Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
On 03/11/2013 08:50 PM, Ricky Nance wrote:
> I am not 100% sure, but anywhere in the named.conf config should be
> sufficient, DLZ is Dynamically Loadable Zones, so samba ends up being its
> own zone as far as I know.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 7:43 PM, Gerry Reno wrote:
>
> On 03/11/2013 08:27 PM, Ricky Nance wrote:
> > Sorry I don't understand what you mean by views... the provision generated
> > named.conf should be inserted into your /etc/named/named.conf (again this
> > varies on different distros) as an include directive, it is not meant to be
> > a full named.conf.
> >
> > Ricky
> >
> >
> > On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno wrote:
> >
> > Since I am using views, where should I include the provision-generated
> > named.conf?
> >
> > Just in the local network view?
> >
> > -Gerry
> >
>
> This is BIND views:
> http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/
>
> aka  Split-DNS  related to Stealth-DNS.
>
> My question is asking where in our main named.conf do we include this
> provision-generated named.conf when we are using BIND views.
>
> -Gerry
>

Ricky, that will not work.   By definition, all zones need to be inside of one 
or more views when you are using views.  
So we need to know in what view(s) we need to include this file.

-Gerry

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
I am not 100% sure, but anywhere in the named.conf config should be
sufficient, DLZ is Dynamically Loadable Zones, so samba ends up being its
own zone as far as I know.

Ricky


On Mon, Mar 11, 2013 at 7:43 PM, Gerry Reno  wrote:

> On 03/11/2013 08:27 PM, Ricky Nance wrote:
> > Sorry I don't understand what you mean by views... the provision generated
> > named.conf should be inserted into your /etc/named/named.conf (again this
> > varies on different distros) as an include directive, it is not meant to be
> > a full named.conf.
> >
> > Ricky
> >
> >
> > On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno wrote:
> >
> > Since I am using views, where should I include the provision-generated
> > named.conf?
> >
> > Just in the local network view?
> >
> > -Gerry
> >
>
> This is BIND views:
> http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/
>
> aka  Split-DNS  related to Stealth-DNS.
>
> My question is asking where in our main named.conf do we include this
> provision-generated named.conf when we are using BIND views.
>
> -Gerry
>





Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
On 03/11/2013 08:27 PM, Ricky Nance wrote:
> Sorry I don't understand what you mean by views... the provision generated 
> named.conf should be inserted into your
> /etc/named/named.conf (again this varies on different distros) as an include 
> directive, it is not meant to be a full
> named.conf.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno wrote:
>
> Since I am using views, where should I include the provision-generated 
> named.conf?
>
> Just in the local network view?
>
> -Gerry
>

This is BIND views:   
http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/

aka  Split-DNS  related to Stealth-DNS.

My question is asking where in our main named.conf do we include this 
provision-generated named.conf when we are using
BIND views.

-Gerry



Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
Sorry I don't understand what you mean by views... the provision generated
named.conf should be inserted into your /etc/named/named.conf (again this
varies on different distros) as an include directive, it is not meant to be
a full named.conf.

Ricky


On Mon, Mar 11, 2013 at 6:16 PM, Gerry Reno  wrote:

> Since I am using views, where should I include the provision-generated
> named.conf?
>
> Just in the local network view?
>
> -Gerry
>





Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
Since I am using views, where should I include the provision-generated 
named.conf?

Just in the local network view?

-Gerry



Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Rowland Penny

On 11/03/13 16:30, Gerry Reno wrote:

When I ran the provision I selected BIND9_DLZ.

The provision did not prompt me for a DNS forwarder IP.

So after the provision finished I entered the DNS forwarder IP manually into 
smb.conf.

Should the provision have prompted for the DNS forwarder IP?


Hi, No, you only require the forwarder in smb.conf if you are using the
internal DNS.


Rowland



Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
On 03/11/2013 12:53 PM, Ricky Nance wrote:
> With the BIND9_DLZ backend, bind actually handles the forwarding, so you will 
> need to set that up in your named conf,
> something like the following:
>
> options {
>     forwarders { 192.249.249.1; 192.249.249.3; };
> };
>
> Although, some distros break apart the named stuff, so you may need to find 
> information specific to your distro on this.
>
> Ricky
>
>
> On Mon, Mar 11, 2013 at 11:30 AM, Gerry Reno wrote:
>
> When I ran the provision I selected BIND9_DLZ.
>
> The provision did not prompt me for a DNS forwarder IP.
>
> So after the provision finished I entered the DNS forwarder IP manually 
> into smb.conf.
>
> Should the provision have prompted for the DNS forwarder IP?
>
>

Thanks.  That makes sense.  So the provision only prompts for the DNS forwarder 
IP when you select SAMBA_INTERNAL as the
DNS backend.




Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Ricky Nance
With the BIND9_DLZ backend, bind actually handles the forwarding, so you
will need to set that up in your named conf, something like the following:

options {
    forwarders { 192.249.249.1; 192.249.249.3; };
};

Although, some distros break apart the named stuff, so you may need to find
information specific to your distro on this.

Ricky


On Mon, Mar 11, 2013 at 11:30 AM, Gerry Reno  wrote:

> When I ran the provision I selected BIND9_DLZ.
>
> The provision did not prompt me for a DNS forwarder IP.
>
> So after the provision finished I entered the DNS forwarder IP manually
> into smb.conf.
>
> Should the provision have prompted for the DNS forwarder IP?
>
>





Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
When I ran the provision I selected BIND9_DLZ.

The provision did not prompt me for a DNS forwarder IP.

So after the provision finished I entered the DNS forwarder IP manually into 
smb.conf.

Should the provision have prompted for the DNS forwarder IP?




Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Gerry Reno
On 03/11/2013 03:52 AM, Daniel Müller wrote:
> I think it is NO.
> If you think about what bind is doing?!: bind needs to read/write in
> ex.:/usr/local/samba/private/dns and reads
> /usr/local/samba/private/named.conf. 
> In my case the named conf: 
> dlz "AD DNS Zone" {
>     # For BIND 9.8.0
>     database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
> };
>
> In my production environment I point bind on my samba4 ads to addresses
> outside the domain with the forwarder option to another
> bind running.
>
> Greetings
> Daniel
>
>
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -Original Message-
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
> Behalf Of Gerry Reno
> Sent: Sunday, 10 March 2013 14:14
> To: samba@lists.samba.org
> Subject: [Samba] Samba 4 AD DC and BIND
>
> When setting up Samba 4 AD DC to use BIND DNS is it possible to use BIND
> located on a separate server?
>
> Or do you need to run BIND on the same machine as Samba 4 AD DC?
>
>
Thanks.   That is how I ended up setting it up with a forwarder to the existing 
BIND server in the network.




Re: [Samba] Samba 4 AD DC and BIND

2013-03-11 Thread Daniel Müller
I think it is NO.
If you think about what bind is doing?!: bind needs to read/write in
ex.:/usr/local/samba/private/dns and reads
/usr/local/samba/private/named.conf. 
In my case the named conf: 
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
};

In my production environment I point bind on my samba4 ads to addresses
outside the domain with the forwarder option to another
bind running.

Greetings
Daniel



---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Gerry Reno
Sent: Sunday, 10 March 2013 14:14
To: samba@lists.samba.org
Subject: [Samba] Samba 4 AD DC and BIND

When setting up Samba 4 AD DC to use BIND DNS is it possible to use BIND
located on a separate server?

Or do you need to run BIND on the same machine as Samba 4 AD DC?




Re: [Samba] SaMBa 4 - authenticate ftp server

2013-03-10 Thread Nico Kadel-Garcia
On Fri, Mar 8, 2013 at 9:14 PM, Celso Viana  wrote:
> Hello guys,
>
> Does anyone know if it is possible to authenticate an ftp server
> (proftpd or vsftpd) based LDAP Samba 4?
>
> Thanks

Why would you *want* to? FTP handles passwords in clear text. FTPS can
be done more securely, but there are so many different technologies
called FTPS that it's confusing.

In general, I've tossed FTP out the window and go with HTTPS based
access, including WebDAV over HTTPS which works very well for uploads.
It's the technology underlying Subversion source control web access,
and it's a lot easier to deal with the firewalls and managing web
based access.


[Samba] Samba 4 migration from dead SBS 2003

2013-03-10 Thread Christian Stippler
Hello,

I have successfully joined a SBS 2003 (SRVACMPDC01) domain with two
additional Samba 4 DCs (SAMBA4PDC and SAMBA4DEDI, currently both
4.0.4-GIT-9899851). Everything worked fine: DNS / AD replication etc.
The windows server was still responsible for DNS / DHCP / all FSMO
roles. Now the original SBS 2003 crashed and refuses to start again
(long story).

In order to get a temporary workaround going I did...
- point all clients to the SAMBA DNS servers only
- get a DHCP Server running on one SAMBA4PDC and forced all clients to reboot
- seize all FSMO roles to SAMBA4PDC (naming role failed. See Bug 9461)
- Add allow dns updates to dns conf.
- Edit server services in smb.conf to: s3fs, rpc, nbt, wrepl, ldap,
cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns  (which
originally has been empty after joining)

But I currently struggle with some issues:
1. Overall network seems completely broken. Countless connection
interrupts / timeouts. Strange IP conflicts on clients.
2. We use the internal DNS server on both Samba machines, but it does
not do any dynamic updates (nslookup for client computers still points
to the IPs which had been assigned by the no longer running SBS).
3. AD replication stopped completely (see samba-tool drs showrepl output below)
4. DNS lookups for LDAP / Kerberos still deliver the old SBS entry and
in addition the other Samba machine:
samba4pdc:~$ host -t SRV _ldap._tcp.office.local
_ldap._tcp.office.local has SRV record 0 100 389 srvacmpdc01.office.local.
_ldap._tcp.office.local has SRV record 0 100 389 samba4dedi.office.local.
5. User login on Windows desktops can take up to 10 minutes

Any help is highly appreciated, as this is not a lab testing environment.

Nevertheless, many thanks to the Samba developers - without Samba we
would not have the possibility to still allow user to log into their
accounts and offer them basic filesharing.

Best Regards
Chris





=

samba-tool drs showrepl output:
Standardname-des-ersten-Standorts\SAMBA4PDC
DSA Options: 0x0001
DSA object GUID: 3cc2f4b8-9f6d-4d80-863c-208053444982
DSA invocationId: 3dafab35-13c4-496a-8543-5b2ed86caa23

 INBOUND NEIGHBORS 

DC=ForestDnsZones,DC=office,DC=local
Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
Last attempt @ Sun Mar 10 15:38:24 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
4283 consecutive failure(s).
Last success @ Sat Feb 23 12:19:57 2013 CET

DC=DomainDnsZones,DC=office,DC=local
Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
Last attempt @ Sun Mar 10 15:38:27 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
4283 consecutive failure(s).
Last success @ Sat Feb 23 12:19:57 2013 CET

 OUTBOUND NEIGHBORS 

 KCC CONNECTION OBJECTS 

Connection --
Connection name: 7653ea37-51ff-41e3-88a2-e5263b205169
Enabled: TRUE
Server DNS name : SAMBA4DEDI.office.local
Server DN name  : CN=NTDS Settings,CN=SAMBA4DEDI,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=office,DC=local
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!
Connection --
Connection name: 170a1e3b-c722-49cd-a0cd-70c73dcc9fdd
Enabled: TRUE
Server DNS name : SRVACMPDC01.office.local
Server DN name  : CN=NTDS Settings,CN=SRVACMPDC01,CN=Servers,CN=Standardname-des-ersten-Standorts,CN=Sites,CN=Configuration,DC=office,DC=local
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!


=


samba_dnsupdate --verbose --all-names

IPs: ['192.168.180.5']
Calling nsupdate for A office.local 192.168.180.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
office.local.   900 IN  A   192.168.180.5

; Communication with 192.168.180.8#53 failed: operation canceled
could not find enclosing zone
Failed nsupdate: 1
Calling nsupdate for A samba4pdc.office.local 192.168.180.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samba4pdc.office.local. 900 IN  A   192.168.180.5

...


=


testparm -v

Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[printers]"
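
Items 3 and 4 in the message above show the same symptom from two sides: inbound replication from SRVACMPDC01 fails with WERR_HOST_UNREACHABLE while DNS still returns that host in the `_ldap._tcp` SRV answer. The following is an added example, not part of the original post; the function names are illustrative and the healthy SAMBA4DEDI block with its all-zero GUID is constructed. It parses `samba-tool drs showrepl` output and lists the SRV records that still point at a failing partner:

```python
import re
from collections import defaultdict

# Sample input taken from the output quoted in the message above. The third
# inbound block (SAMBA4DEDI, all-zero GUID) is constructed to show a healthy link.
SHOWREPL = r"""
Standardname-des-ersten-Standorts\SAMBA4PDC

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=office,DC=local
Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
Last attempt @ Sun Mar 10 15:38:24 2013 CET failed, result 1232

(WERR_HOST_UNREACHABLE)
4283 consecutive failure(s).
Last success @ Sat Feb 23 12:19:57 2013 CET

DC=DomainDnsZones,DC=office,DC=local
Standardname-des-ersten-Standorts\SRVACMPDC01 via RPC
DSA object GUID: 805e09e9-375f-498a-a842-d7d20f174f8b
Last attempt @ Sun Mar 10 15:38:27 2013 CET failed, result 1232 (WERR_HOST_UNREACHABLE)
4283 consecutive failure(s).
Last success @ Sat Feb 23 12:19:57 2013 CET

DC=office,DC=local
Standardname-des-ersten-Standorts\SAMBA4DEDI via RPC
DSA object GUID: 00000000-0000-0000-0000-000000000000
Last attempt @ Sun Mar 10 15:40:00 2013 CET was successful
0 consecutive failure(s).
Last success @ Sun Mar 10 15:40:00 2013 CET

==== OUTBOUND NEIGHBORS ====
"""

# `host -t SRV _ldap._tcp.office.local` output as quoted in the message.
HOST_SRV = """\
_ldap._tcp.office.local has SRV record 0 100 389 srvacmpdc01.office.local.
_ldap._tcp.office.local has SRV record 0 100 389 samba4dedi.office.local.
"""

# Section headers are accepted with or without the "====" rule around them.
SECTION = re.compile(r"^=*\s*(INBOUND NEIGHBORS|OUTBOUND NEIGHBORS|KCC CONNECTION OBJECTS)\s*=*$")
PARTNER = re.compile(r"^(?P<site>.+)\\(?P<server>\S+) via (?P<transport>\S+)$")
ATTEMPT = re.compile(r"^Last attempt @ .+? (?:failed, result (?P<code>\d+)|was successful)")
WERR = re.compile(r"\((WERR_\w+)\)")
FAILS = re.compile(r"^(\d+) consecutive failure\(s\)")
SUCCESS = re.compile(r"^Last success @ (.+)$")
SRV = re.compile(r"^(?P<name>\S+) has SRV record \d+ \d+ \d+ (?P<target>\S+?)\.?$")


def parse_showrepl(text):
    """Return one dict per (naming context, partner) link in the neighbor sections."""
    links, section, nc, cur = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # mail wrapping leaves blank lines inside a block
            continue
        m = SECTION.match(line)
        if m:
            section, nc, cur = m[1].split()[0].lower(), None, None
            continue
        if section not in ("inbound", "outbound"):
            continue  # header lines and the KCC connection list are ignored
        if line.startswith(("DC=", "CN=")):
            nc, cur = line, None
            continue
        m = PARTNER.match(line)
        if m and nc:
            cur = {"direction": section, "nc": nc, "server": m["server"].lower(),
                   "code": 0, "werr": "", "failures": 0, "last_success": ""}
            links.append(cur)
            continue
        if cur is None:
            continue
        if (m := ATTEMPT.match(line)):
            cur["code"] = int(m["code"] or 0)
        if (m := WERR.search(line)):  # may sit on the attempt line or on a wrapped line
            cur["werr"] = m[1]
        if (m := FAILS.match(line)):
            cur["failures"] = int(m[1])
        if (m := SUCCESS.match(line)):
            cur["last_success"] = m[1]
    return links


def failing_partners(links, min_failures=1):
    """Map server name -> naming contexts whose inbound replication keeps failing."""
    bad = defaultdict(list)
    for link in links:
        if link["direction"] == "inbound" and link["code"] != 0 and link["failures"] >= min_failures:
            bad[link["server"]].append(link["nc"])
    return dict(bad)


def srv_pointing_at_failing(host_output, failing):
    """Return (service, target) pairs whose target host is a failing replication partner."""
    hits = []
    for line in host_output.splitlines():
        m = SRV.match(line.strip())
        if m and m["target"].split(".")[0].lower() in failing:
            hits.append((m["name"], m["target"]))
    return hits


if __name__ == "__main__":
    failing = failing_partners(parse_showrepl(SHOWREPL), min_failures=10)
    for server, ncs in failing.items():
        print(f"{server}: inbound replication failing for {len(ncs)} naming context(s)")
    for name, target in srv_pointing_at_failing(HOST_SRV, failing):
        print(f"{name} still advertises {target}")
```
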

[Samba] Samba 4 AD DC and BIND

2013-03-10 Thread Gerry Reno
When setting up Samba 4 AD DC to use BIND DNS is it possible to use BIND 
located on a separate server?

Or do you need to run BIND on the same machine as Samba 4 AD DC?




[Samba] SaMBa 4 - authenticate ftp server

2013-03-08 Thread Celso Viana
Hello guys,

Does anyone know if it is possible to authenticate an ftp server
(proftpd or vsftpd) based LDAP Samba 4?

Thanks

-- 
Celso Vianna
BSD User: 51318
http://www.bsdcounter.org

Palmas/TO


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-08 Thread Tris Mabbs
Hello again everyone,

On 08 March 2013 13:10, Michael Wood wrote:
>> ...
>> <---Cut here.
>
> Sorry, I forgot a step.  You would have needed a "git fetch gd" in there
> before the checkout.

Ah ha!  That would explain it then.
Well, forgotten command or not, the help was much appreciated and I now have
a version built and running from Günther's branch.
So many thanks for the assistance, and I now know slightly more about "git"
than I did before :-)

So, back to the original problem ...

Compiled up against Günther's branch, installed, tested.
The results are interesting:

1) User access:
From my perspective, it's cured the issue.  My problematic user can
once again access resources.
This is very good news; many, many thanks to everyone who has
assisted getting to this stage.
2) Core dumps:
The code has now been running for a few hours, with some reasonably
intensive access requests going on (lots of sessions being established and
closed).
By now, I'd normally have expected an "smbd" core-dump, but haven't
had a single one.
So this might have been the cause of that as well.  However I'll
leave things for a few days before considering that to be fixed.
3) PAC dumps.
I put my patch code back into "kerberos_pac.c"
("kerberos_decode_pac()") to see whether I now got PAC dumps named by
Kerberos principal name.
Previously, all other users were causing PAC dumps named by their
Kerberos principal name, but there were none for the problematic user.  As
Andrew had indicated he considered that unusual, I thought I'd see what
happened with Günther's changes.
On the plus side, all the PAC dumps are now consistently named, all
(currently) ~110 of them; on the minus side, not a single one is named with
the Kerberos principal name.
So it seems that with these changes, "kerberos_decode_pac()" is
never entered with "client_principal" anything other than a NULL pointer.

So I'm (very) happy that these changes fix my problem.  However it does seem
a little curious that "client_principal" now never appears to be set - I
don't know whether that's expected behaviour?
I'll leave my patch in for a few more days and see whether that changes
(with sessions being established after Kerberos tickets have been renewed or
re-acquired, for example), but previously I'd have had quite a few PAC dumps
named by Kerberos principal by now, and I have nary a one (and while I've
typed this, I'm up to ~160 PAC dumps and they're still all named by PID
rather than by Kerberos principal).
For both this, in case it's significant, and the core-dumps, I'll send an
update in a few days.

Very much appreciated everyone - thank you!

Cheers,

Tris.



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-08 Thread Michael Wood
Hi

On 8 March 2013 13:37, Tris Mabbs  wrote:
> Hiya Michael,
>
> Many thanks for that - very much appreciated.
>
> I think I should learn more about "git" than currently I know - however this
> is not the time to do so.
> So I ran your commands, first not worrying about any local changes so just
> updating my local copy:
>
> --->Cut here:
> samba-master % git remote add gd git://gitweb.samba.org/gd/samba
> samba-master % git checkout -b master-krb5pac gd/master-krb5pac
> fatal: git checkout: updating paths is incompatible with switching
> branches/forcing
> Did you intend to checkout 'gd/master-krb5pac' which can not be resolved as
> commit?
> samba-master %
> <---Cut here.

Sorry, I forgot a step.  You would have needed a "git fetch gd" in
there before the checkout.

> OK, not so good ...
> So then I (effectively) completely removed and recreated my "samba-master"
> and tried your second option:
>
> --->Cut here:
> samba-master % cd ..
> samba % mv samba-master samba-master.tmp ; mkdir samba-master ; cd
> samba-master
> samba-master % git clone git://gitweb.samba.org/gd/samba samba-gd
> Initialized empty Git repository in
> /var/tmp/samba/samba-master/samba-gd/.git/
> remote: Counting objects: 928083, done.
> ...
> Resolving deltas: 100% (708307/708307), done.
> samba-master % cd samba-gd
> samba-gd % git checkout -b master-krb5pac origin/master-krb5pac
> Branch master-krb5pac set up to track remote branch
> refs/remotes/origin/master-krb5pac.
> Switched to a new branch "master-krb5pac"
> samba-gd % dircmp . ../../samba-master.tmp |& grep -i '^different' | grep -v
> '/\.git/'
> different   ./auth/credentials/pycredentials.c
> different   ./auth/kerberos/kerberos_pac.c
> different   ./lib/torture/torture.h
> different   ./lib/util/samba_util.h
> different   ./lib/util/tevent_debug.c
> different   ./librpc/idl/krb5pac.idl
> different   ./librpc/ndr/ndr_krb5pac.c
> different   ./pidl/wscript
> different   ./source3/auth/auth_generic.c
> different   ./source3/auth/auth_util.c
> different   ./source3/lib/events.c
> different   ./source3/libnet/libnet_join.c
> different   ./source3/libnet/libnet_join.h
> different   ./source3/libsmb/pylibsmb.c
> different   ./source3/smbd/oplock.c
> different   ./source4/auth/gensec/pygensec.c
> different   ./source4/lib/events/tevent_s4.c
> different   ./source4/lib/registry/pyregistry.c
> different   ./source4/torture/ndr/drsblobs.c
> different   ./source4/torture/ndr/nbt.c
> different   ./source4/torture/ndr/ndr.c
> different   ./source4/torture/ndr/ndr.h
> different   ./source4/torture/ndr/ntprinting.c
> different   ./source4/torture/wscript_build
> different   ./source4/winbind/wb_cmd_getgrgid.c
> different   ./source4/winbind/wb_cmd_getgrnam.c
> different   ./source4/winbind/wb_cmd_getpwnam.c
> samba-gd %
> <---Cut here.
>
> That does actually seem to have done something, and the files which are
> changed look as though they might be relevant to this problem.
> Not sure why that worked but the first option didn't, but there you go ...

Well, as I said I forgot a step.  Sorry :)

> So, again, many thanks - I'll now try building from that branch and testing;
> I'll send an update once done.
>
> Cheers!
>
> Tris.
>
> -Original Message-
> From: Michael Wood
> Sent: 08 March 2013 10:33
> To: Tris Mabbs
> Cc: Guenther Deschner; Andrew Bartlett; samba@lists.samba.org
> Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
> NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
> 2008 R2" domain, "Server 2008" functional level forest).
>
> On 8 March 2013 11:03, Tris Mabbs  wrote:
>> Hiya Andrew, Günther,
>>
>> Andrew, many thanks for following up on this.
>>> Where did we get with this?
>>
>> Currently stalled, temporarily I'm sure, by my ignorance of "git" I'm
>> afraid.
>
> If you have no local changes, try this:
>
> Change to the directory where you have the Samba git repository.
>
> $ cd /path/to/samba-master
> $ git remote add gd git://gitweb.samba.org/gd/samba
> $ git checkout -b master-krb5pac gd/master-krb5pac
>
> If you have local changes and don't want to learn more about git than you
> need right now, clone the repository to a separate directory:
>
> $ cd somewhere
> $ git clone git://gitweb.samba.org/gd/samba samba-gd
> $ cd samba-gd
> $ git checkout -b master-krb5pac origin/master-krb5pac
>
> ...
>



-- 
Michael Wood 


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-08 Thread Tris Mabbs
Hiya Michael,

Many thanks for that - very much appreciated.

I think I should learn more about "git" than currently I know - however this
is not the time to do so.
So I ran your commands, first not worrying about any local changes so just
updating my local copy:

--->Cut here:
samba-master % git remote add gd git://gitweb.samba.org/gd/samba
samba-master % git checkout -b master-krb5pac gd/master-krb5pac
fatal: git checkout: updating paths is incompatible with switching
branches/forcing
Did you intend to checkout 'gd/master-krb5pac' which can not be resolved as
commit?
samba-master %
<---Cut here.

OK, not so good ...
So then I (effectively) completely removed and recreated my "samba-master"
and tried your second option:

--->Cut here:
samba-master % cd ..
samba % mv samba-master samba-master.tmp ; mkdir samba-master ; cd
samba-master
samba-master % git clone git://gitweb.samba.org/gd/samba samba-gd
Initialized empty Git repository in
/var/tmp/samba/samba-master/samba-gd/.git/
remote: Counting objects: 928083, done.
...
Resolving deltas: 100% (708307/708307), done.
samba-master % cd samba-gd
samba-gd % git checkout -b master-krb5pac origin/master-krb5pac
Branch master-krb5pac set up to track remote branch
refs/remotes/origin/master-krb5pac.
Switched to a new branch "master-krb5pac"
samba-gd % dircmp . ../../samba-master.tmp |& grep -i '^different' | grep -v
'/\.git/'
different   ./auth/credentials/pycredentials.c
different   ./auth/kerberos/kerberos_pac.c
different   ./lib/torture/torture.h
different   ./lib/util/samba_util.h
different   ./lib/util/tevent_debug.c
different   ./librpc/idl/krb5pac.idl
different   ./librpc/ndr/ndr_krb5pac.c
different   ./pidl/wscript
different   ./source3/auth/auth_generic.c
different   ./source3/auth/auth_util.c
different   ./source3/lib/events.c
different   ./source3/libnet/libnet_join.c
different   ./source3/libnet/libnet_join.h
different   ./source3/libsmb/pylibsmb.c
different   ./source3/smbd/oplock.c
different   ./source4/auth/gensec/pygensec.c
different   ./source4/lib/events/tevent_s4.c
different   ./source4/lib/registry/pyregistry.c
different   ./source4/torture/ndr/drsblobs.c
different   ./source4/torture/ndr/nbt.c
different   ./source4/torture/ndr/ndr.c
different   ./source4/torture/ndr/ndr.h
different   ./source4/torture/ndr/ntprinting.c
different   ./source4/torture/wscript_build
different   ./source4/winbind/wb_cmd_getgrgid.c
different   ./source4/winbind/wb_cmd_getgrnam.c
different   ./source4/winbind/wb_cmd_getpwnam.c
samba-gd % 
<---Cut here.

That does actually seem to have done something, and the files which are
changed look as though they might be relevant to this problem.
Not sure why that worked but the first option didn't, but there you go ...

So, again, many thanks - I'll now try building from that branch and testing;
I'll send an update once done.

Cheers!

Tris.

-Original Message-
From: Michael Wood
Sent: 08 March 2013 10:33
To: Tris Mabbs
Cc: Guenther Deschner; Andrew Bartlett; samba@lists.samba.org
Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

On 8 March 2013 11:03, Tris Mabbs  wrote:
> Hiya Andrew, Günther,
>
> Andrew, many thanks for following up on this.
>> Where did we get with this?
>
> Currently stalled, temporarily I'm sure, by my ignorance of "git" I'm 
> afraid.

If you have no local changes, try this:

Change to the directory where you have the Samba git repository.

$ cd /path/to/samba-master
$ git remote add gd git://gitweb.samba.org/gd/samba
$ git checkout -b master-krb5pac gd/master-krb5pac

If you have local changes and don't want to learn more about git than you
need right now, clone the repository to a separate directory:

$ cd somewhere
$ git clone git://gitweb.samba.org/gd/samba samba-gd
$ cd samba-gd 
$ git checkout -b master-krb5pac origin/master-krb5pac

...



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-08 Thread Michael Wood
On 8 March 2013 11:03, Tris Mabbs  wrote:
> Hiya Andrew, Günther,
>
> Andrew, many thanks for following up on this.
>> Where did we get with this?
>
> Currently stalled, temporarily I'm sure, by my ignorance of "git" I'm
> afraid.

If you have no local changes, try this:

Change to the directory where you have the Samba git repository.

$ cd /path/to/samba-master
$ git remote add gd git://gitweb.samba.org/gd/samba
$ git checkout -b master-krb5pac gd/master-krb5pac

If you have local changes and don't want to learn more about git than
you need right now, clone the repository to a separate directory:

$ cd somewhere
$ git clone git://gitweb.samba.org/gd/samba samba-gd
$ cd samba-gd
$ git checkout -b master-krb5pac origin/master-krb5pac

> Günther pointed me at a branch with some changes but I've been unable to
> find it, either through the Samba GitWeb view on the repository or by trying
> to persuade "git" itself to locate the branch.
> I've asked Günther for some pointers on how to retrieve the branch but he's
> apparently understandably been too busy to answer what is honestly a pretty
> noob question on "git".
>
> So my fault I'm afraid - not been able to try Günther's changes yet.
>
> Hopefully I'll be able to figure out how to access his changes, or someone
> will enlighten me, at which point I'll test it; then I'll put my patch back
> in and see whether I then also get a PAC dump written under the Kerberos
> principal name (which would hopefully confirm that the changes then also
> cause normal code paths to be followed for this user).
>
> Many thanks for the follow-up - much appreciated,
>
> Cheers,
>
> Tris.
>
> -Original Message-
> From: Tris Mabbs
> Sent: 07 March 2013 12:16
> To: 'Guenther Deschner'
> Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
> NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
> 2008 R2" domain, "Server 2008" functional level forest).
>
> Hiya again Günther,
>
> Sorry to bother you again, but is there any chance of some quick words of
> wisdom on how to retrieve that branch please?  I'd really like to test the
> code but cannot find it, or how to pull that into my local Samba source
> tree.
>
> Again, apologies for my current complete lack of experience with "git".
>
> Many thanks, and regards,
>
> Tris.
>
> -Original Message-
> From: Tris Mabbs
> Sent: 01 March 2013 18:24
> To: 'Guenther Deschner'
> Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
> NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
> 2008 R2" domain, "Server 2008" functional level forest).
>
> Hiya again Günther,
>
> I'm *really* sorry - I must be being completely dense but I can't actually
> find that branch.
> If I look for it using the Samba GitWeb, it doesn't seem to show anything in
> there since 2009.
> I also can't persuade "git" itself to recognise anything related to it.
>
> I'm afraid I only started using "git", for anything other than a simple
> clone (or update) of the Samba source, a couple of days ago.  Prior to that,
> all my RCS experience is with the somewhat dated (!) SCCS, or more recently
> SubVersion.
>
> If you have a moment to jot down a couple of basic instructions for pulling
> the branch with your changes in it, I'd greatly appreciate it, and would
> then be able to try the code.
>
> Apologies for my complete incompetence with "git"!
>
> Many thanks, and regards,
>
> Tris.
>
> -----Original Message-----
> From: Tris Mabbs
> Sent: 28 February 2013 22:33
> To: 'Guenther Deschner'; Tris Mabbs
> Cc: samba@lists.samba.org
> Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
> NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
> 2008 R2" domain, "Server 2008" functional level forest).
>
> Hiya Günther,
>
> Absolutely - I'm really sorry, I intended to try this today but haven't had
> the chance.
>
> Hopefully I will get the chance tomorrow, and I'll let you know the results.
>
> Many thanks, much appreciated :-)
>
> Tris.
>
> -----Original Message-----
> From: Guenther Deschner
> Sent: 28 February 2013 15:09
> To: Tris Mabbs
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
> NT_STATUS_BUFFER_TOO_

Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-08 Thread Tris Mabbs
Hiya Andrew, Günther,

Andrew, many thanks for following up on this.
> Where did we get with this?

Currently stalled, temporarily I'm sure, by my ignorance of "git" I'm
afraid.

Günther pointed me at a branch with some changes but I've been unable to
find it, either through the Samba GitWeb view on the repository or by trying
to persuade "git" itself to locate the branch.
I've asked Günther for some pointers on how to retrieve the branch but he's
apparently understandably been too busy to answer what is honestly a pretty
noob question on "git".

So my fault I'm afraid - not been able to try Günther's changes yet.

Hopefully I'll be able to figure out how to access his changes, or someone
will enlighten me, at which point I'll test it; then I'll put my patch back
in and see whether I then also get a PAC dump written under the Kerberos
principal name (which would hopefully confirm that the changes then also
cause normal code paths to be followed for this user).

Many thanks for the follow-up - much appreciated,

Cheers,

Tris.

-----Original Message-----
From: Tris Mabbs
Sent: 07 March 2013 12:16
To: 'Guenther Deschner'
Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

Hiya again Günther,

Sorry to bother you again, but is there any chance of some quick words of
wisdom on how to retrieve that branch please?  I'd really like to test the
code but cannot find it, or how to pull that into my local Samba source
tree.

Again, apologies for my current complete lack of experience with "git".

Many thanks, and regards,

Tris.

-----Original Message-----
From: Tris Mabbs 
Sent: 01 March 2013 18:24
To: 'Guenther Deschner'
Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

Hiya again Günther,

I'm *really* sorry - I must be being completely dense but I can't actually
find that branch.
If I look for it using the Samba GitWeb, it doesn't seem to show anything in
there since 2009.
I also can't persuade "git" itself to recognise anything related to it.

I'm afraid I only started using "git", for anything other than a simple
clone (or update) of the Samba source, a couple of days ago.  Prior to that,
all my RCS experience is with the somewhat dated (!) SCCS, or more recently
SubVersion.

If you have a moment to jot down a couple of basic instructions for pulling
the branch with your changes in it, I'd greatly appreciate it, and would
then be able to try the code.

Apologies for my complete incompetence with "git"!

Many thanks, and regards,

Tris.

-----Original Message-----
From: Tris Mabbs 
Sent: 28 February 2013 22:33
To: 'Guenther Deschner'; Tris Mabbs
Cc: samba@lists.samba.org
Subject: RE: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

Hiya Günther,

Absolutely - I'm really sorry, I intended to try this today but haven't had
the chance.

Hopefully I will get the chance tomorrow, and I'll let you know the results.

Many thanks, much appreciated :-)

Tris.

-----Original Message-----
From: Guenther Deschner
Sent: 28 February 2013 15:09
To: Tris Mabbs
Cc: samba@lists.samba.org
Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

Hi Triss,

can you test this branch?

https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac

It contains fixes for various pac buffer types.

Let us know if it resolves your issues.

Thanks,
Guenther


-- 
Günther Deschner    GPG-ID: 8EE11688
Red Hat             gdesch...@redhat.com
Samba Team          g...@samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-03-07 Thread Andrew Bartlett
On Thu, 2013-02-28 at 22:33 +, Tris Mabbs wrote:
> Hiya Günther,
> 
> Absolutely - I'm really sorry, I intended to try this today but haven't had
> the chance.
> 
> Hopefully I will get the chance tomorrow, and I'll let you know the results.
> 
> Many thanks, much appreciated :-)

Where did we get with this?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



[Samba] Samba 4 classicupgrade: Error converting string to value for line:"CurrentVersion"

2013-03-07 Thread samba-debug

Hello,

I've seen this upgrade error posted before:

https://lists.samba.org/archive/samba/2013-January/171022.html

but either there is a different issue or I'm misreading the post.

Basically when I run the classicupgrade (samba3 to 4) on a test machine, 
I get the following (the full debug output will be at the end of my post):

...
key added: key=CurrentVersion,key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE

About to write CurrentVersion with type (null), length 3: 6.1
convert_string_talloc: Conversion not supported.
Error converting string to value for line:
"CurrentVersion"
ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 841, in upgrade_from_samba3
    use_ntvfs=use_ntvfs, skip_sysvolacl=True)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 2100, in provision
    setup_registry(paths.hklm, session_info, lp=lp)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1002, in setup_registry
    reg.diff_apply(provision_reg)
The connection to the LDAP server was closed

As suggested by the post referred to above, I've moved my registry.tdb 
away, but without any effect. I've traced the upgrade and it seems it 
doesn't look for registry.tdb (or at least I cannot find any attempt to 
open it).


I would be grateful for any hints!

Thanks!

Best regards,
Andrei


Full debug follows:

# /usr/local/samba/bin/samba-tool domain classicupgrade -d 200 --dbdir=/root/work/samba/ --use-xattrs=yes --realm=windom.gbif.org /root/work/smb.conf

INFO: Current debug levels:
  all: 200
  tdb: 200
  printdrivers: 200
  lanman: 200
  smb: 200
  rpc_parse: 200
  rpc_srv: 200
  rpc_cli: 200
  passdb: 200
  sam: 200
  auth: 200
  winbind: 200
  vfs: 200
  idmap: 200
  quota: 200
  acls: 200
  locking: 200
  msdfs: 200
  dmapi: 200
  registry: 200
Reading smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/root/work/smb.conf"
Processing section "[global]"
doing parameter unix charset = LOCALE
doing parameter unix extensions = off
doing parameter workgroup = GBIF
doing parameter netbios name = newaino
doing parameter server string = GBIF mail and file server
doing parameter hide dot files = yes
doing parameter hide unreadable = yes
doing parameter veto files = /*netlogon*/Maildir/
doing parameter interfaces = em1 , lo
doing parameter bind interfaces only = Yes
doing parameter passdb backend = ldapsam:"ldap://localhost";
doing parameter username map = /etc/samba/smbusers
doing parameter log level = 1
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "share modes"
Ignoring unknown parameter "share modes"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Provisioning
Exporting account policy
Exporting groups
Exporting users
Ignoring group memberships of 'root' S-1-5-21-1963682937-3502233201-1541774305-1000: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)

Next rid = 41026
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
INFO: Current debug levels:
  all: 200
  tdb: 200
  printdrivers: 200
  lanman: 200
  smb: 200
  rpc_parse: 200
  rpc_srv: 200
  rpc_cli: 200
  passdb: 200
  sam: 200
  auth: 200
  winbind: 200
  vfs: 200
  idmap: 200
  quota: 200
  acls: 200
  locking: 200
  msdfs: 200
  dmapi: 200
  registry: 200
doing parameter idmap_ldb:use rfc2307 = yes
Processing section "[netlogon]"
doing parameter path = /usr/local/samba/var/locks/sysvol/windom.gbif.org/scripts

doing parameter read only = No
Processing section "[sysvol]"
add_a_service: Creating snum = 16 for sysvol
hash_a_service: hashing index 16 for service name sysvol
doing parameter path = /usr/local/samba/var/locks/s

[Samba] Samba 4 DC benefit + filesharing without ACLS

2013-03-05 Thread ask-Q-view
Hi Folks, 

I am thinking about migrating my smb3 PDC to Samba 4 because of the administrative
benefit regarding my Windows clients. For file sharing I do not have to use ACLs
at all. My problem with smb4 is understanding rights management in this
case. If I just put 'nt acl support = no' in my share definitions, followed by chmod
-R 777 SHARE, will it be fine and/or enough?

Further, I realized that if an OS X (not joined) client connects (as a common user) to a
share, it is possible to delete 'netlogon' + 'sysvol' by default!?

I would appreciate a quick explanation of smb4 + file sharing without ACL
support at all.

Best,
Q



[Samba] Samba 4 , dhcp, and dynamic dns

2013-03-05 Thread jimc
Is there a reasonable way to get the Samba 4 dns to deal with dynamic dns
and dhcp?


-jimc



[Samba] Samba 4, dynamic DNS, Kerberos

2013-03-04 Thread Michael Mol
Dynamic DNS updating is failing (which is bizarre, because I could have
sworn I'd had it working before). Help?

Setup: Samba 4 DC running bind 9.9.2, Samba 3.6.3 member


The output of "net -d10 ads join" is attached, compressed.

Interesting portions of named.conf:

options {
  (no allow-updates section)

  ...

  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

};


include "/etc/bind/samba.conf"; /* hardlink to
/var/lib/samba/private/named.conf */



Server's smb.conf:

# Global parameters
[global]
workgroup = FIREFLY
realm = FIREFLY.MICHAEL.MOL.NAME
netbios name = KAYLEE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate

# Force auth toward NTLM2
lanman auth = no
# Re-enabled NTLMv1, as Debian Squeeze comes with Samba 3.5.6, which
# Doesn't appear to support NTLMv2
# ntlm auth = no

# Since we use ext4, a filesystem which supports extents, we can
# enable strict allocate. (Generally a good thing; it reduces
# fragmentation.) Granted, this is a file-serving specific behavior,
# and we're not using samba as a fileserver as I write this...
strict allocate = yes

# Another fileserving optimization. See smb.conf(5) for details.
use sendfile = true

# And another. I enable this one because I've got gobs of RAM...
write cache size = 262144

idmap config * : backend = ad
idmap config * : range = 10 - 20

winbind max domain connections = 8

# Use Services for Unix LDAP extensions.
winbind nss info = sfu

# We want to use LDAP for credentials, anyway.
ldapsam:trusted = yes
ldapsam:editposix = yes

ldap ssl = start tls
ldap ssl ads = yes

log level all:10

# We don't need netbios.
disable netbios = yes

[netlogon]
path = /var/lib/samba/sysvol/firefly.michael.mol.name/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

Client smb.conf:
[global]
security = ads
realm = FIREFLY.MICHAEL.MOL.NAME
workgroup = FIREFLY
kerberos method = system keytab
smb ports = 455
disable netbios = yes
name resolve order = hosts
idmap uid = 20 - 30
idmap gid = 20 - 30


named logging from server:

04-Mar-2013 20:18:45.883 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330:
updating zone 'firefly.michael.mol.name/NONE': update unsuccessful:
saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)'
prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.884 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.928 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330:
updating zone 'firefly.michael.mol.name/NONE': update failed: rejected
by secure update (REFUSED)
04-Mar-2013 20:18:45.929 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.001 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update
of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME
name=saffron.firefly.michael.mol.name type=A error=insufficient access
rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key
SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone
'firefly.michael.mol.name/NONE': update failed: rejected by secure
update (REFUSED)
04-Mar-2013 20:18:46.004 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name

samba logging from server:

Kerberos: AS-REQ administra...@firefly.michael.mol.name from
ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:43555 for
krbtgt/firefly.michael.mol.n...@firefly.michael.mol.name
Kerberos: No preauth found, returning PREAUTH-REQUIRED --
administra...@firefly.michael.mol.name
Kerberos: AS-REQ administra...@firefly.michael.mol.name from
ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:41982 for
krbtgt/firefly.michael.mol.n...@firefly.michael.mol.name
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data --
administra...@firefly.michael.mol.name
Kerberos: Looking for ENC-TS pa-data --
administra...@firefly.michael.mol.name
Kerberos: ENC-TS Pre-authentication succeeded --
administra...@firefly.michael.mol.name using arcfour-hmac-md5
authsam_account_ok: Checking SMB password for user
administra...@firefly.michael.mol.name
Kerberos: AS-REQ authtime: 2013-03-04T20:18:45 starttime: unset endtime:
2
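
The named log quoted in the message above contains three different kinds of rejected update (an unmet prerequisite, a failed SPNEGO negotiation, and an update denied for the signing machine account), which are easier to tell apart once the mail-wrapped lines are rejoined. The following triage script is an added example, not part of the original post and not Samba or BIND code; the category names and function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Sample input: the named log excerpt from the message above, kept with the
# mail client's line wrapping (raw string so the backslashes survive).
SAMPLE = r"""
04-Mar-2013 20:18:45.883 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330:
updating zone 'firefly.michael.mol.name/NONE': update unsuccessful:
saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)'
prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.884 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.928 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330:
updating zone 'firefly.michael.mol.name/NONE': update failed: rejected
by secure update (REFUSED)
04-Mar-2013 20:18:45.929 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.001 database: info: samba_dlz: starting transaction
on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update
of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME
name=saffron.firefly.michael.mol.name type=A error=insufficient access
rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key
SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone
'firefly.michael.mol.name/NONE': update failed: rejected by secure
update (REFUSED)
04-Mar-2013 20:18:46.004 database: info: samba_dlz: cancelling
transaction on zone firefly.michael.mol.name
"""

# A new event starts only at a named timestamp, e.g. "04-Mar-2013 20:18:45.883".
STAMP = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
# "client ADDR#PORT", followed by "/key NAME" when the request carried a signature.
CLIENT = re.compile(r"client ([0-9A-Fa-f.:]+)#\d+(?:/key (\S+))?: ")
DENY = re.compile(
    r"disallowing update of signer=(\S+) name=(\S+) type=(\S+) error=(.+)$")


def unwrap(text):
    """Rejoin wrapped lines so that each list item is one complete log event."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if STAMP.match(line) or not events:
            events.append(line)
        else:
            events[-1] += " " + line
    return events


def unescape(name):
    # The log shows '$' and '@' in principal names with a leading backslash.
    return re.sub(r"\\(.)", r"\1", name)


def classify(event):
    """Return (category, details) for a rejected update, or None otherwise."""
    info = {}
    client = CLIENT.search(event)
    if client:
        info["client"] = client.group(1)
        if client.group(2):
            info["key"] = unescape(client.group(2))
    deny = DENY.search(event)
    if deny:
        signer, name, rtype, error = deny.groups()
        info.update(signer=unescape(signer), name=name, type=rtype, error=error)
        return "acl_denied", info            # authenticated, but not authorised
    if "spnego update failed" in event:
        return "gss_auth_failed", info       # authentication itself failed
    if "prerequisite not satisfied" in event:
        return "prereq_unmet", info          # not an authorisation failure
    if "rejected by secure update" in event:
        return ("refused_signed" if "key" in info else "refused_unsigned"), info
    return None


def summarize(text):
    """Count rejection categories and list which signer was denied which record."""
    counts, denied = Counter(), []
    for event in unwrap(text):
        result = classify(event)
        if result is None:
            continue
        category, info = result
        counts[category] += 1
        if category == "acl_denied":
            denied.append(
                (info["signer"], info["name"], info["type"], info["error"]))
    return counts, denied


if __name__ == "__main__":
    counts, denied = summarize(SAMPLE)
    for category, n in sorted(counts.items()):
        print(f"{category}: {n}")
    for signer, name, rtype, error in denied:
        print(f"denied: {signer} -> {name}/{rtype} ({error})")
```
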

Re: [Samba] Samba 4 Replication Problem

2013-03-01 Thread Ricardo Suguita

Ok, I will reinstall samba4 by FreeBSD port.

Thanks!


On 28-02-2013 16:47, Timur I. Bakeyev wrote:

Hi, Ricardo!

That's not the FreeBSD port. Dunno, where did you get that. Please, update
your ports tree with 'make update' via SVN or portsnap. And better before
building one remove all the installed dependencies you got from this port.

Regards,
Timur.


On Thu, Feb 28, 2013 at 6:14 PM, Ricardo Suguita wrote:


Yes, Samba4 was installed by ports

===

cd /usr/ports
fetch -o - -q https://bitbucket.org/gugabsd/freebsd-samba4-port/get/default.tar.gz | tar zxvf -
mv gugabsd-freebsd-samba4-port-d638b66aa1fe net/samba4
cd net/samba4

make install clean

==

Thanks!




On 28-02-2013 13:13, Timur I. Bakeyev wrote:


Do you use port version of Samba4? If not - why?


On Thu, Feb 28, 2013 at 4:50 PM, Ricardo Suguita wrote:

  Hi ,

I've been trying to get my 2 Samba DCs to replicate between each other
but it fails

DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID:
a2454bb4-9f94-4879-a5ff-c1a40537cb5e

DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID:
0103c98e-0b54-4ca4-a4e5-2259fa6b0563


===the output showrepl command==
[root@ldap1 ~]# samba-tool drs showrepl
Default-First-Site-Name\LDAP1
DSA Options: 0x0001
DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3

 INBOUND NEIGHBORS 
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723,
'NT_STATUS_RPC_PROTOCOL_ERROR')
====


===the output host -t 
[root@ldap1 ~]# host -t CNAME 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for ldap1.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for dc1.prefeitura.unicamp.br.
[root@ldap1 ~]#

===the output host -t 
[root@ldap1 ~]# host -t CNAME a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an alias for ldap2.prefeitura.unicamp.br.
[root@ldap1 ~]#

=== the log error on DC1=
dns child failed to find name 'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of type A

=== the log error on DC2 =
dns child failed to find name '0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of type A


I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
Any ideas ?

Thanks !

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br 

Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil




--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil





--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] Samba 4 selftest errors

2013-02-28 Thread Andrew Bartlett
On Thu, 2013-02-28 at 15:51 -0800, The Jimmest wrote:
> Hi.
> 
> Where might I find some kind of reference for the messages generated by
> 'make test'? I would at least like to know which ones I can safely ignore.

Failing tests are already screened out by our 'knownfail' and 'flapping'
and 'skip' files in selftest/

The only additions I'm aware of are that on some platforms (ext4 in
particular) the raw.search and base.dir2 tests spin for 5 mins each.
Git master has these listed in skip, but it looks like I need to get
that patch into 4.0.4.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba 4 selftest errors

2013-02-28 Thread The Jimmest
Hi.

Where might I find some kind of reference for the messages generated by
'make test'? I would at least like to know which ones I can safely ignore.

Thanks

-jimc


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-28 Thread Tris Mabbs
Hiya Günther,

Absolutely - I'm really sorry, I intended to try this today but haven't had
the chance.

Hopefully I will get the chance tomorrow, and I'll let you know the results.

Many thanks, much appreciated :-)

Tris.

-----Original Message-----
From: Guenther Deschner [mailto:g...@samba.org] 
Sent: 28 February 2013 15:09
To: Tris Mabbs
Cc: samba@lists.samba.org
Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC:
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server
2008 R2" domain, "Server 2008" functional level forest).

Hi Triss,

can you test this branch?

https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac

It contains fixes for various pac buffer types.

Let us know if it resolves your issues.

Thanks,
Guenther


-- 
Günther Deschner    GPG-ID: 8EE11688
Red Hat             gdesch...@redhat.com
Samba Team          g...@samba.org



Re: [Samba] Samba 4 Replication Problem

2013-02-28 Thread Timur I. Bakeyev
Hi, Ricardo!

That's not the FreeBSD port. Dunno, where did you get that. Please, update
your ports tree with 'make update' via SVN or portsnap. And better before
building one remove all the installed dependencies you got from this port.

Regards,
Timur.


On Thu, Feb 28, 2013 at 6:14 PM, Ricardo Suguita wrote:

> Yes, Samba4 was installed by ports
>
> ===
>
> cd /usr/ports
> fetch -o - -q https://bitbucket.org/gugabsd/freebsd-samba4-port/get/default.tar.gz | tar zxvf -
> mv gugabsd-freebsd-samba4-port-d638b66aa1fe net/samba4
> cd net/samba4
>
> make install clean
>
> ==
>
> Thanks!
>
>
>
>
> On 28-02-2013 13:13, Timur I. Bakeyev wrote:
>
>> Do you use port version of Samba4? If not - why?
>>
>>
>> On Thu, Feb 28, 2013 at 4:50 PM, Ricardo Suguita wrote:
>>
>>  Hi ,
>>>
>>> I've been trying to get my 2 Samba DCs to replicate between each other
>>> but it fails
>>>
>>> DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID:
>>> a2454bb4-9f94-4879-a5ff-c1a40537cb5e
>>>
>>> DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID:
>>> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
>>>
>>>
>>> ===the output showrepl command==
>>> [root@ldap1 ~]# samba-tool drs showrepl
>>> Default-First-Site-Name\LDAP1
>>> DSA Options: 0x0001
>>> DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
>>> DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3
>>>
>>>  INBOUND NEIGHBORS 
>>> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723,
>>> 'NT_STATUS_RPC_PROTOCOL_ERROR')
>>> ====
>>>
>>>
>>> ===the output host -t 
>>> [root@ldap1 ~]# host -t CNAME 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
>>> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for ldap1.prefeitura.unicamp.br.
>>> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for dc1.prefeitura.unicamp.br.
>>> [root@ldap1 ~]#
>>>
>>> ===the output host -t 
>>> [root@ldap1 ~]# host -t CNAME a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
>>> a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an alias for ldap2.prefeitura.unicamp.br.
>>> [root@ldap1 ~]#
>>>
>>> === the log error on DC1=
>>> dns child failed to find name 'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of type A
>>>
>>> === the log error on DC2 =
>>> dns child failed to find name '0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of type A
>>>
>>>
>>> I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
>>> Any ideas ?
>>>
>>> Thanks !
>>>
>>> --
>>> Ricardo Suguita
>>> Analista de Redes
>>> CSCO11723146
>>> Prefeitura Unicamp
>>> Ramal 14619 // Fone +55(19)3521-4619
>>> http://www.prefeitura.unicamp.br
>>>
>>> Cidade Universitária Zeferino Vaz
>>> Rua Roxo Moreira, 1831
>>> Campinas, SP – Brasil
>>>
>>>
>>>
>
> --
> Ricardo Suguita
> Analista de Redes
> CSCO11723146
> Prefeitura Unicamp
> Ramal 14619 // Fone +55(19)3521-4619
> http://www.prefeitura.unicamp.br
> Cidade Universitária Zeferino Vaz
> Rua Roxo Moreira, 1831
> Campinas, SP – Brasil
>
>


Re: [Samba] Samba 4 Replication Problem

2013-02-28 Thread Ricardo Suguita

I changed my /etc/krb5.conf but the replication still fails.

Thanks!


On 28-02-2013 13:02, Johan Johansson wrote:

I had similar problems and resolved it by making sure my /etc/krb5.conf got
updated to this (change realm to your realm):

[libdefaults]
 default_realm = CORP.LO
 dns_lookup_realm = true
 dns_lookup_kdc = true


On Thu, Feb 28, 2013 at 4:50 PM, Ricardo Suguita wrote:


Hi ,

I've been trying to get my 2 Samba DCs to replicate between each other
but it fails

DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID:
a2454bb4-9f94-4879-a5ff-c1a40537cb5e
DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID:
0103c98e-0b54-4ca4-a4e5-2259fa6b0563

===the output showrepl command==
[root@ldap1 ~]# samba-tool drs showrepl
Default-First-Site-Name\LDAP1
DSA Options: 0x0001
DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3
 INBOUND NEIGHBORS 
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723,
'NT_STATUS_RPC_PROTOCOL_ERROR')
====

===the output host -t 
[root@ldap1 ~]# host -t CNAME 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for ldap1.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for dc1.prefeitura.unicamp.br.
[root@ldap1 ~]#

===the output host -t 
[root@ldap1 ~]# host -t CNAME a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an alias for ldap2.prefeitura.unicamp.br.
[root@ldap1 ~]#

=== the log error on DC1=
dns child failed to find name 'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of type A

=== the log error on DC2 =
dns child failed to find name '0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of type A


I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
Any ideas ?

Thanks !

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil








--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] Samba 4 Replication Problem

2013-02-28 Thread Ricardo Suguita

Yes, Samba4 was installed by ports

===

cd /usr/ports
fetch -o - -q https://bitbucket.org/gugabsd/freebsd-samba4-port/get/default.tar.gz | tar zxvf -

mv gugabsd-freebsd-samba4-port-d638b66aa1fe net/samba4
cd net/samba4

make install clean

==

Thanks!



On 28-02-2013 13:13, Timur I. Bakeyev wrote:

Do you use port version of Samba4? If not - why?


On Thu, Feb 28, 2013 at 4:50 PM, Ricardo Suguita wrote:


Hi ,

I've been trying to get my 2 Samba DCs to replicate between each other
but it fails

DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID:
a2454bb4-9f94-4879-a5ff-c1a40537cb5e
DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID:
0103c98e-0b54-4ca4-a4e5-2259fa6b0563

===the output showrepl command==
[root@ldap1 ~]# samba-tool drs showrepl
Default-First-Site-Name\LDAP1
DSA Options: 0x0001
DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3
 INBOUND NEIGHBORS 
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723,
'NT_STATUS_RPC_PROTOCOL_ERROR')
====

===the output host -t 
[root@ldap1 ~]# host -t CNAME 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for ldap1.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for dc1.prefeitura.unicamp.br.
[root@ldap1 ~]#

===the output host -t 
[root@ldap1 ~]# host -t CNAME a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an alias for ldap2.prefeitura.unicamp.br.
[root@ldap1 ~]#

=== the log error on DC1=
dns child failed to find name 'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of type A

=== the log error on DC2 =
dns child failed to find name '0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of type A


I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
Any ideas ?

Thanks !

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.**br 
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] Samba 4 Replication Problem

2013-02-28 Thread Timur I. Bakeyev
Do you use port version of Samba4? If not - why?


On Thu, Feb 28, 2013 at 4:50 PM, Ricardo Suguita wrote:

> Hi ,
>
> I've been trying to get my 2 Samba DCs to replicate between each other
> but it fails
>
> DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID:
> a2454bb4-9f94-4879-a5ff-c1a40537cb5e
> DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID:
> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
>
> ===the output showrepl command==
> [root@ldap1 ~]# samba-tool drs showrepl
> Default-First-Site-Name\LDAP1
> DSA Options: 0x0001
> DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
> DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3
>  INBOUND NEIGHBORS 
> ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723,
> 'NT_STATUS_RPC_PROTOCOL_ERROR')
> ====
>
> ===the output host -t 
> [root@ldap1 ~]# host -t CNAME 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for ldap1.prefeitura.unicamp.br.
> 0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an alias for dc1.prefeitura.unicamp.br.
> [root@ldap1 ~]#
>
> ===the output host -t 
> [root@ldap1 ~]# host -t CNAME a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
> a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an alias for ldap2.prefeitura.unicamp.br.
> [root@ldap1 ~]#
>
> === the log error on DC1=
> dns child failed to find name 'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of type A
>
> === the log error on DC2 =
> dns child failed to find name '0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of type A
>
>
> I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
> Any ideas ?
>
> Thanks !
>
> --
> Ricardo Suguita
> Analista de Redes
> CSCO11723146
> Prefeitura Unicamp
> Ramal 14619 // Fone +55(19)3521-4619
> http://www.prefeitura.unicamp.br
> Cidade Universitária Zeferino Vaz
> Rua Roxo Moreira, 1831
> Campinas, SP – Brasil
>


[Samba] Samba 4 Replication Problem

2013-02-28 Thread Ricardo Suguita

Hi ,

I've been trying to get my 2 Samba DCs to replicate between each other 
but it fails


DC1: Freebsd-9.1-Release, Samba 4.02, hostname ldap1, objectGUID: 
a2454bb4-9f94-4879-a5ff-c1a40537cb5e
DC2: Freebsd-9.1-Release, Samba 4.02, hostname ldap2, objectGUID: 
0103c98e-0b54-4ca4-a4e5-2259fa6b0563


===the output showrepl command==
[root@ldap1 ~]# samba-tool drs showrepl
Default-First-Site-Name\LDAP1
DSA Options: 0x0001
DSA object GUID: 0103c98e-0b54-4ca4-a4e5-2259fa6b0563
DSA invocationId: d9975fad-ca2d-447d-8138-0fd5957f8fa3
 INBOUND NEIGHBORS 
ERROR(runtime): DsReplicaGetInfo of type 0 failed - (-1073610723, 
'NT_STATUS_RPC_PROTOCOL_ERROR')



===the output host -t 
[root@ldap1 ~]# host -t CNAME 
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an 
alias for ldap1.prefeitura.unicamp.br.
0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br is an 
alias for dc1.prefeitura.unicamp.br.

[root@ldap1 ~]#

===the output host -t 
[root@ldap1 ~]# host -t CNAME 
a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br.
a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br is an 
alias for ldap2.prefeitura.unicamp.br.

[root@ldap1 ~]#

=== the log error on DC1=
dns child failed to find name 
'a2454bb4-9f94-4879-a5ff-c1a40537cb5e._msdcs.prefeitura.unicamp.br' of 
type A


=== the log error on DC2 =
dns child failed to find name 
'0103c98e-0b54-4ca4-a4e5-2259fa6b0563._msdcs.prefeitura.unicamp.br' of 
type A



I followed step-by-step the Samba 4 Wiki and I don't know what's wrong.
Any ideas ?

Thanks !

--
Ricardo Suguita
Analista de Redes
CSCO11723146
Prefeitura Unicamp
Ramal 14619 // Fone +55(19)3521-4619
http://www.prefeitura.unicamp.br
Cidade Universitária Zeferino Vaz
Rua Roxo Moreira, 1831
Campinas, SP – Brasil



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-28 Thread Guenther Deschner

Hi Triss,

can you test this branch?

https://git.samba.org/?p=gd/samba/.git;a=shortlog;h=refs/heads/master-krb5pac

It contains fixes for various pac buffer types.

Let us know if it resolves your issues.

Thanks,
Guenther


--
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                             gdesch...@redhat.com
Samba Team                          g...@samba.org


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-27 Thread Tris Mabbs
> I do so enjoy working with users who I can ask to 'put some code in' and who 
> can handle this so well :-).
Why thank you, kind Sir :-)
I do so enjoy working with people who quite obviously really, REALLY, know 
their subject :-) In my case, evidence only of far too many years stuck in 
front of a keyboard, I'm afraid ...  Anyway, the code wasn't that good - for 
some reason it's not actually replacing the '\' in any principal names - never 
mind, it'll do for this purpose ...

>> That was very slightly more complicated as I wanted to use the 
>> Kerberos principal name (if known) in creating the dump file name, so 
>> it would be easy to work out which dump file was which.
>> 
>> In leaving that code running for a while, it was perhaps of interest 
>> to note that although several user accounts caused dump files to be 
>> created named with their Kerberos principal name, this did not happen 
>> at all for the problematic user.  I'm not sure whether or not that's 
>> significant, but I thought it at least worth mentioning - I'm not 
>> sure what the potential code paths are into this function which may, 
>> or may not, result in the principal name being known on entry ...
>
> I think it is quite significant.  We should dig into this some more, once we 
> sort out the PAC.

Excellent - I'm certainly up for that.  Thanks.

>> ===
>> INTERNAL ERROR: Signal 11 in pid 8122 (4.1.0pre1-GIT-3e5acc1) Please 
>> read the Trouble-Shooting section of the Samba HOWTO 
>> ===
>> PANIC: internal error
>
> I don't get the panic, so getting a 'bt full' on that under gdb would be very 
> helpful.  
>
> gdb --args 'ndrdump krb5pac decode_pac' in /var/tmp/PAC-NDR-1819

As requested:


Program received signal SIGSEGV, Segmentation fault.
0xfe264ccb in strlen () from /usr/lib/libc.so.1
(gdb) bt full
#0  0xfe264ccb in strlen () from /usr/lib/libc.so.1
No symbol table info available.
#1  0xfe2b1a69 in _ndoprnt () from /usr/lib/libc.so.1
No symbol table info available.
#2  0xfe2b43c6 in vprintf () from /usr/lib/libc.so.1
No symbol table info available.
#3  0xfea5c2fa in ndr_print_printf_helper ()    <--- Remember this address (take 1) ...
   from /var/tmp/samba/samba-master/bin/shared/libndr.so.0
No symbol table info available.
#4  0xfea55e22 in ndr_print_string ()
   from /var/tmp/samba/samba-master/bin/shared/libndr.so.0
No symbol table info available.
#5  0xfeac540d in ndr_print_PAC_UPN_DNS_INFO ()    <--- ... and this one (take 2) ...
   from /var/tmp/samba/samba-master/bin/shared/libndr-krb5pac.so.0
No symbol table info available.
#6  0xfeac65ec in ndr_print_PAC_INFO ()
   from /var/tmp/samba/samba-master/bin/shared/libndr-krb5pac.so.0
No symbol table info available.
#7  0xfeac3895 in ndr_print_PAC_BUFFER ()
   from /var/tmp/samba/samba-master/bin/shared/libndr-krb5pac.so.0
No symbol table info available.
#8  0xfeac6bf9 in ndr_print_PAC_DATA ()
   from /var/tmp/samba/samba-master/bin/shared/libndr-krb5pac.so.0
No symbol table info available.
#9  0xfeac8240 in ndr_print_decode_pac ()
   from /var/tmp/samba/samba-master/bin/shared/libndr-krb5pac.so.0
No symbol table info available.
#10 0x080533d2 in main ()
No symbol table info available.
(gdb)


That's not particularly helpful is it ...  Not sure where the symbol table has 
gone:


% file ndrdump
ndrdump:        ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped
%


(also not sure why it's a 32-bit image on a 64-bit system, so something 
somewhere seems not to have figured out the appropriate architecture - probably 
not significant, but I might try and look into that sometime; anyway, a 32-bit 
image should be fine for this executable).

So, next best thing is a dump of that address:


(gdb) disas 0xfea5c2fa
Dump of assembler code for function ndr_print_printf_helper:
0xfea5c29f:  push   %ebp
0xfea5c2a0:  mov    %esp,%ebp
0xfea5c2a2:  push   %ebx
0xfea5c2a3:  sub    $0x14,%esp
0xfea5c2a6:  call   0xfea5c2ab
0xfea5c2ab:  pop    %ebx
0xfea5c2ac:  add    $0x161c1,%ebx
0xfea5c2b2:  mov    0x8(%ebp),%eax
0xfea5c2b5:  cmpb   $0x0,0x14(%eax)
0xfea5c2b9:  jne    0xfea5c2e6
0xfea5c2bb:  movl   $0x0,-0xc(%ebp)
0xfea5c2c2:  mov    0x8(%ebp),%eax
0xfea5c2c5:  mov    0x4(%eax),%eax
0xfea5c2c8:  cmp    -0xc(%ebp),%eax
0xfea5c2cb:  jbe    0xfea5c2e6
0xfea5c2cd:  sub    $0xc,%esp
0xfea5c2d0:  lea    -0x10fe3(%ebx),%eax
0xfea5c2d6:  push   %eax
0xfea5c2d7:  call   0xfea54d38
0xfea5c2dc:  add    $0x10,%esp
0xfea5c2df:  lea    -0xc(%ebp),%eax
0xfea5c2e2:  incl   (%eax)
0xfea5c2e4:  jmp    0xfea5c2c2
0xfea5c2e6:  lea    0x10(%ebp),%eax
0xfea5c2e9:  mov    %eax,-0x8(%ebp)
0xfea5c2ec:  sub    $0x8,%esp
0xfea5c2ef:

Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-27 Thread Gregory Sloop


>> I do so enjoy working with users who I can ask to 'put some code in' and who 
>> can handle this so well :-).
TM> Why thank you, kind Sir :-)

TM> I do so enjoy working with people who quite obviously really, REALLY, know their subject :-)
TM> In my case, evidence only of far too many years stuck in front of
TM> a keyboard, I'm afraid ...  Anyway, the code wasn't that good -
TM> for some reason it's not actually replacing the '\' in any
TM> principal names - never mind, it'll do for this purpose ...


Ok, I have nothing to add, constructively, to this conversation - but I
have to say...

Watching this thread has been like going out for a Sunday afternoon lap swim,
and finding you're in the pool with Lochte and Phelps.

It's *really* cool to watch, but it also makes you question what on
earth you're doing in the pool with these guys.

Sheesh, thanks.
We're questioning the reason for our existence now. :)



Re: [Samba] Samba 4 and freeradius

2013-02-27 Thread Kinglok, Fong

On 27 Feb 2013, at 2:26 PM, Andrew Bartlett wrote:

> On Wed, 2013-02-27 at 12:17 +0800, Kinglok, Fong wrote:
>> In fact, I have tried using NTLM already.
>> 
>> I have successfully setup winbind bundled with Samba 4, including the steps 
>> to join Samba 4 as member server and start up winbindd as daemon.
>> 
>> However, I encounter two difficulties with using NTLM to authenticate 
>> freeradius to Samba 4.
>> - I have to run freeradius as root in order to read output from winbindd.  
>> Even I change the permission / ownership of 
>> /usr/local/samba/var/run/winbindd to freerad.  It still cannot work!
> 
> You need to change the winbind_privileged directory, not the winbindd
> directory.  The group ownership of this directory should be a group that
> servers doing NTLM authentication (such as squid, apache, pptpd and
> freeradius) are in. 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> 
> 


Thank you all for giving me the hint!

I have solved the problem by making use of ntlm_auth and with group support by

1. change the permission of the winbindd folder
chgrp freerad /usr/local/samba/var/locks/winbindd_privileged
(freerad is the user to run freeradius)

2. edit the file /usr/local/freeradius/etc/raddb/modules/mschap
ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=MYDOMAIN\\Certain_Group"
(Pay attention to the double back slashes and restart the freeradius)

However, I am still very eager to authenticate users using ldap directly.  
I cannot fix it, as the freeradius log complains: (I have tried binding the samba 
ac with administrator)
2013-02-28 00:19:32.393910500 [ldap] performing user authorization for peter
2013-02-28 00:19:32.394014500 [ldap]   expand: %{Stripped-User-Name} -> 
2013-02-28 00:19:32.394016500 [ldap]   ... expanding second conditional
2013-02-28 00:19:32.394018500 [ldap]   expand: %{User-Name} -> peter
2013-02-28 00:19:32.394020500 [ldap]   expand: (sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (sAMAccountName=peter)
2013-02-28 00:19:32.394022500 [ldap]   expand: ou=Accounting,dc=samdom,dc=org -> ou=Accounting,dc=samdom,dc=org
2013-02-28 00:19:32.394123500   [ldap] ldap_get_conn: Checking Id: 0
2013-02-28 00:19:32.394125500   [ldap] ldap_get_conn: Got Id: 0
2013-02-28 00:19:32.394127500   [ldap] performing search in ou=Accounting,dc=samdom,dc=org, with filter (sAMAccountName=peter)
2013-02-28 00:19:32.395423500 [ldap] looking for check items in directory...
2013-02-28 00:19:32.395426500 [ldap] looking for reply items in directory...
2013-02-28 00:19:32.395427500 WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
2013-02-28 00:19:32.395430500 [ldap] user peter authorized to use remote access

Any hint?

Kinglok, Fong
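
A check for steps 1 and 2 of the message above, as an added example (not code from this thread, Samba or FreeRADIUS): it verifies that the service account reaches winbindd_privileged through group membership instead of running as root, and that the ntlm_auth line carries the group restriction with the doubled backslash. The expected mode 0750, the constructed sample line and all function names are assumptions of the example.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# Constructed sample of the mschap module line, following step 2 of the message.
GOOD_LINE = (
    r'ntlm_auth = "/path/to/ntlm_auth --request-nt-key '
    r'--username=%{mschap:User-Name:-None} '
    r'--domain=%{%{mschap:NT-Domain}:-MYDOMAIN} '
    r'--challenge=%{mschap:Challenge:-00} '
    r'--nt-response=%{mschap:NT-Response:-00} '
    r'--require-membership-of=MYDOMAIN\\Certain_Group"'
)

NTLM_AUTH_RE = re.compile(r'^\s*ntlm_auth\s*=\s*"(.*)"\s*$', re.M)


def gids_of(user):
    """Primary and supplementary gids of a local account (e.g. the freeradius user)."""
    pw = pwd.getpwnam(user)
    return {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}


def audit_privileged_dir(path, service_gids):
    """Return findings for the winbindd_privileged directory; an empty list means OK.

    Assumption of this example: the directory is expected to be mode 0750, so
    access comes only from the owner and from members of the owning group.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if st.st_gid not in service_gids:
        findings.append(f"service account is not in the owning group (gid {st.st_gid})")
    if mode & (stat.S_IRGRP | stat.S_IXGRP) != (stat.S_IRGRP | stat.S_IXGRP):
        findings.append(f"group lacks r-x (mode {mode:04o})")
    if mode & stat.S_IWGRP:
        findings.append(f"group-writable (mode {mode:04o})")
    if mode & stat.S_IRWXO:
        findings.append(f"accessible to other users (mode {mode:04o})")
    return findings


def audit_mschap(config_text):
    """Check the ntlm_auth line of the mschap module exactly as written in the file."""
    m = NTLM_AUTH_RE.search(config_text)
    if not m:
        return ["no single-line ntlm_auth setting found"]
    group = re.search(r"--require-membership-of=(\S+)", m.group(1))
    if not group:
        return ["no --require-membership-of option: no group restriction is applied"]
    # In the file the separator must be two backslash characters (DOMAIN\\Group).
    if not re.fullmatch(r"[^\\]+\\\\[^\\]+", group.group(1)):
        return ["DOMAIN and group must be separated by a doubled backslash"]
    return []


def run_constructed_cases():
    """Exercise the directory check on a temporary directory (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        gid = os.stat(d).st_gid
        os.chmod(d, 0o750)
        ok = audit_privileged_dir(d, {gid})
        wrong_group = audit_privileged_dir(d, set())
        os.chmod(d, 0o755)
        world_readable = audit_privileged_dir(d, {gid})
    return ok, wrong_group, world_readable


if __name__ == "__main__":
    # Path and account name are the ones given in the message above.
    path = "/usr/local/samba/var/locks/winbindd_privileged"
    for finding in audit_privileged_dir(path, gids_of("freerad")):
        print("winbindd_privileged:", finding)
```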


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Tris Mabbs
> What I was getting at about the full name is that if this was a odd character 
> encoding issue, knowing that this was a user with non-ascii full name would 
> be an important data point.  

Yes, I see what you mean.
No, neither the full username, nor the login name, contain anything other than 
Good 'Ole ASCII.

> See, the PAC is much more than just SIDs, it is a lot of different bits of 
> information that a user needs to log in to a desktop, or (less so) to operate 
> against a file server.

I can see I'm going to have to look into the contents of the PAC in a bit more 
detail.  Although I have some familiarity with Kerberos, I've not had to dig 
into a PAC before; so far as I was aware it was mainly supplemental group 
membership, and similar information - obviously there's more in there than I 
was aware of.
Still, a day where something is learned is never a day wasted - it will be 
interesting to have a dig!

> The key password in this case isn't the user's password (it isn't involved), 
> but the machine account password of the server.  

Sorry, yes - I meant that I had no problem sending you any data which might be 
contained in any WireShark capture; as you pointed out, any password can easily 
be changed (including the Samba machine account password on the AD server).  
Apologies for not being clearer.

> Andrew Bartlett

Once again, many thanks - I'll update you when I have anything useful.

Tris Mabbs.



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Andrew Bartlett
On Tue, 2013-02-26 at 11:22 +, Tris Mabbs wrote:
> Wow.
> 
> Hiya Andrew,
> 
> OK, this sounds like a very promising approach, and potentially saves me 
> working through a large number of "git bisect"s (as also most helpfully 
> suggested by Michael Wood) - so far, I'm right back into the beta code and 
> there have been a lot of commits since then...
> 
> I'm not easily in a position to set up a test domain for this, but I have no 
> problem with your suggestion of capturing on the live domain and sending to 
> you (especially since changing the password doesn't affect the issue).  Or of 
> dumping the information and decoding the PAC using "ndrdump" (wasn't aware of 
> that).
> 
> I'll work through your suggestions and see if I can get anywhere; when I 
> reach a stage where I can't figure it out any further I'll send you what I've 
> got.  Any useful conclusions that don't contain sensitive information, I'll 
> put back onto this thread in case they're of use to anyone else as well.
> 
> It will probably take me a few days to get anywhere useful, as I can only 
> really poke this out of normal working hours.  So if there's no update for a 
> few days, please don't think that means I've stopped.
> 
> BTW, to answer your question, access is based on the username not the full 
> name (haven't tried that, which in itself is an interesting point - not sure 
> whether that would affect it as presumably that just forms an alternative 
> mapping back to the underlying internal AD entity, but ...).
> 
> Many thanks, I'll update as soon as I can.

What I was getting at about the full name is that if this was a odd
character encoding issue, knowing that this was a user with non-ascii
full name would be an important data point.  

See, the PAC is much more than just SIDs, it is a lot of different bits
of information that a user needs to log in to a desktop, or (less so) to
operate against a file server.

The key password in this case isn't the user's password (it isn't
involved), but the machine account password of the server.  

Once you get this PAC isolated, you won't have to work on your
production server BTW, just on a development box. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Tris Mabbs
Wow.

Hiya Andrew,

OK, this sounds like a very promising approach, and potentially saves me 
working through a large number of "git bisect"s (as also most helpfully 
suggested by Michael Wood) - so far, I'm right back into the beta code and 
there have been a lot of commits since then...

I'm not easily in a position to set up a test domain for this, but I have no 
problem with your suggestion of capturing on the live domain and sending to you 
(especially since changing the password doesn't affect the issue).  Or of 
dumping the information and decoding the PAC using "ndrdump" (wasn't aware of 
that).

I'll work through your suggestions and see if I can get anywhere; when I reach 
a stage where I can't figure it out any further I'll send you what I've got.  
Any useful conclusions that don't contain sensitive information, I'll put back 
onto this thread in case they're of use to anyone else as well.

It will probably take me a few days to get anywhere useful, as I can only 
really poke this out of normal working hours.  So if there's no update for a 
few days, please don't think that means I've stopped.

BTW, to answer your question, access is based on the username not the full name 
(haven't tried that, which in itself is an interesting point - not sure whether 
that would affect it as presumably that just forms an alternative mapping back 
to the underlying internal AD entity, but ...).

Many thanks, I'll update as soon as I can.

Cheers!

Tris.

-Original Message-
From: Andrew Bartlett [mailto:abart...@samba.org] 
Sent: 26 February 2013 11:05
To: Tris Mabbs
Cc: samba@lists.samba.org
Subject: Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: 
NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 
2008 R2" domain, "Server 2008" functional level forest).

On Mon, 2013-02-25 at 11:51 +, Tris Mabbs wrote:
> Hello,
>...
> When accessing our main server using that account, "smbd" always 
> reports "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has 
> come from "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", 
> trying to use NDR to pull a blob from the Kerberos ticket (that's 
> reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
>...

'Clearly' (as in, clear as mud, but the general direction to look at) either 
the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal 
is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being 
re-created.  Is this triggered on their full or user name?

Does this happen if you set up a new testing domain?  If so, what would be 
really, really helpful would be a network capture including the server keytab.  
(Or if you don't mind, and change the server password after, on your live 
domain to me personally).

The procedure you or I will need to follow is to extract the decrypted 'PAC'.  
You could do this either from wireshark (export selected packet bytes, after 
running wireshark -k /tmp/server.keytab, or by patching the code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t length)

somewhere near auth3_generate_session_info_pac()

Then, using that file, run 

bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and the C 
helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org





Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-26 Thread Andrew Bartlett
On Mon, 2013-02-25 at 11:51 +, Tris Mabbs wrote:
> Hello,
> 
>  
> 
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
> 
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
> 
>  
> 
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
> 
>  
> So can anyone suggest any way forward to resolve this please?  It would
> appear that something is incorrectly being decoded somewhere, so it's
> probably to everyone's advantage to get this sorted out - I know it would
> certainly be to mine :-)

'Clearly' (as in, clear as mud, but the general direction to look at) either 
the IDL in librpc/idl/krb5pac.idl is incorrect, or the parsing code in Heimdal 
is unpacking this particular user's PAC incorrectly.

It is interesting that this user causes the issue regardless of being
re-created.  Is this triggered on their full or user name?

Does this happen if you set up a new testing domain?  If so, what would
be really, really helpful would be a network capture including the
server keytab.  (Or if you don't mind, and change the server password
after, on your live domain to me personally).

The procedure you or I will need to follow is to extract the decrypted
'PAC'.  You could do this either from wireshark (export selected packet
bytes, after running wireshark -k /tmp/server.keytab, or by patching the
code to call:

_PUBLIC_ bool file_save(const char *fname, const void *packet, size_t length)

somewhere near auth3_generate_session_info_pac()

Then, using that file, run 

bin/ndrdump krb5pac decode_pac in /tmp/pac

Then essentially we keep changing the idl in librpc/idl/krb5pac.idl and
the C helpers in librpc/ndr/ndr_krb5pac.c until this works.

See also http://msdn.microsoft.com/en-us/library/cc237917.aspx

Good luck!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
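
As an added illustration of the triage step described in the message above (not Samba's code and not from this thread), the following Python walks a dumped PAC file using the PACTYPE, PAC_INFO_BUFFER and UPN_DNS_INFO layouts from the MS-PAC specification the message links to, and reports the first length or offset that runs past the available bytes. The sample blob, `user@example.test` and all function names are constructed for the example.

```python
import struct

PAC_TYPE_UPN_DNS_INFO = 0x0000000C  # MS-PAC ulType: UPN and DNS information


class PacParseError(ValueError):
    """A length or offset in the blob points outside the bytes actually present."""


def take(blob, offset, length, what):
    """Return blob[offset:offset+length], refusing to read past the end."""
    if offset + length > len(blob):
        raise PacParseError(
            f"{what}: need {length} bytes at offset {offset}, only {len(blob)} available")
    return blob[offset:offset + length]


def parse_directory(blob):
    """Parse PACTYPE: cBuffers, Version, then one 16-byte PAC_INFO_BUFFER per buffer."""
    c_buffers, version = struct.unpack("<II", take(blob, 0, 8, "PACTYPE header"))
    if version != 0:
        raise PacParseError(f"unexpected PACTYPE Version {version}")
    entries = []
    for i in range(c_buffers):
        ul_type, cb_size, offset = struct.unpack(
            "<IIQ", take(blob, 8 + 16 * i, 16, f"PAC_INFO_BUFFER[{i}]"))
        if offset % 8:
            raise PacParseError(f"buffer {i}: Offset {offset} is not 8-byte aligned")
        # Validate the payload range now, before anything tries to decode it.
        take(blob, offset, cb_size, f"payload of buffer {i} (ulType {ul_type})")
        entries.append((ul_type, cb_size, offset))
    return entries


def parse_upn_dns_info(buf):
    """Decode UPN_DNS_INFO; string offsets are relative to the start of this buffer."""
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack(
        "<HHHHI", take(buf, 0, 12, "UPN_DNS_INFO header"))
    fields = {"flags": flags}
    for name, off, length in (("upn", upn_off, upn_len),
                              ("dns_domain", dns_off, dns_len)):
        raw = take(buf, off, length, f"{name} string")
        if length % 2:
            raise PacParseError(f"{name}: odd byte length {length} for UTF-16LE text")
        # The strings are counted, not NUL-terminated, so decode exactly `length` bytes.
        fields[name] = raw.decode("utf-16-le", errors="replace")
    return fields


def decode_pac(blob):
    """Walk the whole blob; return (directory entries, decoded UPN_DNS_INFO or None)."""
    entries = parse_directory(blob)
    upn_dns = None
    for ul_type, cb_size, offset in entries:
        if ul_type == PAC_TYPE_UPN_DNS_INFO:
            upn_dns = parse_upn_dns_info(blob[offset:offset + cb_size])
    return entries, upn_dns


def first_error(blob):
    """Return None for a well-formed blob, else the message of the first bounds failure."""
    try:
        decode_pac(blob)
        return None
    except PacParseError as exc:
        return str(exc)


def build_sample_pac(dns_len_overclaim=0):
    """Constructed test input (not a captured PAC): a single UPN_DNS_INFO buffer."""
    upn = "user@example.test".encode("utf-16-le")
    dns = "EXAMPLE.TEST".encode("utf-16-le")
    upn_off = 16
    dns_off = (upn_off + len(upn) + 7) & ~7  # keep each string 8-byte aligned
    payload = struct.pack("<HHHHI", len(upn), upn_off,
                          len(dns) + dns_len_overclaim, dns_off, 0)
    payload = payload.ljust(upn_off, b"\0") + upn
    payload = payload.ljust(dns_off, b"\0") + dns
    header = struct.pack("<II", 1, 0)
    entry = struct.pack("<IIQ", PAC_TYPE_UPN_DNS_INFO, len(payload), 8 + 16)
    return header + entry + payload


if __name__ == "__main__":
    import sys
    # With a path argument, check a dumped PAC file; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pac()
    print(first_error(data) or decode_pac(data))
```

A length field that claims more bytes than the buffer holds is rejected at the `take()` call for that field, so the report names the structure member at fault.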




Re: [Samba] Samba 4, DHCP and Bind

2013-02-26 Thread Rowland Penny

On 25/02/13 22:44, Scott Whitten wrote:

Hi All,

I'm trying to integrate Samba 4 DHCPD and Bind 9.9 into a complete solution.

I'm using the BIND/Samba 4 DLZ plugin.

DHCP by itself works and hands out IP addresses.

What I would like to have happen is the following:
- PC is joined to the Samba 4 domain (this works)
- PC gets an IP via DHCPD
- DHCP or the PC registers the IP in BIND

Network PC's should resolve cleanly when pinging pc01.office.local

My logs are full of messages along the lines of:
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on zone office.local
Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781: update 'office.local/IN' denied
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction on zone office.local

Clearly I'm missing something but not sure what exactly.

Thanks for any suggestions you might have.

For reference... here are my various config files:
==
smb.conf
---
# Global parameters
[global]
 server role = active directory domain controller
 workgroup = OFFICE
 interfaces = eth0
 bind interfaces only = yes
 realm = office.local
 netbios name = KNOTTYPINE
 passdb backend = samba4
 idmap_ldb:use rfc2307 = yes
 allow dns updates = True

[netlogon]
 path = /usr/local/samba/var/locks/sysvol/office.local/scripts
 read only = No

[sysvol]
 path = /usr/local/samba/var/locks/sysvol
 read only = No

[IPC$]
 path = /tmp
 read only = No

[Data]
 path = /u0/sambashares/data
 read only = no
==
ddns-update-style ad-hoc;
allow unknown-clients;

subnet 192.168.65.0 netmask 255.255.255.0 {

# --- default gateway
 option routers  192.168.65.1;
 option subnet-mask  255.255.255.0;

 option domain-name  "office.local";
 option domain-name-servers  192.168.65.2;

 option netbios-name-servers 192.168.65.2;
 option netbios-node-type 2;

 default-lease-time 21600;
 max-lease-time 43200;
 allow unknown-clients;

 range 192.168.65.100 192.168.65.150;
}
==

//
// sample BIND configuration file
//
acl mynet {
 192.168.65.0/24;
 127.0.0.1;
};

options {
   listen-on { 127.0.0.1; 192.168.65.0/24; };
   allow-query { 192.168.65.0/24; localhost; };
   allow-recursion { 192.168.65.0/24; localhost; };
   tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
   forwarders {8.8.8.8;};
};

// Where the localhost hostname is defined
zone "localhost" IN {
   type master;
   file "/etc/namedb/zone.localhost";
   allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "0.0.127.in-addr.arpa" IN {
   type master;
   file "/etc/namedb/revp.127.0.0";
   allow-update { none; };
};

zone "65.168.192.in-addr.arpa" {
 type master;
 file "/etc/namedb/192.168.65.0.rev";
 allow-query {
 mynet;
 };
 allow-transfer {
 mynet;
 };
 allow-update {
 mynet;
 };
};

include "/usr/local/samba/private/named.conf";

Hi, you appear to be trying to get DHCP to carry out the updates
directly; this does not work, or at least I could not get it to work.
Try starting here:
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
This works for me: Ubuntu 12.04, DHCP, Bind 9.9.1 and a version of the
script found on Michael Kuron's webpage.


Rowland




[Samba] Samba 4, DHCP and Bind

2013-02-25 Thread Scott Whitten
Hi All,

I'm trying to integrate Samba 4 DHCPD and Bind 9.9 into a complete solution.

I'm using the BIND/Samba 4 DLZ plugin.

DHCP by itself works and hands out IP addresses.

What I would like to have happen is the following:
- PC is joined to the Samba 4 domain (this works)
- PC gets an IP via DHCPD
- DHCP or the PC registers the IP in BIND

Network PC's should resolve cleanly when pinging pc01.office.local

My logs are full of messages along the lines of:
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: starting transaction on zone office.local
Feb 25 14:36:24 knottypine named[22655]: client 192.168.65.101#57781: update 'office.local/IN' denied
Feb 25 14:36:24 knottypine named[22655]: samba_dlz: cancelling transaction on zone office.local

Clearly I'm missing something but not sure what exactly.

Thanks for any suggestions you might have.

For reference... here are my various config files:
==
smb.conf
---
# Global parameters
[global]
server role = active directory domain controller
workgroup = OFFICE
interfaces = eth0
bind interfaces only = yes
realm = office.local
netbios name = KNOTTYPINE
passdb backend = samba4
idmap_ldb:use rfc2307 = yes
allow dns updates = True

[netlogon]
path = /usr/local/samba/var/locks/sysvol/office.local/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[IPC$]
path = /tmp
read only = No

[Data]
path = /u0/sambashares/data
read only = no
==
ddns-update-style ad-hoc;
allow unknown-clients;

subnet 192.168.65.0 netmask 255.255.255.0 {

# --- default gateway
option routers  192.168.65.1;
option subnet-mask  255.255.255.0;

option domain-name  "office.local";
option domain-name-servers  192.168.65.2;

option netbios-name-servers 192.168.65.2;
option netbios-node-type 2;

default-lease-time 21600;
max-lease-time 43200;
allow unknown-clients;

range 192.168.65.100 192.168.65.150;
}
==

//
// sample BIND configuration file
//
acl mynet {
192.168.65.0/24;
127.0.0.1;
};

options {
  listen-on { 127.0.0.1; 192.168.65.0/24; };
  allow-query { 192.168.65.0/24; localhost; };
  allow-recursion { 192.168.65.0/24; localhost; };
  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
  forwarders {8.8.8.8;};
};

// Where the localhost hostname is defined
zone "localhost" IN {
  type master;
  file "/etc/namedb/zone.localhost";
  allow-update { none; };
};

// Where the 127.0.0.0 network is defined
zone "0.0.127.in-addr.arpa" IN {
  type master;
  file "/etc/namedb/revp.127.0.0";
  allow-update { none; };
};

zone "65.168.192.in-addr.arpa" {
type master;
file "/etc/namedb/192.168.65.0.rev";
allow-query {
mynet;
};
allow-transfer {
mynet;
};
allow-update {
mynet;
};
};

include "/usr/local/samba/private/named.conf";


Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Tris Mabbs
Hiya Michael,

Many thanks for the quick and helpful response.

Yes, I can certainly try a packet capture; I think I'll go with your other
suggestion first though, that of using "git bisect" to track down the
problematic version.

I'm sorry, that should have occurred to me.

Once I've identified the problematic version, I can post that information
and then start capturing packets if necessary.  Who knows - finding where
the break occurred might make someone such as yourself slap your forehead in
a Homer Simpson like way ("Doh!") and say "Of *course*, that's what will
have done it." :-).

It's not in a test environment; we don't run one here (the development work
we do doesn't require a separate test network), so this is on our production
network.  However I have considerable freedom in taking servers out of
service so long as it's not during the most active times, so I'm quite happy
to bounce versions around (and perform any other tests required).

As for what was common between the original and the re-created user - the
username.  That's it.  I didn't even bother setting up the description
information.  However I also tried renaming the account and the problem
still occurred, so I'm not at all sure exactly what is causing it.

I did originally set the password to be the same, but have since reset it
several times (to varying lengths; I know that shouldn't affect this sort of
problem but by then I was running out of ideas.).

You're also quite correct in that Samba shouldn't core dump.  However I
think I'll get to the bottom of this problem and then perhaps start a
separate thread on that, rather than obfuscating this one with multiple
problems.  So thanks for the thought - I'll raise a new problem for that
once this has been sorted.

I can't take that server down just at the moment - middle of the working day
here.  However I'll see whether I can switch versions around until I can
find the problem hopefully later on this evening.

Once again, many thanks for the most helpful suggestions.  Watch this space
for the responses.

Tris.



Re: [Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Michael Wood
Hi

You might try getting a packet capture.

By the way, what's common between the user before you deleted the
account and the one you created later, besides the username?  The
password?  Can you replicate this in a test environment?

If you can replicate this in a test environment and you know more or
less when the problem started, perhaps you could use git bisect to
find exactly when it happened.

e.g. roll back samba to a version from 3 months ago.  If it works
there, tell git bisect that that is the last good version you know of.
 Then tell it that your current version is bad and let it choose the
versions for you to compile and test.  You keep telling it that the
version you've just tested is either good or bad and it will
eventually tell you which commit broke it.

Then you can post that information to the list.  (I suspect
samba-technical would be a better list for this sort of thing.)

Also, I'm pretty sure Samba should never core dump, so you might want
to post stack traces etc. when that happens.

On 25 February 2013 13:51, Tris Mabbs  wrote:
> Hello,
>
>
>
> We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
> (at "Server 2008" functional level across the forest).
>
> The interesting thing is that this only affects a single user - all other
> accounts work without problems.
>
>
>
> When accessing our main server using that account, "smbd" always reports
> "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
> "../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
> NDR to pull a blob from the Kerberos ticket (that's reported as
> "ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").
>
>
>
> I can't see any reason for the error affecting this one specific user.
>
> As the Kerberos PAC is mainly concerned with information such as
> supplemental groups, I've altered the group membership for the user.  I've
> removed the user from all groups.  I've even completely deleted and
> re-created the user (so a different SID, in case there was any corrupted
> cached information anywhere).  Nothing makes any difference - that one user
> consistently gets this error, and no others do.  I've even tried changing
> the Kerberos encryption types in case that had any effect (was it the result
> of a decryption problem?) but again, no difference.
>
> It's not a client problem either, as I've tried accessing the Samba shares
> from various different platforms (even including an embedded Linux based
> network media player - "Dune HD Max" - I happened to have on the network) -
> everything attempting to access as that user causes exactly the same
> problem.
>
>
>
> As this is happening in a call to the "NDR_PULL_NEED_BYTES()" macro, I
> modified that slightly to print out a bit more information.  That resulted
> in "ndr_pull_error(11): Pull bytes 34, data_size=88, offset=58,
> unlikely(34)=1 (../librpc/ndr/ndr_string.c:591)", so it's quite right -
> pulling 34 bytes from 88 of data at an offset of 58 will exceed the size of
> the contents in the data buffer.
>
>
>
> So the question is either why is it trying to pull 34 bytes from offset 58
> of 88 data bytes (is that number 34 correct or has that been mis-decoded?),
> why is the existing offset 58 (has something caused this to be set too far
> into the data buffer already?) or why is the data size 88 bytes (has this
> been decoded incorrectly somehow and should there be more?).
>
>
>
> At this point, my knowledge of the internals of Samba and Kerberos stopped
> me and I felt I had to ask people who know somewhat more than me - that
> would be the readers of this list!
>
>
>
> Incidentally, this used to work.
>
> We've been running "Samba 4" for quite a while; we're not using its AD
> server facilities, but found it considerably easier to get the version 4
> codebase to compile up and run on this server (running "OpenSolaris") - the
> version 3 codebase gets very fiddly to persuade to work with the
> "OpenSolaris" LDAP and Kerberos whereas the version 4 correctly figures it
> all out for itself very nicely thank you.
>
> We also periodically update the code as we have (since first moving to
> version 4) experienced occasional core-dumps.  They don't cause a major
> problem, they're just a minor inconvenience, but it would be nice to lose
> that inconvenience and I trust the Samba developers to have beta code that's
> vastly more stable than most vendors' release code, so I don't mind
> periodically updating the code straight from the current source snapshot
> (via "git").
>
> This user used not to have any problems, then about (from memory) 3 months
> ago a code update caused this problem.  Unfortunately I don't know the
> precise version numbers at which it was working and at which it broke - pity
> as that would doubtless make it considerably easier to work out what might
> have caused the problem :-(.
>
> In poking around with "Google", I did find a single reference to a change in
> whic

[Samba] "Samba 4" - "smbd"; "can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL" error but only for a single domain user ("Server 2008 R2" domain, "Server 2008" functional level forest).

2013-02-25 Thread Tris Mabbs
Hello,

We're having a problem with "Samba 4" joined to a "Server 2008 R2" domain
(at "Server 2008" functional level across the forest).

The interesting thing is that this only affects a single user - all other
accounts work without problems.

When accessing our main server using that account, "smbd" always reports
"can't parse the PAC: NT_STATUS_BUFFER_TOO_SMALL".  This has come from
"../auth/kerberos/kerberos_pac.c:149(kerberos_decode_pac)", trying to use
NDR to pull a blob from the Kerberos ticket (that's reported as
"ndr_pull_error(11): Pull bytes 34  (../librpc/ndr/ndr_string.c:591)").

I can't see any reason for the error affecting this one specific user.

As the Kerberos PAC is mainly concerned with information such as
supplemental groups, I've altered the group membership for the user.  I've
removed the user from all groups.  I've even completely deleted and
re-created the user (so a different SID, in case there was any corrupted
cached information anywhere).  Nothing makes any difference - that one user
consistently gets this error, and no others do.  I've even tried changing
the Kerberos encryption types in case that had any effect (was it the result
of a decryption problem?) but again, no difference.

It's not a client problem either, as I've tried accessing the Samba shares
from various different platforms (even including an embedded Linux based
network media player - "Dune HD Max" - I happened to have on the network) -
everything attempting to access as that user causes exactly the same
problem.

As this is happening in a call to the "NDR_PULL_NEED_BYTES()" macro, I
modified that slightly to print out a bit more information.  That resulted
in "ndr_pull_error(11): Pull bytes 34, data_size=88, offset=58,
unlikely(34)=1 (../librpc/ndr/ndr_string.c:591)", so it's quite right -
pulling 34 bytes from 88 of data at an offset of 58 will exceed the size of
the contents in the data buffer.

So the question is either why is it trying to pull 34 bytes from offset 58
of 88 data bytes (is that number 34 correct or has that been mis-decoded?),
why is the existing offset 58 (has something caused this to be set too far
into the data buffer already?) or why is the data size 88 bytes (has this
been decoded incorrectly somehow and should there be more?).

At this point, my knowledge of the internals of Samba and Kerberos stopped
me and I felt I had to ask people who know somewhat more than me - that
would be the readers of this list!

Incidentally, this used to work.

We've been running "Samba 4" for quite a while; we're not using its AD
server facilities, but found it considerably easier to get the version 4
codebase to compile up and run on this server (running "OpenSolaris") - the
version 3 codebase gets very fiddly to persuade to work with the
"OpenSolaris" LDAP and Kerberos whereas the version 4 correctly figures it
all out for itself very nicely thank you.

We also periodically update the code as we have (since first moving to
version 4) experienced occasional core-dumps.  They don't cause a major
problem, they're just a minor inconvenience, but it would be nice to lose
that inconvenience and I trust the Samba developers to have beta code that's
vastly more stable than most vendors' release code, so I don't mind
periodically updating the code straight from the current source snapshot
(via "git").

This user used not to have any problems, then about (from memory) 3 months
ago a code update caused this problem.  Unfortunately I don't know the
precise version numbers at which it was working and at which it broke - pity
as that would doubtless make it considerably easier to work out what might
have caused the problem :-(.

In poking around with "Google", I did find a single reference to a change in
which the submitter said they had found exactly this error, again on just a
single account, but unfortunately I can't locate the post again (despite
searching my "Chrome" history).  As I recall, the code change was committed
anyway as it was just a single account which had experienced the problem and
the change author didn't consider it to be significant.

There's obviously a whole lot more information I could attach; "smb.conf"
file, full debug traces, the fact that "wbinfo -u"/"wbinfo -g" etc. all work
correctly, . but there didn't seem any point attaching any of that unless it
would actually be useful.

What might be useful info. is that "smbd -V" reports "Version
4.1.0pre1-GIT-3e5acc1"; "testparm" is happy, as is "net ads testjoin" (and
"net rpc testjoin", for that matter).

I'm not at all averse to going into the source code and adding debug code to
dig this problem out - with over 30 years 'C' experience (including working
as a kernel/system developer on "mainstream" Unix) I'm quite happy to dive
in and add code to the source tree, if that would contribute any useful
information.

So can anyone suggest any way forward to resolve this please?  It would
appear that something is in
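
The bounds check discussed in the message above, reduced to a stand-alone sketch. This is an added example, not Samba's NDR code: the struct, function names, status codes and the 88-byte buffer layout (a 16-bit length field at offset 56) are hypothetical, chosen so the numbers match the reported data_size=88, offset=58, pull of 34 bytes. It also shows why the check is written against the remaining space rather than as offset + n.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example (not Samba's NDR error enum). */
enum pull_status { PULL_OK = 0, PULL_TOO_SMALL = 1 };

/* Minimal pull cursor: a read-only buffer plus the current read offset. */
struct pull_ctx {
    const uint8_t *data;
    uint32_t data_size;
    uint32_t offset;
};

/* Overflow-safe check that n more bytes exist at the current offset.
 * Comparing against the remaining space means offset + n is never formed. */
static enum pull_status need_bytes(const struct pull_ctx *p, uint32_t n)
{
    if (p->offset > p->data_size || n > p->data_size - p->offset)
        return PULL_TOO_SMALL;
    return PULL_OK;
}

/* Naive form, for contrast only: offset + n wraps around for a huge n. */
static enum pull_status need_bytes_naive(const struct pull_ctx *p, uint32_t n)
{
    if ((uint32_t)(p->offset + n) > p->data_size)
        return PULL_TOO_SMALL;
    return PULL_OK;
}

/* Pull a little-endian 16-bit value and advance the cursor. */
static enum pull_status pull_u16(struct pull_ctx *p, uint16_t *out)
{
    if (need_bytes(p, 2) != PULL_OK)
        return PULL_TOO_SMALL;
    *out = (uint16_t)(p->data[p->offset] | (p->data[p->offset + 1] << 8));
    p->offset += 2;
    return PULL_OK;
}

/* Pull a counted field: a 16-bit byte count followed by that many bytes.
 * On failure the cursor stays just past the length field, which is the
 * offset a diagnostic message would then report. */
static enum pull_status pull_counted(struct pull_ctx *p, uint8_t *out,
                                     size_t outcap, uint16_t *len)
{
    if (pull_u16(p, len) != PULL_OK)
        return PULL_TOO_SMALL;
    if (*len > outcap)
        return PULL_TOO_SMALL;
    if (need_bytes(p, *len) != PULL_OK)
        return PULL_TOO_SMALL;
    memcpy(out, p->data + p->offset, *len);
    p->offset += *len;
    return PULL_OK;
}

/* Constructed input: an 88-byte buffer whose length field sits at offset 56.
 * Returns the pull status and reports where the cursor ended up. */
static enum pull_status pull_demo(uint16_t declared_len, uint32_t *end_offset)
{
    uint8_t buf[88] = {0};
    uint8_t out[64];
    uint16_t len = 0;
    struct pull_ctx p = { buf, (uint32_t)sizeof(buf), 56 };
    enum pull_status st;

    buf[56] = (uint8_t)(declared_len & 0xff);
    buf[57] = (uint8_t)(declared_len >> 8);
    st = pull_counted(&p, out, sizeof(out), &len);
    *end_offset = p.offset;
    return st;
}

int main(void)
{
    struct pull_ctx reported = { NULL, 88, 58 };  /* numbers from the post */
    uint32_t end = 0;

    printf("58 + 34 of 88, safe check:      %d\n", need_bytes(&reported, 34));
    printf("58 + 30 of 88, safe check:      %d\n", need_bytes(&reported, 30));
    printf("huge count, naive check:        %d\n",
           need_bytes_naive(&reported, 0xFFFFFFF0u));
    printf("huge count, safe check:         %d\n",
           need_bytes(&reported, 0xFFFFFFF0u));
    printf("declared length 34: status %d", pull_demo(34, &end));
    printf(" at offset %u\n", (unsigned)end);
    printf("declared length 30: status %d", pull_demo(30, &end));
    printf(" at offset %u\n", (unsigned)end);
    return 0;
}
```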

[Samba] Samba 4 and freeradius

2013-02-22 Thread Kinglok, Fong
Hi,

My goal is to make use of samba 4 and freeradius to authenticate user to use 
wifi network (WPA2 enterprise).

The setup is to setup Samba 4.0.3 in machine A and setup freeradius in machine 
B.

By reading:
Document A: http://wiki.samba.org/index.php/Samba4/beyond
Document B: https://wiki.samba.org/index.php/Samba4/HOWTO/Virtual_Private_Network
Document C: http://www.linuxgfx.co.uk/karoshi/documentation/wiki/index.php?title=Samba4_Testing

The testing to bind the samba 4 server from machine B shows successfully:
ldapsearch -x -W -h file.sambadom.org -b "ou=accounting,dc=sambadom,dc=org" -D "cn=ldapuser,cn=users,dc=sambadom,dc=org" "(cn=peter)"

Also, ldap module of freeradius is configured as follows (ldap part in 
sites-enabled/default and inner-tunnel is configured also.)

/usr/local/freeradius/etc/raddb/modules/ldap 
=
ldap {
server = "file.sambadom.org"
password = "asecurepassword"
identity = "cn=ldapuser,cn=users,dc=samba4,dc=yauoi,dc=org"
basedn = "ou=accounting,dc=sambadom,dc=org"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
ldap_connections_number = 5
max_uses = 0
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
keepalive {
idle = 60
probes = 3
interval = 3
}
}
=

When I try authentication test in machine B,
eapol_test -c ./peap-mschapv2.conf -s testing123

peap-mschapv2.conf

network={
ssid="amazonforest"
scan_ssid=1
key_mgmt=WPA-EAP
eap=PEAP
identity="peter"
#anonymous_identity="anonymous"
password="asecurepassword"
phase2="autheap=MSCHAPV2"

#
#  Uncomment the following to perform server certificate validation.
ca_cert="/usr/local/freeradius/etc/raddb/certs/ca.der"
}


The result is failed.


Is there anything I did wrongly?

Kinglok, Fong




Re: [Samba] Samba 4

2013-02-21 Thread Adam Tauno Williams
On Thu, 2013-02-21 at 12:20 +0100, Markus Bajones wrote:
> first hit on google.
> http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

Or, even *BETTER*, skip the stupid search engines [which will lead you
astray as often as not] - and just go to www.samba.org.  Huge time
saver!


-- 
Adam Tauno Williams  GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA



Re: [Samba] Samba 4

2013-02-21 Thread Markus Bajones

Hi,

first hit on google.
http://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

greetings,
Markus

On 2013-02-21 12:17, Friedrich Locke wrote:

Hi,

where could i find documentation on setting up samba 4?

Thanks in advance.




Re: [Samba] Samba 4 DC - idmap config on a samba 4 member server

2013-02-21 Thread Thomas Simmons
Did you compile Samba "--with-shared-modules=idmap_ad"?


On Thu, Feb 21, 2013 at 2:21 AM, Hervé Hénoch  wrote:

> Hello Franck
>
> I had the same problem. When I removed "config" in the two lines, getent
> group worked.
>
>
> idmap config *:backend = tdb
> idmap config *:range = 70001-8
>
> For the role of idmap you can read : http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
>
> Regards
>
> Le 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI a
> écrit :
>
>  Without idmap line, it work too.
>>
>> [global]
>>
>> workgroup = DDCS
>> security = ADS
>> realm = DDCS.LOCAL
>> encrypt passwords = yes
>>
>> # idmap config *:backend = tdb
>> # idmap config *:range = 70001-8
>> # idmap config DDCS:backend = ad
>> # idmap config DDCS:schema_mode = rfc2307
>> # idmap config DDCS:range = 500-4
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>>
>> What is the really role of idmap's line ?
>>
>> I have of to miss something
>>
>
> --
>
> Hervé Hénoch
> Responsable informatique
> Institut Sainte Catherine
> 250 chemin de Baigne-Pieds
> CS 80005 — 84918 AVIGNON cedex 9
> Téléphone : 04.90.27.57.44
>


[Samba] Samba 4

2013-02-21 Thread Friedrich Locke
Hi,

where could i find documentation on setting up samba 4?

Thanks in advance.


Re: [Samba] Samba 4 DC - idmap config on a samba 4 member server

2013-02-20 Thread Hervé Hénoch

Hello Franck

I had the same problem. When I removed "config" in the two lines, getent 
group worked.


idmap config *:backend = tdb
idmap config *:range = 70001-8

For the role of idmap you can read : 
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html


Regards

Le 20/02/2013 21:39, BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI a 
écrit :

Without idmap line, it work too.

[global]

workgroup = DDCS
security = ADS
realm = DDCS.LOCAL
encrypt passwords = yes

# idmap config *:backend = tdb
# idmap config *:range = 70001-8
# idmap config DDCS:backend = ad
# idmap config DDCS:schema_mode = rfc2307
# idmap config DDCS:range = 500-4

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

What is the really role of idmap's line ?

I have of to miss something


--

Hervé Hénoch
Responsable informatique
Institut Sainte Catherine
250 chemin de Baigne-Pieds
CS 80005 — 84918 AVIGNON cedex 9
Téléphone : 04.90.27.57.44


[Samba] Samba 4 cross-compile for ARM

2013-02-20 Thread Liam
I'm about to fund development of an OpenEmbedded recipe to build Samba 4 on
a Beagleboard XM (TI OMAP family).

If anyone's done this already or is actively working on it, please get in
touch with me so we can avoid duplicating efforts.

Thanks!


[Samba] Samba 4 DC - idmap config on a samba 4 member server

2013-02-20 Thread BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI

Without idmap line, it work too.

[global]

   workgroup = DDCS
   security = ADS
   realm = DDCS.LOCAL
   encrypt passwords = yes

#   idmap config *:backend = tdb
#   idmap config *:range = 70001-8
#   idmap config DDCS:backend = ad
#   idmap config DDCS:schema_mode = rfc2307
#   idmap config DDCS:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

What is the really role of idmap's line ?

I have of to miss something


[Samba] Samba 4 DC - idmap config on a samba 4 member server

2013-02-20 Thread BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI

Hi

I configure a member server as described on this page:
http://wiki.samba.org/index.php/Samba4/Domain_Member


My smb.conf looks like that :

[global]

   workgroup = DDCS
   security = ADS
   realm = DDCS.LOCAL
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config DDCS:backend = ad
   idmap config DDCS:schema_mode = rfc2307
   idmap config DDCS:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

With this config, wbinfo -u and -g works fine but getent passwd or group 
don't display AD user or group.


I test that :

[global]

   workgroup = DDCS
   security = ADS
   realm = YOUR.SAMBA.DOMAIN.NAME
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config TEST:backend = ad
   idmap config TEST:schema_mode = rfc2307
   idmap config TEST:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

The workgroup name didn't change but on idmap config I replace DDCS with 
TEST (or anything else) and the getent commands are yet OK.


Why ?

Regards

Franck


[Samba] Samba 4 using MIT Kerberos

2013-02-16 Thread Gerry Reno
I've been looking around trying to find status on Samba 4 AD DC using MIT 
Kerberos and didn't find anything real recent.

Most of the wiki, list posts I see are about a year old talking about this.

I'd like to know if there has been progress on this.  Is it 0% , 99%?

I saw that Fedora  F18 had Samba 4 but if you enable AD DC then it breaks or is 
incompatible with other packages using
MIT Kerberos which is basically anything using kerberos in Fedora.


Can someone from Samba comment on the state of things regarding Samba 4 AD DC 
using MIT Kerberos.   And if possible as
it relates to Fedora/CentOS/RedHat.

Thanks.


-Gerry




Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-13 Thread Kinglok, Fong
Dear all,

After setting dos charset = CP950 (which is the codepage for traditional 
chinese), the same error still remains.

Furthermore, I have tried testing in a real production environment by the 
following steps:

1.  In smb.conf,
 I create a share called Chinese and increase the log level to 10.
[global]
workgroup = YAUOICHURCH
realm = SAMBA4.YAUOI.ORG
netbios name = FILE
server role = active directory domain controller
dns forwarder = 192.168.107.1
log level = 10
unix charset = UTF8
dos charset = CP950
[netlogon]
path = 
/usr/local/samba/var/locks/sysvol/samba4.yauoi.org/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
...
[Chinese]
path = /home/chinese
read only = No

2.  In the file server, I have created a directory /home/chinese and also, 
inside it, I have open a folder called "$BCfJ8B,;n(B" and I have tested the 
name is in UTF-8.

3.  I made use of Windows 7 64-bit Traditional Chinese as client to try to 
browse the share Chinese and then the folder (the client has joined the domain 
already) and I install wireshark to capture the packet.
The wireshark capture is here:
http://kinglok.org/wireshark2.pcapng

4.  the log.smbd still show
[2013/02/13 18:12:11.869648,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+#"1$(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.870614,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1$(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.871426,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(C!)$(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.872210,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A(B<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.872970,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<96><87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.873757,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<87>$(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.874520,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.875503,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1$B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.876199,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($B"L$(D+2"m"C(B)
[2013/02/13 18:12:11.876953,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+2"m"C(B)
[2013/02/13 18:12:11.877743,  3, pid=6810, effective(0, 100), real(0, 0)] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"m"C(B)

The whole log is here:
http://kinglok.org/log.smbd.2

Should I file a bug for it?

Kinglok, Fong


On 11 Feb 2013, at 11:14 PM, TAKAHASHI Motonobu wrote:

> From: "Kinglok, Fong" 
> Date: Sun, 10 Feb 2013 09:40:49 +0800
> 
>> Thank you for your help but…
>> 
>> I execute some commands to make sure the locale is in UTF-8 by
>> dpkg-reconfigure locales and even adding setting in /etc/environment
>> 
>> and using utility like convmv to turn all file and folder into UTF-8 (in 
>> fact, they were in UTF-8 already.)
>> 
>> I add option in smb.conf
>> unix charset = UTF8
>> dos charset is omitted as default (dos charset = CP850)
>> 
>> However, when I run
>> /usr/local/samba/bin/smbclient //localhost/Public 
>> -UAdministrator%'verysecurepasswd' -c 'ls'
>> 
>> The same error in my log 

Re: [Samba] Samba 4 : File server

2013-02-11 Thread Andrew Bartlett
On Mon, 2013-02-11 at 16:54 +0100, BOTZ Franck (Informaticien) - DDT
67/SG/MGI/CI wrote:
> Hi !
> 
> I have installed a DC with samba-tool command and it works perfectly !
> 
> Control AD with the 2003 tools is very amazing, thanks for the job !
> 
> So, my next step is to install a file server as a member of the AD and 
> not as a DC
> 
> I read carefully this one : 
> https://wiki.samba.org/index.php/Samba4/Domain_Member
> 
> Compiling samba :
> 
>* ./configure --with-ads --with-shared-modules=idmap_ad 
> --enable-debug --enable-selftest --prefix=/samba
> 
> First of all why --with-ads ? It is not the default feature ?

It is, but what this changes is that the compile will fail (prompting
you to install some development headers, typically) if the right things
are not found.  This is very helpful, and long ago I promised to make
that the default behaviour.  Sadly I never got around to it. 

>* make
>* make install
> 
> The krb5.conf was fill with that :
> 
> [logging]
>   default = FILE:/var/log/krb5libs.log
>   kdc = FILE:/var/log/krb5kdc.log
>   admin_server = FILE:/var/log/kadmind.log
> 
> [libdefaults]
>   default_realm = DDCS67.INTRA
>   dns_lookup_realm = true
>   dns_lookup_kdc = true
>   ticket_lifetime = 24h
>   forwardable = yes
> 
> [appdefaults]
>   pam = {
>    debug = false
>    ticket_lifetime = 36000
>    renew_lifetime = 36000
>    forwardable = true
>    krb4_convert = false
>   }
> 
> What is appsection ? It is not necessary in a DC which sharing a 
> directory. But why not.
> 
> After that , the smb.conf
> 
> I was wondering that the smb.conf must be fill by the hand. For the DC, 
> running samba-tool command will generate a smb.conf. Before doing this I 
> search the options of samba-tool and i find this :
> 
> samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
> Password for [WORKGROUP\Administrator]:
> Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)
> 
> Fine, the domain is  join !! And the server appear as a Computer in the 
> MMC. Good !
> 
> Let's run /samba/sbin/samba
> 
> The log are :
> At this time the 'samba' binary should only be used for either: 'server 
> role = active directory domain controller' or to access the ntvfs file 
> server with 'server services = +smb' or the rpc proxy with 'dcerpc 
> endpoint servers = remote'
> You should start smbd/nmbd/winbindd instead for domain member and 
> standalone file server tasks
> 
> Is it me or I read the ntvfs is deprecated ?
> 
> So I run the /samba/sbin/smbd, but with no smb.conf the server does not start
> 
> Testparm give me :
> Load smb config files from /samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> params.c:OpenConfFile() - Unable to open configuration file 
> "/samba/etc/smb.conf":
> 
> Can I generate a valid smb.conf for a member with samba-tool ?

I do apologise for this not being as integrated as you would expect.
I'm very proud of the new level of ease of use found in 'samba-tool' and
in the AD DC configuration.  Sadly while this command will successfully
join you to the domain, it does not currently generate the smb.conf.

You don't need much, just set:

[global]
 server role = domain member
 workgroup = DDCS67
 realm = DDCS67.intra

BTW, while I've hooked up 'samba-tool' to work, the advertised command
for joining a domain member is 'net ads join'.  We are working to
consolidate the code, but currently it is a different codebase.  From my
understanding however, it also will not generate the smb.conf.

I hope this helps, and feel free to file a bug as fixing this should not
be difficult. 

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba 4 : File server

2013-02-11 Thread BOTZ Franck (Informaticien) - DDT 67/SG/MGI/CI

Hi !

I have installed a DC with samba-tool command and it works perfectly !

Control AD with the 2003 tools is very amazing, thanks for the job !

So, my next step is to install a file server as a member of the AD and 
not as a DC


I read carefully this one : 
https://wiki.samba.org/index.php/Samba4/Domain_Member


Compiling samba :

  * ./configure --with-ads --with-shared-modules=idmap_ad 
--enable-debug --enable-selftest --prefix=/samba


First of all why --with-ads ? It is not the default feature ?

  * make
  * make install

The krb5.conf was fill with that :

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DDCS67.INTRA
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[appdefaults]
 pam = {
  debug = false
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
 }

What is appsection ? It is not necessary in a DC which sharing a 
directory. But why not.


After that , the smb.conf

I was wondering that the smb.conf must be fill by the hand. For the DC, 
running samba-tool command will generate a smb.conf. Before doing this I 
search the options of samba-tool and i find this :


samba-tool domain join DDCS67  --realm=DDCS67.intra -U Administrator
Password for [WORKGROUP\Administrator]:
Joined domain DDCS67 (S-1-5-21-1814795784-576591386-2449700327)

Fine, the domain is  join !! And the server appear as a Computer in the 
MMC. Good !


Let's run /samba/sbin/samba

The log are :
At this time the 'samba' binary should only be used for either: 'server 
role = active directory domain controller' or to access the ntvfs file 
server with 'server services = +smb' or the rpc proxy with 'dcerpc 
endpoint servers = remote'
You should start smbd/nmbd/winbindd instead for domain member and 
standalone file server tasks


Is it me or I read the ntvfs is deprecated ?

So I run the /samba/sbin/smbd, but with no smb.conf the server does not start

Testparm give me :
Load smb config files from /samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:OpenConfFile() - Unable to open configuration file 
"/samba/etc/smb.conf":


Can I generate a valid smb.conf for a member with samba-tool ?

Regards

Franck Botz


Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-11 Thread TAKAHASHI Motonobu
From: "Kinglok, Fong" 
Date: Sun, 10 Feb 2013 09:40:49 +0800

> Thank you for your help but…
> 
> I execute some commands to make sure the locale is in UTF-8 by
> dpkg-reconfigure locales and even adding setting in /etc/environment
> 
> and using utility like convmv to turn all file and folder into UTF-8 (in 
> fact, they were in UTF-8 already.)
> 
> I add option in smb.conf
> unix charset = UTF8
> dos charset is omitted as default (dos charset = CP850)
> 
> However, when I run
> /usr/local/samba/bin/smbclient //localhost/Public 
> -UAdministrator%'verysecurepasswd' -c 'ls'
> 
> The same error in my log floods……

No, you have to set 'dos charset' parameter correctly. In my Japanese
environment, same errors occur unless I set "dos charset = CP932", which
means Japanese. It seems that you use Chinese.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu
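
An offline check for the two conditions raised in this thread (are the on-disk names really in the `unix charset`, and can they be represented in the `dos charset`), as an added example that is not code from the thread or from Samba. It uses Python's codecs rather than Samba's iconv; the function names, the CP950 candidate and the use of `gbk` for "Guobiao" are assumptions.

```python
import os
import tempfile

# Code pages named in the thread (CP850 default, CP932), plus CP950 (Big5),
# which is an assumption added here for Traditional Chinese names.
DOS_CANDIDATES = ("cp850", "cp932", "cp950")
# Legacy encodings Jeremy asks about; "gbk" stands in for Guobiao (assumption).
LEGACY_CANDIDATES = ("big5", "gbk")
# Constructed sample: the folder name shown in the thread's log (U+884C U+653F).
SAMPLE = "\u884c\u653f"


def representable(text, codepage):
    """True if every character of text exists in the given code page."""
    try:
        text.encode(codepage)
    except UnicodeEncodeError:
        return False
    return True


def classify_name(raw, unix_charset="utf-8", dos_charset="cp850"):
    """Classify one on-disk name (bytes) against the two charset settings."""
    try:
        text = raw.decode(unix_charset)
    except UnicodeDecodeError:
        return "not-unix-charset"
    return "ok" if representable(text, dos_charset) else "not-in-dos-charset"


def legacy_guesses(raw, candidates=LEGACY_CANDIDATES):
    """List legacy encodings in which the bytes decode cleanly (a hint only)."""
    hits = []
    for enc in candidates:
        try:
            raw.decode(enc)
        except UnicodeDecodeError:
            continue
        hits.append(enc)
    return hits


def scan_tree(root, unix_charset="utf-8", dos_candidates=DOS_CANDIDATES):
    """Walk root using byte paths so undecodable names are seen as-is.

    Returns the number of names, the names that are not valid in
    unix_charset (with legacy-encoding hints), and for each candidate
    code page how many names it cannot represent.
    """
    not_unix = []
    misses = {cp: 0 for cp in dos_candidates}
    total = 0
    for dirpath, dirnames, filenames in os.walk(os.fsencode(root)):
        for raw in dirnames + filenames:
            total += 1
            try:
                text = raw.decode(unix_charset)
            except UnicodeDecodeError:
                not_unix.append((os.path.join(dirpath, raw), legacy_guesses(raw)))
                continue
            for cp in dos_candidates:
                if not representable(text, cp):
                    misses[cp] += 1
    return {"total": total, "not_unix": not_unix, "dos_misses": misses}


if __name__ == "__main__":
    # Constructed share contents: one UTF-8 CJK name, one ASCII name and,
    # where the filesystem allows it, one name stored as Big5 bytes.
    with tempfile.TemporaryDirectory() as share:
        base = os.fsencode(share)
        os.mkdir(os.path.join(base, SAMPLE.encode("utf-8")))
        open(os.path.join(base, b"readme.txt"), "wb").close()
        try:
            os.mkdir(os.path.join(base, SAMPLE.encode("big5")))
        except OSError:
            pass  # some filesystems refuse names that are not valid UTF-8
        report = scan_tree(share)
        print("names scanned:", report["total"])
        for path, hints in report["not_unix"]:
            print("not UTF-8:", path, "decodes as:", hints)
        for cp, count in report["dos_misses"].items():
            print("%s cannot represent %d name(s)" % (cp, count))
```

A code page with zero misses is a candidate for `dos charset`; names listed as not UTF-8 need renaming (for example with convmv) or a matching `unix charset`.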



Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-11 Thread Kinglok, Fong
Dear all,

I have created another test case for the problem.

Rather than testing in domU, running Debian Wheezy, I have constructed another 
machine without running xen and installed with Debian squeeze.

I have successfully set up samba 4.0.3 and created a folder called 
"$BCf9AL7=b(B" in share named "test".  And I have used convmv to make sure 
the name is in UTF-8

root@file:/home/test# convmv * -t utf8
Your Perl version has fleas #37757 #49830 
Starting a dry run without changes...
Skipping, already UTF-8: ./$BCf9AL7=b(B
No changes to your files done. Use --notest to finally rename the files.



When I issue a command:
/usr/local/samba/bin/smbclient //localhost/test 
-UAdministrator%'verysecurepassword' -c 'ls'

The log.smbd with log level = 3 is as follows: (the same conversion error!)
=
[2013/02/11 22:19:15.472365,  3] ../source3/smbd/vfs.c:1118(check_reduced_name)
  check_reduced_name [*] [/home/test]
[2013/02/11 22:19:15.472461,  3] ../source3/smbd/vfs.c:1248(check_reduced_name)
  check_reduced_name: * reduced to /home/test/*
[2013/02/11 22:19:15.472597,  3] ../source3/smbd/dir.c:663(dptr_create)
  creating new dirptr 256 for path ., expect_close = 1
[2013/02/11 22:19:15.472886,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
[2013/02/11 22:19:15.472956,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./. fname=. (.)
[2013/02/11 22:19:15.473110,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
[2013/02/11 22:19:15.473173,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./.. fname=.. (..)
[2013/02/11 22:19:15.473285,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+#"1$(C!)$(D)A"1"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473347,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1$(C!)$(D)A"1"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473404,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(C!)$(D)A"1"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473462,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D)A"1"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473535,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"1"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473592,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence($(D"4+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473649,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+.(B<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473705,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<9f><9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473762,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<9b>$(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473819,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte 
sequence($(D+.(B<9b>$(C(z(B)
[2013/02/11 22:19:15.473875,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte 
sequence(<9b>$(C(z(B)
[2013/02/11 22:19:15.473964,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
==

the smb.conf
==
# Global parameters
[global]
workgroup = PLKLSP2
realm = SAMBA4.PLKLSP.EDU.HK
netbios name = FILE
server role = active directory domain controller
dns forwarder = 192.168.107.1
log level = 3

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samba4.plklsp.edu.hk/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[test]
path = /home/test
read only = No



As far as I know, I think the conversion error is not caused by Xen and deb

[Samba] Samba 4 talk from FOSDEM and linux.conf.au

2013-02-10 Thread Andrew Bartlett
On Thu, 2013-02-07 at 10:14 +0100, Andreas Schneider wrote:
> Hello,
> 
> you should watch the entertaining talk about Samba 4 from Jeremy he gave at 
> FOSDEM!
> 
> http://video.fosdem.org/2013/maintracks/Janson/Samba4.webm

I also spoke at two miniconfs this year about Samba 4.0.

This talk is a 25 min talk about the features and progress with Samba
4.0:
http://mirror.linux.org.au/linux.conf.au/2013/ogv/Samba_4.0.ogv

This is a talk about autobuild and testing in Samba (50mins):
http://mirror.linux.org.au/linux.conf.au/2013/ogv/Two_years_with_Sambas_autobuild.ogv

These videos really do give a great overview of where we are at with
Samba 4.0.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-09 Thread Kinglok, Fong
Thank you for your help but…

I execute some commands to make sure the locale is in UTF-8 by
dpkg-reconfigure locales and even adding setting in /etc/environment

and using utility like convmv to turn all file and folder into UTF-8 (in fact, 
they were in UTF-8 already.)

I add option in smb.conf
unix charset = UTF8
dos charset is omitted as default (dos charset = CP850)

However, when I run
/usr/local/samba/bin/smbclient //localhost/Public 
-UAdministrator%'verysecurepasswd' -c 'ls'

The same error in my log floods……

Is it a bug?

Kinglok, Fong

On 10 Feb, 2013, at 1:35 AM, TAKAHASHI Motonobu  wrote:

> You had better set 'dos charset' parameter correctly and 'unix charset'
> parameter if you do not use UTF-8 on Linux.
> 
> From: Jeremy Allison 
> Date: Sat, 9 Feb 2013 09:04:47 -0800
> 
> On Sat, Feb 09, 2013 at 11:54:26PM +0800, Kinglok, Fong wrote:
> My machine is running samba 4.0.3 inside a DomU of Debian Wheezy.
> 
> Following the Samba AD Howto and running Samba 4.0.3 successfully but with 
> one pretty serious problem.  When I try access the folder with 1000 files, 
> the speed is *VERY* slow.
> 
> After employ log level to 3, log.smbd is flooded with:
> =
> [2013/02/09 23:44:05.910717,  3] 
> ../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
>   Could not fetch share entry
> [2013/02/09 23:44:05.911631,  3] 
> ../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
>   smbd_dirptr_get_entry mask=[*] found ./行政 fname=行政 (行政)
> [2013/02/09 23:44:05.912607,  3] 
> ../lib/util/charset/convert_string.c:316(convert_string_handle)
>   convert_string_internal: Conversion error: Illegal multibyte sequence(行政)
> [2013/02/09 23:44:05.913517,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte 
> sequence(??政)
> [2013/02/09 23:44:05.914467,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte sequence(?政)
> [2013/02/09 23:44:05.915412,  3] 
> ../lib/util/charset/convert_string.c:316(convert_string_handle)
>   convert_string_internal: Conversion error: Illegal multibyte sequence(政)
> [2013/02/09 23:44:05.916356,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte sequence(??)
> ==
> 
> Is that filename '行政' in utf8 format on the disk ?
> Or is it in a previous encoding format such as big5 or
> Guobiao ?
> 
> Without a parameter setting Samba defaults to utf8
> encoding, and things can go wrong if filenames on
> disk aren't actually utf8.
> 
> Jeremy.

Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-09 Thread TAKAHASHI Motonobu
You had better set 'dos charset' parameter correctly and 'unix charset'
parameter if you do not use UTF-8 on Linux.

From: Jeremy Allison 
Date: Sat, 9 Feb 2013 09:04:47 -0800

On Sat, Feb 09, 2013 at 11:54:26PM +0800, Kinglok, Fong wrote:
 My machine is running samba 4.0.3 inside a DomU of Debian Wheezy.
 
 Following the Samba AD Howto and running Samba 4.0.3 successfully but with one 
pretty serious problem.  When I try access the folder with 1000 files, the 
speed is *VERY* slow.
 
 After employ log level to 3, log.smbd is flooded with:
 =
 [2013/02/09 23:44:05.910717,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
   Could not fetch share entry
 [2013/02/09 23:44:05.911631,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
   smbd_dirptr_get_entry mask=[*] found ./行政 fname=行政 (行政)
 [2013/02/09 23:44:05.912607,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
   convert_string_internal: Conversion error: Illegal multibyte sequence(行政)
 [2013/02/09 23:44:05.913517,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
   convert_string_internal: Conversion error: Incomplete multibyte sequence(??政)
 [2013/02/09 23:44:05.914467,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
   convert_string_internal: Conversion error: Incomplete multibyte sequence(?政)
 [2013/02/09 23:44:05.915412,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
   convert_string_internal: Conversion error: Illegal multibyte sequence(政)
 [2013/02/09 23:44:05.916356,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
   convert_string_internal: Conversion error: Incomplete multibyte sequence(??)
 ==

Is that filename '行政' in utf8 format on the disk ?
Or is it in a previous encoding format such as big5 or
Guobiao ?

Without a parameter setting Samba defaults to utf8
encoding, and things can go wrong if filenames on
disk aren't actually utf8.

Jeremy.


Re: [Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-09 Thread Jeremy Allison
On Sat, Feb 09, 2013 at 11:54:26PM +0800, Kinglok, Fong wrote:
> My machine is running samba 4.0.3 inside a DomU of Debian Wheezy.
> 
> Following the Samba AD Howto and running Samba 4.0.3 successfully but with 
> one pretty serious problem.  When I try access the folder with 1000 files, 
> the speed is *VERY* slow.
> 
> After employ log level to 3, log.smbd is flooded with:
> =
> [2013/02/09 23:44:05.910717,  3] 
> ../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
>   Could not fetch share entry
> [2013/02/09 23:44:05.911631,  3] 
> ../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
>   smbd_dirptr_get_entry mask=[*] found ./行政 fname=行政 (行政)
> [2013/02/09 23:44:05.912607,  3] 
> ../lib/util/charset/convert_string.c:316(convert_string_handle)
>   convert_string_internal: Conversion error: Illegal multibyte sequence(行政)
> [2013/02/09 23:44:05.913517,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte 
> sequence(??政)
> [2013/02/09 23:44:05.914467,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte sequence(?政)
> [2013/02/09 23:44:05.915412,  3] 
> ../lib/util/charset/convert_string.c:316(convert_string_handle)
>   convert_string_internal: Conversion error: Illegal multibyte sequence(政)
> [2013/02/09 23:44:05.916356,  3] 
> ../lib/util/charset/convert_string.c:297(convert_string_handle)
>   convert_string_internal: Conversion error: Incomplete multibyte sequence(??)
> ==

Is that filename '行政' in utf8 format on the disk ?
Or is it in a previous encoding format such as big5 or
Guobiao ?

Without a parameter setting Samba defaults to utf8
encoding, and things can go wrong if filenames on
disk aren't actually utf8.

Jeremy.

[Samba] Samba 4 DC log.smd flooded with Conversion error

2013-02-09 Thread Kinglok, Fong
My machine is running samba 4.0.3 inside a DomU of Debian Wheezy.

Following the Samba AD Howto and running Samba 4.0.3 successfully but with one 
pretty serious problem.  When I try access the folder with 1000 files, the 
speed is *VERY* slow.

After employ log level to 3, log.smbd is flooded with:
=
[2013/02/09 23:44:05.910717,  3] 
../source3/locking/share_mode_lock.c:408(fetch_share_mode_unlocked)
  Could not fetch share entry
[2013/02/09 23:44:05.911631,  3] 
../source3/smbd/dir.c:1136(smbd_dirptr_get_entry)
  smbd_dirptr_get_entry mask=[*] found ./行政 fname=行政 (行政)
[2013/02/09 23:44:05.912607,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte sequence(行政)
[2013/02/09 23:44:05.913517,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte sequence(??政)
[2013/02/09 23:44:05.914467,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte sequence(?政)
[2013/02/09 23:44:05.915412,  3] 
../lib/util/charset/convert_string.c:316(convert_string_handle)
  convert_string_internal: Conversion error: Illegal multibyte sequence(政)
[2013/02/09 23:44:05.916356,  3] 
../lib/util/charset/convert_string.c:297(convert_string_handle)
  convert_string_internal: Conversion error: Incomplete multibyte sequence(??)
==

I have googled the mailing list and I am sure that the iconv library is 
installed correctly and also pass the test for ACL in filesystem in linux 
listed here 
(https://wiki.samba.org/index.php/Samba_4/OS_Requirements#Testing_your_filesystem).
  Also, the folder permission is 770 and owned by root:root.

Can anyone help?

smb.conf
==
# Global parameters
[global]
workgroup = YAUOICHURCH
realm = SAMBA4.YAUOI.ORG
netbios name = FILE
server role = active directory domain controller
dns forwarder = 192.168.107.1
log level = 2

[netlogon]
path = /usr/local/samba/var/locks/sysvol/samba4.yauoi.org/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[printers]
comment = All Printers
path = /usr/local/samba/var/spool
browseable = Yes
read only = No
printable = Yes

[print$]
comment = Point and Print Printer Drivers
path = /usr/local/samba/var/print
read only = No

[profiles]
path = /usr/local/samba/var/profiles
read only = No

[Personal]
path = /home/personal/
read only = No

[Public]
path = /home/group
read only = No

=

Log level = 10 is as follows:
=
http://kinglok.org/log.smbd
=

Re: [Samba] Samba 4 AD DC "Element not found" error in Windows 8

2013-02-07 Thread Nick Semenkovich
Ah yeah, that definitely works #facepalm

I guess I figured \\corp.domain.com should just fail entirely (though
netlogon and sysvol work) -- \\dcname.corp.domain.com works perfectly.

Thanks!

On Thu, Feb 7, 2013 at 2:17 AM, Ufficiotecnico Acknow
 wrote:
> Using   \\dcname.corp.domain.com\share or \\your_ip\share works?
> Check also security tab on folder to set right permission.
>
> Il 07/02/2013 08.14, Nick Semenkovich ha scritto:
>>
>> Hi:
>>
>>
>> I've just configured a Samba 4 install as an AD DC, following the Wiki
>> page at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>>
>> I've successfully joined a few machines to the domain, and am now
>> trying to add some simple shares.
>>
>> When I add a share to smb.conf, it appears on client machines via
>> \\domain.example.com\sharename but trying to open any shares gives the
>> error "Element not found".
>>
>> I can only open the \netlogon and \sysvol existing shares, but nothing
>> else I create is openable (always prompts with "Element not found.")
>>
>> Running Ubuntu Raring Ringtail / Samba 4.0.0+dfsg1-1.
>>
>> All the clients are Windows 8, I'm logged on as the domain
>> administrator, and all machine clocks are NTP synced.
>>
>>
>> Thanks,
>> Nick
>>
>>
>> $> cat /etc/samba/smb.conf
>> [global]
>> workgroup = CORP
>> realm = CORP.DOMAIN.COM
>> netbios name = DCNAME
>> server role = active directory domain controller
>> allow dns updates = True
>> dns forwarder = 192.168.0.1
>> server services = +smb -s3fs
>> dcerpc endpoint servers = +winreg +srvsvc
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/corp.domain.com/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>> [profiles]
>> path = /srv/profiles
>> read only = No
>>
>> [homes]
>> directory_mode: parameter = 0700
>> path = /home
>> read only = No
>> csc policy = documents
>>
>> [dropbox]
>> path = /srv/samba-dropbox
>> read only = No
>> comment = Dropbox
>> browseable = Yes
>
>


Re: [Samba] Samba 4 AD DC "Element not found" error in Windows 8

2013-02-07 Thread Ufficiotecnico Acknow

Using   \\dcname.corp.domain.com\share or \\your_ip\share works?
Check also security tab on folder to set right permission.

Il 07/02/2013 08.14, Nick Semenkovich ha scritto:

Hi:

I've just configured a Samba 4 install as an AD DC, following the Wiki
page at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

I've successfully joined a few machines to the domain, and am now
trying to add some simple shares.

When I add a share to smb.conf, it appears on client machines via
\\domain.example.com\sharename but trying to open any shares gives the
error "Element not found".

I can only open the \netlogon and \sysvol existing shares, but nothing
else I create is openable (always prompts with "Element not found.")

Running Ubuntu Raring Ringtail / Samba 4.0.0+dfsg1-1.

All the clients are Windows 8, I'm logged on as the domain
administrator, and all machine clocks are NTP synced.


Thanks,
Nick


$> cat /etc/samba/smb.conf
[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
netbios name = DCNAME
server role = active directory domain controller
allow dns updates = True
dns forwarder = 192.168.0.1
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc

[netlogon]
path = /var/lib/samba/sysvol/corp.domain.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[profiles]
path = /srv/profiles
read only = No

[homes]
directory_mode: parameter = 0700
path = /home
read only = No
csc policy = documents

[dropbox]
path = /srv/samba-dropbox
read only = No
comment = Dropbox
browseable = Yes




[Samba] Samba 4 AD DC "Element not found" error in Windows 8

2013-02-06 Thread Nick Semenkovich
Hi:

I've just configured a Samba 4 install as an AD DC, following the Wiki
page at https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

I've successfully joined a few machines to the domain, and am now
trying to add some simple shares.

When I add a share to smb.conf, it appears on client machines via
\\domain.example.com\sharename but trying to open any shares gives the
error "Element not found".

I can only open the \netlogon and \sysvol existing shares, but nothing
else I create is openable (always prompts with "Element not found.")

Running Ubuntu Raring Ringtail / Samba 4.0.0+dfsg1-1.

All the clients are Windows 8, I'm logged on as the domain
administrator, and all machine clocks are NTP synced.


Thanks,
Nick


$> cat /etc/samba/smb.conf
[global]
workgroup = CORP
realm = CORP.DOMAIN.COM
netbios name = DCNAME
server role = active directory domain controller
allow dns updates = True
dns forwarder = 192.168.0.1
server services = +smb -s3fs
dcerpc endpoint servers = +winreg +srvsvc

[netlogon]
path = /var/lib/samba/sysvol/corp.domain.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[profiles]
path = /srv/profiles
read only = No

[homes]
directory_mode: parameter = 0700
path = /home
read only = No
csc policy = documents

[dropbox]
path = /srv/samba-dropbox
read only = No
comment = Dropbox
browseable = Yes


Re: [Samba] SaMBa 4 - homedir mapping

2013-02-03 Thread TAKAHASHI Motonobu
From: Celso Viana 
Date: Sat, 2 Feb 2013 22:17:07 -0300

> I'm testing the SaMBa 4 with FreeBSD 9.1 and am having difficulty.

(snip)

> bin/samba-tool user add fox '@Pipe120' --home-directory='\\samba\fox'
> --home-drive=M --given-name="User Test"
> 
> wbinfo -i fox
> BOX\fox:*:317:20::/home/BOX/fox:/bin/false
> 
> smbclient //localhost/fox -Ufox
> Enter fox's password:
> Domain=[BOX] OS=[Unix] Server=[Samba 4.0.2]
> tree connect failed: NT_STATUS_BAD_NETWORK_NAME
> 
> If I do this procedure with samba 4.0.0 mapping works.

What is your expected behavior?

I examined on my Samba 4.0.1 and Samba 4.0.0rc5 env and got same result.
And to run pdbedit, I saw the home directory setting was applied.

---
TAKAHASHI Motonobu  / @damemonyo 
   facebook.com/takahashi.motonobu



[Samba] SaMBa 4 - homedir mapping

2013-02-02 Thread Celso Viana
Hi guys,

I'm testing the SaMBa 4 with FreeBSD 9.1 and am having difficulty.

I did so:
mkdir test
cd test
wget http://ftp.samba.org/pub/samba/stable/samba-4.0.2.tar.gz
tar zxvf samba-4.0.2.tar.gz
cd samba-4.0.2
./configure && make && make install
cd /usr/local/samba
bin/samba-tool domain provision --realm=box.blurr --domain=BOX
--server-role=dc --adminpass='@Tullip500' --use-xattrs=yes
--use-rfc2307
sbin/samba
bin/samba-tool user add fox '@Pipe120' --home-directory='\\samba\fox'
--home-drive=M --given-name="User Test"

wbinfo -i fox
BOX\fox:*:317:20::/home/BOX/fox:/bin/false

smbclient //localhost/fox -Ufox
Enter fox's password:
Domain=[BOX] OS=[Unix] Server=[Samba 4.0.2]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

If I do this procedure with samba 4.0.0 mapping works.

Could someone help me understand what is happening?

Thanks!

-- 
Celso Vianna
BSD User: 51318
http://www.bsdcounter.org

Palmas/TO


Re: [Samba] Samba 4 vs Samba 3

2013-02-01 Thread Benjamin Huntsman
Just to follow up, here is the excerpt from the log.smbd when running 3.6.10 
and connecting to the share:

[2013/02/01 13:38:58.729913,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[10.33.72.67]\[root]@[10.33.75.164] with the new password interface
[2013/02/01 13:38:58.729995,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  mapped user is: [SYSTST]\[root]@[10.33.75.164]
[2013/02/01 13:38:58.744799,  3] passdb/lookup_sid.c:1754(get_primary_group_sid)
  Forcing Primary Group to 'Domain Users' for root
[2013/02/01 13:38:58.746405,  3] auth/auth.c:268(check_ntlm_password)
  check_ntlm_password: unix authentication for user [root] succeeded
[2013/02/01 13:38:58.746507,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] 
succeeded


I notice there's nothing in there about SPNEGO.  I also tried setting all the 
SPNEGO options to off under Samba 4.0.2, but that didn't work either, and the 
SPNEGO messages still appear in the log...
Is there a straightforward way to get Samba 4 to use the unencrypted passwords 
and the local UNIX password, or is it hopeless?

Thanks!

-Ben

From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf 
of Benjamin Huntsman [bhunts...@mail2.cu-portland.edu]
Sent: Friday, February 01, 2013 9:47 AM
To: samba@lists.samba.org
Subject: [Samba] Samba 4 vs Samba 3

So, I have "working" builds of Samba 3.6.10, and 4.0.2 using the traditional 
build system on AIX, both built with XLC.
For historical reasons, we're needing to use 'encrypt passwords = no', so that 
Samba uses the OS password.

The odd thing is, the 3.6.10 Samba works just fine, but the 4.0.2 doesn't 
allow connections.  Here's the Samba config I'm using on both:


Samba 3:
[global]
encrypt passwords = No
log level = 3
os level = 8
local master = No
domain master = No
idmap config * : range =
idmap config * : backend = tdb

[testshare]
   path = /testshare
   read only = no

Samba 4:
[global]
encrypt passwords = No
log level = 3
client max protocol = SMB2
client min protocol = SMB2
os level = 8
local master = No
domain master = No
idmap config * : range =
idmap config * : backend = tdb

[testshare]
   path = /testshare
   read only = no


On both a test Windows XP and Windows 7 machine, I have the unencrypted 
passwords policy enabled.  When running Samba 3.6.10 using the config above, I 
can map the share just fine.  However, under 4.0.x (I've tried 4.0.0, 4.0.1, 
and 4.0.2), when mapping the share on Windows, the password prompt comes back 
immediately, and I get the following in the log:


[2013/02/01 09:34:56.256107,  3] auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[10.33.72.67]\[root]@[SAMBATEST] with the new password interface
[2013/02/01 09:34:56.256176,  3] auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SYSTST]\[root]@[SAMBATEST]
[2013/02/01 09:34:56.256843,  2] auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with 
error NT_STATUS_LOGON_FAILURE
[2013/02/01 09:34:56.256951,  2] 
../auth/gensec/spnego.c:745(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
[2013/02/01 09:34:56.259280,  2] 
smbd/smb2_server.c:3123(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET


I am absolutely 100% certain that I'm typing the password correctly.  :)  
Perhaps my build of Samba 4 is broken after all?  Anyone know why I'd see 
different behavior between 3.6.10 and 4.0.2, even though the config files are 
basically identical (though both were generated by swat)?
I really want to move to Samba 4 if I can...

Thanks!


[Samba] Samba 4 vs Samba 3

2013-02-01 Thread Benjamin Huntsman
So, I have "working" builds of Samba 3.6.10, and 4.0.2 using the traditional 
build system on AIX, both built with XLC.
For historical reasons, we're needing to use 'encrypt passwords = no', so that 
Samba uses the OS password.  

The odd thing is, the 3.6.10 Samba works just fine, but the 4.0.2 doesn't 
allow connections.  Here's the Samba config I'm using on both:


Samba 3:
[global]
encrypt passwords = No
log level = 3
os level = 8
local master = No
domain master = No
idmap config * : range =
idmap config * : backend = tdb

[testshare]
   path = /testshare
   read only = no

Samba 4:
[global]
encrypt passwords = No
log level = 3
client max protocol = SMB2
client min protocol = SMB2
os level = 8
local master = No
domain master = No
idmap config * : range =
idmap config * : backend = tdb

[testshare]
   path = /testshare
   read only = no


On both a test Windows XP and Windows 7 machine, I have the unencrypted 
passwords policy enabled.  When running Samba 3.6.10 using the config above, I 
can map the share just fine.  However, under 4.0.x (I've tried 4.0.0, 4.0.1, 
and 4.0.2), when mapping the share on Windows, the password prompt comes back 
immediately, and I get the following in the log:


[2013/02/01 09:34:56.256107,  3] auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[10.33.72.67]\[root]@[SAMBATEST] with the new password interface
[2013/02/01 09:34:56.256176,  3] auth/auth.c:180(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [SYSTST]\[root]@[SAMBATEST]
[2013/02/01 09:34:56.256843,  2] auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with 
error NT_STATUS_LOGON_FAILURE
[2013/02/01 09:34:56.256951,  2] 
../auth/gensec/spnego.c:745(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
[2013/02/01 09:34:56.259280,  2] 
smbd/smb2_server.c:3123(smbd_smb2_request_incoming)
  smbd_smb2_request_incoming: client read error NT_STATUS_CONNECTION_RESET


I am absolutely 100% certain that I'm typing the password correctly.  :)  
Perhaps my build of Samba 4 is broken after all?  Anyone know why I'd see 
different behavior between 3.6.10 and 4.0.2, even though the config files are 
basically identical (though both were generated by swat)?
I really want to move to Samba 4 if I can...

Thanks!
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
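Added example, not part of the original message and not Samba project code: a Python parser for the log.smbd excerpt format quoted above. It rejoins records that the mail client wrapped (including a header split from its source location) and pairs each "Checking password" line with the result that follows, so failures can be counted per account and workstation. The log lines below are constructed in the same format, and all function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the log.smbd format quoted in the message, including
# mail-wrapped lines. Addresses, workstations and the second account are made up.
SAMPLE_LOG = r"""
[2013/02/01 09:34:56.256107,  3] auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[192.0.2.10]\[root]@[WS1] with the new password interface
[2013/02/01 09:34:56.256843,  2] auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with
error NT_STATUS_LOGON_FAILURE
[2013/02/01 09:34:56.256951,  2]
../auth/gensec/spnego.c:745(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
[2013/02/01 09:35:02.100000,  3] auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [192.0.2.10]\[root]@[WS1] with the new password interface
[2013/02/01 09:35:02.101000,  2] auth/auth.c:288(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [root] -> [root] FAILED with error NT_STATUS_LOGON_FAILURE
[2013/02/01 09:36:10.500000,  3] auth/auth.c:177(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [192.0.2.11]\[alice]@[WS2] with the new password interface
[2013/02/01 09:36:10.520000,  2] auth/auth.c:309(check_ntlm_password)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
"""

# "[timestamp,  level] file:line(function)"; the location may be wrapped away.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
# Fields are [client-supplied domain]\[account]@[workstation].
CHECKING = re.compile(r"unmapped user\s+\[(.*?)\]\\\[(.*?)\]@\[(.*?)\]")
FAILED = re.compile(
    r"[Aa]uthentication for user \[(.*?)\] -> \[(.*?)\] FAILED with\s+error\s+(NT_STATUS_\w+)"
)
SUCCEEDED = re.compile(r"[Aa]uthentication for user \[(.*?)\] -> .*succeeded")


def parse_records(text):
    """Group lines into records; every line up to the next header belongs to one record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            current = {"time": match.group(1), "level": int(match.group(2)),
                       "location": match.group(3), "message": ""}
            records.append(current)
        elif current is None:
            continue  # text before the first header
        elif not current["location"]:
            current["location"] = line  # header was wrapped before file:line(function)
        else:
            current["message"] = (current["message"] + " " + line).strip()
    return records


def auth_events(records):
    """Pair each 'Checking password' record with the outcome logged for that account."""
    events, context = [], {}
    for rec in records:
        msg = rec["message"]
        match = CHECKING.search(msg)
        if match:
            context[match.group(2)] = (match.group(1), match.group(3))
            continue
        match = FAILED.search(msg)
        status = match.group(3) if match else None
        if not match:
            match = SUCCEEDED.search(msg)
            status = "NT_STATUS_OK" if match else None
        if not match:
            continue  # e.g. the SPNEGO summary line repeats the failure
        domain, workstation = context.pop(match.group(1), (None, None))
        events.append({"time": rec["time"], "user": match.group(1),
                       "ok": status == "NT_STATUS_OK", "status": status,
                       "client_domain": domain, "workstation": workstation})
    return events


def repeated_failures(events, threshold=2):
    """Return {(account, workstation): count} for failure counts at or above threshold."""
    counts = Counter((e["user"], e["workstation"]) for e in events if not e["ok"])
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for event in auth_events(parse_records(SAMPLE_LOG)):
        print(event)
    print(repeated_failures(auth_events(parse_records(SAMPLE_LOG))))
```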


[Samba] samba 4 dc, shares without ACLS and group permission bug?

2013-01-31 Thread ask-Q-view
Hi,

ACLs are a pain in general. Fortunately we do not need them for our shares, so I 
thought to just add the following to my share definition in smb.conf.

nt acl support = no

This should be fine, shouldn't it?

Further I only need access permissions per share but I realized that the group 
permissions won't work:

valid users = @Domain Users

but per user it works well, e.g.

valid users = demo01


Would be nice if somebody could clarify my issues.






Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-25 Thread Andrew Bartlett
On Thu, 2013-01-24 at 14:32 +0100, Fred F wrote:
> Thanks for your statement, Andrew. I know about winbind and we've used
> it in the past, but I remember there were some issues when dealing
> with POSIX ACLs and winbind.
> 
> Now while winbind might work in some environments, I think it would be
> much nicer and cleaner to integrate Linux clients into a Samba AD
> domain with "native" Linux tools. The PAM part is very easy and works
> great already with Samba 4 and Linux clients using Kerberos. The only
> somewhat troublesome part is the NSS information
> (passwd/groups/shadow), which would also not really be an issue if
> Samba 4 properly implemented separation between users and groups in
> POSIX ACLs (#9521).

This bug is closed as invalid for very good reason.  There is not
separation between users and groups in windows ACLs, once you have to
handle groups owning files and SID History (users essentially becoming
groups), and we have no choice but to match.

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-24 Thread Fred F
Thanks for your statement, Andrew. I know about winbind and we've used
it in the past, but I remember there were some issues when dealing
with POSIX ACLs and winbind.

Now while winbind might work in some environments, I think it would be
much nicer and cleaner to integrate Linux clients into a Samba AD
domain with "native" Linux tools. The PAM part is very easy and works
great already with Samba 4 and Linux clients using Kerberos. The only
somewhat troublesome part is the NSS information
(passwd/groups/shadow), which would also not really be an issue if
Samba 4 properly implemented separation between users and groups in
POSIX ACLs (#9521).

I guess I'll take a second look at winbind then.


Regards,
 Frederik

2013/1/24 Andrew Bartlett :
> On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
>> 2013/1/22 Gémes Géza :
>> > I don't agree, because users can be members of multiple groups, not just 
>> > the
>> > group identified as their primary group
>> Well, yes. That is not the point. Users can still be members of
>> multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through
>> the "member" attributes of the AD/LDAP nodes, but the actual issue
>> here is that plain users do not show up in (CN=Domain
>> Users,CN=Users,CN=DOMAIN), because "Domain Users" is set as the
>> primary group directly. Additionally added groups show up on the Linux
>> side as well, just not the primary group (with my approach).
>>
>> Any other thoughts? Isn't this scenario one of the most common usage
>> scenarios ever? Serving both Windows and Linux? How come so little
>> information is available about Samba4 with Linux clients?
>
> That is because there isn't anything special about Samba 4.0 as an AD DC
> with Linux clients that hasn't already been done for a Windows AD
> domain.
>
> The Samba Team recommends winbind as the AD client to use on Linux,
> because it handles these and many other details much better than just
> nss_ldap.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett  http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>


Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-23 Thread Andrew Bartlett
On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
> 2013/1/22 Gémes Géza :
> > I don't agree, because users can be members of multiple groups, not just the
> > group identified as their primary group
> Well, yes. That is not the point. Users can still be members of
> multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through
> the "member" attributes of the AD/LDAP nodes, but the actual issue
> here is that plain users do not show up in (CN=Domain
> Users,CN=Users,CN=DOMAIN), because "Domain Users" is set as the
> primary group directly. Additionally added groups show up on the Linux
> side as well, just not the primary group (with my approach).
> 
> Any other thoughts? Isn't this scenario one of the most common usage
> scenarios ever? Serving both Windows and Linux? How come so little
> information is available about Samba4 with Linux clients?

That is because there isn't anything special about Samba 4.0 as an AD DC
with Linux clients that hasn't already been done for a Windows AD
domain.  

The Samba Team recommends winbind as the AD client to use on Linux,
because it handles these and many other details much better than just
nss_ldap.

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org



Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-23 Thread Fred F
2013/1/22 Gémes Géza :
> I don't agree, because users can be members of multiple groups, not just the
> group identified as their primary group
Well, yes. That is not the point. Users can still be members of
multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through
the "member" attributes of the AD/LDAP nodes, but the actual issue
here is that plain users do not show up in (CN=Domain
Users,CN=Users,CN=DOMAIN), because "Domain Users" is set as the
primary group directly. Additionally added groups show up on the Linux
side as well, just not the primary group (with my approach).

Any other thoughts? Isn't this scenario one of the most common usage
scenarios ever? Serving both Windows and Linux? How come so little
information is available about Samba4 with Linux clients?


Regards,
 Frederik


Re: [Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-22 Thread Gémes Géza

On 2013-01-22 15:52, Fred F wrote:

Hi,

I am still experimenting with Samba 4 and I'd like to serve both
Windows and Linux clients with Samba (standalone AD server). The
Windows-side is already working well. For serving Linux-clients I need
to store the users' uidNumber and gidNumber in the Active Directory.

This is how I do that:
1. Create a user "test" with samba-tool
2. Get the internal UID which was assigned to this user by Samba through wbinfo
3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN

With the correct nss_ldap setup (mainly attribute mappings) the Linux
boxes can now get their passwd/shadow/group information directly from
AD. The Linux user now has the exact same attributes and groups as the
Windows user.

Now the issue is that Samba needs a group with the same gidNumber as
the uidNumber for each user to work correctly in this setup (see why
in #9521 [1]). The only logical way of doing that is storing this
gidNumber as the user's primary group in the AD. This way the user
loses the membership in the group "Domain Users" (gidNumber 100),
though - at least on the Linux side.

Are there any thoughts on how to solve this? Is this maybe a Samba
issue or is my setup just wrong?


Regards,
Frederik

[1] https://bugzilla.samba.org/show_bug.cgi?id=9521
I don't agree, because users can be members of multiple groups, not just 
the group identified as their primary group


Regards

Geza Gemes


[Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

2013-01-22 Thread Fred F
Hi,

I am still experimenting with Samba 4 and I'd like to serve both
Windows and Linux clients with Samba (standalone AD server). The
Windows-side is already working well. For serving Linux-clients I need
to store the users' uidNumber and gidNumber in the Active Directory.

This is how I do that:
1. Create a user "test" with samba-tool
2. Get the internal UID which was assigned to this user by Samba through wbinfo
3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN

With the correct nss_ldap setup (mainly attribute mappings) the Linux
boxes can now get their passwd/shadow/group information directly from
AD. The Linux user now has the exact same attributes and groups as the
Windows user.

Now the issue is that Samba needs a group with the same gidNumber as
the uidNumber for each user to work correctly in this setup (see why
in #9521 [1]). The only logical way of doing that is storing this
gidNumber as the user's primary group in the AD. This way the user
loses the membership in the group "Domain Users" (gidNumber 100),
though - at least on the Linux side.

Are there any thoughts on how to solve this? Is this maybe a Samba
issue or is my setup just wrong?


Regards,
Frederik

[1] https://bugzilla.samba.org/show_bug.cgi?id=9521


Re: [Samba] Samba 4 man pages?

2013-01-21 Thread Bob Miller
This was addressed on this list a while back, some people shared what
they had to do to get manpages.  For more information, search that out,
but the gist should be that if you have the right packages (xsltproc and
docbook, maybe docbook-xsl?) installed on your system, man pages will
compile and install with the rest of the program

-- 
Computerisms
Bob Miller  
867-334-7117 / 867-633-3760
http://computerisms.ca


On Mon, 2013-01-21 at 22:51 +, Benjamin Huntsman wrote:
> Are the man pages not included with the Samba 4 distribution?
> After running configure and make (using the old-style build environment under 
> source3), a "make installman" gives the following error:
> 
> No manpages present.  Development version maybe?
> 
> How would I go about getting the man pages built and installed?
> 
> Thanks!
> 
> -Ben



[Samba] Samba 4 man pages?

2013-01-21 Thread Benjamin Huntsman
Are the man pages not included with the Samba 4 distribution?
After running configure and make (using the old-style build environment under 
source3), a "make installman" gives the following error:

No manpages present.  Development version maybe?

How would I go about getting the man pages built and installed?

Thanks!

-Ben


[Samba] Samba 4 kinit: cannot contact any KDC in requested realm // TSIG error

2013-01-19 Thread Markus Schaufler
I had freshly installed an Ubuntu Server 12.04lts and Samba 4.0.1 using the
internal DNS.
I followed the official HowTo until "kinit administrator@DOMAIN.LOCAL"
It didn't work (cannot contact any kdc...)

A "netstat" showed that "avahi-daemon" was running at:
807/avahi-daemon: r
udp0  0 10.0.0.20:389   0.0.0.0:*

After removing that package kinit worked.
Removing "avahi-daemon" (a type of zeroconf?) deletes also
"libnss-mdns"...I hope, Samba doesn't have any need of that package?

however "/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names"
does not work!

[...]
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV
_gc._tcp.default-first-site-name._sites.schau.local tuxsrv.schau.local 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.schau.local. 900 IN SRV 0 100 3268
tuxsrv.schau.local.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries

--
[...]

Looking at record:
 discard_const(update): struct dns_res_rec
name : '_gc._tcp.schau.local'
rr_type  : DNS_QTYPE_SRV (0x21)
rr_class : DNS_QCLASS_IN (0x1)
ttl  : 0x0384 (900)
length   : 0x001a (26)
rdata: union dns_rdata(case 0x21)
srv_record: struct dns_srv_record
priority : 0x (0)
weight   : 0x0064 (100)
port : 0x0cc4 (3268)
target   : 'tuxsrv.schau.local'
unexpected   : DATA_BLOB length=0
Tkey handshake completed
Got a dns update request.
update count is 1
Looking at record:
 discard_const(update): struct dns_res_rec
name :
'_gc._tcp.default-first-site-name._sites.schau.local'
rr_type  : DNS_QTYPE_SRV (0x21)
rr_class : DNS_QCLASS_IN (0x1)
ttl  : 0x0384 (900)
length   : 0x001a (26)
rdata: union dns_rdata(case 0x21)
srv_record: struct dns_srv_record
priority : 0x (0)
weight   : 0x0064 (100)
port : 0x0cc4 (3268)
target   : 'tuxsrv.schau.local'
unexpected   : DATA_BLOB length=0

In a separate installation with external BIND (9.8.1) I don't get these
errors...

Markus


Re: [Samba] Samba 4 vs UNIX password

2013-01-17 Thread Benjamin Huntsman
Anyone know how to set up pam_smbpass on AIX?
I'm thinking that's going to be the way to go...


Re: [Samba] Samba 4 vs UNIX password

2013-01-17 Thread Chris Weiss
On Thu, Jan 17, 2013 at 3:12 PM, Jeremy Allison  wrote:
> On Thu, Jan 17, 2013 at 09:09:43PM +, Benjamin Huntsman wrote:
>> Ok, now I'm stuck...
>>
>> We have several stand-alone UNIX (AIX) systems that we need to share a few 
>> SMB shares from.  None of these are joined to our domain.
>>
>> We want the end-users to be able to map these shares to their Windows 
>> systems using the username in the form of AIXSERVER\username, and using the 
>> password from their local AIX account on the server.
>>
>> Asking the end-users to understand that they must run smbpasswd after 
>> updating their OS password is not realistic.  In the past, we were able to 
>> get around that by specifying "security = SHARE" in the smb.conf file.  Now 
>> that this is removed, what option do I have to ensure that users can always 
>> log in via their UNIX OS password, and don't need to run smbpasswd after 
>> running passwd?  Is there such a method?  pam_smbpass.so?
>>
>> Also, what was the last version of Samba that supported "security = share"?
>
> 3.6.x supports "security = share".
>
> But by using "security = share" you're not bypassing
> the password sync requirement. I bet you're just ignoring
> the fact they're logging in as guest.
>
> > Check out the "map to guest" parameter. You can keep
> using that with "security = user" (the default).
>
> Jeremy.

another option is to rename passwd executable and put a script in
place that runs both smbpasswd and the renamed passwd, keeping the
passwords in sync.


Re: [Samba] Samba 4 vs UNIX password

2013-01-17 Thread Jeremy Allison
On Thu, Jan 17, 2013 at 09:09:43PM +, Benjamin Huntsman wrote:
> Ok, now I'm stuck...
> 
> We have several stand-alone UNIX (AIX) systems that we need to share a few 
> SMB shares from.  None of these are joined to our domain.
> 
> We want the end-users to be able to map these shares to their Windows systems 
> using the username in the form of AIXSERVER\username, and using the password 
> from their local AIX account on the server.
> 
> Asking the end-users to understand that they must run smbpasswd after 
> updating their OS password is not realistic.  In the past, we were able to 
> get around that by specifying "security = SHARE" in the smb.conf file.  Now 
> that this is removed, what option do I have to ensure that users can always 
> log in via their UNIX OS password, and don't need to run smbpasswd after 
> running passwd?  Is there such a method?  pam_smbpass.so?
> 
> Also, what was the last version of Samba that supported "security = share"?

3.6.x supports "security = share".

But by using "security = share" you're not bypassing
the password sync requirement. I bet you're just ignoring
the fact they're logging in as guest.

Check out the "map to guest" parameter. You can keep
using that with "security = user" (the default).

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
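Added example, not code from the thread or from Samba: a Python audit that parses smb.conf text and reports the settings discussed here, namely "security = share", "encrypt passwords = no", and a "map to guest" value that turns failed logins into guest sessions on shares that accept guests. Both sample configurations are constructed, and the finding codes and function names are assumptions of this example.

```python
import re

TRUE_WORDS = {"yes", "true", "on", "1"}

# Constructed configuration carrying the settings discussed in the thread.
WEAK_CONF = """
[global]
   security = SHARE
   encrypt passwords = No
   Map To Guest = Bad User

[testshare]
   path = /testshare
   read only = no
   guest ok = yes
"""

# Constructed counterpart: per-user authentication, no guest fallback.
HARDENED_CONF = """
[global]
   security = user
   encrypt passwords = yes
   map to guest = Never

[testshare]
   path = /testshare
   read only = no
   valid users = @staff
"""


def norm(name):
    """Samba compares parameter names ignoring case and whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised parameter name: value}}.

    Assumption of this example: no backslash line continuations are used.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][norm(key)] = value.strip()
    return sections


def audit(text):
    """Return a list of (section, code, explanation) findings."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []

    if glob.get("security", "user").lower() == "share":
        findings.append(("global", "security-share",
                         "'security = share' is not available in Samba 4; "
                         "3.6.x still supports it according to the thread"))

    if glob.get("encryptpasswords", "yes").lower() not in TRUE_WORDS:
        findings.append(("global", "plaintext-passwords",
                         "'encrypt passwords = no' makes clients send the "
                         "password unencrypted over the network"))

    guest_map = norm(glob.get("maptoguest", "never"))
    if guest_map != "never":
        findings.append(("global", "map-to-guest",
                         "failed logins matching 'map to guest = %s' become "
                         "guest sessions instead of errors"
                         % glob["maptoguest"]))

    for name, params in conf.items():
        if name == "global":
            continue
        # 'public' is a synonym for 'guest ok'.
        guest_ok = params.get("guestok", params.get("public", "no")).lower()
        if guest_ok in TRUE_WORDS and guest_map != "never":
            findings.append((name, "guest-share",
                             "share accepts the guest sessions created by "
                             "'map to guest'"))
    return findings


if __name__ == "__main__":
    for section, code, text in audit(WEAK_CONF):
        print("[%s] %s: %s" % (section, code, text))
```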


[Samba] Samba 4 vs UNIX password

2013-01-17 Thread Benjamin Huntsman
Ok, now I'm stuck...

We have several stand-alone UNIX (AIX) systems that we need to share a few SMB 
shares from.  None of these are joined to our domain.

We want the end-users to be able to map these shares to their Windows systems 
using the username in the form of AIXSERVER\username, and using the password 
from their local AIX account on the server.

Asking the end-users to understand that they must run smbpasswd after updating 
their OS password is not realistic.  In the past, we were able to get around 
that by specifying "security = SHARE" in the smb.conf file.  Now that this is 
removed, what option do I have to ensure that users can always log in via their 
UNIX OS password, and don't need to run smbpasswd after running passwd?  Is 
there such a method?  pam_smbpass.so?

Also, what was the last version of Samba that supported "security = share"?

Thanks!

-Ben


[Samba] Samba 4 - Logging data entry as LDIF?

2013-01-17 Thread Robert Moggach
Without knowing the process by which data is added to the directory,
is there any logging output that shows LDIF data as entries are added?
... Or is the LDIF component more of a
translation layer? I've been scripting some tools to more easily
automate some of the Linux things I need but I invariably corrupt my
test directory on a daily basis. I'd like to be able to add entries on
Windows and see the logging on Linux so I can more easily reconcile
where I'm making mistakes. I have a hunch it's something to do with
primary Group ID or gidNumber or uidNumber in combination with a
missing posixAccount or msSFU30NisDomain attribute.



Re: [Samba] samba 4 samba-tool user encrypted password

2013-01-16 Thread Andrew Bartlett
On Wed, 2013-01-16 at 10:41 +0100, sergio.conrad wrote:
> Hello,
> 
> thanks with the good job with samba 4.
> I was wondering, is there a possibility to use an already encrypted password 
> like sambaNTPassword or {SSHA} encrypted password with samba-tool user 
> command ?

We need the plaintext because we need to make not only arcfour-hmac-md5
key (the unicodePwd, the NT hash), but also AES keys and (if configured)
DES keys.

You can set only the unicodePwd if you must, to the NT hash value, but
not a {SSHA} value.  You cannot currently do this via tools, but see
discussions on this list for examples of code that can set the magic
flags to allow this.

Andrew Bartlett

-- 
Andrew Bartlett  http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] samba 4 samba-tool user encrypted password

2013-01-16 Thread sergio.conrad
Hello,

thanks with the good job with samba 4.
I was wondering, is there a possibility to use an already encrypted password 
like sambaNTPassword or {SSHA} encrypted password with samba-tool user command ?

Regards,
Serge Conrad 


Re: [Samba] Samba 4 on AIX with XLC

2013-01-15 Thread Benjamin Huntsman
Just to report back in on this, the traditional build system under source3 
worked for us, and we were able to build and install a working set of Samba 
binaries.  At this time, we only need the file server bits.
I'll give the new build system another shot when 4.0.1 comes out.

Thanks again!

-Ben


Re: [Samba] Samba 4 on AIX with XLC

2013-01-12 Thread Volker Lendecke
On Sat, Jan 12, 2013 at 01:09:55AM +, Benjamin Huntsman wrote:
> >Those should have been linked into smbd directly as configure on AIX
> >adds vfs_aixacl to the list of modules to be compiled statically.
> >
> >Would you mind opening a bug on https://bugzilla.samba.org for tracking?
> >
> >Cheers,
> >Christian
> 
> Hi there!
>Thanks for the reply!
>I have added Bug 9557:  https://bugzilla.samba.org/show_bug.cgi?id=9557
> 
>Any chance it'll be patched by the end of next week? :)  har har.
> 
>In the mean time, I think I'm going to revert to trying to build the most 
> recent stable version of Samba 3.6.x.
>I'll happily provide whatever data I can and assist with testing to get 
> Samba 4 building and running on AIX...  Just let me know.

Quick remark: if 3.6 is an option for you, then you seem
to be happy with just the file server without a DC. For
that, the autoconf based build system in source3 should
still work the same as it did in 3.6. This will not build
the AD DC however.

With best regards,

Volker Lendecke

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kont...@sernet.de


Re: [Samba] Samba 4 on AIX with XLC

2013-01-11 Thread Benjamin Huntsman
>Those should have been linked into smbd directly as configure on AIX
>adds vfs_aixacl to the list of modules to be compiled statically.
>
>Would you mind opening a bug on https://bugzilla.samba.org for tracking?
>
>Cheers,
>Christian

Hi there!
   Thanks for the reply!
   I have added Bug 9557:  https://bugzilla.samba.org/show_bug.cgi?id=9557

   Any chance it'll be patched by the end of next week? :)  har har.

   In the mean time, I think I'm going to revert to trying to build the most 
recent stable version of Samba 3.6.x.
   I'll happily provide whatever data I can and assist with testing to get 
Samba 4 building and running on AIX...  Just let me know.

Thanks again!

-Ben


Re: [Samba] Samba 4 on AIX with XLC

2013-01-11 Thread Christian Ambach

On 01/11/2013 06:04 PM, Benjamin Huntsman wrote:

> 1. What can be done about the libraries not getting copied?  Is this
> a bug in my build, or in the build system?

I can see this as well on my AIX6.1 system. So it's probably an issue
with the build system.

> 2. Do I need to move certain ones of them to other subdirectories in
> the lib directory?

No, the buildsystem should have copied them there as well.

> 3. If I tracked down the ones below and copied them by hand, might
> there be others still that I missed?

Once the problem with the buildsystem gets sorted out, you wouldn't have
to care.

Please open a bug so we can track this problem.

> 4. With all the subdirectories under lib, am I going to have to
> define a pretty complicated LD_LIBRARY_PATH to get this to run?

No, the binaries should be linked against those libraries with absolute
paths. You might only need to set LD_LIBRARY_PATH for libs like
libtalloc and libtdb that are supposed to be installed under a standard
library path like /usr/lib/. The private libs will be installed
somewhere else, but still be found due to the absolute linking.

> 5. Is there a way I can build the whole thing static from the
> Python-based build system?  I didn't see an option for that with
> ./configure --help.

Not with the waf buildsystem. If you are only interested in the
file/print serving part, you can give the old buildsystem in source3 a
try instead.

Cheers,
Christian


Re: [Samba] Samba 4 on AIX with XLC

2013-01-11 Thread Christian Ambach

On 01/10/2013 12:18 AM, Benjamin Huntsman wrote:

> There may be others, but by copying those into /opt/samba-4.0.0/lib, I was able
> to get my compiled smbd to at least spit out the following message:
>
> bash-3.2# /opt/samba-4.0.0/sbin/smbd -b
> exec(): 0509-036 Cannot load program /opt/samba-4.0.0/sbin/smbd because of the
> following errors:
> rtld: 0712-001 Symbol aixacl_to_smbacl was referenced
>    from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a
> runtime definition
>    of the symbol was not found.
> rtld: 0712-001 Symbol aixacl_smb_to_aixacl was referenced
>    from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a
> runtime definition
>    of the symbol was not found.
> bash-3.2#
>
> So looks like I'm still missing aixacl_to_smbacl and aixacl_smb_to_aixacl.  Any
> idea where I'd get those, and why they're not being found?

Those should have been linked into smbd directly as configure on AIX
adds vfs_aixacl to the list of modules to be compiled statically.

Would you mind opening a bug on https://bugzilla.samba.org for tracking?

Cheers,
Christian



Re: [Samba] SAMBA 4 acting as Domain Server- Is Exchange 2010 capable of being installed?

2013-01-11 Thread Matthew Gear
Thank you Dominic, I will try this and see how it goes.  I will update and
let you know FYI.
Thank you for the interjection!


On Fri, Jan 11, 2013 at 5:14 AM, Dominic Evans  wrote:

> On 11 January 2013 05:02, Matthew Gear  wrote:
> > I am attempting to install an Exchange 2010 deployment for integrated UM
> > testing.
> > As I attempted to extend the schema of the SAMBA 4 AD (setup /ps), the
> > setup program came back and reported the following:
> >
> > "The Domain Controller 'smb4.homelab.int' is running the 4.0.0 version
> > of the operating system. Minimal requested version is 5.2 (3790)
> > Service Pack 1".
> >
> > Is it possible to install Exchange 2010 in a Samba4 Active Directory
> > environment ?
>
> Hmm. You could experiment with setting the 'server string' variable in
> smb.conf to something like "Windows Server 2003 R2 5.2" and seeing if
> the Exchange deployment is parsing server string or some other
> attribute in the samba publication.
>
> I don't believe there are currently any other options in smb.conf for
> masquerading Samba server type from UNIX to an arbitrary Windows.
>


Re: [Samba] Samba 4 on AIX with XLC

2013-01-11 Thread Benjamin Huntsman
Sorry to be an annoyance, but I'm at a loss here and begging for help...

The Python-based build says it completes successfully, and the make install 
also says it completes successfully.  Yet it doesn't copy all the required 
shared libraries, and the resultant binaries don't run.  I copied the missing 
shared objects by hand, which may or may not be a very good solution.  I put 
them all in /opt/samba-4.0.0/lib, but I suspect some of them were intended to 
live in different subdirectories thereof.

Once the named libraries were copied, it then tells me it can't find the 
following symbols:

aixacl_to_smbacl
aixacl_smb_to_aixacl

Don't know what to do next...

So, my questions are:

1. What can be done about the libraries not getting copied?  Is this a bug in 
my build, or in the build system?
2. Do I need to move certain ones of them to other subdirectories in the lib 
directory?
3. If I tracked down the ones below and copied them by hand, might there be 
others still that I missed?
4. With all the subdirectories under lib, am I going to have to define a pretty 
complicated LD_LIBRARY_PATH to get this to run?
5. Is there a way I can build the whole thing static from the Python-based 
build system?  I didn't see an option for that with ./configure --help.

Anyway, I think we're crazy close, but I'm still missing that last little 
hurdle.  Many thanks in advance!!

-Ben


From: samba-boun...@lists.samba.org [samba-boun...@lists.samba.org] on behalf 
of Benjamin Huntsman [bhunts...@mail2.cu-portland.edu]
Sent: Wednesday, January 09, 2013 3:18 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Samba 4 on AIX with XLC

Just FYI, here are at least some of the shared objects that don't get copied to 
the destination when running "make install":

libtalloc.so
libgssapi-samba4.so
libtdb.so
libtevent.so
libkrb5-samba4.so
libroken-samba4.so
libasn1-samba4.so
libhcrypto-samba4.so
libcom_err-samba4.so
libwind-samba4.so
libldb.so
libheimbase-samba4.so
libhx509-samba4.so
libpyldb-util.so

There may be others, but by copying those into /opt/samba-4.0.0/lib, I was able 
to get my compiled smbd to at least spit out the following message:

bash-3.2# /opt/samba-4.0.0/sbin/smbd -b
exec(): 0509-036 Cannot load program /opt/samba-4.0.0/sbin/smbd because of the 
following errors:
rtld: 0712-001 Symbol aixacl_to_smbacl was referenced
  from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime 
definition
  of the symbol was not found.
rtld: 0712-001 Symbol aixacl_smb_to_aixacl was referenced
  from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime 
definition
  of the symbol was not found.
bash-3.2#


So looks like I'm still missing aixacl_to_smbacl and aixacl_smb_to_aixacl.  Any 
idea where I'd get those, and why they're not being found?

Thanks!

-Ben
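
Added example, not part of the original thread: a small shell helper that turns the AIX loader output quoted above into one "symbol, referencing module" pair per unresolved symbol, which is convenient to attach to a bug report. The function names and the embedded sample (copied from the message, wrapping included) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the loader output quoted in the thread, with the
# line wrapping introduced by the mail client left in place.
SAMPLE_RTLD_OUTPUT='exec(): 0509-036 Cannot load program /opt/samba-4.0.0/sbin/smbd because of the
following errors:
rtld: 0712-001 Symbol aixacl_to_smbacl was referenced
  from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime
definition
  of the symbol was not found.
rtld: 0712-001 Symbol aixacl_smb_to_aixacl was referenced
  from module /opt/samba-4.0.0/lib/private/libsmbd_base.so(), but a runtime
definition
  of the symbol was not found.'

# unresolved_symbols (hypothetical helper): read loader output on stdin and
# print "symbol<TAB>module" for every 0712-001 record.
unresolved_symbols() {
    # Join all lines first so wrapped records become one searchable string.
    tr '\n' ' ' | awk '
    {
        n = split($0, rec, "rtld: 0712-001 Symbol ")
        for (i = 2; i <= n; i++) {            # rec[1] is the text before the first record
            m = split(rec[i], w, " ")
            mod = "(unknown)"
            for (j = 2; j < m; j++)
                if (w[j] == "module") { mod = w[j + 1]; break }
            sub(/\(.*/, "", mod)              # drop the "()," member suffix
            printf "%s\t%s\n", w[1], mod
        }
    }'
}

# modules_with_unresolved (hypothetical helper): print "module<TAB>count",
# i.e. how many unresolved symbols each module references.
modules_with_unresolved() {
    unresolved_symbols | cut -f2 | sort | uniq -c | awk '{ print $2 "\t" $1 }'
}

printf '%s\n' "$SAMPLE_RTLD_OUTPUT" | unresolved_symbols
```
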


[Samba] [SAMBA] Samba 4: Workstations unable to join, "The specified network name is no longer available"

2013-01-11 Thread Carlo Rengo
Hi,

first of all, sorry for my poor English.
I have installed Samba4 (stable tarball) on a fresh Centos 6.3 x64 server,
with the "classicupgrade" command.

With great difficulty I managed to correctly configure the DNS server
(bind).
"kinit", "smbclient" and "samba_dnsupdate --verbose --all-names" give the
desired output.
Starting samba daemon, this is the output:

lpcfg_load: refreshing parameters from /etc/samba/smb.conf
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
samba version 4.0.0 started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'standard' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'standard' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
dreplsrv_partition[CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
dreplsrv_partition[DC=sede,DC=i-node,DC=it] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=sede,DC=i-node,DC=it] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=sede,DC=i-node,DC=it] loaded
kccsrv_partition[DC=sede,DC=i-node,DC=it] loaded
kccsrv_partition[CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=sede,DC=i-node,DC=it] loaded
kccsrv_partition[DC=DomainDnsZones,DC=sede,DC=i-node,DC=it] loaded
kccsrv_partition[DC=ForestDnsZones,DC=sede,DC=i-node,DC=it] loaded
Calling DNS name update script
Calling SPN name update script
/usr/sbin/smbd: smbd version 4.0.0 started.
/usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2012
/usr/sbin/smbd: standard input is not a socket, assuming -D option
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Completed SPN update check OK
Completed DNS update check OK

These two lines

Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

are very suspicious, and reappear every time I try to connect a PC to the
server, with a slightly different text:

Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

After a minute, I see this message on the Windows Computer:
"The specified network name is no longer available"

These errors appear even if I try a different samba 4 version, by compiling
it from GIT or by installing a beta RPM from a repo. I've tried also with a
fresh samba setup (no import from samba 3), still with the same errors.
There's something I'm missing, does anyone know how t
