[Samba] unclean shutdown

2011-11-29 Thread Tamás Pisch
Hi,

I noticed error messages in the smbd log:
[2011/11/29 09:40:25.848558,  1] smbd/server.c:240(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown
[2011/11/29 09:44:07.666599,  1] smbd/server.c:267(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
It appears very frequently in the logs on the PDC (Samba 3.5.6) and on the
BDC (sernet-samba 3.5.9) too. Servers are Debian Squeeze on Xen. I googled
this message, but haven't found a solution (the server signing option was
mentioned, but it is set to no on both servers). I use an openldap backend.
Thanks in advance.

Tamas.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
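An added example, not from the post: a small Python parser for the two-line smbd log record format shown above (a header with timestamp, debug level and source location, then an indented message), used to count how often the post-crash cleanup fires per hour so that a spike can be alerted on. The sample log is constructed around the two records from the post; the connection record and the later cleanups are invented.

```python
import re
from collections import Counter
from datetime import datetime

# Samba 3.x debug log record: a header line
#   [YYYY/MM/DD HH:MM:SS.usec,  level] source_file:line(function)
# followed by one or more message lines indented with spaces.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?),\s*(?P<level>\d+)\]"
    r"\s+(?P<file>[^\s:]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)

# Constructed sample: the two records from the post, plus an invented normal
# connection record and three more cleanup records an hour later.
SAMPLE_LOG = """\
[2011/11/29 09:40:25.848558,  1] smbd/server.c:240(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown
[2011/11/29 09:44:07.666599,  1] smbd/server.c:267(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2011/11/29 09:50:12.000001,  1] smbd/service.c:1000(make_connection_snum)
  client 192.0.2.10 connected to service profiles as user t8 (constructed)
[2011/11/29 10:03:40.111111,  1] smbd/server.c:267(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
[2011/11/29 10:03:55.222222,  1] smbd/server.c:240(cleanup_timeout_fn)
  Cleaning up brl and lock database after unclean shutdown
[2011/11/29 10:41:09.333333,  1] smbd/server.c:267(remove_child_pid)
  Scheduled cleanup of brl and lock database after unclean shutdown
"""

def parse_samba_log(text):
    """Return one dict per record: time, level, file, func and joined message."""
    records, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            ts = m.group("ts")
            fmt = "%Y/%m/%d %H:%M:%S.%f" if "." in ts else "%Y/%m/%d %H:%M:%S"
            current = {"time": datetime.strptime(ts, fmt),
                       "level": int(m.group("level")),
                       "file": m.group("file"), "func": m.group("func"),
                       "message": ""}
            records.append(current)
        elif current is not None and raw[:1].isspace():
            # continuation of the current record's message
            current["message"] = (current["message"] + " " + raw.strip()).strip()
        # any other line (blank, or not in Samba's format) is ignored
    return records

def unclean_shutdown_events(records):
    """Records announcing the brl/lock database cleanup after a child died."""
    return [r for r in records if "unclean shutdown" in r["message"]]

def events_per_hour(events):
    return Counter(e["time"].strftime("%Y/%m/%d %H") for e in events)

def noisy_hours(events, threshold):
    """Hours in which the cleanup fired at least `threshold` times: a useful
    alert condition, since each one means smbd saw a child exit uncleanly."""
    return sorted(h for h, n in events_per_hour(events).items() if n >= threshold)

if __name__ == "__main__":
    events = unclean_shutdown_events(parse_samba_log(SAMPLE_LOG))
    for hour, n in sorted(events_per_hour(events).items()):
        print(hour, n)
    print("hours over threshold:", noisy_hours(events, 3))
```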


Re: [Samba] two PDCs

2010-07-14 Thread Tamás Pisch
As I see, when I send a reply and I leave [samba] in the subject, the SaMBa
archive gets confused. My topic is in several threads. Sorry.

> Look, I'm not sure if my emails are getting through or not, but drop this
> multi PDC thing.  It's just more complexity.
>
Dropped :)


> You need some sort of LDAP replication because you want authentication done
> locally.  Multi-master is more difficult to set up, but more flexible. There
> are other schemes.  I had some 16 servers setup this way and had very few
> difficulties.  It is quite resilient and reliable.  Here is a good primer:
>
> http://www.zytrax.com/books/ldap/ch7/
>
Thank you. It is important to me when people who have more experience than
me answer. Last year, when I set up my present system, I used zytrax.com,
and I found it very useful. At that time, I read about all the ldap
replication variants, and I finally chose a master-slave configuration with
the refreshAndPersist replication method.

>
>
>
> a. Master LDAP server in the HQ, and slave in the branch site,
> according
> to the SaMBa guide.
> b. Branch site uses master LDAP server too. It looks tempting, but
> difficult/dangerous to me.
> 2. PDC on the HQ, BDC on the branch site
> a. branch site uses slave LDAP server.
> b. Branch site uses master LDAP server too.
> In 1/a and 2/a, the VPN outage could be problem. Am I right?
>
> No, the b's are the problem if the VPN is down.  They're calling the
> "master" which is at the other end of the VPN.  The a's have a slave copy.
> All is good, unless they need to write to LDAP.  How much LDAP writing goes
> on in the branch?
>
Very few. I think users change their passwords very rarely. I manage users
with my own scripts, which call the smbldap-tools scripts. One important thing
remains: machine account passwords. It is automatic, and is repeated
periodically. A longer-than-some-minutes outage could be a serious problem.
Fortunately, it can be controlled:
http://support.microsoft.com/kb/175468/
I'm going to disable the machine account password change for the clients in
the branch office.

> As I know, only
> PDC writes to the LDAP database. Is that true?
>
> No.  If you're using smbldap-tools, the ldap calls are made via
> smbldap_bind.conf.  So with multi-master this whole dual PDC thing is fairly
> useless.  See, Multi-master...all are writable.
>

Now, I don't use smbldap-passwd for password changes. I use pam-ldap for it.

> Because in case of VPN
> outage, this situation has the same drawback.
> So, my main problem is the unreliable ADSL line. Can we live with slave
> server in the branch office?
>
>
> Yes, using Replication refreshOnly or Replication refreshAndPersist.  You
> can truly go apeshit with this stuff, making only pieces of the DIT
> available to branches.  Very nifty once you get it down.
>

So, I'm going to set up a slave ldap server in the branch site. It won't be
flexible, but I don't want troubles. If I had much time, I would make a
test system first, with multi-master replication.
Thanks all for your help, and if you have additional thoughts, they are
welcome.


Re: [Samba] two PDCs

2010-07-13 Thread Tamás Pisch
>
> How did you get it working like that so quickly?  Did you get it
> working with two primary domain controllers? (As opposed to one PDC
> and two BDC's?)
>
It should be some misunderstanding, because I didn't. I'm still planning the
setup.

>  Of course, my users only visited each others' offices "occasionally".
>
> If you have tons of movement between the offices, a one-domain
> solution may be forced upon you...
>
> Unfortunately, a lot of users are roaming users (teachers with laptop, and
>
> users). My plan is that I will set up separate profile shares on both side,
> but at least they can use their own username and even change their
> password.
> So, I would like to try the multi-PDC scenario with master and slave LDAP
> server, but I worry about a little.
>
>
> It makes very little sense to have multiple PDC's, and only adds to both
> administrative and user confusion IMHO.  Give the present workings of
> OpenLDAP, just pick a replication strategy the makes sense and use a single
> domain.   I've built and run a single domain on a 15 node VPN with
> multi-master OpenLDAP backend, and it is remarkably resilient.
>

About multi-master replication: Scott wrote that he had to deal with it a
lot, so he didn't recommend it. But I need one domain, because a lot of
users use both sites. So, I have the following options:
1. PDCs on each site, with the same domain, as chapter 6 describes.
   a. Master LDAP server in the HQ, and slave in the branch site, according
to the SaMBa guide.
   b. Branch site uses master LDAP server too. It looks tempting, but
difficult/dangerous to me.
2. PDC on the HQ, BDC on the branch site
   a. branch site uses slave LDAP server.
   b. Branch site uses master LDAP server too.
In 1/a and 2/a, the VPN outage could be a problem. Am I right? As I know, only
the PDC writes to the LDAP database. Is that true? Because in case of a VPN
outage, this situation has the same drawback.
So, my main problem is the unreliable ADSL line. Can we live with a slave
server in the branch office?

>
> How are you intending to keep roaming profiles in sync (the files on
> the server, not the stuff in LDAP)? Are you going to use rsync?
>
> Unless users jump from office to office, why bother.  I would set road
> warriors with local profiles and and sync their stuff in a manner
> appropriate to there schedules/primary location.
>

Students will have that problem, but they have to bow to it.


Re: [Samba] two PDCs

2010-07-12 Thread Tamás Pisch
2010/7/12 Scott Grizzard 

> > Of course, my users only visited each others' offices "occasionally".
> >> If you have tons of movement between the offices, a one-domain
> >> solution may be forced upon you...
> >>
> >> Unfortunately, a lot of users are roaming users (teachers with laptop,
> and
> > users). My plan is that I will set up separate profile shares on both
> side,
> > but at least they can use their own username and even change their
> password.
> > So, I would like to try the multi-PDC scenario with master and slave LDAP
> > server, but I worry about a little.
> >
>
> How are you intending to keep roaming profiles in sync (the files on
> the server, not the stuff in LDAP)?  Are you going to use rsync?
>
No, it won't be a 100% solution: the profiles will be independent (but it
will be progress, compared with the present situation: now, there is a
workgroup there, and no central server...). For laptop users it won't be a
problem: Windows syncs the locally stored profile to the server. For others,
it will be a little uncomfortable: they will have two different profiles.
The SaMBa examples deal with relatively small profiles, but here there are
bigger profiles: 30-100MB, and even bigger for teachers. I excluded only the
Documents folder from the profile dir.


Re: [Samba] two PDCs

2010-07-12 Thread Tamás Pisch
2010/7/9 Scott Grizzard 

Thank you for your detailed answer.

> If I recall
> correctly, I think Chapter 6 refers to running BDC's in each remote
> office, and only one PDC...
>

In that chapter, there are two scenarios (one domain in all branches, or
separate domains with reduced traffic), and one more scenario mentioned as a
possible alternative with multiple PDCs:
"When Samba-3 is configured to use an LDAP backend, it stores the domain
account information in a directory entry. This account entry contains the
domain SID. An unintended but exploitable side effect is that this makes it
possible to operate with more than one PDC on a distributed network.
...
This concept has not been exhaustively validated, though we can see no
reason why this should not work..."


> I found it is much easier to set up two separate domains and have them
> trust each other, using different branches of the same LDAP tree.
> Then, let one server write to one branch, the other server write to
> the other branch, and do multi-master replication between them.  That
> way, there is no worrying about simultaneous updates or any of that
> jazz.  Not as cool...or as elegant, but it made my life easier by
> isolating problems.


> Of course, my users only visited each others' offices "occasionally".
> If you have tons of movement between the offices, a one-domain
> solution may be forced upon you...
>
Unfortunately, a lot of users are roaming users (teachers with laptops, and
users). My plan is that I will set up separate profile shares on both sides,
but at least they can use their own username and even change their password.
So, I would like to try the multi-PDC scenario with master and slave LDAP
servers, but I worry about it a little.

>>> I have a PDC with a master ldap backend and a BDC with a slave ldap backend
>>> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
>>> server on another site (on Debian Squeeze). The two sites are connected
>>> with VPN (on not so reliable ADSL lines). I read an interesting network
>>> scenario in the Samba Guide chapter 6: theoretically it is possible to
>>> install one PDC on both sites, with the same domain, server name, and SID. I
>>> like this idea, but: is there anyone who tried that, and has experience with
>>> it?
>>


Re: [Samba] two PDCs

2010-07-11 Thread Tamás Pisch
> I have a PDC with a master ldap backend and a BDC with a slave ldap backend
> (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
> server on another site (on Debian Squeeze). The two sites are connected
> with VPN (on not so reliable ADSL lines). I read an interesting network
> scenario in the Samba Guide chapter 6: theoretically it is possible to
> install one PDC on both sites, with the same domain, server name, and SID. I
> like this idea, but: is there anyone who tried that, and has experience with
> it?
>
> No, but your best option is to simply use LDAP replication and install an
> LDAP server on the remote location server.  This way, auth traffic on the
> remote is always local (saving bandwidth) and is available regardless of the
> link being up or down.  Do the same with DNS, and you'll be quite happy with
> the results as will your users.
>
Thanks. Of course, local LDAP and DNS are fundamental. My problem is the
modifications (user and machine account passwords). They are written to the
master LDAP server. As Scott wrote me, I could set up multi-master
replication, but it is very hard.


[Samba] two PDCs

2010-07-09 Thread Tamás Pisch
Hello,

I have a PDC with a master ldap backend and a BDC with a slave ldap backend
(both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa
server on another site (on Debian Squeeze). The two sites are connected
with VPN (on not so reliable ADSL lines). I read an interesting network
scenario in the Samba Guide chapter 6: theoretically it is possible to
install one PDC on both sites, with the same domain, server name, and SID. I
like this idea, but: is there anyone who tried that, and has experience with
it?

Thank you, in advance.


Re: [Samba] default profile

2009-09-04 Thread Tamás Pisch
>
>  USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: User sid: S-1-5-19
>>
>
> Sorry, but I haven't followed this thread. But *this* looks
> wrong. A user should never have S-1-5-19 as SID. It must be
> of the form S-1-5-21-a-b-c-d where a,b,c and d are 32-bit
> numbers.
>

I don't know what that ID is, because I don't have a SID which starts like
that. t8's ID is:
S-1-5-21-1056419617-429938706-1326152232-4322
Interesting.

2009/9/2 Masao Garcia 

> There is a bug in Windows SP3 where if you change your password the first
> time logging into the domain on a computer, it will not copy down the
> Default User profile stored in the netlogon folder.  I believe there is a
> problem with roaming profiles as well, where changes are not saved back to
> the server where the profile is being saved.
>
>
> http://social.technet.microsoft.com/Forums/en-US/itproxpsp/thread/29d8987a-6
> 017-48bc-9972-dc8f8f80532c
>
This was the solution for me. If a user doesn't change his/her password the
first time, he/she gets the default profile from the netlogon share. XP
clients are with SP3 and have all updates, so congratulations to M$.

Thanks for all the answers.
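An added example (not from the thread): a Python SID parser and classifier that separates the well-known service SIDs that show up in a USERENV profile-load trace (S-1-5-18 LocalSystem, S-1-5-19 LocalService, S-1-5-20 NetworkService) from NT domain account SIDs of the S-1-5-21-a-b-c-RID form, applying the 32-bit sub-authority check mentioned above. The sample trace is constructed from the two SIDs quoted in the thread; the line layout copies the posted USERENV log.

```python
import re

# Well-known SIDs (a subset) that legitimately appear in a USERENV trace when
# Windows loads a service's profile, but never identify a domain user.
WELL_KNOWN = {
    "S-1-5-18": "LocalSystem",
    "S-1-5-19": "LocalService",
    "S-1-5-20": "NetworkService",
}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

def parse_sid(sid):
    """Split a SID string into (identifier authority, [sub-authorities]).
    Raises ValueError for malformed input or sub-authorities above 32 bits."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a SID: %r" % sid)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("bad sub-authorities: %r" % sid)
    return authority, subs

def classify_sid(sid):
    """("domain", domain_sid, rid) for S-1-5-21-a-b-c-RID account SIDs,
    ("well-known", name, None) for the table above, else ("other", sid, None)."""
    authority, subs = parse_sid(sid)
    if sid in WELL_KNOWN:
        return ("well-known", WELL_KNOWN[sid], None)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        domain = "S-1-5-21-%d-%d-%d" % tuple(subs[1:4])
        return ("domain", domain, subs[4])
    return ("other", sid, None)

# Only the "User sid:" lines of LoadUserProfile identify whose profile is loaded.
USERSID_RE = re.compile(r"LoadUserProfile: User sid: (S-[\d-]+)")

def profile_loads(trace):
    """Each profile-load SID in a USERENV trace with its classification."""
    return [(sid, classify_sid(sid)) for sid in USERSID_RE.findall(trace)]

def domain_accounts(trace):
    """(domain SID, RID) pairs of the real domain users whose profile was loaded."""
    return [(c[1], c[2]) for _, c in profile_loads(trace) if c[0] == "domain"]

# Constructed sample trace: the S-1-5-19 line from the thread, a service-token
# line that is not a profile load, and the user's own SID quoted in the thread.
SAMPLE_TRACE = """\
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: User sid: S-1-5-19
USERENV(2c4.3f4) 19:15:51:078 DropClientContext: Got client token 04EC, sid = S-1-5-18
USERENV(2fc.368) 19:16:06:656 LoadUserProfile: User sid: S-1-5-21-1056419617-429938706-1326152232-4322
"""

if __name__ == "__main__":
    for sid, (kind, detail, rid) in profile_loads(SAMPLE_TRACE):
        print(sid, "->", kind, detail, "" if rid is None else "RID %d" % rid)
```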


Re: [Samba] default profile

2009-09-02 Thread Tamás Pisch
I turned on profile debugging. When I logged in for the first time, I changed
the password.
Here is a part of the log (username is t8):

USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: Entering, hToken = <0x3d8>,
lpProfileInfo = 0x80f698
USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: lpProfileInfo->dwFlags =
<0x9>
USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: lpProfileInfo->lpUserName =

USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: NULL central profile path
USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: NULL default profile path
USERENV(2f0.3a0) 19:15:51:078 LoadUserProfile: NULL server name
USERENV(2f0.3a0) 19:15:51:078 GetInterface: Returning rpc binding handle
USERENV(2c4.3f4) 19:15:51:078 IProfileSecurityCallBack: client
authenticated.
USERENV(2c4.3f4) 19:15:51:078 DropClientContext: Got client token 04EC,
sid = S-1-5-18
USERENV(2c4.3f4) 19:15:51:093 MIDL_user_allocate enter
USERENV(2c4.3f4) 19:15:51:093 DropClientContext: load profile object
successfully made
USERENV(2c4.3f4) 19:15:51:093 DropClientContext: Returning 0
USERENV(2f0.3a0) 19:15:51:093 LoadUserProfile: Calling DropClientToken (as
self) succeeded
USERENV(2c4.2dc) 19:15:51:093 IProfileSecurityCallBack: client
authenticated.
USERENV(2c4.2dc) 19:15:51:093 In LoadUserProfileP
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Running as client
USERENV(2c4.2dc) 19:15:51:093
=
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Entering, hToken = <0x4f8>,
lpProfileInfo = 0xef0800
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: lpProfileInfo->dwFlags =
<0x9>
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: lpProfileInfo->lpUserName =

USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: NULL central profile path
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: NULL default profile path
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: NULL server name
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: User sid: S-1-5-19
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::EnterLock 
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::EnterLock: No existing entry
found
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::EnterLock: New entry created
USERENV(2c4.2dc) 19:15:51:093 CHashTable::HashAdd: S-1-5-19 added in bucket
12
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Wait succeeded. In critical
section.
USERENV(2c4.2dc) 19:15:51:093 TestIfUserProfileLoaded:  Profile already
loaded.
USERENV(2c4.2dc) 19:15:51:093 Profile Ref Count is 2
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Leaving critical Section.
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::LeaveLock 
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::LeaveLock: Lock released
USERENV(2c4.2dc) 19:15:51:093 CHashTable::HashDelete: S-1-5-19 deleted
USERENV(2c4.2dc) 19:15:51:093 CSyncManager::LeaveLock: Lock deleted
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Impersonated user: 04f8,
0118
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Reverted to user: 
USERENV(2c4.2dc) 19:15:51:093 LoadUserProfile: Reverted back to user
<>
USERENV(2c4.2dc) 19:15:51:109 LoadUserProfile: Leaving with a value of 1.
USERENV(2c4.2dc) 19:15:51:109
=
USERENV(2c4.2dc) 19:15:51:109 LoadUserProfileI: returning 0
USERENV(2f0.3a0) 19:15:51:109 LoadUserProfile: Running as self
USERENV(2f0.3a0) 19:15:51:109 LoadUserProfile: Calling LoadUserProfileI (as
user) succeeded
USERENV(2f0.3a0) 19:15:51:109 LoadUserProfile:  Returning success.  Final
Information follows:
USERENV(2f0.3a0) 19:15:51:109 lpProfileInfo->UserName = 
USERENV(2f0.3a0) 19:15:51:109 lpProfileInfo->lpProfilePath = <>
USERENV(2f0.3a0) 19:15:51:109 lpProfileInfo->dwFlags = 0x9
USERENV(2c4.3f4) 19:15:51:109 IProfileSecurityCallBack: client
authenticated.
USERENV(2c4.3f4) 19:15:51:109 ReleaseClientContext: Releasing context
USERENV(2c4.3f4) 19:15:51:109 ReleaseClientContext_s: Releasing context
USERENV(2c4.3f4) 19:15:51:109 MIDL_user_free enter
USERENV(2f0.3a0) 19:15:51:109 ReleaseInterface: Releasing rpc binding handle
USERENV(2f0.3a0) 19:15:51:109 LoadUserProfile: Returning TRUE. hProfile =
<0x43c>
USERENV(2f0.3a0) 19:15:51:109 GetUserDNSDomainName:  Domain name is NT
Authority.  No DNS domain name available.
USERENV(f4.f8) 19:15:51:171 LibMain: Process Name:
C:\WINDOWS\System32\alg.exe
USERENV(47c.770) 19:15:51:281 GetProfileType:  Profile already loaded.
USERENV(47c.770) 19:15:51:281 LoadProfileInfo:  Failed to query central
profile with error 2
USERENV(47c.770) 19:15:51:281 GetProfileType: ProfileFlags is 0
USERENV(2fc.368) 19:16:06:656 LoadUserProfile: Yes, we can impersonate the
user. Running as self
USERENV(2fc.368) 19:16:06:656
=
USERENV(2fc.368) 19:16:06:656 LoadUserProfile: Entering, hToken = <0x644>,
lpProfileInfo = 0xb2fa0c
USERENV(2fc.368) 19:16:06:656 LoadUserProfile: lpProfileInfo->dwFlags =
<0x1>
USERENV(2fc.368) 19:16:06:656 LoadUserProfile: lpProfileInfo->lpUserName =

USERENV(2fc.368) 19:16:06:656 LoadUserPr

Re: [Samba] default profile

2009-09-01 Thread Tamás Pisch
2009/9/1 Adam Williams 

>
>
> Tamás Pisch wrote:
>
> 2009/8/31 Adam Williams  
> 
>
>my computer properties, advanced tab, user profiles.  is user set to local
> and not roaming? does it only happen to certain
>
>
>  local profile
>
>
>
>
> change local profile to roaming in the my computer properties, advanced,
> user profiles section.
>

I cannot, because it is inactive (grayed).

Re: [Samba] default profile

2009-09-01 Thread Tamás Pisch
2009/8/31 Adam Williams 

> my computer properties, advanced tab, user profiles.  is user set to local
> and not roaming? does it only happen to certain


local profile


> users?  or users that authenticate against the BDC?
>
I stopped samba on the bdc, but it didn't help. The login script runs, system
policies are applied, but it doesn't want to use the default profile from the
netlogon share.



> Tamás Pisch wrote:
>
>> Hi,
>>
>> I installed a SaMBa PDC and a BDC. When I log in to an XP client with a
>> new
>> user, sometimes I get the initial profile settings from the netlogon
>> share,
>> but often from local. When I get the local default settings, it is not
>> synchronized to the server at logout. Even if I get the new profile from
>> the
>> server, on the same client, next time, with a new user, I get the new
>> profile from local. I don't understand why, and I didn't get error
>> message/log.
>> PDC's smb.conf:
>> [global]
>>dos charset = CP852
>>unix charset = UTF8
>>workgroup = PERCZELMOR
>>server string = %h - PERCZELMOR PDC
>>interfaces = 127.0.0.0/8, eth0
>>bind interfaces only = Yes
>>passdb backend = ldapsam:"ldap://127.0.0.1:389";
>>log level = 1 auth:2
>>log file = /var/log/samba/log.%m
>>max log size = 1000
>>smb ports = 139
>>name resolve order = wins host bcast
>>time server = Yes
>>printcap name = /etc/printcap
>>rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
>>add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>delete group script = /usr/sbin/smbldap-groupdel "%g"
>>add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>logon script = scripts\logon.cmd
>>logon path = \\SRV3\profiles\%U
>>logon drive = H:
>>logon home = \\SRV3\%U
>>domain logons = Yes
>>preferred master = Yes
>>wins support = Yes
>>ldap admin dn = cn=su,dc=perczelmor,dc=site
>>ldap group suffix = ou=Groups
>>ldap idmap suffix = ou=Idmap
>>ldap machine suffix = ou=People
>>ldap passwd sync = Yes
>>ldap suffix = dc=perczelmor,dc=site
>>ldap ssl = no
>>ldap user suffix = ou=People
>>eventlog list = Security, Application, Syslog
>>usershare max shares = 0
>>usershare path = /home/samba/usershares
>>panic action = /usr/share/samba/panic-action %d
>>idmap uid = 1-2
>>idmap gid = 1-2
>>create mask = 0777
>>map acl inherit = Yes
>>veto oplock files = /*.pdf/*.pst/
>>browseable = No
>>csc policy = disable
>>
>> [netlogon]
>>comment = Network Logon Service
>>path = /home/samba/netlogon
>>guest ok = Yes
>>fake oplocks = Yes
>>
>> [profiles]
>>comment = Users profiles
>>path = /home/samba/profiles
>>read only = No
>>create mask = 0600
>>directory mask = 0700
>>profile acls = Yes
>>
>> 
>>
>> BDC's smb.conf:
>> [global]
>>dos charset = CP852
>>unix charset = UTF8
>>workgroup = PERCZELMOR
>>server string = %h - PERCZELMOR BDC
>>interfaces = 127.0.0.0/8, eth0
>>bind interfaces only = Yes
>>passdb backend = ldapsam:"ldap://127.0.0.1:389";
>>syslog = 2
>>log file = /var/log/samba/log.%m
>>max log size = 1000
>>smb ports = 139
>>name resolve order = wins host bcast
>>time server = Yes
>>printcap name = /etc/printcap
>>logon script = scripts\logon.cmd
>>logon path = \\SRV3\profiles\%U
>>logon drive = H:
>>logon home = \\SRV3\%U
>>domain logons = Yes
>>domain master = No
>>dns proxy = No
>>wins server = 192.168.0.3
>>ldap admin dn = cn=su,dc=perczelmor,dc=site
>>ldap group suffix = ou=Groups
>>ldap idmap suffix = ou=Idmap
>>ldap machine suffix = ou=People
>>ldap passwd sync = Yes
>>ldap suffix = dc=perczelmor,dc=site
>>ldap ssl = no
>>ldap user suffix = ou=People
>>eventlog list = Security, Application, Syslog
>>usershare max shares = 0
>>panic action = /usr/share/samba/panic-action %d
>>idmap uid = 1-2
>>idmap gid = 1-2
>>map acl inherit = Yes
>>veto oplock files = /*.pdf/*.pst/
>>browseable = No
>>
>> [netlogon]
>>comment = Network Logon Service
>>path = /home/samba/netlogon
>>guest ok = Yes
>>fake oplocks = Yes
>>
>> Any idea? What can I check/change?
>> Thanks, in advance.
>>
>> Tamas.
>>
>>
>
>

[Samba] default profile

2009-08-31 Thread Tamás Pisch
Hi,

I installed a SaMBa PDC and a BDC. When I log in to an XP client with a new
user, sometimes I get the initial profile settings from the netlogon share,
but often from local. When I get the local default settings, they are not
synchronized to the server at logout. Even if I get the new profile from the
server, on the same client, next time, with a new user, I get the new
profile from local. I don't understand why, and I didn't get an error
message/log.
PDC's smb.conf:
[global]
dos charset = CP852
unix charset = UTF8
workgroup = PERCZELMOR
server string = %h - PERCZELMOR PDC
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
passdb backend = ldapsam:"ldap://127.0.0.1:389";
log level = 1 auth:2
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139
name resolve order = wins host bcast
time server = Yes
printcap name = /etc/printcap
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = scripts\logon.cmd
logon path = \\SRV3\profiles\%U
logon drive = H:
logon home = \\SRV3\%U
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap admin dn = cn=su,dc=perczelmor,dc=site
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=perczelmor,dc=site
ldap ssl = no
ldap user suffix = ou=People
eventlog list = Security, Application, Syslog
usershare max shares = 0
usershare path = /home/samba/usershares
panic action = /usr/share/samba/panic-action %d
idmap uid = 1-2
idmap gid = 1-2
create mask = 0777
map acl inherit = Yes
veto oplock files = /*.pdf/*.pst/
browseable = No
csc policy = disable

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
fake oplocks = Yes

[profiles]
comment = Users profiles
path = /home/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
profile acls = Yes



BDC's smb.conf:
[global]
dos charset = CP852
unix charset = UTF8
workgroup = PERCZELMOR
server string = %h - PERCZELMOR BDC
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
passdb backend = ldapsam:"ldap://127.0.0.1:389";
syslog = 2
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139
name resolve order = wins host bcast
time server = Yes
printcap name = /etc/printcap
logon script = scripts\logon.cmd
logon path = \\SRV3\profiles\%U
logon drive = H:
logon home = \\SRV3\%U
domain logons = Yes
domain master = No
dns proxy = No
wins server = 192.168.0.3
ldap admin dn = cn=su,dc=perczelmor,dc=site
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=perczelmor,dc=site
ldap ssl = no
ldap user suffix = ou=People
eventlog list = Security, Application, Syslog
usershare max shares = 0
panic action = /usr/share/samba/panic-action %d
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = Yes
veto oplock files = /*.pdf/*.pst/
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = Yes
fake oplocks = Yes

Any idea? What can I check/change?
Thanks, in advance.

Tamas.


[Samba] idmap problem

2009-07-15 Thread Tamás Pisch
Hi,

I configured a SaMBa PDC and a BDC with a master and a slave OpenLDAP. I set
up TLS, because I wanted secure syncrepl. Slapd runs with -h ldap://127.0.0.1/
ldaps:///.
I successfully joined an XP client to the servers' domain, and I see shares
(but I haven't logged in as a domain user, because I have to create a default
profile first).
My problem is in the log.winbindd-idmap log file:
[2009/07/15 09:24:23,  1] winbindd/idmap.c:idmap_init(385)
  Initializing idmap domains
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(396)
  idmap_init: Ignoring domain MYDOMAIN
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(549)
  ERROR: Could not get methods for backend ldapsam
[2009/07/15 09:24:23,  0] winbindd/idmap.c:idmap_init(801)
  Aborting IDMAP Initialization ...

smb.conf:
netbios name = SRV3
dos charset = CP852
unix charset = UTF8
workgroup = MYDOMAIN
interfaces = 127.0.0.0/8, eth0
bind interfaces only = Yes
passdb backend = ldapsam:"ldap://127.0.0.1:389";
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
username map = /etc/samba/username.map
unix password sync = Yes
log level = 1 idmap:10
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
smb ports = 139
name resolve order = wins host bcast
time server = Yes
.
.
.
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap admin dn = cn=adm,dc=mydomain,dc=site
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap passwd sync = Yes
ldap suffix = dc=mydomain,dc=site
ldap user suffix = ou=People
eventlog list = Security, Application, Syslog
usershare max shares = 0
usershare path = /home/samba/usershares
panic action = /usr/share/samba/panic-action %d
idmap backend = ldapsam:ldap://127.0.0.1:389
idmap uid = 1-2
idmap gid = 1-2
map acl inherit = Yes
veto oplock files = /*.pdf/*.pst/

/etc/ldap/ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
logdir /var/lib/ldap/log
TLS_REQCERT  hard
TLS_CACERT /etc/ssl/certs/cacert.pem

slapd.conf:
###
# Global Directives:
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba3.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel conns stats filter
idletimeout 30
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload syncprov
sizelimit unlimited
tool-threads 1
TLSCertificateFile /etc/ssl/certs/srv3cert.pem
TLSCertificateKeyFile /etc/ssl/private/srv3key.pem
TLSCACertificateFile /etc/ssl/certs/cacert.pem
TLSVerifyClient never

###
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend hdb
database hdb
suffix "dc=mydomain,dc=site"
rootdn  "cn=adm,dc=mydomain,dc=site"
rootpw  {SSHA}...
directory   "/var/lib/ldap"
dbconfig set_cachesize 0 1 1
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
dbconfig set_lg_regionmax 262144
dbconfig set_lg_bsize 524288
dbconfig set_lg_dir /var/lib/ldap/log
dbconfig set_flags   DB_LOG_AUTOREMOVE
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid   pres,sub,eq
index displayName   pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq
index sambaSID  eq
index sambaPrimaryGroupSID  eq
index sambaDomainName   eq
index default   sub
index sambaSIDList  eq
index sambaGroupType eq
index entryCSN,entryUUID eq
lastmod on
checkpoint  512 30

access to *
by dn.exact="cn=replicator,dc=mydomain,dc=site" tls_ssf=128 read
by * break

access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdCanChange
by dn="cn=admin,dc=mydomain,dc=site" write
by dn="cn=replicator,dc=mydomain,dc=site" read
by anonymous auth
by self write
by * none

access to dn.base="" by * read

access to *
by dn="cn=admin,dc=mydomain,dc=site" write
by dn="cn=replicator,dc=mydomain,dc=site" read
by self write
by * read

overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

libnss-ldap.conf:
host 127.0.0.1
base dc=mydomain,dc=site
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
nss
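An added example, not from the post or from OpenLDAP: a Python model of slapd's first-match ACL evaluation, run over the three access clauses in the posted slapd.conf. It assumes simplified slapd.access(5) semantics (exact DN matching, an unmet tls_ssf makes a by clause not match, break continues with the next clause, an applying clause with no match denies) and shows a gap in the posted rules: the replicator DN's read on the password hashes is granted again by the second clause without the tls_ssf=128 condition of the first, so the hardened copy adds that condition there. The admin and replicator DNs come from the posted config; the user DNs are constructed.

```python
# Slapd's access control (slapd.access(5)), simplified: "access to" clauses are
# tried in order and the first one whose target covers the attribute decides;
# inside it the first "by" whose subject matches wins. A tls_ssf requirement is
# part of subject matching, so an unmet one falls through to the next "by";
# "break" leaves the clause but keeps evaluating later clauses; a clause that
# applied with no matching "by" denies. DNs are compared exactly (no regex).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,dc=mydomain,dc=site"
REPLICATOR = "cn=replicator,dc=mydomain,dc=site"
PASSWORD_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword",
                  "sambaPwdLastSet", "sambaPwdCanChange"}

# The posted slapd.conf ACLs transcribed as (target, [(who, min_tls_ssf, level)]):
# target is "*" (any attribute) or a set of attribute names; who is "*",
# "anonymous", "self" or ("dn", <exact dn>).
PAGE_ACL = [
    ("*", [(("dn", REPLICATOR), 128, "read"),
           ("*", 0, "break")]),
    (PASSWORD_ATTRS, [(("dn", ADMIN), 0, "write"),
                      (("dn", REPLICATOR), 0, "read"),
                      ("anonymous", 0, "auth"),
                      ("self", 0, "write"),
                      ("*", 0, "none")]),
    ("*", [(("dn", ADMIN), 0, "write"),
           (("dn", REPLICATOR), 0, "read"),
           ("self", 0, "write"),
           ("*", 0, "read")]),
]

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    return bind_dn is not None and bind_dn.lower() == who[1].lower()

def access(acl, attr, bind_dn, target_dn, tls_ssf=0):
    """Access level `bind_dn` (None = anonymous) gets on `attr` of `target_dn`."""
    for target, by_list in acl:
        if target != "*" and attr not in target:
            continue
        for who, min_ssf, level in by_list:
            if not who_matches(who, bind_dn, target_dn) or tls_ssf < min_ssf:
                continue
            if level == "break":
                break               # leave this clause, try the next one
            return level
        else:
            return "none"           # clause applied, nobody matched: deny
    return "none"                   # no clause applied: deny

def can(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def cleartext_hash_readers(acl, subjects, target_dn, attr="sambaNTPassword"):
    """Names of subjects that can read `attr` over a connection without TLS."""
    return [name for name, dn in subjects
            if can(access(acl, attr, dn, target_dn, tls_ssf=0), "read")]

def require_tls(acl, dn, min_ssf=128):
    """Copy of `acl` where every grant to `dn` in attribute-specific clauses
    (the password clause here) also demands TLS, as the first clause does."""
    hardened = []
    for target, by_list in acl:
        if target == "*":
            hardened.append((target, by_list))
            continue
        hardened.append((target, [(who, min_ssf if who == ("dn", dn) else ssf, lvl)
                                  for who, ssf, lvl in by_list]))
    return hardened

HARDENED_ACL = require_tls(PAGE_ACL, REPLICATOR)

if __name__ == "__main__":
    user = "uid=t8,ou=People,dc=mydomain,dc=site"       # constructed user entry
    subjects = [("admin", ADMIN), ("replicator", REPLICATOR),
                ("t8 (self)", user), ("anonymous", None)]
    print("posted ACL, no TLS:", cleartext_hash_readers(PAGE_ACL, subjects, user))
    print("hardened ACL, no TLS:", cleartext_hash_readers(HARDENED_ACL, subjects, user))
```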

Re: [Samba] PAM LDAP password change error

2009-07-01 Thread Tamás Pisch
Hi,

thanks for your advice. I set it, and the unix passwd sync too. I restored
the original /etc/pam.d/passwd file. This way it seems to work. Soon I will
test the installation with a Windows client too. One additional piece of
info: I use smbldap-passwd instead of smbpasswd.

2009/6/25 Adam Williams 

> why not just use ldap passwd sync = yes, and then change passwords with
> smbpasswd?
>
>
> Tamás Pisch wrote:
>
>> Hi,
>>
>> I am going through the Samba Guide, Making Happy Users, for the second
>> time. I am configuring Debian Lenny on Xen.
>> I have a problem with PAM. When I try to change a user's password with
>> smbldap-passwd it runs without error, but when I try to log in I get the
>> "Login incorrect" message. When I try to change a user's password with
>> passwd I get the "Authentication service cannot retrieve authentication
>> info" message.
>> I removed all ACLs from slapd.conf.
>> I tried to follow the second version of the PAM configuration, because as
>> far as I can see, on Debian pam_unix2.so doesn't support LDAP.
>> I didn't include pam_pwcheck.so, because it gave me an error that it
>> couldn't find that module.
>> /etc/pam.d/passwd:
>> auth     sufficient  pam_ldap.so
>> account  sufficient  pam_ldap.so
>> password sufficient  pam_ldap.so
>> password required    pam_unix2.so   nullok use_first_pass use_authtok
>>
>> /etc/nsswitch.conf:
>> passwd: files ldap
>> group:  files ldap
>> shadow: files ldap
>>
>> Thanks, in advance.
>>
>>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] PAM LDAP password change error

2009-06-25 Thread Tamás Pisch
Hi,

I am going through the Samba Guide, Making Happy Users, for the second time.
I am configuring Debian Lenny on Xen.
I have a problem with PAM. When I try to change a user's password with
smbldap-passwd it runs without error, but when I try to log in I get the
"Login incorrect" message. When I try to change a user's password with
passwd I get the "Authentication service cannot retrieve authentication
info" message.
I removed all ACLs from slapd.conf.
I tried to follow the second version of the PAM configuration, because as far
as I can see, on Debian pam_unix2.so doesn't support LDAP.
I didn't include pam_pwcheck.so, because it gave me an error that it couldn't
find that module.
/etc/pam.d/passwd:
auth     sufficient  pam_ldap.so
account  sufficient  pam_ldap.so
password sufficient  pam_ldap.so
password required    pam_unix2.so   nullok use_first_pass use_authtok

/etc/nsswitch.conf:
passwd: files ldap
group:  files ldap
shadow: files ldap

Thanks, in advance.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] some question about BDCs

2009-04-27 Thread Tamás Pisch
Hi,

>>It will not interoperate with a PDC (NT4 or Samba) to synchronize
> >>the SAM from delta files that are held by BDCs.
>
> Samba3 BDCs cannot do SAM sync with a Windows NT4 PDC.  Samba3 BDCs pass
> update requests to the Samba3 PDC - and the PDC will then apply the update
> to the LDAP directory.  It is possible to configure a Samba3 BDC to update
> LDAP directly - the choice is yours.
>
> > So, when I have SaMBa PDC (with master LDAP) and BDC (with slave LDAP),
> > can
> > BDC update machine and/or user information or not?
>
> Yes, when a BDC receives an update request it will pass it to the PDC.


> > As I understand it, only the
> > LDAP solution is suitable for a PDC-BDC setup, because "domain member
> > servers and workstations periodically change the Machine Trust Account
> > password", so the BDC has to update some data.
> > As I understand it, the BDC can change at least Machine Trust Account passwords.
> > Additional question: can a user change his/her login password when he/she
> > is connected to the BDC (in case the PDC is available and in case the PDC
> > is temporarily unavailable)?
>
> It depends on how the BDC is configured to integrate with LDAP.  It is
> possible to configure a Samba3 BDC to directly write to the LDAP master.
> This may not be an optimum solution, but it does work.
>

I would like to set up a configuration where the BDC can serve the network
even when the PDC (with its master LDAP database) is temporarily unavailable.
Serving means at least password changes, but ideally the other user and
computer management tasks too. How can I do this? It is not good when the BDC
writes to the PDC's master LDAP, because the master LDAP will be on the PDC,
so when the Samba 3 PDC is out, the master LDAP is out too. Is a multi-master
LDAP configuration the solution for this?


>
> > I read in TOSHARG2 too that in the BDC's smb.conf,
> > I don't need user/group modification scripts, so I guess, I cannot
> > add/modify them from the BDC.
>
> You can - IF the BDC is given direct write access to the LDAP directory.
>
> - John T.
>

To the master LDAP; that is why I am thinking about a multi-master setup, if
that scenario ensures availability and consistency too.

Thanks, in advance

Tamas.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] some question about BDCs

2009-04-24 Thread Tamás Pisch
Hi,

I want to set up a Samba PDC and BDC with LDAP. I read TOSHARG2, but I don't
understand something:

> Samba-3 cannot participate in true SAM replication and is therefore not
> able to employ precisely the same protocols used by MS Windows NT4. A
> Samba-3 BDC will not create SAM update delta files.

OK, I understand up to that point, but:

> It will not interoperate with a PDC (NT4 or Samba) to synchronize
> the SAM from delta files that are held by BDCs.
> The BDC is said to hold a read-only of the SAM from which it is able to
> process network logon requests and authenticate users. The BDC can
> continue to provide this service, particularly while, for example, the
> wide-area network link to the PDC is down.

So, when I have a Samba PDC (with master LDAP) and a BDC (with slave LDAP), can
the BDC update machine and/or user information or not? As I understand it, only
the LDAP solution is suitable for a PDC-BDC setup, because "domain member
servers and workstations periodically change the Machine Trust Account
password", so the BDC has to update some data.
As I understand it, the BDC can change at least Machine Trust Account passwords.
Additional question: can a user change his/her login password when he/she is
connected to the BDC (in case the PDC is available and in case the PDC is
temporarily unavailable)? I also read in TOSHARG2 that in the BDC's smb.conf
I don't need user/group modification scripts, so I guess I cannot
add/modify them from the BDC.

Thanks.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Re: %L substitution error

2009-03-29 Thread Tamás Pisch
>> as I wrote some weeks ago, I am walking through the Samba Guide/Making happy
>> users. I struggled some days with roaming profiles. The client didn't find
>> the default profile on the server (but it applied NTConfig.POL from that
>> share). Finally I found in the Windows roaming profile debug log an error:
>> it always referred to \\%L\profiles. When I set the logon home parameter in
>> smb.conf, it didn't help, but when I used:
>> smbldap-usermod -F massive\\profiles\\bobj
>> the client applied the roaming profile successfully. I could change the
>> userProfile setting in smbldap.conf, but maybe it would be better to use
>> the flexible %L substitution.
>> How can I avoid this fixed setting?
>> If you need detailed configuration info, please ask me to give it.
>
> Oh well, every backslash has to be escaped ... so a %L\\profiles should
> work, but better to use //%L/profiles instead.

Thanks for your answer. I tried out your suggestion, but it didn't
solve the problem. I tried the following:
smbldap-usermod -F %LOGONSERVER%\\profiles\\bobj bobj
It worked. %LOGONSERVER% is a Windows environment variable. So, in
smb.conf, in the logon path parameter, I can use Samba variables, but
in the LDAP directory, in the sambaProfilePath attribute, I can use
Windows variables.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] %L substitution error

2009-03-26 Thread Tamás Pisch
Hi,

as I wrote some weeks ago, I am walking through the Samba Guide/Making happy
users. I struggled some days with roaming profiles. The client didn't find
the default profile on the server (but it applied NTConfig.POL from that
share). Finally I found in the Windows roaming profile debug log an error:
it always referred to \\%L\profiles. When I set the logon home parameter in
smb.conf, it didn't help, but when I used:
smbldap-usermod -F massive\\profiles\\bobj
the client applied the roaming profile successfully. I could change the
userProfile setting in smbldap.conf, but maybe it would be better to use the
flexible %L substitution.
How can I avoid this fixed setting?
If you need detailed configuration info, please ask me to give it.

Thanks.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] smbldap-useradd/getent group problem

2009-03-13 Thread Tamás Pisch
Hi,

I'm walking through the Samba Guide, chapter Making Happy Users, on Debian Lenny.
It's hard for me, because I'm new to LDAP. I add users with smbldap-useradd
-m -a xyz, smbldap-passwd xyz, smbpasswd xyz and they run without error.
getent passwd
xyz:x:1008:513:System User:/data/users/xyz:/bin/bash

id xyz
uid=1008(xyz) gid=513(Domain Users) groups=513(Domain Users)

OK so far, but:
getent group
...
Domain Users:*:513:
...

According to the Guide, it should look like:
Domain Users:*:513:xyz

Why doesn't it, and how can I correct it?

Thanks, in advance.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
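
The two outputs in the post are consistent with each other, and the following added example (not from the post, the Samba Guide or smbldap-tools) shows why: `id xyz` reports gid 513 because the user entry's gidNumber says so, while nss_ldap fills the member column of `getent group` only from the group entry's memberUid values, which smbldap-useradd does not touch. However the Guide's run got there, its `Domain Users:*:513:xyz` line corresponds to xyz also being a memberUid of the group. The script reads a constructed LDIF snapshot (the ou=Groups/ou=Users DNs, the Domain Admins entry and its root member are assumptions; 513 and xyz are from the post), reproduces both views, and emits the ldapmodify record that adds the missing memberUid; `smbldap-groupmod -m xyz "Domain Users"` does the same through smbldap-tools.

```python
"""Why `getent group` prints `Domain Users:*:513:` while `id xyz` shows gid 513.
Added example, not from the post, the Samba Guide or smbldap-tools: nss_ldap fills the
member column of a group from that group's memberUid values only, while a primary group
is recorded solely as gidNumber on the user entry, so a freshly created user is not
listed under its primary group until a memberUid value is added there as well."""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of `attr: value` lines,
    repeated attributes collected into lists (no base64, no folded lines)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr.strip(), []).append(value.strip())
        else:
            raise ValueError("not an attr: value line: " + line)
    if current:
        entries.append(current)
    return entries


def _has_class(entry, oc):
    return oc.lower() in (c.lower() for c in entry.get("objectClass", []))


def getent_group(entries):
    """Group lines the way nss_ldap reports them: name:*:gid:memberUid,..."""
    lines = []
    for g in entries:
        if _has_class(g, "posixGroup"):
            members = ",".join(g.get("memberUid", []))
            lines.append(f"{g['cn'][0]}:*:{g['gidNumber'][0]}:{members}")
    return lines


def effective_members(entries):
    """gid -> sorted uids that belong through gidNumber (primary) or memberUid."""
    members = {}
    for g in entries:
        if _has_class(g, "posixGroup"):
            members[g["gidNumber"][0]] = set(g.get("memberUid", []))
    for u in entries:
        if _has_class(u, "posixAccount"):
            members.setdefault(u["gidNumber"][0], set()).add(u["uid"][0])
    return {gid: sorted(m) for gid, m in members.items()}


def missing_memberuid_ldif(entries):
    """ldapmodify records that add each user as memberUid of its primary group,
    which is what makes `getent group` list the user the way the Guide shows."""
    groups = {g["gidNumber"][0]: g for g in entries if _has_class(g, "posixGroup")}
    records = []
    for u in entries:
        if not _has_class(u, "posixAccount"):
            continue
        g = groups.get(u["gidNumber"][0])
        if g is not None and u["uid"][0] not in g.get("memberUid", []):
            records.append(f"dn: {g['dn'][0]}\nchangetype: modify\n"
                           f"add: memberUid\nmemberUid: {u['uid'][0]}\n")
    return records


# Constructed snapshot in the shape smbldap-populate / smbldap-useradd leave behind;
# DNs and the root membership of Domain Admins are assumptions, 513/xyz are from the post.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,dc=mydomain,dc=site
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513

dn: cn=Domain Admins,ou=Groups,dc=mydomain,dc=site
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
memberUid: root

dn: uid=xyz,ou=Users,dc=mydomain,dc=site
objectClass: posixAccount
objectClass: sambaSamAccount
uid: xyz
uidNumber: 1008
gidNumber: 513
"""
```

Feed the output of `missing_memberuid_ldif()` to `ldapmodify -x -D cn=admin,... -W`, or use the smbldap-groupmod form above, and `getent group` will show `Domain Users:*:513:xyz`; `effective_members()` already lists xyz under 513 before the change, which is exactly what `id xyz` was reporting.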