Re: [Samba] [samba] DNS update failed!
Alexander R. Fahrutdinov wrote:
In a message of 30 July 2010 09:39:05, Alexander R. Fahrutdinov wrote:
In a message of 29 July 2010 17:05:53, k.maksimov wrote:
Alexander R. Fahrutdinov wrote:
In a message of 29 July 2010 09:08:29, Alexander R. Fahrutdinov wrote:
In a message of 28 July 2010 18:10:29, k.maksimov wrote:
Alexander R. Fahrutdinov wrote:
In a message of 28 July 2010 10:15:25, k.maksimov wrote:
Anton wrote:
On 28 July 2010 01:45, k.maksimov k.maksi...@butb.by wrote:

I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first network, the hostname is registered successfully, but in the second network:

sudo net ads join -U admin
Enter admin's password:
Using short domain name -- BUTB
Joined 'TH-2-011' to realm 'butb.by'
DNS update failed!

As far as I can tell (I'm not entirely certain though) this is an Active Directory / Windows Server configuration issue around loosening permissions enough for the DHCP service to update the DNS records. I don't know exactly what settings need to be configured though, as I didn't manage to get it working either. In the end I decided to keep the standard security and just use static IPs and DNS records for winbind machines.

I use a static IP and I don't have DHCP, and this is not an AD problem: Windows machines successfully update DNS. Also, I have ~200 machines and I can't add every DNS record manually.

It seems secure DNS update is broken in samba. I tried different versions of samba (3.2.4, 3.4.4, 3.5.4, etc.), but always got an error during DNS update, even though the output of the wbinfo -t and net ads info commands was OK. Secure DNS update via the nss-update script completed successfully, but it requires domain admin credentials. The guys from http://rc.quest.com/topics/ddns/old.php created a patch for nss-update and the GSSAPI library to use the machine account instead of the admin one, but I haven't tried it. So, I don't promise to disable the secure DNS update, because it decreases AD security.

Perhaps somebody can tell us what we are doing wrong?

Earlier I tested DNS update with the samba packages included in Debian Etch, Lenny and the testing Debian branch. Now I have downloaded the CentOS distribution and tried to update DNS via the net ads dns register -P command. I was surprised when the command reported "Successfully registered hostname with DNS" with samba versions 3.0.33 and 3.5.4. So it isn't a samba problem, but a problem of the specific distribution. And what's your distribution?

I use Linux Mint 9 (based on Ubuntu 10.4), samba is 3.4.7, and in network 192.168.1.0/24 DNS is updated successfully via net ads dns register -P. So, it's a samba problem :)

Now I am trying to update DNS from CentOS with two NICs: 192.168.33.131 and 10.0.3.15, and both addresses are added to DNS successfully.
PS: net ads dns register -P

So, my tests:

Debian Etch:
  samba winbind 3.2.5-4~bpo41+1
  libkrb53 1.4.4-7etch6
  net ads dns register -P
  Successfully registered hostname with DNS

Debian Lenny:
  samba winbind 3.4.8~dfsg-2~bpo50+1 and 3.2.5-4lenny12 (works with both)
  libkrb53 1.6.dfsg.4~beta1-5lenny4
  net ads dns register -P
  Successfully registered hostname with DNS

Debian Sid/Unstable (my case):
  samba winbind 3.4.8~dfsg-2 and 3.5.4~dfsg-1 (does not work with either)
  libkrb53 1.8.1+dfsg-5
  net ads dns register -P
  DNS update failed!

I tried CentOS, Suse and Slackware, and every time, in the second network, DNS wasn't updated. :(

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Changing password on unix client joined to AD
Lorenzo Milesi wrote:
- Original message -

GDM does not support this feature: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/114620
If you want, you can hack gdm)

This sounds strange, because Googling around I found some info about GDM allowing password change... I don't know if this could be a problem of the new GDM or what...

Oh sorry, I was inattentive. Maybe this can fix the problem:

echo "auth required pam_deny.so" >> /etc/pam.d/common-auth
echo "password required pam_deny.so" >> /etc/pam.d/common-password

?
Re: [Samba] Changing password on unix client joined to AD
k.maksimov wrote:
Lorenzo Milesi wrote:
- Original message -

GDM does not support this feature: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/114620
If you want, you can hack gdm)

This sounds strange, because Googling around I found some info about GDM allowing password change... I don't know if this could be a problem of the new GDM or what...

Oh sorry, I was inattentive. Maybe this can fix the problem:

echo "auth required pam_deny.so" >> /etc/pam.d/common-auth
echo "password required pam_deny.so" >> /etc/pam.d/common-password

?

Sorry, s/required/requisite/
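As an added illustration (not code from any poster, nor from Samba or Linux-PAM): a small Python model of how the auth stack quoted in this thread is evaluated once the suggested pam_deny line is in place, showing what the `success=N` jumps skip and how `requisite` differs from `required`. The trailing pam_permit.so line and the two-value return codes are assumptions made for the model.

```python
import re

SUCCESS, AUTH_ERR = "success", "auth_err"

# Keyword controls in bracket form, as documented in pam.conf(5)
# (only the return codes this model uses).
KEYWORDS = {
    "required":  {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
}

def parse_line(line):
    """Split 'type control module [args]' into (actions, module)."""
    _type, control, module = re.match(
        r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
    if control.startswith("["):
        return dict(t.split("=") for t in control[1:-1].split()), module
    return KEYWORDS[control], module

def run_stack(lines, unix_ok, winbind_ok):
    """Return (result, trace) for one login attempt against the stack."""
    returns = {
        "pam_unix.so": SUCCESS if unix_ok else AUTH_ERR,
        "pam_winbind.so": SUCCESS if winbind_ok else AUTH_ERR,
        "pam_deny.so": AUTH_ERR,      # always fails
        "pam_permit.so": SUCCESS,     # always succeeds
    }
    stack = [parse_line(l) for l in lines]
    status, trace, i = None, [], 0
    while i < len(stack):
        actions, module = stack[i]
        action = actions.get(returns[module], actions["default"])
        trace.append((module, action))
        i += 1
        if action == "die":           # requisite failure: stop immediately
            return AUTH_ERR, trace
        if action == "bad":           # required failure: remember, keep going
            status = AUTH_ERR
        elif action == "ok" or action.isdigit():
            status = status or SUCCESS   # never overrides an earlier failure
            if action.isdigit():         # success=N: skip the next N modules
                i += int(action)
        # "ignore": the module does not vote
    return status or AUTH_ERR, trace  # a stack where nothing voted fails

# The two common-auth lines as posted in the thread.
POSTED = [
    "auth [success=2 default=ignore] pam_unix.so nullok_secure",
    "auth [success=1 default=ignore] pam_winbind.so krb5_auth "
    "krb5_ccache_type=FILE cached_login use_first_pass",
]
# Assumed tail: the pam_deny line from the reply, then pam_permit.
STACK = POSTED + ["auth requisite pam_deny.so", "auth required pam_permit.so"]
STACK_REQUIRED = POSTED + ["auth required pam_deny.so",
                           "auth required pam_permit.so"]

if __name__ == "__main__":
    for name, args in [("local user", (True, False)),
                       ("domain user", (False, True)),
                       ("bad password", (False, False))]:
        print(name, *run_stack(STACK, *args))
```

With `requisite` the failed login stops at pam_deny.so; with `required` the result is the same failure, but the rest of the stack still runs.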
Re: [Samba] [samba] DNS update failed!
Alexander R. Fahrutdinov wrote:
In a message of 29 July 2010 09:08:29, Alexander R. Fahrutdinov wrote:
In a message of 28 July 2010 18:10:29, k.maksimov wrote:
Alexander R. Fahrutdinov wrote:
In a message of 28 July 2010 10:15:25, k.maksimov wrote:
Anton wrote:
On 28 July 2010 01:45, k.maksimov k.maksi...@butb.by wrote:

I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first network, the hostname is registered successfully, but in the second network:

sudo net ads join -U admin
Enter admin's password:
Using short domain name -- BUTB
Joined 'TH-2-011' to realm 'butb.by'
DNS update failed!

As far as I can tell (I'm not entirely certain though) this is an Active Directory / Windows Server configuration issue around loosening permissions enough for the DHCP service to update the DNS records. I don't know exactly what settings need to be configured though, as I didn't manage to get it working either. In the end I decided to keep the standard security and just use static IPs and DNS records for winbind machines.

I use a static IP and I don't have DHCP, and this is not an AD problem: Windows machines successfully update DNS. Also, I have ~200 machines and I can't add every DNS record manually.

It seems secure DNS update is broken in samba. I tried different versions of samba (3.2.4, 3.4.4, 3.5.4, etc.), but always got an error during DNS update, even though the output of the wbinfo -t and net ads info commands was OK. Secure DNS update via the nss-update script completed successfully, but it requires domain admin credentials. The guys from http://rc.quest.com/topics/ddns/old.php created a patch for nss-update and the GSSAPI library to use the machine account instead of the admin one, but I haven't tried it. So, I don't promise to disable the secure DNS update, because it decreases AD security.

Perhaps somebody can tell us what we are doing wrong?

Earlier I tested DNS update with the samba packages included in Debian Etch, Lenny and the testing Debian branch. Now I have downloaded the CentOS distribution and tried to update DNS via the net ads dns register -P command. I was surprised when the command reported "Successfully registered hostname with DNS" with samba versions 3.0.33 and 3.5.4. So it isn't a samba problem, but a problem of the specific distribution. And what's your distribution?

I use Linux Mint 9 (based on Ubuntu 10.4), samba is 3.4.7, and in network 192.168.1.0/24 DNS is updated successfully via net ads dns register -P. So, it's a samba problem :)
Re: [Samba] [samba] DNS update failed!
Anton wrote:
On 28 July 2010 01:45, k.maksimov k.maksi...@butb.by wrote:

I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first network, the hostname is registered successfully, but in the second network:

sudo net ads join -U admin
Enter admin's password:
Using short domain name -- BUTB
Joined 'TH-2-011' to realm 'butb.by'
DNS update failed!

As far as I can tell (I'm not entirely certain though) this is an Active Directory / Windows Server configuration issue around loosening permissions enough for the DHCP service to update the DNS records. I don't know exactly what settings need to be configured though, as I didn't manage to get it working either. In the end I decided to keep the standard security and just use static IPs and DNS records for winbind machines.

I use a static IP and I don't have DHCP, and this is not an AD problem: Windows machines successfully update DNS. Also, I have ~200 machines and I can't add every DNS record manually.
Re: [Samba] [samba] DNS update failed!
Alexander R. Fahrutdinov wrote:
In a message of 28 July 2010 10:15:25, k.maksimov wrote:
Anton wrote:
On 28 July 2010 01:45, k.maksimov k.maksi...@butb.by wrote:

I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first network, the hostname is registered successfully, but in the second network:

sudo net ads join -U admin
Enter admin's password:
Using short domain name -- BUTB
Joined 'TH-2-011' to realm 'butb.by'
DNS update failed!

As far as I can tell (I'm not entirely certain though) this is an Active Directory / Windows Server configuration issue around loosening permissions enough for the DHCP service to update the DNS records. I don't know exactly what settings need to be configured though, as I didn't manage to get it working either. In the end I decided to keep the standard security and just use static IPs and DNS records for winbind machines.

I use a static IP and I don't have DHCP, and this is not an AD problem: Windows machines successfully update DNS. Also, I have ~200 machines and I can't add every DNS record manually.

Please show the output of the command net ads dns register -P -d 4.
PC must be already added to domain

sudo net ads dns register -P -d 4
[2010/07/28 14:21:32, 3] param/loadparm.c:9039(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/28 14:21:32, 3] param/loadparm.c:4848(init_globals)
  Initialising global parameters
[2010/07/28 14:21:32, 2] param/loadparm.c:4707(max_open_files)
  rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
[2010/07/28 14:21:32, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2010/07/28 14:21:32, 3] param/loadparm.c:7726(do_section)
  Processing section [global]
  doing parameter workgroup = BUTB
  doing parameter netbios name = %h
[2010/07/28 14:21:32, 4] param/loadparm.c:7088(handle_netbios_name)
  handle_netbios_name: set global_myname to: TH-3-059
  doing parameter dos charset = cp866
  doing parameter unix charset = UTF8
  doing parameter server string = %h server (Samba, Linux)
  doing parameter dns proxy = no
  doing parameter name resolve order = lmhosts wins bcast host
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 1000
  doing parameter syslog = 0
  doing parameter panic action = /usr/share/samba/panic-action %d
  doing parameter security = ADS
  doing parameter encrypt passwords = true
  doing parameter passdb backend = tdbsam
  doing parameter obey pam restrictions = yes
  doing parameter unix password sync = yes
  doing parameter password server = ad, ad2
  doing parameter passwd program = /usr/bin/passwd %u
  doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
  doing parameter pam password change = yes
  doing parameter map to guest = bad user
  doing parameter idmap uid = 1-2
  doing parameter idmap gid = 1-2
  doing parameter winbind uid = 1-2
  doing parameter winbind gid = 1-2
  doing parameter template shell = /bin/bash
  doing parameter template homedir = /home/%U
  doing parameter winbind separator = /
  doing parameter winbind offline logon = true
  doing parameter winbind cache time = 86400
  doing parameter passdb backend = tdbsam
  doing parameter realm = butb.by
  doing parameter winbind use default domain = yes
  doing parameter usershare allow guests = yes
[2010/07/28 14:21:32, 4] param/loadparm.c:9074(lp_load_ex)
  pm_process() returned Yes
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
  added interface eth0 ip=fe80::201:2eff:fe2b:3ff6%eth0 bcast=fe80:::::%eth0 netmask=:::::
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
  added interface eth0 ip=172.16.0.101 bcast=172.16.1.255 netmask=255.255.254.0
[2010/07/28 14:21:32, 4] libsmb/namequery_dc.c:73(ads_dc_name)
  ads_dc_name: domain=BUTB
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
  get_dc_list: preferred server list: ad.butb.by, ad, ad2
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
  get_dc_list: returning 2 ip addresses in an ordered list
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
  get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 3] libads/ldap.c:621(ads_connect)
  Successfully contacted LDAP server 192.168.1.2
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
  get_dc_list: preferred server list: ad.butb.by, ad, ad2
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
  get_dc_list: returning 2 ip addresses in an ordered list
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
  get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
  get_dc_list: preferred server list: ad.butb.by, ad, ad2
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
  get_dc_list: returning 2 ip addresses
Re: [Samba] Changing password on unix client joined to AD
Lorenzo Milesi wrote:

Hi. I've set up a Samba PDC on Debian, working fine with XP clients. I'm now trying to have a Linux client join the domain. I managed to do that, but I cannot handle password expiration. When the domain password is expired, in GDM I see a message "Your password is expired" but the user can log in anyway.

I used the following guide to configure my Linux client, which is an Ubuntu 10.04: https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto

Configured PAM using pam-auth-update.

common-auth is:
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login use_first_pass

common-password:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 default=ignore] pam_winbind.so use_authtok use_first_pass

nsswitch.conf:
passwd: files winbind
group: files winbind
shadow: files winbind
hosts: files dns

What should I change? Thanks.

GDM does not support this feature: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/114620
If you want, you can hack gdm)
[Samba] [samba] DNS update failed!
I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first network, the hostname is registered successfully, but in the second network:

sudo net ads join -U admin
Enter admin's password:
Using short domain name -- BUTB
Joined 'TH-2-011' to realm 'butb.by'
DNS update failed!

dpkg -l | grep samba
ii samba 2:3.4.7~dfsg-1ubuntu3

lsb_release -a
Description: Linux Mint 9 Isadora

sudo net ads dns register -d 9 -U admin
[2010/07/27 12:35:32, 5] lib/debug.c:407(debug_dump_status)
  INFO: Current debug levels:
    all: True/9
    tdb: False/0
    printdrivers: False/0
    lanman: False/0
    smb: False/0
    rpc_parse: False/0
    rpc_srv: False/0
    rpc_cli: False/0
    passdb: False/0
    sam: False/0
    auth: False/0
    winbind: False/0
    vfs: False/0
    idmap: False/0
    quota: False/0
    acls: False/0
    locking: False/0
    msdfs: False/0
    dmapi: False/0
    registry: False/0
[2010/07/27 12:35:32, 3] param/loadparm.c:9039(lp_load_ex)
  lp_load_ex: refreshing parameters
[2010/07/27 12:35:32, 3] param/loadparm.c:4848(init_globals)
  Initialising global parameters
[2010/07/27 12:35:32, 2] param/loadparm.c:4707(max_open_files)
  rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
[2010/07/27 12:35:32, 3] ../lib/util/params.c:550(pm_process)
  params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
[2010/07/27 12:35:32, 3] param/loadparm.c:7726(do_section)
  Processing section [global]
  doing parameter workgroup = BUTB
  doing parameter netbios name = %h
[2010/07/27 12:35:32, 4] param/loadparm.c:7088(handle_netbios_name)
  handle_netbios_name: set global_myname to: TH-2-011
  doing parameter dos charset = cp866
[2010/07/27 12:35:32, 5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UCS-2LE
[2010/07/27 12:35:32, 5] lib/iconv.c:112(smb_register_charset)
  Registered charset UCS-2LE
[2010/07/27 12:35:32, 5] lib/iconv.c:104(smb_register_charset)
  Attempting to register new charset UTF-16LE
[2010/07/27 12:35:32, 5]