Re: [Samba] acl's, Samba4 and rw shares
On 02/16/2012 03:48 PM, Aaron E. wrote:
> The permissions are slightly different for s4, as in you will be setting most of the folder permissions at the windows level. You'll need to make sure that user_xattr and acl is enabled for the filesystem.

That seems OK:

mount | grep xattr
/dev/sda1 on / type ext4 (rw,errors=remount-ro,user_xattr,commit=0)

> You can't really chmod per se, you'll need to access the security tab for the share and apply permissions you need at that level... you can view the permissions using the samba-tool for the share at the nix level like so
>
> samba-tool ntacl folder/file
>
> you'll see this gives a bunch of gibberish but you will see it working.. If you haven't assigned perms through windows yet it will return stating no permissions or something to that effect..

I tried this:

-rw-r----- 1 steve2 debusers 0 2012-02-16 14:47 /home/dropbox/s2

samba-tool ntacl get /home/dropbox/s2
ERROR(): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 162, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 106, in run
    acl = getntacl(lp, file, xattr_backend, eadb_file)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 62, in getntacl
    xattr.XATTR_NTACL_NAME)

samba-tool ntacl set /home/dropbox/s2
Usage: samba-tool ntacl set [options]

But I can't find that documented anywhere. Would I need to look in the source to get a list of options? Basically I'm trying not to have to tie up a windows box to do this stuff.

> You need to set the setfacl -m default:user:xxx folder for inheritance in linux but windows users will always use ntacls I believe

I've done a few ldbsearches in /usr/local/samba/private but I can't find anything to do with the dropbox share I have defined.

Any ideas?
Thanks

> On 02/16/2012 06:37 AM, steve wrote:
>> Hi
>> I'm trying to make a share called dropbox rw for members of a group.
>>
>> /usr/local/samba/etc/smb.conf
>>
>> [global]
>> server role = domain controller
>> workgroup = CACTUS
>> realm = hh3.site
>> netbios name = HH3
>> passdb backend = samba4
>> template shell = /bin/bash
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
>> read only = No
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>> [home]
>> path = /home/CACTUS/%USERNAME%
>> read only = No
>>
>> [profiles]
>> path = /home/CACTUS/profiles%USERNAME%
>> read only = No
>>
>> [dropbox]
>> path = /home/dropbox
>> read only = No
>>
>> I have
>>
>> mkdir -m 0770 /home/dropbox
>> chown steve:debusers /home/dropbox
>> chmod g+s /home/dropbox/
>> setfacl -Rm g:debusers:rw,d:g:debusers:rw /home/dropbox/
>>
>> getfacl /home/dropbox/
>> getfacl: Removing leading '/' from absolute path names
>> # file: home/dropbox/
>> # owner: steve
>> # group: debusers
>> # flags: -s-
>> user::rwx
>> group::rwx
>> group:debusers:rw-
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:group::rwx
>> default:group:debusers:rw-
>> default:mask::rwx
>> default:other::---
>>
>> If I create a file in the share using touch (or right click on the share > new in explorer), no problem:
>>
>> steve2@hh3:~$ touch /home/dropbox/hola
>> steve2@hh3:~$ ls -l /home/dropbox/hola
>> -rw-rw----+ 1 steve2 debusers 0 2012-02-16 12:11 /home/dropbox/hola
>>
>> But, if I create the file in my home folder (or the mapped home folder drive on Windows) and then copy or drag it to the share, I don't get group rw:
>>
>> steve2@hh3:~$ touch hola2
>> steve2@hh3:~$ cp hola2 /home/dropbox/
>> steve2@hh3:~$ ls -la /home/dropbox/hola2
>> -rw-r-----+ 1 steve2 debusers 0 2012-02-16 12:12 /home/dropbox/hola2
>>
>> None of the smb.conf force group nor acl commands are recognised. I could cron the setfacl as a workaround or get the users to chmod it to 660 but, well. . .
>>
>> 1. Is it possible to copy a file to a folder and have it inherit the parent folder permissions?
>> 2. How do you chmod 660 on windows?
>>
>> Thanks,
>> Steve

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Build Active Directory with Samba
On 01/28/2012 05:28 PM, Agharinma EHIEDU wrote:
> Hello,
> Please, which release of Samba can one build Active Directory Domain with. I know that with 3.0 one can have a PDC but I want to build AD with Samba. Your help will be appreciated.
> Ehiedu Agharinma

Try Samba4:
http://wiki.samba.org/index.php/Samba4/HOWTO

HTH,
Steve
Re: [Samba] Error in provisioning Samba4 Alpha 18 from git
On 02/02/2012 09:51 PM, Mathias Friman wrote:
> Hi,
> I have a problem. The prerequisites are:
> * Vanilla Ubuntu 10.04 install
> * Followed the http://wiki.samba.org/index.php/Samba4/HOWTO
>
> In step 4, after running the command:
>
> ./source4/setup/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller'
>
> I get the following error when the provisioning runs tdbbackup from the script "bin/python/samba/provision/sambadns.py":
>
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=samdom,DC=example,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Adding DNS accounts
> Populating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones partition
> Populating ForestDnsZones partition
> bin/tdbbackup: /home/administrator/source/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
> Failed to setup database for BIND, AD based DNS cannot be used
> Traceback (most recent call last):
>   File "./source4/setup/provision", line 256, in <module>
>     useeadb=eadb, next_rid=opts.next_rid, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1757, in provision
>     am_rodc=am_rodc, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
>     targetdir=targetdir, site=DEFAULTSITE)
>   File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
>     create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
>   File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
>     os.path.join(dns_dir, "sam.ldb"))
>   File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
>     raise Exception("Error copying %s" % file1)
> Exception: Error copying /usr/local/samba/private/sam.ldb
>
> The file /home/administrator/source/samba-master/bin/shared/private/libtdb.so does exist.
> What can/should I do? I tried this on Ubuntu 11.10 desktop as well, with the exact same result.
>
> Kindest regards,
> Mathias
>
> PS. I'm not part of the samba mailinglist. DS.

Run make again. Make install deletes stuff in the build. Then the provision will work.

HTH,
Steve
Re: [Samba] error with provisionsing
On 02/03/2012 04:10 PM, Eric J. Stewart wrote:
> I found the samba4 HOW-TO on the wiki and I have followed it using Ubuntu server versions 11.10 and 10.04. I have been unsuccessful at step 4 running the provision script. I have run the following commands to get to this point:
>
> $ sudo git clone git://git.samba.org/samba.git samba-master; cd samba-master
> $ sudo apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline5-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils libpopt-dev
>
> When this command was run on 11.10 I received an error that the package libreadline5-dev was not found. As an alternative the libreadline-gplv2-dev or lib64readline-gplv2-dev were suggested. I chose the libreadline-gplv2-dev, because it was a 32 bit install, as the replacement.
>
> $ sudo ./configure.developer
> $ sudo make
> $ sudo make install
> $ sudo ./source4/setup/provision --realm=home.com --domain=HOME --adminpass=P@ssw0rd --server-role='domain controller'
>
> The following is the output I am receiving on both editions.
>
> bin/tdbbackup: /home/administrator/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
> Failed to setup database for BIND, AD based DNS cannot be used
> Traceback (most recent call last):
>   File "./source4/setup/provision", line 256, in <module>
>     useeadb=eadb, next_rid=opts.next_rid, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1757, in provision
>     am_rodc=am_rodc, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
>     targetdir=targetdir, site=DEFAULTSITE)
>   File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
>     create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
>   File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
>     os.path.join(dns_dir, "sam.ldb"))
>   File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
>     raise Exception("Error copying %s" % file1)
> Exception: Error copying /usr/local/samba/private/sam.ldb
>
> I am fairly new to working with samba and I do not know where to look to get this working and any suggestions would be greatly appreciated.
>
> Eric

You need to run make again as make install messes up the previous build. Then the provision will work.
What are you using for DNS?
I documented the 11.10 install here:
http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html

HTH,
Steve
Re: [Samba] Samba winbind and nfsv4 krb5
On 02/13/2012 10:48 AM, Oliver Weinmann wrote:
> Hi All,
> I'm struggling since weeks to get samba winbind and a kerberized nfs mount running. We have a Netapp SAN exporting the nfs share with sec=krb5 and a Linux Client Ubuntu 10.04 Server trying to access the exported share. Accessing the share without krb5 (sec=sys) works fine. The linux machine is joined to a Windows 2008R2 domain and user/group lookups, login via ssh etc. work fine. I have read many articles about using winbind to acquire the Kerberos tickets on login. What I have done so far is join the linux machine to our AD:
>
> net ads join -U Administrator
>
> After this my krb5.keytab file is filled with the following:
>
> root@ubuntu100432:~# klist -kte
> Keytab name: WRFILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- -----------------------------------------------------------------------------
>    2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
>    2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
>    2 02/13/12 09:34:59 host/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
>    2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
>    2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
>    2 02/13/12 09:34:59 host/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)
>    2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with CRC-32)
>    2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (DES cbc mode with RSA-MD5)
>    2 02/13/12 09:34:59 UBUNTU100432$@A.SPACE.CORP (ArcFour with HMAC/md5)
>
> Then I add the nfs principal:
>
> net ads keytab add nfs -U Administrator
>
> This adds the princ to the keytab file:
>
>    2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with CRC-32)
>    2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (DES cbc mode with RSA-MD5)
>    2 02/13/12 09:36:11 nfs/ubuntu100432.a.space.c...@a.space.corp (ArcFour with HMAC/md5)
>    2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with CRC-32)
>    2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (DES cbc mode with RSA-MD5)
>    2 02/13/12 09:36:11 nfs/ubuntu100...@a.space.corp (ArcFour with HMAC/md5)
>
> I restart the portmap service (this restarts statd, idmapd and gssd):
>
> service portmap restart
>
> Now when I try to mount the share I always get an access denied. Looking at /var/log/daemon.log reveals:
>
> handling krb5 upcall
> Full hostname for 'ds-san-02.a.space.corp' is 'ds-san-02.a.space.corp'
> Full hostname for 'ubuntu100432.a.space.corp' is 'ubuntu100432.a.space.corp'
> Key table entry not found while getting keytab entry for 'root/ubuntu100432.a.space.c...@a.space.corp'
> Success getting keytab entry for 'nfs/ubuntu100432.a.space.c...@a.space.corp'
> WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/ubuntu100432.a.space.c...@a.space.corp' using keytab 'WRFILE:/etc/krb5.keytab'
> ERROR: No credentials found for connection to server ds-san-02.a.space.corp
> doing error downcall
> destroying client clnt13
> destroying client clnt12
>
> I checked the host in AD with setspn -L and this lists the following:
>
> Registered ServicePrincipalNames for CN=ubuntu100432 ace,DC=corp:
> NFS/ubuntu100432.a.space.corp
> NFS/ubuntu100432
> HOST/ubuntu100432.a.space.corp
> HOST/UBUNTU100432
>
> So there is no principal 'nfs/ubuntu100432.a.space.c...@a.space.corp'. Is there something special about Windows 2008 R2?
>
> Regards,
> Oliver

Hi
I don't think AD supports either DES or arcfour out of the box. We have the same setup with Samba 4 which does and we can mount sec=krb5. I don't think that this will make any difference in your case, but it may be worth a try, as, unless you're running an old distro, you don't need the nfs principal in the client's keytab. See man rpc.gssd(8).
There's an up to date copy here:
http://linux.die.net/man/8/rpc.gssd
We also tried to produce some readable kerberized nfs4 documentation:
http://linuxcostablanca.blogspot.com/2012/02/nfsv4-myths-and-legends.html

HTH,
Steve
[Samba] acl's, Samba4 and rw shares
Hi
I'm trying to make a share called dropbox rw for members of a group.

/usr/local/samba/etc/smb.conf

[global]
server role = domain controller
workgroup = CACTUS
realm = hh3.site
netbios name = HH3
passdb backend = samba4
template shell = /bin/bash

[netlogon]
path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[home]
path = /home/CACTUS/%USERNAME%
read only = No

[profiles]
path = /home/CACTUS/profiles%USERNAME%
read only = No

[dropbox]
path = /home/dropbox
read only = No

I have

mkdir -m 0770 /home/dropbox
chown steve:debusers /home/dropbox
chmod g+s /home/dropbox/
setfacl -Rm g:debusers:rw,d:g:debusers:rw /home/dropbox/

getfacl /home/dropbox/
getfacl: Removing leading '/' from absolute path names
# file: home/dropbox/
# owner: steve
# group: debusers
# flags: -s-
user::rwx
group::rwx
group:debusers:rw-
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:debusers:rw-
default:mask::rwx
default:other::---

If I create a file in the share using touch (or right click on the share > new in explorer), no problem:

steve2@hh3:~$ touch /home/dropbox/hola
steve2@hh3:~$ ls -l /home/dropbox/hola
-rw-rw----+ 1 steve2 debusers 0 2012-02-16 12:11 /home/dropbox/hola

But, if I create the file in my home folder (or the mapped home folder drive on Windows) and then copy or drag it to the share, I don't get group rw:

steve2@hh3:~$ touch hola2
steve2@hh3:~$ cp hola2 /home/dropbox/
steve2@hh3:~$ ls -la /home/dropbox/hola2
-rw-r-----+ 1 steve2 debusers 0 2012-02-16 12:12 /home/dropbox/hola2

None of the smb.conf force group nor acl commands are recognised. I could cron the setfacl as a workaround or get the users to chmod it to 660 but, well. . .

1. Is it possible to copy a file to a folder and have it inherit the parent folder permissions?
2. How do you chmod 660 on windows?

Thanks,
Steve
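As an added illustration, not part of Steve's post, the POSIX sh script below models the acl(5) rule behind the touch/cp difference he reports. It assumes the default ACL getfacl printed for /home/dropbox and takes as input the mode the creating program passes to open(2): touch asks for 666, while cp (without -p) asks for the source file's mode, 644 here.

```shell
#!/bin/sh
# Added example (not from the thread). Models the acl(5) rule for a file
# created in /home/dropbox, whose default ACL getfacl showed as:
#   default:user::rwx  default:group::rwx  default:group:debusers:rw-
#   default:mask::rwx  default:other::---
# With a default ACL present the kernel ignores the umask. The new file's
# access ACL is the default ACL, except that user::, mask:: and other:: are
# ANDed with the owner, group and other bits of the mode the creating program
# passed to open(2). Named entries (group:debusers:rw-) are copied as they
# are but only take effect through the mask, and ls -l prints the mask in
# the group column. touch asks for 666; cp asks for the source file's mode,
# 644 here. That is the whole difference between hola and hola2.

DEF_USER=rwx
DEF_GROUP=rwx        # owning-group entry, inherited unchanged
DEF_DEBUSERS=rw-     # named group entry, inherited unchanged, limited by mask
DEF_MASK=rwx
DEF_OTHER=---

# perm_and rwx r-- -> r--   (bitwise AND of two rwx strings)
perm_and() {
    out=''
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$1" | cut -c "$i")
        b=$(printf '%s' "$2" | cut -c "$i")
        if [ "$a" = "$b" ]; then out="$out$a"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# digit_to_perm 6 -> rw-   (one octal digit to an rwx string)
digit_to_perm() {
    p=''
    if [ $(($1 & 4)) -ne 0 ]; then p="${p}r"; else p="${p}-"; fi
    if [ $(($1 & 2)) -ne 0 ]; then p="${p}w"; else p="${p}-"; fi
    if [ $(($1 & 1)) -ne 0 ]; then p="${p}x"; else p="${p}-"; fi
    printf '%s' "$p"
}

# mode_bits 644 2 -> r--   (digit 1=owner, 2=group, 3=other of a 3-digit mode)
mode_bits() {
    digit_to_perm "$(printf '%s' "$1" | cut -c "$2")"
}

# new_file_acl <3-digit octal mode>: the access ACL the new file ends up with
new_file_acl() {
    u=$(perm_and "$DEF_USER"  "$(mode_bits "$1" 1)")
    m=$(perm_and "$DEF_MASK"  "$(mode_bits "$1" 2)")
    o=$(perm_and "$DEF_OTHER" "$(mode_bits "$1" 3)")
    printf 'user::%s\ngroup::%s\ngroup:debusers:%s\nmask::%s\nother::%s\n' \
        "$u" "$DEF_GROUP" "$DEF_DEBUSERS" "$m" "$o"
}

# ls_mode <mode>: the mode column ls -l prints (owner, MASK, other, then "+")
ls_mode() {
    u=$(perm_and "$DEF_USER"  "$(mode_bits "$1" 1)")
    m=$(perm_and "$DEF_MASK"  "$(mode_bits "$1" 2)")
    o=$(perm_and "$DEF_OTHER" "$(mode_bits "$1" 3)")
    printf '%s%s%s%s+' '-' "$u" "$m" "$o"
}

# effective_debusers <mode>: what members of debusers can really do
effective_debusers() {
    perm_and "$DEF_DEBUSERS" "$(perm_and "$DEF_MASK" "$(mode_bits "$1" 2)")"
}

# touch /home/dropbox/hola  -> open(..., O_CREAT, 0666)
# cp hola2 /home/dropbox/   -> open(..., O_CREAT, 0644), the mode of hola2
for mode in 666 644; do
    printf 'mode %s: %s  debusers get %s\n' \
        "$mode" "$(ls_mode "$mode")" "$(effective_debusers "$mode")"
done
```

The mask, not the named entry, is what makes hola2 read-only for the group, which is also why a chmod 660 (which rewrites the mask) repairs it.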
Re: [Samba] Samba4 gid-to-sid question
On 02/16/2012 06:58 AM, Gémes Géza wrote:
> On 2012-02-16 02:01, steve wrote:
>> Hi.
>> We used info from a SID created using samba-tool group add to posix-ify it and then add a posix-ified domain user to it.
>> The AD doco defines two sorts of SID. Ones that change, and ones that don't.
>> Here is a search on our posix-ified group:
>>
>> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=312'
>> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
>>
>> We set the primaryGroupID of the user to 1121, his gidNumber to 312 and his uidNumber from wbinfo. He becomes visible to Linux via nss-ldapd, whilst retaining his Domain User status on the windows side :-)
>>
>> My question is, to which category of SID does S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume that this is fixed for the life of the domain? Under what circumstances could s4 change it, and if it did, would we be given warning?
>>
>> Thanks,
>> Steve
>
> Hi
> SIDs over S-1-5-21-.-1000 are "ordinary" SIDs used by windows for users and groups. The M$ docs describe modifying the SID as a very dangerous, unsupported operation with unpredictable consequences, so yes SIDs can be considered as something "carved in stone".
>
> Regards
> Geza

Hi Geza
Thanks for the confirmation. Will s4 follow the carved in stone m$ guidelines? So far, the schema has allowed my addition of POSIX objects and attributes to the ldb's. Indeed, some of them such as posixAccount are already there, just waiting to be pulled in. Will there be any changes made which will negate this?
e.g. I have a user with primaryGroupID: 1121, uidnumber: 300, unixhomedirectory: /home/workgroup/user. Will the user always have those attributes? Now? After the next git? After a s4 release?
Maybe the question should be, will there be any changes made to the schema which would disallow rfc2307 attributes to be included?
It's almost Friday.

Cheers,
Steve
Re: [Samba] samba 4 PAM and xscreensaver
On 01/09/2012 08:42 AM, steve wrote:
> Hi
> I have a Linux client running XFCE and authenticating against Samba 4. When trying to return to the session after xscreensaver has kicked in, authentication fails.

Sorry to bump, but I've just seen this in the xscreensaver doco:

XScreenSaver Dependencies
Required / Optional
libjpeg-8c, libgnome-2.32.1, GLE, Netpbm, XDaliClock, Linux-PAM-1.1.5, _MIT Kerberos V5-1.6 (built with Kerberos V4 backwards compatibility), and krb4 and Heimdal-1.4 (Kerberos authentication requires having Kerberos V4 and V5 on the system)_

Does Samba 4 have this?

Cheers,
Steve
[Samba] Samba4 gid-to-sid question
Hi.
We used info from a SID created using samba-tool group add to posix-ify it and then add a posix-ified domain user to it.
The AD doco defines two sorts of SID. Ones that change, and ones that don't.
Here is a search on our posix-ified group:

ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=312'
objectSid: S-1-5-21-980186919-4150830324-975011627-1121

We set the primaryGroupID of the user to 1121, his gidNumber to 312 and his uidNumber from wbinfo. He becomes visible to Linux via nss-ldapd, whilst retaining his Domain User status on the windows side :-)

My question is, to which category of SID does S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume that this is fixed for the life of the domain? Under what circumstances could s4 change it, and if it did, would we be given warning?

Thanks,
Steve
Re: [Samba] samba4 provision error
On 02/15/2012 11:30 PM, fe...@epepm.cupet.cu wrote:
> git checkout dd5868d
>
> when I try to provision I get the following:
>
> Populating ForestDnsZones partition
> bin/tdbbackup: /home/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
> Failed to setup database for BIND, AD based DNS cannot be used
> Traceback (most recent call last):
>   File "./source4/setup/provision", line 262, in <module>
>     useeadb=eadb, next_rid=opts.next_rid, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1757, in provision
>     am_rodc=am_rodc, lp=lp)
>   File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
>     targetdir=targetdir, site=DEFAULTSITE)
>   File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
>     create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
>   File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
>     os.path.join(dns_dir, "sam.ldb"))
>   File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
>     raise Exception("Error copying %s" % file1)
> Exception: Error copying /usr/local/samba/private/sam.ldb

Run make again and then it should provision OK.

HTH
Steve
Re: [Samba] Samba4 ldbmodify Unwilling to perform error 53
On 15/02/12 14:35, Andrew Bartlett wrote:
> On Tue, 2012-02-14 at 16:56 +0100, steve wrote:
>> Hi everyone
>> samba --version
>> Version 4.0.0alpha18-GIT-bfc7481
>> openSUSE 12.1
>>
>> If I do this:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>> -
>> replace: primarygroupid
>> primarygroupid: 1134
>>
>> I get an error something like:
>> ERR: (Unwilling to perform) error 53
>>
>> If however I do the ldbmodify in 2 stages:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> add: objectclass
>> objectclass: posixaccount
>>
>> and then:
>>
>> ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
>> dn: CN=steve6,CN=Users,DC=hh3,DC=site
>> changetype: modify
>> replace: primarygroupid
>> primarygroupid: 1134
>>
>> It works.
>
> primaryGroupID is special, but you may have found a bug in the handler for it. We have to confirm that the value being selected does not conflict with the existing group memberships.
>
> Andrew Bartlett

Hi Andrew
I chopped the 1134 from the end of the group SID:

samba-tool group add suseusers
wbinfo --group-info=suseusers
suseusers:*:328:
wbinfo --gid-to-sid 328
S-1-5-21-2395500911-3560017633-4088823418-1134

Previous to this it was 513 (Domain Users I think)

Here is the script we made to POSIX-ify the group, e.g. ./s4group suseusers

#!/bin/sh
echo "Creating s4 posix group "$1
samba-tool group add $1
strgid=$(wbinfo --group-info=$1)
gid=$(echo $strgid | cut -d ":" -f 3)
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > /tmp/$1
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f /tmp/$1 -Y GSSAPI
rm /tmp/$1
echo $1 "rfc2307-ified"

and here is the script to POSIX-ify the user and add him to the group, e.g. ./s4user steve6 suseusers

#!/bin/sh
echo "Creating s4 posix user "$1
echo "Pls enter pwd for "$1
samba-tool user add $1
sleep 2
#get the uid
struid=$(wbinfo -i $1)
uid=$(echo $struid | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info=$2)
gid=$(echo $strgid | cut -d ":" -f 3)
#get the group from the sid
strsid=$(wbinfo --gid-to-sid=$gid)
primarygid=$(echo $strsid | cut -d "-" -f 8)
strwg=$(echo $struid | cut -d "\\" -f 1)
#add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > /tmp/$1
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
samba-tool group addmembers $2 $1
#set the user to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > /tmp/$1
echo "sleeping. . ."
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
mkdir /home/$strwg/$1
chown -R $1:$2 /home/$strwg/$1
rm /tmp/$1
echo "New user: " $1 "POSIX-ified"

It works OK. The users have SSO to Linux (nss-pam-ldapd/kerberized NFS4) and Windows.
It's difficult to find documentation for ldbmodify. I worked this out from ldbmodify --help. I just wondered why we had to do the ldbmodify in 2 stages. In particular, why we have to 'sleep 5' before going ahead with the primaryGroupID. BTW, it doesn't matter which way round you do it. You can do the primaryGroupID first if you like, but you still then have to wait to add the POSIX stuff.
If the scripts may be in any way useful, I could try to idiot proof them up a bit.

Cheers,
Steve
[Samba] Samba4 ldbmodify Unwilling to perform error 53
Hi everyone
samba --version
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1

If I do this:

ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
dn: CN=steve6,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
replace: primarygroupid
primarygroupid: 1134

I get an error something like:
ERR: (Unwilling to perform) error 53

If however I do the ldbmodify in 2 stages:

ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
dn: CN=steve6,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount

and then:

ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site
dn: CN=steve6,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: 1134

It works. I tried with ldapmodify too. Same result.
Actually, I'm doing the ldbmodify stuff in a script. Still the same. I have to do:

ldbmodify
sleep 5
ldbmodify

What am I doing wrong? Maybe my slow hardware? Is it possible to add and replace in one go?

Cheers,
Steve
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
On 14/02/12 10:50, steve wrote:
> On 02/14/2012 06:47 AM, Gémes Géza wrote:
>> Hi
>>
>>> On 02/13/2012 07:53 PM, Gémes Géza wrote:
>>>> Hi, See comments/questions below:
>>>>
>>>>> Hi
>>>>> When I type this:
>>>>> getent passwd steve6
>>>>> steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
>>>>> I can see that the info is coming from LDAP by looking at the ldif for cn=steve6
>>>>
>>>> What is your /etc/nsswitch.conf file like?
>>>
>>> passwd files ldap
>>> group files ldap
>>>
>>>>> When I type this:
>>>>> wbinfo -i steve6
>>>>> CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false
>>>>
>>>> Is this on the samba4 box? wbinfo is the samba4 wbinfo or a samba3 one?
>>>
>>> samba4 box
>>> wbinfo = samba4
>>> No s3 installed on this box.
>>>
>>>>> Where is the info coming from now?
>>>>> Thanks,
>>>>> Steve
>>
>> Samba4 stores idmap information under an idmap.ldb named ldb file which is NOT exported to AD. So you could modify things by ldbediting it directly.
>
> Geza, I'm really struggling with ldbsearch. The doco is almost non existent. As you suggest, the primaryGroupID attribute I'm looking for must be in idmap.ldb as I can't find it using ldapsearch until _after_ I add a user to my posix group using dsa.msc in windows. Afterwards, I see that the primaryGroupID attribute has been added to the user. What I want to do is find out what that primaryGroupID is _before_ I run my posix script so I can add the attribute myself without having to do it from windows.
> All I can find on ldapsearch is:
> ldbsearch [-h] [-s base|one|sub] [-b basedn] [-i] [-H LDB-URL] [expression] [attributes]
>
> 1. Could you help me with the ldbsearch syntax to have a look inside idmap.ldb?
> 2. Which database am I consulting when I run ldapsearch?
>
> Thanks,
> Steve

Hi
I got into /usr/local/samba/private/idmap.ldb by rtfm'ing on ldbsearch --help :-)
There I found the group to sid mappings. Turns out we don't need it.
Looking at this:

samba-tool group add suseusers

then

wbinfo --group-info=suseusers
suseusers:*:328:

I then posixify the group and then:

wbinfo --gid-to-sid=328
S-1-5-21-2395500911-3560017633-4088823418-1134

Doing a ldbsearch on 'cn=steve6' gives
primaryGroupID: 513

Conclusion: to set the primaryGroupID without using windows, I need to replace the 513 with my posix group, 1134
So I chop off the end using cut and ldbmodify it. For some reason, ldbmodify will not let me do that in one stage. I had to separate the writes into 2 stages:
1. add the posix attributes
2. modify the primaryGroupID
Annoying.

I've automated the script a bit more; it looks like this:

cat s4user
#!/bin/sh
echo "Creating s4 posix user "$1
echo "Pls enter pwd for "$1
samba-tool user add $1
sleep 2
#get the uid
struid=$(wbinfo -i $1)
uid=$(echo $struid | cut -d ":" -f 3)
#get the gid
strgid=$(wbinfo --group-info=$2)
gid=$(echo $strgid | cut -d ":" -f 3)
#get the group from the sid
strsid=$(wbinfo --gid-to-sid=$gid)
primarygid=$(echo $strsid | cut -d "-" -f 8)
strwg=$(echo $struid | cut -d "\\" -f 1)
#add the posix attributes to the user
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > /tmp/$1
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
samba-tool group addmembers $2 $1
#set the user to the posix group
echo "dn: CN=$1,CN=Users,DC=hh3,DC=site
changetype: modify
replace: primarygroupid
primarygroupid: $primarygid" > /tmp/$1
sleep 5
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=hh3,dc=site /tmp/$1
mkdir /home/$strwg/$1
chown $1:$2 /home/$strwg/$1
rm /tmp/$1
echo $1 "rfc2307-ified"

It's still a bit of a mess, no error checking, no user friendly stuff etc. Any suggestions for tidying up the script?
Any ideas why ldbmodify will not take the add and replace in one go? My slow laptop?

Cheers and thanks again for your help.
Steve
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
On 02/14/2012 06:47 AM, Gémes Géza wrote:
> Hi
>
>> On 02/13/2012 07:53 PM, Gémes Géza wrote:
>>> Hi, See comments/questions below:
>>>
>>>> Hi
>>>> When I type this:
>>>> getent passwd steve6
>>>> steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
>>>> I can see that the info is coming from LDAP by looking at the ldif for cn=steve6
>>>
>>> What is your /etc/nsswitch.conf file like?
>>
>> passwd files ldap
>> group files ldap
>>
>>>> When I type this:
>>>> wbinfo -i steve6
>>>> CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false
>>>
>>> Is this on the samba4 box? wbinfo is the samba4 wbinfo or a samba3 one?
>>
>> samba4 box
>> wbinfo = samba4
>> No s3 installed on this box.
>>
>>>> Where is the info coming from now?
>>>> Thanks,
>>>> Steve
>
> Samba4 stores idmap information under an idmap.ldb named ldb file which is NOT exported to AD. So you could modify things by ldbediting it directly.

Geza, I'm really struggling with ldbsearch. The doco is almost non existent. As you suggest, the primaryGroupID attribute I'm looking for must be in idmap.ldb as I can't find it using ldapsearch until _after_ I add a user to my posix group using dsa.msc in windows. Afterwards, I see that the primaryGroupID attribute has been added to the user. What I want to do is find out what that primaryGroupID is _before_ I run my posix script so I can add the attribute myself without having to do it from windows.
All I can find on ldapsearch is:
ldbsearch [-h] [-s base|one|sub] [-b basedn] [-i] [-H LDB-URL] [expression] [attributes]

1. Could you help me with the ldbsearch syntax to have a look inside idmap.ldb?
2. Which database am I consulting when I run ldapsearch?

Thanks,
Steve
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
On 02/13/2012 08:03 PM, steve wrote:

On 02/13/2012 07:53 PM, Gémes Géza wrote:

Hi, See comments/questions below:

Hi
When I type this:
getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
I can see that the info is coming from LDAP by looking at the ldif for cn=steve6

What is your /etc/nsswitch.conf file like?

passwd files ldap
group files ldap

When I type this:
wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Is this on the samba4 box? wbinfo is the samba4 wbinfo or a samba3 one?

samba4 box
wbinfo = samba4
No s3 installed on this box.

Where is the info coming from now?
Thanks, Steve

Regards Geza

Everything is OK. Login and uid:gid mapping are fine on both Linux and win7 clients. I'm just trying to script all this from the Linux side without having to tie up a win7 box to do it. The other thread explains why I know there must be a difference between wbinfo and getent:
Re: [Samba] samba-tool set default group

Cheers,

BTW here are the posix scripts based on Geza's idea. Saves a helluva lot of fiddling:

_But_ I need primaryGroupID to complete the user script. Hence this thread.

cat s4group

#!/bin/sh
# Create the AD group with samba-tool, read back the gid winbind allocated
# for it and add the RFC2307 attributes so nss-ldapd can resolve the group.
echo "Creating s4 posix group "$1
samba-tool group add "$1"
strgid=$(wbinfo --group-info="$1")
gid=$(echo "$strgid" | cut -d ":" -f 3)
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > /tmp/$1
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f /tmp/$1 -Y GSSAPI
rm /tmp/$1
echo $1 "posix-ified"

e.g.
./s4group suseusers

cat s4user (needs the primaryGroupID adding to it)

#!/bin/sh
# Create the AD user with samba-tool, read back the uid winbind allocated
# for it and the gid of the group given as $2, then add the RFC2307
# attributes, make the user a member of the group and create the home dir.
echo "Creating s4 posix user "$1
echo "Pls enter pwd for "$1
samba-tool user add "$1"
struid=$(wbinfo -i "$1")
uid=$(echo "$struid" | cut -d ":" -f 3)
strgid=$(wbinfo --group-info="$2")
gid=$(echo "$strgid" | cut -d ":" -f 3)
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $uid
-
add: gidnumber
gidnumber: $gid
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > /tmp/$1
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f /tmp/$1 -Y GSSAPI
samba-tool group addmembers "$2" "$1"
mkdir /home/CACTUS/$1
chown $1:$2 /home/CACTUS/$1
rm /tmp/$1
echo $1 "posix-ified"

e.g.
./s4user steve6 suseusers
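The s4group/s4user scripts above splice the account name straight into a DN, a path and a predictable /tmp file, and trust whatever wbinfo prints to be a number. The following is an added example, not code from the thread or from Samba: it rebuilds the LDIF-generating part of those scripts as shell functions that validate the name, check the uid/gid fields, and write the LDIF to a mktemp file. The base DN, home prefix and LDAP host default to the thread's own values and are assumptions here; the group LDIF adds only posixGroup, which is what nss-ldapd needs (the thread's script also adds posixAccount to the group).

```sh
#!/bin/sh
# Added example, not code from the thread: the LDIF-building part of the
# s4user/s4group scripts with the checks an Administrator-run script wants.
# BASE_DN, HOME_BASE and LDAP_HOST default to the thread's values (assumptions).

BASE_DN="${BASE_DN:-cn=Users,dc=hh3,dc=site}"
HOME_BASE="${HOME_BASE:-/home/CACTUS}"
LDAP_HOST="${LDAP_HOST:-192.168.1.3}"

# Accept only names that are safe as a DN component, a posix name and a
# directory name: letters, digits, dot, underscore, dash; no leading dash
# (would be parsed as an option by samba-tool) and no leading dot.
valid_name() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Field N of a passwd/group style line as 'wbinfo -i' or 'wbinfo --group-info'
# print it, e.g. CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false.
# Fails unless that field is a plain decimal number, so an error message from
# wbinfo can never end up as a uidNumber.
numeric_field() {
    f=$(printf '%s\n' "$1" | cut -d ':' -f "$2")
    case "$f" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$f"
}

# Modify LDIF that turns an existing AD user into a posix account.
posix_user_ldif() {
    name="$1"; uid="$2"; gid="$3"
    valid_name "$name" || return 1
    printf '%s\n' \
        "dn: cn=$name,$BASE_DN" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: posixAccount" \
        "-" \
        "add: uidNumber" \
        "uidNumber: $uid" \
        "-" \
        "add: gidNumber" \
        "gidNumber: $gid" \
        "-" \
        "add: unixHomeDirectory" \
        "unixHomeDirectory: $HOME_BASE/$name" \
        "-" \
        "add: loginShell" \
        "loginShell: /bin/bash"
}

# Modify LDIF that turns an existing AD group into a posix group.
posix_group_ldif() {
    name="$1"; gid="$2"
    valid_name "$name" || return 1
    printf '%s\n' \
        "dn: cn=$name,$BASE_DN" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: posixGroup" \
        "-" \
        "add: gidNumber" \
        "gidNumber: $gid"
}

# Same flow as s4user for an already created user: every lookup is checked,
# the LDIF goes to a private temp file, and the file is removed either way.
posixify_user() {
    name="$1"; group="$2"
    valid_name "$name" && valid_name "$group" || { echo "bad name" >&2; return 1; }
    uid=$(numeric_field "$(wbinfo -i "$name")" 3) || return 1
    gid=$(numeric_field "$(wbinfo --group-info="$group")" 3) || return 1
    tmp=$(mktemp) || return 1
    posix_user_ldif "$name" "$uid" "$gid" > "$tmp" &&
        ldapmodify -h "$LDAP_HOST" -D "cn=Administrator,$BASE_DN" -Y GSSAPI -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Only posixify_user touches the DC; the other functions are pure and can be exercised with the thread's own wbinfo lines, e.g. `numeric_field 'suseusers:*:316:' 3` gives 316 and `posix_user_ldif steve6 315 316` prints the LDIF for cn=steve6.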
Re: [Samba] Samba 4, where is wbinfo 'info' stored?
On 02/13/2012 07:53 PM, Gémes Géza wrote:

Hi, See comments/questions below:

Hi
When I type this:
getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
I can see that the info is coming from LDAP by looking at the ldif for cn=steve6

What is your /etc/nsswitch.conf file like?

passwd files ldap
group files ldap

When I type this:
wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Is this on the samba4 box? wbinfo is the samba4 wbinfo or a samba3 one?

samba4 box
wbinfo = samba4
No s3 installed on this box.

Where is the info coming from now?
Thanks, Steve

Regards Geza

Everything is OK. Login and uid:gid mapping are fine on both Linux and win7 clients. I'm just trying to script all this from the Linux side without having to tie up a win7 box to do it. The other thread explains why I know there must be a difference between wbinfo and getent:
Re: [Samba] samba-tool set default group

Cheers, Steve
[Samba] Samba 4, where is wbinfo 'info' stored?
Hi
When I type this:
getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
I can see that the info is coming from LDAP by looking at the ldif for cn=steve6

When I type this:
wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Where is the info coming from now?
Thanks, Steve
Re: [Samba] samba-tool set default group
On 10/02/12 18:28, Gémes Géza wrote:

On 2012-02-10 12:11, steve wrote:

On 02/10/2012 12:08 PM, steve wrote:

On 02/09/2012 07:17 PM, Gémes Géza wrote:

On 2012-02-09 14:21, steve wrote:

Hi
How do I set the default group for a user? e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve
But steve's default group is still Users. I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'
But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
Cheers, Steve

IMHO currently your best bet is ldbmodify.
Regards Geza

I tried using phpldapadmin:
http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s320/ldapadmin.png
Same. I can add the user to the group but I can't find where the default group attribute or object is in ldap. What should I be looking for?
Thanks, Steve

Sorry:
http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s1600/ldapadmin.png

Hi,
You need to modify the user, not the group. The attribute you are looking for is: primaryGroupID
Regards Geza

Hi again
Thanks for that. So, e.g. posix-ified user steve6 in group suseusers:
wbinfo --group-info=suseusers
suseusers:*:316:
getent group suseusers
suseusers:*:316:

Before:
wbinfo -i steve6
CACTUS\steve6:*:315:100::/home/CACTUS/steve6:/bin/false
getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
(note the 100)

After adding steve6 to suseusers, there is no primaryGroupID attribute set.

On Windows dsa.msc, I go and change the default group:
http://2.bp.blogspot.com/-oDBqT03MB78/Tzk2-FN9C6I/ALU/4Ihs7VgK2Yk/s1600/s6-steve6user.png

After:
wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false
getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
(note the 316)

ldapsearch on cn=steve6 now gives me:
primaryGroupID: 1112

Question, without using windows, how can I get at the primaryGroupID: attribute to be able to set it to 1112 for cn=steve6 via a script?
Cheers, Steve
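The question at the end of this message, how to produce the primaryGroupID value from the Linux side, can be answered with a short script. What follows is an added example, not code from the thread or from Samba. Two facts it relies on are not stated in the thread: primaryGroupID holds the RID of the group, which is the last dash-separated component of the group's objectSid, and AD only accepts the change if the user is already a member of that group (the thread's order, samba-tool group addmembers first, is the right one). The domain SID below is constructed; only its last component, 1112, is the value the thread observed on cn=steve6. The base DN is the thread's and is an assumption.

```sh
#!/bin/sh
# Added example, not code from the thread: derive primaryGroupID from a
# group's objectSid and emit the modify LDIF for the user.
# BASE_DN defaults to the thread's base DN (assumption).

BASE_DN="${BASE_DN:-cn=Users,dc=hh3,dc=site}"

# Constructed domain SID for the example (not the thread's real domain SID);
# its RID, 1112, is the value the thread saw as primaryGroupID on cn=steve6.
SAMPLE_GROUP_SID='S-1-5-21-1111111111-2222222222-3333333333-1112'

# RID (last component) of a domain SID string. Only S-1-5-21-<d>-<d>-<d>-<rid>
# with all-numeric parts is accepted: a builtin/well-known SID or a garbled
# lookup result must never become somebody's primary group.
rid_from_sid() {
    old_ifs=$IFS
    IFS='-'; set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 8 ] && [ "$1" = S ] && [ "$2" = 1 ] && [ "$3" = 5 ] && [ "$4" = 21 ] || return 1
    for part in "$5" "$6" "$7" "$8"; do
        case "$part" in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '%s\n' "$8"
}

# Modify LDIF that makes the group with the given RID the user's primary group.
# 'replace' rather than 'add': every AD user already carries a primaryGroupID
# (513, Domain Users, by default).
primary_group_ldif() {
    user="$1"; rid="$2"
    case "$user" in ''|-*|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$rid" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' \
        "dn: cn=$user,$BASE_DN" \
        "changetype: modify" \
        "replace: primaryGroupID" \
        "primaryGroupID: $rid"
}

# From the group's objectSid string straight to the LDIF for the user.
primary_group_ldif_from_sid() {
    rid=$(rid_from_sid "$2") || return 1
    primary_group_ldif "$1" "$rid"
}
```

On a DC the SID would be read from the group object (objectSid) with the directory tools the thread already uses; the output of `primary_group_ldif_from_sid steve6 "$SAMPLE_GROUP_SID"` is the three-line modify that the thread otherwise applies through dsa.msc, ready for ldapmodify or ldbmodify.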
Re: [Samba] samba 4 provision fails [solved]
On 02/12/2012 07:01 PM, Matthieu Patou wrote:

Steve

Ubuntu no longer ships with libreadline5-dev
The apt-get line in the wiki should read:
apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-gplv2-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils libpopt-dev
Maybe someone who has a wiki account could check this and update the info? Also, having to rerun make could be mentioned there too.

Go on the wiki create an account, ask lars (in copy of this email) for write rights on your account. Then you will be able to fix the wiki.
Cheers.

I'd never be good enough to edit the wiki! As the problem was Ubuntu specific (I don't think anyone would use Ubuntu as a DC would they?) maybe it's best left as it is. I've documented it here anyway:
http://linuxcostablanca.blogspot.com/2012/01/samba-4-ubuntu.html
It should help others with the same problem find this solution after Google crawls it.
Saludos, Steve
[Samba] Samba 4 no longer accepts SASL GSSAPI?
Version 4.0.0alpha18-GIT-567f05e
Ubuntu 11.10

Attempting to bind from nss-ldapd:
ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2

The call is from here:
base dc=hh3,dc=site
map passwd uid samAccountName
map passwd homeDirectory unixHomeDirectory
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

There is a ticket cache in /tmp/krb5cc_0
A conventional bind works fine.
Thanks, Steve
Re: [Samba] samba 4 provision fails [solved]
On 02/11/2012 12:16 PM, steve wrote:

On 02/11/2012 09:07 AM, steve wrote:

Version 4.0.0alpha18-GIT-389bb4f
Ubuntu 11.10

Provision fails with:

Setting up sam.ldb users and groups
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in <module>
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1455, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "bin/python/samba/provision/__init__.py", line 1288, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "bin/python/samba/provision/common.py", line 52, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "bin/python/samba/__init__.py", line 221, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (1, 'operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2163')

Any ideas?
Thanks, Steve

Hi again
Tried running make again after make install. Same error.
Could someone on samba-technical forward this there?
Thanks, Steve

Ubuntu no longer ships with libreadline5-dev
The apt-get line in the wiki should read:
apt-get install build-essential libattr1-dev libblkid-dev libgnutls-dev libreadline-gplv2-dev python-dev autoconf python-dnspython gdb pkg-config bind9utils libpopt-dev
Maybe someone who has a wiki account could check this and update the info? Also, having to rerun make could be mentioned there too.
Thanks and hth, Steve
[Samba] Samba4 internal dns server cannot find ldap
Version 4.0.0alpha18-GIT-567f05e
Ubuntu 11.10

../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
dns child failed to find name '_ldap._tcp.HH3.SITE' of type SRV
finddcs: Failed to find SRV record for _ldap._tcp.HH3.SITE

Is there anything I need to configure in the internal server?
Thanks, Steve
Re: [Samba] samba-tool set default group
On 02/11/2012 11:07 PM, Matthieu Patou wrote:

On 02/09/2012 05:21 AM, steve wrote:

Hi
How do I set the default group for a user? e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve
But steve's default group is still Users. I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'
But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
Cheers, Steve

Do you know that you can use the windows admin tools against samba 4 also, Administration pack for Windows XP/2003 or Vista/2008 are working very well against samba. With those tools changing the default group is just a breath.
Matthieu.

Hi
Yes, but it seems overkill to have to tie up a whole Windows client when all we need is a 3 line ldif to change primaryGroupID (Thanks to Geza for pointing us at the correct attribute).
Having said that, are there any plans to include the (rather nice) Resara front end for Samba4 with any official release?
Thanks for your time, Steve
Re: [Samba] samba 4 provision fails
On 02/11/2012 09:07 AM, steve wrote:

Version 4.0.0alpha18-GIT-389bb4f
Ubuntu 11.10

Provision fails with:

Setting up sam.ldb users and groups
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in <module>
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1455, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "bin/python/samba/provision/__init__.py", line 1288, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "bin/python/samba/provision/common.py", line 52, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "bin/python/samba/__init__.py", line 221, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (1, 'operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2163')

Any ideas?
Thanks, Steve

Hi again
Tried running make again after make install. Same error.
Could someone on samba-technical forward this there?
Thanks, Steve
[Samba] samba 4 provision fails
Version 4.0.0alpha18-GIT-389bb4f
Ubuntu 11.10

Provision fails with:

Setting up sam.ldb users and groups
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in <module>
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1455, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "bin/python/samba/provision/__init__.py", line 1288, in fill_samdb
    "KRBTGTPASS_B64": b64encode(krbtgtpass.encode('utf-16-le'))
  File "bin/python/samba/provision/common.py", line 52, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "bin/python/samba/__init__.py", line 221, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (1, 'operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2163')

Any ideas?
Thanks, Steve
Re: [Samba] latest Samba 4 does not look in keytab
On 02/10/2012 07:24 PM, Gémes Géza wrote:

On 2012-02-10 17:58, steve wrote:

Hi
After upgrading to Version 4.0.0alpha18-GIT-24ed8c5 on Ubuntu 11.10, Samba 4 no longer looks in the keytab for my nfs server entry:

mount -t nfs4 foo bar --o sec=krb5
Kerberos: AS-REQ nfs/hh3.hh3.s...@hh3.site from ipv4:192.168.1.3:53213 for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- nfs/hh3.hh3.s...@hh3.site: no such entry found in hdb

The nfs entry is in the keytab:
klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
--
   1 nfs/hh3.hh3.s...@hh3.site (des-cbc-crc)
   1 nfs/hh3.hh3.s...@hh3.site (des-cbc-md5)
   1 nfs/hh3.hh3.s...@hh3.site (arcfour-hmac)

How do I tell this new version to look in the keytab? or, How do I add the nfs internally?
Thanks, Steve

Hi,
First some basics, sorry if it is boring ;-)

Nope. Please keep reminding me:)

/etc/krb5.keytab is the "password file" your nfs service is using in order to be able to authenticate itself with samba4's kerberos service; it could be on a completely different machine and would work in the same way. Samba4 stores the same "password" in its internal database (ldb) and when connected it looks it up there.

Yep. Got it.

Now back on your situation: Have you re-provisioned after upgrade?

No.

If yes you need to recreate the principal and the spn for nfs, and reexport the keytab for it. If not you may need to do an upgradeprovision in order to apply the expected directory changes.
Good Luck!
Geza

Unfortunately, upgradeprovision fails. There are other issues with this latest git because instead of installing everything under /usr/local/samba it leaves stuff in samba-master which it still uses after it has installed. Problem is that make install messes up samba-master. Running make again fixes most of it but leaves the dns files with the wrong permissions if you are using bind9 and the samba dns server falls over after a restart if you provision with the internal. That is on Ubuntu.
I keep my old checkout under openSUSE to fall back on. Time for a clean start on Ubuntu I think.
Cheers, Steve
[Samba] Samba 4 samba-tool user add fails
samba-tool user add nfs-u
New Password:
ERROR(ldb): Failed to add user 'nfs-u': - operations error at ../source4/dsdb/samdb/ldb_modules/password_hash.c:2163

Anyone?
Thanks, Steve
[Samba] latest Samba 4 does not look in keytab
Hi
After upgrading to Version 4.0.0alpha18-GIT-24ed8c5 on Ubuntu 11.10, Samba 4 no longer looks in the keytab for my nfs server entry:

mount -t nfs4 foo bar --o sec=krb5
Kerberos: AS-REQ nfs/hh3.hh3.s...@hh3.site from ipv4:192.168.1.3:53213 for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- nfs/hh3.hh3.s...@hh3.site: no such entry found in hdb

The nfs entry is in the keytab:
klist -ke /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
--
   1 nfs/hh3.hh3.s...@hh3.site (des-cbc-crc)
   1 nfs/hh3.hh3.s...@hh3.site (des-cbc-md5)
   1 nfs/hh3.hh3.s...@hh3.site (arcfour-hmac)

How do I tell this new version to look in the keytab? or, How do I add the nfs internally?
Thanks, Steve
Re: [Samba] samba-tool set default group
On 02/10/2012 12:08 PM, steve wrote:

On 02/09/2012 07:17 PM, Gémes Géza wrote:

On 2012-02-09 14:21, steve wrote:

Hi
How do I set the default group for a user? e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve
But steve's default group is still Users. I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'
But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
Cheers, Steve

IMHO currently your best bet is ldbmodify.
Regards Geza

I tried using phpldapadmin:
http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s320/ldapadmin.png
Same. I can add the user to the group but I can't find where the default group attribute or object is in ldap. What should I be looking for?
Thanks, Steve

Sorry:
http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s1600/ldapadmin.png
Re: [Samba] samba-tool set default group
On 02/09/2012 07:17 PM, Gémes Géza wrote:

On 2012-02-09 14:21, steve wrote:

Hi
How do I set the default group for a user? e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve
But steve's default group is still Users. I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'
But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
Cheers, Steve

IMHO currently your best bet is ldbmodify.
Regards Geza

I tried using phpldapadmin:
http://4.bp.blogspot.com/-oeTty-Y6HFo/TzT49_mZe3I/ALE/zGb00l_WMC4/s320/ldapadmin.png
Same. I can add the user to the group but I can't find where the default group attribute or object is in ldap. What should I be looking for?
Thanks, Steve
Re: [Samba] Samba4 user mapping into filesystem
- Winbind isn't installed. I followed the HOWTO, but didn't see a step about installing winbind.

If you installed S4 you already have it. But s4 winbind doesn't seem to map uid:gid correctly at the mo:( We used nss-ldapd with nfs4 to do the mapping for the Linux side. See the:
Re: [Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]
thread. Just posted an update to it so it's prob. in your inbox now.
HTH, Steve
[Samba] samba-tool set default group
Hi
How do I set the default group for a user? e.g.
samba-tool group add opensuse
samba-tool group addusers opensuse steve
But steve's default group is still Users. I'm looking for something like this:
'samba-tool group setdefaultgroup steve opensuse'
But there isn't that command. I have to do it in Windows. Is there a command I'm missing?
Cheers, Steve
Re: [Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]
On 13/01/12 16:59, Adam Tauno Williams wrote:

On Fri, 2012-01-13 at 10:32 -0500, Adam Tauno Williams wrote:

On Fri, 2012-01-13 at 02:51 +0100, steve wrote:

On 12/01/12 23:02, Adam Tauno Williams wrote:

Quoting steve:

Samba4's winbind does not support RFC2307, so doing this is pretty rough. I think you need to either use CIFS + winbind everywhere or somehow maintain an external idmap.

Yea, it is horrible. We are staring down the barrel of the same gun.

As Jeremy said, they are discussing what needs to be done before releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba 4's winbind etc., so if something that is critical for you does not currently work, you should file a bug report.

Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta.
https://bugzilla.samba.org/show_bug.cgi?id=8635

Holy awesome; it got better. I just tested an upgrade of our production domain and it appears that Samba4 took [and kept] the UID number from the existing account.

Production -
[root@littleboy ~]# id adam
uid=437(adam) gid=230(cis) groups=230(cis)

Test Server
barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

Home directory is a bit weird, and the gidNumber didn't stick. But at least I have the uidNumber.

4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via "samba-tool domain samba3upgrade" from Samba S3w/LDAPSAM.

Nice find you have there. Meanwhile I've got it working. Very rough. But working for 10 hour Kerberos sessions at a time;)
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
Steve

What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is that while the LDAP modify works the wbinfo output doesn't change.

dn: CN=adam,CN=Users,DC=micore,DC=us
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 437
-
add: gidnumber
gidnumber: 230
-
add: unixhomedirectory
unixhomedirectory: /home/adam
-
add: loginshell
loginshell: /bin/ksh

barbel:~ # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

I am able to get my home-directory path back to the previous value [based on the useful information from this link - <https://lists.samba.org/archive/samba/2010-May/156051.html>]

Setting:
template homedir = /home/%ACCOUNTNAME%

The old %U type variables aren't supported. But the above results in the same thing -
barbel:/opt/s4 # wbinfo -i adam
BACKBONE\adam:*:437:100:Adam Williams:/home/adam:/bin/false

I found a list of Windows environment variables here <http://vlaurie.com/computers2/Articles/environment.htm>

According to the old 2010 thread these are now expanded on the client side in Microsoft fashion rather than expanded on the server [in the config backend??].

You have to rfc2307-ify the group too. e.g.:
samba-tool group add suseusers
samba-tool group addmembers suseusers steve6
wbinfo --group-info=suseusers
suseusers:*:316:
kinit Administrator
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -Y GSSAPI
dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectClass
objectClass: posixAccount
-
add: objectClass
objectClass: posixGroup

Then, use nslcd to map uid:gid from LDAP:
/etc/nsswitch.conf
passwd: files ldap
group: files ldap

and then:
hh3:/home/steve # getent passwd steve6
steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash
hh3:/home/steve # getent group suseusers
suseusers:*:316:
hh3:/home/steve # wbinfo -i steve6
CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false

Linux = nfs4/idmapd. w7 = out of the box.

Server:
hh3:/tmp # id steve6
uid=315(steve6) gid=316(suseusers) groups=316(suseusers)

Client:
steve6@hh6:~> id
uid=315(steve6) gid=316(suseusers) groups=316(suseusers)
steve6@hh6:~> echo "Hola" > file
steve6@hh6:~> ls -l file
-rw-r--r-- 1 steve6 suseusers 5 Feb 9 13:52 file

Maybe I should add this to the bug report.
Cheers, Steve
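The whole point of the checks above is that the Linux view (nss-ldapd via getent) and the Windows view (winbind via wbinfo -i) of the same account agree, and the thread shows the case where they do not: uid 315 on both sides but gid 316 from NSS and gid 100 from winbind until the primary group was changed. The following is an added example, not code from the thread or from Samba: a small consistency check that compares the uid, gid and home fields of the two lines and reports each difference, so a post-provisioning script can fail loudly instead of letting the two sides drift. The sample lines are the thread's own output, embedded as constants so the check runs offline; on a DC the two lookups would be called instead.

```sh
#!/bin/sh
# Added example, not code from the thread: compare the NSS and winbind views
# of one user. Sample lines below are copied from the thread; on a live DC
# check_live_user runs the real lookups.

# Fields compared, as "<field-number>:<label>" of the passwd-style line.
# Field 1 (name) is skipped because winbind prefixes the domain; 5 (gecos)
# and 7 (shell) are expected to differ, as the thread's own output shows.
COMPARE_FIELDS='3:uid 4:gid 6:home'

# Report every compared field on which the two lines disagree; returns 1 if
# there was at least one difference, 0 if the views agree.
compare_mapping() {
    user="$1"; nss_line="$2"; wb_line="$3"; bad=0
    for spec in $COMPARE_FIELDS; do
        n=${spec%%:*}; label=${spec#*:}
        a=$(printf '%s\n' "$nss_line" | cut -d ':' -f "$n")
        b=$(printf '%s\n' "$wb_line"  | cut -d ':' -f "$n")
        if [ "$a" != "$b" ]; then
            printf '%s: %s differs: nss=%s winbind=%s\n' "$user" "$label" "$a" "$b"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Thread output for steve6: the NSS line, and the winbind line before and
# after the primary group was changed to suseusers (gid 316).
NSS_STEVE6='steve6:*:315:316:steve6:/home/CACTUS/steve6:/bin/bash'
WB_STEVE6_BEFORE='CACTUS\steve6:*:315:100::/home/CACTUS/steve6:/bin/false'
WB_STEVE6_AFTER='CACTUS\steve6:*:315:316::/home/CACTUS/steve6:/bin/false'

# Live version for a DC running nss-ldapd and winbind; both lookups must
# succeed, otherwise an empty line would be compared and reported as a
# difference on every field.
check_live_user() {
    nss=$(getent passwd "$1") || { echo "$1: not known to NSS" >&2; return 2; }
    wb=$(wbinfo -i "$1")      || { echo "$1: not known to winbind" >&2; return 2; }
    compare_mapping "$1" "$nss" "$wb"
}
```

Run against the thread's "before" lines the check prints `steve6: gid differs: nss=316 winbind=100` and fails; against the "after" lines it prints nothing and succeeds, which is exactly the transition the dsa.msc change produced.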
Re: [Samba] Samba 4 latest git failed to provision: DNS
On 02/08/2012 01:33 AM, steve wrote:

On 07/02/12 23:45, steve wrote:

This:
https://lists.samba.org/archive/samba-technical/2012-February/081535.html
fixes this:

More dns problems:
samba --version
Version 4.0.0alpha18-GIT-e32ad9b
bin/tdbbackup: /home/steve/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
Failed to setup database for BIND, AD based DNS cannot be used
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in <module>
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
    targetdir=targetdir, site=DEFAULTSITE)
  File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
    create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
  File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
    os.path.join(dns_dir, "sam.ldb"))
  File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
    raise Exception("Error copying %s" % file1)
Exception: Error copying /usr/local/samba/private/sam.ldb

Any ideas anyone?
Thanks, Steve

But not this:

Provisioning with the internal dns doesn't work either:
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 487, in <module>
/usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for HH3$@HH3.SITE failed (Cannot contact any KDC for requested realm)
/usr/local/samba/sbin/samba_dnsupdate:
Not my lucky day:(

It produces this error after a restart.
I've wasted quite a bit of time with cases like this. Would it be OK for one of us here to subscribe to samba-technical if we promise not to post?
Thanks, Steve
Re: [Samba] Any news on Samba 4 winbind?
On 02/08/2012 09:43 AM, steve wrote:

Hi
I have nfs4 with idmapd working perfectly via the S4 LDAP. For Linux clients that is. I can specify uid:gid and name mapping works fine between server and client.
If I want to map the Linux users to a windows 7 box, I'm stuck with the values that winbind allocates when I create the samba4 user i.e. everyone has to have a uid of 100 ***if they want a choice of workstation:(
The last thing I want to appear to be is demanding. I just wanted to know if there were any workarounds available so I could use nfs on the linux side but keep the uid:gid I had added to LDAP on the windows side.
Thanks, Steve

*** correction: gid of 100 IOW the uid:gid that wbinfo -i gives you. Sorry.
[Samba] Any news on Samba 4 winbind?
Hi
I have nfs4 with idmapd working perfectly via the S4 LDAP. For Linux clients that is. I can specify uid:gid and name mapping works fine between server and client.
If I want to map the Linux users to a windows 7 box, I'm stuck with the values that winbind allocates when I create the samba4 user i.e. everyone has to have a uid of 100 if they want a choice of workstation:(
The last thing I want to appear to be is demanding. I just wanted to know if there were any workarounds available so I could use nfs on the linux side but keep the uid:gid I had added to LDAP on the windows side.
Thanks, Steve
Re: [Samba] Samba 4 and new Kerberos version
On 07/02/12 20:52, Gémes Géza wrote:

On 2012-02-07 16:07, steve wrote:

On 07/02/12 12:01, Andrew Bartlett wrote:

On Tue, 2012-02-07 at 10:24 +0100, steve wrote:

I just got this from the mit list:

DES transition
==
The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting "allow_weak_crypto = true" to communicate with existing Kerberos infrastructures if they do not support stronger ciphers.

Does/will this apply to us?

Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf.
Andrew Bartlett

Hi
I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the des stuff apply to me?
Thanks, Steve

Hi,
You need to enable weak crypto if you want to use kerberos with apps which depend on des (e.g nfs, openafs).
Regards Geza

Mmm. That's what I thought. I added that line to krb5.conf before using nfs. I commented it and it still works. The s4 nfs transactions seem to choose arcfour, not des. I can't find this documented anywhere but noises on the nfs kernel list suggest that the weak crypto is not now necessary. Will leave the line commented until nfs explodes at some stage.
Cheers, Steve
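Whether allow_weak_crypto is needed depends on which enctypes the keytab actually carries, and the keytab thread above shows an nfs principal with des-cbc-crc, des-cbc-md5 and arcfour-hmac keys. The following is an added example, not code from the thread or from Samba or MIT: it parses a `klist -ke` listing, classes every key as weak (single DES, which krb5 1.8 disables by default as the quoted release note says), legacy (RC4, still accepted by that release) or strong (AES), and counts the weak ones, so an admin can decide about the krb5.conf setting from evidence rather than by commenting the line out and waiting for nfs to break. The listing embedded below mirrors the thread's output but uses a constructed placeholder principal, since the thread's own principal is elided.

```sh
#!/bin/sh
# Added example, not code from the thread: audit a 'klist -ke' listing for
# single-DES and RC4 keys. The principal below is a constructed placeholder;
# the enctypes are the three the thread's keytab showed for its nfs entry.

KLIST_SAMPLE='Keytab name: WRFILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/host.example.test@EXAMPLE.TEST (des-cbc-crc)
   1 nfs/host.example.test@EXAMPLE.TEST (des-cbc-md5)
   1 nfs/host.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Class of one enctype name as klist prints it inside the parentheses.
enctype_class() {
    case "$1" in
        des-cbc-*)      echo weak ;;    # single DES: off by default since MIT krb5 1.8
        arcfour-hmac*)  echo legacy ;;  # RC4: accepted by default in that release
        aes*)           echo strong ;;
        *)              echo unknown ;;
    esac
}

# Print "<class> <principal> <enctype>" for every key line of a klist -ke
# listing (header lines have no parenthesised enctype and are skipped).
audit_keytab_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            *'('*')') ;;
            *) continue ;;
        esac
        enc="${line##*\(}"; enc="${enc%\)}"
        princ=$(printf '%s\n' "$line" | awk '{print $2}')
        printf '%s %s %s\n' "$(enctype_class "$enc")" "$princ" "$enc"
    done
}

# Number of keys that need allow_weak_crypto = true to be usable with an
# MIT krb5 1.8+ client; 0 means the setting can stay commented out.
weak_key_count() {
    n=$(audit_keytab_listing "$1" | grep -c '^weak ') || true
    printf '%s\n' "${n:-0}"
}

# Live version: audit the keytab on this host (path assumed, override via $1).
audit_keytab_file() {
    audit_keytab_listing "$(klist -ke "${1:-/etc/krb5.keytab}")"
}
```

For the thread's keytab `weak_key_count "$KLIST_SAMPLE"` is 2, which is the concrete reason the DES discussion applies to that host: as long as the nfs principal keeps its single-DES keys, an MIT client that negotiates down to them needs allow_weak_crypto, while the arcfour-hmac key is what both sides were actually choosing.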
Re: [Samba] Samba 4 latest git failed to provision: DNS
On 07/02/12 23:45, steve wrote:

More dns problems:
samba --version
Version 4.0.0alpha18-GIT-e32ad9b
bin/tdbbackup: /home/steve/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
Failed to setup database for BIND, AD based DNS cannot be used
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in <module>
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
    targetdir=targetdir, site=DEFAULTSITE)
  File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
    create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
  File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
    os.path.join(dns_dir, "sam.ldb"))
  File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
    raise Exception("Error copying %s" % file1)
Exception: Error copying /usr/local/samba/private/sam.ldb

Any ideas anyone?
Thanks, Steve

Provisioning with the internal dns doesn't work either:
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 487, in <module>
/usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 119, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for HH3$@HH3.SITE failed (Cannot contact any KDC for requested realm)
/usr/local/samba/sbin/samba_dnsupdate:
Not my lucky day:(
[Samba] Samba 4 latest git failed to provision: DNS
More DNS problems:

samba --version
Version 4.0.0alpha18-GIT-e32ad9b

bin/tdbbackup: /home/steve/samba-master/bin/shared/private/libtdb.so: version `SAMBA_4.0.0ALPHA18_DEVELOPERBUILD' not found (required by bin/tdbbackup)
Failed to setup database for BIND, AD based DNS cannot be used
Traceback (most recent call last):
  File "./source4/setup/provision", line 262, in
    useeadb=eadb, next_rid=opts.next_rid, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1757, in provision
    am_rodc=am_rodc, lp=lp)
  File "bin/python/samba/provision/__init__.py", line 1491, in provision_fill
    targetdir=targetdir, site=DEFAULTSITE)
  File "bin/python/samba/provision/sambadns.py", line 990, in setup_ad_dns
    create_samdb_copy(samdb, logger, paths, names, domainsid, domainguid)
  File "bin/python/samba/provision/sambadns.py", line 751, in create_samdb_copy
    os.path.join(dns_dir, "sam.ldb"))
  File "bin/python/samba/provision/sambadns.py", line 688, in tdb_copy
    raise Exception("Error copying %s" % file1)
Exception: Error copying /usr/local/samba/private/sam.ldb

Any ideas anyone?
Thanks, Steve
Re: [Samba] Samba 4 and new Kerberos version
On 07/02/12 12:01, Andrew Bartlett wrote:
On Tue, 2012-02-07 at 10:24 +0100, steve wrote:
I just got this from the MIT list:

DES transition
==
The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting "allow_weak_crypto = true" to communicate with existing Kerberos infrastructures if they do not support stronger ciphers.

Does/will this apply to us?

Heimdal did this a long time ago, so yes. If you wish to use DES, you have to set that in your krb5.conf.
Andrew Bartlett

Hi
I'm using S4 out of the box on openSUSE 12.1. All the Kerberos transactions seem to choose arcfour. Does the DES stuff apply to me?
Thanks, Steve
Re: [Samba] Samba 4 posixGroup mapping
Hi Geza, hi everyone

I had a go at the script: s4user, where the last argument is a posixGroup'ified group from samba-tool group add.

cat s4user
#!/bin/sh
# usage: s4user <name> <uidNumber> <gidNumber> <group>
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
# LDIF with the posix attributes, written to a scratch file named after the user
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$1"
#ldbmodify -f /some/temporary-file   ###can't get the syntax!###
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$1" -Y GSSAPI
samba-tool group addmembers "$4" "$1"
mkdir "/home/CACTUS/$1"
chown "$1:$4" "/home/CACTUS/$1"
rm "$1"
echo "$1 rfc2307-ified"

and:

./s4user steve6 330 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
New Password:
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: administra...@hh3.site
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
steve6 rfc2307-ified
hh3:/home/steve # exit
exit
steve@hh3:~> su steve6
Password:
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02 CET
steve6@hh3:/home/steve> cd ../CACTUS/steve6
steve6@hh3:~> touch hola
steve6@hh3:~> ls -la
total 12
drwxr-xr-x  2 steve6 suseusers 4096 Feb  7 14:53 .
drwxr-xr-x 10 root   root      4096 Feb  7 14:52 ..
-rw-r--r--  1 steve6 suseusers    0 Feb  7 14:53 hola
-rw-------  1 steve6 suseusers   48 Feb  7 14:52 .xauthoa0jlX
steve6@hh3:~>

Yeah! I need to tidy the script up a bit and particularly look for the nslcd pid before continuing. As usual, a few qns. Sorry.
1. As this ignores winbind, is there any need to use winbind-like uids?
2. I can't get the syntax for ldbmodify :(
3. Is there a cheap way to get the next available uid from ldap? I thought of sticking a base id in a file and incrementing it each time s4user was called. Then pulling it back from the file when the script was called for the next user.
Cheers, Steve
Re: [Samba] Samba 4 posixGroup mapping
Hi,
I use Samba3/OpenLDAP in production and create my users using similar scripts, so no, it shouldn't be difficult, something like:

#!/bin/sh
samba-tool user add $1
..
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add: unixhomedirectory
unixhomedirectory: $4
-
add: loginshell
loginshell: $5" > /some/temporary-file
ldbmodify -f /some/temporary-file
rm /some/temporary-file

Please take into account that it is just a very rough example I've put up in less than a minute.
Regards
Geza

We use Samba3/openldap in real life too :) When I'm not there, they use the YaST GUI which has quite a nice point and click LDAP user and group module which links to the samba3 schema. Your echo ... > /some/temporary-file is a good idea. Would you include a default group for the user perhaps? e.g.
samba-tool group addmembers $6 $1
($6 would already exist)
Looking good. Thanks for your time. Will report back.
Cheers, Steve

Hi Geza, hi everyone.
I had a go at the script. I called it s4user and got it down to 4 parameters: s4user

chmod +x s4user
cat s4user
#!/bin/sh
# usage: s4user <name> <uidNumber> <gidNumber> <group>
echo "Creating s4 posix user $1"
echo "Pls enter pwd for $1"
samba-tool user add "$1"
# LDIF with the posix attributes, written to a scratch file named after the user
echo "dn: cn=$1,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: $2
-
add: gidnumber
gidnumber: $3
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/$1
-
add: loginshell
loginshell: /bin/bash" > "$1"
#ldbmodify -f /some/temporary-file
ldapmodify -h 192.168.1.3 -D cn=Administrator,cn=Users,dc=hh3,dc=site -f "$1" -Y GSSAPI
samba-tool group addmembers "$4" "$1"
mkdir "/home/CACTUS/$1"
chown "$1:$4" "/home/CACTUS/$1"

./s4user steve6 330 2000 suseusers
Creating s4 posix user steve6
Pls enter pwd for steve6
New Password:
User 'steve6' created successfully
SASL/GSSAPI authentication started
SASL username: administra...@hh3.site
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=steve6,cn=Users,dc=hh3,dc=site"
Added members to group suseusers
hh3:/home/steve # exit
exit
steve@hh3:~> su steve6
Password:
Warning: Your password will expire in 41 days on Tue 20 Mar 2012 14:52:02 CET
steve6@hh3:/home/steve> cd ../CACTUS/steve6
steve6@hh3:~> touch hola
steve6@hh3:~> ls -la
total 12
drwxr-xr-x  2 steve6 suseusers 4096 Feb  7 14:53 .
drwxr-xr-x 10 root   root      4096 Feb  7 14:52 ..
-rw-r--r--  1 steve6 suseusers    0 Feb  7 14:53 hola
-rw-------  1 steve6 suseusers   48 Feb  7 14:52 .xauthoa0jlX
steve6@hh3:~>

Yeah! I need to tidy the script up a bit and maybe put some stuff in like checking for the nslcd pid and put a 'usage:' message. Just a couple of qns.
1. I couldn't get ldbmodify to work, which is why I used ldapmodify instead. Any idea of the syntax?
2. This now bypasses winbind completely. I just happened to use a uid in the range that winbind uses. Are there any rules for choosing uid numbers?
4. Is there an easy way to find the next free uid or reuse one from a deleted user?
Cheers, Steve
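Two things the s4user script above leaves open are worth doing properly before it goes near a production directory: the account name goes straight from $1 into the LDIF, so a name containing a newline would inject extra change records, and the uid has to come from somewhere that knows what is already in use. The script below is an added example for this page, not the thread's script and not Samba code. It validates the name, builds the same posixAccount modify record the thread uses, and picks the uidNumber from the uidNumber values already in the directory, parsed from LDIF records of the shape that e.g. `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectClass=posixAccount)' uidNumber` prints. The listing in it is constructed; BASE_DN, HOME_ROOT, UID_RANGE and the account-name rule are assumptions.

```python
"""Next free uidNumber and a safe posixAccount LDIF for a Samba 4 AD user.

Added example for this thread (not the posted s4user script, not Samba code).
Input is an LDIF listing of existing posix users as printed by ldbsearch.
"""
import re

BASE_DN = "cn=Users,dc=hh3,dc=site"   # container used in the thread
HOME_ROOT = "/home/CACTUS"            # as in the thread
UID_RANGE = range(300, 1000)          # assumption: range reserved for posix-enabled AD users

# Assumed naming rule: starts alphanumeric; letters, digits, '.', '_', '-' only; max 20 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,19}$")
UID_LINE_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.MULTILINE)


def used_uids(ldif_listing):
    """Every uidNumber value present in an LDIF listing."""
    return {int(m.group(1)) for m in UID_LINE_RE.finditer(ldif_listing)}


def next_free_uid(ldif_listing, uid_range=UID_RANGE, reuse_gaps=False):
    """Pick a uidNumber inside uid_range.

    reuse_gaps=False (default) allocates above the highest number in use, so a
    deleted user's uid is never handed to a new user who would then own that
    user's leftover files. reuse_gaps=True fills the lowest hole instead.
    """
    taken = {u for u in used_uids(ldif_listing) if u in uid_range}
    if reuse_gaps:
        candidates = (u for u in uid_range if u not in taken)
    else:
        candidates = iter(range(max(taken, default=uid_range.start - 1) + 1, uid_range.stop))
    uid = next(candidates, None)
    if uid is None:
        raise RuntimeError("no free uidNumber left in range")
    return uid


def posix_modify_ldif(name, uid, gid, shell="/bin/bash", base_dn=BASE_DN):
    """LDIF 'modify' record adding the posixAccount attributes to an existing AD user."""
    if not NAME_RE.match(name):
        raise ValueError(f"refusing account name {name!r}: not safe to embed in LDIF")
    if not (isinstance(uid, int) and isinstance(gid, int)):
        raise TypeError("uid and gid must be integers")
    if "\n" in shell or not shell.startswith("/"):
        raise ValueError(f"refusing login shell {shell!r}")
    changes = [
        ("objectClass", "posixAccount"),
        ("uidNumber", str(uid)),
        ("gidNumber", str(gid)),
        ("unixHomeDirectory", f"{HOME_ROOT}/{name}"),
        ("loginShell", shell),
    ]
    body = "\n-\n".join(f"add: {attr}\n{attr}: {value}" for attr, value in changes)
    return f"dn: cn={name},{base_dn}\nchangetype: modify\n{body}\n"


# Constructed ldbsearch-style listing (three posix-enabled accounts), not real directory data.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=steve4,CN=Users,DC=hh3,DC=site
uidNumber: 319

# record 2
dn: CN=Administrator,CN=Users,DC=hh3,DC=site
uidNumber: 300

# record 3
dn: CN=steve6,CN=Users,DC=hh3,DC=site
uidNumber: 330

# returned 3 records
"""

if __name__ == "__main__":
    uid = next_free_uid(SAMPLE_LDBSEARCH)
    print(posix_modify_ldif("steve7", uid, 2000), end="")
```

Pipe the printed record into `ldbmodify -H /usr/local/samba/private/sam.ldb` (it reads LDIF from standard input when no file name is given) or into ldapmodify as in the thread; the gid should be the gidNumber of a group that already carries posixGroup, as suseusers does above.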
[Samba] Samba 4 git pull error
steve@hh3:~/samba-master> git pull
Updating bfc7481..e32ad9b
error: Your local changes to the following files would be overwritten by merge:
auth/common_auth.h
auth/credentials/credentials_ntlm.c
auth/credentials/credentials_samba3.c
source3/lib/util_cmdline.c
source3/libads/dns.c
source3/libads/k
Aborting

I haven't changed any files under samba-master. I have a backup of /usr/local/samba and samba-master. Do I delete and start again?
Thanks, Steve
[Samba] Samba 4 and new Kerberos version
I just got this from the MIT list:

DES transition
==
The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting "allow_weak_crypto = true" to communicate with existing Kerberos infrastructures if they do not support stronger ciphers.

Does/will this apply to us?
Thanks, Steve
Re: [Samba] Samba 4 posixGroup mapping
On 07/02/12 06:57, Gémes Géza wrote:
On 2012-02-06 23:58, steve wrote:
On 02/06/2012 08:10 PM, Gémes Géza wrote:
On 2012-02-06 09:29, steve wrote:
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:
Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:

getent group suseusers
suseusers:*:2000:

and

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

and

id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:

getent group users
users:x:100:machine

x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends :) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks, Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files.
Regards
Geza

Hi
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4
getent group suseusers
suseusers:*:2000:

Comes out with the *. But steve4 comes out correctly, as a local user would:

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed? In fact, I don't think I need shadowaccount mappings at all, do I? Isn't that where the unix passwords are stored? But that's probably another thread.
Thanks, Steve

I'm not sure, but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberOf which are close but not the same). You can safely ignore anything shadowaccount related, because you would be better authenticating via Kerberos anyway.
Regards
Geza

Hi Geza, hi everyone
This looks like good news. I asked the nslcd author directly:

My question is, how do I extract the gid from the ldap? I've tried:
map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already uses that attribute by default. In any case if you're trying to find the primary group of a user you should do:
map passwd gidNumber XXX
(where XXX is the attribute in your LDAP server). The passwd map is what defines the output of getent passwd, the group map defines the information on groups.

That seems true. The posixGroup I defined is mapped without me doing anything in nslcd, and map passwd gidNumber gidNumber would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:

getent passwd steve4
steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'.

This is getting to the stage where it's not worth waiting for a working winbind, i.e. leave the Windows side as it is and go with nfs4 and rpc.idmapd for the Linux side. How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegr
Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 08:10 PM, Gémes Géza wrote:
On 2012-02-06 09:29, steve wrote:
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:
Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:

getent group suseusers
suseusers:*:2000:

and

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

and

id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:

getent group users
users:x:100:machine

x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends :) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks, Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files.
Regards
Geza

Hi
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4
getent group suseusers
suseusers:*:2000:

Comes out with the *. But steve4 comes out correctly, as a local user would:

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed? In fact, I don't think I need shadowaccount mappings at all, do I? Isn't that where the unix passwords are stored? But that's probably another thread.
Thanks, Steve

I'm not sure, but maybe you should change how nslcd.conf maps group memberships (by default it looks at membership expecting stock posixaccount and posixgroup objectclasses, while AD uses member and memberOf which are close but not the same). You can safely ignore anything shadowaccount related, because you would be better authenticating via Kerberos anyway.
Regards
Geza

Hi Geza, hi everyone
This looks like good news. I asked the nslcd author directly:

My question is, how do I extract the gid from the ldap? I've tried:
map group gid gidnumber

You shouldn't need to map the gidNumber attribute because nslcd already uses that attribute by default. In any case if you're trying to find the primary group of a user you should do:
map passwd gidNumber XXX
(where XXX is the attribute in your LDAP server). The passwd map is what defines the output of getent passwd, the group map defines the information on groups.

That seems true. The posixGroup I defined is mapped without me doing anything in nslcd, and map passwd gidNumber gidNumber would seem pointless as it's already got the gidNumber.

You are right about the shadowaccount. This also solves the x and *. I removed the objectclass shadowaccount from ldap and the map shadow uid from nslcd and hey:

getent passwd steve4
steve4:*:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

I interpret that as 'it's an x if there's a shadow entry, a * if there isn't'.

This is getting to the stage where it's not worth waiting for a working winbind, i.e. leave the Windows side as it is and go with nfs4 and rpc.idmapd for the Linux side. How difficult do you think it would be to script the adding of the user posix attributes after creating the s4 user? I envisage something like:
samba-tool user add steve --posix --defaultgroup=somegroup
Also, a startup script for samba4 and nslcd which I think should just b
Re: [Samba] Samba 4 posixGroup mapping
On 02/06/2012 07:19 AM, Gémes Géza wrote:
On 2012-02-06 01:27, steve wrote:
Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:

getent group suseusers
suseusers:*:2000:

and

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

and

id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:

getent group users
users:x:100:machine

x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends :) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks, Steve

For an answer we would need some configuration details, first of all nsswitch.conf, then depending on that maybe other files.
Regards
Geza

Hi
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files

Ah, maybe this has something to do with it. For the user ldapmodify I have:

dn: cn=steve4,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 321
-
add: gidnumber
gidnumber: 2000
-
add: unixhomedirectory
unixhomedirectory: /home/CACTUS/steve2
-
add: loginshell
loginshell: /bin/bash

and for the group I have:

dn: cn=suseusers,cn=Users,dc=hh3,dc=site
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 2000

/etc/nslcd.conf:
uid nslcd-user
gid nslcd-user
uri ldap://192.168.1.3
base dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
#map passwd gidNumber gidNumber
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

Then:
samba-tool group addmembers suseusers steve4
getent group suseusers
suseusers:*:2000:

Comes out with the *. But steve4 comes out correctly, as a local user would:

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

The only difference I see is that steve4 has a shadowaccount object which can't be mapped for the group (because it doesn't have one). Is there anything else here? Any other files needed? In fact, I don't think I need shadowaccount mappings at all, do I? Isn't that where the unix passwords are stored? But that's probably another thread.
Thanks, Steve
[Samba] Samba 4 posixGroup mapping
Hi
I've created a Samba 4 group called suseusers and mixed in posixGroup and gidNumber using samba-tool group add as a basis. It works, e.g. when I added an existing user to the group:

getent group suseusers
suseusers:*:2000:

and

getent passwd steve4
steve4:x:319:2000:steve4:/home/CACTUS/steve4:/bin/bash

and

id
uid=319(steve4) gid=2000(suseusers) groups=2000(suseusers)

but there seems to be something wrong with getent group. A local group gives this:

getent group users
users:x:100:machine

x not *

This happens both on the Samba 4 machine and a client with his /home directory on nfs4. The uid:gid mappings and permissions are perfect at both ends :) But what is the difference between the group info coming from Samba 4 and the group info coming from /etc/group? I'm sure that this is an error on my part, but I can't force it into failing no matter what I throw at it.
Thanks, Steve
[Samba] Samba 4 wbinfo -i question
Hi
In this example,

wbinfo -i steve
CACTUS\steve:*:319:100:steve4:/home/CACTUS/steve4:/bin/bash

where is the '100' stored?
Thanks, Steve
Re: [Samba] Samba4: Incorrect version of dlz_bind9.so
On 05/02/12 04:09, Andrew Bartlett wrote:
On Sat, 2012-02-04 at 21:22 +0100, Mathias Friman wrote:
Hi list!
I follow the Samba 4 HOWTO on Ubuntu 10.04:
git ok
make ok
make install ok
make ok (needed for provision to work, even though I use the installed provision)
/usr/local/samba/sbin/provision --realm=samdom.example.com --domain=SAMDOM --adminpass=SOMEPASSWORD --server-role='domain controller' ok
added "domain samdom.example.com" to resolv.conf

When starting Bind 9.9.0b1 installed from http://ppa.launchpad.net/hauke/bind9/ I get:
Version of "/usr/local/samba/lib/bind9/dlz_bind9.so" should be 2.

I'm stumped, what should I do?

Clearly the bind9 folks have revved the interface. Use bind 9.8 for now.
Andrew Bartlett

There's no decent bind 9.8 for Ubuntu unless you roll your own :( The beta that the OP has works fine, but you need to change some stuff. In source4/dns_server/dlz_minimal.h edit out
#define DLZ_DLOPEN_VERSION 1
and add
#define DLZ_DLOPEN_VERSION 2
Then rebuild: ./configure.developer . . .
HTH
Steve
[Samba] samba machine$ accounts
Hi
Is there anything special about accounts ending in $? I ask because I've just installed the whole of Samba 3.6 just to get the net command to join a Linux box to a Samba 4 domain. Afterwards, the machine will be using Samba 4 for authentication and filesharing with Win 7 clients.

net ads join prepares a keytab with
host/fqdn@REALM
host/hostname@REALM
hostname$@REALM
entries.

1. Can I have the net command without installing the whole of Samba?
2. Is this part of what happens during net ads join -Uxxx?
net ads keytab add hostname$

openSUSE 12.1
Thanks, Steve
Re: [Samba] samba 4 PAM and xscreensaver
On 01/09/2012 08:42 AM, steve wrote:
Hi
I have a Linux client running XFCE and authenticating against Samba 4. When trying to return to the session after xscreensaver has kicked in, authentication fails.

Sorry to bump, but I've just seen this in the xscreensaver doco:

XScreenSaver Dependencies
Required
Optional
libjpeg-8c, libgnome-2.32.1, GLE, Netpbm, XDaliClock, Linux-PAM-1.1.5, _MIT Kerberos V5-1.6 (built with Kerberos V4 backwards compatibility), and krb4 and Heimdal-1.4 (Kerberos authentication requires having Kerberos V4 and V5 on the system)_

Does Samba 4 have this?
Cheers, Steve
Re: [Samba] nfs4 with Samba 4 [solved]
On 01/31/2012 05:13 PM, steve wrote:
On 01/29/2012 10:20 AM, steve wrote:
On 29/01/12 08:17, steve wrote:
On 29/01/12 07:32, Gémes Géza wrote:
On 2012-01-28 21:44, steve wrote:
On 28/01/12 20:29, Gémes Géza wrote:
On 2012-01-28 18:41, steve wrote:
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
As the nfs4 is writeable without the krb5, that's why I thought it may be related to the S4 Kerberos.
Thanks for your patience, Steve

Unfortunately I can't be of real help here (I don't remember anything similar from when I was using nfs4 with krb5) and it seems to be very nfs4 specific; the Kerberos (samba4) part has done its job (obtaining a machine ticket at mount time, and a user ticket when you cd-ed into the mount). What goes on from then is nfs4's own business :-( . I would suggest asking for help at (I don't know if there is one :-( ) an nfs4 mailing list/forum. Good luck!
Regards
Geza

Hi
Thanks for the confirmation. There is an NFS list: linux-...@vger.kernel.org
It's a high tension version of samba-technical, and there is a three headed dog guarding its entrance, but I've been courageous enough to subscribe and post there. Maybe they'll suggest I use cifs!
Cheers, Steve

Let's see if openSUSE can help. Must be worth a try.
https://bugzilla.novell.com/show_bug.cgi?id=743976
Cheers, Steve

It _must_ be a bug in openSUSE. I worked through the nfs4 stuff with Ubuntu 11.10 and it worked fine. Kerberized mounts, the lot. It looks like this:
http://linuxcostablanca.blogspot.com/2012/01/important-samba-4-update.html
Cheers, Steve

/etc/idmapd.conf must contain Domain=your.domain, NOT the fqdn, the short hostname nor the domain you specified when provisioning Samba. Duh!
Cheers, Steve
Re: [Samba] nfs4 with Samba 4
On 01/29/2012 10:20 AM, steve wrote:
On 29/01/12 08:17, steve wrote:
On 29/01/12 07:32, Gémes Géza wrote:
On 2012-01-28 21:44, steve wrote:
On 28/01/12 20:29, Gémes Géza wrote:
On 2012-01-28 18:41, steve wrote:
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
As the nfs4 is writeable without the krb5, that's why I thought it may be related to the S4 Kerberos.
Thanks for your patience, Steve

Unfortunately I can't be of real help here (I don't remember anything similar from when I was using nfs4 with krb5) and it seems to be very nfs4 specific; the Kerberos (samba4) part has done its job (obtaining a machine ticket at mount time, and a user ticket when you cd-ed into the mount). What goes on from then is nfs4's own business :-( . I would suggest asking for help at (I don't know if there is one :-( ) an nfs4 mailing list/forum. Good luck!
Regards
Geza

Hi
Thanks for the confirmation. There is an NFS list: linux-...@vger.kernel.org
It's a high tension version of samba-technical, and there is a three headed dog guarding its entrance, but I've been courageous enough to subscribe and post there. Maybe they'll suggest I use cifs!
Cheers, Steve

Let's see if openSUSE can help. Must be worth a try.
https://bugzilla.novell.com/show_bug.cgi?id=743976
Cheers, Steve

It _must_ be a bug in openSUSE. I worked through the nfs4 stuff with Ubuntu 11.10 and it worked fine. Kerberized mounts, the lot. It looks like this:
http://linuxcostablanca.blogspot.com/2012/01/important-samba-4-update.html
Cheers, Steve
Re: [Samba] nfs4 with Samba 4
On 29/01/12 08:17, steve wrote:
On 29/01/12 07:32, Gémes Géza wrote:
On 2012-01-28 21:44, steve wrote:
On 28/01/12 20:29, Gémes Géza wrote:
On 2012-01-28 18:41, steve wrote:
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
As the nfs4 is writeable without the krb5, that's why I thought it may be related to the S4 Kerberos.
Thanks for your patience, Steve

Unfortunately I can't be of real help here (I don't remember anything similar from when I was using nfs4 with krb5) and it seems to be very nfs4 specific; the Kerberos (samba4) part has done its job (obtaining a machine ticket at mount time, and a user ticket when you cd-ed into the mount). What goes on from then is nfs4's own business :-( . I would suggest asking for help at (I don't know if there is one :-( ) an nfs4 mailing list/forum. Good luck!
Regards
Geza

Hi
Thanks for the confirmation. There is an NFS list: linux-...@vger.kernel.org
It's a high tension version of samba-technical, and there is a three headed dog guarding its entrance, but I've been courageous enough to subscribe and post there. Maybe they'll suggest I use cifs!
Cheers, Steve

Let's see if openSUSE can help. Must be worth a try.
https://bugzilla.novell.com/show_bug.cgi?id=743976
Cheers, Steve
Re: [Samba] nfs4 with Samba 4
On 29/01/12 07:32, Gémes Géza wrote:
On 2012-01-28 21:44, steve wrote:
On 28/01/12 20:29, Gémes Géza wrote:
On 2012-01-28 18:41, steve wrote:
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
As the nfs4 is writeable without the krb5, that's why I thought it may be related to the S4 Kerberos.
Thanks for your patience, Steve

Unfortunately I can't be of real help here (I don't remember anything similar from when I was using nfs4 with krb5) and it seems to be very nfs4 specific; the Kerberos (samba4) part has done its job (obtaining a machine ticket at mount time, and a user ticket when you cd-ed into the mount). What goes on from then is nfs4's own business :-( . I would suggest asking for help at (I don't know if there is one :-( ) an nfs4 mailing list/forum. Good luck!
Regards
Geza

Hi
Thanks for the confirmation. There is an NFS list: linux-...@vger.kernel.org
It's a high tension version of samba-technical, and there is a three headed dog guarding its entrance, but I've been courageous enough to subscribe and post there. Maybe they'll suggest I use cifs!
Cheers, Steve
Re: [Samba] nfs4 with Samba 4
On 28/01/12 20:29, Gémes Géza wrote:
On 2012-01-28 18:41, steve wrote:
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:

Summary:

1. kerberized /etc/exports
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
then:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
no write access

2. conventional /etc/exports
/export *(rw,fsid=0,insecure,no_subtree_check,async)
/export/home *(rw,nohide,insecure,no_subtree_check,async)
then:
mount -t nfs4 hh3:/home /mnt
write access OK

3. kerberized variation on /etc/exports
/export *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
/export/home *(rw,insecure,no_subtree_check,async,sec=krb5)
then:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
no write access

I have tried all combos of crossmnt and nohide. idmapd seems to be mapping correctly and id gives what getent gives. Any ideas? Why does the kerberized mount not allow rw access?
Steve

Geza, do you think it's worth sticking this on samba technical?

To me it seems an nfs4 related problem, so no, samba-technical is not the right place to ask. In the meantime please tell us a little more about your environment:
pam config
idmapd config
klist (of user) right after login, before trying to do anything on nfs and after (e.g. an ls)
I'm not an nfs4 expert myself, but before migration (a few years ago) to openafs I've had a working nfs4 gss/krb5 setup (it just kernel panic-ed every other day, until I got fed up and migrated away from it); maybe I can remember.
Regards
Geza

Hi again
The share mounts rw conventionally but only ro when exported gss/krb5. Here is the output and some files:

/etc/pam.d/common-auth (the other pam files are OK and pam is working)
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so

/etc/idmapd.conf
[General]
Verbosity=0
Pipefs-Directory=/var/lib/nfs/rpc_pipefs
Domain=CACTUS
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

idmapd seems to be working fine. Mappings are perfect client/server. Here is some output, which looks OK except for the mount being read only.

# mount -t nfs4 hh3:/home /mnt -o sec=krb5
produces a lot of activity in Samba 4 including:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:45825 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T21:16:16 starttime: 2012-01-28T21:16:16 endtime: 2012-01-29T07:16:16 renew till: 2012-01-29T21:16:16
and a ticket cache appears called krb5cc_machine_HH3.SITE and

klist krb5cc_machine_HH3.SITE
Ticket cache: FILE:krb5cc_machine_HH3.SITE
Default principal: HH3$@HH3.SITE
Valid starting     Expires            Service principal
01/28/12 18:57:25  01/29/12 04:57:25  krbtgt/hh3.s...@hh3.site
        renew until 01/29/12 18:57:25
01/28/12 18:57:25  01/29/12 04:57:25  nfs/hh3.hh3.s...@hh3.site
        renew until 01/29/12 18:57:25

I got some rpc stuff during the mount:
# rpc.gssd -vvvf
beginning poll
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt13)
process_krb5_upcall: service is ''
Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
Full hostname for 'hh3.hh3.site' is 'hh3.hh3.site'
Success getting keytab entry for 'HH3$@HH3.SITE'
Successfully obtained machine credentials for principal 'HH3$@HH3.SITE' stored in ccache 'FILE:/tmp/krb5cc_machine_HH3.SITE'
INFO: Credentials in CC 'FILE:/tmp/krb5cc_machine_HH3.SITE' are good until 1327817776
using FILE:/tmp/krb5cc_machine_HH3.SITE as credentials cache for machine creds
using environment variable to select krb5 ccache FILE:/tmp/krb5cc_machine_HH3.SITE
creating context using fsuid 0 (save_uid 0)
creating tcp client for server hh3.hh3.site
DEBUG: port already set to 2049
creating context with server n...@hh3.hh3.site
DEBUG: serialize_krb5_ctx: lucid version!
prepare_krb5_rfc4121_buffer: protocol 1
prepare_krb5_rfc4121_buffer: serializing key with enctype 18 and size 32
doing downcall
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
dir_notify_handler: sig 37 si 0xbfbd324c data 0xbfbd32cc
destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt14

user steve5 logs in:
# su steve5
(passwd etc...)
Kerberos: AS-REQ ste...@hh3.site from ipv4:192.168.1.3:50182 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent paty
Re: [Samba] nfs4 with Samba 4
On 28/01/12 17:12, Gémes Géza wrote:
On 2012-01-28 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:
On 2012-01-28 10:40, steve wrote:

Hi everyone
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1
Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users. I've setup the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home
Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"
I have used samba-tool to make an nfs service principal and it responds:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37
when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
d? ? ???? mnt
You can see that /home has indeed been mounted but with strange permissions. Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?
Cheers,
Steve

root can enter, because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights. I would check if the user account you are trying to read/write/list/etc the /mnt dir with has got the nfs tickets, with a klist.
Regards
Geza

Hi Geza, hi everyone
A bit of progress: Yes, the /mnt dir got the nfs ticket when I issued the mount command. Also, authenticated Samba 4 users can enter /mnt but only if they do a kinit first. IOW they have to authenticate twice. Once in his home folder (now under /mnt) he only has read access to his files. klist looks OK:
Ticket cache: FILE:/tmp/krb5cc_320
Default principal: ste...@hh3.site
Valid starting     Expires            Service principal
01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/hh3.s...@hh3.site
        renew until 01/29/12 11:57:29
01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.hh3.s...@hh3.site
        renew until 01/29/12 11:57:29
I think I'd need root_squash to prevent root, no? But no worries. Just trying to get nfs write access for a user. The Kerberos seems to be working in that a local user gets 'Permission denied' when trying to cd to /mnt and gets this when ls'ing:
d? ? ???? mnt
A doubly authenticated Samba 4 user gets:
drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
but no write access to his nfs mounted home folder. Why is the double authentication needed? How can we get rw access to the share?
Thanks,
Steve

Hi,
It seems that your authentication scheme (pam) doesn't involve kerberos. You can check after login with klist if you have any tickets. If not you would probably need to setup pam in order to use kerberos for authentication (from my memories it was pretty easy using yast).
Regards
Geza

Thanks for that. I've got the pam stuff going now. Next thing is the write access. OK by conventional nfs4 but not with kerberized mounts. The latter mount read only.
Steve
Re: [Samba] nfs4 with Samba 4
On 28/01/12 12:21, steve wrote:
On 28/01/12 11:03, Gémes Géza wrote:

Summary:

1. kerberized /etc/exports
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
then:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
no write access

2. conventional /etc/exports
/export *(rw,fsid=0,insecure,no_subtree_check,async)
/export/home *(rw,nohide,insecure,no_subtree_check,async)
then:
mount -t nfs4 hh3:/home /mnt
write access OK

3. kerberized variation on /etc/exports
/export *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
/export/home *(rw,insecure,no_subtree_check,async,sec=krb5)
then:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
no write access

I have tried all combos of crossmnt and nohide. idmapd seems to be mapping correctly and id gives what getent gives. Any ideas? Why does the kerberized mount not allow rw access?
Steve

Geza, do you think it's worth sticking this on samba technical?
Re: [Samba] nfs4 with Samba 4
On 28/01/12 11:03, Gémes Géza wrote:
On 2012-01-28 10:40, steve wrote:

Hi everyone
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1
Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users. I've setup the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home
Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"
I have used samba-tool to make an nfs service principal and it responds:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37
when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
d? ? ???? mnt
You can see that /home has indeed been mounted but with strange permissions. Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?
Cheers,
Steve

root can enter, because (you don't have no_root_squash) it is mapped to the nobody user and thus has the basic rights. I would check if the user account you are trying to read/write/list/etc the /mnt dir with has got the nfs tickets, with a klist.
Regards
Geza

Hi Geza, hi everyone
A bit of progress: Yes, the /mnt dir got the nfs ticket when I issued the mount command. Also, authenticated Samba 4 users can enter /mnt but only if they do a kinit first. IOW they have to authenticate twice. Once in his home folder (now under /mnt) he only has read access to his files. klist looks OK:
Ticket cache: FILE:/tmp/krb5cc_320
Default principal: ste...@hh3.site
Valid starting     Expires            Service principal
01/28/12 11:57:35  01/28/12 21:57:35  krbtgt/hh3.s...@hh3.site
        renew until 01/29/12 11:57:29
01/28/12 11:57:40  01/28/12 21:57:35  nfs/hh3.hh3.s...@hh3.site
        renew until 01/29/12 11:57:29
I think I'd need root_squash to prevent root, no? But no worries. Just trying to get nfs write access for a user. The Kerberos seems to be working in that a local user gets 'Permission denied' when trying to cd to /mnt and gets this when ls'ing:
d? ? ???? mnt
A doubly authenticated Samba 4 user gets:
drwxr-xr-x 5 root root 4096 Dec 23 00:15 mnt
but no write access to his nfs mounted home folder. Why is the double authentication needed? How can we get rw access to the share?
Thanks,
Steve
[Samba] nfs4 with Samba 4
Hi everyone
Version 4.0.0alpha18-GIT-bfc7481
openSUSE 12.1
Conventional nfs4 export works fine, but I'm having trouble kerberizing it for Samba 4 for my Samba 4 users. I've setup the nfs4 pseudo stuff like this:
hh3:/ # mkdir /export
hh3:/ # mkdir /export/home
hh3:/ # mount --bind /home /export/home
Here is /etc/exports:
/export gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
/etc/sysconfig/nfs has:
NFS_SECURITY_GSS="yes"
I have used samba-tool to make an nfs service principal and it responds:
Kerberos: TGS-REQ HH3$@HH3.SITE from ipv4:192.168.1.3:35191 for nfs/hh3.hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-28T09:31:37 starttime: 2012-01-28T09:31:37 endtime: 2012-01-28T19:31:37 renew till: 2012-01-29T09:31:37
when I:
mount -t nfs4 hh3:/home /mnt -o sec=krb5
It mounts OK and mount shows:
hh3:/home/ on /mnt type nfs4 (rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=krb5,clientaddr=192.168.1.3,minorversion=0,local_lock=none,addr=192.168.1.3)
Authenticated Samba 4 users get 'Permission denied' when trying to cd to /mnt. Only root can enter. The permissions using ls -la are:
d? ? ???? mnt
You can see that /home has indeed been mounted but with strange permissions. Has anyone tried nfs with Samba 4 Kerberos? Why the permissions? What am I missing?
Cheers,
Steve
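An added example, not code from the thread, from nfs-utils or from Samba: a small Python audit that parses /etc/exports entries of the kind posted in this thread and reports, per export, the security flavour the server will offer (the legacy gss/krb5 client form, a sec= option, or plain sys) together with the options a reviewer would flag: insecure, async, no_root_squash, and a child export whose flavour differs from the fsid=0 pseudo-root. The three sample exports texts are constructed from the variants Steve posted; the audit itself is general and handles any path/client(options) line.

```python
"""Audit /etc/exports entries for NFSv4 security flavour and risky options.

Added example, not code from the thread or from nfs-utils. The sample exports
text below is constructed from the three variants posted in this thread.
"""
import re
from dataclasses import dataclass

# A client token is "client", "client(options)" or "(options)"; exports(5)
# treats an omitted client as "*".
CLIENT_RE = re.compile(r"^(\S*?)(?:\(([^)]*)\))?$")


@dataclass
class Export:
    path: str
    client: str
    options: list

    @property
    def sec(self):
        """Security flavour: legacy gss/<flavour> client, sec= option, else sys."""
        if self.client.startswith("gss/"):
            return self.client[len("gss/"):]
        for opt in self.options:
            if opt.startswith("sec="):
                return opt[len("sec="):]
        return "sys"

    @property
    def is_pseudo_root(self):
        return "fsid=0" in self.options


def parse_exports(text):
    """Return one Export per (path, client) pair, ignoring comments and blanks."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        for token in rest.split():
            m = CLIENT_RE.match(token)
            if not m:
                continue
            client = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, client, options))
    return exports


def review_exports(exports):
    """Findings a reviewer would raise; an empty list means nothing was flagged."""
    findings = []
    root = next((e for e in exports if e.is_pseudo_root), None)
    for e in exports:
        where = f"{e.path} {e.client}"
        if e.sec == "sys":
            findings.append(f"{where}: sec=sys, clients are trusted on the UID they claim")
        if "insecure" in e.options:
            findings.append(f"{where}: 'insecure' accepts requests from unprivileged source ports")
        if "no_root_squash" in e.options:
            findings.append(f"{where}: no_root_squash lets a client's root act as root on the server")
        if "async" in e.options:
            findings.append(f"{where}: 'async' acknowledges writes before they reach stable storage")
        if root is not None and e is not root and e.sec != root.sec:
            findings.append(f"{where}: sec={e.sec} differs from pseudo-root {root.path} (sec={root.sec})")
    return findings


# Constructed from the three variants posted in the thread.
KERBERIZED = """
/export      gss/krb5(rw,fsid=0,insecure,no_subtree_check,async)
/export/home gss/krb5(rw,nohide,insecure,no_subtree_check,async)
"""
CONVENTIONAL = """
/export      *(rw,fsid=0,insecure,no_subtree_check,async)
/export/home *(rw,nohide,insecure,no_subtree_check,async)
"""
KERBERIZED_SEC_OPTION = """
/export      *(rw,fsid=0,crossmnt,insecure,no_subtree_check,async,sec=krb5)
/export/home *(rw,insecure,no_subtree_check,async,sec=krb5)
"""

if __name__ == "__main__":
    for name, text in (("kerberized", KERBERIZED), ("conventional", CONVENTIONAL),
                       ("kerberized, sec= option", KERBERIZED_SEC_OPTION)):
        exports = parse_exports(text)
        print(f"== {name}")
        for e in exports:
            print(f"  {e.path:<13} {e.client:<9} sec={e.sec}")
        for finding in review_exports(exports):
            print("  !", finding)
```

Run it as a script to see the three variants side by side: the first and third both negotiate krb5 (one via the client form, one via sec=), the second negotiates sys, and all three carry insecure and async, which is worth knowing before blaming Kerberos for a behaviour difference.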
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
On Sun, 2012-01-22 at 15:32 +0100, steve wrote:

even though I've made a ldap/hh3.site principal:
hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
Why do I get the Decrypt integrity check failed error?

Why do you keep doing this? What makes you think this is the right thing to do (so I can correct whatever gave you this misconception)? Samba will not read /etc/ldap.keytab. Samba uses the private keytab containing its own machine account only. Samba should not be contacted via the dns domain name, it should be contacted by the fully qualified domain name. The fact the dns domain name (hh3.site) resolves is an artefact of the default AD DNS zone, but should not be used. If your client uses the fully qualified name (dc.hh3.site), it will collect the correct ticket, and Samba will decrypt it.
Thanks,
Andrew Bartlett

Hi
Thanks for pointing this out. It turned out that when I provisioned, I had the fqdn wrong. Duh! I set that correctly in /etc/hosts, reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked and I could extract stuff I'd put into the s4 LDAP database so our Linux users could connect. I have still not been able to get winbind nor the fileserver working, so I've added nfs4 for the Linux clients and there I did need to add a principal for the kerberized nfs, otherwise the nfs server would not start. It's a bit of a hack but it's good enough for us at the moment. I got around the user id mappings as described here:
http://linuxcostablanca.blogspot.com/p/samba-4.html
Thanks for your time,
Steve
[Samba] samba 3 a 4 with kerberized nfs4
Hi
openSUSE 12.1 server and client. I can't get the s4 fileserver nor uid:gid mappings working with s4. I used nfs and idmapd instead. It's working, but I've a couple of qns.

1. Server
fqdn hh3.hh3.site
Samba 4, DNS and NFS4
I set up the nfs server with GSSAPI as in this screenshot:
http://2.bp.blogspot.com/-IspbLnfxizc/Txsp-Z1z1tI/ADk/lsgel498elg/s1600/yastnfs1.png
The nfs server would not start until I had made a nfs principal and stuck it in the keytab. Then I could mount the share and users were mapped correctly, home directory permissions OK etc. (I'd previously added Linux attributes to LDAP). Everything fine so far.
klist -k /etc/krb5.keytab
1 nfs/hh3.hh3.s...@hh3.site
1 nfs/hh3.hh3.s...@hh3.site
1 nfs/hh3.hh3.s...@hh3.site

2. Client.
fqdn hh6.hh3.site, Samba 3.6
smb.conf:
workgroup = CACTUS
realm = HH3.SITE
security = ADS
kerberos method = system keytab
Join the domain:
net ads join -U Administrator
net ads keytab add nfs
klist -k /etc/krb5.keytab
1 host/hh6.hh3.s...@hh3.site
1 host/hh6.hh3.s...@hh3.site
1 host/hh6.hh3.s...@hh3.site
1 host/h...@hh3.site
1 host/h...@hh3.site
1 host/h...@hh3.site
1 HH6$@HH3.SITE
1 HH6$@HH3.SITE
1 HH6$@HH3.SITE
1 nfs/hh6.hh3.s...@hh3.site
1 nfs/hh6.hh3.s...@hh3.site
1 nfs/hh6.hh3.s...@hh3.site
1 nfs/h...@hh3.site
1 nfs/h...@hh3.site
1 nfs/h...@hh3.site
mount -t nfs4 hh3:/ /home
Amazingly still OK. Samba 4 users can login, get correctly mapped files, edit etc. I now mv the keytab and recreate it _without_ nfs. It still mounts! Why does the server (s4) need the nfs principal but the client (s3) not? How can I tell if Kerberos is working?
Cheers,
Steve
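An added example (not code from the thread, from Samba or from MIT Kerberos) for the question "How can I tell if Kerberos is working?" as far as the keytab side goes: it parses a klist -k listing like the ones above and reports which of the service principals a host needs (host/, nfs/, ... for its FQDN and realm) are missing, and which principals carry more than one kvno, which is what a keytab looks like when a re-export left old keys behind. The listing is constructed: the hostname hh3.hh3.site and realm HH3.SITE are from the thread, the kvno values and the stale host/ entry are invented to show the check firing.

```python
"""Check a klist -k listing for the service principals a host needs.

Added example, not code from the thread or from Samba/MIT Kerberos. The sample
listing is constructed: hostname hh3.hh3.site and realm HH3.SITE come from the
thread; the principals and kvnos are made up to show a good and a stale entry.
"""
import re
from collections import defaultdict

# klist -k prints a header, a dashed rule, then "<kvno> <principal>" rows,
# one row per enctype stored for that principal.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)$")


def parse_klist_k(text):
    """Map principal -> sorted list of distinct kvnos seen in the keytab."""
    kvnos = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            kvnos[m.group(2)].add(int(m.group(1)))
    return {p: sorted(v) for p, v in kvnos.items()}


def required_principals(fqdn, realm, services):
    """The SPNs a host offering `services` (e.g. host, nfs) should hold."""
    return {f"{svc}/{fqdn}@{realm}" for svc in services}


def check_keytab(text, fqdn, realm, services):
    """Return findings: missing SPNs, then principals with several kvnos.

    Several kvnos for one principal usually means an old key survived a
    re-export; the KDC issues tickets for the current kvno only, so the
    stale entries are dead weight at best and a sign of a botched rotation.
    """
    present = parse_klist_k(text)
    findings = []
    for spn in sorted(required_principals(fqdn, realm, services)):
        if spn not in present:
            findings.append(f"missing: {spn}")
    for principal, versions in sorted(present.items()):
        if len(versions) > 1:
            findings.append(f"stale keys: {principal} has kvno {versions}")
    return findings


# Constructed sample in klist -k layout: three enctypes for nfs/ at kvno 1
# (normal), and a host/ principal that kept a kvno 1 entry after a kvno 2 re-export.
SAMPLE_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 nfs/hh3.hh3.site@HH3.SITE
   1 nfs/hh3.hh3.site@HH3.SITE
   1 nfs/hh3.hh3.site@HH3.SITE
   1 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
   2 host/hh3.hh3.site@HH3.SITE
"""

if __name__ == "__main__":
    for finding in check_keytab(SAMPLE_LISTING, "hh3.hh3.site", "HH3.SITE",
                                ("host", "nfs", "cifs")):
        print(finding)
```

Feed it the real output of klist -k /etc/krb5.keytab and the list of services the box actually provides; on the client in the post, which only mounts, the expected set is just host/ and the machine account, which is consistent with the nfs/ entries there being unnecessary.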
Re: [Samba] Samba 4 GSSAPI problem
On 23/01/12 15:37, Raffael Sahli wrote:
On 01/23/2012 02:24 PM, steve wrote:

Hi
Same checkout, same provision, same machine.
openSUSE
samba --version
Version 4.0.0alpha18-GIT-c3a7573
hh3:/home/steve # ldapsearch -H ldap://192.168.1.3 cn=steve2 -b "dc=hh3,dc=site" -Y GSSAPI
SASL/GSSAPI authentication started
and all is OK.
Ubuntu
samba --version
Version 4.0.0alpha18-GIT-c3a7573
root@hh3:/tmp# ldapsearch -H ldap://192.168.1.3 cn=steve2 -b "dc=hh3,dc=site" -Y GSSAPI
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Maybe I'm missing an Ubuntu package? If so, what could it be?
Thanks,
Steve

libsasl2-modules-gssapi-mit (MIT Kerberos) / libsasl2-modules-gssapi-heimdal (Heimdal Kerberos)

Yep. That did it. I apt-get install'd libsasl2-modules-gssapi-mit and it sprang to life.
Thanks,
Steve
[Samba] Samba 4 GSSAPI problem
Hi
Same checkout, same provision, same machine.
openSUSE
samba --version
Version 4.0.0alpha18-GIT-c3a7573
hh3:/home/steve # ldapsearch -H ldap://192.168.1.3 cn=steve2 -b "dc=hh3,dc=site" -Y GSSAPI
SASL/GSSAPI authentication started
and all is OK.
Ubuntu
samba --version
Version 4.0.0alpha18-GIT-c3a7573
root@hh3:/tmp# ldapsearch -H ldap://192.168.1.3 cn=steve2 -b "dc=hh3,dc=site" -Y GSSAPI
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: No worthy mechs found
Maybe I'm missing an Ubuntu package? If so, what could it be?
Thanks,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 20/01/12 18:19, steve wrote:
On 01/20/2012 04:09 PM, Michael Wood wrote:
On 20 January 2012 15:23, steve wrote:
On 20/01/12 12:41, Michael Wood wrote:
[...]

I did this:
samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2
steve2:x:300:100:steve2:/home/CACTUS/steve2:/bin/bash
Seems to work OK.

OK.

I know I should use a keytab, then presumably I'd not need to keep refreshing the ticket using k5start. I really would like to find out how to do that.

I'm starting to think that maybe a keytab is not the answer and k5start is. Maybe someone that knows more about Kerberos will enlighten us, but it might make more sense to ask the question on a Kerberos mailing list/forum.

I've tried before. Thinking out loud, maybe this: with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for ldap/hh3.site@SITE [canonicalize, renewable]
I tried removing /tmp/krb5cc_0 and doing this:
hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)
So the next qn. would be how do I tell nslcd to look in the keytab rather than the cache file?

I don't know. Maybe it can't use a keytab. Perhaps the nslcd developers could clarify this?

Or maybe go the k5start way. Don't know!

Since the ticket cache works, I think k5start should work too, but I've not tried it myself.

Next stage: getting nslcd-user to be able to read the ticket and keep the ticket up to date.

Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running nslcd as "nslcd-user", that's not the ticket cache you should be using.

Actually, kinit nslcd-service produced a file with the same name.

That's because you were logged in as root when you ran kinit. That's what I meant when I said it was "root's ticket cache".

This seems to be better: Extracted the keytab using samba-tool spn and k5start'ed from it:
k5start -v -f /etc/nslcd.keytab -U -o nslcd-user -K 360 -k /tmp/krb5cc_0
-v verbose
-f use keytab, not password
-o the user the file should be chown'ed to
-U Use the first principal in the keytab as the client principal
-K run as daemon
-k name of ticket cache
The alternative would be:
k5start -v -u nslcd-service -U -o nslcd-user -K 360 -k /tmp/krb5cc_0
-u the user who needs to get the ticket
But this prompts for a password. I suppose the power of the keytab is the kerberos magic that does it for you.
Next episode: How to create the keytab on a Linux client without samba-tool installed.
Cheers,
Steve

However, this only works if the realm is NOT the dns name. This is with:
realm=site
rather than
realm=hh3.site
and the kerberized bind to the ldap works but nothing else on the network, e.g. you cannot join machines to the domain because dns does not find the realm. Is it a rule that the Kerberos realm has to be the same as the dns name? Back provisioning with realm=hh3.site (the fqdn), dns is working again and I can join boxes to the domain again BUT the kerberized bind will not work anymore and I'm back to:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:48616 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
even though I've made a ldap/hh3.site principal:
hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
Why do I get the Decrypt integrity check failed error? (I can still connect un-kerberized by simply specifying the binddn and bindpw in /etc/nslcd.conf)
Cheers,
Steve
Re: [Samba] Samba 4 Cannot contact any KDC for requested realm
On 22/01/12 10:19, Gémes Géza wrote:
On 2012-01-21 09:42, steve wrote:

Version 4.0.0alpha18-GIT-957ec28 with dns hh3.site realm SITE
After starting samba -i -d3, wbinfo -i someuser gives this:
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Cannot reach a KDC we require to contact cifs/hh3.site@SITE : kinit for HH3$@SITE failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
ldb_wrap open of secrets.ldb
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/HH3
Cannot reach a KDC we require to contact host/hh3.site@SITE : kinit for HH3$@SITE failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
wbinfo -u works fine and shows a list of users. Subsequent calls to wbinfo do not produce this error. It only happens the first time after samba is started. This may coincide with yesterday's bind 9 update from openSUSE. This seems OK, no?
Calling DNS name update script
Calling SPN name update script
Completed SPN update check OK
Completed DNS update check OK
and all the dns and kinit test stuff on the wiki checks out too. Any ideas?
Thanks,
Steve

Glad you have mentioned bind; in my experience 90% of kerberos related problems were caused by failure to look up names. On my test system (I haven't used Samba4 in production yet) I use bind9.8 with the dlz backend. After I restart samba4 I have to restart bind9 as well, because otherwise there is no name resolution possible.
Hope that helps
Geza

Yes. That was it. named doesn't survive a samba restart here either.
openSUSE 12.1
rpm -q bind
bind-9.8.1P1-87.1.i586
Thanks
Steve
[Samba] samba-tool and net ads
Hi
1. How do I do this:
samba-tool domain exportkeytab anyold.keytab --principal=samba4user
on a box without samba-tool?
2. Is anyold.keytab valid only for the machine upon which it was created?
Thanks,
Steve
[Samba] Samba 4 Cannot contact any KDC for requested realm
Version 4.0.0alpha18-GIT-957ec28 with dns hh3.site realm SITE
After starting samba -i -d3, wbinfo -i someuser gives this:
ldb_wrap open of secrets.ldb
using SPNEGO
Selected protocol [8][NT LANMAN 1.0]
Cannot reach a KDC we require to contact cifs/hh3.site@SITE : kinit for HH3$@SITE failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
ldb_wrap open of secrets.ldb
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/HH3
Cannot reach a KDC we require to contact host/hh3.site@SITE : kinit for HH3$@SITE failed (Cannot contact any KDC for requested realm)
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_NO_LOGON_SERVERS
wbinfo -u works fine and shows a list of users. Subsequent calls to wbinfo do not produce this error. It only happens the first time after samba is started. This may coincide with yesterday's bind 9 update from openSUSE. This seems OK, no?
Calling DNS name update script
Calling SPN name update script
Completed SPN update check OK
Completed DNS update check OK
and all the dns and kinit test stuff on the wiki checks out too. Any ideas?
Thanks,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/20/2012 04:09 PM, Michael Wood wrote:
On 20 January 2012 15:23, steve wrote:
On 20/01/12 12:41, Michael Wood wrote:
[...]

I did this:
samba-tool user add nslcd-service
New Password:
User 'nslcd-service' created successfully
kinit nslcd-service
Password for nslcd-service@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012
hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0
rcnslcd restart
redirecting to systemctl
hh3:/tmp # getent passwd steve2
steve2:x:300:100:steve2:/home/CACTUS/steve2:/bin/bash
Seems to work OK.

OK.

I know I should use a keytab, then presumably I'd not need to keep refreshing the ticket using k5start. I really would like to find out how to do that.

I'm starting to think that maybe a keytab is not the answer and k5start is. Maybe someone that knows more about Kerberos will enlighten us, but it might make more sense to ask the question on a Kerberos mailing list/forum.

I've tried before. Thinking out loud, maybe this: with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for ldap/hh3.site@SITE [canonicalize, renewable]
I tried removing /tmp/krb5cc_0 and doing this:
hh3:/tmp # samba-tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)
So the next qn. would be how do I tell nslcd to look in the keytab rather than the cache file?

I don't know. Maybe it can't use a keytab. Perhaps the nslcd developers could clarify this?

Or maybe go the k5start way. Don't know!

Since the ticket cache works, I think k5start should work too, but I've not tried it myself.

Next stage: getting nslcd-user to be able to read the ticket and keep the ticket up to date.

Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running nslcd as "nslcd-user", that's not the ticket cache you should be using.

Actually, kinit nslcd-service produced a file with the same name.

That's because you were logged in as root when you ran kinit. That's what I meant when I said it was "root's ticket cache".

This seems to be better: Extracted the keytab using samba-tool spn and k5start'ed from it:
k5start -v -f /etc/nslcd.keytab -U -o nslcd-user -K 360 -k /tmp/krb5cc_0
-v verbose
-f use keytab, not password
-o the user the file should be chown'ed to
-U Use the first principal in the keytab as the client principal
-K run as daemon
-k name of ticket cache
The alternative would be:
k5start -v -u nslcd-service -U -o nslcd-user -K 360 -k /tmp/krb5cc_0
-u the user who needs to get the ticket
But this prompts for a password. I suppose the power of the keytab is the kerberos magic that does it for you.
Next episode: How to create the keytab on a Linux client without samba-tool installed.
Cheers,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
I can't find k5start for openSUSE. I'll ask the guys over at the suse list for that one.

Otherwise you could probably compile it yourself.

If I get time, I'll go through this on Ubuntu (where Geza pointed me to k5start). Thanks again.
Steve

Got an old k5start from the openSUSE vaults and got the keytab working with it:
samba-tool domain exportkeytab /etc/nslcd.keytab --principal=nslcd-service
Then:
k5start -v -f /etc/nslcd.keytab -u nslcd-service -o nslcd-user -k /tmp/krb5cc_0
Kerberos initialization for nslcd-service@SITE
k5start: authenticating as nslcd-service@SITE
k5start: getting tickets for krbtgt/SITE@SITE
It didn't ask for a password :)
A few bits of stuff. This is not ideal. It renews every 5 mins, which is too often. Probably need some k5start --help
Maybe /tmp is a bad place to put the cache. On openSUSE (and probably other distros), anyone can get in there and have a look around.
Don't get this:
ls -la /etc/nslcd.keytab
-rw------- 1 root root 178 Jan 20 15:19 /etc/nslcd.keytab
yet k5start can get at it.
I still think there must be a better way.
Cheers,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 20/01/12 12:41, Michael Wood wrote: Michael. Thanks for your comments. Getting there slowly but surely. Have made some adjustments as in-line. wbinfo -i steve2 CACTUS\steve2:*:300:100::/home/CACTUS/steve2:/bin/bash Optimistically: getent passwd steve2 _nothing_! But nslcd-user can't read the ticket. So: chmod 0644 /tmp/ Obviously you meant the following: chmod 644 /tmp/krb5cc_0 Yes. I should have copied it from the terminal rather than type it. This is BAD! It means anyone on that machine will be able to do anything as Administrator. Better (but not the way you're supposed to do it) would be to chown the file to the user that is running nslcd. What you want to do is create a domain user for nslcd (separate from the local user that the process runs as. i.e. it will probably need a different username. This is just for authenticating against Samba.) samba-tool user add nslcd-service Now if you "kinit nslcd-service" and chown the file to the right UID, nslcd should work as it did for Administrator. Still not quite right, though, I think. I think you want to create a service principal name, export it as a keytab and then use that for nslcd, but this is where I am a bit unsure. I did this: samba-tool user add nslcd-service New Password: User 'nslcd-service' created successfully kinit nslcd-service Password for nslcd-service@SITE: Warning: Your password will expire in 41 days on Fri Mar 2 13:47:22 2012 hh3:/tmp # chown nslcd-user:nslcd-user krb5cc_0 rcnslcd restart redirecting to systemctl hh3:/tmp # getent passwd steve2 steve2:x:300:100:steve2:/home/CACTUS/steve2:/bin/bash Seems to work OK. I know I should use a keytab, then presumably I'd not need to keep refreshing the ticket using k5start. I really would like like to find out how to do that. I've tried before. 
Thinking out loud, maybe this: with getent passwd, samba gives this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ nslcd-service@SITE from ipv4:192.168.1.3:50765 for ldap/hh3.site@SITE [canonicalize, renewable]

I tried removing /tmp/krbcc_0 and doing this:
hh3:/tmp # samba tool spn add ldap/hh3.site nslcd-service
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # chown nslcd-user:nslcd-user /etc/ldap.keytab
But:
Jan 20 14:16:15 hh3 nslcd[3575]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)

So the next qn. would be how do I tell nslcd to look in the keytab rather than the cache file? Or maybe go the k5start way. Don't know!

Is there no principal specified? Maybe it's not necessary.
[...]

Yes. I think this is it: ldap/hh3.site@SITE
Pls see samba output above.

Next stage: getting nslcd-user to be able to read the ticket and keep the ticket up to date.

Well, /tmp/krb5cc_0 is root's ticket cache. Since you're running nslcd as "nslcd-user", that's not the ticket cache you should be using.

Actually, kinit nslcd-service produced a file with the same name.

Either you should be generating a new ticket cache (maybe using k5start), maybe not in /tmp, with the right permissions and where nslcd can use it.

I can't find k5start for openSUSE. I'll ask the guys over at the suse list for that one.

Otherwise you could probably compile it yourself.

If I get time, I'll go through this on Ubuntu (where Geza pointed me to k5start).
Thanks again.
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 20/01/12 07:55, steve wrote:

Hi,
Even if you are scared to death of samba-technical I'm posting it there as well, maybe someone can answer the questions which arise when I tried to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
gives:
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617

The issue appears to be related to there not being a 'base dn' specified. Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'. This behaviour may not match windows - if you can test against that, please let us know the difference and we can sort it out. Base DN specification and defaults changed mid last year.

Thanks! Specifying the base dn was the problem, but that still doesn't explain (although it suggests that the problem lies with nslcd itself) the original problem.

Hi
Nothing:
hh3:/tmp # kinit Administrator
Password for administra...@hh3.site:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012
ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:52922 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922

hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:48616 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

And again the integrity check failed error. Help!
Cheers,
Steve

OK. Start from nothing. New checkout, /usr/local/samba deleted, keytabs gone. . . Nothing.
./source4/setup/provision --realm=site --domain=CACTUS --adminpass=abc@1234 --server-role='domain controller'
kinit Administrator
Password for Administrator@SITE:
Warning: Your password will expire in 41 days on Fri Mar 2 10:11:08 2012
hh3:/tmp # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SITE
Valid starting     Expires            Service principal
01/20/12 10:36:20  01/20/12 20:36:20  krbtgt/SITE@SITE
        renew until 01/21/12 10:36:14
hh3:/tmp # ldapsearch -H ldap://192.168.1.3 cn=Administrator -b dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: Administrator@SITE
SASL SSF: 56
SASL data security layer installed.
dn: CN=Administrator,CN=Users,DC=site
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Administrator
description: Built-in account for administering the computer/domain
instanceType: 4
whenCreated: 20120120091108.0Z
whenChanged: 20120120091108.0Z
uSNCreated: 3544
uSNChanged: 3544
name: Administrator
objectGUID:: mGFPzUkB00u061KWBq0BbQ==
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 12971524268000
primaryGroupID: 513
objectSid:: AQUAAAUV1QO34Lt6TetRTPlg9AEAAA==
adminCount: 1
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Administrator
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Administrators,CN=Builtin,DC=site
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=site
memberOf: CN=Enterprise Admins,CN=Users,DC=site
memberOf: CN=Schema Admins,CN=Users,DC=site
memberOf: CN=Domain Admins,CN=Users,DC=site
distinguishedName: CN=Administrator,CN=Users,DC=site

# refldap://site/CN=Configuration,DC=site
# refldap://site/DC=DomainDns
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
Hi,
Even if you are scared to death of samba-technical I'm posting it there as well, maybe someone can answer the questions which arise when I tried to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
gives:
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617

The issue appears to be related to there not being a 'base dn' specified. Try with -b 'dc=samba4,dc=kzsdabas,dc=hu'. This behaviour may not match windows - if you can test against that, please let us know the difference and we can sort it out. Base DN specification and defaults changed mid last year.

Thanks! Specifying the base dn was the problem, but that still doesn't explain (although it suggests that the problem lies with nslcd itself) the original problem.

Hi
Nothing:
hh3:/tmp # kinit Administrator
Password for administra...@hh3.site:
Warning: Your password will expire in 34 days on Fri Feb 24 04:49:26 2012
ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:52922 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:52922

hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
hh3:/tmp # ldapsearch -H ldap://hh3.site cn=Administrator -b dc=hh3,dc=site -LLL -Y GSSAPI
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL:[GSSAPI]: NT_STATUS_LOGON_FAILURE

ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:48616 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-20T07:48:01 starttime: 2012-01-20T07:53:37 endtime: 2012-01-20T17:48:01 renew till: 2012-01-21T07:47:56
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

And again the integrity check failed error. Help!
Cheers,
Steve
[Samba] Samba 4 GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
Hi everyone
I'm using nslcd to connect to Samba 4 LDAP. If I specify the binddn and bindpw in /etc/nslcd.conf no problem: getent passwd works and everything is mapped just fine. But when I try to do a kerberized bind to Samba 4 LDAP, I get this:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:33002 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:33002

OK fine. So I use samba-tool to make a principal ldap/hh3.site and stick it in a keytab. I use kinit to get a ticket for the principal holder. Now that it can find the principal I get this error:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:33982 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T23:22:44 starttime: 2012-01-19T23:25:59 endtime: 2012-01-20T09:22:44 renew till: 2012-01-20T23:22:38
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

I think that this has something to do with what the KDC has and what the keytab has. The KDC and the keytab are on the same openSUSE machine. Deleting the principal brings me back to the first error and recreating it to the second.

Can any Kerberos gurus help me with this one?
Thanks
Steve
Re: [Samba] is winbind needed if i provide unix attributes?
On 19/01/12 21:59, Angel Bosch wrote:

We're running s3/LDAP with uid:gid, shell and home directory all in LDAP. No winbind anywhere.

is this the only samba server? do you have any samba server as member of that one?

anyway, i've read more carefully the docs and found that(1):
"it stores mappings between UNIX UIDs, GIDs, and NT SIDs. This mapping is used only for users and groups that do not have a local UID/GID"

so i can assume that local unix attributes are always looked first and winbind is used only if that first resolution fails. the key is that "local" here means any account seen by NSS (getent passwd), for example LDAP.

i found much more useful and even easy to configure NSS/PAM against LDAP than winbind, but in the docs(2), when talking about adding members, it seems that winbind is the only way to go.

i think it would be really useful that official docs provides an example of this other kind of setup.

abosch

References:
1 - http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html
2 - http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html

Hi
No. Only one Samba server. We have no local users on the clients apart from root on Linux and Administrator on win 7. Samba for the win 7 clients only, nfs for Linux file sharing. You do not need to join the Linux clients to the domain if you use LDAP. Ubuntu and openSUSE have a great little utility to join the Linux clients to LDAP via nss-ldap.
HTH
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 19/01/12 19:11, steve wrote:

http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass
I'm working as client and host on the same box here. Could this be the cause of the Decrypt integrity check failed ??
Cheers
Steve

Just to confirm:
samba-tool spn delete host
samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
kinit host-account
chmod 0644 /tmp/krb500_0
rcnslcd restart
samba gives:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:37883 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T19:49:59 starttime: 2012-01-19T19:51:33 endtime: 2012-01-20T05:49:59 renew till: 2012-01-20T19:49:55
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The key in the keytab is not the same as the key in the KDC
Why??? If we can answer that, we're there.
Cheers,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#badpass
I'm working as client and host on the same box here. Could this be the cause of the Decrypt integrity check failed ??
Cheers
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 19/01/12 18:35, Gémes Géza wrote:

Progress:
klist -k /etc/krb5.keytab | grep host-account
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site
   1 host-acco...@hh3.site
cat /etc/default/nslcd
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host-acco...@hh3.site"
service nslcd restart
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:49240 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- host-acco...@hh3.site
Kerberos: AS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:35595 for krbtgt/hh3.s...@hh3.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- host-acco...@hh3.site
Kerberos: Looking for ENC-TS pa-data -- host-acco...@hh3.site
Kerberos: ENC-TS Pre-authentication succeeded -- host-acco...@hh3.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2012-01-19T11:19:01 starttime: unset endtime: 2012-01-19T21:19:01 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
service nslcd restart
 * Restarting LDAP connection daemon nslcd [ OK ]
 * Stopping Keep alive Kerberos ticket k5start [ OK ]
 * Starting Keep alive Kerberos ticket k5start [ OK ]
getent passwd
syslog gives:
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] failed to bind to LDAP server ldap://hh3.hh3.site: Unknown authentication method: Operation now in progress
Jan 19 11:28:23 hh3 nslcd[21289]: [7b23c6] no available LDAP server found
samba gives:
ldb_wrap open of secrets.ldb
Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

The only way I can bind is by removing the sasl_mech GSSAPI and giving the binddn and bindpw in /etc/nslcd.conf
So I'm stuck with 'Unknown authentication method'. Are we sure that nslcd can bind using Kerberos?
Thanks for your patience,
Steve

Hi,
Even if you are scared to death of samba-technical I'm posting it there as well, maybe someone can answer the questions which arise when I tried to check out your use case.
So I've tried first:
# ldapsearch -H ldap://samba4.kzsdabas.hu cn=Administrator -LLL -Y GSSAPI
gives:
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
No such object (32)
Additional information: empty base DN at ../source4/dsdb/samdb/ldb_modules/partition.c:617
and
# ldapwhoami -H ldap://samba4.kzsdabas.hu -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: administra...@kzsdabas.hu
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
Result: Protocol error (2)
Additional info: Extended Operation(1.3.6.1.4.1.4203.1.11.3) not supported
So the question is does the Samba4 LDAP server support SASL/GSSAPI based binding?
Cheers

Thanks Geza. You're a star.
Meanwhile, back with openSUSE some more progress:
Here is the original error:
ldb_wrap open of secrets.ldb
Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:56661 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2012-01-19T18:28:38 starttime: 2012-01-19T18:34:01 endtime: 2012-01-20T04:28:38 renew till: 2012-01-20T18:28:32
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

So I extracted a keytab for ldap:
samba-tool spn add ldap/hh3.site host-account
samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
klist -k /etc/ldap.keytab
Keytab name: WRFILE:/etc/ldap.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 ldap/hh3.s...@hh3.site
   1 ldap/hh3.s...@hh3.site
   1 ldap/hh3.s...@hh3.site

NOW the error has changed:
getent passwd gives:
ldb_wrap open of secrets.ldb
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed

host-account has done a kinit and there is a cache in /tmp/krb5cc_0
/etc/nslcd.conf contains:
sasl_mech GSSAPI
#sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0

I feel that this is so close now!
Cheers
Steve
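The KDC, k5start and nslcd messages quoted through this thread each point at a different failure, and the way the error changed after each step (realm referral, then "Decrypt integrity check failed") is itself the diagnosis. The following triage script is an added example in Python; it is not code from the thread, from Samba or from nslcd. It maps each error string seen in these posts to its usual cause and the check a defender runs next; the sample excerpt is constructed, with the wording of the lines following the posts but the host (dc.example.test), realm (EXAMPLE.TEST) and principals as placeholders.

```python
"""Triage the Samba 4 KDC, k5start and nslcd error lines quoted in this thread.

Added example; not code from the thread, from Samba or from nslcd. Each rule
maps one error string to its usual cause and to the check to run next.
SAMPLE_LOG is constructed: wording follows the posts, names are placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    line: str
    cause: str
    next_check: str


# (pattern, cause, next check). Regex groups are substituted into the cause
# text with str.format; the first matching rule wins.
RULES = [
    (re.compile(r"Returning a referral to realm (\S+) for server (\S+) that was not found"),
     "no account in this realm carries the SPN {1}, so the KDC can only answer with a referral to realm {0}",
     "register the SPN on the service account (samba-tool spn add) and export a keytab for it"),
    (re.compile(r"Server not found in database: krbtgt/(\S+):"),
     "fallout of the referral: the KDC looked for a cross-realm ticket krbtgt/{0}, and that realm is not a trusted domain",
     "fix the missing SPN; this line disappears once the service principal is registered"),
    (re.compile(r"Server not found in Kerberos database"),
     "client-side view of the same problem: the requested service principal is unknown to the KDC",
     "check the account's SPNs with samba-tool spn list before retrying the GSSAPI bind"),
    (re.compile(r"Decrypt integrity check failed"),
     "the key in the service's keytab is not the key the KDC holds for that principal (stale keytab, wrong kvno or enctype)",
     "re-export the keytab after the last key change and verify it with kinit -kt <keytab> <principal>"),
    (re.compile(r"Client not found in Kerberos database|UNKNOWN -- (\S+): no such entry found in hdb"),
     "the client principal in the AS-REQ does not exist in the KDC database, or is spelled or cased differently",
     "compare the principal that k5start or kinit asks for with klist -k <keytab> and with the account's SPNs"),
    (re.compile(r"Credentials cache file '([^']+)' not found"),
     "krb5_ccname points at {0}, which does not exist or is not readable by the user nslcd runs as",
     "let k5start write a cache owned by that user (-o) and point krb5_ccname at it"),
    (re.compile(r"Unknown authentication method"),
     "libldap could not negotiate the SASL mechanism, which usually means the Cyrus SASL GSSAPI plugin is not installed on the client",
     "install the SASL GSSAPI plugin and retest with ldapwhoami -Y GSSAPI"),
]


def classify_line(line: str) -> Optional[Finding]:
    """Return the Finding for one log line, or None when no rule applies."""
    for pattern, cause, check in RULES:
        m = pattern.search(line)
        if m:
            return Finding(line.strip(), cause.format(*m.groups()), check)
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of a log excerpt; lines with no known error are dropped."""
    findings = []
    for line in log_text.splitlines():
        f = classify_line(line)
        if f:
            findings.append(f)
    return findings


# Constructed excerpt (placeholder host dc.example.test, realm EXAMPLE.TEST).
SAMPLE_LOG = """\
Kerberos: TGS-REQ svc-nslcd@EXAMPLE.TEST from ipv4:192.0.2.10:33002 for ldap/dc.example.test@EXAMPLE.TEST [canonicalize, renewable]
Kerberos: Searching referral for example.test
Kerberos: Returning a referral to realm TEST for server ldap/dc.example.test@EXAMPLE.TEST that was not found
Kerberos: Server not found in database: krbtgt/TEST@EXAMPLE.TEST: no such entry found in hdb
ldap_sasl_interactive_bind_s: Local error (-2) GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Decrypt integrity check failed
k5start: error getting credentials: Client not found in Kerberos database
nslcd[3575]: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/tmp/krb5cc_0' not found)
nslcd[21289]: failed to bind to LDAP server ldap://dc.example.test: Unknown authentication method: Operation now in progress
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"LINE : {finding.line}")
        print(f"CAUSE: {finding.cause}")
        print(f"NEXT : {finding.next_check}\n")
```

The rules are ordered so that the KDC-side referral lines are reported before the generic client-side "Server not found" text, and any line the rules do not recognise (the TGS-REQ and "Searching referral" lines) is simply skipped rather than guessed at.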
[Samba] Samba 4 LDAP security
Hi
I'm using Samba 4 to serve Linux and win 7 clients. I'd like to use GSSAPI to bind to the Samba 4 LDAP to extract the attributes I've added for the Linux clients. nslcd advertises such support, but keeps telling me 'Unknown authentication method'.

As a workaround I've done this:
I'm using nss-ldapd to map user attributes via nfs4 to the Linux clients. Works fine, but the binddn and bindpw have to be stored in /etc. nslcd runs as user nslcd and I have the permissions on /etc/nslcd.conf set to 0400 nslcd:nslcd. I've discovered that any user can do the bind, so it's not the Admin password that is needed.

Until I can get the kerberized bind working (probably never!), any comments about the security of this? Are there other processes where passwords have to be stored in a file?
Thanks,
Steve
Re: [Samba] is winbind needed if i provide unix attributes?
On 01/19/2012 03:37 PM, Angel Bosch wrote:

hi,

short: in a typical Samba PDC + LDAP environment is winbind needed if i already fulfill unix attributes?

long: i've been running Samba PDC with LDAP as backend without any problems. my objects contains both sambaSamAccount and posixAccount (and shadowAccount) with uid, gid, homedirectory, etc.

i'm setting up another samba server just for file services. in official docs says i must set up winbind:
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-sambadc

but if i've already got uids and gids i guess i need no mappings. is this right? can i ignore winbind in my setup?

regards,
abosch

Hi. We're running s3/LDAP with uid:gid, shell and home directory all in LDAP. No winbind anywhere.
HTH
Steve
Re: [Samba] Samba 4 will not start after new checkout [OK now]
All OK for me:
samba --version
Version 4.0.0alpha18-GIT-95c514a
Cheers,
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/18/2012 09:56 PM, Gémes Géza wrote:
On 2012-01-18 12:12, steve wrote:
On 01/17/2012 09:40 PM, Gémes Géza wrote:

Hi,
See comments inline:

Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine. If I add the line:
sasl_mech GSSAPI

That should suffice, but please note, that nslcd should also have access to some kind of keytab, to authenticate itself. This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is looking like):
# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"
And must have k5start installed (it is a wrapper which keeps fresh tickets for long running services)

to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank.
ldapsearch -x -b '' -sbase supportedSASLMechanisms
gives me:
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
but
ldapsearch -Y GSSAPI
gives:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

before you can do an SASL/GSSAPI based ldap operation you must have valid kerberos tickets (so do a kinit first)!
and Samba gives:
Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:56859 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
Kerberos: Searching referral for hh3.site
Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
Kerberos: samba_kdc_fetch: could not find principal in DB
Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859
I've tried making a ldap principal but samba-tool spn doesn't let me add an ldap principal.
Any ideas anyone?
Thanks,
Steve

Regards
Geza

Hi Geza
OK. Now on Ubuntu. I have k5init installed and have made a host principal:
klist -k /etc/host.keytab
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 host/hh3.s...@hh3.site
   1 host/hh3.s...@hh3.site
   1 host/hh3.s...@hh3.site
Just to be sure I have:
ls -la /etc/host.keytab
-rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab
cat /etc/default/nslcd
# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/host.keytab
K5START_CCREFRESH=60
#K5START_PRINCIPAL="host/$(hostname -f)"
K5START_PRINCIPAL="host/HH3.SITE -f"
I did kinit Administrator and have a cache in /tmp/krbcc_0
cat /etc/nslcd.conf
uid nslcd
gid nslcd
uri ldap://127.0.0.1
base dc=hh3,dc=site
binddn cn=Administrator,cn=Users,dc=hh3,dc=site
map passwd uid sAMAccountName
map passwd homeDirectory unixHomeDirectory
map shadow uid sAMAccountName
sasl_mech GSSAPI
sasl_realm HH3.SITE
krb5_ccname /tmp/krb5cc_0
But:
service nslcd restart
 * Restarting LDAP connection daemon nslcd [ OK ]
 * Stopping Keep alive Kerberos ticket k5start
No process in pidfile '/var/run/nslcd/k5start_nslcd.pid' found running; none killed. [ OK ]
 * Starting Keep alive Kerberos ticket k5start
k5start: error getting credentials: Client not found in Kerberos database [fail] [ OK ]
and Samba gives:
Kerberos: AS-REQ host/hh3.s...@hh3.site from ipv4:192.168.1.3:38618 for krbtgt/hh3.s...@hh3.site
Kerberos: UNKNOWN -- host/hh3.s...@hh3.site: no such entry found in hdb
Why isn't the host principal being found? Ahhgg!! Where to start?
Any ideas?
Cheers,
Steve

Hi,
First of all /etc/host.keytab shouldn't be writable. But that is a different story. On the other hand kerberos could get confused by having a
Re: [Samba] Samba 4 will not start after new checkout [URGENT]
On 01/19/2012 09:23 AM, Michael Wood wrote:
On 19 January 2012 10:05, steve wrote:

Hi everyone
I've marked the thread as URGENT. Another post has reported similar during provisioning. Could someone on samba-technical send a copy there too?

It's been mentioned on samba-technical and I believe a fix was committed yesterday/last night, but I haven't tried compiling Samba4 in the last week or so. If you're still stuck, just roll back to a version from a few days ago. If you want some specific fix, cherry-pick it. Also, you might want to subscribe to samba-technical if you're using Samba4, since the HOWTO still says to report problems there (while Samba4 is still in alpha).

Hi
I'm building the latest checkout now. Fingers crossed. As for samba-technical, it scares me. I think even Dennis Ritchie would have thought twice about subscribing!
make is at 1388/3933
Cheers,
Steve
Re: [Samba] Samba 4 will not start after new checkout [URGENT]
Hi everyone
I've marked the thread as URGENT. Another post has reported similar during provisioning. Could someone on samba-technical send a copy there too?
Thanks,
Steve

On 01/18/2012 08:40 PM, Charles Tryon wrote:
Ummm... no, unless it's with using ANY external bind rather than the internal one. I'm now finding that ALL the test systems that I have tried to update to the latest GIT repository are failing. I'm dead in the water. =8-0

On Wed, Jan 18, 2012 at 1:48 PM, steve <st...@steve-ss.com> wrote:
Hi
I couldn't get any bind to work for Ubuntu on previous checkouts except 9.9.0b1
Have modified source4/dns_server/dlz_minimal.h
Is bind the prob? If so how do I use the internal bind?
Thanks
Steve

On 01/18/2012 07:31 PM, Charles Tryon wrote:
Are you using bind9.8, 9.7 or the internal bind server?

On Wed, Jan 18, 2012 at 11:21 AM, steve <st...@steve-ss.com> wrote:
Version 4.0.0alpha18-GIT-e75c436
Ubuntu 11.10
Built now with
make clean
./configure.developer
make
make install
samba -i -d3 gives this:
ldb: unable to stat module ${PREFIX}/modules/ldb : No such file or directory
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
Unknown process model 'standard'
my $PREFIX should be /usr/local/samba I think. The path is there and I can export PREFIX="/usr/local/samba" but nada. Also, what about Unknown process model 'standard'.
Can anyone help?
Thanks
Steve

--
Charles Tryon
"It's the job that's never started that takes longest to finish." -- Samwise Gamgee
Re: [Samba] Samba 4 will not start after new checkout
Hi
I couldn't get any bind to work for Ubuntu on previous checkouts except 9.9.0b1
Have modified source4/dns_server/dlz_minimal.h
Is bind the prob? If so how do I use the internal bind?
Thanks
Steve

On 01/18/2012 07:31 PM, Charles Tryon wrote:
Are you using bind9.8, 9.7 or the internal bind server?

On Wed, Jan 18, 2012 at 11:21 AM, steve <st...@steve-ss.com> wrote:
Version 4.0.0alpha18-GIT-e75c436
Ubuntu 11.10
Built now with
make clean
./configure.developer
make
make install
samba -i -d3 gives this:
ldb: unable to stat module ${PREFIX}/modules/ldb : No such file or directory
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
Unknown process model 'standard'
my $PREFIX should be /usr/local/samba I think. The path is there and I can export PREFIX="/usr/local/samba" but nada. Also, what about Unknown process model 'standard'.
Can anyone help?
Thanks
Steve

--
Charles Tryon
"It's the job that's never started that takes longest to finish." -- Samwise Gamgee
[Samba] Samba 4 will not start after new checkout
Version 4.0.0alpha18-GIT-e75c436
Ubuntu 11.10
Built now with
make clean
./configure.developer
make
make install
samba -i -d3 gives this:
ldb: unable to stat module ${PREFIX}/modules/ldb : No such file or directory
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
Unknown process model 'standard'
my $PREFIX should be /usr/local/samba I think. The path is there and I can export PREFIX="/usr/local/samba" but nada. Also, what about Unknown process model 'standard'.
Can anyone help?
Thanks
Steve
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/17/2012 09:40 PM, Gémes Géza wrote:

Hi,
See comments inline:

Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine. If I add the line:
sasl_mech GSSAPI

That should suffice, but please note, that nslcd should also have access to some kind of keytab, to authenticate itself. This is done on Debian/Ubuntu via the /etc/default/nsldcd.conf (mine is looking like):
# Defaults for nslcd init script
# Whether to start k5start (for obtaining and keeping a Kerberos ticket)
# By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI
# and krb5_ccname is set to a file-type ticket cache.
# Set to "yes" to force starting k5start, any other value will not start
# k5start.
K5START_START="yes"
# Options for k5start.
K5START_BIN=/usr/bin/k5start
K5START_KEYTAB=/etc/krb5.keytab
K5START_CCREFRESH=60
K5START_PRINCIPAL="host/$(hostname -f)"
And must have k5start installed (it is a wrapper which keeps fresh tickets for long running services)

to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank.
ldapsearch -x -b '' -sbase supportedSASLMechanisms
gives me:
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: NTLM
but
ldapsearch -Y GSSAPI
gives:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

before you can do an SASL/GSSAPI based ldap operation you must have valid kerberos tickets (so do a kinit first)!
and Samba gives: Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:56859 for ldap/hh3.s...@hh3.site [canonicalize, renewable] Kerberos: Searching referral for hh3.site Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0 Kerberos: samba_kdc_fetch: could not find principal in DB Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859 I've tried making a ldap principal but samba-tool spn doesn't let me add an ldap principal. Any ideas anyone? Thanks, Steve Regards Geza Hi Geza OK. Now on Ubuntu. I have k5init installed and have made a host principal: klist -k /etc/host.keytab Keytab name: WRFILE:/etc/host.keytab KVNO Principal -- 1 host/hh3.s...@hh3.site 1 host/hh3.s...@hh3.site 1 host/hh3.s...@hh3.site Just to be sure I have: ls -la /etc/host.keytab -rw-rw-rw- 1 root root 193 2012-01-18 11:34 /etc/host.keytab cat /etc/default/nslcd # Defaults for nslcd init script # Whether to start k5start (for obtaining and keeping a Kerberos ticket) # By default k5start is started if nslcd.conf has sasl_mech set to GSSAPI # and krb5_ccname is set to a file-type ticket cache. # Set to "yes" to force starting k5start, any other value will not start # k5start. K5START_START="yes" # Options for k5start. 
K5START_BIN=/usr/bin/k5start K5START_KEYTAB=/etc/host.keytab K5START_CCREFRESH=60 #K5START_PRINCIPAL="host/$(hostname -f)" K5START_PRINCIPAL="host/HH3.SITE -f" I did kinit Administrator and have a cache in /tmp/krbcc_0 cat /etc/nslcd.conf uid nslcd gid nslcd uri ldap://127.0.0.1 base dc=hh3,dc=site binddn cn=Administrator,cn=Users,dc=hh3,dc=site mappasswd uid sAMAccountName mappasswd homeDirectoryunixHomeDirectory mapshadow uid sAMAccountName sasl_mech GSSAPI sasl_realm HH3.SITE krb5_ccname /tmp/krb5cc_0 But: service nslcd restart * Restarting LDAP connection daemon nslcd [ OK ] * Stopping Keep alive Kerberos ticket k5start No process in pidfile '/var/run/nslcd/k5start_nslcd.pid' found running; none killed. [ OK ] * Starting Keep alive Kerberos ticket k5start k5start: error getting credentials: Client not found in Kerberos database [fail] [ OK ] and Samba gives: Kerberos: AS-REQ host/hh3.s...@hh3.site from ipv4:192.168.1.3:38618 for krbtgt/hh3.s...@hh3.site Kerberos: UNKNOWN -- host/hh3.s...@hh3.site: no such entry found in hdb Why isn't the host principal being found? Ahhgg!! Where to start? Any ideas? Cheers, Steve -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
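The thread above hinges on whether the principal k5start asks the KDC for is the same principal that sits in the keytab. The script below is an added example, not code from the thread, from nslcd or from Samba: it reads the KEY=value lines of an /etc/default/nslcd file, expands the $(hostname -f) substitution the way the shell would, appends the realm when the value carries none, and checks that exact name against the KVNO/Principal table printed by klist -k. The hostname, realm and keytab listing are constructed placeholders, not the thread's.

```python
"""Cross-check the principal k5start requests against a keytab listing.

Added example for the k5start/nslcd discussion; not code from the thread,
from nslcd or from Samba. All sample data here is constructed.
"""
import re
from typing import Dict, List


def parse_defaults(text: str) -> Dict[str, str]:
    """Parse shell-style KEY=value / KEY="value" lines, ignoring comments and blanks."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep:
            continue
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]  # drop the surrounding quotes
        values[key.strip()] = val
    return values


def expand_principal(raw: str, fqdn: str, realm: str) -> str:
    """Substitute $(hostname -f) and add @REALM if the principal has no realm part."""
    principal = raw.replace("$(hostname -f)", fqdn)
    if "@" not in principal:
        principal = f"{principal}@{realm}"
    return principal


def parse_klist(text: str) -> List[str]:
    """Collect principal names from the KVNO/Principal table printed by `klist -k`."""
    found: List[str] = []
    for line in text.splitlines():
        match = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if match:
            found.append(match.group(1))
    return found


def check_k5start(defaults_text: str, klist_text: str, fqdn: str, realm: str) -> List[str]:
    """Return findings; an empty list means k5start asks for a principal the keytab holds."""
    cfg = parse_defaults(defaults_text)
    raw = cfg.get("K5START_PRINCIPAL", "")
    if not raw:
        return ["K5START_PRINCIPAL is not set"]
    wanted = expand_principal(raw, fqdn, realm)
    findings: List[str] = []
    if any(ch.isspace() for ch in wanted):
        # A shell option pasted into the value survives as literal text; the KDC
        # is asked for the whole string, whitespace included, and cannot find it.
        findings.append(f"K5START_PRINCIPAL expands to {wanted!r}, which contains whitespace")
    keys = set(parse_klist(klist_text))
    if wanted not in keys:
        findings.append(f"{wanted!r} is not in the keytab (keytab holds {sorted(keys)})")
    return findings


# Constructed sample inputs (hostname and realm are placeholders, not the thread's).
SAMPLE_FQDN = "dc1.example.test"
SAMPLE_REALM = "EXAMPLE.TEST"
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/host.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/dc1.example.test@EXAMPLE.TEST
   1 host/dc1.example.test@EXAMPLE.TEST
"""
DEFAULTS_GOOD = """\
K5START_START="yes"
K5START_KEYTAB=/etc/host.keytab
K5START_PRINCIPAL="host/$(hostname -f)"
"""
DEFAULTS_BAD = """\
K5START_START="yes"
K5START_KEYTAB=/etc/host.keytab
K5START_PRINCIPAL="host/EXAMPLE.TEST -f"
"""

if __name__ == "__main__":
    for label, text in (("good", DEFAULTS_GOOD), ("bad", DEFAULTS_BAD)):
        print(label, check_k5start(text, SAMPLE_KLIST, SAMPLE_FQDN, SAMPLE_REALM) or "OK")
```

Run it against the real files by reading /etc/default/nslcd and the output of klist -k on the keytab named there; a "Client not found in Kerberos database" from k5start is what you expect whenever this check reports a mismatch.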
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
On 18/01/12 04:54, Andrew Bartlett wrote:
> On Sun, 2012-01-15 at 14:49 +0100, steve wrote:
>> Hi everyone
>> Version 4.0.0alpha18-GIT-bfc7481
>> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At startup I get this:
> Why are you not using nss_winbind? I know the Samba4 winbindd (started as a component of 'samba') isn't in great shape, but it is the only way to get at the correct id mapping at the moment.
> There are many requests to get the UID/GID number back into LDAP (it once was!), but we haven't done that work yet. Part of the issue is what to do when we need to allocate a new UID, as Microsoft's implementation has no allocation procedure to use as a pattern.
> Andrew Bartlett

Hi
I'm using nslcd because I'm using nfs4 as a file server and because it just works. I've added the uid:gid, home directory and shell to each samba 4 user and nslcd is mapping them fine. Linux and win 7 domain machines can read and write the shares from the samba 4 smb.conf just fine. We can work logged onto a Linux or win 7 box.

The point I'm stuck on is getting the Samba 4 kerberos to authenticate to the Samba 4 LDAP. I can connect by specifying the binddn and password in nslcd.conf but it seems as though GSSAPI cannot find the ldap principal.
But samba will not let me make a principal:

    samba-tool spn add ldap host-account
    hh3:/home/steve # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/HH3.SITE
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)

and the error on trying to connect:

    ldb_wrap open of secrets.ldb
    Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:54046 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
    Kerberos: Searching referral for hh3.site
    Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
    Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
    Kerberos: samba_kdc_fetch: could not find principal in DB
    Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:54046
    Kerberos: TGS-REQ host-acco...@hh3.site from ipv4:192.168.1.3:34450 for krbtgt/s...@hh3.site [renewable]
    Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
    Kerberos: samba_kdc_fetch: could not find principal in DB
    Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:34450
    Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
    single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Question: how do I create an ldap principal for the realm HH3.SITE?
I'm on openSUSE 12.1
Thanks for your time and patience,
Steve
[Samba] Samba 4 and GSSAPI kerberos ldap connect
Hi everyone
I'm trying to use kerberos to authenticate to Samba 4 ldap. At the moment, I authenticate by specifying the binddn and password in /etc/nslcd.conf and all works fine
If I add the line:

    sasl_mech GSSAPI

to /etc/nslcd.conf and restart nslcd, no one can connect to the database. Nothing works. ldapsearch and getent passwd draw a blank.

ldapsearch -x -b '' -sbase supportedSASLMechanisms gives me:

    dn:
    supportedSASLMechanisms: GSS-SPNEGO
    supportedSASLMechanisms: GSSAPI
    supportedSASLMechanisms: NTLM

but ldapsearch -Y GSSAPI gives:

    SASL/GSSAPI authentication started
    ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

and Samba gives:

    Kerberos: TGS-REQ administra...@hh3.site from ipv4:192.168.1.3:56859 for ldap/hh3.s...@hh3.site [canonicalize, renewable]
    Kerberos: Searching referral for hh3.site
    Kerberos: Returning a referral to realm SITE for server ldap/hh3.s...@hh3.site that was not found
    Failed find a single entry for (&(objectClass=trustedDomain)(|(flatname=SITE)(trustPartner=SITE))): got 0
    Kerberos: samba_kdc_fetch: could not find principal in DB
    Kerberos: Server not found in database: krbtgt/s...@hh3.site: no such entry found in hdb
    Kerberos: Failed building TGS-REP to ipv4:192.168.1.3:56859

I've tried making an ldap principal but samba-tool spn doesn't let me add an ldap principal.
Any ideas anyone?
Thanks,
Steve
Re: [Samba] Samba 4 kerberos and kinit
(apology. forgot to send only to list)

On 01/16/2012 07:18 PM, steve wrote:
> Well, either it will need to have the password hard coded in the config file like you have it at the moment, I believe, or it will need a ticket to access the directory.
> Anyway, I've a 10 hour experiment in progress as on the other thread. Fingers crossed!

Well, 24 hours later and nslcd is still running and still mapping uid and gid's from LDAP both over the nfs4 network and on the Samba 4 server itself. The /tmp/krbcc_0 ticket cache for steve2 got destroyed at some stage but steve2 can still logon OK without doing a kinit. He does of course have to give his password to logon, but not to access anything else e.g. his roaming profile on an nfs share.

One annoying thing is that on a Linux client, xscreensaver will not deactivate using steve2's kerberos password. He's locked out.
Cheers
Steve
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.
>> # The credentials to bind with.
>> # Optional: default is no credentials.
>> # Note that if you set a bindpw you should check the permissions of this file.
>> bindpw 1234@Abc
> I think if your Kerberos config is working correctly this should not be necessary.

If I don't put the password it will not connect to LDAP. If I do a kinit Administrator and restart nslcd, it does connect without a password. But then that will only last for 10 hours before Administrator has to do a kinit again. Is there a way around this? I know it's something to do with principals but have so far not been able to work out which to apply.
Cheers
Steve
Re: [Samba] Samba 4 kerberos and kinit
On 01/15/2012 10:23 PM, Michael Wood wrote:
> On 15 January 2012 18:32, steve wrote:
>> On 01/15/2012 04:04 PM, Michael Wood wrote:
>>> On 14 January 2012 12:52, steve wrote:
>>>> On 14/01/12 03:19, Michael Wood wrote:
>>>>> On 14 January 2012 01:24, steve wrote:
>>>>>> [...]
>>>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>>>> -rw--- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>>>> That's fine, but is that what nslcd is using?
>>>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd
>>>> So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)
>>> Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.
>> The problem is that I can't have a principal for nslcd. IOW I can't do this:
>> samba-tool spn add nslcd some-user
> I must admit that I don't know why you can't do something like this:
>
>     # samba-tool user create nslcd-user --random-password
>     User 'nslcd-user' created successfully
>     # samba-tool spn add nslcd/hh3.hh3.site nslcd-user
>     # samba-tool spn list nslcd-user
>     nslcd-user
>     User CN=nslcd-user,CN=Users,DC=hh3,DC=site has the following servicePrincipalName:
>          nslcd/hh3.hh3.site
>     # samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
>     # ls -l nslcd.keytab
>     -rw--- 1 root root 253 2012-01-15 23:10 nslcd.keytab
>
> If that works, try getting nslcd to use it.

Hi Michael.
The problem is this:

    root@hh3:/home/steve# samba-tool user add nslcd-user
    New Password:
    User 'nslcd-user' created successfully
    root@hh3:/home/steve# samba-tool spn add nslcd nslcd-user
    root@hh3:/home/steve# samba-tool domain exportkeytab nslcd.keytab --principal=nslcd/HH3.SITE
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)
    root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/hh3.hh3.site nslcd.keytab
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)

And finally, just for good measure:

    root@hh3:/home/steve# samba-tool domain exportkeytab --principal=nslcd/HH3.SITE nslcd.keytab
    ERROR(runtime): uncaught exception - Key table entry not found
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
        return self.run(*args, **kwargs)
      File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 88, in run
        net.export_keytab(keytab=keytab, principal=principal)

i.e., unlike host and nfs, nslcd cannot be made into a principal to put in a keytab.
Do you think that the host principal will take care of this even though it is in root:root /etc/krb5.keytab and nslcd is running as nslcd-user?
Anyway, just 4 hours to go to see if the world collapses when steve2's ticket expires. Meanwhile, he's been creating and editing files on both win 7 and Linux clients without once being asked for a password. As you say, fingers crossed.
Do I win 10 €uros!
Cheers,
Steve
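The advice in this thread, a separate keytab or ticket cache that the nslcd user can read and nobody else, and no static bindpw once GSSAPI works, is easy to state and easy to get wrong on a live box. The script below is an added example, not code from the thread, from nslcd or from Samba: it parses an nslcd.conf, reports whether the daemon depends on a password in the file or on SASL/GSSAPI, and for the GSSAPI case checks that the file named by krb5_ccname exists, is owned by the uid nslcd runs as and is closed to group and other. The sample configurations, hostnames and paths are constructed placeholders; demo() builds a throwaway cache file with strict and then loose permissions so the checks can be exercised offline.

```python
"""Audit how nslcd authenticates to the directory and who can read its secrets.

Added example for the keytab-permission discussion; not code from the
thread, from nslcd or from Samba. Sample data is constructed.
"""
import os
import stat
import tempfile
from typing import Dict, List


def parse_nslcd_conf(text: str) -> Dict[str, str]:
    """Map each keyword to its (last) value; comments and blank lines are skipped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def check_private_file(path: str, owner_uid: int) -> List[str]:
    """A keytab or ticket cache must exist, belong to the service uid and be closed to others."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    findings: List[str] = []
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {stat.filemode(st.st_mode)} is accessible to group/other")
    return findings


def audit_nslcd(conf_text: str, service_uid: int) -> List[str]:
    """Return findings for the credential setup; an empty list means nothing to report."""
    conf = parse_nslcd_conf(conf_text)
    findings: List[str] = []
    mech = conf.get("sasl_mech")
    if "bindpw" in conf:
        findings.append("bindpw: a static directory password is stored in nslcd.conf; "
                        "prefer sasl_mech GSSAPI with a keytab the service can read")
    if mech == "GSSAPI":
        ccname = conf.get("krb5_ccname")
        if not ccname:
            findings.append("sasl_mech GSSAPI without krb5_ccname: nslcd will look for a "
                            "default ticket cache belonging to its own uid")
        else:
            # krb5_ccname may carry a FILE: prefix; the check needs the bare path.
            path = ccname[len("FILE:"):] if ccname.startswith("FILE:") else ccname
            findings.extend(check_private_file(path, service_uid))
    elif mech is None and "binddn" in conf and "bindpw" not in conf:
        findings.append("binddn set without bindpw or sasl_mech: no credential is configured for the bind")
    return findings


# Constructed sample configurations (placeholder host, realm and password).
SAMPLE_GSSAPI = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.test
base dc=example,dc=test
sasl_mech GSSAPI
sasl_realm EXAMPLE.TEST
krb5_ccname FILE:{cache}
"""
SAMPLE_BINDPW = """\
uid nslcd
gid nslcd
uri ldap://dc1.example.test
base dc=example,dc=test
binddn cn=nslcd-user,cn=Users,dc=example,dc=test
bindpw not-a-real-password
"""


def demo() -> Dict[str, List[str]]:
    """Run the audit against a constructed ticket cache with strict, then loose, permissions."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as workdir:
        cache = os.path.join(workdir, "nslcd.tkt")
        with open(cache, "wb") as fh:
            fh.write(b"placeholder, not a real credential cache")
        me = os.getuid()
        os.chmod(cache, 0o600)
        results["gssapi_strict"] = audit_nslcd(SAMPLE_GSSAPI.format(cache=cache), me)
        os.chmod(cache, 0o644)
        results["gssapi_world_readable"] = audit_nslcd(SAMPLE_GSSAPI.format(cache=cache), me)
        results["static_password"] = audit_nslcd(SAMPLE_BINDPW, me)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "OK")
```

On a real host, pass the contents of /etc/nslcd.conf and the uid from its uid line (pwd.getpwnam) to audit_nslcd; the same check_private_file applies to the keytab k5start reads, which must likewise be readable only by the account that runs it.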
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
>> #sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
> Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's SPN to it and making sure nslcd can read it.

On openSUSE, /var/run/nslcd is deleted on stopping nslcd so it would have to go somewhere else. (On Ubuntu, it survives a restart however).
Just here for the record in case others had a problem.
Steve
Re: [Samba] Samba 4 kerberos and kinit
On 01/15/2012 04:04 PM, Michael Wood wrote:
> On 14 January 2012 12:52, steve wrote:
>> On 14/01/12 03:19, Michael Wood wrote:
>>> On 14 January 2012 01:24, steve wrote:
>>>> [...]
>>>> drwxr-xr-x 118 root root 12288 Jan 13 23:55 etc
>>>> -rw--- 1 root root 1225 Jan 13 12:12 krb5.keytab
>>> That's fine, but is that what nslcd is using?
>> Ah. Well spotted! The nslcd docs recommend you run it as a separate user, so I created a user and group for nslcd and specified them in nslcd.conf. nslcd is running as nslcd:nslcd
>> So nslcd can't get inside the keytab. Is that correct? (can't test it as am not by the DC at the moment)
> Sounds likely. So you probably need to export a keytab for your nslcd principal to a new keytab (e.g. /var/run/nslcd/nslcd.tkt) and make sure that nslcd has permission to read it. No other user should have read access.

The problem is that I can't have a principal for nslcd. IOW I can't do this:

    samba-tool spn add nslcd some-user

I could do this

    samba-tool spn add host someuser

but already have a host principal added to the main keytab.
I keep coming back to this. I can have a principal for host and I can have a principal for nfs but I can't have a principal for nslcd. Even though /etc/nslcd.conf allows me to add a kerberos realm, is that good enough?
Anyway, I've a 10 hour experiment in progress as on the other thread. Fingers crossed!
Thanks,
Steve
Re: [Samba] Samba 4 ldb_wrap open of idmap.ldb
On 01/15/2012 04:17 PM, Michael Wood wrote:
> Hi
> On 15 January 2012 15:49, steve wrote:
>> Hi everyone
>> Version 4.0.0alpha18-GIT-bfc7481
>> I'm using nslcd to map Samba 4 users to uid:gid and home directory. At startup I get this:
>> ldb_wrap open of secrets.ldb
>> WARNING: no socket to connect to
>> and /var/log/messages shows:
>> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] failed to bind to LDAP server ldap://hh3.site/: Can't contact LDAP server: Transport endpoint is not connected
>> Jan 15 14:20:13 hh3 nslcd[2425]: [334873] no available LDAP server found, sleeping 1 seconds
>> [...]
> I don't know why the above happens, but...:
>> cat /etc/nslcd.conf
>> [...]
>> # The user and group nslcd should run as.
>> #uid nslcd
>> #gid nslcd
>> uid nslcd-user
>> gid nslcd-user
> Just a guess, but this might cause a problem. I believe you created a Samba user called nslcd-user and it looks like this is what you're trying to use here. (Also, AD does not support using the same name for a user and a group, I believe.)
> So before nslcd starts fully it would need to look up those values, but in order to do that it needs to talk to Samba. It seems to me that this might be problematic.
> Maybe you should use a local Linux user for running nslcd and just use the Samba nslcd-user account for nslcd's authentication to Samba.

OK. I think you're correct there. I've deleted the Samba 4 user nslcd-user and created a host principal instead (you can't create a principal for just nslcd, but I thought that as it's running on the host then, well. . .):

    samba-tool user add host-account
    samba-tool spn add host host account
    samba-tool domain exportkeytab /etc/krb5.keytab --principal=/host/HH3.SITE

gives me the following keytab:

    KVNO Principal
    ---- ---------
       1 HH3$@HH3.SITE
       1 HH3$@HH3.SITE
       1 HH3$@HH3.SITE
       1 administra...@hh3.site
       1 administra...@hh3.site
       1 administra...@hh3.site
       1 host-acco...@hh3.site
       1 host-acco...@hh3.site
       1 host-acco...@hh3.site
       1 dns-...@hh3.site
       1 dns-...@hh3.site
       1 dns-...@hh3.site
       1 krb...@hh3.site
       1 krb...@hh3.site
       1 krb...@hh3.site
       1 ste...@hh3.site
       1 ste...@hh3.site
       1 ste...@hh3.site
       1 host/hh3.s...@hh3.site
       1 host/hh3.s...@hh3.site
       1 host/hh3.s...@hh3.site

>> # The distinguished name to bind to the server with.
>> # Optional: default is to bind anonymously.
>> binddn cn=Administrator,cn=Users,dc=hh3,dc=site
> I think you want CN=nslcd-user,CN=Users,DC=hh3,DC=site here.
>> # The credentials to bind with.
>> # Optional: default is no credentials.
>> # Note that if you set a bindpw you should check the permissions of this file.
>> bindpw 1234@Abc
> I think if your Kerberos config is working correctly this should not be necessary.

It seems as though the Samba 4 LDAP needs authentication. Without the binddn and password I get:

    ldb_wrap open of secrets.ldb
    auth_check_password_send: Checking password for unmapped user []\[]@[(null)]
    auth_check_password_send: mapped user is: []\[]@[(null)]

and getent passwd fails to show the Samba 4 users. With the binddn and passwd:

    ldb_wrap open of secrets.ldb
    auth_check_password_send: Checking password for unmapped user [CACTUS]\[Administrator]@[(null)]
    auth_check_password_send: mapped user is: [CACTUS]\[Administrator]@[(null)]
    Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

getent springs to life and all is well.

>> #sasl_mech GSSAPI
>> sasl_realm HH3.SITE
>> #krb5_ccname /tmp/krb5cc_0
> Try using /var/run/nslcd/nslcd.tkt after exporting the nslcd-user's SPN to it and making sure nslcd can read it.

That seems impossible to do. But I'll return here if what I've done so far doesn't work. I think this comes down to the differences between kerberos user accounts, with passwords, and kerberos machine accounts without passwords but with principals instead. Does that make sense?

All seems well. steve2 can login both here on the server, on an openSUSE client and on a win 7 client, so he must have a ticket somewhere. klist gives:

    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

so the tickets must be stored internally somewhere or maybe somewhere in Australia;)
After kinit steve2

    Password for ste...@hh3.site:
    Warning: Your password will expire in 40 days on Fri Feb 24 18:37:06 2012

and klist

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ste...@hh3.site
    Valid starting     Expires            Service principal
    01/15/12 16:58:00  01/16/12 02:58:00  krbtgt/hh3.s...@hh3.site
            renew until 01/16/12 16:57:54

It looks as though steve2 is good for 10 hours. What is the significance of Default principal? Surely, if I have created a host principal then I want that to be the default principal. Otherwise, everything will collapse in 10 hours unless steve2 gets another ticket!
My next question is, will the host principal keep nslcd alive b
[Samba] Samba 4 ldb_wrap open of idmap.ldb
d passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group uniqueMember member
#map group gidNumber gid
#sasl_mech GSSAPI
sasl_realm HH3.SITE
#krb5_ccname /tmp/krb5cc_0

Thanks
Steve
[Samba] Samba 4 Screenshots
Hi everyone
I asked a while ago about screenshots, and in an effort to move Samba 4 away from the realms (geddit?) of 'rocket scientists only need apply', I've made some screenshots. Hope you like them.
http://linuxcostablanca.blogspot.com/2012/01/samba-4-screenshots.html
Cheers,
Steve
[Samba] Linux hidden files on windows 7
Hi everyone
win7 machine joined to Samba4 domain
Windows is set to hide hidden files, but viewing my Linux home folder in explorer shows all the files, dot or no dot. It's OK but it looks a mess. Is there any way I can stop the hidden Linux files from showing?
Cheers
Steve
Re: [Samba] RFC2307 & Samba4 [Was: Linux users and Samba 4]
On 13/01/12 16:32, Adam Tauno Williams wrote:
On Fri, 2012-01-13 at 02:51 +0100, steve wrote:
On 12/01/12 23:02, Adam Tauno Williams wrote:
Quoting steve:

Samba4's winbind does not support RFC2307, so doing this is pretty rough. I think you need to either use CIFS + winbind everywhere or somehow maintain an external idmap.

Yea, it is horrible. We are staring down the barrel of the same gun.

As Jeremy said, they are discussing what needs to be done before releasing Samba 4.0.0 and how to reconcile Samba 3's winbind and Samba 4's winbind etc., so if something that is critical for you does not currently work, you should file a bug report.

Yep. I realise the 'alphaness' of Samba 4 but I think I am not alone with my issue. I think it should be easy to fix now before it goes beta.
https://bugzilla.samba.org/show_bug.cgi?id=8635

Holy awesome; it got better. I just tested an upgrade of our production domain and it appears that Samba4 took [and kept] the UID number from the existing account.

Production -

    [root@littleboy ~]# id adam
    uid=437(adam) gid=230(cis) groups=230(cis)

Test Server

    barbel:~ # wbinfo -i adam
    BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

Home directory is a bit weird, and the gidNumber didn't stick. But at least I have the uidNumber.
4.0.0alpha18-GIT-103c1cb [openSUSE 12.1 x86_64] transitioned via "samba-tool domain samba3upgrade" from Samba S3w/LDAPSAM.

Nice find you have there. Meanwhile I've got it working. Very rough. But working for 10 hour Kerberos sessions at a time;)
http://linuxcostablanca.blogspot.com/2011/12/samba-4-linux-integration-first-i-want.html
Steve

What I'm puzzled by [and maybe this is a deficiency in Samba4 still] is that while the LDAP modify works the wbinfo output doesn't change.

    dn: CN=adam,CN=Users,DC=micore,DC=us
    changetype: modify
    add: objectclass
    objectclass: posixaccount
    -
    add: objectclass
    objectclass: shadowaccount
    -
    add: uidnumber
    uidnumber: 437
    -
    add: gidnumber
    gidnumber: 230
    -
    add: unixhomedirectory
    unixhomedirectory: /home/adam
    -
    add: loginshell
    loginshell: /bin/ksh

    barbel:~ # wbinfo -i adam
    BACKBONE\adam:*:437:100:Adam Williams:/home/BACKBONE/adam:/bin/false

So obviously the gidNumber attribute is ignored. The uidNumber attribute didn't exist in the object - so that is obviously coming from elsewhere. Guess I need to dig into winbind.
I'm currently *assuming* that these attributes are compatible with SFU for Windows and that they'd replicate to a Windows AD server.

Yes, you can change the uidnumber but not the gidnumber. In your example, it missed the shell too although it works if you put e.g. template shell = /bin/bash in smb.conf.
Using the openSUSE nss-pam-ldapd module I have this:

    # Mappings for Services for UNIX 3.5
    #filter passwd (objectClass=User)
    #map passwd uid msSFU30Name
    #map passwd userPassword msSFU30Password
    #map passwd homeDirectory msSFU30HomeDirectory
    #map passwd homeDirectory msSFUHomeDirectory
    #filter shadow (objectClass=User)
    #map shadow uid msSFU30Name
    #map shadow userPassword msSFU30Password
    #filter group (objectClass=Group)
    #map group uniqueMember msSFU30PosixMember

    # Mappings for Active Directory
    #pagesize 1000
    #referrals off
    #filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map passwd uid sAMAccountName
    map passwd homeDirectory unixHomeDirectory
    #map passwd gecos displayName
    #filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
    map shadow uid sAMAccountName
    #map shadow shadowLastChange pwdLastSet
    #filter group (objectClass=group)
    #map group uniqueMember member

I feel I'm getting somewhere at last!
Cheers
Steve
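The exchange above adds RFC2307 attributes with an LDIF modify and then maps them through the nslcd Active Directory filter, which only admits users that carry uidNumber and unixHomeDirectory. The script below is an added example, not code from the thread, from nslcd or from Samba: it reads the attribute/value pairs an LDIF "changetype: modify" adds, compares them case-insensitively (LDAP attribute names are case-insensitive) with the attributes the passwd map relies on, and evaluates the same filter the nslcd.conf above uses. The sample LDIF is constructed after the one in the thread, with a placeholder DN.

```python
"""Check an RFC2307 LDIF modify against what the nslcd AD passwd map needs.

Added example for the RFC2307 discussion; not code from the thread, from
nslcd or from Samba. The LDIF below is constructed.
"""
from typing import Dict, Iterable, List

# Attributes the passwd map relies on: the nslcd filter requires uidNumber and
# unixHomeDirectory, and a complete passwd entry also wants gidNumber and loginShell.
REQUIRED_FOR_PASSWD = ("uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")


def parse_ldif_modify(text: str) -> Dict[str, List[str]]:
    """Collect attr -> values from the 'add:' changes of one LDIF modify record.

    Keys are lower-cased because LDAP attribute names are case-insensitive."""
    attrs: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "-":      # "-" separates the individual changes
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name in ("dn", "changetype"):
            continue
        if name == "add":
            current = value.lower()
            continue
        if current is not None and name == current:
            attrs.setdefault(name, []).append(value)
    return attrs


def missing_for_passwd(attrs: Dict[str, List[str]]) -> List[str]:
    """Names from REQUIRED_FOR_PASSWD that the modify does not supply."""
    return [a for a in REQUIRED_FOR_PASSWD if a.lower() not in attrs]


def passes_ad_filter(attrs: Dict[str, List[str]], object_classes: Iterable[str]) -> bool:
    """Mimic (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*)).

    object_classes are the classes already on the directory object (constructed here)."""
    classes = {c.lower() for c in object_classes}
    return ("user" in classes and "computer" not in classes
            and "uidnumber" in attrs and "unixhomedirectory" in attrs)


# Constructed sample, modelled on the modify in the thread (placeholder DN).
SAMPLE_LDIF = """\
dn: CN=adam,CN=Users,DC=example,DC=test
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: objectclass
objectclass: shadowaccount
-
add: uidnumber
uidnumber: 437
-
add: gidnumber
gidnumber: 230
-
add: unixhomedirectory
unixhomedirectory: /home/adam
-
add: loginshell
loginshell: /bin/ksh
"""
# The same modify without the gidNumber change.
SAMPLE_LDIF_NO_GID = SAMPLE_LDIF.replace("add: gidnumber\ngidnumber: 230\n-\n", "")

if __name__ == "__main__":
    for label, text in (("full", SAMPLE_LDIF), ("no gid", SAMPLE_LDIF_NO_GID)):
        attrs = parse_ldif_modify(text)
        print(label, "missing:", missing_for_passwd(attrs),
              "filter:", passes_ad_filter(attrs, ["top", "person", "user"]))
```

Note what the filter check does and does not tell you: an object that passes it is visible to nslcd, but a missing gidNumber or loginShell only shows up later as a wrong group or shell in getent output, which is why missing_for_passwd is reported separately.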