[Samba] Samba 4 DNS failing on one server

2013-10-14 Thread dahopkins
I have two samba 4 AD DC running using the internal DNS. On one of them, DNS 
will fail after a short time (10-15 minutes).  Restarting samba on this AD DC 
corrects the issue temporarily. This behavior started about 2 weeks ago. We had 
not made any changes to either system during this time so it is a complete 
mystery.  I unfortunately used the latest version of samba from git (4.2) for 
creating these systems.  I am in the process of building a new 4.1 server and 
will join it to the domain as an AD DC (hoping that this will work correctly).  
In /etc/krb5.conf, the server with failing dns is also listed as the 
admin_server for the realm. No idea what the effect of this is if I can point 
to the other server and still resolve dns.

First though, what log files should I even be looking at for the DNS issues?

I can run all the tests for a properly operating DNS and they all return the 
correct values (up until DNS fails).
e.g.
host -t SRV _ldap._tcp.ncs.k12.de.us
host -t SRV _kerberos._udp.ncs.k12.de.us
host -t A ncssamba1.ncs.k12.de.us

all return correct information. kinit also works correctly, smbclient -L server 
-U% returns the correct information. I am running nslcd on both servers and 
that is also working.

Completely lost on what to try to fix this dns issue.

Sincerely,
Dave Hopkins





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-10-14 Thread Jacó Ramos
Hi, guys...

What is the command line to modify the SOA record?

Thanks!
Jacó Ramos


2013/10/14 Rustam K. 

> Hey guys,
>
> Just wanted to update this thread, I upgraded my samba installation to 4.1
> and updated the SOA record. Now dynamic DNS works fine for me!! Thanks for
> implementing the feature!!!
>
> Cheers!!
>
>
> 2013/8/9 Rustam K. 
>
> > I thought I would update this email thread. So far, editing the records
> > via ADSI messes up the ldb database; if you do that, zones won't load anymore,
> > just like Dmitry stated in his first email.
> > I had to revert to a snapshot to get samba back up and running.
> >
> > I am curious: if I have to modify the record manually via ldbmodify (ldbedit),
> > would it understand hex/binary?
> > Because when I run ldbedit it shows me nothing compared to the hex in my
> > previous email; what is this format?
> >
> > # record 50
> > dn: DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
> > objectClass: top
> > objectClass: dnsNode
> >
> > . (cut)
> >
> > dnsRecord:: BAABAAXwAAB6AAADhAAAwKj6Aw==
> > dnsRecord:: BAABAAXwAABuAAACWAAAwKj6Bg==
> > dnsRecord:: GwACAAXwAAB6AAAjKzcAGQMHc3J2LXdpbglvZmZpY2VuZXQFbG9jYW
> >  wA
> > dnsRecord:: GgACAAXwAACGAAADhAArtw0IGAMGYWxmYWRjCW9mZmljZW5ldAVsb2NhbA
> >  A=
> > dnsRecord:: TgAGAAXwAAC9AAAYMDcAvQAAA4QAAAJYAAFRgAAaAwhzcn
> >  YtYWxmYQlvZmZpY2VuZXQFbG9jYWwAHAMKaG9zdG1hc3RlcglvZmZpY2VuZXQFbG9jYWwA
> >
> > Cheers
> >
> >
> >
> > 2013/8/9 Rustam K. 
> >
> > Hi,
> >>
> >> thanks for the follow up.
> >>
> >> I found the SOA record via ADSI edit :
> >>
> >>
> >>
> DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
> >>
> >>
> DC=@,DC=_msdcs.officenet.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=officenet,DC=local
> >>
> >> there are two of them, and every one of them has the attribute dnsRecord
> >> which is in hex, and it has the string "srv-alfa" (apart from hostmaster
> >> email, ttl etc.) which I need to change to "alfadc"
> >>
> >> 4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00
> >> 00 00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72
> >> 76 2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03
> >> 0A 68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63
> >> 61 6C 00
> >>
> >> This is where I am headed, and I'll try not to screw it up.
> >>
> >>
> >> Cheers
> >>
> >>
> >> 2013/8/9 Nico Kadel-Garcia 
> >>
> >>> On Thu, Aug 8, 2013 at 4:14 AM, Kai Blin  wrote:
> >>> > On 2013-08-08 10:02, Rustam K. wrote:
> >>> >>
> >>> >> Hello,
> >>> >> I run samba 4.0.7; samba-tool can't do the job, at least the help/syntax
> >>> >> doesn't show that I can.
> >>> >
> >>> >
> >>> > Ah, yes. Apparently this functionality only exists in 4.1 and master,
> >>> > sorry.
> >>> > Should you try and run with that, the command syntax is
> >>> >
> >>> > samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry expire minimumttl"
> >>> >
> >>> > HTH,
> >>> >
> >>> > Kai
> >>>
> >>> Rustam, I do hope that if you're manipulating your SOA directly,
> >>> you've actually looked up the guidelines for manipulating them? Just
> >>> so you don't get surprised by things like the wraparound values for
> >>> the serial numbers, or what reasonable values are for TTLs.
> >>>
> >>
> >>
> >>
> >> --
> >>
> >> Rustam
> >>
> >
> >
> >
> >
>
>
> --
>
> Rustam
>



-- 

"Man was not created to be happy or to win, but to live for God. When he lives for God, he is happy and he wins." Isaltino Gomes

$whoami

   - Computer Forensics Expert
   - Pentester
   - Specialist in Computer Network Security with an emphasis on Computer
   Forensics - FACID
   - Bachelor of Computer Science - UESPI
   - Computer Network Administrator
   - CCNA Module II
   - Lattes: http://lattes.cnpq.br/1591329268136905


This message may contain confidential and/or privileged information. If
you are not the addressee or the person authorized to receive this message,
you must not use, copy or disclose the information contained in it or take
any action based on that information.


[Samba] Samba 4 internal DNS and reverse zones

2013-10-14 Thread Julian Pilfold-Bagwell

Hi All,

I currently have another thread open on squid authentication with Samba 
4 and am going to try authenticating against Kerberos instead of NTLM.


According to the docs for the web filter I'm using, it's essential for 
Kerberos to be able to resolve reverse DNS, so I've spent the last 
weekend trying to get this working. Various different documents and 
howtos exist but none of them worked out of the box.  The Samba wiki 
suggests creating the zones with the RSAT DNS tool, and various people 
I've come across have commented that from that point onwards records 
were added by Windows clients joining.
I couldn't get this working, so I tried the script on Michael Kuron's 
site, as it threw up messages about GSS failing before the DHCP server would 
eventually hang.  While it ran, it would add entries consisting of the 
MAC address as it failed to pick up the name of the machine.


Is there an easy way to achieve this, or do I carry on plugging away with 
the script?  Should, as some people have claimed, reverse entries just 
happen if you manually create the zones?  It's tricky to get a definitive 
answer on this, and where people claim it's worked, they don't seem to 
advertise the method.


Thanks,

Julian




--
Borden Grammar School,
Avenue of Remembrance,
Sittingbourne,
Kent,
ME10 4DB.

Tel: 01795 424192


This e-mail is from Borden Grammar School Trust.

This e-mail, together with any files transmitted with it, are confidential, and 
are intended solely for the use of the individual or entity to whom they are 
addressed. Any unauthorised dissemination or
copying of this e-mail or its attachments, and any use or disclosure of any 
information contained in them, is strictly prohibited, and may also be illegal. 
If you are not the intended recipient you must not use, disclose,
distribute, copy, print or relay this e-mail.

Please note that any views expressed by an individual within this e-mail, do 
not necessarily reflect the views of the Borden Grammar School Trust. Borden 
Grammar School Trust has taken reasonable precautions to ensure no
viruses are present in this e-mail, the Academy cannot accept responsibility 
for any loss or damage arising from the use of this e-mail and/or files 
attached.

Registered office: Borden Grammar School, Avenue of Remembrance, Sittingbourne, 
Kent, ME10 4DB

Registered in England: 07827591



Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-10-13 Thread Rustam K.
Hey guys,

Just wanted to update this thread, I upgraded my samba installation to 4.1
and updated the SOA record. Now dynamic DNS works fine for me!! Thanks for
implementing the feature!!!

Cheers!!


2013/8/9 Rustam K. 

> I thought I would update this email thread. So far, editing the records via
> ADSI messes up the ldb database; if you do that, zones won't load anymore, just
> like Dmitry stated in his first email.
> I had to revert to a snapshot to get samba back up and running.
>
> I am curious: if I have to modify the record manually via ldbmodify (ldbedit),
> would it understand hex/binary?
> Because when I run ldbedit it shows me nothing compared to the hex in my
> previous email; what is this format?
>
> # record 50
> dn: 
> DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
> objectClass: top
> objectClass: dnsNode
>
> . (cut)
>
> dnsRecord:: BAABAAXwAAB6AAADhAAAwKj6Aw==
> dnsRecord:: BAABAAXwAABuAAACWAAAwKj6Bg==
> dnsRecord:: GwACAAXwAAB6AAAjKzcAGQMHc3J2LXdpbglvZmZpY2VuZXQFbG9jYW
>  wA
> dnsRecord:: GgACAAXwAACGAAADhAArtw0IGAMGYWxmYWRjCW9mZmljZW5ldAVsb2NhbA
>  A=
> dnsRecord:: TgAGAAXwAAC9AAAYMDcAvQAAA4QAAAJYAAFRgAAaAwhzcn
>  YtYWxmYQlvZmZpY2VuZXQFbG9jYWwAHAMKaG9zdG1hc3RlcglvZmZpY2VuZXQFbG9jYWwA
>
> Cheers
>
>
>
> 2013/8/9 Rustam K. 
>
> Hi,
>>
>> thanks for the follow up.
>>
>> I found the SOA record via ADSI edit :
>>
>>
>> DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
>>
>> DC=@,DC=_msdcs.officenet.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=officenet,DC=local
>>
>> there are two of them, and every one of them has the attribute dnsRecord which
>> is in hex, and it has the string "srv-alfa" (apart from hostmaster email, ttl
>> etc.) which I need to change to "alfadc"
>>
>> 4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00
>> 00 00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72
>> 76 2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03
>> 0A 68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63
>> 61 6C 00
>>
>> This is where I am headed, and I'll try not to screw it up.
>>
>>
>> Cheers
>>
>>
>> 2013/8/9 Nico Kadel-Garcia 
>>
>>> On Thu, Aug 8, 2013 at 4:14 AM, Kai Blin  wrote:
>>> > On 2013-08-08 10:02, Rustam K. wrote:
>>> >>
>>> >> Hello,
>>> >> I run samba 4.0.7; samba-tool can't do the job, at least the help/syntax
>>> >> doesn't show that I can.
>>> >
>>> >
>>> > Ah, yes. Apparently this functionality only exists in 4.1 and master,
>>> sorry.
>>> > Should you try and run with that, the command syntax is
>>> >
>>> > samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry expire minimumttl"
>>> >
>>> > HTH,
>>> >
>>> > Kai
>>>
>>> Rustam, I do hope that if you're manipulating your SOA directly,
>>> you've actually looked up the guidelines for manipulating them? Just
>>> so you don't get surprised by things like the wraparound values for
>>> the serial numbers, or what reasonable values are for TTLs.
>>>
>>
>>
>>
>> --
>>
>> Rustam
>>
>
>
>
>


-- 

Rustam
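As an added example, not code from this thread or from Samba itself: a small parser and re-encoder for the dnsRecord value Rustam hex-dumped above, following the MS-DNSP DNS_RPC_RECORD layout that Samba stores in the dnsRecord attribute (the `dnsRecord::` lines ldbedit prints are the same bytes base64-encoded, LDIF's `::` syntax). It shows why a byte-level rename of srv-alfa in ADSI Edit leaves a record that no longer parses, because wDataLength and the name length bytes are not updated, and how the decoded SOA maps onto the field order Kai gave for samba-tool; the hex dump is embedded as constructed input and the field names are the spec's, not Samba's own API.

```python
import struct

# Constructed input: the SOA dnsRecord value as hex-dumped in Rustam's earlier
# mail (24-byte record header followed by 78 bytes of SOA data).
SOA_RECORD = bytes.fromhex(
    "4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00 "
    "00 00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72 "
    "76 2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03 "
    "0A 68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 "
    "61 6C 00"
)

DNS_TYPE_SOA = 6
HEADER_LEN = 24  # wDataLength wType version rank wFlags dwSerial dwTtlSeconds dwReserved dwTimeStamp


def parse_count_name(buf, off):
    """DNS_COUNT_NAME: cchNameLength, cchLabelCount, length-prefixed labels, 0x00 end."""
    name_len, label_count = buf[off], buf[off + 1]
    pos, end = off + 2, off + 2 + name_len
    labels = []
    while pos < end:
        n = buf[pos]
        pos += 1
        if n == 0:
            break
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    if pos != end or len(labels) != label_count:
        raise ValueError("DNS_COUNT_NAME length or label count is inconsistent")
    return ".".join(labels), end


def encode_count_name(name):
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def parse_dns_record(blob):
    """Header fields are little-endian except dwTtlSeconds; SOA counters are big-endian."""
    data_len, rtype, version, rank, flags, serial = struct.unpack("<HHBBHI", blob[:12])
    (ttl,) = struct.unpack(">I", blob[12:16])
    reserved, timestamp = struct.unpack("<II", blob[16:24])
    if len(blob) != HEADER_LEN + data_len:
        raise ValueError("wDataLength %d disagrees with payload size" % data_len)
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "reserved": reserved, "timestamp": timestamp}
    data = blob[HEADER_LEN:]
    if rtype != DNS_TYPE_SOA:
        rec["data"] = data  # other record types are left undecoded here
        return rec
    fields = ("serial", "refresh", "retry", "expire", "minimum")
    soa = dict(zip(fields, struct.unpack(">IIIII", data[:20])))
    soa["mname"], off = parse_count_name(data, 20)
    soa["rname"], off = parse_count_name(data, off)
    if off != data_len:
        raise ValueError("trailing bytes after the SOA rname")
    rec["soa"] = soa
    return rec


def encode_soa_record(rec):
    """Re-encode a parsed SOA record, recomputing every length prefix."""
    s = rec["soa"]
    data = struct.pack(">IIIII", s["serial"], s["refresh"], s["retry"],
                       s["expire"], s["minimum"])
    data += encode_count_name(s["mname"]) + encode_count_name(s["rname"])
    header = struct.pack("<HHBBHI", len(data), DNS_TYPE_SOA, rec["version"],
                         rec["rank"], rec["flags"], rec["serial"])
    header += struct.pack(">I", rec["ttl"])
    header += struct.pack("<II", rec["reserved"], rec["timestamp"])
    return header + data


def is_well_formed(blob):
    try:
        parse_dns_record(blob)
        return True
    except (ValueError, IndexError, UnicodeDecodeError, struct.error):
        return False


def set_primary_server(blob, new_mname):
    """Rename the SOA primary server consistently: parse, edit, re-encode."""
    rec = parse_dns_record(blob)
    rec["soa"]["mname"] = new_mname
    return encode_soa_record(rec)


def naive_rename(blob, old, new):
    # A byte-level substitution: the text changes, no length prefix does.
    return blob.replace(old.encode("ascii"), new.encode("ascii"))


def samba_tool_soa_value(rec):
    """Field order Kai gave: fqdn_dns fqdn_email serial refresh retry expire minimumttl."""
    s = rec["soa"]
    return "%s %s %d %d %d %d %d" % (s["mname"], s["rname"], s["serial"],
                                     s["refresh"], s["retry"], s["expire"], s["minimum"])
```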


Re: [Samba] samba 4 DC slow users bulk load

2013-10-11 Thread Nikos Mitas
It is much clearer,

thanks again for your help
On Oct 11, 2013 5:23 AM, "Andrew Bartlett"  wrote:

> On Mon, 2013-10-07 at 23:46 +0300, Nikos Mitas wrote:
> > sorry, but can you give me more details about 'full build tree' ?
>
> What I was suggesting is that the perf.data file isn't something I can
> use directly.  I need you to run 'perf report -g' on it, and do some of
> the investigation, because it relies on system-specific symbols.
>
> I hope this is clearer.
>
> Andrew Bartlett
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


Re: [Samba] samba 4 DC slow users bulk load

2013-10-10 Thread Andrew Bartlett
On Mon, 2013-10-07 at 23:46 +0300, Nikos Mitas wrote:
> sorry, but can you give me more details about 'full build tree' ?

What I was suggesting is that the perf.data file isn't something I can
use directly.  I need you to run 'perf report -g' on it, and do some of
the investigation, because it relies on system-specific symbols. 

I hope this is clearer.

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba 4 and squid ntlm auth

2013-10-10 Thread Andrew Bartlett
On Thu, 2013-10-10 at 16:36 +0100, Julian Pilfold-Bagwell wrote:
> Hi List,
> 
> Looking for assistance with a squid authentication problem against Samba 4.
> 
> The squid proxy we're using worked fine on our old Samba 3 domain with 
> 500+ users but keeps freezing on our new Samba 4 domain.  I've joined 
> the proxy using net ads join and the samba 4 network is a clean build as 
> we wanted to leave any baggage from the old one behind.
> 
> What we now have is a situation where Samba 4 authenticates squid using 
> NTLM perfectly up until around 120 users are using it. Once we get above 
> 120, it starts to slow down and as we approach 140 it dies altogether.  At 
> this point, we restart samba and it works perfectly well for a period of 
> about 5 minutes with the 140+ users connected at which point it will 
> either slow to a crawl then fall over or sometimes will just fall over.
> 
> The network has three Samba 4 Domain controllers.  Replication works 
> across the three and at any given time, they are running at around 25% 
> CPU load and consuming around 500MB of RAM.  All three are 3GHz, quad 
> core Xeons with between 4 and 12GB of RAM.
> 
> The odd thing is that at no point when Samba seems to be hanging, do we 
> lose access to shares on our fileserver and I also have Owncloud 
> authenticating via a read only LDAP proxy which is caching.  The really 
> odd thing is that I'm not seeing any obvious messages on either squid, 
> the samba 3 install or the DCs that points towards any major problem.  
> Given the numbers issue, I thought maybe I was hitting a ulimit wall but 
> the hard and soft limits are both unlimited.
> 
> Does anyone have a similar setup and any info on where to go from here, 
> i.e. which logs to check, etc.?
> 
> The OS details are as follows:
> 
> DC1 and DC2 - CentOS 6.4 Samba 4.0.10 (compiled from source) with 
> internal DNS
> DC3 - Debian Squeeze with Samba 4.0.10 (compiled from source) with Bind 
> 9.8 with dlz
> Squid proxy - Debian squeeze with Squid 2.7 Stable 9.2 from .deb package

My guess is that the single thread that is doing the lookups in the
sam.ldb and the subsequent authentication is choking on the constant
barrage of NTLM authentication traffic.

You might want to look into using kerberos, rather than NTLM
authentication, now you have an AD domain.  This will not need to place
load on the DC for each page load.

However, we should cope with lots of authentication, so if you have the
skill, running 'perf record -g PID' on the busy PID could be quite
illuminating, once analyzed with 'perf report -g'.  Please don't try and
mail me the perf.data output (it needs the build tree and symbols), but
examine it and tell me where the CPU is being used and what callers are
responsible for it (screen-shots are OK in this specific instance). 

Also, just have a look at a wireshark trace of the success and failure
modes, and see if you can show a difference.  If the traces are not
massive, these you can mail to me.  Either way, the wireshark 'service
response time' over DCE/RPC would be particularly interesting to see. 

I hope this helps,

Andrew Bartlett

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba 4 and squid ntlm auth

2013-10-10 Thread Julian Pilfold-Bagwell

Hi List,

Looking for assistance with a squid authentication problem against Samba 4.

The squid proxy we're using worked fine on our old Samba 3 domain with 
500+ users but keeps freezing on our new Samba 4 domain.  I've joined 
the proxy using net ads join and the samba 4 network is a clean build as 
we wanted to leave any baggage from the old one behind.


What we now have is a situation where Samba 4 authenticates squid using 
NTLM perfectly up until around 120 users are using it. Once we get above 
120, it starts to slow down and as we approach 140 it dies altogether.  At 
this point, we restart samba and it works perfectly well for a period of 
about 5 minutes with the 140+ users connected at which point it will 
either slow to a crawl then fall over or sometimes will just fall over.


The network has three Samba 4 Domain controllers.  Replication works 
across the three and at any given time, they are running at around 25% 
CPU load and consuming around 500MB of RAM.  All three are 3GHz, quad 
core Xeons with between 4 and 12GB of RAM.


The odd thing is that at no point when Samba seems to be hanging, do we 
lose access to shares on our fileserver and I also have Owncloud 
authenticating via a read only LDAP proxy which is caching.  The really 
odd thing is that I'm not seeing any obvious messages on either squid, 
the samba 3 install or the DCs that points towards any major problem.  
Given the numbers issue, I thought maybe I was hitting a ulimit wall but 
the hard and soft limits are both unlimited.


Does anyone have a similar setup and any info on where to go from here, 
i.e. which logs to check, etc.?


The OS details are as follows:

DC1 and DC2 - CentOS 6.4 Samba 4.0.10 (compiled from source) with 
internal DNS
DC3 - Debian Squeeze with Samba 4.0.10 (compiled from source) with Bind 
9.8 with dlz

Squid proxy - Debian squeeze with Squid 2.7 Stable 9.2 from .deb package

Clients Windows 7 & XP SP3

Cheers,

Julian

--
Borden Grammar School,
Avenue of Remembrance,
Sittingbourne,
Kent,
ME10 4DB.

Tel: 01795 424192




Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Nikos Mitas
sorry, but can you give me more details about 'full build tree' ?




2013/10/7 Andrew Bartlett 

> On Mon, 2013-10-07 at 22:52 +0300, Nikos Mitas wrote:
> > Hello again,
> >
> > all three samba4 DCs have 16 GB RAM each and 2 sockets with 4 cores each
> > (total 8 cores each). The three DCs and the identity manager are in the
> > same VLAN.
> >
> > But today I noticed that during bulk load only one core is busy 100% and
> > the rest are idle. I was unable to run samba under TDB_NO_FSYNC=1 today.
> > Maybe tomorrow.
> >
> > this is the link for the perf.data file:
> > http://www.sendspace.com/file/9g46ll
> > this is my smb.conf:
>
> The perf.data file isn't any use to me without your full build tree, so
> the best way to use it is to then run 'perf report -g' and investigate
> where the highest CPU users are, and what calls them.  (It is a
> curses-based tool.)
>
> The 100% busy CPU is because the LDAP server is single-threaded, so that
> isn't really unexpected.
>
> I hope this helps you make some more progress chasing this down.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Andrew Bartlett
On Mon, 2013-10-07 at 22:52 +0300, Nikos Mitas wrote:
> Hello again,
> 
> all three samba4 DCs have 16 GB RAM each and 2 sockets with 4 cores each
> (total 8 cores each). The three DCs and the identity manager are in the
> same VLAN.
> 
> But today I noticed that during bulk load only one core is busy 100% and
> the rest are idle. I was unable to run samba under TDB_NO_FSYNC=1 today.
> Maybe tomorrow.
> 
> this is the link for the perf.data file:
> http://www.sendspace.com/file/9g46ll
> this is my smb.conf:

The perf.data file isn't any use to me without your full build tree, so
the best way to use it is to then run 'perf report -g' and investigate
where the highest CPU users are, and what calls them.  (It is a
curses-based tool.) 

The 100% busy CPU is because the LDAP server is single-threaded, so that
isn't really unexpected.

I hope this helps you make some more progress chasing this down. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] samba 4 DC slow users bulk load

2013-10-07 Thread Nikos Mitas
Hello again,

all three samba4 DCs have 16 GB RAM each and 2 sockets with 4 cores each
(total 8 cores each). The three DCs and the identity manager are in the
same VLAN.

But today I noticed that during bulk load only one core is busy 100% and
the rest are idle. I was unable to run samba under TDB_NO_FSYNC=1 today.
Maybe tomorrow.

this is the link for the perf.data file:
http://www.sendspace.com/file/9g46ll
this is my smb.conf:

# Global parameters
[global]
        workgroup = NKMITAS
        realm = nkmitas.gr
        netbios name = SAMBA4DC3
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/nkmitas.gr/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

thanks for your help
On Oct 6, 2013 11:49 PM, "Andrew Bartlett"  wrote:

> On Sun, 2013-10-06 at 13:48 +0300, Nikos Mitas wrote:
> > Hello,
> >
> > I have successfully installed samba 4 on three VMware VMs and everything
> > works fine (join pc to domain, user login, dns updates, ntp),
> > but I am facing some performance problems during user bulk loading.
> > My environment:
> >
> > 1st DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
> > 2nd DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
> > 3rd DC: RedHat Linux v6.4, samba 4.1rc4, ntp
> >
> >
> > To bulk load the users (around 20.000 accounts) I am using IBM Tivoli
> > Identity Manager to automatically create the AD accounts in Samba,
> > but the performance is poor: 120 users per hour at most.
> >
> > Any ideas what to check or what needs to be tuned?
>
> We need to work out what specifically is slow, so we can deal with it.
>
> If you can capture the ldap server task under 'perf record -g -p PID'
> that might give some clues.  It shouldn't take 30 seconds to add a user,
> but at this size many O(n^2) things blow up badly, and we may need to
> re-investigate better approaches in some cases.
>
> Also, ensure you have plenty of memory, and for the period of the
> import, run samba under TDB_NO_FSYNC=1.  This makes samba unsafe against
> a poweroff event (equivalent to linking with libeatmydata), so don't use
> this in production, but it will make things much, much faster for the
> initial import.
>
> Andrew Bartlett
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


Re: [Samba] samba 4 DC slow users bulk load

2013-10-06 Thread Andrew Bartlett
On Sun, 2013-10-06 at 13:48 +0300, Nikos Mitas wrote:
> Hello,
> 
> I have successfully installed samba 4 on three VMware VMs and everything
> works fine (join pc to domain, user login, dns updates, ntp),
> but I am facing some performance problems during user bulk loading.
> My environment:
> 
> 1st DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
> 2nd DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
> 3rd DC: RedHat Linux v6.4, samba 4.1rc4, ntp
> 
> 
> To bulk load the users (around 20.000 accounts) I am using IBM Tivoli
> Identity Manager to automatically create the AD accounts in Samba,
> but the performance is poor: 120 users per hour at most.
> 
> Any ideas what to check or what needs to be tuned?

We need to work out what specifically is slow, so we can deal with it. 

If you can capture the ldap server task under 'perf record -g -p PID'
that might give some clues.  It shouldn't take 30 seconds to add a user,
but at this size many O(n^2) things blow up badly, and we may need to
re-investigate better approaches in some cases. 

Also, ensure you have plenty of memory, and for the period of the
import, run samba under TDB_NO_FSYNC=1.  This makes samba unsafe against
a poweroff event (equivalent to linking with libeatmydata), so don't use
this in production, but it will make things much, much faster for the
initial import. 

Andrew Bartlett

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] samba 4 DC slow users bulk load

2013-10-06 Thread Nikos Mitas
Hello,

I have successfully installed samba 4 on three VMware VMs and everything
works fine (join pc to domain, user login, dns updates, ntp),
but I am facing some performance problems during user bulk loading.
My environment:

1st DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
2nd DC: RedHat Linux v6.4, samba 4.1rc4, dns 9.9.3P2, ntp
3rd DC: RedHat Linux v6.4, samba 4.1rc4, ntp


To bulk load the users (around 20.000 accounts) I am using IBM Tivoli
Identity Manager to automatically create the AD accounts in Samba,
but the performance is poor: 120 users per hour at most.

Any ideas what to check or what needs to be tuned?

Thanks for your time

Nikos


Re: [Samba] Samba 4 install packages for Ubuntu 10

2013-10-05 Thread Nico Kadel-Garcia
Save yourself a lot of pain. Update to Ubuntu 12, at least, to keep your
Samba 4 releases up to date.


On Thu, Oct 3, 2013 at 10:03 PM, Derek Lewis  wrote:

> Hello,
>
> I want to upgrade my current samba 3.7 that I compiled, to samba 4, and
> wondered if I can get binaries compatible with Ubuntu 10?
>
> Sent from my iPhone
>


[Samba] Samba 4 install packages for Ubuntu 10

2013-10-03 Thread Derek Lewis
Hello,

I want to upgrade my current samba 3.7 that I compiled, to samba 4, and 
wondered if I can get binaries compatible with Ubuntu 10?

Sent from my iPhone


[Samba] Samba 4 and vfs_recycle

2013-09-30 Thread Rowland Penny

Hi,
I am trying to get vfs_recycle working on Samba 4, I compiled Samba 4 
myself, so the man page for vfs_recycle is in:

/usr/local/samba/share/man/man8/vfs_recycle.8

I have the recycle bin working on a share, the problem I have is with 
lists, for instance, how to list which files to exclude. The man page 
just says:


recycle:exclude = LIST
   List of files that should not be put into the repository when
   deleted, but deleted in the normal way. Wildcards such as * and ?
   are supported.

OK, but just how are you supposed to separate the components of the 
list? with commas, spaces or what?


Also, bearing in mind that I am using version 4.1.0rc3, why does the man 
page have this at the bottom?


VERSION
   This man page is correct for version 3.0.25 of the Samba suite.

Slightly out of date, I think ;-)

Rowland



Re: [Samba] Samba 4 RPMs for RHEL 6

2013-09-18 Thread Juan Asensio Sánchez
Hi

There are updated precompiled packages from Sernet at
http://enterprisesamba.com/ (for Samba 3 and Samba 4, although you have to
register to use the Samba 4 repository). I have tried them and they work
fine.

Regards.


2013/9/19 Malcolm Cowe 

> My apologies if this is something of a FAQ, but I would be grateful of
> some assistance. I am evaluating Samba 4 and would like to be able to
> create packages for installation on RHEL and CentOS 6.x servers. I've
> cloned the git repository and checked out tag 4.0.9, then used the
> "./packaging/RHEL-CTDB/makerpms.sh" script to build the RPMs. The
> process succeeds but the packages, while labelled 4.0.9, are not Samba 4
> packages.
>
> Closer inspection of the spec file indicates that this is only geared
> towards Samba 3 builds. Have I missed something in the process of creating
> these packages? Is there a better way for me to proceed? For the moment,
> I'm just using make && make install on the servers but would like to move
> away from this mode.
>
> Regards,
>
> Malcolm.
>


[Samba] Samba 4 RPMs for RHEL 6

2013-09-18 Thread Malcolm Cowe
My apologies if this is something of a FAQ, but I would be grateful of 
some assistance. I am evaluating Samba 4 and would like to be able to 
create packages for installation on RHEL and CentOS 6.x servers. I've 
cloned the git repository and checked out tag 4.0.9, then used the 
"./packaging/RHEL-CTDB/makerpms.sh" script to build the RPMs. The 
process succeeds but the packages, while labelled 4.0.9, are not Samba 4 
packages.


Closer inspection of the spec file indicates that this is only geared 
towards Samba 3 builds. Have I missed something in the process of 
creating these packages? Is there a better way for me to proceed? For 
the moment, I'm just using make && make install on the servers but would 
like to move away from this mode.


Regards,

Malcolm.


Re: [Samba] Samba 4 and automount

2013-09-13 Thread steve
On Fri, 2013-09-13 at 09:54 +0100, Rowland Penny wrote:
> On 13/09/13 09:34, steve wrote:
> >
> Hi
> I re-read your post with all the info and found these:
> 
> DEFAULT_MASTER_MAP_NAME="CN=auto.master,CN=HOME,CN=defaultMigrationContainer30,DC=hh3,DC=site"
> SEARCH_BASE="CN=home,CN=defaultMigrationContainer30,DC=hh3,DC=site"
> 
> HOME & home are MY domain, you need to set them to YOUR domain

Hi Rowland
Yeah, I was being spectacularly thick yesterday.

I gave up with the /etc/sysconfig/autofs approach and went for sssd
instead. I sensed that this was gonna be a lot simpler with sssd.

Thanks for your guidance with the schema. I've put the details and the
maps converted for AD here:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-autofs.html

HTH
Steve




Re: [Samba] samba 4 failed with kerberos error (ubuntu)

2013-09-09 Thread Ryan Bair
It looks like you're not pointing to yourself for DNS. Check to make sure
DNS is working correctly (especially the SRV kerberos records for this
issue).


On Mon, Sep 9, 2013 at 4:31 AM, Alexander Busam <
a.bu...@hofmann-foerdertechnik.com> wrote:

> Hello!
>
> I tried to install samba 4 as described in the samba AD DC HOWTO.
>
> Here my configuration:
>
> ubuntu 12.04 server 64 bit server
>
> /etc/network/interfaces:
>
> # The loopback network interface
> auto lo
> iface lo inet loopback
>
> # The primary network interface
> auto eth0
> iface eth0 inet static
> address 192.168.1.19
> netmask 255.255.252.0
> up route add default gw 192.168.1.4
> dns-search hofmann-intern.de
> dns-nameservers 192.168.1.26
>
> /etc/hosts:
>
> 127.0.0.1   localhost
> 192.168.1.19    hmsmbctx.hofmann-intern.de  hmsmbctx
>
> # The following lines are desirable for IPv6 capable hosts
> ::1 ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> I installed required software:
>
> apt-get install build-essential libacl1-dev libattr1-dev \
>   libblkid-dev libgnutls-dev libreadline-dev python-dev \
>   python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
>   dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl
>
> and run the provisioning script:
>
> samba-tool domain provision --use-rfc2307 --interactive
>
> with internal-dns
>
> Copied  /var/lib/samba/private/krb5.conf to /etc/
>
>
> When i start samba with samba -i -M single
>
> I got the following error:
>
>
> root@hmsmbctx:/home/administrator# samba -i -M single
> samba version 4.0.9-SerNet-Ubuntu-6.precise started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> samba: using 'single' process model
> Attempting to autogenerate TLS self-signed keys for https for hostname
> 'HMSMBCTX.hfmctx.hofmann-intern.de'
> TLS self-signed keys generated OK
> /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 506,
> in 
> /usr/sbin/samba_dnsupdate: get_credentials(lp)
> /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 119,
> in get_credentials
> /usr/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
> /usr/sbin/samba_dnsupdate: RuntimeError: kinit for
> HMSMBCTX$@HFMCTX.HOFMANN-INTERN.DE failed
> (Cannot contact any KDC for requested realm)
> /usr/sbin/samba_dnsupdate:
> ../source4/dsdb/dns/dns_update.c:294: Failed DNS update -
> NT_STATUS_ACCESS_DENIED
>
> Whats going wrong ?
>
> Thx in advance.
>
> Alex


[Samba] samba 4 failed with kerberos error (ubuntu)

2013-09-09 Thread Alexander Busam

Hello!

I tried to install samba 4 as described in the samba AD DC HOWTO.

Here my configuration:

ubuntu 12.04 server 64 bit server

/etc/network/interfaces:

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.1.19
netmask 255.255.252.0
up route add default gw 192.168.1.4
dns-search hofmann-intern.de
dns-nameservers 192.168.1.26

/etc/hosts:

127.0.0.1   localhost
192.168.1.19    hmsmbctx.hofmann-intern.de  hmsmbctx

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

I installed required software:

apt-get install build-essential libacl1-dev libattr1-dev \
  libblkid-dev libgnutls-dev libreadline-dev python-dev \
  python-dnspython gdb pkg-config libpopt-dev libldap2-dev \
  dnsutils libbsd-dev attr krb5-user docbook-xsl libcups2-dev acl

and run the provisioning script:

samba-tool domain provision --use-rfc2307 --interactive

with internal-dns

Copied  /var/lib/samba/private/krb5.conf to /etc/


When i start samba with samba -i -M single

I got the following error:


root@hmsmbctx:/home/administrator# samba -i -M single
samba version 4.0.9-SerNet-Ubuntu-6.precise started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
Attempting to autogenerate TLS self-signed keys for https for hostname 
'HMSMBCTX.hfmctx.hofmann-intern.de'

TLS self-signed keys generated OK
/usr/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 506, 
in 

/usr/sbin/samba_dnsupdate: get_credentials(lp)
/usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 119, 
in get_credentials

/usr/sbin/samba_dnsupdate: creds.get_named_ccache(lp, ccachename)
/usr/sbin/samba_dnsupdate: RuntimeError: kinit for 
HMSMBCTX$@HFMCTX.HOFMANN-INTERN.DE failed (Cannot contact any KDC for 
requested realm)

/usr/sbin/samba_dnsupdate:
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - 
NT_STATUS_ACCESS_DENIED


Whats going wrong ?

Thx in advance.

Alex


[Samba] Samba 4 "TKEY is unacceptable" driving me NUTS!

2013-09-06 Thread Patrick Gray
I've installed Samba 4.0.9 on ubuntu with bind 9.8.1-P1, the former compiled 
from git source and the latter installed from apt-get. I'm migrating from an 
existing Windows 2008 SBS domain controller that I want to retire (and be 
Windows free on the server side), and have followed the instructions on the 
Samba wiki for setting up Bind and migrating.

When I run a samba_dnsupdate --verbose --all-names as per the wiki, all updates 
result in a "dns_tkey_negotiategss: TKEY is unacceptable". Syslog produces the 
following:

Sep  6 12:21:32 newdc samba[7735]: [2013/09/06 12:21:32.189272,  0] 
../source4/dsdb/dns/dns_update.c:294(dnsupdate_nameupdate_done)
Sep  6 12:21:32 newdc samba[7735]:   ../source4/dsdb/dns/dns_update.c:294: 
Failed DNS update - NT_STATUS_IO_TIMEOUT
Sep  6 12:23:29 newdc named[7690]: samba b9_putrr: unhandled record type 0

The same TKEY error occurred when I attempt a manual nsupdate. What's odd is 
that the updates actually appear in the Windows DNS manager when I use nsupdate 
or samba-tool to add entries. This works for both the new samba DC and the 
existing windows DC. I was going to chalk this up to gremlins and move on with 
life, but when I attempt to transfer or seize the naming role, from either 
samba or the existing Windows DC, I get:

sudo /usr/local/samba/bin/samba-tool fsmo transfer --role=naming -Uadministrator
ERROR(ldb): uncaught exception - Failed FSMO transfer: WERR_GENERAL_FAILURE
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", 
line 268, in run
transfer_role(self.outf, role, samdb)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/fsmo.py", 
line 53, in transfer_role
samdb.modify(m)

I believe these are related, but I cannot get the TKEY error resolved and have 
attempted every trick I've been able to find on this mailing list. I've tried 
the following based on days of googling:


  1.  Verified that apparmor isn't causing problems by setting the following in 
its config:

  # Samba 4 support
  /usr/local/samba/private/** rkw,
  /usr/local/samba/private/dns.keytab rk,
  /usr/local/samba/private/dns/** rkw,
  /etc/krb5.conf r,
  /usr/local/samba/etc/smb.conf r,

  #Samba 4 BIND libraries
  /usr/local/samba/lib/bind9/dlz_bind9.so rm,
  /usr/local/samba/lib/** rm,
  /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/** rm,

  # with libdlz_bind9, named needs to access /var/tmp/DNS-${HOSTNAME}_xxx ticke$
  /var/tmp/** krw,
  /tmp/** krw,

2. Regenerated the dns.keytab
3. Ensured that the new DC is listed as the SOA record in the DNS for 
mydomain.local
4. Added the requested config to my named.conf:

tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
#tried with and without the line below, no difference
tkey-domain "MYDOMAIN.LOCAL";
5. Attempted to transfer and seize roles from both Windows and Samba

I've run out of ideas here, and would appreciate any help or additional things 
to attempt. If I cannot seize the naming role, shutting down the windows box 
results in syslog being flooded with "Can't contact OLDDC.mydomain.local"-type 
errors. I want to rid the domain of all memories of SBS so I'm worried that not 
migrating the naming role will keep some dependency in place.

Thanks for any help!

Kind Regards,

Pat


[Samba] Samba 4 - nslcd setup on Debian

2013-09-04 Thread Chris Alavoine
Hi folks,

Have been battling with this for a while.

I have a Debian 6/Samba 4 install working nicely. Have migrated my old
Samba 3 domain and can see all users/groups via AD management tools fine.

I am now trying to get the *nix side sorted. Have followed the guide here:

https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd

Which works up to a point. All users and groups are visible with getent
etc., but any new users that are created are not seen. Any existing
user/group updates are reflected, but if I create a new user and then do

getent group | grep user

I get nothing, same with "id -Gn user" or "groups user".

If I do:

samba-tool user list | grep user

The user is found and I can see it using RSAT tools from a Windows Server
2008 R2 box.

Any suggestions?

Thanks,
Chris.

-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192


Re: [Samba] Samba 4 - nslcd setup on Debian

2013-09-04 Thread steve
On Wed, 2013-09-04 at 17:53 +0100, Chris Alavoine wrote:
> Hi folks,
> 
> Have been battling with this for a while.
> 
> I have a Debian 6/Samba 4 install working nicely. Have migrated my old
> Samba 3 domain and can see all users/groups via AD management tools fine.
> 
> I am now trying to get the *nix side sorted. Have followed the guide here:
> 
> https://wiki.samba.org/index.php/Local_user_management_and_authentication/nslcd
> 
> Which works up to a point. All users and groups are visible with getent
> etc., but any new users that are created are not seen. Any existing
> user/group updates are reflected, but if I create a new user and then do
> 
> getent group | grep user
> 
> I get nothing, same with "id -Gn user" or "groups user".
> 
> If I do:
> 
> samba-tool user list | grep user
> 
> The user is found and I can see it using RSAT tools from a Windows Server
> 2008 R2 box.
> 
> Any suggestions?

Your old users had rfc2307 attributes but your new ones do not. When you
create the new user, you have to give him rfc2307 attributes such as
uidNumber and gidNumber. In later releases, you can use samba-tool to do
this. Otherwise you can use ldbedit or ldbmodify. I doubt whether your
debian install is recent enough. There are scripts here:
http://linuxcostablanca.blogspot.com.es/p/s4bind.html
I'd recommend building from source.
HTH
Steve






Re: [Samba] Samba 4 file-server usage

2013-08-30 Thread Stéphane PURNELLE
>samba-tool user delete dpu
> getent passwd dpu
nothing
>samba-tool user create dpu
> getent passwd dpu
nothing

Why does getent return nothing? The user exists, I can see it with ldbsearch.
But it has no posixAccount objectclass!

samba 4.0.9



---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467

samba-boun...@lists.samba.org wrote on 30/08/2013 11:57:18:

> From: steve 
> To: samba@lists.samba.org, 
> Date: 30/08/2013 11:58
> Subject: Re: [Samba] Samba 4 file-server usage
> Sent by: samba-boun...@lists.samba.org
> 
> On Fri, 2013-08-30 at 11:25 +0200, Stéphane PURNELLE wrote:
> > Hi,
> > 
> > I'm testing samba 4 for AD authentication and file-server usage.
> > 
> > My file-server uses POSIX ACLs (XFS filesystem) to manage access between 
> > users.
> > 
> > So I must use some trick ("steve posix-tify script") for adding 
> > posixAccount to the Active Directory tree.
> 
> You do not need to add posixAccount. For recent versions of Samba4:
> 
> samba-tool user add stephane --uid-number=322 --gid-number=20513 \
>   --unix-home=/some/place --login-shell=/bin/sh
> 
> You only need the hack for old versions of Samba.
> 
> We use a Samba 4.0.9 file server for a mix of about 80 XP and LXDE
> clients over cifs. It serves profiles, home folders and loads of other
> rubbish. 
> HTH
> Steve
> 


Re: [Samba] Samba 4 and bad lockout attempts

2013-08-30 Thread L . P . H . van Belle
Some of these rules are a bit stupid, sorry, I mean outdated.
A virus won't crack your password, but captures it with keyloggers.
The solution for that is: don't install Java, don't install Adobe Flash or
Acrobat Reader.
Don't work as Administrator. With this you're 99.999% safe. ;-)

If I look into this:
>• temporary initial password, to be modified upon first connection,
= OK
>• password chosen by the user and known only by him/her,
= OK
>• at least 8 characters,
= if only characters, I suggest at least 12-14.
Look here and test some passwords:
http://www.passwordmeter.com/

For example:
M1j0wnpw gives strong, 65% score (8 characters)
ThisIsMyOwnPassword, also strong, but 76% score, 19 characters.
ThisIsMyOwnPassword!, very strong, 100% score, 20 characters.
Which one can you remember best? ;-) Teach this to your users. (I do.)

My own password has 10 characters, is very strong and scores 92%,
and this is my "simple" password. My root passwords are 20+ characters: digits,
letters, symbols, caps/no caps.
Look here https://howsecureismypassword.net/ and test some.
And remember it's a guideline, and they talk about 1 desktop PC; think about what
a cluster of servers can rehash.

>• renewed at least every three months (90 days),
= OK
>• no reuse of previous passwords (at least the last 10).
Don't care about this, because users will create..
Welkom01
Welkom02
Welkom03
Welkom04
etc..
So a check on this would be nice also if you want it really secure.


>• suspension after 5 incorrect password entries (automatic or manual
>unlocking after a certain period)
But, did you try and look into..
net pwsettings show
and with RSAT you can set the Windows policies for your passwords also.


.. there is more info about this online ;-)

Best regards,

Louis


>-----Original message-----
>From: stephane.purne...@corman.be 
>[mailto:samba-boun...@lists.samba.org] On behalf of Stéphane PURNELLE
>Sent: Friday 30 August 2013 12:27
>To: samba@lists.samba.org
>Subject: [Samba] Samba 4 and bad lockout attempts
>
>Hi,
>
>I have a big problem.
>
>I see that samba 4 doesn't have bad lockout attempts, and if samba doesn't
>have this, I cannot deploy samba 4.
>
>This setting is a security setting, it's very important.
>
>A virus attack can be moderated by this setting (password crack) and the
>security book for IS from my company says:
>
>11.1.3 User password management
>11.1.3.1  Recommendations for access account configuration
>The recommendations for password configuration are as follows:
>• temporary initial password, to be modified upon first connection,
>• password chosen by the user and known only by him/her,
>• at least 8 characters,
>• renewed at least every three months (90 days),
>• no reuse of previous passwords (at least the last 10).
>
>The recommendations for account configuration are as follows:
>• suspension after 5 incorrect password entries (automatic or manual
>unlocking after a certain period)
>• rapid unlock procedure that also works at a distance,
>• restriction of connection times during the week for external user
>accounts (7am-10pm).
>
>With samba4, I cannot respect that. and I must
>
>best regards
>
>Stéphane 
>
>---
>Stéphane PURNELLE Admin. Systèmes et Réseaux 
>Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467
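
The handbook items Stéphane quotes map onto attributes of the domain root object in the AD database (minPwdLength, pwdHistoryLength, maxPwdAge, lockoutThreshold, lockoutDuration, lockOutObservationWindow, pwdProperties), which is also what the password-settings tooling Louis points at reads and writes. The Python 3 script below is an added example, not code from this thread or from Samba: it parses the output of an ldbsearch against that object and reports which policy items the configured values satisfy. The attribute names are the real ones; the LDIF sample, the domain name and the values are constructed. AD stores the durations as negative 64-bit counts of 100-nanosecond ticks, and a lockoutThreshold of 0 means lockout is off. Reading the attributes shows what the DC is configured to do; whether a given Samba release enforces the lockout values is a separate question, which is what the thread is about.

```python
"""Check a Samba AD domain's password and lockout attributes against a written policy.

Added example: parses (constructed) ldbsearch output of the domain root object.
The attribute names are the real Active Directory ones; the values below are
made up for illustration.
"""

# AD stores maxPwdAge, minPwdAge, lockoutDuration and lockOutObservationWindow
# as negative 64-bit counts of 100-nanosecond ticks.
TICKS_PER_SECOND = 10_000_000
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge value meaning "no expiry"

# Constructed sample of what an ldbsearch like
#   ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b DC=example,DC=com \
#     minPwdLength pwdHistoryLength maxPwdAge lockoutThreshold \
#     lockoutDuration lockOutObservationWindow pwdProperties
# returns; the values are hypothetical.
SAMPLE_LDIF = """\
# record 1
dn: DC=example,DC=com
minPwdLength: 7
pwdHistoryLength: 24
maxPwdAge: -36288000000000
lockoutThreshold: 0
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
pwdProperties: 1
"""

# The requirements from the security handbook quoted in the thread.
POLICY = {
    "min_length": 8,          # at least 8 characters
    "max_age_days": 90,       # renewed at least every 90 days
    "history": 10,            # no reuse of the last 10 passwords
    "lockout_threshold": 5,   # suspension after 5 failed attempts
}


def parse_ldif(text):
    """Turn single-valued LDIF attribute lines into a dict; skips '#' comments."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        attrs[key] = value.strip()
    return attrs


def interval_to_seconds(value):
    """Convert an AD tick interval to seconds; None means 'no limit'."""
    ticks = int(value)
    if ticks in (0, NEVER_EXPIRES):
        return None
    return abs(ticks) // TICKS_PER_SECOND


def evaluate(attrs, policy=POLICY):
    """Return {check: bool} for each policy item the domain attributes must meet."""
    max_age = interval_to_seconds(attrs.get("maxPwdAge", "0"))
    threshold = int(attrs.get("lockoutThreshold", "0"))  # 0 == lockout disabled
    return {
        "min_length": int(attrs.get("minPwdLength", "0")) >= policy["min_length"],
        "max_age": max_age is not None and max_age <= policy["max_age_days"] * 86400,
        "history": int(attrs.get("pwdHistoryLength", "0")) >= policy["history"],
        "lockout": 1 <= threshold <= policy["lockout_threshold"],
        # bit 0 of pwdProperties is DOMAIN_PASSWORD_COMPLEX
        "complexity": int(attrs.get("pwdProperties", "0")) & 1 == 1,
    }


if __name__ == "__main__":
    for check, ok in evaluate(parse_ldif(SAMPLE_LDIF)).items():
        print("%-11s %s" % (check, "ok" if ok else "FAIL"))
```

With the sample values the 7-character minimum and the disabled lockout fail, the 42-day maximum age, 24-entry history and complexity flag pass. Feed it the real ldbsearch output to get the same table for your domain.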


[Samba] Samba 4 and bad lockout attempts

2013-08-30 Thread Stéphane PURNELLE
Hi,

I have a big problem.

I see that samba 4 doesn't have bad lockout attempts, and if samba doesn't have 
this, I cannot deploy samba 4.

This setting is a security setting, it's very important.

A virus attack can be moderated by this setting (password crack) and the 
security book for IS from my company says: 

11.1.3 User password management
11.1.3.1  Recommendations  for access  account configuration 
The recommendations for password configuration are as follows:
• temporary initial password, to be modified upon first connection,
• password chosen by the user and known only by him/her,
• at least 8 characters,
• renewed at least every three months (90 days),
• no reuse of previous passwords (at least the last 10).

The recommendations for account configuration are as follows:
• suspension after 5 incorrect password entries (automatic or manual 
unlocking after a certain period)
• rapid unlock procedure that also works at a distance,
• restriction of connection times during the week for external user 
accounts (7am-10pm).

With samba4, I cannot respect that. and I must

best regards

Stéphane 

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467

Re: [Samba] Samba 4 file-server usage

2013-08-30 Thread steve
On Fri, 2013-08-30 at 11:25 +0200, Stéphane PURNELLE wrote:
> Hi,
> 
> I'm testing samba 4 for AD authentication and file-server usage.
> 
> My file-server uses POSIX ACLs (XFS filesystem) to manage access between 
> users.
> 
> So I must use some trick ("steve posix-tify script") for adding 
> posixAccount to the Active Directory tree.

You do not need to add posixAccount. For recent versions of Samba4:

samba-tool user add stephane --uid-number=322 --gid-number=20513 \
  --unix-home=/some/place --login-shell=/bin/sh

You only need the hack for old versions of Samba.

We use a Samba 4.0.9 file server for a mix of about 80 XP and LXDE
clients over cifs. It serves profiles, home folders and loads of other
rubbish. 
HTH
Steve


[Samba] Samba 4 file-server usage

2013-08-30 Thread Stéphane PURNELLE
Hi,

I'm testing samba 4 for AD authentication and file-server usage.

My file-server uses POSIX ACLs (XFS filesystem) to manage access between 
users.

So I must use some trick ("steve posix-tify script") for adding 
posixAccount to the Active Directory tree.

But my questions are: 

Who uses the samba 4 file-server part?
How do other sysadmins permit users to store data on a server (and not on 
the user's workstation)?

I have more than 300 groups, more than 200 users and machines.
I have more than 800 GB of data.

Creating a user or group in ADUC and then passing a "posix-tify" script 
will add complexity to management.

best regards

   Stéphane

PS: I see in smb.conf (valid for samba 4) that there is an "add user 
script", but I don't understand how it works!

---
Stéphane PURNELLE Admin. Systèmes et Réseaux 
Service Informatique   Corman S.A.   Tel : 00 32 (0)87/342467
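
What both this thread and the nslcd thread above come down to is that a user created without RFC 2307 attributes has no uidNumber/gidNumber for nslcd to map, so getent never shows it. The Python 3 script below is an added example, not the "posix-tify" script mentioned here and not Samba's code: it reads the output of an ldbsearch over the users container, finds accounts with no uidNumber, allocates the next free uidNumber and emits the LDIF that ldbmodify would apply. The search output, DNs, uid range and gidNumber are constructed; the attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell) are the ones provisioning with --use-rfc2307 makes available and nslcd maps by default.

```python
"""Emit ldbmodify LDIF giving RFC 2307 attributes to AD users that lack them.

Added example, not the thread's script. Input is the shape of
  ldbsearch -H sam.ldb -b CN=Users,DC=example,DC=com '(objectClass=user)' \
    sAMAccountName uidNumber gidNumber
and the records below are constructed.
"""

SAMPLE_SEARCH = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10000
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

# record 3
dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
uidNumber: 10002
gidNumber: 10000

# returned 3 records
"""

UID_FLOOR = 10000    # start of the uidNumber range we hand out (assumption)
DEFAULT_GID = 10000  # gidNumber of the primary group in this domain (assumption)


def parse_entries(text):
    """Split ldbsearch output into one dict per record, ignoring '#' comments."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value.strip()
    if current:
        entries.append(current)
    return entries


def next_free_uid(taken, floor=UID_FLOOR):
    """Lowest uidNumber >= floor that is not already allocated."""
    used = set(taken)
    uid = floor
    while uid in used:
        uid += 1
    return uid


def posix_ldif(dn, uid_number, gid_number, home, shell="/bin/bash"):
    """LDIF for `ldbmodify -H sam.ldb file.ldif`.

    'replace' adds a missing attribute and overwrites a present one, so
    re-running this on an already posix-ified user is harmless.
    """
    changes = [
        ("uidNumber", uid_number),
        ("gidNumber", gid_number),
        ("unixHomeDirectory", home),
        ("loginShell", shell),
    ]
    lines = ["dn: %s" % dn, "changetype: modify"]
    for attr, value in changes:
        lines += ["replace: %s" % attr, "%s: %s" % (attr, value), "-"]
    return "\n".join(lines) + "\n"


def plan_changes(entries, gid_number=DEFAULT_GID, floor=UID_FLOOR):
    """For each user without uidNumber: (name, allocated uid, LDIF to apply)."""
    taken = [int(e["uidNumber"]) for e in entries if "uidNumber" in e]
    plan = []
    for entry in entries:
        if "uidNumber" in entry:
            continue
        name = entry["sAMAccountName"]
        uid = next_free_uid(taken, floor)
        taken.append(uid)  # two new users in one run must get distinct uids
        home = "/home/%s" % name
        plan.append((name, uid, posix_ldif(entry["dn"], uid, gid_number, home)))
    return plan


if __name__ == "__main__":
    for name, uid, ldif in plan_changes(parse_entries(SAMPLE_SEARCH)):
        print("# %s -> uidNumber %d" % (name, uid))
        print(ldif)
```

On the sample only bob lacks a uidNumber and gets 10001, the lowest value not taken by alice or carol. Pipe the real search output in, review the printed LDIF, then apply it with ldbmodify against sam.ldb on the DC; nslcd sees the account on its next lookup.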


[Samba] Samba 4 upgrade issues

2013-08-18 Thread dahopkins
I have upgraded from Samba 3 to Samba 4 for authentication (Windows and Linux 
authentication are working). Samba 4 is acting as the DC. 

However, there are some issues that I can't resolve involving both profiles and 
automatic home folder mapping. 

I have 3 samba servers that are at Samba 3.5 (1 server) and 3.0 (2 servers). 
Prior to the upgrade, both roaming profiles and automatic mapping of home 
folders worked. I was able to join all 3 systems to the new samba 4 AD domain. 
Kerberos is working (I can get tickets via kinit) on all three of the samba 3 
servers. 

For the homes and profiles folders, the section of my smb.conf file is: 

[homes] 
comment = Home Directories 
browseable = yes 
writable = yes 
valid users = %S 
create mask = 0600 
directory mask = 0700 
csc policy = disable 
nt acl support = yes 

[profiles] 
comment = AUTH1 Network Profiles Service 
path = /opt/samba/profiles 
read only = no 
store dos attributes = Yes 
create mask = 0600 
directory mask = 0700 
csc policy = disable 
nt acl support = yes 
hide files = /desktop.ini 

[profiles.V2] 
copy = profiles 
browseable = no 
read only = no 

For the accounts, (in ADUC), a user has the profile path specified as 
\\auth1\profiles\USERNAME and the Home Folder using the Connect option to 
\\fs2\homes\USERNAME where auth1 is the server storing the profiles and fs2 is 
the file server with the user's home directory. The filesystems are mounted with 
the acl option. The systems are running CentOS 5.9. 

I can get the profiles to work by nfs mounting the existing profiles to the new 
samba4 server and specifying the profiles and the samba 4 server via 

[Profiles] 
path = /opt/samba/Profiles 
read only = no 

where I have nfs mounted /opt/samba from auth1 /opt/samba. It is a kludge but 
works for the moment. I can't however get the home folders to map. I can browse 
to them and they are being shared (e.g. if I login as a user, I can browse to 
fs2 and I'll see homes and the username folders shared.) I can even manually 
map the folders. However, I can't change/add permissions as suggested here: 
https://wiki.samba.org/index.php/Samba_%26_Windows_Profiles#Profiles_share_on_a_Samba_4.x_server
 for the samba 3 servers. 

I will be upgrading these servers to Ubuntu 12.04 with Samba 4 but in the 
interim I need to get automatic mappings working if possible. I can use a 
startup script to map the folders if that is the only option as well. 

Sincerely, 
Dave Hopkins 




Re: [Samba] Samba 4 LDAP NTLM password nightly injection

2013-08-13 Thread Bo Kersey
Duh...  got it, nvm...


import binascii

# Read back the hash just written and print it as hex (s4_passdb from the script below)
new_userdata = s4_passdb.getsampwnam("jtest")
print binascii.hexlify(new_userdata.nt_passwd)

And my troubleshooting was required by a typo that I made..  argh!


- Original Message -
> From: "Bo Kersey" 
> To: "Luc Lalonde" 
> Cc: samba@lists.samba.org, "Andrew Bartlett" 
> Sent: Tuesday, August 13, 2013 11:03:40 AM
> Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
> 
> Luc,
> Very helpful...  I'm doing a migration from a very non-standard samba
> ldap implementation that we can't just migrate.  We would like to
> save the users' passwords though.
> 
> I'm testing using known password hashes and I'm having trouble
> authenticating after I change the passwords.
> 
> How can I extract what is being inserted into samba4 in order to
> verify that I'm doing things correctly?
> 
> 
> Thanks!
> Bo
> 
> 
> - Original Message -
> > From: "Luc Lalonde" 
> > To: samba@lists.samba.org
> > Cc: "Andrew Bartlett" 
> > Sent: Tuesday, April 9, 2013 11:25:47 AM
> > Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
> > 
> > Ok this works:
> > 
> > 
> > #!/usr/bin/env python
> > # Python 2 script: writes a user's NT and LM hashes straight into the
> > # Samba 4 SAM through the passdb Python binding, bypassing the normal
> > # password change path.
> > 
> > import sys
> > 
> > sys.path.insert(0,
> > "/usr/local/samba/lib64/python2.6/site-packages")
> > sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")
> > 
> > from samba.samba3 import passdb
> > from samba.samba3 import param as s3param
> > 
> > # Convert a hex string (spaces tolerated) to the raw 16-byte hash
> > def HexToByte( hexStr ):
> >     bytes = []
> >     hexStr = ''.join( hexStr.split(" ") )
> >     for i in range(0, len(hexStr), 2):
> >         bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
> >     return ''.join( bytes )
> > 
> > # Connect to the samba4 backend named by "passdb backend" in smb.conf
> > new_lp_ctx = s3param.get_context()
> > new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
> > new_lp_ctx.set("private dir", "/usr/local/samba/private")
> > 
> > s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
> > 
> > # Change testuser's password by replacing the stored hashes
> > new_userdata = s4_passdb.getsampwnam("testuser")
> > new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
> > new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
> > s4_passdb.update_sam_account(new_userdata)
> > ########
> > ########
> > 
> > I was missing some module paths and the extra info for connecting
> > to
> > the LDB database...  Now I just have to generalize this procedure
> > so
> > that I can update the passwords every night like I do with
> > Samba3-LDAP.
> > 
> > Andrew, thanks for the pointers.  I'm posting this in case it can
> > help someone else.
> > 
> > - Original Message -
> > From: "Luc Lalonde" 
> > To: "Andrew Bartlett" 
> > Cc: samba@lists.samba.org
> > Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada
> > Eastern
> > Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
> > 
> > Hello Andrew,
> > 
> > How would I convert the below base16 strings into raw bytes
> > acceptable to this routine?  We presently inject the NTLM passwords
> > directly into our LDAP database for Samba3.
> > 
> > Also, I can't seem to figure out the argument values for
> > 'passdb.PDB'.  I tried 'ldb', 'samba_dsdb'.
> > 
> > Thanks for your help!
> > 
> > On 2013-03-27, at 6:18 PM, Andrew Bartlett 
> > wrote:
> > 
> > > On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> > >> Hello Andrew,
> > >> 
> > >> I'm finally diving into this project...
> > >> 
> > >> First off, my sysadmin stuff is mostly in Perl.  So my Python is
> > >>
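
Luc's script writes raw 16-byte hashes into nt_passwd and lanman_passwd, and Bo's question is how to confirm what landed there. The NT hash is MD4 over the UTF-16LE encoding of the password, so for a test account whose password you know you can recompute it and compare it with the hex that binascii.hexlify(user.nt_passwd) prints. The Python 3 block below is an added example, not from the thread and not Samba's code: a pure-Python MD4 (RFC 1320), so it works even where OpenSSL's hashlib no longer offers md4, an nt_hash() helper and a constant-time comparison. The LM hash (lanman_passwd) is not computed here. The password "password" is a throwaway test value chosen for illustration, not anyone's real secret.

```python
"""NT hash (MD4 of the UTF-16LE password) in pure Python, to verify what was
written to nt_passwd.

Added example, not code from the thread. Pure-Python MD4 per RFC 1320 so it
runs where hashlib.new("md4") is unavailable. LM hashes are not covered.
"""
import hmac
import struct

_MASK = 0xFFFFFFFF


def _rol(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (16 bytes)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))  # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        a, b, c, d = h
        # Round 1: F(b,c,d) = (b & c) | (~b & d), words 0..15, shifts 3,7,11,19
        for i in range(16):
            a = _rol((a + ((b & c) | (~b & d)) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c  # rotate the register roles for the next step
        # Round 2: G = majority, words 0,4,8,12,1,5,..., constant 0x5A827999
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = _rol((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & _MASK,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H = xor, words in bit-reversed order, constant 0x6ED9EBA1
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):
            a = _rol((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); the 16 bytes stored in nt_passwd."""
    return md4(password.encode("utf-16-le"))


def verify_nt_hash(password: str, stored_hex: str) -> bool:
    """True if stored_hex (e.g. from binascii.hexlify(nt_passwd)) is password's NT hash."""
    return hmac.compare_digest(nt_hash(password), bytes.fromhex(stored_hex))


if __name__ == "__main__":
    # "password" is a throwaway test value, not any real account's secret.
    print(nt_hash("password").hex().upper())
```

Used after update_sam_account, verify_nt_hash(known_password, binascii.hexlify(user.nt_passwd).decode()) tells you whether the bytes that reached the SAM are the right hash before you try to authenticate; a typo in the hex string, the kind of thing Bo ran into, shows up here as a False rather than as a login failure with no explanation.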

Re: [Samba] samba 4 and roaming profiles

2013-08-13 Thread Dale Schroeder
Jerry Carter provided this example long ago when Vista first started the 
v2 profile.  It might still be viable in Samba4.


https://lists.samba.org/archive/samba-technical/2007-April/053054.html

Dale

On 08/13/2013 9:09 AM, L.P.H. van Belle wrote:

Hai,

Profiles of XP and Win7(8) are different and should NOT be in the same folder.
This is why you have a V2 profile folder and this is NOT the "username" folder.
You can redirect desktop / documents / userhome to the same point.
but not the profile folder.





-----Original message-----
From: i...@antonellofacchetti.it
[mailto:samba-boun...@lists.samba.org] On behalf of antonello
Sent: Tuesday 13 August 2013 14:33
To: samba@lists.samba.org
Subject: [Samba] samba 4 and roaming profiles

I've just set up a samba4 system (zentyal) to act as authentication and
file server in a mixed LAN (windows and linux clients).
The problem is that my linux PCs and windows XP clients point to a
"username" folder on the server, while the windows 7 clients point to a
"username.V2" folder.
This is an issue due to the different types of roaming profiles in
different windows versions (XP & 7).
So I need a workaround to make the windows 7 clients point to "username"
folders.

TIA
Antonello



Re: [Samba] Samba 4 LDAP NTLM password nightly injection

2013-08-13 Thread Bo Kersey
Luc,
Very helpful...  I'm doing a migration from a very non-standard samba ldap 
implementation that we can't just migrate.  We would like to save the users' 
passwords though.

I'm testing using known password hashes and I'm having trouble authenticating 
after I change the passwords.

How can I extract what is being inserted into samba4 in order to verify that 
I'm doing things correctly?


Thanks!
Bo


- Original Message -
> From: "Luc Lalonde" 
> To: samba@lists.samba.org
> Cc: "Andrew Bartlett" 
> Sent: Tuesday, April 9, 2013 11:25:47 AM
> Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
> 
> Ok this works:
> 
> 
> #!/usr/bin/env python
> # Python 2 script: writes a user's NT and LM hashes straight into the
> # Samba 4 SAM through the passdb Python binding, bypassing the normal
> # password change path.
> 
> import sys
> 
> sys.path.insert(0, "/usr/local/samba/lib64/python2.6/site-packages")
> sys.path.insert(1, "/usr/local/samba/lib/python2.6/site-packages")
> 
> from samba.samba3 import passdb
> from samba.samba3 import param as s3param
> 
> # Convert a hex string (spaces tolerated) to the raw 16-byte hash
> def HexToByte( hexStr ):
>     bytes = []
>     hexStr = ''.join( hexStr.split(" ") )
>     for i in range(0, len(hexStr), 2):
>         bytes.append( chr( int (hexStr[i:i+2], 16 ) ) )
>     return ''.join( bytes )
> 
> # Connect to the samba4 backend named by "passdb backend" in smb.conf
> new_lp_ctx = s3param.get_context()
> new_lp_ctx.load("/usr/local/samba/etc/smb.conf")
> new_lp_ctx.set("private dir", "/usr/local/samba/private")
> 
> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
> 
> # Change testuser's password by replacing the stored hashes
> new_userdata = s4_passdb.getsampwnam("testuser")
> new_userdata.nt_passwd = HexToByte("878D8014606CDA29677A44EFA1353FC7")
> new_userdata.lanman_passwd = HexToByte("552902031BEDE9EFAAD3B435B51404EE")
> s4_passdb.update_sam_account(new_userdata)
> 
> 
> I was missing some module paths and the extra info for connecting to
> the LDB database...  Now I just have to generalize this procedure so
> that I can update the passwords every night like I do with
> Samba3-LDAP.
> 
> Andrew, thanks for the pointers.  I'm posting this in case it can
> help someone else.
> 
> - Original Message -
> From: "Luc Lalonde" 
> To: "Andrew Bartlett" 
> Cc: samba@lists.samba.org
> Sent: Wednesday, March 27, 2013 7:38:05 PM GMT -05:00 US/Canada
> Eastern
> Subject: Re: [Samba] Samba 4 LDAP NTLM password nightly injection
> 
> Hello Andrew,
> 
> How would I convert the below base16 strings into raw bytes
> acceptable to this routine?  We presently inject the NTLM passwords
> directly into our LDAP database for Samba3.
> 
> Also, I can't seem to figure out the argument values for
> 'passdb.PDB'.  I tried 'ldb', 'samba_dsdb'.
> 
> Thanks for your help!
> 
> On 2013-03-27, at 6:18 PM, Andrew Bartlett 
> wrote:
> 
> > On Tue, 2013-03-26 at 11:10 -0400, Luc Lalonde wrote:
> >> Hello Andrew,
> >> 
> >> I'm finally diving into this project...
> >> 
> >> First off, my sysadmin stuff is mostly in Perl.  So my Python is
> >> rudimentary at best.
> >> 
> >> Here we go anyway...  I've looked at the 'upgrade.py' but I can't
> >> seem to figure out how to connect to the Samba4 passwd database.
> >> 
> >> In the script I see these lines:
> >> 
> >> ###
> >> # Connect to samba4 backend
> >> s4_passdb = passdb.PDB(new_lp_ctx.get("passdb backend"))
> >> 
> >> 
> >> I would appreciate a hint on how to connect to the database
> >> please.  Where is the 'passdb' object referenced from?
> >> 
> >> Once that's done, from what I understand, I should be able to
> >> change the passwords directly:
> >> 
> >> ###
> >> # Change foo-user password
> >> admin_userdata = s4_passdb.getsampwna

Re: [Samba] samba 4 and roaming profiles

2013-08-13 Thread L . P . H . van Belle
Hi,

Profiles of XP and Win7(8) are different and should NOT be in the same folder.
This is why you have a V2 profile folder and this is NOT the "username" folder.
You can redirect desktop / documents / userhome to the same point,
but not the profile folder.




>-----Original Message-----
>From: i...@antonellofacchetti.it 
>[mailto:samba-boun...@lists.samba.org] On behalf of antonello
>Sent: Tuesday, 13 August 2013 14:33
>To: samba@lists.samba.org
>Subject: [Samba] samba 4 and roaming profiles
>
>I've just setup a samba4 system (zentyal) to act as authentication and 
>file server in a mixed lan (windows and linux clients).
>The problem is that my linux pcs and windows winxp clients point to a 
>"username" folder on the server, while the windows7 clients point to a 
>"username.V2" folder.
>This is an issue due to the different types of roaming profiles in 
>different windows versions (xp & 7).
>So I need a workaround to make the windows7 clients point to "username" 
>folders.
>
>TIA
>Antonello
>
>
>



[Samba] samba 4 and roaming profiles

2013-08-13 Thread antonello
I've just setup a samba4 system (zentyal) to act as authentication and 
file server in a mixed lan (windows and linux clients).
The problem is that my linux pcs and windows winxp clients point to a 
"username" folder on the server, while the windows7 clients point to a 
"username.V2" folder.
This is an issue due to the different types of roaming profiles in 
different windows versions (xp & 7).
So I need a workaround to make the windows7 clients point to "username" 
folders.


TIA
Antonello



Re: [Samba] Samba 4 with LDAP proxy in DMZ

2013-08-12 Thread Marc Muehlfeld

Hello Julian,

Am 08.08.2013 18:14, schrieb Julian Pilfold-Bagwell:

I'm setting up a Samba AD domain which works perfectly with the WIn 7
server tools and so far everything is going fine.  What has me stumped
is setting up an LDAP proxy in our DMZ against which I can authenticate
our email and web services.

I've got port 389 open on my main Samba 4 DC and if I use the domain
administrator account to bind the proxy, everything works.  In order to
give a degree of separation however, I've created a user called
ldapbindacc and have used the server remote admin tools to delegate
control of the directory server to that user with read only access to
user and group details.  When I try to access the directory using this
account, I get the following error message (the password is definitely
correct):

# ldapsearch -LLL -H ldap://127.0.0.1 -b
'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D
'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W
'(sAMAccountName=Test.User)'
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
 additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been
patching things together from various howtos.  Has anyone succeeded in
this who can give me some tips?



Here I described how to setup an openLDAP proxy to AD:
http://wiki.samba.org/index.php/Authenticating_other_services_against_AD
(incl. authenticating other ldap based services)



Regards,
Marc



Re: [Samba] Samba 4 with LDAP proxy in DMZ

2013-08-11 Thread Andrew Bartlett
On Thu, 2013-08-08 at 17:14 +0100, Julian Pilfold-Bagwell wrote:
> Hi All,
> 
> I'm setting up a Samba AD domain which works perfectly with the WIn 7 
> server tools and so far everything is going fine.  What has me stumped 
> is setting up an LDAP proxy in our DMZ against which I can authenticate 
> our email and web services.
> 
> I've got port 389 open on my main Samba 4 DC and if I use the domain 
> administrator account to bind the proxy, everything works.  In order to 
> give a degree of separation however, I've created a user called 
> ldapbindacc and have used the server remote admin tools to delegate 
> control of the directory server to that user with read only access to 
> user and group details.  When I try to access the directory using this 
> account, I get the following error message (the password is definitely 
> correct):
> 
> # ldapsearch -LLL -H ldap://127.0.0.1 -b 
> 'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 
> 'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W 
> '(sAMAccountName=Test.User)'
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>  additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
> 
> As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been 
> patching things together from various howtos.  Has anyone succeeded in 
> this who can give me some tips?

Try just setting the DN as ldapbind...@bordengrammar.kent.sch.uk (AD
allows these kinds of DNs for binds).

Otherwise, just turn up the logging on the Samba side and see what it
says. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba 4 with LDAP proxy in DMZ

2013-08-11 Thread Julian Pilfold-Bagwell

Hi All,

I'm setting up a Samba AD domain which works perfectly with the WIn 7 
server tools and so far everything is going fine.  What has me stumped 
is setting up an LDAP proxy in our DMZ against which I can authenticate 
our email and web services.


I've got port 389 open on my main Samba 4 DC and if I use the domain 
administrator account to bind the proxy, everything works.  In order to 
give a degree of separation however, I've created a user called 
ldapbindacc and have used the server remote admin tools to delegate 
control of the directory server to that user with read only access to 
user and group details.  When I try to access the directory using this 
account, I get the following error message (the password is definitely 
correct):


# ldapsearch -LLL -H ldap://127.0.0.1 -b 
'dc=bordengrammar,dc=kent,dc=sch,dc=uk' -D 
'cn=ldapbindacc,cn=Users,dc=bordengrammar,dc=kent,dc=sch,dc=uk' -W 
'(sAMAccountName=Test.User)'

Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE

As I'm moving from Samba 3 to 4, my AD knowledge is limited so I've been 
patching things together from various howtos.  Has anyone succeeded in 
this who can give me some tips?


Thanks,

Julian

--
Borden Grammar School,
Avenue of Remembrance,
Sittingbourne,
Kent,
ME10 4DB.

Tel: 01795 424192




Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-09 Thread Rustam K.
I thought I would update this email thread. So far, editing the records via
ADSI messes up the ldb database; if you do that, zones won't load anymore, just
like Dmitry stated in his first email.
I had to revert to a snapshot to get samba back up and running.

I am curious: if I have to modify the record manually via ldbmodify (ldbedit),
would it understand hex/binary?
Because when I run ldbedit it shows me nothing like the hex in my
previous email; what is this format?

# record 50
dn: DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
objectClass: top
objectClass: dnsNode

. (cut)


Cheers



2013/8/9 Rustam K. 

> Hi,
>
> thanks for the follow up.
>
> I found the SOA record via ADSI edit :
>
>
> DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
>
> DC=@,DC=_msdcs.officenet.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=officenet,DC=local
>
> there are two of them, and each of them has the attribute dnsRecord which
> is in hex, and it has the string "srv-alfa" (apart from hostmaster email, ttl
> etc) which I need to change to "alfadc"
>
> 4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00 00
> 00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72 76
> 2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03 0A
> 68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61
> 6C 00
>
> This is where I am headed, and I'll try not to screw it up.
>
>
> Cheers
>
>
> 2013/8/9 Nico Kadel-Garcia 
>
>> On Thu, Aug 8, 2013 at 4:14 AM, Kai Blin  wrote:
>> > On 2013-08-08 10:02, Rustam K. wrote:
>> >>
>> >> Hello,
>> >> I run samba 4.0.7, samba tool can't do the job, at least help/syntax
>> >> doesn't show that I can
>> >
>> >
>> > Ah, yes. Apparently this functionality only exists in 4.1 and master,
>> sorry.
>> > Should you try and run with that the command syntax is
>> >
>> > samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry
>> expire
>> > minimumttl"
>> >
>> > HTH,
>> >
>> > Kai
>>
>> Rustam, I do hope that if you're manipulating your SOA directly, that
>> you've actually looked up the guidelines for manipulating them? Just
>> so you don't get surprised by things like the wraparound values for
>> the serial numbers, or what reasonable values are for TTL's.
>>
>
>
>
> --
>
> Rustam
>


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-09 Thread Rustam K.
Hi,

thanks for the follow up.

I found the SOA record via ADSI edit :

DC=@,DC=officenet.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=officenet,DC=local
DC=@,DC=_msdcs.officenet.local,CN=MicrosoftDNS,DC=ForestDnsZones,DC=officenet,DC=local

there are two of them, and each of them has the attribute dnsRecord which
is in hex, and it has the string "srv-alfa" (apart from hostmaster email, ttl
etc) which I need to change to "alfadc"

4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00 00
00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72 76
2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03 0A
68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61
6C 00

This is where I am headed, and I'll try not to screw it up.


Cheers


2013/8/9 Nico Kadel-Garcia 

> On Thu, Aug 8, 2013 at 4:14 AM, Kai Blin  wrote:
> > On 2013-08-08 10:02, Rustam K. wrote:
> >>
> >> Hello,
> >> I run samba 4.0.7, samba tool can't do the job, at least help/syntax
> >> doesn't show that I can
> >
> >
> > Ah, yes. Apparently this functionality only exists in 4.1 and master,
> sorry.
> > Should you try and run with that the command syntax is
> >
> > samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry
> expire
> > minimumttl"
> >
> > HTH,
> >
> > Kai
>
> Rustam, I do hope that if you're manipulating your SOA directly, that
> you've actually looked up the guidelines for manipulating them? Just
> so you don't get surprised by things like the wraparound values for
> the serial numbers, or what reasonable values are for TTL's.
>



-- 

Rustam


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-08 Thread Nico Kadel-Garcia
On Thu, Aug 8, 2013 at 4:14 AM, Kai Blin  wrote:
> On 2013-08-08 10:02, Rustam K. wrote:
>>
>> Hello,
>> I run samba 4.0.7, samba tool can't do the job, at least help/syntax
>> doesn't show that I can
>
>
> Ah, yes. Apparently this functionality only exists in 4.1 and master, sorry.
> Should you try and run with that the command syntax is
>
> samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry expire
> minimumttl"
>
> HTH,
>
> Kai

Rustam, I do hope that if you're manipulating your SOA directly, that
you've actually looked up the guidelines for manipulating them? Just
so you don't get surprised by things like the wraparound values for
the serial numbers, or what reasonable values are for TTL's.


Re: [Samba] Samba 4 empty password

2013-08-08 Thread Fink Oliver


Hello Andrew,

Thanks for your reply.

We did try with the following settings:

smb.conf

   null passwords = Yes

minimum password length set to 0

We set the password over a Windows 7 client.

Thanks a lot

Oliver


>>  Kerberos: Looking for ENC-TS pa-data -- media1@BC
>> [2013/08/07 13:31:46,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype
>> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum
>> type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
>> [2013/08/07 13:31:46,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>>   Kerberos: Failed to decrypt PA-DATA -- media1@BC

>This means the KDC had a different hash to the one the user encrypted the time
>with.

>Aside from the flag 'ACB_NOPWREQ' (which does *not* mean no password
>required, it actually means no password requirements, ie no minimum
>length), the KDC doesn't know the length (even zero length) of the
>password, it just performs calculations based on the stored hash.

>How did you set the 'empty' password in Samba?

>Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-08 Thread Kai Blin

On 2013-08-08 10:02, Rustam K. wrote:

Hello,
I run samba 4.0.7, samba tool can't do the job, at least help/syntax
doesn't show that I can


Ah, yes. Apparently this functionality only exists in 4.1 and master, sorry.
Should you try and run with that the command syntax is

samba-tool dns update SOA "fqdn_dns fqdn_email serial refresh retry 
expire minimumttl"


HTH,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-08 Thread Rustam K.
Hello,
I run samba 4.0.7, samba tool can't do the job, at least help/syntax
doesn't show that I can

Cheers


2013/8/8 Kai Blin 

> On 2013-08-07 14:56, Rustam K. wrote:
>
>> Thank you for your emails.  Unfortunately samba tool can't update SOA
>> records.
>>
>
> IIRC that was fixed recently, but you seem to be running 4.0 rc3, if I
> understand the email correctly. That misses a lot of bug fixes, some for
> DNS as well.
>
> Cheers,
> Kai
>
> --
> Kai Blin
> Worldforge developer http://www.worldforge.org/
> Wine developer http://wiki.winehq.org/KaiBlin
> Samba team member http://www.samba.org/samba/team/
>



-- 

Rustam


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-08 Thread Kai Blin

On 2013-08-07 14:56, Rustam K. wrote:

Thank you for your emails.  Unfortunately samba tool can't update SOA
records.


IIRC that was fixed recently, but you seem to be running 4.0 rc3, if I 
understand the email correctly. That misses a lot of bug fixes, some for 
DNS as well.


Cheers,
Kai

--
Kai Blin
Worldforge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin
Samba team member http://www.samba.org/samba/team/


Re: [Samba] Samba 4 empty password

2013-08-07 Thread Andrew Bartlett
On Wed, 2013-08-07 at 13:56 +, Fink Oliver wrote:
> Hello,
> 
> We are trying to setup a SAMBA-Server with users that have empty passwords.
> 
> We are using:
> Samba 4.0.8
> Kernel 3.10.5
> Slackware 14.0 x64
> 
> When we set a password the login succeeds!
> 
> That's what we get when trying to login:

>  Kerberos: Looking for ENC-TS pa-data -- media1@BC
> [2013/08/07 13:31:46,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype 
> aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum 
> type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
> [2013/08/07 13:31:46,  3] 
> ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>   Kerberos: Failed to decrypt PA-DATA -- media1@BC

This means the KDC had a different hash to the one the user encrypted the time 
with.  

Aside from the flag 'ACB_NOPWREQ' (which does *not* mean no password
required, it actually means no password requirements, ie no minimum
length), the KDC doesn't know the length (even zero length) of the
password, it just performs calculations based on the stored hash. 

How did you set the 'empty' password in Samba?

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba 4 empty password

2013-08-07 Thread Fink Oliver
Hello,

We are trying to setup a SAMBA-Server with users that have empty passwords.

We are using:
Samba 4.0.8
Kernel 3.10.5
Slackware 14.0 x64

When we set a password the login succeeds!

That's what we get when trying to login:

[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62078 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: 128
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
[2013/08/07 13:31:46,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62079 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype 
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
[2013/08/07 13:31:46,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ media1@BC from ipv4:10.0.99.100:62080 for krbtgt/BC@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp, 128
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC (enctype 
aes256-cts-hmac-sha1-96) error Decrypt integrity check failed for checksum type 
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96
[2013/08/07 13:31:46,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt PA-DATA -- media1@BC
[2013/08/07 13:31:46,  3] 
../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'
[2013/08/07 13:31:46,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED]

Does somebody know what we can do???

Thanks a lot in advance

Oliver






Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-07 Thread Rustam K.
Thank you for your emails.  Unfortunately samba tool can't update SOA
records.
I'll stick to Dmitry's action plan

Cheers


2013/8/7 Matthieu Patou 

> On 08/06/2013 02:34 PM, Rustam K. wrote:
>
>> Hello,
>>
>> I have the very same problem, does anybody know a way?
>> I am thinking of converting to BIND, modifying and then converting it back
>> to Internal DNS implementation.
>>
>
> Did you have a look at samba-tool dns update to do this?
> Kai has good experience with DNS-related things in Samba; I just put him in
> this thread in case he has some insights.
>
> Matthieu.
>
>
>>
>> Hello.
>> How could one modify a SOA record in rc3? For example, NS part (not NS
>> record) of SOA record points to an absent Windows server. This
>> effectively breaks DNS updates, since there is no such server and if
>> corresponding A record is added, update requests from clients will
>> come unsigned.
>> Editing it directly via LDAP breaks Samba (some sort of
>> checksum/hash?) MMC snap-in says "Zone not loaded by DNS server", so
>> it is not possible to use it either. samba-tool dns add|delete|update
>> can't operate on SOA record.
>> Maybe someone could give a link to some document describing dnsRecord,
>> so one could forge a valid record and just change dnsRecord in DC=@
>> using some LDAP tool?
>>
>> Thanks in advance.
>>
>
>
> --
> Matthieu Patou
> Samba Team
> http://samba.org
>
>


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-06 Thread Matthieu Patou

On 08/06/2013 02:34 PM, Rustam K. wrote:

Hello,

I have the very same problem, does anybody know a way?
I am thinking of converting to BIND, modifying and then converting it back
to Internal DNS implementation.


Did you have a look at samba-tool dns update to do this?
Kai has good experience with DNS-related things in Samba; I just put him 
in this thread in case he has some insights.


Matthieu.



Hello.
How could one modify a SOA record in rc3? For example, NS part (not NS
record) of SOA record points to an absent Windows server. This
effectively breaks DNS updates, since there is no such server and if
corresponding A record is added, update requests from clients will
come unsigned.
Editing it directly via LDAP breaks Samba (some sort of
checksum/hash?) MMC snap-in says "Zone not loaded by DNS server", so
it is not possible to use it either. samba-tool dns add|delete|update
can't operate on SOA record.
Maybe someone could give a link to some document describing dnsRecord,
so one could forge a valid record and just change dnsRecord in DC=@
using some LDAP tool?

Thanks in advance.



--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-06 Thread Dmitry Khromov
>> How could one modify a SOA record in rc3? For example, NS part (not NS 
>> record) of SOA record points to an absent Windows server. This effectively 
>> breaks DNS updates, since there is no such server and if corresponding A 
>> record is added, update requests from clients will come unsigned.
>> Editing it directly via LDAP breaks Samba (some sort of checksum/hash?) MMC 
>> snap-in says "Zone not loaded by DNS server", so it is not possible to use 
>> it either. samba-tool dns add|delete|update can't operate on SOA record.
>> Maybe someone could give a link to some document describing dnsRecord, so 
>> one could forge a valid record and just change dnsRecord in DC=@ using some 
>> LDAP tool?
>
> I have the very same problem, does anybody know a way?
> I am thinking of converting to BIND, modifying and then converting it
> back to Internal DNS implementation.

I doubt that will do the job. As I recall, I forged the dnsRecord
manually (record's structure description could be found on the MSDN) and
ldbmodify'ed the corresponding ldb on every DC (Samba should not be
run). Alternatively, you may just capture the conversation between Samba
and MMC snap-in - the value you need is being sent in clear text.

Regards,
- Dmitry
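A decoder and encoder for the SOA dnsRecord blob this thread is about (the hex Rustam posted for DC=@ of officenet.local, and the hand-forged record Dmitry describes), added here as an example; it is not code from the list or from Samba. It follows the dnsp_DnssrvRpcRecord and dnsp_name layout in Samba's dnsp.idl (MS-DNSP DNS_RPC_RECORD): a 24-byte header whose DataLength, Type, Serial and TimeStamp are little-endian and whose TtlSeconds is big-endian, then the five SOA counters in network byte order followed by two counted names; the function names are my own. It parses the posted bytes, re-encodes them byte for byte, and rebuilds the record with the primary server renamed to alfadc, recomputing the DataLength and name-length bytes that a manual hex edit has to keep consistent.

```python
import struct

# SOA dnsRecord value quoted in this thread (DC=@ of officenet.local), copied as hex
SOA_HEX = (
    "4E 00 06 00 05 F0 00 00 BE 00 00 00 00 00 00 00 00 00 00 00 1C 30 37 00 00 "
    "00 00 BE 00 00 03 84 00 00 02 58 00 01 51 80 00 00 00 00 1A 03 08 73 72 76 "
    "2D 61 6C 66 61 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 6C 00 1C 03 0A "
    "68 6F 73 74 6D 61 73 74 65 72 09 6F 66 66 69 63 65 6E 65 74 05 6C 6F 63 61 "
    "6C 00"
)
SOA_BLOB = bytes.fromhex(SOA_HEX)

DNS_TYPE_SOA = 6
HEADER_LEN = 24
# dnsp_DnssrvRpcRecord header: wDataLength, wType, version, rank, flags, dwSerial (LE),
# dwTtlSeconds (BE), dwReserved, dwTimeStamp (LE, hours since 1601), then the data.
HDR_LE = struct.Struct("<HHBBHI")    # bytes 0-11
HDR_TTL = struct.Struct(">I")        # bytes 12-15
HDR_TAIL = struct.Struct("<II")      # bytes 16-23
SOA_FIXED = struct.Struct(">IIIII")  # serial, refresh, retry, expire, minimum TTL


def parse_name(data, off):
    """Decode a dnsp_name at data[off]: [len][label count][len label]...[0].

    The leading len counts the labels and the zero terminator but not the
    count byte; a hand-edited record with a stale len byte fails here.
    """
    total, count = data[off], data[off + 1]
    pos = off + 2
    labels = []
    for _ in range(count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    if data[pos] != 0:
        raise ValueError("dnsp_name at offset %d lacks its zero terminator" % off)
    pos += 1
    if total != pos - (off + 2):
        raise ValueError("dnsp_name length byte %d != %d actual" % (total, pos - off - 2))
    return ".".join(labels), pos


def encode_name(fqdn):
    """Encode an FQDN as a dnsp_name (inverse of parse_name)."""
    labels = fqdn.rstrip(".").split(".")
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return bytes([len(body), len(labels)]) + body


def parse_soa_record(blob):
    """Split a dnsRecord blob into header fields and SOA data; raise on any inconsistency."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 24-byte dnsRecord header")
    data_len, rtype, version, rank, flags, serial = HDR_LE.unpack_from(blob, 0)
    (ttl,) = HDR_TTL.unpack_from(blob, 12)
    reserved, timestamp = HDR_TAIL.unpack_from(blob, 16)
    if rtype != DNS_TYPE_SOA:
        raise ValueError("record type %d is not SOA" % rtype)
    if HEADER_LEN + data_len != len(blob):
        raise ValueError("wDataLength %d != %d data bytes" % (data_len, len(blob) - HEADER_LEN))
    data = blob[HEADER_LEN:]
    soa_serial, refresh, retry, expire, minimum = SOA_FIXED.unpack_from(data, 0)
    primary, off = parse_name(data, SOA_FIXED.size)
    hostmaster, off = parse_name(data, off)
    if off != len(data):
        raise ValueError("%d trailing bytes after the SOA data" % (len(data) - off))
    return {
        "version": version, "rank": rank, "flags": flags, "serial": serial,
        "ttl": ttl, "reserved": reserved, "timestamp": timestamp,
        "soa_serial": soa_serial, "refresh": refresh, "retry": retry,
        "expire": expire, "minimum": minimum,
        "primary": primary, "hostmaster": hostmaster,
    }


def build_soa_record(f):
    """Serialise the dict from parse_soa_record back into a dnsRecord blob."""
    data = SOA_FIXED.pack(f["soa_serial"], f["refresh"], f["retry"], f["expire"], f["minimum"])
    data += encode_name(f["primary"]) + encode_name(f["hostmaster"])
    header = HDR_LE.pack(len(data), DNS_TYPE_SOA, f["version"], f["rank"], f["flags"], f["serial"])
    header += HDR_TTL.pack(f["ttl"]) + HDR_TAIL.pack(f["reserved"], f["timestamp"])
    return header + data


def retarget_primary(blob, new_primary):
    """Return a copy of the SOA record naming new_primary as the primary server.

    The SOA serial is bumped as a 32-bit counter (RFC 1982 wrap-around) so
    secondaries and update clients notice the change; every length field is
    recomputed from the new content rather than patched by hand.
    """
    f = parse_soa_record(blob)
    f["primary"] = new_primary
    f["soa_serial"] = (f["soa_serial"] + 1) & 0xFFFFFFFF
    return build_soa_record(f)


if __name__ == "__main__":
    for key, value in parse_soa_record(SOA_BLOB).items():
        print("%-11s %s" % (key, value))
    print("rewritten:", retarget_primary(SOA_BLOB, "alfadc.officenet.local").hex())
```

The script only produces the bytes; writing them to DC=@ in both the DomainDnsZones and ForestDnsZones copies on every DC with Samba stopped is the ldbmodify procedure Dmitry describes above.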


Re: [Samba] Samba 4 internal DNS - how to modify SOA record

2013-08-06 Thread Rustam K.
Hello,

I have the very same problem, does anybody know a way?
I am thinking of converting to BIND, modifying and then converting it back
to Internal DNS implementation.




Hello.
How could one modify a SOA record in rc3? For example, NS part (not NS
record) of SOA record points to an absent Windows server. This
effectively breaks DNS updates, since there is no such server and if
corresponding A record is added, update requests from clients will
come unsigned.
Editing it directly via LDAP breaks Samba (some sort of
checksum/hash?). The MMC snap-in says "Zone not loaded by DNS server", so
it is not possible to use it either. samba-tool dns add|delete|update
can't operate on SOA record.
Maybe someone could give a link to some document describing dnsRecord,
so one could forge a valid record and just change dnsRecord in DC=@
using some LDAP tool?

Thanks in advance.
-- 
Best regards,
Dmitry Khromov


Re: [Samba] Samba 4 as member server

2013-08-06 Thread Ricky Nance
How does your /etc/krb5.conf file look?


On Tue, Aug 6, 2013 at 2:21 PM, Klaus Rörig  wrote:

> Hi!
>
> Authentication works when I set 'password server = server01', but then
> testparm complains:
> WARNING: The setting 'security=ads' should NOT be combined with the
> 'password server' parameter.
> (by default Samba will discover the correct DC to contact automatically).
>
> But Samba doesn't. DNS is working:
>
> host -t srv _kerberos._tcp
> _kerberos._tcp.verwaltung.leibniz-remscheid.de has SRV record 0 100 88
> server01.verwaltung.leibniz-remscheid.de.
>
> host server01
> server01.verwaltung.leibniz-remscheid.de has address 192.168.20.200
>
>
> Klaus
>
>
>
> On Tue, Aug 6, 2013 at 5:13 PM, steve  wrote:
>
> > On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> > > Hi!
> > >
> > > I set up s3 on the fileserver now but I cannot connect to my share.
> > >
> > > 'wbinfo -u' lists all users
> > > 'wbinfo -g' lists all groups
> > >
> > > getent also lists the queried user.
> > >
> > > But when I try to connect from Win7 to my s3 share, it asks for creds
> > > but does not accept any. I cannot see any log entries.
> > >
> > > What's wrong now?
> >
> > Hi
> > Too general without knowing a bit more:
> > Who is logged in on the Win7 box?
> > Is the Win7 box joined to the domain?
> > What are the permissions on /srv and /srv/share?
> > Can the user access the share if logged in on the file server?
> > Can the user access the share using smbclient?
> > Does the share appear as a folder in explorer?
> > What does the windows security tab give for the share?
> >
> > Steve
> >
> >


Re: [Samba] Samba 4 as member server

2013-08-06 Thread Klaus Rörig
Hi!

Authentication works when I set 'password server = server01', but then
testparm complains:
WARNING: The setting 'security=ads' should NOT be combined with the
'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).

But Samba doesn't. DNS is working:

host -t srv _kerberos._tcp
_kerberos._tcp.verwaltung.leibniz-remscheid.de has SRV record 0 100 88
server01.verwaltung.leibniz-remscheid.de.

host server01
server01.verwaltung.leibniz-remscheid.de has address 192.168.20.200


Klaus



On Tue, Aug 6, 2013 at 5:13 PM, steve  wrote:

> On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> > Hi!
> >
> > I set up s3 on the fileserver now but I cannot connect to my share.
> >
> > 'wbinfo -u' lists all users
> > 'wbinfo -g' lists all groups
> >
> > getent also lists the queried user.
> >
> > But when I try to connect from Win7 to my s3 share, it asks for creds
> > but does not accept any. I cannot see any log entries.
> >
> > What's wrong now?
>
> Hi
> Too general without knowing a bit more:
> Who is logged in on the Win7 box?
> Is the Win7 box joined to the domain?
> What are the permissions on /srv and /srv/share?
> Can the user access the share if logged in on the file server?
> Can the user access the share using smbclient?
> Does the share appear as a folder in explorer?
> What does the windows security tab give for the share?
>
> Steve
>
>

Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 14:34 +0200, Klaus Rörig wrote:
> Hi!
> 
> I set up s3 on the fileserver now but I cannot connect to my share.
> 
> 'wbinfo -u' lists all users
> 'wbinfo -g' lists all groups
> 
> getent also lists the queried user.
> 
> But when I try to connect from Win7 to my s3 share, it asks for creds 
> but does not accept any. I cannot see any log entries.
> 
> What's wrong now?

Hi
Too general without knowing a bit more:
Who is logged in on the Win7 box?
Is the Win7 box joined to the domain?
What are the permissions on /srv and /srv/share?
Can the user access the share if logged in on the file server?
Can the user access the share using smbclient?
Does the share appear as a folder in explorer?
What does the windows security tab give for the share?

Steve



Re: [Samba] Samba 4 as member server

2013-08-06 Thread Klaus Rörig

Hi!

I set up s3 on the fileserver now but I cannot connect to my share.

'wbinfo -u' lists all users
'wbinfo -g' lists all groups

getent also lists the queried user.

But when I try to connect from Win7 to my s3 share, it asks for creds 
but does not accept any. I cannot see any log entries.


What's wrong now?

Klaus

On 06.08.2013 12:58, steve wrote:

On Tue, 2013-08-06 at 12:36 +0200, Klaus Rörig wrote:

Hi,

it seems that the ntvfs module is not working on Ubuntu, I get lots of
error messages about this.
I don't see Samba4 servers in network neighborhood, so users cannot
browse shares, but I do see Samba3 servers, so I have to get Samba3
working with Samba4.

Or I have to build Samba4 by myself.

Klaus

Hi
I don't think you can have (or would want?) network neighbourhood with
AD. It may be best to have real shares and control access using ACL's or
smb.conf. If you can, I really would advise building s4 from source:
4.0.8 for both DC and file server and using samba for the DC and smbd
for the file server. It takes longer but it's easy to do and you can be
sure to have the latest version. If you want to stick with Ubuntu then I
see the s4 DC and separate s3 file server the best way to go.
Cheers,
Steve


  




Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 12:36 +0200, Klaus Rörig wrote:
> Hi,
> 
> it seems that the ntvfs module is not working on Ubuntu, I get lots of 
> error messages about this.
> I don't see Samba4 servers in network neighborhood, so users cannot 
> browse shares, but I do see Samba3 servers, so I have to get Samba3 
> working with Samba4.
> 
> Or I have to build Samba4 by myself.
> 
> Klaus

Hi
I don't think you can have (or would want?) network neighbourhood with
AD. It may be best to have real shares and control access using ACL's or
smb.conf. If you can, I really would advise building s4 from source:
4.0.8 for both DC and file server and using samba for the DC and smbd
for the file server. It takes longer but it's easy to do and you can be
sure to have the latest version. If you want to stick with Ubuntu then I
see the s4 DC and separate s3 file server the best way to go.
Cheers,
Steve


 


Re: [Samba] Samba 4 as member server

2013-08-06 Thread Klaus Rörig

Hi,

it seems that the ntvfs module is not working on Ubuntu, I get lots of 
error messages about this.
I don't see Samba4 servers in network neighborhood, so users cannot 
browse shares, but I do see Samba3 servers, so I have to get Samba3 
working with Samba4.


Or I have to build Samba4 by myself.

Klaus

On 06.08.2013 11:59, steve wrote:

On Tue, 2013-08-06 at 10:57 +0200, Klaus Rörig wrote:

OK, then I have to use the Samba 3.6 packages shipped with Ubuntu.
Anything special I have to care about?


Hi, no, but as you have only a few clients, it may be simpler to use the
dc itself as file server, especially as you have specified ntvfs. If you
want rfc2307 from winbind though, you'll have to either build samba
4.0.x from source on a separate box and use smbd or use the Ubuntu 3.6
packages, also on a separate box. If you're OK with ntvfs and you only
have win7 clients, I'd go with the single DC/fileserver and forget about
rfc2307.
HTH
Steve





Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 10:57 +0200, Klaus Rörig wrote:
> OK, then I have to use the Samba 3.6 packages shipped with Ubuntu.
> Anything special I have to care about?
> 
Hi, no, but as you have only a few clients, it may be simpler to use the
dc itself as file server, especially as you have specified ntvfs. If you
want rfc2307 from winbind though, you'll have to either build samba
4.0.x from source on a separate box and use smbd or use the Ubuntu 3.6
packages, also on a separate box. If you're OK with ntvfs and you only
have win7 clients, I'd go with the single DC/fileserver and forget about
rfc2307.
HTH
Steve



Re: [Samba] Samba 4 as member server

2013-08-06 Thread Klaus Rörig

OK, then I have to use the Samba 3.6 packages shipped with Ubuntu.
Anything special I have to care about?

On 06.08.2013 09:33, steve wrote:

On Tue, 2013-08-06 at 09:21 +0200, Klaus Rörig wrote:


But there are no smb/nmbd/winbindd binaries.


Hi
Oh, I see. The Ubuntu packages must only be for AD then. Sorry, I missed
that you only wanted ntvfs.





Re: [Samba] Samba 4 as member server

2013-08-06 Thread steve
On Tue, 2013-08-06 at 09:21 +0200, Klaus Rörig wrote:

> 
> But there are no smb/nmbd/winbindd binaries.


Hi
Oh, I see. The Ubuntu packages must only be for AD then. Sorry, I missed
that you only wanted ntvfs.



Re: [Samba] Samba 4 as member server

2013-08-06 Thread Klaus Rörig

Hi Steve,

when I start samba without the 'server services' option I get:

"At this time the 'samba' binary should only be used for either: 'server 
role = active directory domain controller' or to access the ntvfs file 
server with 'server services= +smb' or the rpc proxy with 'dcerpc 
endpoint servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and 
standalone file server tasks"


But there are no smb/nmbd/winbindd binaries.

Klaus

On 05.08.2013 23:01, steve wrote:

On Mon, 2013-08-05 at 22:25 +0200, Klaus Rörig wrote:

I cannot get the member server working.

My smb.conf:


Hi
Leave the domain and remove the .tdb files in /var/lib/smb. Then rejoin
with this:


[global]
 workgroup = VERWALTUNG
 security = ads
 realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
 encrypt passwords = true
 idmap config *:backend = tdb
 idmap config *:range = 70001-8
 idmap config VERWALTUNG:backend = ad
 idmap config VERWALTUNG:schema_mode = rfc2307
 idmap config VERWALTUNG:range = 500-4

 winbind nss info = rfc2307
 winbind trusted domains only = no
 winbind use default domain = yes
 winbind enum users = yes
 winbind enum groups = yes

[verwaltung]
 path = /srv/shares
 read only = no

Start it with:
smbd; winbindd

Prolly not perfect, but should get you a bit close.
hth
Steve




Re: [Samba] Samba 4 and DFS replication

2013-08-05 Thread Andrew Bartlett
On Mon, 2013-08-05 at 17:24 -0500, Kristofer Pettijohn wrote:
> I realize that Samba 4 doesn't yet support DFS replication. But my
> question is if Samba 4 as an AD server supports DFS replication within
> the environment. For example, if all we have are Samba 4 servers for
> AD domain controllers, and we have 2+ Windows servers doing DFS
> between each other (where the Samba 4 file server isn't involved at
> all), is that supported? 

That should be fine, we just don't implement that protocol yet. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba 4 and DFS replication

2013-08-05 Thread Kristofer Pettijohn
I realize that Samba 4 doesn't yet support DFS replication. But my question is 
if Samba 4 as an AD server supports DFS replication within the environment. For 
example, if all we have are Samba 4 servers for AD domain controllers, and we 
have 2+ Windows servers doing DFS between each other (where the Samba 4 file 
server isn't involved at all), is that supported? 



Re: [Samba] Samba 4 as member server

2013-08-05 Thread steve
On Mon, 2013-08-05 at 22:25 +0200, Klaus Rörig wrote:
> I cannot get the member server working.
> 
> My smb.conf:
> 

Hi
Leave the domain and remove the .tdb files in /var/lib/smb. Then rejoin
with this:

> [global]
> workgroup = VERWALTUNG
> security = ads
> realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
> encrypt passwords = true

> idmap config *:backend = tdb
> idmap config *:range = 70001-8
> idmap config VERWALTUNG:backend = ad
> idmap config VERWALTUNG:schema_mode = rfc2307
> idmap config VERWALTUNG:range = 500-4
> 
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
> 
> [verwaltung]
> path = /srv/shares
> read only = no

Start it with:
smbd; winbindd

Prolly not perfect, but should get you a bit close.
hth
Steve


[Samba] Samba 4 as member server

2013-08-05 Thread Klaus Rörig
Hello list,

I'm trying to set up a small samba4 domain (1 DC, 1 member server, 12 Win7
clients) on Ubuntu with the packages shipped with Ubuntu 13.04 (Samba
4.0.0); I also tried Ubuntu 13.10 (Samba 4.0.3).

The DC seems to work fine: I can manage users and GPOs, clients can join and
log on. But I cannot get the member server working.

My smb.conf:

[global]
workgroup = VERWALTUNG
security = ads
realm = VERWALTUNG.LEIBNIZ-REMSCHEID.DE
encrypt passwords = true
server services = +smb -s3fs

idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config VERWALTUNG:backend = ad
idmap config VERWALTUNG:schema_mode = rfc2307
idmap config VERWALTUNG:range = 500-4

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

  server role = domain controller
  dcerpc endpoint servers = -winreg -srvsvc
[verwaltung]
path = /srv/shares
read only = no

[sysvol]
  path = /var/lib/samba/sysvol
  read only = no

[netlogon]
  path = /var/lib/samba/sysvol/VERWALTUNG.LEIBNIZ-REMSCHEID.DE/scripts
  read only = no


I did 'samba-tool domain join VERWALTUNG -UAdministrator' with success:
"Joined domain SID". The server is listed in the AD tools.

But 'samba -i -M single -d1' stops working with:

samba: /usr/lib/x86_64-linux-gnu/libwbclient.so.0: no version information
available (required by /usr/lib/x86_64-linux-gnu/samba/libauth4.so)
samba version 4.0.3 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
task_server_terminate: [ldap_server: no LDAP server required in member
server configuration]
task_server_terminate: [cldap_server: no CLDAP server required in member
server configuration]
task_server_terminate: [kdc: no KDC required in member server configuration]
task_server_terminate: [dreplsrv: no DSDB replication required in domain
member configuration]
task_server_terminate: [Cannot start Winbind (domain member): Failed to
find record for VERWALTUNG in /var/lib/samba/private/secrets.ldb: No such
object: (null): Have you joined the VERWALTUNG domain?]
samba_terminate: Cannot start Winbind (domain member): Failed to find
record for VERWALTUNG in /var/lib/samba/private/secrets.ldb: No such
object: (null): Have you joined the VERWALTUNG domain?


root@server04:/var/lib/samba/private# ls -la
total 3784
drwxr-xr-x 3 root root4096 Aug  5 21:50 .
drwxr-xr-x 7 root root4096 Aug  5 21:47 ..
-rw--- 1 root root 1286144 Aug  5 21:50 privilege.ldb
-rw--- 1 root root 696 Aug  5 21:50 randseed.tdb
-rw--- 1 root root 1286144 Aug  5 21:50 sam.ldb
-rw--- 1 root root 1286144 Aug  5 21:50 secrets.ldb
drwxr-xr-x 3 root root4096 Aug  5 21:50 smbd.tmp


Please help!

Thx,

Klaus
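
An added example, not from this thread or from Samba: a small lint for an smb.conf that is meant for a domain member served by smbd/winbindd. It encodes the mistakes this thread runs into: testparm's warning that security = ads should not be combined with password server (from Klaus's later message about 'password server = server01'), options that only the AD DC samba binary understands (server services, dcerpc endpoint servers), a server role that contradicts security = ads, and the DC-only sysvol/netlogon shares on a member. The domain, realm, idmap ranges and share names in the two constructed configs are placeholders, and the second config only mirrors the shape of Steve's member-server reply. It supplements testparm rather than replacing it; run testparm -s first.

```python
"""Lint an smb.conf meant for a Samba domain member served by smbd/winbindd.

Added example, not code from the thread or from Samba.  It only encodes the
handful of mistakes seen in this thread; testparm remains the authority.
"""
import configparser
from typing import List

# Only the AD DC "samba" binary reads these; on a member they show that a
# DC template was reused (the samba binary then refuses to run as a member).
DC_ONLY_OPTIONS = ("server services", "dcerpc endpoint servers")
DC_ROLES = {"domain controller", "active directory domain controller", "dc"}
DC_SHARES = ("sysvol", "netlogon")      # provisioned on DCs, not on members


def _normalise(text: str) -> str:
    """smb.conf ignores indentation and letter case; configparser would read
    an indented line as a continuation of the previous value, so flatten."""
    lines = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            line = line.lower()
        lines.append(line)
    return "\n".join(lines)


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(
        delimiters=("=",),                  # ':' is part of idmap keys
        comment_prefixes=(";", "#"),
        inline_comment_prefixes=(";", "#"),
        strict=False,                       # repeated keys are legal in smb.conf
        interpolation=None,
    )
    # keys are case-insensitive and tolerate spaces: "Idmap Config * : range"
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(_normalise(text))
    return cp


def lint_member_server(text: str) -> List[str]:
    """Return short finding codes; an empty list means nothing was flagged."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings: List[str] = []
    security = g.get("security", "").strip().lower()
    role = g.get("server role", "").strip().lower()
    if security == "ads" and "realm" not in g:
        findings.append("ads-without-realm")
    if security == "ads" and "password server" in g:
        findings.append("password-server-with-ads")    # testparm's warning
    if security == "ads" and role in DC_ROLES:
        findings.append("role-conflict")
    for opt in DC_ONLY_OPTIONS:
        if opt in g:
            findings.append("dc-only-option:" + opt)
    for share in DC_SHARES:
        if cp.has_section(share):
            findings.append("dc-share:" + share)
    return findings


# Constructed configs with placeholder domain, realm, ranges and shares.
# MIXED_CONF mixes DC-only settings into a member config; MEMBER_CONF has
# the shape of the member-server config suggested earlier in the thread.
MIXED_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.ORG
    server services = +smb -s3fs
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    winbind nss info = rfc2307

    server role = domain controller
    dcerpc endpoint servers = -winreg -srvsvc
[share]
    path = /srv/shares
    read only = no
[sysvol]
    path = /var/lib/samba/sysvol
"""

MEMBER_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.ORG
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
    winbind nss info = rfc2307
    winbind use default domain = yes
[share]
    path = /srv/shares
    read only = no
"""

if __name__ == "__main__":
    print(lint_member_server(MIXED_CONF))
    print(lint_member_server(MEMBER_CONF))
```

A member that trips "role-conflict" or a "dc-only-option" finding is the situation in Klaus's log above: the samba binary starts in member-server mode, finds no domain secret for the member role and exits, while the DC-only options stay silently ignored by smbd. Fix the config, then start smbd and winbindd as Steve describes.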


Re: [Samba] Samba 4 Slow Performance

2013-08-04 Thread Matthieu Patou

On 07/27/2013 08:20 AM, Kinglok, Fong wrote:

Dear all,

After using samba 3 for two years, I have just spent one week in total finishing 
setting up a samba 4 file system at the school where I work.  There are about 200 
computers, 80+ staff, 1000 students and 10 printers.  The AD was properly 
set up; a mandatory profile and one GPO policy (which is printer download trust) 
is effective for all users.  The logon script maps four shares and 10 
printers from the file server.   Also, I have set up two additional DCs (with AD 
replication and DHCP server) for two other subnets in the hope of speeding up the 
logon process.

The benefits of Samba 4 are clear: more robust file serving (supporting 
Windows ACLs), speedy printing (with the help of point and print driver) and 
administration of AD through the Windows remote admin tool.  However, logon 
speed is just far from good.

In the days of Samba 3.6, users could log on to the system within 20 seconds, even 
with more than 80 users logging on at the same time (two classes of students logging in 
during a computer lesson).  Now, with only one user logging in (me), it 
takes nearly 60 seconds to log on.  I have tried disabling drive and 
printer mapping in the logon script and applying a registry hack (note 1) to shorten 
the profile waiting time on the Windows 7 client side, but it makes no difference in 
logon speed.

I have taken a look on the document in sambaXP 2013:
http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf

and two thread in samba-technical mailing list:
https://lists.samba.org/archive/samba-technical/2013-January/089755.html
https://lists.samba.org/archive/samba-technical/2013-May/092332.html

It seems that the samba team is doing some great work in spotting the unindexed 
search in LDB as one of the blocks on performance.  Certainly, I can wait for the 
new version 4.0.X for the boost in performance.  However, I am in deep panic 
as lessons are going to start on 1st September 2013 here in Hong Kong.  
Are there any patches so that I can have a hot / dirty fix?

I don't think the problem is in the database in your case. Can you do a 
tcpdump trace starting just before the client logs on and stopping 
it after the logon (i.e. the 60 sec or so)? See 
https://wiki.samba.org/index.php/Capture_Packets for how to do the tcpdump 
capture.


With this trace we should be able to see where the delay is.
Matthieu.

--
Matthieu Patou
Samba Team
http://samba.org



Re: [Samba] Samba 4 Slow Performance

2013-07-30 Thread Andrew Bartlett
On Wed, 2013-07-31 at 10:07 +0800, Kinglok, Fong wrote:
> On 29 Jul, 2013, at 1:13 PM, Andrew Bartlett  wrote:
> 
> > On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
> >> Dear all,
> >> 
> >> After using samba 3 for two years, I have just spent totally one week
> >> finishing setting up a samba 4 file system in my working school.
> >> There are about 200 computers, 80+ staff, 1000 students and 10
> >> printers.  The AD was properly setup, mandatory profile and one GPO
> >> policy (which is printer download trust) is effective for all users.
> >> Logon script is for mapping four shares and 10 printers from the file
> >> server.   Also, I have setup two additional DCs (with AD replication
> >> and DHCP server) for two other subnets in the hope to speed up the
> >> logon process.
> >> 
> >> The benefits of Samba 4 are clear: more robust file serving
> >> (supporting the windows ACL), speedy printing (with the help of point
> >> and print driver) and administration of AD through the Windows
> >> remote admin tool.  However, logon speed is just far from good.
> >> 
> >> In the days of Samba 3.6, users can logon the system within 20
> >> seconds, even with more than 80 users logon in the same time (two
> >> classes students login during computer lesson).  Now, with only one
> >> user logging in (who is me), it takes nearly 60 seconds to do the
> >> logon.  I have tried disabling drive and printer mapping in logon
> >> script and applying a registry hack (note 1) shorten the profile
> >> waiting time in windows 7 client side but it makes no difference in
> >> logon speed.
> >> 
> >> I have taken a look on the document in sambaXP 2013:
> >> http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
> >> 
> >> and two thread in samba-technical mailing list:
> >> https://lists.samba.org/archive/samba-technical/2013-January/089755.html
> >> https://lists.samba.org/archive/samba-technical/2013-May/092332.html
> >> 
> >> It seems that samba team is doing some great work in spotting the
> >> unindexed search in LDB as one of block in performance. 
> > 
> > It is one block, but it is the one we expect to really hit at around
> > 1, not 1000-2000.  As Richard has indicated, what we need from you
> > is an indication of what operation is slow.  Timeouts of this order
> > indicate something different to a slow database - they indicate things
> > like DNS timing out. 
> > 
> > Once you work out which specific operation is blocking, we can
> > investigate more - be it in regards to your network, or our code, we
> > don't mind either way, but we need to work out which to look into.
> > 
> > Andrew Bartlett
> > 
> > -- 
> > Andrew Bartlett
> > http://samba.org/~abartlet/
> > Authentication Developer, Samba Team   http://samba.org
> > Samba Developer, Catalyst IT   http://catalyst.net.nz
> > 
> > 
> 
> 
> Thank you all for responding.
> 
> These days I am trying hard to understand the reason for the delay in 
> logon.
> 
> Following your advice, I've done some tests on
> 1. Profile deployment
> 2. GPO
> 
> For the first one, I tried using a roaming profile for one test user; it takes 
> 7 seconds to log on to the system.  It seems that the culprit of the delay is 
> my old mandatory profile.
> For the second one, I tried disabling all GPOs (I only enable point and print 
> driver trust and folder redirection); turning it on / off does not change the 
> logon time significantly.
> 
> So, I tried digging into how to create a mandatory profile properly once again.  
> Here I found:
> http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php
> 
> By following the link's instructions, I found it needs 20 seconds to log on.  I 
> hope I can further decrease the logon time (anyone got a hint?)
> 
> I will keep updating the list if I find something worth sharing.

Thanks for getting back to us.  It sounds like this is mostly a
client-side delay than a Samba issue. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba 4 Slow Performance

2013-07-30 Thread Kinglok, Fong

On 29 Jul, 2013, at 1:13 PM, Andrew Bartlett  wrote:

> On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
>> Dear all,
>> 
>> After using samba 3 for two years, I have just spent totally one week
>> finishing setting up a samba 4 file system in my working school.
>> There are about 200 computers, 80+ staff, 1000 students and 10
>> printers.  The AD was properly setup, mandatory profile and one GPO
>> policy (which is printer download trust) is effective for all users.
>> Logon script is for mapping four shares and 10 printers from the file
>> server.   Also, I have setup two additional DCs (with AD replication
>> and DHCP server) for two other subnets in the hope to speed up the
>> logon process.
>> 
>> The benefits of Samba 4 are clear: more robust file serving
>> (supporting the windows ACL), speedy printing (with the help of point
>> and print driver) and administration of AD through the Windows
>> remote admin tool.  However, logon speed is just far from good.
>> 
>> In the days of Samba 3.6, users can logon the system within 20
>> seconds, even with more than 80 users logon in the same time (two
>> classes students login during computer lesson).  Now, with only one
>> user logging in (who is me), it takes nearly 60 seconds to do the
>> logon.  I have tried disabling drive and printer mapping in logon
>> script and applying a registry hack (note 1) shorten the profile
>> waiting time in windows 7 client side but it makes no difference in
>> logon speed.
>> 
>> I have taken a look on the document in sambaXP 2013:
>> http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
>> 
>> and two thread in samba-technical mailing list:
>> https://lists.samba.org/archive/samba-technical/2013-January/089755.html
>> https://lists.samba.org/archive/samba-technical/2013-May/092332.html
>> 
>> It seems that samba team is doing some great work in spotting the
>> unindexed search in LDB as one of block in performance. 
> 
> It is one block, but it is the one we expect to really hit at around
> 1, not 1000-2000.  As Richard has indicated, what we need from you
> is an indication of what operation is slow.  Timeouts of this order
> indicate something different to a slow database - they indicate things
> like DNS timing out. 
> 
> Once you work out which specific operation is blocking, we can
> investigate more - be it in regards to your network, or our code, we
> don't mind either way, but we need to work out which to look into.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
> 
> 


Thank you all for responding.

These days I am trying hard to understand the reason for the delay in logon.

Following your advice, I've done some tests on
1. Profile deployment
2. GPO

For the first one, I tried using a roaming profile for one test user; it takes 
7 seconds to log on to the system.  It seems that the culprit of the delay is 
my old mandatory profile.
For the second one, I tried disabling all GPOs (I only enable point and print 
driver trust and folder redirection); turning it on / off does not change the 
logon time significantly.

So, I tried digging into how to create a mandatory profile properly once again.  
Here I found:
http://oakdome.com/k5/tutorials/windows-7-mandatory-roaming-profile.php

By following the link's instructions, I found it needs 20 seconds to log on.  I 
hope I can further decrease the logon time (anyone got a hint?)

I will keep updating the list if I found something worth sharing.

Thanks.

Kinglok, Fong




Re: [Samba] Samba 4 Slow Performance

2013-07-28 Thread Andrew Bartlett
On Sat, 2013-07-27 at 23:20 +0800, Kinglok, Fong wrote:
> Dear all,
> 
> After using samba 3 for two years, I have just spent totally one week
> finishing setting up a samba 4 file system in my working school.
> There are about 200 computers, 80+ staff, 1000 students and 10
> printers.  The AD was properly setup, mandatory profile and one GPO
> policy (which is printer download trust) is effective for all users.
> Logon script is for mapping four shares and 10 printers from the file
> server.   Also, I have setup two additional DCs (with AD replication
> and DHCP server) for two other subnets in the hope to speed up the
> logon process.
> 
> The benefits of Samba 4 are clear: more robust file serving
> (supporting the windows ACL), speedy printing (with the help of point
> and print driver) and administration of AD through the Windows
> remote admin tool.  However, logon speed is just far from good.
> 
> In the days of Samba 3.6, users can logon the system within 20
> seconds, even with more than 80 users logon in the same time (two
> classes students login during computer lesson).  Now, with only one
> user logging in (who is me), it takes nearly 60 seconds to do the
> logon.  I have tried disabling drive and printer mapping in logon
> script and applying a registry hack (note 1) shorten the profile
> waiting time in windows 7 client side but it makes no difference in
> logon speed.
> 
> I have taken a look on the document in sambaXP 2013:
> http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf
> 
> and two thread in samba-technical mailing list:
> https://lists.samba.org/archive/samba-technical/2013-January/089755.html
> https://lists.samba.org/archive/samba-technical/2013-May/092332.html
> 
> It seems that samba team is doing some great work in spotting the
> unindexed search in LDB as one of block in performance. 

It is one block, but it is the one we expect to really hit at around
1, not 1000-2000.  As Richard has indicated, what we need from you
is an indication of what operation is slow.  Timeouts of this order
indicate something different to a slow database - they indicate things
like DNS timing out. 

Once you work out which specific operation is blocking, we can
investigate more - be it in regards to your network, or our code, we
don't mind either way, but we need to work out which to look into.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz


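
Matthieu's advice in this thread is to capture the logon and look for the delay, Andrew points at DNS timeouts as the kind of thing that costs tens of seconds, and Richard asks whether the client is using Kerberos or falling back to NTLM. The following is an added example (not from the thread, not Samba code) that does that triage over a tshark field export instead of by eye: it reports the longest idle gap and the request just before it, lists DNS queries whose transaction id never got a response, and classifies the SMB session setup as Kerberos or NTLM. It assumes the capture was exported with `tshark -r logon.pcap -T fields -E separator=/t -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info` and that the Info column carries Wireshark's usual strings (`Standard query 0x1a2b ...`, `Standard query response 0x1a2b ...`, `Session Setup Request, NTLMSSP_AUTH, ...`); the sample lines, hosts and addresses are constructed.

```python
"""Triage a slow logon from a tshark field export (added example, not from
the thread or from Samba).  Expected export:

  tshark -r logon.pcap -T fields -E separator=/t \
      -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Frame:
    t: float       # frame.time_relative, seconds since the first frame
    src: str
    dst: str
    proto: str     # _ws.col.Protocol
    info: str      # _ws.col.Info


def parse_export(text: str) -> List[Frame]:
    """Read the tab-separated export; Info may itself contain spaces."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, proto, info = line.split("\t", 4)
        frames.append(Frame(float(t), src, dst, proto, info))
    return frames


_TXID = re.compile(r"\b0x([0-9a-fA-F]{4})\b")   # DNS transaction id as Wireshark prints it


def unanswered_dns(frames: List[Frame]) -> List[Tuple[str, str]]:
    """(server, query) pairs whose transaction id never saw a response.

    A stale name (a decommissioned server in a logon script or in an SOA)
    makes the client retry and then time out: a multi-second stall that a
    slow directory database would not produce.
    """
    pending: Dict[str, Tuple[str, str]] = {}
    for f in frames:
        if f.proto != "DNS":
            continue
        m = _TXID.search(f.info)
        if not m:
            continue
        txid = m.group(1).lower()
        if "response" in f.info:
            pending.pop(txid, None)
        else:
            pending.setdefault(txid, (f.dst, f.info))   # keep the first try, drop retries
    return list(pending.values())


def largest_gaps(frames: List[Frame], n: int = 3) -> List[Tuple[float, Frame, Frame]]:
    """Longest idle periods; the frame before each gap is the request that stalled."""
    gaps = [(b.t - a.t, a, b) for a, b in zip(frames, frames[1:])]
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:n]


def auth_mechanism(frames: List[Frame]) -> Optional[str]:
    """'ntlm' if an SMB session setup carried NTLMSSP, 'kerberos' if the
    client obtained tickets instead, None if neither appears."""
    setups = [f for f in frames
              if f.proto.startswith("SMB") and "Session Setup Request" in f.info]
    if any("NTLMSSP" in f.info for f in setups):
        return "ntlm"
    if any(f.proto == "KRB5" and f.info.startswith(("AS-REQ", "TGS-REQ")) for f in frames):
        return "kerberos"
    return None


def diagnose(text: str) -> dict:
    frames = parse_export(text)
    gaps = largest_gaps(frames, 1)
    return {
        "total_seconds": frames[-1].t - frames[0].t if frames else 0.0,
        "largest_gap": gaps[0][0] if gaps else 0.0,
        "stalled_after": gaps[0][1].info if gaps else None,
        "unanswered_dns": unanswered_dns(frames),
        "auth": auth_mechanism(frames),
    }


# Constructed export (RFC 5737 addresses): a Kerberos logon that then stalls
# for seconds on an A lookup nobody answers, before SMB starts.
SAMPLE_EXPORT = "\n".join("\t".join(row) for row in [
    ("0.000000", "192.0.2.50", "192.0.2.10", "DNS", "Standard query 0x1a2b SRV _kerberos._tcp.example.org"),
    ("0.000900", "192.0.2.10", "192.0.2.50", "DNS", "Standard query response 0x1a2b SRV 0 100 88 dc1.example.org"),
    ("0.002000", "192.0.2.50", "192.0.2.10", "KRB5", "AS-REQ"),
    ("0.004000", "192.0.2.10", "192.0.2.50", "KRB5", "AS-REP"),
    ("0.005000", "192.0.2.50", "192.0.2.10", "KRB5", "TGS-REQ"),
    ("0.007000", "192.0.2.10", "192.0.2.50", "KRB5", "TGS-REP"),
    ("0.010000", "192.0.2.50", "198.51.100.9", "DNS", "Standard query 0x3c4d A oldfiles.example.org"),
    ("1.010000", "192.0.2.50", "198.51.100.9", "DNS", "Standard query 0x3c4d A oldfiles.example.org"),
    ("3.010000", "192.0.2.50", "198.51.100.9", "DNS", "Standard query 0x3c4d A oldfiles.example.org"),
    ("7.010000", "192.0.2.50", "192.0.2.10", "SMB2", "Negotiate Protocol Request"),
    ("7.012000", "192.0.2.10", "192.0.2.50", "SMB2", "Negotiate Protocol Response"),
    ("7.013000", "192.0.2.50", "192.0.2.10", "SMB2", "Session Setup Request"),
    ("7.020000", "192.0.2.10", "192.0.2.50", "SMB2", "Session Setup Response"),
])

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

On a real capture, filter to the client's address first so that the idle-gap ranking is not skewed by unrelated traffic, and read the "stalled_after" line as the question to answer: an unanswered A or SRV query points at a stale name or an unreachable resolver, a long wait after a Session Setup points at the server.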


Re: [Samba] samba 4 userid mapping

2013-07-28 Thread steve
On Tue, 2013-07-09 at 18:22 -0700, Nick B wrote:

Hi
None of this works on an s4 DC
> 
>  # Setup user maps
> idmap config * : backend = tdb
> idmap config * : range = 10-19
> idmap config MYDOMAIN : backend = ad
> idmap config MYDOMAIN : schema_mode = rfc2307
> idmap config MYDOMAIN : range = 5-9
> winbind nss info = rfc2307
> winbind trusted domains only = No
> winbind use default domain = Yes
> winbind enum users = Yes
> winbind enum groups = Yes

replace it with this:
idmap_ldb use:rfc2307 = Yes

make the winbind links:
ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/libnss_winbind.so
ln -s libnss_winbind.so /lib64/libnss_winbind.so.2

and the nss stuff in /etc/nsswitch.conf:
passwd:  files winbind
group:   files winbind

Now add the uidNumber and gidNumber attributes to the user or group DN
in AD. You can use ldbmodify or ldbedit for that. If you are brave, you
can build the master and use samba-tool to add the attributes when you
create the user.

Note: if you want the whole of rfc2307 as your smb.conf suggests, then
use sssd and forget about winbind.

HTH
Steve


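A worked example to go with Steve's advice above, added here and not code from the Samba project or from either poster: it collects the uidNumber values already present in ldbsearch output, picks the next free one, and emits the LDIF "modify" record that ldbmodify accepts for adding uidNumber and gidNumber to a DN. The DNs, the uidNumber values and the sam.ldb path mentioned afterwards are assumptions for illustration.

```python
import re

# Constructed ldbsearch-style output (assumed domain, not the poster's): the
# uidNumber values already assigned to existing AD users.
EXISTING_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10001

dn: CN=carol,CN=Users,DC=example,DC=com
uidNumber: 10002
"""

_UID_RE = re.compile(r"^uidNumber:\s*(\d+)\s*$", re.MULTILINE)


def parse_uidnumbers(ldif_text):
    """Collect the uidNumber values present in ldbsearch/LDIF output."""
    return {int(m.group(1)) for m in _UID_RE.finditer(ldif_text)}


def next_free_uid(existing, start=10000):
    """Lowest id >= start that no existing entry uses (start is an assumption)."""
    uid = start
    while uid in existing:
        uid += 1
    return uid


def posix_ldif(dn, uid_number, gid_number, existing):
    """Return an LDIF 'modify' record adding uidNumber and gidNumber to dn.

    A uidNumber that is already assigned is refused: two AD accounts mapped
    to one POSIX id are indistinguishable to the file server's permission
    checks, so the collision has to be caught before the attribute is written.
    """
    if uid_number <= 0 or gid_number <= 0:
        raise ValueError("uidNumber and gidNumber must be positive")
    if uid_number in existing:
        raise ValueError("uidNumber %d is already assigned" % uid_number)
    lines = [
        "dn: %s" % dn,
        "changetype: modify",
        "add: uidNumber",
        "uidNumber: %d" % uid_number,
        "-",
        "add: gidNumber",
        "gidNumber: %d" % gid_number,
        "-",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    used = parse_uidnumbers(EXISTING_LDIF)
    uid = next_free_uid(used)
    print(posix_ldif("CN=dave,CN=Users,DC=example,DC=com", uid, 10000, used))
```

The existing values would come from something like `ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' uidNumber` (path assumed for a source install), and the generated file is applied with `ldbmodify -H /usr/local/samba/private/sam.ldb dave.ldif`. The gidNumber must match a group that also carries a gidNumber, or the mapping stays incomplete.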


Re: [Samba] Samba 4 Slow Performance

2013-07-28 Thread Richard Sharpe
On Sat, Jul 27, 2013 at 8:20 AM, Kinglok, Fong  wrote:
> Dear all,
>
> After using samba 3 for two years, I have just spent totally one week
> finishing setting up a samba 4 file system in my working school.  There
> are about 200 computers, 80+ staff, 1000 students and 10 printers.  The
> AD was properly setup, mandatory profile and one GPO policy (which is
> printer download trust) is effective for all users.  Logon script is for
> mapping four shares and 10 printers from the file server.  Also, I have
> setup two additional DCs (with AD replication and DHCP server) for two
> other subnets in the hope to speed up the logon process.

Hmmm, some further info might be useful.

Is the Samba server an AD DC or a simple member server?

Do you know (perhaps from a capture) whether the excess logon time is
mostly caused by the initial authentication or by trying to retrieve
the GPO and/or roaming profiles?

Do you know whether or not Kerberos is being used or if the client is
falling back to NTLM?

-- 
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao)

[Samba] samba 4 userid mapping

2013-07-28 Thread Nick B
Complete new user here.  Setting up my first samba configuration, using
samba 4.0.6 as a primary domain controller.  I have user profiles, network
shares, active directory, and domain controller working.  But I can not
understand how to map windows userid to linux userid (and map groupid as
well).  I am struggling because much of the documentation is outdated and
meant for samba 3.x or targeted for samba as a domain member.  I followed
some documentation to try the userid mapping through active directory, but
that required Microsoft services for Unix 3.5, which will not install on 64
versions of MS.  I find myself without any orientation of how to proceed.

I am suffering from documentation overload, much of it contradictory or not
applicable.  I am not even sure how to use winbind, or if that is required
for my situation.  I really need a simple step by step howto that is
specific to samba 4 as a PDC.  If you want to reference documentation,
great, but please reference specific sections instead of whole general
chapters.  Any help greatly appreciated.  Thank you.

Configuration information follows:

Server

OS:  OpenSuSE 12.1, 64 bit
Samba:  Samba 4.0.6
Configuration:  Primary domain controller with active directory support
Using BIND 9 DNS server


Client

OS:  Windows 7 Professional, 64 bit


Samba configuration file


# Global parameters

[global]

workgroup = MYDOMAIN

realm = MYDOMAIN.ORG

netbios name = SERVER

wins support = Yes

server role = active directory domain controller

server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate

encrypt passwords = yes

 # Setup user maps

idmap config * : backend = tdb

idmap config * : range = 10-19

idmap config MYDOMAIN : backend = ad

idmap config MYDOMAIN : schema_mode = rfc2307

idmap config MYDOMAIN : range = 5-9

winbind nss info = rfc2307

winbind trusted domains only = No

winbind use default domain = Yes

winbind enum users = Yes

winbind enum groups = Yes

# Logon path tells samba where to put Windows roaming profiles

logon path = \\%h\profiles\%u

  # Logon home is used to specify home directory and

# Windows 95/98/ME roaming profile location

logon home = \\%h\%u\.win_profiles

# Allow Samba to send correct time to windows

time server = Yes

# Set logging options

log file = /var/log/samba/log.odeon

# Shares configurations follows.  Not included for brevity . . .



[Samba] Samba 4 Slow Performance

2013-07-27 Thread Kinglok, Fong
Dear all,

After using samba 3 for two years, I have just spent totally one week finishing 
setting up a samba 4 file system in my working school.  There are about 200 
computers, 80+ staff, 1000 students and 10 printers.  The AD was properly 
setup, mandatory profile and one GPO policy (which is printer download trust) 
is effective for all users.  Logon script is for mapping four shares and 10 
printers from the file server.   Also, I have setup two additional DCs (with AD 
replication and DHCP server) for two other subnets in the hope to speed up the 
logon process.

The benefits of Samba 4 are clear: more robust file serving (supporting the 
windows ACL), speedy printing (with the help of point and printer driver) and 
administration of AD through with windows remote admin tool.  However, logon 
speed is just far from good.

In the days of Samba 3.6, users could log on to the system within 20 seconds, even 
with more than 80 users logging on at the same time (two classes of students log in 
during a computer lesson).  Now, with only one user logging in (who is me), it 
takes nearly 60 seconds to do the logon.  I have tried disabling drive and 
printer mapping in the logon script and applying a registry hack (note 1) to shorten 
the profile waiting time on the windows 7 client side but it makes no difference in 
logon speed.

I have taken a look at the document in sambaXP 2013:
http://sambaxp.org/fileadmin/user_upload/SambaXP2013-DATA/thu/track1/Matthieu_Patou-Smaller_Faster_Scalier.pdf

and two threads in the samba-technical mailing list:
https://lists.samba.org/archive/samba-technical/2013-January/089755.html
https://lists.samba.org/archive/samba-technical/2013-May/092332.html

It seems that the samba team is doing some great work in spotting the unindexed 
search in LDB as one of the blocks in performance.  Certainly, I can wait for the 
new version 4.0.X for the boost of performance.  However, I am in deep panic 
when lessons are going to be launched on 1st September 2013 here in Hong Kong.  
Are there any patches so that I can apply a hot / dirty fix?

Thanks for attending.

Kinglok, Fong

Note: "Set maximum wait time for the network if a user has a roaming" to 1 
(setting it to 0 will default it to 30 seconds) and "Startup policy processing 
wait time..." to 1



Re: [Samba] Samba 4 dnsupdate errors

2013-07-26 Thread Dave Hawkes
This has now been fixed - apparmor was preventing bind from writing to 
the /var/tmp directory.


On 13-07-26 09:22 AM, Dave Hawkes wrote:
I have installed samba from source (I've tried both V4-0-stable and 
v4-1-stable) using BIND9_DLZ on Ubuntu server 13.04 and I'm unable to 
get samba_dnsupdate to function.


# samba_dnsupdate --all-names --fail-immediately

will return

dns_tkey_negotiategss: TKEY is unacceptable

If I then try nsupdate directly:

nsupdate -g /tmp/tmpEk4_WK

I also get:

dns_tkey_negotiategss: TKEY is unacceptable

The credential cache looks like:

# klist -c /tmp/tmpQoCe89

Ticket cache: FILE:/tmp/tmpQoCe89
Default principal: ADS1$@INTERNAL.DOMAIN.COM

Valid starting     Expires            Service principal
26/07/2013 09:03   26/07/2013 19:03   krbtgt/internal.domain@internal.domain.com
26/07/2013 09:03   26/07/2013 19:03   DNS/ads1.internal.domain@internal.domain.com


Dns appears to be functioning correctly with forward and reverse 
lookups correct.


Can anyone help with ideas to track down this problem?

Thanks,
Dave







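Dave's resolution above (AppArmor blocking bind's writes under /var/tmp) is the kind of cause that is invisible to nsupdate but is recorded by the kernel. The following is an added example, not code from the Samba project or from the poster: it parses AppArmor audit records of the form the kernel emits and filters the DENIED events for a given process name and path prefix, so the TKEY failure can be tied back to a confinement denial. The log lines are constructed (pids, timestamps and the temporary file name are made up; the poster did not include their log).

```python
import re

# Constructed kernel audit lines in AppArmor's key="value" format.
SAMPLE_LOG = """\
audit: type=1400 audit(1374840000.123:45): apparmor="DENIED" operation="mknod" profile="/usr/sbin/named" name="/var/tmp/tmp-z3Yb9k" pid=2345 comm="named" requested_mask="c" denied_mask="c" fsuid=104 ouid=104
audit: type=1400 audit(1374840001.001:46): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/named" pid=2300 comm="apparmor_parser"
audit: type=1400 audit(1374840002.500:47): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/var/tmp/cups-x1" pid=999 comm="cupsd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# Quoted values first, then bare key=value tokens such as pid=2345.
_KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')


def parse_audit_line(line):
    """Turn one AppArmor audit line into a dict of its key=value fields."""
    fields = {}
    for m in _KV_RE.finditer(line):
        if m.group(1) is not None:
            fields[m.group(1)] = m.group(2)
        else:
            fields[m.group(3)] = m.group(4)
    return fields


def apparmor_denials(log_text, comm=None, path_prefix=None):
    """Return the DENIED records, optionally narrowed to a process name and a path prefix."""
    hits = []
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        rec = parse_audit_line(line)
        if comm is not None and rec.get("comm") != comm:
            continue
        if path_prefix is not None and not rec.get("name", "").startswith(path_prefix):
            continue
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in apparmor_denials(SAMPLE_LOG, comm="named", path_prefix="/var/tmp"):
        print("%s denied %s on %s (mask %s)" % (
            rec["profile"], rec["operation"], rec["name"], rec["denied_mask"]))
```

On a live system the text would come from `dmesg` or `journalctl -k`; a hit with `comm="named"` under the temporary directory samba_dnsupdate uses is the confirmation that the profile for named, not Kerberos, needs attention.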


[Samba] Samba 4 dnsupdate errors

2013-07-26 Thread Dave Hawkes
I have installed samba from source (I've tried both V4-0-stable and 
v4-1-stable) using BIND9_DLZ on Ubuntu server 13.04 and I'm unable to 
get samba_dnsupdate to function.


# samba_dnsupdate --all-names --fail-immediately

will return

dns_tkey_negotiategss: TKEY is unacceptable

If I then try nsupdate directly:

nsupdate -g /tmp/tmpEk4_WK

I also get:

dns_tkey_negotiategss: TKEY is unacceptable

The credential cache looks like:

# klist -c /tmp/tmpQoCe89

Ticket cache: FILE:/tmp/tmpQoCe89
Default principal: ADS1$@INTERNAL.DOMAIN.COM

Valid starting     Expires            Service principal
26/07/2013 09:03   26/07/2013 19:03   krbtgt/internal.domain@internal.domain.com
26/07/2013 09:03   26/07/2013 19:03   DNS/ads1.internal.domain@internal.domain.com


Dns appears to be functioning correctly with forward and reverse lookups 
correct.


Can anyone help with ideas to track down this problem?

Thanks,
Dave






Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-07-25 Thread Tris Mabbs
Good day, one and all ...

I just had to rebuild our main Samba server ("OpenSlowlaris" -> "Slowlaris 
11.11"), during which I put the latest (at the time; currently 
4.2.0pre1-GIT-b505111) Samba4 on there.  I thought that by now that Gunther's 
speculative changes to improve the PAC decode might have made their way into 
the trunk revision - obviously I was wrong, as I'm once again getting a load of 
"Can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" messages and a user who can't 
access any Samba shares.

Whoops ...

So as we previously discussed looking into things in more detail (specifically 
finding out why there is no "client_principal" being passed into 
"kerberos_decode_pac()"), but nothing else ever happened, is there anything I 
can do to assist in getting the improved PAC decoding included into the trunk 
revision?  Whilst I can't guarantee immediate responses to any request, I'm 
quite happy to stick any code in anywhere you might want if you don't mind 
potentially waiting a day or so for the results :-)

Also:
I appreciate this is off-topic, but I was wondering whether anyone is 
interested in/would like me to open a separate thread on any of these ...
Built the code, installed the code, set it up (joined the domain, etc. etc. 
etc. etc.).  Had 2(-and-a-bit) problems (one of which I've fixed):
1. Although "bin/default/source3/winbindd/idmap_ad_4.o" gets built, 
"bin/default/source3/winbindd/libidmap-ad.so" doesn't, so 
"/lib/idmap/ad.so" doesn't get installed.  No "ad" idmap backend; no 
AD UID/SID mapping; much administrator (me) confusion if said administrator is 
expecting AD UID/SID mapping to work ...
  I'd completely forgotten about this little "hiccup" - it's been a 
while since I initially shoe-horned Samba4 onto "OpenSlowlaris", but 
fortunately I'd made a note of this in the build script I used so after 2 days 
of banging my head against a wall, I finally remembered to check my own darn' 
script and saw the comment "If ''/usr/local/samba/lib/idmap/ad.so'' doesn't 
build and install then ...".  Bang bang bang bang ...  Doh!
   Linked "libidmap-ad.so" manually and copied into 
"/usr/local/samba/lib/idmap/ad.so" and, as if by magic, my UID/SID mapping 
started working ...
2. "net ads testjoin" works; "wbinfo -t" works (as do "wbinfo -u", 
"wbinfo -g", ).  In fact everything works (after installing "ad.so"!) 
*except* ...  If I do a "net rpc testjoin" (and remember, "wbinfo -t" *does* 
work here) I get an error stating that it can't connect to "GATEWAY" (local 
server name) and therefore the join to the "FIRSTGRADE" domain isn't valid.
   Duh?
   So for some reason, "net rpc testjoin" is trying to connect to the 
local server rather than any DC for the domain.  No particular reason apparent 
in the log files, and it doesn't seem to be affecting anything, but it is an 
odd disparity.  Ramped up debugging but couldn't see any sensible explanation 
in the logs ...
[3. Kinda ...  Sorta ...  Can't build Samba4 on "Slowlaris 11.11" 
without complaints about "no ldap_add_result_entry() support in LDAP libs!" 
filling every log file on the system.
So I kicked and forced and prodded and poked and finally managed to 
persuade Samba to build using OpenLDAP-2.4, which gets rid of this problem.
However that involved fiddling with "CPPFLAGS" and "LDFLAGS" before 
calling any build scripts; it's nasty, messy and dirty - I don't approve of any 
"solution" which involves that sort of messing around (yuk).  There has to be a 
better way ...
From looking at other discussions, it seems Samba4 as a DC isn't 
supported (yet?) using OpenLDAP, but might it be worthwhile providing some way 
to "encourage" the use of OpenLDAP, rather than the OS native LDAP (whatever 
that may be), if it *can* be used?  Perhaps a 
"--I-cant-believe-its-not-OpenLDAP" flag of some sort (sorry, British humour - 
that probably doesn't mean anything to anyone else ...)?]
If you think it's worth opening a thread on any of these (probably, I'd guess, 
in the main Samba discussion rather than Samba-Technical?) then please say so 
and I'll do so.  Otherwise I'll continue quietly to ignore them :-)

Many thanks folks, and have a great week/weekend,

Cheers,

Tris.

-Original Message-
From: Tris Mabbs [mailto:tm-samba201...@firstgrade.co.uk] 
Sent: 15 March 2013 17:59
To: Andrew Bartlett
Cc: 'Michael Wood'; Guenther Deschner; samba@lists.samba.org; 
sa

Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread steve
On Thu, 2013-07-25 at 08:17 -0400, Ryan Bair wrote:
> Thank you for confirming. I do have g+s on the directory. I'll file a
> bug about this issue today. 

No problem. If you go with the bugzilla, could you post the link here?
Thanks.




Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread Ryan Bair
Thank you for confirming. I do have g+s on the directory. I'll file a bug
about this issue today.


On Thu, Jul 25, 2013 at 3:30 AM, steve  wrote:

> On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
> > I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs.
> >
> > I have a shared directory with the setgid bit set. From the shell on the
> > server, new files and directories inherit the group as expected. However,
> > new items created through samba get the user's primary group instead.
> >
> > Config for the share is super simple:
> >
> > [test]
> > path = /srv/test
> > read only = no
> >
> >
> > Sounds like a bug. Has any one else experienced this?
>
> Hi
> openSUSE 12.3 DC 4.0.7 also tested with latest git
>
> Not sure what /srv/test has but am guessing that you have set chmod g+s?
>
> If so, I can reproduce what you see. The g+s is ignored when accessed on
> a cifs mounted share and instead the primaryGroupID is used.
>
> Cheers,
> Steve
>
>


Re: [Samba] Samba 4 not honoring setgid

2013-07-25 Thread steve
On Wed, 2013-07-24 at 22:34 -0400, Ryan Bair wrote:
> I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs.
> 
> I have a shared directory with the setgid bit set. From the shell on the
> server, new files and directories inherit the group as expected. However,
> new items created through samba get the user's primary group instead.
> 
> Config for the share is super simple:
> 
> [test]
> path = /srv/test
> read only = no
> 
> 
> Sounds like a bug. Has any one else experienced this?

Hi
openSUSE 12.3 DC 4.0.7 also tested with latest git

Not sure what /srv/test has but am guessing that you have set chmod g+s?

If so, I can reproduce what you see. The g+s is ignored when accessed on
a cifs mounted share and instead the primaryGroupID is used.

Cheers,
Steve


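Steve's reproduction above (g+s honoured for files created in the shell, ignored for files created through the share, which get the primaryGroupID instead) is easy to confirm server-side with a small audit of the share directory. This is an added example, not code from Samba or from either poster: it reports whether the setgid bit is set on a directory and lists every entry whose group differs from the directory's group, which is exactly the symptom described. The demo builds a throw-away directory and creates one file locally, so it shows the shell-side behaviour; run `setgid_audit()` on the real share path after creating files through Samba to see the mismatching entries.

```python
import os
import stat
import tempfile


def setgid_audit(directory):
    """Return (setgid_set, mismatches) for a directory.

    setgid_set is True when S_ISGID is on the directory. mismatches lists
    (name, gid) for entries whose gid differs from the directory's gid,
    i.e. entries that did not inherit the group that setgid is meant to
    enforce.
    """
    st = os.stat(directory)
    setgid_set = bool(st.st_mode & stat.S_ISGID)
    mismatches = []
    for name in sorted(os.listdir(directory)):
        est = os.lstat(os.path.join(directory, name))
        if est.st_gid != st.st_gid:
            mismatches.append((name, est.st_gid))
    return setgid_set, mismatches


def demo():
    """Constructed scenario: a fresh setgid directory plus a file created locally.

    Local creation goes through the kernel, so the file inherits the
    directory's group and the audit reports no mismatches.
    """
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "test")
        os.mkdir(share)
        os.chmod(share, 0o2770)          # rwxrws--- : setgid on the directory
        with open(os.path.join(share, "local.txt"), "w") as fh:
            fh.write("created from the shell\n")
        return setgid_audit(share)


if __name__ == "__main__":
    setgid_set, mismatches = demo()
    print("setgid set:", setgid_set)
    print("entries with a foreign gid:", mismatches)
```

A non-empty mismatch list on a share that has setgid set, with all of the listed entries created via SMB, reproduces the bug report; an empty list with setgid missing means the directory mode, not Samba, is the problem.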


[Samba] Samba 4 not honoring setgid

2013-07-24 Thread Ryan Bair
I'm running Samba 4.0.7 on CentOS 6.4 as an AD DC with s3fs.

I have a shared directory with the setgid bit set. From the shell on the
server, new files and directories inherit the group as expected. However,
new items created through samba get the user's primary group instead.

Config for the share is super simple:

[test]
path = /srv/test
read only = no


Sounds like a bug. Has any one else experienced this?


Re: [Samba] Samba 4 domain members

2013-07-16 Thread steve
On Tue, 2013-07-16 at 09:40 +0100, Chris Alavoine wrote:
> Hi there,
> 
> Just to add I've been using Ubuntu as my distro of choice (cos it's the one
> I know best). Has anyone had any successes with other Distros they could
> share? I am willing to jump ship if it works!

Hi
openSUSE. One install we did has 2 DC's and a 4.0.7 file server. But I
think that if you build from source, it doesn't make much difference.
HTH
Steve




Re: [Samba] Samba 4 domain members

2013-07-16 Thread Chris Alavoine
Hi there,

Just to add I've been using Ubuntu as my distro of choice (cos it's the one
I know best). Has anyone had any successes with other Distros they could
share? I am willing to jump ship if it works!

Thanks,
Chris.


On 12 July 2013 15:21, Chris Alavoine  wrote:

> Hi there,
>
> I would like to setup a Samba 4 member server to act as a separate
> fileserver within my Samba 4 domain.
>
> Does anyone have any recommendations for this setup?
>
> I've tried to create one following this:
>
> https://wiki.samba.org/index.php/Samba4/Domain_Member
>
> Which seems to work ok until I try to change any permission on any shares
> (or anything within the shares). I then get "access denied" errors.
> Obviously, this is unworkable as a solution as I need to set permissions.
>
> Any help much appreciated.
>
> Thanks,
> Chris.
>
> --
> ACS (Alavoine Computer Services Ltd)
> Chris Alavoine
> mob +44 (0)7724 710 730
> www.alavoinecs.co.uk
> http://twitter.com/#!/alavoinecs
> http://www.linkedin.com/pub/chris-alavoine/39/606/192
>



-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192


Re: [Samba] Samba 4 domain members

2013-07-12 Thread steve
On Fri, 2013-07-12 at 15:21 +0100, Chris Alavoine wrote:
> Hi there,
> 
> I would like to setup a Samba 4 member server to act as a separate
> fileserver within my Samba 4 domain.
> 
> Does anyone have any recommendations for this setup?
> 
> I've tried to create one following this:
> 
> https://wiki.samba.org/index.php/Samba4/Domain_Member
> 
> Which seems to work ok until I try to change any permission on any shares
> (or anything within the shares). I then get "access denied" errors.
> Obviously, this is unworkable as a solution as I need to set permissions.

Hi
Give us an example of a share that's working. Then, what you change
within it and what permissions you change to get the 'access denied'.
Which version have you installed?
Cheers,
Steve




[Samba] Samba 4 domain members

2013-07-12 Thread Chris Alavoine
Hi there,

I would like to setup a Samba 4 member server to act as a separate
fileserver within my Samba 4 domain.

Does anyone have any recommendations for this setup?

I've tried to create one following this:

https://wiki.samba.org/index.php/Samba4/Domain_Member

Which seems to work ok until I try to change any permission on any shares
(or anything within the shares). I then get "access denied" errors.
Obviously, this is unworkable as a solution as I need to set permissions.

Any help much appreciated.

Thanks,
Chris.

-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192


Re: [Samba] Samba 4 Rhedhat 6 And classicupgrade errors

2013-07-04 Thread Andrew Bartlett
On Wed, 2013-07-03 at 12:28 +0100, GUEI née worou noee wrote:
> Hi,
> I am upgrading, on a new server, from samba3 to samba4 with an LDAP backend.
> I have followed this HowTo
>  http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO
> 
> until the classicupgrade step.
> Here are the errors I get:

> Following sids are both user and group sids:
>S-1-5-21-1770481708-1631662840-68360779-3221

> raise ProvisioningError("Please remove duplicate sid entries before 
> upgrade.")

> Please, could anyone help me.
> I have had this error for one week and could not figure it out.
> I need help.

Read the above message carefully, and ensure no user has the same SID as
a group in your source databases. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] samba 4 installation failing several troubleshooting steps

2013-07-03 Thread Joe Johnson
Troubleshooting steps fail.  Trying to replace a standalone Netware
server with a Samba4 server with AD.  To isolate this test setup,
changed server's static IP address and separated the wiring.  Then
went through the Troubleshooting portion of The Samba Checklist.  Some
tests pass.  Some tests fail.  I'm weak on Samba, DNS and AD.  I
appreciate your instructions on how to overcome the indicated test
failures.

The setup:
- an inexpensive router provides DHCP to a network of three computers
- Samba4 server (SERVER) has static ip 192.168.3.210
- Windows XP Pro SP3 workstation (WORKSTATION)
- Linux Mint workstation (used for ssh to SERVER)
- Domain is domane.lan
- workgroup is OFFICE
- Samba4 downloaded from git, version 4.1.0pre1-GIT-3e66cb7, using internal DNS
- SERVER runs Ubuntu 12 LTS, recent download with updates, no firewall

smb.conf, resolv.conf, and a query result for DNS records may all be seen at
http://pastebin.com/B5gyDi1s  ("samba 4 configurations as part of
troubleshooting questions")

When making suggestions, please detail the commands you would like me to try.

1)  WORKSTATION can log into the domain and can ping SERVER by its ip
address.  WORKSTATION initially could not ping SERVER by its name, but
could after an entry for SERVER was added in
C:\windows\system32\drivers\etc\hosts.

2)  SERVER can ping WORKSTATION by its ip address but cannot ping the
workstation by its name.

3)  /usr/local/samba/bin/testparm /usr/local/samba/etc/smb.conf  does
not report any errors.

4)  On WORKSTATION I was never able to get a browse list of shares.
An early error seen in /usr/local/samba/var/log.samba is:

[2013/06/21 22:43:29,  0] ../source4/dsdb/common/util_samr.c:185(dsdb_add_user)
  Failed to create user record
CN=WORKSTATION,CN=Computers,DC=domane,DC=lan: dsdb_access: Access
check failed on CN=Computers,DC=domane,DC=lan

5)  host -t SRV _ldap._tcp.domane.lan.  gives expected results
host -t SRV _kerberos._udp.domane.lan.  gives expected results
host -t A server.domane.lan.  gives expected results

6)  On WORKSTATION, checked the box “Use this connection's DNS suffix in DNS
 registration” in Windows XP's TCP/IP properties, General, Advanced,
DNS.  SERVER still cannot ping workstation by name.

7)  smbclient -L SERVER  does provide a list of shares.

8)  /usr/local/samba/bin/nmblookup -B SERVER __SAMBA__.  responds with
querying __SAMBA__. on 127.0.0.1
name_query failed to find name __SAMBA__.

9)  nmblookup -B WORKSTATION.domane.lan '*'
  gives the confusing response
querying * on 192.168.3.255
192.168.3.2 *<00>
This is confusing because 192.168.3.2 is the ip address of the Mint
computer running ssh to SERVER.  WORKSTATION has an ip address of
192.168.3.3

10)  nmblookup -d 2 '*'
  responds with
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
added interface eth0 ip=fe80::211:11ff:fe6f:8df0%eth0
bcast=fe80:::::%eth0 netmask=:::::
added interface eth0 ip=192.168.3.210 bcast=192.168.3.255 netmask=255.255.255.0
querying * on 192.168.3.255
Got a positive name query response from 192.168.3.2 ( 192.168.3.2 )
192.168.3.2 *<00>
Again, this is confusing because 192.168.3.2 is the ip address of the
Mint computer running ssh to SERVER.  WORKSTATION has an ip address
of 192.168.3.3

11)  smbclient //SERVER/INVOICES -UAdministrator  requests a password and responds with
session setup failed: NT_STATUS_LOGON_FAILURE
Domain=[OFFICE] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-3e66cb7]
smb: \>

12)  smbclient //SERVER/INVOICES  with a user other than Administrator requests a password and responds with
session setup failed: NT_STATUS_LOGON_FAILURE

13)  On WORKSTATION, the command   net view \\SERVER   responds with a
list of shares.

14)  On WORKSTATION, the command   net use x: \\SERVER\INVOICES
responds well.  If logged in as administrator, it is possible to use
the dir command to see a list of files.

15)  On WORKSTATION, when graphically browsing the network SERVER is
seen but it does not contain a list of shares.  There is nothing to
graphically select to map.  If a share name is known, it can be
manually mapped similar to prior example.

16)  /usr/local/samba/bin/nmblookup -M OFFICE  responds with
name_query failed to find name OFFICE#1d
This is in spite of having  preferred master = yes   in smb.conf

Thank you for helping to identify what is going wrong, and for your
suggestions for fixes.


[Samba] Samba 4 Rhedhat 6 And classicupgrade errors

2013-07-03 Thread GUEI née worou noee
Hi,
I am upgrading, on a new server, from samba3 to samba4 with an LDAP backend.
I have followed this HowTo
 http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO

until the classicupgrade step.
Here are the errors I get:

 /usr/local/samba/bin/samba-tool domain classicupgrade 
--dbdir=/root/samba3/tdbfiles --use-xattrs=yes  --realm=bceao.int 
/root/samba3/tdbfiles/smb.conf

Reading smb.conf
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Administrateurs' S-1-5-32-544 listed but then not found: Unable 
to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de compte' S-1-5-32-548 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs impression' S-1-5-32-550 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de sauvegarde' S-1-5-32-551 listed but then not 
found: Unable to enumerate members for alias, 
(-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Replicateurs' S-1-5-32-552 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Invites' S-1-5-32-546 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Operateurs de serveur' S-1-5-32-549 listed but then not found: 
Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Ignoring group 'Utilisateurs' S-1-5-32-545 listed but then not found: Unable to 
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
sid S-1-5-21-3933610348-2251462730-2069165054-1000 does not belong to our domain
  Demoting BDC account trust for z00-dc3, this DC must be elevated to an AD DC 
using 'samba-tool domain promote'
  Skipping wellknown rid=500 (for username=pdc_admin)
  Skipping wellknown rid=501 (for username=nobody)
Ignoring group memberships of 'toto' 
S-1-5-21-1770481708-1631662840-68360779-30866: Unable to enumerate group 
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Ignoring group memberships of 'etoto' 
S-1-5-21-1770481708-1631662840-68360779-66424: Unable to enumerate group 
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
  Demoting BDC account trust for z00-dc02, this DC must be elevated to an AD DC 
using 'samba-tool domain promote'
Next rid = 66425
Following sids are both user and group sids:
   S-1-5-21-1770481708-1631662840-68360779-3221
ERROR(): uncaught exception - 
ProvisioningError: Please remove duplicate sid entries before upgrade.
  File 
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 
175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", 
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 
778, in upgrade_from_samba3
    raise ProvisioningError("Please remove duplicate sid entries before 
upgrade.")

I created a link to all files which are in the same directory as the secret.tdb 
file. But this didn't solve the problem.

Please, could anyone help me. 
I have had this error for one week and could not figure it out.
I need help.


MMe GUEI NOEE MELAINE
BP 3108 DAKAR SENEGAL
SERVICE INFORMATIQUE
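Andrew's answer in this thread is to find the SID that the source databases use for both a user and a group before re-running the upgrade. The following is an added example, not code from Samba or from either poster, that performs that check on the SID lists a samba3 passdb export would yield: it flags SIDs present in both lists, flags SIDs whose domain part differs from the local domain SID (the "does not belong to our domain" case in the log), and computes the next RID the way the log's "Next rid" line does. The two SIDs quoted from the log above are reused; the remaining SIDs and the list contents are constructed.

```python
import re

# A domain SID is S-1-5-21-<three sub-authorities>; the trailing number is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed stand-in for the user and group tables of a samba3 export.
# The domain SID and the RIDs 30866, 66424, 3221 and the foreign SID are the
# ones printed in the poster's log; everything else is made up.
DOMAIN_SID = "S-1-5-21-1770481708-1631662840-68360779"
USER_SIDS = [
    DOMAIN_SID + "-30866",                              # 'toto' in the log
    DOMAIN_SID + "-66424",                              # 'etoto' in the log
    DOMAIN_SID + "-3221",                               # the SID the upgrade rejects
    "S-1-5-21-3933610348-2251462730-2069165054-1000",   # foreign-domain SID from the log
]
GROUP_SIDS = [
    DOMAIN_SID + "-513",                                # well-known RID of Domain Users
    DOMAIN_SID + "-3221",                               # same SID also used by a group
]


def split_sid(sid):
    """Return (domain_sid, rid); reject anything that is not a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def duplicate_sids(user_sids, group_sids):
    """SIDs that appear as both a user and a group; the upgrade refuses these."""
    return sorted(set(user_sids) & set(group_sids))


def foreign_sids(sids, domain_sid):
    """SIDs whose domain part is not ours; the upgrade skips these entries."""
    return [s for s in sids if split_sid(s)[0] != domain_sid]


def next_rid(sids, domain_sid):
    """One past the highest RID in use within our own domain."""
    rids = [rid for dom, rid in map(split_sid, sids) if dom == domain_sid]
    return max(rids) + 1


if __name__ == "__main__":
    print("duplicate user/group SIDs:", duplicate_sids(USER_SIDS, GROUP_SIDS))
    print("foreign SIDs:", foreign_sids(USER_SIDS + GROUP_SIDS, DOMAIN_SID))
    print("next rid:", next_rid(USER_SIDS + GROUP_SIDS, DOMAIN_SID))
```

With these constructed lists the duplicate reported is the SID from the log and the next RID comes out as 66425, matching the "Next rid = 66425" line; on a real export the lists would be filled from the user and group entries of the LDAP or tdb passdb being upgraded.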


Re: [Samba] Samba 4 with FreeIPA as Backend

2013-06-29 Thread Andrew Bartlett
On Fri, 2013-06-28 at 14:09 +0800, Mail Robot wrote:
> Hi everyone,
> 
> I am new to this mailing list.
> 
> At the moment I would like to migrate all of my users from Microsoft Active
> Directory to Open Source, and what I have in mind is getting it into Samba
> 4.
> 
> In extending the functionality of it, I decided to intergrate FreeIPA as
> the backend to Samba 4.
> 
> I saw some obsolete reference on how to use FreeIPA as Samba 4 backend, but
> I don't know where are the new reference.
> 
> Herewith I would seek advise on how to go for my mission.

Samba 4.0 as an AD DC can not use anything other than its own LDB
database as a backend.

FreeIPA I understand is able to sync or integrate with an AD DC, but you
would need to ask them about that.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba 4 with FreeIPA as Backend

2013-06-27 Thread Mail Robot
Hi everyone,

I am new to this mailing list.

At the moment I would like to migrate all of my users from Microsoft Active
Directory to Open Source, and what I have in mind is getting it into Samba
4.

In extending the functionality of it, I decided to integrate FreeIPA as
the backend to Samba 4.

I saw some obsolete references on how to use FreeIPA as Samba 4 backend, but
I don't know where the new references are.

Herewith I would seek advice on how to go for my mission.

Thank you

Regards


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards
That's exactly what I did

From: Michael De Groote [mailto:i...@sint-pietersschool.be]
Sent: Tuesday, June 11, 2013 4:15 PM
To: Dino Edwards
Cc: Marc Muehlfeld; samba@lists.samba.org
Subject: Re: [Samba] Samba 4 Additional DC existing domain

did you put in a

dns forwarder = ip.of.external.dns.server
line?

2013/6/11 Dino Edwards <dino.edwa...@mydirectmail.net>

> You haven't answered my previous question:
>
> > Did you follow *all* steps from the
> > http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> > HowTo? I didn't see, in the steps you listed, that you joined
> > the domain, etc.

I believe I answered it albeit indirectly. One of the first steps of joining a 
domain as a DC was to run the kinit command and upon success proceed with 
joining the domain. Since I wasn't getting any output from running that 
command, I stopped and didn't go any further with joining the domain because I 
thought there was something wrong. I wasn't aware that I had to run klist in 
Ubuntu in order to get the output that I needed. Once I did that, I went ahead 
and followed the steps to join the domain and I was able to get it working. Now 
I have a smb.conf file like I should. However, now I have a few other questions 
if you could be so kind to answer. When I pointed one of the windows machines 
to use the samba 4 DC as its DNS server, I was able to resolve hosts in the 
mydomain.local domain. However, I wasn't able to resolve hosts outside my 
domain. A Windows DNS server is able to do that. Is this behavior because I'm 
not using Bind with the samba 4 DC but instead I'm using the internal samba 
DNS? What do I need to do to rectify that?

I'm also assuming that I should use 127.0.0.1 or the IP of the samba 4 DC as 
the DNS server of the samba 4 DC in /etc/network/interfaces file vs. pointing 
to the Windows DC. Is that a correct assumption?

And finally, rebooting the server does not automatically start samba. I have to 
start it manually. Do I need to create a script in /etc/init.d/ and if that's 
the case, is there a template for that somewhere?

Thanks in advance.

Dino





--
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards


> -Original Message-
> From: Marc Muehlfeld [mailto:sa...@marc-muehlfeld.de]
> Sent: Tuesday, June 11, 2013 4:19 PM
> To: Dino Edwards
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba 4 Additional DC existing domain
> 
> Hello Dino,
> 
> 
> I changed the HowTo a bit, to make it more clear, that the output shown
> is from "klist" and not "kinit".
> 

Awesome, thanks!



> > When I pointed one of the windows machines to use the samba 4 DC
> > as its DNS server, I was able to resolve hosts in the mydomain.local
> > domain. However, I wasn't able to resolve hosts outside my domain.
> > A Windows DNS server is able to do that.
> 
> You have to add
> dns forwarder = 8.8.8.8
> to your smb.conf and restart Samba. Adapt 8.8.8.8 to whatever host you
> want to forward the queries to that your Samba isn't authoritative for.

I added it in the [global] section of the smb.conf and it seems to work

 
> > I'm also assuming that I should use 127.0.0.1 or the IP of the samba 4
> > DC as the DNS server of the samba 4 DC in /etc/network/interfaces file
> > vs. pointing to the Windows DC. Is that a correct assumption?
> 
> You can use the IP of any host, that is able to resolve your AD DNS
> domain(s).
> 


> 
> > And finally, rebooting the server does not automatically start samba.
> > I have to start it manually. Do I need to create a script in
> > /etc/init.d/ and if that's the case, is there a template for
> > that somewhere?
> 
> Yes, you need something that starts the service if you want Samba to
> come up on reboots. See
> https://wiki.samba.org/index.php/Samba4/InitScript
> 
>

Awesome that worked too.


Cheers,

Dino


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Ricky Nance
On Tue, Jun 11, 2013 at 3:19 PM, Marc Muehlfeld wrote:

> I changed the HowTo a bit, to make it more clear, that the output shown is
> from "klist" and not "kinit".


Marc, thanks for adding that :).

Also dns forwarder = 8.8.8.8 the 8.8.8.8 there is a Google dns server, so
that ip WILL work :) but if you have a local one you'd rather use, then use
it. (8.8.4.4 is another google one if I recall right)

Ricky


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Marc Muehlfeld

Hello Dino,


Am 11.06.2013 22:04, schrieb Dino Edwards:

> I believe I answered it albeit indirectly. One of the first steps of
> joining a domain as a DC was to run the kinit command and upon success
> proceed with joining the domain. Since I wasn't getting any output from
> running that command, I stopped and didn't go any further with joining
> the domain because I thought there was something wrong.

I changed the HowTo a bit, to make it more clear, that the output shown 
is from "klist" and not "kinit".





> When I pointed one of the windows machines to use the samba 4 DC
> as its DNS server, I was able to resolve hosts in the mydomain.local
> domain. However, I wasn't able to resolve hosts outside my domain.
> A Windows DNS server is able to do that.

You have to add
dns forwarder = 8.8.8.8
to your smb.conf and restart Samba. Adapt 8.8.8.8 to whatever host you 
want to forward the queries to that your Samba isn't authoritative for.





> I'm also assuming that I should use 127.0.0.1 or the IP of the samba 4
> DC as the DNS server of the samba 4 DC in /etc/network/interfaces file
> vs. pointing to the Windows DC. Is that a correct assumption?

You can use the IP of any host, that is able to resolve your AD DNS 
domain(s).





> And finally, rebooting the server does not automatically start samba.
> I have to start it manually. Do I need to create a script in
> /etc/init.d/ and if that's the case, is there a template for
> that somewhere?


Yes, you need something that starts the service if you want Samba to come 
up on reboots. See

https://wiki.samba.org/index.php/Samba4/InitScript


Regards,
Marc
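The fix above (a `dns forwarder` line in the [global] section of smb.conf) is easy to get wrong in two ways: placed in a share section it is silently ignored, and pointed at the DC itself (or at 127.0.0.1) queries for names outside the AD zones loop back instead of leaving. The following is an added example, not code from this thread or from the Samba project: it reads an smb.conf, pulls the forwarder addresses out of [global] only, and reports those mistakes. The two sample configurations are constructed for the example; the check assumes the value is one or more IP addresses separated by whitespace (Samba 4.0 took a single address, later releases accept several).

```python
import ipaddress

# Constructed sample smb.conf files for this example (not from the thread).
SMBCONF_NO_FORWARDER = """\
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server role = active directory domain controller
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
    read only = No
"""

SMBCONF_WITH_FORWARDER = """\
[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LOCAL
    server role = active directory domain controller
    # forward anything we are not authoritative for to the upstream resolver
    dns forwarder = 8.8.8.8
"""


def parse_smbconf(text):
    """Minimal smb.conf reader: returns {section: {key: value}}.

    Keys are lowercased with inner whitespace collapsed, so 'dns forwarder'
    and 'DNS  Forwarder' map to the same entry. Lines starting with '#' or ';'
    are comments and skipped; a later duplicate key overrides an earlier one.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def dns_forwarders(text):
    """Forwarder addresses configured in [global], or [] if there are none.

    Only [global] counts: the parameter has no effect inside a share section.
    """
    glob = parse_smbconf(text).get("global", {})
    return glob.get("dns forwarder", "").split()


def check_forwarders(text, own_addresses=()):
    """Return a list of problems with the forwarder setting (empty = fine).

    own_addresses: the DC's own IPs, so a forwarder pointing back at this
    host is flagged; loopback is always flagged for the same reason.
    """
    problems = []
    fwds = dns_forwarders(text)
    if not fwds:
        problems.append("no 'dns forwarder' in [global]: names outside the "
                        "AD zones will not resolve through this DC")
        return problems
    for fwd in fwds:
        try:
            addr = ipaddress.ip_address(fwd)
        except ValueError:
            problems.append(f"'{fwd}' is not an IP address")
            continue
        if addr.is_loopback or str(addr) in own_addresses:
            problems.append(f"forwarder {fwd} points back at this DC: "
                            "queries would loop instead of leaving")
    return problems


if __name__ == "__main__":
    for name, conf in (("without forwarder", SMBCONF_NO_FORWARDER),
                       ("with forwarder", SMBCONF_WITH_FORWARDER)):
        print(name, "->", check_forwarders(conf) or "ok")
```

Run it against the real file with `check_forwarders(open("/usr/local/samba/etc/smb.conf").read(), own_addresses=("<this DC's IP>",))`; the hostname case is left to the caller because the parameter expects addresses, not names.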


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Michael De Groote
did you put in a

dns forwarder = ip.of.external.dns.server

line?


2013/6/11 Dino Edwards 

>
> > You haven't answered my previous question:
> >
> > > Did you follow *all* steps from the
> > > http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> > > HowTo? I didn't see, in the steps you listed, that you joined
> > > the domain, etc.
>
>
> I believe I answered it albeit indirectly. One of the first steps of
> joining a domain as a DC was to run the kinit command and upon success
> proceed with joining the domain. Since I wasn't getting any output from
> running that command, I stopped and didn't go any further with joining the
> domain because I thought there was something wrong. I wasn't aware that I
> had to run klist in Ubuntu in order to get the output that I needed. Once I
> did that, I went ahead and followed the steps to join the domain and I was
> able to get it working. Now I have a smb.conf file like I should. However,
> now I have a few other questions if you could be so kind to answer. When I
> pointed one of the windows machines to use the samba 4 DC as its DNS
> server, I was able to resolve hosts in the mydomain.local domain. However,
> I wasn't able to resolve hosts outside my domain. A Windows DNS server is
> able to do that. Is this behavior because I'm not using Bind with the samba
> 4 DC but instead I'm using the internal samba DNS? What do I need to do to
> rectify that?
>
> I'm also assuming that I should use 127.0.0.1 or the IP of the samba 4 DC
> as the DNS server of the samba 4 DC in /etc/network/interfaces file vs.
> pointing to the Windows DC. Is that a correct assumption?
>
> And finally, rebooting the server does not automatically start samba. I
> have to start it manually. Do I need to create a script in /etc/init.d/ and
> if that's the case, is there a template for that somewhere?
>
> Thanks in advance.
>
> Dino
>
>
>



-- 
Michael De Groote
ICT-coordinator Sint-Pietersschool Korbeek-Lo
ICT-support Sancta Maria Basisschool Leuven


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards

> You haven't answered my previous question:
> 
> > Did you follow *all* steps from the
> > http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> > HowTo? I didn't see, in the steps you listed, that you joined
> > the domain, etc.


I believe I answered it albeit indirectly. One of the first steps of joining a 
domain as a DC was to run the kinit command and upon success proceed with 
joining the domain. Since I wasn't getting any output from running that 
command, I stopped and didn't go any further with joining the domain because I 
thought there was something wrong. I wasn't aware that I had to run klist in 
Ubuntu in order to get the output that I needed. Once I did that, I went ahead 
and followed the steps to join the domain and I was able to get it working. Now 
I have a smb.conf file like I should. However, now I have a few other questions 
if you could be so kind to answer. When I pointed one of the windows machines 
to use the samba 4 DC as its DNS server, I was able to resolve hosts in the 
mydomain.local domain. However, I wasn't able to resolve hosts outside my 
domain. A Windows DNS server is able to do that. Is this behavior because I'm 
not using Bind with the samba 4 DC but instead I'm using the internal samba 
DNS? What do I need to do to rectify that?

I'm also assuming that I should use 127.0.0.1 or the IP of the samba 4 DC as 
the DNS server of the samba 4 DC in /etc/network/interfaces file vs. pointing 
to the Windows DC. Is that a correct assumption?

And finally, rebooting the server does not automatically start samba. I have to 
start it manually. Do I need to create a script in /etc/init.d/ and if that's 
the case, is there a template for that somewhere?

Thanks in advance.

Dino




Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Marc Muehlfeld

Am 11.06.2013 18:21, schrieb Dino Edwards:

> samba version 4.0.6 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2012
> At this time the 'samba' binary should only be used for either:
> 'server role = active directory domain controller' or to access the ntvfs file 
> server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint 
> servers = remote'
> You should start smbd/nmbd/winbindd instead for domain member and standalone 
> file server tasks



You haven't answered my previous question:

> Did you follow *all* steps from the
> http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
> HowTo? I didn't see, in the steps you listed, that you joined the
> domain, etc.


Because, if you haven't joined the domain, then you don't have an 
smb.conf either. And without a smb.conf, you get this error, too



If you have an smb.conf, then please post it.



Regards,
Marc





Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards

> > Kinit doesn't have output on all systems (ubuntu is one of them) after
> > running that, klist should show that you have an active ticket.

Running:
klist

I get the following:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
06/11/13 12:22:52  06/11/13 22:22:42  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
renew until 06/12/13 12:22:52
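The point made above, that kinit is silent on Ubuntu and klist is what shows whether a ticket was actually obtained, can be scripted so a join procedure checks the credential cache before going on. The following is an added example, not code from this thread or from Samba: it parses MIT klist output in the two-column date layout shown above (an assumption; Heimdal's klist prints a different layout) and reports whether a TGT for the realm is valid, expired or absent at a given time. The sample output is constructed for the example.

```python
from datetime import datetime

# Constructed klist output in the MIT layout seen in the thread (sample data).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
06/11/13 12:22:52  06/11/13 22:22:42  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
\trenew until 06/12/13 12:22:52
"""

TIME_FMT = "%m/%d/%y %H:%M:%S"  # MIT klist default timestamp format


def parse_klist(text):
    """Parse MIT klist output into (default principal, list of tickets).

    Each ticket is a dict with 'service', 'starts' and 'expires'; the
    'renew until' continuation lines and the column header are skipped.
    """
    principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        stripped = line.strip()
        if (not stripped or line.startswith(("Ticket cache", "Valid starting"))
                or stripped.startswith("renew until")):
            continue
        parts = stripped.split()
        if len(parts) < 5:
            continue
        try:
            starts = datetime.strptime(" ".join(parts[0:2]), TIME_FMT)
            expires = datetime.strptime(" ".join(parts[2:4]), TIME_FMT)
        except ValueError:
            continue  # not a ticket line
        tickets.append({"service": parts[4], "starts": starts, "expires": expires})
    return principal, tickets


def tgt_status(text, realm, now):
    """Status of the TGT for `realm` at time `now` (datetime or klist-format string).

    Returns 'valid', 'not yet valid', 'expired' or 'missing'. An empty
    cache (what an unnoticed kinit failure leaves behind) yields 'missing'.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    _, tickets = parse_klist(text)
    wanted = f"krbtgt/{realm}@{realm}"
    for ticket in tickets:
        if ticket["service"] != wanted:
            continue
        if now < ticket["starts"]:
            return "not yet valid"
        if now >= ticket["expires"]:
            return "expired"
        return "valid"
    return "missing"


if __name__ == "__main__":
    principal, tickets = parse_klist(KLIST_OUTPUT)
    print("principal:", principal)
    for t in tickets:
        print(t["service"], "expires", t["expires"])
    print("TGT status:", tgt_status(KLIST_OUTPUT, "MYDOMAIN.LOCAL", datetime.now()))
```

In a join script, feed it the real output with `tgt_status(subprocess.run(["klist"], capture_output=True, text=True).stdout, "MYDOMAIN.LOCAL", datetime.now())` and stop unless the result is "valid"; klist's exit status alone does not tell you which realm the ticket is for.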


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-
> boun...@lists.samba.org] On Behalf Of "David González Herrera -
> [DGHVoIP]"
> Sent: Tuesday, June 11, 2013 12:02 PM
> To: Ricky Nance
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] Samba 4 Additional DC existing domain
> 
> On 6/11/2013 10:58 AM, Ricky Nance wrote:
> > Kinit doesn't have output on all systems (ubuntu is one of them) after
> > running that, klist should show that you have an active ticket. Also
> > do what Marc says samba -i -M single and see where samba is failing
> > the startup.
> If I might add, issue the command with some debug level so you see some
> more info:
> 
> samba -i -M single -d3
> 

When I run:
/usr/local/samba/sbin/samba -i -M single -d3

I get the following: 

samba version 4.0.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'standard' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
At this time the 'samba' binary should only be used for either:
'server role = active directory domain controller' or to access the ntvfs file 
server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint 
servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and standalone 
file server task


Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread Dino Edwards
I'm pretty sure I did unless I'm missing something. According to what I'm 
reading, the very first step is running the kinit administrator command which 
of course shows no output on the screen. So, to address the second suggestion 
when I run:

/usr/local/samba/sbin/samba -i -M single

I get this:

samba version 4.0.6 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
At this time the 'samba' binary should only be used for either:
'server role = active directory domain controller' or to access the ntvfs file 
server with 'server services = +smb' or the rpc proxy with 'dcerpc endpoint 
servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and standalone 
file server tasks

Dino



Did you follow *all* steps from the
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
HowTo? I didn't see, in the steps you listed, that you joined the domain, 
etc.


Can you start Samba with the following command and see, what it outputs:
# samba -i -M single



Regards,
Marc



Re: [Samba] Samba 4 Additional DC existing domain

2013-06-11 Thread David González Herrera - [DGHVoIP]

On 6/11/2013 10:58 AM, Ricky Nance wrote:

> Kinit doesn't have output on all systems (ubuntu is one of them) after
> running that, klist should show that you have an active ticket. Also do
> what Marc says samba -i -M single and see where samba is failing the
> startup.
If I might add, issue the command with some debug level so you see some 
more info:


samba -i -M single -d3

Cheers




Ricky


On Tue, Jun 11, 2013 at 10:38 AM, Marc Muehlfeld wrote:


Hello Dino,

Am 11.06.2013 17:11, schrieb Dino Edwards:

  Using Ubuntu 10.04 LTS 32-bit. Tried following the wiki to install an

additional DC in an existing AD domain. Here are the steps I took:


1.   Installed the Ubuntu prerequisites and then I built from source.
It compiled and installed successfully to /usr/local/samba

2.   Skipped Step 1 Provision Samba according to the wiki It's not
required to install as an additional DC in existing domain

3.   Went to step 2 Starting your Samba AD DC located here:
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC

4.   Set /etc/krb5.conf with the following:


[libdefaults]

   dns_lookup_realm = true

   dns_lookup_kdc = true

   default_realm = mydomain.local



5.   Ran kinit Administrator and put in the domain admin password and
I got absolutely no output. The command ran and I got no error or any
indication that anything happened. Apparently I'm supposed to get something
like this:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@mydomain.local

Valid starting     Expires            Service principal
11/11/12 17:29:51  11/12/12 03:29:51  krbtgt/

Additionally, running /usr/local/samba/sbin/samba does nothing also. When
I check for any samba running processes I get nothing. I'm stuck. I would
appreciate some assistance on this.

Thanks a lot




Did you follow *all* steps from the
http://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC
HowTo? I didn't see, in the steps you listed, that you joined the
domain, etc.


Can you start Samba with the following command and see, what it outputs:
# samba -i -M single



Regards,
Marc





--
David Gonzalez
DGHVoIP
USA:
MOBILE: +1.646.559.6200
COL: +57.1.382.6718
COL: +57.4.247.0985
URL: www.dghvoip.com
Skype: davidgonzalezh

