Re: [Samba] windows 7 machine account fails to authenticate against samba PDC

2013-09-10 Thread Fabio Muzzi

On 06/22/2011 12:31 AM, mrArcabuz wrote:

Hi, it's been a while since the original message appeared, but here's my
experience in case someone finds it useful:


[...]


  I changed the machine account name to uppercase in the passwd & shadow
files and the message does not appear anymore in the logs.

  This would explain why it's not an issue on an LDAP backend, as the uid
there is case insensitive.


I have experienced the same issue with the same configuration (PDB 
backend, no LDAP) and I can confirm that /etc/passwd entries created by 
adding machines to domain (via the "add machine script") show an 
UPPERCASE name in Samba (that is, when I issue a "pdbedit -L" command) 
but a lowercase name in /etc/passwd, resulting in errors being logged 
when the machine connects to Samba because its username (uppercase) 
cannot be found in /etc/passwd (where it is written in lowercase).


The workaround is in fact to edit /etc/passwd to set the machines' 
usernames to uppercase.


I don't understand why and when this behaviour changed.

I have a very old Samba installation that shows the older machine 
entries in PDB file being lowercase, as in this example:


#pdbedit -L
...
nb-gmg$:1051:NB-GMG$
...


and other entries in the same PDB file being all uppercase, like this:

NOTEBOOK-FLAVIA$:4294967295:NOTEBOOK-FLAVIA$

Since all of the /etc/passwd file entries are lowercase, the second 
example (NOTEBOOK-FLAVIA$) does not authenticate correctly. You can also 
see that the output of the "pdbedit -L" command reports a wrong unix UID 
(4294967295) for the uppercase entry, because it cannot find it in 
/etc/passwd (being lowercase in passwd).


If I edit /etc/passwd and set the username in uppercase there, then 
everything works, and also the unix UID shown by "pdbedit -L" is correct.





--

Fabio "Kurgan" Muzzi

- IZ4UFQ -

Ginn! L'ottimismo e' il profumo di quella gnocca di tua 
sorella!Corri anche tu alla UniEuro!Ci sono radio che traspirano, cani 
di un'altra galassia!!!

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
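The mismatch reported in this message can be checked mechanically. The Python script below is an added example, not part of the original post and not Samba code: it compares `pdbedit -L` output with passwd entries using an exact-case match and lists machine accounts that exist in passwd only under a different case. The sample data is constructed from the two entries quoted above; the passwd lines, the `alice` account and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Report Samba machine accounts that have no exact-case match in passwd."""
import subprocess
import sys

# (uid_t)-1, the value pdbedit printed in the post for the unresolved account.
UNRESOLVED_UID = 4294967295

# Constructed sample input modelled on the entries quoted in the post.
SAMPLE_PDBEDIT = """\
nb-gmg$:1051:NB-GMG$
NOTEBOOK-FLAVIA$:4294967295:NOTEBOOK-FLAVIA$
alice:1000:Alice Example
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice Example:/home/alice:/bin/bash
nb-gmg$:x:1051:515:Machine:/dev/null:/bin/false
notebook-flavia$:x:1052:515:Machine:/dev/null:/bin/false
"""


def parse_passwd(text):
    """Return {name: uid} from passwd(5) text, preserving case."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def parse_pdbedit(text):
    """Yield (name, uid) from `pdbedit -L` lines of the form name:uid:fullname."""
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1].isdigit():
            yield parts[0], int(parts[1])


def find_case_mismatches(pdbedit_text, passwd_text):
    """List machine accounts whose Samba name is absent from passwd as written."""
    users = parse_passwd(passwd_text)
    by_lower = {}
    for name in users:
        by_lower.setdefault(name.lower(), []).append(name)
    findings = []
    for name, uid in parse_pdbedit(pdbedit_text):
        if not name.endswith("$") or name in users:
            continue  # not a machine account, or the exact-case lookup succeeds
        findings.append({
            "samba_name": name,
            "passwd_candidates": by_lower.get(name.lower(), []),
            "uid_unresolved": uid == UNRESOLVED_UID,
        })
    return findings


def main(argv):
    if "--live" in argv:  # read the real databases (pdbedit normally needs root)
        pdb = subprocess.run(["pdbedit", "-L"], capture_output=True,
                             text=True, check=True).stdout
        with open("/etc/passwd") as handle:
            passwd = handle.read()
    else:
        pdb, passwd = SAMPLE_PDBEDIT, SAMPLE_PASSWD
    for item in find_case_mismatches(pdb, passwd):
        found = ", ".join(item["passwd_candidates"]) or "no entry in any case"
        note = "; pdbedit shows an unresolved UID" if item["uid_unresolved"] else ""
        print("%s: not in passwd as written (passwd has: %s)%s"
              % (item["samba_name"], found, note))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it reports on the constructed sample; with `--live` it reads the local `pdbedit -L` output and `/etc/passwd`.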


Re: [Samba] PDC: System SID missing / inconsistent with domain SID

2013-08-26 Thread Eric Shubert

On 08/26/2013 01:21 PM, Eric Shubert wrote:

I'm guessing that adding a TACS-DC record to the old host would fix the
problem of not being able to get its SID.


This appears to work now.


I'm also guessing that adding a LANYARD record to the new host *might*
make it recognize that it's a domain controller. I hope to test this
later today, when users are gone.


This didn't appear to help. The new DC still doesn't recognize itself as 
a DC:

# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I 
wonder if restoring those records in secrets.tdb, then using the net 
command to change the SID of the domain and host might fix things up. 
Does the net setdomainsid command do anything more than change the value 
of the record in the tdb file? If it does, that could be a solution.


Anyone have any insight about how to go about changing the host name of 
a domain controller (while migrating it)?


Thanks.

--
-Eric 'shubes'



Re: [Samba] PDC: System SID missing / inconsistent with domain SID

2013-08-26 Thread Eric Shubert
I've recently come across the same situation, while migrating a 3.0.33 
PDC host to 3.6.9. I had renamed the old host some time ago from LANYARD 
to TACS-DC. The old host still functions fine, except for not being able 
to get its own SID.


Old DC host:
[root@tacs-dc samba]# net getdomainsid
Could not fetch local SID
[root@tacs-dc samba]# tdbdump secrets.tdb
{
key(19) = "SECRETS/DOMGUID/R3I"
data(16) = "\DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B"
}
{
key(19) = "SECRETS/SID/LANYARD"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
{
key(15) = "SECRETS/SID/R3I"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
[root@tacs-dc samba]# net rpc trustdom list -U shubes
Password:
Trusted domains list:

none

Trusting domains list:

none
[root@tacs-dc samba]#


I've migrated everything (accounts, tdb files) to a new host, and 
changed the LANYARD record to TACS-DC in the secrets.tdb, which 
corresponds to the new hostname:

[root@tacs-dc private]# net getdomainsid
SID for local machine TACS-DC is: S-1-5-21-93357678-3857568473-1617xx
SID for domain R3I is: S-1-5-21-93357678-3857568473-1617xx
[root@tacs-dc private]# tdbdump secrets.tdb
{
key(19) = "SECRETS/DOMGUID/R3I"
data(16) = "\DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B"
}
{
key(19) = "SECRETS/SID/TACS-DC"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
{
key(15) = "SECRETS/SID/R3I"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
[root@tacs-dc private]# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
[root@tacs-dc private]#

Everything appears to be working, except that the new host isn't 
recognized as a domain controller. Note that workstations are able to 
log on to the domain using the new DC host though.


I'm guessing that adding a TACS-DC record to the old host would fix the 
problem of not being able to get its SID.


I'm also guessing that adding a LANYARD record to the new host *might* 
make it recognize that it's a domain controller. I hope to test this 
later today, when users are gone.


It appears to me that the original host name which created the domain is 
stored in some way somewhere else (I see it in the USER_ records in the 
passdb.tdb file). If so, can this somehow be changed? The documentation 
I've found all says how to migrate to another host keeping the host name 
the same, but I haven't been able to find anything about changing the 
host name.


Does anyone have any other ideas why this new host isn't being 
recognized as a DC?


Thanks.

--
-Eric 'shubes'
On 04/29/2010 03:08 AM, Frank Stanek wrote:

Hello,

I recently noticed a problem on our PDC (samba 3.0.32
on SLES 10 SP2) which I kind of know how to solve after
web research but I am unclear about the possible
consequences for our domain and clients.

The situation is this:
Originally samba was set up on this machine to test. Back
then its hostname was infrahostnew, so there is a SID for
that NETBIOS name in secrets.tdb. When the PDC went in
production, we had to change the hostname to infrahost.
We then provisioned our domain MYDOMAIN. Now there is also
a SID for MYDOMAIN in secrets.tdb which is different than
the SID of infrahostnew. Also there is no SID at all for
the new NETBIOS name infrahost. This causes for example
net getlocalsid to fail.

My research suggests that the NETBIOS name SID of the PDC
infrahost should be the same as the domain SID, is that
correct? Also, I found an article that dealt with inconsistent
SIDs; it suggested to set the NETBIOS SID to be the same
as the domain SID. But this article dealt with the case
that there actually _is_ a NETBIOS SID in secrets.tdb but
it's not the same as the domain SID. This is not our case
however since there is no SID at all for the NETBIOS name.

We haven't noticed any problems because of this at all,
I just stumbled upon it when I went to check the SIDs
routinely. How would you suggest I proceed in this situation?
Should we set the NETBIOS SID to be the same as the domain
SID with net setlocalsid? What possible consequences could
there be? We are very concerned that this may introduce problems
for our clients that we don't have at the moment. But I
wouldn't like to keep things in an inconsistent state like
this either.

I'd be glad for any insights.

Regards
Frank
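The `SECRETS/SID/<name>` records shown in the `tdbdump` output above hold a 68-byte binary SID, and both situations discussed in this thread (no record for the current host name, or a host SID that differs from the domain SID) can be read straight from a dump. The Python script below is an added example, not part of the thread and not Samba code: it undoes the `tdbdump` escaping, decodes the SID and reports which names have a record. The SID value in the sample is constructed; the names LANYARD, TACS-DC and R3I are taken from the post, and all function names are assumptions.

```python
#!/usr/bin/env python3
"""Decode SECRETS/SID/* records from `tdbdump secrets.tdb` output."""
import re
import struct
import sys

LINE_RE = re.compile(r'^(key|data)\((\d+)\) = "(.*)"\s*$')
SID_PREFIX = "SECRETS/SID/"

# Constructed SID S-1-5-21-1111111111-2222222222-3333333333, padded to 68 bytes.
_SID = r"\01\04\00\00\00\00\00\05\15\00\00\00\C75:B\8Ekt\84U\A1\AE\C6" + r"\00" * 44
# Constructed dump laid out like the old host's secrets.tdb in the post.
SAMPLE_DUMP = "\n".join([
    "{", 'key(19) = "SECRETS/DOMGUID/R3I"', 'data(16) = "' + r"\11" * 16 + '"', "}",
    "{", 'key(19) = "SECRETS/SID/LANYARD"', 'data(68) = "' + _SID + '"', "}",
    "{", 'key(15) = "SECRETS/SID/R3I"', 'data(68) = "' + _SID + '"', "}",
])


def unescape_tdb(text):
    """Undo tdbdump quoting: printable bytes are literal, others are \\XX hex."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)


def parse_tdbdump(text):
    """Yield (key, data); data is None when it is shorter or longer than declared."""
    key = None
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        declared, body = int(match.group(2)), unescape_tdb(match.group(3))
        if match.group(1) == "key":
            key = body.decode("ascii", "replace")
        elif key is not None:
            yield key, (body if len(body) == declared else None)
            key = None


def decode_sid(blob):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then little-endian 32-bit sub-authorities."""
    if len(blob) < 8 or blob[1] > 15 or len(blob) < 8 + 4 * blob[1]:
        raise ValueError("not a binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % blob[1], blob, 8)
    return "S-%d-%d" % (blob[0], authority) + "".join("-%d" % s for s in subs)


def check_local_sid(dump_text, netbios_name, domain):
    """Summarise the SID records for the current host name and the domain."""
    sids, damaged = {}, []
    for key, data in parse_tdbdump(dump_text):
        if not key.startswith(SID_PREFIX):
            continue
        name = key[len(SID_PREFIX):].upper()
        if data is None:
            damaged.append(name)  # e.g. a dump truncated with "(...)"
        else:
            sids[name] = decode_sid(data)
    host, dom = netbios_name.upper(), domain.upper()
    return {
        "local_sid": sids.get(host),
        "domain_sid": sids.get(dom),
        "matches_domain": host in sids and sids[host] == sids.get(dom),
        "other_names": sorted(n for n in sids if n not in (host, dom)),
        "damaged": damaged,
    }


if __name__ == "__main__":
    # Usage: tdbdump secrets.tdb | python3 this_script.py TACS-DC R3I
    if len(sys.argv) == 3:
        result = check_local_sid(sys.stdin.read(), sys.argv[1], sys.argv[2])
    else:
        result = check_local_sid(SAMPLE_DUMP, "TACS-DC", "R3I")
    for field, value in result.items():
        print("%-15s %s" % (field, value))
```

On the constructed sample the host name TACS-DC has no record while LANYARD appears under `other_names`, which is the state of the old host described above. secrets.tdb also stores account secrets, so run this on the server itself rather than copying the dump elsewhere.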







Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread David González Herrera - [DGHVoIP]

On 6/4/2013 8:35 AM, Ricky Nance wrote:

@Giedrius
"Not exactly, as I wrote in my other posts to mailing list, this is 
glibc's nss dns resolvers'  (libnss_dns.so) issue that is ignoring 
hostnames with "_" (*_*msdcs)"


Which OS's does that affect?

PDC  is Ubuntu 12.0.4

root@samba:~# cat /etc/debian_version
wheezy/sid

root@samba:~# samba -V
Version 4.1.0pre1-GIT-8bf3112

BDC is on Ubuntu Server 12.0.4

root@bdc:~# samba -V
Version 4.1.0pre1-GIT-b238008




@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and 
on dcB ip.to.dc.b if so, what happens when you set them both to A? how 
about when you set them both to B? I'd play around with that a bit 
until you get a good replication, then restart samba on both DC's and 
set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b) .


Yes, after putting ip.to.dc.a on DCB and vice-versa I get the same can't 
find bla.blah.msc A record, it only works back again when I add the 
name to /etc/hosts.


Is there any patch I can apply to samba or the like to have this fixed?.

Thanks.



Ricky


On Tue, Jun 4, 2013 at 1:59 AM, "David González Herrera - [DGHVoIP]" 
<i...@dghvoip.com> wrote:


On 6/4/2013 1:28 AM, Giedrius wrote:

2013.06.04 09:10, "David González Herrera - [DGHVoIP]" wrote:

On 6/3/2013 11:57 PM, Giedrius wrote:

Hi,

2013.06.04 04:16, "David González Herrera - [DGHVoIP]"
wrote:

Hi,

Let's see if any of the questions gets answered or
at least I get
pointed to something that can help me.

I followed this wiki:

http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and
installed another S4 to
replicate the first server and joined successfully
to the domain but
replication seems to be broken.

Command used:


root@bdc:~# samba-tool domain join mundo.local DC
-Uadministrator
--realm=mundo.local --password=Mugr3P0pO
--dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding

CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS

Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain
Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local]
objects[402/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local]
objects[804/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local]
objects[1206/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local]
objects[1608/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local]
objects[1614/1614]
linked_values[28/0]
Replicating critical objects from the base DN of
the domain
Partition[DC=mundo,DC=local] objects[98/98]
linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238]
linked_values[74/0]
D

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread Giedrius
Hi,
2013.06.04 16:35, Ricky Nance wrote:
> @Giedrius
> "Not exactly, as I wrote in my other posts to mailing list, this
> is glibc's nss dns resolvers'  (libnss_dns.so) issue that is
> ignoring hostnames with "_" (*_*msdcs)"
>
> Which OS's does that affect?
I personally tested this on openSUSE 12.2 and 12.3 (bug report:
https://bugzilla.novell.com/show_bug.cgi?id=822414)
From the mailing list - seems this bug is much more widespread
>
> @David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and
> on dcB ip.to.dc.b if so, what happens when you set them both to A? how
> about when you set them both to B? I'd play around with that a bit
> until you get a good replication, then restart samba on both DC's and
> set them properly (dcA needs ip.to.dc.a and dcB needs ip.to.dc.b) .
I doubt this would change anything, given there is a working DNS,
allow-query / firewall setup. but this is easily checked with host /
dig / nslookup commands.
And for that matter - his DNS setup is working: host / dig tests are not
failing
The problem is with the RESOLVER LIBRARY failing (at least in my case) to
return replies from DNS, so changing DNS servers address will not in
any way fix the problem.
It simply will not be returned to the program through the system calls
(at least for me, tcpdump showed DNS *is* replying)
Better solution is to fix that damn bug in glibc (or use /etc/hosts |
mdns | whatever) and specify BOTH dcA AND dcB in resolv.conf.
So that if one of them fails - the other replies.
>
> Ricky
>
>
> On Tue, Jun 4, 2013 at 1:59 AM, "David González Herrera - [DGHVoIP]"
> <i...@dghvoip.com> wrote:
>
> On 6/4/2013 1:28 AM, Giedrius wrote:
>
> 2013.06.04 09:10, "David González Herrera - [DGHVoIP]" wrote:
>
> On 6/3/2013 11:57 PM, Giedrius wrote:
>
> Hi,
>
> 2013.06.04 04:16, "David González Herrera - [DGHVoIP]"
> wrote:
>
> Hi,
>
> Let's see if any of the questions gets answered or
> at least I get
> pointed to something that can help me.
>
> I followed this wiki:
> 
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain
>
> I have my S4 domain running, I compiled and
> installed another S4 to
> replicate the first server and joined successfully
> to the domain but
> replication seems to be broken.
>
> Command used:
>
>
> root@bdc:~# samba-tool domain join mundo.local DC
> -Uadministrator
> --realm=mundo.local --password=Mugr3P0pO
> --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mundo.local'
> Found DC samba.mundo.local
> workgroup is mundo
> realm is mundo.local
> checking sAMAccountName
> Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
> Adding
> 
> CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding CN=NTDS
> 
> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding SPNs to CN=BDC,OU=Domain
> Controllers,DC=mundo,DC=local
> Setting account password for BDC$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=mundo,DC=local
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mundo,DC=local]
> objects[402/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local]
> objects[804/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local]
> objects[1206/1614]
> linked_values[0/0]
> Partition[CN=Conf
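The distinction drawn in this message, a DNS server that answers while programs going through the libc resolver get nothing, can be tested per domain controller. The Python script below is an added example, not part of the thread and not Samba code: it builds each DC's `<objectGUID>._msdcs.<realm>` alias from `ldbsearch` output and compares a direct query with `host` against `getaddrinfo()`. The sample records are the two quoted earlier in the thread; the function names and verdict labels are assumptions, and `host` is assumed to be installed.

```python
#!/usr/bin/env python3
"""Compare direct DNS answers with libc (NSS) resolution for DC GUID aliases."""
import re
import socket
import subprocess
import sys

GUID_RE = re.compile(r"^objectGUID:\s*([0-9a-fA-F-]{36})$")
SERVER_RE = re.compile(r"Settings,CN=([^,]+),CN=Servers")

# The two records from the ldbsearch output quoted in the thread.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
"""


def dc_aliases(ldbsearch_text, realm):
    """Map each DC name to the <objectGUID>._msdcs.<realm> name replication uses."""
    aliases, dn = {}, ""
    for raw in ldbsearch_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        guid = GUID_RE.match(line)
        if line.startswith("dn:"):
            dn = line
        elif guid:
            server = SERVER_RE.search(dn)
            if server:
                aliases[server.group(1)] = "%s._msdcs.%s" % (guid.group(1).lower(), realm)
            dn = ""
        else:
            dn += line  # continuation of a dn that was wrapped onto a new line
    return aliases


def dns_lookup(name):
    """Ask the DNS server directly with host(1), which does not go through NSS."""
    try:
        done = subprocess.run(["host", name], stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=10)
        return done.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def libc_lookup(name):
    """Resolve through getaddrinfo(), the libc path that daemons use."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except (socket.gaierror, UnicodeError):
        return False


def classify(dns_ok, libc_ok):
    if dns_ok and libc_ok:
        return "ok"
    if dns_ok:
        return "resolver-library"  # server answers, the libc path returns nothing
    if libc_ok:
        return "local-only"        # resolves locally (e.g. /etc/hosts) but not in DNS
    return "dns-missing"


def check_dcs(ldbsearch_text, realm, dns=dns_lookup, libc=libc_lookup):
    """Return {dc_name: (alias, verdict)} for every DC found in the output."""
    return {server: (alias, classify(dns(alias), libc(alias)))
            for server, alias in dc_aliases(ldbsearch_text, realm).items()}


if __name__ == "__main__":
    # Usage: ldbsearch ... objectguid | python3 this_script.py mundo.local
    realm = sys.argv[1] if len(sys.argv) > 1 else "mundo.local"
    text = SAMPLE_LDBSEARCH if sys.stdin.isatty() else sys.stdin.read()
    for server, (alias, verdict) in sorted(check_dcs(text, realm).items()):
        print("%-8s %-58s %s" % (server, alias, verdict))
```

A `resolver-library` verdict corresponds to the case described in this message: changing the nameserver entries will not help, because the server already answers.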

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-04 Thread Ricky Nance
@Giedrius
"Not exactly, as I wrote in my other posts to mailing list, this is glibc's
nss dns resolvers'  (libnss_dns.so) issue that is ignoring hostnames with
"_" (*_*msdcs)"

Which OS's does that affect?

@David, Is your nameserver (in /etc/resolv.conf) on dcA ip.to.dc.a and on
dcB ip.to.dc.b if so, what happens when you set them both to A? how about
when you set them both to B? I'd play around with that a bit until you get
a good replication, then restart samba on both DC's and set them properly
(dcA needs ip.to.dc.a and dcB needs ip.to.dc.b) .

Ricky


On Tue, Jun 4, 2013 at 1:59 AM, "David González Herrera - [DGHVoIP]" <
i...@dghvoip.com> wrote:

> On 6/4/2013 1:28 AM, Giedrius wrote:
>
>> 2013.06.04 09:10, "David González Herrera - [DGHVoIP]" wrote:
>>
>>> On 6/3/2013 11:57 PM, Giedrius wrote:
>>>
 Hi,

 2013.06.04 04:16, "David González Herrera - [DGHVoIP]" wrote:

> Hi,
>
> Let's see if any of the questions gets answered or at least I get
> pointed to something that can help me.
>
> I followed this wiki:
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain
>
> I have my S4 domain running, I compiled and installed another S4 to
> replicate the first server and joined successfully to the domain but
> replication seems to be broken.
>
> Command used:
>
>
> root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
> --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mundo.local'
> Found DC samba.mundo.local
> workgroup is mundo
> realm is mundo.local
> checking sAMAccountName
> Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
> Adding
> CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding CN=NTDS
> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
> Setting account password for BDC$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=mundo,DC=local
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
> linked_values[28/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
> Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mundo,DC=local
> Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mundo,DC=local
> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
> linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
> linked_values[0/0]
> Committing SAM database
> Sending DsReplicateUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
> a DC
>
> Seemed to have succeeded, then I ran the recommended tests
>
> # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
> --cross-ncs objectguid
> # record 1
> dn: CN=NTDS
> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
>
> # record 2
> dn: CN=NTDS
> Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> objectGUID: ad828198-a723-44c2-8d7f-d5f801e

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread David González Herrera - [DGHVoIP]

On 6/4/2013 1:28 AM, Giedrius wrote:

2013.06.04 09:10, "David González Herrera - [DGHVoIP]" wrote:

On 6/3/2013 11:57 PM, Giedrius wrote:

Hi,

2013.06.04 04:16, "David González Herrera - [DGHVoIP]" wrote:

Hi,

Let's see if any of the questions gets answered or at least I get
pointed to something that can help me.

I followed this wiki:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and installed another S4 to
replicate the first server and joined successfully to the domain but
replication seems to be broken.

Command used:


root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
--realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding
CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
--cross-ncs objectguid
# record 1
dn: CN=NTDS
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS
Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

# returned 2 records
# 2 entries
# 0 referrals


These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
for samba.mundo.local.

host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
for bdc.mundo.local.

root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20

root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5


Error showing up on the BDC

dns child failed to find name
'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
: WERR_BADFILE *

Did you AT LEAST search the mailing list???
Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name

Yes I searched the ML with no luck.

Yes, I did and it works, I had to add
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local to /etc/hosts
and it works.

So I think it's a DNS issue.

Not exactly, as I wrote in my other posts to mailing list, this is
glibc's nss dns resolvers'  (libnss_dns.so) issue that is ignoring
hostnames with "_" (

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread Giedrius
2013.06.04 09:10, "David González Herrera - [DGHVoIP]" wrote:
> On 6/3/2013 11:57 PM, Giedrius wrote:
>> Hi,
>>
>> 2013.06.04 04:16, "David González Herrera - [DGHVoIP]" wrote:
>>> Hi,
>>>
>>> Let's see if any of the questions gets answered or at least I get
>>> pointed to something that can help me.
>>>
>>> I followed this wiki:
>>> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain
>>>
>>> I have my S4 domain running, I compiled and installed another S4 to
>>> replicate the first server and joined successfully to the domain but
>>> replication seems to be broken.
>>>
>>> Command used:
>>>
>>>
>>> root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
>>> --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
>>> Finding a writeable DC for domain 'mundo.local'
>>> Found DC samba.mundo.local
>>> workgroup is mundo
>>> realm is mundo.local
>>> checking sAMAccountName
>>> Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
>>> Adding
>>> CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
>>> Adding CN=NTDS
>>> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
>>> Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
>>> Setting account password for BDC$
>>> Enabling account
>>> Calling bare provision
>>> No IPv6 address will be assigned
>>> Provision OK for domain DN DC=mundo,DC=local
>>> Starting replication
>>> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
>>> objects[402/1550] linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
>>> objects[804/1550] linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
>>> objects[1206/1550] linked_values[0/0]
>>> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
>>> objects[1550/1550] linked_values[0/0]
>>> Analyze and apply schema objects
>>> Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
>>> linked_values[0/0]
>>> Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
>>> linked_values[28/0]
>>> Replicating critical objects from the base DN of the domain
>>> Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
>>> Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
>>> Done with always replicated NC (base, config, schema)
>>> Replicating DC=DomainDnsZones,DC=mundo,DC=local
>>> Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
>>> linked_values[0/0]
>>> Replicating DC=ForestDnsZones,DC=mundo,DC=local
>>> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
>>> linked_values[0/0]
>>> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
>>> linked_values[0/0]
>>> Committing SAM database
>>> Sending DsReplicateUpdateRefs for all the replicated partitions
>>> Setting isSynchronized and dsServiceName
>>> Setting up secrets database
>>> Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
>>> a DC
>>>
>>> Seemed to have succeeded, then I ran the recommended tests
>>>
>>> # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
>>> --cross-ncs objectguid
>>> # record 1
>>> dn: CN=NTDS
>>> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
>>> objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
>>>
>>> # record 2
>>> dn: CN=NTDS
>>> Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
>>> objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
>>>
>>> # returned 2 records
>>> # 2 entries
>>> # 0 referrals
>>>
>>>
>>> These tests run from the BDC seem to work.
>>>
>>> host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
>>> ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
>>> for samba.mundo.local.
>>>
>>> host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
>>> 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
>>> for bdc.mundo.local.
>>>
>>> root@bdc:~# host -t A bdc.mundo.local.
>>> bdc.mundo.local has address 10.10.10.20
>>>
>>> root@bdc:~# host -t A samba.mundo.local.
>>> samba.mundo.local has address 10.10.10.5
>>>
>>>
>>> Error showing up on the BDC
>>>
>>> dns child failed to find name
>>> 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
>>> dreplsrv_notify: Failed to send DsReplicaSync to
>>> ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
>>> CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
>>> : WERR_BADFILE *
>> Did you AT LEAST search the mailing list???
>> Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
>>

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread David González Herrera - [DGHVoIP]

On 6/3/2013 11:57 PM, Giedrius wrote:

Hi,

2013.06.04 04:16, "David González Herrera - [DGHVoIP]" wrote:

Hi,

Let's see if any of the questions gets answered or at least I get
pointed to something that can help me.

I followed this wiki:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain

I have my S4 domain running, I compiled and installed another S4 to
replicate the first server and joined successfully to the domain but
replication seems to be broken.

Command used:


root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
--realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding
CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
objects[1550/1550] linked_values[0/0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
linked_values[28/0]
Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
linked_values[0/0]
Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
linked_values[0/0]
Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
--cross-ncs objectguid
# record 1
dn: CN=NTDS
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS
Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

# returned 2 records
# 2 entries
# 0 referrals


These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
for samba.mundo.local.

host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
for bdc.mundo.local.

root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20

root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5


Error showing up on the BDC

dns child failed to find name
'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
: WERR_BADFILE *

Did you AT LEAST search the mailing list???
Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name

Yes I searched the ML with no luck.

Yes, I did and it works, I had to add
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local to /etc/hosts
and it works.


So I think it's a DNS issue.

Thanks for your answer.

I tried to check replication status but this error shows

root@bdc:~# samba-tool drs showrepl
Default-First-Site-Name\BDC
DSA Options: 0x0001
DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
DSA invocationId: 609fd8be
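
The check suggested in this exchange, as an added example (not code from the thread or from Samba): it parses `ldbsearch` output like the one quoted above, builds each DC's `<objectGUID>._msdcs.<realm>` name and resolves it through the system resolver (`getaddrinfo`, the NSS path `ping` uses) instead of `host`. The function names are hypothetical and the sample output is constructed from the values quoted in the thread.

```python
import re
import socket

# Constructed sample: ldbsearch output as quoted in the thread, including the
# mail-wrapped "dn:" lines.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=NTDS
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS
Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

# returned 2 records
"""

GUID_RE = re.compile(
    r"objectGUID:\s*([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})", re.IGNORECASE)
SERVER_RE = re.compile(r"Settings,CN=([^,]+),CN=Servers,", re.IGNORECASE)


def parse_dsa_records(text):
    """Return [(server, guid)] for every NTDS Settings record in ldbsearch output."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text):
        joined = ""
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            # An LDIF-folded line starts with one space and continues the
            # previous line directly; a mail-wrapped line is joined with a space.
            joined += line[1:] if line.startswith(" ") else " " + line
        guid = GUID_RE.search(joined)
        server = SERVER_RE.search(joined)
        if guid and server:
            records.append((server.group(1), guid.group(1).lower()))
    return records


def resolve_a(name, resolver=socket.getaddrinfo):
    """IPv4 addresses for name via the system resolver, [] if it does not resolve."""
    try:
        infos = resolver(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_dsa_names(ldbsearch_text, dns_domain, resolver=socket.getaddrinfo):
    """Map each DC to (its GUID-based _msdcs name, addresses the resolver returned)."""
    result = {}
    for server, guid in parse_dsa_records(ldbsearch_text):
        name = f"{guid}._msdcs.{dns_domain}"
        result[server] = (name, resolve_a(name, resolver))
    return result


if __name__ == "__main__":
    checked = check_dsa_names(SAMPLE_LDBSEARCH, "mundo.local")
    for server, (name, addrs) in checked.items():
        print(f"{server:8} {name} -> {', '.join(addrs) or 'NOT RESOLVABLE'}")
```

An empty address list for a DC here, while `host -t CNAME` succeeds for the same name, points at the local resolver configuration rather than at the zone data.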

Re: [Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread Giedrius
Hi,

2013.06.04 04:16, "David González Herrera - [DGHVoIP]" rašė:
> Hi,
>
> Let's see if any of the questions gets answered or at least I get
> pointed to something that can help me.
>
> I followed this wiki:
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain
>
> I have my S4 domain running, I compiled and installed another S4 to
> replicate the first server and joined successfully to the domain but
> replication seems to be broken.
>
> Command used:
>
>
> root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator
> --realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ
> Finding a writeable DC for domain 'mundo.local'
> Found DC samba.mundo.local
> workgroup is mundo
> realm is mundo.local
> checking sAMAccountName
> Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
> Adding
> CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding CN=NTDS
> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
> Setting account password for BDC$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=mundo,DC=local
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local]
> objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614]
> linked_values[0/0]
> Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614]
> linked_values[28/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
> Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=mundo,DC=local
> Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42]
> linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=mundo,DC=local
> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18]
> linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18]
> linked_values[0/0]
> Committing SAM database
> Sending DsReplicateUpdateRefs for all the replicated partitions
> Setting isSynchronized and dsServiceName
> Setting up secrets database
> Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as
> a DC
>
> Seemed to have succeeded, then I ran the recommended tests
>
> # ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)'
> --cross-ncs objectguid
> # record 1
> dn: CN=NTDS
> Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
>
> # record 2
> dn: CN=NTDS
> Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
> objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f
>
> # returned 2 records
> # 2 entries
> # 0 referrals
>
>
> These tests run from the BDC seem to work.
>
> host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
> ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias
> for samba.mundo.local.
>
> host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
> 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias
> for bdc.mundo.local.
>
> root@bdc:~# host -t A bdc.mundo.local.
> bdc.mundo.local has address 10.10.10.20
>
> root@bdc:~# host -t A samba.mundo.local.
> samba.mundo.local has address 10.10.10.5
>
>
> Error showing up on the BDC
>
> dns child failed to find name
> 'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
> dreplsrv_notify: Failed to send DsReplicaSync to
> ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for
> CN=Configuration,DC=mundo,DC=local - *NT_STATUS_OBJECT_NAME_NOT_FOUND
> : WERR_BADFILE *
Did you AT LEAST search the mailing list???
Check if ping (or any program using GLIBC's *NSS* DNS resolver) can
resolve your 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local name
>
> I tried to check replication status but this error shows
>
> root@bdc:~# samba-tool drs showrepl
> Default-First-Site-Name\BDC
> DSA Options: 0x0001
> DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
> DSA invocationId: 609fd8be-7e0c-49ca-a5f5-1a68237ef03f
>
> =

[Samba] Replication Samba PDC to Samba BDC

2013-06-03 Thread David González Herrera - [DGHVoIP]

Hi,

Let's see if any of the questions gets answered or at least I get
pointed to something that can help me.


I followed this wiki: 
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC#Getting_ready_for_joining_Samba_as_a_DC_to_an_existing_domain


I have my S4 domain running, I compiled and installed another S4 to 
replicate the first server and joined successfully to the domain but 
replication seems to be broken.


Command used:


root@bdc:~# samba-tool domain join mundo.local DC -Uadministrator 
--realm=mundo.local --password=Mugr3P0pO --dns-backend=BIND9_DLZ

Finding a writeable DC for domain 'mundo.local'
Found DC samba.mundo.local
workgroup is mundo
realm is mundo.local
checking sAMAccountName
Adding CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Adding 
CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local
Adding CN=NTDS 
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local

Adding SPNs to CN=BDC,OU=Domain Controllers,DC=mundo,DC=local
Setting account password for BDC$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=mundo,DC=local
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] 
objects[402/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] 
objects[804/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] 
objects[1206/1550] linked_values[0/0]
Schema-DN[CN=Schema,CN=Configuration,DC=mundo,DC=local] 
objects[1550/1550] linked_values[0/0]

Analyze and apply schema objects
Partition[CN=Configuration,DC=mundo,DC=local] objects[402/1614] 
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[804/1614] 
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1206/1614] 
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1608/1614] 
linked_values[0/0]
Partition[CN=Configuration,DC=mundo,DC=local] objects[1614/1614] 
linked_values[28/0]

Replicating critical objects from the base DN of the domain
Partition[DC=mundo,DC=local] objects[98/98] linked_values[31/0]
Partition[DC=mundo,DC=local] objects[336/238] linked_values[74/0]
Done with always replicated NC (base, config, schema)
Replicating DC=DomainDnsZones,DC=mundo,DC=local
Partition[DC=DomainDnsZones,DC=mundo,DC=local] objects[42/42] 
linked_values[0/0]

Replicating DC=ForestDnsZones,DC=mundo,DC=local
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[18/18] 
linked_values[0/0]
Partition[DC=ForestDnsZones,DC=mundo,DC=local] objects[36/18] 
linked_values[0/0]

Committing SAM database
Sending DsReplicateUpdateRefs for all the replicated partitions
Setting isSynchronized and dsServiceName
Setting up secrets database
Joined domain mundo (SID S-1-5-21-1918558401-2200574552-2151153235) as a DC

Seemed to have succeeded, then I ran the recommended tests

# ldbsearch -H /usr/local/samba/private/sam.ldb '(invocationid=*)' 
--cross-ncs objectguid

# record 1
dn: CN=NTDS 
Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local

objectGUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7

# record 2
dn: CN=NTDS 
Settings,CN=SAMBA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mundo,DC=local

objectGUID: ad828198-a723-44c2-8d7f-d5f801e2849f

# returned 2 records
# 2 entries
# 0 referrals


These tests run from the BDC seem to work.

host -t CNAME ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local is an alias for 
samba.mundo.local.


host -t CNAME 7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local
7106cbf4-3cf6-4ed9-b019-dd937035b1e7._msdcs.mundo.local is an alias for 
bdc.mundo.local.


root@bdc:~# host -t A bdc.mundo.local.
bdc.mundo.local has address 10.10.10.20

root@bdc:~# host -t A samba.mundo.local.
samba.mundo.local has address 10.10.10.5


Error showing up on the BDC

dns child failed to find name 
'ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local' of type A
dreplsrv_notify: Failed to send DsReplicaSync to 
ad828198-a723-44c2-8d7f-d5f801e2849f._msdcs.mundo.local for 
CN=Configuration,DC=mundo,DC=local - NT_STATUS_OBJECT_NAME_NOT_FOUND : 
WERR_BADFILE


I tried to check replication status but this error shows

root@bdc:~# samba-tool drs showrepl
Default-First-Site-Name\BDC
DSA Options: 0x0001
DSA object GUID: 7106cbf4-3cf6-4ed9-b019-dd937035b1e7
DSA invocationId: 609fd8be-7e0c-49ca-a5f5-1a68237ef03f

 INBOUND NEIGHBORS 

DC=mundo,DC=local
Default-First-Site-Name\SAMBA via RPC
DSA object GUID: ad828198-a723-44c2-8d7f-d5f801e2849f
Last attempt @ Mon Jun  3 20:58:43 2013 EDT failed, 
result 2 (WERR_BADFILE)

8 consecutive failure(s).
Last success @ Mon Jun  3 20:35:43 2013 EDT

CN=Schema,CN=Configuration,DC=mundo,DC=local
Default-First-Site-Name\SAMBA via RPC
   

Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-04-29 Thread Sreejith ir
Hiii

Were you able to resolve the issue?
Thanks for the reply

-Sreejith
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-22 Thread Jörg Nissen
Something weird...

I connected one notebook to another samba (v3.5.5) network. Logged in as
a local user on the notebook and guess what. The complete network
environment is shown.
The main difference between these two networks, apart from the version
number of smbd, is that the working network is based on ldap while the
not working network is based on tdb.

Another small difference in smb.conf:

3.5.5:  name resolve order = bcast lmhosts host
3.6.12: name resolve order = wins bcast lmhosts hosts


Going to check if it has any impact if I remove "wins" from 
"name resolve order".

And another small difference:

In v3.5.5 computers are members of "Domain Users" while v3.6.12 
lists them in "Domain Computers". Also going to check if this makes 
any difference.

The last thing I will check is if it makes any difference when 
I login to a local account on my client.

Will keep you updated.



Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-21 Thread Jörg Nissen
Jörg Nissen  nissen.de.hm> writes:

Looks like I'm talking to myself all the time. 
Anyway, solved this small problem.
Accidentally the parameter "client use spnego" was set to "no" during testing. 
Setting it back to "yes" made the client tools on the server behave normally.

Still looking for help on my starting post.



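
An added example (not from the thread or from Samba): a check that reads the `[global]` section of an smb.conf and reports client authentication parameters that differ from a baseline, such as a `client use spnego = no` left over from testing or the `client NTLMv2 auth` / `client lanman auth` change described in the same thread. The values in `EXPECTED` are this example's assumption, the function names are hypothetical and the sample configuration is constructed from settings quoted on this page.

```python
import re

# Assumption of this example: the baseline the configuration is compared with.
EXPECTED = {
    "client use spnego": True,
    "client NTLMv2 auth": True,
    "client lanman auth": False,
}
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}

# Constructed sample built from parameters quoted in the thread.
SAMPLE_CONF = """\
[global]
    passdb backend = tdbsam
    client NTLMv2 auth = no
    client lanman auth = yes
    Client Use SPNEGO = No
    socket options = SO_KEEPALIVE \\
        TCP_NODELAY
; client lanman auth = no
[profiles]
    read only = No
"""


def normalise(name):
    """smb.conf section and parameter names ignore case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def read_global(text):
    """Return {normalised parameter name: raw value} for the [global] section."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # value continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = normalise(line[1:-1])
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' is significant
            params[normalise(key)] = value.strip()
    return params


def audit(text, expected=EXPECTED):
    """List (parameter, configured value, expected value) for every deviation."""
    params = read_global(text)
    findings = []
    for name, want in expected.items():
        key = normalise(name)
        if key not in params:
            continue                         # not set: Samba's built-in default applies
        word = params[key].lower()
        got = True if word in TRUE_WORDS else False if word in FALSE_WORDS else None
        if got != want:                      # also reports values that are not boolean
            findings.append((name, params[key], "yes" if want else "no"))
    return findings


if __name__ == "__main__":
    for name, configured, wanted in audit(SAMPLE_CONF):
        print(f"{name} = {configured}  (baseline: {wanted})")
```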

Re: [Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-21 Thread Jörg Nissen
Something I came across. Don't know if it is related. Trying to connect to a 
Windows 8 share from my PDC results in

cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

when "client NTLMv2 auth = yes" set in smb.conf. "smbtree" executed by a domain 
admin user lists all shares on PDC and nas but only the name of the client.

Changing settings to

client NTLMv2 auth = no
client lanman auth = yes

gives access to shares on the Windows 8 client. "smbtree" lists all 
administrative shares (C$, D$, etc.) on Windows 8 client.

---
There are some entries in the samba logfile for client "JOGO" which seem to be 
problem related:

[2013/02/21 12:17:27.638163,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:27.762403,  2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain  -> S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:32.774569,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client JOGO machine account JOGO$
[2013/02/21 12:17:32.777495,  2] rpc_server/samr/srv_samr_nt.c:4071(_samr_LookupDomain)
  Returning domain sid for domain  -> S-1-5-21-3406496673-2355577635-1274693878
[2013/02/21 12:17:45.665467,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:03.168300,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:18:50.279081,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/02/21 12:21:36.293203,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET


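
An added example (not from the thread or from Samba): a parser for the two-line entry format of `log.smbd` shown above that counts `_netr_ServerAuthenticate3` rejections per machine account, so an account that keeps failing the netlogon credential check stands out from the surrounding level-2 noise. The function names are hypothetical; the sample log is constructed from the JOGO and BRIX entries quoted on this page.

```python
import re
from datetime import datetime

# Header line of a Samba log entry: [timestamp, level] source.c:line(function)
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*(?P<level>\d+)\]"
    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\.\s+Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+)")

# Constructed sample assembled from log lines quoted on this page.
SAMPLE_LOG = """\
[2013/02/21 12:17:27.638163,  0] rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2
[2013/02/21 12:17:32.774569,  2] ../libcli/auth/credentials.c:308(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/21 12:17:32.774681,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth
  request from client JOGO machine account JOGO$
[2013/02/21 12:17:45.665467,  2] smbd/smb2_server.c:2628(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
"""


def parse_entries(text):
    """Return [(timestamp, level, function, message)], one tuple per log entry."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m["level"]), m["func"], []]
            entries.append(current)
        elif current is not None and line.strip():
            current[3].append(line.strip())   # message lines follow their header
    return [(ts, lvl, fn, " ".join(msg)) for ts, lvl, fn, msg in entries]


def netlogon_rejections(text):
    """Summarise rejected machine-account authentications per account."""
    summary = {}
    for ts, _level, _func, message in parse_entries(text):
        m = REJECT_RE.search(message)
        if not m:
            continue
        rec = summary.setdefault(
            m["account"], {"client": m["client"], "count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return summary


def repeated_failures(text, threshold=3):
    """Accounts rejected at least `threshold` times in the given log text."""
    return sorted(a for a, r in netlogon_rejections(text).items()
                  if r["count"] >= threshold)


if __name__ == "__main__":
    for account, rec in netlogon_rejections(SAMPLE_LOG).items():
        print(f"{account:8} client={rec['client']} rejected={rec['count']} "
              f"first={rec['first']} last={rec['last']}")
```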


[Samba] Samba PDC not in network environment (Windows 7/8)

2013-02-21 Thread Jörg Nissen
I recently changed my clients (3 notebooks, 2 desktop pcs) from Windows XP Pro 
to Windows 7/8 Pro. I followed the guides that can be found on samba.org and 
all over the internet. Client migration worked after some minor trouble. There is 
only one thing left that I could not resolve the last few days. All clients see 
each other under "Network" but no client sees my samba server.

Though the samba PDC cannot be seen most of the network related stuff works as 
expected. Domain logons work, the per user netlogon script is executed 
(network shares on the PDC get mapped, time is synced), shares can be opened with 
"\\PDC\share". Executing "nbtstat" on the clients works except for 
"-[s|S|R|RR]" which results in "no connection". Executing 
"smbtree -N | smbclient -N" works on the PDC.

To prevent common questions:
- client installation is not older than 30 days
- disabled pw change after 30 days in registry
- no firewall on clients
- PDC firewall allows traffic to and from ports 137-139,445
- samba version Version 3.6.12-162.1-2943-SUSE-SL12.1-x86_64



Output of "netstat -an | egrep '13[789]|445'"
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 192.168.11.10:60002     192.168.11.230:445      VERBUNDEN
udp        0      0 192.168.11.255:137      0.0.0.0:*
udp        0      0 192.168.11.10:137       0.0.0.0:*
udp        0      0 0.0.0.0:137             0.0.0.0:*
udp        0      0 192.168.11.255:138      0.0.0.0:*
udp        0      0 192.168.11.10:138       0.0.0.0:*
udp        0      0 0.0.0.0:138             0.0.0.0:*

Remark: 192.168.11.230 is a nas storage which cannot be seen from clients 
either.



My "smb.conf":
[global]
unix charset = UTF8
display charset = UTF8
workgroup = 
server string = 
netbios name = 
netbios aliases = PDC
interfaces = eth0, 127.0.0.0/8
bind interfaces only = no
map to guest = Bad User
passdb backend = tdbsam
username map = /etc/samba/smbusers
username level = 1
server signing = auto
max protocol = SMB2
client NTLMv2 auth = Yes
log level = 2 smb:1 auth:1 sam:1 acls:1 passdb:1 tdb:1 winbind:1 idmap:1
syslog = 0
log file = /var/log/samba/log.%m
max xmit = 65535
name resolve order = wins bcast lmhosts hosts
time server = Yes
deadtime = 10
paranoid server security = No
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_BROADCAST SO_SNDBUF=16384 SO_RCVBUF=16384
hostname lookups = Yes
add user script = /usr/sbin/useradd -d /home/%u -g users -k /etc/samba/skel -m -s /bin/false %u
delete user script = /usr/sbin/userdel %u
add user to group script = /usr/sbin/usermod -G %g %u
set primary group script = /usr/sbin/usermod -g %g %u
delete user from group script = /usr/sbin/groupmod -R %u %g
add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false -g machines %u
logon script = %U.bat
logon path = \\%N\profiles\%U\%a
domain logons = Yes
os level = 88
preferred master = Yes
domain master = Yes
local master = yes
time server = yes
wins support = Yes
client use spnego = no
ldap ssl = no
winbind enum users = Yes
winbind enum groups = Yes
winbind expand groups = 3
winbind use default domain = no
winbind rpc only = Yes
winbind offline logon = no
idmap config * : backend = tdb
idmap config * : range = 15000 - 25000
encrypt passwords = yes
pam password change = yes
passwd program = /usr/bin/passwd %u
passwd chat = Neues*Passwort* %n\nGeben Sie das neue Passwort erneut ein* %n\nPass*dert.\n
veto files = /*.eml/*.nws/riched20.dll/*.{*}/
dos filetime resolution = Yes
printing = cups
printcap = cups

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = @samba-domain-admins @Administrators
read list = @samba-domain-users @machines @Familie
force group = samba-domain-users
browseable = No

[profiles]
path = /var/lib/samba/profiles
profile acls = yes
csc policy = disable
read only = No
browsable = no
store dos attributes = yes
guest ok = no
printable = no
hide files = /desktop.ini/*Briefcase*/
write list = %S %S%w%D root
hosts allow = 192.168.11., 127.0.0.1, 10.168.11.
cre

Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-28 Thread Eimac Dude

On 1/24/2013 7:31 PM, Nico Kadel-Garcia wrote:

On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude  wrote:

Brought in a new Windows 7 64-bit machine and that one works... So it seems
to be a Windows configuration issue, but what other settings could possibly
cause this authentication failure? The new machine is a recent clean install
and uses MSE as antivirus, whereas the older workstations use AVG and
Ad-Aware. But I doubt the antivirus could cause the difference. And I don't
see any difference in the network configuration of the machines. Any
suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically
configured in DNS? Do they both have all the system patches? And have
you tried yanking out AVG and replacing it with MSE?
All have same new patches. The new machine has a different hostname. But 
I've also tried changing the hostname of the old machine... The only 
thing I didn't test yet is removing AVG.



Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-28 Thread Moray Henderson
> From: Eimac Dude [mailto:eimacd...@aol.com]
> Sent: 24 January 2013 19:43
> To: samba@lists.samba.org
> Subject: [Samba] PDC: "The trust relationship ... failed" from the
> beginning
> 
> Hi,
> 
> When I try a net logon from Windows 7 64-bit Business (don't have any
> other Windows machines), I get "The trust relationship between this
> workstation and the primary domain failed". The discussion I've found
> around the Web regarding this error message seems to be only in the
> context of the 30 day password expiry issue, where the solution is to
> simply rejoin the domain. Unfortunately, I have this problem *always*,
> and rejoining does not help. I have not been able to do a net login at
> all, from the first time I tried. At the same time, there's no problem
> accessing the Samba shares by going to \\SMB in Windows Explorer and
> logging in with the same user accounts.
> 
> # smbstatus
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
> 
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS
> server; not using LDAP.
> 
> We had been using Samba for simple file sharing, with no domain
> functionality enabled, and with the Windows machines on the network
> configured as members of the workgroup. We recently decided to set
> Samba as a PDC and support roaming profiles, and have been blocked by
> this trust error.
> 
> I made some changes to smb.conf, which can be seen here:
> http://pastebin.com/raw.php?i=qKvQq3W2
> 
> The profiles directory was chmod 2775 and its group changed from root
> to users. The netlogon directory is 755. Initially, in smb.conf the
> name resolve order was starting with dns, but Windows 7 kept giving me
> an error about not finding the domain when I tried to change from
> workgroup to domain, so I took that out and set wins as the first item
> in the list.
> 
> # cat /etc/samba/smbusers:
> root = administrator Administrator admin
> nobody = guest pcguest smbguest
> 
> I added root to smbpasswd. I also executed the following:
> 
> net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
> net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
> net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
> net rpc rights grant -U root "URBASE\Domain Admins"
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> 
> The Windows machines are configured as specified on
> wiki.samba.org/index.php/Windows7 (that is, I only edited
> DomainCompatibilityMode and DNSNameResolutionRequired). Changing from
> workgroup to domain and rebooting, then trying to log in with one of
> the SMB users gives me the "The trust relationship between this
> workstation and the primary domain failed" error. I can only log into
> the local machine account. If, instead of changing from workgroup to
> domain directly, I try to use the network ID wizard, it eventually
> leads to the same error when it tries to set up the domain user.
> Looking at /etc/samba/smbpasswd, the machine account shows up there so
> the add machine script seems to be working; however,
> 
> # tail /var/log/samba/log.smbd
> [2013/01/23 14:26:16.350332, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:26:16.352562, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:37:22.518159, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> 
> Why is it not working? I don't know how to troubleshoot this. I've
> tried removing the machine from the domain then taking it out of
> smbpasswd and the Unix accounts, and then rejoining, but same errors. I
> tried manually adding the IP address in the Windows machine's WINS
> setting, but it doesn't make a difference.
> 
> One thing I'm unsure of is the DNS suffixes thing which seems to be
> mentioned on some sites in association with this. In the Windows
> clients, under "Append these DNS suffixes (in order)" we've normally
> had as suffix the DNS master zone for the LAN, which is different from
> the domain name in smb.conf -- if that matters at all given joining the
> domain should be using WINS instea

Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-24 Thread Nico Kadel-Garcia
On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude  wrote:
> Brought in a new Windows 7 64-bit machine and that one works... So it seems
> to be a Windows configuration issue, but what other settings could possibly
> cause this authentication failure? The new machine is a recent clean install
> and uses MSE as antivirus, whereas the older workstations use AVG and
> Ad-Aware. But I doubt the antivirus could cause the difference. And I don't
> see any difference in the network configuration of the machines. Any
> suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically
configured in DNS? Do they both have all the system patches? And have
you tried yanking out AVG and replacing it with MSE?


Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-24 Thread Eimac Dude
Brought in a new Windows 7 64-bit machine and that one works... So it 
seems to be a Windows configuration issue, but what other settings could 
possibly cause this authentication failure? The new machine is a recent 
clean install and uses MSE as antivirus, whereas the older workstations 
use AVG and Ad-Aware. But I doubt the antivirus could cause the 
difference. And I don't see any difference in the network configuration 
of the machines. Any suggestions? I can't simply replace all Windows 
clients on our network...


On 1/24/2013 11:43 AM, Eimac Dude wrote:

Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any 
other Windows machines), I get "The trust relationship between this 
workstation and the primary domain failed". The discussion I've found 
around the Web regarding this error message seems to be only in the 
context of the 30 day password expiry issue, where the solution is to 
simply rejoin the domain. Unfortunately, I have this problem *always*, 
and rejoining does not help. I have not been able to do a net login at 
all, from the first time I tried. At the same time, there's no problem 
accessing the Samba shares by going to \\SMB in Windows Explorer and 
logging in with the same user accounts.


# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS 
server; not using LDAP.


We had been using Samba for simple file sharing, with no domain 
functionality enabled, and with the Windows machines on the network 
configured as members of the workgroup. We recently decided to set 
Samba as a PDC and support roaming profiles, and have been blocked by 
this trust error.


I made some changes to smb.conf, which can be seen here: 
http://pastebin.com/raw.php?i=qKvQq3W2


The profiles directory was chmod 2775 and its group changed from root 
to users. The netlogon directory is 755. Initially, in smb.conf the 
name resolve order was starting with dns, but Windows 7 kept giving me 
an error about not finding the domain when I tried to change from 
workgroup to domain, so I took that out and set wins as the first item 
in the list.


# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "URBASE\Domain Admins" 
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege 
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege


The Windows machines are configured as specified on 
wiki.samba.org/index.php/Windows7 (that is, I only edited 
DomainCompatibilityMode and DNSNameResolutionRequired). Changing from 
workgroup to domain and rebooting, then trying to log in with one of 
the SMB users gives me the "The trust relationship between this 
workstation and the primary domain failed" error. I can only log into 
the local machine account. If, instead of changing from workgroup to 
domain directly, I try to use the network ID wizard, it eventually 
leads to the same error when it tries to set up the domain user. 
Looking at /etc/samba/smbpasswd, the machine account shows up there so 
the add machine script seems to be working; however,


# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$


Why is it not working? I don't know how to troubleshoot this. I've 
tried removing the machine from the domain then taking it out of 
smbpasswd and the Unix accounts, and then rejoining, but same errors. 
I tried manually adding the IP address in the Windows machine's WINS 
setting, but it doesn't make a difference.


One thing I'm unsure of is the DNS suffixes thing which seems to be 
mentioned on some sites in association with this. In the Windows 
clients, under "Append these DNS suffixes (in order)" we've normally 
had as suffix the DNS master zone for the LAN, which is different from 
the domain name in smb.conf -- if that matters at all given joining 
the domain should be using WINS instead of DNS for name resolution. I 
tried adding the domain in there anyway, but it doesn't help.


Can anyone kindly help? I've asked on a coupl

[Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-24 Thread Eimac Dude

Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any 
other Windows machines), I get "The trust relationship between this 
workstation and the primary domain failed". The discussion I've found 
around the Web regarding this error message seems to be only in the 
context of the 30 day password expiry issue, where the solution is to 
simply rejoin the domain. Unfortunately, I have this problem *always*, 
and rejoining does not help. I have not been able to do a net login at 
all, from the first time I tried. At the same time, there's no problem 
accessing the Samba shares by going to \\SMB in Windows Explorer and 
logging in with the same user accounts.


# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS 
server; not using LDAP.


We had been using Samba for simple file sharing, with no domain 
functionality enabled, and with the Windows machines on the network 
configured as members of the workgroup. We recently decided to set Samba 
as a PDC and support roaming profiles, and have been blocked by this 
trust error.


I made some changes to smb.conf, which can be seen here: 
http://pastebin.com/raw.php?i=qKvQq3W2


The profiles directory was chmod 2775 and its group changed from root to 
users. The netlogon directory is 755. Initially, in smb.conf the name 
resolve order was starting with dns, but Windows 7 kept giving me an 
error about not finding the domain when I tried to change from workgroup 
to domain, so I took that out and set wins as the first item in the list.


# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "URBASE\Domain Admins" 
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege 
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege


The Windows machines are configured as specified on 
wiki.samba.org/index.php/Windows7 (that is, I only edited 
DomainCompatibilityMode and DNSNameResolutionRequired). Changing from 
workgroup to domain and rebooting, then trying to log in with one of the 
SMB users gives me the "The trust relationship between this workstation 
and the primary domain failed" error. I can only log into the local 
machine account. If, instead of changing from workgroup to domain 
directly, I try to use the network ID wizard, it eventually leads to the 
same error when it tries to set up the domain user. Looking at 
/etc/samba/smbpasswd, the machine account shows up there so the add 
machine script seems to be working; however,


# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client BRIX machine account BRIX$


Why is it not working? I don't know how to troubleshoot this. I've tried 
removing the machine from the domain then taking it out of smbpasswd and 
the Unix accounts, and then rejoining, but same errors. I tried manually 
adding the IP address in the Windows machine's WINS setting, but it 
doesn't make a difference.


One thing I'm unsure of is the DNS suffixes thing which seems to be 
mentioned on some sites in association with this. In the Windows 
clients, under "Append these DNS suffixes (in order)" we've normally had 
as suffix the DNS master zone for the LAN, which is different from the 
domain name in smb.conf -- if that matters at all given joining the 
domain should be using WINS instead of DNS for name resolution. I tried 
adding the domain in there anyway, but it doesn't help.


Can anyone kindly help? I've asked on a couple of other forums but to no 
avail...


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba PDC group list empty

2012-12-03 Thread Andrej Šimko
 I give all of your indexes in my conf but nothing changed:

ls -l *bdb
-rw--- 1 openldap openldap  61440 Dec  3 14:22 cn.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 dc.bdb
-rw--- 1 openldap openldap  28672 Dec  3 14:22 displayName.bdb
-rw--- 1 openldap openldap  40960 Dec  3 12:29 dn2id.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryCSN.bdb
-rw--- 1 openldap openldap   8192 Nov 22 10:42 entryUUID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 gidNumber.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 givenName.bdb
-rw--- 1 openldap openldap 294912 Dec  3 13:10 id2entry.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 loginShell.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 mail.bdb
-rw--- 1 openldap openldap  69632 Dec  3 14:22 memberUid.bdb
-rw--- 1 openldap openldap  36864 Dec  3 14:22 objectClass.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 ou.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaDomainName.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaGroupType.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSID.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 sambaSIDList.bdb
-rw--- 1 openldap openldap  40960 Dec  3 14:22 sn.bdb
-rw--- 1 openldap openldap  45056 Dec  3 14:22 uid.bdb
-rw--- 1 openldap openldap   8192 Dec  3 14:22 uidNumber.bdb
-rw--- 1 openldap openldap   8192 Nov 20 17:03 uniqueMember.bdb


Any other suggestion?


On Fri, Nov 30, 2012 at 6:16 PM, Harry Jede  wrote:

> On Thursday, 29 November 2012 you wrote:
> > I still don't understand why ldap search filter generated by samba ( I
> > have this from samba log ) cannot find anything in database:
> > smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
> > [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
> > 21-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> > [1024] [2012/11/29 18:15:14.227560,  3]
> > lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
> > search was successful
> > [2012/11/29 18:15:14.227647,  3]
> > rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
> > destroying talloc pool of size 0
> >
> > If I remove sambaSID and try to find it in ldap, I will get all my
> > groups. Filter =
> > (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
> >
> > Is this normal behavior, or can my ldap configuration be incorrect?
> That's not normal.
>
> What indexes have you set?
> # ldapsearch -LLLY external -H ldapi:///  -b cn=config "(objectclass=*)"
>  olcDBIndex
>
> These are my indexes:
> dn: olcDatabase={1}hdb,cn=config
> olcDbIndex: objectClass eq
> olcDbIndex: uidNumber eq
> olcDbIndex: gidNumber eq
> olcDbIndex: loginShell eq
> olcDbIndex: uid eq,pres,sub
> olcDbIndex: memberUid eq,pres,sub
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: displayName eq,sub
> olcDbIndex: givenName eq,sub
> olcDbIndex: mail eq,sub
> olcDbIndex: dhcpHWAddress eq
> olcDbIndex: dhcpClassData eq
> olcDbIndex: cn eq,pres,sub
> olcDbIndex: sn eq,pres,sub
> olcDbIndex: ou eq
> olcDbIndex: dc eq
> olcDbIndex: default sub
>
> And this shows the files:
> # cd /var/lib/ldap/
> # ls -l *bdb
> -rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
> -rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
> -rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
> -rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
> -rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
> -rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
> -rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
> -rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
> -rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
> -rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
> -rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
> -rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
> root@capella:/var/lib/ldap#
>
> --
>
> Regards
> Harry Jede

Re: [Samba] Samba PDC group list empty

2012-11-30 Thread Harry Jede
On Thursday, 29 November 2012 you wrote:
> I still don't understand why ldap search filter generated by samba ( I
> have this from samba log ) cannot find anything in database:
> smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
> [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-
> 21-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> [1024] [2012/11/29 18:15:14.227560,  3]
> lib/smbldap.c:1591(smbldap_search_paged) smbldap_search_paged:
> search was successful
> [2012/11/29 18:15:14.227647,  3]
> rpc_server/srv_pipe_hnd.c:121(free_pipe_context) free_pipe_context:
> destroying talloc pool of size 0
> 
> If I remove sambaSID and try to find it in ldap, I will get all my
> groups. Filter =
> (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))
> 
> Is this normal behavior, or can my ldap configuration be incorrect?
That's not normal.

What indexes have you set?
# ldapsearch -LLLY external -H ldapi:///  -b cn=config "(objectclass=*)"  
olcDBIndex

These are my indexes:
dn: olcDatabase={1}hdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq,pres,sub
olcDbIndex: memberUid eq,pres,sub
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: displayName eq,sub
olcDbIndex: givenName eq,sub
olcDbIndex: mail eq,sub
olcDbIndex: dhcpHWAddress eq
olcDbIndex: dhcpClassData eq
olcDbIndex: cn eq,pres,sub
olcDbIndex: sn eq,pres,sub
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: default sub

And this shows the files:
# cd /var/lib/ldap/
# ls -l *bdb
-rw--- 1 openldap openldap 32768 18. Nov 15:49 cn.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  dc.bdb
-rw--- 1 openldap openldap  8192 18. Nov 15:49 dhcpHWAddress.bdb
-rw--- 1 openldap openldap 24576 23. Aug 10:08 displayName.bdb
-rw--- 1 openldap openldap 24576 18. Nov 15:49 dn2id.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 gidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 givenName.bdb
-rw--- 1 openldap openldap 98304 27. Nov 22:54 id2entry.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 loginShell.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 mail.bdb
-rw--- 1 openldap openldap  8192  1. Jun 2012  memberUid.bdb
-rw--- 1 openldap openldap 16384 27. Nov 22:54 objectClass.bdb
-rw--- 1 openldap openldap  8192  1. Jun 19:57 ou.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaDomainName.bdb
-rw--- 1 openldap openldap  8192 10. Mai 2012  sambaGroupType.bdb
-rw--- 1 openldap openldap  8192 23. Aug 08:54 sambaPrimaryGroupSID.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 sambaSID.bdb
-rw--- 1 openldap openldap  8192 27. Nov 22:54 sambaSIDList.bdb
-rw--- 1 openldap openldap  8192  1. Jun 21:57 sn.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uid.bdb
-rw--- 1 openldap openldap  8192 23. Aug 10:08 uidNumber.bdb
-rw--- 1 openldap openldap  8192  1. Jan 2012  uniqueMember.bdb
root@capella:/var/lib/ldap# 

-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-29 Thread Andrej Šimko
Hello again,

I do not know what

On Tue, Nov 27, 2012 at 9:08 PM, Harry Jede  wrote:

> On 20:15:56 wrote Andrej Šimko:
> > net getdomainsid
> > SID for local machine HOST is:
> > S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> > S-1-5-21-2390795950-2727105968-4008069955
> >
> > I compared my smb.conf with yours. I have "ldap suffix" before
> >  "ldap group suffix".
> >
> > I switched that but result still the same.
> >
> >  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> > dn: cn=admin,dc=example,dc=sk
> >
> > tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> >
> > ldapsearch -LLLY external -H ldapi:///
> > "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> > =users)))" 2>/dev/null
> > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > objectClass: sambaSidEntry
> > objectClass: sambaGroupMapping
> > sambaSID: S-1-5-32-545
> > sambaGroupType: 4
> > displayName: Users
> > gidNumber: 1
> > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
>
> Sorry, that I haven't seen this in your mail at 09:07
>
> This is a working group object:
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
> (uid=users)))"  2>/dev/null
> dn: cn=users,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 545
> cn: users
> description: Netbios Domain Users
> sambaSID: S-1-5-32-545
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
> sambaGroupType: 4
> displayName: Users
>
>
> The main difference is the objectclass posixGroup instead of
> sambaSidEntry.
> Samba Group Mapping is not a simple task. Your definition with
> objectclass=sambasidentry is not totally wrong, but the intended use is
> that you store your posixgroups in /etc/group or in NIS.
> With an LDAP backend that is not the best approach.
>
>
I don't understand what you are trying to say :(
Do you think that if I have all necessary groups in /etc/group or in NIS,
then the windows computer will find groups in domain?


I still don't understand why ldap search filter generated by samba ( I have
this from samba log ) cannot find anything in database:
  smbldap_search_paged: base => [dc=gymsnv,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
[2012/11/29 18:15:14.227560,  3] lib/smbldap.c:1591(smbldap_search_paged)
  smbldap_search_paged: search was successful
[2012/11/29 18:15:14.227647,  3]
rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 0

If I remove sambaSID and try to find it in ldap, I will get all my groups.
Filter = (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=*))

Is this normal behavior, or can my ldap configuration be incorrect?





> Here the three standard definitions with objectclass=posixgroup
>
> ###
> A primary group: posix and windows primary
> members should NOT be stored here
>
> dn: cn=teachers,ou=groups,dc=europa,dc=xx
> cn: teachers
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 1001
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
> sambaGroupType: 2
> displayName: teachers
>
> # getent group teachers
> teachers:*:1001:
>
> # net  rpc group members teachers
> # 
>
>
>
> ###
> A regular group in posix, a global group in windows
> members are stored in memberUid
>
> dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: DomainAdmins
> memberUid: Administrator
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # getent group domainadmins
> DomainAdmins:*:512:Administrator,root
>
>
> # Asking for the Windows name, which is stored in "displayName"
> # net rpc group members "domain admins"
> EUROPA\Administrator
> EUROPA\root
>
> # Asking for the posix name, which is stored in "cn"
> # net rpc group members domainadmins
> EUROPA\Administrator
> EUROPA\root
>
>
> ###
> A windows/samba builtin group
> no posix members
> Windows members must be stored in sambaSIDList. These types of groups
> will be used in Windows OS (client and/or server)
>
> # ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
> dn: cn=Administrators,ou=groups,dc=europa,dc=xx
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer
> sambaSID: S-1-5-32-544
> sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
> sambaGroupType: 4
> displayName: Administrators
>
>
> # getent group administrators
> Administrators:*:544:
>
> # net rpc g

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
On 20:15:56 wrote Andrej Šimko:
> net getdomainsid
> SID for local machine HOST is:
> S-1-5-21-2390795950-2727105968-4008069955 SID for domain EXAMPLE is:
> S-1-5-21-2390795950-2727105968-4008069955
> 
> I compared my smb.conf with yours. I have "ldap suffix" before
>  "ldap group suffix".
> 
> I switched that but result still the same.
> 
>  ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
> dn: cn=admin,dc=example,dc=sk
> 
> tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )
> 
> ldapsearch -LLLY external -H ldapi:///
> "(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid
> =users)))" 2>/dev/null
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

Sorry, that I haven't seen this in your mail at 09:07

This is a working group object:

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"  2>/dev/null
dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users


The main difference is the objectclass posixGroup instead of 
sambaSidEntry.
Samba Group Mapping is not a simple task. Your definition with 
objectclass=sambasidentry is not totally wrong, but the intended use is 
that you store your posixgroups in /etc/group or in NIS.
With an LDAP backend that is not the best approach.

Here the three standard definitions with objectclass=posixgroup

###
A primary group: posix and windows primary
members should NOT be stored here

dn: cn=teachers,ou=groups,dc=europa,dc=xx
cn: teachers
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

# getent group teachers
teachers:*:1001:

# net  rpc group members teachers
# 



###
A regular group in posix, a global group in windows
members are stored in memberUid

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: DomainAdmins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

# getent group domainadmins
DomainAdmins:*:512:Administrator,root


# Asking for the Windows name, which is stored in "displayName"
# net rpc group members "domain admins"
EUROPA\Administrator
EUROPA\root

# Asking for the posix name, which is stored in "cn"
# net rpc group members domainadmins
EUROPA\Administrator
EUROPA\root


###
A windows/samba builtin group
no posix members
Windows members must be stored in sambaSIDList. These types of groups 
will be used in Windows OS (client and/or server)

# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(cn=administrators))"  2>/dev/null
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators


# getent group administrators
Administrators:*:544:

# net rpc group members administrators
EUROPA\Domain Admins

###
-- 

Regards
Harry Jede
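
The three group layouts described in this message, checked together with the domain-group filter that Samba logs elsewhere in this thread, as an added example that is not part of the original post or of Samba. Function names are hypothetical, the LDIF is constructed from the entries quoted in the thread, the prefix match is a plain string comparison, and base64 (`::`) values are not decoded.

```python
"""Audit sambaGroupMapping entries against the group layouts shown in the thread.

Function names are hypothetical (not Samba or smbldap-tools code). SAMPLE_LDIF
is constructed data modelled on the entries quoted in the thread.
"""
EUROPA_SID = "S-1-5-21-3958726613-3318811842-4132420312"    # domain SID of the working setup
EXAMPLE_SID = "S-1-5-21-2390795950-2727105968-4008069955"   # domain SID from `net getdomainsid`

SAMPLE_LDIF = """\
dn: cn=teachers,ou=groups,dc=europa,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 1001
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-3003
sambaGroupType: 2
displayName: teachers

dn: cn=DomainAdmins,ou=groups,dc=europa,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
memberUid: Administrator
memberUid: root
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-
 513
"""

def parse_ldif(text):
    """Return one {attribute (lowercase): [values]} dict per entry."""
    unfolded = text.replace("\n ", "")   # LDIF folds long lines as newline + one space
    entries = []
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (v.lower() for v in entry.get("objectclass", []))

def matches_domain_group_filter(entry, domain_sid):
    """Emulate (&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=<domain_sid>*))."""
    return (has_class(entry, "sambaGroupMapping")
            and "2" in entry.get("sambagrouptype", [])
            and any(s.startswith(domain_sid) for s in entry.get("sambasid", [])))

def audit(entry, domain_sid):
    """List the ways an entry departs from the three layouts shown in the thread."""
    findings = []
    sid = entry.get("sambasid", [""])[0]
    gtype = entry.get("sambagrouptype", [""])[0]
    if not has_class(entry, "posixGroup"):
        findings.append("no posixGroup objectClass")
    # Stricter than the logged filter: require the "-" that starts the RID.
    if gtype == "2" and not sid.startswith(domain_sid + "-"):
        findings.append("type 2 group SID is outside the domain SID")
    if gtype == "4" and entry.get("memberuid"):
        findings.append("type 4 group lists members in memberUid, not sambaSIDList")
    return findings

def report(text, domain_sid):
    """Return (DNs the domain-group filter would match, {dn: findings})."""
    entries = parse_ldif(text)
    visible = [e["dn"][0] for e in entries if matches_domain_group_filter(e, domain_sid)]
    problems = {}
    for e in entries:
        found = audit(e, domain_sid)
        if found:
            problems[e["dn"][0]] = found
    return visible, problems

if __name__ == "__main__":
    for sid in (EUROPA_SID, EXAMPLE_SID):
        visible, problems = report(SAMPLE_LDIF, sid)
        print(sid, "-> filter matches:", visible)
        for dn, items in problems.items():
            print("   ", dn, items)
```

To audit a real directory, pass the output of an `ldapsearch -LLL` query for `(objectclass=sambaGroupMapping)` to `report()` along with the SID printed by `net getdomainsid`.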

Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Andrej Šimko
net getdomainsid
SID for local machine HOST is: S-1-5-21-2390795950-2727105968-4008069955
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

I switched that but result still the same.

 ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=example,dc=sk

tdbdump /var/lib/samba/secrets.tdb - looks ok ( the password too )

ldapsearch -LLLY external -H ldapi:///
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"
2>/dev/null
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 1
sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513

ldapsearch -xLLL
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)(uid=users)))"
dn
dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk


I do not see anything bad, I do not have winbindd installed


On Tue, Nov 27, 2012 at 2:46 PM, Harry Jede  wrote:

> (displayname=users)(uid=users)))"  dn
>


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
please post to the list !!!

> On Tue, Nov 27, 2012 at 9:56 AM, Harry Jede  wrote:
> > Hi Simo,
> > 
> > > Hi this is my listing:
> > > 
> > > net -U administrator rpc group members Administrators
> > > Enter administrator's password:
> > > Couldn't list alias members
> > 
> > Your samba server WILL not list the members of this global group,
> > mostly a security issue.
> 
> User administrator has all rights, so I dont think it is a security
> issue. Or do you know some checks that I could try?
> 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=S-1-5-32*))'
> > > 
> > > ldapsearch -xLLL
> > > '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> > > (sambaSID=*))'
> > > dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> > > objectClass: sambaSidEntry
> > > objectClass: sambaGroupMapping
> > > sambaSID: S-1-5-32-545
> > > sambaGroupType: 4
> > > displayName: Users
> > > gidNumber: 1
> > > sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
> > 
> > Your LDAP client WILL list the group members.
> > 
> > > Do you know what does this mean?
> > 
> > The reason is often "wrong configured" smbldap-tools. Check the
> > /etc/smbldap-tools/smbldap.conf file for the wrong SID entry.
> 
> > SID in smbldap.conf is:
> SID="S-1-5-21-2390795950-2727105968-4008069955"
> 
> So that is correct.
> 
> > > > > net getdomainsid
> > > > > SID for local machine HOST is:
> > > > > S-1-5-21-2242576961-186067218-2214866780 SID for domain
> > > > > EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
> > 
> > Your server and your domain have different SIDs, that may be your
> > problem. Try:
> > # net setlocalsid S-1-5-21-2390795950-2727105968-4008069955
> > 
> > and restart samba.
> 
> Tried that, nothing changed.
Post:
net getdomainsid


Do the following steps (enclosed with ###) in order
###

I compared my smb.conf with yours. I have "ldap suffix" before
 "ldap group suffix".

ldap suffix  = dc=europa,dc=xx
ldap admin dn= cn=admin,dc=europa,dc=xx
ldap group suffix= ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix  = ou=machines,ou=accounts

and I have NOT installed winbindd!

###
Check if you have the groups defined in LDAP and in /etc/groups. The 
groups should only be in LDAP.

###
check the admin account in ldap:

# ldapsearch -LLLY external -H ldapi:/// cn=admin dn 2>/dev/null
dn: cn=admin,dc=europa,dc=xx

Check that your ldap admin password is OK.
# tdbdump /var/lib/samba/secrets.tdb

look for:
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(12) = "ThePassword\00"
}



Try to bind with this password:
# ldapsearch -xLLL -D "cn=admin,dc=europa,dc=xx" -w ThePassword 
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"


Check if root get the same result:
# ldapsearch -LLLY external -H ldapi:///  
"(&(objectclass=sambaGroupMapping)(|(cn=users)(displayname=users)
(uid=users)))"  2>/dev/null

###

at last, search for duplicate names:
# ldapsearch -xLLL "(&(objectclass=sambaGroupMapping)(|(cn=users)
(displayname=users)(uid=users)))"  dn



You should get one result.
> 
> > > Thanks.
> > 
> > --
> > 
> > regards
> > 
> > Harry Jede
> > 


-- 

Regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-27 Thread Harry Jede
Hi Simo,
> Hi this is my listing:
> 
> net -U administrator rpc group members Administrators
> Enter administrator's password:
> Couldn't list alias members
Your samba server WILL not list the members of this global group, mostly 
a security issue.

> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=S-1-5-32*))'
> 
> ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
> (sambaSID=*))'
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=example,dc=sk
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 1
> sambaSIDList: S-1-5-21-2390795950-2727105968-4008069955-513
Your LDAP client WILL list the group members.

> Do you know what does this mean?
The reason is often "wrong configured" smbldap-tools. Check the 
/etc/smbldap-tools/smbldap.conf file for the wrong SID entry.

> > > net getdomainsid
> > > SID for local machine HOST is:
> > > S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE
> > > is: S-1-5-21-2390795950-2727105968-4008069955
Your server and your domain have different SIDs, that may be your 
problem. Try:
# net setlocalsid S-1-5-21-2390795950-2727105968-4008069955

and restart samba.



> Thanks.

-- 

regards
Harry Jede


Re: [Samba] Samba PDC group list empty

2012-11-26 Thread L . P . H . van Belle
Hai, 

The Debian 3.5.6 is buggy; use the 3.6.6 version from backports, it fixed my 
problems also. 

Louis


 

>-Original message-
>From: andrej.si...@gmail.com 
>[mailto:samba-boun...@lists.samba.org] On behalf of Andrej Šimko
>Sent: Friday 23 November 2012 9:11
>To: samba@lists.samba.org
>Subject: [Samba] Samba PDC group list empty
>
>Dear samba users,
>
>I have a very strange problem. I have Samba PDC up and running, but only
>one thing is missing. I cannot see any Domain Groups at all.
>Here is my config:
>
>Debian Squeeze:
>ii  samba             2:3.5.6~dfsg-3squeeze8  SMB/CIFS file, print, and login server for Unix
>ii  samba-common      2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
>ii  samba-common-bin  2:3.5.6~dfsg-3squeeze8  common files used by both the Samba server and client
>ii  samba-doc         2:3.5.6~dfsg-3squeeze8  Samba documentation
>
>/etc/samba/smb.conf
>[global]
>dos charset = CP852
>unix charset = UTF8
>display charset = UTF8
>workgroup = EXAMPLE
>server string = %h server
>map to guest = Bad User
>passdb backend = ldapsam:ldap://127.0.0.1/
>pam password change = Yes
>passwd program = /usr/sbin/smbldap-passwd -u %u
>passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>*all*authentication*tokens*updated*
>syslog = 0
>time server = Yes
>log file = /var/log/samba/samba.log
>log level = 3
>max log size = 1000
>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
>delete user script = /usr/sbin/smbldap-userdel %u -r %u
>add group script = /usr/sbin/smbldap-groupadd -p %g
>delete group script = /usr/sbin/smbldap-groupdel %g
>add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>add machine script = /usr/sbin/smbldap-useradd -w %u
>logon script = logon.bat
>domain logons = Yes
>os level = 10
>preferred master = Yes
>domain master = Yes
>dns proxy = No
>wins support = Yes
>ldap admin dn = cn=admin,dc=example,dc=sk
>ldap delete dn = Yes
>ldap group suffix = ou=Groups
>ldap idmap suffix = ou=Idmap
>ldap machine suffix = ou=Computers
>ldap suffix = dc=example,dc=sk
>ldap ssl = no
>ldap user suffix = ou=Users
>panic action = /usr/share/samba/panic-action %d
>map acl inherit = Yes
>case sensitive = No
>hide unreadable = Yes
>map hidden = Yes
>map system = Yes
>
>[homes]
>comment = Home Directories
>valid users = %S
>read only = No
>create mask = 0644
>directory mask = 0700
>browseable = No
>path = /data/samba/homes
>
>[netlogon]
>comment = Network Logon Service
>path = /data/samba/netlogon
>read only = No
>guest ok = Yes
>locking = No
>share modes = No
>
>[profiles]
>comment = Users profiles
>path = /data/samba/profiles
>read only = No
>create mask = 0600
>directory mask = 0700
>hide files = /desktop.ini/
>browseable = No
>
>/etc/nsswitch.conf
># /etc/nsswitch.conf
>#
># Example configuration of GNU Name Service Switch functionality.
># If you have the `glibc-doc-reference' and `info' packages 
>installed, try:
># `info libc "Name Service Switch"' for information about this file.
>
>passwd: compat ldap
>group:  compat ldap
>shadow: compat ldap
>
>hosts:  files dns
>networks:   files
>
>protocols:  db files
>services:   db files
>ethers: db files
>rpc:db files
>
>netgroup:   nis
>
>/etc/ldap/ldap.conf
>#
># LDAP Defaults
>#
>
># See ldap.conf(5) for details
># This file should be world readable but not world writable.
>host 127.0.0.1
>base dc=example,dc=sk
>binddn cn=admin,dc=example,dc=sk
>bindpw secret
>bind_policy soft
>pam_password exop
>timelimit 15
>
>nss_base_passwd ou=Users,dc=example,dc=sk
>nss_base_shadow ou=Users,dc=example,dc=sk
>nss_base_group  ou=Groups,dc=example,dc=sk
>
>net getdomainsid
>SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
>SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955
>
>net groupmap list
>Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain
>Admins
>Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) 
>-> Domain Users
>Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain
>Guests
>D

Re: [Samba] Samba PDC group list empty

2012-11-23 Thread Harry Jede
On 18:32:29 wrote Andrej Šimko:
> Dear samba users,
> 
> I have a very strange problem. I have a Samba PDC up and running, but
> only one thing is missing. I cannot see any Domain Groups at all.

...

> net getdomainsid
> SID for local machine HOST is:
> S-1-5-21-2242576961-186067218-2214866780 SID for domain EXAMPLE is:
> S-1-5-21-2390795950-2727105968-4008069955
> 
> net groupmap list
> Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) ->
> Domain Admins
> Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) ->
> Domain Users Domain Guests
> (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain Guests
> Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) ->
> Domain Computers
> Administrators (S-1-5-32-544) -> Administrators
> Account Operators (S-1-5-32-548) -> Account Operators
> Print Operators (S-1-5-32-550) -> Print Operators
> Backup Operators (S-1-5-32-551) -> Backup Operators
> Replicators (S-1-5-32-552) -> Replicators
> 
> 
> The strange thing is, if I try on Win XP to search groups, I see in
> logs: smbldap_search_paged: base => [dc=example,dc=sk], filter =>
> [(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-2
> 1-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> [1024]
>   smbldap_search_paged: base => [dc=example,dc=sk], filter =>
> [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-2
> 1-2390795950-2727105968-4008069955*))],scope => [2], pagesize =>
> [1024]
>   smbldap_search_paged: base => [dc=example,dc=sk], filter =>
> [(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-3
# net help rpc group 
Usage:
net rpc group
Alias for net rpc group list global local builtin
net rpc group add
Create specified group
net rpc group delete
Delete specified group
net rpc group addmem
Add member to group
net rpc group delmem
Remove member from group
net rpc group list
List groups
net rpc group members
List group members
net rpc group rename
Rename group

# net -U root rpc group members Administrators
EUROPA\Domain Admins


view this output:

# ldapsearch -xLLL '(&(objectclass=sambaGroupMapping)(sambaGroupType=4)
(sambaSID=S-1-5-32*))'
dn: cn=Administrators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
memberUid: Administrator
description: Netbios Domain Members can fully administer the computer
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-512
sambaGroupType: 4
displayName: Administrators

dn: cn=users,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: users
description: Netbios Domain Users
sambaSID: S-1-5-32-545
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-513
sambaGroupType: 4
displayName: Users

dn: cn=guests,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: guests
memberUid: nobody
description: Netbios Domain Guests
sambaSID: S-1-5-32-546
sambaSIDList: S-1-5-21-3958726613-3318811842-4132420312-514
sambaGroupType: 4
displayName: Guests

dn: cn=AccountOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: AccountOperators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 4
displayName: Account Operators

dn: cn=PrintOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: PrintOperators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 4
displayName: Print Operators

dn: cn=BackupOperators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: BackupOperators
description: Netbios Domain Members can bypass file security to back up 
files
sambaSID: S-1-5-32-551
sambaGroupType: 4
displayName: Backup Operators

dn: cn=Replicators,ou=groups,dc=europa,dc=xx
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a 
sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 4
displayName: Replicators


> If I try to search in ldap with that filter, I always get zero
> matches.
> 
> I also tried to use wbinfo, wbinfo -u list all my users, wbinfo -g
> list is empty. If I try getent passwd and getent group I see all my
> users and groups.
> Can somebody help me with this?
> 
> Thank you!


-- 

Regards
Harry Jede

[Samba] Samba PDC group list empty

2012-11-23 Thread Andrej Šimko
Dear samba users,

I have a very strange problem. I have a Samba PDC up and running, but only
one thing is missing. I cannot see any Domain Groups at all.
Here is my config:

Debian Squeeze:
ii  samba   2:3.5.6~dfsg-3squeeze8
SMB/CIFS file, print, and login server for Unix
ii  samba-common2:3.5.6~dfsg-3squeeze8   common
files used by both the Samba server and client
ii  samba-common-bin2:3.5.6~dfsg-3squeeze8   common
files used by both the Samba server and client
ii  samba-doc   2:3.5.6~dfsg-3squeeze8   Samba
documentation

/etc/samba/smb.conf
[global]
dos charset = CP852
unix charset = UTF8
display charset = UTF8
workgroup = EXAMPLE
server string = %h server
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*all*authentication*tokens*updated*
syslog = 0
time server = Yes
log file = /var/log/samba/samba.log
log level = 3
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m %u -d /home/%u %u
delete user script = /usr/sbin/smbldap-userdel %u -r %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
logon script = logon.bat
domain logons = Yes
os level = 10
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=admin,dc=example,dc=sk
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=example,dc=sk
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
map acl inherit = Yes
case sensitive = No
hide unreadable = Yes
map hidden = Yes
map system = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0644
directory mask = 0700
browseable = No
path = /data/samba/homes

[netlogon]
comment = Network Logon Service
path = /data/samba/netlogon
read only = No
guest ok = Yes
locking = No
share modes = No

[profiles]
comment = Users profiles
path = /data/samba/profiles
read only = No
create mask = 0600
directory mask = 0700
hide files = /desktop.ini/
browseable = No

/etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:  files dns
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:db files

netgroup:   nis

/etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.
host 127.0.0.1
base dc=example,dc=sk
binddn cn=admin,dc=example,dc=sk
bindpw secret
bind_policy soft
pam_password exop
timelimit 15

nss_base_passwd ou=Users,dc=example,dc=sk
nss_base_shadow ou=Users,dc=example,dc=sk
nss_base_group  ou=Groups,dc=example,dc=sk

net getdomainsid
SID for local machine HOST is: S-1-5-21-2242576961-186067218-2214866780
SID for domain EXAMPLE is: S-1-5-21-2390795950-2727105968-4008069955

net groupmap list
Domain Admins (S-1-5-21-2390795950-2727105968-4008069955-512) -> Domain
Admins
Domain Users (S-1-5-21-2390795950-2727105968-4008069955-513) -> Domain Users
Domain Guests (S-1-5-21-2390795950-2727105968-4008069955-514) -> Domain
Guests
Domain Computers (S-1-5-21-2390795950-2727105968-4008069955-515) -> Domain
Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators


The strange thing is, if I try on Win XP to search groups, I see in the logs:
smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=2)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
  smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaGroupType=4)(sambaSID=S-1-5-21-2390795950-2727105968-4008069955*))],scope
=> [2], pagesize => [1024]
  smbldap_search_paged: base => [dc=example,dc=sk], filter =>
[(&(objectclass=sambaGroupMapping)(sambaG

[Samba] Windows 7 clients not joining domain with Samba PDC

2012-11-22 Thread Daniel Foster

Yes I searched, I tried fixes, I pulled my hair out and finally gave in.

New Windows 7 desktop trying to join a domain happily servicing XP clients 
from Samba 3.5.10 on CentOS 6.3.


I've applied the registry fix from 
https://wiki.samba.org/index.php/Windows7#Windows_7_Registry_settings 
and rebooted, no joy.


I've tried nikonz' changes from 
http://www.tomshardware.com/forum/75-63-windows-samba-issue with no joy.


Each time I try to have the machine join the domain, I get the following 
in the machine specific error log:


[2012/11/22 15:28:45.189030,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2012/11/22 15:28:45.189331,  0] 
lib/util_sock.c:1441(get_peer_addr_internal)

  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by 
peer.


followed by the message:

"The join operation was not successful. This could be because an 
existing computer account having the name "MACHINENAME" was previously 
created using a different set of credentials. Use a different computer 
name, or contact your administrator to remove any stale conflicting 
account.  The error was:


Access is denied."

How can I get Windows 7 to play nice and join in with the domain?

--
Daniel Foster
Technical Director
34SP.com


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Gémes Géza

On 2012-10-23 23:52, Michael Wood wrote:

Hi Marcio

On 23 October 2012 21:01, Marcio Oli  wrote:

Ok Michael, thanks.

But is not clear to me yet.
The samba PDCs and BDCs have obligation to be joined to domain?
In other words, I need to type a manual linux command within Samba Domain
Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain) .

I think Geza was saying that you do (for Samba 3), but I have not run
a Samba 3 PDC/BDC before, so I am not the one to answer that question.


OK

First: Thanks Michael for correcting my typo
Second: For Samba3 PDC/BDC there is no need to be joined to the domain, 
if you do not plan to use winbind on them (e.g. for trusted domains, or 
ldapsam:editposix stuff)


Hope that is clearer now.

Regards,
Marcio.

2012/10/23 Michael Wood 

Hi

On 23 October 2012 16:48, Marcio Oli  wrote:

Thanks Gémes!

 I'm sorry about my ignorance, but what is an aka classic domain?

"aka classic domain now" (I think Geza meant to say "now" instead of
"not") means that the type of domain that Samba3 implements is now
"also known as" a "classic domain".

I hope my explanation helps :)


 My samba version is 3.5.10-116.el6_2.
 OS: Red Hat Enterprise Linux Server release 6.2 / Linux
2.6.32-131.6.1.el6.x86_64

Best regards,

Marcio Oliveira.

2012/10/23 Gémes Géza 


On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with
this?

   The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?


In a samba3 (aka classic domain not)

[...]

--
Michael Wood 

--
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)

Regards

Geza Gemes


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Michael Wood
Hi Marcio

On 23 October 2012 21:01, Marcio Oli  wrote:
> Ok Michael, thanks.
>
> But is not clear to me yet.
> The samba PDCs and BDCs have obligation to be joined to domain?
> In other words, I need to type a manual linux command within Samba Domain
> Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain) .

I think Geza was saying that you do (for Samba 3), but I have not run
a Samba 3 PDC/BDC before, so I am not the one to answer that question.

> Regards,
> Marcio.
>
> 2012/10/23 Michael Wood 
>>
>> Hi
>>
>> On 23 October 2012 16:48, Marcio Oli  wrote:
>> > Thanks Gémes!
>> >
>> > I'm sorry about my ignorance, but what is an aka classic domain?
>>
>> "aka classic domain now" (I think Geza meant to say "now" instead of
>> "not") means that the type of domain that Samba3 implements is now
>> "also known as" a "classic domain".
>>
>> I hope my explanation helps :)
>>
>> > My samba version is 3.5.10-116.el6_2.
>> > OS: Red Hat Enterprise Linux Server release 6.2 / Linux
>> > 2.6.32-131.6.1.el6.x86_64
>> >
>> > Best regards,
>> >
>> > Marcio Oliveira.
>> >
>> > 2012/10/23 Gémes Géza 
>> >
>> >> On 2012-10-22 20:10, Marcio Oli wrote:
>> >>
>> >>I think the question is simple, so anybody could help me with
>> >> this?
>> >>>   The questions are:
>> >>>
>> >>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>> >>>
>> >> In a samba3 (aka classic domain not)
>> [...]
>>
>> --
>> Michael Wood 
>
> --
> Marcio Oliveira.
> "All things work together for the good of those who love God." (Rom 8,28)

-- 
Michael Wood 


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Michael Wood
Hi

On 23 October 2012 16:48, Marcio Oli  wrote:
> Thanks Gémes!
>
> I'm sorry about my ignorance, but what is an aka classic domain?

"aka classic domain now" (I think Geza meant to say "now" instead of
"not") means that the type of domain that Samba3 implements is now
"also known as" a "classic domain".

I hope my explanation helps :)

> My samba version is 3.5.10-116.el6_2.
> OS: Red Hat Enterprise Linux Server release 6.2 / Linux
> 2.6.32-131.6.1.el6.x86_64
>
> Best regards,
>
> Marcio Oliveira.
>
> 2012/10/23 Gémes Géza 
>
>> On 2012-10-22 20:10, Marcio Oli wrote:
>>
>>I think the question is simple, so anybody could help me with this?
>>>   The questions are:
>>>
>>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>>>
>> In a samba3 (aka classic domain not)
[...]

-- 
Michael Wood 


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Marcio Oli
Thanks Gémes!

I'm sorry about my ignorance, but what is an aka classic domain?
My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux
2.6.32-131.6.1.el6.x86_64

Best regards,

Marcio Oliveira.

2012/10/23 Gémes Géza 

> On 2012-10-22 20:10, Marcio Oli wrote:
>
>I think the question is simple, so anybody could help me with this?
>>   The questions are:
>>
>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>>
> In a samba3 (aka classic domain not)
>
>
>> 2. The "net rpc testjoin" command must to return OK in this case?
>>
> IF joined yes
>
>
>>
>> Thanks,
>> Marcio Oliveira
>>
>>
>> 2012/10/19 Marcio Oli 
>>
>>  People,
>>>
>>>
>>>  I have one PDC and a BDC on the matrix side and two BDCs on the
>>> branch
>>> office.
>>>
>>>  I don't know if it is a problem. Anybody could help me?
>>>
>>> PDC # net rpc testjoin
>>> get_schannel_session_key: could not fetch trust account password for
>>> domain 'DOMAIN_NAME'
>>> net_rpc_join_ok: failed to get schannel session key from server PDC for
>>> domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>> Join to domain 'DOMAIN_NAME' is not valid:
>>> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>>>
>>> BDCs # net rpc testjoin
>>> net_rpc_join_ok: failed to get schannel session key from server PDC for
>>> domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
>>> Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED
>>>
>>> What should I do to solve these problems?
>>>
>>>
>>> Thanks,
>>> --
>>> Marcio Oliveira.
>>> "All things work together for the good of those who love God." (Rom 8,28)
>>>
>>>
>>
>>
>



-- 
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-22 Thread Gémes Géza

On 2012-10-22 20:10, Marcio Oli wrote:

  I think the question is simple, so anybody could help me with this?
  The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)


2. The "net rpc testjoin" command must to return OK in this case?

IF joined yes



Thanks,
Marcio Oliveira


2012/10/19 Marcio Oli 


People,


 I have one PDC and a BDC on the matrix side and two BDCs on the branch
office.

 I don't know if it is a problem. Anybody could help me?

PDC # net rpc testjoin
get_schannel_session_key: could not fetch trust account password for
domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs # net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?


Thanks,
--
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)








Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-22 Thread Marcio Oli
 I think the question is simple, so anybody could help me with this?
 The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

2. The "net rpc testjoin" command must to return OK in this case?


Thanks,
Marcio Oliveira


2012/10/19 Marcio Oli 

> People,
>
>
> I have one PDC and a BDC on the matrix side and two BDCs on the branch
> office.
>
> I don't know if it is a problem. Anybody could help me?
>
> PDC # net rpc testjoin
> get_schannel_session_key: could not fetch trust account password for
> domain 'DOMAIN_NAME'
> net_rpc_join_ok: failed to get schannel session key from server PDC for
> domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Join to domain 'DOMAIN_NAME' is not valid:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> BDCs # net rpc testjoin
> net_rpc_join_ok: failed to get schannel session key from server PDC for
> domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
> Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED
>
> What should I do to solve these problems?
>
>
> Thanks,
> --
> Marcio Oliveira.
> "All things work together for the good of those who love God." (Rom 8,28)
>



-- 
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)


[Samba] PDC and BDCs : net rpc testjoin

2012-10-19 Thread Marcio Oli
People,


I have one PDC and a BDC on the matrix side and two BDCs on the branch
office.

I don't know if it is a problem. Anybody could help me?

PDC # net rpc testjoin
get_schannel_session_key: could not fetch trust account password for domain
'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs # net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?


Thanks,
-- 
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)


[Samba] PDC: realm changed: authentication aborted

2012-10-11 Thread Sebastian Neustein
Hi list,

We have a network with some XP and some Windows 7 computers; we use Samba 3.6.6
on Debian 6.0.6 from debian-backports. It's a PDC with passdb backend = ldapsam.

In our logs there are lots of:
ARCServer slapd[1263]: SASL [conn=46778] Failure: realm changed: authentication
aborted

I found out that at the time this emerges, tcpdump says:

12:59:54.656399 IP client.49551 > 192.168.43.202.ldap: Flags [S], seq
3802010171, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
12:59:54.656444 IP 192.168.43.202.ldap > client.49551: Flags [S.], seq
3999710145, ack 3802010172, win 5840, options [mss
1460,nop,nop,sackOK,nop,wscale 6], length 0
12:59:54.656831 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 1, win
256, length 0
12:59:54.665734 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 1:351,
ack 1, win 256, length 350
12:59:54.665756 IP 192.168.43.202.ldap > client.49551: Flags [.], ack 351, win
108, length 0
12:59:54.677914 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 1:377,
ack 351, win 108, length 376
12:59:54.678040 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 377:391,
ack 351, win 108, length 14
12:59:54.678316 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 391, win
255, length 0
12:59:54.678707 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 351:391,
ack 391, win 255, length 40
12:59:54.679001 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 391:672,
ack 391, win 108, length 281
12:59:54.679619 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 391:678,
ack 672, win 254, length 287
12:59:54.679858 IP 192.168.43.202.ldap > client.49551: Flags [P.], seq 672:758,
ack 678, win 125, length 86
12:59:54.680464 IP client.49551 > 192.168.43.202.ldap: Flags [P.], seq 678:689,
ack 758, win 253, length 11
12:59:54.680480 IP client.49551 > 192.168.43.202.ldap: Flags [F.], seq 689, ack
758, win 253, length 0
12:59:54.680710 IP 192.168.43.202.ldap > client.49551: Flags [F.], seq 758, ack
690, win 125, length 0
12:59:54.680987 IP client.49551 > 192.168.43.202.ldap: Flags [.], ack 759, win
253, length 0

This happens every 15 minutes per Win7 machine


on the client wireshark says:

//client->server
0„   X   c„   O  
  
   x   ‡ objectclass0„   +  subschemaSubentry 
dsServiceName  namingContexts  defaultNamingContext  schemaNamingContext 
configurationNamingContext  rootDomainNamingContext  supportedControl 
supportedLDAPVersion  supportedLDAPPolicies  supportedSASLMechanisms
dnsHostName  ldapServiceName 
serverName  supportedCapabilities 

//server ->client
0‚ t   d‚ m 0‚ g0'  namingContexts1   dc=arc-aachen,dc=de0À 
supportedControl1«  2.16.840.1.113730.3.4.18  2.16.840.1.113730.3.4.2 
1.3.6.1.4.1.4203.1.10.1  1.2.840.113556.1.4.319  1.2.826.0.1.3344810.2.3 
1.3.6.1.1.13.2  1.3.6.1.1.13.1  1.3.6.1.1.120   supportedLDAPVersion1   307 
supportedSASLMechanisms1   CRAM-MD5 
DIGEST-MD5  NTLM0#  subschemaSubentry1   cn=Subschema0e 
   
//client->server
0„   "   `„ £„ 
DIGEST-MD5   

//server->client
0‚ a‚   
 @SASL(0): successful result: security flags do not match
required‡Änonce="cryptic1",realm="ARCServer.arc-aachen.de",qop="auth,auth-int,
auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65536,charset=utf-8,
algorithm=md5-sess

//client->server
0„   `„ £„  
DIGEST-MD5 ‚ 
õusername="client$",realm="arcd",nonce="cryptic1",digest-uri="ldap/ARCSERVER",
cnonce="cryptic2",nc=0001,response=cryptic3,qop=auth-conf,cipher=3des,
charset=utf-8

//server->client
0T   aO 
 1   HSASL(-13): authentication failure: realm changed: authentication aborted

//client->server
0„   B  



I understand that the Win7 machine tries to ask the server something concerning
the network, but the problem is that the server expects a reply from
client.arc-aachen.de but gets a reply from client.arcd. But why?

extracts from smb.conf:
[global]
  workgroup = ARCD
  netbios name = ARCServer

  # domain settings
  domain master = yes
  domain logons = yes

  os level = 100
  preferred master = yes
  wins support = no

  passdb backend = ldapsam
  ldap suffix = dc=arc-aachen,dc=de
  ldap admin dn = cn=samba,dc=arc-aachen,dc=de
  ldap user suffix = ou=users
  ldap group suffix = ou=groups
  ldap machine suffix = ou=computers
  ldap idmap suffix = ou=idmaps
[...]


I know this is a slapd problem; if this server weren't our Samba file server,
this problem would not emerge.


Does anybody know what to do?

Thanks for your help
Sebastian
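
The realm comparison behind the logged failure, as an added example that is not part of the original post: a shell script that parses the DIGEST-MD5 challenge and response directives from the capture above, reports when the client answers with a realm the server did not offer, and checks whether that realm is the smb.conf workgroup. The function names are constructed; the script handles a single realm directive, as in this capture, and compares realms as exact strings, which is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare the realm a DIGEST-MD5 client
# answers with against the realm the server offered. Sample inputs are the
# directive strings from the capture quoted in the post (already anonymised
# there), with the mail line wrapping removed.

sample_challenge() {
cat <<'EOF'
nonce="cryptic1",realm="ARCServer.arc-aachen.de",qop="auth,auth-int,auth-conf",cipher="rc4-40,rc4-56,rc4,des,3des",maxbuf=65536,charset=utf-8,algorithm=md5-sess
EOF
}

sample_response() {
cat <<'EOF'
username="client$",realm="arcd",nonce="cryptic1",digest-uri="ldap/ARCSERVER",cnonce="cryptic2",nc=0001,response=cryptic3,qop=auth-conf,cipher=3des,charset=utf-8
EOF
}

# smb.conf extract from the post.
sample_smbconf() {
cat <<'EOF'
[global]
  workgroup = ARCD
  netbios name = ARCServer
EOF
}

# directive NAME: read one directive string on stdin and print NAME's value
# with the quotes removed. Commas inside quoted values (qop, cipher) do not
# split directives, so a plain split on "," would give wrong results here.
directive() {
    awk -v want="$1" '
    {
        s = $0; n = length(s); key = ""; val = ""; inq = 0; seen_eq = 0
        for (i = 1; i <= n + 1; i++) {
            c = (i <= n) ? substr(s, i, 1) : ","   # virtual trailing comma
            if (c == "\"") { inq = !inq; continue }
            if (c == "," && !inq) {
                if (key == want) { print val; exit }
                key = ""; val = ""; seen_eq = 0; continue
            }
            if (c == " " && !seen_eq && key == "") continue
            if (c == "=" && !seen_eq && !inq) { seen_eq = 1; continue }
            if (seen_eq) val = val c; else key = key c
        }
    }'
}

# realm_check CHALLENGE RESPONSE: succeed when the response repeats the realm
# the server offered; otherwise print both values and fail. A failure is the
# situation the post associates with "realm changed: authentication aborted".
realm_check() {
    offered=$(printf '%s\n' "$1" | directive realm)
    answered=$(printf '%s\n' "$2" | directive realm)
    if [ "$offered" = "$answered" ]; then
        echo "realm ok: $answered"
        return 0
    fi
    echo "realm mismatch: server offered '$offered', client answered '$answered'"
    return 1
}

# matches_workgroup REALM SMBCONF_TEXT: succeed when REALM equals the smb.conf
# workgroup, ignoring case (the client used the NetBIOS domain name as realm).
matches_workgroup() {
    wg=$(printf '%s\n' "$2" |
         sed -n 's/^[[:space:]]*workgroup[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
         head -n 1)
    [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$wg" | tr '[:upper:]' '[:lower:]')" ]
}

# Run against the samples from the post.
if ! realm_check "$(sample_challenge)" "$(sample_response)"; then
    if matches_workgroup "$answered" "$(sample_smbconf)"; then
        echo "client answered with the smb.conf workgroup as its realm"
    fi
fi
```
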


[Samba] failed to get machine password for account samba pdc + ldap

2012-10-04 Thread Jorge Armijo
I have the following problem: when a machine is already in my domain, after a few 
days these messages begin in /var/log/log.


[2012/10/04 09:51:51.004275,  0] 
rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account 
PCU1$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.741838,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.741883,  0] 
rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account 
PCU$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.744344,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.744371,  0] 
rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account 
PCU333$: NT_STATUS_ACCESS_DENIED
[2012/10/04 09:51:55.747119,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation PCUIOZR03TN07$: no account in domain
[2012/10/04 09:51:55.747150,  0] 
rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account 
PCU4$: NT_STATUS_ACCESS_DENIED


I have the same error with the other PC in my domain. Does anyone have a solution? 
Thanks

The strange thing is that the machines are on the domain in the LDAP;
when you query the active directory, it returns the PC information.


Re: [Samba] Samba PDC: Admin tools?

2012-08-30 Thread steve

On 30/08/12 18:57, Gaiseric Vandal wrote:

I use apache directory studio for LDAP management.  It is not samba
specific but  it is easy enough to use existing user, group or machine
objects as templates for new ones.  It runs on Windows and Linux (and
maybe on Mac.)



On 08/25/12 16:39, John Drescher wrote:

On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:

  Guys.

  I have use smbldap-tools to handle my accounts for my PDC with samba+openldap.

  Now, I ask here because a lot of people have PDC running on their
networks, what tools do u use to manage your openldap db for samba:
users, machines, groups?

  Working with Centos 6.x.

  Any input will be appreciated, thanks!!!


I use ldap account manager to manage my users / machines / group accounts.

John




Hi
openSUSE's yast has a really nice and little known frontend to LDAP 
which handles samba objects too. You can point and click your way 
through adding/deleting samba specific users and groups. It also has an 
LDAP browser similar to phpldapadmin. I'm not sure if Yast will fire up 
on Centos but may be worth a look.

Cheers,
Steve



Re: [Samba] Samba PDC: Admin tools?

2012-08-30 Thread Gaiseric Vandal
I use apache directory studio for LDAP management.  It is not samba
specific but  it is easy enough to use existing user, group or machine
objects as templates for new ones.  It runs on Windows and Linux (and
maybe on Mac.)



On 08/25/12 16:39, John Drescher wrote:
> On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:
>>  Guys.
>>
>>  I have use smbldap-tools to handle my accounts for my PDC with 
>> samba+openldap.
>>
>>  Now, I ask here because a lot of people have PDC running on their
>> networks, what tools do u use to manage your openldap db for samba:
>> users, machines, groups?
>>
>>  Working with Centos 6.x.
>>
>>  Any input will be appreciated, thanks!!!
>>
> I use ldap account manager to manage my users / machines / group accounts.
>
> John




Re: [Samba] Samba PDC: Admin tools?

2012-08-25 Thread John Drescher
On Sat, Aug 25, 2012 at 4:34 PM, Alberto Moreno  wrote:
>  Guys.
>
>  I have use smbldap-tools to handle my accounts for my PDC with 
> samba+openldap.
>
>  Now, I ask here because a lot of people have PDC running on their
> networks, what tools do u use to manage your openldap db for samba:
> users, machines, groups?
>
>  Working with Centos 6.x.
>
>  Any input will be appreciated, thanks!!!
>
I use ldap account manager to manage my users / machines / group accounts.

John


[Samba] Samba PDC: Admin tools?

2012-08-25 Thread Alberto Moreno
 Guys.

 I have use smbldap-tools to handle my accounts for my PDC with samba+openldap.

 Now, I ask here because a lot of people have PDC running on their
networks, what tools do u use to manage your openldap db for samba:
users, machines, groups?

 Working with Centos 6.x.

 Any input will be appreciated, thanks!!!

-- 
LIving the dream...


Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-10 Thread Gaiseric Vandal
The Domain Users group should have automatically been added to the local
users group when you joined the domain. 

When I upgraded from Samba 3.0.x to 3.5.x I had an error in the group
mappings on one of the DCs that caused problems for a while.   I also
had to explicitly add a mapping for the nobody user and group.

I think I may have explicitly granted the domain administrator the
privilege to add machines to the domain

http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html#rp-privs

But I think I only had to do that because the administrator was not
recognized as being a domain admin (or local admin) because the group
mapping was broken.

If you add a network user to the local admin group, and login works,
then there is definitely a local security issue.  My guess is that the
OS creates the new user local profile directory but then has problems
assigning file permissions/ownership for the network user. 


On XP , if you right click My Computer and look at profiles, you could
see if the profile for a user was local, roaming or temporary.  Win 7
should have the same option.




On 08/09/12 18:03, Brandon wrote:
>> Are your group mappings correct?   I ask because it may be that the
>> "Domain Users" is not properly recognized as a member of the "Users"
>> group on the PC.  Can you login as the domain (or local) admins and
>> explicitly add domain users and domain groups to a local group?
>
> An update to this: I was able to add domain users after a reboot.  So
> I've added MYWORKGROUP\myadmin to my Users group on the local machine.
>
> I was also able to search my domain for users, and came up with a list
> of my users, a nobody user, and a Domain Admins group.  I've added
> MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to
> the User group on the local machine.  I am still getting the same
> errors when logging on though.
>
> It seems to me like it's trying to pull a roaming profile when I have
> roaming profiles disabled (or I thought I did), and/or windows doesn't
> actually know the netbios name, based on the series of these events:
>
> Windows cannot copy file \\?\C:\Users\Default\Documents to location
> \\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by
> network problems or insufficient security rights.
>
>




Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Brandon

> Are your group mappings correct?   I ask because it may be that the
> "Domain Users" is not properly recognized as a member of the "Users"
> group on the PC.  Can you login as the domain (or local) admins and
> explicitly add domain users and domain groups to a local group?


An update to this: I was able to add domain users after a reboot.  So 
I've added MYWORKGROUP\myadmin to my Users group on the local machine.


I was also able to search my domain for users, and came up with a list 
of my users, a nobody user, and a Domain Admins group.  I've added 
MYWORKGROUP\myadmin (user) and MYWORKGROUP\Domain Admins (group) to the 
User group on the local machine.  I am still getting the same errors 
when logging on though.


It seems to me like it's trying to pull a roaming profile when I have 
roaming profiles disabled (or I thought I did), and/or windows doesn't 
actually know the netbios name, based on the series of these events:


Windows cannot copy file \\?\C:\Users\Default\Documents to location 
\\?\C:\Users\TEMP.MYWORKGROUP\Documents. This error may be caused by 
network problems or insufficient security rights.





Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Brandon

On 8/9/2012 10:58 AM, Gaiseric Vandal wrote:

> that looks OK.
>
> You should not need a login script defined for a computer account.


This must have been generated from smb.conf, I didn't actually change 
anything.




> Are you able to login as the Domain Administrator?


No.  myadmin is supposed to be the domain administrator.  I followed 
this guide for setting up domain admins (even though I'm running 12.04):

https://help.ubuntu.com/11.04/serverguide/samba-dc.html

# net rpc rights list -U myadmin
Enter myadmin's password:
SeMachineAccountPrivilege  Add machines to domain
 SeTakeOwnershipPrivilege  Take ownership of files or other objects
        SeBackupPrivilege  Back up files and directories
       SeRestorePrivilege  Restore files and directories
SeRemoteShutdownPrivilege  Force shutdown from a remote system
 SePrintOperatorPrivilege  Manage printers
      SeAddUsersPrivilege  Add users and groups to the domain
  SeDiskOperatorPrivilege  Manage disk shares
      SeSecurityPrivilege  System security

Is this correct?


> Are your group mappings correct?   I ask because it may be that the
> "Domain Users" is not properly recognized as a member of the "Users"
> group on the PC.  Can you login as the domain (or local) admins and
> explicitly add domain users and domain groups to a local group?


When I try to add MYWORKGROUP\myadmin to Users group from the local 
admin I get this:


"The following error occurred while using the user name and password you 
entered: Multiple connections to a server or shared resource by the same 
user, using more than one user name, are not allowed.  Disconnect all 
previous connections to the server or shared resource and try again."


As far as I know, I don't have any other connections going with the 
server (except SSH).






Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Gaiseric Vandal
that looks OK.

You should not need a login script defined for a computer account.

Are you able to login as the Domain Administrator?

Are your group mappings correct?   I ask because it may be that the
"Domain Users" is not properly recognized as a member of the "Users"
group on the PC.  Can you login as the domain (or local) admins and
explicitly add domain users and domain groups to a local group?



On 08/09/12 10:37, Brandon wrote:
> > did you make the appropriate registry changes on Win 7 as per
> > http://wiki.samba.org/index.php/Windows7
>
> Yes, I've downloaded the 3.6.3 script and ran it on the client, as
> well as manually checked that the settings were only the two described
> in the wiki article
>
> > Have you tried adding a machine account for your CLIENTPC
> > i.e.  #> pdbedit -a -m -u CLIENTPC
>
> Yes, I let the account be auto-generated when connecting to the
> domain.  I should have specified that there are other users I didn't
> include in the print out.  Here is the machine account from pdbedit
> (note that I changed the logon script in smb.conf from .cmd to .bat a
> few minutes ago, and the update can be seen here):
>
> ---
> Unix username:CLIENTPC$
> NT username:
> Account Flags:[W  ]
> User SID: S-1-5-21-2762049607-2166809996-183419993-1001
> Primary Group SID:S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:CLIENTPC$
> Home Directory:
> HomeDir Drive:
> Logon Script: logon.bat
> Profile Path:
> Domain:   MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:   0
> Logoff time:  Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
> Password last set:Wed, 08 Aug 2012 13:44:36 EDT
> Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours : FF
> ---
>
> Also, I've got a bit more information from the log.CLIENTPC:
>
> [2012/08/09 10:14:56.686577,  0]
> rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
>   pipe_schannel_auth_bind: Attempt to bind using schannel without
> successful serverauth2
> [2012/08/09 10:14:56.794994,  0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client CLIENTPC machine account CLIENTPC$
>
>
> There are also a number of windows events:
>
> --- begin windows events paste ---
> The winlogon notification subscriber  failed a critical
> notification event.
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location
> C:\Users\myadmin\NTUSER.DAT. This error may be caused by network
> problems or insufficient security rights.
> Windows cannot copy file \\?\C:\Users\Default\Videos to location
> \\?\C:\Users\myadmin\Videos. This error may be caused by network
> problems or insufficient security rights.
> Windows cannot copy file \\?\C:\Users\Default\Saved Games to location
> \\?\C:\Users\myadmin\Saved Games. This error may be caused by network
> problems or insufficient security rights.
>  events repeat with a bunch of similar directories>
> There are too many profile copy errors. Refer to the previous events
> for details. Windows will not log any additional copy errors for this
> copy process.
> Windows cannot find the local profile and is logging you on with a
> temporary profile. Changes you make to this profile will be lost when
> you log off.
> Windows cannot copy file C:\Users\Default\NTUSER.DAT to location
> C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by
> network problems or insufficient security rights.
>  directories>
> There are too many profile copy errors. Refer to the previous events
> for details. Windows will not log any additional copy errors for this
> copy process.
> Windows cannot log you on because your profile cannot be loaded. Check
> that you are connected to the network, and that your network is
> functioning correctly.
> The winlogon notification subscriber  failed a notification event.
> --- end windows events paste ---
>
>
>
>
>
>




Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Brandon

> did you make the appropriate registry changes on Win 7 as per
> http://wiki.samba.org/index.php/Windows7

Yes, I've downloaded the 3.6.3 script and ran it on the client, as well 
as manually checked that the settings were only the two described in the 
wiki article


> Have you tried adding a machine account for your CLIENTPC
> i.e.  #> pdbedit -a -m -u CLIENTPC

Yes, I let the account be auto-generated when connecting to the domain. 
 I should have specified that there are other users I didn't include in 
the print out.  Here is the machine account from pdbedit (note that I 
changed the logon script in smb.conf from .cmd to .bat a few minutes 
ago, and the update can be seen here):


---
Unix username:        CLIENTPC$
NT username:
Account Flags:        [W  ]
User SID:             S-1-5-21-2762049607-2166809996-183419993-1001
Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
Full Name:            CLIENTPC$
Home Directory:
HomeDir Drive:
Logon Script:         logon.bat
Profile Path:
Domain:               MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Wed, 08 Aug 2012 13:44:36 EDT
Password can change:  Wed, 08 Aug 2012 13:44:36 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
---

Also, I've got a bit more information from the log.CLIENTPC:

[2012/08/09 10:14:56.686577,  0] 
rpc_server/srv_pipe.c:500(pipe_schannel_auth_bind)
  pipe_schannel_auth_bind: Attempt to bind using schannel without 
successful serverauth2
[2012/08/09 10:14:56.794994,  0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client CLIENTPC machine account CLIENTPC$



There are also a number of windows events:

--- begin windows events paste ---
The winlogon notification subscriber  failed a critical 
notification event.
Windows cannot copy file C:\Users\Default\NTUSER.DAT to location 
C:\Users\myadmin\NTUSER.DAT. This error may be caused by network 
problems or insufficient security rights.
Windows cannot copy file \\?\C:\Users\Default\Videos to location 
\\?\C:\Users\myadmin\Videos. This error may be caused by network 
problems or insufficient security rights.
Windows cannot copy file \\?\C:\Users\Default\Saved Games to location 
\\?\C:\Users\myadmin\Saved Games. This error may be caused by network 
problems or insufficient security rights.
events repeat with a bunch of similar directories>
There are too many profile copy errors. Refer to the previous events for 
details. Windows will not log any additional copy errors for this copy 
process.
Windows cannot find the local profile and is logging you on with a 
temporary profile. Changes you make to this profile will be lost when 
you log off.
Windows cannot copy file C:\Users\Default\NTUSER.DAT to location 
C:\Users\TEMP.MYWORKGROUP\NTUSER.DAT. This error may be caused by 
network problems or insufficient security rights.


There are too many profile copy errors. Refer to the previous events for 
details. Windows will not log any additional copy errors for this copy 
process.
Windows cannot log you on because your profile cannot be loaded. Check 
that you are connected to the network, and that your network is 
functioning correctly.

The winlogon notification subscriber  failed a notification event.
--- end windows events paste ---








Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Andrew Mark

Have you tried adding a machine account for your CLIENTPC
i.e.  #> pdbedit -a -m -u CLIENTPC

This will create the CLIENTPC$ account it was squawking about.
In my experience, the machine needs a Samba account too.

Cheers,
 


Andrew Mark | Development Analyst | www.aimsystems.ca
local: 519-837-1072 | fax: 519-837-4063 | int'l 800-465-2961
12-350 Speedvale Ave. W. | Guelph, ON | N1H 7M7 | Canada

On 12-08-09 09:28 AM, Brandon wrote:

Here's some more information on my problem:

smb.conf:
--- begin smb.conf ---
[global]
workgroup = MYWORKGROUP
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
logon script = logon.cmd
logon path =
logon home =
domain logons = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
--- end smb.conf ---

Here's the pdbedit -Lv spitout for my user:

--- begin output---
Unix username:myadmin
NT username:
Account Flags:[U  ]
User SID: S-1-5-21-2762049607-2166809996-183419993-1000
Primary Group SID:S-1-5-21-2762049607-2166809996-183419993-513
Full Name:
Home Directory:
HomeDir Drive:
Logon Script: logon.cmd
Profile Path:
Domain:   MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Wed, 06 Feb 2036 10:06:39 EST
Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
Password last set:Wed, 08 Aug 2012 17:54:50 EDT
Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours : FF
--- end output ---







Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Gaiseric Vandal
did you make the appropriate registry changes on Win 7 as per

http://wiki.samba.org/index.php/Windows7





On 08/09/12 09:28, Brandon wrote:
> Here's some more information on my problem:
>
> smb.conf:
> --- begin smb.conf ---
> [global]
> workgroup = MYWORKGROUP
> server string = %h server (Samba, Ubuntu)
> map to guest = Bad User
> obey pam restrictions = Yes
> pam password change = Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
> logon script = logon.cmd
> logon path =
> logon home =
> domain logons = Yes
> dns proxy = No
> usershare allow guests = Yes
> panic action = /usr/share/samba/panic-action %d
> idmap config * : backend = tdb
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> create mask = 0700
> directory mask = 0700
> browseable = No
>
> [netlogon]
> comment = Network Logon Service
> path = /srv/samba/netlogon
> guest ok = Yes
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> printable = Yes
> print ok = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/printers
> --- end smb.conf ---
>
> Here's the pdbedit -Lv spitout for my user:
>
> --- begin output---
> Unix username:myadmin
> NT username:
> Account Flags:[U  ]
> User SID: S-1-5-21-2762049607-2166809996-183419993-1000
> Primary Group SID:S-1-5-21-2762049607-2166809996-183419993-513
> Full Name:
> Home Directory:
> HomeDir Drive:
> Logon Script: logon.cmd
> Profile Path:
> Domain:   MYWORKGROUP
> Account desc:
> Workstations:
> Munged dial:
> Logon time:   0
> Logoff time:  Wed, 06 Feb 2036 10:06:39 EST
> Kickoff time: Wed, 06 Feb 2036 10:06:39 EST
> Password last set:Wed, 08 Aug 2012 17:54:50 EDT
> Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours : FF
> --- end output ---
>
>




Re: [Samba] Problems connecting win7 client to new Samba PDC

2012-08-09 Thread Brandon

Here's some more information on my problem:

smb.conf:
--- begin smb.conf ---
[global]
workgroup = MYWORKGROUP
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
logon script = logon.cmd
logon path =
logon home =
domain logons = Yes
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0700
directory mask = 0700
browseable = No

[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
guest ok = Yes

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
printable = Yes
print ok = Yes
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
--- end smb.conf ---

Here's the pdbedit -Lv spitout for my user:

--- begin output---
Unix username:        myadmin
NT username:
Account Flags:        [U  ]
User SID:             S-1-5-21-2762049607-2166809996-183419993-1000
Primary Group SID:    S-1-5-21-2762049607-2166809996-183419993-513
Full Name:
Home Directory:
HomeDir Drive:
Logon Script:         logon.cmd
Profile Path:
Domain:               MYWORKGROUP
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Wed, 06 Feb 2036 10:06:39 EST
Kickoff time:         Wed, 06 Feb 2036 10:06:39 EST
Password last set:    Wed, 08 Aug 2012 17:54:50 EDT
Password can change:  Wed, 08 Aug 2012 17:54:50 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF
--- end output ---




[Samba] Problems connecting win7 client to new Samba PDC

2012-08-08 Thread Brandon Stepp
Hey, I'm running the latest Ubuntu 12.04 Samba 3.6.3, I just want a 
simple PDC for authentication.  Client is win7 32 bit with latest 
updates.  The client can join the domain, but I can't log in with any 
users, it gives me "The User Profile Service service failed the logon.  
User profile cannot be loaded."  Looking at the log, I've found this:


"[2012/08/08 17:08:39.747592,  0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client CLIENTPC machine account CLIENTPC$"


Any ideas on what the problem is?



Re: [Samba] Samba PDC and Local Group Policies on XP

2012-08-01 Thread Daniel Müller
What did you use: kixtart, poledit...?
It seems that you did not set the rights on your netlogon the right way!?

---
EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of benedikt.wies...@bw-systems.net
Sent: Monday, 30 July 2012 18:39
To: samba@lists.samba.org
Subject: [Samba] Samba PDC and Local Group Policies on XP

Hi *,

I have reinstalled a server with the newest version of samba and configured
it as PDC based on this tutorial
(http://www.nicht-blau.de/2010/12/28/howto-samba-3-5-6-pdc-primary-domain-controller-und-windows-7-2/).

I then copied the old profiles folder onto the new server and set the
permissions. But however before the reinstallation every Domainuser in the
Domain accepted the Group Policies I set up at every Win XP computer (i.e.
Setting a specific Wallpaper, Setting a specific design, deny access to
system controls) and now they are consequently ignored.

Example:

I log on as Administrator (locally):
- I have no access to system controls
- I have my Wallpaper
- I have my Design
(Group policies are working)

I log on as Domainuser:
- I have full rights, I can do everything
- I have a blue Wallpaper
- Nothing happened to the design

What the hell is going wrong? Why does a Domainuser have more rights than the
administrator and why do the group policies do nothing?

I hope somebody can help me.




[Samba] Samba PDC and Local Group Policies on XP

2012-08-01 Thread benedikt.wies...@bw-systems.net
Hi *,

I have reinstalled a server with the newest version of samba and configured it 
as PDC based on this tutorial 
(http://www.nicht-blau.de/2010/12/28/howto-samba-3-5-6-pdc-primary-domain-controller-und-windows-7-2/).

I then copied the old profiles folder onto the new server and set the 
permissions. But however before the reinstallation every Domainuser in the 
Domain accepted the Group Policies I set up at every Win XP computer (i.e. 
Setting a specific Wallpaper, Setting a specific design, deny access to system 
controls) and now they are consequently ignored.

Example:

I log on as Administrator (locally):
- I have no access to system controls
- I have my Wallpaper
- I have my Design
(Group policies are working)

I log on as Domainuser:
- I have full rights, I can do everything
- I have a blue Wallpaper
- Nothing happened to the design

What the hell is going wrong? Why does a Domainuser have more rights than the 
administrator and why do the group policies do nothing?

I hope somebody can help me.




[Samba] Unable to join Samba PDC with version 3.6.5 (works with 3.3.15)

2012-06-14 Thread Luc Lalonde
Hello Folks,

I am unable to join any linux Samba clients to my Samba-3.6.5 PDC with clients 
running 3.4.x, 3.5.x, or 3.6.x versions.   However, 3.3.x works fine and so do 
my Windows clients.

When I do a 'net rpc join' I get a 'successfuly joined domain' message with say 
3.6.5, but I am unable to authenticate on the domain thereafter.

Any clues?  I can send the configurations (smb.conf) of the server and client 
if it can help solve this mystery.  I suspect I'm just missing a configuration 
directive on the client side... but I can't seem to find any reference in the 
documentation.

On the Samba-3.6.5 PDC, we're using a LDAP backend.

Thanks in advance! 

-- 
Luc Lalonde, analyste
-
Département de génie informatique:
École polytechnique de Montréal
(514) 340-4711 x5049
luc.lalo...@polymtl.ca
-

Re: [Samba] PDC How to change workstation setting?

2012-05-29 Thread Alberto Moreno
Will be easy, but I don't want to install something that I normally
don't use to just change 1 field.
But appreciated your input thanks!!!

On Mon, May 28, 2012 at 1:37 PM, John Drescher  wrote:
>> Got it, I will give a try, thanks!!!
>>
> One easy way to do that is Ldap account manager.
>
> http://www.ldap-account-manager.org/lamcms/changelog
>
> John



-- 
LIving the dream...


Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread John Drescher
> Got it, I will give a try, thanks!!!
>
One easy way to do that is Ldap account manager.

http://www.ldap-account-manager.org/lamcms/changelog

John


Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread Alberto Moreno
On Mon, May 28, 2012 at 2:07 AM, Andrew Bartlett  wrote:
> On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
>> Maybe I wasn't clear.
>>
>> In a NT4 domain, u have a option to setup on which machines a user can
>> login, this way u can know that a X user can only use his own
>> computer.
>>
>> Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.
>>
>> check this:
>>
>> pdbedit -L -v -u user1
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> init_sam_from_ldap: Entry found for user: itello
>> Unix username:        user1
>> NT username:          user1
>> Account Flags:        [U          ]
>> User SID:             XXX
>> Primary Group SID:    XXX
>> Full Name:            One User
>> Home Directory:
>> HomeDir Drive:        O:
>> Logon Script:         /sbin/nologin
>> Profile Path:
>> Domain:               XXX
>> Account desc:        kITCHEN
>> Workstations:         MACHINE-X  <<<=
>> Munged dial:
>> Logon time:           Tue, 04 Jan 2011 07:08:28 PST
>> Logoff time:          never
>> Kickoff time:         never
>> Password last set:    Sat, 26 May 2012 13:07:23 PDT
>> Password can change:  Sat, 26 May 2012 13:07:23 PDT
>> Password must change: never
>> Last bad password   : 0
>> Bad password count  : 0
>> Logon hours         : FF
>>
>> As u can see the field Workstations it means that this user can only
>> login on this machine on this domain.
>> How can I change that field?
>
> If you are using LDAP, the easy option might be to change it directly in
> LDAP - just remove the ldap attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>

Got it, I will give a try, thanks!!!

-- 
LIving the dream...

Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread Andrew Bartlett
On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
> Maybe I wasn't clear.
> 
> In a NT4 domain, u have a option to setup on which machines a user can
> login, this way u can know that a X user can only use his own
> computer.
> 
> Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.
> 
> check this:
> 
> pdbedit -L -v -u user1
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: itello
> Unix username:        user1
> NT username:          user1
> Account Flags:        [U          ]
> User SID:             XXX
> Primary Group SID:    XXX
> Full Name:            One User
> Home Directory:
> HomeDir Drive:        O:
> Logon Script:         /sbin/nologin
> Profile Path:
> Domain:               XXX
> Account desc:        kITCHEN
> Workstations:         MACHINE-X  <<<=
> Munged dial:
> Logon time:           Tue, 04 Jan 2011 07:08:28 PST
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Sat, 26 May 2012 13:07:23 PDT
> Password can change:  Sat, 26 May 2012 13:07:23 PDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> 
> As u can see the field Workstations it means that this user can only
> login on this machine on this domain.
> How can I change that field?

If you are using LDAP, the easy option might be to change it directly in
LDAP - just remove the ldap attribute.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
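
An added example, not part of the original thread or of Samba's own tooling: one way to act on the suggestion above is to turn an LDIF export of the user entries into `ldapmodify` input that deletes the workstation attribute. It assumes the Samba 3 LDAP schema attribute name `sambaUserWorkstations` (the thread does not name it); the DNs and sample entries are constructed.

```python
import base64

# Attribute name from the Samba 3 LDAP schema (assumption: the thread does not name it).
ATTR = "sambaUserWorkstations"

# Constructed sample shaped like `ldapsearch -LLL` output; not real directory data.
# The third entry carries a base64 value folded over two lines, as LDIF allows.
B64_VALUE = base64.b64encode(b"MACHINE-A,MACHINE-B").decode()
SAMPLE_LDIF = f"""\
# constructed export
dn: uid=user1,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: user1
sambaUserWorkstations: MACHINE-X

dn: uid=user2,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: user2

dn: uid=user3,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: user3
sambaUserWorkstations:: {B64_VALUE[:12]}
 {B64_VALUE[12:]}
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space extends the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text):
    """Parse LDIF into [{'dn': str, 'attrs': {lowercased name: [values]}}]."""
    entries, current = [], None
    for line in unfold(text) + [""]:  # the trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = {"dn": None, "attrs": {}}
        if name.lower() == "dn":
            current["dn"] = value
        else:
            current["attrs"].setdefault(name.lower(), []).append(value)
    return entries


def ldif_dn(dn):
    """Emit a dn line, base64-encoding DNs that are not LDIF-safe strings."""
    unsafe_edge = dn.startswith((" ", ":", "<")) or dn.endswith(" ")
    if dn.isascii() and dn.isprintable() and not unsafe_edge:
        return f"dn: {dn}"
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode()


def build_modify(entries, only_uids=None):
    """Return (ldapmodify_input, report); report is [(dn, [old values])]."""
    wanted = None if only_uids is None else {u.lower() for u in only_uids}
    out, report = [], []
    for entry in entries:
        values = entry["attrs"].get(ATTR.lower())
        if not values or entry["dn"] is None:
            continue
        uids = {u.lower() for u in entry["attrs"].get("uid", [])}
        if wanted is not None and not (uids & wanted):
            continue
        # "delete: <attr>" with no value lines removes every value of the attribute.
        out += [ldif_dn(entry["dn"]), "changetype: modify", f"delete: {ATTR}", "-", ""]
        report.append((entry["dn"], values))
    return "\n".join(out), report


if __name__ == "__main__":
    ldif, report = build_modify(parse_entries(SAMPLE_LDIF), only_uids=["user1"])
    for dn, old in report:
        print(f"# lifting restriction {old} on {dn}")
    print(ldif)
```

Because the attribute is a logon restriction, keep the returned report of what each account was limited to and review it before feeding the output to `ldapmodify`.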



Re: [Samba] PDC How to change workstation setting?

2012-05-27 Thread Alberto Moreno
Maybe I wasn't clear.

In a NT4 domain, u have a option to setup on which machines a user can
login, this way u can know that a X user can only use his own
computer.

Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.

check this:

pdbedit -L -v -u user1
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: itello
Unix username:        user1
NT username:          user1
Account Flags:        [U          ]
User SID:             XXX
Primary Group SID:    XXX
Full Name:            One User
Home Directory:
HomeDir Drive:        O:
Logon Script:         /sbin/nologin
Profile Path:
Domain:               XXX
Account desc:        kITCHEN
Workstations:         MACHINE-X  <<<=
Munged dial:
Logon time:           Tue, 04 Jan 2011 07:08:28 PST
Logoff time:          never
Kickoff time:         never
Password last set:    Sat, 26 May 2012 13:07:23 PDT
Password can change:  Sat, 26 May 2012 13:07:23 PDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

As u can see the field Workstations it means that this user can only
login on this machine on this domain.
How can I change that field?

Thanks!!!

On Sun, May 27, 2012 at 4:41 PM, Dewayne Geraghty
 wrote:
> If you're asking where on the PC, its in Control Panel-> System -> Computer
> Name -> Change button.  This will help you to connect to the samba domain;
> but there is a lot more that you'll need.
>
> Also I'd recommend going to the samba 3.6 series, as there are
> configuration changes that you'll need to make from samba 3.3 to the more
> recent stream.
>
> Unfortunately you'll need to be clearer on what your problem is.
>
> Regards, Dewayne.
>



-- 
LIving the dream...

[Samba] PDC How to change workstation setting?

2012-05-27 Thread Alberto Moreno
Hi people.

I migrate some PDC NT4 to samba 3.3.x, some users have info the
Workstations parameter, I need to remove that info, because they
cannot login on any other machine, I have read the pdbedit,
smbldap-usermod but won't where I can do that.

Any info will be appreciated, thanks!!!

-- 
LIving the dream...


Re: [Samba] Problem joining to a Samba PDC (Probably caused by "unix charset")

2012-05-25 Thread Jeremy Allison
On Fri, May 25, 2012 at 12:56:50PM +0200, Ralf Aumueller wrote:
> Hello,
> 
> trying to join a Windows 7 64-Bit PC to a Samba PDC (3.6.5) fails with message
> "Domain not found or no connection possible". After some testing I found that
> the problem was caused by the Samba-parameter "unix charset = ISO8859-1".
> When I start the nmbd with same config-file just without the "unix charset" the
> PC can join the domain (smbd runs with org. config-file. Samba runs on CentOS6
> (en_US.UTF-8)).
> 
> Is this the expected behavior?
> 
> (At the moment I need ISO8859-1 because the files were saved with this charset).

We think this is bug #8373

https://bugzilla.samba.org/show_bug.cgi?id=8373

for which we have a patch currently undergoing test. With more testing it'll
be fixed in the next 3.6.x release.

Jeremy.


[Samba] Problem joining to a Samba PDC (Probably caused by "unix charset")

2012-05-25 Thread Ralf Aumueller
Hello,

trying to join a Windows 7 64-Bit PC to a Samba PDC (3.6.5) fails with message
"Domain not found or no connection possible". After some testing I found that
the problem was caused by the Samba-parameter "unix charset = ISO8859-1".
When I start the nmbd with same config-file just without the "unix charset" the
PC can join the domain (smbd runs with org. config-file. Samba runs on CentOS6
(en_US.UTF-8)).

Is this the expected behavior?

(At the moment I need ISO8859-1 because the files were saved with this charset).

Best regards,

Ralf


[Samba] samba PDC + ldap: segfault in uid_to_sid/_nss_ldap_getpwuid_r

2012-05-11 Thread Guenter Bartsch
All,

on a fairly large (73 TB XFS) file server running CentOS 6.2, samba
3.5.10-116.el6_2 I see pretty frequently backtraces like this one:


May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793851,  0]
lib/fault.c:46(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793921,  0]
lib/fault.c:47(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:   INTERNAL ERROR: Signal 11 in
pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]:   Please read the
Trouble-Shooting section of the Samba3-HOWTO
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793947,  0]
lib/fault.c:49(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
May 11 15:54:19 vrfs001 smbd[11709]:   From:
http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.793982,  0]
lib/fault.c:50(fault_report)
May 11 15:54:19 vrfs001 smbd[11709]:
===
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.794010,  0]
lib/util.c:1490(smb_panic)
May 11 15:54:19 vrfs001 smbd[11709]:   PANIC (pid 11709): internal error
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.826895,  0]
lib/util.c:1594(log_stack_trace)
May 11 15:54:19 vrfs001 smbd[11709]:   BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]:#0 smbd(log_stack_trace+0x1a)
[0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]:#1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]:#2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]:#3 /lib64/libc.so.6(+0x32900)
[0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]:#4
/lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]:#5
/lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]:#6
/lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]:#7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]:#8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]:#9 smbd(uid_to_sid+0x10b)
[0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]:#10
smbd(create_file_sids+0x1f) [0x7fae10facd0f]
May 11 15:54:19 vrfs001 smbd[11709]:#11 smbd(+0x164689) [0x7fae10fb5689]
May 11 15:54:19 vrfs001 smbd[11709]:#12
smbd(posix_get_nt_acl+0x10b) [0x7fae10fb63fb]
May 11 15:54:19 vrfs001 smbd[11709]:#13 smbd(+0x1872bd) [0x7fae10fd82bd]
May 11 15:54:19 vrfs001 smbd[11709]:#14
smbd(smb_vfs_call_get_nt_acl+0x2d) [0x7fae10fa7b9d]
May 11 15:54:19 vrfs001 smbd[11709]:#15
smbd(can_access_file_acl+0x6f) [0x7fae10fc7d1f]
May 11 15:54:19 vrfs001 smbd[11709]:#16
smbd(reply_ntcreate_and_X+0xf25) [0x7fae10f69a65]
May 11 15:54:19 vrfs001 smbd[11709]:#17 smbd(+0x1690f5) [0x7fae10fba0f5]
May 11 15:54:19 vrfs001 smbd[11709]:#18 smbd(+0x169497) [0x7fae10fba497]
May 11 15:54:19 vrfs001 smbd[11709]:#19 smbd(+0x1699f8) [0x7fae10fba9f8]
May 11 15:54:19 vrfs001 smbd[11709]:#20 smbd(run_events+0x22b)
[0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#21 smbd(smbd_process+0x82b)
[0x7fae10fb966b]
May 11 15:54:19 vrfs001 smbd[11709]:#22 smbd(+0x678fce) [0x7fae114c9fce]
May 11 15:54:19 vrfs001 smbd[11709]:#23 smbd(run_events+0x22b)
[0x7fae111dcbbb]
May 11 15:54:19 vrfs001 smbd[11709]:#24 smbd(+0x38bee1) [0x7fae111dcee1]
May 11 15:54:19 vrfs001 smbd[11709]:#25
smbd(_tevent_loop_once+0x90) [0x7fae111dd2c0]
May 11 15:54:19 vrfs001 smbd[11709]:#26 smbd(main+0xb7b) [0x7fae114cad2b]
May 11 15:54:19 vrfs001 smbd[11709]:#27
/lib64/libc.so.6(__libc_start_main+0xfd) [0x7fae0e01ccdd]
May 11 15:54:19 vrfs001 smbd[11709]:#28 smbd(+0xea849) [0x7fae10f3b849]
May 11 15:54:19 vrfs001 smbd[11709]: [2012/05/11 15:54:19.827188,  0]
lib/fault.c:326(dump_core)
May 11 15:54:19 vrfs001 smbd[11709]:   dumping core in /var/log/samba/cores/smbd

pwuid information is stored in OpenLDAP on this machine - could this be related?

anyone ever seen this - any clue how to debug this further?

thanks,

guenter
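
A first triage step for a backtrace like the one above is to find the frame where the signal was raised and the call path that led to it. The following is an added example, not part of the original post or of Samba: it re-joins the mail-wrapped syslog lines from an excerpt of the posted trace and picks out that frame with a heuristic (assumed: the frame after libc's unnamed signal-return frame that follows `smb_panic`).

```python
import re

# Excerpt of the backtrace posted above, still wrapped the way the mail was:
# a frame's text may continue on the next line without a syslog prefix.
SAMPLE_LOG = """\
May 11 15:54:19 vrfs001 smbd[11709]:   INTERNAL ERROR: Signal 11 in
pid 11709 (3.5.10-116.el6_2.slrdbg2)
May 11 15:54:19 vrfs001 smbd[11709]:   BACKTRACE: 29 stack frames:
May 11 15:54:19 vrfs001 smbd[11709]:#0 smbd(log_stack_trace+0x1a)
[0x7fae111cc8aa]
May 11 15:54:19 vrfs001 smbd[11709]:#1 smbd(smb_panic+0x1f) [0x7fae111cc96f]
May 11 15:54:19 vrfs001 smbd[11709]:#2 smbd(+0x36b26d) [0x7fae111bc26d]
May 11 15:54:19 vrfs001 smbd[11709]:#3 /lib64/libc.so.6(+0x32900)
[0x7fae0e030900]
May 11 15:54:19 vrfs001 smbd[11709]:#4
/lib64/libnss_ldap.so.2(_nss_ldap_getpwuid_r+0x15d) [0x7fae03586a6d]
May 11 15:54:19 vrfs001 smbd[11709]:#5
/lib64/libc.so.6(getpwuid_r+0xdd) [0x7fae0e0a84ed]
May 11 15:54:19 vrfs001 smbd[11709]:#6
/lib64/libc.so.6(getpwuid+0x6f) [0x7fae0e0a7ddf]
May 11 15:54:19 vrfs001 smbd[11709]:#7 smbd(+0x31bd5d) [0x7fae1116cd5d]
May 11 15:54:19 vrfs001 smbd[11709]:#8 smbd(+0x32174f) [0x7fae1117274f]
May 11 15:54:19 vrfs001 smbd[11709]:#9 smbd(uid_to_sid+0x10b)
[0x7fae1117291b]
May 11 15:54:19 vrfs001 smbd[11709]:#10
smbd(create_file_sids+0x1f) [0x7fae10facd0f]
"""

PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d+ [\d:]{8} \S+ smbd\[\d+\]:\s*(.*)$")
SIGNAL = re.compile(r"INTERNAL ERROR: Signal (\d+) in pid (\d+) \((\S+)\)")
FRAME = re.compile(r"^#(\d+)\s+(\S+?)\((\w*)\+(0x[0-9a-f]+)\)\s+\[(0x[0-9a-f]+)\]$")


def records(text):
    """Re-join wrapped lines into one payload string per syslog record."""
    out = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            out.append(m.group(1).strip())
        elif out and line.strip():
            out[-1] = (out[-1] + " " + line.strip()).strip()
    return out


def parse_crash(text):
    """Extract signal, pid, version string and stack frames from the log text."""
    crash = {"signal": None, "pid": None, "version": None, "frames": []}
    for rec in records(text):
        sig = SIGNAL.search(rec)
        if sig:
            crash.update(signal=int(sig.group(1)), pid=int(sig.group(2)),
                         version=sig.group(3))
            continue
        fr = FRAME.match(rec)
        if fr:
            crash["frames"].append({
                "index": int(fr.group(1)),
                "module": fr.group(2),
                "symbol": fr.group(3) or None,   # None when only an offset was logged
                "offset": int(fr.group(4), 16),
                "address": int(fr.group(5), 16),
            })
    return crash


def faulting_frame(frames):
    """Heuristic: after smb_panic come smbd's signal handler and libc's unnamed
    signal-return frame; the frame after that is where the signal was raised."""
    names = [f["symbol"] for f in frames]
    if "smb_panic" not in names:
        return None
    for i in range(names.index("smb_panic") + 1, len(frames) - 1):
        f = frames[i]
        if f["symbol"] is None and f["module"].rsplit("/", 1)[-1].startswith("libc."):
            return frames[i + 1]
    return None


def call_chain(frames, fault):
    """Named symbols from the faulting frame outward (innermost first)."""
    return [f["symbol"] for f in frames[frames.index(fault):] if f["symbol"]]


if __name__ == "__main__":
    crash = parse_crash(SAMPLE_LOG)
    fault = faulting_frame(crash["frames"])
    print(f"signal {crash['signal']} in pid {crash['pid']} ({crash['version']})")
    print(f"raised in {fault['module']} at {fault['symbol']}+{fault['offset']:#x}")
    print(" <- ".join(call_chain(crash["frames"], fault)))
```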


Re: [Samba] Update Samba PDC - win7 stop working

2012-03-29 Thread Daniel Müller
Samba 3.4 will work but 3.5 Samba sernet and 3.6 Samba sernet  are closer to 
win7 and w2008.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Dr.Peer-Joachim Koch
Sent: Thursday, 29 March 2012 10:56
To: samba@lists.samba.org
Subject: Re: [Samba] Update Samba PDC - win7 stop working

Hi,

thanks for the hints.

On 29.03.2012 10:13, Daniel Müller wrote:
> You need to run samba 3.5 or samba 3.6 from sernet.
So 3.4 from Novell will *never* work ?
After running the update of the OS we simply have to use the sernet rpm and 
everything is fine ?
>
> To get your Win 7 and W2008 Server in the domain you need to do some registry 
> entries.
> See: http://wiki.samba.org/index.php/Windows7
We are already running the WIN7 machines with the registry entries. On the old 
installation everything is fine.
>
> If you are running a virtual machine I suggest to move from SLES to 
> centos
>
>
> Good Luck
> Daniel
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org
> [mailto:samba-boun...@lists.samba.org] On Behalf Of Dr.Peer-Joachim
> Koch
> Sent: Thursday, 29 March 2012 08:31
> To: samba@lists.samba.org
> Subject: [Samba] Update Samba PDC - win7 stop working
>
> Hi,
>
> we have tried to update our rather old samba PDC. The system is running on 
> Novell SLES 10  SP2 with the samba RPM from Sernet.
> We stopped everything and updated (booting from DVD, using offline update) 
> the machine to SLES 11 SP1 started samba and everything was fine - except all 
> WIN 7 and W2008XX Server.
> Those clients were not able to use the domain.
> XP and Vista (32 and 64) worked without any problems. After 2h of searching 
> we switched back to the old Installation, to get everything back to work.
> The PDC is a virtual machine. so using the snapshot worked very well 
> ;)
>
> However I do not have the log files anymore :(
>
> OLD
> OS                    Samba ver
> SLES 10 SP2 (i586)    samba3-3.3.4-39
>
> NEW
> OS                    Samba ver
> SLES 11 SP1 (i586)    samba-3.4.3
>
>
>
> *) Has anybody seen this kind of behavior ?
> (Doing samba update ->  Win7 is not able to use the domain 
> anymore)
>
> *) Is there a way to test those steps ? The pdc is using our LDAP Server, so 
> we can not simply clone the pdc and test everything in a separate network...
> (or we have to clone a couple of server ...)
>
> *) When we update the PDC and we get everything working  - which version is 
> recommended (3.4.X // 3.5.X. // 3.6.X ) ?
>
> --
> Bye,
>   Peer
> _
> Max-Planck-Institut fuer Biogeochemie
> Dr. Peer-Joachim Koch
> Hans-Knöll Str.10    Phone: ++49 3641 57-6705
> D-07745 Jena         Fax:   ++49 3641 57-7705
>
>


--
Kind regards,
 Peer-Joachim Koch
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10    Phone: ++49 3641 57-6705
D-07745 Jena         Fax:   ++49 3641 57-7705



Re: [Samba] Update Samba PDC - win7 stop working

2012-03-29 Thread Dr.Peer-Joachim Koch

Hi,

thanks for the hints.

On 29.03.2012 10:13, Daniel Müller wrote:
> You need to run samba 3.5 or samba 3.6 from sernet.

So 3.4 from Novell will *never* work ?
After running the update of the OS we simply have to use the sernet rpm
and everything is fine ?

> To get your Win 7 and W2008 Server in the domain you need to do some registry
> entries.
> See: http://wiki.samba.org/index.php/Windows7

We are already running the WIN7 machines
with the registry entries. On the old installation everything is fine.

> If you are running a virtual machine I suggest to move from SLES to centos
>
> Good Luck
> Daniel
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> Behalf Of Dr.Peer-Joachim Koch
> Sent: Thursday, 29 March 2012 08:31
> To: samba@lists.samba.org
> Subject: [Samba] Update Samba PDC - win7 stop working
>
> Hi,
>
> we have tried to update our rather old samba PDC. The system is running on
> Novell SLES 10  SP2 with the samba RPM from Sernet.
> We stopped everything and updated (booting from DVD, using offline update) the
> machine to SLES 11 SP1 started samba and everything was fine - except all WIN 7
> and W2008XX Server.
> Those clients were not able to use the domain.
> XP and Vista (32 and 64) worked without any problems. After 2h of searching we
> switched back to the old Installation, to get everything back to work.
> The PDC is a virtual machine. so using the snapshot worked very well ;)
>
> However I do not have the log files anymore :(
>
> OLD
> OS                    Samba ver
> SLES 10 SP2 (i586)    samba3-3.3.4-39
>
> NEW
> OS                    Samba ver
> SLES 11 SP1 (i586)    samba-3.4.3
>
> *) Has anybody seen this kind of behavior ?
> (Doing samba update ->  Win7 is not able to use the domain anymore)
>
> *) Is there a way to test those steps ? The pdc is using our LDAP Server, so we
> can not simply clone the pdc and test everything in a separate network...
> (or we have to clone a couple of server ...)
>
> *) When we update the PDC and we get everything working  - which version is
> recommended (3.4.X // 3.5.X. // 3.6.X ) ?
>
> --
> Bye,
>   Peer
> _
> Max-Planck-Institut fuer Biogeochemie
> Dr. Peer-Joachim Koch
> Hans-Knöll Str.10    Phone: ++49 3641 57-6705
> D-07745 Jena         Fax:   ++49 3641 57-7705

--
Kind regards,
Peer-Joachim Koch
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10    Phone: ++49 3641 57-6705
D-07745 Jena         Fax:   ++49 3641 57-7705


Re: [Samba] Update Samba PDC - win7 stop working

2012-03-29 Thread Daniel Müller
You need to run samba 3.5 or samba 3.6 from sernet.

To get your Win 7 and W2008 Server in the domain you need to do some registry 
entries.
See: http://wiki.samba.org/index.php/Windows7


If you are running a virtual machine I suggest to move from SLES to centos


Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Dr.Peer-Joachim Koch
Sent: Thursday, 29 March 2012 08:31
To: samba@lists.samba.org
Subject: [Samba] Update Samba PDC - win7 stop working

Hi,

we have tried to update our rather old samba PDC. The system is running on 
Novell SLES 10  SP2 with the samba RPM from Sernet.
We stopped everything and updated (booting from DVD, using offline update) the 
machine to SLES 11 SP1 started samba and everything was fine - except all WIN 7 
and W2008XX Server.
Those clients were not able to use the domain.
XP and Vista (32 and 64) worked without any problems. After 2h of searching we 
switched back to the old Installation, to get everything back to work.
The PDC is a virtual machine. so using the snapshot worked very well ;)

However I do not have the log files anymore :(

OLD
OS                    Samba ver
SLES 10 SP2 (i586)    samba3-3.3.4-39

NEW
OS                    Samba ver
SLES 11 SP1 (i586)    samba-3.4.3



*) Has anybody seen this kind of behavior ?
   (Doing samba update -> Win7 is not able to use the domain anymore)

*) Is there a way to test those steps ? The pdc is using our LDAP Server, so we 
can not simply clone the pdc and test everything in a separate network...
(or we have to clone a couple of server ...)

*) When we update the PDC and we get everything working  - which version is 
recommended (3.4.X // 3.5.X. // 3.6.X ) ?

--
Bye,
 Peer
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10    Phone: ++49 3641 57-6705
D-07745 Jena         Fax:   ++49 3641 57-7705



[Samba] Update Samba PDC - win7 stop working

2012-03-28 Thread Dr.Peer-Joachim Koch

Hi,

we have tried to update our rather old samba PDC. The system is running
on Novell SLES 10  SP2 with the samba RPM from Sernet.
We stopped everything and updated (booting from DVD, using offline update)
the machine to SLES 11 SP1 started samba and everything was fine -
except all WIN 7 and W2008XX Server.
Those clients were not able to use the domain.
XP and Vista (32 and 64) worked without any problems. After 2h of searching
we switched back to the old Installation, to get everything back to work.
The PDC is a virtual machine. so using the snapshot worked very well ;)

However I do not have the log files anymore :(

OLD
OS                    Samba ver
SLES 10 SP2 (i586)    samba3-3.3.4-39

NEW
OS                    Samba ver
SLES 11 SP1 (i586)    samba-3.4.3



*) Has anybody seen this kind of behavior ?
  (Doing samba update -> Win7 is not able to use the domain anymore)

*) Is there a way to test those steps ? The pdc is using our LDAP Server,
so we can not simply clone the pdc and test everything in a separate 
network...

(or we have to clone a couple of server ...)

*) When we update the PDC and we get everything working  - which version
is recommended (3.4.X // 3.5.X. // 3.6.X ) ?

--
Bye,
Peer
_
Max-Planck-Institut fuer Biogeochemie
Dr. Peer-Joachim Koch
Hans-Knöll Str.10    Phone: ++49 3641 57-6705
D-07745 Jena         Fax:   ++49 3641 57-7705


Re: [Samba] Samba PDC with Windows 7 support request

2012-03-28 Thread Gaiseric Vandal
On 02/16/12 06:21, Dermot wrote:
> 2012/1/31 Jiří Procházka :
>> Dear Samba support team,
>>
>> I have a question on Samba 3.5.8 please, which is not solved by searching
>> the forums. I tried all suggested solutions, but nothing take effect.
>>
> ...
> >> Domain users experience a slow login performance on Windows 7 clients that are
> >> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
>> joined successfully into the domain with the Windows 7 registry settings
>> adjusted according to http://wiki.samba.org/index.php/Windows7
>> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> ...
>
> I have had similar problems. I was referred to the message in the
> mailing list archive [1]. I have applied what was described - used
> gpedit.msc -  this but I am still experiencing slow login times,
> exactly 40 seconds on each workstation.
>
> I just checked on one workstation where the user had a jpeg as his
> desktop background, I mention this because there are references to a
> Window7 bug about slow login and a plain desktop, and that has the
> correct group policy setting and still the login time was exactly 40
> seconds.
>
> I too be interested in hearing what others have to say on this.
> Thanks,
> Dermot.
>
> 1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html


Are you using roaming profiles ? 
Are you using offline folders-  I had problems with offline folders and
Windows 7-  it could break offline authentication. 

Does the Windows event log show anything about problems locating a
domain controller? 




Re: [Samba] PDC and Windows 2003 R2

2012-03-16 Thread Bob Miller
To do cross-subnet domain control you will need to use WINS


On Fri, 2012-03-16 at 19:57 -0300, jp_listero wrote:
> Hi,
> 
> I need to join a windows 2003 R2 to a samba (3.5.7-3.5.1) PDC through
> a cisco VPN ... (nice!).
> The error at the windows :
> 
> "A domain controller for the domain MyDomain could not be contacted"
> 
> any ideas ?
> 
> thanks !
> Jp

-- 
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server,
and Open Source Solutions



[Samba] PDC and Windows 2003 R2

2012-03-16 Thread jp_listero
Hi,

I need to join a windows 2003 R2 to a samba (3.5.7-3.5.1) PDC through
a cisco VPN ... (nice!).
The error at the windows :

"A domain controller for the domain MyDomain could not be contacted"

any ideas ?

thanks !
Jp


Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Tony Molloy
On Monday 12 March 2012 17:33:28 Simon Matthews wrote:
> On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy  
wrote:
> > On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> > > On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> > > 
> > > wrote:
> > > > Do you have password sync enabled? If password sync is
> > > > enabled, samba will try to use the passwd command to set the
> > > > unix password.  But with nis, you probably might need
> > > > something nis specific. On solaris it was “passwd –r nis” - 
> > > > not sure about linux. Probably better to just disable
> > > > password sync.
> > 
> > I've got a very similar setup to you. Except I use a smbpasswd
> > file.
> > 
> > > No, I don't have this option enabled. I am not sure how it is
> > > relevant. Problem summary:
> > > The samba PDC is an NIS client
> > > "getent passwd" returns the passwd data.
> > > The user's SAMBA password was set  using smbpasswd
> > > The user's NIS passwd was set using yppasswd
> > 
> > So far all the same.
> > 
> > > ALL I had to do to allow domain logins was:
> > > ypcat passwd | grep  >> /etc/passwd
> > 
> > Why duplicate the password entries. I just have them in NIS and
> > /etc/passwd just has the system passwords.
> > 
> > > Note that after copying the user details to /etc/passwd, the
> > > password that was set with "smbpasswd" was the password that
> > > was used with the successful domain login.
> > 
> > Don't really understand what you mean by "domain logins"
> > 
> > 1.  Create the user under linux first
> > 2.  Use smbpasswd to add the user to samba
> > 
> > You now have a user in both linux and samba but remember the
> > passwords are stored separately, changing one does not change
> > the other.
> > 
> > 3.   Edit /etc/nsswitch.conf. Set
> > 
> > passwd: files nis
> > shadow: files
> 
> Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf
> solved the issue. I don't understand why, but it did .
> 
> Simon


The shadow file /etc/shadow stores the passwords associated with the 
entries in the password file /etc/passwd.

It has nothing to do with the NIS password database which stores the 
passwords in the actual database entries.

Tony
> 
> > That works for me. YMMV
> > 
> > Tony
> > 
> > > Simon
> > 

Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Gaiseric Vandal
If your NIS passwd file did NOT have a valid password, maybe samba or 
unix was rejecting logins as a security measure.




On 03/12/12 13:33, Simon Matthews wrote:
> On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy  wrote:
>
> > On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> > > On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> > > wrote:
> > > > Do you have password sync enabled? If password sync is
> > > > enabled, samba will try to use the passwd command to set the
> > > > unix password.  But with nis, you probably might need something
> > > > nis specific. On solaris it was “passwd –r nis” -  not sure
> > > > about linux. Probably better to just disable password sync.
> >
> > I've got a very similar setup to you. Except I use a smbpasswd file.
> >
> > > No, I don't have this option enabled. I am not sure how it is
> > > relevant. Problem summary:
> > > The samba PDC is an NIS client
> > > "getent passwd" returns the passwd data.
> > > The user's SAMBA password was set  using smbpasswd
> > > The user's NIS passwd was set using yppasswd
> >
> > So far all the same.
> >
> > > ALL I had to do to allow domain logins was:
> > > ypcat passwd | grep  >>  /etc/passwd
> >
> > Why duplicate the password entries. I just have them in NIS and
> > /etc/passwd just has the system passwords.
> >
> > > Note that after copying the user details to /etc/passwd, the
> > > password that was set with "smbpasswd" was the password that was
> > > used with the successful domain login.
> >
> > Don't really understand what you mean by "domain logins"
> >
> > 1.  Create the user under linux first
> > 2.  Use smbpasswd to add the user to samba
> >
> > You now have a user in both linux and samba but remember the passwords
> > are stored separately, changing one does not change the other.
> >
> > 3.   Edit /etc/nsswitch.conf. Set
> >
> > passwd: files nis
> > shadow: files
>
> Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf solved the
> issue. I don't understand why, but it did .
>
> Simon
>
> > That works for me. YMMV
> >
> > Tony
> >
> > > Simon



Re: [Samba] samba PDC/NIS client

2012-03-12 Thread Simon Matthews
On Sun, Mar 11, 2012 at 4:09 AM, Tony Molloy  wrote:

> On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> > On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> >
> > wrote:
> > > Do you have password sync enabled? If password sync is
> > > enabled, samba will try to use the passwd command to set the
> > > unix password.  But with nis, you probably might need something
> > > nis specific. On solaris it was “passwd –r nis” -  not sure
> > > about linux. Probably better to just disable password sync.
> >
>
> I've got a very similar setup to you. Except I use a smbpasswd file.
>
> > No, I don't have this option enabled. I am not sure how it is
> > relevant. Problem summary:
> > The samba PDC is an NIS client
> > "getent passwd" returns the passwd data.
> > The user's SAMBA password was set  using smbpasswd
> > The user's NIS passwd was set using yppasswd
>
> So far all the same.
>
> > ALL I had to do to allow domain logins was:
> > ypcat passwd | grep  >> /etc/passwd
>
> Why duplicate the password entries. I just have them in NIS and
> /etc/passwd just has the system passwords.
>
> > Note that after copying the user details to /etc/passwd, the
> > password that was set with "smbpasswd" was the password that was
> > used with the successful domain login.
>
> Don't really understand what you mean by "domain logins"
>
> 1.  Create the user under linux first
> 2.  Use smbpasswd to add the user to samba
>
> You now have a user in both linux and samba but remember the passwords
> are stored separately, changing one does not change the other.
>
> 3.   Edit /etc/nsswitch.conf. Set
>
> passwd: files nis
> shadow: files
>


Removing the "nis" entry from "shadow:" in /etc/nsswitch.conf solved the
issue. I don't understand why, but it did .

Simon

>
> That works for me. YMMV
>
> Tony
>
> >
> > Simon
>


Re: [Samba] samba PDC/NIS client

2012-03-11 Thread Tony Molloy
On Sunday 11 March 2012 05:31:35 Simon Matthews wrote:
> On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
> 
> wrote:
> > Do you have password sync enabled? If password sync is
> > enabled, samba will try to use the passwd command to set the
> > unix password.  But with nis, you probably might need something
> > nis specific. On solaris it was “passwd –r nis” -  not sure
> > about linux. Probably better to just disable password sync.
> 

I've got a very similar setup to you. Except I use a smbpasswd file.

> No, I don't have this option enabled. I am not sure how it is
> relevant. Problem summary:
> The samba PDC is an NIS client
> "getent passwd" returns the passwd data.
> The user's SAMBA password was set  using smbpasswd
> The user's NIS passwd was set using yppasswd

So far all the same.

> ALL I had to do to allow domain logins was:
> ypcat passwd | grep  >> /etc/passwd

Why duplicate the password entries. I just have them in NIS and 
/etc/passwd just has the system passwords.

> Note that after copying the user details to /etc/passwd, the
> password that was set with "smbpasswd" was the password that was
> used with the successful domain login.

Don't really understand what you mean by "domain logins"

1.  Create the user under linux first
2.  Use smbpasswd to add the user to samba

You now have a user in both linux and samba but remember the passwords 
are stored separately, changing one does not change the other.

3.   Edit /etc/nsswitch.conf. Set

passwd: files nis
shadow: files

That works for me. YMMV

Tony

> 
> Simon



Re: [Samba] samba PDC/NIS client

2012-03-10 Thread Simon Matthews
On Sat, Mar 10, 2012 at 4:24 PM, Gaiseric Vandal
wrote:

> Do you have password sync enabled? If password sync is enabled, samba
> will try to use the passwd command to set the unix password.  But with
> nis, you probably might need something nis specific. On solaris it was
> "passwd -r nis" -  not sure about linux. Probably better to just disable
> password sync.
>

No, I don't have this option enabled. I am not sure how it is relevant.
Problem summary:
The samba PDC is an NIS client
"getent passwd" returns the passwd data.
The user's SAMBA password was set using smbpasswd
The user's NIS passwd was set using yppasswd
ALL I had to do to allow domain logins was:
ypcat passwd | grep  >> /etc/passwd
Note that after copying the user details to /etc/passwd, the password that
was set with "smbpasswd" was the password that was used with the successful
domain login.

Simon



> 
>
> *From:* Simon Matthews [mailto:simon.d.matth...@gmail.com]
> *Sent:* Friday, March 09, 2012 4:04 PM
> *To:* gaiseric.van...@gmail.com
> *Cc:* samba@lists.samba.org
> *Subject:* Re: [Samba] samba PDC/NIS client
>
>
> On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal 
> wrote:
>
> I don't think is this a samba issue.   Samba accounts need to have a
> corresponding unix account.   Shouldn't matter if they are in NIS or
> /etc/passwd.   If you have users in both it could get a problem.
>
> Is "getent passwd" really showing the users from NIS?
>
> Yes.  In fact, for those users who are in both the /etc/passwd and nis
> tables, it shows both entries (and the details match between both entries)
> 
>
>  How about "getent shadow" (assuming a linux machine and not solaris,
>
>  
>
> No, this only shows the users with entries in /etc/shadow. However:
>
> 1. getent passwd includes the hashed passwords of users in the nis tables
>
> 2. It was not necessary to add the user to /etc/shadow in order to allow
> samba domain logins. All I had to do was add the user to /etc/passwd.
>
>  
>
> and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
> entry for
>
>shadow:  files nis
>
> Yes 
>
>
>
> Are you missing the : in the nsswitch.conf entries?
>
> No. 
>
>
> Are your user names all in lower case?  Are they all 8 characters or under.
> 
>
>  Yes.
>
> Simon
>
>
>
>
>
>
>
>
> On 03/08/12 22:46, Simon Matthews wrote:
>
> I have a server which is a samba PDC and has recently been converted to an
> NIS client. For historic reasons, many users login information is in the
> local machine's /etc/passwd and /etc/shadow files.
>
> samba is set up to use a tdbsam database.
>
> I got the first indication of problems when I tried to add a user using the
> smbpasswd -a command. I found that smbpasswd would not recognize the user
> unless either the username was in the /etc/passwd file, or I changed
> /etc/nsswitch.conf from
> passwd compat
> TO:
> passwd files nis
>
> However, if I make the latter change, the user cannot log into any Windows
> machines that are controlled by my PDC. To allow logins, all I have to do
> is
> ypcat passwd | grep  >>  /etc/passwd
> After this, the user can log in.
>
> Is there any configuration of samba that will allow it to properly
> recognize user data from the NIS map and not require the user to be listed
> in the /etc/passwd file?
>
> Simon
>


Re: [Samba] samba PDC/NIS client

2012-03-10 Thread Gaiseric Vandal
Do you have password sync enabled? If password sync is enabled, samba
will try to use the passwd command to set the unix password.  But with  nis,
you probably might need something nis specific. On solaris it was "passwd -r
nis" -  not sure about linux. Probably better to just disable password
sync.

 

 

 

From: Simon Matthews [mailto:simon.d.matth...@gmail.com] 
Sent: Friday, March 09, 2012 4:04 PM
To: gaiseric.van...@gmail.com
Cc: samba@lists.samba.org
Subject: Re: [Samba] samba PDC/NIS client

 

 

On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal 
wrote:

I don't think is this a samba issue.   Samba accounts need to have a
corresponding unix account.   Shouldn't matter if they are in NIS or
/etc/passwd.   If you have users in both it could get a problem.

Is "getent passwd" really showing the users from NIS?

 

Yes.  In fact, for those users who are in both the /etc/passwd and nis
tables, it shows both entries (and the details match between both entries)

 

 How about "getent shadow" (assuming a linux machine and not solaris,

 

No, this only shows the users with entries in /etc/shadow. However:

1. getent passwd includes the hashed passwords of users in the nis tables

2. It was not necessary to add the user to /etc/shadow in order to allow
samba domain logins. All I had to do was add the user to /etc/passwd.

 

and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
entry for

   shadow:  files nis

Yes 



Are you missing the : in the nsswitch.conf entries?

No. 


Are your user names all in lower case?  Are they all 8 characters or under.

 

 Yes. 

 

Simon








On 03/08/12 22:46, Simon Matthews wrote:

I have a server which is a samba PDC and has recently been converted to an
NIS client. For historic reasons, many users login information is in the
local machine's /etc/passwd and /etc/shadow files.

samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the
smbpasswd -a command. I found that smbpasswd would not recognize the user
unless either the username was in the /etc/passwd file, or I changed
/etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows
machines that are controlled by my PDC. To allow logins, all I have to do is
ypcat passwd | grep  >>  /etc/passwd
After this, the user can log in.

Is there any configuration of samba that will allow it to properly
recognize user data from the NIS map and not require the user to be listed
in the /etc/passwd file?

Simon

 



Re: [Samba] samba PDC/NIS client

2012-03-09 Thread Simon Matthews
On Fri, Mar 9, 2012 at 6:15 AM, Gaiseric Vandal
wrote:

> I don't think is this a samba issue.   Samba accounts need to have a
> corresponding unix account.   Shouldn't matter if they are in NIS or
> /etc/passwd.   If you have users in both it could get a problem.
>
> Is "getent passwd" really showing the users from NIS?


Yes.  In fact, for those users who are in both the /etc/passwd and nis
tables, it shows both entries (and the details match between both entries)

 How about "getent shadow" (assuming a linux machine and not solaris,


No, this only shows the users with entries in /etc/shadow. However:
1. getent passwd includes the hashed passwords of users in the nis tables
2. It was not necessary to add the user to /etc/shadow in order to allow
samba domain logins. All I had to do was add the user to /etc/passwd.


> and probably doesn't matter anyway.)   Do you have an /etc/nsswitch.conf
> entry for
>
>shadow:  files nis
>
Yes

>
>
> Are you missing the : in the nsswitch.conf entries?
>
No.

>
> Are your user names all in lower case?  Are they all 8 characters or under.


 Yes.

Simon

>
>
>
>
>
>
>
> On 03/08/12 22:46, Simon Matthews wrote:
>
>> I have a server which is a samba PDC and has recently been converted to an
>> NIS client. For historic reasons, many users login information is in the
>> local machine's /etc/passwd and /etc/shadow files.
>>
>> samba is set up to use a tdbsam database.
>>
>> I got the first indication of problems when I tried to add a user using
>> the
>> smbpasswd -a command. I found that smbpasswd would not recognize the user
>> unless either the username was in the /etc/passwd file, or I changed
>> /etc/nsswitch.conf from
>> passwd compat
>> TO:
>> passwd files nis
>>
>> However, if I make the latter change, the user cannot log into any Windows
>> machines that are controlled by my PDC. To allow logins, all I have to do
>> is
>> ypcat passwd | grep  >>  /etc/passwd
>> After this, the user can log in.
>>
>> Is there any configuration of samba that will allow it to properly
>> recognize user data from the NIS map and not require the user to be listed
>> in the /etc/passwd file?
>>
>> Simon
>>
>


Re: [Samba] samba PDC/NIS client

2012-03-09 Thread Gaiseric Vandal
I don't think this is a samba issue.   Samba accounts need to have a 
corresponding unix account.   Shouldn't matter if they are in NIS or 
/etc/passwd.   If you have users in both it could get a problem.


Is "getent passwd" really showing the users from NIS?  How about 
"getent shadow" (assuming a linux machine and not solaris, and probably 
doesn't matter anyway.)   Do you have an /etc/nsswitch.conf entry for


shadow:  files nis


Are you missing the : in the nsswitch.conf entries?

Are your user names all in lower case?  Are they all 8 characters or under.






On 03/08/12 22:46, Simon Matthews wrote:

I have a server which is a samba PDC and has recently been converted to an
NIS client. For historic reasons, many users login information is in the
local machine's /etc/passwd and /etc/shadow files.

samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the
smbpasswd -a command. I found that smbpasswd would not recognize the user
unless either the username was in the /etc/passwd file, or I changed
/etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows
machines that are controlled by my PDC. To allow logins, all I have to do is
ypcat passwd | grep  >>  /etc/passwd
After this, the user can log in.

Is there any configuration of samba that will allow it to properly
recognize user data from the NIS map and not require the user to be listed
in the /etc/passwd file?

Simon


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
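
The two checks this message asks for (a ':' in the nsswitch.conf entries, and a Unix account behind every Samba account), as an added shell example that is not part of the original thread. The function names, file names and sample data are constructed; on a live PDC the inputs would be /etc/nsswitch.conf, the output of "getent passwd" and the output of "pdbedit -L".

```shell
#!/bin/sh
# Added example (not from the thread). Inputs are plain files so the checks
# run offline; all sample data below is constructed.

# nss_sources DB FILE
# Prints the lookup sources configured for database DB. Fails when FILE has
# no well-formed "DB: source ..." entry, for example when the ':' is missing.
nss_sources() {
    awk -v db="$1" '
        {
            sub(/#.*/, "")                      # drop comments
            pos = index($0, ":")
            if (pos == 0) next                  # no colon: not a valid entry
            name = substr($0, 1, pos - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            rest = substr($0, pos + 1)
            gsub(/[ \t]+/, " ", rest)           # normalise spacing
            sub(/^ /, "", rest); sub(/ $/, "", rest)
            print rest
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "$2"
}

# unix_uid NAME PASSWD_FILE
# Prints the uid of NAME using an exact, case-sensitive match.
unix_uid() {
    awk -F: -v n="$1" '
        ($1 "") == (n "") { print $3; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$2"
}

# audit_samba_accounts PDBEDIT_FILE PASSWD_FILE
# PDBEDIT_FILE holds "name:uid:fullname" lines as printed by pdbedit -L.
# Prints OK / CASE / MISSING per account; returns 1 if any account has no
# exactly matching Unix account.
audit_samba_accounts() {
    pdb=$1 passwd=$2 rc=0
    while IFS=: read -r name _rest; do
        [ -n "$name" ] || continue
        if uid=$(unix_uid "$name" "$passwd"); then
            echo "OK $name uid=$uid"
        elif alt=$(awk -F: -v n="$name" '
                tolower($1) == tolower(n) { print $1; f = 1; exit }
                END { if (!f) exit 1 }' "$passwd"); then
            echo "CASE $name unix=$alt"; rc=1   # exists, but in another case
        else
            echo "MISSING $name"; rc=1
        fi
    done < "$pdb"
    return $rc
}

# make_sample DIR: writes constructed sample inputs into DIR.
make_sample() {
    cat > "$1/nsswitch.bad" <<'EOF'
# constructed: passwd entry written without the colon
passwd files nis
shadow:  files nis
EOF
    cat > "$1/nsswitch.good" <<'EOF'
passwd: files nis
shadow: files
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
ws01$:x:1051:515::/dev/null:/bin/false
EOF
    cat > "$1/pdbedit" <<'EOF'
alice:1001:Alice
bob:4294967295:Bob
WS01$:4294967295:WS01$
EOF
}

# Demo on the constructed data.
demo=$(mktemp -d)
make_sample "$demo"
nss_sources passwd "$demo/nsswitch.bad" || echo "passwd: no entry with ':' found"
audit_samba_accounts "$demo/pdbedit" "$demo/passwd" || echo "account mapping problems found"
rm -rf "$demo"
```
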


[Samba] samba PDC/NIS client

2012-03-08 Thread Simon Matthews
I have a server which is a samba PDC and has recently been converted to an
NIS client. For historic reasons, many users login information is in the
local machine's /etc/passwd and /etc/shadow files.

samba is set up to use a tdbsam database.

I got the first indication of problems when I tried to add a user using the
smbpasswd -a command. I found that smbpasswd would not recognize the user
unless either the username was in the /etc/passwd file, or I changed
/etc/nsswitch.conf from
passwd compat
TO:
passwd files nis

However, if I make the latter change, the user cannot log into any Windows
machines that are controlled by my PDC. To allow logins, all I have to do is
ypcat passwd | grep  >> /etc/passwd
After this, the user can log in.

Is there any configuration of samba that will allow it to properly
recognize user data from the NIS map and not require the user to be listed
in the /etc/passwd file?

Simon


Re: [Samba] Samba PDC with Windows 7 support request

2012-02-16 Thread Cain, Marc
Have you tried these settings (posted here about a year ago)?


When the following local GPO is left in its default setting Samba domain logons 
are delayed for 30 seconds: "Computer Configuration\Administrative 
Templates\System\User Profiles\Set maximum wait time for the network if the 
user has a roaming user profile or remote home directory."  

Enable this and set the value to 0 to work around this timeout.  The timeout 
does not occur when logging into an Active Directory PDC running Server 2008 
R2.  I have not tested this with w2k8 R2 client.

In addition, if the user's desktop is set to a solid background color logons of 
any kind (local, AD, samba) will be delayed by 30 seconds.  Set the background 
to any .jpg image or apply Microsoft's hotfix to work around this issue.  This 
is a cumulative timeout; that is, if the above timeout is in effect and the 
solid background color timeout is also in effect the delay is 60 seconds.

I also experienced a 30 second timeout when I set the local GPO to "Run logon 
scripts synchronously".  This problem has inexplicably vanished and I can't 
replicate it though I don't see it listed in any Windows 7 updates.  Might have 
been happening to me with Windows 7 PRO.  I'll check that if anyone is 
interested. The fix was to apply an old Vista reg setting.  Can be Googled as 
"Vista Run logon scripts synchronously".

Marc Cain

On Jan 31, 2012, at 11:45 AM, Jiří Procházka wrote:

> Dear Samba support team,
> 
> I have a question on Samba 3.5.8 please, which is not solved by searching
> the forums. I tried all suggested solutions, but nothing take effect.
> 
> 
> 
> Situation: 
> 
> - small public school
> 
> - We have Ubuntu Server 11.04 64-bit
> 
> - Samba 3.5.8 as PDC
> 
> - Windows XP and Windows 7 Pro SP1 clients
> 
> - On Windows XP everything works. Login is quick and reliable there.
> 
> 
> 
> Problem:
> 
> But our problem is with Windows 7 domain clients, where login and logout
> takes more than 1,5 minute with clear user profile. Yes, we have only 100
> Mbit LAN, but why XP can operate so much faster? We are using Aero with
> background images, but logon locally is very fast. Only using travel
> profiles is very slow.
> 
> 
> 
> I have tried:
> 
> -  Disable IPv6, 
> 
> -  Disabled UAC
> 
> -  set policies time to wait on server, 
> 
> -  I applied all performance recommended settings suggested at
> samba.org for Windows 7 (http://wiki.samba.org/index.php/Windows7)
> 
> 
> 
> 
> 
> 
> 
> Very similar post I have found here:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=8300
> 
> 
> 
> Domain users experience a slow login performance on Windows 7 clients that
> are
> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
> joined successfully into the domain with the Windows 7 registry settings
> adjusted according to http://wiki.samba.org/index.php/Windows7
> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
> 
> 
> 
> 
> 
> We need solve this bug, in other case we can’t use Samba as PDC and we must
> change the platform. Please put this request on free support boards or send
> me an offer for paid support.
> 
> 
> 
> Can help adding this to GLOBAL section?
> 
>   domain master = yes
> 
>   local master = yes
> 
>   preferred master = yes
> 
>   os level = 64
> 
> 
> 
> 
> 
> Thanks a lot,
> 
> I hope I’m not disturbing main Samba developers,
> 
> 
> 
> With best regards,
> 
> Jiri Prochazka
> 
> Teacher from Waldorf high school in Prague
> 
> 
> 
> 
> 
> Czech and English only :-)
> 

Re: [Samba] Samba PDC with Windows 7 support request

2012-02-16 Thread Dermot
2012/1/31 Jiří Procházka :
> Dear Samba support team,
>
> I have a question on Samba 3.5.8 please, which is not solved by searching
> the forums. I tried all suggested solutions, but nothing take effect.
>
...
>
> Domain users experience a slow login performance on Windows 7 clients that
> are
> joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
> joined successfully into the domain with the Windows 7 registry settings
> adjusted according to http://wiki.samba.org/index.php/Windows7
> (DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).
...

I have had similar problems. I was referred to the message in the
mailing list archive [1]. I have applied what was described - used
gpedit.msc -  this but I am still experiencing slow login times,
exactly 40 seconds on each workstation.

I just checked on one workstation where the user had a jpeg as his
desktop background, I mention this because there are references to a
Windows 7 bug about slow login and a plain desktop, and that has the
correct group policy setting and still the login time was exactly 40
seconds.

I too would be interested in hearing what others have to say on this.
Thanks,
Dermot.

1) http://www.mail-archive.com/samba@lists.samba.org/msg104494.html

[Samba] Samba PDC with Windows 7 support request

2012-02-15 Thread Jiří Procházka
Dear Samba support team,

I have a question on Samba 3.5.8 please, which is not solved by searching
the forums. I tried all suggested solutions, but nothing took effect.

Situation:

- small public school
- We have Ubuntu Server 11.04 64-bit
- Samba 3.5.8 as PDC
- Windows XP and Windows 7 Pro SP1 clients
- On Windows XP everything works. Login is quick and reliable there.

Problem:

But our problem is with Windows 7 domain clients, where login and logout
takes more than 1,5 minutes with a clear user profile. Yes, we have only 100
Mbit LAN, but why can XP operate so much faster? We are using Aero with
background images, but logon locally is very fast. Only using travel
profiles is very slow.

I have tried:

-  Disable IPv6,
-  Disabled UAC
-  set policies time to wait on server,
-  I applied all performance recommended settings suggested at
   samba.org for Windows 7 (http://wiki.samba.org/index.php/Windows7)

Very similar post I have found here:

https://bugzilla.samba.org/show_bug.cgi?id=8300

Domain users experience a slow login performance on Windows 7 clients that
are
joined into a samba domain (Samba version 3.5.4). The Windows 7 client was
joined successfully into the domain with the Windows 7 registry settings
adjusted according to http://wiki.samba.org/index.php/Windows7
(DomainCompatibilityMode = 0 and DNSNameResolutionRequired = 0).

We need to solve this bug, otherwise we can’t use Samba as PDC and we must
change the platform. Please put this request on free support boards or send
me an offer for paid support.

Can adding this to the GLOBAL section help?

   domain master = yes
   local master = yes
   preferred master = yes
   os level = 64

Thanks a lot,

I hope I’m not disturbing main Samba developers,

With best regards,

Jiri Prochazka

Teacher from Waldorf high school in Prague

Czech and English only :-)

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 
# A well-established practice is to name the original file
# "smb.conf.master" and create the "real" config file with
# testparm -s smb.conf.master >smb.conf
# This minimizes the size of the really used smb.conf file
# which, according to the Samba Team, impacts performance
# However, use this with caution if your smb.conf file contains nested
# "include" statements. See Debian bug #483187 for a case
# where using a master file is not a good idea.
#

#=== Global Settings ===

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = LYCEUM

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

# What naming service and in what order should we use to resolve host names
# to IP addresses
;   name resolve order = lmhosts host wins bcast

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog

[Samba] debian samba pdc

2012-01-11 Thread linux-service.be bvba
I try to join a debian squeeze box with a debian woody samba pdc.
I use samba and winbind on the squeeze box to join with the woody but keeps 
getting this error when doing 
net rpc info or net rpc testdomain

root@steinerpc1:~# net rpc testjoin
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe \netlogon failed with error 
NT_STATUS_UNSUCCESSFUL
net_rpc_join_ok: failed to get schannel session key from server woodyserver for 
domain domain on woody box. 
Error was NT_STATUS_UNSUCCESSFUL
Join to domain 'domain on woody box' is not valid: NT_STATUS_UNSUCCESSFUL

joining to another debian squeeze pdc is possible however.

i have no log files access at the debian woody box


Re: [Samba] Samba PDC cluster with RHCS

2011-12-14 Thread Daniel Müller
If you are running samba3 you will need to set up a bdc to take over business of
your pdc. Or a real time synced pdc copy on the other node that starts up
when the real pdc is going down.
In cases of ha I made also best experiences with samba4 in replication mode.

Good Luck
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Md. Shyfur Rahman
Sent: Sunday, 11 December 2011 19:04
To: ob...@samba.org
Cc: samba@lists.samba.org
Subject: [Samba] Samba PDC cluster with RHCS

Dear Sir,

I have implemented Samba PDC. It's working fine. But to do Highly Available,
I have been trying to make it in 2 node cluster. Everything is running
fine. But facing a problem, which I want to share.

When I shift PDC to another cluster node. Everything is shifting fine. But
my existing user can not log in. They can log in again if I rejoin that
machine again to domain. I am explaining little bit more.

Suppose user X can log in to my ClusterNode 1 PDC from a machine Y. If my
ClusterNode 1 goes down all the resources are shifting to the ClusterNode
2. When user X tries to log in from the same machine Y, X can't. I need to
rejoin machine Y to the ClusterNode 2, then user X can log in.

I believe I will get a solution from you. Please.

-- 
Rgds.
*Shyfur*


[Samba] Samba PDC cluster with RHCS

2011-12-14 Thread Md. Shyfur Rahman
Dear Sir,

I have implemented Samba PDC. It's working fine. But to do Highly Available,
I have been trying to make it in 2 node cluster. Everything is running
fine. But facing a problem, which I want to share.

When I shift PDC to another cluster node. Everything is shifting fine. But
my existing user can not log in. They can log in again if I rejoin that
machine again to domain. I am explaining little bit more.

Suppose user X can log in to my ClusterNode 1 PDC from a machine Y. If my
ClusterNode 1 goes down all the resources are shifting to the ClusterNode
2. When user X tries to log in from the same machine Y, X can't. I need to
rejoin machine Y to the ClusterNode 2, then user X can log in.

I believe I will get a solution from you. Please.

-- 
Rgds.
*Shyfur*


Re: [Samba] PDC & file server on same machine?

2011-12-12 Thread Gaiseric Vandal
Windows clients will give preference to a BDC (if available) when 
selecting a logon server over a PDC.


On 12/08/2011 08:36 AM, Aaron E. wrote:
I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
terminal services and another 50 fat clients,,, acts as the file 
server.. roaming profiles etc... I have no issues other than the 
network card only being 100mb,, I do have a throughput issues.. but 
that is on the table..


On 12/07/2011 06:03 PM, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that
authentication is done vs a BDC if available. I configured my new file
server as the domain PDC because I figured it would already have to run
samba. I have two other machines configured as BDCs to serve as logon
servers.

I'm looking for opinions on whether I'm asking for performance problems
by making my file server the PDC. Actually, this machine is already
serving as PDC but its not in production yet as a file server. So right
now, its just the domain PDC. When I log into the domain and "echo
%logonserver%", it shows that one of the BDCs was the logon server, not
the PDC. It doesn't look like the PDC has to do anything but handle
joining machines to the domain.










Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread John Heim

From: "Adam Tauno Williams" 

 With Samba3 domain control there isn't really a BDC/PDC distinction.
Every box is a PDC that operates in parallel with the other DCs.  That
is a bit different than a true NT4 domain.



But one machine has to have the master copy of the user/machine database.

From the samba documentation:


* Primary Domain Controller the one that seeds the domain SAM.
* Backup Domain Controller one that obtains a copy of the domain SAM.

On my file server, I have a custom add user script that configures mail,
sets a disk quota, configures the user's profile, and several other things.
That script has to run on the file server or it can't create all the proper
directories, etc. That's why I also made that machine the PDC. It's the only
machine with the ability to update the ldap database. If I made some other
machine the PDC, I'd have to have 2 machines with the ability to update the
ldap database. In my configuration, the BDCs are also slave ldap servers. So
when a user logs into the domain, I *think* it will talk to a BDC which will
query its own copy of the ldap database, and log them on.



But if being the PDC adds significantly to the load of the file server, I
could give up on the idea of having just the one machine with the ability to
update the ldap database. Having only one machine with update abilities is
cleaner but if it doesn't work, it doesn't work.





Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Adam Tauno Williams
On Thu, 2011-12-08 at 08:36 -0500, Aaron E. wrote:
> I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
> terminal services and another 50 fat clients,,, acts as the file 
> server.. roaming profiles etc... I have no issues other than the network 
> card only being 100mb,, I do have a throughput issues.. but that is on 
> the table..

Our "P"DC is a virtual machine.  It serves ~200 desktops and ~300 users.
That includes roaming profiles, netlogin, and some redirected folders
[some folders in the roaming profile are redirected to shares on the
server].  Backend is LDAPSAM.  Load is very low [with current-ish
version of OpenLDAP - slapd used to burn much more juice than it does
now].

Actual file-serving traffic burns up network bandwidth; but CPU and
memory requirements are surprisingly low.



Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Aaron E.
I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
terminal services and another 50 fat clients,,, acts as the file 
server.. roaming profiles etc... I have no issues other than the network 
card only being 100mb,, I do have a throughput issues.. but that is on 
the table..


On 12/07/2011 06:03 PM, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that
authentication is done vs a BDC if available. I configured my new file
server as the domain PDC because I figured it would already have to run
samba. I have two other machines configured as BDCs to serve as logon
servers.

I'm looking for opinions on whether I'm asking for performance problems
by making my file server the PDC. Actually, this machine is already
serving as PDC but its not in production yet as a file server. So right
now, its just the domain PDC. When I log into the domain and "echo
%logonserver%", it shows that one of the BDCs was the logon server, not
the PDC. It doesn't look like the PDC has to do anything but handle
joining machines to the domain.








Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread steve

On 08/12/11 12:15, Adam Tauno Williams wrote:

> On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:
>
>> How much of a resource hog is a PDC? My understanding is that authentication
>> is done vs a BDC if available. I configured my new file server as the domain
>> PDC because I figured it would already have to run samba. I have two other
>> machines configured as BDCs to serve as logon servers.
>> I'm looking for opinions on whether I'm asking for performance problems by
>> making my file server the PDC. Actually, this machine is already serving as
>> PDC but it's not in production yet as a file server. So right now, it's just
>> the domain PDC. When I log into the domain and "echo %logonserver%", it
>> shows that one of the BDCs was the logon server, not the PDC. It doesn't
>> look like the PDC has to do anything but handle joining machines to the
>> domain.
>
> There really isn't an answer for your question.  The load implied by
> being a DC depends on the number of clients and how heavily they are
> used.  If you have only a hundred or so clients, in my experience, the
> load is pretty mild [for modern hardware/networks].
>
> With Samba3 domain control there isn't really a BDC/PDC distinction.
> Every box is a PDC that operates in parallel with the other DCs.  That
> is a bit different than a true NT4 domain.


Maybe what the OP is asking here is for examples. I realise that for
security reasons admins may not be allowed to reveal their setup but it
would be helpful to give some concrete figures of hardware, clients and
servers that work for us.

Cheers.


Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Adam Tauno Williams
On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:
> How much of a resource hog is a PDC? My understanding is that authentication 
> is done vs a BDC if available. I configured my new file server as the domain 
> PDC because I figured it would already have to run samba. I have two other 
> machines configured as BDCs to serve as logon servers.
> I'm looking for opinions on whether I'm asking for performance problems by
> making my file server the PDC. Actually, this machine is already serving as
> PDC but it's not in production yet as a file server. So right now, it's just
> the domain PDC. When I log into the domain and "echo %logonserver%", it 
> shows that one of the BDCs was the logon server, not the PDC. It doesn't 
> look like the PDC has to do anything but handle joining machines to the 
> domain.

There really isn't an answer for your question.  The load implied by
being a DC depends on the number of clients and how heavily they are
used.  If you have only a hundred or so clients, in my experience, the
load is pretty mild [for modern hardware/networks].

With Samba3 domain control there isn't really a BDC/PDC distinction.
Every box is a PDC that operates in parallel with the other DCs.  That
is a bit different than a true NT4 domain.




Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread steve

On 08/12/11 00:03, John Heim wrote:

> How much of a resource hog is a PDC? My understanding is that
> authentication is done vs a BDC if available. I configured my new file
> server as the domain PDC because I figured it would already have to run
> samba. I have two other machines configured as BDCs to serve as logon
> servers.
>
> I'm looking for opinions on whether I'm asking for performance problems
> by making my file server the PDC. Actually, this machine is already
> serving as PDC but it's not in production yet as a file server. So right
> now, it's just the domain PDC. When I log into the domain and "echo
> %logonserver%", it shows that one of the BDCs was the logon server, not
> the PDC. It doesn't look like the PDC has to do anything but handle
> joining machines to the domain.




We have to work within a tight budget and can't afford a backup server. 
We serve 600 home folders and logins to 25 clients from the same box. In 
an educational environment we experience slow logons which we think is 
due to everyone logging on at once. Windows 7 logons are particularly 
bad. Looking at top you can see slapd and nmbd throw a fit for a minute 
or so. With files it's OK unless we have a group working with gimp and 
photoshop. Usually it's when everyone is doing the same thing at the 
same time e.g. when a teacher has given an instruction to do something. 
On a normal lan I don't think you'd have these situations.

HTH
Steve.


[Samba] PDC & file server on same machine?

2011-12-07 Thread John Heim
How much of a resource hog is a PDC? My understanding is that authentication 
is done vs a BDC if available. I configured my new file server as the domain 
PDC because I figured it would already have to run samba. I have two other 
machines configured as BDCs to serve as logon servers.


I'm looking for opinions on whether I'm asking for performance problems by
making my file server the PDC. Actually, this machine is already serving as
PDC but it's not in production yet as a file server. So right now, it's just
the domain PDC. When I log into the domain and "echo %logonserver%", it
shows that one of the BDCs was the logon server, not the PDC. It doesn't
look like the PDC has to do anything but handle joining machines to the
domain.







[Samba] Conversion Error in migration of printer drivers from Windows seven 64 to Samba PDC 3.5.11

2011-11-28 Thread ple001

I get a problem migrating printer drivers from a Windows seven 64 bits
workstation to Samba PDC 3.5.11.

The driver works fine on the workstation.

The migration command
net -d 4 rpc printer MIGRATE DRIVERS XeroxM24 -S xxx.xxx.xxx.36 -U 'username'

returns the messages:

convert_string_internal: Conversion error: Illegal multibyte sequence
(..)
ndr_push_error(5): Bad character conversion
cannot add driver: DOS code 0xb75c1223

All the driver files are copied on the samba server after the net rpc
command and the size of each is the same between workstation and samba
server.
The driver is not installed in the printing tdb files.

enumdrivers in rpcclient does not list anything.

Is the driver faulty or not supported by Samba?
What can I do?


Below is the end of the level 4 debugging output of the net rpc command.

got printer handle for printer: \\xxx.xxx.xxx.36\XeroxM24, server:
\\xxx.xxx.xxx.36
got 1 printers
migrating printer driver for:   [\\xxx.xxx.xxx.36\XeroxM24] / [XeroxM24]
got printer handle for printer: \\127.0.0.1\XeroxM24, server: \\127.0.0.1
got printer handle for printer: \\xxx.xxx.xxx.36\XeroxM24, server:
\\xxx.xxx.xxx.36
cannot get driver (for architecture: Windows 4.0):
WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT x86):
WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT x86):
WERR_UNKNOWN_PRINTER_DRIVER
cannot get driver (for architecture: Windows NT R4000):
WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows NT Alpha_AXP):
WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows NT PowerPC):
WERR_INVALID_ENVIRONMENT
cannot get driver (for architecture: Windows IA64):
WERR_UNKNOWN_PRINTER_DRIVER
cannot create directory \x64: NT_STATUS_OBJECT_NAME_COLLISION
opening file \x64\3\PSCRIPT5.DLL on originating server
opening file \x64\PSCRIPT5.DLL on destination server
opening file \x64\3\XRCC2EE2.PPD on originating server
opening file \x64\XRCC2EE2.PPD on destination server
opening file \x64\3\PS5UI.DLL on originating server
opening file \x64\PS5UI.DLL on destination server
opening file \x64\3\PSCRIPT.HLP on originating server
opening file \x64\PSCRIPT.HLP on destination server
opening file \x64\3\PSCRIPT.NTF on originating server
opening file \x64\PSCRIPT.NTF on destination server
opening file \x64\3\PS_SCHM.GDL on originating server
opening file \x64\PS_SCHM.GDL on destination server
convert_string_internal: Conversion error: Illegal multibyte sequence
(..)
ndr_push_error(5): Bad character conversion
cannot add driver: DOS code 0xb75c1223
rpc command function failed! (NT_STATUS_UNSUCCESSFUL)
return code = -1


Thank you for your help

LG



[Samba] Samba PDC [profiles] how to add AppData/Local

2011-11-09 Thread Jelle de Jong
Hello everybody,

# smbd -V
Version 3.5.6

I am running a domain controller for Windows 7 clients, and the
Kerio mailserver saves important data to AppData/Local/Kerio.

The default [profiles] only saves AppData/Roaming. How can I add
AppData/Local or even the complete AppData to the profiles stored by our
Samba DC?

Thanks in advance,

Kind regards,

Jelle




[Samba] PDC emulator overloaded

2011-10-17 Thread blizza...@libero.it
Hello all,

I'm using samba + winbind to connect to AD win 2003 on many linux boxes.
I use winbind to retrieve users and groups lists by querying the PDC emulator.
When the PDC gets many requests (I use squid with NTLM transparent auth + winbind
also) it gets overloaded and slows down replies to my servers.
The problem is that when this situation occurs, all services stop working, and
the users (10.000) become very angry.
How can I solve this problem?
I know that there was only 1 PDC on the network, so can I build a dedicated samba
server to act as PDC or BDC or other to help the real PDC emulator share the
load?
Can someone give me advice?
Thank you.


Re: [Samba] samba PDC disabling roaming profiles

2011-10-13 Thread ESGLinux
Hi all,

I have tested it with several users (with winxp and win7) and it works
fine.

Hope that helps anyone who has this problem,

Greetings,

ESG

2011/10/11 ESGLinux 

> Hi again,
>
> I have found this:
>
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/ProfileMgmt.html#id2660484
>
> In smb.conf
>
> Affect the following settings and ALL clients will be forced to use a local
> profile: logon home =
> <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONHOME>
> and logon path =
> <http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/smb.conf.5.html#LOGONPATH>
>
> The arguments to these parameters must be left blank. It is necessary to
> include the = sign to specifically assign the empty value.
>
>
> Can anyone confirm that this is right? Can I have problems with existing
> profiles?
>
> Thanks,
>
> ESG
>
> 2011/10/11 ESGLinux 
>
>> Hi All,
>>
>> I recently have updated my samba server to 3.3.7-1. I use this server as
>> PDC of my Windows Domain,
>>
>> The problem is that the profiles of the server are saved in the home dir
>> of the users. The users have a lot of GigaB so I want to disable this
>> feature.
>>
>> I have read (
>> http://www.linuxquestions.org/questions/linux-general-1/samba-pdc-without-roaming-profiles-2-a-47604/,
>> for example) that this feature is disabled in the client side but I have a
>> lot of them. So my question is if there is any way to disable it on the
>> server side,
>>
>> Thanks in advance
>>
>> ESG
>>
>
>
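
The HOWTO passage quoted above distinguishes a parameter left out of smb.conf from one explicitly assigned the empty value. The following added example (not part of the thread and not Samba code) checks a configuration for that difference; the function names and sample configurations are constructed for illustration, and the defaults are the ones documented in the Samba 3 smb.conf(5) manual page.

```python
import re

# Samba 3 documented defaults that apply when a parameter is absent from smb.conf.
DEFAULTS = {"logonpath": r"\\%N\%U\profile", "logonhome": r"\\%N\%U"}

def global_params(conf_text):
    """Return {normalized_name: value} for the [global] section of smb.conf."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def roaming_profile_status(conf_text):
    """Map each logon parameter to ('disabled' | 'default' | 'set', effective value)."""
    params = global_params(conf_text)
    status = {}
    for key, default in DEFAULTS.items():
        if key not in params:
            status[key] = ("default", default)   # absent: the default still applies
        elif params[key] == "":
            status[key] = ("disabled", "")       # explicit empty value
        else:
            status[key] = ("set", params[key])
    return status

# Constructed sample configurations (hypothetical, not taken from the thread).
OMITTED = "[global]\n   workgroup = EXAMPLE\n   domain logons = yes\n"
BLANKED = OMITTED + "   logon path =\n   Logon Home =\n"

if __name__ == "__main__":
    for label, conf in (("omitted", OMITTED), ("blanked", BLANKED)):
        print(label, roaming_profile_status(conf))
```
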

