Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-14 Thread Ryan Bair
I've been running netatalk for my OS X clients with great success. The
performance isn't as good as Windows to Samba, but it's a HUGE improvement
over any version of OS X with any SMB server. 30 seconds with wireshark
will tell you why OS X's browsing performance is so horrible.

Another point of OS X/Samba misinformation is that Apple dropped Samba
which is an SMB server. OS X's SMB client never shared any code with Samba
and did not change as a result of the Samba purge.

Here's hoping 10.9's SMB driver is as improved as Apple is claiming it to
be.

On Oct 11, 2013 12:40 PM, "Jeremy Allison"  wrote:

> On Fri, Oct 11, 2013 at 04:15:35PM +, Paul Older wrote:
> > On 11/10/2013 17:04, "Jeremy Allison"  wrote:
> >
> >
> > >On Fri, Oct 11, 2013 at 11:36:41AM +, Paul Older wrote:
> > >>   *   A few years ago, Samba made changes to their licensing meaning
> > >>Apple could apparently no longer use it in a commercial release (so I've
> > >>read)
> > >
> > >No No No !
> > >
> > >"Apple could apparently no longer use it in a commercial release"
> > >
> > >I *hate* this myth, it's *completely* untrue. Where
> > >did you read this ?
> >
> > Apologies - my source is quite unofficial and now also apparently wrong.
> > For info, I read it here:
> >
> >
> > http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-lion
> >
> > As Mac OS X adopted more of Samba's tools, the team behind Samba gradually
> > transformed the open source licensing for its software. The latest version
> > of Samba is offered only with General Public License Version 3 (GPLv3)
> > licensing, which includes
> > restrictions that essentially prevent Apple from incorporating it into
> > commercially packaged software like Mac OS X.
>
> "essentially prevent" == "Stops Apple from suing Samba or Samba users over
> their patents".
>
> Is how you have to read that.
>
> Jeremy.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


Re: [Samba] write problem from mac osx 10.8.5 clients to samba 4

2013-10-03 Thread Ryan Bair
I'm not sure if this is still an issue in modern versions of OS X, but in
the past you have had to disable unix extensions on the server if UID/GIDs
didn't match up with what the client had. It really sucks that there's not
another workaround, especially for off-domain Macs.

Personally, I've been running netatalk for OS X clients. While it sucks to
have to maintain another service, the OS X SMB driver has always been
pretty awful and the improvement in performance has been well worth the
cost.


On Thu, Oct 3, 2013 at 8:04 AM, Athan DE JONG  wrote:

> Hi
>
> I have setup a samba 4 DC with mixed client environment.
> My problem is that the mac osx clients are unable to write to a samba 4
> share.
>
> I tested mac osx clients on a normal windows 7 share and it works fine
> I tested mac osx clients on a samba 3.5 .. share and everything works fine.
>
> As i am in a professional environment and all the windows clients are
> already bound to the samba 4 domain I cannot step back to samba3.
>
> My mac osx clients are bound and I'm able to view/edit active directory
> from the mac.
>
> My only issue is that I cannot write to the samba 4 shares. I have
> verified all about permissions, and my thought is that mac osx confuses
> unix and acl rights.
>
> Is there a workaround or a special thing to do regarding UID map GUID map
>
> please be aware that I'm not a mac specialist, but have to handle it
> because of professional reasons.
>
> I have been searching for a solution for weeks now and really need some help!
>
> Kind regards


Re: [Samba] samba 4 failed with kerberos error (ubuntu)

2013-09-09 Thread Ryan Bair
It looks like you're not pointing to yourself for DNS. Check to make sure
DNS is working correctly (especially the SRV kerberos records for this
issue).


On Mon, Sep 9, 2013 at 4:31 AM, Alexander Busam <
a.bu...@hofmann-foerdertechnik.com> wrote:

> Hello!
>
> I tried to install samba 4 as described in the samba AD DC HOWTO.
>
> Here my configuration:
>
> ubuntu 12.04 server 64 bit server
>
> /etc/network/interfaces:
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 192.168.1.19
> netmask 255.255.252.0
> up route add default gw 192.168.1.4
> dns-search hofmann-intern.de
> dns-nameservers 192.168.1.26
>
> /etc/hosts:
>
> 127.0.0.1   localhost
> 192.168.1.19   hmsmbctx.hofmann-intern.de  hmsmbctx
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> I installed required software:
>
> apt-get install build-essential libacl1-dev libattr1-dev \
>   libblkid-dev libgnutls-dev libreadline-dev python-dev \
>   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
>   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>
> and run the provisioning script:
>
> samba-tool domain provision --use-rfc2307 --interactive
>
> with internal-dns
>
> Copied /var/lib/samba/private/krb5.conf to /etc/
>
>
> When I start samba with samba -i -M single
>
> I got the following error:
>
>
> root@hmsmbctx:/home/administrator# samba -i -M single
> samba version 4.0.9-SerNet-Ubuntu-6.precise started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> Attempting to autogenerate TLS self-signed keys for https for hostname 'HMSMBCTX.hfmctx.hofmann-intern.de'
> TLS self-signed keys generated OK
> /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 506,
> in 
> /usr/sbin/samba_dnsupdate: get_credentials(lp)
> /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 119,
> in get_credentials
> /usr/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
> /usr/sbin/samba_dnsupdate: RuntimeError: kinit for HMSMBCTX$@HFMCTX.HOFMANN-INTERN.DE failed
> (Cannot contact any KDC for requested realm)
> /usr/sbin/samba_dnsupdate:
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
> NT_STATUS_ACCESS_DENIED
>
> What's going wrong?
>
> Thx in advance.
>
> Alex

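An added configuration cross-check (not Samba's own code) that parses the /etc/network/interfaces and /etc/hosts text from Alex's post and reports why the DC's internal DNS is never consulted; the realm name is taken from the kinit error above. The nameserver check is the point Ryan makes; the FQDN check is an assumption about what provisioning expects that goes beyond his reply.

```python
"""Cross-check the network config of a Samba AD DC that uses the internal DNS.

Constructed example: the two config texts below are copied from the post.
'Cannot contact any KDC for requested realm' fits what they show: the box
resolves through 192.168.1.26 instead of itself, so the _kerberos SRV
records the internal DNS serves are never seen, and the /etc/hosts FQDN is
not under the DNS domain the realm was provisioned with.
"""

INTERFACES = """\
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.19
netmask 255.255.252.0
up route add default gw 192.168.1.4
dns-search hofmann-intern.de
dns-nameservers 192.168.1.26
"""

HOSTS = """\
127.0.0.1   localhost
192.168.1.19   hmsmbctx.hofmann-intern.de  hmsmbctx
"""

REALM = "HFMCTX.HOFMANN-INTERN.DE"   # from the kinit error in the post


def parse_interfaces(text):
    """Return {iface: {option: value}}; dns-nameservers becomes a list."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "iface":
            current = words[1]
            ifaces[current] = {"method": words[3] if len(words) > 3 else ""}
        elif words[0] in ("auto", "allow-hotplug", "source"):
            continue
        elif current is not None:
            key, value = words[0], words[1:]
            ifaces[current][key] = value if key == "dns-nameservers" else " ".join(value)
    return ifaces


def parse_hosts(text):
    """Return {ip: [names...]} from /etc/hosts text."""
    hosts = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 2:
            hosts.setdefault(words[0], []).extend(words[1:])
    return hosts


def check_dc_dns(interfaces_text, hosts_text, realm, iface="eth0"):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    cfg = parse_interfaces(interfaces_text).get(iface)
    if cfg is None or "address" not in cfg:
        return [f"no static address configured for {iface}"]
    addr = cfg["address"]
    servers = cfg.get("dns-nameservers", [])
    # A DC running the internal DNS must resolve through itself, otherwise
    # the SRV records it publishes for the realm are never consulted.
    if not ({addr, "127.0.0.1"} & set(servers)):
        findings.append(
            f"dns-nameservers {servers} does not include this DC ({addr}); "
            "the internal DNS and its _kerberos SRV records are never consulted")
    # The host's FQDN should sit under the realm's DNS domain (assumption).
    domain = realm.lower()
    fqdns = [n for n in parse_hosts(hosts_text).get(addr, []) if "." in n]
    if not fqdns:
        findings.append(f"/etc/hosts has no fully qualified name for {addr}")
    elif not any(n.lower().endswith("." + domain) for n in fqdns):
        findings.append(
            f"/etc/hosts names {fqdns} are not under the realm's DNS domain {domain}")
    return findings


if __name__ == "__main__":
    for finding in check_dc_dns(INTERFACES, HOSTS, REALM) or ["no problems found"]:
        print("-", finding)
```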

Re: [Samba] Inexplicable rejection of credentials

2013-08-30 Thread Ryan Bair
Did you smbpasswd the user on that machine?


On Thu, Aug 29, 2013 at 5:27 PM, Paul D. DeRocco wrote:

> I have a Windows home network with a bunch of Windows boxes and two Ubuntu
> boxes. Everything can access shares on everything else, with one
> exception: no one can get to the one share on the second Ubuntu box which
> I just added to the system.
>
> All my machines have one user account (admin privileges in Windows) with
> the name "pauld" and the same password. In an effort to solve this problem
> on the second Ubuntu box, I even copied the smb.conf file from the first
> Ubuntu box and edited its "netbios name" parameter. The only difference I
> can see in the configuration of the two boxes is the different computer
> names, which are reflected both in their hostnames and their netbios
> names. Oh, and I've rebooted everything several times.
>
> Yet when I attempt to access the sole share on this machine, either from a
> Windows machine or from the other Ubuntu box, it rejects the
> username/password. (One difference: Windows boxes fail on trying to open
> the machine; the older Ubuntu box can open the machine and see the
> share name, but fail on trying to open the share. Dunno if that means
> anything.)
>
> For reference, here's the smb.conf from the offending machine:
>
> ---
> [global]
> workgroup = WORKGROUP
> netbios name = BUILD
> server string = %h server (Samba, Ubuntu)
> dns proxy = no
> name resolve order = bcast wins
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> encrypt passwords = true
> passdb backend = tdbsam
> obey pam restrictions = yes
> unix password sync = yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> pam password change = yes
> map to guest = bad user
> usershare allow guests = yes
> [printers]
> comment = All Printers
> browseable = no
> path = /var/spool/samba
> printable = yes
> guest ok = no
> read only = yes
> create mask = 0700
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> browseable = yes
> read only = yes
> guest ok = no
> [all]
> comment = Everything
> read only = no
> path = /
> browsable = yes
> create mask = 755
> ---
>
> Most of this stuff was created automatically by installing Samba, so I
> don't really know what it means, or even if it's necessary. I stripped out
> all the comments, and manually added the [all] share at the end. (And I
> don't need any lectures about providing write access to root, please.) The
> ONLY difference between this file and the one on the working Ubuntu
> machine is the netbios name.
>
> There are no other mysterious files in /etc/samba that could be confusing
> things. No logs in /var/log/samba show any failures. So my general
> question is: how do I fix this? And a more specific question is: is there
> any other file somewhere that could be getting into the act, and screwing
> this machine up? If there isn't an answer forthcoming, how about this: how
> do I go about debugging this?
>
> --
>
> Ciao,   Paul D. DeRocco
> Paulmailto:pdero...@ix.netcom.com
>
>


Re: [Samba] NT4 clients

2013-07-31 Thread Ryan Bair
OK. I got all excited and ran the test against a 2008 DC this morning.
After allowing NT4 crypto through group policy, it worked seamlessly.

Here's what I saw through wireshark:
1. same old failed extended security negotiation ..
2. Win7 sends DC TGS-REQ for cifs/nt4test
3. DC replies KRB-ERROR: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Just for grins, I then added HOST entries for the NT4 box in AD and tested
again. The result was exactly the same as with the Samba DC, Windows issued
a ticket and Win7 rejected the connection to the NT4 box.

In summary, the evidence strongly points to CIFS being a mapped alias to
the HOST SPN. If HOST exists, we can map it to CIFS, if it does not, we
should tell the client that the principal does not exist.

I will open a bug for this.




On Tue, Jul 30, 2013 at 9:44 PM, Ryan Bair  wrote:

> Last bit of info.
>
> This article, http://support.microsoft.com/kb/258503, indicates that
> Windows should indeed be setting up its own default SPNs (host and machine
> name).
>
> http://support.microsoft.com/kb/320187 states that the pre-Windows 2000
> checkbox in ADUC assigns the machine password based on the machine name. I
> haven't found any information indicating that it does anything more than
> this.
>
> I'll try to confirm the behavior against a Win2008 DC this week, but right
> now I'm leaning towards the CIFS SPN being dependent upon a HOST SPN being
> present.
>
>
> On Tue, Jul 30, 2013 at 8:58 PM, Ryan Bair  wrote:
>
>> I've noticed that Win2k+ clients have filled in their
>> servicePrincipalName attribute in AD. I know that the cifs SPN is implicit,
>> but are you certain the host SPN is also implicit? If cifs was only meant
>> to be implicit off of the host (and the host not implicit itself), that
>> could be a way to determine if the request should be fulfilled.
>>
>> I have not tried against a Windows DC. I may set up a test DC to see what
>> the behavior is.
>>
>> Connecting by IP address does work. I'll try using an alternative name,
>> that sounds promising as well.
>>
>> In ADUC, there is a checkbox for pre-Windows 2000 when creating a new
>> machine account. I wonder what this does and if we could use it somehow. I
>> know it's not stored anywhere directly, but I'd suspect it's there for a
>> reason.
>>
>>
>> On Tue, Jul 30, 2013 at 6:02 PM, Andrew Bartlett wrote:
>>
>>> On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
>>> > Hi Andrew,
>>> >
>>> >
>>> > To clarify, it is the Win7 client sending the TGS request to the DC
>>> > and the DC responds positively. I now have a more complete
>>> > understanding of what's going on:
>>> >
>>> >
>>> > 1. Win7 initiates a session with NT4. Nothing interesting.
>>> >
>>> > 2. Win7 sends the negotiate protocol response. Of note, we state that
>>> > we support extended security.
>>> >
>>> > 3. NT4 responds that it does not support extended security. More
>>> > precisely, when NT4 dinosaurs roamed the earth, that bit was likely
>>> > still reserved.
>>> >
>>> > 4. Win7 issues a TGS request to the _DC_ to see if the host with that
>>> > name really doesn't support extended security, or if the NT4 machine
>>> > is trying to subject it to some sort of elaborate ruse. (i)
>>> >
>>> > 5. DC responds positively to the TGS req. (!!!)
>>> >
>>> > 6. Win7 closes the connection, and displays the error to the user.
>>> >
>>> >
>>> > i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
>>> > state:
>>> > <94> Section 3.2.5.2: When the server completes negotiation and
>>> > returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
>>> > clients query the Key Distribution Center (KDC) to verify whether a
>>> > service ticket is registered for the given security principal name
>>> > (SPN). If the query indicates that the SPN is registered with the KDC,
>>> > then the SMB client terminates the connection and returns an
>>> > implementation-specific security downgrade error to the caller.
>>> >
>>> >
>>> > Since the Samba DC replies that the SPN is available (by fulfilling
>>> > the request), I'm assuming we're triggering this documented behavior
>>> > in the Win7 client.
>>>
>>> Indeed.
>>>
>>> > Also of note, `klist` on the client has an entry for cifs/nt4tes

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Last bit of info.

This article, http://support.microsoft.com/kb/258503, indicates that
Windows should indeed be setting up its own default SPNs (host and machine
name).

http://support.microsoft.com/kb/320187 states that the pre-Windows 2000
checkbox in ADUC assigns the machine password based on the machine name. I
haven't found any information indicating that it does anything more than
this.

I'll try to confirm the behavior against a Win2008 DC this week, but right
now I'm leaning towards the CIFS SPN being dependent upon a HOST SPN being
present.


On Tue, Jul 30, 2013 at 8:58 PM, Ryan Bair  wrote:

> I've noticed that Win2k+ clients have filled in their servicePrincipalName
> attribute in AD. I know that the cifs SPN is implicit, but are you certain
> the host SPN is also implicit? If cifs was only meant to be implicit off of
> the host (and the host not implicit itself), that could be a way to
> determine if the request should be fulfilled.
>
> I have not tried against a Windows DC. I may set up a test DC to see what
> the behavior is.
>
> Connecting by IP address does work. I'll try using an alternative name,
> that sounds promising as well.
>
> In ADUC, there is a checkbox for pre-Windows 2000 when creating a new
> machine account. I wonder what this does and if we could use it somehow. I
> know it's not stored anywhere directly, but I'd suspect it's there for a
> reason.
>
>
> On Tue, Jul 30, 2013 at 6:02 PM, Andrew Bartlett wrote:
>
>> On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
>> > Hi Andrew,
>> >
>> >
>> > To clarify, it is the Win7 client sending the TGS request to the DC
>> > and the DC responds positively. I now have a more complete
>> > understanding of what's going on:
>> >
>> >
>> > 1. Win7 initiates a session with NT4. Nothing interesting.
>> >
>> > 2. Win7 sends the negotiate protocol response. Of note, we state that
>> > we support extended security.
>> >
>> > 3. NT4 responds that it does not support extended security. More
>> > precisely, when NT4 dinosaurs roamed the earth, that bit was likely
>> > still reserved.
>> >
>> > 4. Win7 issues a TGS request to the _DC_ to see if the host with that
>> > name really doesn't support extended security, or if the NT4 machine
>> > is trying to subject it to some sort of elaborate ruse. (i)
>> >
>> > 5. DC responds positively to the TGS req. (!!!)
>> >
>> > 6. Win7 closes the connection, and displays the error to the user.
>> >
>> >
>> > i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
>> > state:
>> > <94> Section 3.2.5.2: When the server completes negotiation and
>> > returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
>> > clients query the Key Distribution Center (KDC) to verify whether a
>> > service ticket is registered for the given security principal name
>> > (SPN). If the query indicates that the SPN is registered with the KDC,
>> > then the SMB client terminates the connection and returns an
>> > implementation-specific security downgrade error to the caller.
>> >
>> >
>> > Since the Samba DC replies that the SPN is available (by fulfilling
>> > the request), I'm assuming we're triggering this documented behavior
>> > in the Win7 client.
>>
>> Indeed.
>>
>> > Also of note, `klist` on the client has an entry for cifs/nt4test
>> > which `setspn -Q cifs/nt4test` confirms does not exist. I can't
>> > confirm the behavior in #5 is a bug, but it certainly seems suspect.
>>
>> The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
>> that comes from nt4test being the machine's name.
>>
>> The issue for us as a KDC is that there is no flag that I know of that
>> can be set to say that this domain member should not be issued a ticket,
>> and the downgrade protection is an important part of the security of the
>> network.  (that protection isn't useful if the member server can still
>> negotiate for only NTLM without protection, but waiting for that is for
>> another day).
>>
>> Have you tested and shown Windows behaves any differently?
>>
>> Finally, as a workaround try connecting to the machine by IP or by a
>> name the KDC doesn't know.
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team   http://samba.org
>> Samba Developer, Catalyst IT   http://catalyst.net.nz
>>
>>
>>
>


Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Sorry Andrew, that message was intended towards Gaiseric's comment.

I will try to get you a trace against Windows 2008, but it may take me a
while to get a test environment set up for that. I've also noticed that
this happens as far back as Windows 2000 clients, so not isolated to Win7.


On Tue, Jul 30, 2013 at 9:31 PM, Andrew Bartlett  wrote:

> On Tue, 2013-07-30 at 21:25 -0400, Ryan Bair wrote:
> > Understood. The machine I'm trying to connect is just a member, not a
> > DC. This is something which was well supported in earlier versions of
> > Windows with AD (NT4 didn't die overnight), and reportedly still works
> > in 2012.  I'm not expecting any Kerberos to come out of NT4, nor do I
> > see any.
> >
> > The issue is that the Samba DC is fulfilling a TGS request when it
> > really should not. I spelled this out in a bit more detail a few
> > messages back.
>
> What I need you to do is show how this is different with Windows 2008,
> rather than Samba 4.0 as an AD DC.  Then I might be able to assist,
> otherwise, the only 'buggy' part of this would seem to be the new
> security behavior of Windows 7, which you may be able to disable.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Understood. The machine I'm trying to connect is just a member, not a DC.
This is something which was well supported in earlier versions of Windows
with AD (NT4 didn't die overnight), and reportedly still works in 2012.
I'm not expecting any Kerberos to come out of NT4, nor do I see any.

The issue is that the Samba DC is fulfilling a TGS request when it really
should not. I spelled this out in a bit more detail a few messages back.

Thank you for pointing out the security issues. I'm well aware of the
issues with having an OS so old hanging around. The machine is involved in
ultimately driving a piece of equipment, but the set up requires several
other clients to have access via named pipe and SMB share. It's presently
isolated as best it can be given all the constraints. It's far from ideal
on several fronts, but the solution has been extremely reliable for a long
time and we realistically have at least 12 months until replacing the
solution is feasible.

On Tue, Jul 30, 2013 at 6:12 PM, Gaiseric Vandal
wrote:

> For what it is worth - it looks like NT4 does NOT use kerberos even
> with the Active Directory client installed.
>
> http://www.petri.co.il/dsclient_for_win98_nt.htm#
>
>
> Windows 2003 Active Directory had some compatibility with NT4 domain
> controllers. I don't think Samba 4 does. Your best bet may be to try
> putting the NT4 machine in a separate NT4/Samba 3 domain and establishing
> trusts. Or more realistically take it OUT of the domain and just create
> local user accounts with same passwords as the network accounts.
>
> The only legit reason I could see to be running NT4 is if it is managing
> a specialized piece of equipment (e.g. on a manufacturing floor.) In
> that case the machine(s) should be airgapped from any regular network with
> internet access. If you follow security news you can imagine why it
> is important to keep unpatched systems physically isolated from the
> internet or other networks.
>
>
>
>
>
> On 07/30/13 05:33, Ryan Bair wrote:
>
>  Hi Andrew,
>
>  To clarify, it is the Win7 client sending the TGS request to the DC and
> the DC responds positively. I now have a more complete understanding of
> what's going on:
>
>  1. Win7 initiates a session with NT4. Nothing interesting.
>  2. Win7 sends the negotiate protocol response. Of note, we state that we
> support extended security.
>  3. NT4 responds that it does not support extended security. More
> precisely, when NT4 dinosaurs roamed the earth, that bit was likely still
> reserved.
>  4. Win7 issues a TGS request to the _DC_ to see if the host with that
> name really doesn't support extended security, or if the NT4 machine is
> trying to subject it to some sort of elaborate ruse. (i)
>  5. DC responds positively to the TGS req. (!!!)
>  6. Win7 closes the connection, and displays the error to the user.
>
>  i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx state:
> <94> Section 3.2.5.2: When the server completes negotiation and returns the
> CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the
> Key Distribution Center (KDC) to verify whether a service ticket is
> registered for the given security principal name (SPN). If the query
> indicates that the SPN is registered with the KDC, then the SMB client
> terminates the connection and returns an implementation-specific security
> downgrade error to the caller.
>
>  Since the Samba DC replies that the SPN is available (by fulfilling the
> request), I'm assuming we're triggering this documented behavior in the
> Win7 client.
>
>  Also of note, `klist` on the client has an entry for cifs/nt4test which
> `setspn -Q cifs/nt4test` confirms does not exist. I can't confirm the
> behavior in #5 is a bug, but it certainly seems suspect.
>
> On Jul 30, 2013 1:07 AM, "Andrew Bartlett"  wrote:
>
>> On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
>> > Yes, AD has explicit support for pre-2000 clients.
>> >
>> > WINS is alive and well and name resolution is working.
>> >
>> > I really think the bogus TGS reply is messing things up,  but I'd like
>> to
>> > have someo

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
I've noticed that Win2k+ clients have filled in their servicePrincipalName
attribute in AD. I know that the cifs SPN is implicit, but are you certain
the host SPN is also implicit? If cifs was only meant to be implicit off of
the host (and the host not implicit itself), that could be a way to
determine if the request should be fulfilled.

I have not tried against a Windows DC. I may set up a test DC to see what
the behavior is.

Connecting by IP address does work. I'll try using an alternative name,
that sounds promising as well.

In ADUC, there is a checkbox for pre-Windows 2000 when creating a new
machine account. I wonder what this does and if we could use it somehow. I
know it's not stored anywhere directly, but I'd suspect it's there for a
reason.


On Tue, Jul 30, 2013 at 6:02 PM, Andrew Bartlett  wrote:

> On Tue, 2013-07-30 at 05:33 -0400, Ryan Bair wrote:
> > Hi Andrew,
> >
> >
> > To clarify, it is the Win7 client sending the TGS request to the DC
> > and the DC responds positively. I now have a more complete
> > understanding of what's going on:
> >
> >
> > 1. Win7 initiates a session with NT4. Nothing interesting.
> >
> > 2. Win7 sends the negotiate protocol response. Of note, we state that
> > we support extended security.
> >
> > 3. NT4 responds that it does not support extended security. More
> > precisely, when NT4 dinosaurs roamed the earth, that bit was likely
> > still reserved.
> >
> > 4. Win7 issues a TGS request to the _DC_ to see if the host with that
> > name really doesn't support extended security, or if the NT4 machine
> > is trying to subject it to some sort of elaborate ruse. (i)
> >
> > 5. DC responds positively to the TGS req. (!!!)
> >
> > 6. Win7 closes the connection, and displays the error to the user.
> >
> >
> > i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx
> > state:
> > <94> Section 3.2.5.2: When the server completes negotiation and
> > returns the CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB
> > clients query the Key Distribution Center (KDC) to verify whether a
> > service ticket is registered for the given security principal name
> > (SPN). If the query indicates that the SPN is registered with the KDC,
> > then the SMB client terminates the connection and returns an
> > implementation-specific security downgrade error to the caller.
> >
> >
> > Since the Samba DC replies that the SPN is available (by fulfilling
> > the request), I'm assuming we're triggering this documented behavior
> > in the Win7 client.
>
> Indeed.
>
> > Also of note, `klist` on the client has an entry for cifs/nt4test
> > which `setspn -Q cifs/nt4test` confirms does not exist. I can't
> > confirm the behavior in #5 is a bug, but it certainly seems suspect.
>
> The cifs/nt4test SPN is implicit, from the implicit host/nt4test SPN
> that comes from nt4test being the machine's name.
>
> The issue for us as a KDC is that there is no flag that I know of that
> can be set to say that this domain member should not be issued a ticket,
> and the downgrade protection is an important part of the security of the
> network.  (that protection isn't useful if the member server can still
> negotiate for only NTLM without protection, but waiting for that is for
> another day).
>
> Have you tested and shown Windows behaves any differently?
>
> Finally, as a workaround try connecting to the machine by IP or by a
> name the KDC doesn't know.
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


[Samba] Slow FIND_FIRST2 response

2013-07-30 Thread Ryan Bair
I'm running Samba 4.0.7 on CentOS 6.4 running double duty as DC and file
server.

OS X clients are taking a _long_ time to list long directories. One
directory with 10K entries is taking 3-4 minutes to display the entries in
Finder.

I captured a few seconds worth of packets and noticed that it's doing three
requests per file:
1. NTCreateAndX - just opens the file
2. Close
3. FIND_FIRST2 - to look for the resource fork

The first two happen extremely fast, the 3rd one is the kicker. Samba is
taking about 0.025 seconds to return a response to the client (usually no
such file status). Multiply that by 10K requests and you have a few minutes
on your hands.

I'm guessing the problem is that Samba must honor case-insensitivity for
the lookup which is likely an expensive operation. Is there any way to speed
this up?

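A constructed capture analysis, added as an example and not from the post: it matches SMB request/response pairs on (command, multiplex id), computes per-command latency and projects the listing time for a 10K-entry directory from the three round trips per entry described above. The frame timings are made up to reproduce the 0.025 s FIND_FIRST2 figure; the command names and mid pairing are what a tshark export of smb.cmd and smb.mid would give you.

```python
"""Per-command SMB latency from a (constructed) packet capture.

Each directory entry costs the OS X client three round trips:
NT Create AndX, Close, and a Trans2 FIND_FIRST2 for the resource fork.
Responses are matched to requests on (command, multiplex id); a response
with no matching request (capture started mid-stream) is ignored.
"""
from collections import defaultdict
from statistics import mean


def make_sample_frames(n_files, find_first2_latency=0.025):
    """Constructed capture: (time_s, 'req'|'rsp', command, mid) per frame."""
    frames, t, mid = [], 0.0, 0
    per_entry = (("NT Create AndX", 0.0003), ("Close", 0.0002),
                 ("Trans2 FIND_FIRST2", find_first2_latency))
    for _ in range(n_files):
        for cmd, latency in per_entry:
            mid += 1
            frames.append((round(t, 6), "req", cmd, mid))
            t += latency
            frames.append((round(t, 6), "rsp", cmd, mid))
            t += 0.0001          # client think time before the next request
    return frames


def latency_by_command(frames):
    """Match each response to its request; return {command: [latencies]}."""
    pending, latencies = {}, defaultdict(list)
    for t, kind, cmd, mid in sorted(frames):
        key = (cmd, mid)
        if kind == "req":
            pending[key] = t
        elif key in pending:
            latencies[cmd].append(t - pending.pop(key))
    return dict(latencies)


def summarise(frames):
    """{command: (count, mean latency in seconds)}"""
    return {cmd: (len(v), mean(v)) for cmd, v in latency_by_command(frames).items()}


def projected_listing_time(frames, n_entries):
    """Seconds to list n_entries if every entry costs one of each command."""
    per_entry = sum(m for _count, m in summarise(frames).values())
    return per_entry * n_entries


def slowest_share(frames):
    """(command, fraction of per-entry time) for the dominant command."""
    s = summarise(frames)
    total = sum(m for _count, m in s.values())
    cmd = max(s, key=lambda c: s[c][1])
    return cmd, s[cmd][1] / total


if __name__ == "__main__":
    sample = make_sample_frames(5)
    for cmd, (n, m) in summarise(sample).items():
        print(f"{cmd:20s} n={n} mean={m * 1000:.2f} ms")
    print(f"10K entries -> {projected_listing_time(sample, 10_000):.0f} s")
    print("dominant:", slowest_share(sample))
```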

Re: [Samba] NT4 clients

2013-07-30 Thread Ryan Bair
Hi Andrew,

To clarify, it is the Win7 client sending the TGS request to the DC and the
DC responds positively. I now have a more complete understanding of what's
going on:

1. Win7 initiates a session with NT4. Nothing interesting.
2. Win7 sends the negotiate protocol response. Of note, we state that we
support extended security.
3. NT4 responds that it does not support extended security. More precisely,
when NT4 dinosaurs roamed the earth, that bit was likely still reserved.
4. Win7 issues a TGS request to the _DC_ to see if the host with that name
really doesn't support extended security, or if the NT4 machine is trying
to subject it to some sort of elaborate ruse. (i)
5. DC responds positively to the TGS req. (!!!)
6. Win7 closes the connection, and displays the error to the user.

i. The notes on http://msdn.microsoft.com/en-us/library/cc246806.aspx state:
<94> Section 3.2.5.2: When the server completes negotiation and returns the
CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the
Key Distribution Center (KDC) to verify whether a service ticket is
registered for the given security principal name (SPN). If the query
indicates that the SPN is registered with the KDC, then the SMB client
terminates the connection and returns an implementation-specific security
downgrade error to the caller.

Since the Samba DC replies that the SPN is available (by fulfilling the
request), I'm assuming we're triggering this documented behavior in the
Win7 client.

Also of note, `klist` on the client has an entry for cifs/nt4test which
`setspn -Q cifs/nt4test` confirms does not exist. I can't confirm the
behavior in #5 is a bug, but it certainly seems suspect.

On Jul 30, 2013 1:07 AM, "Andrew Bartlett"  wrote:

> On Mon, 2013-07-29 at 19:29 -0400, Ryan Bair wrote:
> > Yes, AD has explicit support for pre-2000 clients.
> >
> > WINS is alive and well and name resolution is working.
> >
> > I really think the bogus TGS reply is messing things up,  but I'd like to
> > have someone more knowledgeable confirm the behavior is incorrect.
>
> NT4 doesn't know about Kerberos, I think any TGS traffic is highly
> likely a red herring.  Are you really sure the client is issuing it, and
> you have no additional software installed on the NT4 machine?
>
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>

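The sequence Ryan lays out (negotiate without CAP_EXTENDED_SECURITY, KDC query for cifs/<host>, disconnect if the KDC answers) can be modelled on the client side. The following is an added example written for this thread, not Samba or Microsoft code: the negotiate response bytes are constructed, CAP_EXTENDED_SECURITY is the SMB1 capability bit 0x80000000 from MS-CIFS, and the kdc_has_spn callback stands in for the TGS-REQ/TGS-REP exchange. It also shows why step 5 matters: against a KDC that only answers for SPNs it really has, an NT4 box called nt4test passes the check; against one that fulfils every request, the client sees a downgrade and drops the connection.

```python
"""Client-side SMB security-downgrade check, modelling the behaviour the
MS-SMB footnote describes. Added example, not Samba or Microsoft code."""
import struct

# SMB1 Capabilities bit for extended security (MS-CIFS / MS-SMB).
CAP_EXTENDED_SECURITY = 0x80000000

# Layout of the SMB_COM_NEGOTIATE response parameter block for the
# NT LM 0.12 dialect, counted from WordCount:
#   WordCount(1) DialectIndex(2) SecurityMode(1) MaxMpxCount(2)
#   MaxNumberVcs(2) MaxBufferSize(4) MaxRawSize(4) SessionKey(4)
#   Capabilities(4) SystemTime(8) ServerTimeZone(2) ChallengeLength(1)
_CAPABILITIES_OFFSET = 20
_NTLM012_WORD_COUNT = 17


def build_negotiate_response(capabilities: int) -> bytes:
    """Constructed NT LM 0.12 negotiate response parameters (test data, not
    a capture). Fields other than Capabilities are arbitrary but plausible."""
    words = struct.pack(
        "<BHBHHIIII",
        _NTLM012_WORD_COUNT,  # WordCount
        0,                    # DialectIndex: first dialect the client offered
        0x03,                 # SecurityMode: user level, encrypted passwords
        50,                   # MaxMpxCount
        1,                    # MaxNumberVcs
        16644,                # MaxBufferSize
        65536,                # MaxRawSize
        0,                    # SessionKey
        capabilities,
    )
    tail = struct.pack("<qHB", 0, 0, 8)  # SystemTime, ServerTimeZone, ChallengeLength
    return words + tail


def parse_negotiate_capabilities(params: bytes) -> int:
    """Return the Capabilities field of an NT LM 0.12 negotiate response."""
    if len(params) < _CAPABILITIES_OFFSET + 4:
        raise ValueError("negotiate response too short")
    if params[0] != _NTLM012_WORD_COUNT:
        raise ValueError(f"WordCount {params[0]} is not an NT LM 0.12 response")
    (caps,) = struct.unpack_from("<I", params, _CAPABILITIES_OFFSET)
    return caps


def client_downgrade_check(params: bytes, spn: str, kdc_has_spn) -> dict:
    """Apply the documented rule: if the server did not advertise extended
    security, ask the KDC whether a ticket for `spn` can be issued; a
    positive answer means a Kerberos-capable host is being downgraded, so
    the client disconnects. `kdc_has_spn(spn) -> bool` stands in for the
    TGS-REQ the thread observed in wireshark."""
    caps = parse_negotiate_capabilities(params)
    if caps & CAP_EXTENDED_SECURITY:
        return {"extended_security": True, "kdc_queried": False, "disconnect": False}
    registered = bool(kdc_has_spn(spn))
    return {"extended_security": False, "kdc_queried": True, "disconnect": registered}


def make_kdc(registered_spns):
    """KDC stand-in that only issues tickets for SPNs it actually knows."""
    known = {s.lower() for s in registered_spns}
    return lambda spn: spn.lower() in known


def permissive_kdc(spn: str) -> bool:
    """KDC stand-in modelling step 5 of the thread: answers every request."""
    return True


if __name__ == "__main__":
    nt4 = build_negotiate_response(0x0000000D)  # a few basic bits, no extended security
    print(client_downgrade_check(nt4, "cifs/nt4test", make_kdc(["cifs/fileserver"])))
    print(client_downgrade_check(nt4, "cifs/nt4test", permissive_kdc))
```

The two print lines reproduce the two outcomes: the strict KDC yields `disconnect: False`, the permissive one `disconnect: True`, which is the "account is not authorized to log in from this station" path on the Win7 side.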

Re: [Samba] NT4 clients

2013-07-29 Thread Ryan Bair
Yes, AD has explicit support for pre-2000 clients.

WINS is alive and well and name resolution is working.

I really think the bogus TGS reply is messing things up,  but I'd like to
have someone more knowledgeable confirm the behavior is incorrect.


On Mon, Jul 29, 2013 at 5:23 PM, Gaiseric Vandal
wrote:

> I wouldn't  have even guessed that NT4 would join a modern AD domain.   It
> looks like MS did provide client software to join a Windows 2000 AD domain.
> Or does the NT4 machine think it is in an NT4 / Samba3 type domain?
>
>
> Presumably you can see the domain users in the local user manager program
> on the NT4 machine?   And verify the security options.
>
> http://www.windowsnetworking.com/articles-tutorials/windows-nt/nt4user.html
>
>
> Do you have a WINS server running?  With XP/Windows 7 when you
> join an AD domain, the machine name usually gets set to a fully qualified
> domain name.  e.g. mypc.mydomain.com. Does the host name of the NT4
> machine match the expected AD fully qualified domain name (does nslookup
> ip_address on the NT4 machine return the expected hostname? )   Are all
> machines in DNS? I think a hostname or dns mismatch could cause  problems
> validating AD kerberos tickets.
>
> I am running Samba 3, not 4, but found that using a WINS server and making
> sure key systems were in DNS helped solve some issues.
>
>
>
>
>
>
>
> On 07/29/13 17:05, Ryan Bair wrote:
>
>> Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS
>> 6.4.
>>
>>
>> On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair  wrote:
>>
>>  I'm attempting to get an old NT4 client participating in a Samba4 domain.
>>> Users can logon to the machine locally and access network shares on other
>>> machines in the network. However, no one can access shares on the NT4
>>> machine using the machine name. Attempting this results in an error "The
>>> account is not authorized to log in from this station." Using the IP
>>> address does work however.
>>>
>>> The clients are configured to allow no smb signing and NTLMv1, I think I
>>> have all the security settings covered.
>>>
>>> I noticed while looking at wireshark though that the client is doing
>>> TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This
>>> feels
>>> very odd to me since there is no such SPN cifs/nt4test on the network.
>>> 'setspn -Q cifs/nt4test' confirms this.
>>>
>>> I've also noticed that the MS docs state:
>>> <94> Section 3.2.5.2
>>> (http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94):
>>> When the server completes negotiation and returns the CAP_EXTENDED_SECURITY
>>> flag as not set, Windows-based SMB clients query the Key Distribution Center
>>> (KDC) to verify whether a service ticket is registered for the given
>>> security principal name (SPN). If the query indicates that the SPN is
>>> registered with the KDC, then the SMB client terminates the connection and
>>> returns an implementation-specific security downgrade error to the caller.
>>> (KDC: http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC
>>>  SPN: http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn)
>>>
>>> The client does have CAP_EXTENDED_SECURITY set and I'm guessing the
>>> TGS-REQ is how Windows is testing the presence of the SPN. Since the test
>>> is succeeding and the server doesn't advertise the extended security
>>> capability, Windows disconnects.
>>>
>>> Can someone confirm my hypothesis?
>>>
>>>
>>>
>>>


Re: [Samba] NT4 clients

2013-07-29 Thread Ryan Bair
Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4.


On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair  wrote:

> I'm attempting to get an old NT4 client participating in a Samba4 domain.
> Users can logon to the machine locally and access network shares on other
> machines in the network. However, no one can access shares on the NT4
> machine using the machine name. Attempting this results in an error "The
> account is not authorized to log in from this station." Using the IP
> address does work however.
>
> The clients are configured to allow no smb signing and NTLMv1, I think I
> have all the security settings covered.
>
> I noticed while looking at wireshark though that the client is doing
> TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
> very odd to me since there is no such SPN cifs/nt4test on the network.
> 'setspn -Q cifs/nt4test' confirms this.
>
> I've also noticed that the MS docs state:
> <94> Section 3.2.5.2
> (http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94):
> When the server completes negotiation and returns the CAP_EXTENDED_SECURITY
> flag as not set, Windows-based SMB clients query the Key Distribution Center
> (KDC) to verify whether a service ticket is registered for the given
> security principal name (SPN). If the query indicates that the SPN is
> registered with the KDC, then the SMB client terminates the connection and
> returns an implementation-specific security downgrade error to the caller.
> (KDC: http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC
>  SPN: http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn)
>
> The client does have CAP_EXTENDED_SECURITY set and I'm guessing the
> TGS-REQ is how Windows is testing the presence of the SPN. Since the test
> is succeeding and the server doesn't advertise the extended security
> capability, Windows disconnects.
>
> Can someone confirm my hypothesis?
>
>
>


[Samba] NT4 clients

2013-07-29 Thread Ryan Bair
I'm attempting to get an old NT4 client participating in a Samba4 domain.
Users can logon to the machine locally and access network shares on other
machines in the network. However, no one can access shares on the NT4
machine using the machine name. Attempting this results in an error "The
account is not authorized to log in from this station." Using the IP
address does work however.

The clients are configured to allow no smb signing and NTLMv1, I think I
have all the security settings covered.

I noticed while looking at wireshark though that the client is doing
TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
very odd to me since there is no such SPN cifs/nt4test on the network.
'setspn -Q cifs/nt4test' confirms this.

I've also noticed that the MS docs state:
<94> Section 3.2.5.2: When the server completes negotiation and returns the
CAP_EXTENDED_SECURITY flag as not set, Windows-based SMB clients query the
Key Distribution Center (KDC) to verify whether a service ticket is
registered for the given security principal name (SPN). If the query
indicates that the SPN is registered with the KDC, then the SMB client
terminates the connection and returns an implementation-specific security
downgrade error to the caller.

The client does have CAP_EXTENDED_SECURITY set and I'm guessing the TGS-REQ
is how Windows is testing the presence of the SPN. Since the test is
succeeding and the server doesn't advertise the extended security
capability, Windows disconnects.

Can someone confirm my hypothesis?


[Samba] Samba4 migration issues (wbinfo errors and UPNs)

2013-07-28 Thread Ryan Bair
I migrated over a Samba 3/LDAP domain to Samba 4 in a test environment.
After a few bumps due to not having all my machine accounts as
posixAccounts and clashing user/group names, the migration went relatively
smoothly. Great work, Samba team!

I have a few standing issues that I haven't been able to shake out:

1. wbinfo returns various errors when run on the DC.

wbinfo -D MYDOMAIN returns a SID of S-1-2-3-4. Typing gibberish for the
domain name yields the same results.

wbinfo --dc-info= returns "Could not find dc info example.com". Using the
short name doesn't work either.

wbinfo -u/-g does work. As does getent passwd/group for domain users.

The `net` command generally works for the equivalent queries however. For
instance `net ads info` returns the correct information.

Running wbinfo queries from a member server DOES seem to always work.


2. UPNs don't work on the DC (wbinfo -i, getent, pam, etc). wbinfo -i
user@domain fails with:

failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user u...@example.com

UPNs do work on Samba 4 members however.

I did spot this interesting bit in the log:
[2013/07/16 12:37:05.642113,  6, pid=6033, effective(0, 0), real(0, 0)] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=ad,DC=tsasinc,DC=com (&(sAMAccountName=rb...@example.com)(objectSid=*)) -> 0
[2013/07/16 12:37:05.642192,  1, pid=6033, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
       lsa_LookupNames: struct lsa_LookupNames
          out: struct lsa_LookupNames
              domains                  : *
                  domains                  : *
                      domains: struct lsa_RefDomainList
                          count                    : 0x00000000 (0)
                          domains                  : NULL
                          max_size                 : 0x00000000 (0)
              sids                     : *
                  sids: struct lsa_TransSidArray
                      count                    : 0x00000001 (1)
                      sids                     : *
                          sids: ARRAY(1)
                              sids: struct lsa_TranslatedSid
                                  sid_type                 : SID_NAME_UNKNOWN (8)
                                  rid                      : 0x00000000 (0)
                                  sid_index                : 0xffffffff (4294967295)
              count                    : *
                  count                    : 0x00000000 (0)
              result                   : NT_STATUS_NONE_MAPPED


That message only comes up when running wbinfo -i on the server, not on a
member. It feels a little off that it's searching for the UPN in
sAMAccountName.

I'm using the sernet 4.0.7-4 packages on Centos 6.4 64bit, no Samba 3
binaries in sight. Samba logs all look clean. DNS, LDAP and Kerberos all
work as expected. I have a feeling that both issues have a common cause,
but have been unable to find it.

Any ideas on either of these issues?

Thanks


Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread Ryan Bair
Thank you for confirming. I do have g+s on the directory. I'll file a bug
about this issue today.


On Thu, Jul 25, 2013 at 3:30 AM, steve  wrote:

> On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
> > I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs.
> >
> > I have a shared directory with the setgid bit set. From the shell on the
> > server, new files and directories inherit the group as expected. However,
> > new items created through samba get the user's primary group instead.
> >
> > Config for the share is super simple:
> >
> > [test]
> > path = /srv/test
> > read only = no
> >
> >
> > Sounds like a bug. Has anyone else experienced this?
>
> Hi
> openSUSE 12.3 DC 4.0.7 also tested with latest git
>
> Not sure what /srv/test has but am guessing that you have set chmod g+s?
>
> If so, I can reproduce what you see. The g+s is ignored when accessed on
> a cifs mounted share and instead the primaryGroupID is used.
>
> Cheers,
> Steve
>
>

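Steve's reproduction (g+s ignored for files created through the share, primaryGroupID used instead) is easy to pin down with a probe that compares the group a new file should get under POSIX rules with the group it actually got. The script below is an added example, not Samba code or anything from the bug report: run it on the server against the share path (/srv/test in the thread) to confirm the local behaviour, and use check_existing_file on a file a client created through the share, inspected from the server side where the real gid is visible rather than a client-side uid/gid mapping. The temporary directory used by run_probe_in_tempdir is constructed for the demonstration.

```python
"""Probe whether files created inside a directory inherit its group, as
the setgid bit requires. Added example, not Samba code."""
import os
import shutil
import stat
import tempfile


def expected_group_for_new_file(directory: str, creator_gid=None) -> int:
    """POSIX rule: a new file gets the directory's group when the directory
    has the setgid bit, otherwise the creating process's effective gid."""
    st = os.stat(directory)
    if st.st_mode & stat.S_ISGID:
        return st.st_gid
    return os.getegid() if creator_gid is None else creator_gid


def check_setgid_inheritance(directory: str) -> dict:
    """Create a throw-away file in `directory`, read back its group, remove
    it, and report whether the observed group matches the expected one."""
    st = os.stat(directory)
    expected = expected_group_for_new_file(directory)
    fd, probe = tempfile.mkstemp(prefix=".setgid-probe-", dir=directory)
    try:
        observed = os.fstat(fd).st_gid
    finally:
        os.close(fd)
        os.unlink(probe)
    return {
        "setgid_set": bool(st.st_mode & stat.S_ISGID),
        "dir_gid": st.st_gid,
        "expected_gid": expected,
        "observed_gid": observed,
        "inherits": observed == expected,
    }


def check_existing_file(path: str, directory: str, creator_gid: int) -> dict:
    """Same comparison for a file somebody else created (e.g. through the
    SMB share). Pass the gid the creating process ran with as creator_gid;
    for smbd that is the connected user's primary group."""
    st = os.stat(path)
    expected = expected_group_for_new_file(directory, creator_gid)
    return {"expected_gid": expected, "observed_gid": st.st_gid,
            "inherits": st.st_gid == expected}


def run_probe_in_tempdir() -> dict:
    """Self-contained demonstration on a constructed temporary directory,
    once with and once without the setgid bit; returns all reports."""
    d = tempfile.mkdtemp(prefix="setgid-demo-")
    try:
        os.chmod(d, 0o2775)                      # rwxrwsr-x: setgid on
        with_setgid = check_setgid_inheritance(d)
        os.chmod(d, 0o775)                       # setgid off again
        without_setgid = check_setgid_inheritance(d)
        probe = os.path.join(d, "client-created.txt")
        open(probe, "w").close()
        existing = check_existing_file(probe, d, os.getegid())
    finally:
        shutil.rmtree(d)
    return {"with_setgid": with_setgid, "without_setgid": without_setgid,
            "existing_file": existing}


if __name__ == "__main__":
    for name, report in run_probe_in_tempdir().items():
        print(name, report)
```

A mismatch with `setgid_set` true on the server side is exactly the symptom reported here; a mismatch only on the client side usually means the mount's uid/gid mapping, not the file system, and is not evidence of the bug.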

[Samba] Samba 4 not honoring setgid

2013-07-24 Thread Ryan Bair
I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs.

I have a shared directory with the setgid bit set. From the shell on the
server, new files and directories inherit the group as expected. However,
new items created through samba get the user's primary group instead.

Config for the share is super simple:

[test]
path = /srv/test
read only = no


Sounds like a bug. Has anyone else experienced this?


Re: [Samba] AD caching with Samba?

2010-08-26 Thread Ryan Bair
No, this is not possible. Samba3 cannot act as a domain controller for AD
domains, nor can it act as a BDC for NT domains.

Samba4, which is currently in alpha, will have the ability to serve as
an AD domain controller as well as a read-only domain controller
alongside Windows servers. Some people are using Samba4 in production
today, but I'm not aware of anyone using Samba4 as a domain controller
(read-only or otherwise) with Windows domain controllers in
production.

In short, it's still alpha.

On Wed, Aug 25, 2010 at 1:18 PM, Ryan Whelan  wrote:
> I'm not sure this is possible, I'm sort of leaning to the negative, but I
> thought i would ask anyway. (I am not a windows or domain networking guy)
>
> We have a large (and growing) number of windows servers. Many of them are
> DCs. While I read Samba can't serve as a BDC to a Windows PDC, can it just
> forward requests to the windows DC and just cache the results for future
> look ups? (with an adjustable cache time out of course)
>
> We have a bunch of remote locations that don't need to be able to make
> changes to the domain and just replacing their DCs with something that will
> cache queries to the main DC would be ideal.
>
> Like I said, not my area of expertise.
>
> Thanks!
>
> Ryan


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Ryan Bair
Unfortunately I'm not seeing a similar extension point on s4. I
wouldn't imagine adding one would be too terrible though.

On Mon, Jul 5, 2010 at 3:58 PM, Jorijn Schrijvershof  wrote:
> Hi,
>
> On Jul 5, 2010, at 21:52 :42, Michael Wood wrote:
>
>> No, I don't think so.  From Jorijn's e-mail I thought Google's LDAP
>> server stored in these formats.  Perhaps I misunderstood.
>>
>> I think it depends on which direction the sync is supposed to happen.
>> From google to Samba or the other way or both ways.
>
>
> It is supposed to be sync'ed from samba to google. Google accepts passwords 
> stored in sha1, md5 or plaintext. So I need a way to make samba additionally 
> store these passwords in a separate LDAP attribute. I know there is a DLL for 
> windows so theoretically it would be possible.
>
> --
> Jorijn Schrijvershof
>


Re: [Samba] Synchronisation using LDAP

2010-07-05 Thread Ryan Bair
It looks like the new sync module also supports SHA1 and MD5 hashed passwords.

"To synchronize passwords from LDAP, you will need an LDAP attribute that stores
passwords in plain text, MD5 or SHA1 format. "

Not sure if Samba4 stores in these formats or not though...

On Mon, Jul 5, 2010 at 3:28 AM, Jorijn Schrijvershof  wrote:
> Hi,
>
> On Mon, Jul 5, 2010 at 9:03 AM, Michael Wood  wrote:
>
>> Hi
>>
>> Sorry, I accidentally did not send my initial reply to the list.
>>
>> I am not sure this will be possible unless you use plain text
>> passwords because I believe Windows uses its own hashing algorithms.
>> I don't know anything about Google's LDAP server/schema, but if you
>> authenticate as an admin user I think you should be able to access the
>> passwords.  You might need to fiddle with the access control settings
>> if you have access to that.
>>
>> --
>> Michael Wood 
>>
>
> Thanks for your reply, I don't mind using plain text passwords, I tend to
> protect the database carefully and synchronisation is a must, since we're
> deploying google apps to all our users. When logging in with the built in
> administrator the password attributes seem empty (userPassword,
> unicodePwd, etc.). Any ideas?
>
> --
> Jorijn Schrijvershof


Re: [Samba] New samba server

2009-07-14 Thread Ryan Bair
Have you migrated the user data to the new ldap server? Unless Samba
knows about the users, they won't be able to log in.

On Tue, Jul 14, 2009 at 1:28 PM,  wrote:
>
> sgm...@mail.bloomfield.k12.mo.us wrote:
>> I did not get this finished last summer, so decided to just wait and do it
>> this summer.  I have setup my new samba server and was trying to get some
>> things tweaked to the way that I want them.  I thought that I had asked
>> this before and that I could do it, but it seems that it does not work.
>>
>> My new server is running as a domain server just like the old.  It has the
>> same domain name and I changed the SID using net setlocalsid to the
>> same sid number as my old server.  This new server is in a test
>> environment right now.
>>
>> I was hoping that my old machines could just log into this server without
>> having to get out of the domain and then rejoin it, but that does not
>> work.  It tells me that the domain is not there until I get out of the old
>> one and then rejoin the new one.  Is that how it has to work?  I was
>> hoping I would not have to do that if I left the domain name the same and
>> set the SID on the new server.  I just want to make sure I am not missing
>> something before I go around to all 400 computers on campus and have them
>> removed and rejoined to the domain.
>
> Mr. Terpstra gave me a bit of help.  I had done nothing to set my
> domainsid, but after doing the following:
>
> net getlocalsid
> net getdomainsid
>
> The values are the same on both the old and the new samba server.  This
> new server will take the place of my old one.  Right now it is on a
> network with nothing else on it besides one of my old windows clients.  If
> I remove one of my old clients from the domain and then re-add it, then it
> logs in just fine.  If I take an old client from my current network and
> put it on this new network and try to login to the new samba server then
> it gives me the typical:
>
> "Windows cannot connect to the domain either because the domain controller
> is down or otherwise unavailable, or because your computer account was not
> found. Please try again later. If this message continues to appear contact
> your System Administrator for assistance."
>
> The name of the Windows machine is business18 so I did an 'smbldap-adduser
> -w business18$' to make sure the machine account was added in to the
> directory, but the error was the same.  I even changed the uid of the
> machine account to match the old one in case that was coming into play.
>
> Here is my samba config in case someone sees something that I don't.
> Which is quite possible since I forget more than I learn it seems. :)
> I'll be reading on the How-To to see if I can pick anything else up.
>
> [global]
>        workgroup = BES
>        server string = Samba Server Version %v
>        netbios name = SCHOOL
>
>        interfaces = lo eth0
>        hosts allow = 127. 10.0. 192.168.0. localhost
>        ldap passwd sync = Yes
>        ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
>        ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
>        ldap group suffix = ou=Groups
>        ldap user suffix = ou=Users
>        ldap machine suffix = ou=Computers
>        ldap idmap suffix = ou=Users
>        add machine script = /usr/sbin/smbldap-useradd -w "%u"
>        add user script = /usr/sbin/smbldap-useradd -m "%u"
>        ldap delete dn = Yes
>        add group script = /usr/sbin/smbldap-groupadd -p "%g"
>        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>
>        Dos charset = 850
>        Unix charset = ISO8859-1
>
>
>        log file = /var/log/samba/log.%m
>        max log size = 50
>
>        security = user
>        passdb backend = ldapsam:ldap://127.0.0.1
>
>        domain master = yes
>        domain logons = yes
>
>        local master = yes
>        os level = 65
>        preferred master = yes
>
>        wins support = yes
>        dns proxy = no
>
>        load printers = yes
>        cups options = raw
>
> [homes]
>        comment = Home Directories
>        browseable = no
>        writable = yes
>
> [printers]
>        comment = All Printers
>        path = /var/spool/samba
>        browseable = no
>        guest ok = no
>        writable = no
>        printable = yes
>
>
> --
> Scott Mayo - System Administrator
> Bloomfield Schools
> PH: 573-568-5669  FA: 573-568-4565
>
> Question: Because it reverses the logical flow of conversation.
> Answer: Why is putting a reply at the top of the message frowned upon?
>


Re: [Samba] Samba AD auth - Backup?

2009-03-01 Thread Ryan Bair
Everything should be looked up by DNS. There's no notion of a PDC/BDC
in AD (although 2008 has readonly slaves I believe).

On Fri, Feb 27, 2009 at 7:26 AM, Mark Adams  wrote:
> Hi All,
>
> I haven't been able to track down any info on this so would be
> appreciative of any input. Links to any info on this would also be
> appreciated.
>
> Samba 3.2.5, Debian 5.0
>
> Question 1;
> Is there any way of setting up a "backup" windows domain controller in
> the samba config? so if they main dc is not available, it automatically
> queries the backup?
>
> Question 2;
> What is the best way to back up the UID/GID map? and can it be easily
> imported back to a new install if the server fails for any reason.
>
> Thanks
> Mark

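Ryan's answer that AD has no PDC/BDC pair to configure rests on the DNS side of DC location: a client asks for the _ldap._tcp.dc._msdcs.<domain> SRV records and tries the targets in RFC 2782 order (lowest priority first, weighted random among equals), so the "backup" Mark is asking about is simply the next record that answers. The block below is an added example of that selection logic, not Samba code and not how winbind is implemented; the SRV answer in SAMPLE_RECORDS is constructed and the is_up callback stands in for an LDAP ping.

```python
"""Order AD domain controllers from DNS SRV records the way a client does
(RFC 2782: ascending priority, weighted random within a priority) and fall
through to the next one when a DC is down. Added example, not Samba code."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed answer for _ldap._tcp.dc._msdcs.example.com (not a real zone).
SAMPLE_RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.com"),
    SrvRecord(0, 50, 389, "dc2.example.com"),
    SrvRecord(10, 0, 389, "dc-remote.example.com"),  # tried only if both priority-0 DCs fail
]


def order_srv_targets(records, seed=None):
    """Return (target, port) pairs in contact order."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = pool[rng.randrange(len(pool))]
            else:
                # Weighted draw; weight-0 records are deferred until the
                # weighted ones are exhausted (a simplification of RFC 2782,
                # which gives them a small chance of being picked earlier).
                pick = rng.randint(1, total)
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= pick:
                        chosen = r
                        break
            pool.remove(chosen)
            ordered.append((chosen.target, chosen.port))
    return ordered


def first_reachable(records, is_up, seed=None):
    """Walk the ordered list and return the first DC that answers, or None.
    `is_up(target) -> bool` stands in for an LDAP ping or TCP connect."""
    for target, port in order_srv_targets(records, seed):
        if is_up(target):
            return target, port
    return None


if __name__ == "__main__":
    print(order_srv_targets(SAMPLE_RECORDS))
    print(first_reachable(SAMPLE_RECORDS, lambda host: host != "dc1.example.com"))
```

For Mark's second question this also explains why the SRV records themselves need no backing up: they are published by each DC, and only the idmap database on the member server is local state.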

Re: [Samba] Any Known Share limitations or performance issues with large file systems

2008-12-23 Thread Ryan Bair
You may want to try switching to the deadline I/O scheduler. I had
issues with slow directory listings using the CFQ scheduler when the
server was under even the slightest load. I tried tweaking some of the
CFQ settings but ultimately gave up as I could never beat the
responsiveness of the deadline scheduler.

On Mon, Dec 22, 2008 at 5:33 PM, Scott Elliott  wrote:
> All,
>
> I am running samba-3.0.28-1.el5_2.1.x86_64.rpm on RHEL 5 x64.  I am sharing 
> out approximately 7TB via samba and a 'few' of my users are complaining of 
> latency when accessing their shares via Windows Explorer.  Mind you the disk 
> is about 93% full which I am sure is a factor but before I go into battle I 
> wanted  to make sure there were no known limitations or issues.
>
>
>
> Thanks in advance
>
>
>


Re: [Samba] How to port samba to ARM?

2008-12-14 Thread Ryan Bair
Samba should run fine on ARM. Debian even has a package for it.
http://packages.debian.org/lenny/arm/samba

On Sun, Dec 14, 2008 at 8:00 PM, Jerry Dong  wrote:
> Hi everyone,
>
> I am tying to port samba to ARM ( AT91SAM9260 ), could you please tell
> me some ideas or articles about it?


Re: Re: [Samba] How to create users accounts with already encrypted passwords ?

2008-11-27 Thread Ryan Bair
You can't create the UNIX hash from the NT hash as they are different
one-way transformations. As an alternative, you could have PAM
authenticate using winbind which would probably give the desired
effect.

On Thu, Nov 27, 2008 at 2:11 PM,  <[EMAIL PROTECTED]> wrote:
> I don't have the plain password for creating users in Samba only Lanman Hash 
> and NT hash from the text file !
>
> C.
>
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Clemence wrote:
>> > Hi, I need to create user accounts in Samba with already encrypted
>> > passwords from a file. I use tdbsam backend and Samba 3.0.24 (Debian Etch)
>> >
>> > The file format is quite easy:
>> > login1|Unix_passwd|Lanman Password Hash|NT Password Hash
>> >
>> > First, I create the unix users with their already encrypted password:
>> > useradd -p Unix_passwd login1.
>> > Fine.
>> >
>> > But can I do the same thing with smbpasswd or pdbedit? I haven't found
>> > anything about this.
>> > How can I do it?
>>
>> Look at the -s flag in man smbpasswd to accept STDIN as the input method
>> for the password change. If I recall correctly, you end up with
>> something like:
>>
>> printf 'password\npassword\n' | smbpasswd -s
>>
>> Good?
>>
>> - --
>>   _  _ _  _ ___  _  _  _
>>  |Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Systems Programmer II
>>  |$&| |__| |  | |__/ | \| _| |[EMAIL PROTECTED] - 973/972.0922 (2-0922)
>>  \__/ Univ. of Med. and Dent.|IST/AST - NJMS Medical Science Bldg - C630
>> -BEGIN PGP SIGNATURE-
>> Version: GnuPG v1.4.6 (GNU/Linux)
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>>
>> iD8DBQFJLuJLmb+gadEcsb4RAsuXAKC9Mv0p5m5SnSQnH5rh2Qw76TiFMACgq910
>> I1eAaqcGzfEIwRK0KI/tjkA=
>> =1r8B
>> -END PGP SIGNATURE-
>

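Clemence's file already carries the LM and NT hashes, and those two fields are exactly what the smbpasswd(5) text format stores, so the hashes can be kept as they are: convert each line to an smbpasswd record and import the result into the tdbsam backend. The converter below is an added example, not Samba code; the input line and hash values in the test are constructed samples. The import step I have in mind is `pdbedit -i smbpasswd:/path/to/file -e tdbsam` (pdbedit's -i/-e backend import/export), which should be checked against pdbedit(8) for the 3.0.24 build in use.

```python
"""Convert 'login|unix_hash|LM_hash|NT_hash' lines into smbpasswd(5) text
format so existing NT/LM hashes can be imported unchanged. Added example,
not Samba code."""
import pwd
import time

# smbpasswd marker for "no hash in this field" (32 characters wide).
NO_PASSWORD = "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX"
_HASH_LEN = 32


def _normalise_hash(value: str, field: str) -> str:
    """Validate a 16-byte hash given as 32 hex digits; empty means none."""
    value = value.strip()
    if not value:
        return NO_PASSWORD
    if len(value) != _HASH_LEN:
        raise ValueError(f"{field}: expected {_HASH_LEN} hex digits, got {len(value)}")
    int(value, 16)  # raises ValueError on non-hex input
    return value.upper()


def to_smbpasswd_line(login, lm_hash, nt_hash, uid, last_change=None) -> str:
    """smbpasswd(5) record: user:uid:LM:NT:[flags]:LCT-<hex seconds>:
    The account flags field is 11 characters between the brackets; 'U'
    marks a normal user account."""
    if not login or ":" in login:
        raise ValueError("invalid login name")
    lct = int(time.time()) if last_change is None else int(last_change)
    return (f"{login}:{uid}:{_normalise_hash(lm_hash, 'LM')}:"
            f"{_normalise_hash(nt_hash, 'NT')}:[U          ]:LCT-{lct:08X}:")


def convert_lines(lines, uid_lookup=None, last_change=None):
    """Convert the pipe-separated export. uid_lookup(login) -> int defaults
    to the system password database, so create the UNIX accounts (useradd
    -p, as in the thread) before running this."""
    if uid_lookup is None:
        uid_lookup = lambda login: pwd.getpwnam(login).pw_uid
    out = []
    for n, raw in enumerate(lines, 1):
        raw = raw.rstrip("\n")
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        login, _unix_hash, lm_hash, nt_hash = parts  # unix hash is useradd's job
        out.append(to_smbpasswd_line(login, lm_hash, nt_hash,
                                     uid_lookup(login), last_change))
    return out


if __name__ == "__main__":
    import sys
    # Usage: python3 convert.py < export.txt > smbpasswd.txt  (chmod 600 the output)
    sys.stdout.write("\n".join(convert_lines(sys.stdin)) + "\n")
```

The output file holds password-equivalent hashes, so it deserves the same handling as the original export: root-only permissions and removal once the import has been verified with `pdbedit -L`.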

Re: [Samba] samba 4

2008-11-15 Thread Ryan Bair
Samba4 is currently in Alpha state and under active development.

The most recent Alpha was alpha5, released about 4 months ago. The
current source is in the main samba Git repository in the source4
directory. As is noted all over the place, the software is alpha
quality and should not be used in testing.

On Sat, Nov 15, 2008 at 6:38 PM, Ansar Mohammed <[EMAIL PROTECTED]> wrote:
> Is samba 4 still under development?
> It seems that the last release was in 2006.
>


Re: [Samba] Re: Interdomain trust between Samba and W2003 ADS in native mode

2008-10-25 Thread Ryan Bair
Samba3 cannot act as an AD domain controller and therefore cannot
operate in a trust with a native mode AD domain. Samba4 will be able
to do this but it is still under heavy development.

If you put your AD domain in mixed mode, you should be able to create
the trust although I'm not sure if you can convert a native to mixed
mode or not...

On Fri, Oct 24, 2008 at 1:20 PM, Sébastien Prud'homme
<[EMAIL PROTECTED]> wrote:
> After using "log level = 10" it seems that Samba is trying to resolve
> DNS special names to find the ADS domain controller. But my Samba
> server is not using the ADS DNS infrastructure. I guess I need to
> declare at least these DNS names in /etc/hosts.
>
> 2008/10/23 Sébastien Prud'homme <[EMAIL PROTECTED]>:
>> Hi,
>>
>> I try to setup a two-way interdomain trust relationship between Samba
>> 3.2.4 and W2003 ADS in native mode (not mixed-mode).
>>
>> I follow this Samba HOWTO without success:
>> http://us6.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html
>>
>> All is working fine if I use a Windows NT4 Server instead of W2003 ADS.
>>
>> Is there something to do on Samba or ADS so that it works ? Security
>> tunings in Windows registry for instance?
>>
>> Thanks!
>>


Re: [Samba] recursive listing of file owner, possible?

2008-10-23 Thread Ryan Bair
You just need the owner of the files? You can do this quite easily
using the find utility with the -printf option.

--Ryan

On Thu, Oct 23, 2008 at 3:21 PM, Steve Hanselman <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I'm writing a utility that needs to smbmount various shares from servers in 
> numerous domains (no problem, all working) and then list the contents of the 
> directories (no problem again) and obtain the windows file owner in a textual 
> form.
>
> Any ideas how I can achieve the last part efficiently?
>
> I see that smbcacls can do it 1 file at a time; I really need a way of doing 
> it recursively.
>
>
>
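Added example, not from the thread: the find -printf listing Ryan suggests, plus a loop that asks the server for the real owner. One caveat worth knowing before trusting the local listing: on a plain mount.cifs mount, %u reports whatever uid= the mount was given, not the Windows owner; the cifsacl mount option (where the kernel and idmap helper support it) maps the owner SID, and smbcacls always returns the server-side answer. Paths, the //server/share name and the mount point are assumptions.

```sh
#!/bin/sh
# Added example, not the poster's utility. Recursive owner listing with GNU
# find's -printf, and a server-side variant built on smbcacls.

# list_owners DIR
# One line per entry below DIR: owner<TAB>group<TAB>path. %u/%g print the
# name, or the numeric id when nothing maps it (typical for unmapped domain
# users on a cifs mount).
list_owners() {
    find "$1" -mindepth 1 -printf '%u\t%g\t%p\n'
}

# owner_of PATH -> owning user of a single file or directory
owner_of() {
    find "$1" -maxdepth 0 -printf '%u\n'
}

# smb_owners //SERVER/SHARE MOUNTPOINT USER
# Walks the local mount only to enumerate share-relative paths, then asks the
# server for each security descriptor and prints "<owner><TAB><path>". This
# is the Windows owner regardless of how the share is mounted. Use "-k"
# instead of a password with a Kerberos ticket. Needs a reachable server, so
# it is not exercised offline.
smb_owners() {
    service=$1; mnt=$2; user=$3
    find "$mnt" -mindepth 1 -printf '%P\n' | while IFS= read -r rel; do
        owner=$(smbcacls "$service" "$rel" -U "$user" 2>/dev/null \
                | sed -n 's/^OWNER:[[:space:]]*//p')
        printf '%s\t%s\n' "${owner:-?}" "$rel"
    done
}

# Constructed sample tree so list_owners can be tried without any share.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/docs/sub"
    : > "$d/docs/a.txt"
    : > "$d/docs/sub/b.txt"
    printf '%s\n' "$d"
}
```

Running list_owners against a cifs mount that was mounted with uid=1000 prints the same owner for every file; that is the mount option talking, which is exactly why the smbcacls loop exists.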


Re: [Samba] Samba with more than one Active Directory

2008-10-20 Thread Ryan Bair
There's no trusts between them? If not that's completely bizarre.

On Mon, Oct 20, 2008 at 3:27 AM,  <[EMAIL PROTECTED]> wrote:
> We have more than ten different domains in our network but we don't want to 
> use more than ten servers for this.
> Is there no possibility to use only one server for all domains?
>
> F. Niedernolte
>
>
> -----Original Message-----
> From: Ryan Bair [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 18 October 2008 00:41
> To: Niedernolte, Frederik, D-CS-IT ICS
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba with more than one Active Directory
>
> Typically you would want the two domains to trust each other and you
> would only be a member of one. If you had multiple Sambas running you
> might be able to join two domains, but it wouldn't be pretty.
>
> On Fri, Oct 17, 2008 at 3:25 AM,  <[EMAIL PROTECTED]> wrote:
>> I want to use Samba together with freeRADIUS in an Active Directory
>> network.
>>
>> I successfully followed these instructions for that:
>> http://deployingradius.com/documents/configuration/active_directory.html
>>
>> Now my question is: How can I use Samba with more than one Active
>> Directory?
>>
>> Because it must work with AD "Example 1", "Example 2" etc. and not only
>> with "Example 1".
>> Thanks for help.
>>
>> Best regards,
>>
>>
>>
>> F. Niedernolte
>>


Re: [Samba] Samba with more than one Active Directory

2008-10-17 Thread Ryan Bair
Typically you would want the two domains to trust each other and you
would only be a member of one. If you had multiple Sambas running you
might be able to join two domains, but it wouldn't be pretty.

On Fri, Oct 17, 2008 at 3:25 AM,  <[EMAIL PROTECTED]> wrote:
> I want to use Samba together with freeRADIUS in an Active Directory
> network.
>
> I successfully followed these instructions for that:
> http://deployingradius.com/documents/configuration/active_directory.html
>
> Now my question is: How can I use Samba with more than one Active
> Directory?
>
> Because it must work with AD "Example 1", "Example 2" etc. and not only
> with "Example 1".
> Thanks for help.
>
> Best regards,
>
>
>
> F. Niedernolte
>


[Samba] High CPU usage on 3.2.3

2008-10-08 Thread Ryan Bair
I just noticed I'm getting some pretty extreme CPU usage on my Samba
server when transferring files. The Samba server has a quad core
2.0 GHz Core2. During transfers, CPU use spikes to 100-200% with a
throughput around 30MB/s.

I'm using the registry config backend.

[global]
use kerberos keytab = True
server string = X
dns proxy = yes
log file = /var/log/samba/log.%m
syslog = 0
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
load printers = yes
printing = cups
socket options = TCP_NODELAY
idmap uid = 1-2
idmap gid = 1-2
template shell = /bin/bash
winbind offline logon = yes
winbind refresh tickets = yes
netbios name = TIVFS01
template homedir = X/%D/%U
printcap name = cups
max log size = 4000
workgroup = X
security = ads
realm = X

There's nothing notable in the log files.

Any ideas?


Re: [Samba] Re: smbclient kerberos issue

2008-10-07 Thread Ryan Bair
Nope, it's got a real .com to it. The behavior was that hostname
returned the hostname and hostname -f also returned just the
shortname. If it had returned an error instead of just the hostname, I
think it would have been ok from my quick view of the Samba source.

On Tue, Oct 7, 2008 at 2:51 PM, James Zuelow
<[EMAIL PROTECTED]> wrote:
> This is just a guess:
>
> Does your domain end in .local?
>
> If so, avahi would hijack DNS lookups for anything like
> domain_controller.company.local -- and since your DC probably doesn't
> have Bonjour installed on it, it gets no answer and reports back with a
> host not found.  Unfortunately that's a valid DNS response, so your
> system does not then fall back to regular DNS.
>
> James Zuelow            CBJ MIS (907)586-0236
> Network Specialist...   Registered Linux User No. 186591
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ryan Bair
>> Sent: Sunday, 05 October, 2008 10:44
>> To: Gerald (Jerry) Carter
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] Re: smbclient kerberos issue
>>
>>
>> It seems like it was a problem with avahi, which mistakenly made its way
>> into my nsswitch.conf. After removing mdns4_minimal and mdns4, I
>> rejoined the domain and everything works great. I'm a bit confused
>> as to how this caused the problem, but I'm very happy to have it
>> fixed!
>>
>> Thanks
>


Re: [Samba] Cannot get shares to show up

2008-10-05 Thread Ryan Bair
Sorry, meant to reply all on that.

On Sun, Oct 5, 2008 at 10:22 PM, Ryan Bair <[EMAIL PROTECTED]> wrote:
> By showing up I assume you mean showing up in the listing of shares
> for the computer?
>
> The "browsable = no" would be your problem. It makes the share not
> browsable. :-)
>
> --Ryan
>
> On Sun, Oct 5, 2008 at 6:50 PM, Jesse Stone <[EMAIL PROTECTED]> wrote:
>> I apologize if this is a really silly question but I've been messing with
>> this for awhile now and cannot see any typos that would prevent these shares
>> from showing up.
>>
>> I'm trying two things I've never done before so I want to make sure to point
>> them out:
>>
>> 1)  I am using groups in the "valid users" section
>> 2)  I am using preexec and postexec on each share
>>
>> Example:
>>
>> [Media]
>> comment = Media(Non-kid)!
>> path = /mnt/media1
>> read only = yes
>> browsable = no
>> valid users = @mediausers
>> preexec = /bin/mount /mnt/media1
>> postexec = /bin/umount /mnt/media1
>>
>> I've done nothing with the /mnt/media1 folder so I expect my next issue will
>> be permissions related but I would expect the shares to at least show up
>> for all users within the @mediausers group.
>>
>> I'm using preexec etc. from the cd-rom example contained within the default
>> smb.conf file.
>>
>> -Jesse


Re: [Samba] Re: smbclient kerberos issue

2008-10-05 Thread Ryan Bair
It wasn't so much that the records weren't in the keytab as much as
the fact that the SPNs just weren't being created. Even when I added
additional principals, I was only getting the shortname version.

In my initial test environment, I wasn't able to replicate the
problem. I ended up cloning the problem system to my test environment
and I was able to reproduce the error.

It seems like it was a problem with avahi, which mistakenly made its way
into my nsswitch.conf. After removing mdns4_minimal and mdns4, I
rejoined the domain and everything works great. I'm a bit confused
as to how this caused the problem, but I'm very happy to have it
fixed!

Thanks

On Sat, Oct 4, 2008 at 2:45 PM, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Ryan Bair wrote:
>> This seems to be related to this entry on the list in 2004-2005. As
>> far as I see, the issue was never fixed. This is a pretty big issue if
>> it is indeed the same bug as it effectively stops *nix clients from
>> using Kerberos authentication.
>>
>> http://lists.samba.org/archive/samba-technical/2005-April/040338.html
>>
>> I will try to work around using "setspn -A host/fqdn computer". Will
>> "net ads keytab create" pull all the SPNs available for the client or
>> is it set only to load the default ones?
>
> We don't add cifs/... entries to the system keytab anymore.
> If I understand you correctly, you are using smbclient to connect
> from one Unix box to a Samba server.  Correct?  If so, smbd
> validates the service ticket using the machine trust account
> password stored in secrets.tdb so the keytab entries don't
> generally come into play.
>
> The keytab is provided to support non-Samba kerberized applications
> such as sshd.
>
>
>
> cheers, jerry
> - --
> =
> Samba--- http://www.samba.org
> Likewise Software  -  http://www.likewisesoftware.com
> "What man is a man who does not make the world better?"  --Balian
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFI57nTIR7qMdg1EfYRAuKPAJ9Z9bP0QJchsYJ6laQJODFAgu2vQwCg3F1+
> LjrMmz7trKtLBdsEOvzK8ww=
> =jy1l
> -END PGP SIGNATURE-
>


[Samba] Re: smbclient kerberos issue

2008-10-04 Thread Ryan Bair
This seems to be related to this entry on the list in 2004-2005. As
far as I see, the issue was never fixed. This is a pretty big issue if
it is indeed the same bug as it effectively stops *nix clients from
using Kerberos authentication.

http://lists.samba.org/archive/samba-technical/2005-April/040338.html

I will try to work around using "setspn -A host/fqdn computer". Will
"net ads keytab create" pull all the SPNs available for the client or
is it set only to load the default ones?

On Sat, Oct 4, 2008 at 11:36 AM, Ryan Bair <[EMAIL PROTECTED]> wrote:
> Running Samba 3.2.3 on Debian Lenny, amd64.
>
> I'm joined to an AD realm, authentication works fine for Windows
> clients. I'm able to see that the clients are using Kerberos, not NTLM
> to authenticate to the shares. However when I look at the keytab, my
> entries have the short names like "service/[EMAIL PROTECTED]" instead of
> "service/[EMAIL PROTECTED]". Looking at Windows servers on the same domain it
> seems to be a bit of a mix between fqdn and short names with the
> majority using short names.
>
> So the problem with that is when I try to use smbclient to connect, I
> get a "Server not found in Kerberos database" error because it's
> looking for the cifs/[EMAIL PROTECTED], where it only exists in the form of
> cifs/[EMAIL PROTECTED] I haven't found a way to force AD to give me the
> fqdn style SPNs.
>
> Any pointers?
> Thanks
>


[Samba] smbclient kerberos issue

2008-10-04 Thread Ryan Bair
Running Samba 3.2.3 on Debian Lenny, amd64.

I'm joined to an AD realm, authentication works fine for Windows
clients. I'm able to see that the clients are using Kerberos, not NTLM
to authenticate to the shares. However when I look at the keytab, my
entries have the short names like "service/[EMAIL PROTECTED]" instead of
"service/[EMAIL PROTECTED]". Looking at Windows servers on the same domain it
seems to be a bit of a mix between fqdn and short names with the
majority using short names.

So the problem with that is when I try to use smbclient to connect, I
get a "Server not found in Kerberos database" error because it's
looking for the cifs/[EMAIL PROTECTED], where it only exists in the form of
cifs/[EMAIL PROTECTED] I haven't found a way to force AD to give me the
fqdn style SPNs.

Any pointers?
Thanks
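Added example, not from the thread, covering both this original report and the follow-up that found the cause: Samba builds the SPNs it registers at join time from the name the host resolves for itself, so a hostname -f that returns the short name gives short-name SPNs, and an mDNS source placed before dns on the hosts: line in nsswitch.conf can cut a lookup short with "not found". The three checks below are things to run before rejoining; the host name, realm and the klist listing are constructed, and the keytab parser assumes MIT klist -k output.

```sh
#!/bin/sh
# Added example, not Samba's own tooling. Three checks for the failure in this
# thread: FQDN from hostname -f, mDNS ordering in nsswitch.conf, and short-name
# service principals in the keytab. Sample data below is constructed.

# is_fqdn NAME -> 0 when NAME has a dot and is not a localhost alias
is_fqdn() {
    case $1 in
        localhost|localhost.*|*.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# nsswitch_hosts_warnings FILE
# Warns for every mDNS source that precedes dns on the hosts: line. A source
# that answers "not found" ends the lookup chain there, so dns is never asked.
nsswitch_hosts_warnings() {
    awk '/^[[:space:]]*hosts:/ {
        seen_dns = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "dns") seen_dns = 1
            else if ($i ~ /^mdns/ && !seen_dns)
                print "WARN " $i " precedes dns on the hosts: line"
        }
    }' "$1"
}

# short_name_spns  (reads MIT "klist -k" output on stdin)
# Prints the service principals whose host part contains no dot, i.e. the
# short-name SPNs this thread saw instead of FQDN ones.
short_name_spns() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ "/" {
        p = $2
        sub(/@.*/, "", p)        # strip realm
        sub(/^[^\/]+\//, "", p)  # strip service name
        if (p !~ /\./) print $2
    }' | sort -u
}

# check_spn_setup [NSSWITCH_FILE]  -- live check on this host, not run offline
check_spn_setup() {
    fqdn=$(hostname -f 2>/dev/null)
    is_fqdn "$fqdn" || echo "WARN hostname -f returned '$fqdn', not an FQDN"
    nsswitch_hosts_warnings "${1:-/etc/nsswitch.conf}"
    klist -k 2>/dev/null | short_name_spns | sed 's/^/WARN short-name SPN in keytab: /'
}

# Constructed klist -k listing (MIT format) showing the symptom from the thread.
KLIST_SAMPLE='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/tivfs01@EXAMPLE.COM
   3 host/tivfs01.example.com@EXAMPLE.COM
   3 cifs/tivfs01@EXAMPLE.COM'
```

Run check_spn_setup before "net ads join"; if it prints nothing, a fresh join should register the FQDN principals and a subsequent klist -k should show cifs/host.fqdn@REALM alongside the short form.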


[Samba] Print drivers in 3.2

2008-10-04 Thread Ryan Bair
From what I'm reading, in 3.2 you need to have the
SePrintOperatorPrivilege in order to install drivers. Is there any way
around this to allow certain users/groups to install without requiring
the privilege?  I've tried using the printer admin option, but it
doesn't seem to have any effect.

Thanks


Re: [Samba] Very Slow!

2008-08-30 Thread Ryan Bair
The newest Samba for RHEL 5.2 should be 3.0.28. Is there a reason this box
isn't up to date?

On Fri, Aug 29, 2008 at 6:16 PM, Brian D. McGrew <[EMAIL PROTECTED]> wrote:

> So now after I've been playing around with the configuration and such, it
> seems that the SMB server has become less usable.  Now, all the shares are
> visible but as soon as I try to access anything or copy anything I get "The
> network path is not valid".  Again, trying from XP, 2003 and 2008.
>
> I've put the original smb.conf and krb5.conf back in place and rebooted.
>  Still no difference!!!
>
> Now, I really need help because it's unusable and there's about 4TB of data
> out there that people need!!!
>
> Thanks,
>
> -brian
>
>
> > I am going to go with a bad samba build.
> >
> > Won't be the first time.
> >
> > Try different rpm versions from Red.
> > Update or Backrev
> >
> > If that still doesn't work, try putting both the client and the server
> > on a unmanaged gigabit switch and try the test again.
> >
> > -gc
> >
> >
> > Brian McGrew wrote:
> >> System info:
> >> Red Hat Enterprise Linux Server release 5 (Tikanga)
> >> Kernel 2.6.18-8.el5 SMP x86_64
> >> Samba version 3.0.23c-2
> >> Eth0 && Eth1 bonded to bond0, 2Gbps.
> >>
> >> /etc/samba/smb.conf attached below...
> >>
> >> I'm seeing very slow transfers from Samba.  I'm not sure how else to
> >> describe it.  If I try and copy a 4GB DVD image from the server to any
> >> Windows box (XP, 2003, 2008, MacOS) it estimates more than 4 hours to
> >> copy.
> >> However, if I FTP to the server from any given client I can move the
> >> whole file in less than 2 minutes...
> >>
> >> I'm not a Samba expert, so anything is helpful at this point!!!
> >>
> >> -brian
> >>
> >> [global]
> >> netbios name = mvppvt125
> >> realm = MACHINEVISIONPRODUCTS.COM
> >> security = ads
> >> preferred master = no
> >> encrypt passwords = yes
> >> wins server = 10.0.0.119
> >> workgroup = MVP
> >> password server = *
> >> server string = Dell PowerVault Server
> >> log level = 3
> >> log file = /var/log/samba/smbd.log
> >> max log size = 50
> >> winbind use default domain = yes
> >> winbind nested groups = yes
> >> winbind separator = +
> >> client ntlmv2 auth = yes
> >> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >> username map = /etc/samba/smbusers
> >> template shell = /bin/bash
> >>
> >> [filevault]
> >> comment = File Vault
> >> path = /filevault
> >> browseable = yes
> >> writable = yes
> >> create mode = 0777
> >> force create mode = 0777
> >> force directory mode = 0777
> >>
> >> [data]
> >> comment = MVP Data
> >> path = /data
> >> browseable = yes
> >> writable = yes
> >> create mode = 0777
> >> force create mode = 0777
> >> force directory mode = 0777
> >>
> >>
> >
> >
>


Re: [Samba] Samba + LDAP integration

2008-07-26 Thread Ryan Bair
Were the user accounts created with smbldap-tools, or were they
pre-existing? If they were pre-existing, did you reset the passwords
with smbldap-passwd? You will need to do so to set the appropriate
hashes in LDAP.

Have you looked at the logs at all? Posting some samples from there
showing the server startup and failed login would probably be helpful.

--Ryan

On Sat, Jul 26, 2008 at 10:36 AM, Mugo Martin <[EMAIL PROTECTED]> wrote:
> Hi people,
>
> Been doing a server installation with Samba as a primary PDC that uses an
> LDAP backend on CentOS 5.
> The thing is that I cannot get Samba and LDAP to talk as they
> should and now I'm really stuck.
> Below are my dumps for /etc/samba/smb.conf, ldap.conf (copied its contents
> to /etc/openldap/ldap.conf too), and smbldap.conf.
> Excuse my long post; trying to be as elaborate as possible.
>
> smb.conf
> **
> [global]
>workgroup = MYDOMAIN
>netbios name = MYDOMAIN
>server string = mydomain_office
>passdb backend = ldapsam:ldap://server.example.org
>passwd program = /usr/local/sbin/smbldap-passwd %u
>passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *all*authentication*tokens*updated*
>username map = /etc/samba/smbusers
>log file = /var/log/samba/%m.log
>max log size = 100
>add user script = /usr/local/sbin/smbldap-useradd "%u" -n -g users
>delete user script = /usr/local/sbin/smbldap-userdel "%u"
>add group script = /usr/local/sbin/smbldap-groupadd "%g"
>delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u"
> "%g"
>delete user from group script = /usr/local/sbin/smbldap-userdel "%u"
> "%g"
>set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> "%u"
>add machine script = /usr/local/sbin/smbldap-useradd -n -c
> "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
>logon script = %m.bat
>logon path = \\server.example.org\%U\profile
>domain logons = Yes
>os level = 33
>preferred master = Yes
>domain master = Yes
>wins support = Yes
>ldap admin dn = cn=config
>ldap delete dn = Yes
>ldap group suffix = ou=groups
>ldap machine suffix = ou=machines
>ldap passwd sync = Yes
>ldap suffix = dc=example,dc=org
>ldap user suffix = ou=people
>idmap uid = 1000-1
>idmap gid = 1000-1
> [homes]
>comment = Home Directories
>valid users = DOMAIN\%S
>read only = No
>browseable = No
> [printers]
>comment = All Printers
>path = /var/spool/samba
>printable = Yes
>browseable = No
> [netlogon]
>comment = Network Logon Service
>path = /var/lib/samba/netlogon
>guest ok = Yes
>share modes = No
>
> smbldap.conf
> 
> sambaDomain="MYDOMAIN"
> slaveLDAP="127.0.0.1"
> slavePort="389"
> masterLDAP="127.0.0.1"
> masterPort="389"
> ldapTLS="0"
> suffix="dc=example,dc=org"
> usersdn="ou=people,${suffix}"
> computersdn="ou=machines,${suffix}"
> groupsdn="ou=groups,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
> scope="one"
> hash_encrypt="SSHA"
> crypt_salt_format="%s"
> userLoginShell="/bin/bash"
> userHome="/home/%U"
> userHomeDirectoryMode="700"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="515"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userScript="logon.bat"
> mailDomain="example.org"
> with_smbpasswd="0"
> with_slappasswd="0"
>
> /etc/ldap.conf
> **
> host server.example.org
> base dc=example,dc=org
> binddn cn=config
> bindpw 1w2345FJ
> rootbinddn cn=zimbra,dc=example,dc=org
>
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
>
> nss_base_passwd ou=people,dc=example,dc=org?one
> nss_base_shadow ou=people,dc=example,dc=org?one
>
> nss_base_group  ou=groups,dc=example,dc=org?one
> nss_base_hosts  ou=machines,dc=example,dc=org?one
>
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
>
> uri ldap://server.example.org
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
>
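Added example, not from the thread: an offline audit that answers Ryan's question for a whole directory at once. Dump the people OU to LDIF and the script reports, per account, whether the attributes ldapsam needs are present; accounts that pre-date smbldap-tools show up as MISSING until smbldap-passwd (or smbpasswd) has written the NT hash. It also flags accounts that still carry a sambaLMPassword, which is a weaker hash that serves no purpose once LM authentication is off. The LDIF, DNs and hash values are constructed placeholders, and the parser assumes unfolded, non-base64 LDIF (ldapsearch folds long lines, so unfold a dump with long DNs first).

```sh
#!/bin/sh
# Added example, not part of smbldap-tools. Audits an LDIF dump for the
# attributes Samba's ldapsam backend requires on each user entry.

# audit_samba_ldif LDIF_FILE
# One line per entry that has a uid: attribute:
#   OK <dn>                 sambaSamAccount, sambaSID and sambaNTPassword present
#   MISSING(<attrs>) <dn>   which of the three are absent
#   LMHASH <dn>             entry still stores a sambaLMPassword
audit_samba_ldif() {
    awk '
    function flush() {
        if (dn == "" || !isuser) return
        miss = ""
        if (!has_oc)  miss = miss "sambaSamAccount,"
        if (!has_sid) miss = miss "sambaSID,"
        if (!has_nt)  miss = miss "sambaNTPassword,"
        if (miss == "") print "OK " dn
        else { sub(/,$/, "", miss); print "MISSING(" miss ") " dn }
        if (has_lm) print "LMHASH " dn
    }
    /^dn: / { flush(); dn = substr($0, 5); isuser = has_oc = has_sid = has_nt = has_lm = 0; next }
    /^uid: / { isuser = 1 }
    /^objectClass: sambaSamAccount$/ { has_oc = 1 }
    /^sambaSID: / { has_sid = 1 }
    /^sambaNTPassword: / { has_nt = 1 }
    /^sambaLMPassword: / { has_lm = 1 }
    END { flush() }
    ' "$1"
}

# Constructed sample: alice is complete, bob is a POSIX-only account that never
# received Samba attributes, carol is complete but still carries an LM hash.
# The hex strings are placeholders, not real password hashes.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1000000000-2000000000-3000000000-1000
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: posixAccount
uid: bob

dn: uid=carol,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-1000000000-2000000000-3000000000-1004
sambaLMPassword: FFEEDDCCBBAA99887766554433221100
sambaNTPassword: 00112233445566778899AABBCCDDEEFF

dn: ou=groups,dc=example,dc=org
objectClass: organizationalUnit'

# Usage against a live directory (bind DN and base are assumptions):
#   ldapsearch -x -LLL -D "cn=Manager,dc=example,dc=org" -W \
#       -b ou=people,dc=example,dc=org > people.ldif
#   audit_samba_ldif people.ldif
```

Anything reported as MISSING(sambaSamAccount,...) is what Ryan describes: a user that exists for POSIX but has nothing Samba can authenticate against, so the domain logon fails with no obvious LDAP error.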

Re: [Samba] samba with pam: ad accounts ok, local ones not

2008-06-26 Thread Ryan Bair
Did you create NT passwords for the local users with smbpasswd -a?

Also, why is your security setting on share? That seems a bit odd for
AD integration.

--Ryan

On Thu, Jun 26, 2008 at 6:06 AM, alex.blackbit
<[EMAIL PROTECTED]> wrote:
>
> hi,
>
> my smb.conf looks like this:
>
>...
>security = share
>
>update encrypted = yes
>encrypt passwords = no
>...
>
> /etc/pam.d/samba:
>
>#%PAM-1.0
>auth       required  pam_nologin.so
>auth       required  pam_stack.so service=system-auth
>account    required  pam_stack.so service=system-auth
>session    required  pam_stack.so service=system-auth
>password   required  pam_stack.so service=system-auth
>
>
> pam is configured so that local and active directory accounts can login
> (e.g. with ssh).
> samba works correctly with ad accounts, but does not with local accounts.
> what could be the problem?
>
> thanks for the help.
> --
> View this message in context: 
> http://www.nabble.com/samba-with-pam%3A-ad-accounts-ok%2C-local-ones-not-tp18130507p18130507.html
> Sent from the Samba - General mailing list archive at Nabble.com.
>
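Added example, not from the thread: a small smb.conf lint that catches the settings questioned in this thread and in two earlier ones on this page, "Cannot get shares to show up" and "Very Slow!". It is not a Samba tool; it reads a config file (or the output of "testparm -s", which also covers a registry-backed config) and prints a WARN line for "security = share", "encrypt passwords = no", 8 KB socket buffers, shares hidden with "browseable = no" but not restricted with "valid users", and 0777 create/directory modes. The sample config and the 64 KB buffer threshold are assumptions.

```sh
#!/bin/sh
# Added example, not Samba's testparm. Reads smb.conf (or "testparm -s" output)
# and warns on the settings discussed in the threads on this page.

# lint_smbconf FILE -> one WARN line per finding
lint_smbconf() {
    awk '
    function no(v) { return tolower(v) ~ /^(no|false|0)$/ }
    function flush(   k, n, i, opts, sz, b) {
        if (sec == "") return
        if (tolower(sec) == "global") {
            if (("security" in kv) && tolower(kv["security"]) == "share")
                print "WARN [global] security = share: no per-user authentication (use user, domain or ads)"
            if (("encrypt passwords" in kv) && no(kv["encrypt passwords"]))
                print "WARN [global] encrypt passwords = no: clients send plaintext passwords"
            if ("socket options" in kv) {
                n = split(kv["socket options"], opts, /[[:space:]]+/)
                for (i = 1; i <= n; i++)
                    if (opts[i] ~ /^SO_(RCVBUF|SNDBUF)=/) {
                        sz = opts[i]; sub(/^[^=]*=/, "", sz)
                        if (sz + 0 < 65536)
                            print "WARN [global] " opts[i] ": tiny socket buffer caps throughput; drop it and let the kernel autotune"
                    }
            }
        } else {
            b = ("browseable" in kv) ? kv["browseable"] : (("browsable" in kv) ? kv["browsable"] : "yes")
            if (no(b) && !("valid users" in kv))
                print "WARN [" sec "] browseable = no only hides the share; without valid users any authenticated user can still connect"
            for (k in kv)
                if (k ~ /^(force )?(create|directory) (mode|mask)$/ && kv[k] ~ /^0?777$/)
                    print "WARN [" sec "] " k " = " kv[k] ": world-writable files/directories"
        }
    }
    /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*\[/ {
        flush()
        sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*/, "", sec)
        for (k in kv) delete kv[k]
        next
    }
    /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        kv[tolower(key)] = val
    }
    END { flush() }
    ' "$1"
}

# Constructed sample combining the settings from the three threads.
SAMPLE_SMBCONF='[global]
   workgroup = MVP
   security = share
   encrypt passwords = no
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[Media]
   path = /mnt/media1
   read only = yes
   browsable = no
   valid users = @mediausers

[data]
   path = /data
   browseable = no
   writable = yes
   create mode = 0777
   force create mode = 0777
   force directory mode = 0777'

# Usage:  lint_smbconf /etc/samba/smb.conf        or        testparm -s 2>/dev/null > /tmp/eff.conf; lint_smbconf /tmp/eff.conf
```

On the sample, [Media] is clean because it pairs the hidden share with "valid users", while [data] gets four warnings: it is merely hidden, and every file it creates ends up world-writable.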


Re: [Samba] Samba, Kerberos and LDAP Question

2008-06-24 Thread Ryan Bair
How will the users be authenticating? If you're going to be adding the
machines to an NT domain and you want users to authenticate against
that at login you will need to store all the samba account information
including the nt password hash in there. So although you can still
store your user info in LDAP, Kerberos won't be used for
authentication.

If you don't care about domain stuff, then you can put the samba
server into ADS mode and the Windows users can use their Kerberos
tickets to get access. I'm not sure if this will work with MIT
Kerberos on the client or if Microsoft Kerberos is required. The
biggest pain with this is then managing local users on all the
desktops whereas they are one and the same with an NT or AD domain. You
might be able to use some pGina or scripting magic to help compensate
for this last part.

As a last thought, I seem to remember that you can have samba in user
mode, set the domain, and it will still accept Kerberos credentials. I
have not done this however.

Hope this helps a bit,
--Ryan

On Tue, Jun 24, 2008 at 2:31 PM, Alex <[EMAIL PROTECTED]> wrote:
> Hello Everyone,
>
> I have a question regarding Samba, Kerberos, and LDAP. Specifically, I would
> like to have users authenticate through Samba using the existing information
> stored in Kerberos and LDAP. According to the documents I have read, this is
> similar to the mechanism used by Microsoft's Active Directory, which Samba
> supports. However, I am completely confused on this issue: can MIT Kerberos
> and OpenLDAP be used as a backend to Samba? I have no Windows servers on the
> network, and attempts to authenticate against Kerberos have left all of the
> smb tools responding "cannot find DC for domain"
>
> If necessary, I will post the configuration information, but at this point,
> I only wish to find out if such a set up is currently possible. (I apologize
> if this question is common, but I could not find any clear answer after 72
> hours of searching).
>
> Sincerely,
> Alex


Re: [Samba] Migrate samba+LDAP to MS AD

2008-06-10 Thread Ryan Bair
Although I have not done it, you can migrate the Samba domain similar
to how you would migrate an NT4 domain.

On Tue, Jun 10, 2008 at 8:20 AM, Luciano Andre Baramarchi
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I need to migrate a domain with Samba + LDAP (openLDAP) to MS AD + Exchange
> ... Is it possible?
>
> Thanks.
>
> Luciano


Re: [Samba] NetBIOS Hostname

2008-05-30 Thread Ryan Bair
Definitely an OpenSUSE issue. That's a really terrible GUI design.

On Fri, May 30, 2008 at 3:48 PM, William W. Hammond <[EMAIL PROTECTED]> wrote:
> At 12:14 PM 5/30/2008, John H Terpstra wrote:
>>
>> On Friday 30 May 2008 12:54:33 William W. Hammond wrote:
>> > I was setting up Samba on an OpenSuSE 10.3 i386 computer.
>> >
>> > At the last minute I decided to enter a NetBIOS Hostname, big mistake.
>> > A message popped up warning me that entering a NetBIOS Hostname would
>> > create a new UID and Clients may no longer be able to connect.
>> > The Message was correct
>> >
>> > However, (Design Flaw) at that point there was no way for me to back out
>> > or cancel, so the deed was done.
>>
>> The issue is not whether or not Samba has a NetBIOS name, but rather that
>> a change of the NetBIOS name will generate a new SID for the system.  If
>> that system is a PDC, you will end up with a new Domain SID, and hence your
>> Windows clients will no longer belong to the same domain your PDC is now in.
>>
>> > How or where do you remove or change that option...?
>>
>> You can find out the original domain SID from your Samba log files
>> in /var/log/samba.  Then reset the domain SID using:
>>a) Stop Samba
>>b) Execute: net setlocalsid "S-1-5-21--xx-xxx"
>>c) Restart Samba
>>
>> That should restore things so long as you have not messed around with
>> things too much, in which case it would be easier to rejoin your Windows
>> clients to the current Samba domain setup.
>
> Thanks, that is what I needed, goes in my "Tech Save" box...
> I still think I should have been able to opt out once I saw the warning,
> Is that a Samba Issue or an OpenSuSE YaST issue...?
>
>
>> PS: By default Samba finds the hostname of the system it is running on and
>> uses that to generate the machine SID (and the domain SID if it is a PDC).
>>
>> - John T.
>
> Performance Technology Systems Design
>
> "Never Promise more than you can deliver...
> Always Deliver more than you promise.."
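Added example, not from the thread: guard rails around the recovery John describes. On a PDC the local SID is the domain SID, so whatever is handed to "net setlocalsid" re-homes every machine account and group mapping; it is worth recording the current SID before touching the NetBIOS name, pulling the old value out of the logs mechanically, and refusing anything that is not a domain SID (a BUILTIN SID or a user SID with its RID still attached would be accepted by the command but break the domain). The log excerpt and SID values are constructed.

```sh
#!/bin/sh
# Added example, not Samba's code. Validates and dry-runs the SID recovery
# sequence from the thread: stop Samba, net setlocalsid, restart.

# valid_domain_sid SID -> 0 for a domain/machine SID of the form S-1-5-21-A-B-C
valid_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# sids_in_logs FILE... -> unique domain SIDs mentioned; the RID on user and
# group SIDs is dropped, so a user SID yields the domain SID it belongs to
sids_in_logs() {
    grep -Eoh 'S-1-5-21(-[0-9]+){3}' "$@" | sort -u
}

# record_current_sid FILE -> saves "net getlocalsid" output before any change
record_current_sid() {
    net getlocalsid > "$1"
}

# restore_domain_sid SID
# Dry run unless SAMBA_APPLY=1. Refuses anything that is not a domain SID.
restore_domain_sid() {
    if ! valid_domain_sid "$1"; then
        printf 'refusing: %s is not a domain SID\n' "$1" >&2
        return 1
    fi
    if [ "${SAMBA_APPLY:-0}" != 1 ]; then
        printf 'dry run: would stop smbd/nmbd/winbindd, run "net setlocalsid %s", then restart them\n' "$1"
        return 0
    fi
    net setlocalsid "$1"
}

# Constructed log excerpt: two SIDs with RIDs, one bare domain SID, one
# well-known BUILTIN SID that must not be picked up.
LOG_SAMPLE='[2008/05/30 12:01:02,  5] (constructed sample line)
  user SID S-1-5-21-1111111111-2222222222-3333333333-1005
  primary group SID S-1-5-21-1111111111-2222222222-3333333333-513
  local SID S-1-5-21-1111111111-2222222222-3333333333
  builtin SID S-1-5-32-544'

# Usage:  sids_in_logs /var/log/samba/log.*    then    SAMBA_APPLY=1 restore_domain_sid S-1-5-21-...
```

If sids_in_logs returns more than one domain SID, the logs already span the rename; the one that appears in lines older than the change is the one to restore.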


Re: [Samba] Unix ADS group membership or vice versa

2008-04-18 Thread Ryan Bair
You can't make a local user a member of an AD group since AD needs to
know about them.

You can however add an AD user to a local group just like you would
for a local user.

This is true with normal LDAP accounts as well.

On Fri, Apr 18, 2008 at 8:09 PM, TC Hough <[EMAIL PROTECTED]> wrote:
> Hello,
>
>  I have a Samba server set up as a member of an Active Directory domain.
>  Authentication works great and my Windows users are able to log on to the
>  Linux workstation without any problems.
>
>  What I'd like to do is set up some of my local Unix accounts as members of
>  ADS groups.  Is this possible with Samba?  If not, would it be possible to
>  make an ADS account a member of a local Unix group?
>
>  I'm running Samba 3.0.22 that comes with Ubuntu 6.06.
>
>  Thanks in advance!
>  TC Hough


Re: [Samba] Samba 3: bad read performance

2008-04-18 Thread Ryan Bair
I've been doing just fine with my broadcoms on my server. The
performance killer is probably CIFS module on the client. That has
never had very good performance, but it has come a long way. I use
NFSv4 on my Linux clients and Samba for Windows.

On Fri, Apr 18, 2008 at 1:40 PM, Adam Williams
<[EMAIL PROTECTED]> wrote:
> Broadcom cards are known to be not so great (on Dell Poweredge servers
> anyway).  I'd probably replace them with some gigabit intel NICs in the
> server and make sure the client's tcp/ip packets are flowing out of the
> intel NICs to it also and see if that helps.
>
>
>
>  Dmitry V Shurupov wrote:
>
> > Hi all!
> >
> >
> > We use Samba 3 server for some video stuff (editing, rendering, and so
> > on) -- that's why performance is critical. We've tried a lot of smb.conf
> > options, but Samba can't satisfy our requirements.
> >
> >
> > Our server configuration is as following:
> > * Hard drive: RAID5 (8 x Seagate 7200.10), 3ware 9550SX-8LP controller
> > * NICs (trunked): 2 x Broadcom NetXtreme BCM5704
> > * Processor: Opteron 270
> > * RAM: 4 GB
> > * File system: XFS
> > * Operating system: Gentoo Linux (kernel 2.6.24-r3)
> > * Samba version: 3.0.28, 3.0.28a
> >
> > Our client configuration is as following:
> > * Processor: 2 x Opteron 270
> > * RAM: 4 GB
> > * NICs (trunked): 2 x Broadcom NetXtreme BCM5704, 4 x NIC Intel
> > Corporation 82546GB.
> > * Operating system: Gentoo Linux (kernel 2.6.23-r9)
> >
> > (We test Samba with our router to get better results.)
> >
> > Our server & client are connected with Allied Telesis AT-9448T/SP.
> >
> >
> > And... Our testing results (MByte/s):
> >
> >            Read   Write
> >   disk      190     135
> >   ftp       111     111
> >   samba      23      90
> >
> > (With 5 connections we get the same: 5 x 23 MByte/s.)
> >
> > We've tested our Samba server with:
> >
> > 1) time cat file > /dev/null (on mounted SMB directory)
> > 2) bonnie & bonnie++ (on mounted SMB directory)
> > 3) time cp file /tmp/file (on mounted SMB directory)
> > 4) smbclient
> >
> > We've tried SMBFS and CIFS, different oplock and socket options ("read"
> > performance varies from 17 to 25 MByte/s).
> >
> >
> > Samba HOWTO tells:
> >
> > > The Samba server uses TCP to talk to the client, so if you are trying
> > > to see if it performs well, you should really compare it to programs
> > > that use the same protocol. The most readily available programs for file
> > > transfer that use TCP are ftp or another TCP-based SMB server.
> > (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/speed.html#id2687128)
> >
> > So, our Samba "read" results are really sad. What can we do to make
> > Samba perform better?
> >
> >
> >
> >
>  --
>
>  To unsubscribe from this list go to the following URL and read the
>  instructions:  https://lists.samba.org/mailman/listinfo/samba
>
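The quoted message benchmarks the share with "time cat file > /dev/null" and sees one connection capped at 23 MByte/s while five connections each get the same. The script below is an added example, not code from the thread or from Samba: it does the same sequential read with a fixed 1 MiB read size, a best-effort eviction of the file from the client's page cache first (a second read of a file on an SMB or NFS mount is otherwise served from RAM and looks disk-fast), and N concurrent readers so that per-stream and aggregate throughput can be compared. File paths are assumptions; point it at the same file reached via the SMB mount, the NFS mount and the local disk.

```python
"""Added example (not from the thread): sequential-read benchmark for a file
on a mounted share, with cache eviction and N concurrent readers."""
import os
import sys
import tempfile
import time
from concurrent.futures import ThreadPoolExecutor

BLOCK = 1 << 20  # 1 MiB per read(), comparable to cat or dd bs=1M


def evict_from_cache(path):
    """Best-effort: drop this file's clean pages from the local page cache
    (Linux posix_fadvise; silently skipped elsewhere or if the mount ignores it)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        if hasattr(os, "posix_fadvise"):
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
    except OSError:
        pass
    finally:
        os.close(fd)


def read_once(path, block=BLOCK):
    """Read the whole file sequentially and unbuffered; return (bytes, seconds)."""
    nbytes = 0
    t0 = time.perf_counter()
    with open(path, "rb", buffering=0) as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                break
            nbytes += len(chunk)
    return nbytes, time.perf_counter() - t0


def mbytes_per_s(nbytes, seconds):
    """MByte/s as the thread reports it (1 MByte = 1048576 bytes)."""
    return nbytes / 1048576 / seconds if seconds > 0 else float("inf")


def bench(path, streams=1, drop_cache=True):
    """Read `path` with `streams` concurrent readers.  Returns per-stream and
    aggregate MByte/s, the two figures the poster compares (23 vs 5 x 23)."""
    if drop_cache:
        evict_from_cache(path)
    t0 = time.perf_counter()
    with ThreadPoolExecutor(max_workers=streams) as pool:
        results = list(pool.map(lambda _: read_once(path), range(streams)))
    wall = time.perf_counter() - t0
    total = sum(n for n, _ in results)
    return {
        "bytes": total,
        "streams": streams,
        "per_stream_mbps": [mbytes_per_s(n, s) for n, s in results],
        "aggregate_mbps": mbytes_per_s(total, wall),
    }


def make_sample(path=None, size=8 << 20):
    """Write a constructed test file of random (incompressible) bytes so that
    nothing on the wire or on disk can flatter the numbers by compressing it."""
    if path is None:
        fd, path = tempfile.mkstemp(prefix="smb-bench-", suffix=".bin")
        os.close(fd)
    with open(path, "wb") as f:
        remaining = size
        while remaining > 0:
            chunk = os.urandom(min(remaining, BLOCK))
            f.write(chunk)
            remaining -= len(chunk)
    return path


if __name__ == "__main__":
    # usage: python3 smbbench.py [/mnt/share/testfile] [streams]   (paths are assumptions)
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample()
    streams = int(sys.argv[2]) if len(sys.argv) > 2 else 1
    r = bench(target, streams)
    print("%s: %d stream(s), aggregate %.1f MByte/s, per stream %s" % (
        target, r["streams"], r["aggregate_mbps"],
        ", ".join("%.1f" % x for x in r["per_stream_mbps"])))
```

Run it once against the local disk, once against the NFS mount and once against the SMB mount with 1 and then 5 streams. If a single stream stays flat while the aggregate scales with the stream count, the limit is per-connection round trips rather than the disk or the link, and the cifs mount's rsize option and a comparison with smbclient's get are the next things to check; run as root and drop /proc/sys/vm/drop_caches as well if the fadvise hint is ignored by the mount.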

Re: [Samba] Samba Restrictions

2008-03-31 Thread Ryan Bair
I have single directories with over 100,000 entries and about 4
million files on the system total spanning about 15TB. I don't think
you should have a problem. Only problem I have is that directory
listings take a while with 100K entries but that's to be expected.

On Mon, Mar 31, 2008 at 9:11 AM,  <[EMAIL PROTECTED]> wrote:
> Hi,
>
>  I'm hoping you can give me some advice.  I work for a financial institution
>  and we are very interested in implementing Samba as a file server running on
>  AIX 5.3.  Before we can think about implementing this we need to know if Samba
>  has any limitation on the number of folders, files and shares.  The current file
>  storage system is running on Windows 2003 server and has somewhere in the
>  region of 51,000 folders and 450,000 files taking up 200GB.  Would Samba be
>  able to cope with this?
>
>  Your feedback would be appreciated.
>
>  Thanks
>  Tim
>
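An added example, not from this thread or from Samba, for sizing a tree before moving it onto a Samba server. It reports the numbers the question asks about (folders, files, bytes) plus two things a raw count hides that matter on migration: the largest single directory (the reply above notes that 100K-entry listings are slow, and that cost lands on every client that opens the folder) and any path longer than 260 characters under the share root, which Windows clients without long-path support cannot open even though Samba serves it. The thresholds are assumptions, not Samba limits; Samba itself imposes no fixed limit on file or folder counts.

```python
"""Added example (not from the thread): inventory a tree before migrating it
to a Samba share, flagging huge directories and over-long paths."""
import os
import sys
import tempfile

WINDOWS_MAX_PATH = 260   # assumption: classic MAX_PATH on Windows clients
BIG_DIR = 10000          # assumption: listing cost worth a look above this


def inventory(root, big_dir=BIG_DIR, max_path=WINDOWS_MAX_PATH):
    """Walk `root` without following symlinks; return counts and outliers."""
    stats = {
        "dirs": 0, "files": 0, "bytes": 0,
        "largest_dir": (0, root),    # (entry count, path)
        "longest_path": (0, root),   # (length under root, path)
        "big_dirs": [],              # (entries, path) with entries > big_dir
        "long_paths": [],            # paths longer than max_path under root
    }
    for dirpath, dirnames, filenames in os.walk(root):
        stats["dirs"] += 1
        entries = len(dirnames) + len(filenames)
        if entries > stats["largest_dir"][0]:
            stats["largest_dir"] = (entries, dirpath)
        if entries > big_dir:
            stats["big_dirs"].append((entries, dirpath))
        for name in filenames:
            path = os.path.join(dirpath, name)
            stats["files"] += 1
            try:
                stats["bytes"] += os.lstat(path).st_size  # lstat: don't count link targets twice
            except OSError:
                pass  # vanished or unreadable; keep counting rather than abort
            # Length as a client sees it below \\server\share, a lower bound
            # on the full UNC path length.
            rel_len = len(os.path.relpath(path, root))
            if rel_len > stats["longest_path"][0]:
                stats["longest_path"] = (rel_len, path)
            if rel_len > max_path:
                stats["long_paths"].append(path)
    return stats


def make_sample_tree(base=None):
    """Constructed tree for an offline dry run: 6 folders, 10 files of 100
    bytes, one of them with a 262-character path under the root."""
    if base is None:
        base = tempfile.mkdtemp(prefix="inventory-")
    layout = {"a": 3, os.path.join("a", "b"): 1, "c": 5}
    for sub, count in layout.items():
        d = os.path.join(base, sub)
        os.makedirs(d, exist_ok=True)
        for i in range(count):
            with open(os.path.join(d, "f%d.txt" % i), "wb") as f:
                f.write(b"x" * 100)
    deep = os.path.join(base, "deep", "deeper")
    os.makedirs(deep, exist_ok=True)
    with open(os.path.join(deep, "n" * 250), "wb") as f:
        f.write(b"x" * 100)
    return base


if __name__ == "__main__":
    # usage: python3 inventory.py /path/to/export   (defaults to the sample tree)
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()
    s = inventory(root)
    print("%s: %d folders, %d files, %.2f GB" % (root, s["dirs"], s["files"], s["bytes"] / 1e9))
    print("largest folder: %d entries in %s" % s["largest_dir"])
    print("longest path under root: %d chars (%s)" % s["longest_path"])
    print("%d folders over %d entries, %d paths over %d chars" % (
        len(s["big_dirs"]), BIG_DIR, len(s["long_paths"]), WINDOWS_MAX_PATH))
```

Run it on the Windows export (or a copy) before the cut-over; anything in long_paths needs renaming or a deeper share root, and anything in big_dirs is where the directory-listing latency the reply mentions will show up first.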


Re: [Samba] Desktops for non-roaming profiles

2008-03-24 Thread Ryan Bair
I'd recommend trying USMT (User State Migration Tool) from
Microsoft. It has options specifically for migrating local account
data and settings to domain accounts. I have not used it for that
purpose, so more research would be advised before diving in.

On Mon, Mar 24, 2008 at 7:39 PM, Dennis McLeod <[EMAIL PROTECTED]> wrote:
> Yeah, in my domain, it's simply a matter of logging on as the domain user,
>  then doing the profile copy as described.
>  I get all of the user settings, documents, Outlook Profile, etc.
>  Just not cookies, passwords, etc.
>  I can open Outlook, but have to re-enter their login information to download
>  email (POP, not Exchange...).
>  Same on some websites.
>  Then there are permission issues, too.
>  I made a group, (other than domainusers) put my users in there, and made
>  that group part of the local administrators group.
>  Does the test user have Administrator permissions on the machine?
>  Not that you want to run this way, but a good way to test.
>  How about a domain user with NO local account.
>  Does that get you a new profile based off of the default profile? With or
>  without the other issues?
>  Good luck
>  Dennis
>
>  The whole thread I gave may be better than that particular message I pointed
>  you at.:
>
>  http://groups.google.com/group/linux.samba/browse_thread/thread/42370eda9bdb3ef0/9c8b4de804545326?#9c8b4de804545326
>
>  -Original Message-
>  From: [EMAIL PROTECTED]
>  [mailto:[EMAIL PROTECTED] On Behalf Of
>  Ryan Steele
>
> Sent: Monday, March 24, 2008 4:19 PM
>  To: samba@lists.samba.org
>  Subject: Re: [Samba] Desktops for non-roaming profiles
>
>  Hi Dennis,
>
>
>  Dennis McLeod wrote:
>  > Are you trying to use the EXISTING profile on the machine?
>
>  Yeah...
>
>  > It's not going to be as seamless as you would like.
>  >
>
>  Darn.  :-)
>
>  > Basically, you will have to sit in front of each machine, join it to
>  > the domain, log in as the user into the domain to create the local
>  > profile), reboot (to free up the user profile - logging out doesn't
>  > work), log in as administrator, look at c:\documents and settings to
>  > get the name of the new profile (usually the username appended with a
>  > .domainname), then right click on My computer, properties, advanced,
>  > user profiles, highlight the old profile, copy to button, point it at
>  > the new user profile, change permissions to the new user (or if it's a
>  generic profile, use "everyone").
>  > Then, log back out, and in as the NEW domain user, and see what you get.
>  >
>
>  It does seem to copy the desktop items (and probably other things as well),
>  but drops me in to C:\, and I get weird behaviors.  It's unable to load the
>  Windows Classic theme (I get the error "The theme could not load.
>  Unspecified error."), and exhibits odd behaviors (loading the XP theme turns
>  the XP theme off, for example).  The permissions look right to me...
>
>  > It will not copy cookies or passwords (Outlook) so those will need to
>  > be fixed.
>  >
>
>  How about background, appearance, etc.?  None of those are preserved in my
>  tests, though it probably has to do with the aforementioned problem
>  (defaulting to C:\).
>
>  > Microsoft has a user migration tool which is supposed to do this, but
>  > it doesn't work, IMHO.
>  >
>  > I chose to migrate a few, and rebuild a few. It might take me a year,
>  > but they'll get moved, eventually.
>  >
>  > Also, I had to set local machine policy to "Only allow local profiles"
>  > and "Prevent Roaming profile changes from Propagating to the server":
>  >
>
>  Yeah, that helped.
>
>  > Start, Run, gpedit.msc, "Computer Configuration", "Administrative
>  > Templates", "system", User Profiles".
>  > registry string:
>  >
>  > Windows Registry Editor Version 5.00
>  >
>  > [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
>  > "LocalProfile"=dword:00000001
>  > "ReadOnlyProfile"=dword:00000001
>  >
>  >
>  > This might be why it's going to \TEMP. XP wants to pull down a
>  > roaming profile, but there exists none.
>  >
>  >
>
>  I think that may be the case as well.
>
>  > If that's the case I would suspect you won't have the second
>  > (.domainname) profile in c:\documents and settings
>  >
>
>  Until I changed those two entries, you're right I didn't.
>
>  >
>  > If you have a local user named bob, and a domain user named bob, and
>  > bob already has a local profile, if you log into the domain as bob,
>  > you should get a second profile named bob.domainname.
>  >
>  >
>  > HTH,
>  > Dennis
>  >
>  >
>  > Here's another reference:
>  > http://groups.google.com/group/linux.samba/msg/9c8b4de804545326
>  >
>  >
>  >
>
>  That didn't seem to fly for me either.
>
>  I'm interested to hear what you think with regards to it dropping me to C:\.
>  The user DOMAINNAME\bob has privileges to access C:\Documents and
>  Settings\bob.DOMAINNAME, which I overwrote with the existing profile using
>  the W

Re: [Samba] Samba 3 vs 4, User Maintenance

2008-02-25 Thread Ryan Bair
Samba 4 could eat your children and is still pretty incomplete
(printing isn't there at all last I checked). I'd highly recommend
sticking with 3.

For Samba 4, the AD toolkit can be used but again probably not ready
for primetime.

In Samba 3 I believe the NT Domain user manager can be used, but I
have no experience with it. Personally, I have been pretty happy with
gosa.

--Ryan

On Mon, Feb 25, 2008 at 4:25 PM, Volker Lendecke
<[EMAIL PROTECTED]> wrote:
> On Mon, Feb 25, 2008 at 03:54:04PM -0500, Richard Hurt wrote:
>  > So, I am going to set up my own stand-along Samba box (Debian 4) to
>  > replace the old XServe.  My question is should I use Samba 3 or 4?  I
>
>  Being biased a bit, I'd say that probably Samba4 will be the
>  more bumpy ride.
>
>  Volker
>


Re: [Samba] Moving / Copying files inside server across different shares

2008-02-19 Thread Ryan Bair
That all happens client side. The only way to work around it is to
make a share that encloses both shares and use that on the clients.
You will also have this problem with Windows clients.

Sorry Juan, I accidentally replied only to you in that last email.

On Feb 19, 2008 8:37 AM, Juan Ignacio Garzón
<[EMAIL PROTECTED]> wrote:
> Hi guys!
>
> When I move a file inside a share (for example, from
> \\server\myshare\dir1 to \\server\myshare\dir2), Samba manages it in
> order to make the move inside the server. That is, it's very fast
> because the file never gets downloaded to the client.
>
> My problem is that when moving a file across different shares, it gets
> first downloaded to the client and then copied back to the new
> location. For example, if I move a file from \\server\myshare1 to
> \\server\myshare2, it takes 30 minutes, but if it's moved inside the
> share it takes seconds. This happened to me using Nautilus as client;
> maybe it's a client issue?
>
> Is there something I can do in order to override this in the server?
>
> Thanks in advance!


[Samba] User not really in group

2007-09-26 Thread Ryan Bair
I have a Debian Etch AMD64 server running Samba 3.0.24. It is joined
to an active directory domain. Most everything works quite well.

I had set up a user for a scanner but forgot to add it to a group so
that it could access the target folder, so the scans failed. I then
added the account to the group, but for some reason it is still denied
access to the directory.

I su'ed to the user, and they are unable to enter the directory. Every
other member of the group is able to enter the directory without an
issue, even members that were added afterwards.

If I do a "getent group scanned docs", I can see all the users in the
group including the scanner account. However if I issue the groups
command as the copier user, the scanned docs group does not show up in
the listing. The groups command returns the expected list with every
other user.

Any ideas?
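The symptom above is two views of group membership disagreeing: "getent group" reads the group database's member list, while "groups", "id" and the kernel at login use getgrouplist(3)/initgroups(3), which on a winbind- or nscd-backed box can come from a different, cached or idmap-dependent path. A user in the first set but not the second is denied on the directory no matter what the member list says. The script below is an added example, not from the original message or from Samba, that computes exactly that difference for one account; the group names in it are constructed.

```python
"""Added example (not from the message): report groups that list a user as a
member but that getgrouplist() does not actually grant to that user."""
import grp
import os
import pwd
import sys


def groups_listing_user(user, group_db=None):
    """Groups whose member list names `user` (the `getent group` view).
    `group_db` is an optional constructed list of (name, gid, members);
    by default the live NSS database is enumerated."""
    if group_db is None:
        group_db = [(g.gr_name, g.gr_gid, g.gr_mem) for g in grp.getgrall()]
    return {name for name, _gid, members in group_db if user in members}


def groups_granted_at_login(user, primary_gid=None):
    """Supplementary groups getgrouplist(3) returns, i.e. what a process
    running as `user` actually holds after login or su."""
    if primary_gid is None:
        primary_gid = pwd.getpwnam(user).pw_gid
    names = set()
    for gid in os.getgrouplist(user, primary_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.add("#%d" % gid)  # gid with no name: an idmap gap worth reporting
    return names


def membership_diff(user, group_db=None, granted=None):
    """Groups the database lists `user` in that the login path does not grant.
    Non-empty output is the symptom above; empty means the two views agree."""
    listed = groups_listing_user(user, group_db)
    if granted is None:
        granted = groups_granted_at_login(user)
    return sorted(listed - granted)


if __name__ == "__main__":
    # usage: python3 groupdiff.py ACCOUNT   (defaults to the calling user)
    who = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    missing = membership_diff(who)
    if missing:
        print("%s is listed in but not granted: %s" % (who, ", ".join(missing)))
        sys.exit(1)
    print("%s: group database and getgrouplist() agree" % who)
```

Two caveats when running it against a winbind-joined box: grp.getgrall() only sees domain groups if winbind is allowed to enumerate them, so pass a constructed group_db built from grp.getgrnam() for the groups you care about if enumeration is off; and if the script reports a gap, compare "id ACCOUNT" before and after flushing the winbind cache ("net cache flush") and restarting winbindd, since a stale cached group list is the usual cause of this exact symptom.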