Re: [Samba] Clients Windows not update record DNS on zone BIND9_DLZ
This issue frustrates a lot of people (myself included). I ended up having to ditch the Windows client DNS updates, and instead have my dhcp server update the records. Refer to a previous thread between Rowland and myself. In there he gives a very useful link for doing this.

*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408 | Seattle, WA 98104
phone: 1.800.918.1670 | direct: 206.456.9180
fax: 206.623.3491 | cell: 206.355.7767

2013/10/14 Jacó Ramos j4c0r4...@gmail.com

Hi List,

My Windows clients do not update DNS records on zones! Here is my log:

--
samba_dlz: starting transaction on zone jacoramos.net.br
client 192.168.0.20#1080: update 'jacoramos.net.br/IN' denied
samba_dlz: cancelling transaction on zone jacoramos.net.br
--

Anyone have any ideas?

Thanks!

Jacó Ramos

--
*Man was not created to be happy nor to win, but to live for God. When he lives for God, he is happy and he wins. Isaltino Gomes*

*$whoami*
- Computer Forensics Examiner
- Pentester
- Specialist in Computer Network Security with an emphasis on Computer Forensics - FACID
- Bachelor of Computer Science - UESPI
- Computer Network Administrator
- CCNA Module II
- Lattes: http://lattes.cnpq.br/1591329268136905

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Multiple A records on my parent domain name are confusing hosts
BTW, I commented out the first two lines in dns_update_list, then removed the spare entries from DNS. Now they don't refresh the bad entries. Problem solved. (really, I'm only interested in samba keeping the ms-specific dns entries up to date)

*Scott Goodwin*

On Fri, Oct 11, 2013 at 12:43 PM, Gregory Sloop gr...@sloop.net wrote:

AB On Tue, 2013-10-08 at 10:23 -0700, Scott Goodwin wrote:

I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
My domain is example.com
My Samba4 server is myserver.example.com
myserver has two nics: 10.10.10.5 and 192.168.10.2
My externally hosted web site is www.example.com, and is hosted at 123.123.123.123

I have an A and CNAME in DNS like so:

@ A 123.123.123.123
www CNAME example.com.

The above allows internal web browsers to access the external site via www.example.com or example.com. This works great. The problem is that every ten minutes when samba's dns update happens, it keeps putting the following two entries in, which points internal hosts to the dns server, instead of the externally hosted web site:

@ A 10.10.10.5
@ A 192.168.10.2

Why do these keep showing up? I'm sure there is a place that the info is coming from, but I don't know where, and I desperately need to prevent this from happening. I mean, don't get me wrong, I realize what the records mean, but what I'm trying to do is prevent them from repopulating and preventing my internal hosts from browsing the web site. I didn't have this problem when I could edit the bind files directly, but now that I'm using bind_dlz for samba, I'm a little lost.

AB The issue is that Samba controls that name, and tries to set it to match
AB the network interfaces of the DC, because AD clients may (few actually
AB do, in this specific case) use this name to find a DC. See
AB dns_update_list.

AB I suggest breaking the CNAME and not using example.com to find your
AB website internally.

Wouldn't it make a lot of sense, provided one had the infrastructure [extra servers/hardware] to handle DNS like this: (And at a smaller site, you could do this in a VM like virtualbox on the same hardware as the S4/AD server - memory is cheap, and at a small site, I/O load is going to be trivial.)

---

Setup a DNS+DHCP server, external to/outside of the AD. Say, mydomain.local
DHCP and DDNS would apply against mydomain.local

Put the S4/Windows AD in a 3rd level domain - say samba.mydomain.local.

Point all queries for the 3rd level DNS [samba.mydomain.local] to the AD/DNS controller. [i.e. A forward zone for samba.mydomain.local - S4AD server]

This resolves issues with DHCP/DDNS - since you're not trying to make the AD controller handle it.

Next by using something like .local as your 1st level domain, you don't have conflicts with real-world external domains. [And even if you did use something like .com - you could tweak the DNS server to handle it without messing with the AD domain - provided you didn't use anything in that 3rd level domain (samba.mydomain.local) out in the open/public internet.]

I know it's extra work, but it just seems to make things a lot cleaner and keeps DNS from becoming such a tangle in AD, IMO

Thoughts?

-Greg
Re: [Samba] Port 139 Not open on bootup...
That matches what I have been thinking. However the IPv6 is up, and isn't that the same interface? There is only one mac address device, the NIC.

If this is the case, then how do I delay the smb start up? I've been using linux for decades, but only infrequently, so I have to relearn these things every couple of years. I know it's somewhere in the init.d scripts for run level 3 and 5

Thanks.

-Scott

On Sun, Oct 13, 2013 at 12:05 AM, Gregory Sloop gr...@sloop.net wrote:

[I may be completely wrong, but I'm too lazy to look it up, but perhaps it's a place to start...]

I seem to recall that if the interface isn't up and ready, Samba, when it comes up, won't listen on that interface unless it's explicitly defined.

Is there a chance that the IPv4 interface isn't up when the Samba loads, but IPv6 is? [Or perhaps IPv6 gets treated differently...]

Something to investigate - but remember, I'm not claiming to be right. :)

-Greg

SW I am running SUSE 12.0 I have had this problem on another machine months
SW ago, but never solved it. I have done many searches, but have come up empty.
SW When booted, port 139 is not open on IPv4. There is no 0.0.0.0:139 listening.
SW HOWEVER: :::139 is listening. SO I know it is open on IPv6.
SW When I try to gain remote access through a share, the machine is not found.
SW When I try to telnet to port 139, the connection is refused.
SW To solve it, I have to manually restart smb. So this is some kind of
SW 'first bootup' problem. All the searches I came up with all describe a
SW problem that it just isn't working at all. This is just that it doesn't
SW work until I restart the daemon.
SW It's annoying to work around, especially when I'm using a VM and
SW starting/stopping the machine often.
SW Can anyone advise on what this problem is, or how to fix it?
SW -Scott
[Samba] Port 139 Not open on bootup...
I am running SUSE 12.0

I have had this problem on another machine months ago, but never solved it. I have done many searches, but have come up empty.

When booted, port 139 is not open on IPv4. There is no 0.0.0.0:139 listening. HOWEVER: :::139 is listening. SO I know it is open on IPv6.

When I try to gain remote access through a share, the machine is not found. When I try to telnet to port 139, the connection is refused.

To solve it, I have to manually restart smb. So this is some kind of 'first bootup' problem. All the searches I came up with all describe a problem that it just isn't working at all. This is just that it doesn't work until I restart the daemon.

It's annoying to work around, especially when I'm using a VM and starting/stopping the machine often.

Can anyone advise on what this problem is, or how to fix it?

-Scott
[Samba] DNS frustration
I'm getting fed up with the whole DNS scenario with Samba4. I'm literally about to go insane. I've spent about 60 hours in the last two weeks and I can't seem to figure out a solution that meets my requirements.

So what are my requirements?

* A Samba4 AD domain.
* A DHCP server for approx 100 windows clients/devices
* A DNS server whose forward and reverse zones get updated when Windows clients' ip addresses change (I don't care if this is via signed updates between bind and isc-dhcp, via windows client kerberos updates to the AD controller, or via carrier pigeon).

I am running Centos 6.4 x64, and sernet-samba 4.0.9

Simple, right? Good lord, I've grown gray hair trying to figure this out, so either I have a huge blind spot, or it really is complex!

Here's what I've tried, and the problems I've had with each scenario:

* Samba4 with Internal DNS.
This, to my knowledge, addresses all my requirements except for one (https://bugzilla.samba.org/show_bug.cgi?id=9409). An absolute deal breaker, since we use google apps, and I have to be able to CNAME mail.mydomain.com to ghs.google.com. Unless anyone can think of a workaround? I thought about installing bind on another server that Internal DNS would forward to, but this just seems silly. I really don't want the extra maintenance either.

* Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
Dammit this is so close! But Windows client dns updates do not work. Actually, they worked at first, then they stopped working. Errors like this:

Oct 8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct 8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
Oct 8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com

This is a decidedly ubiquitous problem out there, and one can google on this for hours, with no solid fixes or answers. Per this guy's advice (http://article.gmane.org/gmane.network.samba.general/131081/match=) I downloaded and compiled bind 9.8, and also 9.9 (just for good measure) using the proper flags (--with-dlopen=yes, --with-gssapi=/usr/include/gssapi, and WITHOUT the flag --disable-isc-spnego). After I did this, it actually worked for a few hours! Then all of a sudden, stopped working with the above errors littering my named.log again.

* So finally, I give up on windows clients using kerberos to update the DNS server.
I'll tackle this by having dhcp update dns, right? OK, first off, I have dhcp served off of our Meraki MX60 security appliance. I like the easy management interface, but hell, I'm certainly not married to it. Mainly I like it because when dhcp goes down, all hell breaks loose, so I like to keep that off of the same server that everything else is on. So, ok, I disable dhcp on the meraki and install and configure isc-dhcp on my AD server. But now, I can't for the life of me figure out how to have it and bind work together, while at the same time, have bind serve as a back end for samba4. If samba4's dns stuff is all stored in the tdb files, and the dlz module is the glue between bind and AD, then where does isc-dhcp fit into the picture? I mean, the zone files aren't even in the picture, because they are in the tdb's.

To be honest, I would really prefer to just have regular bind zone files to do my dns. This is a familiar format, and I don't mind the command line fu that goes along with it, but it seems like this is not possible now (has BIND9_FLATFILE backend been deprecated? Can I hack it to work?)

I'm desperate now, and even considered this post: http://edoceo.com/howto/samba4 which has an old (probably outdated) script to allow dnsmasq to work with samba4. Frankly, I don't see that as a viable option, but I'd take it if it worked.

I'm happy to give more detail on any configs, settings, etc, but I'm hoping this question is general enough that someone might be able to relay a scenario that worked for them. Have you been in my shoes, and can you suggest a solution that works? I can't imagine I'm the only one out there who is using samba4 with these requirements! Tell me I'm a dumb-a** and show me an obvious solution!!

Thanks to all,
Scott
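An added example, not part of the original post or of Samba/BIND: a Python triage script for the named log lines quoted in the message above. It ties each `update ... denied` line to the samba_dlz transaction around it and summarises denials per client and zone, so you can see when denials began and whether one client or many are affected. The first three sample lines come from the post; the rest of the sample log (including the second client address) and all function names are constructed for illustration.

```python
"""Summarise BIND 'update denied' lines from a Samba BIND9_DLZ server (added example)."""
import re
from collections import OrderedDict
from datetime import datetime

# Syslog framing as quoted in the thread: "Oct 8 21:38:16 earl named[7695]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"named\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
MESSAGE_RES = (
    ("start", re.compile(r"^samba_dlz: starting transaction on zone (?P<zone>\S+)$")),
    # Optional whitespace after the quote tolerates mail-wrapped copies of the line.
    ("denied", re.compile(r"^client (?P<client>[0-9A-Fa-f.:]+)#\d+: "
                          r"update '\s*(?P<zone>[^'/\s]+)/[A-Z]+' denied$")),
    ("cancel", re.compile(r"^samba_dlz: cancelling transaction on zone (?P<zone>\S+)$")),
)


def parse_line(line, year):
    """Return an event dict for a recognised named line, otherwise None."""
    framed = SYSLOG_RE.match(line.strip())
    if not framed:
        return None
    stamp = " ".join(framed["ts"].split())          # collapse "Oct  8" padding
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    for kind, pattern in MESSAGE_RES:
        hit = pattern.match(framed["msg"].strip())
        if hit:
            event = {"kind": kind, "ts": when, "pid": int(framed["pid"]),
                     "zone": hit["zone"].rstrip(".").lower()}
            if kind == "denied":
                event["client"] = hit["client"]
            return event
    return None


def summarise_denials(lines, year):
    """Map (client, zone) -> counters for every denied dynamic update, in log order."""
    open_tx = set()      # (pid, zone) pairs with a started, not yet cancelled transaction
    last_denied = {}     # (pid, zone) -> summary key of the denial inside that transaction
    summary = OrderedDict()
    for line in lines:
        event = parse_line(line, year)
        if event is None:
            continue                                 # other daemons, unknown messages
        tx = (event["pid"], event["zone"])
        if event["kind"] == "start":
            open_tx.add(tx)
        elif event["kind"] == "denied":
            key = (event["client"], event["zone"])
            row = summary.setdefault(key, {"count": 0, "first": event["ts"],
                                           "last": event["ts"],
                                           "rolled_back": 0, "outside_tx": 0})
            row["count"] += 1
            row["last"] = event["ts"]
            if tx in open_tx:
                last_denied[tx] = key
            else:
                row["outside_tx"] += 1               # denial with no transaction logged
        else:                                        # cancel closes the transaction
            open_tx.discard(tx)
            key = last_denied.pop(tx, None)
            if key is not None:
                summary[key]["rolled_back"] += 1
    return summary


# Constructed sample: lines 1-3 are the ones quoted in the post, the rest are made up.
SAMPLE_LOG = """\
Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update ' mydomain.com/IN' denied
Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 21:53:20 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:53:20 earl named[7695]: client 10.2.2.227#53011: update 'mydomain.com/IN' denied
Oct  8 21:53:20 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 21:54:02 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:54:02 earl named[7695]: client 10.2.2.41#49822: update 'mydomain.com/IN' denied
Oct  8 21:54:02 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 21:55:10 earl named[7695]: client 10.2.2.41#49830: update 'mydomain.com/IN' denied
Oct  8 21:55:11 earl sshd[812]: unrelated line that must be ignored
""".splitlines()

if __name__ == "__main__":
    for (client, zone), row in summarise_denials(SAMPLE_LOG, 2013).items():
        print(f"{client:<15} {zone:<15} denied={row['count']} "
              f"rolled_back={row['rolled_back']} outside_tx={row['outside_tx']} "
              f"first={row['first']:%b %d %H:%M:%S} span={row['last'] - row['first']}")
```

Syslog timestamps carry no year, so the caller supplies it; the first-seen time per client is the value to compare against when updates last worked.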
Re: [Samba] DNS frustration
Thanks for the advice Steve. I had actually tried this before, and it did work temporarily, but after a few hours, the updates started failing again. This is so weird! Why is this happening?

I have nothing but respect for the samba team and all their hard work, but egads, I just can't figure out why such a critical issue is still running rampant. (Ok, so it's not critical in the sense that all your clients are down, and they can't work. But heck, every time a pc gets a new dhcp lease, I have to change it by hand, and that becomes a maintenance nightmare).

I'm being completely serious when I say this: how do larger companies that have rolled out samba4 cope with this issue? Is there some workaround I'm not aware of?

*Scott Goodwin*

On Tue, Oct 8, 2013 at 11:56 PM, steve st...@steve-ss.com wrote:

On Tue, 2013-10-08 at 22:59 -0700, Scott Goodwin wrote:

* Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
Dammit this is so close! But Windows client dns updates do not work. Actually, they worked at first, then they stopped working. Errors like this:

Oct 8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct 8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
Oct 8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com

This is a decidedly ubiquitous problem out there, and one can google on this for hours, with no solid fixes or answers. Per this guy's advice (http://article.gmane.org/gmane.network.samba.general/131081/match=) I downloaded and compiled bind 9.8, and also 9.9 (just for good measure) using the proper flags (--with-dlopen=yes, --with-gssapi=/usr/include/gssapi, and WITHOUT the flag --disable-isc-spnego). After I did this, it actually worked for a few hours! Then all of a sudden, stopped working with the above errors littering my named.log again.

Hi

Do you have CNAME's? If not, then it's just because you've tried different Samba versions but with the same dns records. Try deleting the old machine record so that a new one corresponding to your new install will recreate it at the next update request. I don't know your domain names and finding the DN for the machine took some working out, but I've an example here:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

HTH
Steve
[Samba] samba_upgradedns output
When I run:

# samba_upgradedns --dns-backend=BIND9_DLZ

I get the following:

lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Reading domain information
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-earl account
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

What does the line

No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone

mean? Or rather, I know what it means, but what is the file itself supposed to do? In all the Samba4 documentation, I don't see any indication on where this file is supposed to be created. I even see references here: https://wiki.samba.org/index.php/Dns-backend_bind#Interaction_with_AppArmor_or_SELinux (the SELinux settings) where this file is mentioned, but no other indication anywhere on what its purpose is, or what should be in it. I mean, obviously, it's a zone file, but for what? Aren't the zones kept in the tdb files now? Is this a relic from the BIND9_FLATFILE backend, and the documentation hasn't been updated?

Any info appreciated.

Thanks
Re: [Samba] DNS frustration
Ah, by golly, I think that may do it! I hadn't found that url yet, so mega thanks for the link. Because nsupdate will be run from the server (as opposed to the clients, which is where the failed kerberos dns updates are coming from), I think this will work. I mean, I can update dns records just fine if I do it from the command line on the server -- it's only when remote clients attempt updates that it fails.

I'll give this a whirl and post my results. There is hope!

*Scott Goodwin*

On Wed, Oct 9, 2013 at 1:36 PM, Rowland Penny rowlandpe...@googlemail.com wrote:

On 09/10/13 20:15, Scott Goodwin wrote:

Thanks for the advice Steve. I had actually tried this before, and it did work temporarily, but after a few hours, the updates started failing again. This is so weird! Why is this happening?

I have nothing but respect for the samba team and all their hard work, but egads, I just can't figure out why such a critical issue is still running rampant. (Ok, so it's not critical in the sense that all your clients are down, and they can't work. But heck, every time a pc gets a new dhcp lease, I have to change it by hand, and that becomes a maintenance nightmare).

I'm being completely serious when I say this: how do larger companies that have rolled out samba4 cope with this issue? Is there some workaround I'm not aware of?

*Scott Goodwin*

On Tue, Oct 8, 2013 at 11:56 PM, steve st...@steve-ss.com wrote:

On Tue, 2013-10-08 at 22:59 -0700, Scott Goodwin wrote:

* Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
Dammit this is so close! But Windows client dns updates do not work. Actually, they worked at first, then they stopped working. Errors like this:

Oct 8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct 8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
Oct 8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com

This is a decidedly ubiquitous problem out there, and one can google on this for hours, with no solid fixes or answers. Per this guy's advice (http://article.gmane.org/gmane.network.samba.general/131081/match=) I downloaded and compiled bind 9.8, and also 9.9 (just for good measure) using the proper flags (--with-dlopen=yes, --with-gssapi=/usr/include/gssapi, and WITHOUT the flag --disable-isc-spnego). After I did this, it actually worked for a few hours! Then all of a sudden, stopped working with the above errors littering my named.log again.

Hi

Do you have CNAME's? If not, then it's just because you've tried different Samba versions but with the same dns records. Try deleting the old machine record so that a new one corresponding to your new install will recreate it at the next update request. I don't know your domain names and finding the DN for the machine took some working out, but I've an example here:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

HTH
Steve

Hi, try starting here:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

Rowland
[Samba] Multiple A records on my parent domain name are confusing hosts
I'm using Samba 4.0.9, Bind 9.9.4 w/ dlz
My domain is example.com
My Samba4 server is myserver.example.com
myserver has two nics: 10.10.10.5 and 192.168.10.2
My externally hosted web site is www.example.com, and is hosted at 123.123.123.123

I have an A and CNAME in DNS like so:

@ A 123.123.123.123
www CNAME example.com.

The above allows internal web browsers to access the external site via www.example.com or example.com. This works great. The problem is that every ten minutes when samba's dns update happens, it keeps putting the following two entries in, which points internal hosts to the dns server, instead of the externally hosted web site:

@ A 10.10.10.5
@ A 192.168.10.2

Why do these keep showing up? I'm sure there is a place that the info is coming from, but I don't know where, and I desperately need to prevent this from happening. I mean, don't get me wrong, I realize what the records mean, but what I'm trying to do is prevent them from repopulating and preventing my internal hosts from browsing the web site. I didn't have this problem when I could edit the bind files directly, but now that I'm using bind_dlz for samba, I'm a little lost.

Thanks!
Re: [Samba] samba-tool classicupgrade throws uncaught exception
Actually, what I ended up doing to fix this was the following, in case it benefits the next person.

On my samba3 domain, I did:

# net groupmap delete sid=S-1-5-21-XX-1066
# net groupmap add rid=513 unixgroup=users type=domain ntgroup="Domain Users"
# net groupmap delete sid=S-1-5-21-XX-1057
# net groupmap add rid=512 unixgroup=smbadmins type=domain ntgroup="Domain Admins"

Then on my Windows server (a separate member server of the domain, which has a few shares on it), I redid the sharing and Security permissions, since Windows had the old SID in there. Simply re-adding the proper group sufficed, and users were good to go.

I then was able to successfully complete the classicupgrade tool on my resulting tdbs.

--scott

*Scott Goodwin*

On Tue, Aug 20, 2013 at 2:25 PM, Andrew Bartlett abart...@samba.org wrote:

On Tue, 2013-08-20 at 11:33 -0700, Scott Goodwin wrote:

Update: Upon further investigation, the group with SID ending in -1057 is my Domain Admins group, which is mapped to unix group smbadmins. SID ending in -1066 (see my original posting) is Domain Users, which I have mapped to unix group users. I suspect that if I remove these two mappings, the classic upgrade may succeed, at which point I can re-add them.

Two things:

1) Is it a problem that my Domain Admins and Domain Users groups do not have the standard NT4 domain suffixes (I think Domain Admins typically ends with -512. Can't remember what the suffix for Domain Users is, but it isn't -1066).

Yes.

2) Is there a way to remove these mappings from the .tdb files I have copied over to the new server? I know I can remove the mapping from my old server, then re-copy the tdb files over, then re-add the mapping on my samba3 server, but the Domain Users mapping would impact users (I'm pretty sure), and I want to avoid that if possible. So, I'm hoping there is a way to manually edit the tdb's in the test environment where my samba4 server is, or some tool that can assist in such.

The 'Samba3' tools still work in Samba 4.0, so if you put the files in the 'expected' locations on in the new server, then you should be able to just edit them there, as if it was the original server. Then upgrade.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz
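An added example, not part of the thread and not Samba code: a pre-flight check to run on the Samba3 side before `classicupgrade`. It parses group mappings and flags Domain Admins / Domain Users entries whose SID does not end in the well-known RID, then prints the same `net groupmap delete` / `add` pair used in the fix above. The domain SID and mappings in the sample are constructed, and the `Name (SID) -> unixgroup` line format is assumed to be what `net groupmap list` prints.

```python
"""Check group mappings for non-standard RIDs before classicupgrade (added example)."""
import re
import shlex

# Well-known domain group RIDs; 512 and 513 are the two discussed in the thread.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# Assumed line format: "<NT group name> (<SID>) -> <unix group>"
MAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-[0-9-]+)\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Turn mapping lines into dicts, splitting each SID into domain part and RID."""
    entries = []
    for raw in text.splitlines():
        m = MAP_RE.match(raw.strip())
        if not m:
            continue                      # blank lines, headers, anything unexpected
        domain, _, rid = m["sid"].rpartition("-")
        entries.append({"nt": m["nt"], "sid": m["sid"], "domain": domain,
                        "rid": int(rid), "unix": m["unix"]})
    return entries


def check_groupmap(text):
    """Return one finding per well-known group mapped to a SID with the wrong RID."""
    entries = parse_groupmap(text)
    by_name = {e["nt"].lower(): e for e in entries}
    rid_owner = {(e["domain"], e["rid"]): e["nt"] for e in entries}
    findings = []
    for name, want in WELL_KNOWN_RIDS.items():
        entry = by_name.get(name.lower())
        if entry is None or entry["rid"] == want:
            continue
        finding = {"group": name, "sid": entry["sid"], "expected_rid": want,
                   "fix": [], "note": ""}
        holder = rid_owner.get((entry["domain"], want))
        if holder is not None:
            # Edge case: another group already occupies the well-known RID.
            finding["note"] = (f"RID {want} is already held by '{holder}'; "
                               "resolve that mapping first")
        else:
            finding["fix"] = [
                f"net groupmap delete sid={entry['sid']}",
                f"net groupmap add rid={want} unixgroup={shlex.quote(entry['unix'])} "
                f"type=domain ntgroup={shlex.quote(name)}",
            ]
            # The thread notes Windows ACLs kept the old SID and had to be redone.
            finding["note"] = f"re-apply Windows ACLs that still reference {entry['sid']}"
        findings.append(finding)
    return findings


# Constructed sample mirroring the thread: -1057 -> smbadmins, -1066 -> users.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1057) -> smbadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-1066) -> users
Domain Guests (S-1-5-21-1111111111-2222222222-3333333333-514) -> nobody
Engineering (S-1-5-21-1111111111-2222222222-3333333333-1201) -> eng
Administrators (S-1-5-32-544) -> root
"""

if __name__ == "__main__":
    for f in check_groupmap(SAMPLE_GROUPMAP):
        print(f"{f['group']}: {f['sid']} should end in -{f['expected_rid']}")
        for cmd in f["fix"]:
            print(f"  # {cmd}")
        print(f"  note: {f['note']}")
```

Run it against a copy of the tdb files in the test environment first, as Andrew suggests, and review the printed commands before applying them.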
Re: [Samba] samba-tool classicupgrade throws uncaught exception
Update: Upon further investigation, the group with SID ending in -1057 is my Domain Admins group, which is mapped to unix group smbadmins. SID ending in -1066 (see my original posting) is Domain Users, which I have mapped to unix group users. I suspect that if I remove these two mappings, the classic upgrade may succeed, at which point I can re-add them.

Two things:

1) Is it a problem that my Domain Admins and Domain Users groups do not have the standard NT4 domain suffixes (I think Domain Admins typically ends with -512. Can't remember what the suffix for Domain Users is, but it isn't -1066).

2) Is there a way to remove these mappings from the .tdb files I have copied over to the new server? I know I can remove the mapping from my old server, then re-copy the tdb files over, then re-add the mapping on my samba3 server, but the Domain Users mapping would impact users (I'm pretty sure), and I want to avoid that if possible. So, I'm hoping there is a way to manually edit the tdb's in the test environment where my samba4 server is, or some tool that can assist in such.

Thanks for any advice.

*Scott Goodwin*

On Mon, Aug 19, 2013 at 4:57 PM, Scott Goodwin sc...@mimicsimulation.com wrote:

Update: I realized shortly after I sent the email that because I don't use winbind, I can (and should) delete the file winbindd_idmap.tdb. So, the second error is now the stopper. In essence, it's complaining that it can't find the user or group with sid ending in 1057.

Adding users to groups
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-XXX-1002' to group 'S-1-5-21-XXX-1057' as either group or user record doesn't exist: Base-DN 'SID=S-1-5-21-XXX-1057' not found
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 913, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 316, in add_users_to_group
    raise ProvisioningError(Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s % (member_sid, group.sid, emsg))

*Scott Goodwin*

On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin sc...@mimicsimulation.com wrote:

I have a new server running CentOS 6.4 x64, which will serve as our new Samba4 server. It is set up in a test environment, and I've copied over the tdb files and the smb.conf file from our samba3 server (Same OS and version).

I'm trying to do an in-place upgrade on the copied files, but keep hitting an assert / uncaught exception during the upgrade:

# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf
Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Exporting users
Ignoring group memberships of 'testuser' S-1-5-21-XX-1065: Unable to enumerate group memberships, (-1073741724,No such user)
Skipping wellknown rid=501 (for username=nobody)
Ignoring group memberships of 'TEST-PC$' S-1-5-21-XX-1097: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'testuser2' S-1-5-21-XX-1075: Unable to enumerate group memberships, (-1073741724,No such user)
Next rid = 9001
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydomain,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
[Samba] samba-tool classicupgrade throws uncaught exception
be removed in favour of the Administrator user
Adding users to groups
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-XX-1002' to group 'S-1-5-21-XX-1057' as either group or user record doesn't exist: Base-DN 'SID=S-1-5-21-XX-1057' not found
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 913, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 316, in add_users_to_group
    raise ProvisioningError(Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s % (member_sid, group.sid, emsg))

I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes. If this is the issue, can I rebuild it on the samba3 server?

Here's the global section of my smb.conf:

workgroup = MYDOMAIN
netbios name = MYSERVER
server string = Samba4 AD
interfaces = 192.168.0.0/24
bind interfaces only = Yes
passdb backend = tdbsam
username map = /etc/samba/smbusers
admin users = scott
wins support = Yes
smb ports = 139
time server = Yes
client ntlmv2 auth = Yes
log file = /var/log/samba/log.%m
max log size = 1000
debug uid = Yes
deadtime = 15
socket options = TCP_NODELAY IPTOS_LOWDELAY
show add printer wizard = No
load printers = no
printing = bsd
disable spoolss = yes
printcap name = /dev/null
printcap cache time = 0
add user script = /usr/sbin/useradd -m -g users %u
logon script = logon.bat
logon path =
logon drive = H:
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
unix password sync = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
pam password change = Yes

Thanks ahead of time for any assistance, and if you need additional info, let me know.

--scott
Re: [Samba] samba-tool classicupgrade throws uncaught exception
Update: I realized shortly after I sent the email that because I don't use winbind, I can (and should) delete the file winbindd_idmap.tdb. So, the second error is now the stopper. In essence, it's complaining that it can't find the user or group with sid ending in 1057.

    Adding users to groups
    ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-XXX-1002' to group 'S-1-5-21-XXX-1057' as either group or user record doesn't exist: Base-DN 'SID=S-1-5-21-XXX-1057' not found
      File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
        return self.run(*args, **kwargs)
      File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run
        useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
      File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 913, in upgrade_from_samba3
        add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
      File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 316, in add_users_to_group
        raise ProvisioningError(Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s % (member_sid, group.sid, emsg))

*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408 | Seattle, WA 98104
phone: 1.800.918.1670 | direct: 206.456.9180
fax: 206.623.3491 | cell: 206.355.7767

On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin sc...@mimicsimulation.com wrote:

> I have a new server running CentOS 6.4 x64, which will serve as our new Samba4 server. It is set up in a test environment, and I've copied over the tdb files and the smb.conf file from our samba3 server (Same OS and version).
>
> I'm trying to do an in-place upgrade on the copied files, but keep hitting an assert / uncaught exception during the upgrade:
>
> # /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Ignoring group memberships of 'testuser' S-1-5-21-XX-1065: Unable to enumerate group memberships, (-1073741724,No such user)
> Skipping wellknown rid=501 (for username=nobody)
> Ignoring group memberships of 'TEST-PC$' S-1-5-21-XX-1097: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'testuser2' S-1-5-21-XX-1075: Unable to enumerate group memberships, (-1073741724,No such user)
> Next rid = 9001
> Exporting posix attributes
> Reading WINS database
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=mydomain,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role: active directory domain controller
> Hostname: myserver
> NetBIOS Domain:MYDOMAIN
> DNS Domain:mydomain.com
> DOMAIN SID:S-1-5-21-XX
> Importing WINS database
> Importing Account policy
> Importing idmap database
> ERROR(assert): uncaught exception
>   File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py, line 175, in _run
>     return self.run(*args, **kwargs)
>   File /usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py, line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 868, in upgrade_from_samba3
>     import_idmap(result.idmap, samba3, logger)
>   File /usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py, line 214, in import_idmap
>     samba3_idmap = samba3.get_idmap_db()
>   File /usr/local/samba/lib64
Re: [Samba] Need support
On Aug 5, 2013, at 0:09, ketut.nur...@dexagroup.com wrote:

> dear Samba team,
>
> Today we have used samba ver. 3 as primary domain controller at my company. To improve the Samba technology and feature to support our business, we want to upgrade to Samba 4. Is there any tools or support to provide upgrade solution from Samba 3 to samba 4 ?
>
> For the information current Samba version we are used and running on Mandriva :
>
> samba-common-3.0.23b-7mdv2007.0
> samba-server-3.0.23b-7mdv2007.0
> samba-smbldap-tools-3.0.23b-7mdv2007.0
> samba-client-3.0.23b-7mdv2007.0
> samba-doc-3.0.23b-7mdv2007.0
>
> Any suggestion or support please contact me.

Although no longer technically supported, the upgrade provision script has done well for many people. Have you considered trying it in a virtual environment?
Re: [Samba] Need support
On Aug 10, 2013, at 4:22, Andrew Bartlett abart...@samba.org wrote:

> On Sat, 2013-08-10 at 03:19 -0400, Scott Lovenberg wrote:
>> On Aug 5, 2013, at 0:09, ketut.nur...@dexagroup.com wrote:
>>> dear Samba team,
>>>
>>> Today we have used samba ver. 3 as primary domain controller at my company. To improve the Samba technology and feature to support our business, we want to upgrade to Samba 4. Is there any tools or support to provide upgrade solution from Samba 3 to samba 4 ?
>>>
>>> For the information current Samba version we are used and running on Mandriva :
>>>
>>> samba-common-3.0.23b-7mdv2007.0
>>> samba-server-3.0.23b-7mdv2007.0
>>> samba-smbldap-tools-3.0.23b-7mdv2007.0
>>> samba-client-3.0.23b-7mdv2007.0
>>> samba-doc-3.0.23b-7mdv2007.0
>>>
>>> Any suggestion or support please contact me.
>>
>> Although no longer technically supported, the upgrade provision script has done well for many people. Have you considered trying it in a virtual environment?
>
> The upgradeprovision script is not for upgrades from Samba 3.x or classic domains, it is about old (very old) databases from the 4.0 alpha series.
>
> Use of the samba-tool domain classicupgrade command remains and will remain fully supported.

Sorry, Andrew, you are correct. I meant classicupgrade instead of upgradeprovision (to be fair, it's 4:30 AM on this side of the pond :)) Although I thought that classic upgrade still had some issues to be worked out, IIRC from the mailing list/IRC discussions. Am I mistaken?
[Samba] Upgrading samba3 to samba4 on a new server, and running them both at the same time
With relation to this page: https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

I would like to upgrade to samba4 on a new server, but would like to test it all out before finalizing the switch. My question is, can I copy over my tdb and smb.conf files (as mentioned in the above link), and then upgrade to samba4 on the new server, while staying on the same subnet of my network? In other words, have both servers live at the same time, on the same network? The domain name and SID would be the same, but the host (netbios) name of the two samba servers would be different.

I've gotta say, this sounds like a Very Bad Idea, and I can't imagine anything good coming of it, but hey, maybe it would work? Or maybe I could make it work with some slight config changes on the new server, during or after the upgrade provisioning?

What I'm trying to avoid is having to physically set up a test network that is completely isolated from our live samba3 network, in order to test everything out. If I can run them both on the same network, it would be so much easier for me. (Our server closet is pretty small, and the thought of physically wiring up a different switch with test workstations, etc, is not something I want to do if at all possible).

Thanks for any input.
[Samba] Debian 7.1 net user add etc returns exit code 255
I have a pristine Debian 7.1 system running Samba 3.6.6.

    root@tv:/etc/samba# apt-cache policy samba
    samba:
      Installed: 2:3.6.6-6
      Candidate: 2:3.6.6-6
      Version table:
     *** 2:3.6.6-6 0
            500 http://ftp.debian.org/debian/ wheezy/main amd64 Packages
            100 /var/lib/dpkg/status

Between strace (-s 102400 -ffO for net user, and all pid's of smbd), log level = 5, man pages, and as much white noise as I've been able to wade through from Google and the mailing list, I think the initial tdb was never setup. I created a new one with tdbtool, but I suppose I do not know what values to inject to bootstrap this.

I checked http://bugs.debian.org/samba , but did not find anything relevant.

strace may as well be Greek, as I really only see smb/445 traffic by and large. The logs are more verbose ... but I just cannot seem to wrap my head around it or zero into where the issue may be. Is it safe (security wise) to attach the verbose /var/log/samba logs? (1.2mb right now).

I just want my home share accessible when I authenticate from other systems (mac osx, windows 7, etc). Additionally, I would like / access as any non root user (authenticated).

    root@tv:/etc/samba# ls -laR /etc/samba/
    /etc/samba/:
    total 88
    drwxr-xr-x   2 root root    75 Jul 21 21:18 .
    drwxr-xr-x 138 root root  8192 Jul 21 20:24 ..
    -rw-r--r--   1 root root     8 Nov 10 2002 gdbcommands
    -rw-------   1 root root   696 Jul 21 21:18 secrets.tdb
    -rw-r--r--   1 root root 12240 Jul 21 21:17 smb.conf
    -rw-------   1 root root 54016 Jul 21 20:58 traceit.txt

testparm checks out.

    root@tv:/etc/samba# testparm
    Load smb config files from /etc/samba/smb.conf
    rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
    Processing section [homes]
    Processing section [printers]
    Processing section [print$]
    Loaded services file OK.
    Server role: ROLE_STANDALONE
    Press enter to see a dump of your service definitions

    [global]
        server string = %h server
        map to guest = Bad User
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        load printers = No
        dns proxy = No
        usershare allow guests = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap config * : backend = tdb

    [homes]
        comment = Home Directories
        valid users = %S
        create mask = 0700
        directory mask = 0700
        browseable = No

    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        print ok = Yes
        browseable = No

    [print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers
        browseable = No

I'm not sure if this is success via smbclient, I would expect to see my home share, but maybe that needs browsable = yes ? (will this expose it to other users?)

    supaplex@tv:~$ smbclient -L 127.0.0.1 //tv/supaplex
    Enter supaplex's password:
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (tv server)
        print$          Disk      Printer Drivers
    Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.6.6]

        Server               Comment
        ---------            -------
        TV                   tv server

        Workgroup            Master
        ---------            -------
        WORKGROUP            TV
    supaplex@tv:~$ echo $?
    0

Interesting enough, the man page suggests the private dir = /etc/samba/private, though the default is /etc/samba (hence my creation of the secrets.tdb in /etc/samba).

    root@tv:/etc/samba# testparm -v | egrep '(tdb|priv)'
    private dir = /etc/samba

Thanks and regards,
Scott Edwards
Re: [Samba] About NAS versus Samba
On Thu, Jul 11, 2013 at 12:55 PM, Fernando Lozano ferna...@lozano.eti.br wrote:

> But you know, everyone buys NASes today, it's getting harder to explaining a common PC would be better. Here a server box with a RAID controller and a hot-swappable disk bays is way more expensive than an iomega NAS in a rack form factory.

I've found the performance of those cheap NAS boxes (even the cheap ones are relatively expensive) to be sub-par. Most of them max out at a few MB/second. A reasonable set of hardware in a 2U with hot-swap drives will absolutely smoke a cheap NAS and the price/performance ratio is much better. Plus, you can use ZFS/BTRFS/etc as your backing store if you'd like on your own dedicated box.

--
Peace and Blessings,
-Scott.
Re: [Samba] samba4 (domain) dfs
On 5/26/2013 3:10 PM, Michael De Groote wrote:

> Hi all
>
> I'm trying to set up dfs for (among other things) profiles (i don't know if this is a good example, but that is out of the scope of my current question)
>
> I've been following these instructions:
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/msdfs.html
> http://us.generation-nt.com/answer/samba-domain-dfs-samba-4-help-209347402.html
> as well as the hints given in the thread *'Samba4 DFS Support'* on this list

[snip]

> *Questions:*
>
> 1. Am I misinterpreting the documentation? I was also under the impression that i would be able to access the subfolders inside the dfs-root directly... (which doesn't seem to be)
> 2. Does it just not work yet in samba4 and do i need to be patient?
> 3. Is there some other logger i need to turn on the see what is going wrong, and if so, what logger would that be? (i could also turn on all on level 10, but i fear i would be swamped...)

1.) You should be able to access sub directories inside a DFS root.

2.) This shouldn't be an issue since you're using the Samba-3 file server (smbd). I don't think the ntvfs file server in Samba-4 supports DFS though.

3.) I'd use the following logging options to get to the bottom of this: log level = 2 msdfs:8 auth:5 winbind:5 idmap:5 acls:3. Or something to that effect. You might even set log level to 1 and then only look at msdfs logging until you know what you want to take a closer look at.
[Samba] Samba 4, DHCP and Bind
Hi All,

I'm trying to integrate Samba 4 DHCPD and Bind 9.9 into a complete solution. I'm using the BIND/Samba 4 DLZ plugin. DHCP by itself works and hands out IP addresses.

What I would like to have happen is the following:

- PC is joined to the Samba 4 domain (this works)
- PC gets an IP via DHCPD
- DHCP or the PC registers the IP in BIND

Network PC's should resolve cleanly when pinging pc01.office.local

My logs are full of messages along the lines of:

    Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on zone office.local
    Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781: update 'office.local/IN' denied
    Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction on zone office.local

Clearly I'm missing something but not sure what exactly. Thanks for any suggestions you might have.

For reference... here are my various config files:

== smb.conf ---

    # Global parameters
    [global]
        server role = active directory domain controller
        workgroup = OFFICE
        interfaces = eth0
        bind interfaces only = yes
        realm = office.local
        netbios name = KNOTTYPINE
        passdb backend = samba4
        idmap_ldb:use rfc2307 = yes
        allow dns updates = True

    [netlogon]
        path = /usr/local/samba/var/locks/sysvol/office.local/scripts
        read only = No

    [sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

    [IPC$]
        path = /tmp
        read only = No

    [Data]
        path = /u0/sambashares/data
        read only = no

==

    ddns-update-style ad-hoc;
    allow unknown-clients;

    subnet 192.168.65.0 netmask 255.255.255.0 {
        # --- default gateway
        option routers 192.168.65.1;
        option subnet-mask 255.255.255.0;
        option domain-name "office.local";
        option domain-name-servers 192.168.65.2;
        option netbios-name-servers 192.168.65.2;
        option netbios-node-type 2;
        default-lease-time 21600;
        max-lease-time 43200;
        allow unknown-clients;
        range 192.168.65.100 192.168.65.150;
    }

==

    //
    // sample BIND configuration file
    //
    acl mynet {
        192.168.65.0/24;
        127.0.0.1;
    };

    options {
        listen-on { 127.0.0.1; 192.168.65.0/24; };
        allow-query { 192.168.65.0/24; localhost; };
        allow-recursion { 192.168.65.0/24; localhost; };
        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
        forwarders {8.8.8.8;};
    };

    // Where the localhost hostname is defined
    zone "localhost" IN {
        type master;
        file "/etc/namedb/zone.localhost";
        allow-update { none; };
    };

    // Where the 127.0.0.0 network is defined
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "/etc/namedb/revp.127.0.0";
        allow-update { none; };
    };

    zone "65.168.192.in-addr.arpa" {
        type master;
        file "/etc/namedb/192.168.65.0.rev";
        allow-query { mynet; };
        allow-transfer { mynet; };
        allow-update { mynet; };
    };

    include "/usr/local/samba/private/named.conf";
Re: [Samba] Samba 4.0 released - The First Free Software Active Directory Compatible Server is now available !
On Tue, Dec 11, 2012 at 12:32 PM, Jeremy Allison j...@samba.org wrote:

> Samba Team Releases Samba 4.0

Congrats!

--
Peace and Blessings,
-Scott.
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On Tue, Oct 23, 2012 at 3:23 PM, steve st...@steve-ss.com wrote:

> Hi Scott, hi everyone
>
> Yeah, that's fine. Does this clear up the issue with the ':'?
>
> I should have made it clearer that I was referring to autofs and not mounting e.g. from fstab. I just tried the automounter on cifs without the ':' and it doesn't work. Would it perhaps help to put a message in the logs when it fails, rather than silence? Or maybe that's more of a question for the autofs guys.
>
> Cheers,
> Steve

I've been at home thinking about this for a while tonight. I've checked the documentation for autofs and they do what they say what they'll do with that path (treat anything without a ':' as an NFS mount). On our side, (mount.cifs) we do what we say we'll do (support UNC paths). The most we could ask of them is to add/modify their documentation to include the case for CIFS instead of just SMB. This doesn't change anything on the mount.cifs side other than explicitly directing users to the correct syntax for CIFS shares when using autofs. Ultimately the autofs documentation implicitly states that CIFS shares should use a ':'.

All that being said, the mount.cifs has never officially supported NFS path syntax. We aren't silently ignoring the issue; we're sending a warning to stdout that in a future version of the mount utility we won't support this undocumented behavior. To be fair, that's more than most code bases do for deprecating undocumented features.

If anyone wants me to pursue the issue, I'll see what I can do about getting the documentation for autofs altered to explicitly mention CIFS paths. I think that is reasonable for everyone. It's after 2 AM in my part of the world, so I'll do this tomorrow after my first cup of coffee if anyone requests it.

--
Peace and Blessings,
-Scott.
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On 10/18/2012 2:07 PM, scott.lovenb...@gmail.com wrote:

> This patch adds a warning when using NFS mounting syntax (server:/share), instead of the usual UNC syntax (//server/share || \\server\share), that support for NFS style mounts will be removed in version 6.0 of the mount.cifs utility.
>
> The reasoning for this is simple. Support for NFS syntax is undocumented and increases maintenance overhead. This came up recently on the cifs-utils list when discussing how to handle mounting a share NFS style using an IPv6 address. Since the ':' character is valid in a POSIX file path or share name it is an ambiguous delimiter. Consider the following valid server share : dead:beef::1:iSCSIExportedByIQN:storage. Instead of adding complicated code to the parser to support an undocumented feature, we're opting to remove the feature in the mount utility in version 6.0 if there is no objection.

Jeff, it's been a few days and no one has objected (or really said anything). Can we merge this patch?
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On Tue, Oct 23, 2012 at 12:47 PM, steve st...@steve-ss.com wrote:

> On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
>> On 10/18/2012 2:07 PM, scott.lovenb...@gmail.com wrote:
>> no one has objected (or really said anything). Can we merge this patch?
>
> Hi
> I'm just trying to represent users. Can we take this to user level by giving an example of what will work and what will not work after the patch?

I should clarify, this patch doesn't change the behavior of the mount utility, it just warns the user that in future releases the syntax that they are using will be removed. The patch to remove the behavior is going to be in a later release. What will work is any path that begins with // or \\ which is a normal UNC. So your normal //server/share path is fine. NFS syntax allows for you to specify the path like server:/share. That syntax will no longer work in cifs-utils 6.0.

> For example, the Linux automounter. Currently, we have this map:
> * -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
> Are you talking about the difference between that and this:
> * -fstype=cifs,rw,sec=krb5 myserver:/myshare/
> Question: will I need to change anything due to this patch?

Quite the opposite, the //myserver/myshare is correct, myserver:/myshare will no longer work. The ':' is part of the automounter's map syntax. It will use the path //myserver/myshare.

--
Peace and Blessings,
-Scott.
Re: [Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
On Tue, Oct 23, 2012 at 1:22 PM, steve st...@steve-ss.com wrote:

> On 10/23/2012 07:02 PM, Jeff Layton wrote:
>> On Tue, 23 Oct 2012 18:47:37 +0200 steve st...@steve-ss.com wrote:
>>> On 10/23/2012 05:56 PM, Scott Lovenberg wrote:
>>> Currently, we have this map:
>>> * -fstype=cifs,rw,sec=krb5 ://myserver/myshare/
>>
>> Does that really work? What purpose does the ':' serve there?
>
> Yes. They always put a ':' before the mount except for the default NFS. I took a look at the example /etc/auto.misc which comes (commented out) with openSUSE. They always put a ':'.

I double checked this. The ':' is a token for the automounter that tells it that it's a local device. You could probably remove that character.

http://www.faqs.org/docs/Linux-mini/Automount.html#s4

--
Peace and Blessings,
-Scott.
[Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
The following patch adds a warning when using NFS mounting syntax (server:/share), instead of the usual UNC syntax (//server/share || \\server\share), that support for NFS style mounts will be removed in version 6.0 of the mount.cifs utility.

The reasoning for this is simple. Support for NFS syntax is undocumented and increases maintenance overhead. This came up recently on the cifs-utils list when discussing how to handle mounting a share NFS style using an IPv6 address. Since the ':' character is valid in a POSIX file path or share name it is an ambiguous delimiter. Consider the following valid server share : dead:beef::1:iSCSIExportedByIQN:storage. Instead of adding complicated code to the parser to support an undocumented feature, we're opting to remove the feature in the mount utility in version 6.0 if there is no objection.
[Samba] [PATCH] Add warning that NFS syntax is deprecated and will be removed in cifs-utils-6.0.
From: Scott Lovenberg scott.lovenb...@gmail.com Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com --- mount.cifs.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/mount.cifs.c b/mount.cifs.c index 756fce2..061ce32 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -1335,6 +1335,7 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info } /* Set up host and share pointers based on UNC format. */ + /* TODO: Remove support for NFS syntax as of cifs-utils-6.0. */ if (strncmp(unc_name, //, 2) strncmp(unc_name, , 2)) { /* * check for nfs syntax (server:/share/prepath) @@ -1351,6 +1352,9 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info share++; if (*share == '/') ++share; + fprintf(stderr, WARNING: using NFS syntax for mounting CIFS + shares is deprecated and will be removed in cifs-utils + -6.0. Please migrate to UNC syntax.); } else { host = unc_name + 2; hostlen = strcspn(host, /\\); -- 1.7.5.4
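Review bot: The TODO comment added above the strncmp() check in the first hunk names the release for removal but not the behaviour that should replace the branch. Say in the comment that a device name not starting with // or \\ is then to be rejected as a malformed UNC, so the later removal patch does not leave such names falling through to the UNC parsing path.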
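Review bot: The fprintf() added after the ++share step in the second hunk shows no trailing \n after "Please migrate to UNC syntax.", so as posted the warning would run into whatever is written to stderr next; end the message with a newline. The text is also split into three pieces at "CIFS" / "shares" and "cifs-utils" / "-6.0.", so check that the first join carries a space, and consider keeping "cifs-utils-6.0" in one piece so the message can be found with grep. Printing the equivalent //server/share form in the warning would tell users exactly what to change.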
Re: [Samba] [PATCH] Add warning that NFS syntax is deprecated and will be removed in cifs-utils-6.0.
On 10/18/2012 1:50 PM, scott.lovenb...@gmail.com wrote: From: Scott Lovenbergscott.lovenb...@gmail.com Signed-off-by: Scott Lovenbergscott.lovenb...@gmail.com --- mount.cifs.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/mount.cifs.c b/mount.cifs.c index 756fce2..061ce32 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -1335,6 +1335,7 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info } /* Set up host and share pointers based on UNC format. */ + /* TODO: Remove support for NFS syntax as of cifs-utils-6.0. */ if (strncmp(unc_name, //, 2) strncmp(unc_name, , 2)) { /* * check for nfs syntax (server:/share/prepath) @@ -1351,6 +1352,9 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info share++; if (*share == '/') ++share; + fprintf(stderr, WARNING: using NFS syntax for mounting CIFS + shares is deprecated and will be removed in cifs-utils + -6.0. Please migrate to UNC syntax.); } else { host = unc_name + 2; hostlen = strcspn(host, /\\);

Sorry, git send-email just blew up in my face. It was supposed to send a first email that explained the patch. Of course it worked perfectly when I tested it to my own email address. I'll figure out why the first message is missing and repost. Sorry for the noise.
[Samba] CIFS: Deprecating NFS mounting syntax in mount.cifs
This patch adds a warning when using NFS mounting syntax (server:/share), instead of the usual UNC syntax (//server/share || \\server\share), that support for NFS style mounts will be removed in version 6.0 of the mount.cifs utility.

The reasoning for this is simple. Support for NFS syntax is undocumented and increases maintenance overhead. This came up recently on the cifs-utils list when discussing how to handle mounting a share NFS style using an IPv6 address. Since the ':' character is valid in a POSIX file path or share name it is an ambiguous delimiter. Consider the following valid server share : dead:beef::1:iSCSIExportedByIQN:storage. Instead of adding complicated code to the parser to support an undocumented feature, we're opting to remove the feature in the mount utility in version 6.0 if there is no objection.
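The ambiguity described in the message above, as an added example that is not part of the original post and is not code from cifs-utils: a simplified classifier that accepts UNC and NFS-style device names and counts how many ':' characters could serve as the host/share delimiter. The names `parse_device`, `parse_nfs_last_colon` and `struct dev_parts` are hypothetical.

```c
/* Added illustration, not taken from mount.cifs.c; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum dev_syntax { DEV_INVALID = 0, DEV_UNC, DEV_NFS_STYLE };

struct dev_parts {
    enum dev_syntax syntax;
    char host[256];
    char share[256];
    int split_points;   /* ':' characters that could be the delimiter */
};

/* Copy a non-empty field into a fixed buffer; refuse anything that will not fit. */
static int copy_field(char *dst, size_t dstsz, const char *src, size_t len)
{
    if (len == 0 || len >= dstsz)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Count ':' characters that leave a non-empty string on both sides. */
static int count_split_points(const char *s)
{
    int n = 0;
    const char *p;

    for (p = s; *p; p++)
        if (*p == ':' && p != s && p[1] != '\0')
            n++;
    return n;
}

/* Split host:/share at the given ':'; the share ends at the next separator. */
static int split_at(const char *dev, const char *colon, struct dev_parts *out)
{
    const char *share = colon + 1;

    if (*share == '/')
        share++;
    if (copy_field(out->host, sizeof(out->host), dev, (size_t)(colon - dev)) ||
        copy_field(out->share, sizeof(out->share), share, strcspn(share, "/\\")))
        return -1;
    out->split_points = count_split_points(dev);
    out->syntax = DEV_NFS_STYLE;
    return 0;
}

/* Classify a device name: UNC is tried first, NFS style splits at the first ':'. */
int parse_device(const char *dev, struct dev_parts *out)
{
    const char *host, *share, *colon;
    size_t hostlen;

    memset(out, 0, sizeof(*out));
    if (dev == NULL)
        return -1;
    if (strncmp(dev, "//", 2) == 0 || strncmp(dev, "\\\\", 2) == 0) {
        host = dev + 2;
        hostlen = strcspn(host, "/\\");
        if (host[hostlen] == '\0')
            return -1;  /* server given but no share */
        share = host + hostlen + 1;
        if (copy_field(out->host, sizeof(out->host), host, hostlen) ||
            copy_field(out->share, sizeof(out->share), share, strcspn(share, "/\\")))
            return -1;
        out->syntax = DEV_UNC;
        return 0;
    }
    colon = strchr(dev, ':');
    return colon ? split_at(dev, colon, out) : -1;
}

/* The other plausible reading of an NFS-style name: split at the last ':'. */
int parse_nfs_last_colon(const char *dev, struct dev_parts *out)
{
    const char *colon;

    memset(out, 0, sizeof(*out));
    colon = dev ? strrchr(dev, ':') : NULL;
    return colon ? split_at(dev, colon, out) : -1;
}

int main(void)
{
    /* The share name quoted in the post, read both ways. */
    const char *dev = "dead:beef::1:iSCSIExportedByIQN:storage";
    struct dev_parts first, last;

    if (parse_device(dev, &first) || parse_nfs_last_colon(dev, &last))
        return 1;
    printf("%d candidate delimiters in %s\n", first.split_points, dev);
    printf("first ':' -> host=%s share=%s\n", first.host, first.share);
    printf("last  ':' -> host=%s share=%s\n", last.host, last.share);
    return 0;
}
```

A UNC name never reaches the ':' logic at all, which is why the leading // or \\ removes the ambiguity.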
[Samba] [PATCH] Add warning that NFS syntax is deprecated and will be removed in cifs-utils-6.0.
From: Scott Lovenberg scott.lovenb...@gmail.com Signed-off-by: Scott Lovenberg scott.lovenb...@gmail.com --- mount.cifs.c |4 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/mount.cifs.c b/mount.cifs.c index 756fce2..061ce32 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -1335,6 +1335,7 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info } /* Set up host and share pointers based on UNC format. */ + /* TODO: Remove support for NFS syntax as of cifs-utils-6.0. */ if (strncmp(unc_name, //, 2) strncmp(unc_name, , 2)) { /* * check for nfs syntax (server:/share/prepath) @@ -1351,6 +1352,9 @@ static int parse_unc(const char *unc_name, struct parsed_mount_info *parsed_info share++; if (*share == '/') ++share; + fprintf(stderr, WARNING: using NFS syntax for mounting CIFS + shares is deprecated and will be removed in cifs-utils + -6.0. Please migrate to UNC syntax.); } else { host = unc_name + 2; hostlen = strcspn(host, /\\); -- 1.7.5.4
Re: [Samba] [Announce] Samba 4.0.0rc1 Available for Download
On Thu, Sep 13, 2012 at 6:40 AM, Karolin Seeger ksee...@samba.org wrote:

> [...]
> - Domain member support in the 'samba' binary is in it's infancy, and is not comparable to the support found in winbindd. As such, do not use the 'samba' binary (provided for the AD server) on a member server.

Stupid bug report, its should be used above, not it's. You want the possessive, not the contraction. Just for future RC release notes (it's been bothering me since the later beta release notes). :)

--
Peace and Blessings,
-Scott.
Re: [Samba] smbd fails to start - rpc_srv_register: Failed to call the svcctl init function!
On Sep 7, 2012, at 3:34 PM, Andrew Bartlett wrote:

>> fetch_ldap_pw: neither ldap secret retrieved!
>> ldap_connect_system: Failed to retrieve password from secrets.tdb
>
> My guess is that you are running the wrong 'smbpasswd' binary, and it isn't setting it in the right tdb.

You were exactly right. Apparently 'yum erase samba' did not remove smbpasswd, and I was using the older 3.0.33 version. When I make the secrets.tdb file with the proper version of smbpasswd samba starts right up.

Thanks for your help.

Scott
[Samba] smbd starts but terminates with - failed to receive smb request
Hello,

I start smbd interactively from the command line and then attempt to issue an smbtree command from another terminal and smbd immediately terminates. Here is the output. It looks like the initial authentication is working, but the termination happens after

string_to_sid: SID root is not in a valid format

Any idea what might be going on here?

Thanks

[root]# /usr/local/samba/sbin/smbd -i -d 3
Maximum core file size limits now 16777216(soft) -1(hard)
smbd version 3.6.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file /etc/samba/smb.conf
Processing section [global]
Processing section [homes]
Processing section [data]
loaded services
smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=BLAH))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
Forcing Primary Group to 'Domain Users' for root
init_group_from_ldap: Entry found for group: 544
Forcing Primary Group to 'Domain Users' for nobody
init_group_from_ldap: Entry found for group: 513
Initialise the svcctl registry keys if needed.
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Closed policy
Initialise the eventlog registry keys if needed.
Closed policy
reloading printcap cache
reload status: ok
waiting for connections
Printcap cache time expired.
reloading printcap cache
reload status: ok
Allowed connection from xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
init_oplocks: initializing messages.
Linux kernel oplocks enabled
Transaction 0 of length 72 (0 toread)
Transaction 0 of length 194 (0 toread)
switch message SMBnegprot (pid 7116) conn 0x0
Requested protocol [PC NETWORK PROGRAM 1.0]
Requested protocol [MICROSOFT NETWORKS 1.03]
Requested protocol [MICROSOFT NETWORKS 3.0]
Requested protocol [LANMAN1.0]
Requested protocol [LM1.2X002]
Requested protocol [DOS LANMAN2.1]
Requested protocol [LANMAN2.1]
Requested protocol [Samba]
Requested protocol [NT LANMAN 1.0]
Requested protocol [NT LM 0.12]
using SPNEGO
Selected protocol NT LANMAN 1.0
Transaction 1 of length 164 (0 toread)
switch message SMBsesssetupX (pid 7116) conn 0x0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
reply_spnego_negotiate: Got secblob of size 44
Got NTLMSSP neg_flags=0x60088215
Transaction 2 of length 264 (0 toread)
switch message SMBsesssetupX (pid 7116) conn 0x0
wct=12 flg2=0xc801
Doing spnego session setup
NativeOS=[Unix] NativeLanMan=[Samba] PrimaryDomain=[]
Got user=[classen] domain=[BLAH] workstation=[BLAHBLAH] len1=24 len2=24
check_ntlm_password: Checking password for unmapped user [BLAH]\[classen]@[BLAHBLAH] with the new password interface
check_ntlm_password: mapped user is: [BLAH]\[classen]@[BLAHBLAH]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: classen
Forcing Primary Group to 'Domain Users' for classen
check_ntlm_password: sam authentication for user [classen] succeeded
check_ntlm_password: authentication for user [classen] - [classen] - [classen] succeeded
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
register_existing_vuid: User name: classen Real name: The Classen
register_existing_vuid: UNIX uid is UNIX user classen, and will be vuid 100
Adding homes service for user 'classen' using home directory: '/home/classen'
adding home's share [classen] for user 'classen' at '/home/classen'
Transaction 3 of length 90 (0 toread)
switch message SMBtconX (pid 7116) conn 0x0
Allowed connection from 131.243.78.105 (131.243.78.105)
string_to_sid: SID root is not in a valid format
Connect path is '/tmp' for service [IPC$]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
string_to_sid: SID root is not in a valid format
myserver (xxx.xxx.xxx.xxx) connect to service IPC$ initially as user classen (uid=, gid=1234) (pid 7116)
tconX service=IPC$
myserver (131.243.78.105) closed connection to service IPC$
Yielding connection to IPC$
Server exit (failed to receive smb request)
Terminated
Re: [Samba] smbd fails to start - rpc_srv_register: Failed to call the svcctl init function!
On Sep 6, 2012, at 8:14 PM, Andrew Bartlett wrote:

On Thu, 2012-09-06 at 12:21 -0700, Scott Classen wrote:

I am attempting to upgrade from the samba version distributed with CentOS 5 to the latest stable samba release

CentOS version is 3.0.33

I removed the distro version and then:

cd /usr/local/src
wget http://www.samba.org/samba/ftp/stable/samba-3.6.7.tar.gz
tar -zxvf samba-3.6.7.tar.gz
cd samba-3.6.7/source3
./configure --with-configdir=/etc/samba
make
make install

I am using my original smb.conf file which has some deprecated options, but still passed the testparm test

Given you have such major failure, stripping back the smb.conf to exactly what you need would be a good start. Specifically give attention to 'unix charset'.

Andrew Bartlett

I deleted the line:

unix charset = LOCALE

from the [global] sections and now smb starts. This is a good first step. yeah!

I fixed the deprecated idmap settings so my smb.conf file passes muster.

smb now seems to be having problems connecting to openldap. Here are the steps I've taken so far:

# copy over slightly newer ldap samba.schema file
cp ../examples/LDAP/samba.schema /usr/local/etc/openldap/schema/samba.schema

# restart openldap
/etc/init./slapd restart

# copy over a useful ldap.conf file as it appears smb is looking in /usr/local/etc/openldap
cp /etc/openldap/ldap.conf /usr/local/etc/openldap/ldap.conf

# store password for samba_server in secrets.tdb
smbpasswd -w mysoopersecretpassword

# attempt to start smb on command line
/usr/local/samba/sbin/smbd -i -d 2

# I also added debugging flag to smb.conf (ldap debug level = -1)

#here is output
smbd version 3.6.7 started.
Copyright Andrew Tridgell and the Samba Team 1992-2011
uid=0 gid=0 euid=0 egid=0
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
ldap_url_parse_ext(ldap://localhost/)
ldap_init: trying /usr/local/etc/openldap/ldap.conf
ldap_init: using /usr/local/etc/openldap/ldap.conf
ldap_init: HOME env is /root
ldap_init: trying /root/ldaprc
ldap_init: trying /root/.ldaprc
ldap_init: trying ldaprc
ldap_init: LDAPCONF env is NULL
ldap_init: LDAPRC env is NULL
[snip…snip]
smbldap_search_domain_info: Searching for:[((objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 1 try!
smbldap_open_connection: connection opened
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 2 try!
smbldap_open_connection: connection opened
fetch_ldap_pw: neither ldap secret retrieved!
ldap_connect_system: Failed to retrieve password from secrets.tdb
Connection to LDAP server failed for the 3 try!

# The various ldap_url and ldap_init values above look completely wrong. Particularly ldap_url_parse_ext(ldap://localhost/)
# I'm not sure where those are coming from since my various ldap.conf files are all set up properly.

# from slapd.log it appears that smb is connecting via TLS connection, but that's about it.
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 fd=44 ACCEPT from IP=131.243.78.105:47723 (IP=0.0.0.0:389)
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 op=0 STARTTLS
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 op=0 RESULT oid= err=0 text=
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 fd=44 TLS established tls_ssf=256 ssf=256
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 op=1 UNBIND
Sep 7 10:34:06 bl1231 slapd[28318]: conn=1130 fd=44 closed

Regards.
[Samba] smbd fails to start - rpc_srv_register: Failed to call the svcctl init function!
I am attempting to upgrade from the samba version distributed with CentOS 5 to the latest stable samba release CentOS version is 3.0.33 I removed the distro version and then: cd /usr/local/src wget http://www.samba.org/samba/ftp/stable/samba-3.6.7.tar.gz tar -zxvf samba-3.6.7.tar.gz cd samba-3.6.7/source3 ./configure --with-configdir=/etc/samba make make install I am using my original smb.conf file which has some deprecated options, but still passed the testparm test when I attempt to start smbd from the command line /usr/local/samba/sbin/smbd -i -d 1 I get the following output and smbd does not start/ smbd version 3.6.7 started. Copyright Andrew Tridgell and the Samba Team 1992-2011 convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. ndr_push_error(5): Bad character push conversion with flags 0x8400040 convert_string_talloc: Conversion not supported. ndr_push_error(5): Bad character push conversion with flags 0x8400040 convert_string_talloc: Conversion not supported. ndr_push_error(5): Bad character push conversion with flags 0x8400040 convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. 
convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. convert_string_talloc: Conversion not supported. ndr_pull_error(5): Bad character conversion svcctl_init_winreg: Could not open SYSTEM\CurrentControlSet\Services - NT_STATUS_RPC_CALL_FAILED rpc_srv_register: Failed to call the svcctl init function! Whazzup with that?
Re: [Samba] join domain from different subnet (VPN)
Just a thought. Does the firewall on the OpenVPN routers allow for the samba traffic? open ports and all.

I have the same configuration. multiple site-to-site VPN using openVPN. I do not have a problem joining to a domain that is on a remote site.

Does the smb.conf have an interfaces option that is limiting which networks it listens on?

Hope this helps

Scott Swaim
I.T. Specialist
TotalCare

On 8/30/2012 8:21 AM, real-men-dont-cl...@gmx.net wrote:

Hi,

I already tried that, no success. The VPN connects two subnets via OpenVPN with dedicated routers on each side.

thx
Carsten

-Original message-
To: samba@lists.samba.org;
From: Gaiseric Vandal gaiseric.van...@gmail.com
Sent: Thu 30-08-2012 14:58
Subject: Re: [Samba] join domain from different subnet (VPN)

Did you try a packet capture on the samba server?

Try adding an entry for the XP machine in the server's /etc/hosts file. I am guessing there is some sort of weird name resolution issue going on with the server. I don't think there is any reason the server should need to resolve the name of the client machine but I have had weird issues with VPN connections before.

This is a site-to-site VPN?

On 08/30/12 05:34, real-men-dont-cl...@gmx.net wrote:

Hello everybody,

we have a problem joining a domain from a remote location. The remote location is connected via VPN. Everything is working as expected but joining the samba domain from the remote location does not work.

- Server Samba Version is 3.5.10
- Windows Client is XP SP3
- Joining the domain locally works without problems
- ping does work in both directions
- WINS is running on the local PDC and resolves across VPN (I tested with a Linux client using nmblookup)
- the WINS server is configured on the client
- NetBIOS over TCP/IP is enabled on the client
- Windows on the client firewall is OFF
- even adding entries to the client's lmhosts file didn't solve the problem

Any suggestions?

thx
Carsten
[Samba] samba share an NFS import?
Is it a problem to share a folder via Samba that is actually an NFS import from another machine?

Looking at Samba documentation, it seems it shouldn't be. But I find only this one reference to re-exporting an NFS import via Samba (this is under Samba 3.6 Features added/changed):

http://wiki.samba.org/index.php/Samba_3.6_Features_added/changed#NFS_quota_backend_on_Linux

which says

A new nfs quota backend for Linux has been added that is based on the existing Solaris/FreeBSD implementation. This allows samba to communicate correct diskfree information for nfs imports that are re-exported as samba shares.

But googling the problem, I find numerous discussions, where most contain something along the lines of this:

http://serverfault.com/questions/68330/samba-sharing-an-nfs-mount-point

which says,

The Samba manual mentions that re-exporting a NFS mountpoint over Samba does not work correctly. NFS is not 100% POSIX compatible, so some things work differently than what Samba expects. I.e. you should run Samba on the same server where you run the NFS service, exporting the local disks directly.

I also came across various folks claiming one needs to play with the timing parameters in smb.conf.

We're currently running Samba 3.5.10, under RHEL 6.2 (3.5.10 is the version currently supplied with RHEL 6.2). Machine Q nfs-mounts machine M's data disks, and re-exports them via Samba for users to access. We are experiencing problems with the NFS share occasionally becoming very slow (both for machine Q and the machines that mount them via Samba), and I'm wondering if the re-export is the problem.

Question 1: When was samba re-export of NFS import considered stable? I.e., Do I need to update to 3.6 (move ahead of RHEL distribution) for this to be OK?

Question 2: Can someone point me to more official Samba documentation on exporting?
Re: [Samba] Video Interview with tridge from last years SambaXP.
On 3/9/2012 2:05 PM, Jeremy Allison wrote:

From both the shameless self-promotion and better late than never departments here at Samba towers :-).

http://google-opensource.blogspot.com/2012/03/geek-time-with-andrew-tridgell.html

It's a fun interview (at least I think so :-). Enjoy !!!

Jeremy.

Thanks, Jeremy. Still waiting for you to do another Google Techtalk for Samba-4.0. :)
[Samba] Samba with dns error Failed to connect to our DC
Hi,

I just installed Ubuntu Server and Ubuntu classic desktop. Now I am trying to join active directory and I get this DNS error and failed to connect to the DC. How to fix this error plus I noticed on my windows 2008 Server that my Ubuntu server showed up as a Computer and not a domain controller. Is this correct? I would think it would show up as a DC just as it does when I joined my 2003 Server to my 2008 Server.

Thanks
Scott

root@FreeRadius:/home/sqauser# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SQA
Joined 'FREERADIUS' to realm 'SQA.net'
[2012/02/09 16:48:09.744544, 0] utils/net_ads.c:1147(net_update_dns_internal)
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!
root@FreeRadius:/home/sqauser# wbinfo -u
FREERADIUS\nobody
FREERADIUS\sqauser
SQA\administrator
SQA\guest
SQA\krbtgt
SQA\00-01-88-00-00-00
SQA\00-01-88-00-00-01
SQA\00-01-88-00-00-02
[Samba] Joining Active Directory wbinfo -u
Hi,

I was able to join the domain correctly and from what I understand I should see it added as a computer on my Windows 2008 Server PC. Is this true? But when I do a wbinfo -u I do not see my domain users listed. I was wondering if this is because we installed winbind4 rather than winbind? I installed samba4 and winbind4 in Ubuntu 11.04 LTS

Thanks for everyone's help,
Scott

root@FreeRadius:/etc/init.d# net ads testjoin
Join is OK
root@FreeRadius:/etc/init.d# net ads info
LDAP server: 20.1.180.55
LDAP server name: 2008ServerR2.SQA.net
Realm: SQA.NET
Bind Path: dc=SQA,dc=NET
LDAP port: 389
Server time: Thu, 02 Feb 2012 09:27:31 EST
KDC server: 20.1.180.55
Server time offset: -124
root@FreeRadius:/etc/init.d# wbinfo -u
Error looking up domain users
root@FreeRadius:/etc/init.d#
[Samba] sgilm...@enterasys.com
sgilm...@enterasys.com
[Samba] Help adding RHEL 5.x workstation to Win2008R2 DC
We have a Windows 2008 R2 w/Service Pack 1 domain controller and a RHEL 5.7 workstation. Part of the required security settings on the domain controller are:

Network Access: Allow anonymous SID/Name translation: Disabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network Access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

We would like to add the RHEL 5.7 workstation to the domain controller for user authentication, thus no local accounts in /etc/passwd. But, due to the security mentioned above, conventional methods of adding the RHEL 5.7 workstation to the domain controller result in failures - I've tried both net ads join and the newer Likewise client, both of which fail.

Since the domain controller's settings cannot be changed, what options do I have on the RHEL 5.7 workstation side? Are there other products/methods, outside of net ads join and likewise, that might do the job?

Thanks.
Scott
[Samba] SELinux Invalid Context for Samba
We are running samba3 on a RHEL SELinux server and are constantly receiving (approximately a new one per every 6 to 12 seconds) invalid context message in /var/log/messages. This message disappears when setting SELinux to permissive. At no time is there an AVC entry being written to the audit.log file. I tried increasing the debug level for samba, but that didn't generate any additional information in the log file regarding this invalid context issue. The PID being reported with each log entry is ever changing and it does not run long enough to catch.

Red Hat Enterprise Linux Server release 5.6 (Tikanga)
Samba version: Version 3.5.4-0.70.el5_6.1 (installed samba3x rpm using yum)

smbd[]: file_contexts: invalid context system_u:object_r:samba_var_t:s0

The only entries I found with this samba_var_t set under /var were:

system_u:object_r:samba_var_t./spool/samba
system_u:object_r:samba_var_t./lib/samba
system_u:object_r:samba_var_t./lib/samba/browse.dat
system_u:object_r:samba_var_t./lib/samba/private

I verified that all the required Boolean settings were in place and functioning as expected.

Does anyone have any suggestions on how to resolve this issue? Or even how to actually force additional information be provided in order to track down and find a resolution?

Thanks in advance,
Scott
[Samba] The RPC server is unavailable
I have used the Samba4 Howto as a guide. I am using OpenSuse 11.3 and the Samba version is: 4.0.0alpha15-GIT-61f7d7c.

Everything was working as intended after installation.

I did a fresh install on another computer of Windows 7. Joined my freshly made domain. Installed the remote administration tools. Created three users for testing with the remote admin tool - Active Directory Users and Computers. All users log in fine.

I install OpenSuse 11.3 on another computer and during install I select the Windows Active Directory for user information. This works and my three users can sign in on the OpenSuse machine. I noticed that the computer was not set up in Bind like my Windows 7 machine was automatically.

First Question: Is the best way to correct this to stop bind, enter machine into zone file and start bind? Or is this something that is expected to work like the Windows 7 machine?

I then went back to the Windows 7 machine and tried to change one of the users' passwords. No matter what I tried, I cannot get past the message that the password is unable to change due to the strength ( The value provided does not meet the length, complexity ... etc ). I am pretty sure this is due to the minimum duration of a password. After I waited a day I was able to change the password once and then not again ( need another day ).

The first time I could not change my password I decided to see if I could change the minimum duration with the remote tool Active Directory Users and Computers. But now when I run this I get the error:

Naming information cannot be located because: The RPC server is unavailable. Contact you system administrator ...

Running using the command:

samba -i -M single -d 3

Gives this error when trying to use the remote admin tool:

using SPNEGO
Selected protocol [5][NT LM 0.12]
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Question 2: What is the cause of this? Is the domain corrupt or is there a fix other than reinstall? Any other debug information I can provide that would be useful?

From the Windows 7 machine running: dcdiag /v /s: ... results are below.

Thank you for any help,
Scott

Directory Server Diagnosis

Performing initial setup:
* Connecting to directory service on server base.mytestdomain.ca.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=mytestdomain,DC=ca,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),...
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mytestdomain,DC=ca
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=mytestdomain,DC=ca,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),...
The previous call succeeded
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=BASE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mytestdomain,DC=ca
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
Got error while checking if the DC is using FRS or DFSR. Error: There is no such object on the server. The VerifyReferences, FrsEvent and DfsrEvent tests might fail because of this error.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\BASE
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
. BASE passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\BASE
Starting test: Advertising
Fatal Error:DsGetDcName (BASE) call failed, error 1722
The Locator could not find the server.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1996 (DcDiag)
System Time is: 1/24/2011 14:58:43:619
Generating component is 2 (RPC runtime)
Status is 1722 The RPC server is unavailable.
Detection location is 193
Error Record 2, ProcessID is 1996 (DcDiag)
System Time is: 1/24/2011 14:58:43:619
Generating component is 5 (redirector)
Status is 1359 An internal error occurred.
Detection location is 190
NumberOfParameters is 2
Long val: 1441792
Unicode string: \\BASE\PIPE\NETLOGON
[Samba] Samba, id, uid, Active Directory and CentOS 5
I have some CentOS 5 systems that are part of an Active Directory Windows 2003 domain (using natively configured files - not likewise open).

getent passwd my_account reveals uid and gid are both 1:1. Thus, typing:

% id

reveals a uid of 1. /etc/passwd does NOT have my local account created - credentials are strictly from the Active Directory domain.

The username is of the format se123456. I want my uid to be of the format 123456 (numeric part of the username). I have looked at many options for smb.conf configurations. At this point, I'm starting to believe that if getent passwd provides 1:1 for uid/gid then id is providing the correct details. My SID from the domain controller is correct when queried from CentOS.

usermod will not work to change the id since there is no entry in /etc/passwd. Might a shell script of some kind help convert my uid from 1 to 123456? It should not be static calculation, since anyone logging in to that system should have their id equal the numeric portion of their username, and the numeric part may be a smaller value than 1. The numeric part of the username matches no part of the SID from Windows.

Thanks.
Scott
[Samba] Linux, Windows AD domain, and IDs
I have a Windows 200x AD Server and have a Linux box as a client connected to the Windows domain having modified the native Kerberos, smb.conf, and other files (not using Likewise). It logs in to the domain fine and everything is happy. There are NO local accounts in /etc/passwd except for the defaults out of the box. Authentication relies on the accounts of the Windows server. I have no authority on the server except to add or remove computers.

Login accounts take the form, for example, initials and a number: se123456

I want my uid to reflect 123456. I spent about an hour or two playing with various configurations and options of idmap and winbind. Along the way, some testing revealed:

getent passwd my_ad_account returned almost all appropriate values, but the uid and gid were both 1, clearly not correct.

wbinfo -n my_ad_account returned my correct sid (I think that was the wbinfo syntax used). In any event, whatever syntax I used for me returned the correct sid. So we know the system can see me - I just need the uid to be accurate.

As an update, I need the uid to return the numeric portion of my ad_account username, so if I am se123456, I need the uid to return 123456, thus getent passwd would show

se123456:x:123456:blah

Thanks.
Scott
[Samba] Help with sharing folder - string_to_sid error
I have a CentOS 5 box that is joined to a genuine Windows domain controller and users can easily log into that box with their AD credentials. I configured the Linux box's native config files (smb.conf, krb conf files, etc) instead of using a third-party app. Logins work fine. I visit the smb.conf file to try and create an smb share of a mounted volume, and I get prompted for credentials. No matter what I enter, I cannot gain access. I use my Windows box to select Start Run \\server\share and get challenged. The same is true from my Mac with CMD-k. The Samba logs show string_to_sid: Sid my_ad_username does not start with 'S-'. No amount of googling has found an answer, only many people with the same issue. The box was recently updated via yum update -y, so all packages are up-to-date. Any help/insights appreciated. Thanks. Scott
[Samba] can Samba 2.2 join Windows 2003 R2 DC?
I have a Solaris 8 box with very old Samba 2.2.8a. It would be very convenient to join a Windows Domain with a 2003 R2 DC. (saving about 1 month of bureaucratic busy work - replacing the server) I've followed the docs on joining a Windows 2K AD, but no success:
[r...@box samba-2.2.8a]# smbpasswd -D 2 -j FOO -U me
added interface ip=10.1.4.31 bcast=10.1.5.255 nmask=255.255.254.0
Password:
Got a positive name query response from 10.1.4.88 ( 10.1.4.88 )
session setup ok
Domain=[FOO] OS=[Windows Server 2003 R2 3790 Service Pack 2] Server=[Windows Server 2003 R2 5.2]
service: IPC$service_type: IPC
failed tcon_X
Error connecting to FOOSERV1 - NT_STATUS_ACCESS_DENIED
Unable to join domain FOO.
Is it even possible for Samba 2.2 to join a 2003 network? Thanks! -Scott
Re: [Samba] login with email
I think there is some way to mangle usernames so that there is a + or other symbol where the @ is now... So the user would login as user+MyDomain.com.br, and the Windows domain name could be something completely different... Then, when you query the LDAP database for that user, you can replace the + with the @ symbol... On Fri, Jul 16, 2010 at 10:39 AM, Gaiseric Vandal gaiseric.van...@gmail.com wrote: The @ sign means you are specifying the domain. With Active Directory server you can have an internet-type domain name. Which means, as you saw, can simplify login experience for the user. I would guess the solution is to have your Samba server emulate an AD server. I don't think there is a way to change the client side behaviour but you could run gpedit.msc on an XP machine and see what settings exist. On 07/16/2010 10:05 AM, Flávio Fonseca wrote: Hello, I'm trying to implement samba with ldap using email as user login. But on windows XP clients when I insert a user with @ in the user name it removes the Domain field from the login dialog box and whatever comes after @ is the login it's gonna look for. Anyone knows a way to either be able to use @ in the user name and be able to select the domain to join or any other suggestion to make it work, something to configure on windows station or samba server? In my case I have a domain named MyDomain and a email domain MyDomain.com.br. I'd like to have a login like u...@mydomain.com.br and be able to select the windows domain MyDomain at login. Thank you all for your attention. Any suggestion is very welcome. -- Scott Grizzard sc...@scottgrizzard.com http://www.ScottGrizzard.com
Re: [Samba] two PDCs
Of course, my users only visited each others' offices occasionally. If you have tons of movement between the offices, a one-domain solution may be forced upon you... Unfortunately, a lot of users are roaming users (teachers with laptop, and users). My plan is that I will set up separate profile shares on both side, but at least they can use their own username and even change their password. So, I would like to try the multi-PDC scenario with master and slave LDAP server, but I worry about it a little. How are you intending to keep roaming profiles in sync (the files on the server, not the stuff in LDAP)? Are you going to use rsync? Scott Grizzard sc...@scottgrizzard.com http://www.ScottGrizzard.com
Re: [Samba] two PDCs
I think the multi-master replication sort-of defeats the purpose of the PDC in the remote office - multi-master replication means the information must be sent to both servers anyway. If I recall correctly, I think Chapter 6 refers to running BDC's in each remote office, and only one PDC... I played with this once, and I got it working by setting up a PDC and BDC in the main office, a BDC (not PDC) in the remote office, and using LDAP's new multi-master replication to keep everything in sync. Throw in your DNS database, and it works, it's cool, but I think it was so not worth the effort (unless you have nothing better to do with your 20% time). I spent a whole lot of time making sure the configs were perfect for the multi-master replication. The thing that threw the monkey-wrench is DNS and DHCP...I ended up putting all the DHCP information into the LDAP as well, with defined IP addresses for every MAC, because DHCPd updates the DNS when a new user requests an IP address. Since I put a DHCP server on both sides of the VPN, I needed multi-master replication for the DNS information so the computers could find each other. In the end, I dumped the MAC addresses from my hardware catalog into the LDAP, and preassigned all the IP's to reduce the number of writes to the LDAP server. I found it is much easier to set up two separate domains and have them trust each other, using different branches of the same LDAP tree. Then, let one server write to one branch, the other server write to the other branch, and do multi-master replication between them. That way, there is no worrying about simultaneous updates or any of that jazz. Not as cool...or as elegant, but it made my life easier by isolating problems. I did the same for the DNS information, setting up separate zones for each physical office.
Since the information was in the same tree, it was much easier to configure mail servers and other services needing directory information, and since I did not delegate the branches, the mail server (only in the main office) did not need to read off my remote directories over VPN. Of course, my users only visited each others' offices occasionally. If you have tons of movement between the offices, a one-domain solution may be forced upon you... On Fri, Jul 9, 2010 at 8:58 AM, t...@tms3.com wrote: On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote: Hello, I have a PDC with master ldap backend and a BDC with slave ldap backend (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa server on another site (on Debian Squeeze). The two sites are connected with VPN (on not so reliable ADSL lines). I read an interesting network scenario in the Samba Guide chapter 6: theoretically it is possible to install one PDC on both sites, with the same domain, server name, and SID. I like this idea, but: is there anyone who tried that, have experience with it? No, but your best option is to simply use LDAP replication and install an LDAP server on the remote location server. This way, auth traffic on the remote is always local (saving bandwidth) and is available regardless of the link being up or down. Do the same with DNS, and you'll be quite happy with the results as will your users. Thank you, in advance. -- Scott Grizzard sc...@scottgrizzard.com http://www.ScottGrizzard.com
Re: [Samba] two PDCs
How did you get it working like that so quickly? Did you get it working with two primary domain controllers? (As opposed to one PDC and two BDC's?) How did you manage to resolve the DNS update issue? On Fri, Jul 9, 2010 at 12:58 PM, t...@tms3.com wrote: SNIP I think the multi-master replication sort-of defeats the purpose of the PDC in the remote office - multi-master replication means the information must be sent to both servers anyway. If I recall correctly, I think Chapter 6 refers to running BDC's in each remote office, and only one PDC... I played with this once, and I got it working by setting up a PDC and BDC in the main office, a BDC (not PDC) in the remote office, and using LDAP's new multi-master replication to keep everything in sync. Throw in your DNS database, and it works, it's cool, but I think it was so not worth the effort (unless you have nothing better to do with your 20% time). I spent a whole lot of time making sure the configs were perfect for the multi-master replication. I found it quite simple. But I had a rather extensive use of NTLM auth stuff going on as well. The thing that threw the monkey-wrench is DNS and DHCP...I ended up putting all the DHCP information into the LDAP as well, with defined IP addresses for every MAC, because DHCPd updates the DNS when a new user requests an IP address. Since I put a DHCP server on both sides of the VPN, I needed multi-master replication for the DNS information so the computers could find each other. In the end, I dumped the MAC addresses from my hardware catalog into the LDAP, and preassigned all the IP's to reduce the number of writes to the LDAP server. Well, I'll just say there are many ways to skin a cat, and leave it at that. I found it is much easier to set up two separate domains and have them trust each other, using different branches of the same LDAP tree. Then, let one server write to one branch, the other server write to the other branch, and do multi-master replication between them.
That way, there is no worrying about simultaneous updates or any of that jazz. Not as cool...or as elegant, but it made my life easier by isolating problems. I did the same for the DNS information, setting up separate zones for each physical office. Since the information was in the same tree, it was much easier to configure mail servers and other services needing directory information, and since I did not delegate the branches, the mail server (only in the main office) did not need to read off my remote directories over VPN. Of course, my users only visited each others' offices occasionally. If you have tons of movement between the offices, a one-domain solution may be forced upon you... On Fri, Jul 9, 2010 at 8:58 AM, t...@tms3.com wrote: On Friday 09/07/2010 at 4:36 am, Tamás Pisch wrote: Hello, I have a PDC with master ldap backend and a BDC with slave ldap backend (both are SaMBa 3.2 on Debian Lenny). I want to install an additional SaMBa server on another site (on Debian Squeeze). The two sites are connected with VPN (on not so reliable ADSL lines). I read an interesting network scenario in the Samba Guide chapter 6: theoretically it is possible to install one PDC on both sites, with the same domain, server name, and SID. I like this idea, but: is there anyone who tried that, have experience with it? No, but your best option is to simply use LDAP replication and install an LDAP server on the remote location server. This way, auth traffic on the remote is always local (saving bandwidth) and is available regardless of the link being up or down. Do the same with DNS, and you'll be quite happy with the results as will your users. Thank you, in advance.
-- Scott Grizzard sc...@scottgrizzard.com http://www.ScottGrizzard.com
Re: [Samba] setuids mount option broke
On Fri, May 28, 2010 at 4:12 PM, Derek Simkowiak der...@realloc.net wrote: I can mount it using these options in /etc/fstab... note the use of setuids here: //cst6/testhome /testhome cifs iocharset=utf8,credentials=/root/cst6_password.txt,setuids 0 0 Does it work if you change 'setuids' to 'suid'? Is there anything else I can try? Looking at this earlier post, it seems like maybe setuids is not even a supported option anymore...? http://lists.samba.org/archive/linux-cifs-client/2010-March/005600.html The client code has been moved out of the samba package recently. In the current release of the client (the client is now released separately from the samba suite, but the two aren't in sync yet) the setuid functionality is deprecated (but can still be enabled at compile time). At the moment the option is being called 'legacy'; I don't know if the functionality is being dropped or upgraded/redesigned, though. -- Peace and Blessings, -Scott.
Re: [Samba] setuids mount option broke
On Sat, May 29, 2010 at 8:11 AM, Scott Lovenberg scott.lovenb...@gmail.com wrote: The client code has been moved out of the samba package recently. In the current release of the client (the client is now released separately from the samba suite, but the two aren't in sync yet) the setuid functionality is deprecated (but can still be enabled at compile time). At the moment the option is being called 'legacy'; I don't know if the functionality is being dropped or upgraded/redesigned, though. Sorry, I should have been more clear about this. I'm referring to the mount.cifs (cifs-utils) part of the client, not the whole samba client. -- Peace and Blessings, -Scott.
Re: [Samba] URGENT! Issues after upgrade from Ubuntu Dapper to Lucid
Do your users still have Samba rights? http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html On May 29, 2010 5:06 PM, Igor R. igor.rak...@gmx.com wrote: hello! I need urgent help. I upgraded from dapper to lucid (samba version 3.0 - 3.4). Now I cannot log in to domain anymore (domain controller not available message), also new clients cannot join domain (semaphore timeout message after typing root username and password). If I take LAN cable out, so I can login, then shares work normally. What could have changed so I have issues? My smb.conf is same as before (samba 3.0):
[global]
log level = 2
interfaces=eth0
smb ports = 139
passwd program = /usr/bin/passwd %u
passdb backend = smbpasswd
log file = /var/log/samba/log.%m
logon drive = H:
null passwords = no
domain master = yes
encrypt passwords = true
netbios name = LINUX
server string = PROCESS Linux Server
hosts allow = 10.0.0. 127.0.0. 192.168.1. 5.16.0.42 5.16.9.205 5.23.148.49 5.115.69.13 5.141.108.161 5.184.75.181 5.177.169.242
#hosts deny = 0.0.0.0/0
load printers = yes
max log size = 50
dos charset = CP852
UNIX charset = CP852
display charset = CP852
#client code page = 852
#valid chars = č:Č,š:Š,ž:Ž,ć:Ć,đ:Đ
create mask = 0770
directory mask = 0770
force create mode = 0770
force group = smbacc
logon script = %U.bat
#wins support = yes
socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536
unix password sync = yes
local master = yes
workgroup = PROCESS
os level = 99
add user script = /usr/sbin/useradd %u
add machine script=/usr/sbin/useradd -g machines -c Machine -s /bin/false %u
security = user
preferred master = yes
#domain admin group = @samadm
domain logons = yes
smb passwd file = /etc/samba/smbpasswd
hide unreadable = yes
vfs objects = full_audit
full_audit:failure = none
full_audit:success = mkdir rename unlink rmdir open pwrite
full_audit:prefix = %u|%I|%m|%S
[netlogon]
path = /mnt/data1/netlogon
public = no
browsable = no
read only = yes
guest ok = yes
admin users = root
And else are shares so I don't paste here! Any help would be greatly appreciated!! Thank you very much!
[Samba] Trust between Samba PDC and AD domain
I've pored through the documentation, wiki, lists, etc, and I can't seem to come to a concise conclusion on how to accomplish this. My specific scenario is the following. I have a samba PDC domain called domainA, and an AD domain called domainB. domainA and domainB are different named domains, and they each authenticate logins and credentials on their own turf. The users on domainA need to access resources on domainB, so we set up each user with a separate account in domainB (but they are not the same name). For example, my user name in domainA is sgoodwin, but in domainB it is goodwsb. I have to enter domainB\goodwsb + password every time I access a different server in domainB (and there are many servers -- domainB is a very large domain). Obviously, I need an interdomain trust set up, but I am unclear on some of the finer points mentioned in the samba docs. First off, I am hoping it is possible (and simple) to set it up so that the user accounts in domainA map to their domainB accounts, so that no extra authentication is needed. So, SSO between both domains. Is this possible even though the account names are different? Second, am I supposed to join my samba PDC to the AD domain as a member server, or is that even possible when keeping the two domains separately controlled? Some of the docs seem to imply this, but maybe I'm misinterpreting? Without dumping all my configuration info, logs, etc, in the post, can someone give me some hints on how I would set this up? I don't need a full hand-holding... just the direction to go in. NOTE: before you link me to http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html, http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html, or http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html, I've already read through these entirely, and am still unsure which scenario I need to follow. Thanks for any help. 
--scott
[Samba] Trust between Samba PDC and AD domain
Sorry, I sent this through the wrong email address a few minutes ago; apologies if it's a duplicate. I've pored through the documentation, wiki, lists, etc, and I can't seem to come to a concise conclusion on how to accomplish this. My specific scenario is the following. I have a samba PDC domain called domainA, and an AD domain called domainB. domainA and domainB are different named domains, and they each authenticate logins and credentials on their own turf. The users on domainA need to access resources on domainB, so we set up each user with a separate account in domainB (but they are not the same name). For example, my user name in domainA is sgoodwin, but in domainB it is goodwsb. I have to enter domainB\goodwsb + password every time I access a different server in domainB (and there are many servers -- domainB is a very large domain). Obviously, I need an interdomain trust set up, but I am unclear on some of the finer points mentioned in the samba docs. First off, I am hoping it is possible (and simple) to set it up so that the user accounts in domainA map to their domainB accounts, so that no extra authentication is needed. So, SSO between both domains. Is this possible even though the account names are different? Second, am I supposed to join my samba PDC to the AD domain as a member server, or is that even possible when keeping the two domains separately controlled? Some of the docs seem to imply this, but maybe I'm misinterpreting? Without dumping all my configuration info, logs, etc, in the post, can someone give me some hints on how I would set this up? I don't need a full hand-holding... just the direction to go in.
NOTE: before you link me to http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html, http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html, or http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/InterdomainTrusts.html, I've already read through these entirely, and am still unsure which scenario I need to follow. Thanks for any help. --scott
[Samba] winbind offline logon = yes - stored credentials questions
If I set winbind offline logon = yes in my smb.conf file and I have my Linux box authenticating directly against an AD controller, where, and how, does samba store the user's credentials? And are the credentials encrypted? If yes, using what scheme? I could read more on this, too, but for how long are they cached? Thanks. Scott
[Samba] (no subject)
Sent from my iPhone
Re: [Samba] Samba + Cups 2200 Laserjet printer
When I go to http://192.168.1.1:631/ I get a 403. Any ideas? I've changed the localhost to the ip of the server (.1 as above). On Sun, Dec 20, 2009 at 10:03 PM, Scott Marshall s.dwag...@gmail.com wrote: Sorry about that, used gmail's reply without thinking. On Sun, Dec 20, 2009 at 8:42 PM, Jack Downes j...@nwmt.us wrote: First off, please reply to the list. Okay, so you'll need to make sure that your cups.conf is setup to not listen only to localhost. You'll see several sections on making cups listen to what port and which IP... you'll see Listen localhost:631 near the top of your cups.conf file which is in /etc/cups (on several distros anyway), edit that to match your IP. Cups.org has tons of info how to do this. As to the groups and such that I'm talking about... Here's what I have setup for our outfit:
[printers]
comment = Cupsys based printer
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/KRH_drivers
valid users = @wheel, jax, admincis
force user = nobody
force group = nogroup
read only = No
So, as you can see, I've got it set so that anyone can print, but that only admins and myself can update/change drivers. Makes it easy and keeps the general users away from the drivers. I'd suggest you put a valid users = scott in your [printers] section and make sure that your windows username/password matches the username/password in your linux setup. Make sure that you create the same user with smbpasswd as well. You can sync those together pretty easily. I'm pretty sure you can also limit by IP if you like: hosts deny = 10.17.1.0/24, 10.6.27.5 or whatever ... Hopefully this helps. Jack Scott Marshall wrote: I tried the address you stated (editing it where needed). It didn't seem to work for me. Is there something I should be doing to activate/get this address to work?
As for samba, the printer is under the right group and I have installed the drivers manually on the machines yet I still cannot print. Cheers for the help Scott On Sun, Dec 20, 2009 at 7:23 AM, Jack Downes j...@nwmt.us wrote: So, unless you are using windows 2k or older, is there really a point to installing the printer via //server/hplj2200 ? Just use the windows[XP|Vista|7] printer wizard dialog and add a network printer. At that point you can use the url which if the name is the same, would be http://server:631/printers/hplj2200. If you are the only one doing this, then it'll be fine. You'll need to have the drivers handy though. And you can lock CUPS down via client IP, or client username, or it can depend on SAMBA auth as well. If you still want to use SAMBA for printing, take a look at groups. As I recall you can specify which users which groups can read/write/see/whatever the printer much the same as you can for regular shares. I think there's a PrinterAdmins group that you'll need to setup if you want to push a driver to the printer. Good luck! Jack Scott Marshall wrote: Hi all, Hoping someone can help me out here. I have a 2200dn laser printer working on a centos 5 server (using webmin for configuration). I have added it via webmin as a samba printer share with permissions to my account. Security is set to user level not share level (the default). I can access my samba shares fine, download and upload to them. I can also see the printer, but what I cannot do is print. When I try and add the printer via my general PCL5 drivers it asks me for a username and password. I am currently logged into the computer so I would have thought it didn't need it and I cannot enter in the username or password because I am already logged in. I cannot figure out if it is possible to have the samba server share my printer by default to everyone with any security level yet not open up my shares to everyone.
Cheers Scott
Re: [Samba] Samba + Cups 2200 Laserjet printer
Well, I think it's time for me to go back to server 08. Just got another issue with my backup batch script. It can't seem to check if the files have changed it just copies them all across on each boot. Cheers for the help though, much appreciated. On Sun, Dec 20, 2009 at 10:23 PM, Scott Marshall s.dwag...@gmail.com wrote: When I go to http://192.168.1.1:631/ I get a 403. Any ideas? I've changed the localhost to the ip of the server (.1 as above). On Sun, Dec 20, 2009 at 10:03 PM, Scott Marshall s.dwag...@gmail.com wrote: Sorry about that, used gmail's reply without thinking. On Sun, Dec 20, 2009 at 8:42 PM, Jack Downes j...@nwmt.us wrote: First off, please reply to the list. Okay, so you'll need to make sure that your cups.conf is setup to not listen only to localhost. You'll see several sections on making cups listen to what port and which IP... you'll see Listen localhost:631 near the top of your cups.conf file which is in /etc/cups (on several distros anyway), edit that to match your IP. Cups.org has tons of info how to do this. As to the groups and such that I'm talking about... Here's what I have setup for our outfit:
[printers]
comment = Cupsys based printer
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/KRH_drivers
valid users = @wheel, jax, admincis
force user = nobody
force group = nogroup
read only = No
So, as you can see, I've got it set so that anyone can print, but that only admins and myself can update/change drivers. Makes it easy and keeps the general users away from the drivers. I'd suggest you put a valid users = scott in your [printers] section and make sure that your windows username/password matches the username/password in your linux setup. Make sure that you create the same user with smbpasswd as well. You can sync those together pretty easily. I'm pretty sure you can also limit by IP if you like: hosts deny = 10.17.1.0/24, 10.6.27.5 or whatever ...
Hopefully this helps. Jack Scott Marshall wrote: I tried the address you stated (editing it where needed). It didn't seem to work for me. Is there something I should be doing to activate/get this address to work? As for samba, the printer is under the right group and I have installed the drivers manually on the machines yet I still cannot print. Cheers for the help Scott On Sun, Dec 20, 2009 at 7:23 AM, Jack Downes j...@nwmt.us wrote: So, unless you are using windows 2k or older, is there really a point to installing the printer via //server/hplj2200 ? Just use the windows[XP|Vista|7] printer wizard dialog and add a network printer. At that point you can use the url which if the name is the same, would be http://server:631/printers/hplj2200. If you are the only one doing this, then it'll be fine. You'll need to have the drivers handy though. And you can lock CUPS down via client IP, or client username, or it can depend on SAMBA auth as well. If you still want to use SAMBA for printing, take a look at groups. As I recall you can specify which users which groups can read/write/see/whatever the printer much the same as you can for regular shares. I think there's a PrinterAdmins group that you'll need to setup if you want to push a driver to the printer. Good luck! Jack Scott Marshall wrote: Hi all, Hoping someone can help me out here. I have a 2200dn laser printer working on a centos 5 server (using webmin for configuration). I have added it via webmin as a samba printer share with permissions to my account. Security is set to user level not share level (the default). I can access my samba shares fine, download and upload to them. I can also see the printer, but what I cannot do is print. When I try and add the printer via my general PCL5 drivers it asks me for a username and password. I am currently logged into the computer so I would have thought it didn't need it and I cannot enter in the username or password because I am already logged in.
I cannot figure out if it is possible to have the samba server share my printer by default to everyone with any security level yet not open up my shares to everyone. Cheers Scott
Re: [Samba] Samba + Cups 2200 Laserjet printer
I had already set up the allowed hosts and read a few different tutorials. I didn't find samba hard as such, it just seemed to be missing something permissions wise. In the end there was getting to be too many problems with Linux when I do not know enough about them so I have now shifted back to Windows server 08.
[Samba] Samba + Cups 2200 Laserjet printer
Hi all, Hoping someone can help me out here. I have a 2200dn laser printer working on a centos 5 server (using webmin for configuration). I have added it via webmin as a samba printer share with permissions to my account. Security is set to user level not share level (the default). I can access my samba shares fine, download and upload to them. I can also see the printer, but what I cannot do is print. When I try and add the printer via my general PCL5 drivers it asks me for a username and password. I am currently logged into the computer so I would have thought it didn't need it and I cannot enter in the username or password because I am already logged in. I cannot figure out if it is possible to have the samba server share my printer by default to everyone with any security level yet not open up my shares to everyone. Cheers Scott
Re: [Samba] Samba and ACL and automatic inheriting
Karl Koch wrote:
hello, I use samba with acl bound into a w2k3 ads domain. I have set the option inherit acls = yes and when I change an acl on a folder the new folders I create have the same acls. But when I change the acl on a folder the subdirectories of this folder won't update automatically like under a win ntfs system. I control the acls through a windows machine and so it is not so good that I must inherit the acls manually. Is there any option I can do this? And yes I know setfacl -R :-) But I want it more comfortable so other users can control it.
Have you set a default ACL entry for the top level directory? ie, setfacl d:user:perm
Re: [Samba] working file server, but logs filling with NT_STATUS_ACCESS_DENIED
Volker Lendecke wrote:
On Sat, May 02, 2009 at 11:35:55PM +0100, Barnaby Scott wrote:
I have a Samba server (Samba 3.3.3 running under FreeBSD 7.1-RELEASE), with 3 Windows workstations all running XP Professional and 3 laptops (1 XP home, 1 XP professional, 1 Vista). There is no Windows domain involved, just a workgroup. Everything works absolutely fine, except that my logs are filling up with errors similar to this:
[2009/05/02 18:40:10, 0] smbd/service.c:make_connection_snum(740) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
I cannot trace this to any particular activity by any user - in fact many of these errors occur at a similar time at around 3am every night, when there is certainly no user activity. Obviously to troubleshoot this properly you will need logs etc. I have copied my smb.conf below, but to save me posting all sorts of irrelevant stuff, perhaps a first step would be to let me know what else is needed in order to look into this further. Or perhaps there is something obvious I have done wrong already! I can find literally only 2 Google hits for the exact string create_connection_server_info failed: NT_STATUS_ACCESS_DENIED, neither of which are relevant to my situation. Any help would therefore be very gratefully received!
Please send at least a debug level 2 log. And, probably we should increase the level of that debug message. Volker
I tried sending a log but it was too large for the list. This is another excerpt, which is hopefully not too big. It is clipped to include only the activity that started at 03:36:30. It is from a different workstation to the last one, and is again logging at level 3. I hope you can spot what I've done wrong!
Thanks Barnaby
[2009/05/04 03:36:30, 3] smbd/process.c:process_smb(1554) Transaction 0 of length 137 (0 toread)
[2009/05/04 03:36:30, 3] smbd/process.c:switch_message(1378) switch message SMBnegprot (pid 67144) conn 0x0
[2009/05/04 03:36:30, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [PC NETWORK PROGRAM 1.0]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [LANMAN1.0]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [Windows for Workgroups 3.1a]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [LM1.2X002]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [LANMAN2.1]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(569) Requested protocol [NT LM 0.12]
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_nt1(392) using SPNEGO
[2009/05/04 03:36:30, 3] smbd/negprot.c:reply_negprot(674) Selected protocol NT LM 0.12
[2009/05/04 03:36:30, 3] smbd/process.c:process_smb(1554) Transaction 1 of length 240 (0 toread)
[2009/05/04 03:36:30, 3] smbd/process.c:switch_message(1378) switch message SMBsesssetupX (pid 67144) conn 0x0
[2009/05/04 03:36:30, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1412) wct=12 flg2=0xc807
[2009/05/04 03:36:30, 2] smbd/sesssetup.c:setup_new_vc_session(1368) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1175) Doing spnego session setup
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1210) NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_spnego_negotiate(802) reply_spnego_negotiate: Got secblob of size 40
[2009/05/04 03:36:30, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(62) Got NTLMSSP neg_flags=0xa2088207
[2009/05/04 03:36:30, 3] smbd/process.c:process_smb(1554) Transaction 2 of length 252 (0 toread)
[2009/05/04 03:36:30, 3] smbd/process.c:switch_message(1378) switch message SMBsesssetupX (pid 67144) conn 0x0
[2009/05/04 03:36:30, 3] smbd/sec_ctx.c:set_sec_ctx(324) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1412) wct=12 flg2=0xc807
[2009/05/04 03:36:30, 2] smbd/sesssetup.c:setup_new_vc_session(1368) setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1175) Doing spnego session setup
[2009/05/04 03:36:30, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1210) NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/05/04 03:36:30, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(747) Got user=[] domain=[] workstation=[OAK] len1=1 len2=0
[2009/05/04 03:36:30, 3] auth/auth.c:check_ntlm_password(220) check_ntlm_password: Checking password
Re: [Samba] working file server, but logs filling with NT_STATUS_ACCESS_DENIED
On Mon, May 04, 2009 at 10:18:43AM +0100, Barnaby Scott wrote:
I tried sending a log but it was too large for the list. This is another excerpt, which is hopefully not too big. It is clipped to include only the activity that started at 03:36:30. It is from a different workstation to the last one, and is again logging at level 3. I hope you can spot what I've done wrong!
There's nothing wrong, it's just that this debug message has a silly debug level of 0. I'm changing that to 1 now. Volker
Many thanks for looking into this. I confess it took me a minute or two to understand your reply! Now that (I think) I do understand it, can I just ask why you are changing it to debug level 1, rather than higher? I notice that there are other kinds of NT_STATUS_ACCESS_DENIED errors at level 3 - e.g.:
[2009/05/04 03:36:30, 3] smbd/error.c:error_packet_set(61) error packet at smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
I only ask because my understanding is that level 1 still constitutes a 'warning', and yet you say there is nothing wrong with my configuration (and, as I said, it works great :)). The way I have syslog configured, though I will in future be spared these warnings breaking through to the console, I will still have my 'messages' log fill up with these 'warnings'. I am completely unskilled in the inner workings of Samba, so I am certainly *not* saying I know better than you!! But if my configuration really *is* OK, then these warnings really are unnecessary - is there a way I can silence them? Thanks again Barnaby
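The exchange above turns on the level tag in each Samba log header: smbd writes an entry only when its level is at or below the configured `log level`, so a level-0 message gets through however low logging is set. As an added example (not from the thread and not Samba code), this Python sketch parses the header format quoted in the posts and reports which NT_STATUS_ACCESS_DENIED entries survive a given threshold; the sample log is constructed from entries quoted in the thread, and all function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: entries copied from log lines quoted in the thread,
# written as one header line followed by its message.
SAMPLE_LOG = """\
[2009/05/02 18:40:10, 0] smbd/service.c:make_connection_snum(740)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2009/05/04 03:36:30, 3] smbd/process.c:process_smb(1554)
  Transaction 0 of length 137 (0 toread)
[2009/05/04 03:36:30, 2] smbd/sesssetup.c:setup_new_vc_session(1368)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2009/05/04 03:36:30, 3] smbd/error.c:error_packet_set(61)
  error packet at smbd/reply.c(729) cmd=117 (SMBtconX) NT_STATUS_ACCESS_DENIED
"""

# "[date time, level] source.c:function(line)"; the bracketed timestamp
# keeps references such as "smbd/reply.c(729)" inside a message from matching.
HEADER = re.compile(
    r"\[(?P<timestamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<source>[\w./-]+):(?P<function>\w+)\((?P<line>\d+)\)"
)


def parse_entries(text):
    """Split raw log text into entries; works on multi-line or flattened logs."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({
            "timestamp": m.group("timestamp"),
            "level": int(m.group("level")),
            "source": m.group("source"),
            "function": m.group("function"),
            "line": int(m.group("line")),
            # The message is everything up to the next header, whitespace-normalised.
            "message": " ".join(text[m.end():end].split()),
        })
    return entries


def visible_at(entries, log_level):
    """Entries that would still be written with 'log level = <log_level>'."""
    return [e for e in entries if e["level"] <= log_level]


def denied_by_source(entries):
    """Count NT_STATUS_ACCESS_DENIED entries per (source, function, level)."""
    counts = Counter(
        (e["source"], e["function"], e["level"])
        for e in entries
        if "NT_STATUS_ACCESS_DENIED" in e["message"]
    )
    return dict(counts)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    for (source, function, level), n in sorted(denied_by_source(entries).items()):
        print(f"{n} x ACCESS_DENIED from {source}:{function} at level {level}")
    for threshold in (0, 1, 2, 3):
        shown = [e["function"] for e in visible_at(entries, threshold)]
        print(f"log level = {threshold}: {shown}")
```

Run against a real log file, the per-source count separates the level-0 `make_connection_snum` message from the level-3 `error_packet_set` packets, which tells you which denials a syslog filter or a lower `log level` can actually suppress.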
[Samba] working file server, but logs filling with NT_STATUS_ACCESS_DENIED
Hi, I wonder if anyone can help with this. I have a Samba server (Samba 3.3.3 running under FreeBSD 7.1-RELEASE), with 3 Windows workstations all running XP Professional and 3 laptops (1 XP home, 1 XP professional, 1 Vista). There is no Windows domain involved, just a workgroup. Everything works absolutely fine, except that my logs are filling up with errors similar to this:
[2009/05/02 18:40:10, 0] smbd/service.c:make_connection_snum(740) create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
I cannot trace this to any particular activity by any user - in fact many of these errors occur at a similar time at around 3am every night, when there is certainly no user activity. Obviously to troubleshoot this properly you will need logs etc. I have copied my smb.conf below, but to save me posting all sorts of irrelevant stuff, perhaps a first step would be to let me know what else is needed in order to look into this further. Or perhaps there is something obvious I have done wrong already! I can find literally only 2 Google hits for the exact string create_connection_server_info failed: NT_STATUS_ACCESS_DENIED, neither of which are relevant to my situation. Any help would therefore be very gratefully received! Thanks
==smb.conf===
[global]
workgroup = CHADLINGTON
server string = Samba Server
map to guest = Bad User
passdb backend = tdbsam
log level = 3
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 139
dns proxy = No
hosts allow = 192.168.1., 127.0.0.1
hosts deny = ALL
[homes]
comment = Home Directories
read only = No
browseable = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
[music]
comment = shared music
path = /home/music
write list = @samba-clients
guest ok = Yes
=
Re: [Samba] Update on bugzilla.samba.org
jerry wrote:
Fyi... We ran into some db connection issues last night (about 10pm GMT-5 I think). This issue has been temporarily resolved, but I expect that we'll be taking the server offline for a short period sometime this week for further db maintenance. Also Deryck and I will be exploring some potential improvements to Samba's bugzilla service in the coming weeks. I'll try to keep everyone updated. cheers, jerry -- What man is a man who does not make the world better? --Balian
I figure this request dovetails the bugzilla maintenance, sorry if it seems like I'm thread hijacking. Would it be possible to turn on the 'vote for bug' feature (or remove the reference to it altogether)? I wanted to flag a bug the other week and followed the bugzilla link to vote for it, only to find out it was disabled. Would enabling this be a productive use of resources?
Re: [Samba] Query related to samba-3.2.6 and Last Access Time stamp.
As well as nodiratime. --Original Message-- From: Miguel Medalha Sender: samba-bounces+scott.lovenberg=gmail@lists.samba.org To: naga_kishore_komm...@yahoo.com Cc: samba@lists.samba.org Subject: Re: [Samba] Query related to samba-3.2.6 and Last Access Time stamp. Sent: Apr 6, 2009 08:49 I want to avoid this and I do not have administrator permission of the windows machine. Is there any client side setting that I can change to avoid the updation of 'last access date' on the server? Mount the server's filesystem with the noatime option? Sent from my Verizon Wireless BlackBerry
[Samba] Is Samba 4alpha7 sufficient for this project?
I am a longtime Samba 3 sysadmin, and I am trying to revisit an old problem. For a while, I have been using Heimdal Kerberos and Samba 3 together using OpenLDAP as the shared backend. For Linux users, this is perfect: they log in once using Kerberos and they can access all of their applications - IMAP, SMTP, Intranet, SVN, calendar - using their single ticket. For Windows users, I installed MIT Kerberos on the client machines, and they log into the Samba domain, and then log into the Kerberos Realm using the MIT client. However, they can't access SVN using a non-Windows ticket, and the calendar doesn't work in Lightning. This is getting on enough people's nerves that I need to go to single sign on. Is Samba4 Alpha 7 sufficiently along to support this environment? All of our servers are Linux based, and I need to support Kerberos through Apache (intranet, svn, calendar) and Dovecot (IMAP, SMTP auth). Are there any good How-to's to ease me into Samba 4? - Scott Grizzard
[Samba] The referenced account is currently locked out...
I recently changed the subnet of several computers on an isolated LAN, that LAN utilizing RHEL 5.0 server (out-of-box, no patches) with Samba and several Windows XP w/SP2 systems. After the subnet change, if I log in as local admin to any of the Windows systems, and try Start Run \\any_other_host\some_share I get \\any_other_host\some_share The referenced account is currently locked out and may not be logged on to. Doesn't matter if I try to access any available share on the samba server or directly to another Windows box on the network. All systems on the network have been rebooted. All Windows systems are able to log into the samba domain without a problem. I just can't gain UNC access to any other host as local admin on a box. I was able to do so without a problem before the network change. What am I missing? Thanks. Scott
[Samba] XP local policy vs Samba pdbedit?
If I set up a room of Win XP Pro w/SP2 systems, hardened via local policy and gpedit.msc, and add them to a samba domain running from an unpatched, out-of-box install of RHEL 5.0, how will the local XP policies differ from any changes I make to pdbedit on the Samba side? Which takes priority/preference? Thanks. Scott
[Samba] Help with Samba, RHEL 5.0, and policies
I have an isolated LAN with an out-of-box installation of RHEL 5.0 Server 64-bit running samba, with some CentOS 5.0 systems and Windows XP w/SP2 machines. The XP machines are part of a domain via the RHEL Samba setup. I want to be able to control such things as the XP Event Viewer loggings - the categories Application, System, and Security, have options to let the log sizes:
- Overwrite events as needed
- Overwrite events older than x days
- Do not overwrite events (clear log manually)
If I log in as local admin and select, for example, Do not overwrite, then reboot, that same machine will switch to Overwrite events as needed. This occurs on all the Windows XP machines on this samba domain. Is the version of samba that comes with RHEL 5.0 out-of-box, unpatched, capable of managing this kind of setting? If so, how? Said Windows machines were new installs that were built up by me and this is the only domain they have been on. So, how do I control this? Thanks. Scott
[Samba] Windows patching from Linux samba server?
I have an out-of-box, unpatched RedHat Enterprise 5 server acting as a samba PDC for a handful of Windows XP systems on a domain. This is on an isolated network - no Internet connectivity. Is there a way to configure the samba server to act as a Windows SUS server for patch pushing? If so, specifically, how? If not, other than manually installing patches on systems or buying a Windows Server license, what other options are there? Thanks. Scott
Re: [Samba] sharing samba smbpasswd
There are four ways, off the top of my head, to get this done:
1) LDAP where one server runs ldap and all servers authenticate against it. Advantages: easy to replicate and easily extendable for other uses. Disadvantages: difficult to set up if you don't know what you are doing.
2) rsync the smbpasswd file. Advantages: simple and easy. Disadvantages: no one does this, so you will wind up with a very weird setup which will be difficult to debug and which no one can help you with.
3) Kerberos. Advantages: Very cool; single sign-on. Disadvantages: pain in the ankle to set up.
4) Set up one samba server as a Domain Controller with a tdbsam backend, and join the other samba servers to that domain. It is relatively easy to do, gives you single sign-on and one password file, and the computers don't need any special configuration to use the shares. Disadvantages: the PDC becomes a single point of failure for all four file servers.
I recommend using the last option and setting up the Domain Controller. Follow along with chapter 4 from Samba by Example (http://us1.samba.org/samba/docs/man/Samba-Guide/Big500users.html). Do backups of your password files, and live with the single point of failure. If the single point of failure is impossible to live with, you are back into replicating ldap. - Scott Grizzard
On Dec 29, 2008, at 9:54 AM, Adam Williams wrote:
openldap. read chapter 5 of samba 3 by example.pdf.
Dean Clapper wrote:
Is there a way to share smbpasswd (samba user name and password file) between multiple servers. The servers are not on a domain controller, NIS nor ldap. We have 2 - 3 redhat samba servers just for network share drives. Instead of managing passwords and user names on multiple systems, I'm trying to leverage one machine and use its logins and passwords for all samba machines. Is there a good way to implement this strategy configuring the smb.conf file or is this going to require a different mechanism?
Thanks Dean
Re: [Samba] sharing samba smbpasswd
I agree completely. LDAP is the right way to go. However, openldap is a bit daunting for first time users, and the slapd.d way of configuring openldap is not well documented for beginners. If the samba servers can go down for a few hours without causing too big of a headache, and you are not doing domain authentications for workstations, I wouldn't bother with ldap. It will take you a month to get LDAP working the first time out, and if anything breaks, it is much groping in the dark to get it working again. Bottom line: LDAP is the right way to do it, but the learning curve is pretty steep. If you can live with the single point of failure, live with it. If you can't, hire a consultant to walk you through it the first time or buy a Mac X-Server, or invest in several bottles of Maalox and kiss a month of weekends goodbye. (On the plus side, doing it yourself will teach you a lot about linux, ldap, and samba: knowledge which you can lord over Microsoft techs that don't know the first thing about the protocols and logic underlying Active Directory.) - Scott Grizzard
On Dec 29, 2008, at 10:56 AM, John Drescher wrote:
1) LDAP where one server runs ldap and all servers authenticate against it. Advantages: easy to replicate and easily extendable for other uses. Disadvantages: difficult to set up if you don't know what you are doing.
With syncrepl pretty easy to add more ldap servers. I generally use 1 master and several read only replicas. I would never run a network (of more than 3 machines) with only 1 ldap server. http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-ro On the subject of domain controllers using LDAP. Since I have been doing this for 5 years, I have a few comments. The ldap servers do not have to be on the same machine as the PDC or BDC. At work I have 3 LDAP servers. All 3 of them are on VIRTUAL machines. I have 1 my PDC on xen and my BDC on openvz. And the PDC and BDC do not have any samba file shares on them.
One nice thing about this is moving the LDAP servers or domain controllers in this case becomes trivial. And also I do have backup servers on other virtual machines that are offline and can be turned on as needed and in less than 5 minutes any of these virtual machines can be the PDC and/or be the master ldap server. John
RE: [Samba] Any Known Share limitations or performance issues with large file systems
I have user directories with thousands of files in multiple directories, just not single directories. The file system is EXT3 managed by LVM. -Original Message- From: Volker Lendecke [mailto:volker.lende...@sernet.de] Sent: Monday, December 22, 2008 10:32 PM To: Scott Elliott Cc: samba@lists.samba.org Subject: Re: [Samba] Any Known Share limitations or performance issues with large file systems On Mon, Dec 22, 2008 at 02:33:56PM -0800, Scott Elliott wrote: I am running samba-3.0.28-1.el5_2.1.x86_64.rpm on RHEL 5 x64. I am sharing out approximately 7TB via samba and a 'few' of my users are complaining of latency when accessing their shares via Windows Explorer. Mind you the disk is about 93% full which I am sure is a factor but before I go into battle I wanted to make sure there were no known limitations or issues. Do you have directories with many files in a single directory? Many as in thousands? What file system is this? Volker
[Samba] Any Known Share limitations or performance issues with large file systems
All, I am running samba-3.0.28-1.el5_2.1.x86_64.rpm on RHEL 5 x64. I am sharing out approximately 7TB via samba and a 'few' of my users are complaining of latency when accessing their shares via Windows Explorer. Mind you the disk is about 93% full which I am sure is a factor but before I go into battle I wanted to make sure there were no known limitations or issues. Thanks in advance
Re: [Samba] Do I need a WINS server if I want to browse?
What is the advantage of NOT running a WINS server? I always thought that if the WINS server was down (even if it is listed in the dhcp that the clients get), the Windows and Clients revert to broadcast for name recognition - so there is no reason not to run one on the network. Is that not correct? - Scott Grizzard
On Dec 17, 2008, at 10:22 PM, Michael Heydon wrote:
Uriel Avalos wrote:
So why do you not recommend UDP broadcasting? too much extra network traffic? but for a small network (max 5 computers) isn't that extra traffic insignificant
The extra traffic is insignificant even in a much larger network (50-100 machines) assuming a 100mbit network. Broadcast resolution is unreliable. With just 5 machines which don't get rebooted much you might never notice it, but then again maybe you will. I run WINS on my home network of 3 machines, maybe it's not necessary but it takes a whole 2 lines in config files to make it work (In the time it took to ask if it was necessary you could have set it up several times over). Why not do it properly now rather than risk things breaking later? *Michael Heydon - IT Administrator * micha...@jaswin.com.au
Re: [Samba] Problem with Samba
Ross, Brian wrote:
Yes, another newbie asking for help. Please bear with me. I don't doubt my problem has a simple solution but it has me stumped. I have a solaris server which carries some confidential financial information on it. I have been asked to install samba on it to share out a particular directory. They obviously want to restrict access to this information. We run a Windows 2003 domain as well. My problem is that I cannot get my samba server to ask for user authentication (or rather, I can, if I slightly change the smb.conf file but then it asks for Guest rather than the user designated). My smb.conf file is:
___
[global]
workgroup = CALM
server string = calm-kens-27
security = DOMAIN
password server = 192.147.114.4, 192.147.114.17
username map = /etc/samba/smbusers
log file = /var/log/samba
max log size = 200
; min protocol = NT1
; preferred master = No
; local master = No
; domain master = No
; browse list = No
; enhanced browsing = No
dns proxy = No
wins server = 192.147.114.4
; ldap ssl = no
hosts allow = localhost,calm-kens-27,192.147.114.,192.147.114.54,10.20.201.59,10.20.200.119,10.20.201.88,10.20.201.175
hosts deny = All
;hosts allow = all
encrypt passwords = yes
browseable = no
;smb passwd file = /etc/samba/smbpasswd
[CBA]
path = /u02/prod/clmfinpr/clmfinprappl/calm/11.5.0/secure
comment = DEC read only share
read only = Yes
guest ok = no
;force user = finance
;force group = sw_user
hide dot files = No
inherit permissions = Yes
___
On another not unrelated problem, I am unable to get SWAT to work. I keep getting the message: This document contains no data, Try again later or contact the domain's administrator Any idea about how to get it working (this I suspect will help me to cure my configuration problem). Cheers Brian
___
Brian Ross
Do you have the winbind service running and the nscd service off?
Re: [Samba] Netbios : Network Browsing on multiple subnets
Scott Lovenberg wrote:
[EMAIL PROTECTED] wrote:
Hi all ! I have a PDC and a BDC in 2 different subnets. I would like to sync their browse list but it doesn't seem to work. Actually here are a part my smb.conf files :
PDC --
...
remote browse sync = 10.10.20.10
remote announce = 10.10.20.10
security = user
encrypt passwords = true
domain logons = Yes
os level = 70
preferred master = yes
domain master = yes
local master = yes
wins support = Yes
...
---
BDC
...
remote announce = 10.10.10.1
remote browse sync = 10.10.10.1
wins support = yes
security = user
encrypt passwords = yes
domain logons = Yes
os level = 69
preferred master =no
domain master = no
...
---
The BDC is unable to find the Domain Master Browser
nmblookup -U venise -R 'DOMAIN#1B'
...
name_query failed to find name domain#1b
nmblookup -U BDC -S PDC
name_query failed to find name PDC
log.nmbd ---
[2008/11/14 11:55:51, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351) find_domain_master_name_query_fail: Unable to find the Domain Master Browser name DOMAIN1b for the workgroup DOMAIN.
...
[2008/11/14 12:03:59, 0] nmbd/nmbd_incomingdgrams.c:process_master_browser_announce(383) process_master_browser_announce: Not configured as domain master - ignoring master announce.
I really need help, the BDC has to be moved in another place. Thank you ! Smaine
I believe you want the 'wins server =' and/or 'wins proxy' settings instead of the 'wins support' setting. Table of wins settings from Using Samba, ch07 http://de4.samba.org/samba/docs/using_samba/ch07.html#samba2-CHP-7-TABLE-1 The entry on 'wins server =' and 'wins proxy' is just under this table. Unless I'm mistaken, wins proxy/wins server combination is the only one that will allow cross subnet wins replication (other than DNS/LDAP combination). IIRC, you'll want the wins servers to be master browsers on their respective subnets, as well.
Sorry, I realized right after posting that last sentence might not have been clear; I meant each should be the local master browser. A domain can only have one domain master browser.
Re: [Samba] Netbios : Network Browsing on multiple subnets
[EMAIL PROTECTED] wrote:
Hi all ! I have a PDC and a BDC in 2 different subnets. I would like to sync their browse list but it doesn't seem to work. Actually here are a part my smb.conf files :
PDC --
...
remote browse sync = 10.10.20.10
remote announce = 10.10.20.10
security = user
encrypt passwords = true
domain logons = Yes
os level = 70
preferred master = yes
domain master = yes
local master = yes
wins support = Yes
...
---
BDC
...
remote announce = 10.10.10.1
remote browse sync = 10.10.10.1
wins support = yes
security = user
encrypt passwords = yes
domain logons = Yes
os level = 69
preferred master =no
domain master = no
...
---
The BDC is unable to find the Domain Master Browser
nmblookup -U venise -R 'DOMAIN#1B'
...
name_query failed to find name domain#1b
nmblookup -U BDC -S PDC
name_query failed to find name PDC
log.nmbd ---
[2008/11/14 11:55:51, 0] nmbd/nmbd_browsesync.c:find_domain_master_name_query_fail(351) find_domain_master_name_query_fail: Unable to find the Domain Master Browser name DOMAIN1b for the workgroup DOMAIN.
...
[2008/11/14 12:03:59, 0] nmbd/nmbd_incomingdgrams.c:process_master_browser_announce(383) process_master_browser_announce: Not configured as domain master - ignoring master announce.
I really need help, the BDC has to be moved in another place. Thank you ! Smaine
I believe you want the 'wins server =' and/or 'wins proxy' settings instead of the 'wins support' setting. Table of wins settings from Using Samba, ch07 http://de4.samba.org/samba/docs/using_samba/ch07.html#samba2-CHP-7-TABLE-1 The entry on 'wins server =' and 'wins proxy' is just under this table. Unless I'm mistaken, wins proxy/wins server combination is the only one that will allow cross subnet wins replication (other than DNS/LDAP combination). IIRC, you'll want the wins servers to be master browsers on their respective subnets, as well.
Re: [Samba] performance problem with access database
Scheidegger Patrick wrote:
Hello I have a problem with an access application: when I try to start the application I must wait 5 minutes before it starts. I do this from a WinXp Workstation to a Linux Debian Etch and samba 3.0.24 installation. What can I do for better performance? best regards pat
If you've got more than a handful of users at any given moment, you can disable op-locks and reduce locking overhead. You can do this via registry, Samba, or both. Also, a database (and I use that in the loosest sense of the term!) compact and repair never hurt ;)
[Samba] Samba join a domain?
We have a Windows file server that I want to connect to with my Fedora 9 box. When I try and mount that via samba I get: mount error 13 = Permission denied I know the username and password are correct. I'm pretty sure you have to join the domain before you can mount/authenticate against it. Is it possible to do that with samba so I can mount this file system? -- Scott Baker - Canby Telcom RHCE - System Administrator - 503.266.8253
Re: [Samba] Compiling 3.2.4 --with-krb5=/usr/lib/krb5, not working
Jake Carroll wrote:

Scott, Thanks for the link. I had a poke around, substituting my paths et al with the instructions here, and, unfortunately, it still just doesn't seem to see my krb libraries. I am wondering if there is something generically _wrong_ with Solaris/Sun shipped Krb that samba doesn't like? Any other ideas? Thanks for the input! */JC/*

On Oct 5, 2008, at 11:13 AM, Scott Lovenberg wrote:

Jake Carroll wrote:

Hi all, I'm currently attempting to compile Samba 3.2.4 for Solaris 10 x86. I require krb5 support and I realised that it would not look in the correct default location, under Solaris 10. Example, from ./configure --help:

--with-krb5=base-dir    Locate Kerberos 5 support (default=/usr)

In vanilla Solaris 10 x86, Kerberos libraries are stored in /usr/lib/krb5. I thought it best to attempt to specifically, rather, explicitly state the base dir like so, because using the default is not working:

./configure --with-aio-support --with-krb5=/usr/lib/krb5

I felt that this would give the linker/compiler the best chance of finding what it needed. Apparently, this is not the case. When I look in the config.log:

configure:55103: checking for Active Directory and krb5 support
KRB5CONFIG=''
KRB5_LIBS=''
WINBIND_KRB5_LOCATOR=''

So then, if we do a make

# less config.h | grep -i krb
/* Whether the krb5_address struct has a addrtype property */
/* #undef HAVE_ADDRTYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_address struct has a addr_type property */
/* #undef HAVE_ADDR_TYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_checksum struct has a checksum property */
/* #undef HAVE_CHECKSUM_IN_KRB5_CHECKSUM */

...all left untouched. Any thoughts? The libraries are definitely and obviously there:

[EMAIL PROTECTED]:/usr/lib/krb5] $ ls -als
total 3338
2 drwxr-xr-x 4 root bin 1024 May 3 10:15 .
64 drwxr-xr-x 122 root bin 32256 Aug 16 20:57 ..
2 -r--r--r-- 1 root bin 700 Jan 22 2005 HelpIndex.html
2 drwxr-xr-x 2 root bin 512 May 3 10:15 ListResourceBundle
2 -r--r--r-- 1 root bin 412 Jan 22 2005 README.db2
4 -r--r--r-- 1 root bin 1962 Jan 22 2005 SunLogo.4c.gif
2 drwxr-xr-x 2 root bin 512 May 3 10:15 amd64
2 lrwxrwxrwx 1 root root 8 May 3 10:15 db2.so -> db2.so.1
144 -rwxr-xr-x 1 root bin 73088 Mar 19 2008 db2.so.1
416 -r--r--r-- 1 root bin 204145 Mar 12 2008 gkadmin.jar
122 -r-x-- 1 root bin 62100 Mar 19 2008 kadmind
2 lrwxrwxrwx 1 root root 10 May 3 10:15 kldap.so -> kldap.so.1
80 -rwxr-xr-x 1 root bin 40684 Mar 19 2008 kldap.so.1
38 -r-xr-xr-x 1 root bin 18488 Mar 19 2008 kprop
2 -r-xr-xr-x 1 root bin 300 Jan 22 2005 kprop_script
70 -r-xr-xr-x 1 root bin 35136 Mar 19 2008 kpropd
snip.

Thanks all. JC

Erm, sorry for the double post. Here's a reference for crle with samba. Here's a recipe for Samba+Active Directory on Solaris 9 http://lists.samba.org/archive/samba-technical/2006-May/046971.html

Sorry, I'm tapped for good ideas. I'm trying to duplicate this on a VM... and remembering why I stopped using OpenSolaris :) I just have to keep it stable for long enough to update. So far, Solaris is winning by restarting the window manager every fifteen minutes or so. The only other thing I could think of is manually entering the path in the configuration variable and trying to compile. I'm not sure that it would help at all, but it can't hurt to give it a shot.
Re: [Samba] Lost most data on Windows XP machine switching to domain
Jesse Stone wrote:

I'm wondering if anyone has run across that and MUCH more importantly, if the data can be recovered somehow. I'll put as many details as I can at the bottom but here's the gist of the problem: I added my wife's computer (which contains 8 years' worth of pictures) to the domain. When I logged into the new domain account it was empty and my wife's domain users had no access so I did the following:

1) Logged out of the domain account and back into the machine account
2) Added the domain user to the administrative group
3) MOVED (yes, I'm an idiot) everything from my wife's standard profile to the domain profile
4) Logged back in with the domain account

Here's what happens: a few random things were in the new domain. For example, 1 bookmark (out of about 50) was in my wife's favorites folder. The My Pictures folder contained Sample Pictures only. My guess is that 1 of 2 things happened:

1) Samba didn't expect there to be data yet so started out with a fresh new profile. This doesn't explain how some (less than 1% of her data) is available
2) My wife is connecting to the domain via wireless. Somehow, mid-copy the wireless shut off and the data never made it to the roaming profile.

Please someone give me good news like just do this and the data will be recovered!

OK, here's the details (which will show my lack of understanding): I followed the following article when setting up Samba: http://www.howtoforge.com/samba_setup_ubuntu_5.10_p4 The only changes I made are that I commented out the following lines (believing this would STOP roaming profiles). I did not actually want roaming profiles and was only planning on setting the My Documents folder to use server storage.

#logon drive = H:-- May use later for roaming profiles
#logon path = \\%N\profile\%U-- May use later for roaming profiles

(Note, the only thing this did is stop the drive letter from being set. The profile directory was still created, only under the /home/%user%/ directory instead of /home/samba/profiles/)

Here's the entire smb.conf I am using:

[global]
workgroup = domaintest
netbios name = server3200
server string = File Server
passdb backend = tdbsam
security = user
username map = /etc/samba/smbusers
name resolve order = wins bcast hosts
domain logons = yes
preferred master = yes
wins support = yes
# Set CUPS for printing
printcap name = CUPS
printing = CUPS
# Default logon
#logon drive = H:
#logon script = scripts/logon.bat
#logon path = \\%N\profile\%U
# Useradd scripts
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r %u
add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false/ -d /var/lib/nobody %u
idmap uid = 15000-2
idmap gid = 15000-2
# sync smb passwords with linux passwords
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
passwd chat debug = yes
unix password sync = yes
# set the loglevel
log level = 3

[homes]
comment = Home
valid users = %S
read only = no
browsable = no

[printers]
comment = All Printers
path = /var/spool/samba
printable = yes
guest ok = yes
browsable = no

[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
admin users = Administrator
valid users = %U
read only = no

[profile]
comment = User profiles
path = /home/samba/profiles
valid users = %U
create mode = 0600
directory mode = 0700
writable = yes
browsable = no

Please understand that my wife may well divorce me if I can't recover this stuff. -Jesse

I'm a little mixed up about the steps that you took... Am I interpreting this correctly:

1.) You signed on with your wife's domain account, then logged out
2.) You then logged in as a local admin and added her domain account to the Domain Administrators group
3.) Before logging out of the local admin account, you moved all of her files to the default domain profile (in the netlogon share) (with permissions 0600 as per your profile share configuration)
4.) You then logged out of your local admin account and logged back in with your wife's domain account
5.) Everything is missing at this point.

I'm fairly sure that Windows handles dropped connections during a sign on/off with a file that contains successfully transferred files. The fact that you have some of her files makes me wonder if you've got a permissions issue going on. Are you sure that the files aren't on the domain controller with permissions that keep her account from seeing them? If I were you, I'd remount that drive read only 60 seconds ago and make a copy of it right away. Even if you deleted the files, you can probably get a dd_rescue image before you actually blow them away. I've had success with that before after fat-fingering an effective rm -rf /. while logged in as root. The Samba team will be happy to know
Re: [Samba] Compiling 3.2.4 --with-krb5=/usr/lib/krb5, not working
Jake Carroll wrote:

Hi all, I'm currently attempting to compile Samba 3.2.4 for Solaris 10 x86. I require krb5 support and I realised that it would not look in the correct default location, under Solaris 10. Example, from ./configure --help:

--with-krb5=base-dir    Locate Kerberos 5 support (default=/usr)

In vanilla Solaris 10 x86, Kerberos libraries are stored in /usr/lib/krb5. I thought it best to attempt to specifically, rather, explicitly state the base dir like so, because using the default is not working:

./configure --with-aio-support --with-krb5=/usr/lib/krb5

I felt that this would give the linker/compiler the best chance of finding what it needed. Apparently, this is not the case. When I look in the config.log:

configure:55103: checking for Active Directory and krb5 support
KRB5CONFIG=''
KRB5_LIBS=''
WINBIND_KRB5_LOCATOR=''

So then, if we do a make

# less config.h | grep -i krb
/* Whether the krb5_address struct has a addrtype property */
/* #undef HAVE_ADDRTYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_address struct has a addr_type property */
/* #undef HAVE_ADDR_TYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_checksum struct has a checksum property */
/* #undef HAVE_CHECKSUM_IN_KRB5_CHECKSUM */

...all left untouched. Any thoughts? The libraries are definitely and obviously there:

[EMAIL PROTECTED]:/usr/lib/krb5] $ ls -als
total 3338
2 drwxr-xr-x 4 root bin 1024 May 3 10:15 .
64 drwxr-xr-x 122 root bin 32256 Aug 16 20:57 ..
2 -r--r--r-- 1 root bin 700 Jan 22 2005 HelpIndex.html
2 drwxr-xr-x 2 root bin 512 May 3 10:15 ListResourceBundle
2 -r--r--r-- 1 root bin 412 Jan 22 2005 README.db2
4 -r--r--r-- 1 root bin 1962 Jan 22 2005 SunLogo.4c.gif
2 drwxr-xr-x 2 root bin 512 May 3 10:15 amd64
2 lrwxrwxrwx 1 root root 8 May 3 10:15 db2.so -> db2.so.1
144 -rwxr-xr-x 1 root bin 73088 Mar 19 2008 db2.so.1
416 -r--r--r-- 1 root bin 204145 Mar 12 2008 gkadmin.jar
122 -r-x-- 1 root bin 62100 Mar 19 2008 kadmind
2 lrwxrwxrwx 1 root root 10 May 3 10:15 kldap.so -> kldap.so.1
80 -rwxr-xr-x 1 root bin 40684 Mar 19 2008 kldap.so.1
38 -r-xr-xr-x 1 root bin 18488 Mar 19 2008 kprop
2 -r-xr-xr-x 1 root bin 300 Jan 22 2005 kprop_script
70 -r-xr-xr-x 1 root bin 35136 Mar 19 2008 kpropd
snip.

Thanks all. JC

Doesn't Solaris have their own version of something like a 'ldconfig'... I remember having to run it once a year or two ago to get a compile to function properly (it may have been Samba, I can't recall). I believe 'crle' is the one. Have you tried this already?
Re: [Samba] Compiling 3.2.4 --with-krb5=/usr/lib/krb5, not working
Jake Carroll wrote:

Hi all, I'm currently attempting to compile Samba 3.2.4 for Solaris 10 x86. I require krb5 support and I realised that it would not look in the correct default location, under Solaris 10. Example, from ./configure --help:

--with-krb5=base-dir    Locate Kerberos 5 support (default=/usr)

In vanilla Solaris 10 x86, Kerberos libraries are stored in /usr/lib/krb5. I thought it best to attempt to specifically, rather, explicitly state the base dir like so, because using the default is not working:

./configure --with-aio-support --with-krb5=/usr/lib/krb5

I felt that this would give the linker/compiler the best chance of finding what it needed. Apparently, this is not the case. When I look in the config.log:

configure:55103: checking for Active Directory and krb5 support
KRB5CONFIG=''
KRB5_LIBS=''
WINBIND_KRB5_LOCATOR=''

So then, if we do a make

# less config.h | grep -i krb
/* Whether the krb5_address struct has a addrtype property */
/* #undef HAVE_ADDRTYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_address struct has a addr_type property */
/* #undef HAVE_ADDR_TYPE_IN_KRB5_ADDRESS */
/* Whether the krb5_checksum struct has a checksum property */
/* #undef HAVE_CHECKSUM_IN_KRB5_CHECKSUM */

...all left untouched. Any thoughts? The libraries are definitely and obviously there:

[EMAIL PROTECTED]:/usr/lib/krb5] $ ls -als
total 3338
2 drwxr-xr-x 4 root bin 1024 May 3 10:15 .
64 drwxr-xr-x 122 root bin 32256 Aug 16 20:57 ..
2 -r--r--r-- 1 root bin 700 Jan 22 2005 HelpIndex.html
2 drwxr-xr-x 2 root bin 512 May 3 10:15 ListResourceBundle
2 -r--r--r-- 1 root bin 412 Jan 22 2005 README.db2
4 -r--r--r-- 1 root bin 1962 Jan 22 2005 SunLogo.4c.gif
2 drwxr-xr-x 2 root bin 512 May 3 10:15 amd64
2 lrwxrwxrwx 1 root root 8 May 3 10:15 db2.so -> db2.so.1
144 -rwxr-xr-x 1 root bin 73088 Mar 19 2008 db2.so.1
416 -r--r--r-- 1 root bin 204145 Mar 12 2008 gkadmin.jar
122 -r-x-- 1 root bin 62100 Mar 19 2008 kadmind
2 lrwxrwxrwx 1 root root 10 May 3 10:15 kldap.so -> kldap.so.1
80 -rwxr-xr-x 1 root bin 40684 Mar 19 2008 kldap.so.1
38 -r-xr-xr-x 1 root bin 18488 Mar 19 2008 kprop
2 -r-xr-xr-x 1 root bin 300 Jan 22 2005 kprop_script
70 -r-xr-xr-x 1 root bin 35136 Mar 19 2008 kpropd
snip.

Thanks all. JC

Erm, sorry for the double post. Here's a reference for crle with samba. Here's a recipe for Samba+Active Directory on Solaris 9 http://lists.samba.org/archive/samba-technical/2006-May/046971.html
Re: [Samba] Re: Samba with 2 NICs
Avery Payne wrote:

hamacker wrote:

I did that. I test, and everything is OK. It's not misconfiguration. When 2 NICs bonded (or 2 NICs only enabled), WinXP can logon into domain and win95/98 can not. If I disable one NIC then any OS can logon into domain. I can't understand why WinXP can logon and win95/98 is not, if enable 2 NICs on my system.

The TCP/IP stack in Win95/98 was not exactly, um, state of the art (ping of doom anyone?). It could be something as simple as the Win95/98 stack doesn't support multihomed hosts properly. Try the following:

* Make Win95/98 point to just ONE address only; use an LMHOSTS file with just ONE IP entry specified for the Samba server.
* Make your Samba install a WINS server, and point the Win95/98 boxes at it. This isn't supposed to matter, but then again, I've seen modern Win2k3 networks running WINS to help things along...

Another thought; are you using a managed switch? A simple layer 2 switch will get very confused if it sees the same MAC address twice on different ports, and will usually start multicasting over every switch port. You might be getting duplicates/already ACKed packets twice or something to that effect. I'm agreeing with parent post that the XP stack is probably better able to handle it when strange things start happening at the layer 2 level because you're bonding at layer 3. My Win XP box seems to ACK both channels on an unmanaged switch with a bonded server feeding it. I have no proof to back that up, but I find it fitting when the connection always maxes out at 50% like it's hit a glass ceiling.
Re: [Samba] Samba write performance in kernel
Lin Mac wrote:

Hi, I would like to know: is it possible to make writing a file to samba happen completely in the kernel? I'm using a slow CPU (FA526), and the memory copy is even slower. The reading performance is over 7 MB/s, with mmap and sendfile enabled, while writing is only 4-5 MB/s. Without mmap and sendfile, reading from samba is also about 4-5 MB/s. I used Oprofile to profile writing a file to samba and found that the CPU spends over 30% of CPU time on copy_from/to_user, so I think going to user space and back again is the bottleneck. Since there is sendfile, why isn't there a counterpart on the write path? Are there some difficulties or what? Is it implementable? Please give me some advice. Best Regards, Mac Lin

Are you using DMA, or are you copying byte by byte through the CPU?
Re: [Samba] shadow_copy for homes share
Cory Coager wrote:

So it's not possible to use variables for the 'subpath' option?

Damien Dye wrote:

I don't think that will work because homes is dynamic. I believe that the snapshots have to be mounted at the root of the share, and homes has the root of the share at /home/username; you have the snapshots mounted at /home. Hope this helps. Damien

Cory Coager wrote:

I have successfully set up shadow_copy for normal shares on our samba test server. However, I cannot get it working for the homes share because of its uniqueness. Here is the homes share:

[homes]
comment = Home Directories
read only = No
create mask = 0700
directory mask = 0700
browseable = no
fstype = XFS 1.2
vfs object = shadow_copy
shadow_copy: path = /samba/homes/
shadow_copy: subpath = %D+%U

The users authenticate against Active Directory. The path to the snapshots is located at /samba/homes/@GMT-.MM.DD-HH.MM.SS Using the subpath, each individual file should be located at /samba/homes/@GMT-.MM.DD-HH.MM.SS/DOMAIN+user but the previous versions tab is missing on this share. What am I doing wrong? ~Cory Coager

Hrm... could you symlink it to a known, non-variable path? I have absolutely no idea if that would work, but I figured I'd throw it out there.
Re: [Samba] Supporting large file transfers
Jeff L wrote:

Samba version 3.0.25b-1.1.cc. I can't seem to transfer files over 40gb from a windows machine -- samba share. As far as socket options, I'm using

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

Are there any other tweaks I can use to help make this system more reliable? I get random errors.. network path not found or something similar..

Those are nerfed socket buffer settings. You can remove the SO_*BUF=8192, and it should improve performance. Is the connection collapsing on you? (you can check with netstat -s)
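Added example, not part of the original thread: a Python helper that parses the `socket options` value posted above, reports which buffer sizes are pinned below what the operating system gives a fresh TCP socket, and rewrites the value without the pins as the reply suggests. Function names are illustrative; the comparison values come from the running kernel when the script is executed directly.

```python
"""Inspect an smb.conf 'socket options' value for undersized buffer pins."""
import socket

# The value from the post.
POSTED = "TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE"
BUFFER_OPTIONS = ("SO_RCVBUF", "SO_SNDBUF")


def parse_socket_options(value):
    """Split the value into {NAME: int} for NAME=N tokens and {NAME: None} for flags."""
    options = {}
    for token in value.split():
        name, sep, arg = token.partition("=")
        options[name.upper()] = int(arg) if sep else None
    return options


def kernel_defaults():
    """Buffer sizes the OS assigns to a new TCP socket when nothing is pinned."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return {
            "SO_RCVBUF": s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF),
            "SO_SNDBUF": s.getsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF),
        }


def pinned_below_default(options, defaults):
    """Return {name: (pinned, default)} for each buffer pinned smaller than the default."""
    return {
        name: (options[name], defaults[name])
        for name in BUFFER_OPTIONS
        if options.get(name) is not None and options[name] < defaults[name]
    }


def without_buffer_pins(value):
    """Rebuild the value with the SO_RCVBUF/SO_SNDBUF tokens removed."""
    kept = [
        token for token in value.split()
        if token.partition("=")[0].upper() not in BUFFER_OPTIONS
    ]
    return " ".join(kept)


if __name__ == "__main__":
    defaults = kernel_defaults()
    for name, (pinned, default) in pinned_below_default(
        parse_socket_options(POSTED), defaults
    ).items():
        print(f"{name} pinned to {pinned}, OS default is {default}")
    print("socket options =", without_buffer_pins(POSTED))
```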
Re: [Samba] Successfully running NT4 type domain on Samba 3.0 as PDC?
Jason A. Nunnelley wrote: Is anyone here running Samba 3.0 successfully with an NT4 style domain, with the Samba box operating as the PDC? Yes, indeed. For a little over two years now. CentOS-4.X based, Slackware-10.2 - 12.0, and at one point Debian Sarge.
Re: [Samba] smbclient does not connect anonymously localy on fresh install
[EMAIL PROTECTED] wrote:

Hello. I have some problem with a new configuration on a new PC. I want to set up a SAMBA PDC using a HOWTO. This howto was working on OPENSUSE 10.1 with an X86 processor and I have used it a lot of times. Now I use OPENSUSE 10.3. The new PC runs an X64 processor. After the fresh install and following: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html I could not make smbclient connect to samba anonymously from the server (locally). I use ldap, but for the moment ldap is not configured and not started. But smb.conf is configured for using ldap:

passdb backend = ldapsam:ldap://127.0.0.1

I was thinking that smbclient can connect locally anonymously even if ldap is not running. What is wrong?

uname -r
2.6.22.18-0.2-default

rpm -aq | grep samba
samba-client-3.2.0-24.1.123
samba-doc-3.2.0-24.1.123
samba-krb-printing-3.2.0-24.1.123
yast2-samba-client-2.15.11-33
samba-3.2.0-24.1.123
yast2-samba-server-2.15.7-57
samba-python-3.0.26a-3.7
samba-devel-3.2.0-24.1.123
kdebase3-samba-3.5.7-87.5
samba-winbind-3.2.0-24.1.123

rpm -aq | grep ldap
python-ldap-2.3.1-18
perl-ldap-0.33-81
pam_ldap-184-48
yast2-ldap-2.15.1-83
openldap2-devel-2.3.41-2.1
ldapcpplib-0.0.4-95
yast2-ldap-client-2.15.12-37
php5-ldap-5.2.6-0.1
openldap2-client-2.3.41-2.1
ldap-account-manager-2.3.0-0.pm.0
yast2-ldap-server-2.15.5-76
openldap2-2.3.41-1.1
ldapsmb-1.34b-110.8.123
nss_ldap-257-17
perl-ldap-ssl-0.33-81

iptables -L -v
Chain INPUT (policy ACCEPT 402K packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 401K packets, 17M bytes)
pkts bytes target prot opt in out source destination

ping -c 5 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.043 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.043/0.062/0.091/0.019 ms

ping -c 5 LINUX-SRV
PING LINUX-SRV.HATHOR.NWK (127.0.0.2) 56(84) bytes of data.
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=3 ttl=64 time=0.055 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=4 ttl=64 time=0.067 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=5 ttl=64 time=0.052 ms
--- LINUX-SRV.HATHOR.NWK ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.052/0.067/0.098/0.019 ms

ping -c 5 192.168.169.100
PING 192.168.169.100 (192.168.169.170) 56(84) bytes of data.
64 bytes from 192.168.169.170: icmp_seq=1 ttl=64 time=0.078 ms
64 bytes from 192.168.169.170: icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from 192.168.169.170: icmp_seq=3 ttl=64 time=0.041 ms
64 bytes from 192.168.169.170: icmp_seq=4 ttl=64 time=0.061 ms
64 bytes from 192.168.169.170: icmp_seq=5 ttl=64 time=0.038 ms
--- 192.168.169.170 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.038/0.060/0.082/0.018 ms

netstat -an | egrep '(:137|:138|:139|:445)'
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
udp 0 0 192.168.169.170:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.169.170:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*

nmap -p 1-65535 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2008-07-23 12:10 CEST
Interesting ports on localhost (127.0.0.1):
Not shown: 65526 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
901/tcp open samba-swat
Nmap finished: 1 IP address (1 host up) scanned in 4.782 seconds

testparm
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = HATHOR.NWK
server string = HATHOR Samba-LDAP PDC Server
interfaces = eth0, lo
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
Re: [Samba] smbclient does not connect anonymously localy on fresh install
[EMAIL PROTECTED] wrote:

Hi. Have tried. No change. smbclient -L localhost -N does not connect.

OK, humor me on this one, but can you ping 'localhost'? I see that 127.0.0.1 works, but does it resolve to the name 'localhost', as well? If so, would you be able to provide smb logs during access attempts?

According to Scott Lovenberg [EMAIL PROTECTED]:

I believe you need a map to guest = bad user and/or guest account = nobody for anonymous access to be automated.

[EMAIL PROTECTED] wrote:

Hello. I have some problem with a new configuration on a new PC. I want to set up a SAMBA PDC using a HOWTO. This howto was working on OPENSUSE 10.1 with an X86 processor and I have used it a lot of times. Now I use OPENSUSE 10.3. The new PC runs an X64 processor. After the fresh install and following: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/diagnosis.html I could not make smbclient connect to samba anonymously from the server (locally). I use ldap, but for the moment ldap is not configured and not started. But smb.conf is configured for using ldap:

passdb backend = ldapsam:ldap://127.0.0.1

I was thinking that smbclient can connect locally anonymously even if ldap is not running. What is wrong?

uname -r
2.6.22.18-0.2-default

rpm -aq | grep samba
samba-client-3.2.0-24.1.123
samba-doc-3.2.0-24.1.123
samba-krb-printing-3.2.0-24.1.123
yast2-samba-client-2.15.11-33
samba-3.2.0-24.1.123
yast2-samba-server-2.15.7-57
samba-python-3.0.26a-3.7
samba-devel-3.2.0-24.1.123
kdebase3-samba-3.5.7-87.5
samba-winbind-3.2.0-24.1.123

rpm -aq | grep ldap
python-ldap-2.3.1-18
perl-ldap-0.33-81
pam_ldap-184-48
yast2-ldap-2.15.1-83
openldap2-devel-2.3.41-2.1
ldapcpplib-0.0.4-95
yast2-ldap-client-2.15.12-37
php5-ldap-5.2.6-0.1
openldap2-client-2.3.41-2.1
ldap-account-manager-2.3.0-0.pm.0
yast2-ldap-server-2.15.5-76
openldap2-2.3.41-1.1
ldapsmb-1.34b-110.8.123
nss_ldap-257-17
perl-ldap-ssl-0.33-81

iptables -L -v
Chain INPUT (policy ACCEPT 402K packets, 24M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 401K packets, 17M bytes)
pkts bytes target prot opt in out source destination

ping -c 5 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.077 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.091 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.043 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.043 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 0.043/0.062/0.091/0.019 ms

ping -c 5 LINUX-SRV
PING LINUX-SRV.HATHOR.NWK (127.0.0.2) 56(84) bytes of data.
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=1 ttl=64 time=0.098 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=2 ttl=64 time=0.067 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=3 ttl=64 time=0.055 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=4 ttl=64 time=0.067 ms
64 bytes from LINUX-SRV.HATHOR.NWK (127.0.0.2): icmp_seq=5 ttl=64 time=0.052 ms
--- LINUX-SRV.HATHOR.NWK ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.052/0.067/0.098/0.019 ms

ping -c 5 192.168.169.100
PING 192.168.169.100 (192.168.169.170) 56(84) bytes of data.
64 bytes from 192.168.169.170: icmp_seq=1 ttl=64 time=0.078 ms
64 bytes from 192.168.169.170: icmp_seq=2 ttl=64 time=0.082 ms
64 bytes from 192.168.169.170: icmp_seq=3 ttl=64 time=0.041 ms
64 bytes from 192.168.169.170: icmp_seq=4 ttl=64 time=0.061 ms
64 bytes from 192.168.169.170: icmp_seq=5 ttl=64 time=0.038 ms
--- 192.168.169.170 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4002ms
rtt min/avg/max/mdev = 0.038/0.060/0.082/0.018 ms

netstat -an | egrep '(:137|:138|:139|:445)'
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
udp 0 0 192.168.169.170:137 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 192.168.169.170:138 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*

nmap -p 1-65535 localhost
Starting Nmap 4.20 ( http://insecure.org ) at 2008-07-23 12:10 CEST
Interesting ports on localhost (127.0.0.1):
Not shown: 65526 closed ports
PORT
Re: [Samba] Replacing a Samba server
If you are using an LDAP backend, just slapcat all of the data out of the old server, and dump it into the new one. The new Samba will read the SID from LDAP, and your clients shouldn't notice the difference. - Scott Grizzard [EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

[EMAIL PROTECTED] wrote:

I am setting up a new samba server that is going to replace my old one. Here is the question that I have. Am I going to have to go around to each computer on campus and have it rejoin the domain when I put the new server in place? If that is the case, can I set the SID on the new samba server to be the same as the old samba server and will that do the trick so that I do have to go around to each computer? Thanks for any info.

I also might add this. I have software on some of my labs that will not let the user make any changes to the computer. If they change backgrounds, settings, software, etc. then upon a reboot, the changes will be gone. I don't know if this would have any effect on the computers joining the domain or not. I will keep the domain name the same as what I have now.
Re: [Samba] Distributed Setup Suggestions
What types of files are you trying to share? If they are primarily small (under 100meg) files that you need read/write access to (especially documents), you might want to adopt some type of document management system like KnowledgeTree instead of using Samba. I suggest this not only because you get document management features, but KnowledgeTree works over http, and if you are using webdav you already have an Apache infrastructure set up.

At my last job, we used Subversion for the same purpose: distributed document management. However, using it for distributed document management requires training the staff to use TortoiseSVN (and disciplining them to use locks), and the Subversion experience is not intuitive to the non-developer. KnowledgeTree has a much more intuitive flow for documents. However, Subversion can use WebDav as its interface, so the transition may not be too rough.

Subversion is very traffic efficient (in my opinion). The latest version of Subversion (1.5.x) allows you to mirror your repositories. Since most of the traffic is of a read nature, mirroring your repositories will drastically reduce your WAN traffic. In fact, the only traffic across your WAN (if I understand the technology correctly) is the diff between the old document version and the new document version.

Because both of these solutions (Subversion and KnowledgeTree) work with Apache, you can authenticate to them using your Windows user base (either through mod_auth_kerb if you are using Active Directory or another Kerberos), or through mod_authnz_ldap to your Samba PDC (if you are using NT, there is also some way to authenticate to it, but I have never used it). However, fine grained file permissions in Subversion are a pain to set up and maintain, so if your ACLs run 40 lines each and are different for every file, stick to something else.

If you do go with Subversion, I recommend using Insurrection as a front-end to mod_dav_svn. Insurrection is very difficult to set up, especially if you need SSL support for it. But the time is worth it, since it gives a great user front-end for repo browsing. Throw in the Firefox TortoiseSVN menu plug-in, and you are good to go.

If the files are large and primarily read-only, set up a master server at one office, and mirror it to the other offices using rsync. Set up the remote samba servers as read-only, and the problem is solved efficiently. I don't know if rsync preserves ACLs, but I heard there was a patch in the wild somewhere...

I was very pleased with how the Subversion solution came out, but I never set up remote mirrors for anything other than read-only backups. We added Trac for project and issue management, and made the non-developer staff use it. The working-copy thing was tough for them to get used to, but the webdav access worked well for them.

I just think straight Samba servers may be the wrong tool for what you are trying to do, though they may appear to be the simplest solution.

- Scott

Bill Baird wrote:

My company is approx 200 users. We have 10 offices each with 5-30 users each. A few offices work independently, but there has been a lot more inter-office work lately. I am looking for a way to provide fast local access to files stored in the same office as the user, but also acceptable performance for inter-office file transfers.

We are currently using Oracle Drive for a central file server, it utilizes WebDAV and has good performance over the WAN. There are samba adaptec snap servers for local file access, but these are currently only accessible when in the same office as the local server.

- I have done a lot of research and demoing of OpenAFS (even went to their conference last month!). While it is a true distributed filesystem; it is very complex to set up, requires client software, requires a kerberos server and seems to have a lot of quirks of its own. I don't think I am ready to trust that...
- I have been trying to figure out a way to have Samba servers in each office that would mount remote servers/folders via NFS. This would provide access from the local server with hopefully better speeds for remote files (NFS in my experience has been much faster over WAN links). But I'm not sure how file locking will work. From searching, it seems that samba/nfs locking isn't reliable. What is the current status of this? I also saw in Samba 3.2, the CTDB project is becoming more mature. Would this be a possibility? Or is that really only for clusters on a fast local network?
- There is MS DFS, but we really don't want to implement MS servers.
- ??

I have been searching and searching, but haven't found anything that would solve our problem...so I'm hoping someone can help! Any suggestions would be greatly appreciated.

Thank you!
--Bill
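The Apache-side setup described in the reply above (Subversion over WebDAV, authenticated through mod_authnz_ldap against the LDAP backend of a Samba PDC, with per-path permissions) could look like the following. This is an added example, not configuration from the thread; the hostnames, DNs, file paths and the service account are placeholders, and it assumes Apache 2.2 or later with mod_ssl, mod_dav_svn and mod_authz_svn loaded.

```apache
# Added example. All hostnames, DNs, accounts and paths are placeholders.
<Location /svn/docs>
    DAV svn
    SVNPath /srv/svn/docs

    # Basic auth sends the password on every request: refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Document repository"
    AuthBasicProvider ldap

    # Search by uid under the people subtree; only entries that are Samba
    # accounts match. STARTTLS protects the bind between Apache and LDAP.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=sambaSamAccount)" STARTTLS

    # Dedicated read-only search account, not an administrative DN.
    # Keep this file readable by root only, since the password is in clear.
    AuthLDAPBindDN "cn=svn-search,ou=Services,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # Authentication decides who the user is; this file decides which
    # paths that user may read or write.
    AuthzSVNAccessFile /etc/apache2/svn-authz.conf
    Require valid-user
</Location>

# Contents of /etc/apache2/svn-authz.conf (placeholder users and paths).
# Rules are per directory tree, which is why per-file ACLs that differ
# for every document are painful to express here:
#
#   [groups]
#   editors = alice, bob
#
#   [/]
#   * = r
#
#   [/contracts]
#   @editors = rw
#   * =
```

With this layout, an LDAP account that binds successfully can read the repository root, while `/contracts` is writable by `editors` and invisible to everyone else.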
Re: [Samba] Slackware 12.1 + Samba 3.0.28a + a lot of users (Slightly OT)
[...] If you don't want LDAP you have to use the smbpasswd way. (and LDAP leads to other problems ...)

Also, the same users have their home directories shared via AFP (which works fine) and I can't complicate the setup with an additional smbpasswd file.

How and where does AFP manage the authentication for Windows clients?

Best regards!
Helmut

Yeah, FWIW, I just set up LDAP on Slackware-12.0, and it's a bear to build it from source. Depending on what libraries you require, of course. I took the kitchen sink approach and I think I ended up chasing about a dozen libraries for dependencies. My only advice if you decide to go this route is to use Slackware's makepkg utility as you compile sources and keep all the packages in subversion or some other form of revision control. Also, the default Samba add machine script needs to be modified slightly, IIRC.

That being said, it's very doable if you have patience and a Starbucks nearby. Also, a hard copy of John Terpstra and Jelmer Vernooij's The Official Samba-3 HOWTO and Reference Guide as well as Jerry Carter's LDAP System Administration are worth their weight in gold for such an undertaking.