Re: [Samba] Dynamic DNS updates not working with BIND DLZ
Hi Lucas,

Thanks for the suggestion but, unfortunately, it's not that. I am aware of the kerberos sensitivity to time differences. When I installed Samba4 I built a custom ntp rpm as the version shipped with RHEL/CentOS does not support signed ntp. I tested this by shifting the clock on the client and it worked its way back again.

Out of interest I decided to try this again, some months after the initial install. My laptop's clock was about 10 sec off the DC. I changed it to 2 min, and it stays there. Running 'w32tm /resync /rediscover' just reports "no time data was available".

So I actually have 2 problems. Dynamic dns updates, that DID work before, now do not, and ntp updates, that DID work before, now also do not. Nothing has changed on the server with dns or ntp configuration. There is only the upgrade of Samba from 4.0.0 to 4.0.1.

It would seem that there is some problem with kerberos that the signed requests fail. Yet I can use kinit to authenticate and get a valid ticket. Kerberos is buried inside Samba so I have no idea what is wrong with it and why, nor do I have any idea how to fix it. I have trawled the web for hours on this. I read plenty of similar problems, but no solutions other than the obvious stuff I already checked. It's really very frustrating.

Regards,
Stephen Jones

On Tue, Apr 23, 2013, at 01:30 AM, ?icro MEGAS wrote:
> Hey there,
>
> had a similar problem in the past and resolved it today. The error was caused by time mismatch between the host and the client. Did you check that ntp is working fine and your time between samba4 and windows host is in sync (<5min) ?
>
> Lucas.
>
> Fri 12 Apr 2013 03:00:41 +0400, Stephen Jones wrote:
> > Hi Thomas,
> >
> > Thanks for the information. I did as you suggested and ran named in debug mode and issued 'ipconfig /registerdns' from the client. The output was similar to your post:
> >
> > failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
> > gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
> > process_gsstkey(): dns_tsigerror_noerror
> >
> > Looks like the server does not believe the client update request is signed appropriately. Strange, since I know Kerberos is setup fine and works. I can use nsupdate with Kerberos to edit the AD domain from the command line. Run 'kinit Administrator@EXAMPLE.LOCAL' gets a ticket, then 'nsupdate -g' and I can add/remove DNS entries.
> >
> > I know dynamic updates from the client worked before when I first setup Samba4. I don't know at what point it decided to stop working. The only thing I have done that I consider may have influence is upgrading Samba to 4.0.1.
> >
> > I don't really want to use the Samba internal DNS. The server runs an external domain as well as the internal AD domain with a split DNS setup, and I may not be able to run BIND and Samba DNS together. And if MX and CNAME in the Samba DNS is broken then it's no good to me running a mail server. The BIND DLZ seems a much better option to me. I certainly hope there is a fix for this problem.
> >
> > Regards,
> > Stephen Jones
> >
> > On Thu, Apr 11, 2013, at 09:01 PM, Thomas Simmons wrote:
> > > On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones <lloydsyst...@fastmail.com.au> wrote:
> > > > Hi,
> > > >
> > > > A while ago I setup Samba4 on CentOS 6. Samba version was 4.0.0 using the RPM from SOGo. I used the DLZ BIND backend with BIND 9.8. I tested with a Windows 7 VM client. When I joined the client to the domain it was automatically added to the AD DNS and appeared in the Windows DNS Manager. The VM had a static IP, but if I changed the IP address that change was automatically reflected in the DNS entry.
> > > >
> > > > I am now adding new real clients to the domain and find that they are not added to the AD domain DNS. The client has a dynamic IP, but I have tried changing to a fixed IP address and it makes no difference.
> > > >
> > > > The only changes I can recall between the initial setup and now are:
> > > >
> > > > 1. Samba upgrade to 4.0.1. After upgrading I followed the procedure and ran
> > > >    samba-tool dbcheck --cross-ncs --fix
> > > >    samba-tool ntacl sysvolreset
> > > >    The upgrade changed the permissions of /var/lib/samba4/private back to root:root 700, which is no good, so I changed back to root:named 750. I also added "server services = -dns" to smb.conf as per the instructions because internal DNS is now default.
> > > >
> > > > 2. Tested OpenChange. But, prior to doing anything I backed up entire /var/lib/samba4 directory. When I removed OpenChange (as it is just not stable yet) I removed /var/lib/samba4 and replaced it with the backup. So this should not have any effect.
> > > >
> > > > I have checked everything against my notes made when installing Samba4 and can't find anything wrong.
> > > >
> > > > In terms of DNS, /etc/named.conf contains
> > > > include "/var/lib/samba4/private
Re: [Samba] Dynamic DNS updates not working with BIND DLZ
Hi Thomas,

Thanks for the information. I did as you suggested and ran named in debug mode and issued 'ipconfig /registerdns' from the client. The output was similar to your post:

failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
process_gsstkey(): dns_tsigerror_noerror

Looks like the server does not believe the client update request is signed appropriately. Strange, since I know Kerberos is setup fine and works. I can use nsupdate with Kerberos to edit the AD domain from the command line. Run 'kinit Administrator@EXAMPLE.LOCAL' gets a ticket, then 'nsupdate -g' and I can add/remove DNS entries.

I know dynamic updates from the client worked before when I first setup Samba4. I don't know at what point it decided to stop working. The only thing I have done that I consider may have influence is upgrading Samba to 4.0.1.

I don't really want to use the Samba internal DNS. The server runs an external domain as well as the internal AD domain with a split DNS setup, and I may not be able to run BIND and Samba DNS together. And if MX and CNAME in the Samba DNS is broken then it's no good to me running a mail server. The BIND DLZ seems a much better option to me. I certainly hope there is a fix for this problem.

Regards,
Stephen Jones

On Thu, Apr 11, 2013, at 09:01 PM, Thomas Simmons wrote:
> On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones <lloydsyst...@fastmail.com.au> wrote:
> > Hi,
> >
> > A while ago I setup Samba4 on CentOS 6. Samba version was 4.0.0 using the RPM from SOGo. I used the DLZ BIND backend with BIND 9.8. I tested with a Windows 7 VM client. When I joined the client to the domain it was automatically added to the AD DNS and appeared in the Windows DNS Manager. The VM had a static IP, but if I changed the IP address that change was automatically reflected in the DNS entry.
> >
> > I am now adding new real clients to the domain and find that they are not added to the AD domain DNS. The client has a dynamic IP, but I have tried changing to a fixed IP address and it makes no difference.
> >
> > The only changes I can recall between the initial setup and now are:
> >
> > 1. Samba upgrade to 4.0.1. After upgrading I followed the procedure and ran
> >    samba-tool dbcheck --cross-ncs --fix
> >    samba-tool ntacl sysvolreset
> >    The upgrade changed the permissions of /var/lib/samba4/private back to root:root 700, which is no good, so I changed back to root:named 750. I also added "server services = -dns" to smb.conf as per the instructions because internal DNS is now default.
> >
> > 2. Tested OpenChange. But, prior to doing anything I backed up entire /var/lib/samba4 directory. When I removed OpenChange (as it is just not stable yet) I removed /var/lib/samba4 and replaced it with the backup. So this should not have any effect.
> >
> > I have checked everything against my notes made when installing Samba4 and can't find anything wrong.
> >
> > In terms of DNS, /etc/named.conf contains
> > include "/var/lib/samba4/private/named.conf";
> > which loads the DLZ module for BIND 9.8. The /etc/named.conf also has in the options
> > tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
> >
> > Permissions of files:
> > /var/lib/samba4/private/named.conf root:named 640
> > /var/lib/samba4/private/dns.keytab root:named 640
> > /var/lib/samba4/private/dns/ root:named 770
> >
> > It all seems OK (I think), but no dynamic DNS updates. There is nothing in the samba.log file to suggest a problem. The system log has messages
> > client : update 'example.local/IN' denied
> > samba_dlz: cancelling transaction on zone example.local
> >
> > Is there something I need to set in smb.conf? I see there are new options like "allow dns updates" and "dns update command", which I do not have specifically set, but I don't know if these only apply to Samba internal DNS. There is still really no documentation about smb.conf for Samba4.
> >
> > Can someone please explain what might be wrong or what I should look for.
>
> Hello Stephen,
>
> I have been experiencing the same problem for the past month or so. Unfortunately, I have been unable to find a solution. I was able to dig back through my logs and found that the last DNS update occurred very early in the morning, so for some reason it just stopped updating. You can start bind in debugging mode "named -u named -g -d 5", then run "ipconfig /registerdns" on the Windows client. If you see the following, then you are experiencing the same issue:
>
> 28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
> 28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
[Samba] Dynamic DNS updates not working with BIND DLZ
Hi,

A while ago I setup Samba4 on CentOS 6. Samba version was 4.0.0 using the RPM from SOGo. I used the DLZ BIND backend with BIND 9.8. I tested with a Windows 7 VM client. When I joined the client to the domain it was automatically added to the AD DNS and appeared in the Windows DNS Manager. The VM had a static IP, but if I changed the IP address that change was automatically reflected in the DNS entry.

I am now adding new real clients to the domain and find that they are not added to the AD domain DNS. The client has a dynamic IP, but I have tried changing to a fixed IP address and it makes no difference.

The only changes I can recall between the initial setup and now are:

1. Samba upgrade to 4.0.1. After upgrading I followed the procedure and ran
   samba-tool dbcheck --cross-ncs --fix
   samba-tool ntacl sysvolreset
   The upgrade changed the permissions of /var/lib/samba4/private back to root:root 700, which is no good, so I changed back to root:named 750. I also added "server services = -dns" to smb.conf as per the instructions because internal DNS is now default.

2. Tested OpenChange. But, prior to doing anything I backed up entire /var/lib/samba4 directory. When I removed OpenChange (as it is just not stable yet) I removed /var/lib/samba4 and replaced it with the backup. So this should not have any effect.

I have checked everything against my notes made when installing Samba4 and can't find anything wrong.

In terms of DNS, /etc/named.conf contains
include "/var/lib/samba4/private/named.conf";
which loads the DLZ module for BIND 9.8. The /etc/named.conf also has in the options
tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";

Permissions of files:
/var/lib/samba4/private/named.conf root:named 640
/var/lib/samba4/private/dns.keytab root:named 640
/var/lib/samba4/private/dns/ root:named 770

It all seems OK (I think), but no dynamic DNS updates. There is nothing in the samba.log file to suggest a problem. The system log has messages
client : update 'example.local/IN' denied
samba_dlz: cancelling transaction on zone example.local

Is there something I need to set in smb.conf? I see there are new options like "allow dns updates" and "dns update command", which I do not have specifically set, but I don't know if these only apply to Samba internal DNS. There is still really no documentation about smb.conf for Samba4.

Can someone please explain what might be wrong or what I should look for.

Regards,
Stephen Jones

--
Stephen Jones
lloydsyst...@fastmail.com.au

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SaMBa 4.0 - homedir mapping
The short answer is yes. Do it from Active Directory Users & Computers when creating the user account. ADUC is available by installing the RSAT tools on a Windows client joined to the domain.

Initial setup is to create the share for user home directories. For example, create the directory /home/DOMAIN and share this as 'users' by adding the share definition to smb.conf file. Only required settings are the path and read only = no.

Login to Windows as Administrator. It is important to set the permissions right first. Browse to \\server\users and open the security properties. Remove any entries other than Administrator. Add an entry for Domain Users with read and execute permissions for this folder only. You can optionally add an entry for Domain Admins with full control for this folder, subfolders and files.

Now open ADUC and add a user account. In the profile tab, under home folder, select a drive letter and enter the path \\server\users\username. This will create the folder with the correct permissions and will be automatically mapped when the user logs in.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Mon, Jan 7, 2013, at 09:45 AM, Celso Viana wrote:
> Hi all,
>
> In Samba 4.0 is possible to map the user's home directory
> automatically without user intervention?
>
> Thanks
>
> --
> Celso Vianna
> BSD User: 51318
> http://www.bsdcounter.org
> Palmas/TO
Re: [Samba] Samba4 and phpLdapAdmin
Hi,

My advice would be to steer clear of phpLdapAdmin with Samba4 AD. When I first setup my Samba4 DC I did install phpLdapAdmin and connected to the AD domain. Just browsing the directory produced some strange errors that made me rather nervous. I dared not to edit anything because it would probably break AD. I removed phpLdapAdmin.

I was actually not surprised by this. Although MS say AD is LDAP compliant, the word 'compliant' is rather subjective. MS included 'other' things in AD and have done some things differently to a *normal* LDAP directory. Any tool used on AD has to be designed to work with AD.

The best way to manage users in Samba4 is with the ADUC tool included with the MS RSAT pack. Install RSAT on a Windows client joined to the domain. It works beautifully.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Wed, Dec 19, 2012, at 05:21 AM, Thiago Parolin wrote:
> Hi,
>
> i'm using samba4.0.0 and phpLdapAdmin 1.2.2 in Debian Wheezy server.
> Can anyone point me a direction to create AD users using PLA?
> My installation has only samba3 template.
>
> Thanks.
Re: [Samba] Samba4 Domain UP, but no roaming profiles
Hi,

The problem is your smb.conf [profiles]. The only options you need are the path and read only = no. Control access from Windows with an ACL applied to the profiles share security properties rather than forcing permissions from Samba. S4 is different from S3. I'm not sure if those mask options work in S4 but, if they do, those values will deny all access set through extended ACLs because those are applied through the group class.

Fix smb.conf and start with an empty profiles directory with drwxr-xr-x. root:root. Browse to the profiles share from a Windows client in the domain and open the security properties (as Administrator). You can remove entries for Everyone, CREATOR OWNER, CREATOR GROUP, etc. Leave the entry for Administrator. Add an entry for Domain Users with read/execute/write permissions for this folder only. If you look at the profiles directory from linux it will now look like drwxrwx---+ root:root. getfacl will show you the Posix ACLs created from Windows.

From Windows ADUC add the roaming profiles path to the user's profile. When you login as the user his profile folder will be created automatically. If you browse the profiles share again and look at the security settings of the user's folder it will show only the user and SYSTEM, both with full control. This gives the access control you are trying to achieve.

Tip: There is a GPO setting under computer-policies-templates-system-user profiles to add the administrators group to roaming profiles. This is a good idea, otherwise administrators cannot browse the profile folders.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Sat, Dec 15, 2012, at 01:57 PM, Adam Tauno Williams wrote:
> I've performed a *successful* domain migration from S3/LDAPSAM to
> S4.0.0. Yay! I can browse and connect to the server from a
> workstation [logged in as a local account]. DNS looks good. kinit &
> klist work. I was able to *add* a workstation to the domain.
>
> But I can't get roaming profiles to work. On the server the roaming
> profile looks like -
>
> [profiles]
> path = /opt/s4/var/profiles
> read only = No
> profile acls = Yes
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> --
> Adam Tauno Williams GPG D95ED383
> Systems Administrator, Python Developer, LPI / NCLA
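An added example (not code from either thread) that applies the advice in the roaming-profiles reply above and in the earlier home-directory reply: both say an AD share needs only "path" and "read only = no", with access controlled by Windows ACLs. The functions below scan a share section of smb.conf for anything beyond those two keys, flag the create/directory mask lines the reply warns about, and emit the minimal definition; the sample smb.conf in the comments is constructed.

```shell
#!/bin/sh
# Audit a share section of smb.conf against the "path + read only = no only"
# advice for Samba4 AD shares. Example (constructed) input:
#   [profiles]
#       path = /opt/s4/var/profiles
#       read only = No
#       create mask = 0600
#       directory mask = 0700

# Print every "key = value" line in section $2 of smb.conf $1 that is not one
# of the two recommended keys. Comments (# or ;) and blank lines are ignored.
share_extra_options() {   # $1 = smb.conf path, $2 = share name
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ {
            hdr = $0; gsub(/[[:space:]]/, "", hdr)
            insec = (hdr == want); next
        }
        insec && /^[[:space:]]*[^#;[:space:]]/ {
            line = $0; sub(/^[[:space:]]+/, "", line)
            key = line; sub(/[[:space:]]*=.*/, "", key)
            if (key != "path" && key != "read only") print line
        }' "$1"
}

# Exit 0 when the share carries a create or directory mask, which the reply
# says will override the ACL permissions applied through the group class.
share_has_mask() {   # $1 = smb.conf path, $2 = share name
    share_extra_options "$1" "$2" | grep -Eq '^(create|directory) mask'
}

# Emit the minimal share definition recommended in both replies.
minimal_share() {   # $1 = share name, $2 = directory on the server
    printf '[%s]\n\tpath = %s\n\tread only = no\n' "$1" "$2"
}

# Usage: ./share-audit.sh /etc/samba4/smb.conf profiles
if [ $# -eq 2 ]; then
    extra=$(share_extra_options "$1" "$2")
    if [ -n "$extra" ]; then
        echo "[$2] carries options beyond path/read only:"
        printf '%s\n' "$extra"
        share_has_mask "$1" "$2" && echo "mask options present: ACL access will be restricted"
    else
        echo "[$2] already minimal"
    fi
fi
```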
Re: [Samba] Building NTP RPM Fails on CentOS 6.3
Hi,

I built ntp-4.2.6p5 on CentOS 6.3 for my Samba4 server. The instructions in the HowTo are not quite right (at least for CentOS). Make only the following changes to the ntp.spec file:

1. Update the version/release numbers
2. Comment out all 'patch' lines
3. Add the '--enable-ntp-signd' option after '--enable-linuxcaps'
4. Add the line '%{_sbindir}/sntp' after the '%{_ntptime}' line

Ignore the suggested edits related to 'man' entries or it will not compile, as you have found. With the above changes rpmbuild will work.

It seems in the latest version of the HowTo they have removed the rpmbuild instructions altogether.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Thu, Dec 13, 2012, at 06:50 AM, Thomas Simmons wrote:
> Hello,
>
> I am trying to build an NTP v4.2.6p5 RPM using the instructions in the S4
> how-to, however rpmbuild fails with the following error:
>
> error: File not found by glob:
> /home/thomas/rpmbuild/BUILDROOT/ntp-4.2.6p5-2.el6.x86_64/usr/share/man/man8/ntpdtime.8*
>
>
> RPM build errors:
> File not found by glob:
> /home/thomas/rpmbuild/BUILDROOT/ntp-4.2.6p5-2.el6.x86_64/usr/share/man/man8/ntpdtime.8*
>
> I have updated my ntp.spec by updating the version and commenting out all
> lines that begin with %patch. I have also made the following changes, as
> directed in the how-to. I assume the error is coming from the line
> addition
> "%{_mandir}/man8/ntpdtime.8*", however I'm not sure of the fix. It seems
> like that should be included in the source RPM?
>
> < --enable-linuxcaps
> ---
> > --enable-linuxcaps --enable-ntp-signd
> 330a331
> > %{_sbindir}/sntp
> 348,349c349,350
> < %{_mandir}/man8/ntptime.8*
> < %{_mandir}/man8/tickadj.8*
> ---
> > %{_mandir}/man8/ntpdtime.8*
> > #%{_mandir}/man8/tickadj.8*
> 355c356
> < %{_mandir}/man8/ntp-wait.8*
> ---
> > #%{_mandir}/man8/ntp-wait.8*
> --
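Review bot: the 348,349c349,350 hunk replaces %{_mandir}/man8/ntptime.8* with %{_mandir}/man8/ntpdtime.8*, and that ntpdtime.8* glob is exactly the file rpmbuild reports as "not found by glob", so this reads as a typo rather than a required change; keep the original ntptime.8* entry and leave the tickadj.8* and ntp-wait.8* lines uncommented (the reply above also says to skip the man-page edits), so that only the --enable-ntp-signd and %{_sbindir}/sntp hunks remain.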
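The four ntp.spec edits from the reply above, applied with sed so the rebuild is repeatable (an added example, not code from the thread). The spec path, version and release strings are assumptions passed as arguments; the function refuses to edit a file that lacks the anchor lines the reply names.

```shell
#!/bin/sh
# Apply the four ntp.spec changes described in the reply:
#   1. set Version/Release   2. comment out %patch lines
#   3. add --enable-ntp-signd after --enable-linuxcaps
#   4. add %{_sbindir}/sntp after the %{_ntptime} line
# The man-page entries are deliberately left untouched.

# $1 = spec file, $2 = new version, $3 = new release. Edits in place and
# returns 1 (without touching the file) if an expected anchor is missing.
patch_ntp_spec() {
    spec=$1; ver=$2; rel=$3
    for anchor in '^Version:' '^Release:' '--enable-linuxcaps' '%{_ntptime}'; do
        grep -q -- "$anchor" "$spec" || { echo "missing $anchor in $spec" >&2; return 1; }
    done
    sed -i \
        -e "s/^\(Version:[[:space:]]*\).*/\1$ver/" \
        -e "s/^\(Release:[[:space:]]*\).*/\1$rel/" \
        -e 's/^%patch/#&/' \
        -e 's/--enable-linuxcaps/& --enable-ntp-signd/' \
        -e '/%{_ntptime}/a\
%{_sbindir}/sntp' \
        "$spec"
}

# Report whether a spec already carries the signd option (idempotency check).
spec_has_signd() {   # $1 = spec file
    grep -q -- '--enable-ntp-signd' "$1"
}

# Usage: ./patch-ntp-spec.sh ~/rpmbuild/SPECS/ntp.spec 4.2.6p5 '2%{?dist}'
if [ $# -eq 3 ]; then
    if spec_has_signd "$1"; then
        echo "$1 already patched" >&2
    else
        patch_ntp_spec "$1" "$2" "$3" && echo "patched $1"
    fi
fi
```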
[Samba] Fwd: Re: Samba4 on CentOS 6.3 - IPTABLES how-to???
I should update this list with another port I discovered:

3268, TCP (MSFT-GC) Used by global catalog - a LDAP service to browse the AD forest.

Found this with Wireshark when trying to add a new user from ADUC.

Stephen Jones
Lloyd Systems Engineering

- Original message -
From: Stephen Jones
To: samba@lists.samba.org
Subject: Re: [Samba] Samba4 on CentOS 6.3 - IPTABLES how-to???
Date: Tue, 27 Nov 2012 04:46:09 +1100

Hi,

Here is an extract from my post on installing Samba4 on CentOS6. I have iptables working - I used netstat and Wireshark to monitor the packets.

-
The ports needed are:

53, TCP & UDP (DNS)
88, TCP & UDP (Kerberos authentication)
135, TCP (MS RPC)
137, UDP (NetBIOS name service)
138, UDP (NetBIOS datagram service)
139, TCP (NetBIOS session service)
389, TCP & UDP (LDAP)
445, TCP (MS-DS AD)
464, TCP & UDP (Kerberos change/set password)
1024, TCP (this is a strange one but AD is using it)

Add these to iptables:

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 137:138 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT
# iptables -A INPUT -p tcp --dport 135 -j ACCEPT
# iptables -A INPUT -p tcp --dport 88 -j ACCEPT
# iptables -A INPUT -p udp --dport 88 -j ACCEPT
# iptables -A INPUT -p tcp --dport 464 -j ACCEPT
# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p udp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1024 -j ACCEPT
-

Looking at your rules, they are close to this. I believe it's the missing RPC (135) that's blocking RSAT.

Cheers,
Stephen Jones
Lloyd Systems Engineering

On Tue, Nov 27, 2012, at 12:39 AM, Andreas Krupp wrote:
> Hello,
>
> I do apologize if this is something that was already discussed somewhere
> else... but for now I was not able to find the appropriate How-To.
> Would anybody know what the IPTABLES entries are to have working Samba4
> Domain Controller?
>
> I tried the following:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m
> state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state
> --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>
> With the above I was not able to connect via remote Administration tools
> to the Active Directory Service.
> Does anybody have a comprehensive list of ports/protocols one has to
> "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc.
> working?
>
> Cheers & thank you very much for your help!
> Best,
> Andreas
Re: [Samba] Trouble with file shares on Samba 4
Hi,

Have you checked the ACLs on the shared directories from the unix side? Samba takes the Windows ACLs and converts them to Posix ACLs which are 'similar' in nature but not exactly the same. You can view the Posix ACLs using getfacl:

# getfacl /shared/directory

I don't think you mentioned whether it was working at some point and stopped, or has never worked. Have you changed the ownership or permissions of these shared directories from unix? If so this may alter the effective permissions of the ACL entries. In directories with ACLs applied, the permissions of the named users and groups are applied through the group class permissions, so they don't have the same meaning as with standard unix DAC.

Regards,
Stephen Jones

On Tue, Nov 27, 2012, at 01:10 PM, Michael B. Trausch wrote:
> On 11/26/2012 11:07 AM, Michael B. Trausch wrote:
> > Any assistance or advice on what to look for would be awesome.
>
> One additional note that I've been able to put together.
>
> Windows reports that the permissions that I've set on the server match
> my expectations of what Windows thinks the permissions should be. That
> is, I added ACLs to allow user X to access the share with "Full
> Control", and Windows see this. Windows attempts to access the share,
> but then says that access is denied. Windows won't even show space
> utilization on the share, though Windows *can* see the ACLs and, again,
> they match what we think they should be.
>
> I am _not_ an expert on Samba 4. I do know that this functionality
> worked in a beta release, though I don't recall which one. I'm actually
> in the process of setting up a test network to replicate the problem, as
> I cannot officially submit a bug report based on the network I'm
> discussing at present. I fully expect to be able to have enough
> information within 24 hours to create a bug report. I also plan on
> testing with git master to see if anything changed since rc5 that might
> fix the problem, but it essentially seems that while the permissions are
> correct, they're not being correctly interpreted or honored.
>
> --- Mike
>
> --
> Michael B. Trausch
> President, Naunet Corporation
>
> Web: https://www.naunetcorp.com
> Telephone: +1-678-287-0693
Re: [Samba] samba4 AD DNS zone corrupted
Hi,

If you want to delete the TXT record my suggestion would be to use nsupdate. This tool is part of BIND. My advice would be to avoid samba-tool, or at least the dns part of it. When I tried to use it I just got errors. I think it's still rather experimental. But nsupdate works.

One catch. DNS update requests to AD must be kerberos authenticated. This means you need the krb5 tool kinit. I use CentOS, and this is part of the krb5-workstation package. I don't know what you are using so I can't advise there.

Run kinit and authenticate as the domain administrator:

# kinit Administrator
Response: Password for Administrator at MYDOMAIN.LOCAL: mypassword

Then launch nsupdate:

# nsupdate -g

To delete the TXT record:

update delete mydomain.local TXT
send

If you still have problems you could use nsupdate to update all the main zone entry records for the AD domain. To update a record just enter it again with the new values. Therefore:

update add mydomain.local 3600 SOA server.mydomain.local hostmaster.mydomain.local serial-no 900 600 86400 3600
update add mydomain.local 3600 NS server.mydomain.local
update add mydomain.local 3600 A 192.168.0.1
update add server.mydomain.local 3600 A 192.168.0.1
send

These are the records created by Samba when provisioning the domain. Obviously adjust values to suit your hostname and IP address and increment the serial.

You can use dig to report everything you currently have:

# dig -t ANY mydomain.local

For the record, I have a TXT record in my AD domain and it doesn't cause a problem. I can't recall whether I added it with nsupdate or the Windows DNS Manager, but I think it was the latter.

Good luck.

Regards,
Stephen Jones
Lloyd Systems Engineering

On Thu, Nov 29, 2012, at 10:59 AM, Johannes Schmid wrote:
> On 11/27/2012 08:32 PM, Matthieu Patou wrote:
> > On 11/27/2012 02:56 PM, Johannes Schmid wrote:
> > >
> > > # samba-tool dns query sambapdc.mydomain.local mydomain.local @ ALL
> > >
> > > ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
> > > File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> > > line 162, in _run
> > > return self.run(*args, **kwargs)
> > > File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line
> > > 925, in run
> >
> > Can you restart samba ?
> > Also can you rerun this command with -d 10 and post the log on the
> > list ?
>
> Restarting samba did not help (I already tried that multiple times).
>
> But thanks for the hint. I should have tried that myself! Anyway, I
> found what the problem is. Basically the problem cannot be seen in the
> samba-tool dns query debug output, but it can be seen on the samba
> *server* debug output. It look like the problem is an invalid record in
> the DNS zone:
>
> [2012/11/29 00:30:46, 2]
> ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>   dnsserver: Found DNS zone .
> [2012/11/29 00:30:46, 2]
> ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>   dnsserver: Found DNS zone mydomain.local
> [2012/11/29 00:30:46, 2]
> ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>   dnsserver: Found DNS zone 122.168.192.in-addr.arpa
> [2012/11/29 00:30:46, 2]
> ../source4/rpc_server/dnsserver/dnsdb.c:136(dnsserver_db_enumerate_zones)
>   dnsserver: Found DNS zone _msdcs.mydomain.local
> [2012/11/29 00:30:46, 1] ../librpc/ndr/ndr.c:411(ndr_pull_error)
>   ndr_pull_error(11): Pull bytes 10 (../librpc/ndr/ndr_basic.c:420)
> [2012/11/29 00:30:46, 0]
> ../source4/rpc_server/dnsserver/dnsdata.c:782(dns_fill_records_array)
>   dnsserver: Unable to parse dns record
> (DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local)Terminating
> connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
> [2012/11/29 00:30:46, 5]
> ../source4/lib/messaging/messaging.c:554(imessaging_cleanup)
>   imessaging: cleaning up /var/lib/samba/private/smbd.tmp/msg/msg.0:0.43
> [2012/11/29 00:30:46, 3]
> ../source4/smbd/process_single.c:104(single_terminate)
>   single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
>
> I now remember that I added the _kerberos.mydomain.local TXT record in
> the Windows DNS administration MSC GUI. I now know that it is not
> necessary at all and that it shouldn't be there :)
>
> But I get an error when trying to delete the record:
>
> # samba-tool dns delete sambapdc.mydomain.local mydomain.local _kerberos
> TXT MYDOMAIN.LOCAL
> ERROR: Deleting record of type TXT is not supported
>
> Looks like samba isn't ready for handling TXT records in DNS :-(
> Unfortunately, I s
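The nsupdate procedure from the reply above as a script (an added example, not code from the thread): it checks for a Kerberos ticket, reads the current SOA with dig so the new serial is the old one plus one rather than a hand-typed value, and feeds the delete/re-add batch to nsupdate -g. The zone, host and IP are the reply's placeholders; TXT_NAME defaults to the apex name the reply deletes and can be set to _kerberos.mydomain.local for the record named in the thread.

```shell
#!/bin/sh
# Rebuild the AD zone apex records with GSS-TSIG authenticated nsupdate.
# All names and addresses below are placeholders from the reply; adjust them.
ZONE="${ZONE:-mydomain.local}"
DC_HOST="${DC_HOST:-server.mydomain.local}"
DC_IP="${DC_IP:-192.168.0.1}"
TXT_NAME="${TXT_NAME:-$ZONE}"   # record to delete; the thread's was _kerberos.$ZONE

# Parse the serial out of one line of "dig +short <zone> SOA" output, e.g.
#   server.mydomain.local. hostmaster.mydomain.local. 2012112901 900 600 86400 3600
# and print serial+1, as the reply says to increment the serial on each update.
next_serial() {   # $1 = SOA line
    set -- $1
    serial=$3
    case "$serial" in
        ''|*[!0-9]*) echo "next_serial: cannot find a numeric serial" >&2; return 1 ;;
    esac
    echo $((serial + 1))
}

# Build the nsupdate batch: remove the TXT record, then re-add the SOA, NS and
# A records that provisioning creates. The serial is a parameter so the batch
# can be generated (and tested) without a live DNS server.
zone_apex_update() {   # $1 = new serial
    cat <<EOF
update delete $TXT_NAME TXT
update add $ZONE 3600 SOA $DC_HOST hostmaster.$ZONE $1 900 600 86400 3600
update add $ZONE 3600 NS $DC_HOST
update add $ZONE 3600 A $DC_IP
update add $DC_HOST 3600 A $DC_IP
send
EOF
}

# Live run: klist -s exits 0 only when a ticket is cached (run kinit first),
# then the current serial is read with dig and the batch goes to nsupdate -g.
apply_zone_apex_update() {
    klist -s || { echo "no Kerberos ticket: run kinit Administrator first" >&2; return 1; }
    soa=$(dig +short "$ZONE" SOA) || return 1
    serial=$(next_serial "$soa") || return 1
    zone_apex_update "$serial" | nsupdate -g
}

# Usage: ./apex-update.sh apply   (anything else prints the batch with a dummy serial)
if [ "${1:-}" = "apply" ]; then
    apply_zone_apex_update
else
    zone_apex_update 0
fi
```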
Re: [Samba] Samba4 on CentOS 6.3 - IPTABLES how-to???
Hi, Here is an extract from my post on installing Samba4 on CentOS6. I have iptables working - I used netstat and Wireshark to monitor the packets. - The ports needed are: 53, TCP & UDP (DNS) 88, TCP & UDP (Kerberos authentication) 135, TCP (MS RPC) 137, UDP (NetBIOS name service) 138, UDP (NetBIOS datagram service) 139, TCP (NetBIOS session service) 389, TCP & UDP (LDAP) 445, TCP (MS-DS AD) 464, TCP & UDP (Kerberos change/set password) 1024, TCP (this is a strange one but AD is using it) Add these to iptables: # iptables -A INPUT -p tcp --dport 53 -j ACCEPT # iptables -A INPUT -p udp --dport 53 -j ACCEPT # iptables -A INPUT -p udp --dport 137:138 -j ACCEPT # iptables -A INPUT -p tcp --dport 139 -j ACCEPT # iptables -A INPUT -p tcp --dport 445 -j ACCEPT # iptables -A INPUT -p tcp --dport 135 -j ACCEPT # iptables -A INPUT -p tcp --dport 88 -j ACCEPT # iptables -A INPUT -p udp --dport 88 -j ACCEPT # iptables -A INPUT -p tcp --dport 464 -j ACCEPT # iptables -A INPUT -p tcp --dport 389 -j ACCEPT # iptables -A INPUT -p udp --dport 389 -j ACCEPT # iptables -A INPUT -p tcp --dport 1024 -j ACCEPT - Looking at your rules, they are close to this. I believe it's the missing RPC (135) that's blocking RSAT. Cheers, Stephen Jones Lloyd Systems Engineering On Tue, Nov 27, 2012, at 12:39 AM, Andreas Krupp wrote: > Hello, > > I do appologize if this is something that was already discussed somewhere > else... but for now I was not able to find the appropriate How-To. > Would anybody know what the IPTABLES entries are to have working Samba4 > Domain Controller? 
> I tried the following:
>
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
> -A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
> -A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -p udp -m udp --dport 137 -j ACCEPT
> -A INPUT -p udp -m udp --dport 138 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
>
> With the above I was not able to connect via remote Administration tools
> to the Active Directory Service.
> Does anybody have a comprehensive list of ports/protocols one has to
> "open" in IPTABLES to get DNS, Samba, Fileshares, Active Directory, etc.
> working?
>
> Cheers & thank you very much for your help!
> Best,
> Andreas
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
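The comparison Stephen did by eye (Andreas's rules against the DC port list) as a script, added here as an example and not code from either poster: it parses INPUT ACCEPT rules in iptables-save syntax, including low:high port ranges, and reports which required protocol/port pairs are not opened. REQUIRED_DC_PORTS is the list from Stephen's post; ANDREAS_RULES is a constructed copy of the quoted ruleset.

```python
import re

# Ports Stephen's post lists as needed for a Samba4 AD DC.
REQUIRED_DC_PORTS = {
    ("tcp", 53), ("udp", 53),      # DNS
    ("tcp", 88), ("udp", 88),      # Kerberos authentication
    ("tcp", 135),                  # MS RPC
    ("udp", 137), ("udp", 138),    # NetBIOS name / datagram service
    ("tcp", 139),                  # NetBIOS session service
    ("tcp", 389), ("udp", 389),    # LDAP
    ("tcp", 445),                  # MS-DS AD
    ("tcp", 464), ("udp", 464),    # Kerberos change/set password
    ("tcp", 1024),                 # in use by AD according to the post
}

_PROTO = re.compile(r"-p\s+(tcp|udp)\b")
_DPORT = re.compile(r"--dport\s+(\d+)(?::(\d+))?")   # single port or low:high range
def accepted_ports(rules):
    """(proto, port) pairs opened by '-A INPUT ... -j ACCEPT' rules in iptables-save syntax."""
    opened = set()
    for line in rules.splitlines():
        line = line.strip()
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        proto, dport = _PROTO.search(line), _DPORT.search(line)
        if not proto or not dport:
            continue
        low = int(dport.group(1))
        high = int(dport.group(2) or low)
        opened.update((proto.group(1), p) for p in range(low, high + 1))
    return opened

def missing_dc_ports(rules, required=REQUIRED_DC_PORTS):
    """Required pairs that no ACCEPT rule covers, sorted by port then protocol."""
    return sorted(required - accepted_ports(rules), key=lambda p: (p[1], p[0]))

# Constructed copy of the ruleset Andreas posted (SERVERIP left as written there).
ANDREAS_RULES = """
-A INPUT -p tcp -m state --state NEW -m tcp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 749 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 88 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 389 -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -d SERVERIP/32 -p udp -m udp --sport 53 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
"""
```

`missing_dc_ports(ANDREAS_RULES)` returns tcp/53, tcp/135, udp/389, tcp/464, udp/464 and tcp/1024, i.e. the RPC port Stephen points at plus the other gaps; feed it `iptables-save` output to check a live DC.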
[Samba] Installation and Setup of Samba4 AD DC on CentOS6
s and apply them to the Samba4 installation. To list these contexts:

# semanage fcontext -l | grep -e samba -e smbd

I modified these to suit the Samba4 installation and defined a set of rules to relabel the Samba4 directories accordingly. These are applied as follows:

# semanage fcontext -a -t samba_initrc_exec_t "/etc/rc\.d/init\.d/samba4"
# semanage fcontext -a -t samba_etc_t "/etc/samba4(/.*)?"
# semanage fcontext -a -t samba_var_t "/var/lib/samba4(/.*)?"
# semanage fcontext -a -t named_var_run_t "/var/lib/samba4/private/dns(/.*)?"
# semanage fcontext -a -t named_conf_t "/var/lib/samba4/private/named.conf.*"
# semanage fcontext -a -t named_conf_t "/var/lib/samba4/private/dns.keytab"
# semanage fcontext -a -t samba_unconfined_script_exec_t "/var/lib/samba4/sysvol/[^/]*/scripts(/.*)?"
# semanage fcontext -a -t winbind_var_run_t "/var/lib/samba4/winbindd_privileged(/.*)?"
# semanage fcontext -a -t samba_log_t "/var/log/samba4(/.*)?"
# semanage fcontext -a -t smbd_var_run_t "/var/lock/samba4(/.*)?"
# semanage fcontext -a -t smbd_var_run_t "/var/run/samba4(/.*)?"
# semanage fcontext -a -t ntpd_var_run_t "/var/run/samba4/ntp_signd(/.*)?"
# semanage fcontext -a -t winbind_var_run_t "/var/run/samba4/winbindd(/.*)?"
# semanage fcontext -a -t winbind_var_run_t "/var/run/samba4/winbindd_privileged(/.*)?"

Then apply the new contexts:

# restorecon -v /etc/rc.d/init.d/samba4
# restorecon -R -v /etc/samba4
# restorecon -R -v /var/lib/samba4
# restorecon -R -v /var/log/samba4
# restorecon -R -v /var/lock/samba4
# restorecon -R -v /var/run/samba4

Locally defined file contexts are stored in /etc/selinux/targeted/contexts/files/file_contexts.local but this file cannot be edited by hand. Be aware that the order these are entered IS important. With pre-defined policies SELinux will apply the rules in a logical order with more specific rules taking preference over less specific ones. This is not the case with locally created rules.
They are applied sequentially as they are entered, so if the order is wrong you get the wrong result. That means having to delete some or all of the rules and enter them again in the correct order. I actually created a script to do this tedious task.

With the new file contexts in place I allowed SELinux to gather log data for a while, then used audit2allow to produce a file for generating a policy module:

# ausearch -m avc -ts dd/mm/yy | audit2allow -m samba4local > samba4local.te

I edited the samba4local.te file to remove the unwanted commentary. The result looked like this:

---***---
module samba4local 1.0;

require {
	type initrc_t;
	type named_t;
	type named_var_run_t;
	type ntpd_t;
	type ntpd_var_run_t;
	type smbd_t;
	type samba_unconfined_script_exec_t;
	type urandom_device_t;
	type var_lock_t;
	class unix_stream_socket connectto;
	class unix_dgram_socket sendto;
	class sock_file write;
	class chr_file write;
	class file { read write getattr open lock };
	class dir { read search };
}

#= named_t ==
allow named_t urandom_device_t:chr_file write;

#= ntpd_t ==
allow ntpd_t initrc_t:unix_stream_socket connectto;
allow ntpd_t ntpd_var_run_t:sock_file write;

#= smbd_t ==
allow smbd_t initrc_t:unix_dgram_socket sendto;
allow smbd_t initrc_t:unix_stream_socket connectto;
allow smbd_t named_var_run_t:file { read write getattr open lock };
allow smbd_t samba_unconfined_script_exec_t:dir read;
allow smbd_t urandom_device_t:chr_file write;
allow smbd_t var_lock_t:dir search;
---***---

Compile the module and create the policy package:

# checkmodule -M -m -o samba4local.mod samba4local.te
# semodule_package -o samba4local.pp -m samba4local.mod

Load the module:

# semodule -i samba4local.pp

With this policy in place SELinux should be able to run in enforcing mode without affecting Samba.
I also enabled the following SELinux booleans:

# setsebool -P samba_domain_controller on
# setsebool -P samba_enable_home_dirs on

SUMMARY

Overall I would like to say that I am very impressed with Samba4 and would like to thank the developers for this great software. Having AD and group policy is a massive improvement. I hope this feedback will be helpful to them and to others keen to implement Samba4. It really works!

--
Stephen Jones
Lloyd Systems Engineering

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
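The ordering warning about file_contexts.local above, turned into a check; this is an added example, not the script the post mentions. It takes the post's fcontext rules in the order the post enters them (parent tree before any rule for a subdirectory of it), extracts the literal path prefix of each regex, and flags any pair where a subdirectory rule was entered before the rule covering its parent tree, so a list can be verified before it is fed to semanage.

```python
# The post's fcontext rules, in the order it applies them (constructed copy).
FCONTEXT_RULES = [
    ("samba_initrc_exec_t", r"/etc/rc\.d/init\.d/samba4"),
    ("samba_etc_t", r"/etc/samba4(/.*)?"),
    ("samba_var_t", r"/var/lib/samba4(/.*)?"),
    ("named_var_run_t", r"/var/lib/samba4/private/dns(/.*)?"),
    ("named_conf_t", r"/var/lib/samba4/private/named.conf.*"),
    ("named_conf_t", r"/var/lib/samba4/private/dns.keytab"),
    ("samba_unconfined_script_exec_t", r"/var/lib/samba4/sysvol/[^/]*/scripts(/.*)?"),
    ("winbind_var_run_t", r"/var/lib/samba4/winbindd_privileged(/.*)?"),
    ("samba_log_t", r"/var/log/samba4(/.*)?"),
    ("smbd_var_run_t", r"/var/lock/samba4(/.*)?"),
    ("smbd_var_run_t", r"/var/run/samba4(/.*)?"),
    ("ntpd_var_run_t", r"/var/run/samba4/ntp_signd(/.*)?"),
    ("winbind_var_run_t", r"/var/run/samba4/winbindd(/.*)?"),
    ("winbind_var_run_t", r"/var/run/samba4/winbindd_privileged(/.*)?"),
]

def literal_stem(regex):
    """Leading literal path of a file-context regex: everything before the
    first regex metacharacter; a backslash-escaped character is a literal."""
    stem, i = [], 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):
            stem.append(regex[i + 1])
            i += 2
            continue
        if ch in ".*?+()[]{}|^$":
            break
        stem.append(ch)
        i += 1
    return "".join(stem)

def is_subtree(general, specific):
    """True if 'specific' lies strictly below the directory 'general'."""
    return specific.startswith(general.rstrip("/") + "/")

def misordered(rules):
    """(specific_regex, general_regex) pairs where a rule for a subtree was
    entered before the rule for the tree containing it; empty when fine."""
    bad = []
    for i, (_, spec_re) in enumerate(rules):
        spec = literal_stem(spec_re)
        for _, gen_re in rules[i + 1:]:
            if is_subtree(literal_stem(gen_re), spec):
                bad.append((spec_re, gen_re))
    return bad
```

`misordered(FCONTEXT_RULES)` is empty for the post's order; reversing the list reports, for example, the /var/lib/samba4/private/dns rule entered before /var/lib/samba4.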
[Samba] Re: Help with: "Cannot copy Filename: The specified network name is no longer available" error
Hello All,

I am encountering the exact same error message when accessing SMB shares through a pptp tunnel (using the linux pptp client on a SmoothWall gateway). The linux pptp folks pointed me towards the samba lists as this appears to be the source for SMB/NMB gurus where linux is involved.

I have a pptp tunnel to a remote SMB share that is accessible to clients behind the gateway. I don't experience any problems (so far) when accessing the file shares or transferring files across the ppp link from a single client. As soon as a second client initiates any kind of SMB traffic across the ppp tunnel, the first client's session halts with the "Cannot copy (unknown): the specified network resource is no longer available." message (exactly like the author of this thread describes.) The traffic started by the second client continues, until another client initiates SMB traffic, and so on. The ppp tunnel does not freeze or hang, or die, only the SMB session is terminated. The SMB shares are immediately accessible from the first client, but doing so kills the second session, etc.

A tcpdump capture on the gateway reveals a series of 4-6 packets described like this:

[SMB] [Short Frame]

In a row. The packets after the series of [Short Frame] packets are what appears to be "normal" SMB traffic headed for the second client. I don't know enough about what I am looking at in the tcpdump log to make heads or tails of it. I have tried every known mtu and mss trick in the book, and so far, all to no avail.

Does anyone have any ideas of where I should look next?

Kernel: 2.4.26 + mppe patch and pptp/gre conntrack patches
ppp: 2.4.2 (including mppe support)
pptp client: 1.4.0 - 1.5.0 rc1
iptables 1.2.9 + pptp/gre conntrack patches.

Thank you very much for your time and input.

SJ

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba