Re: [Samba] Problem with Kerberos in Samba4

2012-12-09 Thread Thomas Mueller
On Sat, 08 Dec 2012 18:03:31 +0100, Börje Johnsson wrote:

> Hi
> 
> I have a problem when setting up samba4.
> The server is Ubuntu 12.04 and the version of samba is 4.0.0rc6. I use a
> clean install of samba.

built from git or installed with ubuntu packages?

> I think that samba is configured correctly according to the HOWTO.
> 
> Samba is provisioned like this:
> $ samba-tool domain provision --realm=hrm.local --domain=HRM
> --adminpass='' --server-role=dc
> 
> resolv.conf:
> domain hrm.local
> nameserver 172.20.10.19
> 
> Every test in the HOWTO works until Kerberos is tested:
> 
> $ kinit administrator@HRM.LOCAL
> kinit: Cannot contact any KDC for realm 'HRM.LOCAL' while getting initial credentials

did you actually start samba after the provision? (check: ps -C samba -f)

any messages in the samba.log file?

> 
> $ klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@samba.example.com
> 
> Valid starting       Expires              Service principal
> 2012-12-08 16:38:15  2012-12-09 02:38:15  krbtgt/samba.example@samba.example.com
>         renew until 2012-12-15 16:38:15
> 2012-12-08 16:38:15  2012-12-09 02:38:15  LOCALADMEMBER$@SAMBA.EXAMPLE.COM

maybe a leftover from old tests? run "kdestroy" to clean up the Kerberos
credentials cache.

- Thomas

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: [Samba] User is invalid on this system

2012-11-29 Thread Thomas Mueller
On Thu, 29 Nov 2012 15:51:55 -0900, Kevin Elliott wrote:

> Hello all.
> 
> We are running Samba 3.6.6 on a Debian 6.0.6 server. We made the upgrade
> from 3.6.5 to 3.6.5 about a week ago and ever since we have lost the
> ability to map Samba shares from our Windows XP SP3 and Windows 7
> clients:
> 
> 
> Here's an example from my workstation (logging verbosity set at 10):
> 
...
> auth/user_krb5.c:162(get_user_from_kerberos_info)
>   Username CBJ_NT+kevin_elliott is invalid on this system
...
> 
> 
> However, I can successfully return login information with winbind:
> 
> # wbinfo -i kevin_elliott
> kevin_elliott:*:24949:10513::/home/CBJ_NT/kevin_elliott:/bin/false
> 
> 'getent passwd' will only return the local users from /etc/passwd.
> 

> 
> Any ideas? Anyone else see this?

maybe the "winbind" in /etc/nsswitch.conf got lost? 

is "getent -s winbind passwd $username" returning something?

is winbindd running ("ps -C winbindd -f")?

any log messages in /var/log/samba/log.winbindd ?

- Thomas



Re: [Samba] samba4 not list ldap

2012-11-29 Thread Thomas Mueller
On Fri, 30 Nov 2012 01:07:37 -0200, Clodonil Trigo wrote:

> Hi,
> 
> I have a problem. After several tests with Samba4, put into production.
> With one week working began to fill the files with HD
> /usr/local/samba4/var/cores/smb. I went into that directory and deleted
> some files to free up space.
> 
> More Samba4 now no longer starts the ldap. When I start giving the
> error:
> 
> [root@new-lost sbin]# ./samba -i -M single -d 1
> Samba version 4.1.0pre1-GIT-05a5974 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> Started with smbd server config file /usr/local/samba4-migracao/private/smbd.tmp/fileserver.conf
> Failed to listen on 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
> ldapsrv failed to bind to 0.0.0.0:636 - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED
> task_server_terminate: [Failed to startup ldap server task]
> /usr/local/samba4-migracao/sbin/smbd: smbd version 4.1.0pre1-GIT-05a5974 started.
> /usr/local/samba4-migracao/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2012
> /usr/local/samba4-migracao/sbin/smbd: standard input is not a socket, assuming -D option
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_UNSUCCESSFUL
> 
> Any idea?

I would check with "netstat -nalp | grep 636" which process occupies the 
port 636.

- Thomas



Re: [Samba] DFS and Namespaces

2012-11-21 Thread Thomas Mueller
On Tue, 20 Nov 2012 11:27:48 -0700, Zane Zakraisek wrote:

> I understand that the sysvol folder gets replicated between the
> different DCs. Does Samba 4 have the ability to perform DFS replication
> of other shares. If so, does Samba 4 support namespaces at this time?

there is IMHO no replication included in samba4. you have to use scripts 
to do that.

- Thomas



Re: [Samba] Additional Zones with Samba4 DNS

2012-11-14 Thread Thomas Mueller
On Wed, 14 Nov 2012 09:28:25 +0100, Michael Hildenbrand wrote:

> we plan to migrate to Samba4 from Samba3 and also from Bind9 to Samba4
> DNS. One question is open, everything else works really great.
> 
> We need multiple domains for virtual hosts in our development
> environment.

to add zones:
samba-tool dns zonecreate --help

to add records:
samba-tool dns add --help

- Thomas



Re: [Samba] sambar4: user creation with ldap and initial password

2012-11-05 Thread Thomas Mueller

On 05.11.2012 04:31, Andrew Bartlett wrote:

> On Thu, 2012-11-01 at 12:44 +, Thomas Mueller wrote:
> 
>> hi
>> 
>> trying to create a user with ldap from a remote server. The user is
>> created successfully. I'm failing setting the initial password.
>> 
>> Setting the unicodePwd with kerberos administrator credentials with
>> ldbmodify and the ldif below results in "2035: setup_io: it's not
>> allowed to set the NT hash password directly".
>> 
>> searching the web I've found s4 mailinglist entries telling "do not set
>> unicodePwd with ldap".  this KB article tells in AD it's possible to set
>> it:  http://support.microsoft.com/kb/263991/en-us
>> 
>> Is there a supported method to supply the initial user password with s4
>> and ldap?
>> 
>> - Thomas
>> 
>> LDIF:
>> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: $IlRlc3QxMjMtLSIK
> 
> To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.

i was using the following command to address this utf16-le requirement:

echo \"PASSWORD\" | iconv -t UTF16LE | base64

> See however the userPassword, which is a normal, utf8 unquoted string
> (ie, sane :-)

Just tried it. Problems:

1) the userPassword attribute is plaintext readable with ldap afterwards
2) the kerberos password is not set ("kinit user" fails)

- Thomas


Re: [Samba] sambar4: user creation with ldap and initial password

2012-11-05 Thread Thomas Mueller

On 05.11.2012 08:28, Andrew Bartlett wrote:

> On Mon, 2012-11-05 at 08:18 +0100, Thomas Mueller wrote:
> 
>> On 05.11.2012 04:31, Andrew Bartlett wrote:
>> 
>>> On Thu, 2012-11-01 at 12:44 +, Thomas Mueller wrote:
>>> 
>>>> hi
>>>> 
>>>> trying to create a user with ldap from a remote server. The user is
>>>> created successfully. I'm failing setting the initial password.
>>>> 
>>>> Setting the unicodePwd with kerberos administrator credentials with
>>>> ldbmodify and the ldif below results in "2035: setup_io: it's not
>>>> allowed to set the NT hash password directly".
>>>> 
>>>> searching the web I've found s4 mailinglist entries telling "do not set
>>>> unicodePwd with ldap".  this KB article tells in AD it's possible to set
>>>> it:  http://support.microsoft.com/kb/263991/en-us
>>>> 
>>>> Is there a supported method to supply the initial user password with s4
>>>> and ldap?
>>>> 
>>>> - Thomas
>>>> 
>>>> LDIF:
>>>> dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
>>>> changetype: modify
>>>> replace: unicodePwd
>>>> unicodePwd:: $IlRlc3QxMjMtLSIK
>>> 
>>> To set it via unicodePwd, you need to have it as UTF16, not ascii/utf8.
>> 
>> i was using the following command to address this utf16-le requirement:
>> 
>> echo \"PASSWORD\" | iconv -t UTF16LE | base64
> 
> Either way, the base64 string just doesn't look long enough for that.
> 
> This seems closer:
> //4iAFQAZQBzAHQAMQAyADMALQAtACIA
> 
>>> See however the userPassword, which is a normal, utf8 unquoted string
>>> (ie, sane :-)
>> 
>> Just tried it. Problems:
>> 
>> 1) the userPassword attribute is plaintext readable with ldap afterwards
>> 2) the kerberos password is not set ("kinit user" fails)
> 
> You may not have the userPassword feature enabled.  It's odd that we let
> it stick in ldap however - can you confirm exactly what AD does here, so
> I can match it?

I do not have an AD available today, I'll try tomorrow. I've found this
about the userPassword attribute on MSDN:
http://msdn.microsoft.com/en-us/library/cc223249(prot.20).aspx

searching the source code about userPassword I've found this comment in
password_hash.c:

 * Notice: unlike the real AD which only supports the UTF16 special based
 * 'unicodePwd' and the UTF8 based 'userPassword' plaintext attribute we
 * understand also a UTF16 based 'clearTextPassword' one.
 * The latter is also accessible through LDAP so it can also be set by external
 * tools and scripts. But be aware that this isn't portable on non SAMBA 4 ADs!

"The latter is also accessible through LDAP" implies that unicodePwd and
userPassword aren't.

- Thomas

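The encoding rule the thread settles on (password wrapped in double quotes, UTF-16LE, then base64), as an added Python example that is not from the thread or from Samba. It builds a correct `unicodePwd::` LDIF value and checks a candidate value for the two mistakes discussed above: plain ASCII bytes, and a byte-order mark from iconv. Helper names are mine; the password "Test123--" is what the thread's LDIF value decodes to.

```python
import base64
import binascii
from typing import List

# Constructed example: helper names are my own; "Test123--" is the password
# the thread's LDIF value decodes to.


def unicode_pwd_ldif_value(password: str) -> str:
    """Base64 text for an LDIF 'unicodePwd::' line: the password wrapped in
    double quotes, encoded as UTF-16LE with no BOM and no trailing newline."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def check_unicode_pwd_value(b64: str) -> List[str]:
    """Reasons a candidate base64 value would be rejected or would set a
    different password than intended; an empty list means it looks right."""
    problems = []
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error:
        return ["not valid base64 (stray characters such as '$' or whitespace)"]
    if raw.startswith(b"\xff\xfe"):
        # 'iconv -t UTF16' emits a byte-order mark; stored as-is it becomes
        # the first character of the password, so kinit with the intended
        # password fails.
        problems.append("UTF-16LE BOM present; it would become part of the password")
        raw = raw[2:]
    if len(raw) % 2:
        problems.append("odd byte count, so this is not UTF-16LE at all")
        return problems
    text = raw.decode("utf-16-le", errors="replace")
    if text.endswith("\n"):
        # 'echo' without -n appends a newline that also lands in the password.
        problems.append("trailing newline would become part of the password")
        text = text.rstrip("\n")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        # ASCII/UTF-8 bytes read as UTF-16LE never decode to a quoted string.
        problems.append("decoded text is not double-quoted; input was probably ASCII/UTF-8")
    return problems


def password_modify_ldif(dn: str, password: str) -> str:
    """The thread's 'replace: unicodePwd' LDIF with a correctly encoded value."""
    return "\n".join([f"dn: {dn}", "changetype: modify", "replace: unicodePwd",
                      f"unicodePwd:: {unicode_pwd_ldif_value(password)}", ""])


if __name__ == "__main__":
    print(password_modify_ldif("CN=Thomas Mueller,OU=Users,DC=test,DC=testing", "Test123--"))
    for candidate in ("IlRlc3QxMjMtLSIK", "//4iAFQAZQBzAHQAMQAyADMALQAtACIA"):
        print(candidate, check_unicode_pwd_value(candidate) or ["ok"])
```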


[Samba] sambar4: user creation with ldap and initial password

2012-11-01 Thread Thomas Mueller
hi

trying to create a user with ldap from a remote server. The user is 
created successfully. I'm failing setting the initial password.

Setting the unicodePwd with kerberos administrator credentials with 
ldbmodify and the ldif below results in "2035: setup_io: it's not 
allowed to set the NT hash password directly". 

searching the web I've found s4 mailinglist entries telling "do not set 
unicodePwd with ldap".  this KB article tells in AD it's possible to set 
it:  http://support.microsoft.com/kb/263991/en-us 

Is there a supported method to supply the initial user password with s4 
and ldap?

- Thomas

LDIF:
dn: CN=Thomas Mueller,OU=Users,DC=test,DC=testing
changetype: modify
replace: unicodePwd
unicodePwd:: $IlRlc3QxMjMtLSIK



[Samba] samba4: audit logs

2012-10-31 Thread Thomas Mueller
hi 

I can see some vfs audit module for shares. is there something 
comparable for authentications and/or ldap access/modifications?

at least I'd like to see successful or failed authentication attempts. 
with "log level = 2" I can't find these in the logfile. 

- Thomas



Re: [Samba] Change DNS method?

2012-10-14 Thread Thomas Mueller
On Sun, 14 Oct 2012 15:02:32 +, Steve wrote:

> Is it possible to change from the internal name server to BIND once you've 
> provisioned a domain? 
> 
> I set mine up with the internal since it seemed easier, but then discovered 
> the only way for my DHCP clients to update their names in DNS is via BIND, 
> so I'd rather use that instead.
> 
> Thanks in advance for any advice!

just some hints - use it at your own risk and take a backup beforehand.

* command: samba_upgradedns --dns-backend=BIND9_DLZ --migrate=no
* add "server services = -dns" to the smb.conf "[global]" section
* configure bind9 like described in private/named.txt
* restart samba & bind



- Thomas



Re: [Samba] Samba/LDAP appliance recommendation

2012-09-20 Thread Thomas Mueller
On Mon, 17 Sep 2012 04:35:39 +0800, Jeffrey Chan wrote:

> Hi all,
> 
> What's a good Samba+LDAP appliance these days for a small business?



not using it myself:
http://www.univention.de/
http://www.zentyal.org/

- Thomas



Re: [Samba] samba4 & kpasswd: refuses to change

2012-08-30 Thread Thomas Mueller
On Thu, 30 Aug 2012 14:07:00 +, Thomas Mueller wrote:

> On Thu, 30 Aug 2012 13:45:50 +, Thomas Mueller wrote:
> 
> 
>> # kpasswd
>> Password for user@TEST.DOMAIN:
>> Enter new password:
>> Enter it again:
>> Password change rejected: Password must be at least 7 characters long,
>> and cannot match any of your 24 previous passwords
> 
> OK, it's not a kpasswd problem. Changing the password from windows
> (ctrl-alt-del -> change password) brings up the same message.
> 
> - Thomas

and finally found the root cause:

the default password policy is set to a minimal password age of 1 day

- Thomas



Re: [Samba] samba4 & kpasswd: refuses to change

2012-08-30 Thread Thomas Mueller
On Thu, 30 Aug 2012 13:45:50 +, Thomas Mueller wrote:


> # kpasswd
> Password for user@TEST.DOMAIN:
> Enter new password:
> Enter it again:
> Password change rejected: Password must be at least 7 characters long,
> and cannot match any of your 24 previous passwords

OK, it's not a kpasswd problem. Changing the password from windows (ctrl -
alt -del -> change password) brings up the same message.

- Thomas



[Samba] samba4 & kpasswd: refuses to change

2012-08-30 Thread Thomas Mueller
hi 

after kpasswd panicked samba4 (debian wheezy packages, beta2) I've 
compiled the latest from git (Version 4.0.0beta8-GIT-5131359). It does 
not panic anymore but tells me the following:

# kpasswd
Password for user@TEST.DOMAIN: 
Enter new password: 
Enter it again: 
Password change rejected: Password must be at least 7 characters long, 
and cannot match any of your 24 previous passwords


The new password hasn't been used before on this account. Complexity 
criteria are met too (otherwise it correctly fails and tells that they 
are not met).

Is kpasswd supposed to work with samba4?

- Thomas



Re: [Samba] rsync folder permissions

2012-07-24 Thread Thomas Mueller
On Mon, 23 Jul 2012 13:57:56 +0200, steve wrote:

> H Yes. I was missing the -a switch:
> rsync -auzv source destination works fine but I found that the owner and
> group are not synced until the last moment. Impatience perhaps.
> Cheers,
> Steve

you should also consider -X (xattrs), -H (hardlinks) and -A (ACLs).

- Thomas



Re: [Samba] Group Home Shares?

2012-03-05 Thread Thomas Mueller
On Sun, 04 Mar 2012 18:16:30 -0800, Christ Schlacta wrote:

> Is it possible to create a share like the Homes share, but that
> functions for groups rather than users, such that any user who is a
> member of the group will see the share, and any user who is not a member
> will not see the share?

have a look at man smb.conf keyword "access based share enum". maybe it's 
what you're looking for.

(http://www.samba.org/samba/docs/man/manpages-3/smb.conf.5.html#id2533492)

- Thomas
