Re: [Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
What backend are you using? I can't get a single authentication to work whether I reboot or not. The new or old syntax for hash does not work for me. I get a segfault in the hash module when compiled as shared modules. I've mentioned all that in the bug report.

Robert

On Thu, Dec 22, 2011 at 9:31 AM, Dale Schroeder <d...@briannassaladdressing.com> wrote:
> That is correct - it did not fix the problem - old or new idmap syntax.
> Any time I restart the processes, such as after a config change, winbind auth fails.
> "getent group" yields the syslog error shown in the original post.
> "wbinfo -i user" fails even though "user" appears in "getent passwd".
> Reboot the system and everything is functioning again until the next time nmbd/smbd/winbind are restarted, after which winbind is nonfunctioning once again.
>
> Dale
>
> On 12/22/2011 9:02 AM, David Roid wrote:
>> Didn't work? I just installed another opensuse 12.1, with Samba 3.6.1 using following idmap settings:
>>
>> idmap config * : range = ...
>> idmap config * : backend = ...
>> idmap config DOM : range = ...
>> idmap config DOM : default = yes
>> idmap config DOM : backend = ...
>>
>> then join the domain, no problem at all.
>>
>> 2011/12/22 Dale Schroeder
>>> David, thanks for the help, but I'm afraid that workaround does not work for me either.
>>> Robert, thanks for furnishing all that useful info to bugzilla.
>>> Jeremy, thanks for the update on https://bugzilla.samba.org/show_bug.cgi?id=8384.
>>>
>>> I feel like I'm at the Academy Awards.
>>> Merry Christmas to all. <[];o{P>
>>>
>>> Dale
>>>
>>> On 12/21/2011 11:42 PM, Robert LeBlanc wrote:
>>>> I tried to add "idmap config DOMAIN : default = yes" and it does not help. I'm using hash. I've found some interesting things that I've included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.
>>>>
>>>> Robert
>>>>
>>>> On Wed, Dec 21, 2011 at 5:33 PM, David Roid wrote:
>>>>> Been there, you can try to add either "idmap config DOMAIN : default = yes", or use old-fashioned "idmap backend = ..." + "idmap uid = ..." + "idmap gid = ..." to replace "idmap config * : ...", I don't know which one actually fixed it.
>>>>>
>>>>> 2011/12/22 Dale Schroeder
>>>>>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>>>>>
>>>>>> Package: winbind
>>>>>> Version: 2:3.6.1-3
>>>>>> Severity: important
>>>>>>
>>>>>> Dear Maintainer,
>>>>>>
>>>>>> After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but has the correct domain SID. I believe the problem may exist around there. I did upgrade the 'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specified in the man page without any luck. Name to SID and SID to name works along with user-domgroups, but user-groups does not work. 'wbinfo --group-info=group' fails with a similar error as 'wbinfo -i user'. I'm going to try to get back to 3.5.11.
>>>>>>
>>>>>> -- System Information:
>>>>>> Debian Release: wheezy/sid
>>>>>> APT prefers testing
>>>>>> APT policy: (500, 'testing')
>>>>>> Architecture: amd64 (x86_64)
>>>>>>
>>>>>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>>>>>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>>>>>> Shell: /bin/sh linked to /bin/dash
>>>>>>
>>>>>> Versions of packages winbind depends on:
>>>>>> ii adduser 3.113
Re: [Samba] Winbind authentication and wbinfo -i user no longer work after upgrading to 3.6.1
I tried to add "idmap config DOMAIN : default = yes" and it does not help. I'm using hash. I've found some interesting things that I've included in bug 8676 https://bugzilla.samba.org/show_bug.cgi?id=8676.

Robert

On Wed, Dec 21, 2011 at 5:33 PM, David Roid wrote:
> Been there, you can try to add either "idmap config DOMAIN : default = yes", or use old-fashioned "idmap backend = ..." + "idmap uid = ..." + "idmap gid = ..." to replace "idmap config * : ...", I don't know which one actually fixed it.
>
> 2011/12/22 Dale Schroeder
>> Originally filed by Robert LeBlanc as Debian Bug # 652679 - <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652679>
>>
>> Package: winbind
>> Version: 2:3.6.1-3
>> Severity: important
>>
>> Dear Maintainer,
>>
>> After upgrading to 3.6.1 I am no longer able to login to Debian using my Active Directory account. 'winbind -u', 'winbind -g', 'winbind -t' and many others work fine, but 'winbind -i user' returns 'failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND Could not get info for user user'. Changing the verbosity of the logs, I find 'winbindd/winbindd_dual.c:1306 (fork_domain_child) fork_domain_child called without domain.'. The previous wbint_Sid2Uid struct printout shows that dom_name is NULL, but has the correct domain SID. I believe the problem may exist around there. I did upgrade the 'idmap backend = hash' to the new format 'idmap config * : backend = hash' as specified in the man page without any luck. Name to SID and SID to name works along with user-domgroups, but user-groups does not work. 'wbinfo --group-info=group' fails with a similar error as 'wbinfo -i user'. I'm going to try to get back to 3.5.11.
>>
>> -- System Information:
>> Debian Release: wheezy/sid
>> APT prefers testing
>> APT policy: (500, 'testing')
>> Architecture: amd64 (x86_64)
>>
>> Kernel: Linux 3.1.0-1-amd64 (SMP w/8 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages winbind depends on:
>> ii adduser 3.113
>> ii libc6 2.13-21
>> ii libcap2 1:2.22-1
>> ii libcomerr2 1.42-1
>> ii libgssapi-krb5-2 1.10+dfsg~alpha1-6
>> ii libk5crypto3 1.10+dfsg~alpha1-6
>> ii libkrb5-3 1.10+dfsg~alpha1-6
>> ii libldap-2.4-2 2.4.25-4+b1
>> ii libpam0g 1.1.3-6
>> ii libpopt0 1.16-1
>> ii libtalloc2 2.0.7-3
>> ii libtdb1 1.2.9-4+b1
>> ii libwbclient0 2:3.6.1-3
>> ii lsb-base 3.2-28
>> ii samba-common 2:3.6.1-3
>> ii zlib1g 1:1.2.3.4.dfsg-3
>>
>> Versions of packages winbind recommends:
>> ii libpam-winbind 2:3.6.1-3
>>
>> winbind suggests no packages.
>>
>> -- no debconf information
>>
>> I also have this error, and reported as follows:
>>
>> Robert,
>>
>> Same problem here, and I have not seen anyone mention this on the Samba list. Systems are fully updated and testparm does not return any errors. idmap backend is rid notated in the new format. All deprecated parameters have been removed.
>>
>> On my systems, I have found that full functionality returns after a reboot; however, if samba/winbind processes are restarted for any reason, AD authentication again no longer works. As with you, wbinfo -u/-g continues to work, as does getent passwd. getent group only returns linux groups. Another reboot will return winbind once again to full functionality.
>>
>> Even at log level 10, error messages have been hard to find among the many winbind logs. At the time of failure, the one I consistently find is in syslog:
>> winbindd[4186]: ads_ranged_search failed with: Time limit exceeded.
>>
>> ------
>>
>> This morning, I recreated the error by restarting Samba/winbind at 07:47. The only suspicious level 10 log entries found from that timeframe are:
>>
>> Dec 21 07:47:25 debinsp3200 winbindd[3489]: [2011/12/21 07:47:25.660769, 0] winbindd/wi
Re: [Samba] Default Hidden Disk Shares
The Windows client will hide any share that ends with a '$' whether or not it is an administrator share; it doesn't know or care. In this case there is no difference between hidden and normal because to Windows they are both hidden. Give it a try sometime. If you hit the server with a Mac client, it shows all the shares (at least it used to, I haven't tried in a long time), even the c$, d$, etc. I think the Linux SMB clients also do the same. So relying on the 'server' to 'hide' these shares is a very false sense of security. It's the actual client that does the hiding from normal users.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Jul 5, 2010 at 2:43 AM, Atkinson, Robert wrote:
> Robert, the discussion was around the hidden '$' shares, not normal ones.
>
> Rob.
>
> From: Robert LeBlanc [mailto:rob...@leblancnet.us]
> Sent: 02 July 2010 19:15
> To: Atkinson, Robert
> Cc: Jeremy Allison; samba@lists.samba.org
> Subject: Re: [Samba] Default Hidden Disk Shares
>
> On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert wrote:
>> Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?
>
> This is not true, the share is advertised to anyone who asks. The Windows client only hides shares that end with a '$'. By default Windows gives access only to administrators (by default), but they are by no means hidden.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Default Hidden Disk Shares
On Fri, Jul 2, 2010 at 2:05 AM, Atkinson, Robert wrote:
> Interesting to see you say it's dangerous. The way the Windows version works is that you have to be part of the Administrator group to be able to see them, which I would have thought secure enough?

This is not true, the share is advertised to anyone who asks. The Windows client only hides shares that end with a '$'. By default Windows gives access only to administrators (by default), but they are by no means hidden.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
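Added example, not code from the thread or from Samba: a small Python audit of smb.conf that finds shares whose only "protection" is the trailing '$' Robert describes, i.e. '$' shares with no 'valid users', 'read list' or 'write list' entry. The sample smb.conf, its share names and the choice of those three parameters as the restriction test are assumptions of this example.

```python
"""Audit smb.conf for '$' shares that rely on client-side hiding alone.

Added example, not code from the thread. Assumes an smb.conf in the
usual INI-like layout ([section] headers, 'key = value' lines, '#' or ';'
comments). Treating these three parameters as "the share is restricted
by identity" is an assumption of this check, not a Samba rule.
"""
import re
from typing import Dict, List

# Presence of any of these means the share is restricted by who you are,
# not merely hidden by the client's '$' convention (assumption).
RESTRICTING_KEYS = ("valid users", "read list", "write list")

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section_name: {param: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace differences, so keys are lower-cased and whitespace-collapsed.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def hidden_only_shares(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Shares ending in '$' that carry no identity-based restriction.

    [global] is configuration, not a share, so it is skipped. The check is
    deliberately conservative: any restricting key present, even with an
    odd value, counts as an attempt to restrict and is not reported.
    """
    findings = []
    for name, params in sections.items():
        if name.lower() == "global" or not name.endswith("$"):
            continue
        if not any(k in params for k in RESTRICTING_KEYS):
            findings.append(name)
    return findings


# Constructed sample: two '$' shares, one restricted by group, one not.
SAMPLE_SMB_CONF = """
[global]
   workgroup = DOMAIN
   security = ADS

[admin$]
   path = /srv/admin
   ; "hidden" by name only; any client that asks is told it exists
   writable = yes

[backup$]
   path = /srv/backup
   valid users = @DOMAIN\\backup-operators
   writable = yes

[public]
   path = /srv/public
   guest ok = yes
"""

if __name__ == "__main__":
    for share in hidden_only_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] relies on the trailing '$' alone; restrict it with "
              "'valid users' or read/write lists rather than trusting the client")
```

On a live server, feed the contents of the real smb.conf to parse_smb_conf instead of the sample.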
Re: [Samba] Samba packages for debian squeeze
On Tue, Jun 15, 2010 at 10:40 PM, Christian PERRIER wrote:
> If they don't fail, actions made in postinst scripts are not logged. If they fail, the "apt-get install" or "aptitude install" command is expected to fail...
>
> You mention a machine that has 3.4.8 backported package and no alternative.
>
> Can you try to manually run the command I mentioned in my previous post (as root, of course)?
>
> Can you also run "dpkg -L samba-common-bin" on that machine?

The update-alternatives completed without any errors and the net command is now successful. Here is the output from dpkg.

/.
/usr
/usr/share
/usr/share/doc
/usr/share/doc/samba-common-bin
/usr/share/doc/samba-common-bin/NEWS.Debian.gz
/usr/share/doc/samba-common-bin/README.build.gz
/usr/share/doc/samba-common-bin/changelog.Debian.gz
/usr/share/doc/samba-common-bin/copyright
/usr/share/man
/usr/share/man/man7
/usr/share/man/man7/samba.7.gz
/usr/share/man/man8
/usr/share/man/man8/net.samba3.8.gz
/usr/share/man/man8/smbpasswd.8.gz
/usr/share/man/man5
/usr/share/man/man5/smb.conf.5.gz
/usr/share/man/man5/smbpasswd.5.gz
/usr/share/man/man5/lmhosts.5.gz
/usr/share/man/man1
/usr/share/man/man1/testparm.samba3.1.gz
/usr/share/man/man1/nmblookup.samba3.1.gz
/usr/bin
/usr/bin/smbpasswd
/usr/bin/net.samba3
/usr/bin/testparm.samba3
/usr/bin/nmblookup.samba3

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba packages for debian squeeze
On Tue, Jun 15, 2010 at 2:43 PM, Christian PERRIER wrote:
> Quoting Robert LeBlanc (rob...@leblancnet.us):
>
>> I have had 'net' not correctly registered on some squeeze machines. Since I don't use the net command often, I just run net.samba3. I'm sure you could do an `update-alternatives --config net` as root and choose to use net.samba3 to restore the use of just 'net'.
>
> Thanks for your input, Robert.
>
> The command that's run in samba-common-bin's postinst script is:
>
> update-alternatives --install /usr/bin/net net /usr/bin/net.samba3 10 \
>    --slave /usr/share/man/man8/net.8.gz net.8.gz /usr/share/man/man8/net.samba3.8.gz
>
> It's surprising to hear that the "net" alternative wasn't properly registered after installing samba-common-bin. More details about this would be in any case appreciated. And a reproducible test case is certainly worth a bug report in Debian against samba-common-bin.

I haven't run into the problem on Squeeze recently, personally, so it may have gotten fixed in the last couple of releases. I did have a lenny box with 3.4.8 from backports that had the problem a couple of days ago, but I did two today without any problems. I just chalked it up as a fluke and used the full command and went on with my life. The server does not have any net entries in /etc/alternatives. Is there a log I can look at and see what may have failed? If there is, I can submit a bug, but I can't reproduce it on demand.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Microsoft OneNote 2007 painfully slow
On Tue, Jun 15, 2010 at 4:07 PM, Andrew Masterson <andrew.master...@nuvistaenergy.com> wrote:
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Robert LeBlanc
> Sent: Monday, June 07, 2010 2:45 PM
> To: samba@lists.samba.org
> Subject: [Samba] Microsoft OneNote 2007 painfully slow
>
> We have a user trying to share a OneNote 2007 notebook and it takes minutes to load a 20 KB notebook. I've opened a 500 KB Excel spreadsheet from the same share and it took seconds. Has anyone else run into this problem? We are running Samba 3.4.8 on Debian Squeeze.
>
> Thanks,
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
> ---
>
> When I have run into stuff like this it is because an application is trying to modify security permissions on the files that it doesn't have the right to (like with creator\owner, etc.). Given that M$ is fond of creating temporary lock files, etc. you may want to start looking there first.
>
> -=Andrew

I don't recall seeing any temp files like Word/Excel/etc 2007 (we ran into that problem; in fact I still have a script running every 15 minutes to scan the file system and 'fix' the permissions). I'll watch the directory as I open up the NoteBook and see if I can see any funny business.

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba packages for debian squeeze
On Tue, Jun 15, 2010 at 1:47 PM, Christian PERRIER wrote:
> Quoting Matthew Delves (m.del...@ballarat.edu.au):
>
>> Hey all,
>> I'm trying to hook a debian squeeze server up to a windows active directory domain, though the packages provided with Debian Squeeze don't have the net command. Is there a package available that I can use to install the net command from?
>
> net (indeed /usr/bin/net.samba3, /usr/bin/net being provided through Debian alternatives system) is included in Debian's samba-common-bin package. This package is recommended by samba-common, so a standard Debian install with the "samba" binary package should have it.
>
> If you don't have it installed, this is probably because the "install Recommends" option of apt ('APT::Install-Recommends "false";' in /etc/apt/apt.conf)

I have had 'net' not correctly registered on some squeeze machines. Since I don't use the net command often, I just run net.samba3. I'm sure you could do an `update-alternatives --config net` as root and choose to use net.samba3 to restore the use of just 'net'.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] pam_winbind and krb5_auth
On Tue, Jun 8, 2010 at 10:48 PM, Matthew Delves wrote:
> >>> On 9/06/2010 at 1:22 pm, Robert LeBlanc wrote:
>> If you configure SSH and NFS, you get passwordless logins and mounts. I think mount.smb can use it as well as smbclient. I know that KDE auto logs me into Samba/Windows file shares without a password just like Windows. If you have Kerberos websites, you can configure your browser to pass tickets and get single-signon. There are quite a few things you can do. If you have to enter a password, there is usually a way to enable Kerberos for it.
>
> Thanks for that explanation. That's more when using Linux as a workstation. I'm using Linux as a server and am wanting to use Kerberos authentication as a way of achieving SSO.
>
> Currently I have the linux server setup so that it retrieves a kerberos ticket when a user logs in via ssh, though when I tell PuTTY to authenticate using kerberos, it still asks for a password.
>
> Is there a way to track down just what is going on there?

It took me a long time to get Kerberos SSH working. My best friends were ssh - and running sshd in debug mode. It will take a while, but the passwordless login is very nice. I was able to do it from Mac and Linux; I think I got Putty working on one Windows machine, but it required a special version of Putty from what I remember.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] pam_winbind and krb5_auth
If you configure SSH and NFS, you get passwordless logins and mounts. I think mount.smb can use it as well as smbclient. I know that KDE auto logs me into Samba/Windows file shares without a password just like Windows. If you have Kerberos websites, you can configure your browser to pass tickets and get single-signon. There are quite a few things you can do. If you have to enter a password, there is usually a way to enable Kerberos for it.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Tue, Jun 8, 2010 at 9:17 PM, Matthew Delves wrote:
> Hey list,
> I'm wondering if there is any advantage to be gained by using kerberos with pam_winbind.
>
> I've configured pam_winbind and enabled krb5_auth though apart from being granted a ticket, I'm unsure as to any advantage that would be gained by enabling Kerberos.
>
> Thanks,
> Matt Delves
> --
>
> -
> Matthew Delves
> System Administrator
> Information Systems
> Networks & Infrastructure
> University of Ballarat
> ph: 03 5327 9732
> email: m.del...@ballarat.edu.au
Re: [Samba] Microsoft OneNote 2007 painfully slow
On Tue, Jun 8, 2010 at 9:16 AM, Jeremy Allison wrote:
> Use smbstatus to find out the process id, then use smbcontrol to set a specific process to a different debuglevel on the fly.

That is really cool, thanks for sharing! I could not get the debugging to work with just smb:10; I had to set all the logs to level 10 to get anything, and then the log kept disappearing. I changed the 10M limit in smb.conf to 100M and reloaded smbd, but for some reason, the log would still get wiped and started over again. I can't get a good log; if I watch the size of the log, it's all over the place. I don't know how to get a good log file.

I moved the OneNote Notebook to a Windows server and when I launch it, it would take about 6 seconds to load (OneNote does not have the notebook; I browse to the share and open it. When I'm done, I right-click the notebook and close it, otherwise OneNote would open really fast and then sync the notebook in the background). On the Samba share, it consistently takes 2 minutes and 10 seconds. From some of the logs, it looks like the whole smbd process is restarted as it gets all the information about my user (SIDs, groups, etc). I'm still at a loss as to what to do.

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
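Jeremy's smbstatus/smbcontrol procedure as an added Python example (not code from the thread or from Samba): it picks the smbd PIDs serving one user out of 'smbstatus -p' output and raises only those processes' debug level with 'smbcontrol <pid> debug <level>', so hundreds of other users' smbd processes keep logging at the normal level. The sample smbstatus output is constructed and assumes the Samba 3.x column layout (PID, Username, Group, Machine under a dashed rule).

```python
"""Raise the debug level of only the smbd processes serving one user.

Added example, not from the thread. Assumes the 'smbstatus -p' table
layout of Samba 3.x (PID, Username, Group, Machine columns below a dashed
rule); the sample output below is constructed.
"""
import shlex
import subprocess
from typing import List


def smbd_pids_for_user(smbstatus_output: str, username: str) -> List[int]:
    """Extract the PIDs whose Username column equals `username` exactly.

    Exact comparison keeps DOMAIN\\alice distinct from DOMAIN\\alice2 and
    from a same-named user in another domain.
    """
    pids: List[int] = []
    in_table = False
    for line in smbstatus_output.splitlines():
        if line.startswith("---"):
            in_table = True          # rows follow the dashed rule
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue                 # not a process row
        if fields[1] == username:
            pids.append(int(fields[0]))
    return pids


def smbcontrol_debug_argv(pid: int, level: str) -> List[str]:
    """argv for 'smbcontrol <pid> debug <level>', which targets one smbd."""
    return ["smbcontrol", str(pid), "debug", level]


def set_debug_for_user(smbstatus_output: str, username: str, level: str,
                       run=subprocess.run) -> List[List[str]]:
    """Issue one smbcontrol call per matching PID; return the argv lists used.

    `run` is injectable so the logic can be exercised without a live smbd.
    """
    issued = []
    for pid in smbd_pids_for_user(smbstatus_output, username):
        argv = smbcontrol_debug_argv(pid, level)
        run(argv, check=True)
        issued.append(argv)
    return issued


# Constructed sample of 'smbstatus -p' output in the Samba 3.x layout.
SAMPLE_SMBSTATUS = """\
Samba version 3.4.8
PID     Username      Group         Machine
-------------------------------------------------------------------
 4021   DOMAIN\\alice  DOMAIN\\staff  wincomp      (192.0.2.10)
 4077   DOMAIN\\bob    DOMAIN\\staff  laptop2      (192.0.2.11)
 4102   DOMAIN\\alice  DOMAIN\\staff  wincomp      (192.0.2.10)
"""

if __name__ == "__main__":
    # Live use: read the real table from smbstatus and act on it.
    live = subprocess.run(["smbstatus", "-p"], capture_output=True,
                          text=True, check=True).stdout
    for argv in set_debug_for_user(live, "DOMAIN\\alice", "10"):
        print("ran:", shlex.join(argv))
```

Run it as root on the file server; remember to set the level back down with the same command once the slow open has been captured.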
Re: [Samba] Microsoft OneNote 2007 painfully slow
On Mon, Jun 7, 2010 at 6:06 PM, Jeremy Allison wrote:
> On Mon, Jun 07, 2010 at 02:44:50PM -0600, Robert LeBlanc wrote:
>> We have a user trying to share a OneNote 2007 notebook and it takes minutes to load a 20 KB notebook. I've opened a 500 KB Excel spreadsheet from the same share and it took seconds. Has anyone else run into this problem? We are running Samba 3.4.8 on Debian Squeeze.
>
> Minutes is very strange. Can you set the user's smbd to debug level 10 and look into the timestamped log and see where there are gaps in the timestamp record ?
>
> That should give you a clue as to what might be going on.
>
> Jeremy.

How can I set a single user's smbd process to debug 10? We have hundreds of users on this system so I don't want to fill up the disks with logs from everyone.

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
[Samba] Microsoft OneNote 2007 painfully slow
We have a user trying to share a OneNote 2007 notebook and it takes minutes to load a 20 KB notebook. I've opened a 500 KB Excel spreadsheet from the same share and it took seconds. Has anyone else run into this problem? We are running Samba 3.4.8 on Debian Squeeze.

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] resolve KDC network address error
On Mon, Jun 7, 2010 at 2:31 AM, Daniel Mueller wrote:
> Hello Samba-List-Users
>
> I have a problem with KDC network name resolution. I tried to google it and sought help on IRC#samba, to no avail. So I'll post my problem here.
>
> In the spirit of privacy and normalization all server names in this post are replaced. CAPITAL server names are actually capitalized in the configuration files.
>
> Setup:
> 1x Debian5 x64 server running samba 3.2.5
> 2x Windows Server 2008R2 domain controllers (Active Directory running in native mode)
> some Windows7 Clients
>
> here are my configuration files:
>
> smb.conf (global section)
>
> 8<--
> # Global parameters
> [global]
> netbios name = SAMBASERVER01
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> preferred master = no
> server string = Productive Datastore
> interfaces = eth0 172.16.1.15
> map to guest = bad user
> security = ADS
> encrypt passwords = yes
> log level = 2
> syslog = 2
> winbind separator = +
> printcap name = /etc/printcap
> printing =
> load printers = no
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> idmap uid = 1-2
> idmap gid = 1-2
> usershare allow guests = no
> hide files = /$RECYCLE.BIN/desktop.ini/
> vfs objects = full_audit
> full_audit:prefix = %u|%I|%m|%S
> full_audit:success = mkdir rename unlink rmdir pwrite
> full_audit:failure = none
> #full_audit:facility = LOCAL7
> full_audit:priority = NOTICE
> 8<--
>
> krb5.conf
>
> 8<--
> [libdefaults]
>    default_realm = DOMAIN.LOCAL
>
> [realms]
>    DOMAIN.LOCAL = {
>       # dc01 is FSMO server
>       kdc = dc01.domain.local
>       kdc = dc02.domain.local
>       admin_server = dc01.megasol.local
>       default_domain = domain.local
>    }
>
> [domain_realm]
>    .domain.local = DOMAIN.LOCAL
>    domain.local = DOMAIN.LOCAL
> 8<--
>
> the domain join ran without errors:
>
> SAMBASERVER01:~# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- DOMAIN
> Joined 'SAMBASERVER01' to realm 'domain.local'
>
> kinit is content, too:
>
> SAMBASERVER01:~# kinit -V Administrator
> Password for administra...@domain.local:
> Authenticated to Kerberos v5
>
> I logged into DC01 using the domain administrator account:
> I can connect to the samba server; no problems.
>
> I logged into a windows7 client using a domain user:
> I can connect to the samba server; no problems.
>
> I logged into a windows7 client using a local admin (no domain login):
> I can't connect to the samba server
>
> I use smbclient on SAMBASERVER01:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/SHARE -U Administrator
> Enter Administrator's password:
> session setup failed: NT code 0x0721
>
> I use smbclient on SAMBASERVER01 again:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -U Administrator
> Enter Administrator password:
> session setup failed: NT_STATUS_PIPE_DISCONNECTED
>
> I use smbclient using Kerberos authentication:
> SAMBASERVER01:~# smbclient //SAMBASERVER01/IT -k
> OS=[Unix] Server=[Samba 3.2.5]
> smb: \>
> that works!
>
> the smbd and nmbd logs are clean but it seems that winbind is struggling:
>
> log.winbindd
>
> 8<--
> [2010/06/07 10:17:59, 2] libsmb/cliconnect.c:cli_session_setup_kerberos(619)
>   Doing kerberos session setup
> [2010/06/07 10:17:59, 1] libsmb/clikrb5.c:ads_krb5_mk_req(680)
>   ads_krb5_mk_req: krb5_get_credentials failed for dc...@domain (Cannot resolve network address for KDC in requested realm)
> [2010/06/07 10:17:59, 1] libsmb/cliconnect.c:cli_session_setup_kerberos(626)
>   cli_session_setup_kerberos: spnego_gen_negTokenTarg failed: Cannot resolve network address for KDC in requested realm
> [2010/06/07 10:17:59, 1] winbindd/winbindd_util.c:trustdom_recv(260)
>   Could not receive trustdoms
> 8<--
>
> I'm at a loss here... can anyone help? Or point me into the right direction?
>
> Cheers
>
> Daniel
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://
Re: [Samba] Regression of 5616?
On Sat, Jun 5, 2010 at 6:36 PM, Andrew Bartlett wrote:
> Can you put winbindd under valgrind and post the results? I wonder if we have of uninitialised/freed values here somewhere?

Sure, I'm not a programmer so if you have a link to an easy how-to, I'll get you the info. I looked at the code and much of it is the same between 3.2 and 3.3, only some variable renames which all match up ok and the use of a different object for some of the initial information (that part is way over my head).

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Regression of 5616?
On Thu, Jun 3, 2010 at 11:21 AM, Robert LeBlanc wrote:
> On Thu, Jun 3, 2010 at 11:18 AM, Robert LeBlanc wrote:
>> On Wed, Jun 2, 2010 at 5:04 PM, Robert LeBlanc wrote:
>>> I'm wondering if I'm seeing a regression of 5616 with 3.4.8. I'm trying to set up pptpd with winbind, which I'm doing on two machines on Debian lenny, and I'm trying on Debian Squeeze now. The Windows client is saying "Error 778: It was not possible to verify the identity of the server." The logs say that everything is ok, and that the client is hanging up the connection. Is something not getting passed correctly like in bug 5616?
>>>
>>> Jun 2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
>>> Jun 2 16:56:05 debian pppd[17472]: using channel 17
>>> Jun 2 16:56:05 debian pppd[17472]: Using interface ppp0
>>> Jun 2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
>>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 0x0>]
>>> Jun 2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 ]
>>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 CBCP>]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 0x0>]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 ]
>>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 ]
>>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
>>> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 , name = "debian"]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae6d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
>>> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>>> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
>>> Jun 2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 +S -L -D -C>]
>>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\3777613q\375\000<\315t\000\000\003\n"]
>>> Jun 2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@
>>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP TermAck id=0x4]
>>> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Reaping child PPP[17472]
>>> Jun 2 16:56:05 debian pppd[17472]: Modem hangup
>>> Jun 2 16:56:05 debian pppd[17472]: Connection terminated.
>>> Jun 2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
>>> Jun 2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
>>> Jun 2 16:56:06 debian pppd[17472]: Exit.
>>>
>>> Any ideas? I'm not sure what else to try, I'm coming up empty handed with Google.
>>
>> I forgot to try this using chap_secrets and include that. When using chap_secrets I can log in and everything works as expected. When I include the winbind.so plug-in, I can't login. Here are the logs from a successful PPTP connection using chap_secrets.
>>
>> Jun 3 11:10:35 debian pppd[17826]: Connect: ppp0 <--> /dev/pts/1
>> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfReq id=0x1 0x0>]
>> Jun 3 11:10:35 debian pptpd[17825]: GRE: Bad checksum from pppd.
>> Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x0 ]
>> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfRej id=0x0 CBCP>]
>> Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x1 ]
>> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfAck id=0x1 ]
>> Jun 3 11:10:38 debian pppd[17826]: sent [LCP ConfReq id=0x1 0x0>]
>> Jun 3 11:10:38 debian pptpd[17825]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>> Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP ConfAck id=0x1 0x0>]
Re: [Samba] Regression of 5616?
On Thu, Jun 3, 2010 at 11:18 AM, Robert LeBlanc wrote:
> On Wed, Jun 2, 2010 at 5:04 PM, Robert LeBlanc wrote:
>
>> I'm wondering if I'm seeing a regression of 5616 with 3.4.8. I'm trying to set-up pptpd with winbind, which I'm doing on two machines on Debian lenny, and I'm trying on Debian Squeeze now. The Windows client is saying "Error 778: It was not possible to verify the identity of the server." The logs say that everything is ok, and that the client is hanging up the connection. Is something not getting passed correctly like in bug 5616?
>>
>> Jun 2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
>> Jun 2 16:56:05 debian pppd[17472]: using channel 17
>> Jun 2 16:56:05 debian pppd[17472]: Using interface ppp0
>> Jun 2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 0x0>]
>> Jun 2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 ]
>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 CBCP>]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 0x0>]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 ]
>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 ]
>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
>> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 , name = "debian"]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae6d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
>> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
>> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
>> Jun 2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 +S -L -D -C>]
>> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\3777613q\375\000<\315t\000\000\003\n"]
>> Jun 2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@
>> Jun 2 16:56:05 debian pppd[17472]: sent [LCP TermAck id=0x4]
>> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Reaping child PPP[17472]
>> Jun 2 16:56:05 debian pppd[17472]: Modem hangup
>> Jun 2 16:56:05 debian pppd[17472]: Connection terminated.
>> Jun 2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
>> Jun 2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
>> Jun 2 16:56:06 debian pppd[17472]: Exit.
>>
>> Any ideas? I'm not sure what else to try, I'm coming up empty handed with Google.
>>
> I forgot to try this using chap_secrets and include that. When using chap_secrets I can log in and everything works as expected. When I include the winbind.so plug-in, I can't login. Here are the logs from a successful PPTP connection using chap_secrets.
>
> Jun 3 11:10:35 debian pppd[17826]: Connect: ppp0 <--> /dev/pts/1
> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfReq id=0x1 ]
> Jun 3 11:10:35 debian pptpd[17825]: GRE: Bad checksum from pppd.
> Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x0 ]
> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfRej id=0x0 CBCP>]
> Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x1 ]
> Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfAck id=0x1 ]
> Jun 3 11:10:38 debian pppd[17826]: sent [LCP ConfReq id=0x1 ]
> Jun 3 11:10:38 debian pptpd[17825]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP ConfAck id=0x1 ]
> Jun 3 11:10:38 debian pppd[17826]: sent [LCP EchoReq id=0x0 magic=0x122bc19f]
> Jun 3 11:10:38 debian pppd[17826]: sent [CHAP Challenge id=0xb6 , name = "debian"]
> Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP Ident id=0x2 magic=0x1f614592 "MSRASV5.10"]
> Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP Ident id=0x3 magic=0x1f614592 "MSRAS-0-WINCOM
Re: [Samba] Regression of 5616?
On Wed, Jun 2, 2010 at 5:04 PM, Robert LeBlanc wrote:
> I'm wondering if I'm seeing a regression of 5616 with 3.4.8. I'm trying to set-up pptpd with winbind, which I'm doing on two machines on Debian lenny, and I'm trying on Debian Squeeze now. The Windows client is saying "Error 778: It was not possible to verify the identity of the server." The logs say that everything is ok, and that the client is hanging up the connection. Is something not getting passed correctly like in bug 5616?
>
> Jun 2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
> Jun 2 16:56:05 debian pppd[17472]: using channel 17
> Jun 2 16:56:05 debian pppd[17472]: Using interface ppp0
> Jun 2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 ]
> Jun 2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 ]
> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 CBCP>]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 ]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 ]
> Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 ]
> Jun 2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 , name = "debian"]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae6d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
> Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
> Jun 2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 -L -D -C>]
> Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\3777613q\375\000<\315t\000\000\003\n"]
> Jun 2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@
> Jun 2 16:56:05 debian pppd[17472]: sent [LCP TermAck id=0x4]
> Jun 2 16:56:05 debian pptpd[17470]: CTRL: Reaping child PPP[17472]
> Jun 2 16:56:05 debian pppd[17472]: Modem hangup
> Jun 2 16:56:05 debian pppd[17472]: Connection terminated.
> Jun 2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
> Jun 2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
> Jun 2 16:56:06 debian pppd[17472]: Exit.
>
> Any ideas? I'm not sure what else to try, I'm coming up empty handed with Google.
>

I forgot to try this using chap_secrets and include that. When using chap_secrets I can log in and everything works as expected. When I include the winbind.so plug-in, I can't login. Here are the logs from a successful PPTP connection using chap_secrets.

Jun 3 11:10:35 debian pppd[17826]: Connect: ppp0 <--> /dev/pts/1
Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfReq id=0x1 ]
Jun 3 11:10:35 debian pptpd[17825]: GRE: Bad checksum from pppd.
Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x0 ]
Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfRej id=0x0 ]
Jun 3 11:10:35 debian pppd[17826]: rcvd [LCP ConfReq id=0x1 ]
Jun 3 11:10:35 debian pppd[17826]: sent [LCP ConfAck id=0x1 ]
Jun 3 11:10:38 debian pppd[17826]: sent [LCP ConfReq id=0x1 ]
Jun 3 11:10:38 debian pptpd[17825]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP ConfAck id=0x1 ]
Jun 3 11:10:38 debian pppd[17826]: sent [LCP EchoReq id=0x0 magic=0x122bc19f]
Jun 3 11:10:38 debian pppd[17826]: sent [CHAP Challenge id=0xb6 , name = "debian"]
Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP Ident id=0x2 magic=0x1f614592 "MSRASV5.10"]
Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP Ident id=0x3 magic=0x1f614592 "MSRAS-0-WINCOMP"]
Jun 3 11:10:38 debian pppd[17826]: rcvd [LCP EchoRep id=0x0 magic=0x1f614592]
Jun 3 11:10:38 debian pppd[17826]: rcvd [CHAP Response id=0xb6 <4d9f569d005db37bc1a3fd0475dd288ff7a35e82608b4ba7e6137ef1dbd642f03341be46e2c763bf00>, name = "chap_user"]
Jun 3 11:10:38 debian pppd[17826]: sent [CHAP Success id=0xb6 "S=5BB1A4A6F2B0B1915352569321C0E90C7F2D0A50 M=Access granted"]
Jun 3 11:10:38 debian pppd[17826]: sent [CC
[Samba] Regression of 5616?
I'm wondering if I'm seeing a regression of 5616 with 3.4.8. I'm trying to set-up pptpd with winbind, which I'm doing on two machines on Debian lenny, and I'm trying on Debian Squeeze now. The Windows client is saying "Error 778: It was not possible to verify the identity of the server." The logs say that everything is ok, and that the client is hanging up the connection. Is something not getting passed correctly like in bug 5616?

Jun 2 16:56:05 debian pppd[17472]: pppd 2.4.4 started by root, uid 0
Jun 2 16:56:05 debian pppd[17472]: using channel 17
Jun 2 16:56:05 debian pppd[17472]: Using interface ppp0
Jun 2 16:56:05 debian pppd[17472]: Connect: ppp0 <--> /dev/pts/2
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfReq id=0x1 ]
Jun 2 16:56:05 debian pptpd[17470]: GRE: Bad checksum from pppd.
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x0 ]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfRej id=0x0 ]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfAck id=0x1 ]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP ConfReq id=0x1 ]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP ConfAck id=0x1 ]
Jun 2 16:56:05 debian pppd[17472]: sent [LCP EchoReq id=0x0 magic=0xa2912b7]
Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 , name = "debian"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x2 magic=0x648b71fd "MSRASV5.10"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP Ident id=0x3 magic=0x648b71fd "MSRAS-0-WINCOMP"]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP EchoRep id=0x0 magic=0x648b71fd]
Jun 2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <69dbcaab0e152ea056654a46c4ca7bae6d7bcc32ef97cfafde7c34570aaa0c55e83b8475da22923300>, name = "DOMAIN\\user"]
Jun 2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jun 2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
Jun 2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 ]
Jun 2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "d\3777613q\375\000<\315t\000\000\003\n"]
Jun 2 16:56:05 debian pppd[17472]: LCP terminated by peer (dM-^KqM-}^@
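The pattern in the two logs above is the useful diagnostic: in both sessions pppd sends "CHAP Success ... S=<authenticator> M=Access granted", but in the winbind session the Windows client answers with an LCP TermReq before a single byte of data flows, which is what its "Error 778: It was not possible to verify the identity of the server" means on the wire (the client checks the MS-CHAPv2 authenticator response in the S= field and hangs up if it does not match). The script below is an added example, not code from the thread or from Samba or pppd: it groups pppd syslog lines by process id and classifies each session, so a defender can spot "authenticated, then immediately rejected by the peer" sessions in a log file. The sample lines are constructed from the posted logs; the last two lines of session 17826, which the post truncates, are invented to stand in for the rest of a normal session, and the stripped angle-bracket option lists are abbreviated as <...>.

```python
"""Classify pppd sessions from syslog: did the peer accept our CHAP Success?

Added example (not from the mailing-list thread).  Assumes pppd's default
syslog line format: "Mon DD HH:MM:SS host pppd[pid]: message".
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the thread's two sessions.  <...> stands
# for the LCP/CHAP option lists the archive stripped; the last two lines of
# pid 17826 are invented (the original post is cut off after CCP ConfReq).
SAMPLE_LOG = """\
Jun  2 16:56:05 debian pppd[17472]: sent [CHAP Challenge id=0x75 <...>, name = "debian"]
Jun  2 16:56:05 debian pppd[17472]: rcvd [CHAP Response id=0x75 <...>, name = "DOMAIN\\\\user"]
Jun  2 16:56:05 debian pptpd[17470]: CTRL: Ignored a SET LINK INFO packet with real ACCMs!
Jun  2 16:56:05 debian pppd[17472]: sent [CHAP Success id=0x75 "S=B68D646C4DC626290C5BCD1148AE833C004B1E70 M=Access granted"]
Jun  2 16:56:05 debian pppd[17472]: sent [CCP ConfReq id=0x1 <...>]
Jun  2 16:56:05 debian pppd[17472]: rcvd [LCP TermReq id=0x4 "..."]
Jun  2 16:56:05 debian pppd[17472]: LCP terminated by peer
Jun  2 16:56:05 debian pppd[17472]: Connect time 0.0 minutes.
Jun  2 16:56:05 debian pppd[17472]: Sent 10 bytes, received 0 bytes.
Jun  3 11:10:38 debian pppd[17826]: sent [CHAP Challenge id=0xb6 <...>, name = "debian"]
Jun  3 11:10:38 debian pppd[17826]: rcvd [CHAP Response id=0xb6 <...>, name = "chap_user"]
Jun  3 11:10:38 debian pppd[17826]: sent [CHAP Success id=0xb6 "S=5BB1A4A6F2B0B1915352569321C0E90C7F2D0A50 M=Access granted"]
Jun  3 11:10:38 debian pppd[17826]: sent [CCP ConfReq id=0x1 <...>]
Jun  3 11:25:40 debian pppd[17826]: Connect time 15.0 minutes.
Jun  3 11:25:40 debian pppd[17826]: Sent 48211 bytes, received 120934 bytes.
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>pppd|pptpd)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
PEER_RE = re.compile(r'name = "(?P<name>[^"]*)"')
AUTH_RE = re.compile(r'S=(?P<s>[0-9A-Fa-f]{40})')      # MS-CHAPv2 authenticator response
BYTES_RE = re.compile(r'Sent (?P<sent>\d+) bytes, received (?P<recv>\d+) bytes')


def parse(log_text):
    """Group pppd messages by process id, preserving arrival order."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m['prog'] != 'pppd':
            continue                       # pptpd control lines are not per-session
        sessions.setdefault(m['pid'], []).append(m['msg'])
    return sessions


def summarize(msgs):
    """Reduce one session's messages to the facts the verdict needs."""
    s = {'peer': None, 'chap_success': False, 'authenticator': None,
         'term_by_peer': False, 'received': None}
    for msg in msgs:
        if msg.startswith('rcvd [CHAP Response'):
            m = PEER_RE.search(msg)
            s['peer'] = m['name'] if m else None
        elif msg.startswith('sent [CHAP Success'):
            s['chap_success'] = True
            m = AUTH_RE.search(msg)
            s['authenticator'] = m['s'] if m else None
        elif msg.startswith('sent [CHAP Failure'):
            s['chap_success'] = False
        elif msg.startswith('rcvd [LCP TermReq'):
            s['term_by_peer'] = True
        else:
            m = BYTES_RE.search(msg)
            if m:
                s['received'] = int(m['recv'])
    return s


def verdict(s):
    if not s['chap_success']:
        return 'auth_failed'               # we rejected the client
    if s['authenticator'] is None:
        return 'missing_authenticator'     # Success without S=: client cannot verify us
    if s['term_by_peer'] and not s['received']:
        # We said "Access granted" but the client tore the link down before
        # sending any data: consistent with it rejecting our authenticator.
        return 'peer_rejected_after_auth'
    return 'ok'


def triage(log_text):
    """Map pid -> session summary plus verdict."""
    report = {}
    for pid, msgs in parse(log_text).items():
        s = summarize(msgs)
        s['verdict'] = verdict(s)
        report[pid] = s
    return report


if __name__ == '__main__':
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s['peer'], s['verdict'])
```

Run against the thread's logs this marks session 17472 (winbind plug-in) as peer_rejected_after_auth and 17826 (chap_secrets) as ok, which is the same conclusion the poster reached by hand; on a busy VPN concentrator the same filter separates "wrong password" failures from "server authenticator not accepted" failures, which have different causes.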
Re: [Samba] samba.org has been revised!
I really love how all this criticism comes from someone whose website looks like something out of the 90's. Animated gifs are 20 years old now! The design on your pages sucks, it is not easy on the eyes, I'm not drawn to what is important. Yes I can read it (the text is legible), but just barely because the layout does not flow and I can't find anything. There is more to design than just the text px (which I highly discourage as well). Using too many fonts, having unbalanced portions of the page, etc. Please before you go slamming someone else's work, fix your own site so you have some credibility!

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Wed, May 19, 2010 at 8:48 AM, Felix Miata wrote:
> On 2010/05/19 09:12 (GMT-0400) David Eisner composed:
>
> > On Tue, May 18, 2010 at 11:22 PM, Felix Miata wrote:
>
> >> Not even close. Arguably it's attractive, as long as you don't actually need to use it or read anything on it. Pray your eyes are as good as a 15 year old or you aren't using a high resolution device to access it if so.
>
> > I like the new design. I'm not particularly young, and I don't have a particularly fancy monitor. I do wear glasses, though.
>
> Many people, regardless of age, even with correction, don't see particularly well, but quite well enough to use web pages that respect their defaults. These aren't the only people now being disrespected. All, regardless of eyesight, should be respected. Web designers as a group either don't understand the meaning of that word, or don't think it a necessary part of designing for the web.
>
> http://fm.no-ip.com/Inet/shame.html
>
> > The CSS sizes the fonts in px, though, which is a problem.
>
> Exactly.
>
> > The issue isn't that your monitor has too low a resolution, it's that it's "too" high.
>
> Hogwash:
>
> 1-The technology to design web pages with resolution independence is more than a decade old. http://fm.no-ip.com/Auth/Sites/Ksc/ is a very simple example of how it can be done. Apply zoom, or change your default larger or smaller to see how well it can work.
>
> 2-High resolution == high quality. Therefore, higher resolution _should_ mean a higher quality web experience. Web fonts are famous for marginal to poor quality. That lack of quality is proportional to DPI. The higher the DPI, the higher the quality, as each character of any given physical size has more px to be rendered with. My default of 24px has nominally 576 px per character, compared to samba's 13px at nominal 169px, which is several orders of magnitude higher quality.
>
> 3-A major reason still higher resolution isn't widely available yet is the usability factor. Web pages and software are still being designed as if people were using display hardware manufactured two decades ago. Were page and software designers incorporating resolution independence, even more advanced (still higher DPI) hardware to take advantage of it would be here already. IOW, hardware technology is being held back by anachronistic software and web page design.
>
> > Have you tried Ctrl-+ a few times?
>
> Of course. But it's necessary on virtually every page, because virtually every page is designed either without regard to user defaults (in px), or by setting some base size at a fraction of the defaults (assuming the defaults are incorrectly set "too large").
>
> Both behaviors (without regard, and assuming wrongly large) are offensive. Ctrl-+ (and minimum font size) are _defensive_ features provided by browser makers. Absent an offense, a defense needn't be applied.
>
> Poor legibility, caused primarily by too small fonts, besides being offensive, is a widespread usability problem:
>
> http://www.useit.com/alertbox/designmistakes.html
> --
> "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation)
>
> Team OS/2 ** Reg. Linux User #211409
>
> Felix Miata *** http://fm.no-ip.com/
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 3.4.4 & Windows 7 offline folders
On Fri, Jan 22, 2010 at 12:54 AM, Martin Hochreiter wrote:
> On 2010-01-21 23:42, Jeremy Allison wrote:
>> On Thu, Jan 21, 2010 at 07:50:53PM +, nf-vale wrote:
>>> Is this issue only related with Windows 7 clients or does it affect other Windows versions too (I'm using Samba 3.4.3 version)?
>>
>> The offline files bug was only reported against a specific version of Windows Vista, but I wouldn't be surprised if it affected other versions too.
>>
>> Jeremy.
>
> Hi to all!
>
> I can only report the issue on Windows 7 32 bit. We don't use Vista and Windows XP is still working without problems.
>
> As I told you - with 3.4.5 we haven't had any issues yet.
>
> regards
> Martin

I'm having problems with Samba 3.4.7 from Debian Testing. XP is not having any problems, but Windows 7 32-bit and 64-bit are having issues. What can I send to help pinpoint the problem?

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Snow Leopard and Samba
On Tue, Apr 20, 2010 at 12:22 PM, jjrowan wrote:
> A customer has an expanding number of Mac computers. Last Friday an existing machine started having problems writing files to a Samba share on a CentOS 5.x server. They had no problems prior to Friday. They are getting permission failure errors in creating files and folders. I made the share owned by the user and group with group write enabled. Even with him as the owner he can not write to the share. I stopped / started Samba, same problem. I had him reconnect, same problem. Even had him reboot his Mac but problem persists. I ran Wireshark traces but the session generates 30 to 40 thousand packets and I am unable to find the packets that might pinpoint why he now has problems writing to the server. I just ran a yum update of the CentOS server and it downloaded samba-common-3.0.33-3.15. I don't know if this release fixes my problem. Has anyone else had problems with OS/X writing to a Samba share AFTER it's been working for a while (in my case 2 months)?
>

For us, the fix was to add "unix extensions = no" in the global section.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Ideas for distributed Samba servers
On Sun, Apr 11, 2010 at 10:18 PM, Adam wrote:
> Ever heard of glusterfs?
>

Yes, I don't think it works well in geographically diverse clusters though. Lustre has this same problem. I could be wrong.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Ideas for distributed Samba servers
On Sun, Apr 11, 2010 at 7:47 PM, Stan Hoeppner wrote:
>
> I would think it would be cheaper and more straight forward to replace the GbE port on each end of the fiber link with a 10GbE port than to deal with the complexity of caching and replication, or other such options, especially for two buildings on the same campus. The fiber link is on campus and thus you control any right-of-way issues, correct?
>
> If this is the case, upgrading the link speed on the fiber is definitely the way to go. If multiple pairs were run when the line was originally trenched, as is customary, setup ISL bonding of two 10GbE links between the two buildings' switches. Problem solved. Make sure you have at least one 10GbE NIC (preferably two NICs bonded) in the Samba server that exports the data on the disk array or the fat pipe between the buildings won't matter much.
>
> It will be interesting to see what Samba bottlenecks you run into after you get the big phat pipes setup.
>

Although the buildings are on the same campus (multiple buildings, about 8 total that we occupy, and only parts of the building for most of them) we don't have control over the network. That is in the hands of the campus IT organization and they like things done a certain way. We can light some fibre, but it's only point to point and we don't have that much fibre running to our building to connect all the buildings, plus the expense would be astronomical as we can't tie into their network and so connection in the other buildings would be limited. Since they are finally deciding to upgrade the core switching to 10GbE, they are possibly putting our building on the list to get a 10GbE link first. I think that would alleviate the biggest part of the problem, as we suspect that most of the storage will sit idle and not really accessed. Since all the desktops are only running 100 Mb connections, it gives us enough concurrent connections that we feel comfortable with.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Ideas for distributed Samba servers
On Sun, Apr 11, 2010 at 9:03 AM, ravi channavajhala < ravi.channavajh...@dciera.com> wrote:
> WAFS (Wide Area File System) appliances can be very well deployed for this sort of thing precisely. Unfortunately, I don't know of any opensource project for WAFS. However, commercial solutions such as Riverbed, Expand Networks, CISCO/WAFS, Juniper/Peribit do exist.
>

So far, this is the direction that we may go. We have looked at a Riverbed product, it's good to know alternatives. This may not be as much of an issue as it was in the past as I believe we may get a network upgrade that will negate the need for this.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Ideas for distributed Samba servers
On Sat, Apr 10, 2010 at 11:14 AM, Eric Shubert wrote:
> Robert LeBlanc wrote:
>
>> I'm trying to think about how to setup a Samba system and would like to pick the brains of some experts. We are looking to put a large amount of storage ~75TB in a central data center. We have some remote (ok, not remote, but across slower links, ok if you consider several hundred clients over 1Gb to be slow) locations that we would like to set up samba servers that 'cache' the file system and serve it up to the clients in the building and sync with the main data center storage. The idea is have a couple of TB that are located in the building that serve up the Samba share. When a client requests a file, if it's in the local cache it is served up from there, if not then the Samba server grabs the file from the main data center and serves it to the client. When a file is written, something like rsync is used to transfer only the differences back to the main data center. The problem is that I'm not sure of a file system that does this. We are using Lustre on our HPC, but this won't do what we want.
>>
>> Any suggestions are welcome.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
>
> I'm curious to know what you came up with for this. Care to share?
> TIA.
>

We haven't come up with anything yet. We are still thinking this over. It's not pressing yet as we don't have the storage yet.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Force Winbind Domain
On Tue, Mar 30, 2010 at 1:36 PM, Diego Lima wrote:
> Hi all,
>
> Is there any way to force Winbind to authenticate against a certain domain even if another was specified? I'm currently having problems authenticating some users on squid as they seem to inform the wrong domain. I can see messages like these on my cache log:
>
> Login for user [proxy1]\[userna...@[wrkstation] failed due to [No such user]
>
> The problem is that our domain is not called proxy1 (that is our proxy DNS name) and we can see some (not all) users unable to authenticate due to this. So my question is, can I force the domain to be MYDOMAIN instead of PROXY1?
>
> Thank you!
>

I think you are looking for use default domain in smb.conf. That should allow users to just use their sAMAccountName, otherwise they could use DOMAIN\sAMAccountName without the use default domain setting configured.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] 3.5 in Debian Squeeze?
On Wed, Mar 24, 2010 at 12:21 AM, Christian PERRIER wrote:
> Quoting Robert LeBlanc (rob...@leblancnet.us):
> > What is the milestone that will get 3.5 into Debian Squeeze?
>
> We're still in the process of deciding whether we'll go for 3.4.* or 3.5 for squeeze.
>
> There are arguments for both:
>
> - 3.4.* releases are now rock solid and the risk of "important" issues to be discovered that would make these versions unsuitable for production servers is not very high while 3.5.* are fairly young as of now.
>
> - Strong support by the Samba Team for 3.4.* releases will be decreasing rapidly in the upcoming months and it might become hard to make this release alive for the planned two years of lifetime (at minimum) that squeeze will have after it's released. There are also several improvements brought by 3.5 which our users would benefit from.
>
> My own stance is to go for 3.5 and, as one of the maintainers, I'll push for it. However, I want to ask the Debian release team about their feeling for pushing point releases (3.5.2, 3.5.3, etc.) in squeeze during the time squeeze is frozen. It would help a lot if they agree that we can do this even late in the release process but you can imagine that they can't say "yes" to all such requests...otherwise the freeze is no longer a freeze.
>
> A key point is having my co-maintainer's (Steve Langasek) advice about this. Other co-maintainers have agreed for having 3.5 in squeeze (particularly Matthieu Parent, who maintains ctdb)
>

Thank you for taking the time, this is very helpful. I fully understand both sides of the argument as I take both positions on a regular basis. I do like 3.4 as it has worked quite well for us; as we move to Windows 7, we have uncovered problems which we hope 3.5 will resolve. Winbind has also given us problems in 3.4, and with the large rework in 3.5 we hope it's solved a lot of those pain points.

I haven't heard when the freeze will be for Squeeze, but if it would be helpful, I can try to carve out some time to pull 3.5 from experimental on a test box and try it in our environment for feedback.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] ?: winbind dont start
On Wed, Mar 24, 2010 at 4:12 AM, Mistofeles wrote:
> I have two similar PCs with similar Ubuntu 9.10 srv installation.
> In the beginning both authenticated fine against our AD with Samba.
> I changed the NIC to another PC and moved it to another subdomain.
> Old IP changed from XXX.XXX.104.187 to XXX.XXX.41.32.
> The other PC works OK.
> SSH works in both. So the network is up.
>
> kinit myn...@mydomain
> - OK
> klist
> - OK
> /etc/init.d/samba restart
> - OK
> net ads join -U myname
> - OK
>
> STEP 1:
>
> /etc/init.d/winbind start
> - The system stops here.
> If I open another SSH window, these are the last lines in /var/log/samba/log.winbind:
>
> [2010/03/23 15:57:18, 2] param/loadparm.c:7736(do_section)
> Processing section "[WWW_BCK_oldest]"
> [2010/03/23 15:57:18, 3] param/loadparm.c:6190(lp_add_ipc)
> adding IPC service
>
> STEP 2:
>
> I apt-get purge all of these:
> samba, samba-common, samba-common-bin, smbfs, winbind
> - OK
>
> Then I apt-get install samba
> - OK
>
> apt-get install winbind
> - Everything freezes in the middle of the installation, while restarting winbind.
>
> Please tell me where I can find help. Google, RTFM and FAQ have not given any help so far.
>

You didn't mention if you updated your smb.conf and krb5.conf file (if necessary) to reflect the new subdomain (unless by subdomain you don't mean an Active Directory subdomain and you are talking about a subnet). If you have, then I would try a net ads leave and then a net ads join again.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
[Samba] 3.5 in Debian Squeeze?
What is the milestone that will get 3.5 into Debian Squeeze?

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba 3.4.7 on Debian Squeeze does not allow Vista machines to connect to shares XP users can connect though
On Tue, Mar 23, 2010 at 3:31 AM, Siju George wrote:
> Hi,
>
> The following
>
> ii samba 2:3.4.7~dfsg-1 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:3.4.7~dfsg-1 common files used by both the Samba server and client
> ii samba-common-bin 2:3.4.7~dfsg-1 common files used by both the Samba server and client
>
> are installed on a squeeze ( 2.6.32-3-686 #1 SMP Thu Feb 25 06:14:20 UTC 2010 i686 GNU/Linux )
>
> but when I connect from Vista Systems to the shares I am unable to do it. With the same username and password I can connect the users from Windows XP systems though.
>
> ( ***There is another samba server on OpenBSD 4.6 ( samba-3.0.34p1-ads ) which allows the users to connect from Vista Systems without any trouble*** )
> [snip]
>
> What could be the trouble?
>
> Thanks
>
> --Siju
>

I am seeing similar troubles. We started testing Windows 7 and I thought the problems were related to that and since 3.5.1 is in Experimental, I just put off the project a little bit. However on the only Vista machine I have, I am noticing problems there as well. XP is working fine here. I haven't had the time to try any troubleshooting.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks supportfor encryption type [SEC=UNCLASSIFIED]
On Tue, Feb 23, 2010 at 8:32 PM, Rob Townley wrote:
> On Sat, Feb 13, 2010 at 8:57 PM, Jeremy Allison wrote:
> > On Sat, Feb 13, 2010 at 01:35:12PM -0600, d...@briannassaladdressing.com wrote:
> >> Alex,
> >>
> >> I've been a victim of this since Day 1. After a lot of reading and emailing, it comes down to this. libkrb5-3 version 1.8x by default disallows DES encryption. /etc/krb5.conf can be changed to allow weak encryption, but as it relates to Samba, is only effective in letting the system join the domain. For its internal functioning, winbind uses an autogenerated krb5.conf that resides in /var/run/samba. This krb5.conf has no knowledge of allow_weak_crypto=true. Sam Hartman, the maintainer of libkrb5-3 in Debian, has taken over the responsibility of fixing that package, rather than the Samba maintainers doing a change there. In the interim, winbind is broken with libkrb5-3 version 1.8x. We can only hope this fix is soon coming.
> >
> > In Samba 3.5.0 there is a parameter "create krb5 conf" that controls if this private krb5.conf file is created or not. Would it be helpful for this to be back ported to earlier versions ?
> >
> > Jeremy.
>
> i do not want any weak encryption on my systems.
> If "create krb5 conf = no" in smb.conf means that i can specify RC4 and AES in /etc/krb5.conf and then winbind will honor and not create a ghost krb5.conf.NETBIOSDOMAINNAME, i would greatly appreciate it being backported.
> Of course, i run CentOS 5 and that uses 3.0.33. How far back is realistic?
>

With the latest update on Debian, you don't have to enable weak encryption types. Kerberos now silently ignores the DES options and only uses the RC4 to communicate with the domain controllers. I do not have 'enable_weak_crypto' in my krb5.conf files and it works fine now.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
[Samba] [FIXED on Debian] Re: ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
On Wed, Feb 17, 2010 at 6:39 AM, Wilkinson, Alex <alex.wilkin...@dsto.defence.gov.au> wrote:
> On Wed, Feb 17, 2010 at 07:49:25AM -0600, Dale Schroeder wrote:
> >>> Reply to list/user gets me again! Anyway, we are at 2008 functional level, so I don't think our domain is even accepting DES. It looks like Debian has a fix in libkrb5 that has another two days in sid, then will be migrated to Squeeze.
> >> That's the best news I've had in days. I noticed that the original reporter of the bug had success with 1.8 alpha1-6, and the version soon to be in squeeze is already beyond that at alpha 1-7.
>
> Here is the patch:
>
> http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg~alpha1-7/changelog
>
> krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
>
>   * Import upstream fixes including:
>     - A non-conformance with RFC 4120 that causes enc_padata to be included when the client may not support it
>     - Weak crypto acts as a filter and does not reject if DES is included in krb5.conf, fixes Samba net ads join, Closes: #566977
>   * Medium urgency because of the samba bug fix. If the samba maintainers request the release team to bump to high I'd support that.
>   * Update libkdb5 symbols for new upstream internal interface

I have just tested the new package from Debian and it indeed does solve the problem, and you don't need the weak_crypto option in krb5.conf. Thanks to all who got us through this bump in the road.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
On Tue, Feb 16, 2010 at 2:48 PM, Rob Townley wrote:
> On Tue, Feb 16, 2010 at 12:30 PM, Robert LeBlanc wrote:
>>
>> I tried this on Debian Squeeze (edited /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME) and when I restart winbind, the file is clobbered back to the original. I think this is in conjunction with a bug from Kerberos where if DES is specified as a supported type, even if something else better is specified, Kerberos refuses to play.
>>
>> Here is what 3.4.5 is showing:
>>   default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>   default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>   preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
>>
>> It would be nice to have some sort of fix/workaround for this; it seems to have blindsided us.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer Support
>> Brigham Young University
>>
> i assume you meant to post to the list, not just me. But since some IT people would be uncomfortable letting the general public know they use DES, i didn't forward your name to the list.
>
> i had the same problem and thought i had it licked by disabling the winbind service, but i have so many machines i am not sure which machine i may have got the config to stick. If your domain functional level is Win2000, not Win2003, then i am not sure it will take anything better than DES. i would hope so, but i don't know for certain. Using the windows kerberos tools like kerbtray.exe would tell you what your ADS accepts. Watch that MSDN video.
>
> i have a suspicion that ADS will list DES as acceptable but tells Windows Workstations to never request DES through Group Policy Objects. So the problem never surfaces on windows. In the ADS Active Directory Users and Computers, clicking on the details of a user and maybe a machine, at the very bottom of a long scroll down list, there is a place to allow DES. Unless that is checked, i don't see any reason for ADS to ever offer DES, but i suspect it does.
>
> My ADS is messed up now and needs to be redone. Until then and when i can do some extensive testing, i am not going to blame MS.

Reply to list/user gets me again! Anyway, we are at 2008 functional level, so I don't think our domain is even accepting DES. It looks like Debian has a fix in libkrb5 that has another two days in sid, then will be migrated to Squeeze. I think that will fix the problem (crossing fingers), as RC4-HMAC is listed as an acceptable encryption type and the bug in Kerberos was dropping the entire encryption request if DES was one of the encryption types. I think the fix now only drops the DES encryption types out of the available list. So in my krb5.conf.NETBIOSNAME example above, if the DCs don't like RC4-HMAC, then I'm out of luck, as it won't try DES even though it is listed. Thanks for the reply.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
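The enctype behaviour described in the reply above (the pre-fix library failing the whole bind because DES appears in the list, the fixed library simply filtering DES out), as an added model written for this page; it is not code from the thread, Samba or MIT krb5. The weak-enctype table, the sample private krb5.conf and the function names are assumptions made for the demo:

```python
# Added example, not code from the thread: models how libkrb5 1.8 treats the
# enctype list winbind writes into its private krb5.conf, before and after the
# Debian fix discussed above.  The weak-enctype table and sample config are
# assumed for the demo; the real library keeps its own table.
WEAK_ENCTYPES = frozenset({"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw"})

# Constructed sample of /var/run/samba/smb_krb5/krb5.conf.NETBIOSNAME (assumed)
SAMPLE_PRIVATE_KRB5_CONF = """\
[libdefaults]
    default_realm = AD.LOCAL
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
    preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
"""

BIND_ERROR = "Program lacks support for encryption type"


class NoUsableEnctype(Exception):
    """Raised where the library would fail the SASL/GSSAPI bind."""


def parse_enctype_lines(conf_text):
    """Return {option: [enctype, ...]} for the three *_enctypes options."""
    wanted = ("default_tgs_enctypes", "default_tkt_enctypes", "preferred_enctypes")
    result = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in wanted:
            result[key] = [e.lower() for e in value.split()]
    return result


def usable_enctypes(configured, allow_weak_crypto=False, weak_is_filter=True):
    """Return the enctypes the client will actually offer.

    weak_is_filter=False models the pre-fix behaviour the thread hit: one DES
    entry makes the whole list unusable, so the bind fails even though
    RC4-HMAC is listed.  weak_is_filter=True models the fixed library: weak
    types are dropped and only the strong ones are offered.
    """
    if allow_weak_crypto:
        return list(configured)
    strong = [e for e in configured if e not in WEAK_ENCTYPES]
    if len(strong) != len(configured) and not weak_is_filter:
        raise NoUsableEnctype(BIND_ERROR)
    if not strong:
        raise NoUsableEnctype("no strong enctypes configured")
    return strong


def bind_outcome(conf_text, allow_weak_crypto=False, weak_is_filter=True):
    """Per option: the enctype list offered, or the error string on failure."""
    outcome = {}
    for key, enctypes in parse_enctype_lines(conf_text).items():
        try:
            outcome[key] = usable_enctypes(enctypes, allow_weak_crypto, weak_is_filter)
        except NoUsableEnctype as exc:
            outcome[key] = str(exc)
    return outcome


if __name__ == "__main__":
    print("1.8 before fix:", bind_outcome(SAMPLE_PRIVATE_KRB5_CONF, weak_is_filter=False))
    print("1.8 after fix: ", bind_outcome(SAMPLE_PRIVATE_KRB5_CONF))
```

The point the model makes is the one Robert draws: with the fixed library the DES entries in the generated file are harmless, but they are also never used, so a DC that refuses RC4-HMAC still leaves no working enctype.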
[Samba] DC failover not working?
We are running a Samba 3.4.3 file server against a 2008 Active Directory. We had a domain controller go down over the weekend and Samba just choked. The server was running over 90 smbd processes and no one was able to connect to the file shares. In fact, we mount the drives on login and many people were not able to log in for 20+ minutes. We have three domain controllers and two of them are Global Catalogs. The server that went down was a GC.

How does/is Samba handling DC failures? It seems that if a DC is unreachable it should not try it again for some time; if it is still unreachable, keep doubling that time to a maximum until it comes back online, all the while using a different DC. I worked around the problem by setting the password server to a good DC, but this should be automatic.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
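The failover policy proposed in the post above (skip an unreachable DC, double its retry interval up to a cap, use another DC in the meantime), as an added model written for this page; it is not Samba or winbind code. The DC names, the 30 s base and 900 s cap, and the fake clock are assumptions for the demo:

```python
# Added example, not Samba code: a model of the DC failover policy proposed
# above.  DC names, timings and the fake clock are assumptions.
import time


class DcSelector:
    """Pick a domain controller, remembering which ones recently failed."""

    def __init__(self, dcs, base_backoff=30.0, max_backoff=900.0, clock=time.monotonic):
        self.dcs = list(dcs)
        self.base_backoff = base_backoff
        self.max_backoff = max_backoff
        self.clock = clock
        self.failures = {dc: 0 for dc in self.dcs}    # consecutive failures
        self.retry_at = {dc: 0.0 for dc in self.dcs}  # earliest time to try again

    def candidates(self):
        """DCs not currently in backoff, in configured order."""
        now = self.clock()
        return [dc for dc in self.dcs if self.retry_at[dc] <= now]

    def report_failure(self, dc):
        """Record a failed connection; returns the new backoff in seconds."""
        self.failures[dc] += 1
        delay = min(self.base_backoff * 2 ** (self.failures[dc] - 1), self.max_backoff)
        self.retry_at[dc] = self.clock() + delay
        return delay

    def report_success(self, dc):
        self.failures[dc] = 0
        self.retry_at[dc] = 0.0

    def connect(self, try_connect):
        """Try DCs outside backoff first.  If every DC is in backoff, try the
        one due soonest instead of failing every client outright.
        try_connect(dc) returns True on success.  Returns the DC used or None."""
        order = self.candidates()
        if not order:
            order = [min(self.dcs, key=lambda d: self.retry_at[d])]
        for dc in order:
            if try_connect(dc):
                self.report_success(dc)
                return dc
            self.report_failure(dc)
        return None


class FakeClock:
    """Deterministic clock for the demo (assumed; replace with time.monotonic)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """One dead DC, two healthy: the dead one is skipped and its retry
    interval grows 30, 60, 120 ... seconds until it hits the 900 s cap."""
    clock = FakeClock()
    sel = DcSelector(["dc1.ad.local", "dc2.ad.local", "dc3.ad.local"], clock=clock)
    dead = {"dc1.ad.local"}
    used, delays = [], []
    for _ in range(8):
        used.append(sel.connect(lambda dc: dc not in dead))
        wait = sel.retry_at["dc1.ad.local"] - clock.now
        delays.append(wait)
        clock.advance(wait)  # wait out the backoff so dc1 is retried each round
    return used, delays


if __name__ == "__main__":
    print(demo())
```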
Re: [Samba] [Announce] Samba 3.5.0rc2 Available for Download
On Sun, Jan 31, 2010 at 11:05 PM, Christian PERRIER wrote:
> Quoting Karolin Seeger (ksee...@samba.org):
> > Release Announcements
> > =
> >
> > This is the second release candidate of Samba 3.5. This is *not*
>
> Debian packages for 3.5.0rc2 were uploaded to Debian experimental as of Sunday Jan 31st.
>
> Many special thanks to Michael Adam for bringing a new configure option for the *.dat files location. That allowed us, Debian maintainers, to drop the very last bit of code changes meant to deal with file locations that were not fitting the Debian view of the FHS.
>
> The Debian diff is now very minimally restricted to Debian specific changes that are not suitable for upstream inclusion (mostly documentation stuff).
>
> The Debian packaging team for Samba will now discuss the opportunity to bring 3.5 packages in Debian unstable:
>
> - release Debian squeeze with 3.5 instead of the now quite rock solid 3.4?
>
> - consequences for Ubuntu?
>
> Anyway, we again renew public thanks to Karolin for her tremendous job in release management. The entire Samba Team also deserves thanks for their commitment to follow their release manager. A predictable upstream release policy is the best that can happen to distro packagers.

This is very exciting, thank you all for your hard work. We would like to see 3.5 in Squeeze soon, as we will most likely be deploying Windows 7 in the 2nd quarter this year.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba/Winbind uid/gid
On Mon, Jan 18, 2010 at 3:09 AM, JC wrote:
> Hi,
>
> I actually have to install another samba server connected to Active directory by using winbind.
>
> All works ok, but i have a little problem.
>
> In fact if i use getent |grep user on server1, the output is the following:
> server1:~# getent |grep user
> user:*:20083:20040:USER:/home/user:/bin/bash
> server1:~#
>
> on the second server, which uses the same AD and the same configuration file except for netbios, i obtain:
> server2:~# getent |grep user
> user:*:20018:20110:USER:/home/user:/bin/bash
> server2:~#
>
> Is there a solution to obtain the same uid/gid on both servers for all users?

You didn't specify what version of Samba you are using. If you are using 3.4.x, I suggest idmap_hash; if you are using something earlier, then I would suggest idmap_rid. There are man pages for both.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] How to access shares via HTTP (apache2)
On Fri, Jan 1, 2010 at 8:10 AM, Daniel Müller wrote:
> Why do you need to access your shares via HTTP???!!
> The only thing this might be useful for is from outside your LAN over the internet?!
> If you plan this, there is the linux opensource solution OPENVPN!! With this mighty software you work with your shares and outlook from outside as if you were in your bureau.
> Take a look at it and give it a try!
> Daniel

In our case, we already have a VPN solution (Cisco, definitely not our choice) in place. We wanted a solution that is cross-platform, didn't require anything to be installed on the OS, and would never be blocked by any firewall. WebDAV fit the bill; although it sucks pretty bad on Windows, it is still there.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] How to access shares via HTTP (apache2)
On Thu, Dec 31, 2009 at 7:35 AM, Martin Balint wrote:
> Hello,
> I configured a samba fileserver as a member of a samba domain. PDC and fileserver are different machines.
> It works great using windows sharing.
> Now, I need to set up apache to serve my shares, but I am having a problem with permissions. Apache runs as www-user, and doesn't see content in shares.
> So I would like to ask, what is the proper way to use apache (or another http server) to serve files on the file server?
> Using Ubuntu 9.10 and Samba 3.4.0-3ubuntu5.1.
>
> Thanks for help,
> Martin
>
> Right now, my configuration is:
> smb.conf
> [global]
>    workgroup = DOMAIN.EU
>    netbios name = share2
>    server string = %h server (Samba, Ubuntu)
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    syslog = 0
>    panic action = /usr/share/samba/panic-action %d
>
>    winbind separator = +
>    idmap uid = 1-2
>    idmap gid = 1-2
>    winbind enum users = yes
>    winbind enum groups = yes
>
>    security = domain
>    password server = *
>
> [software]
>    comment = Shared software
>    path = /srv/fileserver/software
>    force group = "DOMAIN.EU+domain users"
>    create mask = 0660
>    directory mask = 0770
>    writable = yes
>
> /etc/nsswitch.conf:
> passwd: compat winbind
> group: compat winbind
>
> # ls -la /srv/fileserver/software/
> total 20
> drwxrwxrwx 5 root             root                   4096 2009-12-31 12:12 .
> drwxr-xr-x 3 root             root                   4096 2009-12-31 00:08 ..
> drwxrwx--- 2 DOMAIN.EU+martin DOMAIN.EU+domain users 4096 2009-12-31 00:24 test2
> drwxrwx--- 2 DOMAIN.EU+martin DOMAIN.EU+domain users 4096 2009-12-31 12:11 test3
> drwxrwx--- 2 DOMAIN.EU+martin DOMAIN.EU+domain users 4096 2009-12-31 12:12 test4

I guess you are trying to do this with WebDAV. I've looked and have not found a good Linux solution. To use Apache, you would have to write a listener that forks an Apache process as the user. That is expensive and there is no pre-built solution out there. We finally gave up and used Windows 2008 with IIS 7, which can do this natively. We set up a web site whose root is our samba share (we only have one share and specify all permissions through ACLs). This preserves permissions and owners so that quotas are not thrown off. We initially did some nasty group member things to get it to work with Apache, but the management overhead was a nightmare, and we went with the Windows solution even though we wanted to go Linux.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] DNS update via trusted machine account
Not sure if you need to export the key. If you run 'net ads dns register -P' it will use the machine account. You can put that in the script that runs when there is a network change. I'm not near a machine right now, but Debian has it in /etc/network/.

Robert LeBlanc

On Dec 29, 2009 7:48 AM, "Александр Р. Фахрутдинов" wrote:
> As is known, Samba creates or updates the AD DNS record only when it has joined the domain. When the OS gets a new IP address via DHCP, there is no method for automatic DNS update with Samba. It's possible to update DNS with the nsupdate-gss script, but it requests a Kerberos TKEY, derived through the kinit utility or the pam_winbind module. In both cases, a domain admin password is requested. However, Windows updates DNS using the machine account. I think, if Samba exports a machine key somehow, it may be used for automatic DNS update via nsupdate-gss. Does someone know how to export a machine key from Samba?
[Samba] PPTP ntlm_auth-helper problem?
I wonder if I am seeing the problem mentioned here: http://old.nabble.com/samba-3.2-breaks-ppp-winbind-plugin-td18715806.html. I can connect a Windows PPTP client just fine if using chap-secrets, but when I use the winbind plugin, the client says that it can not authenticate the server (both are on the same domain). They said it was resolved in 3.2, but we are using 3.4.3. Is it possible this bug reappeared?

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Configure a linux client to be a member of a Samba Domain and allow users from Domain to sign on.
On Thu, Dec 17, 2009 at 10:57 AM, Ryan Davis wrote:
> here is the output of testparm:
>
> ~$ testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[printers]"
> Processing section "[print$]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
>    workgroup = GO
>    server string = %h server (Samba, Ubuntu)
>    security = DOMAIN
>    map to guest = Bad User
>    obey pam restrictions = Yes
>    passdb backend = tdbsam
>    pam password change = Yes
>    passwd program = /usr/bin/passwd %u
>    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>    unix password sync = Yes
>    syslog = 0
>    log file = /var/log/samba/log.%m
>    max log size = 1000
>    name resolve order = wins lmhosts host bcast
>    dns proxy = No
>    wins server = 152.xx.xxx.xx
>    usershare allow guests = Yes
>    panic action = /usr/share/samba/panic-action %d
>
> [printers]
>    comment = All Printers
>    path = /var/spool/samba
>    create mask = 0700
>    printable = Yes
>    browseable = No
>
> [print$]
>    comment = Printer Drivers
>    path = /var/lib/samba/printers
>
>
> On Thu, Dec 17, 2009 at 4:02 AM, wrote:
> > Hi Davis,
> >
> > would be great if you could post your SMB.conf client file. So we can see what you missed, if you did.
> >
> > 2009/12/17 Ryan Davis
> > > Hi,
> > >
> > > I have a Samba server setup as a PDC. I have mostly Windows clients in the domain. I have one linux client that I configured and joined to the domain. However, after joining the domain, I can't login with any of the domain users.
> > > I have the SMB.conf configured on the client side as security=domain
> > > What else do I have to do to allow smb users to login to the linux box? I searched google but the most I find is how to configure PDCs

I suggest you check the thread titled "how to join to AD ? -Annoyed"; I just recently posted a very detailed post about getting interactive logins using Samba.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] how to join to AD ? -Annoyed
On Thu, Dec 17, 2009 at 8:23 AM, mistofeles wrote:
>
> Robert LeBlanc wrote:
> >
> > You seem to be having a lot more trouble with this than it should be.
> >
> Yes, I know, I'm stupid ;)
> And after reading hundreds of pages of Samba documentation I still feel stupid.
>
> - I didn't find the line 'password server = KDC' in your smb.conf. I thought it must be there.
> Login/access is OK. Here my troubles begin.

Password server by default will query the domain for servers to use; you may override it and specify an order or pin it to specific servers. I choose to leave the default so that I don't have to worry about which DCs are up and if any more are added or removed in the future. I left it out to use the defaults; check the man page for more info.

> Robert LeBlanc wrote:
> >
> > As far as file security, Samba will honor Linux's file permissions including ACLs.
> >
> It seems that I do not understand the system Samba handles the permissions.
>
> It seems that in terminal Linux 'User' permissions (rwx------) are used but in Samba the access is determined with 'World' (------rwx), if the group is not a valid AD group. Or it is determined by 'Group' (---rwx---), if the group is the valid 'domain users'.

Linux and Samba will try the user's permissions, then group and then other. This makes permissions fall through more easily, as generally you will give more permissions to users and less permissions to other (world). Since we usually use ACLs, user and group are given all permissions (usually they need all permissions in most cases) and then we give more restricted access using ACLs to other users and groups. The world permissions are set as normal since ACLs don't make much sense in this situation. I usually map this to the Everyone group in Windows in my head. Basically, our linux users that login to the system have the same exact access as they do over Samba.

Maybe one of my share defs can help:

[users]
   comment = Life Sciences user share
   browseable = yes
   path = /ls/users
   guest ok = no
   read only = no
   admin users = lfsci-csr
   create mask = 0770
   directory mask = 0770
   veto files = /.forward/.bash*/.profile/
   dos filemode = yes
   posix locking = no
   hide unreadable = yes
   vfs objects = shadow_copy2
   shadow:snapdir = /ls/snapshots/users
   shadow:basedir = /ls/users
   shadow:fixinodes = yes

We have one share and users have folders that only they can see.

drwxr-sr-x 57 root root 4.0K 2009-12-17 03:14 users

A user folder:

drwxrws--- 18 rleblanc lfsci-csr 4.0K 2009-12-14 10:05 rleblanc

When someone with no access connects to the share, they see a blank screen. When I access the same share (I'm a member of lfsci-csr), I see everyone's folder. When a regular user logs in, they only see their folder. This allows me to quickly help someone when they are having data problems, as that share is already mapped on my machines.

> After reading your message twice I made some tuning and found that this line in [homes] made the permissions work:
> path = /home/%U
> Note %U. With %S it left users' directories wide open RW if d---rwx---
> My conf's are still mostly as I have laid them.
>
> Now there is some funny behaviour. If I query \\myserver\somebody (somebody is a member of AD) on the WinXP MyComputer address line, I get my own directory \\myserver\myself in the window.
> This doesn't matter, it happens in my old samba 2 server too.
>
> Another funny thing is that in Win there are both 'homes' and 'myself' and they both are connected to 'homes'.
>
> After all this hacking my smb.conf is full of garbage, but it works. I will collect my conf's to my WWW page ASAP.

I've cut out as much stuff as I could from my smb.conf file, and the defaults work great most of the time. If you have time, you might want to see what can be thrown out to make reading your conf a little easier.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
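The owner/group/other evaluation and the one-share layout discussed in the reply above, as an added model written for this page; it is not Samba or kernel code. It follows the POSIX.1e rules the kernel applies (one class is chosen and decides; named ACL entries and the owning group are limited by the ACL mask), and the user names, directories and the "setfacl" entry are constructed for the demo:

```python
# Added example, not Samba or kernel code: a model of how the owner, group
# and other bits plus POSIX.1e ACL entries decide access, applied to the
# one-share /ls/users layout above.  Names and ACL entries are constructed.
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1


@dataclass
class Inode:
    owner: str
    group: str
    mode: int                                        # e.g. 0o2770
    acl_users: dict = field(default_factory=dict)    # named user  -> rwx bits
    acl_groups: dict = field(default_factory=dict)   # named group -> rwx bits
    mask: Optional[int] = None                       # ACL mask; None = no extended ACL


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def permitted(inode, who, want):
    """True if `who` holds every bit in `want` on `inode`.

    Exactly one class is chosen and it decides: owner if the name matches,
    else a matching named-user entry, else the group class (owning group and
    named-group entries; any one that grants all of `want` suffices), else
    "other".  A group member is never re-evaluated against "other", even
    when "other" is more permissive.  Named entries and the owning group are
    limited by the mask; owner and other are not.
    """
    owner_bits = (inode.mode >> 6) & 7
    group_bits = (inode.mode >> 3) & 7
    other_bits = inode.mode & 7
    mask = 7 if inode.mask is None else inode.mask

    if who.name == inode.owner:
        return owner_bits & want == want
    if who.name in inode.acl_users:
        return inode.acl_users[who.name] & mask & want == want

    group_grants = []
    if inode.group in who.groups:
        group_grants.append(group_bits & mask)
    group_grants += [bits & mask for g, bits in inode.acl_groups.items() if g in who.groups]
    if group_grants:
        return any(bits & want == want for bits in group_grants)
    return other_bits & want == want


def visible_entries(entries, who):
    """Model of "hide unreadable = yes": list only entries `who` can read."""
    return [name for name, inode in entries.items() if permitted(inode, who, R)]


# Constructed layout after the share above: one directory per user inside
# /ls/users, owned by the user, group lfsci-csr (the admins), mode 2770.
USERS_DIR = {
    "rleblanc": Inode("rleblanc", "lfsci-csr", 0o2770),
    "alice":    Inode("alice", "lfsci-csr", 0o2770),
    # bob granted carol read+execute with "setfacl -m u:carol:rx bob";
    # setfacl recalculates the mask to the union of the group class (rwx).
    "bob":      Inode("bob", "lfsci-csr", 0o2770, acl_users={"carol": R | X}, mask=7),
}

if __name__ == "__main__":
    for user, groups in [("rleblanc", {"lfsci-csr", "domain users"}),
                         ("alice", {"domain users"}),
                         ("carol", {"domain users"})]:
        who = Principal(user, frozenset(groups))
        print(user, "sees", visible_entries(USERS_DIR, who))
```

Run against the constructed layout, the admin sees every folder, a regular user sees only their own, and carol sees bob's folder through the ACL entry alone; the last assertion in the test is the case worth remembering when debugging "world" permissions: a member of the owning group that grants nothing is denied even if "other" would allow.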
Re: [Samba] how to join to AD ? -Annoyed
e time to understand how each option listed above works; it's a lot easier to troubleshoot. Don't get discouraged if things are not working right away. Be sure you are restarting the winbind and samba services, and check the logs; they help a lot (/var/log/samba/*) in finding where problems lie. Every environment is different, so you may run into things that others have not. We can try to help where we can, but be patient; you may have to be the one that figures it out.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Starting from scratch... and Active Directory
On Fri, Dec 11, 2009 at 12:57 PM, Joel Therrien wrote:
> Hello,
>
> Due to a couple of circumstances, I am rebuilding my file server. In the process I want to see if I can iron out the last few issues I have had with getting active directory authentication to work. Ideally I would appreciate it if anyone can provide a link to a website that gives decently detailed instructions for setting up samba with user authentication via Active Directory running on a windows server 2008 box. If it matters, I will be installing Debian squeeze, since I believe that version has a version of samba that is able to work with 2008 (our IT department upgraded over the weekend and thus broke my authentication).
>
> On top of that, one other question: Is it absolutely necessary to enable enum users and groups? I ask because with a student population of more than 13,000 I do not want to choke either my server or the university's server by making a request for that large a number of people. And if one can get away without, what are the side effects? For example, the university's server has faculty and staff in a separate group from the students, such that an authentication call via wbinfo requires specifying for example FACULTY+John_Doe and STUDENT+Dave_Smith to work correctly. This was the one remaining hitch I did have: I used an account in the FACULTY group to bind my server to the AD server and thereafter had no issues with authenticating myself with samba, but I could not get it to work for any students.

This works very well in our environment (Windows 2008 DCs) with trusted domains. I would suggest using idmap backend = hash over anything else if you are using 3.4.x; it is consistent across machines without having to worry about much configuration. You will be able to login both your FACULTY+user and STUDENT+user without any problem in this configuration.

Beware that if you are doing AD logins to the box, you may have to disable the "kerberos method = system keytab" line. There is a bug that prevents password challenges if you don't have a Kerberos ticket on your machine (if you have a Kerberos ticket on your machine and ssh in, then it works fine because it doesn't challenge for a password). It is suspected that the cause of this is the cache file option in PAM; you could probably disable that instead (for more info see https://bugzilla.samba.org/show_bug.cgi?id=6833). If you are not using Kerberos for login, just comment out the line in smb.conf; regular file share requests will still use Kerberos.

Our AD domain is delegated by our campus DNS servers, so we don't have to change the DHCP settings to get things to work. If your campus has not delegated the AD DNS domain, it might be wise to have them look into it. All that needs to happen is they put in the DC addresses as the NS for that domain or sub-domain.

#=== Global Settings ===
[global]
   workgroup = ad
   realm = AD.LOCAL
   preferred master = no
   server string = %h server
   dns proxy = no

## Debugging/Accounting ##
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   panic action = /usr/share/samba/panic-action %d

### Authentication ###
   security = ADS
   encrypt passwords = true
   passdb backend = tdbsam
   obey pam restrictions = yes
   invalid users = root
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
   pam password change = yes
   guest account = nobody
   map to guest = bad user

## Printing ##
   load printers = no
   printing = bsd
   printcap name = /dev/null
   show add printer wizard = no
   disable spoolss = yes

## Misc ##
   idmap backend = hash
   winbind nss info = hash
   winbind use default domain = yes
   winbind separator = +
   winbind enum groups = no
   winbind enum users = no
   winbind nested groups = yes
   template homedir = /ls/users/%U
   template shell = /bin/bash
   winbind refresh tickets = yes
   kerberos method = system keytab
   winbind offline logon = yes
   # get quota command = /root/sambaquota.sh

#=== Share Definitions ===

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Limit users storing BIG files
On Fri, Dec 11, 2009 at 4:44 AM, S.Kani wrote:
> Hi All,
>
> I am using Samba for my network users and I run out of space soon, as so many users store BIG files on the share folders.
>
> Is there a way to specify the max size for a file that can be stored using Samba?
>
> Or at least a max size for a folder will also help.

The only thing I'm aware of is file system quotas. That will restrict a user's space usage, but will let them store big files up to the size of their quota. If you are using a simple set-up where every person uses the same username and password, it will restrict all users to the same space.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] wbinfo / Could not convert sid to gid / uid
On Thu, Dec 10, 2009 at 6:21 AM, Georg Roelli wrote:
>
> Hello
>
> I have something very interesting, which would confirm the statement from Robert.
> Until now I have made all the tests on a virtual clone. Now I have reproduced the installation on the productive system.
> Here I get a GID for the group nobadurl. Possibly I run out of gids allocated to groups.
>
> How do I find out how great my range for GID must be, and how can I change this value? I know there exist two values in the smb.conf.
> Idmap uid and Idmap gid are now 1-2. I have changed these values one time but without success. I got no GID for the group nobadurl.
>
> Who can help me?
>
> Kind regards, G.

The logs didn't seem to give any additional info. Do you have less than 10,000 groups in your AD? You can set that as high as you want. You will need to restart the winbind service. You probably do NOT want to clear the id cache; this will mess up your old rids. We use idmap_hash, which has 10 digits in the uid and gid, so you can go very high; you just have to be careful that some apps don't have problems. We only found a problem with a database that stored the uid and it wasn't wide enough.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba 3.4.2 with Solaris ZFS Snapshots
On Tue, Dec 8, 2009 at 7:41 AM, Ralf Hornik Mailings wrote:
> Volker Lendecke wrote:
>> Can you please try 3.4.3? If that's not possible, you might want to apply the patch
>>
>> https://bugzilla.samba.org/attachment.cgi?id=4894&action=view
>
> Sorry, I didn't notice the subject line. I tested it with 3.4.3. Now, with your patch supplied (to 3.4.3) it works.
>
> BTW, with 3.5pre1 and windows 7 I can see the shadow copies, but on top of the share I see the snapshot name instead of the sharename:
>
> http://www.ralf-hornik.de/pub/shadow_client_s35_w7.jpg
>
> :-)

We aren't using Windows 7 yet, and Volker said that the patch is already in 3.5, so I think we are going to hold off until 3.5 is released. Thanks for doing some early testing for us! :)

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] wbinfo / Could not convert sid to gid / uid
On Tue, Dec 8, 2009 at 7:55 AM, Georg Roelli wrote:
>
> Hello
>
> My environment is: Ubuntu 8.04 LTS, Squid 2.6.18, Samba 3.0.28a
>
> For Squid I need to query a global group from Active Directory 2003. This works beautifully, but unfortunately not always. There are global groups which work to transform and others where it does not work.
>
> Here are my entries for test:
>
> # wbinfo -n nobadurl
> S-1-5-21-986273330-1409306274-1541874228-9965 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-9965
> Could not convert sid S-1-5-21-986273330-1409306274-1541874228-9965 to gid
>
> # wbinfo -n www-Access
> S-1-5-21-986273330-1409306274-1541874228-2514 Domain Group (2)
>
> # wbinfo -Y S-1-5-21-986273330-1409306274-1541874228-2514
> 10011
>
> I am a little confused. Why does the conversion work for one group but not for the other?
> I've tried a lot, unfortunately without success.
>
> Is there a log I can turn on that can help me?
> What value does wbinfo take out of the AD to convert the SID to UID or GID?
> Is there another way I can figure out why the conversion does not work?
>
> Thanks for your help.
>
> Kind regards, G.

I would check /var/log/samba/log.winbindd or /var/log/samba/log.wb.. I would suspect that you may have run out of gids allocated to groups (your range is not big enough). The logs should help you pinpoint the problem though.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] A question about samba and quote
On Fri, Dec 4, 2009 at 12:59 AM, Alexander Födisch wrote:
> Hi Robert,
>
> how did you implement the quota script in smb.conf? with parameter "dfree"?
> can you show us your quota script, please?
>
> thanks very much!
> alex
>

Here is my script, place it at /root/bin/sambaquota.sh

8<-------- 8<--------
#! /bin/bash
# Samba passes the query type as $2 and the uid/gid as $3; the share
# being accessed is taken from the current directory.
if [ "$2" == "4" ]; then
    # default quotas: nothing to report
    echo "2 0 0 0 0 0 0"
    exit 0
fi
DIRECTORY=`/bin/pwd`
if [ "$DIRECTORY" == "/ls/users" ]; then
    # user share: report the user's own quota on the users volume
    QUOTA=`quota -w -v $3 | awk '{if(/^\/dev\/mapper\/ldrive-users/){sub(/\*/,"");sub(//," 0");print $2,$3,$4,$6,$7,$8}}'`
elif [ "$DIRECTORY" == "/ls/groups" ]; then
    # group share: add up the quotas of every group the user belongs to
    USER=`wbinfo --uid-info=$3 | awk -F ":" '{ print $1 }'`
    groups $USER | grep lfsci-csr > /dev/null
    EXIT=$?
    if [ $EXIT -ne "0" ]; then
        QUOTA=`wbinfo -r $USER | xargs quota -w -g | awk '{if(/\/dev\/mapper\/ldrive-groups/){sub(//," 0"); tbused+=$2; tbsoft+=$3; tbhard+=$4; tfused+=$6; tfsoft+=$7; tfhard+=$8 }} END {print tbused,tbsoft,tbhard,tfused,tfsoft,tfhard}'`
        if [ "${#QUOTA}" -lt "6" ]; then
            QUOTA="1 1 1 0 0 0"
        fi
    else
        QUOTA="0 0 0 0 0 0"
    fi
fi
echo "2 "$QUOTA
8<-------- 8<--------

The first case is if samba is asking for default quotas; I really don't know how a default quota works so we send back nothing. The second case gets where the script is being run from (the share being accessed), then if it's the user's share, sends back the output from the quota command. The quota command is not very nice in that if the user is over quota it adds an extra field in the middle of the output; that is what the blank space in the awk commands does, it inserts that field if it is missing. If they are accessing the group space, then add up all the quotas of all the groups the person belongs to and use that, otherwise send back an empty quota. The only problem with this script is that when a person does not have access to the share, it shows the entire disk status (free and size) which I really don't want people seeing.

The reason for this is that we open up the share at the share level and use ACLs to manage access (much easier than managing hundreds of shares, and with "hide unreadable = true" it seems just as good). Then in smb.conf add/edit this line:

get quota command = /root/bin/sambaquota.sh

Hope that helps.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
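Added example, not the script from the thread and not Samba's code: the two parts of a "get quota command" script that are easy to get wrong, the field shift that quota(1) introduces with its grace column and the per-group summation, written as shell functions and run against constructed quota output so it works offline. The device name and all numbers are made up; the reply format is the one smb.conf(5) documents (flags, then block usage/soft/hard, then inode usage/soft/hard, with flags 2 meaning quotas enabled and enforced). The script above answers only query type 4 with zeros; this version also treats type 2 (user default quotas) that way.

```shell
#!/bin/sh
# Added example (not the script from the thread). Sample data is constructed.
# Samba reply format per smb.conf(5):
#   <flags> <blocks used> <block soft> <block hard> <inodes used> <inode soft> <inode hard>

# Turn one unwrapped data line of `quota -w -v` into the six numbers Samba
# wants. quota(1) prints the grace column only when a limit is exceeded and
# then appends '*' to the usage figure, so we shift on that marker instead
# of trusting the field count.
samba_quota_fields() {
    set -f                      # no pathname expansion on the '*' marker
    set -- $1                   # split the line into fields
    set +f
    q_blocks=$2; q_bsoft=$3; q_bhard=$4
    shift 4
    case "$q_blocks" in
        *\*) q_blocks=${q_blocks%\*}; shift ;;   # over quota: skip the grace column
    esac
    q_files=${1%\*}; q_fsoft=$2; q_fhard=$3     # a trailing inode grace column is ignored
    echo "$q_blocks $q_bsoft $q_bhard $q_files $q_fsoft $q_fhard"
}

# Sum usage and limits over every line on stdin for the given device (one
# line per group the user belongs to, as in the "/ls/groups" branch).
samba_quota_sum() {
    q_dev=$1
    tb=0; tbs=0; tbh=0; tf=0; tfs=0; tfh=0
    while IFS= read -r q_line; do
        case "$q_line" in "$q_dev "*) ;; *) continue ;; esac
        set -- $(samba_quota_fields "$q_line")
        tb=$((tb + $1)); tbs=$((tbs + $2)); tbh=$((tbh + $3))
        tf=$((tf + $4)); tfs=$((tfs + $5)); tfh=$((tfh + $6))
    done
    echo "$tb $tbs $tbh $tf $tfs $tfh"
}

# Full reply for Samba. $1 is the query type Samba passes as its second
# argument (1 user, 2 user default, 3 group, 4 group default); $2 is the
# six-number string from above. Default-quota queries get zeros.
samba_get_quota_reply() {
    case "$1" in
        2|4) echo "2 0 0 0 0 0 0" ;;
        *)   echo "2 $2" ;;
    esac
}

# Constructed sample output of `quota -w -v`: the first user is under quota,
# the second is over the block soft limit (note the '*' and the grace column).
SAMPLE_OK='/dev/mapper/ldrive-users 1048576 5242880 6291456 2013 100000 110000'
SAMPLE_OVER='/dev/mapper/ldrive-users 5500000* 5242880 6291456 6days 2013 100000 110000'

samba_get_quota_reply 1 "$(samba_quota_fields "$SAMPLE_OK")"
samba_get_quota_reply 1 "$(samba_quota_fields "$SAMPLE_OVER")"
printf '%s\n%s\n' "$SAMPLE_OK" "$SAMPLE_OVER" | samba_quota_sum /dev/mapper/ldrive-users
```

The functions assume `-w` so that a long device name is not wrapped onto its own line; keying on the `*` marker rather than on a field count is what keeps the over-quota and under-quota lines producing the same six columns.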
Re: [Samba] Active Directory DNS Registration
On Thu, Dec 3, 2009 at 9:34 AM, Casey Allen Shobe wrote:
> On Thu, Dec 3, 2009 at 10:55 AM, Robert LeBlanc wrote:
>
>> When you use net ads join to join the computer to the domain, it should register the machine in DNS as well.
>
> Well, prior to reading this I actually got things changed over to use security = ads instead of domain, and re-joined the domain using kerberos. The DNS issue was exactly the same.
>
>> Since you say that the machine object shows the name in lowercase, I assume you did not create the object previously.
>
> No, I did not. I deleted it using active directory users and groups before rejoining with kerberos also.
>
>> If looking in DNS management does not show your machine in the forward zone,
>
> How can I check for sure? wbinfo -I and -N work, btw, but not DNS resolution. I do not have any access to the Windows DNS stuff as it runs on servers I cannot log in to. Well, actually, I have a non-admin login right on one of them, but I don't think I can do anything useful with that.
>

I don't have login access to our DCs, but have been granted access to DNS. I open up DNS management on my Windows XP workstation, then select one of the DCs as the DNS server; I can then do any DNS work without having to log in to the DC. If this is still not an option, then I would make heavy use of the dig command on Linux.

>> try on the Samba server "sudo net ads dns register -P" That will try to register the machine again in DNS.
>
> That command hung for a long time, then finally returned:
> "DNS update failed!"
>

I wonder if this may have to do with the domain requiring secure updates; it seems that this would work since you have Kerberos working correctly. I would look through the logs, maybe bumping up the debug level while running the above command. You won't need to disjoin or rejoin to see the DNS errors. I haven't had to do much in the way of DNS debugging here as it works just fine in our environment.

>> I'm not sure if pre-creating the object will cause problems as I have not pre-created objects in my domain.
>
> I deleted the computer from AD, and pre-created it using uppercase letters, then re-joined the domain using net ads join. Now DNS resolution seems to work!
>

This seems fishy and doesn't make sense, as we don't have to do this here. I would try some of the above things as it may help pinpoint the real problem and fix it for future Samba installs.

>> If you need additional IP's or CNAMEs, you may have to enter those manually in DNS management.
>
> I'm assuming this is something on the Windows DC that is outside of my control. Is it possible to set up a (linux-based) DNS server for our site that can resolve some custom things I put in, but passes anything it doesn't know an answer for (e.g. any Windows hostname) to the Windows DNS?
>

Please see my above comment, your AD admin may feel comfortable delegating certain DNS rights to get your job done. I would much prefer that over a split horizon DNS, or a delegated zone if your site has its own sub-domain. It gets too difficult to manage multiple DNS servers. We have a delegated DNS zone for our AD domain, and our clients all use our Linux DNS servers by default. The reason: that DNS was set up a long time ago and not everyone on campus uses the Active Directory.

Client
  |
Linux DNS (school.edu, delegates school.local to AD DCs)
  |
Windows DNS (school.local)

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba 3.4.2 with Solaris ZFS Snaphots
On Thu, Dec 3, 2009 at 8:12 AM, Ed Plese wrote:
> On Wed, Dec 2, 2009 at 3:13 AM, Ralf Hornik Mailings wrote:
> > Ed Plese wrote:
> >> What patches are currently pending? Do any of them eliminate the need for some of the ZFS patches?
> >
> > Obviously none. The patches from http://www.edplese.com/samba-with-zfs.html do actually work with some modifications. But with 3.5, after compiling well, the module doesn't work at all, and breaks folder sharing:
> >
> > [2009/12/01 14:14:55.967820, 0] smbd/service.c:1009(make_connection_snum)
> > '/data/daten' is not a directory, when connecting to [Daten]
> >
> >> Has anyone else started merging these patches to the shadow_copy2 module? If not, I'll get started with it.
> >
> > Is there any documentation about this module (resp. shadow_copy2)? I need some hints how to configure e.g. the location of the snapdir, format, ...
> > Regards
>
> Yesterday, I posted a patch to the samba-technical list that works with the shadow_copy2 module in Samba 3.4.3. It's also available here:
>
> http://www.edplese.com/blog/2009/12/02/samba-shadow_copy2-enhancements/
>

Although we are not using ZFS, I'm excited about a couple of the extensions in this patch. Thanks for the work!

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Active Directory DNS Registration
On Thu, Dec 3, 2009 at 7:31 AM, Casey Allen Shobe wrote:
> Hi,
>
> I'm using a domain where the DNS is hosted by a couple of domain controllers on the network, outside of my control. I do have the ability to work with group policy and active directory users and computers.
>
> I was able to join a samba/linux computer to the domain using 'net rpc join -S '.
>
> This caused an entry for the computer to show up in Active Directory, however the name is in lower-case letters whereas all the Windows computers show up in upper-case, and if I view properties on the object, it doesn't show any details like an O/S or anything else.
>
> I am then able to resolve the samba host by name just like I can for Windows computers *from a Windows computer only*.
>
> While a linux computer is capable of resolving windows hosts by name since it's using the Windows DC as the DNS server, for whatever reason it cannot resolve samba hosts by name.
>
> Can anybody please point out what I'm doing wrong or what else I need to do to get this working? Also, is it possible to register multiple names in Windows DNS for an IP with Samba?
>

When you use net ads join to join the computer to the domain, it should register the machine in DNS as well. Since you say that the machine object shows the name in lowercase, I assume you did not create the object previously. I'm not sure if pre-creating the object will cause problems as I have not pre-created objects in my domain. If looking in DNS management does not show your machine in the forward zone, try on the Samba server "sudo net ads dns register -P". That will try to register the machine again in DNS. If you need additional IP's or CNAMEs, you may have to enter those manually in DNS management.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] A question about samba and quote
On Thu, Dec 3, 2009 at 5:08 AM, ARPAV\atomelleri in locale <atomell...@arpa.veneto.it> wrote:
>
> Hi,
>
> We've a Samba server as a pure fileserver in an AD windows environment with a 2k3 server as bdc.
> Our goal is to implement quotas to manage disk space usage on the samba server.
> Is it supported by samba? If not, which is the best way to approach it?
> I did a little search on google but I've not found a clear way or documentation about it, so any advice is really appreciated.
>
> thx in advance, Alessio
>

We do exactly this in our area. Using the Linux quota commands enforces quotas for Samba as well. We wrote a pam_exec script to set default quotas for people on our server. We also wrote a quota script (specified in smb.conf) to return the quotas to Windows so that it shows their quota and not the entire disk when they look at the mount point in detail view.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Centos with Shadowcopy
On Thu, Nov 26, 2009 at 7:27 AM, Bruno Steven wrote:
> Hello
>
> I want to use shadow copy for Linux, but I haven't found any document for implementation in Centos, only Debian. Does somebody have any document about this?
>

I recently used http://wiki.samba.org/index.php/Shadow_Copies_with_Snapshots; although I did do it on Debian, I remember it being pretty distro agnostic. I did make some changes like using shadow_copy2 instead and putting my snapshots in a snapshot folder to not clutter up my regular share. You may have to read the documentation a few times to understand it. There is no easy step by step for shadow copy; you need to understand how it will impact your environment when you set it up.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] reverse name resolving of winbind 3.4.x
On Wed, Nov 25, 2009 at 6:15 AM, Alexander Födisch wrote:
> Does nobody have the same problem? Same behaviour w/ 3.4.3
> It also takes a "long" time resolving names:
>
> # date; id ; date
> Mi Nov 25 14:08:55 CET 2009
> uid=<...> Gruppen=<...>
> Mi Nov 25 14:09:01 CET 2009
>
> Sometimes it takes more than 10 seconds...
>
> Sometimes users get an error message "Access denied", even though filesystem permissions and samba settings are correct. I think samba/winbind is running into a timeout while resolving names and so samba cannot grant access to files/folders.
>
> Any ideas what we can do?
>

Can you find any hints in the log.winbindd log or the log.wb- log? I had problems like that in the past, but they seem to be resolved in 3.4.2. You may have a different problem.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Shadow Copy and Windows 7
On Sat, Nov 14, 2009 at 5:30 AM, Volker Lendecke wrote:
> On Fri, Nov 13, 2009 at 11:40:38AM -0600, Robert LeBlanc wrote:
>
> > Also, I've seen patches for having the snapshots use local time instead of GMT. Has this been implemented? I could not find it in the docs. This would really be helpful for us as we are presenting the snapshots in raw form to Mac and Linux clients.
>
> Do you have URLs to those patches?
>

http://www.edplese.com/samba-with-zfs.html
http://lists.samba.org/archive/samba-technical/2007-May/053474.html

The patches seem mostly for ZFS, but some things like the local time should apply to any fs.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Shadow Copy and Windows 7
On Fri, Nov 13, 2009 at 10:46 AM, Robert LeBlanc wrote:
>
> On Fri, Nov 13, 2009 at 10:17 AM, Volker Lendecke <volker.lende...@sernet.de> wrote:
>
>> That is fixed in master and will be in 3.5:
>>
>> http://git.samba.org/?p=samba.git;a=commitdiff;h=f0fd5df7fd702ae
>>
>> The patch applies with some fudge to 3.4 as well. If you want it in official 3.4.4, please open a bug report at https://bugzilla.samba.org/
>>
>
> We are possibly rolling out Windows 7 around Q2 next year. Will 3.5 be production by then? If not, I'll put in a bug.
>

Also, I've seen patches for having the snapshots use local time instead of GMT. Has this been implemented? I could not find it in the docs. This would really be helpful for us as we are presenting the snapshots in raw form to Mac and Linux clients.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Shadow Copy and Windows 7
On Fri, Nov 13, 2009 at 10:17 AM, Volker Lendecke wrote:
> That is fixed in master and will be in 3.5:
>
> http://git.samba.org/?p=samba.git;a=commitdiff;h=f0fd5df7fd702ae
>
> The patch applies with some fudge to 3.4 as well. If you want it in official 3.4.4, please open a bug report at https://bugzilla.samba.org/
>

We are possibly rolling out Windows 7 around Q2 next year. Will 3.5 be production by then? If not, I'll put in a bug.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
[Samba] Shadow Copy and Windows 7
Before I beat myself up over this... I've set up shadow_copy2 and it works great for XP, 2003, Vista and 2008. Windows 7 however does not find any previous versions of the files. Is anyone aware of a problem or a solution? We are running 3.4.2 on Debian Squeeze.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] idmap_rid/idmap_hash collisions?
On Wed, Nov 11, 2009 at 10:18 AM, Gerald Carter wrote:
> Robert LeBlanc wrote:
>
> > So if I understand right, hash does not hash the SID, it does the same as rid and takes the last section directly from the SID and uses that without modification (rid adds that number to the lower range number).
>
> idmap_hash *does* hash the SID.
>

That is what I initially thought.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] idmap_rid/idmap_hash collisions?
On Wed, Nov 11, 2009 at 9:52 AM, Gerald Carter wrote:
> Robert LeBlanc wrote:
>
> > Does it suffer from the same collision problem as rid?
>
> idmap_rid doesn't have a collision problem that I'm aware of as long as you set it up properly. Did I misunderstand something?
>
> > Our AD will have a couple of hundred thousand objects in the not too near future.
>
> Depending on account turnover and number of trusted domains, I think you should be fine with idmap_hash. But if you only have a single domain, then idmap_rid is equivalent I think.
>

I think I may have not woken up completely this morning. I thought the original question was regarding idmap_rid and basically integer rollover. After rereading the first post, it sounds like they want to use RID and Hash at the same time. I don't know why one would want to do that, but ok. I much prefer hash because I don't have to specify a range and hope it is large enough. I also don't have to worry about all my machines having the same lower end starting number so that they are the same on all machines. We have some trusts, but they are only intended to be temporary as we transition to a central AD. So if I understand right, hash does not hash the SID, it does the same as rid and takes the last section directly from the SID and uses that without modification (rid adds that number to the lower range number).

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] idmap_rid/idmap_hash collisions?
On Wed, Nov 11, 2009 at 7:52 AM, Gerald Carter wrote:
> Hey Nick,
>
> Nick wrote:
> > Is it possible for the uid/gid numbers that are generated by the idmap_rid and idmap_hash to collide if there are a large number of users or groups? I cannot seem to find any documentation on the limitations of these plugins. Before using I want to make absolutely sure that there won't be any collisions.
>
> There is a small chance of collision based on the domain sid. In testing the mean average was about 40 trusted domains but I've seen it much lower on rare occasions. Also, if the highest RID in your domain is > (as Volker points out) 2^19, the plugin will suffer from integer overflow.
>
> There's a slide or two outlining the algorithm in this slide deck from LinuxWorld SF '08
>
> <http://archives.likewiseopen.org/%7Egcarter/presentations/likewise_open_first_class_citizen_lwsf08.pdf>

How does this compare with idmap hash? I can't seem to find the doc that I found some time ago regarding its details. My understanding is that it uses a 31 bit uid/gid that is generated from a hash of the domain on certain bits and a hash of the SID on certain bits. I don't recall how many bits were allocated to each. Does it suffer from the same collision problem as rid? Our AD will have a couple of hundred thousand objects in the not too near future.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] [bounce] Problem with pam_winbind
On Thu, Nov 5, 2009 at 2:32 PM, Alex Samad wrote:
> > I haven't used any of the ldap stuff that you are using so it's beyond me at this point. I wish I could help more, I know how it is to be in that position. Is this just a member workstation/server or is it trying to be a DC? To me if it is just a member, I can't see why you would need all the LDAP stuff. Security should also probably be ADS as well. Here is my conf
>
> not sure what you mean by all that ldap stuff I have, I understand ads is stored in M$ ldap
>

Indeed, Active Directory is ldap, but the link on pastebin is much different than what you posted here. For most of what I need, I don't have to do LDAP stuff. I just finished writing a script to query AD for a user's e-mail address and I had to do that over LDAP because winbind doesn't provide it. It would be nice to have winbind provide things like that (makes note to self when things slow down, to look at patching that in).

> [global]
> workgroup = AD
> server string = %h server
> dns proxy = no
> interfaces = 192.168.5.10/24
> bind interfaces only = yes
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> netbios name = bblx01
> realm = ad.barbarast.samad.com.au
> security = ADS
> encrypt passwords = true
> password server = *
> winbind separator = +
> idmap uid = 1-2
> idmap gid = 1-2
> winbind enum users = yes
> winbind enum groups = yes
> template homedir = /home/%D/%U
> template shell = /bin/false
> winbind use default domain = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>

So, a couple of things that I notice that may/may not help. Your realm is lower case, it needs to be uppercase. You are missing an idmap backend type (I'm pretty sure you need this so that winbind knows how to map your users' SIDs to UIDs). You can choose from hash, rid or ads. See my example for hash (you don't need ranges, i.e. idmap uid = 1-2). Rid, you need to specify the domain (trusted domains may not work, although I think you can specify different ranges for different domains) and you will need the ranges that you currently have. Ads needs to have the Active Directory schema extended; you don't need the ranges, but the schema will need to be populated (I think Samba can do that for you, but I don't have experience). Each one comes with its pros and cons; if your schema is not extended and you don't have other *NIXs that rely on it, I'd suggest using hash, but it is only in 3.4.x. Other than that things look ok. Also, if a home directory is not created for the user, they probably won't be able to log in due to the template shell = /bin/false.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
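Added example, not part of the thread and not Samba's code: a small lint for the [global] section of smb.conf that flags the things pointed out in the reply above (lower-case realm, no idmap backend, rid without ranges, template shell = /bin/false). The two sample configs it writes to temporary files are constructed; AD.EXAMPLE.COM is a made-up realm, and the parameter names are the 3.4-era ones used in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Sample configs below are constructed.

# Print the value of a [global] parameter. Samba compares parameter names
# case-insensitively and ignores the spaces around '=', so we do the same.
smb_get() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[#;]/ { next }                                     # comment line
        /^[ \t]*\[/  { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && /=/ {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(name) == key) { print val; exit }
        }' "$1"
}

# Report the problems from the reply above; the return value is their count.
smb_lint() {
    problems=0
    realm=$(smb_get "$1" realm)
    backend=$(smb_get "$1" "idmap backend")
    uidrange=$(smb_get "$1" "idmap uid")

    if [ -n "$realm" ] && [ "$realm" != "$(printf '%s' "$realm" | tr a-z A-Z)" ]; then
        echo "realm '$realm' is not upper case"
        problems=$((problems + 1))
    fi
    if [ -z "$backend" ]; then
        echo "no idmap backend: winbind has no way to map SIDs to uids/gids"
        problems=$((problems + 1))
    fi
    case "$backend" in
        rid|rid:*)
            if [ -z "$uidrange" ]; then
                echo "rid backend needs idmap uid/gid ranges"
                problems=$((problems + 1))
            fi ;;
        hash)
            [ -z "$uidrange" ] || echo "note: hash ignores the idmap uid/gid ranges" ;;
    esac
    if [ "$(smb_get "$1" "template shell")" = "/bin/false" ]; then
        echo "note: template shell = /bin/false prevents interactive logins"
    fi
    return $problems
}

# Constructed configs: the first reproduces the two problems called out above,
# the second is the corrected form using the hash backend.
SAMPLE_BAD=$(mktemp); SAMPLE_FIXED=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_FIXED"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
[global]
   workgroup = AD
   realm = ad.example.com
   security = ADS
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   template shell = /bin/false
EOF
cat > "$SAMPLE_FIXED" <<'EOF'
[global]
   workgroup = AD
   realm = AD.EXAMPLE.COM
   security = ADS
   idmap backend = hash
   template shell = /bin/bash
EOF

for f in "$SAMPLE_BAD" "$SAMPLE_FIXED"; do
    echo "== $f"
    smb_lint "$f" || echo "$? problem(s)"
done
```

Run it against a real file with `smb_lint /etc/samba/smb.conf`; a non-zero exit status means something winbind will trip over, while the "note:" lines are only worth a look.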
[Samba] Ideas for distributed Samba servers
I'm trying to think about how to set up a Samba system and would like to pick the brains of some experts. We are looking to put a large amount of storage, ~75TB, in a central data center. We have some remote (ok, not remote, but across slower links, ok if you consider several hundred clients over 1Gb to be slow) locations where we would like to set up samba servers that 'cache' the file system and serve it up to the clients in the building and sync with the main data center storage. The idea is to have a couple of TB located in the building that serve up the Samba share. When a client requests a file, if it's in the local cache it is served up from there; if not, then the Samba server grabs the file from the main data center and serves it to the client. When a file is written, something like rsync is used to transfer only the difference back to the main data center. The problem is that I'm not sure of a file system that does this. We are using Lustre on our HPC, but this won't do what we want. Any suggestions are welcome.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] idmapping changes from 3.0.10 to 3.4.2.
On Mon, Nov 2, 2009 at 6:06 PM, Wayne Rasmussen wrote:
> Backendwise, it has to be local, we don't have any write permission to AD or LDAP.
>
> If I do: wbinfo -n knixon, I get the ssid back. Taking it to the next level with:
> wbinfo -S `wbinfo -n knixon` gets me:
> Could not convert sid S-1-5-21-1606980848-1644491937-839522115-152478 to uid
> So it looks like we are getting what we need from AD and that I just have some kind of issue with the smb.conf configuration.
>

Just FYI, hash and rid do not write anything to AD. In fact, I don't think either writes anything anywhere; they are generated on the fly. Hash takes the 31-bit uid/gid and for the higher end bits hashes the domain; on the lower end of the bits, it hashes the user/group part of the SID to make the UID/GID. In RID, it takes a portion of the user/group sid and adds it to the low end of the range, up to the max end that you specify. That is very high level, but the gist of it. I personally like the hash as I don't have to make sure my ranges are the same across boxes (or that my max is high enough) and it works well with trusted domains, a downfall of rid. I do think you need a backend of some sort though. I haven't tried without it, but it really seems to be needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
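Added example, not Samba's code: the two allocator-free mappings described in the reply above, and the limits Gerald Carter gives for them earlier in this thread, as shell functions you can run against a SID. The rid mapping (RID plus the low end of the range, refused when it would leave the range) is the one idmap_rid(8) documents. The hash side is a model: a 12-bit value from the domain part of the SID in the high bits and the RID in the low 19 bits, which is consistent with the "RID > 2^19 overflows" remark, but the XOR-and-fold used for the domain value is my own choice, so its exact output is illustrative and the commutative collision it shows is a property of this model. The SID is the one from the nobadurl group in this thread; the range values are made up.

```shell
#!/bin/sh
# Added example (not Samba's code). Range values and the short SIDs are constructed.

sid_rid()    { echo "${1##*-}"; }   # last sub-authority of a SID
sid_domain() { echo "${1%-*}"; }    # everything before it

# idmap_rid: $1 SID, $2 range low, $3 range high. id = RID + low,
# refused when it does not fit in the configured range.
rid_to_id() {
    rid_id=$(( $(sid_rid "$1") + $2 ))
    if [ "$rid_id" -gt "$3" ]; then
        echo "out-of-range"      # what a too-small idmap uid/gid range produces
        return 1
    fi
    echo "$rid_id"
}

# Model of the idmap_hash domain hash (an assumption, not idmap_hash.c):
# XOR the three domain sub-authorities, fold the 32-bit result into 12 bits,
# and never return 0.
domain_hash() {
    dom=$(sid_domain "$1")
    case "$dom" in S-1-5-21-*-*-*) ;; *) echo 0; return 1 ;; esac
    subs=${dom#S-1-5-21-}
    s1=${subs%%-*}; rest=${subs#*-}; s2=${rest%-*}; s3=${rest#*-}
    x=$(( $s1 ^ $s2 ^ $s3 ))
    h=$(( ( ((x & 0xFFF00000) >> 20) + ((x & 0x000FFF00) >> 8) + (x & 0xFF) ) & 0x0FFF ))
    [ "$h" -ne 0 ] || h=1
    echo "$h"
}

# idmap_hash model: $1 SID. A RID that does not fit in 19 bits would spill
# into the domain bits, which is the overflow the thread warns about.
hash_to_id() {
    rid=$(sid_rid "$1")
    if [ "$rid" -ge $(( 1 << 19 )) ]; then
        echo "rid-overflow"
        return 1
    fi
    echo $(( ( $(domain_hash "$1") << 19 ) | $rid ))
}

SID=S-1-5-21-986273330-1409306274-1541874228-9965     # group SID from this thread
echo "rid  (range 10000-20000): $(rid_to_id "$SID" 10000 20000)"
echo "rid  (range 10000-15000): $(rid_to_id "$SID" 10000 15000 || true)"
echo "hash                    : $(hash_to_id "$SID")"
# Two constructed domains whose sub-authorities are a permutation of each
# other collide under this XOR model:
echo "hash collision          : $(hash_to_id S-1-5-21-1-2-3-500) == $(hash_to_id S-1-5-21-3-2-1-500)"
```

The second rid call is the situation suspected in the log.winbindd reply earlier on this page: a RID larger than the range leaves nothing for winbind to hand back, so "could not convert sid" is the visible symptom. For hash, the thing to check before relying on it is the high bits: if the id divided by 2^19 is not the same for every SID of one domain, RIDs have grown past 19 bits.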
Re: [Samba] Problem with pam_winbind
Ok, it was a shot in the dark since there was no smb.conf included.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Nov 2, 2009 at 12:47 AM, Alex Samad wrote:
> On Sun, Nov 01, 2009 at 11:02:07PM -0600, Robert LeBlanc wrote:
> > Does this bug describe what you are seeing?
> > https://bugzilla.samba.org/show_bug.cgi?id=6833
>
> no, I am not using "kerberos method"
>
> > Robert LeBlanc
> > Life Sciences & Undergraduate Education Computer Support
> > Brigham Young University
> >
> > On Sun, Nov 1, 2009 at 9:01 PM, Alex Samad wrote:
> > > Hi
> > >
> > > my setup debian amd64 with
> > > ii samba 2:3.4.2-1 SMB/CIFS file, print, and login server for Unix
> > > ii samba-common 2:3.4.2-1 common files used by both the Samba server and
> > > ii samba-common-bin 2:3.4.2-1 common files used by both the Samba server and
> > > ii samba-doc 2:3.2.5-4lenny7 Samba documentation
> > > ii samba-tools 2:3.4.2-1 Samba testing utilities
> > >
> > > installed.
> > >
> > > I have a working connection config, I can
> > >
> > > net ads testjoin - result okay
> > > and wbinfo -u & wbinfo -g work
> > >
> > > wbinfo -a test%password
> > > wbinfo -K test%password
> > >
> > > work.
> > >
> > > I have /etc/pam.d/imap-test set up to look like
> > > auth required pam_winbind.so
> > > auth required pam_deny.so
> > > account required pam_winbind.so
> > > account required pam_deny.so
> > >
> > > when i try testsaslauthd -u test -p password -s imap-test
> > > I get
> > > 0: NO "authentication failed"
> > >
> > > if I change the imap-test config file to remove pam_winbind and use shadow and then retest with a shadow userid/password it works.
> > >
> > > I have tried setting debug for pam_winbind but I don't see anything
> > >
> > > Thanks
> > > Alex
>
> --
> "I promise you I will listen to what has been said here, even though I wasn't here."
> - George W. Bush
> 08/13/2002
> Waco, TX
> Speaking at the President's Economic Forum
Re: [Samba] Problem with pam_winbind
Does this bug describe what you are seeing? https://bugzilla.samba.org/show_bug.cgi?id=6833

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Sun, Nov 1, 2009 at 9:01 PM, Alex Samad wrote:
> Hi
>
> my setup debian amd64 with
> ii samba 2:3.4.2-1 SMB/CIFS file, print, and login server for Unix
> ii samba-common 2:3.4.2-1 common files used by both the Samba server and
> ii samba-common-bin 2:3.4.2-1 common files used by both the Samba server and
> ii samba-doc 2:3.2.5-4lenny7 Samba documentation
> ii samba-tools 2:3.4.2-1 Samba testing utilities
>
> installed.
>
> I have a working connection config, I can
>
> net ads testjoin - result okay
> and wbinfo -u & wbinfo -g work
>
> wbinfo -a test%password
> wbinfo -K test%password
>
> work.
>
> I have /etc/pam.d/imap-test set up to look like
> auth required pam_winbind.so
> auth required pam_deny.so
> account required pam_winbind.so
> account required pam_deny.so
>
> when i try testsaslauthd -u test -p password -s imap-test
> I get
> 0: NO "authentication failed"
>
> if I change the imap-test config file to remove pam_winbind and use shadow and then retest with a shadow userid/password it works.
>
> I have tried setting debug for pam_winbind but I don't see anything
>
> Thanks
> Alex
Re: [Samba] idmapping changes from 3.0.10 to 3.4.2.
You seem to be missing an idmap backend entry. If you are going to 3.4, you may want to look at hash; there is also RID. If you already have an extended schema, you may want to look at ads.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 30, 2009 at 4:37 PM, Wayne Rasmussen wrote:
> idmapping changes from 3.0.10 to 3.4.2.
>
> Trying to transition from 3.0.10 to 3.4.2 with a minimal change to the system, meaning it would be nice to only change the smb.conf file if possible.
>
> The new version doesn't seem to properly work. getent passwd only produces entries from /etc/passwd. Sometimes, getent passwd user will get results but usually they don't.
>
> Also, when winbindd (ver 3.0.10) started it would have a heavy load for about 15 minutes while it loaded information. This version (3.4.2) seems to have very little load so it seems to act differently or it is having a problem.
>
> Any suggestions on how to change the global section below quickly and easily to make this a transparent transition?
>
> Below is the global section of our smb.conf for 3.0.10.
> Note: I changed the workgroup/realm for posting. I just want it to work like the previous system worked.
>
> [global]
>    workgroup = XX
>    realm = XX.YYY.ZZZ
>    security = ADS
>    encrypt passwords = yes
>    log level = 1
>    idmap uid = 2000-90
>    idmap gid = 2000-90
>    winbind enum users = yes
>    winbind enum groups = yes
>    template homedir = /u/%U
>    template shell = /bin/false
>    winbind use default domain = yes
>    winbind cache time = 1800
>    wins server = 143.231.3.194 143.231.40.66
>    client schannel = no
>    #starting to add stuff to see how things are working
>    #username map = /usr/local/samba/lib/users.map
>    #guestaccount = NULL
>    #load printers = yes
>    log file = /usr/local/samba/var/log.%m
[Samba] winbind + Active Directory + email
Ok, I can't seem to search for the right thing to get what I need. I'm looking for a solution where if quota or some other mailing system needs to send an email to an Active Directory user, it uses the email address listed in Active Directory for that user. We are connected to Active Directory using winbind; on one system we are using pam_winbind, on another we are not. Of course, I'm looking for the simplest option. It seems that mail is being sent to user_at_hostname right now.

Thanks,
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
On Fri, Oct 23, 2009 at 2:45 PM, Jeremy Allison wrote:
> On Fri, Oct 23, 2009 at 02:34:45PM -0600, Robert LeBlanc wrote:
> > 3.4.2
>
> Ok, what does your smb.conf look like. What is the
> configured winbindd backend ?
>

We have switched to hash for the increased flexibility. I have flushed the idmap cache and everything resolves perfectly when a DC is contactable.

#=== Global Settings ===
[global]
workgroup = byu
realm = BYU.LOCAL
preferred master = no
server string = %h server
dns proxy = no

## Debugging/Accounting ##
log file = /cluster/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d

### Authentication ###
security = ADS
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
invalid users = root
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes

## Printing ##
load printers = no
printing = bsd
printcap name = /dev/null
show add printer wizard = no
disable spoolss = yes

## Misc ##
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
# allow trusted domains = No
# idmap backend = rid:BYU=1-1
# idmap config BYU:backend = rid
# idmap config BYU:range = 1-1
# idmap uid = 1-1
# idmap gid = 1-1
idmap backend = hash
winbind nss info = hash
winbind use default domain = yes
winbind separator = +
winbind enum groups = no
winbind enum users = no
winbind nested groups = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes
# use kerberos keytab = yes
# kerberos method = system keytab # should work after bug is fixed
winbind offline logon = yes

#=== Share Definitions ===========

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
3.4.2

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 23, 2009 at 1:23 PM, Jeremy Allison wrote:
> On Fri, Oct 23, 2009 at 01:19:46PM -0600, Robert LeBlanc wrote:
> > Here is a capture of top at the time:
> >
> >   PID USER      PR  NI  VIRT   RES  SHR S %CPU %MEM    TIME+  COMMAND
> >  5842 root      20   0  873m  6912 4612 S  0.0  0.4   0:01.20 winbindd
> >  5848 root      20   0  872m  3260 2272 S  0.0  0.2   0:00.08 winbindd
> >  5849 root      20   0  872m  3640 2652 S  0.0  0.2   0:00.06 winbindd
> >  5850 root      20   0  872m  3320 2200 S  0.0  0.2   0:00.06 winbindd
> >  5859 root      20   0  874m  2684 1448 S  0.0  0.2   0:00.00 winbindd
> >  5954 root      20   0  872m  3740 2284 S  0.0  0.2   0:00.02 winbindd
> >  5955 root      20   0  872m  3804 2348 S  0.0  0.2   0:00.04 winbindd
> >  6025 root      20   0  873m 15444      S  0.0  0.1   0:00.00 winbindd
> >  6026 root      20   0  873m 15484      S  0.0  0.1   0:00.00 winbindd
> >  6518 root      20   0  873m  5048 3476 S  0.0  0.3   0:00.00 winbindd
> >  6576 root      20   0  873m  6228 4232 S  0.0  0.4   0:00.00 winbindd
> >     5 root      RT  -5   000           S  0.0  0.0   0:00.00 watchdog/0
> >   529 root      16  -4 21076  6320      S  0.0  0.0   0:00.16 udevd
> >  6574 root      20   0 18824  1264  940 R  0.0  0.1   0:00.10 top
> >  1761 root      20   0  5904   320  184 S  0.0  0.0   0:00.06 syslogd
> >  1805 root      20   0 48868   720  216 S  0.0  0.0   0:00.00 sshd
> >  5768 root      20   0 78572   916  200 S  0.0  0.1   0:00.14 sshd
>
> Well 873m is a little excessive, even for virtual memory :-).
> That's a memory leak I'd guess. What winbindd version is this ?
>
> Jeremy.
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
Here is a capture of top at the time:

  PID USER      PR  NI  VIRT   RES  SHR S %CPU %MEM    TIME+  COMMAND
 5842 root      20   0  873m  6912 4612 S  0.0  0.4   0:01.20 winbindd
 5848 root      20   0  872m  3260 2272 S  0.0  0.2   0:00.08 winbindd
 5849 root      20   0  872m  3640 2652 S  0.0  0.2   0:00.06 winbindd
 5850 root      20   0  872m  3320 2200 S  0.0  0.2   0:00.06 winbindd
 5859 root      20   0  874m  2684 1448 S  0.0  0.2   0:00.00 winbindd
 5954 root      20   0  872m  3740 2284 S  0.0  0.2   0:00.02 winbindd
 5955 root      20   0  872m  3804 2348 S  0.0  0.2   0:00.04 winbindd
 6025 root      20   0  873m 15444      S  0.0  0.1   0:00.00 winbindd
 6026 root      20   0  873m 15484      S  0.0  0.1   0:00.00 winbindd
 6518 root      20   0  873m  5048 3476 S  0.0  0.3   0:00.00 winbindd
 6576 root      20   0  873m  6228 4232 S  0.0  0.4   0:00.00 winbindd
    5 root      RT  -5   000           S  0.0  0.0   0:00.00 watchdog/0
  529 root      16  -4 21076  6320      S  0.0  0.0   0:00.16 udevd
 6574 root      20   0 18824  1264  940 R  0.0  0.1   0:00.10 top
 1761 root      20   0  5904   320  184 S  0.0  0.0   0:00.06 syslogd
 1805 root      20   0 48868   720  216 S  0.0  0.0   0:00.00 sshd
 5768 root      20   0 78572   916  200 S  0.0  0.1   0:00.14 sshd

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 23, 2009 at 1:17 PM, Robert LeBlanc wrote:
> I also see this in the syslog sometimes:
>
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
I also see this in the syslog sometimes:

Oct 23 13:09:35 lsbeast-i2 kernel: [74133.132286] rsync invoked oom-killer: gfp_mask=0x201d2, order=0, oomkilladj=0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.132649] Pid: 6516, comm: rsync Not tainted 2.6.26-2-amd64 #1
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.132916]
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.132917] Call Trace:
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.133470] [] oom_kill_process+0x57/0x1dc
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.133746] [] __capable+0x9/0x1c
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.133993] [] badness+0x188/0x1c7
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.134245] [] out_of_memory+0x1f5/0x28e
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.140836] [] __alloc_pages_internal+0x31d/0x3bf
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.141048] [] generic_file_aio_read+0x3b7/0x4ae
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.141279] [] do_sync_read+0xc9/0x10c
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.141472] [] autoremove_wake_function+0x0/0x2e
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.141682] [] vfs_read+0xaa/0x152
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.141864] [] sys_read+0x45/0x6e
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142046] [] system_call_after_swapgs+0x8a/0x8f
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142254]
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142376] Mem-info:
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142511] Node 0 DMA per-cpu:
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142662] CPU0: hi:0, btch: 1 usd: 0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142844] Node 0 DMA32 per-cpu:
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.142998] CPU0: hi: 186, btch: 31 usd: 173
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.143183] Active:189862 inactive:179626 dirty:0 writeback:0 unstable:0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.143184] free:3011 slab:7697 mapped:76 pagetables:1122 bounce:0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.143592] Node 0 DMA free:6020kB min:32kB low:40kB high:48kB active:3012kB inactive:2676kB present:10724kB pages_scanned:9007 all_unreclaimable? yes
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.144711] lowmem_reserve[]: 0 1499 1499 1499
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.144894] Node 0 DMA32 free:6024kB min:4936kB low:6168kB high:7404kB active:756436kB inactive:715828kB present:1535136kB pages_scanned:626785 all_unreclaimable? no
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.145479] lowmem_reserve[]: 0 0 0 0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.145648] Node 0 DMA: 3*4kB 1*8kB 1*16kB 5*32kB 3*64kB 2*128kB 3*256kB 1*512kB 0*1024kB 0*2048kB 1*4096kB = 6020kB
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.146045] Node 0 DMA32: 162*4kB 28*8kB 9*16kB 7*32kB 1*64kB 1*128kB 0*256kB 1*512kB 0*1024kB 0*2048kB 1*4096kB = 6040kB
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.155603] 364394 total pagecache pages
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.155831] Swap cache: add 0, delete 0, find 0/0
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.156064] Free swap = 0kB
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.156064] Total swap = 0kB
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164049] 393200 pages of RAM
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164049] 6902 reserved pages
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164049] 2124 pages shared
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164247] 0 pages swap cached
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164396] Out of memory: kill process 5842 (winbindd) score 76798 or a child
Oct 23 13:09:35 lsbeast-i2 kernel: [74133.164850] Killed process 5847 (winbindd)

Looks like winbind is running out of memory?

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 23, 2009 at 9:33 AM, Robert LeBlanc wrote:
> Just out of curiosity, do any of you have mdns4_minimal or mdns4 in your
> /etc/nsswitch.conf file? I think mdns4 doesn't work too well and I usually
> take it out, but it was alive and well on these machines. Does removing
> those items help anyone?
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Thu, Oct 22, 2009 at 4:45 PM, Robert LeBlanc wrote:
>
>> I'm using 3.4.2 right now and I'm seeing a similar problem. We are using
>> winbind to authenticate our users on our Linux cluster. The worker and
>> interactive nodes are on a private subnet that is NATed to the local LAN.
>> Two head nodes provide failover for the NATing. When failover is happening,
>> winbind whacks out. The system is not unusable, but no authentication
>> happens for about 30 minutes after the failover. I'm going to see if I can
>> get iptables to share state between machines to help prevent this, but there
>> needs to be a faster reconnection after domain controllers seem to be down.
>>
>> Robert LeBlanc
>> Life Sciences & Undergraduate Education Computer
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
Just out of curiosity, do any of you have mdns4_minimal or mdns4 in your /etc/nsswitch.conf file? I think mdns4 doesn't work too well and I usually take it out, but it was alive and well on these machines. Does removing those items help anyone?

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 22, 2009 at 4:45 PM, Robert LeBlanc wrote:
> I'm using 3.4.2 right now and I'm seeing a similar problem. We are using
> winbind to authenticate our users on our Linux cluster. The worker and
> interactive nodes are on a private subnet that is NATed to the local LAN.
> Two head nodes provide failover for the NATing. When failover is happening,
> winbind whacks out. The system is not unusable, but no authentication
> happens for about 30 minutes after the failover. I'm going to see if I can
> get iptables to share state between machines to help prevent this, but there
> needs to be a faster reconnection after domain controllers seem to be down.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
>
> On Thu, Oct 22, 2009 at 1:55 AM, Clayton Hill wrote:
>
>> Hi Jason,
>>
>> Yup, you got the same problem - just going about it a sorta different way
>> - ouch, that must really suck having winbind\ADdomain own the account you
>> are logged in as. Bummer!
>> My problem is slightly less serious as I am trying to use my local
>> accounts (such as root) and I just use samba as a domain member to host
>> files with AD ACLs in the filesystem permissions... but we see the same bug,
>> because winbind (even caching) kills access to my local accounts.
>> I hope this is fixed in 3.4 (I just installed it yesterday). I haven't had
>> a chance to run the same test on 3.4.
>>
>> possibilities:
>> winbind is not caching right to allow smooth operation when the DC is
>> offline and the system is virtually locked up
>> winbind doesn't know the moment it can't connect to the DC that it should
>> really use cache or just buzz off and die somehow
>> winbind may or may not connect back up to the DC immediately
>>
>> I need to play with parameters and see what the new winbind options in 3.4
>> do. I have been on 3.2 until yesterday.
>>
>>
>> Thanks for the info on the bug report..
>>
>> Cheers,
>> -Clayton
>>
>> Jason Haar wrote:
>>
>>> Just a FYI, but this looks an awful lot like the bug I reported months
>>> ago
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=6103
>>>
>>> Basically I'm running Fedora11 with no local accounts (beyond root) -
>>> relying on winbind. On occasion winbind appears to "hang" - and no local
>>> access works - including root - which shouldn't need winbind to succeed!
>>> Normally I have to reboot to fix, however if I was lucky enough for it
>>> to happen before my screensaver kicked in, then simply restarting
>>> winbind fixes the problem.
>>>
Re: [Samba] Winbind lookup performance
On Thu, Oct 22, 2009 at 12:29 PM, Matthew J. Salerno <vagabond_k...@yahoo.com> wrote:
>
> I removed winbind enum users = Yes and winbind enum groups = Yes and it
> seems to be much faster. Now I just need to make sure everything else is
> still working as expected.
>

When dealing with a large amount of objects, you will want enum users and groups off. We don't use it here and everything works fine.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] winbind causes Linux to lockup when connectivity to AD is lost (subject line edited for clarity)
I'm using 3.4.2 right now and I'm seeing a similar problem. We are using winbind to authenticate our users on our Linux cluster. The worker and interactive nodes are on a private subnet that is NATed to the local LAN. Two head nodes provide failover for the NATing. When failover is happening, winbind whacks out. The system is not unusable, but no authentication happens for about 30 minutes after the failover. I'm going to see if I can get iptables to share state between machines to help prevent this, but there needs to be a faster reconnection after domain controllers seem to be down.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 22, 2009 at 1:55 AM, Clayton Hill wrote:
> Hi Jason,
>
> Yup, you got the same problem - just going about it a sorta different way
> - ouch, that must really suck having winbind\ADdomain own the account you
> are logged in as. Bummer!
> My problem is slightly less serious as I am trying to use my local accounts
> (such as root) and I just use samba as a domain member to host files with AD
> ACLs in the filesystem permissions... but we see the same bug, because
> winbind (even caching) kills access to my local accounts.
> I hope this is fixed in 3.4 (I just installed it yesterday). I haven't had a
> chance to run the same test on 3.4.
>
> possibilities:
> winbind is not caching right to allow smooth operation when the DC is
> offline and the system is virtually locked up
> winbind doesn't know the moment it can't connect to the DC that it should
> really use cache or just buzz off and die somehow
> winbind may or may not connect back up to the DC immediately
>
> I need to play with parameters and see what the new winbind options in 3.4
> do. I have been on 3.2 until yesterday.
>
>
> Thanks for the info on the bug report..
>
> Cheers,
> -Clayton
>
> Jason Haar wrote:
>
>> Just a FYI, but this looks an awful lot like the bug I reported months ago
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=6103
>>
>> Basically I'm running Fedora11 with no local accounts (beyond root) -
>> relying on winbind. On occasion winbind appears to "hang" - and no local
>> access works - including root - which shouldn't need winbind to succeed!
>> Normally I have to reboot to fix, however if I was lucky enough for it
>> to happen before my screensaver kicked in, then simply restarting
>> winbind fixes the problem.
>>
Re: [Samba] Convert idmap_rid to idmap_hash?
On Mon, Oct 19, 2009 at 7:09 AM, Gerald Carter wrote:
> Robert,
>
> Robert LeBlanc wrote:
> > I was looking through the change log of 3.3.0 and noticed that a new
> > idmap_hash was introduced that seems to play well with trusted domains.
> > What means are available to convert all my rids to this new hash so I
> > can update file permissions?
>
> You mean updating the file permissions on disk? That would be
> a manual (but scriptable) process. You will need to flush the
> winbind idmap cache when swapping to the new plugin in order to
> see the new uid and gid values though.
>

How would I access the old mapping after flushing and changing to the new mapping? Is the old mapping accessible somehow that I can use chown and chgrp after inspecting each file and directory with all their ACLs?

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
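One way to do the "manual (but scriptable) process" Gerald describes, written as an added example that is not part of this thread or of Samba: a two-phase script that records each path's owner and group SIDs through wbinfo while the old backend is still active, so the old mapping is preserved before the cache flush, and then, after the switch to the new backend, resolves those SIDs to their new uid/gid and chowns. The wbinfo options used are the real ones; the SIDs and ids in the self-test are constructed placeholders.

```python
"""Remap file ownership across an idmap backend change (e.g. idmap_rid -> idmap_hash).

Phase 1 (old backend active):  snapshot()      path -> (uid, gid, owner SID, group SID)
Phase 2 (new backend, cache flushed): plan_changes() + apply_changes()
"""
import os
import subprocess
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

SidLookup = Callable[[int], Optional[str]]   # uid/gid -> SID, None if winbind has no mapping
IdLookup = Callable[[str], Optional[int]]    # SID -> uid/gid, None if winbind has no mapping


def _wbinfo(option: str, value: str) -> Optional[str]:
    """One wbinfo lookup; None when winbind cannot map the value or wbinfo is absent."""
    try:
        out = subprocess.check_output(["wbinfo", option, value], text=True)
    except (subprocess.CalledProcessError, FileNotFoundError):
        return None
    return out.strip() or None


# Real wbinfo options: --uid-to-sid (-U), --gid-to-sid (-G), --sid-to-uid (-S), --sid-to-gid (-Y).
def uid_to_sid(uid: int) -> Optional[str]:
    return _wbinfo("--uid-to-sid", str(uid))

def gid_to_sid(gid: int) -> Optional[str]:
    return _wbinfo("--gid-to-sid", str(gid))

def sid_to_uid(sid: str) -> Optional[int]:
    v = _wbinfo("--sid-to-uid", sid)
    return int(v) if v is not None and v.isdigit() else None

def sid_to_gid(sid: str) -> Optional[int]:
    v = _wbinfo("--sid-to-gid", sid)
    return int(v) if v is not None and v.isdigit() else None


class Entry(NamedTuple):
    path: str
    uid: int
    gid: int
    owner_sid: Optional[str]   # None: id not managed by winbind (local account such as root)
    group_sid: Optional[str]


class Change(NamedTuple):
    path: str
    old_uid: int
    new_uid: int
    old_gid: int
    new_gid: int


def snapshot(root: str, u2s: SidLookup = uid_to_sid, g2s: SidLookup = gid_to_sid) -> List[Entry]:
    """Phase 1: record numeric ids and the SIDs the OLD backend maps them to.
    Lookups are cached per id, so a large tree costs few winbind round trips."""
    cache: Dict[Tuple[str, int], Optional[str]] = {}

    def lookup(kind: str, ident: int, fn: SidLookup) -> Optional[str]:
        if (kind, ident) not in cache:
            cache[(kind, ident)] = fn(ident)
        return cache[(kind, ident)]

    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    entries = []
    for p in paths:
        st = os.lstat(p)   # lstat: record the symlink itself, never its target
        entries.append(Entry(p, st.st_uid, st.st_gid,
                             lookup("u", st.st_uid, u2s), lookup("g", st.st_gid, g2s)))
    return entries


def plan_changes(entries: List[Entry], s2u: IdLookup = sid_to_uid,
                 s2g: IdLookup = sid_to_gid) -> Tuple[List[Change], List[str]]:
    """Phase 2: resolve each recorded SID through the NEW backend.
    Returns (changes, skipped). A path whose SID the new backend cannot map is
    skipped rather than given a guessed id; ids winbind never owned are kept."""
    cache: Dict[Tuple[str, str], Optional[int]] = {}

    def resolve(kind: str, sid: str, fn: IdLookup) -> Optional[int]:
        if (kind, sid) not in cache:
            cache[(kind, sid)] = fn(sid)
        return cache[(kind, sid)]

    changes, skipped = [], []
    for e in entries:
        new_uid = e.uid if e.owner_sid is None else resolve("u", e.owner_sid, s2u)
        new_gid = e.gid if e.group_sid is None else resolve("g", e.group_sid, s2g)
        if new_uid is None or new_gid is None:
            skipped.append(e.path)
            continue
        if (new_uid, new_gid) != (e.uid, e.gid):
            changes.append(Change(e.path, e.uid, new_uid, e.gid, new_gid))
    return changes, skipped


def apply_changes(changes: List[Change], dry_run: bool = True) -> List[Change]:
    """Chown each planned path (needs root). dry_run returns the list untouched for review."""
    applied = []
    for c in changes:
        if not dry_run:
            os.chown(c.path, c.new_uid, c.new_gid, follow_symlinks=False)
        applied.append(c)
    return applied
```

POSIX ACL entries for named users and groups carry numeric ids as well and need the same two-phase treatment through getfacl/setfacl, which this script does not cover.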
[Samba] Convert idmap_rid to idmap_hash?
I was looking through the change log of 3.3.0 and noticed that a new idmap_hash was introduced that seems to play well with trusted domains. What means are available to convert all my rids to this new hash so I can update file permissions?

Thanks,

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Linux 2.6.31, samba server no longer working
I wonder if this is similar to what I was seeing with 3.4.2 today. Are you bound to AD or is it stand alone? I kept seeing a permission denied message in the log files when trying to access the Kerberos keytab file. I coughed it up to backporting 3.4.2 to Debian Lenny and there was a problem with using krb5 1.6 instead of 1.7. I didn't feel like backporting Kerberos too to test that theory; I need to get these machines up, so I just installed my patched version of 3.2.5.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Fri, Oct 16, 2009 at 7:35 PM, Timothy Normand Miller wrote:
> Sorry. Not the kernel. Samba 3.3.7 worked (with a bug fix I had
> added). It's version 3.4.2 that doesn't work. I've checked the
> config files. I can't figure out why it doesn't work. I just get
> connection refused.
>
> On Fri, Oct 16, 2009 at 12:26 PM, Timothy Normand Miller wrote:
> > Hi,
> >
> > Since upgrading to Linux 2.6.31, smb shares on my linux box are no
> > longer mountable by other computers. As far as the client is
> > concerned, it looks like authentication is failing. But when I look
> > in /var/log/samba, I find absolutely nothing about any attempted or
> > failed connections. Both smbd and nmbd are still running, so they
> > didn't crash. I just can't find anything to help me diagnose the
> > problem.
> >
> > Can anyone give me some suggestions about where to start looking for
> > the cause of the trouble?
> >
> > Thanks!
> >
> > --
> > Timothy Normand Miller
> > http://www.cse.ohio-state.edu/~millerti
> > Open Graphics Project
>
>
>
> --
> Timothy Normand Miller
> http://www.cse.ohio-state.edu/~millerti
> Open Graphics Project
Re: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
On Fri, Oct 16, 2009 at 6:27 AM, Matthew J. Salerno wrote:
> Looking at your post, there doesn't seem to be anything in the krb5.conf
> file that would make it work. Do you know which setting was the "magic" one?
> I would be interested to know. We use RID for ID mapping since we only had a
> few ID hard coded in our AD and it works fine with a minimal krb5.conf file.
> ---
>
> If that's the case, then you should probably be falling back on the
> template settings.
> template homedir & template shell
>
> All I did was configure my krb5.conf based on the hundreds of
> wiki/howto/faq's and forum posts I read. I'm not sure what the "magic" one
> is, but I know that it works when I do the kinit.
>
> What issues are you having?
>

I am not having any issues; Samba is working exactly how I would like it to. I'm just really confused by your statement that krb5.conf is required to retrieve rfc2307 attributes. What stumps me more is the fact that I really don't see anything in your krb5.conf file that is drastically different from the defaults or what AD provides using the DNS SRV records. That tells me that even if you didn't have a krb5.conf file then it 'should' still work. I'm able to kinit against my AD without a krb5.conf file; I just can't use the short form and have to use the full form ( u...@domain.com ). So I have a krb5.conf file that sets the default realm to use the short version and that's about it. That is why I'm asking which setting is the 'magical' setting that worked for you. In my experience, when I've had Kerberos issues, it wound up being something else I did to muck things up, and when I went back and cleaned up all the changes (there are usually a lot), the issue was something small and usually because I did it the wrong way. Most of my issues came from hostname, DNS or resolv.conf misconfigurations more than Kerberos misconfigurations.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
On Thu, Oct 15, 2009 at 8:29 AM, Matthew J. Salerno wrote:
> I found out that in order for the idmap_ad to be able to pull in the
> rfc2307 attributes, you need to have the krb5.conf setup. Auth was working
> fine, but without the krb5.conf, that was all that was working.
>
> http://lists.samba.org/archive/samba/2009-October/151144.html
>

Looking at your post, there doesn't seem to be anything in the krb5.conf file that would make it work. Do you know which setting was the "magic" one? I would be interested to know. We use RID for ID mapping since we only had a few ID hard coded in our AD and it works fine with a minimal krb5.conf file.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Is it EVER needed to set up kerberos manually if you use samba to join an ADS domain as a domain member?
I believe that if you are using msDNS in some fashion (as your DNS or delegated domain) or have something like Bind updated with the SRV records for the AD domain, then there is little configuration needed in krb5.conf, as the libraries will query DNS for a KDC. If your DNS is not set up with the SRV records then you will need to enter the domain and KDC information in krb5.conf. We have a delegated AD domain from Bind and I used to enter all the info in krb5.conf; I then started taking stuff out until I got to an empty krb5.conf file and it still worked. Our krb5.conf does have a few lines for options where we override the defaults, but they are not needed.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Wed, Oct 14, 2009 at 5:03 PM, wrote:
> Hi folks,
>
> In a scenario where you are just joining samba to an existing windows 2003
> AD as a member server, I have been told that in some unknown/unsubscribed
> conditions you need to manually set up kerberos and use kinit
> before joining the active directory with net ads join.
>
> I think this is untrue personally because, from what I understand about
> samba joining a domain, samba/winbind/net ads join command
> automatically uses kerberos libraries to autogenerate its tickets upon a
> successful domain join.
> Additionally AFAIK tickets are refreshed by winbind automatically so you
> really never need to run kinit or set up krb5.conf if you use samba to join
> the AD as a domain member server.
>
> Could someone please clarify this so I can make this myth go away? Could I
> be wrong? Is there a special circumstance where this applies that I don't
> know about? Some magic non default active directory configuration that
> insists kerberos be set up differently than samba can muster to do
> automatically??
>
>
> Thanks!
> -Clayton
>
Re: [Samba] Samba directory level security
We don't use the force user/group option at all. Whoever writes the file will be the owner. If another user or group should have access to the file, we specify that using the default ACL option. Another reason for this is that we can enforce user and group quotas on the Samba share.

On 10/6/09, Poulter, Dale wrote:
> Robert,
>
> ACLs may be possible. Do I understand correctly that you only have the one
> share and you still force the user to be the webserver user?
>
> From: Robert LeBlanc [mailto:rob...@leblancnet.us]
> Sent: Tuesday, October 06, 2009 9:12 AM
> To: Poulter, Dale
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba directory level security
>
> Is the use of ACLs a possibility? I've explained to someone yesterday how to
> use ACLs in Samba with ADS. It works very well for us and we are doing
> exactly what you want except that we only share out the root (www directory
> in your instance) and control everything using ACLs.
>
> Robert LeBlanc
> Life Sciences & Undergraduate Education Computer Support
> Brigham Young University
>
> On Tue, Oct 6, 2009 at 7:03 AM, Poulter, Dale <dale.poul...@vanderbilt.edu> wrote:
> Good morning all,
>
> We are moving our web server from Novell to unix (solaris) and will be using
> samba to allow users to edit web pages. Our samba instance authenticates
> using ADS and the users do not necessarily have accounts on the server
> itself. We are attempting to allow users to map a single samba share but
> only see the directories they have read access to (see configuration below).
> Any suggestions?
>
>
> We have
>
> /www (main share)
> /www/dir1
> /www/dir2
> /www/dir3
>
> everyone should map to /www
>
> group should see something like
> dir1
> dir2
> dir3
>
> group2
> dir1
> dir2
>
>
> [www]
> path = /www
> read only = yes
> browseable = no
> guest ok = no
> write list = @Domain\All_Editors
> public = no
> force user = web
> hide unreadable = yes
> [dir1]
> path = /www/dir1
> read only = no
> browseable = no
> guest ok = no
> write list = @Domain\DIR1_Editors
> public = no
> force user = web
> hide unreadable = yes
>
> --Dale
>
> ---
> Dale Poulter
> Automation Coordinator
> Library Information Technology Services
> Vanderbilt University
> Suite 700
> 110 21st Avenue South
> Nashville, TN 37240
> (615)343-5388
> (615)343-8834 (fax)
> (615)207-9705 (cell)
> dale.poul...@vanderbilt.edu
>

--
Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
Re: [Samba] Samba directory level security
Is the use of ACLs a possibility? I've explained to someone yesterday how to use ACLs in Samba with ADS. It works very well for us and we are doing exactly what you want except that we only share out the root (www directory in your instance) and control everything using ACLs.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Tue, Oct 6, 2009 at 7:03 AM, Poulter, Dale wrote:
> Good morning all,
>
> We are moving our web server from novell to unix (solaris) and will be using samba to allow users to edit web pages. Our samba instance authenticates using ADS and the users do not necessarily have accounts on the server itself. We are attempting to allow users to map a single samba share but only see the directories they have read access to (see configuration below). Any suggestions?
>
> We have
>
> /www (main share)
> /www/dir1
> /www/dir2
> /www/dir3
>
> everyone should map to /www
>
> group should see something like
> dir1
> dir2
> dir3
>
> group2
> dir1
> dir2
>
> [www]
> path = /www
> read only = yes
> browseable = no
> guest ok = no
> write list= @Domain\All_Editors
> public = no
> force user=web
> hide unreadable=yes
> [dir1]
> path = /www/dir1
> read only = no
> browseable = no
> guest ok = no
> write list= @Domain\DIR1_Editors
> public = no
> force user=web
> hide unreadable=yes
>
> --Dale
>
> ---
> Dale Poulter
> Automation Coordinator
> Library Information Technology Services
> Vanderbilt University
> Suite 700
> 110 21st Avenue South
> Nashville, TN 37240
> (615)343-5388
> (615)343-8834 (fax)
> (615)207-9705 (cell)
> dale.poul...@vanderbilt.edu
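Added example, not from the thread and not Samba's own code: a small Python checker for the share definitions quoted above. It parses a constructed smb.conf built from the [www] and [dir1] shares in the message, plus a constructed [www-acl] share that keeps per-user identity and leaves access to file-system ACLs, and reports what "force user" does to per-user control. The share name www-acl and the wording of the findings are my own; "inherit acls" is a real smb.conf parameter.

```python
"""Audit smb.conf share definitions for 'force user' and related settings.

Added example (not from the Samba list thread, not Samba project code).
Parses a minimal smb.conf and reports, per share, the settings that stop
the file system from telling users apart.
"""
import re

# Constructed smb.conf: the two shares from the thread plus an alternative
# share that relies on file-system ACLs instead of 'force user'.
SAMPLE_SMB_CONF = """
[www]
    path = /www
    read only = yes
    browseable = no
    guest ok = no
    write list = @Domain\\All_Editors
    public = no
    force user = web
    hide unreadable = yes

[dir1]
    path = /www/dir1
    read only = no
    write list = @Domain\\DIR1_Editors
    force user = web
    hide unreadable = yes

; constructed alternative: one share, per-user identity kept, ACLs decide
[www-acl]
    path = /www
    read only = no
    hide unreadable = yes
    inherit acls = yes
"""


def _norm_key(key):
    """Samba parameter names are case-insensitive; collapse internal spaces."""
    return re.sub(r"\s+", " ", key.strip().lower())


def parse_smb_conf(text):
    """Return {section: {parameter: value}} for a simple smb.conf.

    Only whole-line comments (';' or '#' first) are recognised, which is
    also Samba's own rule."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            shares[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        shares[current][_norm_key(key)] = value.strip()
    return shares


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_share(name, params):
    """Human-readable findings for one share (empty list = nothing flagged)."""
    findings = []
    forced = params.get("force user")
    if forced:
        findings.append(
            f"[{name}] force user = {forced}: every connecting user acts as "
            f"'{forced}' for file operations, so ownership, quotas and any "
            "per-user ACL decision collapse onto that one account")
        if _is_yes(params.get("hide unreadable", "no")):
            findings.append(
                f"[{name}] hide unreadable is evaluated as '{forced}', "
                "so every user sees the same directory listing")
    if params.get("force group"):
        findings.append(f"[{name}] force group set: same collapse for group ownership")
    return findings


def audit(text):
    """Audit every share except the special sections."""
    shares = parse_smb_conf(text)
    return {name: audit_share(name, params) for name, params in shares.items()
            if name.lower() not in ("global", "homes", "printers")}


if __name__ == "__main__":
    for share, findings in audit(SAMPLE_SMB_CONF).items():
        print(share, "->", findings or "ok")
```

Running it flags both [www] and [dir1] twice (force user, and hide unreadable being evaluated as the forced user) and passes [www-acl], which is the shape of share Robert describes: one root share, no forced identity, permissions decided by the ACLs on the directories themselves.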
Re: [Samba] Samba as fileserver on Active Directory domain
wbinfo needs to work all the time or you will have problems, getent does not need to (we have enum users and groups set to no because we have so many objects in our AD). I would look at the winbind logs to get an idea of what is wrong. Debian has this at /var/log/samba/log.winbindd. I usually get several connection reset by peer lines, and some Could not receive trustdoms, but it seems to recover and retry and things work. What you are looking for is failure to connect to a server, or trying to connect to a bad server or something. It sounds like you are getting close, the last mile is always the hardest.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 5:49 PM, Ivan Ordonez wrote:
> I was able to set ACL with local username but can't do it on domain username or groups.
>
> hostname ~ # getfacl /shared/drive
> getfacl: Removing leading '/' from absolute path names
> # file: shared/drive
> # owner: mylocalusername
> # group: root
> user::rwx
> group::r-x
> other::r-x
> default:user::rwx
> default:group::rwx
> default:other::r-x
>
> When I tried to set ACLs for domain account or groups, it was an invalid option.
>
> hostname ~ #setfacl -m g:"DOMAIN+Domain Admins":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> hostname ~ #setfacl -m g:"DOMAIN+myusername":rwx /shared/drive
> setfacl: Option -m: Invalid argument near character 3
>
> I believe the drive is mounted and ACL is enabled.
>
> hostname ~ # mount
> /dev/hda3 on / type ext3 (rw,noatime,acl)
>
> Here is my /etc/fstab
> /dev/hda3 / ext3 noatime,acl 0 1
>
> What I find odd is running wbinfo and getent command to be very inconsistent. I would sometimes get a result and sometimes not.
> hostname ~ # wbinfo -u
> Error looking up domain users
>
> Any other suggestions?
>
> Thanks.
>
> Robert LeBlanc wrote:
>
> Sorry, my bad, 3.3.8 was the security release. It sounds like it is working however.
> As far as ACLs, make sure that ACLs are turned on on your file > system (mount -o acl for most filesystems) and then make sure you have the > ACL packages for your distro installed (Debian apt-get install acl). Then > it's a matter of using the setfacl command like `setfacl -m d:u::rwx,u::rwx,d:g::rx,g::rx /my/shared/dir`. > > You can add as many ACLs as you want, remember that the Linux default rwx > perms sets the max for ACL users and groups. If the Linux user (owner) ACL > is rx, then even though an ACL specifies another user with rwx, they will > only have rx. The second thing to remember is that the default ACL is not > needed, but if specified will set those ACLs on all new files and > directories and act much like Windows. If you set the permissions using > Windows, the default ACL will be set. Thirdly, only the Linux user and group have > the file counted against their quota, permissions assigned in ACLs do not > affect those user and group quotas. Fourthly, some applications are not ACL > aware, Apache for instance does not look at ACLs on Linux. To check your set > ACLs, use getfacl /this/is/my/file. > > Hope that helps. > > Robert LeBlanc > Life Sciences & Undergraduate Education Computer Support > Brigham Young University > > > On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez wrote: > >> I was able to install 3.3.8 version of Samba. I am running it now. I can >> see shares, but could not write at all. >> >> ACL seems simple but I can't get it to work. Any help or advice would be >> greatly appreciated. >> >> Robert LeBlanc wrote: >> >> The changes have not made it into a 3.3.x release yet, 3.3.7 was a >> security release, ideally 3.3.8 should have the fix. There were quite a >> number of configuration changes from 3.0.x to 3.3.x in regards to Active >> Directory, you may not be able to use your old config without updating some >> things.
>> >> Robert LeBlanc >> Life Sciences & Undergraduate Education Computer Support >> Brigham Young University >> >> >> On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez wrote: >> >>> >>> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some >>> "realm" complaints when I run testparm and some "ADS" related error. The >>> 3.3.7 version is masked by Gentoo portage and not sure if it will be >>> available soon. >>> >>> Thanks, >>> -Ivan >>> >>> Robert LeBlanc wrote: >>> >>> What version of samba are you using? I submitted a p
Re: [Samba] Samba as fileserver on Active Directory domain
Sorry, my bad, 3.3.8 was the security release. It sounds like it is working however. As far as ACLs, make sure that ACLs are turned on on your file system (mount -o acl for most filesystems) and then make sure you have the ACL packages for your distro installed (Debian apt-get install acl). Then it's a matter of using the setfacl command like `setfacl -m d:u::rwx,u::rwx,d:g::rx,g::rx /my/shared/dir`. You can add as many ACLs as you want, remember that the Linux default rwx perms sets the max for ACL users and groups. If the Linux user (owner) ACL is rx, then even though an ACL specifies another user with rwx, they will only have rx. The second thing to remember is that the default ACL is not needed, but if specified will set those ACLs on all new files and directories and act much like Windows. If you set the permissions using Windows, the default ACL will be set. Thirdly, only the Linux user and group have the file counted against their quota, permissions assigned in ACLs do not affect those user and group quotas. Fourthly, some applications are not ACL aware, Apache for instance does not look at ACLs on Linux. To check your set ACLs, use getfacl /this/is/my/file. Hope that helps.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Oct 5, 2009 at 2:34 PM, Ivan Ordonez wrote:
> I was able to install 3.3.8 version of Samba. I am running it now. I can see shares, but could not write at all.
>
> ACL seems simple but I can't get it to work. Any help or advice would be greatly appreciated.
>
> Robert LeBlanc wrote:
>
> The changes have not made it into a 3.3.x release yet, 3.3.7 was a security release, ideally 3.3.8 should have the fix. There were quite a number of configuration changes from 3.0.x to 3.3.x in regards to Active Directory, you may not be able to use your old config without updating some things.
> > Robert LeBlanc > Life Sciences & Undergraduate Education Computer Support > Brigham Young University > > > On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez wrote: > >> >> I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some >> "realm" complaints when I run testparm and some "ADS" related error. The >> 3.3.7 version is masked by Gentoo portage and not sure if it will be >> available soon. >> >> Thanks, >> -Ivan >> >> Robert LeBlanc wrote: >> >> What version of samba are you using? I submitted a patch to Samba that is >> in 3.4.1 and slated for the next version of 3.3.x that fixes the >> workgroup/realm thing. It falls back to SPNEGO without the patch, but it >> takes a little while, the patch speeds things up. >> >> Robert LeBlanc >> Life Sciences & Undergraduate Education Computer Support >> Brigham Young University >> >> >> On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson <jpeters...@garnser.se> wrote: >> >>> How did you solve the kerberos portion of things, when winbind tries >>> to connect to my server the kerberos sessions fail as it tries to >>> connect with the workgroup instead of the realm. >>> >>> Thanks >>> >>> /Jonathan >>> >>> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez >>> wrote: >>> > >>> > >>> > Jonathan Petersson wrote: >>> >> >>> >> Hi Ivan, >>> >> >>> >> I'm working on a similar thing but am having some issues with the >>> >> kerberos sessions between samba and AD. Is your Samba server a member >>> >> of a Win2k8R2 or a Win2k3 domain? >>> >> >>> >> Thanks >>> >> >>> >> /Jonathan >>> >> >>> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez >>> >> wrote: >>> >> >>> >>> >>> >>> Robert LeBlanc wrote: >>> >>> >>> >>>> >>> >>>> What are the permissions on /shared/drive? We use ACLs to control >>> access >>> >>>> rather than smb.conf. This gives us great flexibility and you can >>> kind >>> >>>> of >>> >>>> manage it using a Windows machine.
If you have Kerberos keytab >>> >>>> generated, >>> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are >>> >>>> needed, >>> >>>> it also obeys ACL. The only catch is that you need to use RID or >>> LDAP >>> >>>> for >>> >>>> uid/gid mapping
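Added example, not from the thread and not Samba or acl-package code, covering the setfacl/getfacl advice in the message above and the earlier "make sure ACLs are turned on" reply: a Python reader for getfacl's text output that recomputes the effective permission of every entry. It applies the POSIX.1e rule that the mask entry caps named users, named groups and the owning group, while the owner and "other" entries are never capped, and it reports whether a default ACL is present (the part that makes new files inherit, as the message says). The getfacl output below is constructed; the user and group names in it are made up.

```python
"""Compute effective POSIX ACL permissions from `getfacl` output.

Added example (not from the thread, not Samba code). Parses getfacl's text
format and applies the POSIX.1e mask rule: named users, named groups and
the owning group are ANDed with the mask entry; owner and other are not.
"""
import re

# Constructed getfacl output: the mask is r-x, so the named user and the
# named group that were given rwx only get r-x in practice, which is the
# "capped" behaviour the thread warns about.
SAMPLE_GETFACL = """\
# file: shared/drive
# owner: web
# group: editors
user::rwx
user:alice:rwx
group::rwx
group:DOMAIN+editors:rwx
mask::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x
"""

ENTRY = re.compile(r"^(default:)?(user|group|mask|other):([^:]*):([rwx-]{3})")


def parse_getfacl(text):
    """Return {'file', 'owner', 'group', 'access': [...], 'default': [...]}.

    Each ACL entry is a (tag, qualifier, perms) tuple. getfacl's own
    trailing '#effective:' annotations are ignored; we recompute them."""
    acl = {"file": None, "owner": None, "group": None, "access": [], "default": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            m = re.match(r"#\s*(file|owner|group):\s*(.*)", line)
            if m:
                acl[m.group(1)] = m.group(2).strip()
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        is_default, tag, qual, perms = m.groups()
        acl["default" if is_default else "access"].append((tag, qual, perms))
    return acl


def _intersect(a, b):
    """'rwx' & 'r-x' -> 'r-x': keep a bit only if both entries grant it."""
    return "".join(x if x == y and x != "-" else "-" for x, y in zip(a, b))


def effective_perms(entries):
    """Map 'tag:qualifier' -> effective permission string for one ACL."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    result = {}
    for tag, qual, perms in entries:
        if tag == "mask":
            continue
        # owning group (group::), named groups and named users are masked
        masked = tag == "group" or (tag == "user" and qual != "")
        result[f"{tag}:{qual}"] = _intersect(perms, mask) if masked and mask else perms
    return result


def has_default_acl(acl):
    """True if the directory carries a default ACL (new entries inherit it)."""
    return bool(acl["default"])


def report(text):
    """Print and return the effective permissions for one getfacl listing."""
    acl = parse_getfacl(text)
    eff = effective_perms(acl["access"])
    for key, perms in eff.items():
        print(f"{acl['file']}: {key:<22} -> {perms}")
    print("default ACL present:", has_default_acl(acl))
    return eff


if __name__ == "__main__":
    report(SAMPLE_GETFACL)
```

On the sample, user:alice and group:DOMAIN+editors both come out as r-x despite their rwx entries, while user:: keeps rwx. The practical check is therefore to read the mask line of getfacl (or, on a plain `ls -l`, the group bits, which are what the mask is stored in once an ACL exists) whenever a named entry seems not to take effect.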
Re: [Samba] Samba as fileserver on Active Directory domain
The changes have not made it into a 3.3.x release yet, 3.3.7 was a security release, ideally 3.3.8 should have the fix. There were quite a number of configuration changes from 3.0.x to 3.3.x in regards to Active Directory, you may not be able to use your old config without updating some things. Robert LeBlanc Life Sciences & Undergraduate Education Computer Support Brigham Young University On Mon, Oct 5, 2009 at 10:02 AM, Ivan Ordonez wrote: > > I am using Samba version 3.0.36. When I upgraded to 3.3.7, I got some > "realm" complaints when I run testparm and some "ADS" related error. The > 3.3.7 version is masked by Gentoo portage and not sure if it will be > available soon. > > Thanks, > -Ivan > > > Robert LeBlanc wrote: > > What version of samba are you using? I submitted a patch to Samba that is > in 3.4.1 and slated for the next version of 3.3.x that fixes the > workgroup/realm thing. It falls back to SPNEGO without the patch, but it > takes a little while, the patch speeds things up. > > Robert LeBlanc > Life Sciences & Undergraduate Education Computer Support > Brigham Young University > > > On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson > wrote: > >> How did you solve the kerberos portion of things, when winbind tries >> to connect to my server the kerberos sessions fail as it tries to >> connect with the workgroup instead of the realm. >> >> Thanks >> >> /Jonathan >> >> On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez >> wrote: >> > >> > >> > Jonathan Petersson wrote: >> >> >> >> Hi Ivan, >> >> >> >> I'm working on a similar thing but am having some issues with the >> >> kerberos sessions between samba and AD. Is your Samba server a member >> >> of a Win2k8R2 or a Win2k3 domain? >> >> >> >> Thanks >> >> >> >> /Jonathan >> >> >> >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez >> >> wrote: >> >> >> >>> >> >>> Robert LeBlanc wrote: >> >>> >> >>>> >> >>>> What are the permissions on /shared/drive? We use ACLs to control >> access >> >>>> rather than smb.conf.
This gives us great flexibility and you can >> kind >> >>>> of >> >>>> manage it using a Windows machine. If you have a Kerberos keytab >> >>>> generated, >> >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are >> >>>> needed, >> >>>> it also obeys ACL. The only catch is that you need to use RID or LDAP >> >>>> for >> >>>> uid/gid mapping or else your permissions won't line up. >> >>>> >> >>>> Robert LeBlanc >> >>>> Life Sciences & Undergraduate Education Computer Support >> >>>> Brigham Young University >> >>>> >> >>>> >> >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordo...@berkeley.edu> wrote: >> >>>> >> >>>> Hello, >> >>>> >> >>>> We have a Gentoo box running Samba and it is a member of the Active >> >>>> Directory domain. This Gentoo box will be a fileserver when >> >>>> everything is completed and set up as it should. I want our users >> >>>> to login to their computer (Computers are all members of the same >> >>>> Active Directory domain) using Active Directory accounts/domain >> >>>> for authentication. I am using Winbind for Active Directory >> >>>> authentication/integration. I'm almost done except for a file permission >> >>>> issue. All is working smoothly (i.e. wbinfo, smbclient, getent, >> >>>> etc.). I can access/map the shared drive on the Gentoo box from >> >>>> any Windows computer, login to a machine without a problem using >> >>>> Active Directory accounts. The Active Directory authentication >> >>>> with Winbind is working as it should. >> >>>> >> >>>> For some odd reason, I can't figure out how to give permissions to >> >>>> all users the ability to make changes/add new folders on the >> >>>> shared drive. I am getting access denied even when the users or >> >>>> group are valid users of the shared drive per smb.conf. Bel
Re: [Samba] Samba as fileserver on Active Directory domain
What version of samba are you using? I submitted a patch to Samba that is in 3.4.1 and slated for the next version of 3.3.x that fixes the workgroup/realm thing. It falls back to SPNEGO without the patch, but it takes a little while, the patch speeds things up. Robert LeBlanc Life Sciences & Undergraduate Education Computer Support Brigham Young University On Fri, Oct 2, 2009 at 11:09 AM, Jonathan Petersson wrote: > How did you solve the kerberos portion of things, when winbind tries > to connect to my server the kerberos sessions fail as it tries to > connect with the workgroup instead of the realm. > > Thanks > > /Jonathan > > On Fri, Oct 2, 2009 at 9:36 AM, Ivan Ordonez > wrote: > > > > > > Jonathan Petersson wrote: > >> > >> Hi Ivan, > >> > >> I'm working on a similar thing but am having some issues with the > >> kerberos sessions between samba and AD. Is your Samba server a member > >> of a Win2k8R2 or a Win2k3 domain? > >> > >> Thanks > >> > >> /Jonathan > >> > >> On Fri, Oct 2, 2009 at 9:00 AM, Ivan Ordonez > >> wrote: > >> > >>> > >>> Robert LeBlanc wrote: > >>> > >>>> > >>>> What are the permissions on /shared/drive? We use ACLs to control > access > >>>> rather than smb.conf. This gives us great flexibility and you can kind > >>>> of > >>>> manage it using a Windows machine. If you have a Kerberos keytab > >>>> generated, > >>>> you can smbmount on Linux using the -o sec=krb5 and no passwords are > >>>> needed, > >>>> it also obeys ACL. The only catch is that you need to use RID or LDAP > >>>> for > >>>> uid/gid mapping or else your permissions won't line up. > >>>> > >>>> Robert LeBlanc > >>>> Life Sciences & Undergraduate Education Computer Support > >>>> Brigham Young University > >>>> > >>>> > >>>> On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez <iordo...@berkeley.edu> wrote: > >>>> > >>>> Hello, > >>>> > >>>> We have a Gentoo box running Samba and it is a member of the Active > >>>> Directory domain.
This Gentoo box will be a fileserver when > >>>> everything is completed and set up as it should. I want our users > >>>> to login to their computer (Computers are all members of the same > >>>> Active Directory domain) using Active Directory accounts/domain > >>>> for authentication. I am using Winbind for Active Directory > >>>> authentication/integration. I'm almost done except for a file permission > >>>> issue. All is working smoothly (i.e. wbinfo, smbclient, getent, > >>>> etc.). I can access/map the shared drive on the Gentoo box from > >>>> any Windows computer, login to a machine without a problem using > >>>> Active Directory accounts. The Active Directory authentication > >>>> with Winbind is working as it should. > >>>> > >>>> For some odd reason, I can't figure out how to give permissions to > >>>> all users the ability to make changes/add new folders on the > >>>> shared drive. I am getting access denied even when the users or > >>>> group are valid users of the shared drive per smb.conf. Below is > >>>> my smb.conf shared configuration: > >>>> > >>>> [shared] > >>>> comment = shared > >>>> path = /shared/drive > >>>> read only = no > >>>> inherit permissions = yes > >>>> create mask = 755 > >>>> directory mask = 755 > >>>> valid users = @"MYDOMAIN+mygroup" > >>>> browseable = yes > >>>> writable = yes > >>>> > >>>> Any help would be greatly appreciated. > >>>> > >>>> -Ivan > >>>> > >>>> > >>> > >>> Hi, > >>> > >>> The files and folders on the shared drive are owned by a local Linux > >>> account. > >>> The permissions are read, write and execute by the owner, read and > write > >>> by > >>> group and all. I was hoping that smb.conf will control the shared > drive > >>> access but having a hard time doing so. I would like to use ACL if > that > >>> is > >>> the best way to make it work.
Would you mind giving me a few pointers > or > >>> point me in the right direction to get started on ACL? I am no LDAP > >>> expert > >>> but I think I can get by if I have to use it. > >>> > >>> Thanks! > >>> > >>> -Ivan > >>> > >>> > > > > Hi Jonathan, > > > > Our Samba server is a member of a Win2k8R2 domain. > > Thanks, > > -Ivan
Re: [Samba] Samba as fileserver on Active Directory domain
What are the permissions on /shared/drive? We use ACLs to control access rather than smb.conf. This gives us great flexibility and you can kind of manage it using a Windows machine. If you have a Kerberos keytab generated, you can smbmount on Linux using the -o sec=krb5 and no passwords are needed, it also obeys ACL. The only catch is that you need to use RID or LDAP for uid/gid mapping or else your permissions won't line up.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Thu, Oct 1, 2009 at 10:14 AM, Ivan Ordonez wrote:
> Hello,
>
> We have a Gentoo box running Samba and it is a member of the Active Directory domain. This Gentoo box will be a fileserver when everything is completed and set up as it should. I want our users to login to their computer (Computers are all members of the same Active Directory domain) using Active Directory accounts/domain for authentication. I am using Winbind for Active Directory authentication/integration. I'm almost done except for a file permission issue. All is working smoothly (i.e. wbinfo, smbclient, getent, etc.). I can access/map the shared drive on the Gentoo box from any Windows computer, login to a machine without a problem using Active Directory accounts. The Active Directory authentication with Winbind is working as it should.
>
> For some odd reason, I can't figure out how to give permissions to all users the ability to make changes/add new folders on the shared drive. I am getting access denied even when the users or group are valid users of the shared drive per smb.conf. Below is my smb.conf shared configuration:
>
> [shared]
> comment = shared
> path = /shared/drive
> read only = no
> inherit permissions = yes
> create mask = 755
> directory mask = 755
> valid users = @"MYDOMAIN+mygroup"
> browseable = yes
> writable = yes
>
> Any help would be greatly appreciated.
> > -Ivan
Re: [Samba] folder/users privileges
I've found that you cannot change the ugo permissions that are default on Linux systems. You have to use extended ACLs and with Windows you can manage those to your heart's content. Typically, what we do is set permissions that will not ever be changed using the Linux ugo permissions, and then for more detailed ones we use extended ACLs. I have not found a way to manage the Linux ugo permissions from Windows. Robert LeBlanc Life Sciences & Undergraduate Education Computer Support Brigham Young University On Tue, Aug 4, 2009 at 10:30 AM, Surendil wrote: > I've tried to set ACLs but have the same results as before, definitely I'm > doing something wrong. > I just thought I could manage privileges like Windows 2003 file server. > > On Tue, Aug 4, 2009 at 1:29 PM, Surendil wrote: > > > I've tried to set ACLs but have the same results as before, definitely I'm > > doing something wrong. > > I just thought I could manage privileges like Windows 2003 file server. > > > > > > > > On Tue, Aug 4, 2009 at 12:23 PM, Robert LeBlanc wrote: > > > >> Samba respects file system ACLs. We use them all the time. We have our > >> share declarations wide open (relatively speaking) and control all the > rest > >> of the permissions by ACLs. We use XFS and usually mount the file system > to > >> respect the gid bit setting on folders to give a Windows like environment > (we > >> also set the umask appropriately in smb.conf) > >> > >> Robert LeBlanc > >> Life Sciences & Undergraduate Education Computer Support > >> Brigham Young University > >> > >> > >> On Tue, Aug 4, 2009 at 8:47 AM, Surendil wrote: > >> > >>> The users ale and jvillar are Windows XP users trying to get into the samba > >>> shared folder > >>> will ACL work?
> >>> > >>> On Tue, Aug 4, 2009 at 11:31 AM, Eero Volotinen wrote: > >>> > >>> > I got a folder named "BACKUP" > >>> >> users ale and jvillar can read/write this folder > >>> >> inside "BACKUP" is another folder named "MAIL BACKUP" > >>> >> I want user ale to read/write this folder and user jvillar only > read. > >>> >> Even though I tried everything I could think of nothing worked out > the > >>> way > >>> >> I > >>> >> wanted to. > >>> >> Did anyone solve this? > >>> >> > >>> > > >>> > Use ACL on the filesystem? > >>> > > >>> > -- > >>> > Eero > >>> > > >>> > >>> > >>> > >>> -- > >>> Alejandro Debussy > >>> Konexion Urbana > >>> Tel: 02322-426468 > >>> > >> > >> > > > > > > > > > > -- > Alejandro Debussy > Konexion Urbana > Tel: 02322-426468
Re: [Samba] Samba 3.4.0 in Debian unstable
On Tue, Jul 7, 2009 at 10:46 PM, Christian Perrier wrote: > Quoting Karolin: > > > Release Announcements > > = > > > > > > This is the first stable release of Samba 3.4. > > > As of yesterday, Samba 3.4.0 is now available in Debian unstable. It > means that the next release of Debian (codename "squeeze", due > out...when it's ready, probably around the end of 2010) will have at > least this version. > > Besides everything that's new in Samba 3.4 and which Samba Team > members are more qualified than me to talk about, I'd like to point > out that, again, the gap between Samba packages in Debian/Ubuntu and > upstream code has shrunk again. There is nearly no code patch left > in our package that hasn't been integrated upstream. > > The efforts of the samba package maintainers in Debian are now focused > on getting this package to enter Debian "testing", which is what will > become the final Debian release. That requires other packages samba is > depending upon to enter testing themselves...which might take > time... but will happen within the next weeks, I hope. > > For Ubuntu users, it means that the next Ubuntu release will have > Samba 3.4.something. > > We would like to express public thanks to the Samba Team for > publishing such good quality code and very specific thanks to Karolin > Seeger for managing to assemble the pieces and succeed in publishing > releases in a timely manner, and to Michael Adam for his work > integrating the Debian patches, particularly in the build system. The > good work we're (hopefully) doing in publishing packages is because > you are doing such good work. > >

I would also like to add my appreciation to the Debian Samba team for providing excellent packages and having them released and patched soon after a release.
Thank you, Robert LeBlanc Life Sciences & Undergraduate Education Computer Support Brigham Young University
Re: [Samba] Word and Excel files are read-only when opening
I have not been able to resolve this problem, but I need to have default ACLs, so, I've cronned a script to "fix" the permissions. I run this every 15 minutes and usually people don't notice it. When they call me, I ask them to wait until after the script runs again. I would really like to see Office fixed for this issue. Another weird thing is that it seems that for us, after the second person edits the file and saves it, the problem really doesn't show up again, at least in our testing. Here are my scripts:

# fixfiles.sh
#! /bin/bash
/root/filecheck.sh | awk '{ print "\42"$0"\42" }' | xargs --no-run-if-empty chmod -v u+w

# filecheck.sh
#! /bin/bash
/usr/bin/find /ls/groups/ -perm -u+r ! -perm /u+w -printf "%p\n"

It is pretty quick on our file system and only changes the files that are wrong.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University

On Mon, Jul 6, 2009 at 7:10 AM, Frank Bonnet wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Hello > > Well I have checked, there is no default ACL on the considered files > > > > d...@briannassaladdressing.com wrote: > > Frank, > > > > Another thing worth checking is default ACLs. If default ACLs exist, > they can override the posix permissions. Run getfacl on the directory/file > in question to see if there are any listings with "default" in them. > > > > The setting of default ACLs has caused word/excel/access read-only > problems for me more than once. > > > > Dale > > > > -Original message- > > From: Frank Bonnet f.bon...@esiee.fr > > Date: Fri, 03 Jul 2009 08:04:54 -0500 > > To: John Drescher dresche...@gmail.com > > Subject: Re: [Samba] Word and Excel files are read-only when opening > > > > John Drescher wrote: > >>>>> Since we started our new Samba + LDAP backend server yesterday > >>>>> some (not all) PC we have a problem with Word and Excel files > >>>>> that are marked "read-only" when users are trying to open > >>>>> them from their Samba network shares.
> >>>>> > >>>>> This happens ONLY for *.doc and *.xls files, if we open > >>>>> and save a *.html file with Word it works ... > >>>>> > >>>>> Any info/help greatly appreciated. > >>>>> > >>>>> Thank you > >>>>> > >>>> This probably is due to the fact that when Office saves a file it > >>>> creates a new file: it creates a temp file then deletes the old file > >>>> then renames the temp file to the same name as the old file and in > >>>> this case the OS magically sets the permissions of the renamed temp > >>>> file to what the old file had. The problem is that Linux does not have > >>>> this weird filesystem behavior built in so you have to emulate this > >>>> with samba. I believe some versions of samba required a create mask of > >>>> 2777 to get this to work. BTW, this is discussed many times in the > >>>> archives. > >>>> > >>>> John > > Hello John > > > > I've tried but it did not work for me. > > > > Frank > > > - --
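Added example, not from the thread: a Python counterpart of the filecheck.sh / fixfiles.sh pair in Robert's message. It selects entries that are owner-readable but not owner-writable (the same test as `find -perm -u+r ! -perm /u+w`) and adds u+w to them. Walking the tree in-process removes the awk quoting step of the shell version, which breaks on file names containing a double quote. The sample tree and its file names are constructed in a temporary directory; nothing here touches the paths from the message.

```python
"""Find and repair files that lost their owner write bit.

Added example (not from the Samba list thread). Same selection rule as
`find /path -perm -u+r ! -perm /u+w`, then the equivalent of `chmod u+w`.
"""
import os
import stat
import tempfile


def find_owner_readonly(root):
    """Paths under root (files and directories) with u+r set but u+w clear.

    Symlinks are skipped: their own mode is always 0777, so find never
    selected them either, and chmod would follow the link to its target."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IRUSR and not mode & stat.S_IWUSR:
                hits.append(path)
    return sorted(hits)


def add_owner_write(paths):
    """chmod u+w each path, keeping every other mode bit; returns paths changed."""
    changed = []
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode | stat.S_IWUSR)
        changed.append(path)
    return changed


def demo():
    """Build a constructed tree, run the check, fix it, re-check.

    Returns (paths flagged before the fix, relative to the tree root;
    paths flagged after the fix)."""
    root = tempfile.mkdtemp(prefix="fixfiles-")
    ok = os.path.join(root, "budget.xls")
    broken = os.path.join(root, "sub", "report.doc")
    os.makedirs(os.path.dirname(broken))
    for path in (ok, broken):
        with open(path, "w") as fh:
            fh.write("x")
    os.chmod(ok, 0o644)      # owner can write: must be left alone
    os.chmod(broken, 0o444)  # owner read-only: the symptom Office leaves behind
    before = find_owner_readonly(root)
    add_owner_write(before)
    after = find_owner_readonly(root)
    return [os.path.relpath(p, root) for p in before], after


if __name__ == "__main__":
    flagged, remaining = demo()
    print("fixed:", flagged)
    print("still read-only:", remaining)
```

If the shell version is kept instead, the robust form of the same pipeline is `find /path -perm -u+r ! -perm /u+w -print0 | xargs -0 --no-run-if-empty chmod u+w`, which passes names NUL-terminated and needs no quoting at all.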
Re: [Samba] DNS Problems on `net ads join`
On Mon, Jun 29, 2009 at 11:27 AM, Mala Dibbs wrote:
> Hi,
>
> I'm having problems joining my Ubuntu machine to a Win2k3 Active Directory.
>
> I tried
> m...@ubuntu-05:/home$ sudo net ads join -U domainadmin
> domainadmin's password:
> Using short domain name -- INTRANET
> No DNS domain configured for localhost. Unable to perform DNS Update.
> DNS update failed!
> Joined 'UBUNTU-05' to realm 'INTRANET.LAN'
>
> What bothers me the most is the line with 'localhost'. Where does this come from? The Ubuntu machine or the Windows directory? I want the machine joined as ubuntu-05.intranet.lan. But after the join above, its DNS name is listed as 'localhost' instead of 'ubuntu-05.intranet.lan'.
> Is this a problem of the client (ubuntu-05) or the AD and DNS server?
>
> Greets, mala
>

This is a problem with the client identity. Please edit /etc/hostname with the short name, and also edit /etc/hosts with the fully qualified domain name of the machine. Since we have a disjoint DNS space for our AD, I put a line like the following in my /etc/hosts file:

127.0.0.1 hostname.domain.local hostname.domain.com hostname

Test your edits using the `hostname` command. Check both the short name and the FQDN using the -f flag. You may want to reboot for good measure to be sure the hostname is changed and sticks through reboots. Then try to join again; the DNS update should work in that case now that the FQDN of the client matches the AD domain.

Robert LeBlanc
Life Sciences & Undergraduate Education Computer Support
Brigham Young University
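Added example, not from the thread and not Samba code, for the /etc/hosts advice above. The join derives the machine's DNS name from the canonical name the resolver returns for the local hostname, and for the glibc "files" backend that is the first name on the matching /etc/hosts line; a line such as "127.0.0.1 localhost ubuntu-05" therefore yields "localhost", which is what the join output in the message shows. The checker below parses a hosts file and reports whether the canonical name is the FQDN the AD realm expects. Both hosts-file samples are constructed; ubuntu-05 and intranet.lan are the names from the message, and example.com stands in for a second DNS namespace.

```python
"""Check that /etc/hosts gives a host the FQDN its AD domain expects.

Added example (not from the Samba list thread, not Samba code). Mirrors
what `hostname -f` and the DNS update in `net ads join` see: the first
name on the first matching /etc/hosts line is the canonical name.
"""

#: Constructed: the kind of line that produces "No DNS domain configured
#: for localhost" in the join output.
HOSTS_BAD = """\
127.0.0.1   localhost ubuntu-05
::1         ip6-localhost ip6-loopback
"""

#: Constructed: FQDN first, short name last; a second FQDN covers the case
#: of a DNS namespace that differs from the AD realm.
HOSTS_GOOD = """\
127.0.0.1   localhost
127.0.1.1   ubuntu-05.intranet.lan ubuntu-05.example.com ubuntu-05   # constructed
"""


def parse_hosts(text):
    """Return [(address, [names, ...]), ...] for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split()
            entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(hosts_text, short_name):
    """First name on the first /etc/hosts line that lists short_name either
    bare or as the leftmost label of a dotted name; None if nothing matches."""
    want = short_name.lower()
    for _, names in parse_hosts(hosts_text):
        lowered = [n.lower() for n in names]
        if any(n == want or n.startswith(want + ".") for n in lowered):
            return lowered[0]
    return None


def check_join_identity(hosts_text, short_name, realm):
    """Return (ok, canonical, problems) for the name a join would register."""
    expected = f"{short_name}.{realm}".lower()
    canonical = canonical_name(hosts_text, short_name)
    problems = []
    if canonical is None:
        problems.append(f"no /etc/hosts line mentions {short_name}")
    elif canonical != expected:
        problems.append(f"canonical name is {canonical!r}, expected {expected!r}: "
                        "put the FQDN first on the line")
    return (not problems, canonical, problems)


if __name__ == "__main__":
    for label, text in (("bad", HOSTS_BAD), ("good", HOSTS_GOOD)):
        print(label, check_join_identity(text, "ubuntu-05", "intranet.lan"))
```

The bad sample reports canonical name 'localhost'; the good one passes with 'ubuntu-05.intranet.lan'. On a live machine the same comparison is `hostname -f` against `hostname`.`<realm>`, which is the check Robert describes before retrying the join.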
[Samba] Re: Kerberos with delegated domain
On Wed, Jun 3, 2009 at 10:35 AM, Robert LeBlanc wrote: > > > On Fri, May 29, 2009 at 5:38 PM, Robert LeBlanc wrote: > >> >> On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc wrote: >> >>> Ok, here is the set-up. We have a domain that is the main domain, it >>> handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS >>> records to delegate domain.local to our Active Directory. >>> >>> I am able to bind a machine just fine to the Active Directory without >>> having to change any of the client DNS settings (which point to >>> domain.edu). File services work fine. I'm trying to work out single >>> sign-on with OpenSSH server. I can get it working to itself just fine using >>> either hostname, hostname.domain.local and hostname.edu where hostname >>> is the name of the machine that is sshing to itself. When I have two >>> machines set-up exactly the same, it doesn't work. >>> >>> I've sniffed the traffic and I can see that Kerberos goes through both >>> domains looking for a principal that matches. The problem is that the >>> reverse DNS always sends back hostname.domain.edu, but the service >>> principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to >>> generate the service principal. >>> >>> Is there some way to have winbind register both FQDNs as service >>> principals automatically on join? If not, how would I add a service >>> principal to the keytab that winbind generates? Or, how can I get Kerberos >>> to use the short version of the principal that does not include >>> domain.[edu|local]. I'm really new to Kerberos at this level and I've spent >>> about a week getting this far. >>> >>> Thanks, >>> Robert >>> >> >> I've tried setting up a mapping in the domain_realm section of >> /etc/krb5.conf like: >> >> .domain.com = DOMAIN.LOCAL >> >> but that didn't help. Then I found for the libdefaults section: >> >> rdns = no >> >> and that seems to work. It seems to use just the short name which winbind >> does populate in the keytab.
I don't think anyone outside of our area could >> spoof the short name because they won't have access to the computer object >> in the AD. A computer with the same name would have a different key so it >> wouldn't match. Is there anything I'm missing that I should be conserned >> about? >> >> Thanks, >> Robert >> >> >> The saga continues > > I've found that I can add service principals to the keytab using net ads > keytab add host/hostname.domain.edu and according to everything that I've > read this should edit the servicePrincipalName field of the computer > account. This is not the case for us however. When a computer is joined to > the domain using net ads join -U administrator, it seems to create the SPNs, > issuing the add command results in no new SPNs being added to the computer > account. I performed a net ads keytab flush -U administrator and it removed > all the SPNs from the computer account, now I can't get them back. A net ads > keytab create -U administrator regenerated a local keytab, but no SPNs were > added to the computer account. > > The administrator account is not a domain admin account, but has full > control over the computer object. I've added the SPN manually into the > computer account and everything was working fine, but I'd like to do this > client side. The domain is a MS 2008 AD running in 2003 mode. > > Anyone have suggestions of what I may try to figure this problem out? > > Thanks, > Robert LeBlanc > This seems to be quite the one sided conversation, but I hope that it will help someone, or that someone can help me. I've set-up an new Debian Lenny machine and joined it to a MS 2003 Domain that I am Domain Admin on, still no luck. I'm guess that it is something that I'm doing wrong rather than a problem with Samba. Now to figure what it is that I'm doing wrong. 
Tried Samba 3.2.5 against MS 2003 domain as Domain Admin Tried Samba 3.3.4 against MS 2008 domain (not domain Admin) and MS 2003 domain as Domain Admin The next reply will probably be from me, see me soon! Robert -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] Re: Kerberos with delegated domain
On Fri, May 29, 2009 at 5:38 PM, Robert LeBlanc wrote:
>
> On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc wrote:
>
>> Ok, here is the set-up. We have a domain that is the main domain, it handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS records to delegate domain.local to our Active Directory.
>>
>> I am able to bind a machine just fine to the Active Directory without having to change any of the client DNS settings (which point to domain.edu). File services work fine. I'm trying to work out single sign-on with OpenSSH server. I can get it working to itself just fine using either hostname, hostname.domain.local and hostname.edu where hostname is the name of the machine that is sshing to itself. When I have two machines set up exactly the same, it doesn't work.
>>
>> I've sniffed the traffic and I can see that Kerberos goes through both domains looking for a principal that matches. The problem is that the reverse DNS always sends back hostname.domain.edu, but the service principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to generate the service principal.
>>
>> Is there some way to have winbind register both FQDNs as service principals automatically on join? If not, how would I add a service principal to the keytab that winbind generates? Or, how can I get Kerberos to use the short version of the principal that does not include domain.[edu|local]? I'm really new to Kerberos at this level and I've spent about a week getting this far.
>>
>> Thanks,
>> Robert
>
> I've tried setting up a mapping in the domain_realm section of /etc/krb5.conf like:
>
> .domain.com = DOMAIN.LOCAL
>
> but that didn't help. Then I found for the libdefaults section:
>
> rdns = no
>
> and that seems to work. It seems to use just the short name which winbind does populate in the keytab. I don't think anyone outside of our area could spoof the short name because they won't have access to the computer object in the AD. A computer with the same name would have a different key so it wouldn't match. Is there anything I'm missing that I should be concerned about?
>
> Thanks,
> Robert

The saga continues

I've found that I can add service principals to the keytab using net ads keytab add host/hostname.domain.edu and according to everything that I've read this should edit the servicePrincipalName field of the computer account. This is not the case for us however. When a computer is joined to the domain using net ads join -U administrator, it seems to create the SPNs; issuing the add command results in no new SPNs being added to the computer account. I performed a net ads keytab flush -U administrator and it removed all the SPNs from the computer account, now I can't get them back. A net ads keytab create -U administrator regenerated a local keytab, but no SPNs were added to the computer account.

The administrator account is not a domain admin account, but has full control over the computer object. I've added the SPN manually into the computer account and everything was working fine, but I'd like to do this client side. The domain is a MS 2008 AD running in 2003 mode.

Anyone have suggestions of what I may try to figure this problem out?

Thanks,
Robert LeBlanc
[Samba] Re: Kerberos with delegated domain
On Fri, May 29, 2009 at 2:33 PM, Robert LeBlanc wrote:
> Ok, here is the set-up. We have a domain that is the main domain, it handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS records to delegate domain.local to our Active Directory.
>
> I am able to bind a machine just fine to the Active Directory without having to change any of the client DNS settings (which point to domain.edu). File services work fine. I'm trying to work out single sign-on with OpenSSH server. I can get it working to itself just fine using either hostname, hostname.domain.local and hostname.edu where hostname is the name of the machine that is sshing to itself. When I have two machines set up exactly the same, it doesn't work.
>
> I've sniffed the traffic and I can see that Kerberos goes through both domains looking for a principal that matches. The problem is that the reverse DNS always sends back hostname.domain.edu, but the service principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to generate the service principal.
>
> Is there some way to have winbind register both FQDNs as service principals automatically on join? If not, how would I add a service principal to the keytab that winbind generates? Or, how can I get Kerberos to use the short version of the principal that does not include domain.[edu|local]? I'm really new to Kerberos at this level and I've spent about a week getting this far.
>
> Thanks,
> Robert

I've tried setting up a mapping in the domain_realm section of /etc/krb5.conf like:

.domain.com = DOMAIN.LOCAL

but that didn't help. Then I found for the libdefaults section:

rdns = no

and that seems to work. It seems to use just the short name which winbind does populate in the keytab. I don't think anyone outside of our area could spoof the short name because they won't have access to the computer object in the AD. A computer with the same name would have a different key so it wouldn't match. Is there anything I'm missing that I should be concerned about?

Thanks,
Robert
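An added check, not code from the thread, for the failure mode described above (rDNS answering in one suffix while the keytab only holds the other): it parses a constructed krb5.conf and constructed `klist -k` output and reports when rdns is left at its default, when a DNS suffix has no domain_realm mapping, or when the keytab lacks a host/ principal for the short name or either FQDN. The realm, host name and suffixes are assumed sample values.

```python
import re
# Constructed samples (not from the thread): clients resolve in domain.edu, the AD realm is DOMAIN.LOCAL, host is "box".
KRB5_CONF = """[libdefaults]
    default_realm = DOMAIN.LOCAL
[domain_realm]
    .domain.local = DOMAIN.LOCAL
[appdefaults]
    pam = {
        forwardable = true
    }
"""
KLIST_K = """KVNO Principal
   2 host/box.domain.local@DOMAIN.LOCAL
   2 host/box@DOMAIN.LOCAL
"""

def parse_krb5_conf(text):
    """Map [section] -> {key: value}; nested { } blocks are skipped."""
    sections, cur, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif cur and depth == 0 and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key.lower()] = val
    return sections

def keytab_principals(klist_output):
    return set(re.findall(r"^\s*\d+\s+(\S+)$", klist_output, re.M))  # one name per numbered line

def audit(krb5_text, klist_output, realm, host, dns_suffixes):
    """List the reasons host-to-host GSSAPI SSO may fail on this client."""
    conf, have, findings = parse_krb5_conf(krb5_text), keytab_principals(klist_output), []
    # MIT defaults rdns to true: the target is canonicalised via reverse DNS and
    # the ticket is requested for host/<rDNS name>, which the keytab may lack.
    if conf.get("libdefaults", {}).get("rdns", "true").lower() not in ("false", "no", "0"):
        findings.append("libdefaults: rdns not set to no; rDNS picks the principal")
    for s in dns_suffixes:
        if conf.get("domain_realm", {}).get("." + s, "").upper() != realm.upper():
            findings.append(f"domain_realm: missing .{s} = {realm}")
    for name in [host] + [f"{host}.{s}" for s in dns_suffixes]:
        if f"host/{name}@{realm}" not in have:
            findings.append(f"keytab: no host/{name}@{realm}")
    return findings
```

Running `audit(KRB5_CONF, KLIST_K, "DOMAIN.LOCAL", "box", ["domain.edu", "domain.local"])` on the samples reports the missing rdns setting, the missing .domain.edu mapping and the missing host/box.domain.edu principal; an empty list means either fix from the thread (rdns = no, or principals for both names) is in place.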
[Samba] Kerberos with delegated domain
Ok, here is the set-up. We have a domain that is the main domain, it handles DHCP and DNS for domain.edu. The DNS for domain.edu has NS records to delegate domain.local to our Active Directory.

I am able to bind a machine just fine to the Active Directory without having to change any of the client DNS settings (which point to domain.edu). File services work fine. I'm trying to work out single sign-on with OpenSSH server. I can get it working to itself just fine using either hostname, hostname.domain.local and hostname.edu where hostname is the name of the machine that is sshing to itself. When I have two machines set up exactly the same, it doesn't work.

I've sniffed the traffic and I can see that Kerberos goes through both domains looking for a principal that matches. The problem is that the reverse DNS always sends back hostname.domain.edu, but the service principals are hostname.domain.local. I'm guessing Kerberos uses the rDNS to generate the service principal.

Is there some way to have winbind register both FQDNs as service principals automatically on join? If not, how would I add a service principal to the keytab that winbind generates? Or, how can I get Kerberos to use the short version of the principal that does not include domain.[edu|local]? I'm really new to Kerberos at this level and I've spent about a week getting this far.

Thanks,
Robert
Re: [Samba] Best Way to Securely Mount SMB/CIFS Shares
On Thu, May 21, 2009 at 12:05 PM, wrote:
> Although I am comfortable mounting smbfs/cifs shares for myself, as root, I am trying to determine the optimal way to have users get specific mounts, without having to put in any user account details in fstab, and specific mounts for specific users. I know I can create a .credentials file in each user's /home/user folder and point to that in fstab. But I don't want to have multiple lines in fstab for each user.
>
> Can a mount line be added to a user's bash_profile using a hidden/hashed credentials file, or something similar, so that only those mounts needed for any particular user are mounted when they log in, rather than in fstab and mounted for everyone?
>
> Or maybe there is another way to securely create different windows share mounts for different users without having them in fstab?
>
> CentOS 5.3, x86
> Samba: 3.033375

If you have a Kerberos realm set up, you could leverage that so that no password is needed. Active Directory uses Kerberos if that is available. A user on Debian can call smbmount without having to be root.

Robert LeBlanc
Re: [Samba] Kerberos and 2008 AD troubles
Ok, setting up from scratch works perfectly with both FQDN and the short name. I did not need to specify the AD DNS servers either. Thanks for all the help.

Robert

On Mon, May 18, 2009 at 3:30 PM, Robert LeBlanc wrote:
> Sorry to take so long to get back with you, but I've finally got it working between two computers if I use their FQDN. Is there any way to use the short name (i.e. instead of computer.domain.local, just use computer)?
>
> I think DHCP was fouling me up with this, so I edited /etc/hosts and made sure the correct FQDN was in there. I edited /etc/dhcp/dhclient.conf and added the following two lines:
>
> supersede domain-name "domain.local domain.com";
> supersede domain-name-servers 10.x.x.1, 10.x.x.2;
>
> and ran dhclient to update and check /etc/resolv.conf. I then joined the computer again to the domain (twice as the first time always seems to give me a kerberos error). I then ran
>
> net ads keytab create
>
> to create a keytab file for Kerberos. Now that I know it works, I'm going to set it up again from scratch to make sure I can replicate it and document it and to see what configurations I can get away with not doing (it would be nice to not have to override the DNS for laptops, the .com DNS has entries for the .local).
>
> If I can just get it to work with the FQDN, I will be VERY happy.
>
> Thanks,
> Robert LeBlanc
>
> On Thu, May 7, 2009 at 12:17 PM, Robert Foreman wrote:
>
>> If kinit is not working then I'm pretty sure Kerberos is not actually working. You will probably want to double check the contents of your krb5.conf file. If resolv.conf is using your domain controllers for name resolution then the krb5.conf file is about the only thing you need configured in order to test kinit.
>>
>> I use dns lookup for realm and kdc and my krb5.conf file looks something like this:
>>
>> ===
>> [logging]
>> default = FILE:/var/log/krb5libs.log
>> kdc = FILE:/var/log/krb5kdc.log
>> admin_server = FILE:/var/log/kadmind.log
>>
>> [libdefaults]
>> default_realm = DOMAIN.LOCAL
>> dns_lookup_realm = true
>> dns_lookup_kdc = true
>>
>> [domain_realm]
>> .domain.local = DOMAIN.LOCAL
>> domain.local = DOMAIN.LOCAL
>>
>> [kdc]
>> profile = /var/kerberos/krb5kdc/kdc.conf
>>
>> [appdefaults]
>> pam = {
>>   debug = false
>>   ticket_lifetime = 36000
>>   renew_lifetime = 36000
>>   forwardable = true
>>   krb4_convert = false
>>   validate = true
>> }
>> ===
>>
>> And you will probably find that you DO want the keytab file, but it's not necessary for testing the kinit command.
>>
>> I recommend the following value in your smb.conf:
>>
>> use kerberos keytab = Yes
>>
>> That should pull the keytab file automatically when using the net ads join command. There were previous issues with that not working for w2k8, but I believe that has been resolved.
>>
>> You will also probably want to use the krb5_auth = yes and krb5_ccache_type = FILE options in your pam_winbind configuration. Those can be set in the pam config files, or in RHEL systems in /etc/security/pam_winbind.conf. If you used the authconfig tool it probably set the krb5_auth option, but not the cache_type. Without the cache_type it will use Kerberos for authentication, but you won't get a Kerberos token which is used for the next ssh connection to another host.
>>
>> You will also want the following in your ssh_config file
>>
>> GSSAPIAuthentication yes
>> GSSAPIDelegateCredentials yes
>>
>> and the following in your sshd_config file.
>>
>> GSSAPIAuthentication yes
>> GSSAPICleanupCredentials yes
>> UsePAM yes
>>
>> It took me a while to sort out Kerberos SSO with winbind also, but it's been great ever since. Good luck!
>>
>> On Wed, May 6, 2009 at 12:11 PM, Robert LeBlanc wrote:
>>
>>> I've been trying to get Kerberos to work for the last couple of days so that we can use SSO. I can't seem to get past a roadblock and Google doesn't seem to provide any answers. I've got Samba connected to the AD and running. I can wbinfo everything and can login to the machine using PAM with the pam_winbind modules just fine. I can get user tickets just fine. When I try to get ssh between two AD joined machines to use