Re: [Samba] Could not build Samba with ADS support on Solaris 10 [SEC=UNCLASSIFIED]
On Wed, Jul 06, 2011 at 11:13:54PM +0800, youngjohn04 wrote:

>With these environment variables set, same error appeared.
>
>To avoid using bundled ldap, I removed SUNWlldap, keep only Openldap, but
>this also made no difference.
>I also tried using Sun Studio12, failed too.

Try something like:

1. Dependencies

   #pkg-get -i autoconf automake berkeleydb4 binutils bison common flex gcc3 gcc3core gcc3corert gcc3g++ gcc3g++rt gcc3rt ggettext gmake gnupg gnutls krb5_lib krb5_lib_dev krb5_user openldap openldap_client openldap_rt sasl zlib

2. $PATH

   At a minimum:

   /usr/sbin:/usr/bin:/usr/ccs/bin:/opt/csw/bin:/opt/csw/gcc3/bin

3. /bin/sh variables

   Use /bin/sh when doing the build. You then need to set the following variables:

   CC=gcc
   CPPFLAGS="-I/opt/csw/include -I/usr/include -I/usr/sfw/include"
   LDFLAGS="-L/opt/csw/lib -L/usr/sfw/lib -R/opt/csw/lib:/usr/sfw/lib"
   LD_LIBRARY_PATH="/opt/csw/lib"
   export CC LDFLAGS LD_LIBRARY_PATH CPPFLAGS

4. ld(1) hack

   This is the only hack that has to be done. Samba likes to use GNU ld and not the native Solaris linker. This is the hack you will need:

   #mv /usr/ccs/bin/ld /usr/ccs/bin/ld.orig
   #ln -s /opt/csw/bin/gld /usr/ccs/bin/ld

5. Build

   #./configure --prefix=/export/server_apps/SAMBA_3_0_32/ --with-ldap --with-ads --with-krb5=/opt/csw --with-winbind --with-pam --disable-cups --with-acl-support --with-krb5=/opt/csw --with-shared-modules=idmap_rid
   #make
   #make install

The aforementioned recipe has worked for me many times in the past. I haven't tried recently though.

-Alex

IMPORTANT: This email remains the property of the Department of Defence and is subject to the jurisdiction of section 70 of the Crimes Act 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
[Samba] winbindd(8)-> groups: cannot find name for group ID ... [SEC=UNCLASSIFIED]
Hi all,

On one of my Linux AD clients (Ubuntu 10.04.1 LTS - 2.6.32-24-generic) when I log in via ssh I get the following errors:

   groups: cannot find name for group ID 1
   groups: cannot find name for group ID 10001
   groups: cannot find name for group ID 10002
   groups: cannot find name for group ID 10003
   groups: cannot find name for group ID 10004

The login still succeeds perfectly fine, i.e. via winbindd(8) + Samba 3.4.7.

Looking at the debug output for an interactive winbindd(8) session I see:

   [ 2797]: gid 1 to sid Could not find domain for sid S-1-5-21-xx-xx-xx-x
   [ 2877]: getgrgid 10001 child daemon request 55
   [ 2797]: gid 10001 to sid Could not find domain for sid S-1-5-21-xx-xx-xx-
   [ 2877]: getgrgid 10002 child daemon request 55
   [ 2797]: gid 10002 to sid Could not find domain for sid S-1-5-21-xx-xx-xx-x
   [ 2877]: getgrgid 10003 child daemon request 55
   [ 2797]: gid 10003 to sid Could not find domain for sid S-1-5-21-xx-xx-xx-
   [ 2877]: getgrgid 10004 child daemon request 55
   [ 2797]: gid 10004 to sid Could not find domain for sid S-1-5-21-x-x-xx-

The relevant smb.conf entry looks like:

   idmap backend = tdb
   idmap uid = 1-50
   idmap gid = 1-50
   idmap config DOMAIN:backend = rid
   idmap config DOMAIN:range = 1-50

Can anyone suggest what is wrong here or how to debug further ?

Thanks

-Alex
Re: [Samba] Share permission problem if user is member in more than 16 groups on AD [SEC=UNCLASSIFIED]
On Thu, Jul 15, 2010 at 12:26:05AM +0300, Mārcis Lielturks wrote:

>Can anybody share experience on compiling samba on OpenSolaris? What's the
>most painless way? I'm considering to use latest 3.5.5 but maybe I should
>use same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
>servers, which already replicate storage, so ID mapping must be consistent
>between both Samba servers. Servers have to provide shares also to trusted
>domains, but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
>supported to provide mappings for more than one domain, so anything newer
>than 3.0.37 sounds like the right choice.

You could try using http://www.blastwave.org/ seems to have samba 3.4 in the repo:

[http://www.blastwave.org/jir/pkgcontents.ftd?software=samba&style=brief&state=5&arch=i386]

-Alex
Re: [Samba] Changing ACLs via windows dialogue box ? Is it possible ? [SEC=UNCLASSIFIED]
On Sun, Jun 20, 2010 at 04:43:13PM -0400, Gaiseric Vandal wrote:

>Which platform?
>
>The idmap suggestion seems to make sense. I had the same problem with
>member servers until I set up idmap (even though the unix id's were
>consistent between all machines.) I did not have a problem though on the
>PDC. Is this a domain controller?

Platform is: Linux 2.6.23.12-52.fc7 (fedora7).

The server in question is an AD client and is already using idmap+winbindd:

   ldap ssl= no
   idmap domains = the_domain
   idmap config the_domain:backend = rid
   idmap config the_domain:range = 1-50
   template shell = /bin/tcsh
   template homedir= /home/%U
   winbind use default domain = yes
   allow trusted domains = no
   winbind enum users = no
   winbind enum groups = no
   winbind nested groups = yes
   winbind cache time = 600
   winbind offline logon = yes

-Alex
[Samba] Changing ACLs via windows dialogue box ? Is it possible ? [SEC=UNCLASSIFIED]
Hi all,

so I'm scratching my head wondering if I have ever had this working before ... (usually I do all changes on the unix side with chown(1) or setfacl(1)).

Is it possible to accurately add/remove/modify acls via the windows dialogue box on a samba share ? When I do and then hit "apply" the original acls come straight back. Is this intended behaviour ?

I have the underlying fs mounted with acl support and I have "nt acl support = yes" in smb.conf(5).

Thanks!

-Alex
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
On Wed, Feb 17, 2010 at 07:49:25AM -0600, Dale Schroeder wrote:

>
>> Reply to list/user gets me again! Anyway, we are at 2008 functional level,
>> so I don't think our domain is even accepting DES. It looks like Debian has
>> a fix in libkrb5 that has another two days in sid, then will be migrated to
>> Squeeze.
>That's the best news I've had in days. I noticed that the original
>reporter of the bug had success with
>1.8 alpha1-6, and the version soon to be in squeeze is already beyond
>that at alpha 1-7.

Here is the patch:

http://packages.debian.org/changelogs/pool/main/k/krb5/krb5_1.8+dfsg~alpha1-7/changelog

   krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium

     * Import upstream fixes including:
       - A non-conformance with RFC 4120 that causes enc_padata to be
         included when the client may not support it
       - Weak crypto acts as a filter and does not reject if DES is
         included in krb5.conf, fixes Samba net ads join, Closes: #566977
     * Medium urgency because of the samba bug fix. If the samba
       maintainers request the release team to bump to high I'd support
       that.
     * Update libkdb5 symbols for new upstream internal interface

--
/* Please Dont Blame Me For The Below Text */

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
On Sat, Feb 13, 2010 at 06:57:52PM -0800, Jeremy Allison wrote:

>In Samba 3.5.0 there is a parameter "create krb5 conf" that controls
>if this private krb5.conf file is created or not. Would it be helpful
>for this to be back ported to earlier versions ?

Would this parameter work in 4.x also ?

-Alex
Re: [Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Anyone ?

-Alex

On Thu, Feb 11, 2010 at 08:00:57PM +0800, Wilkinson, Alex wrote:

>Hi all,
>
>According to this bug report:
>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977
>
>This particular error is actually a bug in the samba code.
>
>Does anyone know if there are patches that fix this ?
>
>Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :(
>
>Has anyone got a working solution for this ?
>
> -Alex
[Samba] ads_sasl_spnego_krb5_bind failed: Program lacks support for encryption type [SEC=UNCLASSIFIED]
Hi all,

According to this bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566977

This particular error is actually a bug in the samba code.

Does anyone know if there are patches that fix this ?

Adding "allow_weak_crypto = true" to /etc/krb5.conf does not solve this for me :(

Has anyone got a working solution for this ?

-Alex
Re: [Samba] Winbind problem
On Fri, Oct 05, 2007 at 06:45:21AM +0800, mail wrote:

>I have a Centos 4.4 Linux server that setup Winbind with windows 2003AD
>integration, the winbind suddenly can't receive AD accounts, I can use
>wbinfo -u to show AD user name and group etc, but getent passwd isn't
>pulling across all of the domain accounts.

Is your idmap range large enough ? Try increasing it. e.g.

   idmap config dsto:range = 1-50

-aW

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] AD + winbindd(8): group permissions being ignored ? WTF ?
On Tue, Aug 14, 2007 at 05:13:10PM -0700, Doug VanLeuven wrote:

>I don't use FreeBSD, but it looks like the make first applies FreeBSD
>patches against the main samba release. What's failing is the patch against
>the very same file that you patched with "group_fix_patch.txt". You need to
>look at "smbd/sec_ctx.c.rej" and see if what is failing is an attempt to
>apply the very same patch a second time.

Got the patch to work. I was doing things in the wrong order :(

Group permissions via chown(1) actually work now! Yay! (At least the first 16).

One thing that I notice is that group permissions DONT work if I turn off winbind user and group enumeration. Which is bizarre.

Thanks for your assistance Doug!

-aW
[Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(
Hi all,

In the O'Reilly "Using Samba" book pg 292 it is recommended to turn off Winbindd(8) user and group enumeration (very expensive operation). However, when doing this on FreeBSD -CURRENT the groups that users are in are not recognised. When I enable user and group enumeration, group permissions work (at least for the first 16 groups), i.e. via chown(1).

So my question is: From people's experience what do you do ? Turn "enum" on or off ? And do you experience the same problem I do ? Or is this just a FreeBSD issue ?

-aW
Re: [Samba] AD + winbindd(8): group permissions being ignored ? WTF ?
On Mon, Aug 13, 2007 at 01:44:19AM -0700, Doug VanLeuven wrote:

>Have a look and see if this report is relevant in your case (it's fairly
>long):
>https://bugzilla.samba.org/show_bug.cgi?id=3990

This is my *exact* problem. I am using version 3.0.25a,1.1. And looking at work/samba-3.0.25a/source/smbd/sec_ctx.c it looks like Björn Jacke's patch has not been included.

So I proceed to apply the patch myself and run into:

   # patch -p0 < group_fix_patch.txt
   Hmm... Looks like a unified diff to me...
   The text leading up to this was:
   --
   |Index: source/smbd/sec_ctx.c
   |===
   |--- source/smbd/sec_ctx.c (Revision 23033)
   |+++ source/smbd/sec_ctx.c (Arbeitskopie)
   --
   Patching file source/smbd/sec_ctx.c using Plan A...
   Hunk #1 succeeded at 248 (offset 2 lines).
   done
   #
   #cd /usr/ports/net/samba3/
   #make install
   ===> Patching for samba-3.0.25a_1,1
   ===> Applying FreeBSD patches for samba-3.0.25a_1,1
   1 out of 5 hunks failed--saving rejects to smbd/sec_ctx.c.rej
   => Patch patch-smbd_sec_ctx.c failed to apply cleanly.
   => Patch(es) patch-Makefile.in patch-client_client.c patch-configure.in patch-include_includes.h patch-lib_iconv.c patch-lib_replace_libreplace_cc.m4 patch-nsswitch_pam_winbind.c patch-nsswitch_winbindd.c patch-pam_smbpass_pam_smb_auth.c patch-pam_smbpass_pam_smb_passwd.c patch-pam_smbpass_support.c patch-script_installbin.sh.in patch-script_installswat.sh patch-smbd_aio.c applied cleanly.
   *** Error code 1

I *really* need this patch so that I can manage shared data via AD groups.

Can anyone lend a helping hand in making samba compile in FreeBSD ports with the following patch [http://marc.info/?l=samba-technical&m=117976475614078&w=2] ?

Or can the FreeBSD net/samba3 port maintainer get this patch included into the port ASAP ?

Thanks

-aW
[Samba] AD + winbindd(8): group permissions being ignored ? WTF ?
Hi all,

I am successfully authenticating "FreeBSD 7.0-CURRENT #1: Wed Jul 25 17:31:15 WST 2007" against AD. Users can log in successfully with home directories being served via amd(8) and NFS. However, I have discovered a potential "show-stopper" that will force me to abort this mission :(

The problem
-~-~-~-~-~-

In a nutshell: Simple group permissions set with chown(1) are not being honoured. e.g.

   #touch testing.txt
   #ls -l !$
   -rw-r--r-- 1 root wheel 0 Aug 12 17:49 testing
   #chmod 770 !$
   #ls -l testing.txt
   -rwxrwx--- 1 root wheel 0 Aug 12 17:49 testing.txt
   #chown root:"scis stl admins" testing.txt
   #ls -l !$
   ls -l testing.txt
   -rwxrwx--- 1 root scis stl admins 0 Aug 12 17:49 testing.txt
   #su - my_username
   my__shell>echo "this sux" > /var/tmp/testing.txt
   testing.txt: Permission denied.

And I KNOW 150% I am in the group "scis stl admins".

The odd thing is that chown(1) allows me to give the file testing.txt group membership, but users in the actual group are not given these permissions.

I'm getting kinda desperate now. Have I missed something conceptually ? Any insights into this problem whatsoever will be greatly appreciated.

Thanks

-aW
Re: [Samba] Samba winbind and nsswitch.conf
On Fri, Aug 10, 2007 at 02:23:37PM -0400, Mark Campbell wrote:

>when I run wbinfo -u or -g it returns users and groups from AD.
>When I do a getent passwd I get the results for /etc/passwd and nothing from AD.
>When I auth to the samba server the permissions set based on groups do not work.

This makes 2 of us. On FreeBSD 7.0-CURRENT #1: Wed Jul 25 17:31:15 WST 2007. e.g.

   #wbinfo -u | wc -l
   9150
   #getent passwd | wc -l
   24

-aW
Re: [Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ? [SOLUTION]
When putting winbindd(8) into debug mode I finally saw the following:

   id S-1-5-21-1957994488-1326574676-725345543-35301 is neither ours, a Unix SID, nor builtin
   error converting unix gid to sid

The hard part was identifying what part of the puzzle I needed to debug in the first place! Was it AD? NSS? PAM? Winbind? Samba? ACLs ?

Solution:

Well that was easy when I actually knew the problem. Increase my idmap_rid range.

From:

   idmap config dsto:range = 1-2

To:

   idmap config dsto:range = 1-50

All works now!

-aW
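
The failure mode in the [SOLUTION] message above, as an added example that is not part of the original post: the idmap_rid backend derives each Unix ID as RID - base_rid + low end of the range, and anything that lands outside the configured range is left unmapped, which is what a too-narrow range causes. The ranges 10000-19999 and 10000-59999 and the helper names are constructed for illustration; the second SID is the one from the debug output, and the first is the same domain prefix with the well-known Domain Users RID 513.

```python
import re

# Matches "idmap config DOMAIN:option = value"; spaces around ':' are allowed.
PARAM_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def idmap_rid_settings(conf_text, domain):
    """Return (low, high, base_rid) for a domain that uses the rid backend."""
    opts = {}
    for line in conf_text.splitlines():
        m = PARAM_RE.match(line)
        if m and m.group(1).lower() == domain.lower():
            opts[m.group(2).lower()] = m.group(3)
    if opts.get("backend", "").lower() != "rid" or "range" not in opts:
        raise ValueError("no idmap_rid backend/range configured for " + domain)
    low, high = (int(part) for part in opts["range"].split("-"))
    return low, high, int(opts.get("base_rid", 0))


def sid_to_unix_id(sid, low, high, base_rid=0):
    """SID -> uid/gid as idmap_rid computes it, or None if out of range."""
    if not sid.startswith("S-1-5-21-"):
        raise ValueError("not a domain SID: " + sid)
    rid = int(sid.rsplit("-", 1)[1])
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def unix_id_to_rid(unix_id, low, high, base_rid=0):
    """Reverse direction (gid -> RID); None when the gid is outside the range."""
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid


def audit(conf_text, domain, sids):
    """Map every SID; a value of None marks an account the range cannot hold."""
    low, high, base_rid = idmap_rid_settings(conf_text, domain)
    return {sid: sid_to_unix_id(sid, low, high, base_rid) for sid in sids}


# Constructed smb.conf fragments: only the range values differ.
NARROW_CONF = """
[global]
   idmap config dsto:backend = rid
   idmap config dsto:range = 10000-19999
"""
WIDE_CONF = NARROW_CONF.replace("10000-19999", "10000-59999")

PREFIX = "S-1-5-21-1957994488-1326574676-725345543"
SIDS = [PREFIX + "-513", PREFIX + "-35301"]

if __name__ == "__main__":
    for label, conf in (("narrow", NARROW_CONF), ("wide", WIDE_CONF)):
        for sid, unix_id in audit(conf, "dsto", SIDS).items():
            print(label, sid, unix_id if unix_id is not None else "UNMAPPED")
```

Run against the real smb.conf and the output of wbinfo, any SID reported as UNMAPPED is one that file ownership, group ACLs and share permissions will not resolve until the range is widened.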
Re: [Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
On Mon, Aug 06, 2007 at 04:09:37PM +0200, Greg Byshenk wrote:

> sambaserver# setfacl -m u:ADDOMAIN\\gbytest:rwx,g:ADDOMAIN\\domain\ users:rx z-test/
> sambaserver# getfacl z-test/
> #file:z-test/
> #owner:1361
> #group:100
> user::rwx
> user:gbytest:rwx
> group::r-x
> group:domain users:r-x
> mask::rwx
> other::r-x
> sambaserver#
>
>This is on 6-STABLE, but it has worked on CURRENT also (though I don't have a
>machine running now), configured using idmap_rid (and 'winbind use default domain = yes').
>
>At some point in the past when I was testing, I saw the same sort of errors
>as above. This was before I set idmap_rid (and configured samba with experimental
>modules), so it may have been related to this change.
>
>Do the domain users/groups show up using 'id' and 'wbinfo'?

OK, well this is interesting because after extensive testing of setting group permissions with setfacl(1) some groups work ... and some don't.

And yes I can enumerate all the groups in AD e.g.

   #wbinfo -g | wc -l
   2574

And id(1) does print the GIDs e.g.

   #id -a
   uid=13340(myusername) gid=10513(domain users) groups=10513(domain users)

So I am suspecting not all groups in the AD world are the same ? And why would I be able to assign group ACLs using some AD groups but not others ?

-aW
[Samba] setfacl(1) - Can FreeBSD's ACLs contain groups from NT/AD domains ?
Hi all,

I have "FreeBSD 7.0-CURRENT #1: Wed Jul 25" authenticating successfully against active directory via samba's winbindd(8). I need to manage samba shares via FreeBSD ACLs and CIFS ACLs.

From my reading of setfacl(1) I should be able to set group permissions using the syntax of DOMAIN\group-name. For example:

   #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test

However, when I do this on FreeBSD -CURRENT I get the following error:

   #setfacl -d -m g:"MYDOMAIN\mygroupname":rwx test
   setfacl: g:MYDOMAIN\mygroupname: Invalid argument

From a quick Google it looks like Linux ACLs can do the aforementioned [http://www.techtutorials.net/blogs/index.php?mode=viewuser&user_id=7].

Is anyone successfully managing their Samba shares via NT/AD groups using FreeBSD ACLs ?

-aW