29/2012 10:08 AM, Robert Adkins II wrote:
> > Nevermind. I found them.
> >
> > I also performed the below suggestions and the phantom IP 
> address is 
> > still there, fighting for control of the network.
> >
> >
> > --
> >
> > Regards,
> > Robert Adkins
> >
> >   
> >
> >> -Original Message-
> >> From: Robert Adkins II [mailto:radk...@impelind.com]
> >> Sent: Wednesday, August 29, 2012 10:54 AM
> >> To: 'gaiseric.van...@gmail.com'; 'samba@lists.samba.org'
> >> Subject: RE: [Samba] Phantom Domain Master Browser
> >>
> >> There is no "wins.dat" or "browse.dat" anywhere on my server.
> >>
> >> I am surprised to find this to be the case.
> >>
> >> I do not have a machine on my network with the IP Address 
> in question.
> >>
> >> Regards,
> >> Robert
> >>   
> >>
> >>> -Original Message-
> >>> From: samba-boun...@lists.samba.org
> >>> [mailto:samba-boun...@lists.samba.org] On Behalf Of 
> Gaiseric Vandal
> >>> Sent: Tuesday, July 31, 2012 9:46 AM
> >>> To: samba@lists.samba.org
> >>> Subject: Re: [Samba] Phantom Domain Master Browser
> >>>
> >>> In the /var/samba/locks directory you may have browse.dat file  or
> >>> wins.*  (if this is a WINS server) files that have
> >> incorrect info.
> >>> You should be able to name/backup these  files and restart nmbd.
> >>>
> >>> Is the phantom master browser a samba server or a Windows machine?
> >>> the Samba DC normally should win browser elections but it is not 
> >>> always the case.
> >>>
> >>>   
> >>>
> >>>
> >>> On 07/20/12 09:08, Robert Adkins II wrote:
> >>>> I brought up the old server and have been reviewing the 
> log files.
> >>>>
> >>>> There is no indication of the phantom master browser
> >>> existing in the
> >>>> old log files.
> >>>>
> >>>> --
> >>>>
> >>>> Regards,
> >>>> Robert Adkins II
> >>>> IT Manager/Buyer
> >>>> Impel Industries, Inc.
> >>>> 586-254-5800
> >>>>
> >>>>   
> >>>>
> >>>>> -Original Message-
> >>>>> From: samba-boun...@lists.samba.org 
> >>>>> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert
> >>> Adkins II
> >>>>> Sent: Friday, July 20, 2012 8:50 AM
> >>>>> To: samba@lists.samba.org
> >>>>> Subject: [Samba] Phantom Domain Master Browser
> >>>>>
> >>>>> There's a phantom domain master browser showing up in my Samba 
> >>>>> nmbd.log file.
> >>>>>   
> >>>>> I keep thinking that maybe it is left over in one of the
> >>> files that I
> >>>>> transferred over from the old server to the new server and
> >>> it isn't
> >>>>> clearing itself out. Is there a way to clear that and is
> >>> it possible
> >>>>> to have a phantom browser fighting over the Domain from a
> >>> copied over
> >>>>> file?
> >>>>>   
> >>>>> I transferred all of the Samba files found in /etc/samba
> >>> to the new
> >>>>> server.
> >>>>>   
> >>>>> This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
> >>>>>   
> >>>>> I have noticed some additional files in the /var/log/Samba
> >>> directory
> >>>>> as well as some additional files in the /etc/samba
> >>> directory on the
> >>>>> new server.
> >>>>>   
> >>>>>   
> >>>>>   
> >>>>>
> >>>>>
> >>>>> --
> >>>>>
> >>>>> Regards,
> >>>>> Robert Adkins II
> >>>>> IT Manager/Buyer
> >>>>> Impel Industries, Inc.
> >>>>> 586-254-5800
> >>>>>
> >>>>>   


Re: [Samba] Phantom Domain Master Browser

2012-08-29 Thread Robert Adkins II
Nevermind. I found them.

I also performed the below suggestions and the phantom IP address is still
there, fighting for control of the network.


--

Regards,
Robert Adkins

 

> -Original Message-
> From: Robert Adkins II [mailto:radk...@impelind.com] 
> Sent: Wednesday, August 29, 2012 10:54 AM
> To: 'gaiseric.van...@gmail.com'; 'samba@lists.samba.org'
> Subject: RE: [Samba] Phantom Domain Master Browser
> 
> There is no "wins.dat" or "browse.dat" anywhere on my server.
> 
> I am surprised to find this to be the case.
> 
> I do not have a machine on my network with the IP Address in question.
> 
> Regards,
> Robert
>  
> 
> > -Original Message-
> > From: samba-boun...@lists.samba.org
> > [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> > Sent: Tuesday, July 31, 2012 9:46 AM
> > To: samba@lists.samba.org
> > Subject: Re: [Samba] Phantom Domain Master Browser
> > 
> > In the /var/samba/locks directory you may have browse.dat file  or
> > wins.*  (if this is a WINS server) files that have 
> incorrect info.   
> > You should be able to name/backup these  files and restart nmbd.  
> > 
> > Is the phantom master browser a samba server or a Windows machine?  
> > the Samba DC normally should win browser elections but it is not 
> > always the case.
> > 
> >  
> > 
> > 
> > On 07/20/12 09:08, Robert Adkins II wrote:
> > > I brought up the old server and have been reviewing the log files.
> > >
> > > There is no indication of the phantom master browser
> > existing in the
> > > old log files.
> > >
> > > --
> > >
> > > Regards,
> > > Robert Adkins II
> > > IT Manager/Buyer
> > > Impel Industries, Inc.
> > > 586-254-5800
> > >
> > >  
> > >
> > >> -Original Message-
> > >> From: samba-boun...@lists.samba.org 
> > >> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert
> > Adkins II
> > >> Sent: Friday, July 20, 2012 8:50 AM
> > >> To: samba@lists.samba.org
> > >> Subject: [Samba] Phantom Domain Master Browser
> > >>
> > >> There's a phantom domain master browser showing up in my Samba 
> > >> nmbd.log file.
> > >>  
> > >> I keep thinking that maybe it is left over in one of the
> > files that I
> > >> transferred over from the old server to the new server and
> > it isn't
> > >> clearing itself out. Is there a way to clear that and is
> > it possible
> > >> to have a phantom browser fighting over the Domain from a
> > copied over
> > >> file?
> > >>  
> > >> I transferred all of the Samba files found in /etc/samba
> > to the new
> > >> server.
> > >>  
> > >> This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
> > >>  
> > >> I have noticed some additional files in the /var/log/Samba
> > directory
> > >> as well as some additional files in the /etc/samba
> > directory on the
> > >> new server.
> > >>  
> > >>  
> > >>  
> > >>
> > >>
> > >> --
> > >>
> > >> Regards,
> > >> Robert Adkins II
> > >> IT Manager/Buyer
> > >> Impel Industries, Inc. 
> > >> 586-254-5800
> > >>
> > >>  


Re: [Samba] Phantom Domain Master Browser

2012-08-29 Thread Robert Adkins II
There is no "wins.dat" or "browse.dat" anywhere on my server.

I am surprised to find this to be the case.

I do not have a machine on my network with the IP Address in question.

Regards,
Robert
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Tuesday, July 31, 2012 9:46 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Phantom Domain Master Browser
> 
> In the /var/samba/locks directory you may have browse.dat file  or
> wins.*  (if this is a WINS server) files that have incorrect info.   
> You should be able to name/backup these  files and restart nmbd.  
> 
> Is the phantom master browser a samba server or a Windows 
> machine?  the Samba DC normally should win browser elections 
> but it is not always the case.
> 
>  
> 
> 
> On 07/20/12 09:08, Robert Adkins II wrote:
> > I brought up the old server and have been reviewing the log files.
> >
> > There is no indication of the phantom master browser 
> existing in the 
> > old log files.
> >
> > --
> >
> > Regards,
> > Robert Adkins II
> > IT Manager/Buyer
> > Impel Industries, Inc.
> > 586-254-5800
> >
> >  
> >
> >> -Original Message-
> >> From: samba-boun...@lists.samba.org
> >> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert 
> Adkins II
> >> Sent: Friday, July 20, 2012 8:50 AM
> >> To: samba@lists.samba.org
> >> Subject: [Samba] Phantom Domain Master Browser
> >>
> >> There's a phantom domain master browser showing up in my Samba
> >> nmbd.log file.
> >>
> >> I keep thinking that maybe it is left over in one of the files that I
> >> transferred over from the old server to the new server and it isn't
> >> clearing itself out. Is there a way to clear that and is it possible
> >> to have a phantom browser fighting over the Domain from a copied over
> >> file?
> >>
> >> I transferred all of the Samba files found in /etc/samba to the new
> >> server.
> >>
> >> This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
> >>
> >> I have noticed some additional files in the /var/log/Samba directory
> >> as well as some additional files in the /etc/samba directory on the
> >> new server.
> >>  
> >>  
> >>  
> >>
> >>
> >> --
> >>
> >> Regards,
> >> Robert Adkins II
> >> IT Manager/Buyer
> >> Impel Industries, Inc. 
> >> 586-254-5800
> >>
> >>  


[Samba] CIFS mount intermittently unavailable: cifs_mount failed w/return code = -5

2012-08-16 Thread Robert S
I have a debian machine called "debian" and a windows XP machine
called "server".  I have a permanent mounted read-only share called
\\server\doc.  My /etc/fstab looks like this:

//server/doc /opt/chroot/mnt/server cifs credentials=/root/.smbmount,username=medical,uid=medical,file_mode=0755,dir_mode=0755,noserverino 0 0

This works well most of the time but at times I get an input/output
error when I try to access this share.  My syslog shows the following:

Aug 16 15:36:35 debian kernel: [1289131.676869] Status code returned
0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:36:35 debian kernel: [1289131.676875]  CIFS VFS: Send error
in SessSetup = -5
Aug 16 15:36:35 debian kernel: [1289131.676899]  CIFS VFS: cifs_mount
failed w/return code = -5
Aug 16 15:36:46 debian kernel: [1289142.653770] Status code returned
0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:36:46 debian kernel: [1289142.653775]  CIFS VFS: Send error
in SessSetup = -5
Aug 16 15:36:46 debian kernel: [1289142.653799]  CIFS VFS: cifs_mount
failed w/return code = -5
Aug 16 15:37:01 debian kernel: [1289158.491697] Status code returned
0xc0d0 NT_STATUS_REQUEST_NOT_ACCEPTED
Aug 16 15:37:01 debian kernel: [1289158.491703]  CIFS VFS: Send error
in SessSetup = -5
Aug 16 15:37:01 debian kernel: [1289158.491727]  CIFS VFS: cifs_mount
failed w/return code = -5

Does anyone have any suggestions?  Can somebody explain what return
code -5 means?

I have tried replacing "server" with its fixed IP address
(192.168.0.32), but this does not help.  I have even moved all the
files to another location on the Windows box and recreated the share,
but it still occurs.


Re: [Samba] Phantom Domain Master Browser

2012-07-20 Thread Robert Adkins II
I brought up the old server and have been reviewing the log files.

There is no indication of the phantom master browser existing in the old log
files.

--

Regards,
Robert Adkins II
IT Manager/Buyer
Impel Industries, Inc.
586-254-5800

 

> -----Original Message-----
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> Sent: Friday, July 20, 2012 8:50 AM
> To: samba@lists.samba.org
> Subject: [Samba] Phantom Domain Master Browser
> 
> There's a phantom domain master browser showing up in my 
> Samba nmbd.log file.
>  
> I keep thinking that maybe it is left over in one of the 
> files that I transferred over from the old server to the new 
> server and it isn't clearing itself out. Is there a way to 
> clear that and is it possible to have a phantom browser 
> fighting over the Domain from a copied over file?
>  
> I transferred all of the Samba files found in /etc/samba to 
> the new server.
>  
> This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
>  
> I have noticed some additional files in the /var/log/Samba 
> directory as well as some additional files in the /etc/samba 
> directory on the new server.
>  
>  
>  
> 
> 
> -- 
> 
> Regards,
> Robert Adkins II
> IT Manager/Buyer
> Impel Industries, Inc. 
> 586-254-5800 
> 
>  


[Samba] Phantom Domain Master Browser

2012-07-20 Thread Robert Adkins II
There's a phantom domain master browser showing up in my Samba nmbd.log
file.
 
I keep thinking that maybe it is left over in one of the files that I
transferred over from the old server to the new server and it isn't clearing
itself out. Is there a way to clear that and is it possible to have a
phantom browser fighting over the Domain from a copied over file?
 
I transferred all of the Samba files found in /etc/samba to the new server.
 
This was also an upgrade from Samba 3.2.7 to Samba 3.6.3
 
I have noticed some additional files in the /var/log/Samba directory as well
as some additional files in the /etc/samba directory on the new server.
 
 
 


-- 

Regards, 
Robert Adkins II
IT Manager/Buyer 
Impel Industries, Inc. 
586-254-5800 

 


[Samba] Migrated Server Hardware - Now Experiencing Some Client Drops

2012-07-13 Thread Robert Adkins II
I have recently upgraded the hardware that the Samba server was running on.
 
This also included an OS and Samba version upgrade.
 
Old Server
OpenSuSe 11.1
Samba 3.2.7
 
New Server
OpenSuSe 12.1
Samba 3.6.3
 
I moved over everything located in the /etc/samba directory from the old
hardware to the new hardware.
 
I set the new server to use the same IP Address, services, hostname. The
only difference between the two servers (besides hardware) is the OS and the
Samba revision.
 
It's been about two weeks now and since the switch, I have had between none
and upwards of three clients "losing" connection to the server for a short
period of time. The clients do not show anything beyond themselves and maybe
one other workstation on the network for upwards of 5 minutes. I have seen
the following error in the log.nmbd file:
 
[2012/07/13 10:55:06,  0]
nmbd/nmbd_browsesync.c:486(get_domain_master_name_node_status_fail)
  get_domain_master_name_node_status_fail:
  Doing a node status request to the domain master browser at IP
192.168.254.57 failed.
 
Which has not repeated for several hours. In searching through my DHCP lease
log, ip address 192.168.254.57 is no longer leased and it is not holding the
hostname of the PC that had that address.
 
My smb.conf file has the OS Level set to 65, which should be high enough to
be the master browser for the network. I also have the DHCP server providing
the server's address as the WINS Server and the smb.conf file has WINS
Support active and I am running the Winbind server.
 
Is there a log level that may show me more information as to what might be
duking it out with the new Samba Server? (The old server is no longer
connected to the network, it is "available" only as a last resort back-up at
this time.)



-- 

Regards, 
Robert Adkins



Re: [Samba] Can't get idmap connected to AD unix attribs

2012-07-10 Thread Robert Freeman-Day

Nick,

I think what you may be looking for is the ad backend:

https://www.samba.org/samba/docs/man/manpages-3/idmap_ad.8.html

Since you are using tdb in your config, it is using a local database
and allocates UID/GIDs on the fly...first come, first served.  So a
user may not get the same UID from one machine to the next.

Robert

On 07/10/2012 12:20 AM, Nick Triantos wrote:
> Hi,
> 
> I'm trying to get an Ubuntu 12.04 system's Samba (3.6.3) and
> Winbind to map userids and groups to the unix attributes in an AD
> 2008 server. I can see that when I perform an ldapsearch, I'm able
> to read the attributes, and for one of my accounts, the id should
> be 1001. However, when I run 'wbinfo -i ', I get back
> something like 920.
> 
> At one point, I was setting the idmap range to start at 900, but
> I've since removed that from my config, and restarted winbindd and
> smbd. I've also tried to 'net cache flush'.
> 
> I also see wbinfo -i  usually returns: failed to call
> wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user
> 
> 
> The relevant parts of my smb.conf are below. I've tried patching
> this together from various tuts and help pages. Any guidance would
> be very helpful.
> 
> thanks! -Nick
> 
> [global]
>    workgroup = CORP
>    security = ADS
>    password server = 192.168.77.251
>    realm = CORP.MYCOMPANY.COM
>    allow trusted domains = yes
>    winbind use default domain = yes
>    winbind nested groups = YES
>    idmap config CORP : backend = tdb
>    idmap config CORP : default = yes
>    idmap config CORP : schema_mode = rfc2307
>    idmap config CORP : range = 1000 -
>    idmap config * : backend = tdb
>    encrypt passwords = true
>    obey pam restrictions = yes
>    client use spnego = yes
>    client ntlmv2 auth = yes
>    encrypt passwords = true
>    restrict anonymous = 2
>    unix password sync = yes
>    winbind enum groups = yes
>    winbind enum users = yes
>    winbind nss info = rfc2307
> 
> 


- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
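
The following Python example is added here and is not part of the thread or of Samba: it audits the `[global]` section of an smb.conf for the situation the reply describes (a named domain mapped through the locally allocating `tdb` backend), for `schema_mode` set on a backend other than `ad`, and for the `idmap uid`/`idmap gid`/`idmap backend` options that Samba 3.6.3 reports as deprecated. The sample configuration is constructed, and the function names and finding codes are assumptions of this example.

```python
import re

# Constructed smb.conf fragment modelled on the [global] section quoted in the
# question. The upper bound of the CORP range is missing on the page, so the
# value 1000-99999 below is made up.
SAMPLE_CONF = """\
[global]
    workgroup = CORP
    security = ADS
    realm = CORP.MYCOMPANY.COM
    idmap config CORP : backend = tdb
    idmap config CORP : schema_mode = rfc2307
    idmap config CORP : range = 1000-99999
    idmap config * : backend = tdb
    winbind nss info = rfc2307
"""

# "idmap config <DOMAIN> : <key> = <value>"
IDMAP_RE = re.compile(
    r"^idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*(?P<key>[^=]+?)\s*=\s*(?P<val>.*)$",
    re.IGNORECASE,
)
# Back ends that hand out IDs from a local pool instead of reading them from AD.
LOCAL_ALLOCATORS = {"tdb"}
# Options smbclient 3.6.3 warns about in this archive.
DEPRECATED = {"idmap backend", "idmap uid", "idmap gid"}


def _norm(name):
    """smb.conf parameter names ignore case and repeated spaces."""
    return " ".join(name.lower().split())


def parse_global(conf_text):
    """Return (idmap, other): per-domain idmap settings and the remaining
    [global] options, both keyed by normalised parameter name."""
    idmap, other, section = {}, {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        m = IDMAP_RE.match(line)
        if m:
            dom = m["dom"].upper()
            idmap.setdefault(dom, {})[_norm(m["key"])] = m["val"].strip().lower()
        else:
            key, val = line.split("=", 1)
            other[_norm(key)] = val.strip()
    return idmap, other


def audit_idmap(conf_text):
    """Return a list of (code, subject, message) findings."""
    idmap, other = parse_global(conf_text)
    findings = []
    for opt in sorted(DEPRECATED & other.keys()):
        findings.append(("deprecated-option", opt,
                         f'"{opt}" is reported as deprecated by Samba 3.6.3'))
    for dom in sorted(idmap):
        cfg = idmap[dom]
        backend = cfg.get("backend")
        # The "*" default domain normally allocates locally; only a named
        # (AD) domain is expected to give the same IDs on every machine.
        if dom != "*" and backend in LOCAL_ALLOCATORS:
            findings.append(("local-allocation", dom,
                             f"backend {backend} allocates IDs first come, "
                             "first served, so they differ between machines"))
        if "schema_mode" in cfg and backend != "ad":
            findings.append(("schema-mode-unused", dom,
                             "schema_mode is an idmap_ad setting and has no "
                             f"effect with backend {backend}"))
    return findings


if __name__ == "__main__":
    for code, subject, message in audit_idmap(SAMPLE_CONF):
        print(f"{code:20} {subject:14} {message}")
```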




Re: [Samba] speed of samba vs Windows

2012-06-28 Thread Robert Heller
At Thu, 28 Jun 2012 13:46:07 -0500 "Todor Fassl"  wrote:

> 
> > is it possible that unix file timestamps having a greater precision
> > than ntfs is causing windows to see a "change"?  I know rsync has an
> > option to combat this.
> 
> 
> Well, I have no reason to believe that our Windows guy is correct and that
> Windows downloads only changed files and samba downloads the whole profile.
> I'm guessing he is basing that on how slow logins are. I can guarantee that
> he hasn't actually checked it out. He either thought it up himself or he
> heard it somewhere. Does anyone know if Windows does download only files
> that have changed?
> 
> Something just occurred to me... Well, maybe this is a bug in samba but
> probably not. When you join a machine to a domain where a time server is
> configured, it doesn't automatically configure the time servers on the
> client machine.
> 
> On our network, the file server is the PDC. We have redundant BDCs which are
> configured as time servers in samba and are also ntp servers for the linux
> machines. If I boot a linux machine, I can use "ntpq -p" to make sure that
> the machine is getting data from our ntp servers. But if I go into the
> Windows control panel and look at "Date and Time", the server listed there
> is time.windows.com. [Which, as it occurs to me, is also bogus in that what
> the heck is windows.com? If its Microsoft, why isn't the default time server
> time.microsoft.com?]

dig time.windows.com =>

;; ANSWER SECTION:
time.windows.com.          3482 IN CNAME time.microsoft.akadns.net.
time.microsoft.akadns.net. 158  IN A     65.55.21.13

Yes. windows.com is a real live domain name, (owned by Microsoft), and
time.windows.com is a real host name with actual records.  And it
appears to be a legit time server.

> 
> Anyway, it seems to me that if you join a machine to a domain with a time
> server configured, it should show up in "Date and Time" -> Internet Time ->
> Server. But our BDCs aren't even listed there.
> 
> Gawd, I hate Windows. I don't hate Microsoft or Bill Gates. He seems like a
> nice enough guy to me. And I don't blame him for getting to be a
> bzillionaire even though his software kinda sucks. But, still, I hate
> Windows.
> 

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments


 


Re: [Samba] speed of samba vs Windows

2012-06-28 Thread Robert Adkins II

> -----Original Message-----
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Steve Thompson
> Sent: Thursday, June 28, 2012 11:07 AM
> To: Todor Fassl
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] speed of samba vs Windows
> 
> On Thu, 28 Jun 2012, Todor Fassl wrote:
> 
> > Is there any reason to believe that a samba server would be slower 
> > when serving up roaming profiles than a real Windows server?
> 
> In my experience, Samba is much faster than Windows on 
> comparable hardware. From 3 to 5 times faster, depending on function.
> 

Samba is also far more versatile and configurable than Windows
Server.

For instance, built into Samba it's possible to configure a "Recycle
Bin" into each and every share. This is accomplished through adding a single
line to the share. To do that on Windows, it requires a registry hack, on
each workstation. Maybe that can be automated, but it doesn't have anything
to do with the server, it's all done on the workstation, forget to implement
the registry hack, then you forget about having a Recycle Bin on that share.

I can't tell you how many times that Samba configuration has saved a
piece of critical data.

> > Our Windows guy insists samba is slow but I don't believe it.  He
> > claims that when you load a roaming profile, Windows downloads only
> > files that have changed and samba downloads everything. But he doesn't
> > know anything about samba and I don't know where he got that from.
> 
> Indeed he doesn't know anything about Samba; he's wrong.
> 
> Steve

  I concur.

-Rob



Re: [Samba] Migrating to new hardware

2012-06-04 Thread Robert Adkins II
Yeah, my plan is to scoot over the netlogin and the profiles directories as
well (and all of the data currently shared on the fileserver too).

Thanks.

--

Regards,
Robert Adkins II

> -----Original Message-----
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Gaiseric Vandal
> Sent: Monday, June 04, 2012 10:07 AM
> To: samba@lists.samba.org
> Subject: Re: [Samba] Migrating to new hardware
> 
> Run "testparm -v" -  you will probably want to copy over the 
> /var/samba/locks directory
> 
> lock directory = /var/samba/locks
> state directory = /var/samba/locks
> cache directory = /var/samba/locks
> pid directory = /var/samba/locks
> 
> 
> You also want to make sure your netlogon and profile 
> directories are replicated.
> 
> I ran into some issues migrating from 3.0.x to 3.4.x.  I am 
> not sure if these changes are already in placed in 3.2.x.  In 
> 3.4.x. I needed to explicitly defined a unix "nobody" user.
> 
> guest account = smb_nobody
>
> 
> I also had to explicitly grant admin perms to the domain 
> admins group so that they had sufficient privileges on local 
> PC's.  But I think I had made some error somewhere else, so I 
> don't think you will encounter this.
> 
> I have an ldap backend, and I found with 3.4.x or 3.5.x. that 
> joining the machine to the domain had some issues relating to 
> ldap attributes being created or set properly. 
> 
> 
> 
> 
> 
> 
> 
> On 06/04/12 09:30, Robert Adkins II wrote:
> > I'm looking for confirmation that what I am about to do will work.
> >  
> > My intent is to decommission the existing Samba PDC hardware and put
> > in its place the new hardware. I intend on having the users see no
> > difference, in terms of what they have/had and will continue to have
> > available.
> >
> > Right now I will be copying everything from the /etc/samba directory
> > into the same on the new server, moving from Samba 3.2x to Samba 3.6x
> >  
> > I also intend on copying over the passwd, shadow and group files.
> >  
> > Am I missing anything?
> >
> > Thanks.
> >
> >
> 


[Samba] Migrating to new hardware

2012-06-04 Thread Robert Adkins II
I'm looking for confirmation that what I am about to do will work.
 
My intent is to decommission the existing Samba PDC hardware and put in its
place the new hardware. I intend on having the users see no difference, in
terms of what they have/had and will continue to have available.
 
Right now I will be copying everything from the /etc/samba directory into
the same on the new server, moving from Samba 3.2x to Samba 3.6x 
 
I also intend on copying over the passwd, shadow and group files.
 
Am I missing anything?

Thanks.


-- 

Regards, 
Robert Adkins II



[Samba] NT_STATUS_ACCESS_DENIED on previously created files

2012-05-10 Thread Robert Fitzpatrick
On Ubuntu, I have upgraded to the latest LTS version, which upgraded my
Samba to 3.6.3 and now getting NT_STATUS_ACCESS_DENIED when trying to
remove files and folders. This server MEDIA is setup as a member server
to a FreeBSD PDC called MAIL using LDAP for authentication. All been
working great for a long time, now from the PDC, I try

mail# smbclient -U robert //media/robert
WARNING: The "enable privileges" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
WARNING: The "idmap backend" option is deprecated
Enter robert's password:
Domain=[WEBTENT] OS=[Unix] Server=[Samba 3.6.3]
smb: \> mkdir test
smb: \> rmdir test
NT_STATUS_ACCESS_DENIED removing remote directory file \test

I know I have some work to do to get rid of the warnings, but I can
login to MAIL (PDC) and other Win workstations, create and remove files
with no issue. It is only when logging into this member server locally
or from a remote workstation. Getting this sort of thing in the logs...

[2012/05/10 14:24:33.711345, 10] smbd/posix_acls.c:3412(posix_get_nt_acl)
  posix_get_nt_acl: called for file test
[2012/05/10 14:24:33.711404, 10] smbd/posix_acls.c:2537(canonicalise_acl)
  canonicalise_acl: Access ace entries before arrange :
[2012/05/10 14:24:33.711447, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.711496, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain
Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.713525, 10] smbd/posix_acls.c:2550(canonicalise_acl)
  canon_ace index 2. Type = allow SID =
S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2012/05/10 14:24:33.715245, 10] smbd/posix_acls.c:848(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID =
S-1-5-21-684728786-369066487-751336906-33290 uid 16145 (robert)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-2-512 gid 512 (Domain
Admins) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms r-x
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms r-x
[2012/05/10 14:24:33.718539, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
[2012/05/10 14:24:33.718585, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2012/05/10 14:24:33.718627, 10] smbd/posix_acls.c:1124(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
[2012/05/10 14:24:33.718676, 10] smbd/file_access.c:76(can_access_file_acl)
  can_access_file_acl for file test access_mask 0x1, access_granted
0x1 access DENIED

I've googled stuff like this...

https://bugzilla.samba.org/show_bug.cgi?id=7521

I even tried upgrading my PDC to the latest available, 3.6.5, but
nothing seems to help. Has anyone had this issue?

Thanks, Robert


Re: [Samba] Samba authenticating against Windows Active Directory

2012-05-09 Thread Robert Freeman-Day

On 05/08/2012 04:38 PM, Marcelo Pereira wrote:
> Hello all,
> 
> I have a question regarding the integration between Samba and the
> Active Directory (Windows 2008).
> 
> Current setup:
> 
> 1. We have been using a Samba server to offer shared folder to the
>    user in my institution.
> 2. The users have any kind of operational system on their machines,
>    and they don't log in any domain server
> 3. The users simply map their shares at the Samba server, using
>    their samba usernames and password.
> 
> The future:
> 
> 1. We have a main LDAP server (Windows 2008 Active Directory) that
>    we want to integrate with our Samba server.
> 2. We would like to keep the "modus operandi" of the usage (i.e.: The
>    users simply point to their shares, enter their usernames/passwords
>    and access their files).
> 3. We don't want to have the "samba usernames/passwords". Instead, we
>    want the Samba to authenticate using the Active Directory.
> 
> The final situation would be:
> 
> 1. User turn his computer on (doesn't matter the operational system
>    that he is using).
> 2. User map his samba share
> 3. User enter his credentials to the Samba Share
> 4. Samba ask the Active Directory if these credentials are valid
> 5. If the username/password is authenticate successfully against the
>    Active Directory, then Samba let the user access his files.
> 
> The questions:
> 
> 1. At this point, the linux server has joined the domain (it's ok
> at this point).
> 
> How can I accomplish the Samba+AD integration?? Is there any
> specific documentation??
> 
> Thanks, Marcelo

Marcelo,

A good start may be to send the list your smb.conf file.  Possibly
your krb5.conf as well.

This is a good start doc-wise, but is a bit dated:
https://wiki.samba.org/index.php/Samba_&_Active_Directory
- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Preventing brute force password attacks

2012-04-17 Thread Robert Heller
At Tue, 17 Apr 2012 20:32:05 + (UTC) era...@panix.com (Ed Ravin) wrote:

> 
> I was hoping to set up fail2ban to block IP addresses that generate
> too many Samba password failures, but it needs a syslog message with
> the IP address of the computer that failed password authentication.
> 
> Unfortunately, Samba doesn't seem to do this in my environment.  Here's
> a sample error message:
> 
> smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User 
> brutus !
> 
> I tried turning on full_audit, and I see the audit messages for successful
> connections, but there aren't any audit messages for login failures.  I
> used these settings:
> 
>full_audit:failure = connect
>full_audit:success = connect disconnect
>full_audit:facility = local5
>full_audit:priority = notice
> 
> Can Samba be configured to log authentication errors with IP addresses?
> Or do we need to change the source?

You do understand that fail2ban works with your firewall and is meant
for public internet services, such as Mail (e.g. Sendmail or Postfix) or
HTTP or DNS.  Since NETBIOS services are NOT services that should ever
be used over the public internet, you should only have smbd/nmbd
listening on your local LAN and not on your WAN / public Internet
connection. Since your LAN will have only known local IP addresses
(either statically assigned or from a limited pool of IP address), it
really isn't meaningful to block these addresses.

What *exactly* do you want to accomplish here?  Do you really want to
ban machines on your LAN from accessing your (office) server?

-- 
Robert Heller -- 978-544-6933 / hel...@deepsoft.com
Deepwoods Software-- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
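
The following Python example is added here and is not part of the thread: the PAM rejection message quoted in the question names a user but carries no client address, so this detector keys on the user name and reports accounts with a burst of rejections inside a sliding window. The log lines are constructed (only the text after `smbd[312]:` comes from the thread), and the function names, the threshold and the window are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog lines. Only the text after "smbd[312]:" is taken from the
# thread; timestamps, the host name "fs1", the PIDs and the user "alice" are
# made up for this example.
SAMPLE_LOG = """\
Apr 17 20:30:01 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:30:09 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:30:15 fs1 smbd[318]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User alice !
Apr 17 20:30:22 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:30:40 fs1 cron[901]: (root) CMD (run-parts /etc/cron.hourly)
Apr 17 20:31:02 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:31:30 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 20:31:58 fs1 smbd[312]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User brutus !
Apr 17 21:45:10 fs1 smbd[330]:  smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User alice !
"""

FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ smbd\[\d+\]:\s+"
    r"smb_pam_passcheck: PAM: smb_pam_auth failed - Rejecting User (?P<user>\S+) !\s*$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_failures(log_text, year=2012):
    """Yield (timestamp, user, client_ip) for each PAM rejection.

    client_ip is None when the line holds no IPv4 address, which is the case
    for the message format quoted in the thread."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # unrelated syslog traffic
        # Classic syslog timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = IPV4_RE.search(line)
        yield ts, m["user"], ip.group(0) if ip else None


def find_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak count} for users with at least `threshold`
    rejections inside any sliding `window`."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    peaks = {}
    for ts, user, _ip in sorted(events, key=lambda e: e[0]):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop rejections that fell out of the window
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG))
    with_ip = sum(1 for _, _, ip in events if ip)
    print(f"{len(events)} rejections parsed, {with_ip} with a client address")
    for user, count in find_bursts(events).items():
        print(f"burst: user={user} rejections_in_window={count}")
```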


   


Re: [Samba] UID/GID mapping consistency across at least two Linux machines

2012-04-09 Thread Robert Freeman-Day
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 04/09/2012 04:09 PM, bakytn wrote:
> Here ist he global section of my smb.conf:
> 
> I am not sure if I am using Winbind (I guess yes).
> 
> [global]
>workgroup = DOMAIN
>realm = DOMAIN.LOCAL
>preferred master = no
> 
>server string = SAMBA
>security = ADS
>encrypt passwords = yes
>log level = 1
>log file = /var/log/samba/log.%m
>max log size = 1000
> 
>idmap uid = 3000-2
>idmap gid = 3000-2
>template shell = /bin/bash
> 
>winbind enum groups = yes
>winbind enum users = yes
>winbind separator = +
>winbind use default domain = Yes
>winbind nested groups = Yes
> 
>template homedir = "/data/files/%U"
> 
>syslog = 0
> 
>panic action = /usr/share/samba/panic-action %d
>passdb backend = tdbsam
> 
>obey pam restrictions = yes
> 
>unix password sync = yes
> 
>passwd program = /usr/bin/passwd %u
>passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
> %n\n *password\supdated\ssuccessfully* .
> 
>pam password change = yes
> 
>map to guest = bad user
> 
>usershare allow guests = yes
> 
> 
> --
> View this message in context: 
> http://samba.2283325.n4.nabble.com/UID-GID-mapping-consistency-across-at-least-two-Linux-machines-tp4543255p4543701.html
> Sent from the Samba - General mailing list archive at Nabble.com.

I have some notes on what I have done with my machines.  I hope it may
help you out.  Just read it all over and the template files closely
before just jumping on into it.

https://uisapp2.iu.edu/confluence-prd/display/~rmday/Linux+Integration+with+Active+Directory

- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Offline Caching

2012-02-05 Thread Robert Schetterer
On 05.02.2012 00:12, Jeremy Allison wrote:
> On Sat, Feb 04, 2012 at 04:33:59PM +0100, Volker Lendecke wrote:
>> On Sat, Feb 04, 2012 at 02:54:13PM +, Mike Howard wrote:
>>> I'm sure this has been asked before but I can't find anything recent. 
>>> Using Samba4 and windows clients, the client logs include lots of 
>>> 'windows has detected that offline caching is enabled on the roaming 
>>> profile share...' messages. Is this an issue and if so, how do I 
>>> sort it? I've found references to 'csc policy = disable' but this is not 
>>> recognised in samba4 smb.conf.
>>
>> Probably someone needs to take the time to port this feature
>> from the Samba3 based fileserver to the Samba4 based one.
>> Patches welcome :-)
> 
> Now, now Volker :-). This will get fixed when the source3
> fileserver replaces the source4 one, which is a mandatory
> fix before final release of Samba4.
> 
> Cheers,
> 
>   Jeremy.

Anyway, offline caching can be configured on the client too (policies etc.),
as far as I know/remember.

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1

2011-12-28 Thread Robert LeBlanc
What backend are you using? I can't get a single authentication to work
whether I reboot or not.

The new or old syntax for hash does not work for me. I get a segfault in
the hash module when compiled as shared modules. I've mentioned all that in
the bug report.

Robert

On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder <
d...@briannassaladdressing.com> wrote:

>  That is correct - it did not fix the problem - old or new idmap syntax.
> Any time I restart the processes, such as after a config change, winbind
> auth fails.
> "getent group" yields the syslog error shown in the original post.
> "wbinfo -i user"  fails even though "user" appears in "getent passwd".
> Reboot the system and everything is functioning again until the next time
> nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once
> again.
>
> Dale
>
>
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>
> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1
> using following idmap settings:
>
> idmap config * : range = ...
> idmap config * : backend = ...
> idmap config DOM : range = ...
> idmap config DOM : default = yes
> idmap config DOM : backend = ...
>
> then join the domain, no problem at all.
>
> 2011/12/22 Dale Schroeder 
>
>>  David, thanks for the help, but I'm afraid that workaround does not work
>> for me either.
>> Robert, thanks for furnishing all that useful info to bugzilla.
>> Jeremy, thanks for for the update on
>> https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>
>> I feel like I'm at the Academy Awards.
>> Merry Christmas to all.  <[];o{P>
>>
>> Dale
>>
>>
>>
>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>
>> I tried to add "idmap config DOMAIN : default = yes" and it does not
>> help. I'm using hash. I've found some interesting things that I've included
>> in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>
>>  Robert
>>
>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid  wrote:
>>
>>> Been there, you can try to add either "idmap config DOMAIN : default =
>>> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
>>> gid = ..." to replace "idmap config * : ...", I don't know which one
>>> actually fixed it.
>>>
>>> 2011/12/22 Dale Schroeder 
>>>
>>>>  Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>>>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>>
>>>> 
>>>>
>>>> Package: winbind
>>>> Version: 2:3.6.1-3
>>>> Severity: important
>>>>
>>>> Dear Maintainer,
>>>>
>>>> After upgrading to 3.6.1 I am no longer able to login to Debian using
>>>> my Active Directory account.
>>>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>>>> 'winbind -i user' returns
>>>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get
>>>> info for user user'. Changing
>>>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>>>> (fork_domain_child) fork_domain_child
>>>> called without domain.'. The previous wbint_Sid2Uid struct printout
>>>> shows that dom_name is NULL,
>>>> but has the correct domain SID. I believe the problem may exist around
>>>> there. I did upgrade the
>>>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>>>> hash' as specified in the man
>>>> page without any luck. Name to SID and SID to name works along with
>>>> user-domgroups, but user-groups
>>>> does not work. 'wbinfo --group-info=group' fails with a similar error
>>>> as 'wbinfo -i user'. I'm
>>>> going to try to get back to 3.5.11.
>>>>
>>>> -- System Information:
>>>> Debian Release: wheezy/sid
>>>>  APT prefers testing
>>>>  APT policy: (500, 'testing')
>>>> Architecture: amd64 (x86_64)
>>>>
>>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>>> Shell: /bin/sh linked to /bin/dash
>>>>
>>>> Versions of packages winbind depends on:
>>>> ii  adduser   3.113
>>>

Re: [Samba] Winbind authentication and wbinfo -i user no longer work after uprading to 3.6.1

2011-12-28 Thread Robert LeBlanc
I tried to add "idmap config DOMAIN : default = yes" and it does not help.
I'm using hash. I've found some interesting things that I've included in
bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid  wrote:

> Been there, you can try to add either "idmap config DOMAIN : default =
> yes", or use old-fashion "idmap backend = ..." + "idmap uid = ..." + "idmap
> gid = ..." to replace "idmap config * : ...", I don't know which one
> actually fixed it.
>
> 2011/12/22 Dale Schroeder 
>
>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> 
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to Debian using my
>> Active Directory account.
>> 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but
>> 'winbind -i user' returns
>> 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info
>> for user user'. Changing
>> the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306
>> (fork_domain_child) fork_domain_child
>> called without domain.'. The previous wbint_Sid2Uid struct printout shows
>> that dom_name is NULL,
>> but has the correct domain SID. I believe the problem may exist around
>> there. I did upgrade the
>> 'idmap backend = hash' to the new format 'idmap config * : backend =
>> hash' as specified in the man
>> page without any luck. Name to SID and SID to name works along with
>> user-domgroups, but user-groups
>> does not work. 'wbinfo --group-info=group' fails with a similar error as
>> 'wbinfo -i user'. I'm
>> going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>>  APT prefers testing
>>  APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii  adduser           3.113
>> ii  libc6             2.13-21
>> ii  libcap2           1:2.22-1
>> ii  libcomerr2        1.42-1
>> ii  libgssapi-krb5-2  1.10+dfsg~alpha1-6
>> ii  libk5crypto3      1.10+dfsg~alpha1-6
>> ii  libkrb5-3         1.10+dfsg~alpha1-6
>> ii  libldap-2.4-2     2.4.25-4+b1
>> ii  libpam0g          1.1.3-6
>> ii  libpopt0          1.16-1
>> ii  libtalloc2        2.0.7-3
>> ii  libtdb1           1.2.9-4+b1
>> ii  libwbclient0      2:3.6.1-3
>> ii  lsb-base          3.2-28
>> ii  samba-common      2:3.6.1-3
>> ii  zlib1g            1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii  libpam-winbind  2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> 
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention this on the Samba
>> list.  Systems are fully updated and testparm does not return any
>> errors.  idmap backend is rid notated in the new format.  All deprecated
>> parameters have been removed.
>>
>> On my systems, I have found that full functionality returns after a
>> reboot; however, if samba/winbind processes are restarted for any
>> reason, AD authentication again no longer works.  As with you, wbinfo
>> -u/-g continues to work, as does getent passwd.  getent group only
>> returns linux groups.  Another reboot will return winbind once again to
>> full functionality.
>>
>> Even at log level 10, error messages have been hard to find among the
>> many winbind logs.  At the time of failure, the one I consistently find
>> is in syslog:
>>winbindd[4186]:  ads_ranged_search failed with: Time limit exceeded.
>>
>> ------
>>
>> This morning, I recreated the error by restarting Samba/winbind at 07:47.
>> The only suspicious level 10 log entries found from that timeframe are:
>>
>> 
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769,
>>  0] winbindd/wi

Re: [Samba] Samba 4 success on openSUSE 12.1

2011-11-29 Thread Robert Schetterer
On 29.11.2011 20:50, steve wrote:
> 
>>
>> studied some faqs , this file should be autocreated
>> if the related dir is writable
>> restart bind  ( named ) and look if the log shows the failure up again
>>
> 
> 
> Yep. Still there:
> 
> Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loading from
> master file managed-keys.bind failed: file not found
> Nov 29 20:49:23 hh3 named[5000]: managed-keys-zone ./IN: loaded serial 0
> Nov 29 20:49:23 hh3 named[4952]: Starting name server BIND ..done
> Nov 29 20:49:23 hh3 named[5000]: running
> 
> What is the directory that should be writeable?
> Cheers
> Steve.

named    11828  3.2  1.5 116332 48032 ?        Ssl  Nov22 360:27 /usr/sbin/named -t /var/lib/named -u named

sorry i have only an older suse to look at
try look/cd at /var/lib/named if using chroot

then try
touch managed-keys-zone or in there or some subfolder
( depends on your conf )
perhaps you need chmod named:named  managed-keys-zone

after all , try asking on a suse list, suse people should easily answer this
stuff
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Samba 4 success on openSUSE 12.1

2011-11-29 Thread Robert Schetterer
On 29.11.2011 20:37, Robert Schetterer wrote:
> On 29.11.2011 19:58, steve wrote:
>> samba -b
>> Samba version: 4.0.0alpha18-GIT-5c53926
>> Build environment:
>>Build host:  Linux hh3 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3
>> 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
>>
>> openSUSE 12.1 i586
>>
>> Hi everyone.
>> After.
>> ./source4/setup/provision --realm=hh3.site --domain=HH1
>> --adminpass=SOMEPASSWORD --server-role='domain controller'
>>
>> The wiki howto for DNS seems to be wrong. I had to do this:
>>
>> Copy
>> /usr/local/samba/private/named.conf
>> to
>> /etc/named.conf.samba4
>>
>> Copy
>> /usr/local/samba/private/dns/hh3.site.zone
>> to
>> /var/lib/named/master
>>
>> edit
>> /etc/named.conf.samba4 to point to /var/lib/named:
>> zone "hh3.site." IN {
>> type master;
>>  file "/var/lib/named/master/hh3.site.zone";
>>
>> edit /etc/named.conf to include:
>> include "/etc/named.conf.samba4";
>> as the last line in the file.
>>
>> Is this correct?
>>
>> On restarting bind there are still errors:
>>
>> Nov 29 19:54:15 hh3 named[4038]: command channel listening on 127.0.0.1#953
>> Nov 29 19:54:15 hh3 named[4038]: couldn't add command channel ::1#953:
>> address not available
>> Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loading from
>> master file managed-keys.bind failed: file not found
> 
> looks like pure bind failure perhaps related to dnssec
> are you running a chroot bind ? perhaps it's looking in the wrong place
> for the file, try locate managed-keys.bind ( if locate is installed )
> to find it, or try to create it
> 
> http://o-o-s.de/?p=2966
> says i.e. for debian
> 
> echo "include \"/etc/bind/bind.keys\"; ">> /etc/bind/named.conf
> touch /var/cache/bind/managed-keys.bind
> 
> but that may be different with suse, attention !
> 
> look at other bind sites

studied some faqs , this file should be autocreated
if the related dir is writable
restart bind  ( named ) and look if the log shows the failure up again

> 
>> Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loaded serial 0
>>
>> DNS and Kerberos are working fine. Are these errors to do with Samba4?
>>
>> Thanks
>> Steve.
>>
>>
>>
>>
>>
>>
>>
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Samba 4 success on openSUSE 12.1

2011-11-29 Thread Robert Schetterer
On 29.11.2011 19:58, steve wrote:
> samba -b
> Samba version: 4.0.0alpha18-GIT-5c53926
> Build environment:
>Build host:  Linux hh3 3.1.0-1.2-desktop #1 SMP PREEMPT Thu Nov 3
> 14:45:45 UTC 2011 (187dde0) i686 i686 i386 GNU/Linux
> 
> openSUSE 12.1 i586
> 
> Hi everyone.
> After.
> ./source4/setup/provision --realm=hh3.site --domain=HH1
> --adminpass=SOMEPASSWORD --server-role='domain controller'
> 
> The wiki howto for DNS seems to be wrong. I had to do this:
> 
> Copy
> /usr/local/samba/private/named.conf
> to
> /etc/named.conf.samba4
> 
> Copy
> /usr/local/samba/private/dns/hh3.site.zone
> to
> /var/lib/named/master
> 
> edit
> /etc/named.conf.samba4 to point to /var/lib/named:
> zone "hh3.site." IN {
> type master;
>  file "/var/lib/named/master/hh3.site.zone";
> 
> edit /etc/named.conf to include:
> include "/etc/named.conf.samba4";
> as the last line in the file.
> 
> Is this correct?
> 
> On restarting bind there are still errors:
> 
> Nov 29 19:54:15 hh3 named[4038]: command channel listening on 127.0.0.1#953
> Nov 29 19:54:15 hh3 named[4038]: couldn't add command channel ::1#953:
> address not available
> Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loading from
> master file managed-keys.bind failed: file not found

looks like pure bind failure perhaps related to dnssec
are you running a chroot bind ? perhaps it's looking in the wrong place
for the file, try locate managed-keys.bind ( if locate is installed )
to find it, or try to create it

http://o-o-s.de/?p=2966
says i.e. for debian

echo "include \"/etc/bind/bind.keys\"; ">> /etc/bind/named.conf
touch /var/cache/bind/managed-keys.bind

but that may be different with suse, attention !

look at other bind sites

> Nov 29 19:54:15 hh3 named[4038]: managed-keys-zone ./IN: loaded serial 0
> 
> DNS and Kerberos are working fine. Are these errors to do with Samba4?
> 
> Thanks
> Steve.
> 
> 
> 
> 
> 
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Re : Problem with Winbind

2011-11-17 Thread Robert Freeman-Day

On 11/17/2011 06:09 AM, djamel boussebha wrote:
> Hi;
>  
> I would like to set the file /etc/krb5.keytab  for apache :
>  
> # net ads keytab add HTTP -U compte_admin_dom1
> Processing principals to add...
> Enter administrateur's password:
> # ktutil
> ktutil:  l
> slot KVNO Principal
>   
> -
> ktutil:
> 
> The file is empty ?
> May be that this problem is linked to the command "net ads" ? because when I 
> try to join the AD :
> # net ads join -U administrat...@p9bis.neoplus.laposte.poc
> Enter administrat...@p9bis.neoplus.laposte.poc's password:
> Failed to join domain: failed to find DC for domain P9BIS.NEOPLUS.LAPOSTE.POC
>  
> But with "rpc" it works :
>  
> # net rpc join -U administrat...@p9bis.neoplus.laposte.poc
> Enter administrat...@p9bis.neoplus.laposte.poc's password:
> Joined domain P9BIS.
>  
> When I execute :  # net ads info - U administrateur
> Failed to get server's current time!
> LDAP server: 187.0.17.104
> LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
> Realm: P9BIS.NEOPLUS.LAPOSTE.POC
> Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
> LDAP port: 389
> Server time: Thu, 01 Jan 1970 01:00:00 CET
> KDC server: 187.0.17.104
> 
> And # net rpc info -U administrateur
> Enter administrateur's password:
> Domain Name: P9BIS
> Domain SID: S-1-5-21-254703050-2859693384-3493432365
> Sequence number: 1
> Num users: 50
> Num domain groups: 0
> Num local groups: 12
>  
> The 2 commands # wbinfo -u  and wbinfo -g no returns any values for 
> users/groups ?
> The kinit works fine :
>  # kinit administrat...@p9bis.neoplus.laposte.poc
> Password for administrat...@p9bis.neoplus.laposte.poc:
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrat...@p9bis.neoplus.laposte.poc
> Valid starting     Expires            Service principal
> 11/17/11 12:05:00  11/17/11 22:05:03  krbtgt/p9bis.neoplus.laposte@p9bis.neoplus.laposte.poc
> renew until 11/18/11 12:05:00
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
>  
> Impossible to join the AD serveur with "ads" :
> # net ads testjoin
> Join to domain is not valid: Operations error
> # net rpc testjoin
> Join to 'P9BIS' is OK
>  
> How make work correctly the "ads" and how get the list of users of the AD 
> domain ?
> 
> Any help would be very appreciated.
>  
> Regards
> 
> --- On Wed 16.11.11, djamel boussebha wrote:
> 
> From: djamel boussebha 
> Subject: Problem with Winbind
> To: "samba@lists.samba.org" , "foedi...@eva.mpg.de" , "AndrewPhilipoff" 
> Date: Wednesday 16 November 2011, 17:24
> 
> Hi;
>  
> wbinfo can not get the user names and group names of my AD domain (Windows 
> 2008 SP2)
> The result for "wbinfo -t" is ok :
> "checking the trust secret for domain P9BIS via RPC calls succeeded"
> But when i try to get wbinfo -n "USER1" or wbinfo -r "USER1" it shows this 
> error message:  "Could not lookup name USER1"
> I use Samba version : 3.5.12.
> 
> Any help would be very appreciated... thanks to anyone!
> 
I noticed the server time has the year 1970.  The ads methods use
kerberos and that is time sensitive.  Get the accurate date/time and
things should start working for you.  Perhaps have it sync with a time
server.

Robert

-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
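
Added example (not part of the original message and not Samba code): a Python check for the point made in the reply above, that the ads methods use Kerberos and are time sensitive. It parses the `net ads info` output quoted in the question and compares the reported server time with a reference clock against the 5-minute Kerberos default tolerance; the function names and the time-zone table are assumptions of this example.

```python
"""Check the server time reported by `net ads info` against the Kerberos limit."""
import re
from datetime import datetime, timedelta, timezone

# Default maximum clock skew tolerated by Kerberos (MIT krb5 "clockskew"
# and the Active Directory default policy): 5 minutes.
MAX_SKEW = timedelta(minutes=5)

# Assumption: a small table of zone abbreviations (hours east of UTC).
# Extend it for the zones your hosts print.
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "CET": 1, "CEST": 2}

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Output copied from the question quoted above.
NET_ADS_INFO = """\
Failed to get server's current time!
LDAP server: 187.0.17.104
LDAP server name: CINVW067.p9bis.neoplus.laposte.poc
Realm: P9BIS.NEOPLUS.LAPOSTE.POC
Bind Path: dc=P9BIS,dc=NEOPLUS,dc=LAPOSTE,dc=POC
LDAP port: 389
Server time: Thu, 01 Jan 1970 01:00:00 CET
KDC server: 187.0.17.104
"""

# Constructed sample: what a healthy answer could look like.
CONSTRUCTED_OK = "Server time: Thu, 17 Nov 2011 12:05:00 CET\n"


def parse_server_time(output):
    """Return the 'Server time' field as an aware UTC datetime, or None."""
    m = re.search(r"^Server time:\s*(.+?)\s+([A-Z]{2,5})\s*$", output, re.M)
    if not m or m.group(2) not in TZ_OFFSETS:
        return None
    naive = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
    tz = timezone(timedelta(hours=TZ_OFFSETS[m.group(2)]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def check_skew(output, now):
    """Classify the time information in `net ads info` output.

    `now` is the reference clock as an aware datetime.
    Returns (status, skew); status is one of
    'ok', 'skewed', 'time-not-retrieved', 'unparsed'.
    """
    server = parse_server_time(output)
    if server is None:
        return "unparsed", None
    skew = abs(now - server)
    # 01:00:00 CET on 1 Jan 1970 is Unix time 0: the field was never
    # filled in, which matches the "Failed to get server's current time!"
    # line printed just before it.
    if server == EPOCH or "Failed to get server's current time" in output:
        return "time-not-retrieved", skew
    return ("ok" if skew <= MAX_SKEW else "skewed"), skew


if __name__ == "__main__":
    reference = datetime.now(timezone.utc)
    for label, text in (("quoted output", NET_ADS_INFO),
                        ("constructed sample", CONSTRUCTED_OK)):
        status, skew = check_skew(text, reference)
        print(f"{label}: {status} (skew {skew})")
```
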


Re: [Samba] R: Re: Dos/Unix newline translating

2011-11-11 Thread Robert Grasso
On Debian it is possible that you are using the original VI. On RedHat you must 
be using ViM (VI Improved). Do you have vim on Debian?

---
Robert GRASSO – System engineer

CEDRAT S.A.
15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE 
Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30
mailto:robert.gra...@cedrat.com - http://www.cedrat.com  

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Riccardo 
> Castellani
> Sent: 9 November 2011 11:56
> To: jd...@yahoo.com; samba@lists.samba.org
> Subject: [Samba] R: Re: Dos/Unix newline translating
> 
> But I have another server with RedHat and Samba 3.0.10 
> configured in the same way, but I can view correctly text 
> files which I move to RedHat server.
> 
> Original message
> From: jd...@yahoo.com
> Date: 9-Nov-2011 11.42
> To: "samba@lists.samba.org"
> Subject: Re: [Samba] Dos/Unix newline translating
> 
> From: Riccardo Castellani 
> > if I create a text file in my Windows XP client and I copy it to 
> > /temporary folder, then I open it by VI editor into my Debian server and 
> > I see '^M' at the end of every row.
> > How can I solve problem ? Problem references to Dos/Unix newline 
> > translating  ?
> 
> Windows uses '\r\n' and Unix uses '\n'...
> Either configure your Windows text editor to use \n, 
> or use dos2unix or use sed, etc...
> A simple google search would have pointed to you to something like:
> http://www.cyberciti.biz/faq/howto-unix-linux-convert-dos-newlines-cr-lf-unix-text-format/
> 
> JD


Re: [Samba] R: Re: Dos/Unix newline translating

2011-11-09 Thread Robert Grasso
On Debian it is possible that you are using the original VI. On RedHat you must 
be using ViM (VI Improved). Do you have vim on Debian?

---
Robert GRASSO – System engineer

CEDRAT S.A.
15 Chemin de Malacher - Inovallée - 38246 MEYLAN cedex - FRANCE 
Phone: +33 (0)4 76 90 50 45 - Fax: +33 (0)4 56 38 08 30
mailto:robert.gra...@cedrat.com - http://www.cedrat.com  

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Riccardo 
> Castellani
> Sent: 9 November 2011 11:56
> To: jd...@yahoo.com; samba@lists.samba.org
> Subject: [Samba] R: Re: Dos/Unix newline translating
> 
> But I have another server with RedHat and Samba 3.0.10 
> configured in the same way, but I can view correctly text 
> files which I move to RedHat server.
> 
> Original message
> From: jd...@yahoo.com
> Date: 9-Nov-2011 11.42
> To: "samba@lists.samba.org"
> Subject: Re: [Samba] Dos/Unix newline translating
> 
> From: Riccardo Castellani 
> > if I create a text file in my Windows XP client and I copy it to 
> > /temporary folder, then I open it by VI editor into my Debian server and 
> > I see '^M' at the end of every row.
> > How can I solve problem ? Problem references to Dos/Unix newline 
> > translating  ?
> 
> Windows uses '\r\n' and Unix uses '\n'...
> Either configure your Windows text editor to use \n, 
> or use dos2unix or use sed, etc...
> A simple google search would have pointed to you to something like:
> http://www.cyberciti.biz/faq/howto-unix-linux-convert-dos-newlines-cr-lf-unix-text-format/
> 
> JD


Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbac ked PDC and MS Exchange 5.5 still

2011-10-28 Thread Robert Schetterer
On 28.10.2011 20:00, Chris Smith wrote:
> On Fri, Oct 28, 2011 at 1:51 PM, Derek Werthmuller
>  wrote:
>> I did consider this, though the issue is what do I do with the existing NT4
>> PDC - I can demote this to BDC but from the samba docs samba PDC and Windows
>> BDC is not supported.  And I don't think it can demote the PDC to server
>> role.
> 
> There is no supported NT4 PDC demotion scenario. But via registry hack
> I think you can demote to server and then become a member server. And
> Exchange 5.5 can run on member server.

for info
long time ago i tested exchange 5.5 / win2000 server working with a
samba pdc controller
it worked like a charm, but that's years ago

these days you shouldn't use such setups, there are a lot of other
solutions, based on open source or ms solutions
exchange 5.5 is too much outdated


> 
>> I'm also trying to be very careful not to make substantial changes to the
>> exchange host - I need that working for a short while longer.
> 
> That's one reason for dealing with the VM's. I'll be able to test
> these changes in a separate virtual environment. Just would be nice to
> know if anyone has actually done this and, if doable, what the caveats
> and gotchas were.


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] samba with nfs mount in "path" and MS Office App's

2011-10-12 Thread Robert Adkins II
Review all of your permissions and confirm that those permissions are the
same for all users having this issues on the server that is sharing the NFS
share.

I have a feeling that this is a share/permissions issue as much as it could
be an NFS share issue.


--

Regards,
Robert Adkins
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of free...@gmx.ch
> Sent: Wednesday, October 12, 2011 10:30 AM
> To: samba@lists.samba.org
> Subject: [Samba] samba with nfs mount in "path" and MS Office App's
> 
> Hi Listmembers
> 
> 
> Problem:
> Windows Clients having problems with Microsoft Office App's 
> (Excel, Word) when the files are on the Samba Share 
> "documents" (which is mapped through a Windows Drive Letter 
> on the client). Two clients have MS Office 2003. They can 
> open doc Documents but when they want to save it error 
> messages are appearing (message about to less space on drive, 
> but this is a false errormessage). Saving of documents does 
> not work and MS Office crashes. Sometimes Word is crashing 
> already when the user opens a document. Same with XLS 
> document. One client has MS Office 2010. He can open and save 
> changes in Microsoft Office Documents. But saving changes, 
> even small ones, are taking 30 seconds.
> 
> Clients which are using Open Office having no problems. They 
> can even open and saving the MS Office document without 
> Problem. Also with other Applications there are no problems 
> (ex. opening pdf documents, txt documents with notepad etc.).
> 
> So the problems occurs only while working with this share 
> "documents" and using Microsoft Office. I've got another 
> share on the same Samba Server named "personal". The 
> Microsoft Office clients have no problems on this share. The 
> only difference is that the "path" from "personal" share in 
> smb.conf is not a NFS Mount but a location on the harddisk of 
> the server itself (ext3 partition).
> 
> So the problem has something to do with using Samba shares 
> which have their path on NFS Mounts.
> 
> 
> 
> 
> System environment:
> 
> 
> Centos 5.x Server
> Samba Version  3.0.33
> 
> 
> 
> ***Samba Config
> [global]
> workgroup = OfficeLAN
> server string = qube2
> lanman auth = Yes
> client NTLMv2 auth = Yes
> time server = Yes
> add machine script = /usr/sbin/useradd -d /dev/null -g samba-clients -s /bin/false -M %u
> logon script = %U.bat
> logon drive = M:
> logon home = \\%N\profiles\%U
> logon path =
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins server = 10.0.10.12
> wins support = Yes
> ldap ssl = no
> admin users = @sysadmin
> printer admin = @sysadmin
> cups options = raw
> 
> 
> [documents]
> comment = documents
> path = /home/nfs_qube2/documents
> force user = admin
> read only = No
> guest ok = Yes
> 
> ***
> 
> 
> The "documents" share is on a NFS Mount which is mounted in 
> /etc/fstab 
> 10.0.10.13:/vol/nfs_qube2/office-data /home/nfs_qube2 nfs rw,bg,vers=3,tcp,timeo=600,rsize=32768,wsize=32768,hard,intr
> 
> 
> 
> Thanks for any advice


Re: [Samba] Samba and AD integration

2011-09-19 Thread Robert Freeman-Day

On 09/19/2011 10:16 AM, Bruno Martins wrote:
> Hello everyone.
> 
> I am running Samba on a Debian system, and I'm currently getting the 
> following error on the logs:
> 
> [2011/09/19 15:06:36.708281,  1] smbd/sesssetup.c:454(reply_spnego_kerberos)
>   Username GALILEU-F\bmartins is invalid on this system
> 
> Being GALILEU-F my Windows domain and bmartins my username.
> 
> However, both 'wbinfo -g' and 'wbinfo -u' are working fine. Also, 'kinit 
> (...)' works.
> 
> My smb.conf:
> [global]
> workgroup = GALILEU-F
> realm = GALILEU-F.GALILEU.PT
> server string = Samba Server
> security = ADS
> auth methods = winbind
> password server = 192.168.0.2
> username map = /etc/samba/smbusers
> client NTLMv2 auth = Yes
> log file = /var/log/samba/log.%m
> max log size = 50
> socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
> printcap name = cups
> dns proxy = No
> wins server = 192.168.0.2
> idmap uid = 20-30
> idmap gid = 20-30
> winbind use default domain = Yes
> winbind trusted domains only = Yes
> cups options = raw
> 
> My krb5.conf:
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
> default_realm = GALILEU-F.GALILEU.PT
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> forwardable = yes
> 
> [realms]
> GALILEU-F.GALILEU.PT = {
>kdc = jupiter.galileu-f.galileu.pt
>admin_server = jupiter.galileu-f.galileu.pt
>default_domain = galileu-f.galileu.pt
> }
> 
> [domain_realm]
> .jupiter.galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> .galileu-f.galileu.pt = GALILEU-F.GALILEU.PT
> 
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
> 
> [appdefaults]
> pam = {
>debug = false
>ticket_lifetime = 36000
>renew_lifetime = 36000
>forwardable = true
>krb4_convert = false
> }
> 
> And... /etc/nsswitch.conf:
> # /etc/nsswitch.conf
> #
> # Example configuration of GNU Name Service Switch functionality.
> # If you have the `glibc-doc-reference' and `info' packages installed, try:
> # `info libc "Name Service Switch"' for information about this file.
> 
> passwd: compat  winbind
> group:  compat  winbind
> shadow: compat
> 
> hosts:  files mdns4_minimal [NOTFOUND=return] dns mdns4
> networks:   files
> 
> protocols:  db files
> services:   db files
> ethers: db files
> rpc:    db files
> 
> netgroup:   nis
> 
> Can someone please give me a light on this?
> 
> Best regards,
> 
> Bruno Martins

Bruno,

You are using the option "winbind use default domain = Yes", so AD users
should be able to access with just their username and there should be no
need to pre-pend the domain and backslash.

Robert

-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Dual Authentication: Local and Active Directory

2011-09-18 Thread Robert Freeman-Day

Yes, linux should be able to auth local and AD users.  You would need to
make sure "/etc/nsswitch.conf" and your pam modules are configured
correctly.

At the very least, nsswitch should look similar to this:

passwd: compat winbind
group:  compat winbind
shadow: compat winbind

Pam is a bit more complicated and you should read up on your
distribution's documentation or really know what you are doing.

However if you are running RHEL/Fedora, you could get it going with one
command (all on one line):

authconfig --update --enablepamaccess --enablelocauthorize --enablekrb5 --enablewinbind --enablewinbindauth --enablewinbindoffline --enablemkhomedir

So, this command sets up pam access with local
authentication/authorization as well as AD kerberized authentication and
AD winbind authorization.  New users will have a home directory created
and it allows the opening for cached "offline" logins for AD people.

Hope that gets you started,
Robert

On 09/16/2011 06:59 PM, Aaron Clausen wrote:
> I was wondering if it was possible to get a Samba server that was
> acting as an AD member server to also be able to authenticate local
> users, or is stuck just serving AD users?
> 


-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Bash completion file(s) for samba utils...

2011-09-11 Thread Robert Freeman-Day

Though this is a pretty nifty start to ease things regarding the "net"
commands, I think the man pages need to have all the commands documented
in it first.  I know that even with the completion files, I would still
need to refer to the man pages or the googles for specific syntax.

I know some functions I would like to see documented more are things
like keytab management.

Robert

On 09/10/2011 07:56 PM, Linda Walsh wrote:
> 
> 
> I was wondering if anyone already had completion files for samba utils like
> 'net' wbinfo...etc...  I can never remember all the params, I keep wanting
> to hit  to autocomplete for options like I can on many other sys
> utils.
> 
> So I started looking at examples of existing completion files and started
> cobbling one together...  if no one else has some (which would be great!),
> I'll probably continue work on this in a spare cycle every once in a while,
> or if anyone wants to add to it, I'd appreciate additions...
> 
> Other utils do host and user name lookup when the param or field being
> auto-completed needs such -- similar features would be nice in this one,
> but it's my first attempt at writing autocompletion for anything,
> 
> To use it, just 'source it' (i.e.: ". " or "source ").
> 
> It just has 1st level and a few 2nd level cmds at this point, so it's
> pretty basic, but it's already helpful, so I thought I'd toss it out for
> others to use/enhance/abuse..  etc.
> 
> I'm working w/samba 3.5.11 and bash 4.1, so it may have some specifics to
> those versions.  It doesn't have any of the ads sub commands in it, as my
> current version doesn't have ads compiled in.  I don't know if
> alphabetizing the compgen lists is needed (would certainly allow search
> optimizations if so), but am trying for alphabetizing the
> response lists...(but it may be unnecessary).
> 
> ---
> -linda
> 
> 
> 
> 
> 
> 


-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] cant see data in share

2011-08-24 Thread Robert Adkins II
On my home Samba server, I had to switch the authentication from Share Level
to User Level. When I did that, my MacBook Pro with OSX 10.7 (Lion) was able
to enter the shares and access all of the files.

Prior to that, I could see that the shares existed, but was unable to access
them. All that I received was a cryptic error message.


--

Regards,
Robert Adkins II
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of John Kappeser
> Sent: Wednesday, August 24, 2011 1:05 PM
> To: samba@lists.samba.org
> Subject: [Samba] cant see data in share
> 
> Hi all,
> 
> i have a little problem. I installed on openSuse 11.4 samba 
> 3.5.7 with standard config and only one share:
> 
> [tools]
>  path = /tools
>  read only = No
>  writable = Yes
> 
> So, i can connect via my imac osx 10.6 to my home Dir and see 
> the files in there. I can connect to the share "tools" too, 
> but all data in there i cant see. The same from Windows pc.
> 
> Here a snippet from log.smbd:
> 
> [2011/08/24 18:44:14.359785,  0] smbd/dir.c:304(dptr_close)
>   Invalid key 0 given to dptr_close
> 
> 
> What does it mean?
> 
> I know samba very good, but with this version (3.5.7) i have 
> a lot of trouble...
> 
> Thanx a lot.
> 


Re: [Samba] windows 7 cannot connect

2011-08-10 Thread Robert Adkins II

No, you do not need to turn off all of that on Windows 7. I have had no
issues with connecting 7 different Windows 7 Professional workstations into
my network. Most of the systems here are running Windows XP Professional and
are joined to the domain.

The only issue that I have had is joining the Windows 7 systems into the
domain. I understand that it might be possible, but I haven't had the time
to really dig into that.

There might be some authentication elements within smb.conf to adjust to
allow the Windows 7 systems to authenticate users on the network, but I may
have made those adjustments quite some time ago in order to allow Windows
95, 98, NT 4.0 and Windows 2000 to all join the domain in their various
ways.

All you need is to have the Windows 7 machines in the workgroup of the
Domain or the workgroup, then create individual user accounts on the Windows
7 machines that mirror the account user IDs and passwords on the Samba
server.

Regards,
Robert Adkins II
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Gregory Carter
> Sent: Tuesday, August 09, 2011 2:51 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] windows 7 cannot connect
> 
> On 08/09/2011 01:42 PM, Marc Fromm wrote:
> > I just set up my first windows 7 desktop.
> My condolences.
> 
> >   When I try to map a drive to the red hat linux samba 
> share it complains that the "server cannot perform the 
> requested operation." Windows XP machines work with no problem.
> First, I would remove all security contexts from the Windows 7 
> workstation.  Turn the firewall off.   Turn off your virus 
> software/security software.
> 
> Try again.
> > The linux samba information:
> > [root@finaid45 samba]$ rpm -qa | grep smb
> > pam_smb-1.1.7-7.2.1
> > libsmbclient-3.0.33-3.29.el5_6.2
> > gnome-vfs2-smb-2.16.2-8.el5
> >
> > [root@finaid45 samba]$ rpm -qa | grep samba
> > samba-client-3.0.33-3.29.el5_6.2
> > samba-common-3.0.33-3.29.el5_6.2
> > samba-3.0.33-3.29.el5_6.2
> > system-config-samba-1.2.41-5.el5
> >
> >
> 


Re: [Samba] Very slow samba performance on Centos 6

2011-08-05 Thread Robert Adkins II
Wouldn't it be better to rerun these tests, not from the Ramdisk, but from a
network connection to more closely resemble what the results will be when in
a production environment?

Doing such tests years back did show that FTP will typically be faster than
Samba, due to the difference in overhead costs. Samba isn't a service like
FTP, it has to negotiate SMB packets, interpret the requests/commands and
then communicate that to the system it is running on. I haven't played with
CIFS, but I imagine that it too would have a similar or potentially greater
overhead than Samba itself.

--

Regards,
Robert Adkins II

 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of vg_ us
> Sent: Thursday, August 04, 2011 2:12 PM
> To: volker.lende...@sernet.de
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Very slow samba performance on Centos 6
> 
> --
> From: "Volker Lendecke" 
> Sent: Thursday, August 04, 2011 11:01 AM
> To: "vg_ us" 
> Cc: 
> Subject: Re: [Samba] Very slow samba performance on Centos 6
> 
> > On Thu, Aug 04, 2011 at 10:49:50AM -0400, vg_ us wrote:
> >> I have 2 identical Dell r510 servers with 10gig card, 
> running centos
> >> 6 with samba-3.5.4-68.el6_0.2.x86_64.
> >> I setup 16G ramdisk samba share on both and ran cp from 
> local ramdisk 
> >> to samba ramdisk mount.
> >> If I cp 12 1-gig files, I get combined 100MB/s transfer 
> rate. Single 
> >> file cp maxes out at about 15MB/s.
> >> Ftp transfer give me over 300MB/s.
> >>
> >> Running with 9000 MTU. Most smb.conf is default. I even disabled 
> >> atime and tried ext2 and xfs on ramdisk.
> >>
> >> Any help will be greatly appreciated.
> >
> > What client application are you using? If it is a cifsfs 
> kernel mount, 
> > you might see such artifacts. Please retry with the smbclient(1) 
> > application. If that is also slow, we need to investigate further.
> >
> 
> I re-ran some of the tests with following result:
> 
> Ftp ramdisk-to-ramdisk:
> 13572 MB, 32.8 secs - 413.8 MB/s
> 
> Ftp ramdisk-to-hardisk:
> 13572 MB, 62.8 secs - 222.4 MB/s
> 
> Smbclient ramdisk-to-ramdisk:
> 13572 MB 40 secs - 339 MB/s
> 
> Smbclient ramdisk-to-harddisk:
> 13572 MB 64 secs - 212 MB/s
> 
> cifsfs mount ramdisk-to-ramdisk:
> 13572 MB 289.8 - 47MB/s
> 
> cifsfs mounts are really slow, so what happens when linux, 
> windows and mac clients map/mount the share? Are they gonna 
> be this slow? Any way to speed it up?
> 
> Thanks
> 
> - Vadim 
> 


Re: [Samba] VFS Objects Recycle questions / Round Two

2011-07-27 Thread Robert Adkins II
It's working, for at least three user accounts, but it isn't working for all
user accounts.

If I attempt to delete a file through Samba while using my login, the file
just disappears, it isn't relinked into the RecycleBin. However, if other
accounts perform a delete through Samba, the file is relinked into the
RecycleBin.

Any ideas?

--

Regards,
Robert Adkins II
 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> Sent: Wednesday, July 27, 2011 1:22 PM
> To: samba@lists.samba.org
> Subject: Re: [Samba] VFS Objects Recycle questions
> 
> Please disregard.
> 
> It started working, out of the blue. (Yes, I had previously 
> initiated my changes, forced a restart and even waited a good 
> handful of minutes before performing a test delete.)
> 
> --
> 
> Regards,
> Robert Adkins II
> 
>  
> 
> > -Original Message-
> > From: samba-boun...@lists.samba.org
> > [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> > Sent: Wednesday, July 27, 2011 9:27 AM
> > To: samba@lists.samba.org
> > Subject: [Samba] VFS Objects Recycle questions
> > 
> > I have a need to setup the recycle vfs object on our server. 
> >  
> > On  my test server, I have all of the shares on a single drive and 
> > have put the following into each share:
> >  
> > vfs_objects = recycle
> > recycle:repository = [Actual Path and Partition that the share is located]
> > recycle:directory_mode = 770
> > recycle:keeptree = Yes
> > recycle:touch_mtime = Yes
> > recycle:versions = Yes
> >  
> > It works like a charm. All of the files when deleted from each share
> > are dumped into the RecycleBin share, I have created a new share just
> > for the RecycleBin that I have also mounted that I can perform a final
> > delete on the files located within.
> >  
> > On the live server, there are several partitions with shares split
> > across the several partitions. The setup is the same, in terms of
> > having the above entered into the individual shares and the RecycleBin
> > for each share is located on the same partition/mount point that the
> > share is located.
> >  
> > Example:
> >  
> > [share1]
> > wide links = no
> > writeable = yes
> > path = /mnt/disk2/share1
> > write list = @share1
> > force group = share1
> > comment = Job Files and Related
> > valid users = @share1
> > create mode = 770
> > user = @share1
> > directory mode = 770
> > vfs_objects = recycle
> > recycle:repository = /mnt/disk2/sharebin/%u
> > recycle:directory_mode = 770
> > recycle:keeptree = Yes
> > recycle:touch_mtime = Yes
> > recycle:versions = Yes
> > 
> > [sharebin]
> > wide links = no
> > writeable = yes
> > path = /mnt/disk2/sharebin
> > write list = @share1
> > force directory mode = 770
> > force group = share1
> > sync always = yes
> > force create mode = 770
> > comment = Location of Recycle Bin
> > valid users = @share1
> > create mode = 770
> > user = @share1
> > directory mode = 770
> > 
> > Everything else matches, the folders exist, the folder permissions are
> > the same, it's just a no go on relinking the files on a delete command
> > from the "share1" share.
> > 
> > 
> > 
> > 
> > --
> > 
> > Regards,
> > Robert
> > 


Re: [Samba] VFS Objects Recycle questions

2011-07-27 Thread Robert Adkins II
Please disregard.

It started working, out of the blue. (Yes, I had previously initiated my
changes, forced a restart and even waited a good handful of minutes before
performing a test delete.)

--

Regards,
Robert Adkins II

 

> -Original Message-
> From: samba-boun...@lists.samba.org 
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert Adkins II
> Sent: Wednesday, July 27, 2011 9:27 AM
> To: samba@lists.samba.org
> Subject: [Samba] VFS Objects Recycle questions
> 
> I have a need to setup the recycle vfs object on our server. 
>  
> On  my test server, I have all of the shares on a single 
> drive and have put the following into each share:
>  
> vfs_objects = recycle
> recycle:repository = [Actual Path and Partition that the share is located]
> recycle:directory_mode = 770
> recycle:keeptree = Yes
> recycle:touch_mtime = Yes
> recycle:versions = Yes
>  
> It works like a charm. All of the files when deleted from 
> each share are dumped into the RecycleBin share, I have 
> created a new share just for the RecycleBin that I have also 
> mounted that I can perform a final delete on the files located within.
>  
> On the live server, there are several partitions with shares 
> split across the several partitions. The setup is the same, 
> in terms of having the above entered into the individual 
> shares and the RecycleBin for each share is located on the 
> same partition/mount point that the share is located.
>  
> Example:
>  
> [share1]
> wide links = no
> writeable = yes
> path = /mnt/disk2/share1
> write list = @share1
> force group = share1
> comment = Job Files and Related
> valid users = @share1
> create mode = 770
> user = @share1
> directory mode = 770
> vfs_objects = recycle
> recycle:repository = /mnt/disk2/sharebin/%u
> recycle:directory_mode = 770
> recycle:keeptree = Yes
> recycle:touch_mtime = Yes
> recycle:versions = Yes
> 
> [sharebin]
> wide links = no
> writeable = yes
> path = /mnt/disk2/sharebin
> write list = @share1
> force directory mode = 770
> force group = share1
> sync always = yes
> force create mode = 770
> comment = Location of Recycle Bin
> valid users = @share1
> create mode = 770
> user = @share1
> directory mode = 770
> 
> Everything else matches, the folders exist, the folder 
> permissions are the same, it's just a no go on relinking the 
> files on a delete command from the "share1" share.
> 
> 
> 
> 
> -- 
> 
> Regards,
> Robert
> 


[Samba] VFS Objects Recycle questions

2011-07-27 Thread Robert Adkins II
I have a need to setup the recycle vfs object on our server. 
 
On  my test server, I have all of the shares on a single drive and have put
the following into each share:
 
vfs_objects = recycle
recycle:repository = [Actual Path and Partition that the share is located]
recycle:directory_mode = 770
recycle:keeptree = Yes
recycle:touch_mtime = Yes
recycle:versions = Yes
 
It works like a charm. All of the files when deleted from each share are
dumped into the RecycleBin share, I have created a new share just for the
RecycleBin that I have also mounted that I can perform a final delete on the
files located within.
 
On the live server, there are several partitions with shares split across
the several partitions. The setup is the same, in terms of having the above
entered into the individual shares and the RecycleBin for each share is
located on the same partition/mount point that the share is located.
 
Example:
 
[share1]
wide links = no
writeable = yes
path = /mnt/disk2/share1
write list = @share1
force group = share1
comment = Job Files and Related
valid users = @share1
create mode = 770
user = @share1
directory mode = 770
vfs_objects = recycle
recycle:repository = /mnt/disk2/sharebin/%u
recycle:directory_mode = 770
recycle:keeptree = Yes
recycle:touch_mtime = Yes
recycle:versions = Yes

[sharebin]
wide links = no
writeable = yes
path = /mnt/disk2/sharebin
write list = @share1
force directory mode = 770
force group = share1
sync always = yes
force create mode = 770
comment = Location of Recycle Bin
valid users = @share1
create mode = 770
user = @share1
directory mode = 770

Everything else matches, the folders exist, the folder permissions are the
same, it's just a no go on relinking the files on a delete command from the
"share1" share.




-- 

Regards, 
Robert



Re: [Samba] Integrating samba with existing AD

2011-07-20 Thread Robert Freeman-Day
On 07/20/2011 04:44 AM, Thibaut POUZET wrote:
> Hi everyone,
> 
>  
> 
> I am currently trying to set-up a samba server in my network in order to
> replace the existing windows samba server. It's been now two weeks that I am
> struggling with a vicious problem, and I cannot see any issue right now.
> Before I lose all my hair, I am sharing with you this problem : hopefully,
> someone will have a tip for me.
> 
>  
> 
> The software involved : 
> 
> Server Linux CentOS 5.6
> 
> Windows 2003 Serveur R2 with working AD and another DNS server working just
> fine.
> 
> # rpm -qa | grep samba
> 
> samba-3.0.33-3.29.el5_6.2
> 
> samba-common-3.0.33-3.29.el5_6.2
> 
> samba-client-3.0.33-3.29.el5_6.2
> 
> # rpm -qa | grep krb
> 
> pam_krb5-2.2.14-18.el5
> 
> pam_krb5-2.2.14-18.el5
> 
> krb5-libs-1.6.1-55.el5_6.1
> 
> krb5-devel-1.6.1-55.el5_6.1
> 
> krb5-workstation-1.6.1-55.el5_6.1
> 
> krb5-libs-1.6.1-55.el5_6.1
> 
>  
> 
> The smb.conf
> 
> http://pastebin.com/9iCd1meR
> 
>  
> 
> The krb5.conf
> 
> http://pastebin.com/nJ2DuBFi
> 
>  
> 
> In the nsswitch.conf
> 
> passwd: files ldap winbind
> 
> shadow: files ldap
> 
> group:  files ldap winbind
> 
>  
> 
> The problem (Everything seems to work just fine ): 
> 
> # kinit -V thibaut
> 
> Password for thib...@work-network.com:
> 
> Authenticated to Kerberos v5
> 
>  
> 
> # net join -S pwdsrv -U Thibaut
> 
> Thibaut's password:
> 
> Using short domain name -- WORK
> 
> DNS update failed!
> 
> Joined 'smbsrv' to realm 'WORK-NETWORK.COM'
> 
>  
> 
> wbinfo -u
> 
> wbinfo -g
> 
> getent passwd
> 
> getent group
> 
> => All of them returns all I want (users and groups, with locals for the
> last two commands)
> 
>  
> 
> # smbclient -L localhost -U Thibaut
> Password:
> Domain=[WORK] OS=[Unix] Server=[Samba 3.0.33-3.29.el5_6.2]
> 
>         Sharename       Type      Comment
>         ---------       ----      -------
>         IPC$            IPC       IPC Service (Server blabla)
>         thibaut         Disk      Home Directories
> Domain=[WORK] OS=[Unix] Server=[Samba 3.0.33-3.29.el5_6.2]
> 
>         Server               Comment
>         ---------            -------
>         SMBSRV               Serveur blabla
> 
>         Workgroup            Master
>         ---------            -------
>         WORK
> 
>  
> 
> . and that's all. The windows clients can connect and see some shares (I
> guess thanks to passthru), for instance I can see my home folder and the
> printers folders, but not the others as with smbclient. Furthermore, Even if
> I can see the roots folders, I cannot parse them : I am prompted a
> login+password form when I try to enter the "Thibaut" folder, for instance.
> I think I am connected as a guest user, but I am not sure of that.
> 
> And when I try to access the folder Thibaut, I got some logs : 
> 
>  
> 
> [2011/07/20 09:50:38, 2] lib/access.c:check_access(323)
> 
>   Allowed connection from  (a.b.c.d)
> 
> [2011/07/20 09:50:38, 2] smbd/service.c:make_connection_snum(617)
> 
>   user 'WORK\thibaut' (from session setup) not permitted to access this
> share (thibaut)
> 
>  
> 
> So where am I going wrong ? :(
> 
>  
> 
> Thibaut.
> 
I would first migrate from the no longer supported 3.0.x codebase to
something supported by the samba team:

http://wiki.samba.org/index.php/Samba3_Release_Planning

I wrote up a quicky migration how-to so that people can move from the
samba packages to RHEL's introduced samba3x packages.  Perhaps that can
help you move over:

https://uisapp2.iu.edu/iukc-prd/pages/viewpage.action?pageId=137093

Robert

- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Integrate Samba with Active Directory

2011-07-20 Thread Robert Freeman-Day
On 07/19/2011 07:12 PM, Jonathan Buzzard wrote:
> Bruno Martins wrote:
> 
> [SNIP]
> 
>>
>> Good night Robert,
>>
>> My Domain Controller is running Windows Server 2003 R2 X64, so I may not
>> be affected by those bulletins
>>
>> By the way, thanks for noticing.
>>
> 
> Unless I am reading the release notes incorrectly, if you use the
> samba3x packages in CentOS 5.6 which gets you 3.5.4 with security
> patches as opposed to the plain samba packages which only get you a
> hideously old 3.0.x then the NTLM V2 issue goes away as samba supports it.
> 
> If you are doing anything with AD and are using CentOS 5.x, then I
> cannot stress the value in upgrading to 5.6 and swapping the samba
> packages for the samba3x packages. Basically the samba3x packages get
> you the same samba as RHEL/CentOS 6, which makes shifting your file
> servers to CentOS 6 in due course much easier.
> 
> 
> JAB.
> 

JAB is right on that one.  There are still NTLMv2 issues with even 2003
and samba 3.0.x.  Besides, people should use a currently supported
version anyway (...thanking RH for FINALLY stopping backport of patches
to the ancient 3.0.x code!!!):

http://wiki.samba.org/index.php/Samba3_Release_Planning

Robert

- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Integrate Samba with Active Directory

2011-07-19 Thread Robert Freeman-Day
On 07/19/2011 01:11 PM, Jonathan Buzzard wrote:
> Bruno Martins - GALILEU LISBOA wrote:
>> Hello guys,
>>
>>  
>>
>> I am setting up a Samba server (based on CentOS 5.6) on my company which
>> will act as a print and file server. Also, it has dropbox installed.
>>
>>  
>>
>> I have set up everything regarding to CUPS and Samba itself, but I'm not
>> being able to integrate my shares with Active Directory.
>>
>>  
>>
>> All I want is that access control to Samba shares is made through Active
>> Directory users and their respective passwords, and not through
>> Unix-style users and groups. Is this possible?
>>
>>  
>>
>> Some configuration files:
>>
>> /etc/nsswitch.conf - http://pastebin.com/rPgXSL6G
>>
>> /etc/samba/smb.conf - http://pastebin.com/9uffAyjV
>>
>> /etc/krb5.conf - http://pastebin.com/9zJFQR6J
>>
>>  
>>
>> Can someone please give me some lights on this?
>>
> 
> A quick look shows a lack of an idmap setup in the smb.conf. You say
> you are using CentOS 5.6, in which case I strongly recommend that you
> use the samba3x packages over the plain samba packages if you are not
> doing so already
> 
> Here is a example based on what I use with CentOS 5.6 using the samba3x
> packages. Note that I have the rfc2307 information set in the AD for all
> the users. I have a whole bunch of other options as well to do with
> CTDB, GPFS and other bits and bobs as well. However these are not
> relevant to getting it working.
> 
> On the AD side you need to set the UID, home directory and primary group
> in the Unix Attributes tab, and then in the Member Of tab you need to
> add the user to the primary group that you set in the Unix Attributes
> tab and make that their primary group. All the groups need a GID setting
> in their Unix Attributes tab as well.
> 
> The important thing about the idmap setting is that you must have a
> plain tdb backend (or something else that is allocatable) and the range
> must not overlap with the range for the domain or it does not work. Not
> quite sure why that is because in my setting all accounts exist in the
> AD with appropriate Unix attributes. Took me ages to work that nugget of
> information out.
> 
> 
> JAB.
> 
> 
> [global]
> netbios name = nemo
> security = ads
> workgroup = CAMPUS
> realm = CAMPUS.MYCORP.COM
> password server = *
> preferred master = no
> encrypt passwords = yes
> kerberos method = secrets only
> 
> # deal with NSS and the whole UID/SID id mapping stuff
> idmap backend = tdb
> idmap uid = 200 - 299
> idmap gid = 200 - 299
> idmap config CAMPUS : backend = ad
> idmap config CAMPUS : schema_mode = rfc2307
> idmap config CAMPUS : readonly = yes
> idmap config CAMPUS : range = 500 - 199
> idmap cache time = 120
> idmap negative cache time = 20
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = false
> 
> 
You will also want to keep in mind some incompatibilities if your AD is
pretty new (2008 or higher).

See the following for more info:
http://support.microsoft.com/kb/954387
http://support.microsoft.com/kb/957441

- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
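
The non-overlap rule JAB describes in the quoted message, as an added example that is not part of the original thread or Samba's own code: a small Python check over the idmap ranges in the [global] section of an smb.conf. The sample configuration, the EXAMPLE domain name and every range value in it are constructed for illustration.

```python
import re
from itertools import combinations

# Keys that carry an ID range in [global]:
#   idmap uid / idmap gid              -> range of the default (allocating) backend
#   idmap config <DOMAIN> : range      -> range reserved for one domain
KEY_DOMAIN = re.compile(r"^idmap\s+config\s+(\S+)\s*:\s*range$", re.I)
KEY_DEFAULT = re.compile(r"^idmap\s+(uid|gid)$", re.I)
VALUE = re.compile(r"^(\d+)\s*-\s*(\d+)$")


def idmap_ranges(smb_conf):
    """Return [(label, kind, low, high)] for each idmap range in [global]."""
    found, section = [], None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        dom, dflt = KEY_DOMAIN.match(key), KEY_DEFAULT.match(key)
        if not (dom or dflt):
            continue
        m = VALUE.match(value)
        if not m:
            raise ValueError(f"unparseable range for '{key}': {value!r}")
        label = dom.group(1) if dom else f"default {dflt.group(1).lower()}"
        kind = "domain" if dom else "default"
        found.append((label, kind, int(m.group(1)), int(m.group(2))))
    return found


def idmap_problems(smb_conf):
    """List inverted ranges and overlaps that involve a domain range."""
    problems, valid = [], []
    for entry in idmap_ranges(smb_conf):
        label, _, low, high = entry
        if low > high:
            problems.append(f"{label}: low bound {low} is above high bound {high}")
        else:
            valid.append(entry)
    for a, b in combinations(valid, 2):
        # uid and gid are separate ID spaces, so the two default ranges
        # may legitimately cover the same numbers.
        if a[1] == "default" and b[1] == "default":
            continue
        if a[2] <= b[3] and b[2] <= a[3]:
            problems.append(f"{a[0]} {a[2]}-{a[3]} overlaps {b[0]} {b[2]}-{b[3]}")
    return problems


# Constructed sample: the default tdb range runs into the domain's range.
OVERLAPPING = """
[global]
    security = ads
    workgroup = EXAMPLE
    idmap backend = tdb
    idmap uid = 10000 - 29999
    idmap gid = 10000 - 29999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 500 - 19999
"""

# Same constructed sample with the default range moved clear of the domain.
SEPARATE = OVERLAPPING.replace("10000 - 29999", "20000 - 29999")

if __name__ == "__main__":
    for name, conf in (("overlapping", OVERLAPPING), ("separate", SEPARATE)):
        issues = idmap_problems(conf)
        print(name, "->", issues if issues else "no problems found")
```
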


Re: [Samba] Connecting to domain authenticated share from non-domain machine

2011-07-12 Thread Robert Horton
On Thu, 2011-07-07 at 10:48 +0100, Robert Horton wrote:
> I've got a domain controller and two file servers (A & B) connected to a
> domain using the ldapsam backend. The domain controller and fileserver A
> are running Samba 3.5.4 (from RHEL6) and fileserver B is running Samba
> 3.0.33 (from RHEL5).
> 
> Other machines are able to join the domain as expected and between
> machines in the domain I am able to connect to shares as expected. The
> problem is with connecting to shares from a machine which is not part of
> the domain - this works with the Samba 3.0.33 fileserver but not with
> the Samba 3.5.4 one. Any ideas why this might be? 

Turns out you need to specify the domain as part of the username, eg

smbclient -U 'DOMAIN\user' '\\server\share'

Rob



Re: [Samba] Samba and Active Directory 2008

2011-07-11 Thread Robert Freeman-Day
On 07/11/2011 10:09 AM, Keith wrote:
> I was wondering if anyone has had any luck getting samba working with a
> Windows 2008 domain? I've got mine working for the most part except for UID
> lookups. I've got identity management for unix installed on the windows
> box and have several users configured with custom home directories, login
> shell, and UID on the Unix attributes tab. My samba server is joined to the
> domain, wbinfo -u and -g both provide a list of users and groups. When i run
> getent passwd i get a list of local users and domain users. With the domain
> users it pulls the home directory and login shell just fine from active
> directory, but i cant get it to pull the UID.
> 
> I've got it setup and working using RID, which is ok, but we would rather
> get it working with the UID. I'm using samba version 3.5.4 and here is a
> copy of the global settings
> 
> workgroup=test
> realm=pizza.com
> security=ads
> password server = password-server.pizza.com
> idmap uid = 1 - 2
> idmap guid = 1 - 2
> idmap backend = rid:pizza.com=1-2
> winbind use default domain = yes
> winbind enum users = yes
> winbind refresh tickets = yes
> client use spnego = yes
> client ntlmv2 auth = yes
> encrypt passwords = yes
> restrict anonymous = 2
> winbind nss info = rfc2307
> client ldap sasl wrapping = sign
> 
> Any help would be greatly appreciated.
> 
> Thanks
> 
> Keith

Have you also edited your /etc/nsswitch.conf file to pull those entries
properly?  You should at least have it looking like below:

   passwd: compat winbind
   group:  compat winbind
   shadow: compat


- -- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


[Samba] Connecting to domain authenticated share from non-domain machine

2011-07-07 Thread Robert Horton
Hi,

I've got a domain controller and two file servers (A & B) connected to a
domain using the ldapsam backend. The domain controller and fileserver A
are running Samba 3.5.4 (from RHEL6) and fileserver B is running Samba
3.0.33 (from RHEL5).

Other machines are able to join the domain as expected and between
machines in the domain I am able to connect to shares as expected. The
problem is with connecting to shares from a machine which is not part of
the domain - this works with the Samba 3.0.33 fileserver but not with
the Samba 3.5.4 one. Any ideas why this might be?

I also notice that things like "net rpc user" produce no output on
machines other than the domain controller - does this indicate a problem
or is it normal?

Thanks,
Rob



Re: [Samba] net ads user info .vs. wbinfo -g ?

2011-06-21 Thread Robert Freeman-Day
On 06/20/2011 12:44 PM, John McNulty wrote:
> The group names from these two commands display differently.   For example:
> 
> $  net ads user info my-name -U my-name
>  .
>  .
> Systems Engineering EU
> 
> 
> $ wbinfo -g
>  .
>  .
> systemsengineeringeu.write
> 
> 
> Why is this different?
> 
> Regards,
> 
> John

John,

The "net" command is a close relative to the "net" command for windows.
 It will display information in a format more like windows or ldap-like
output.

If you do this type of "net" command on your samba install:

net ads search "(SAMAccountName=adusername)" -P

you will get all the entries from active directory, similar to the
output from ADSIedit.  The "-P" allows you to use your samba machine's
credentials (if it is joined to the domain).

net ads search "(&(objectCategory=computer)(name=*rhel*))" -P

Allows ldap-like searching.

"wbinfo" and "winbindd" allow translation from windows account formats
to unix-like account formats.  This is why the outputs are different.

If you were to do a "getent passwd aduser" you will get a direct entry
that is as if it was from /etc/passwd.  It is actually getting info from
"winbindd" and translating it on the fly.

Hope that helps differentiate them.

Robert
-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] UID mapping

2011-06-15 Thread Robert Freeman-Day

On 06/15/2011 10:29 AM, Jonathan Buzzard wrote:
> 
> On Tue, 2011-06-14 at 23:41 +, Peter Shevchenko wrote:
> 
> [SNIP]
> 
>> I have been working on exactly this problem. I looked into the 
>> rfc2307scheme extensions and it looked like a lot of trouble. The samba 
>> HowTo has this to say about it.
>>
>> "The use of this method is messy. The information provided in the 
>> following is for guidance only and is very definitely not complete. This 
>> method does work; it is used in a number of large sites and has an 
>> acceptable level of performance." see
>> samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> 
> That is *not* the method I was suggesting to use. I was suggesting using
> the idmap_ad backend and winbind directly. No ldap or similar in sight
> excepting that AD is ldap.
> 
> This is the configuration that I use in smb.conf
> 
> # deal with NSS and the whole UID/SID id mapping stuff
> idmap backend = tdb
> idmap uid = 200 - 299 
> idmap gid = 200 - 299
> idmap config LIFESCI-AD : backend = ad
> idmap config LIFESCI-AD : schema_mode = rfc2307
> idmap config LIFESCI-AD : readonly = yes
> idmap config LIFESCI-AD : range = 500 - 199
> idmap cache time = 120
> idmap negative cache time = 20
> winbind nss info = rfc2307
> winbind expand groups = 2
> winbind nested groups = yes
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> winbind refresh tickets = yes
> winbind offline logon = false
> 
> With nsswitch.conf looking like
> 
> passwd: files winbind
> shadow: files
> group:  files winbind
> 
> 
> I would say the documentation on how to get this working is not great,
> the biggest stumbling block being the need for the non overlapping range
> for the plain tdb backend which is all required despite the fact it is
> never used.
> 
> Yes you need to have winbind running at all times for it to work but it
> does work.
> 
> 
> JAB.
> 

The environment I work in did not fully implement the rfc schema.  I
would use the hash idmap backend:
http://www.samba.org/samba/docs/man/manpages-3/idmap_hash.8.html

-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] Braindead Autoreply filters... WAS Re: samba Digest, Vol 102, Issue 8

2011-06-10 Thread Robert Schetterer
Am 09.06.2011 21:46, schrieb Charles Marcus:
> On 2011-06-09 2:00 PM, Robert Schetterer  wrote:
>> Am 09.06.2011 15:46, schrieb Charles Marcus:
>>> It would be nice if one of the list moms would immediately unsubscribe
>>> AND PERMANENTLY BAN idiots who use braindead autoreply filters.
>>>
>>> This should be official list policy for ALL email lists...
> 
>> just like "do not top post" *g ?
> 
> Don't be stupid Robert... there are times when top-posting is perfectly
> acceptable, and that was one of them (ie, when the content of the quote
> is irrelevant).
> 

that was a joke, i am not a fanatic "do not top poster",
but related to autoresponders,

i am sure list/mailadmins everywhere do their best to avoid
spreading unneeded or unwanted mail, but in real world, there will never
be a way to catch it all
so everybody should be cooled about that,

ok wish idiots to hell, perhaps gives somebody fresh air sometimes
but in real world ,spread this anger over mail list may also be an
unwanted mail

so i recommend, mail the listadmin, and accept the world as it is
go fishing etc sometimes... ( Joke ! )
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Braindead Autoreply filters... WAS Re: samba Digest, Vol 102, Issue 8

2011-06-09 Thread Robert Schetterer
Am 09.06.2011 15:46, schrieb Charles Marcus:
> It would be nice if one of the list moms would immediately unsubscribe
> AND PERMANENTLY BAN idiots who use braindead autoreply filters.
> 
> This should be official list policy for ALL email lists...

just like "do not top post" *g ?

> 
> On 2011-06-08 2:00 PM, samba-requ...@lists.samba.org wrote:
>> Subject: Re: [Samba] samba Digest, Vol 102, Issue 7
>> From:> "Andrew McNaughton" 
>>
>> I am currently on annual leave. I will be back in the office on Friday
>> 10th June 2011.
>>
>> If you have an urgent matter needing attention, it may be prudent to
>> contact the ITSC main number 01236 757600.
>>
>>
>> Thanks.
>> --
>> Andrew McNaughton
>> ICT Network Support Officer
>> Learning & Leisure Services
>> North Lanarkshire Council
> 
> 


-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [Samba] Samba vs Linux file permissions

2011-06-03 Thread Robert W. Smith
John,

Were you using Samba 3.4.6 prior to this? If so, here is the release
note for 3.4.7:

   =============================
   Release Notes for Samba 3.4.7
   March 8, 2010
   =============================

This is a security release in order to address CVE-2010-0728.


o  CVE-2010-0728:
   In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code
   was added to fix a problem with Linux asynchronous IO handling.
   This code introduced a bad security flaw on Linux platforms if the
   binaries were built on Linux platforms with libcap support.
   The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
   capabilities, allowing all file system access to be allowed
   even when permissions should have denied access.

Regardless if it was working under 3.4.6 you may have had a different
and more serious kind of security problem >:-0

Unfortunately I do not see this as a simple mis-configuration of your
server at this point. The error is being emitted after the smbd/open.c
call to try and open the file. It errors out on trying to open the file
for renaming. 


> [2011/06/03 13:29:55,  3] smbd/vfs.c:974(check_reduced_name)
>   reduce_name: jmaher/orig_name reduced to /labs/chemgroup/jmaher/orig_name
> [2011/06/03 13:29:55,  3] smbd/reply.c:6030(rename_internals)
>   Could not open rename source jmaher/orig_name: NT_STATUS_ACCESS_DENIED


Unfortunately as I do not have an Ubuntu Server 10.04 I can not
experiment with this to help pinpoint an answer for you. Sorry.

BTW, what is shown under the workstations Properties-->Security tab for
the file in question (and when the directory perms are drwxr-x---)? Do
all of the SIDs resolve properly? You may also try posting the error log
using log level = 9 for even more detail--this might also show the SID
to UID/GID mappings.

Bob
--bs


>On 06/03/2011 01:18 PM, Robert W. Smith wrote:
>
>...
>
>> John,
>> 
>> To get back to your issue at hand...Can we see the output of your
>> logs--the entire delete/rename transactions? 
>
>Bob, thanks for your continued interest and help.
>
>Here is log level = 3 output when trying to change a file within the
>/labs/chemgroup/jmaher directory from the name "orig_name" to
>"new_name":
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
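
A check for the condition the CVE-2010-0728 release note above describes, added here as an example and not part of the original thread or of Samba. It assumes the flaw shows up as CAP_DAC_OVERRIDE in the effective capability set of an `smbd` process whose filesystem UID is not root; the sample status files are constructed.

```python
"""Flag smbd processes that keep CAP_DAC_OVERRIDE while acting as a non-root user."""
import glob

CAP_DAC_OVERRIDE = 1  # capability bit number from <linux/capability.h>


def parse_status(text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_status(text, process_name="smbd"):
    """Return a finding for one status file, or None if it is not process_name."""
    fields = parse_status(text)
    if fields.get("Name") != process_name:
        return None
    # Uid: real, effective, saved, filesystem. File access is checked against fsuid.
    fsuid = int(fields["Uid"].split()[3])
    cap_eff = int(fields["CapEff"], 16)
    has_cap = bool((cap_eff >> CAP_DAC_OVERRIDE) & 1)
    return {
        "pid": int(fields["Pid"]),
        "fsuid": fsuid,
        "dac_override": has_cap,
        # Root bypasses file permissions anyway; the concern is an smbd that
        # has switched to a user's identity and can still override them.
        "suspect": has_cap and fsuid != 0,
    }


def scan_proc(pattern="/proc/[0-9]*/status"):
    """Check every running process on a Linux host; returns the smbd findings."""
    findings = []
    for path in glob.glob(pattern):
        try:
            with open(path) as handle:
                finding = check_status(handle.read())
        except (OSError, KeyError, ValueError, IndexError):
            continue  # process exited mid-scan or the file lacks a field
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample status files (not taken from the thread).
SAMPLE_ROOT_PARENT = "Name:\tsmbd\nPid:\t2100\nUid:\t0\t0\t0\t0\nCapEff:\tffffffffffffffff\n"
SAMPLE_LEAKING_CHILD = "Name:\tsmbd\nPid:\t2144\nUid:\t1000\t1000\t0\t1000\nCapEff:\t0000000000000002\n"
SAMPLE_CLEAN_CHILD = "Name:\tsmbd\nPid:\t2150\nUid:\t1000\t1000\t0\t1000\nCapEff:\t0000000000000000\n"
SAMPLE_OTHER = "Name:\tsshd\nPid:\t900\nUid:\t0\t0\t0\t0\nCapEff:\tffffffffffffffff\n"

if __name__ == "__main__":
    for item in scan_proc():
        print(item)
```

A process reported with `suspect` set can read and write files regardless of the mode bits, so permission tests made through such a server say nothing about the share configuration.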


Re: [Samba] Samba vs Linux file permissions

2011-06-03 Thread Robert W. Smith
>> Quoting John Maher (john at chem.umass.edu):
>>> -BEGIN PGP SIGNED MESSAGE-
>>> Hash: SHA1
>>>
>>> Hello,
>>>
>>> I cannot find anything in the documentation or mailing list that
>>> addresses this oddity.
>>>
>>> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
>>> utterly confused by samba's behavior regarding permissions.
>>>
>>> Users on the server have home directories in /home/chemgroup/username.
>>> (chemgroup is actually a symlink to another volume mounted at
>>> /labs/chemgroup.) Permissions on /lab/chemgroup are:
>> 
>> 
>> How about looking in logfiles (first with log level to 3)?
>
>Thanks for responding.
>
>I changed log level to 3 and was able to see an NT_STATUS_ACCESS_DENIED
>error when trying to change the name of a file I just created.

John,

To get back to your issue at hand...Can we see the output of your
logs--the entire delete/rename transactions? 

Is this server a PDC, BDC or other? Are there any Windows server part of
this domain? Are you using winbind? What is the output of wbinfo -i
username?

Bob
--bs




Re: [Samba] Samba vs Linux file permissions

2011-06-03 Thread Robert W. Smith
John,

Yes, I agree that you should not install from source--I meant to imply
if you could get a deb package for your Ubuntu Server 10.10. 

I did not enable ACLs and User Extended Attributes until I installed the
first iteration of the Samba 3.5 branch on my Fedora 13 server (I'm
about to upgrade to Fedora 15) so I am not sure what issues you might
have using Samba 3.4.7.

Using the User Extended Attributes are convenient for two purposes: 
1) it allows Samba to store the DOS Attributes (ReadOnly, Archive,
Hidden, and I think a few others) in a separate xattr. This frees you
from having to manage these attributes using the Linux permission bits. 
2) It allows Samba to store the full NT ACLs as an xattr. The initial NT
ACLs will be based on the POSIX ACLs which should also be enabled.

You can enable ACLs and User Extended Attributes on a share-by-share
basis. I would start off by creating a test volume (if you can carve one
out of your LVM) and creating a test share with it in Samba. For
example, here is my configuration for a group share:

[Shared]
comment = Public Share on %h
path = /home/shared
valid users = +domadmins, +domusers, +domguests
write list = +domadmins, +domusers
force group = domusers
;   create mask = 0664
;   force create mode = 0660
;   directory mask = 0002
;   force directory mode = 0770
inherit permissions = yes
inherit acls = yes
map acl inherit = yes
acl group control = yes
ea support = yes
vfs object = acl_xattr recycle
store dos attributes = yes
map archive = no
map hidden = no
map system = no
map readonly = no

The mount configuration in /etc/fstab is:

/dev/mapper/vg1-home  /home  ext3  defaults,acl,user_xattr  1 2

And the POSIX ACLs on /home/shared:

# getfacl shared
# file: shared
# owner: root
# group: users
# flags: -s-
user::rwx
group::rwx
group:users:rwx
group:domadmins:rwx
group:domusers:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:users:rwx
default:group:domadmins:rwx
default:group:domusers:rwx
default:mask::rwx
default:other::---

I like the fact that I no longer have to give the Linux Other group any
permission whatsoever even for my public shared group.

There is a lot here that you will need to bone-up on but give it a try
and let us know if you run into any problems.

Good luck,
Bob
--bs


On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
John Maher john at chem.umass.edu 
Fri Jun 3 09:37:14 MDT 2011 


>> And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing
>> a double mount SMB --> NFS --> Local Vol is not recommended owing to the
>> way NFS itself handles permissions.

>Bob, I forgot to respond to this part. No, I'm not using NFS. That mount
>point is an LVM logical volume on a single RAID5 array.

>>
>> Also I would recommend that you consider upgrading to the latest 3.5.X
>> branch of Samba and consider enabling ACLs and extended User Attributes
>> on the underlying volumes. Although adding Posix ACLs does add
>> complexity to the mix in the end you get a more secure environment and
>> less Windows-to-Linux permission problems and confusion.
>
>There's resistance in my department to install applications using source
>rather than Ubuntu packages. For now, I need to stick with the version
>we have unless it becomes clear that the version change would make the
>difference.
>
>I've been wondering about extended User Attributes and whether or not
>they are worth the effort.  It sounds like you believe they are worth
>it.  I'll look into it. Thanks.
>
>John

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
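
A static cross-check of the share settings and mount options from the message above, added here as an example and not part of the original thread. It assumes, following the message, that `ea support` and `store dos attributes` need `user_xattr` and that `inherit acls` and the `acl_xattr` module need `acl`; it reads only explicit fstab options, and the root, swap and "weak" fstab lines are constructed.

```python
"""Check that xattr/ACL-dependent Samba shares sit on mounts with the needed options."""
import configparser
import posixpath


def parse_fstab(text):
    """Map each absolute mount point to its set of mount options."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[1].startswith("/"):
            mounts[posixpath.normpath(fields[1])] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """Longest mount point that contains path (symlinks are not resolved)."""
    path = posixpath.normpath(path)
    best = None
    for mount_point in mounts:
        inside = posixpath.commonpath([mount_point, path]) == mount_point
        if inside and (best is None or len(mount_point) > len(best)):
            best = mount_point
    return best


def _enabled(share, *names):
    return any(share.get(n, "no").strip().lower() in ("yes", "true", "1") for n in names)


def needed_options(share):
    """Mount options a share depends on, per the assumptions in the lead-in."""
    needs = set()
    if _enabled(share, "ea support", "store dos attributes"):
        needs.add("user_xattr")
    vfs = (share.get("vfs objects") or share.get("vfs object") or "").split()
    if _enabled(share, "inherit acls") or "acl_xattr" in vfs:
        needs.add("acl")
    return needs


def audit(smb_conf, fstab):
    """Return (share, mount point, missing option) for every unmet dependency."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.read_string(smb_conf)
    mounts = parse_fstab(fstab)
    findings = []
    for name in cfg.sections():
        share = cfg[name]
        if name.lower() == "global" or "path" not in share:
            continue
        mount_point = mount_for(share["path"], mounts)
        have = mounts.get(mount_point, set())
        for option in sorted(needed_options(share) - have):
            findings.append((name, mount_point, option))
    return findings


# Share definition as posted in the message above (abridged).
SMB_CONF = """\
[Shared]
path = /home/shared
;   create mask = 0664
inherit permissions = yes
inherit acls = yes
ea support = yes
vfs object = acl_xattr recycle
store dos attributes = yes
"""

# /home line as posted; the other lines are constructed.
FSTAB_AS_POSTED = """\
/dev/mapper/vg1-root  /      ext3  defaults                 1 1
/dev/mapper/vg1-home  /home  ext3  defaults,acl,user_xattr  1 2
/dev/mapper/vg1-swap  swap   swap  defaults                 0 0
"""
FSTAB_WEAK = FSTAB_AS_POSTED.replace("defaults,acl,user_xattr", "defaults")

if __name__ == "__main__":
    print(audit(SMB_CONF, FSTAB_AS_POSTED))
    print(audit(SMB_CONF, FSTAB_WEAK))
```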


Re: [Samba] Samba vs Linux file permissions

2011-06-03 Thread Robert W. Smith
John,

For the [chemgroup] share try

[chemgroup]
comment = Chemistry Group Share
path = /home/chemgroup
valid users = @chemgroup
write list = @chemgroup
browseable = no
;;writeable = yes
;;printable = no
force group = @chemgroup ;; note your post left out the '@'-sign
create mask = 0660
directory mask = 0770

and for the [homes] share try

[homes]
comment = Home Directories
browseable = no
;;read only = no
create mask = 0640
directory mask = 0750
;;valid users = %S
valid users = %U
write list = %U

I found that using %U works best so long as you don't have older Windows
(e.g. Wfwg). Also specifying write list specifically gives 'username'
write capabilities consistent with your security policy on the
underlying volume.

And, is /lab/chemgroup a local disk volume or a remote NFS volume? Doing
a double mount SMB --> NFS --> Local Vol is not recommended owing to the
way NFS itself handles permissions.

Also I would recommend that you consider upgrading to the latest 3.5.X
branch of Samba and consider enabling ACLs and extended User Attributes
on the underlying volumes. Although adding Posix ACLs does add
complexity to the mix in the end you get a more secure environment and
less Windows-to-Linux permission problems and confusion.

Bob
--bs

On Thu, 2011-06-02 at 10:36 -0400, John Maher wrote:
> 
> Hello,
> 
> I cannot find anything in the documentation or mailing list that
> addresses this oddity.
> 
> I've installed Samba Version 3.4.7 on Ubuntu Server 10.04, and I'm
> utterly confused by samba's behavior regarding permissions.
> 
> Users on the server have home directories in /home/chemgroup/username.
> (chemgroup is actually a symlink to another volume mounted at
> /labs/chemgroup.) Permissions on /lab/chemgroup are:
> 
>drwxrwx---username chemgroup   /labs/chemgroup
> 
> Permissions on /lab/group/username are:
> 
>drwxr-x---username chemgroup   /labs/chemgroup/username
> 
> Clearly, username has rights to write to /home/chemgroup/username, and
> can do so just fine via ssh.
> 
> The Samba share is configured as follows:
> 
>[chemgroup]
>   comment = Chemistry Group Share
>   path = /home/chemgroup
>   valid users = @chemgroup
>   public = no
>   browseable = no
>   writeable = yes
>   printable = no
>   force group = chemgroup
>   create mask = 0660
>   directory mask = 0770
> 
> Note, username is a member of chemgroup.
> 
> username can connect to \\server\chemgroup and can create new files and
> directories there.  And username can navigate to the username folder
> within chemgroup.  BUT, here's where it gets weird . . . username can
> create a new file within the chemgroup\username folder, but they cannot
> even change the name of the file they just created.  And they can't
> delete the file they just created (and couldn't rename).
> 
> This same behavior is even presented with Home directories, with the
> homes section looking like this:
> 
>[homes]
>   comment = Home Directories
>   browseable = no
>   read only = no
>   create mask = 0640
>   directory mask = 0750
>   valid users = %S
> 
> Thank you for any help or guidance.
> 
> John
> 
> - -- 
> * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - * - - - - *
> John Maher
> Senior Systems and Network Administrator
> Department of Biochemistry & Molecular Biology and
> Department of Chemistry
> University of Massachusetts - Amherst
> voice: 413-577-3120  fax: 413-545-4490
> OpenPGP Key ID: 0x2970A144
> 
> 
> 




Re: [Samba] winbind issue with Windows 2008 R2 - domain trusts

2011-06-02 Thread Robert Freeman-Day

On 06/01/2011 04:24 PM, Terry wrote:
> On Wed, Jun 1, 2011 at 3:21 PM, Terry  wrote:
>> Hello,
>>
>> I have a problem that just propped up after our windows admin did some
>> work.  He introduced some new domain controllers and upgraded the
>> domain to 2008 R2.  The primary domain that our linux boxes are in
>> seems to work, it's trusted domains.  Here's an example domain:
>>
>> FOO.BAR.LOCAL
>>
>> The boxes are in the FOO domain and I can getent passwd and see
>> accounts in there fine.  I used to be able see accounts in BAR as well
>> but now can't.
>>
>> I am using samba-3.0.33-3.29.el5_5.1 on RHEL5.2.
>>
>> Here's an error I see in the logs.  Not sure
>>
>> Jun  1 15:16:01 omadvdss01a winbindd[10772]: [2011/06/01 15:16:01, 0]
>> rpc_client/cli_pipe.c:rpc_api_pipe(790)
>> Jun  1 15:16:01 omadvdss01a winbindd[10772]:   rpc_api_pipe: Remote
>> error. Error was NT_STATUS_PIPE_DISCONNECTED
>>
>> That domain controller referenced in the logs is a new DC he added.
>> All windows operations appear to be normal.
>>
>> Thoughts?
>> Thanks!
>>
> 
> Sorry for replying to my own post so early here.  I removed that
> domain controller from my smb.conf and that appears to have fixed
> things.  Anyone have an idea on what the issue could be?
Terry,

The version of samba is quite old and unsupported upstream by the samba
team.  There were many issues with that version and 2008 AD controllers.

RHEL 5.5 on up uses a more up to date version of samba and you can
migrate to that.  Red Hat's release notes detail it a bit more.

There still may be ntlmv2 issues, but as long as there is kerberos
access, things should be okay.
-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36

[Samba] winbind problem with BUILTIN?

2011-04-12 Thread Robert Fitzpatrick
I shut my Samba PDC and all members down for some PC rearranging and now 
having an issue with one member server on Ubuntu 10.12 with Samba 3.5.4 
after restarting all. It would not connect, I tried to remove the 
computer name from LDAP and re-join the domain, that was successfully 
joined and the entry reappears in LDAP, but it times out when trying to 
connect to that host via the network or smbclient on the local box. All 
other workstations (Win2003, WinXP) and the PDC (FreeBSD Unix) are 
working perfectly. Since it is timing out, I tried the IP address with 
smbclient and browsing  and it works. For some reason, my 
/etc/resolv.conf was empty, so I fixed, but still timing out. So, I 
looked at Winbind and found a potential issue with BUILTIN?...


[2011/04/12 17:37:49.028871, 10] 
winbindd/winbindd_util.c:846(find_lookup_domain_from_sid)

  calling find_domain_from_sid
[2011/04/12 17:37:49.029439, 10] 
winbindd/winbindd_cache.c:418(wcache_fetch_seqnum)

  wcache_fetch_seqnum: BUILTIN not found
[2011/04/12 17:37:49.029462, 10] 
winbindd/winbindd_cache.c:4709(wcache_store_ndr)

  could not fetch seqnum for domain BUILTIN
[2011/04/12 17:37:56.047749,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2011/04/12 17:37:56.047883, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn INTERFACE_VERSION
[2011/04/12 17:37:56.047909,  3] 
winbindd/winbindd_misc.c:352(winbindd_interface_version)

  [ 5304]: request interface version
[2011/04/12 17:37:56.047952, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[5304:INTERFACE_VERSION]: deliverd 
response to client

[2011/04/12 17:37:56.048022, 10] winbindd/winbindd.c:620(process_request)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2011/04/12 17:37:56.048045,  3] 
winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)

  [ 5304]: request location of privileged pipe
[2011/04/12 17:37:56.048101, 10] 
winbindd/winbindd.c:716(winbind_client_response_written)
  winbind_client_response_written[5304:WINBINDD_PRIV_PIPE_DIR]: 
deliverd response to client
[2011/04/12 17:37:56.048191,  6] 
winbindd/winbindd.c:816(winbind_client_request_read)

  closing socket 22, client exited
[2011/04/12 17:37:56.048233,  6] winbindd/winbindd.c:768(new_connection)
  accepted socket 22
[2011/04/12 17:37:56.048276, 10] winbindd/winbindd.c:593(process_request)
  process_request: Handling async request 5304:SID_TO_GID
[2011/04/12 17:37:56.048298,  3] 
winbindd/winbindd_sid_to_gid.c:47(winbindd_sid_to_gid_send)

  sid to gid S-1-5-21-4199262639-1984306771-3339216219-512
[2011/04/12 17:37:56.048347, 10] lib/gencache.c:345(gencache_get_data_blob)
  Returning expired cache entry: key = 
IDMAP/SID2GID/S-1-5-21-4199262639-1984306771-3339216219-512, value = , 
timeout = Wed Dec 31 19:00:00 1969
[2011/04/12 17:37:56.048387, 10] 
winbindd/winbindd_util.c:843(find_lookup_domain_from_sid)


find_lookup_domain_from_sid(S-1-5-21-4199262639-1984306771-3339216219-512)
[2011/04/12 17:37:56.048414, 10] 
winbindd/winbindd_util.c:853(find_lookup_domain_from_sid)

  calling find_our_domain
[2011/04/12 17:37:57.609408,  0] 
winbindd/winbindd.c:195(winbindd_sig_term_handler)

  Got sig[15] terminate (is_parent=1)

I tried emptying the contents of /var/cache/samba, still no help. Here 
is smb.conf on the problem PC, which nothing has changed since it last 
worked...


[global]
netbios name = MEDIA
server string = Media Server %v - Music, Videos and Photos
workgroup = WEBTENT
realm = WEBTENT
security = DOMAIN
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
wins server = 192.168.1.21
ldap suffix = dc=webtent,dc=org
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=webtent,dc=org
idmap backend = ldap:ldap://mail.webtent.org
idmap uid = 1-2
idmap gid = 1-2


Can someone help me determine the next step in tracking down this issue? 
Or, how I could start all over with this box (already tried re-join)?


Thanks, Robert

--
Robert 


Re: [Samba] samba+kerberos problem

2011-04-11 Thread Robert Freeman-Day

On 04/10/2011 11:58 PM, Jian Li wrote:
> Hi, I get some problem with samba when working on kerberos, would you
> give me some advise? thanks
> 
> /etc/samba/smb.conf:
> [global]
> workgroup = EXAMPLE
> #use kerberos keydtab = yes
> realm =LAB.BOS.REDHAT.COM
> security = ads
> #security = user
> server signing = auto
> kerberos method = system keytab
> [public]
> path = /tmp/test
> read only = no
> writable = yes
> 
> 
>> [root@hp-xw6600-01 ~]# kinit -k root
>> [root@hp-xw6600-01 ~]# mount.cifs 
>> //intel-sugarbay-dh-01.rhts.eng.rdu.redhat.com/public /mnt -o 
>> sec=krb5,user=root,uid=root
>> [root@hp-xw6600-01 ~]# ls /mnt
>> ls: reading directory /mnt: Permission denied
>>

We should get some extra info about your environment:

What version of Samba/mount.cifs is hp-xw6600-01 using?  What is the
cifs server running, Win (version) or Lin and if Lin, what version of
Samba?  Finally, what is the KDC, Win (version) or Lin?

-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available

2011-03-20 Thread Robert Freeman-Day

Bob,

A good thing I do is search the release history.  I do a google search
similar to this one:

"smb.conf changes" site:samba.org/samba/history

This, in combination with "testparm -sv"  Gives me a good idea of what
is up.

Thanks,
Robert

On 03/18/2011 09:27 AM, Hoover, Tony wrote:
>  
> When I upgrade a major revision (3.4.x -> 3.5.x ), I always get a listing
> from "testparm -v" before and after the upgrade to make sure that a
> parameter (that I didn't specify in the config) didn't change it's default
> setting.
> 
> --
> Tony Hoover, Network Administrator
> KSU - Salina, College of Technology and Aviation
> (785) 826-2660
> 
> "Don't Blend in..."
> --
>  
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On Behalf Of Eckert, Robert D
> Sent: Thursday, March 17, 2011 11:01 AM
> To: 'Jeremy Allison'; 'Chris Smith'
> Cc: 'sa...@samba.org'; 'samba-annou...@samba.org';
> 'samba-techni...@samba.org'
> Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security
> Releases Available
> 
> Greetings,
> 
> Can I go directly from 3.4.7 to the new 3.5.8 without installing any
> intermediate versions? Or is there a different route I should follow?
> 
> Thank you for your help,
> 
> -Bob
> 
> 
> %%
> Bob Eckert
> Principal Applications/Systems Analyst
> Indiana University Information Technology Services WebTech Team
> 2711 East 10th Street - E5 150.25
> Bloomington, IN 47408
> Email: eck...@indiana.edu
> Voice: (812) 855-7209 Fax: (812) 856-5242
>
> 
> 
> -Original Message-
> From: samba-announce-boun...@lists.samba.org
> [mailto:samba-announce-boun...@lists.samba.org] On Behalf Of Jeremy Allison
> Sent: Monday, February 28, 2011 11:37 AM
> To: Chris Smith
> Cc: sa...@samba.org; samba-annou...@samba.org; samba-techni...@samba.org
> Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security
> Releases Available
> 
> On Mon, Feb 28, 2011 at 10:15:23AM -0500, Chris Smith wrote:
>> On Mon, Feb 28, 2011 at 8:35 AM, Karolin Seeger  wrote:
>>> Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to 
>>> address CVE-2011-0719.
>>
>> Will there be a new 3.5.7 Jumbo Patch available for those using it 
>> with 3.5.6 and strict allocate? Or does the current 3.5.6 Jumbo Patch 
>> work fine with 3.5.7 (I'm assuming it's not included as there was no 
>> mention of any other fixes in the release notes)?
> 
> Both patches should work fine together. As per our policy, security fix
> releases contain no other changes than the security bugfix.
> 
> Just take the 3.5.7 release and apply the jumbo patch on top of it, as you
> did with 3.5.6.
> 
> A 3.5.8 will be released soon with all the pending patches we were planning
> the next release before it got preempted by the security fix.
> 
> Hope this helps,
> 
> Jeremy.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

-- 


Robert Freeman-Day
LSP Services - UNIX/Linux
2711 E. 10th St.
Bloomington, IN 47405

GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
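
The before/after `testparm` comparison described in the message above, added here as an example and not part of the original thread. It reports effective values that differ between two dumps for parameters the administrator never set in smb.conf; the dumps and values are constructed and are not the defaults of any real Samba release.

```python
"""List effective smb.conf values that changed across an upgrade without being set."""


def parse_params(dump):
    """Return {section: {parameter: value}} from smb.conf or `testparm -sv` text."""
    sections, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif "=" in line and current is not None:
            # Lines before the first section (testparm's banner) are skipped.
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def silent_changes(before_dump, after_dump, smb_conf):
    """Return (section, parameter, old, new) for values that changed implicitly.

    old is None for a parameter that only exists after the upgrade,
    new is None for one that disappeared.
    """
    old, new, explicit = (parse_params(t) for t in (before_dump, after_dump, smb_conf))
    report = []
    for section in sorted(set(old) | set(new)):
        was, now = old.get(section, {}), new.get(section, {})
        set_by_admin = explicit.get(section, {})
        for param in sorted(set(was) | set(now)):
            if param in set_by_admin or was.get(param) == now.get(param):
                continue
            report.append((section, param, was.get(param), now.get(param)))
    return report


# Constructed inputs: the admin's smb.conf and two `testparm -sv` dumps.
SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ADS
    log level = 1
"""

BEFORE = """\
Load smb config files from /etc/samba/smb.conf
[global]
\tworkgroup = EXAMPLE
\tsecurity = ADS
\tlog level = 1
\twide links = Yes
\tclient ntlmv2 auth = No
"""

AFTER = """\
Load smb config files from /etc/samba/smb.conf
[global]
\tworkgroup = EXAMPLE
\tsecurity = ADS
\tlog level = 1
\twide links = No
\tclient ntlmv2 auth = No
\tsmb encrypt = auto
"""

if __name__ == "__main__":
    for section, param, was, now in silent_changes(BEFORE, AFTER, SMB_CONF):
        print(f"[{section}] {param}: {was!r} -> {now!r}")
```

On a real host the two dumps come from running `testparm -sv` before and after the package upgrade and saving the output to files.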

Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security Releases Available

2011-03-17 Thread Eckert, Robert D
Greetings,

Can I go directly from 3.4.7 to the new 3.5.8 without installing
any intermediate versions? Or is there a different route I should
follow?

Thank you for your help,

-Bob


%%
Bob Eckert
Principal Applications/Systems Analyst
Indiana University Information Technology Services
WebTech Team
2711 East 10th Street - E5 150.25
Bloomington, IN 47408
Email: eck...@indiana.edu
Voice: (812) 855-7209 Fax: (812) 856-5242
 


-Original Message-
From: samba-announce-boun...@lists.samba.org 
[mailto:samba-announce-boun...@lists.samba.org] On Behalf Of Jeremy Allison
Sent: Monday, February 28, 2011 11:37 AM
To: Chris Smith
Cc: sa...@samba.org; samba-annou...@samba.org; samba-techni...@samba.org
Subject: Re: [Samba] [Announce] Samba 3.5.7, 3.4.12 and 3.3.15 Security 
Releases Available

On Mon, Feb 28, 2011 at 10:15:23AM -0500, Chris Smith wrote:
> On Mon, Feb 28, 2011 at 8:35 AM, Karolin Seeger  wrote:
> > Samba 3.5.7, 3.4.12 and 3.3.15 are security releases in order to
> > address CVE-2011-0719.
> 
> Will there be a new 3.5.7 Jumbo Patch available for those using it
> with 3.5.6 and strict allocate? Or does the current 3.5.6 Jumbo Patch
> work fine with 3.5.7 (I'm assuming it's not included as there was no
> mention of any other fixes in the release notes)?

Both patches should work fine together. As per our policy, security
fix releases contain no other changes than the security bugfix.

Just take the 3.5.7 release and apply the jumbo patch on top of
it, as you did with 3.5.6.

A 3.5.8 will be released soon with all the pending patches we
were planning the next release before it got preempted by the
security fix.

Hope this helps,

Jeremy.


Re: [Samba] Should krb.conf and krb5.conf have entries for multiple domain controllers?

2011-03-01 Thread Robert Freeman-Day

On 02/28/2011 09:29 PM, Robinson, Eric wrote:
> There are three DCs in my Windows AD domain, but I have 
> noticed that only one of them is referenced in my krb.conf 
> and krb5.conf. Should there be a reference to one or two of 
> the other domain controllers? If the DC goes down, how will 
> my Samba/Winbind servers authenticate?
>  
> 
> --
> Eric Robinson
> 
> 
Eric,

There should be no problem putting each DC in your krb.conf file.  It
does allow for failover for kerberos.  In your smb.conf file you will
also want to list the servers in your "password server" parameter,
separated by spaces.

Depending on how your samba/winbind is implemented, and the default way
most windows domain member machines work, is that they will go to
kerberos first then go to lanman/ntlm/ntlmv2.

Robert

-- 


Robert Freeman-Day

https://launchpad.net/~presgas
GPG Public Key:
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&search=0xBA9DF9ED3E4C7D36


[Samba] Is it a good idea/required to run winbind

2011-02-23 Thread Robert Cohen

We've been running a samba service for many years but have stuck using
3.0.24. Every version I tried after 3.0.24 seemed to have reliability
problems.

But if every version since 3.0.24 was broken I assume someone would have
noticed by now :-). So I'm guessing we're doing something idiosyncratic
and/or stupid.


The config we have is that our samba server (solaris) is getting uid/gid
info using NSS from ldap.

But all the users are also in an ADS domain which is synchronised with the
ldap servers by an identity management system.

So we do authentication from ADS.

The relevant parts of the config are

  netbios name = xxx
  security = ADS
  realm = yyy.domain

  password level = 0
  local master = no
  domain master = no
  encrypt passwords = yes

The samba server was joined to the domain using "net ads join".

We were running smbd and nmbd but not winbind (since we weren't using samba
for NSS).

And that worked fine up through 3.0.24.
After 3.0.24, it stopped working reliably.
From memory the server kept dropping out of the domain.

I enquired on this list about the problems we were having and the best
advice I received was that winbind was now a required service.

So I tried using winbind and it seemed to work better, but still not
completely reliably. So we just stayed on 3.0.24

Recently changes to the domain mean that we will need to run a recent
version of samba. So I've been looking into upgrading.

I ran up a copy of 3.5.6 using winbind.
But testing indicated that it didn't appear to be respecting secondary
groups for the users. It was picking up the primary group for a user ie the
one in the password file. But not the secondary groups (specified in
/etc/group).

Then someone suggested trying without winbind.
And that seems to be working OK.


But my question is, is there something that I need to be using winbind for?
The documentation is a little confusing.

I can't find anything that says categorically that winbind is necessary.
But the winbind man page says

Even if winbind is not used for nsswitch, it still provides a service to
smbd, ntlm_auth and the pam_winbind.so PAM module, by managing connections
to domain controllers

And chapter 24 of the how to says

Fact: Winbind is needed to handle users who use workstations that are NOT
part of the local domain.

But that appears to be to avoid name clashes. Here we're using a unified
namespace (from NSS) so name clashes shouldn't be a problem.


So was the earlier recommendation I received that winbind was compulsory
either incorrect or outdated?

Various documentation implies that using winbind without idmap guid (in
netlogon proxy only mode) should work the same as not using winbind. In both
cases they will pick up user info via NSS.

So why is the behaviour different when using winbind and not using winbind?




===
Robert Cohen
Systems & Desktop Services
Division of Information
R.G Menzies Building
Building 2
The Australian National University
Canberra ACT 0200 Australia
 
T: +61 2 6125 8389
F: +61 2 6125 7699
http://www.anu.edu.au
 
CRICOS Provider #00120C
===




[Samba] Trouble Using Samba 3.5.6 in ADS Domain

2011-02-23 Thread Robert Einsle
Hi list,

I am trying to use a newly installed Samba 3.5.6 in an ADS domain.

First I configured Kerberos, and it works: I can "kinit administrator",
and "klist" works.

Second, I configured Samba:

smb.conf:

--- cut ---
   workgroup = KINDER
   netbios name = DSCHUNGEL
   realm = KINDER.LAN
   security = ADS
   wins server = 192.168.120.15
   passdb backend = tdbsam
   load printers = yes
   printing = cups
   printcap name = cups
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   create mask = 0775
   directory mask = 0775
   dos charset = ISO8859-1
   idmap backend = ad
   winbind nss info = rfc2307
   winbind enum users = Yes
   winbind enum groups = Yes
   winbind use default domain = Yes
   winbind nested groups = Yes
   idmap uid = 2500-2
   idmap gid = 2500-2
   template shell = /bin/bash
   dns proxy = no
   encrypt passwords = true
   preferred master = no
   template homedir = /home/%U
   enhanced browsing = no
--- cut ---

After "net ads join -U administrator" I can query users from ADS with
"wbinfo -u" and groups with "wbinfo -g".

The next step will be that users can log in to the server.

nsswitch.conf:
--- cut ---
passwd: compat winbind
group:  compat winbind
shadow: compat winbind
--- cut ---

But a "getent passwd" doesn't show me users from the ADS.

Is anything missing?

I've done it with this article:
http://www.enterprisenetworkingplanet.com/netos/article.php/3487081/Join-Samba-3-to-Your--Active-Directory-Domain.htm

Any hints?

Thanks a lot

Robert

-- 

Robert Einsle
rob...@einsle.de
http://www.einsle.de 



Re: [Samba] Initializing a Samba3 ldapsam

2011-02-21 Thread Robert W. Smith
On Mon, 2011-02-21 at 21:08 +1300, Mike Brady wrote:

> I have spent the last few days attempting to get a Samba3 PDC/BDC  
> setup with an LDAP SAM and need some clarification on exactly what  
> should/can be initialized in the LDAP SAM.
> 
> As my main sources of information/inspiration I have been using
> http://http://wiki.samba.org/index.php/Replicated_Failover_Domain_Controller_and_file_server_using_LDAP
> and the smbldap-tools source code, but have also been reading "Samba by
> Example" and the Samba How-tos.  Unfortunately there are inconsistencies
> that I can not resolve.
> 
> The short version of the question is - is there a full specification  
> (preferably in the form of an LDIF file) of everything that can/should  
> be initialized in the LDAP SAM?
> 
> The longer version is:
> 
> 1) Both the Wiki and smbldap-tools have sambaGroupType set to 5 for  
> the BUILTIN groups.  I found this reference saying that the  
> sambaGroupType should be 4 for BUILTIN groups.
> http://samba.2283325.n4.nabble.com/LDAP-backend-and-sambaGroupType-for-builtin-groups-td2446893.html
> Which is correct?
> 
> 2) The Wiki page has all the BUILTIN groups with "full domain" SIDs,  
> but smbldap-tools has what I think are the correct SID for these  
> groups.  Which is correct?
> 
> e.g. for Account Operators the Wiki has  
> S-1-5-21-3809161173-2687474671-1432921517-548 and smbldap-tools has  
> S-1-5-32-548.
> 
> 3) http://support.microsoft.com/kb/243330  has a long list of the well  
> known SIDs, many of which do not make sense in a Samba domain, but is  
> there a full list of all the ones that do make sense for Samba and  
> what the LDAP SAM should be initialized to to implement them?
> 
> 
> Thanks
> 
> Mike
> 
> 
> 
> 
> This message was sent using IMP, the Internet Messaging Program.
> 
> 

Mike,

Try this from the Official Samba How-To

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

In the section, "Default Users, Groups, and Relative
Identifiers". The only three _required_ groups are:
  Domain Admins, RID=512
  Domain Users, RID=513
  Domain Guests, RID=514

In addition to these groups I also have the following domain users just
for completeness: 
  Domain Administrator, RID=500
  Domain Guest, RID=501


The builtin groups (RIDS=544 through 533) are not listed as required,
but you can put them in your ldapsam backend. You will have to add them
with, sambaGroupType=4, if you want them to show up in usermgr.exe.

If I have got the correct understanding, SIDs that start with S-1-2-21
will be domain SIDs and will be followed by the domain sid and then a
RID. The SIDs that start with S-1-2-32 are for local SIDs (machine local
users and groups) and should be put in a machine local backend (at least
when I get the time I will look into putting them into a local tdbsam on
the local server).

Unfortunately, as you have found, you have to piece together a lot of
different sources to find the correct working solution for your specific
situation. Although I have a working ldapsam backend I wish I could take
the time and recreate and redo my Samba Domain with the knowledge that I
have gained over the past three plus years (that I have incorporated
LDAP). 

However, I can find the time to try and normalize my old LDIF files and
format them with what I think a "minimal" Samba Domain should contain
and send them to you but these will most likely be specific just to a
Samba3+LDAP domain (I have no intention of going to Samba4 any time
soon).

Bob
--bs
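
Added example (not from the thread, Samba or smbldap-tools): a small Python check of ldapsam group entries against the points discussed in this exchange, namely BUILTIN groups under S-1-5-32 rather than the domain SID, sambaGroupType 4 for BUILTIN groups as the reply recommends, and the three required domain groups being present. The tuple layout, function names and sample entries are assumptions constructed for illustration; the domain SID is the one quoted in the question.

```python
import re

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")
REQUIRED_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}
BUILTIN_ALIAS_RIDS = range(544, 553)  # well-known aliases: Administrators (544) to Replicator (552)

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities])."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2)[1:].split("-")]

def classify(sid):
    """Return (kind, rid) where kind is 'builtin', 'domain' or 'other'."""
    auth, subs = parse_sid(sid)
    if auth == 5 and subs[0] == 32 and len(subs) == 2:
        return "builtin", subs[1]
    if auth == 5 and subs[0] == 21 and len(subs) == 5:
        return "domain", subs[4]
    return "other", subs[-1]

def audit_groups(entries, domain_sid):
    """Check (cn, sambaSID, sambaGroupType) tuples and return a list of findings."""
    findings, seen = [], set()
    for cn, sid, gtype in entries:
        try:
            kind, rid = classify(sid)
        except ValueError as exc:
            findings.append("%s: %s" % (cn, exc))
            continue
        if kind == "domain" and not sid.startswith(domain_sid + "-"):
            findings.append("%s: SID is not under this domain's SID" % cn)
        elif kind == "domain" and rid in BUILTIN_ALIAS_RIDS:
            findings.append("%s: BUILTIN RID %d under the domain SID, expected S-1-5-32-%d"
                            % (cn, rid, rid))
        elif kind == "domain":
            seen.add(rid)
        elif kind == "builtin" and gtype != 4:
            findings.append("%s: sambaGroupType=%d, the reply uses 4 for BUILTIN" % (cn, gtype))
    findings += ["missing required group %s (RID %d)" % (name, rid)
                 for rid, name in sorted(REQUIRED_GROUP_RIDS.items()) if rid not in seen]
    return findings

# Constructed sample entries (assumption); the domain SID is the one quoted in the question.
DOMAIN_SID = "S-1-5-21-3809161173-2687474671-1432921517"
SAMPLE = [("Domain Admins", DOMAIN_SID + "-512", 2), ("Domain Users", DOMAIN_SID + "-513", 2),
          ("Account Operators", DOMAIN_SID + "-548", 5),  # domain-SID form, as on the Wiki page
          ("Print Operators", "S-1-5-32-550", 5), ("Backup Operators", "S-1-5-32-551", 4)]
```

Calling `audit_groups(SAMPLE, DOMAIN_SID)` reports the Account Operators entry, the Print Operators group type, and the missing Domain Guests group.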


