Re: [Samba] Winbind problem

2007-10-05 Thread herman
I'm looking into the same kind of problem. I have found that it is
related to something on the AD Server itself. By rolling the Windows
server back a few days, things work again, without making any changes in
Linux. It seems to have something to do with the definition of Security
groups or policies in Windows, causing Winbind on Linux to blow up.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Winbind problem

2007-10-04 Thread Wilkinson, Alex
On Fri, Oct 05, 2007 at 06:45:21AM +0800, mail wrote: 

>I have a CentOS 4.4 Linux server set up with Winbind for Windows 2003 AD 
>integration; winbind suddenly can't receive AD accounts. I can use 
>wbinfo -u to show AD user names and groups etc., but getent passwd isn't 
>pulling across all of the domain accounts.

Is your idmap range large enough? Try increasing it, e.g.

idmap config dsto:range = 1-50

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.




[Samba] Winbind problem

2007-10-04 Thread mail
Hello,

I have a CentOS 4.4 Linux server set up with Winbind for Windows 2003 AD 
integration; winbind suddenly can't receive AD accounts. I can use 
wbinfo -u to show AD user names and groups etc., but getent passwd isn't 
pulling across all of the domain accounts.

Here is the winbind log:

[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2439
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC40$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2438
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC42$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2437
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC37$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2436
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC38$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2435
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC44$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2434
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)



Thx !!
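Added example (not code from this post or from Samba): a small Python script that pairs the winbindd_fill_pwent / winbindd_getpwent lines from a log like the one above, extracts the SID, RID and account name, flags computer accounts (trailing "$"), and compares the number of distinct failing SIDs with the capacity of an "idmap uid" range of the kind Alex suggests enlarging. The log excerpt embedded in it is constructed from the lines quoted in this post; the 10000-20000 range used at the bottom is an assumed value, not the poster's setting.

```python
import re

# Constructed sample, copied from the winbindd log lines quoted in the post
# (same SIDs and machine-account names, shortened to two pairs).
SAMPLE_LOG = """\
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2439
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC40$
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_fill_pwent(50)
error getting user id for sid S-1-5-21-106390638-1002753184-2220938350-2438
[2007/10/04 23:31:08, 1] nsswitch/winbindd_user.c:winbindd_getpwent(566)
could not lookup domain user SFA07ITLC42$
"""

# A domain SID is S-1-5-21-<three sub-authorities>-<RID>; the RID is the last part.
SID_RE = re.compile(r"error getting user id for sid (S-1-5-21-(\d+-\d+-\d+)-(\d+))")
USER_RE = re.compile(r"could not lookup domain user (\S+)")


def parse_winbind_log(text):
    """Pair each 'error getting user id for sid' line with the
    'could not lookup domain user' line that follows it.

    Returns a list of dicts: sid, domain_sid, rid, account, machine_account.
    """
    records = []
    pending = None  # last SID seen whose account name has not appeared yet
    for line in text.splitlines():
        m = SID_RE.search(line)
        if m:
            if pending is not None:  # previous SID line had no name after it
                records.append(pending)
            pending = {"sid": m.group(1), "domain_sid": m.group(2),
                       "rid": int(m.group(3)), "account": None,
                       "machine_account": False}
            continue
        m = USER_RE.search(line)
        if m and pending is not None:
            pending["account"] = m.group(1)
            # AD computer accounts carry a trailing '$' in their sAMAccountName
            pending["machine_account"] = m.group(1).endswith("$")
            records.append(pending)
            pending = None
    if pending is not None:
        records.append(pending)
    return records


def parse_idmap_range(spec):
    """'10000-20000' -> (10000, 20000); rejects inverted or malformed ranges."""
    lo, hi = (int(x.strip()) for x in spec.split("-", 1))
    if lo >= hi:
        raise ValueError("idmap range must be low-high with low < high: %r" % spec)
    return lo, hi


def assess(records, idmap_uid_range):
    """Summarise the failures against the configured 'idmap uid' range.

    With the tdb backend every distinct domain SID that is ever looked up
    consumes one id from the range, so the range capacity is the ceiling on
    users + computers winbind can map; once it is used up, allocations fail.
    """
    lo, hi = parse_idmap_range(idmap_uid_range)
    distinct = {r["sid"] for r in records}
    return {
        "capacity": hi - lo + 1,
        "failed_sids": len(distinct),
        "machine_accounts": sum(1 for r in records if r["machine_account"]),
        "domains": sorted({r["domain_sid"] for r in records}),
        "rid_span": (min(r["rid"] for r in records),
                     max(r["rid"] for r in records)) if records else None,
    }


if __name__ == "__main__":
    recs = parse_winbind_log(SAMPLE_LOG)
    for r in recs:
        print("%-48s rid=%-6d %s%s" % (r["sid"], r["rid"], r["account"],
              "  (computer account)" if r["machine_account"] else ""))
    print(assess(recs, "10000-20000"))  # assumed range, not the poster's
```

Run it against the real log with the real "idmap uid" value; if the failing SIDs are all computer accounts from one domain and their RIDs are contiguous, the domain simply outgrew the range and the fix is the larger range Alex describes, rather than anything on the DC.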


[Samba] Winbind & AD group membership caching

2007-09-27 Thread Kristoffer Knigga
I've been playing with joining RHEL4 (CentOS) machines to a Win2k3
Active Directory.

I've got everything pretty well squared away, except that the linux box
never seems to see changes to users' group memberships.  For example, I
created a user, testuser, who was initially just a member of Domain Users.
I logged into the linux box with testuser successfully and both 'id' and
'wbinfo' displayed correct information.  I then logged out and using AD
Users and Groups, I added testuser to a new global group, testgroup.

Logging back into the linux box as testuser, I checked both 'id' and
'wbinfo' and the new group membership is not reflected.  I understand
that by default winbind caches such things for 5 minutes, and since I
have not changed this value, I waited for at least 5 minutes and tried
again with the same results.  Just to be sure, I even let it sit over
night, but the new group membership still does not show up.

The reason this is important to me is because I've set up Domain Admins
in /etc/sudoers.  If a user is added to the Domain Admins group, or
removed for that matter, and this isn't reflected, that'd be bad.

Is there any way to even force the cache to clear?

smb.conf:
[global]
workgroup = LINUXAUTHTEST
realm = LINUXAUTHTEST.AD
server string = Samba Server
security = ADS
password server = linuxauthtestdc.linuxauthtest.ad
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
printcap name = /etc/printcap
preferred master = No
local master = No
domain master = No
dns proxy = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/bash
winbind use default domain = Yes
cups options = raw

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = LINUXAUTHTEST.AD
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

 LINUXAUTHTEST.AD = {
  kdc = linuxauthtestdc.linuxauthtest.ad:88
  admin_server = linuxauthtestdc.linuxauthtest.ad:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

uname -a
Linux LinuxTestVM 2.6.9-55.ELsmp #1 SMP Wed May 2 14:28:44 EDT 2007 i686
i686 i386 GNU/Linux

winbindd --version
Version 3.0.10-1.4E.12.2

Any insight would be appreciated.

Kris




___
Kristoffer Knigga
Systems Administrator
Arrow Financial Services
[EMAIL PROTECTED]
847-324-7962


[Samba] Samba (winbind) integration into an Active Directory domain

2007-09-25 Thread Chad
Hello,

I have an existing Active Directory domain with a couple hundred
users.  I am trying to setup our Linux (Gentoo specifically) servers
to allow "seamless" login integration at the console, via ssh and
possibly using smbmount.

I think I've got it pretty close, but seem to be missing something.
When my test user logs in, a home directory is created for them, the
console throws up the last login information, and then immediately
logs them back out.

I've searched the log files (messages, log.smbd/nmbd/winbind) but
don't see anything blatantly obvious.  I followed the Samba docs, and
have since tried variations that are abundant around the web.

Technical bits:
I'm authenticating via kerberos using winbind against an Active
Directory implementation on top of a Windows 2003-r2 server.
I'm running a fresh up-to-date (as of today) install of gentoo (not
~x86, just x86) 2.6.22-r5, samba 3.0.24-r3, pam 0.78-r5

My smb.conf is:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
security = ADS
password server = MYACTIVEDIRECTORYSERVER.MYDOMAIN.COM
log level = 2
idmap uid = 1-2
idmap gid = 1-2
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes

I tried changing the separator to \ to give the "feel" of Windows, but
samba didn't like it, and assumed I had no character there, so I
switched it to the often used example of +.  Other than that, I can't
see anything obviously wrong.  I can post up my nsswitch.conf and my
pam.d/login - pam.d/system-auth files if anyone thinks it's a problem
in one of those.



Thanks!

-Chad


Re: [Samba] winbind and local groups

2007-09-21 Thread George Farris
On Fri, 2007-21-09 at 00:30 +0200, Philipp Wagner wrote:
> Hello,
> 
> I got a Samba setup with an samba server being part of a Windows Domain,
> which is working great. I can authenticate using all domain users and so
> on without any problem.
> Now I added a local group named "rai-additional" to my samba system and
> added a domain user to that group (using DOMAIN+username).
> "getent passwd DOMAIN+username" shows the domain groups and "rai-additional"
> as groups, which is exactly what I want.
> Unfortunately, when I set "valid users = @rai-additional", the user
> DOMAIN+username cannot access the share. It works if I use a domain
> group, e.g. "valid users = @DOMAIN+some-group". So it seems Samba just
> ignores local groups. That also seems to be the conclusion reached some other
> times in the past (unfortunately, all of them around two years ago) [1].
> 

Did you do a groupmap of your local group?  Something like:
net groupmap add ntgroup="Windows group" unixgroup=yourunixgroup  type=d
rid=yourunixgroupid

Example:
net groupmap add ntgroup="Domain Admins" unixgroup=wheel  type=d rid=512
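Added example, not code from this reply or from Samba itself: Python that reads "net groupmap list" output, reports whether each @group in a "valid users" value has the groupmap entry it needs (share access is decided against the user's NT token, which only carries local groups that have a mapping, which is why an unmapped local group is ignored), and lists mappings that hand a well-known privileged RID such as 512 to a local group, since those deserve a second look. The "<NT name> (<SID>) -> <unix group>" line format is assumed from memory of Samba 3; the groupmap output and its domain SID are constructed.

```python
import re

# Well-known AD RIDs, fixed by the protocol rather than by any particular domain.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   518: "Schema Admins", 519: "Enterprise Admins"}

# Constructed `net groupmap list` output. The domain SID is made up; the
# RID-512 -> wheel mapping is the example given in the reply above.
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> wheel
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Local Staff (S-1-5-21-1111111111-2222222222-3333333333-1001) -> staff
"""

# Assumed line format: "<nt name> (<sid>) -> <unix group>"
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5-21-\d+-\d+-\d+)-(?P<rid>\d+)\)"
                     r" -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return one dict per mapping line: nt_name, sid, rid, unix_group."""
    maps = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            maps.append({"nt_name": m.group("nt"),
                         "sid": "%s-%s" % (m.group("sid"), m.group("rid")),
                         "rid": int(m.group("rid")),
                         "unix_group": m.group("unix")})
    return maps


def mapping_for(unix_group, maps):
    """The groupmap entry that lets a unix group appear in an NT token, or None."""
    for m in maps:
        if m["unix_group"] == unix_group:
            return m
    return None


def check_valid_users(valid_users, maps, separator="+"):
    """Split a 'valid users' value and classify each @group entry.

    Domain groups (name contains the winbind separator) are resolved by
    winbind and need no groupmap. A local group only takes effect if a
    groupmap entry exists for it.
    """
    result = {"domain": [], "mapped_local": [], "unmapped_local": [], "users": []}
    for entry in [e.strip() for e in valid_users.split(",") if e.strip()]:
        if not entry.startswith("@"):
            result["users"].append(entry)
            continue
        group = entry[1:]
        if separator in group:
            result["domain"].append(group)
        elif mapping_for(group, maps):
            result["mapped_local"].append(group)
        else:
            result["unmapped_local"].append(group)
    return result


def privileged_mappings(maps):
    """Mappings that tie a well-known privileged RID to a local unix group.

    Anyone added to that unix group then carries the mapped SID in their
    token on this server, so these deserve review (Domain Users excluded).
    """
    return [(m["unix_group"], WELL_KNOWN_RIDS[m["rid"]]) for m in maps
            if m["rid"] in WELL_KNOWN_RIDS and m["rid"] != 513]


if __name__ == "__main__":
    maps = parse_groupmap(SAMPLE_GROUPMAP)
    print(check_valid_users("@rai-additional, @DOMAIN+some-group, @staff", maps))
    print("privileged:", privileged_mappings(maps))
```

Feed it the real "net groupmap list" output and the share's "valid users" line; an entry under unmapped_local is exactly the situation Philipp describes, and the fix is the groupmap command George gives.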





[Samba] winbind and local groups

2007-09-20 Thread Philipp Wagner
Hello,

I got a Samba setup with an samba server being part of a Windows Domain,
which is working great. I can authenticate using all domain users and so
on without any problem.
Now I added a local group named "rai-additional" to my samba system and
added a domain user to that group (using DOMAIN+username).
"getent passwd DOMAIN+username" shows the domain groups and "rai-additional"
as groups, which is exactly what I want.
Unfortunately, when I set "valid users = @rai-additional", the user
DOMAIN+username cannot access the share. It works if I use a domain
group, e.g. "valid users = @DOMAIN+some-group". So it seems Samba just
ignores local groups. That also seems to be the conclusion reached some other
times in the past (unfortunately, all of them around two years ago) [1].

Now my question would be: is there a workaround for this or is this
planned for a future samba release? Or am I just doing something wrong
and it is already possible? Unfortunately, I couldn't find any notice of
that in the official documentation (maybe I just use the right search
words?)

Thank you for your help!

Philipp

[1]
http://groups.google.com/group/mailing.unix.samba/browse_thread/thread/615bcd6ba0731aed/c988151e7ff6000e?lnk=st&q=group%3Amailing.unix.samba*+%22local+group%22+winbind&rnum=9#c988151e7ff6000e


Re: [Samba] Winbind Join AD 2003 failled, why ?

2007-09-12 Thread calvano69
Hi

Now I have resolved the DNS problems ;=) thanks.
I changed the order in smb.conf to put lmhost.

But now I have a new problem:

Sep 12 10:10:03 gw net:   kerberos_kinit_password [EMAIL PROTECTED] failed: 
Client not found in Kerberos database
Sep 12 10:10:03 gw net: [2007/09/12 10:10:03, 0] 
utils/net_ads.c:ads_startup(191)
Sep 12 10:10:03 gw net:   ads_connect: Client not found in Kerberos database



Does anyone know this error?







> Message of 11/09/07 17:19
> From: "Angelina Paunovic" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: 
> Subject: Re: [Samba] Winbind Join AD 2003 failled, why ?
>
> email me your config files as well as /etc/host and /etc/nsswitch.conf
> 
> I never used lmhost :)
> 
> @
> 
> On 9/10/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >
> > Hi
> >
> > thanks for your answer, I have added my server to /etc/hosts and
> > /etc/samba/lmhost but no change:
> >
> >
> > [2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
> >   get_dc_list: preferred server list: ", *"
> > [2007/09/10 22:34:09, 1] libads/dns.c:ads_dns_lookup_srv(260)
> >   ads_dns_lookup_srv: Failed to resolve
> > _ldap._tcp.dc._msdcs.INTRANET.SOCIETY.FR (Succès)
> > [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1454)
> >   get_dc_list: no servers found
> > [2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
> >   get_dc_list: preferred server list: ", *"
> > [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1529)
> >   get_dc_list: returning 1 ip addresses in an unordered list
> > [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1530)
> >   get_dc_list: 192.168.16.53:0
> > [2007/09/10 22:34:09, 1] libads/cldap.c:recv_cldap_netlogon(215)
> >   no reply received to cldap netlogon
> > [2007/09/10 22:34:09, 3] libads/ldap.c:ads_try_connect(136)
> >   ads_try_connect: CLDAP request 192.168.16.53 failed.
> > [2007/09/10 22:34:09, 0] utils/net_ads.c:ads_startup(289)
> >   ads_connect: Connexion refusée
> > [2007/09/10 22:34:09, 2] utils/net.c:main(988)
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > > Message of 10/09/07 20:28
> > > From: "Peter Gehirnforce" <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Cc:
> > > Subject: Re: [Samba] Winbind Join AD 2003 failled, why ?
> > >
> > > this looks like being a missing /etc/hosts entry. take a look if your
> > > machine name and IP address are mapped somewhere (LinuxSrv to X.X.X.X).
> > >
> > > this happens because your broadcast is not being answered.
> > >
> > > And there you go, everything will be fine.
> > >
> > > gm.
> > >
> > >  Original Message 
> > > > Date: Mon, 10 Sep 2007 20:10:22 +0200 (CEST)
> > > > From: [EMAIL PROTECTED]
> > > > To: samba@lists.samba.org
> > > > Subject: [Samba] Winbind Join AD 2003 failled, why ?
> > >
> > > >
> > > >
> > > > Hi
> > > >
> > > > I want to add my Linux server to my Active Directory running on Windows
> > > > 2003 Server.
> > > >
> > > > My krb:
> > > >
> > > > [libdefaults]
> > > > default_realm = INTRANET.SOCIETY.FR
> > > >
> > > > [realms]
> > > > INTRANET.SOCIETY.FR = {
> > > > kdc = 192.168.16.1
> > > > kdc = 19.168.16.7
> > > > kpasswd_server = 192.168.16.1
> > > > default_domain = SOCIETY}
> > > >
> > > > [domain_realms]
> > > > .cv216.intranet.society.fr = INTRANET.SOCIETY.FR
> > > > .cv217.intranet.society.fr = INTRANET.SOCIETY.FR
> > > > .intranet.society.fr = INTRANET.SOCIETY.FR
> > > >
> > > > [logging]
> > > > kdc = FILE:/var/log/kerberos/krb5kdc.log
> > > > admin_server = FILE:/var/log/kerberos/kadmin.log
> > > > default = FILE:/var/log/kerberos/krb5lib.log
> > > >
> > > >
> > > > When I test with:
> > > > kinit [EMAIL PROTECTED] it's correct, that works.
> > > >
> > > > my smb.conf:
> > > > [global]
> > > >workgroup = SOCIETY
> > > >netbios name = LinxSrv
> > > >server string = LinuxSrv Proxy Server
> > > >
> > > >

Re: [Samba] Winbind Join AD 2003 failled, why ?

2007-09-10 Thread Gerald (Jerry) Carter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

[EMAIL PROTECTED] wrote:
> Hi
> 
> thanks for your answer, I have added my server to /etc/hosts and 
> /etc/samba/lmhost but no change:
> 
> 
> [2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
>   get_dc_list: preferred server list: ", *"
> [2007/09/10 22:34:09, 1] libads/dns.c:ads_dns_lookup_srv(260)
>   ads_dns_lookup_srv: Failed to resolve 
> _ldap._tcp.dc._msdcs.INTRANET.SOCIETY.FR (Succès)
> [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1454)
>   get_dc_list: no servers found
> [2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
>   get_dc_list: preferred server list: ", *"
> [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1529)
>   get_dc_list: returning 1 ip addresses in an unordered list
> [2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1530)
>   get_dc_list: 192.168.16.53:0
> [2007/09/10 22:34:09, 1] libads/cldap.c:recv_cldap_netlogon(215)
>   no reply received to cldap netlogon
> [2007/09/10 22:34:09, 3] libads/ldap.c:ads_try_connect(136)
>   ads_try_connect: CLDAP request 192.168.16.53 failed.

Is this a real DC?

> [2007/09/10 22:34:09, 0] utils/net_ads.c:ads_startup(289)
>   ads_connect: Connexion refusée

Looks to be refusing connections on tcp/389.




jerry
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2.2 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG5bH3IR7qMdg1EfYRAhLuAJ4lxEz6eeOxbeiWqz1oImA9yzbw7gCg7Ny5
n5SL9JGs2cDlVXH8ZnR5aIY=
=vfU6
-END PGP SIGNATURE-


Re: [Samba] Winbind Join AD 2003 failled, why ?

2007-09-10 Thread calvano69
Hi

thanks for your answer, I have added my server to /etc/hosts and 
/etc/samba/lmhost but no change:


[2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2007/09/10 22:34:09, 1] libads/dns.c:ads_dns_lookup_srv(260)
  ads_dns_lookup_srv: Failed to resolve 
_ldap._tcp.dc._msdcs.INTRANET.SOCIETY.FR (Succès)
[2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1454)
  get_dc_list: no servers found
[2007/09/10 22:34:09, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an unordered list
[2007/09/10 22:34:09, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 192.168.16.53:0
[2007/09/10 22:34:09, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/09/10 22:34:09, 3] libads/ldap.c:ads_try_connect(136)
  ads_try_connect: CLDAP request 192.168.16.53 failed.
[2007/09/10 22:34:09, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Connexion refusée
[2007/09/10 22:34:09, 2] utils/net.c:main(988)










> Message of 10/09/07 20:28
> From: "Peter Gehirnforce" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: 
> Subject: Re: [Samba] Winbind Join AD 2003 failled, why ?
>
> this looks like being a missing /etc/hosts entry. take a look if your 
> machine name and IP address are mapped somewhere (LinuxSrv to X.X.X.X).
> 
> this happens because your broadcast is not being answered.
> 
> And there you go, everything will be fine.
> 
> gm.
> 
>  Original Message 
> > Date: Mon, 10 Sep 2007 20:10:22 +0200 (CEST)
> > From: [EMAIL PROTECTED]
> > To: samba@lists.samba.org
> > Subject: [Samba] Winbind Join AD 2003 failled, why ?
> 
> > 
> > 
> > Hi
> > 
> > I want to add my Linux server to my Active Directory running on Windows 2003
> > Server.
> > 
> > My krb:
> > 
> > [libdefaults]
> > default_realm = INTRANET.SOCIETY.FR
> > 
> > [realms]
> > INTRANET.SOCIETY.FR = {
> > kdc = 192.168.16.1
> > kdc = 19.168.16.7
> > kpasswd_server = 192.168.16.1
> > default_domain = SOCIETY}
> > 
> > [domain_realms]
> > .cv216.intranet.society.fr = INTRANET.SOCIETY.FR
> > .cv217.intranet.society.fr = INTRANET.SOCIETY.FR
> > .intranet.society.fr = INTRANET.SOCIETY.FR
> > 
> > [logging]
> > kdc = FILE:/var/log/kerberos/krb5kdc.log
> > admin_server = FILE:/var/log/kerberos/kadmin.log
> > default = FILE:/var/log/kerberos/krb5lib.log
> > 
> > 
> > When I test with:
> > kinit [EMAIL PROTECTED] it's correct, that works.
> > 
> > my smb.conf:
> > [global]
> >workgroup = SOCIETY
> >netbios name = LinxSrv
> >server string = LinuxSrv Proxy Server
> > 
> >log file = /var/log/samba/log.%m
> >max log size = 500
> >log level = 10
> > 
> >map to guest = bad user
> > 
> >security = ads
> >realm = INTRANET.SOCIETY.FR
> >password server = *
> >encrypt passwords = yes
> >idmap uid = 1-2
> >idmap gid = 1-2
> >winbind separator = /
> >winbind use default domain = yes
> >winbind enum users = yes
> >winbind enum groups = yes
> > 
> >encrypt passwords = yes
> >smb passwd file = /etc/samba/smbpasswd
> >socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > 
> >interfaces = 192.168.16.58/23
> > 
> > 
> > When I start the join:
> > net ads join -U administrateur 
> > 
> > I have this error
> > 
> > [EMAIL PROTECTED] etc]# net ads join -U administrateur --debuglevel=4
> > [2007/09/10 21:09:30, 3] param/loadparm.c:lp_load(4945)
> >   lp_load: refreshing parameters
> > [2007/09/10 21:09:30, 3] param/loadparm.c:init_globals(1410)
> >   Initialising global parameters
> > [2007/09/10 21:09:30, 3] param/params.c:pm_process(572)
> >   params.c:pm_process() - Processing configuration file
> > "/etc/samba/smb.conf"
> > [2007/09/10 21:09:30, 3] param/loadparm.c:do_section(3687)
> >   Processing section "[global]"
> >   doing parameter workgroup = SOCIETY  doing parameter netbios name =
> > Ophelys
> > [2007/09/10 21:09:30, 4] param/loadparm.c:handle_netbios_name(3045)
> >   handle_netbios_name: set global_myname to: LINUXSRV
> >   doing parameter server string = LinuxSrv Proxy Server

[Samba] Winbind Join AD 2003 failled, why ?

2007-09-10 Thread calvano69


Hi

I want to add my Linux server to my Active Directory running on Windows 2003 
Server.

My krb:

[libdefaults]
default_realm = INTRANET.SOCIETY.FR

[realms]
INTRANET.SOCIETY.FR = {
kdc = 192.168.16.1
kdc = 19.168.16.7
kpasswd_server = 192.168.16.1
default_domain = SOCIETY}

[domain_realms]
.cv216.intranet.society.fr = INTRANET.SOCIETY.FR
.cv217.intranet.society.fr = INTRANET.SOCIETY.FR
.intranet.society.fr = INTRANET.SOCIETY.FR

[logging]
kdc = FILE:/var/log/kerberos/krb5kdc.log
admin_server = FILE:/var/log/kerberos/kadmin.log
default = FILE:/var/log/kerberos/krb5lib.log


When I test with:
kinit [EMAIL PROTECTED] it's correct, that works.

my smb.conf:
[global]
   workgroup = SOCIETY
   netbios name = LinxSrv
   server string = LinuxSrv Proxy Server

   log file = /var/log/samba/log.%m
   max log size = 500
   log level = 10

   map to guest = bad user

   security = ads
   realm = INTRANET.SOCIETY.FR
   password server = *
   encrypt passwords = yes
   idmap uid = 1-2
   idmap gid = 1-2
   winbind separator = /
   winbind use default domain = yes
   winbind enum users = yes
   winbind enum groups = yes

   encrypt passwords = yes
   smb passwd file = /etc/samba/smbpasswd
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   interfaces = 192.168.16.58/23


When I start the join:
net ads join -U administrateur 

I have this error

[EMAIL PROTECTED] etc]# net ads join -U administrateur --debuglevel=4
[2007/09/10 21:09:30, 3] param/loadparm.c:lp_load(4945)
  lp_load: refreshing parameters
[2007/09/10 21:09:30, 3] param/loadparm.c:init_globals(1410)
  Initialising global parameters
[2007/09/10 21:09:30, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2007/09/10 21:09:30, 3] param/loadparm.c:do_section(3687)
  Processing section "[global]"
  doing parameter workgroup = SOCIETY  doing parameter netbios name = Ophelys
[2007/09/10 21:09:30, 4] param/loadparm.c:handle_netbios_name(3045)
  handle_netbios_name: set global_myname to: LINUXSRV
  doing parameter server string = LinuxSrv Proxy Server
  doing parameter log file = /var/log/samba/log.%m
  doing parameter max log size = 500
  doing parameter log level = 10
  doing parameter map to guest = bad user
  doing parameter security = ads
  doing parameter realm = INTRANET.SOCIETY.FR
  doing parameter password server = *
  doing parameter encrypt passwords = yes
  doing parameter idmap uid = 1-2
  doing parameter idmap gid = 1-2
  doing parameter winbind separator = /
  doing parameter winbind use default domain = yes
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter encrypt passwords = yes
  doing parameter smb passwd file = /etc/samba/smbpasswd
  doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  doing parameter interfaces = 192.168.16.58/23
[2007/09/10 21:09:30, 4] param/loadparm.c:lp_load(4976)
  pm_process() returned Yes
[2007/09/10 21:09:30, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.16.58 bcast=192.168.17.255 nmask=255.255.254.0
administrateur's password:
[2007/09/10 21:09:32, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2007/09/10 21:09:32, 1] libads/dns.c:ads_dns_lookup_srv(260)
  ads_dns_lookup_srv: Failed to resolve 
_ldap._tcp.dc._msdcs.INTRANET.SOCIETY.FR (Succès)
[2007/09/10 21:09:32, 4] libsmb/namequery.c:get_dc_list(1454)
  get_dc_list: no servers found
[2007/09/10 21:09:32, 3] libsmb/namequery.c:get_dc_list(1426)
  get_dc_list: preferred server list: ", *"
[2007/09/10 21:09:32, 4] libsmb/namequery.c:get_dc_list(1529)
  get_dc_list: returning 1 ip addresses in an unordered list
[2007/09/10 21:09:32, 4] libsmb/namequery.c:get_dc_list(1530)
  get_dc_list: 10.37.16.53:0
[2007/09/10 21:09:32, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/09/10 21:09:32, 3] libads/ldap.c:ads_try_connect(136)
  ads_try_connect: CLDAP request 192.168.16.53 failed.
[2007/09/10 21:09:32, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Connexion refusée
[2007/09/10 21:09:32, 2] utils/net.c:main(988)
  return code = -1
[EMAIL PROTECTED] etc]#



Does anyone know this problem? I run on Mandriva with Samba-winbind 3.0.23d

Thanks for your help
Olivier
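Added example (not the poster's code and not Samba's): Python that checks a krb5.conf like the one in this thread for section names MIT krb5 does not know (the file above has [domain_realms] where MIT expects [domain_realm], so the mappings in it are never read), confirms the default_realm has KDCs, and then runs the "net ads join --debuglevel=4" output through a small table of failure signatures in the order they appear: SRV lookup failure, no DC candidates, CLDAP silence, tcp/389 refused, and the "Client not found in Kerberos database" error from the follow-up. Both inputs are constructed from lines quoted in this thread; the meanings attached to each signature are the standard ones for those messages.

```python
import re

# MIT krb5 section names; [domain_realms] (plural) is not one of them.
KNOWN_SECTIONS = {"libdefaults", "realms", "domain_realm", "logging",
                  "appdefaults", "kdc", "capaths", "login", "dbmodules", "plugins"}

# Constructed krb5.conf fragment, modelled on the one quoted in the thread.
SAMPLE_KRB5 = """\
[libdefaults]
default_realm = INTRANET.SOCIETY.FR

[realms]
INTRANET.SOCIETY.FR = {
kdc = 192.168.16.1
kdc = 19.168.16.7
kpasswd_server = 192.168.16.1
default_domain = SOCIETY}

[domain_realms]
.intranet.society.fr = INTRANET.SOCIETY.FR
"""

# Constructed excerpt of 'net ads join --debuglevel=4' output, lines from the thread.
SAMPLE_JOIN_LOG = """\
[2007/09/10 21:09:32, 1] libads/dns.c:ads_dns_lookup_srv(260)
  ads_dns_lookup_srv: Failed to resolve _ldap._tcp.dc._msdcs.INTRANET.SOCIETY.FR (Succès)
[2007/09/10 21:09:32, 4] libsmb/namequery.c:get_dc_list(1454)
  get_dc_list: no servers found
[2007/09/10 21:09:32, 1] libads/cldap.c:recv_cldap_netlogon(215)
  no reply received to cldap netlogon
[2007/09/10 21:09:32, 0] utils/net_ads.c:ads_startup(289)
  ads_connect: Connexion refusée
"""


def parse_krb5(text):
    """Minimal krb5.conf reader -> (sections, realms), each {name: {key: [values]}}.
    Accepts the 'value}' form in the thread's file (closing brace on the last entry)."""
    sections, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section, realm = m.group(1), None
            sections.setdefault(section, {})
        elif section == "realms" and line.endswith("{"):
            realm = line[:-1].split("=", 1)[0].strip()
            realms.setdefault(realm, {})
        elif line == "}":
            realm = None
        else:
            key, _, val = line.partition("=")
            key, val = key.strip(), val.strip()
            closes = val.endswith("}")
            target = realms[realm] if realm else sections.setdefault(section, {})
            target.setdefault(key, []).append(val[:-1].strip() if closes else val)
            realm = None if closes else realm
    return sections, realms


def audit_krb5(text):
    """Return [(tag, detail)] for problems that stop a join before it starts."""
    sections, realms = parse_krb5(text)
    findings = []
    for name in sections:
        if name not in KNOWN_SECTIONS:
            hint = name.rstrip("s")
            hint = " (did you mean [%s]?)" % hint if hint in KNOWN_SECTIONS else ""
            findings.append(("unknown_section", "[%s] is not a krb5.conf section%s" % (name, hint)))
    default_realm = sections.get("libdefaults", {}).get("default_realm", [None])[0]
    if default_realm not in realms:
        findings.append(("default_realm_undefined", str(default_realm)))
    for realm, keys in realms.items():
        if not keys.get("kdc"):
            findings.append(("no_kdc", realm))
    if "domain_realm" not in sections:
        findings.append(("no_domain_realm", "host-to-realm mapping falls back to default_realm / DNS"))
    return findings


# (tag, regex, meaning) in the order net ads join normally reports them.
JOIN_SIGNATURES = [
    ("dns_srv", r"ads_dns_lookup_srv: Failed to resolve (\S+)",
     "SRV lookup failed: the resolver is not using AD DNS, or the realm is not the AD domain"),
    ("no_dc", r"get_dc_list: no servers found",
     "DNS produced no DC candidates; Samba falls back to NetBIOS name resolution"),
    ("cldap_silent", r"no reply received to cldap netlogon",
     "the candidate host did not answer CLDAP on udp/389: wrong address, not a DC, or filtered"),
    ("ldap_refused", r"ads_connect: (Connexion refusée|Connection refused)",
     "tcp/389 refused: nothing is serving AD LDAP at that address"),
    ("principal_unknown", r"Client not found in Kerberos database",
     "the KDC does not know the client principal: name/realm mismatch or the wrong KDC"),
]


def triage_join_log(text):
    """Return [(tag, line_no, captured_detail_or_None, meaning)] in log order."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for tag, pattern, why in JOIN_SIGNATURES:
            m = re.search(pattern, line)
            if m:
                hits.append((tag, n, m.group(1) if m.groups() else None, why))
    return hits
```

Calling audit_krb5 on the file and triage_join_log on the debug output gives two short lists; fix the krb5.conf findings first, because the join log's first hit (the failed SRV lookup for _ldap._tcp.dc._msdcs.<REALM>) is what every later line follows from.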



Re: [Samba] Winbind crash due to Kerberos broken implementation

2007-09-07 Thread Turbo Fredriksson
Quoting hagai yaffe <[EMAIL PROTECTED]>:

> obviously 3.0.14a & 1.2.7 is broken

1.2.7 is so old, I'm amazed that it hasn't self-destructed automatically
already!

I doubt you will find ANY software that works with this version. Upgrade.


-- 
Why can't programmers tell the difference between
halloween and christmas day? Because 25 DEC = 31 OCT.


[Samba] Winbind crash due to Kerberos broken implementation

2007-09-07 Thread hagai yaffe

Hello,
 
I am working on RHEL 3 update 4. The Kerberos version that comes with the OS
is 1.2.7. I have installed samba 3.0.14a and encountered multiple winbind
crashes.
 
I have done some debugging and found the cause: the samba function
"ads_cleanup_expired_creds" calls the Kerberos function krb5_cc_remove_cred (if
the ticket is expired); the Kerberos implementation holds a struct of
function pointers, and the function for removing a ticket from the cache is
not initialized (NULL), therefore in this scenario winbind will crash.
 
I checked and saw that the relevant Kerberos function is implemented in the
recent 1.5 release (I don't know exactly when it was fixed) so I guess that
upgrading will solve my problem. However, it seems strange to me that the
default Kerberos that comes with the OS does not work with samba (I must say
that I am a little new to the Red Hat & samba world so I might be missing
something). 
 
I have tried to look for recommendations regarding which Kerberos version
should be used with each samba version and could not find any (obviously
3.0.14a & 1.2.7 is broken); can someone assist in directing me?
 
Apart from the option of upgrading, is there a way for me to avoid the ticket
expiration? (It does not happen on all machines, only on a samba machine
which is configured as a member of a domain with multiple domain
controllers; I can also see in the winbind log that different domain
controllers are often used for authentication, could this be the cause?)
 
Any information on any of the issues would be great,
TX,
Hagai.
 
-- 
View this message in context: 
http://www.nabble.com/Winbind-crash-due-to-Kerberos-broken-implementation-tf4400943.html#a12553966
Sent from the Samba - General mailing list archive at Nabble.com.



Re: [Samba] Winbind and LDAP

2007-09-06 Thread Gerald (Jerry) Carter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Daniel L. Miller wrote:
> I've been having a miserable time trying to get Winbind working.  All of
> the literature I've found seems to indicate it "just works" - which I'd
> love - but it hasn't gone that way for me.  Because I'm already using
> LDAP, it seemed to make sense to use the LDAP support for Winbind.  But
> Winbind continues to give errors and generally be unhappy.
> 
> Besides using the current schema, and setting the idmap 
> parameters in smb.conf - is there another magic trick to
> getting it to work?

That's pretty much it.  The idmap suffix container has to
already exist and be writeable by the "ldap admin dn".

I'd suggest you get Winbind working with the tdb backend
first though to make sure you understand how things work.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFG3+L3IR7qMdg1EfYRAuT0AJsEMbYhFcQkKsL6F9KOLvJvaIm85ACgubRc
JTsSOvQcCb4sbY8bZJmkE5o=
=G+ZB
-END PGP SIGNATURE-


[Samba] Winbind and LDAP

2007-09-05 Thread Daniel L. Miller
I've been having a miserable time trying to get Winbind working.  All of 
the literature I've found seems to indicate it "just works" - which I'd 
love - but it hasn't gone that way for me.  Because I'm already using 
LDAP, it seemed to make sense to use the LDAP support for Winbind.  But 
Winbind continues to give errors and generally be unhappy.


Besides using the current schema, and setting the idmap parameters in 
smb.conf - is there another magic trick to getting it to work?

--
Daniel
A spam trap for your crawler pleasure: [EMAIL PROTECTED]


Re: [Samba] Winbind partial data

2007-09-03 Thread Doug VanLeuven
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Simon Chappell wrote:
> Hello All
> 
> got a nasty problem that has reared its head this morning.
> 
> Windows 2003 ADS controller.
> Samba 3.022
> Ubuntu 6.06LTS
> 
> getent passwd returns users but not all of them.
> I am missing a couple of hundred.
> Also if I add a new user they do not appear in getent; however they all
> show in wbinfo -u.
> 

Just a quick reply.

Check in smb.conf

winbind enum groups = yes
winbind enum users = yes

The default changed from yes to no at some point.

and check if nscd is running.  I don't use it and people have reported
problems with caching with it running.

Have to go.

Regards, Doug
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFG3Ka6FqWysr/jOHMRAl8DAJ9E0GVvbGSQ4Uoli87GITKtbrG4LgCdFP/b
t83swZohuPwheLToMXwCmCk=
=5wMN
-END PGP SIGNATURE-
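Added example that serves several posts in this thread at once (Alex's idmap-range question, Kristoffer's question about stale group membership, Doug's "winbind enum" reminder and Jerry's note that the LDAP idmap container must exist and be writeable by the ldap admin dn); it is not code from any of those posts or from Samba. It is a Python audit of an smb.conf [global] section: parameter names are normalised the way smb.conf treats them (case-insensitive, internal whitespace collapsed), then the idmap ranges are checked (present, low < high, not overlapping local ids below 1000), the "winbind enum users/groups" switches, the effective "winbind cache time" (300 seconds when unset) and, for "idmap backend = ldap", the presence of "ldap admin dn" and "ldap idmap suffix". The two [global] blocks it ships with are constructed from settings quoted in this thread; the ldap host in the second is a placeholder.

```python
import re

LOCAL_ID_CEILING = 1000           # conventional top of the system/local account range
DEFAULT_WINBIND_CACHE_TIME = 300  # seconds; smb.conf default for 'winbind cache time'

# Constructed [global] section using Kristoffer's ranges (no enum switches set).
SAMPLE_OK = """\
[global]
   workgroup = LINUXAUTHTEST
   realm = LINUXAUTHTEST.AD
   security = ADS
   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431
   winbind use default domain = Yes
"""

# Constructed [global] section with several of the problems discussed in the thread.
SAMPLE_RISKY = """\
[global]
   workgroup = MYDOMAIN
   security = ADS
   ; placeholder host, not a real server
   idmap backend = ldap:ldap://ldap.example.invalid
   idmap uid = 500-600
   idmap gid = 600-500
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 60
"""


def parse_smb_conf(text):
    """Return {section: {param: value}}; comment lines start with '#' or ';'."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        key, sep, val = line.partition("=")
        if sep and section is not None:
            conf[section][" ".join(key.lower().split())] = val.strip()
    return conf


def parse_range(spec):
    """'10000-20000' -> (10000, 20000); None if malformed or inverted."""
    try:
        lo, hi = (int(x) for x in spec.split("-", 1))
    except ValueError:
        return None
    return (lo, hi) if lo < hi else None


def audit_smb_conf(text):
    """Return [(severity, parameter, message)] for the settings this thread turned on."""
    g = parse_smb_conf(text).get("global", {})
    out = []
    if g.get("security", "").lower() == "ads" and "realm" not in g:
        out.append(("error", "realm", "security = ADS needs realm = <KERBEROS REALM>"))
    for p in ("idmap uid", "idmap gid"):
        if p not in g:
            out.append(("error", p, "not set; winbind cannot allocate ids"))
            continue
        rng = parse_range(g[p])
        if rng is None:
            out.append(("error", p, "malformed range %r (expect low-high, low < high)" % g[p]))
        elif rng[0] < LOCAL_ID_CEILING:
            out.append(("warn", p, "range %s overlaps local accounts below %d; ids can collide"
                        % (g[p], LOCAL_ID_CEILING)))
    for p in ("winbind enum users", "winbind enum groups"):
        if g.get(p, "no").lower() not in ("yes", "true", "1"):
            out.append(("info", p, "not enabled: getent will not list domain entries "
                                   "(individual lookups still work)"))
    cache = int(g.get("winbind cache time", DEFAULT_WINBIND_CACHE_TIME))
    out.append(("info", "winbind cache time",
                "group membership changes take up to %d s to be seen" % cache))
    if g.get("idmap backend", "").lower().startswith("ldap"):
        for p in ("ldap admin dn", "ldap idmap suffix"):
            if p not in g:
                out.append(("error", p, "required with idmap backend = ldap; the suffix "
                                        "container must exist and be writeable by the admin dn"))
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_RISKY):
        for severity, param, msg in audit_smb_conf(sample):
            print("%-5s %-22s %s" % (severity, param, msg))
        print()
```

The cache-time line is informational on purpose: if sudoers is keyed on a domain group, as in Kristoffer's setup, a removal from that group is not seen on the Linux side until the winbind cache entry expires, so the value is a security parameter, not just a tuning knob.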


[Samba] Winbind partial data

2007-09-03 Thread Simon Chappell

Hello All

got a nasty problem that has reared its head this morning.

Windows 2003 ADS controller.
Samba 3.022
Ubuntu 6.06LTS

getent passwd returns users but not all of them.
I am missing a couple of hundred.
Also if I add a new user they do not appear in getent; however they  
all show in wbinfo -u.


Has anyone seen this before?

I am really up against it with a school full of kids returning tomorrow.

Thanks in advance

Simon



[Samba] How to - Samba, winbind and Active Directory

2007-09-03 Thread john woo
Hi,

I finally was able to get samba/winbind to
authenticate off W2k3 Active Directory. I have seen a lot
of info on the web on how to do this but I never seemed
to find one site that got me through it all. Anyway,
with all the info I gathered I was able to put it all
together, get it working and document all the steps
I used. I'm running Redhat 4 (2.6.9-55.0.2) with
compiled Samba 3.0.25c (you'll need Samba 3.0.24
though because of a *bug* in 3.0.25c net binary? -
more info below). Hope this helps anyone trying to do
Samba/AD integration.

Compile/Install Samba 3.0.25c
• ./configure --with-winbind --with-ldap --with-ads --with-krb5
• make
• make install
• Samba will be installed in /usr/local/samba

Edit krb5.conf
• vi /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MY.DOMAIN.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MY.DOMAIN.COM = {
  # I used the Windows DC IP address instead of the
FQDN for the kdc
  kdc = 10.2.30.63
  default_domain = my.domain.com
 }

[domain_realm]
 .my.domain.com = MY.DOMAIN.COM
 my.domain.com = MY.DOMAIN.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Edit /etc/nsswitch.conf
• vi /etc/nsswitch.conf (only need to add winbind to
passwd and group; everything else stays the same)
passwd: files winbind
shadow: files
group:  files winbind

Edit /etc/samba/smb.conf
• vi /etc/samba/smb.conf
[global]
security = ADS
workgroup = MY
netbios name = sambatest
realm = MY.DOMAIN.COM
#I used the Windows DC IP address instead of the FQDN
for the "password server".
password server = 10.2.30.63
encrypt passwords = yes
client use spnego = no
server signing = auto


log file = /var/log/samba/%m

# enum users/group is needed for getent passwd|groups
to work but otherwise samba still works fine without
this option
winbind enum users = yes
winbind enum groups = yes

winbind separator = .
winbind use default domain = no
idmap uid = 1-2
idmap gid = 1-2

# Shares
[smbtest]
comment = test share
path = /smbtest
valid users = MY.user1 MY.user2
browseable = no
printable = no
writable = yes

Link smb.conf
Note: By default – Samba will look in
/usr/local/samba/lib for smb.conf but I kept my
smb.conf in /etc/samba/smb.conf so I just softlinked
to it.
• ln -s /etc/samba/smb.conf /usr/local/samba/lib/smb.conf

Net binary
Note: the net binary supplied with Samba 3.0.25c is
buggy and does not work when trying to join a domain.
What I did was copy the net binary from a 3.0.24
install to the 3.0.25c server
(/usr/local/etc/samba/bin) and it worked like a charm.

• mv /usr/local/samba/bin/net /usr/local/samba/bin/net.BAK
• cp /usr/local/samba/bin/net (from 3.0.24 install) /usr/local/samba/bin/net

Update libnss_winbind.so lib
• unlink /lib/libnss_winbind.so
• mv /lib/libniss_winbind.so.2 /lib/libniss_winbind.so.2.BAK
• cp /BUILDSOURCE/source/nsswitch/libnss_winbind.so /lib/libniss_winbind.so.2
  (yes, I changed the file name to libniss_winbind.so.2)
• ln -s /lib/libniss_winbind.so.2 /lib/libniss_winbind.so

Get Kerberos ticket
• kinit [EMAIL PROTECTED]
• klist (this will show you cached tickets on the system)

Join Samba server to the Windows Domain
• /usr/local/samba/bin/net ads join -U administrator
• You should see the following:
[EMAIL PROTECTED] bin]# /usr/local/samba/bin/net ads
join -U administrator
Administrator’s password:
Using short domain name -- MY
Joined 'SAMBATEST2' to realm 'MY.DOMAIN.COM'

Check for domain accounts/groups
• /usr/local/samba/bin/wbinfo -u (this should
return MY.user1, MY.user2, MY.user3...etc.)
• /usr/local/samba/bin/wbinfo -g (this should
return MY.group1, MY.group2, MY.group3...etc.)
• getent passwd (this should return accounts from
the local server and domain depending on whether you used
"winbind enum users/groups" in the smb.conf)
• getent group (this should return groups from the
local server and domain depending on whether you used
"winbind enum users/groups" in the smb.conf)

Fire up Samba and Winbind
• ./smb start
• test your share by accessing it from a windows
computer (\\sambaServer\shareName)

Samba/Winbind startup script
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and
nmbd daemons \
#  used to provide SMB network services.
#
# pidfile: /var/run/samba/smbd.pid
# pidfile: /var/run/samba/nmbd.pid
#config:  /etc/samba/smb.conf


# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Avoid using root

Re: [Samba] winbind offline logon

2007-08-29 Thread Gerald (Jerry) Carter

Frederic,

> I'd like to have more information about the winbind offline logon.
> 
> Could I for example use pam_winbind on a linux system (domain member)
> for ssh, this works fine (the PDC is samba also). What I understood is
> that if I stop my PDC, I should still be able to connect with ssh as it
> uses pam_winbind. But that doesn't work :(

You need to enable this in winbindd ("winbind offline logon
= yes" in smb.conf) and for pam_winbind ("cached_login = yes"
in /etc/security/pam_winbind.conf).

In 3.0.25, the offline logons only work with the tdb backend
but all backends are supported in the 3.2.0 tree.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Winbind deadlock with AD and nss

2007-08-29 Thread Gerald (Jerry) Carter

Ed,

> # time wbinfo -U 100
> S-1-22-1-100
> 
> real0m0.047s
> user0m0.014s
> sys 0m0.007s
> 
> # time wbinfo -U 1001
> S-1-22-1-1001
> 
> real5m35.097s
> user0m0.015s
> sys 0m0.011s

Stop nscd if it is running.  There are some problems in 3.0.25
when interacting with nscd.  Winbindd does enough caching that it's
not normally needed anyway (except possibly in really large
environments to help take some load off of winbindd).




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] winbind with NSS backend incorrect convert UIDs to SIDs

2007-08-28 Thread Vladimir Goncharov
Hi

I have a PDC on samba 3.0.10 with LDAP (OpenDirectory on MacOSX). I need to
configure a fileserver (both NFS and SMB) in the domain (samba 3.0.25a on Solaris).
The server gets NSS information from LDAP (OpenDirectory) and winbind gets UIDs from
NSS: idmap backend = nss
User authentication works fine. Users can use shares. I can view ACLs, but
can't set them.
log:
> [2007/08/28 16:47:44, 0] smbd/posix_acls.c:create_canon_ace_lists(1423)
>  create_canon_ace_lists: unable to map SID 
> S-1-5-21-3080563779-3861918993-2104958209-3150 to uid or gid.

> homes0# id viruzzz
> uid=1024(viruzzz) gid=80(admin)
Then I try to convert my UID to a SID:
> homes0# wbinfo -U 1024
> S-1-22-1-1024
This SID looks very strange.
> homes0# wbinfo -S S-1-22-1-1024
> Could not convert sid S-1-22-1-1024 to uid
And this SID is not converted back to a UID :(

this is my config:
> [global]
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> debug level = 3
> idmap domains = default appek
> idmap backend = nss
> workgroup = appek
> netbios name = filebox
> server string = Homes
> load printers = no
> inherit acls = Yes
> map acl inherit = Yes
> nt acl support = yes
> max log size = 500
> security = domain
> password server = xsrv
> encrypt passwords = yes
> unix charset = UTF-8
> delete readonly = no
> dns proxy = no
> wins server = 192.168.8.3
> name resolve order = wins lmhosts host bcast
> log file = /opt/samba/var/log.%m_%U
> local master = yes
> domain master = no 
> preferred master = no 
> host msdfs = yes

Sorry for my English.


[Samba] winbind and force user

2007-08-27 Thread jhall
I have winbind up and running and changed all of my users from the Windows
2003 server to the SAMBA server over the weekend, and no-one noticed.

I have run into a problem with force user, and it may just be my
understanding of how the parameter works.  Following is my configuration
for the share.

[Barbara.Slevin]
comment = Barbara Slevin's Home Directory
browseable = No
valid users = mo+barbara.slevin,mo+jay.hall
force user = mo+barbara.slevin
create mode = 0770
directory mode = 0770
writeable = Yes

I am logged in as jay.hall.  With the force user statement in the
configuration, I receive a message stating, "The specified network name is
no longer available."  This happens whether the force user name is in
quotes or not.  If I remove the force user statement from the share, I am
able to connect to the share without any problems.

Can I use the force user statement to map to a Windows 2003 user id (e.g.
mo+barbara.slevin)?  In reading the smb.conf documentation, I got the
impression, it must map to a user id on the local system.  If this is not
the case, any suggestions as to what I am doing wrong would be greatly
appreciated.

Thanks,


Jay




[Samba] winbind (I think) problems

2007-08-26 Thread herald
OK I'm running on a Dell 1950 supporting Ubuntu LTS 6.0.1.  I've tried to 
set up the Kerberos/ADS/Samba installation with the Ubuntu server as a 
member server on a 2003 ADS Domain. 


Kerberos v5
Samba v 3.0.22 



Originally, I would have been writing to find out why my samba shares are 
accessible for about 30 minutes, and then they magically aren't found when 
trying to access them. 

Now however, I've screwed things up so bad, I don't really know what's going 
on.  Here are the symptoms: 

I can successfully install and configure Samba and Kerberos.  I can 
successfully issue a kinit and receive a ticket for a user with an account 
on the ADS.  I can successfully run wbinfo -u and list all users.  I can 
successfully run wbinfo -p and ping the winbind daemon. 


When I try to run getent:
$ getent passwd "domain\username" 

All I receive is a prompt ($) 

I don't see any errors, I don't see any output, just a prompt comes up.  
This happens as well with groups. 

I've placed the winbind reference in nsswitch.conf, I've run 'ldconfig', 
I've verified the FQDN in my /etc/hosts file, I haven't configured PAM yet, but 
I don't believe that would have any bearing on anything unless I'm trying to 
initiate an interactive login via ADS credentials. I've uninstalled and 
reinstalled all packages and configuration files, but I really am lost at 
this point.  My next step is to start all over again, but I really don't 
want to do that because this server is also hosting the Windows AD 
controller via vmware, and I really don't want to have to rebuild the entire 
domain again.  Please help!!



[Samba] Winbind deadlock with AD and nss

2007-08-26 Thread Ed Plese
Hi,

I'm testing out Samba 3.0.25c with Active Directory using the rid
idmap backend.  In certain cases there seems to be a repeatable
deadlock in winbind.

I have a local user "ed" created with uid 100 and no user exists with
uid 1001.  Here's the behavior I'm seeing with wbinfo:

# time wbinfo -U 100
S-1-22-1-100

real0m0.047s
user0m0.014s
sys 0m0.007s

# time wbinfo -U 1001
S-1-22-1-1001

real5m35.097s
user0m0.015s
sys 0m0.011s

The first command behaves as expected but the expected result of the
second command is "Could not convert uid 1001 to sid" with an
execution time of much less than 1 second as is seen with Samba 3.0.24
and lower.

This is running on Solaris 10 (x86) and compiled with Sun Studio 11
using the OpenLDAP and MIT Kerberos 5 libraries from Blastwave.  The
exact same configuration works fine with 3.0.24 with the only
difference being the idmap configuration changes between 3.0.24 and
3.0.25.

In /etc/nsswitch.conf I have:
passwd: files winbind
group:  files winbind

During the query to winbindd, uid 1001 is not within the range used
for the MYAD rid backend which causes the lookup to then be attempted
by passdb.  passdb in turn calls getpwuid which ends up querying
winbind through nss_winbind which is what leads to the deadlock.

When I remove winbind from nsswitch.conf the 5 minute delay is gone
but wbinfo returns "S-1-22-1-1001" which is different from what
previous Samba versions returned.

Here are the contents of smb.conf:
[global]
  workgroup = MYAD
  realm = MYAD.ORG
  security = ads
  encrypt passwords = yes
  smb passwd file = /etc/samba/private/smbpasswd
  winbind separator = +
  winbind use default domain = yes
  winbind nested groups = no
  obey pam restrictions = yes
  winbind enum users = yes
  winbind enum groups = yes
  allow trusted domains = no
  idmap uid = 1-1
  idmap gid = 1-1
  idmap domains = MYAD
  idmap config MYAD: default = yes
  idmap config MYAD: backend = rid
  idmap config MYAD: range = 1-1
  idmap config MYAD: readonly = yes
  name resolve order = host
  dns proxy = no

In Samba versions prior to 3.0.25 the idmap options in smb.conf were:
   idmap uid = 1-1
   idmap gid = 1-1
   idmap backend = idmap_rid:MYAD=1-1

Is there something wrong with my new idmap configuration or is this a
bug?  3.0.25 implicitly adds the passdb backend which I don't think
older versions did.  Disabling this might fix the problem but is there
any way to do that?  Any other ideas on things to try?

Thanks,

Ed Plese
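An added example, not code from any post in this thread, that puts the points raised above into a checkable form: it reads the idmap settings out of an smb.conf, reports which range a uid falls in (a uid in no range is the passdb fall-through Ed describes), decodes the S-1-22-1-N SIDs that puzzled Vladimir, and flags the "winbind enum" and local-uid collision issues from the partial-data and uid-problem threads quoted earlier. The sample config, its 10000-20000 range and the uids are constructed for illustration.

```python
# Added example, not from any post in this thread; sample values are constructed.
import re
from typing import Dict, List, Optional, Tuple

Conf = Dict[str, Dict[str, str]]
# Constructed smb.conf fragment modelled on Ed Plese's post; the 10000-20000
# range is made up (the ranges in the posts did not survive extraction).
SAMPLE_SMB_CONF = """\
[global]
  workgroup = MYAD
  winbind enum users = yes
  winbind enum groups = yes
  idmap uid = 10000-20000
  idmap domains = MYAD
  idmap config MYAD: backend = rid
  idmap config MYAD: range = 10000-20000
"""

def parse_smb_conf(text: str) -> Conf:
    """[section] / 'key = value' reader; keys folded to lowercase, single-spaced."""
    conf: Conf = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue                      # junk before the first section
        key, _, value = line.partition("=")
        conf[section][" ".join(key.split()).lower()] = value.strip()
    return conf

def parse_range(value: str) -> Optional[Tuple[int, int]]:
    """'10000-20000' -> (10000, 20000); None when malformed or reversed."""
    m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", value)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    return (lo, hi) if lo <= hi else None

def idmap_ranges(conf: Conf) -> Dict[str, Tuple[int, int]]:
    """The global 'idmap uid' range plus every 'idmap config DOM: range'."""
    g = conf.get("global", {})
    ranges: Dict[str, Tuple[int, int]] = {}
    base = parse_range(g.get("idmap uid", ""))
    if base:
        ranges["idmap uid"] = base
    for key, value in g.items():
        m = re.fullmatch(r"idmap config (\S+?)\s*:\s*range", key)
        r = parse_range(value) if m else None
        if m and r:
            ranges[m.group(1).upper()] = r
    return ranges

def locate_uid(conf: Conf, uid: int) -> Optional[str]:
    """Range holding uid: a domain name, 'idmap uid', or None. None is Ed's case:
    idmap cannot answer, winbindd falls through to passdb, passdb re-enters NSS."""
    ranges = idmap_ranges(conf)
    for name, (lo, hi) in ranges.items():
        if name != "idmap uid" and lo <= uid <= hi:
            return name
    base = ranges.get("idmap uid")
    return "idmap uid" if base and base[0] <= uid <= base[1] else None

def classify_sid(sid: str) -> Tuple[str, Optional[int]]:
    """S-1-22-1-N / S-1-22-2-N are Samba's 'Unix user/group' SIDs: no domain
    mapping existed, so local uid/gid N was wrapped (Vladimir's S-1-22-1-1024).
    S-1-5-21-A-B-C-RID is a real domain SID and yields its RID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[:2] != ["S", "1"] or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in parts[2:]]
    if len(subs) == 3 and subs[:2] == [22, 1]:
        return ("unix-user", subs[2])
    if len(subs) == 3 and subs[:2] == [22, 2]:
        return ("unix-group", subs[2])
    if len(subs) == 6 and subs[:2] == [5, 21]:
        return ("domain", subs[5])
    return ("other", None)

def lint_idmap(conf: Conf, local_uids=(), expected_ids: int = 0) -> List[str]:
    """Checks from this thread: enumeration off (getent then shows no domain
    users), a range too small for the domain, local uids inside the range."""
    g = conf.get("global", {})
    findings: List[str] = []
    for p in ("winbind enum users", "winbind enum groups"):
        if g.get(p, "no").lower() not in ("yes", "true", "1"):
            findings.append(f"{p} is off (the default is no): getent skips domain entries")
    for name, (lo, hi) in idmap_ranges(conf).items():
        if hi - lo + 1 < expected_ids:
            findings.append(f"{name} range {lo}-{hi} holds fewer than {expected_ids} ids")
        clashes = sorted(u for u in local_uids if lo <= u <= hi)
        if clashes:    # Jay's uid 10071 spam-filter collision
            findings.append(f"local uid(s) {clashes} lie inside the {name} range {lo}-{hi}")
    return findings
```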


Re: [Samba] winbind uid problem

2007-08-25 Thread jhall
Thank you. This worked wonderfully.


Jay

> You probably need to remove the winbindd_idmap.tdb file and restart
> winbindd. Be advised this will delete all current mappings so any
> files with those UID/GID's may get different "owners". The other more
> complicated option is to run tdbtool on the file and only delete the
> "bad" mappings.
>
> If you don't know where to find that file run
>
> smbd -b | grep LOCKDIR
>
> [EMAIL PROTECTED] wrote:
>> I have installed winbind and it is working, but I need to change the
>> uid/gid being used by winbind since I am running into some conflicts
>> with
>> UIDs.
>>
>> UID 10071 is being used by my spamfilter and winbindd is also mapping
>> one
>> of the user IDs from the W2K3 server to 10071.
>>
>> In an attempt to change this, I modified my smb.conf file as follows.
>>
>> [global]
>> workgroup = MO
>> idmap gid = 15000-2
>> idmap uid = 15000-2
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind separator = +
>> security = domain
>> password server = 10.129.10.41
>> wins server = 10.129.10.41
>>
>> I restarted the server thinking my users would be remapped in the range
>> 15000-2.  However, they are still mapped in the 1-2 as I had
>> originally set in the smb.conf file.  I confirmed this using getent
>> passwd.
>>
>> I am running 3.0.23c on FreeBSD 6.2.
>>
>> Any suggestions would be greatly appreciated.
>>
>> Thanks,
>>
>>
>> Jay
>>
>




Re: [Samba] winbind uid problem

2007-08-24 Thread jhall
Thank you!!!  I had thought it was stored somewhere, but did not know
where.  I will give this a try tomorrow, after all of the storms pass.

Thanks again.


Jay

> Once a uid mapping has been made, it is persistent, and it is stored in
> the winbindd_idmap.tdb file in the locks directory.
> If you want the mapping to remap your users, you would have to remove this
> file.  I'd suggest copying it somewhere safe until you're sure this new
> mapping works for you.
> hope this helps,
> Don
>
>
> - Original Message 
> From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
> To: samba@lists.samba.org
> Sent: Thursday, August 23, 2007 7:42:40 PM
> Subject: [Samba] winbind uid problem
>
>
> I have installed winbind and it is working, but I need to change the
> uid/gid being used by winbind since I am running into some conflicts with
> UIDs.
>
> UID 10071 is being used by my spamfilter and winbindd is also mapping one
> of the user IDs from the W2K3 server to 10071.
>
> In an attempt to change this, I modified my smb.conf file as follows.
>
> [global]
> workgroup = MO
> idmap gid = 15000-2
> idmap uid = 15000-2
> winbind enum users = yes
> winbind enum groups = yes
> winbind separator = +
> security = domain
> password server = 10.129.10.41
> wins server = 10.129.10.41
>
> I restarted the server thinking my users would be remapped in the range
> 15000-2.  However, they are still mapped in the 1-2 as I had
> originally set in the smb.conf file.  I confirmed this using getent
> passwd.
>
> I am running 3.0.23c on FreeBSD 6.2.
>
> Any suggestions would be greatly appreciated.
>
> Thanks,
>
>
> Jay
>


Re: [Samba] Winbind usage

2007-08-24 Thread Chris Smith
On Friday 24 August 2007, Daniel L. Miller wrote:
> With only a Samba PDC, with everything defined in LDAP, is there any
> requirement for Winbind?

I think the only reason to use it in this case (or even with a different 
passdb backend - any time when you are not authenticating against a Windows 
DC) is to absolutely distinguish between access from non-local domain member 
systems and local domain member systems.

From the Official HOWTO:
http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/winbind.html#id412001

"If the Samba server will be accessed from a domain other than the local Samba 
domain, or if there will be access from machines that are not local domain 
members, winbind will permit the allocation of UIDs and GIDs from the 
assigned pool that will keep the identity of the foreign user separate from 
users that are members of the Samba domain."

-- 
Chris


Re: [Samba] Winbind usage

2007-08-24 Thread John Drescher
On 8/24/07, Daniel L. Miller <[EMAIL PROTECTED]> wrote:
> With only a Samba PDC, with everything defined in LDAP, is there any
> requirement for Winbind?
>
We have never used it in our samba PDC/LDAP environment; however, with
this setup the security dialog of windows does not correctly list the
groups who have permissions on each file or folder. For each object,
regardless of the ACL, we see only entries for Administrators, Everyone
and Users.

John


[Samba] Winbind usage

2007-08-24 Thread Daniel L. Miller
With only a Samba PDC, with everything defined in LDAP, is there any 
requirement for Winbind?


--
Daniel


Re: [Samba] winbind uid problem

2007-08-24 Thread Herb Lewis

You probably need to remove the winbindd_idmap.tdb file and restart
winbindd. Be advised this will delete all current mappings so any
files with those UID/GID's may get different "owners". The other more
complicated option is to run tdbtool on the file and only delete the
"bad" mappings.

If you don't know where to find that file run

smbd -b | grep LOCKDIR

[EMAIL PROTECTED] wrote:

I have installed winbind and it is working, but I need to change the
uid/gid being used by winbind since I am running into some conflicts with
UIDs.

UID 10071 is being used by my spamfilter and winbindd is also mapping one
of the user IDs from the W2K3 server to 10071.

In an attempt to change this, I modified my smb.conf file as follows.

[global]
workgroup = MO
idmap gid = 15000-2
idmap uid = 15000-2
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
security = domain
password server = 10.129.10.41
wins server = 10.129.10.41

I restarted the server thinking my users would be remapped in the range
15000-2.  However, they are still mapped in the 1-2 as I had
originally set in the smb.conf file.  I confirmed this using getent
passwd.

I am running 3.0.23c on FreeBSD 6.2.

Any suggestions would be greatly appreciated.

Thanks,


Jay




Re: [Samba] Samba, Winbind and Active Directory

2007-08-24 Thread Ed Plese
On 8/23/07, Kevin Gutch <[EMAIL PROTECTED]> wrote:
> I am trying to set up Samba joining Active Directory. I have done this
> successfully before and have most of my previous files.
>
> Here is the issue I am seeing.
>
> I can  "kinit [EMAIL PROTECTED]"
>
> I cannot "net ads join -U administrator"
>
> I get this message: "Failed to join domain: Invalid credentials"

I was seeing this same behavior.  Joining the domain as a different user
in the Domain Admins group worked fine though.  Once joined, the
administrator user was able to access the shares as normal.


Ed Plese


[Samba] Samba, Winbind and Active Directory

2007-08-23 Thread Kevin Gutch

Hi,

I am trying to set up Samba joining Active Directory. I have done this 
successfully before and have most of my previous files.


Here is the issue I am seeing.

I can  "kinit [EMAIL PROTECTED]"

I cannot "net ads join -U administrator"

I get this message: "Failed to join domain: Invalid credentials"

The only error I seem to find is in my winbind log file.

[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(491)

[14116]: request interface version
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)

[14116]: request location of privileged pipe
[2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
[14116]: getgroups root
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(491)

[14119]: request interface version
[2007/08/23 13:06:50, 3] 
nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(524)

[14119]: request location of privileged pipe
[2007/08/23 13:06:50, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1273)
[14119]: getgroups root



Re: [Samba] winbind problem, have workaround but...

2007-08-23 Thread fred . samba


I found what may be the key to this whole thing.  Our domain
administrators decided to throw a switch in Group Policy that limited
communication to NTLMv2 only.  We've had a whole lot of admins
scratching their heads as to how to fix it.  I think I have it squared
away now.

The fix was to add "client ntlmv2 auth = yes" and "host msdfs = no"
in the globals, rename the secrets.tdb file and rejoin the domain.  I'm
not sure what happened in the guts of samba to make it act like it did,
but there we are.


thanks for the help

> Greetings list,
>
> I have a member server in a w2k3 AD domain that has been happily spinning
> for a couple of years. As of yesterday morning, we've been having some
> issues with it.  I've had it configured correctly, and haven't touched it.
>  I'll provide the configs if needed.
>
> I've kept it updated as time's gone on for security updates etc..
>
> The wonkiness seems to rear its head when winbindd gets restarted.  In the
> log.winbindd file I get a tremendous amount of these
>
> 2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
> [2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
>   Could not initialise \PIPE\NETLOGON
>
> but they stop as soon as I issue
>
> # net ads changetrustpw
>
> then it seems to connect and all is well until winbind gets restarted.
>
> I was following a lot of logs at lev3 yesterday, and some users were able
> to authenticate, on one machine but not on others..etc.. it was all very
> wonky until I did the net ads changetrustpw
>
> I can provide any information needed.  I'm running mandriva corp server 3
> with samba 3.014a. patched up to (CVE-2007-2444) (I think that's post
> 3.023d)
>
> I'm perplexed, and not sure what the proper permanent fix for it is.  I'm
> thinking about removing it from the domain, and re-joining it, but I'm not
> sure what precisely is needed.  (what files to delete, which ones to copy
> off etc..)  I don't want to lose the winbindd_idmap.tdb or anything
> important.  (I do back these up...)
>
> any help would be greatly appreciated.
>
> Kindest regards,
> Fred dussault


[Samba] winbind uid problem

2007-08-23 Thread jhall
I have installed winbind and it is working, but I need to change the
uid/gid being used by winbind since I am running into some conflicts with
UIDs.

UID 10071 is being used by my spamfilter and winbindd is also mapping one
of the user IDs from the W2K3 server to 10071.

In an attempt to change this, I modified my smb.conf file as follows.

[global]
workgroup = MO
idmap gid = 15000-2
idmap uid = 15000-2
winbind enum users = yes
winbind enum groups = yes
winbind separator = +
security = domain
password server = 10.129.10.41
wins server = 10.129.10.41

I restarted the server thinking my users would be remapped in the range
15000-2.  However, they are still mapped in the 1-2 as I had
originally set in the smb.conf file.  I confirmed this using getent
passwd.

I am running 3.0.23c on FreeBSD 6.2.

Any suggestions would be greatly appreciated.

Thanks,


Jay



[Samba] Winbind 3.0.25c: Problem joining 3.0.24 domain

2007-08-23 Thread Angela Gavazzi
I have a machine with a running samba 3.0.24 with winbind.
After an update to 3.0.25c I couldn't connect from win clients.
So I first tried to rejoin and got some errors about trust account problems - 
sorry, I didn't save them.
Then I deleted the account and tried a fresh join from the machine:

 net rpc join -Uaga -Waag -Serde
Password:
[2007/08/23 11:13:39, 
0] ./source/utils/net_rpc_join.c:net_rpc_join_newstyle(304)
  error setting trust account password: NT code 0x1c010002
Unable to join domain AAG.

When going back to 3.0.24 there is no problem with joining.

I found some similar posting when googling, but no solution.

Is it a known problem with 3.0.25 or could somebody point me to a solution?

Thanks
Angela


[Samba] winbind problem, have workaround but...

2007-08-22 Thread fred . samba
Greetings list,

I have a member server in a w2k3 AD domain that has been happily spinning
for a couple of years. As of yesterday morning, we've been having some
issues with it.  I've had it configured correctly, and haven't touched it.
 I'll provide the configs if needed.

I've kept it updated as time's gone on for security updates etc..

The wonkiness seems to rear its head when winbindd gets restarted.  In the
log.winbindd file I get a tremendous amount of these

2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON
[2007/08/22 10:23:42, 0] rpc_client/cli_pipe.c:cli_nt_setup_netsec(1622)
  Could not initialise \PIPE\NETLOGON

but they stop as soon as I issue

# net ads changetrustpw

then it seems to connect and all is well until winbind gets restarted.

I was following a lot of logs at lev3 yesterday, and some users were able
to authenticate, on one machine but not on others..etc.. it was all very
wonky until I did the net ads changetrustpw

I can provide any information needed.  I'm running mandriva corp server 3
with samba 3.014a. patched up to (CVE-2007-2444) (I think that's post
3.023d)

I'm perplexed, and not sure what the proper permanent fix for it is.  I'm
thinking about removing it from the domain, and re-joining it, but I'm not
sure what precisely is needed.  (what files to delete, which ones to copy
off etc..)  I don't want to lose the winbindd_idmap.tdb or anything
important.  (I do back these up...)

any help would be greatly appreciated.

Kindest regards,
Fred dussault


[Samba] winbind offline logon

2007-08-17 Thread Frederic Descamps
Hello,

I'd like to have more information about the winbind offline logon.

Could I for example use pam_winbind on a linux system (domain member)
for ssh, this works fine (the PDC is samba also). What I understood is
that if I stop my PDC, I should still be able to connect with ssh as it
uses pam_winbind. But that doesn't work :(

thx 

fred





Re: [Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(

2007-08-16 Thread Volker Lendecke
On Fri, Aug 17, 2007 at 03:39:33AM +0200, Timur I. Bakeyev wrote:
> BUGS
>  The getgrouplist() function uses the routines based on getgrent(3).  If
>  the invoking program uses any of these routines, the group structure will
>  be overwritten in the call to getgrouplist().

If getgrouplist really finds group members by doing the
setgrent/getgrent/endgrent thing, then you're screwed. You
just can't use FreeBSD as a member of large domains. I've
seen a domain where "domain users" has more than 100.000
users, and doing getgrent on that one takes ages. This
domain has other huge groups.

> Another function, getgroups(2), seems, doesn't have such a comment in
> the man page, but I can't really imagine, where else it can get user
> group list information.

getgroups(2) at least under Linux that fetches the group
list from the kernel. Someone must have put them there with
setgroups(2) first, so this is no help.

> I thought, that Linux has similar approach, but from your question it
> seems it's not. Can you give more details, please?

Linux has an nss extension called initgroups that exactly
asks the right question: "What are the groups for this
user?". It does not delegate this to the login application
which just would have to fall back to getgrent.

Volker


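To make Volker's distinction concrete, here is an added example in C (written for this page, not code from Samba, glibc or FreeBSD) that resolves one user's groups both ways: with getgrouplist(3), which on glibc is served by the NSS initgroups entry point a directory-backed module can answer with one query, and with a setgrent/getgrent/endgrent scan of the whole group database, the approach the quoted FreeBSD BUGS note describes. It reads the local passwd and group data and assumes only that a user named "root" exists; the scan also reports how many group entries it had to walk, which is the cost that explodes on a domain with a 100,000-member group.

```c
#define _GNU_SOURCE          /* getgrouplist() is a GNU/BSD extension */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Identical to the libc prototype; present in case the header hides it. */
int getgrouplist(const char *, gid_t, gid_t *, int *);

#define MAX_GROUPS 1024

/* Ask libc the question Volker calls the right one: "what are the groups
 * for this user?". On glibc getgrouplist(3) goes through the NSS
 * initgroups entry point, so winbind or LDAP can answer it directly.
 * Returns the group count, or -1. */
static int groups_by_query(const char *user, gid_t *out, int max)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    int n = max;
    if (getgrouplist(user, pw->pw_gid, out, &n) == -1)
        return -1;                    /* more than max groups */
    return n;
}

/* The setgrent/getgrent/endgrent way: visit every group entry and test
 * its member list. Cost grows with the number of groups and the size of
 * each member list. *walked receives the number of entries visited. */
static int groups_by_enumeration(const char *user, gid_t *out, int max,
                                 long *walked)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return -1;
    int n = 0;
    out[n++] = pw->pw_gid;            /* primary group lives in passwd */
    *walked = 0;
    setgrent();
    struct group *gr;
    while ((gr = getgrent()) != NULL) {
        (*walked)++;
        if (gr->gr_gid == pw->pw_gid)
            continue;                 /* already counted as primary */
        for (char **m = gr->gr_mem; *m != NULL; m++) {
            if (strcmp(*m, user) == 0) {
                if (n < max)
                    out[n++] = gr->gr_gid;
                break;
            }
        }
    }
    endgrent();
    return n;
}

static int cmp_gid(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort and drop duplicates so the two results compare as sets. */
static int sort_unique(gid_t *g, int n)
{
    qsort(g, (size_t)n, sizeof g[0], cmp_gid);
    int k = 0;
    for (int i = 0; i < n; i++)
        if (k == 0 || g[k - 1] != g[i])
            g[k++] = g[i];
    return k;
}

static int query_count(const char *user)
{
    gid_t g[MAX_GROUPS];
    return groups_by_query(user, g, MAX_GROUPS);
}

static long enumeration_walked(const char *user)
{
    gid_t g[MAX_GROUPS];
    long walked = 0;
    if (groups_by_enumeration(user, g, MAX_GROUPS, &walked) < 0)
        return -1;
    return walked;
}

/* Both strategies must yield the same membership set; 1 if they do. */
static int strategies_agree(const char *user)
{
    gid_t a[MAX_GROUPS], b[MAX_GROUPS];
    long walked = 0;
    int na = groups_by_query(user, a, MAX_GROUPS);
    int nb = groups_by_enumeration(user, b, MAX_GROUPS, &walked);
    if (na < 1 || nb < 1)
        return 0;
    na = sort_unique(a, na);
    nb = sort_unique(b, nb);
    return na == nb && memcmp(a, b, (size_t)na * sizeof a[0]) == 0;
}

int main(void)
{
    const char *user = "root";        /* assumed to exist on the host */
    printf("%s: getgrouplist -> %d group(s)\n", user, query_count(user));
    printf("%s: getgrent scan walked %ld group entries\n", user,
           enumeration_walked(user));
    printf("results agree: %s\n", strategies_agree(user) ? "yes" : "no");
    return 0;
}
```

On a host whose group database comes only from files the two answers match, but the scan's walked count equals the number of groups in the database, whatever the user's membership. Against a large domain that count is the whole directory, which is the behaviour the thread is arguing about; a libc that implements getgrouplist by the second method cannot avoid it however winbind is configured.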

Re: [Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(

2007-08-16 Thread Timur I. Bakeyev
Hi, Jerry!

On Wed, Aug 15, 2007 at 03:41:54PM -0500, Gerald (Jerry) Carter wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Wilkinson, Alex wrote:
> > 
> > In the Oreilly "Using Samba" book pg 292 it is recommended 
> > to turn off Winbindd(8) user and group enumeration (very
> > expensive operation). However, when doing this on
> > FreeBSD -CURRENT the groups that users are in are not recognised.
> > 
> 
> If this is true, then it is a really bad design in
> FreeBSD.  Timur, can you confirm this?  Does FreeBSD
> rely on set/get/endgrent to get group memberships?

What do you mean exactly under "get group memberships"? I think that if
you scratch any of the group-related functions, you'll find *grent
functions underneath, in FreeBSD at least.

I assume you refer to getgrouplist(3). Its man page says:

BUGS
 The getgrouplist() function uses the routines based on getgrent(3).  If
 the invoking program uses any of these routines, the group structure will
 be overwritten in the call to getgrouplist().

Another function, getgroups(2), seems, doesn't have such a comment in
the man page, but I can't really imagine, where else it can get user
group list information.

On top of that, although passwd is shadowed in FreeBSD and stored in a
BerkeleyDB file, group is just a plain text file (or ldap, or nis) -
in all cases *grent functions are called.

I thought that Linux has a similar approach, but from your question it
seems it's not. Can you give more details, please?

with best regards,
Timur.


Re: [Samba] Winbind can do everything besides lookup by name

2007-08-15 Thread Gerald (Jerry) Carter
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

David Croft wrote:
> Thanks, actually in smb.conf it was
> 
> winbind separator = \

That's the default so don't define it in smb.conf



Re: [Samba] Winbind can do everything besides lookup by name

2007-08-15 Thread David Croft
Thanks, actually in smb.conf it was

winbind separator = \

Changing it to \\ works. testparm now whinges "ERROR: the 'winbind
separator' parameter must be a single character", but everything works
all the same!

Regards,

David


On 15/08/07, Gerald (Jerry) Carter <[EMAIL PROTECTED]> wrote:
> David Croft wrote:
>
> >   [0]: getpwnam david.croft
> >   could not find domain entry for domain DAVID.CROFT
> >
> 
> > winbind separator =
>
> I bet it's this line.  Remove that.
>
>
>
>
> cheers, jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian


Re: [Samba] Winbind can do everything besides lookup by name

2007-08-15 Thread Gerald (Jerry) Carter

David Croft wrote:

>   [0]: getpwnam david.croft
>   could not find domain entry for domain DAVID.CROFT
> 

> winbind separator =

I bet it's this line.  Remove that.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(

2007-08-15 Thread Gerald (Jerry) Carter

Wilkinson, Alex wrote:
> Hi all,
> 
> In the Oreilly "Using Samba" book pg 292 it is recommended 
> to turn off Winbindd(8) user and group enumeration (very
> expensive operation). However, when doing this on
> FreeBSD -CURRENT the groups that users are in are not recognised.
> 
> When I enable user and group enumeration group 
> permissions work (at least for the first 16 groups)
> i.e. via chown(1).
> 
> So my  question is: From peoples' experience what 
> do you do ? Turn "enum" on or off ? And do you experience
> the same problem I do ? Or is this just a FreeBSD issue ?

If this is true, then it is a really bad design in
FreeBSD.  Timur, can you confirm this?  Does FreeBSD
rely on set/get/endgrent to get group memberships?




cheers, jerry


[Samba] Winbind can do everything besides lookup by name

2007-08-15 Thread David Croft
Hi,

I have winbind joined to a Win2003 AD domain with rid idmap backend.
Almost everything's working. wbinfo -u and -g work fine, as does
getent passwd and getent group. I can also getent by ID number. The
only thing I can't do is getent by name, which is preventing logins:

[EMAIL PROTECTED]:/etc/pam.d# net ads testjoin
Join is OK
[EMAIL PROTECTED]:/etc/pam.d# getent passwd | grep david.croft
david.croft:*:11157:10513:David
Croft:/home/ntuser/MYDOMAIN/david.croft:/bin/bash
[EMAIL PROTECTED]:/etc/pam.d# getent passwd 11157
david.croft:*:11157:10513:David
Croft:/home/ntuser/MYDOMAIN/david.croft:/bin/bash
[EMAIL PROTECTED]:/etc/pam.d# getent passwd david.croft
[EMAIL PROTECTED]:/etc/pam.d# getent group 11155
linux_users:x:11155:david.croft,joe.bloggs
[EMAIL PROTECTED]:/etc/pam.d# getent group linux_users
[EMAIL PROTECTED]:/etc/pam.d#

Here's the debug log (-d 10) from the getent passwd by name:

[2007/08/15 19:34:37, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 17
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn INTERFACE_VERSION
[2007/08/15 19:34:37, 3]
nsswitch/winbindd_misc.c:winbindd_interface_version(483)
  [0]: request interface version
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn WINBINDD_PRIV_PIPE_DIR
[2007/08/15 19:34:37, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(516)
  [0]: request location of privileged pipe
[2007/08/15 19:34:37, 6] nsswitch/winbindd.c:new_connection(601)
  accepted socket 18
[2007/08/15 19:34:37, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/08/15 19:34:37, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [0]: getpwnam david.croft
[2007/08/15 19:34:37, 7] nsswitch/winbindd_user.c:winbindd_getpwnam(352)
  could not find domain entry for domain DAVID.CROFT

Here's the smb.conf:

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = %h server
security = ADS
allow trusted domains = No
obey pam restrictions = Yes
password server = mydomain-fs1.mydomain.com
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully*
.
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
panic action = /usr/share/samba/panic-action %d
idmap backend = rid:MYDOMAIN=1-1
idmap uid = 1-1
idmap gid = 1-1
template homedir = /home/ntuser/%D/%U
template shell = /bin/bash
winbind separator =
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
invalid users = root

Here's nsswitch.conf:

passwd: compat winbind
group:  compat winbind
shadow: compat


Any thoughts?

Cheers,

David
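The failing lookup above ("could not find domain entry for domain DAVID.CROFT") together with the empty "winbind separator =" in the posted smb.conf has a mechanical explanation that is easy to miss, so here is an added C illustration (written for this page, not Samba's own parser, and the assumption is only that winbind splits the name with the configured separator the same way). A DOMAIN<sep>user name is split by searching for the separator character with strchr(). In C, strchr(name, '\0') is not a miss: it returns a pointer to the terminating NUL. So when the separator is the empty string every name appears to carry a separator at its very end, the whole name becomes the domain and the user part is empty, which is exactly the shape of the log line.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 256

/* Split "DOMAIN<sep>user" into domain and user. default_domain stands for
 * what "winbind use default domain" supplies when no separator is found;
 * NULL means no default is assumed. Returns false when the name cannot be
 * resolved to a (domain, user) pair. */
static bool split_domain_user(const char *name, const char *sep,
                              const char *default_domain,
                              char domain[NAME_LEN], char user[NAME_LEN])
{
    const char *p = strchr(name, sep[0]);   /* sep[0] == '\0' if sep is "" */

    if (p == NULL) {
        /* No separator: a bare user name, usable only with a default domain. */
        if (default_domain == NULL)
            return false;
        snprintf(domain, NAME_LEN, "%s", default_domain);
        snprintf(user, NAME_LEN, "%s", name);
    } else {
        size_t dlen = (size_t)(p - name);
        if (dlen >= NAME_LEN)
            return false;
        memcpy(domain, name, dlen);
        domain[dlen] = '\0';
        /* *p == '\0' happens only for the empty separator; copying from
         * p + 1 would read past the string, so yield "" explicitly. */
        snprintf(user, NAME_LEN, "%s", *p ? p + 1 : "");
    }
    for (char *c = domain; *c; c++)        /* domains compare case-insensitively */
        *c = (char)toupper((unsigned char)*c);
    return true;
}

/* 1 when splitting yields the expected pair; want_domain == NULL means
 * the split is expected to fail. */
static int split_gives(const char *name, const char *sep,
                       const char *default_domain,
                       const char *want_domain, const char *want_user)
{
    char domain[NAME_LEN], user[NAME_LEN];
    if (!split_domain_user(name, sep, default_domain, domain, user))
        return want_domain == NULL;
    return want_domain != NULL && strcmp(domain, want_domain) == 0 &&
           strcmp(user, want_user) == 0;
}

int main(void)
{
    char domain[NAME_LEN], user[NAME_LEN];
    /* The misconfiguration from the thread: empty separator. */
    split_domain_user("david.croft", "", "MYDOMAIN", domain, user);
    printf("sep=\"\"   -> domain '%s' user '%s'\n", domain, user);
    /* The default separator with "winbind use default domain = Yes". */
    split_domain_user("david.croft", "\\", "MYDOMAIN", domain, user);
    printf("sep=\"\\\"  -> domain '%s' user '%s'\n", domain, user);
    return 0;
}
```

With the empty separator the first call reports domain 'DAVID.CROFT' and an empty user, so the lookup is sent to a domain that does not exist and never reaches the user at all; wbinfo, getent by UID and enumeration keep working because none of them go through this split. Dropping the line (as Jerry advises) restores the default backslash. Note also that Samba's smb.conf parser treats a backslash at the end of a line as a continuation onto the next line, which is consistent with a lone "\" value not surviving and "\\" being needed to make the separator stick.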


[Samba] "winbind enum = yes" ... oreilly samba books says "turn off" ... but things break. confused :-(

2007-08-15 Thread Wilkinson, Alex
Hi all,

In the Oreilly "Using Samba" book pg 292 it is recommended to turn off
Winbindd(8) user and group enumeration (very expensive operation). However, when
doing this on FreeBSD -CURRENT the groups that users are in are not recognised.

When I enable user and group enumeration group permissions work (at least for
the first 16 groups) i.e. via chown(1).

So my  question is: From peoples' experience what do you do ? Turn "enum" on or
off ? And do you experience the same problem I do ? Or is
this just a FreeBSD issue ?

 -aW

IMPORTANT: This email remains the property of the Australian Defence 
Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 
1914.  If you have received this email in error, you are requested to contact 
the sender and delete the email.




[Samba] Winbind fails to refresh Kerberos tickets (3.0.25b - Fedora Core 5) - 2nd Try

2007-08-14 Thread Rick King

This is the second attempt at sending this. Apologies for any duplicates.

I've got Winbind up and running to authenticate our users against our AD 
and to save kerberos tickets. I have used the "winbind refresh tickets = 
yes" setting expecting this to renew these kerberos tickets before they 
expire. This does not appear to work. Gnome will pop up a dialog box 
saying that the credentials have expired. At winbind log level 10 I 
can't see anything that suggests the refresh is happening.


I'm running a vanilla samba 3.0.25b on 64bit Fedora Core 5. This was 
locally built into an RPM using the Fedora spec file for 2.0.24 (after 
removing all patches and adding the extra files that 3.0.25b has)


Is there some setting I'm missing or is it something more complex? I'd 
very much appreciate any help I can get in getting this working.


Many Thanks,

Rick King

Config/Log Files:

smb.conf:

[global]
  domain master = no
  local master = no
  preferred master = no
  winbind cache time = 300
  template shell = /bin/bash
  template homedir = /home/%U
  idmap domains = ALLDOMAINS
  idmap config ALLDOMAINS:backend  = ad
  idmap config ALLDOMAINS:default  = yes
  idmap config ALLDOMAINS:range= 500 - 3
  idmap config ALLDOMAINS:schema_mode  = rfc2307
  idmap alloc backend = tdb
  idmap alloc config:range   = 30001 - 35000
  winbind nss info = rfc2307 template
  winbind enum users = yes
  winbind enum groups = yes
  workgroup = XXX
  realm = XXX
  security = ads
  password server = *
  winbind refresh tickets = yes
  use kerberos keytab = yes
  client lanman auth = no
  client ntlmv2 auth = yes

/etc/pam.d/system-auth:
#%PAM-1.0

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
authrequired  pam_env.so
authsufficientpam_unix.so nullok try_first_pass
authsufficientpam_winbind.so use_first_pass krb5_auth 
krb5_ccache_type=FILE debug

authrequisite pam_succeed_if.so uid >= 500 quiet
authrequired  pam_deny.so

account required  pam_unix.so
account sufficientpam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required  pam_permit.so

passwordrequisite pam_cracklib.so try_first_pass retry=3
passwordsufficientpam_unix.so md5 shadow nullok try_first_pass 
use_authtok

passwordsufficientpam_winbind.so use_authtok
passwordrequired  pam_deny.so

session required  pam_limits.so
session sufficientpam_winbind.so krb5_auth krb5_ccache_type=FILE 
debug

session required  pam_unix.so

/var/log/secure: [The ticket expired during the night between these log 
events]


ug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] ENTER: 
pam_sm_authenticate (flags: 0x)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): getting password (0x0191)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): pam_get_item returned a password
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Verify user 'rking'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): PAM config: krb5_ccache_type 'FILE'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling krb5 login flag
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): enabling request for a FILE krb5 
ccache
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): user 'rking' granted access
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): request returned KRB5CCNAME: 
FILE:/tmp/krb5cc_10001
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): Returned user was 'rking'
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:auth): [pamh: 0x0061b220] LEAVE: 
pam_sm_authenticate returning 0
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' OK
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:account): user 'rking' granted access
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] ENTER: 
pam_sm_setcred (flags: 0x0008)
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): PAM_REINITIALIZE_CRED not 
implemented
Aug  9 16:39:44 pc15 gnome-screensaver-dialog: 
pam_winbind(gnome-screensaver:setcred): [pamh: 0x0061b220] LEAVE: 
pam_sm_setcred returning 0
Aug  9 19:21:37 pc15 gnome-screensaver-dialog: 
pam_unix(gnome-screensaver:auth): authentication failure; logname= 
uid=10001 euid=10001 tty=:0.0 r

Re: [Samba] Samba winbind and nsswitch.conf

2007-08-11 Thread Wilkinson, Alex
0n Fri, Aug 10, 2007 at 02:23:37PM -0400, Mark Campbell wrote: 

>when I run wbinfo -u or -g it returns users and groups from AD.
>When I do a getent passwd I get the results for /etc/passwd and nothing 
from AD.
>When I auth to the samba server the permissions set based on groups do not 
work.

This makes 2 of us. On FreeBSD 7.0-CURRENT #1: Wed Jul 25 17:31:15 WST 2007.

e.g.

   #wbinfo -u | wc -l
   9150

   #getent passwd | wc -l
   24

 -aW



Re: [Samba] Samba winbind and nsswitch.conf

2007-08-11 Thread Volker Lendecke
On Fri, Aug 10, 2007 at 02:23:37PM -0400, Mark Campbell wrote:
> When I do a getent passwd I get the results for /etc/passwd and nothing 
> from AD.

That's planned. See "winbind enum users" / "winbind enum
groups".

> When I auth to the samba server the permissions set based on groups do 
> not work.

How do you exactly test? Really logging in as the user or
via "su - "?

Volker


pgpxwPW2pamPK.pgp
Description: PGP signature
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Samba winbind and nsswitch.conf

2007-08-10 Thread Joshua M. Miller
Hi Mark,

Is nscd running?  If so, stop it and try again.

Please post a sanitized smb.conf if this was not the problem.

Joshua M. Miller - RHCE, VCP
Ditree Consulting
http://ditree.com/



Mark Campbell wrote:
> I have a Solaris 10 box running samba.  I have it joined to a windows
> 2003 domain.  I can authenticate to the samba server.  However I am
> not getting group information.
> In nsswitch.conf I have
>
> passwd: files winbind
> group:  files winbind
>
> winbindd is running
>
> libnss_windbind.so and so.1 are in /usr/lib
>
> when I run wbinfo -u or -g it returns users and groups from AD.
>
> When I do a getent passwd I get the results for /etc/passwd and
> nothing from AD.
>
> When I auth to the samba server the permissions set based on groups do
> not work.
>
> Any help is appreciated.
>
> Thanks
>
> Mark
>
>


[Samba] Samba winbind and nsswitch.conf

2007-08-10 Thread Mark Campbell
I have a Solaris 10 box running samba.  I have it joined to a windows 
2003 domain.  I can authenticate to the samba server.  However I am not 
getting group information.


In nsswitch.conf I have

passwd: files winbind
group:  files winbind

winbindd is running

libnss_windbind.so and so.1 are in /usr/lib

when I run wbinfo -u or -g it returns users and groups from AD.

When I do a getent passwd I get the results for /etc/passwd and nothing 
from AD.


When I auth to the samba server the permissions set based on groups do 
not work.


Any help is appreciated.

Thanks

Mark


--
Mark Campbell
Systems Analyst
Digital Library Technologies
The Pennsylvania State University
[EMAIL PROTECTED], 814-865-4774



[Samba] Re: home dir file permissions samba, winbind with ldap backend, AD Server 2003 R2 domain

2007-08-09 Thread Stang, Sharol
Oops! I meant ls -l not ls -s

it looks like I typed ls -n instead of ls -l

 



From: Stang, Sharol 
Sent: Wednesday, August 08, 2007 3:52 PM
To: 'samba@lists.samba.org'
Subject: home dir file permissions samba, winbind with ldap backend, AD
Server 2003 R2 domain

 

I have samba 3.0.23 running as a clustered service on RHEL5 and I am
wondering if it is okay that when I check the file permissions on the
home directories they are numerical even if I reset the permissions.
They stay in the long listing format until I restart the service and
when I check again it looks like I typed ls -n instead of ls -s. I
hadn't noticed it doing this before. It seems like everything works fine
and the UIDs are correct I just want to make sure before I replace the
RH9 samba server with it.

Thanks so much!

-sharol



[Samba] home dir file permissions samba, winbind with ldap backend, AD Server 2003 R2 domain

2007-08-08 Thread Stang, Sharol
I have samba 3.0.23 running as a clustered service on RHEL5 and I am
wondering if it is okay that when I check the file permissions on the
home directories they are numerical even if I reset the permissions.
They stay in the long listing format until I restart the service and
when I check again it looks like I typed ls -n instead of ls -s. I
hadn't noticed it doing this before. It seems like everything works fine
and the UIDs are correct I just want to make sure before I replace the
RH9 samba server with it.

Thanks so much!

-sharol



[Samba] Winbind Daemon

2007-07-31 Thread Aravinda Guzzar
Hi,

1.

Can anyone please tell me how the winbind daemon decides when to create a
new child process to service a request. I see that when the winbind daemon
starts it creates a new child process (apart from the main parent) to handle
the "WINBINDD_INIT_CONNECTION" command during its startup. When you execute any
command, say wbinfo -u or -g or --allocate-uid, I can see that it sometimes
creates a new child process and sometimes doesn't. I couldn't come to any
conclusion, either through code study or through these experiments, about when
and how it decides to create a child process to handle a particular request.

2.

I can see the fork call gets hit even when I run "winbindd -i" in
interactive mode. The initialization sets Fork = False, but fork() is
in fact called even in interactive mode.

3.

If someone can point me to a document to understand the winbind daemon
better, it would be very helpful to me.


Thanks in advance for any help regarding this.

regards
Aravind


Re: [Samba] Winbind cache problem after upgrade to 3.0.25b.

2007-07-24 Thread Jerome Haltom
I suspect you are using Ubuntu (and/or Debian), which have a bug
regarding the Winbind cache.

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/118977

On Tue, 2007-07-24 at 11:24 +0100, Simon Ashford wrote:
> Have just upgraded from 3.0.14a to 3.0.25b.
> 
> On starting winbindd it puts the following in /var/log/messages:
> 
>   initialize_winbindd_cache: clearing cache and re-creating with version 
> number 1
> 
> All the winbind UID/GID mappings are lost and it starts again from
> scratch.  Hence all file ownership / ACLs on this samba server become
> invalid.
> 
> Anyone else seen this?
> 
> Why does it see fit to destroy this important file in such a casual
> manner?!  It didn't even bother to make a backup copy.
> 
> 
> Thanks in advance for any help...
> 
> 
> Simon Ashford.


Re: [Samba] Winbind cache problem after upgrade to 3.0.25b.

2007-07-24 Thread Doug VanLeuven

Simon Ashford wrote:
> Have just upgraded from 3.0.14a to 3.0.25b.
> 
> On starting winbindd it puts the following in /var/log/messages:
> 
>   initialize_winbindd_cache: clearing cache and re-creating with version 
> number 1
> 
> All the winbind UID/GID mappings are lost and it starts again from
> scratch.  Hence all file ownership / ACLs on this samba server become
> invalid.
> 
> Anyone else seen this?
> 
> Why does it see fit to destroy this important file in such a casual
> manner?!  It didn't even bother to make a backup copy.

It's just a cache.  Temporary high speed storage of lookups.  By
default, the data in the cache only lives for 300 seconds before winbind
queries the server (again) for current mappings.

If you're losing mappings or generating different mappings on a restart,
something else is wrong.  Not enough info here to make even an educated
guess.

Regards, Doug





[Samba] winbind: string overflow in safe_strcpy_fn(659)

2007-07-24 Thread Bartschies, Thomas

Hi,

after rebooting the server last weekend, we're still getting the same error 
messages from winbind.

Jul 24 13:10:01 cvk027 winbindd[20648]: [2007/07/24 13:10:01, 0] 
lib/util_str.c: safe_strcpy_fn(659)
Jul 24 13:10:01 cvk027 winbindd[20648]:   ERROR: string overflow by 1 (256 - 
255) in safe_strcpy [S+²<9A>Ðåä<96>^_1ßQ"*F\ÄÍ1µkÓ<88>^?^Sl^CëO<9A>CáYíÿ¬ÑWªáäØß
<8C>½t®]

We've already set the winbind debug level to 10. Should we post the complete 
logs here again, or
is there something we can do before that?

Regards,
--
i. A. Thomas Bartschies 
IT Systeme

Cornelsen Verlagskontor GmbH & Co. KG
Kammerratsheide 66, 33609 Bielefeld
Telefon 0521.9719-310
Telefax 0521.9719-93310
http://www.cvk.de
AG Bielefeld HRA 10578 - Geschäftsführer: Horst Keplinger
Geschäftsführende Komplementärin: AG Bielefeld HRB 7107 - Cornelsen 
Verlagskontor Verwaltungs-GmbH
Weitere Komplementärin: AG Charlottenburg HRA 20764 - Cornelsen Verlagsholding 
GmbH & Co., Berlin



[Samba] Winbind cache problem after upgrade to 3.0.25b.

2007-07-24 Thread Simon Ashford

Have just upgraded from 3.0.14a to 3.0.25b.

On starting winbindd it puts the following in /var/log/messages:

  initialize_winbindd_cache: clearing cache and re-creating with version number 
1

All the winbind UID/GID mappings are lost and it starts again from
scratch.  Hence all file ownership / ACLs on this samba server become
invalid.

Anyone else seen this?

Why does it see fit to destroy this important file in such a casual
manner?!  It didn't even bother to make a backup copy.


Thanks in advance for any help...


Simon Ashford.

---
This e-mail and any attachments may contain confidential and/or
privileged material; it is for the intended addressee(s) only.
If you are not a named addressee, you must not use, retain or
disclose such information.

NPL Management Ltd cannot guarantee that the e-mail or any
attachments are free from viruses.

NPL Management Ltd. Registered in England and Wales. No: 2937881
Registered Office: Serco House, 16 Bartley Wood Business Park,
   Hook, Hampshire, United Kingdom  RG27 9UY
---


Re: [Samba] winbind idmap customization

2007-07-12 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> I have. This doesn't work. If I set it to "yes", then lookups for 'DOM
> \user' resolve to 'user'. I want everything to resolve to 'DOM\user'.
> Even lookups for 'user'.

Ahh.. my bad.  I misread the original report.  What you want
is support for aliases which I have in a private branch.
It's a little tricky since there are limitations to how well
the feature can work.  Basically I just added the alias<->login
name translation as a shim just before and after the lookupname
and lookupsid calls.




jerry




Re: [Samba] winbind idmap customization

2007-07-12 Thread Jerome Haltom
I have. This doesn't work. If I set it to "yes", then lookups for 'DOM
\user' resolve to 'user'. I want everything to resolve to 'DOM\user'.
Even lookups for 'user'.

If I set it to "no", then lookups for 'DOM\user' resolve to 'DOM\user',
but lookups for 'user' do not match at all. 'user' should resolve to
'DOM\user'.

On Thu, 2007-07-12 at 10:17 -0500, Gerald (Jerry) Carter wrote:
> Jerome Haltom wrote:
> > Then, at least, can lookups for 'username' return matches for 'DOM
> > \username'? This would make it act more windows-like, anyways, where the
> > user can login using 'username', unless it conflicts with a local user.
> 
> Please read smb.conf(5) and look at the 'winbind use default domain'
> option.
> 
> 
> 
> 
> 
> jerry


Re: [Samba] winbind idmap customization

2007-07-12 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> Then, at least, can lookups for 'username' return matches for 'DOM
> \username'? This would make it act more windows-like, anyways, where the
> user can login using 'username', unless it conflicts with a local user.

Please read smb.conf(5) and look at the 'winbind use default domain'
option.





jerry


Re: [Samba] winbind idmap customization

2007-07-12 Thread Jerome Haltom
Then, at least, can lookups for 'username' return matches for 'DOM
\username'? This would make it act more windows-like, anyways, where the
user can login using 'username', unless it conflicts with a local user.

On Fri, 2007-07-06 at 15:50 -0500, Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
> 
> > Nope.  You haven't looked at how much trouble this would
> > be in the code.  For example, Lookupsid() *always* returns
> > the sAMAccountName but LookupName() will resolve a UPN to
> > the same SID.
> > 
> > So the conversion is asymmetric.  UPN->SID->sAMAccountName.
> > But canonicalizing on the sAMAccountName does give you a
> > symmetric mapping.
> > 
> > Secondly, your 'unix' variant would break with trusted domains.
> > 
> > So yes, it is a bad idea for very real technical reasons.
> 
> I should clarify that you can easily convert from UPN
> to sAMAccountName and vice versa using the DsCrackNames
> calls but this requires a lot of plumbing we don't
> have currently and would be a fundamental change in
> design which would require a lot of code restabilization.
> 
> Or of course you can use LDAP queries but remember that
> machines do not have UPNs by default.  So what do you
> use then?
> 
> 
> 
> 
> cheers, jerry
> 
> 


Re: [Samba] winbind + samba limits with large AD?

2007-07-12 Thread Ralf Gross
Michael Adam wrote:
> 
> could you please, for debugging this, raise your log level to 10
> (and possibly set max log size to 0 to prevent rotation of
> log files)?
> 
> For the stack trace to be more meaningful, it would also be good 
> to have samba compiled with CFLAGS="-g" (debugging symbols) and
> without optimizations (no -O, -O2, ... flag). Furthermore the
> configure option --enable-pie=no is useful.
> 
> As for your setup: Could you provide your smb.conf file (secret
> stuff grayed out of course)?
> 
> You should double check that no components are mixed between
> your system package samba installation and your hand-compiled
> version (sorry if I am stating obvious things):
> 
> * save your smb.conf
> * clean all of /opt/samba32
> * recompile as stated above
> * reinstall
> * copy your smb.conf to /opt/samba32/lib
>   (don't forget to raise log level to 10 and max log size = 0)
> * make sure to copy (or link) libnss_winbind.so
>   to /lib/libnss_winbind.so (and /lib/libnss_winbind.so.2)
> * rejoin the domain
> * start nmbd/smbd/winbindd daemons
> * make your tests as before, using tools (wbinfo...) from 
>   /opt/samba32/bin when not using system commands (id, getent, ...)
> 
> Then provide us with the logs - maybe bugzilla.samba.org is a more
> appropriate place for this.

I would prefer to send this data to you directly and not publish it
on the bts. I can remove some of the critical data from the log files,
but not all.
 
> Also some key data about your AD environment would be interesting
> to know: number of DCs, OS version of DCs, mode of AD (native
> 2003, ...) number of users, number of groups, size of largest groups 
> involved in your tests, number of groups user is member of, ...

I can also send you this information to your mail address. Which one
should I use?

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-12 Thread Michael Adam
Hello Ralf,

could you please, for debugging this, raise your log level to 10
(and possibly set max log size to 0 to prevent rotation of
log files)?

For the stack trace to be more meaningful, it would also be good 
to have samba compiled with CFLAGS="-g" (debugging symbols) and
without optimizations (no -O, -O2, ... flag). Furthermore the
configure option --enable-pie=no is useful.

As for your setup: Could you provide your smb.conf file (secret
stuff grayed out of course)?

You should double check that no components are mixed between
your system package samba installation and your hand-compiled
version (sorry if I am stating obvious things):

* save your smb.conf
* clean all of /opt/samba32
* recompile as stated above
* reinstall
* copy your smb.conf to /opt/samba32/lib
  (don't forget to raise log level to 10 and max log size = 0)
* make sure to copy (or link) libnss_winbind.so
  to /lib/libnss_winbind.so (and /lib/libnss_winbind.so.2)
* rejoin the domain
* start nmbd/smbd/winbindd daemons
* make your tests as before, using tools (wbinfo...) from 
  /opt/samba32/bin when not using system commands (id, getent, ...)

Then provide us with the logs - maybe bugzilla.samba.org is a more
appropriate place for this.

Also some key data about your AD environment would be interesting
to know: number of DCs, OS version of DCs, mode of AD (native
2003, ...) number of users, number of groups, size of largest groups 
involved in your tests, number of groups user is member of, ...

Best, Michael

On Thu, Jul 12, 2007 at 10:46:26AM +0200, Ralf Gross wrote:
> Ralf Gross wrote:
> 
> Now after executing 'id -a' I got a panic:
> 
> [2007/07/12 10:28:28, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
>   [ 6998]: getgrgid 2054
> [2007/07/12 10:28:38, 0] libsmb/clientgen.c:cli_receive_smb_internal(136)
>   Receiving SMB: Server stopped responding
> [2007/07/12 10:28:38, 0] rpc_client/cli_pipe.c:rpc_api_pipe(789)
>   rpc_api_pipe: Remote machine smtcd001.emea.corpdir.net pipe \lsarpc fnum
> 0x8005returned critical error. Error was Call timed out: server did not 
> respond
> after 1 milliseconds
> [2007/07/12 10:28:38, 0] lib/fault.c:fault_report(40)
>   ===
> [2007/07/12 10:28:38, 0] lib/fault.c:fault_report(41)
>   INTERNAL ERROR: Signal 11 in pid 6905 (3.2.1pre1-SVN-build-23823)
>   Please read the Trouble-Shooting section of the Samba3-HOWTO
> [2007/07/12 10:28:38, 0] lib/fault.c:fault_report(43)
> 
>   From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
> [2007/07/12 10:28:38, 0] lib/fault.c:fault_report(44)
>   ===
> [2007/07/12 10:28:38, 0] lib/util.c:smb_panic(1655)
>   PANIC (pid 6905): internal error
> [2007/07/12 10:28:38, 0] lib/util.c:log_stack_trace(1759)
>   BACKTRACE: 18 stack frames:
>#0 /opt/samba32/sbin/winbindd(log_stack_trace+0x2d) [0x8142eab]
>#1 /opt/samba32/sbin/winbindd(smb_panic+0x78) [0x8142fd9]
>#2 /opt/samba32/sbin/winbindd [0x812e72e]
>#3 [0xe420]
>#4 /lib/tls/i686/cmov/libc.so.6(vsnprintf+0xb4) [0xb7d8eb54]
>#5 /opt/samba32/sbin/winbindd(talloc_vasprintf+0x3b) [0x81254ec]
>#6 /opt/samba32/sbin/winbindd(talloc_asprintf+0x2e) [0x812563f]
>#7 /opt/samba32/sbin/winbindd [0x80d4662]
>#8 /opt/samba32/sbin/winbindd [0x80ba8a9]
>#9 /opt/samba32/sbin/winbindd [0x80afeea]
>#10 /opt/samba32/sbin/winbindd [0x80b1c89]
>#11 /opt/samba32/sbin/winbindd [0x80db102]
>#12 /opt/samba32/sbin/winbindd [0x80dbe15]
>#13 /opt/samba32/sbin/winbindd [0x80da383]
>#14 /opt/samba32/sbin/winbindd [0x80a9220]
>#15 /opt/samba32/sbin/winbindd(main+0xdef) [0x80aa0db]
>#16 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc) [0xb7d45ebc]
>#17 /opt/samba32/sbin/winbindd [0x80a8031]
> [2007/07/12 10:28:38, 0] lib/fault.c:dump_core(180)
>   dumping core in /opt/samba32/var/cores/winbindd
> 
> Ralf

-- 

i.A. Michael Adam

-- 
Michael Adam <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE


Re: [Samba] winbind + samba limits with large AD?

2007-07-12 Thread Ralf Gross
Ralf Gross wrote:

Now after executing 'id -a' I got a panic:

[2007/07/12 10:28:28, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
  [ 6998]: getgrgid 2054
[2007/07/12 10:28:38, 0] libsmb/clientgen.c:cli_receive_smb_internal(136)
  Receiving SMB: Server stopped responding
[2007/07/12 10:28:38, 0] rpc_client/cli_pipe.c:rpc_api_pipe(789)
  rpc_api_pipe: Remote machine smtcd001.emea.corpdir.net pipe \lsarpc fnum
0x8005returned critical error. Error was Call timed out: server did not respond
after 1 milliseconds
[2007/07/12 10:28:38, 0] lib/fault.c:fault_report(40)
  ===
[2007/07/12 10:28:38, 0] lib/fault.c:fault_report(41)
  INTERNAL ERROR: Signal 11 in pid 6905 (3.2.1pre1-SVN-build-23823)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2007/07/12 10:28:38, 0] lib/fault.c:fault_report(43)

  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2007/07/12 10:28:38, 0] lib/fault.c:fault_report(44)
  ===
[2007/07/12 10:28:38, 0] lib/util.c:smb_panic(1655)
  PANIC (pid 6905): internal error
[2007/07/12 10:28:38, 0] lib/util.c:log_stack_trace(1759)
  BACKTRACE: 18 stack frames:
   #0 /opt/samba32/sbin/winbindd(log_stack_trace+0x2d) [0x8142eab]
   #1 /opt/samba32/sbin/winbindd(smb_panic+0x78) [0x8142fd9]
   #2 /opt/samba32/sbin/winbindd [0x812e72e]
   #3 [0xe420]
   #4 /lib/tls/i686/cmov/libc.so.6(vsnprintf+0xb4) [0xb7d8eb54]
   #5 /opt/samba32/sbin/winbindd(talloc_vasprintf+0x3b) [0x81254ec]
   #6 /opt/samba32/sbin/winbindd(talloc_asprintf+0x2e) [0x812563f]
   #7 /opt/samba32/sbin/winbindd [0x80d4662]
   #8 /opt/samba32/sbin/winbindd [0x80ba8a9]
   #9 /opt/samba32/sbin/winbindd [0x80afeea]
   #10 /opt/samba32/sbin/winbindd [0x80b1c89]
   #11 /opt/samba32/sbin/winbindd [0x80db102]
   #12 /opt/samba32/sbin/winbindd [0x80dbe15]
   #13 /opt/samba32/sbin/winbindd [0x80da383]
   #14 /opt/samba32/sbin/winbindd [0x80a9220]
   #15 /opt/samba32/sbin/winbindd(main+0xdef) [0x80aa0db]
   #16 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xdc) [0xb7d45ebc]
   #17 /opt/samba32/sbin/winbindd [0x80a8031]
[2007/07/12 10:28:38, 0] lib/fault.c:dump_core(180)
  dumping core in /opt/samba32/var/cores/winbindd

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-12 Thread Ralf Gross
Ralf Gross wrote:
> One thing I also noticed with the ubuntu package: the group names are
> only numbers. I
> 
> [EMAIL PROTECTED]:~$ /opt/samba32/bin/wbinfo -r ralfgro
> 2003
> 2004
> 2005
> 2006
> 2007
> 2008
> 2009
> [...]

I obviously screwed up the nsswitch.conf. After correcting this, I get
the group names.

But the whole thing is still very fragile. A simple 'id -a' takes ages,
and I just killed winbind after one minute with this result.

[EMAIL PROTECTED]:~$ id -a
uid=2000(ralfgro) gid=2000(emea\domain users) Gruppen=2000(emea\domain
users),2003(emea\emtc_tsrv_restrict_cul_a),2004,2005,2006,2007,2008,2009,2010,2011,2012,2013,2014,2022,2025,2026,2028,2029,2033,2035,2036,2037,2038,2039,2041,2042,2043,2044,2046,2048,2049,2050,2051,2053,2054,2056,2057,2058,2059,2060,2062,2063,2064,2066,2067,2069,2070,2071,2072,2073,2075,2076,2079,2080,2081,2082,2083,2084,2085,2086,2088,2089,2090,2093,2094,2099,2103,2109,2111,2113,2114,2115,2116,2119,2122,2125,2126,2127,2130,2131,2133

This is the debug output of a second try...

[2007/07/12 09:28:10, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
  [ 6914]: getgrgid 2004
[2007/07/12 09:28:10, 1] nsswitch/winbindd_group.c:getgrsid_sid2gid_recv(760)
  Can't find domain from name (EMEA\EMTC_ITS_MTC)
[2007/07/12 09:28:10, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
  [ 6914]: getgrgid 2005
[2007/07/12 09:28:15, 3] nsswitch/winbindd_ads.c:lookup_groupmem(1099)
  ads lookup_groupmem for sid=S-1-5-21-1482476501-1450960922-725345543-152681 
succeeded
---> pause
[2007/07/12 09:30:33, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6914]: request interface version
[2007/07/12 09:30:33, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6915]: request interface version
[2007/07/12 09:30:33, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6914]: request interface version
[2007/07/12 09:30:33, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6914]: request interface version
[2007/07/12 09:30:33, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6914]: request interface version
[2007/07/12 09:30:33, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(554)
  [ 6914]: request location of privileged pipe
[2007/07/12 09:30:33, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
  [ 6914]: getgrgid 2008
[2007/07/12 09:30:33, 3] nsswitch/winbindd_ads.c:lookup_groupmem(1099)
[...]
[2007/07/12 09:39:21, 3] nsswitch/winbindd_group.c:winbindd_getgrgid(886)
  [ 6914]: getgrgid 2076
[...]
 
During this command no connection to any share was possible!

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-12 Thread Ralf Gross
Volker Lendecke wrote:
> On Wed, Jul 11, 2007 at 06:16:12PM +0200, Ralf Gross wrote:
> > [2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
> >   request_len_recv: Invalid request size received: 1848
> 
> Update /lib/libnss_winbind.so with the version you just
> compiled and reboot.

That worked and now I've got 3.2 running.

One thing I also noticed with the ubuntu package: the group names are
only numbers. I

[EMAIL PROTECTED]:~$ /opt/samba32/bin/wbinfo -r ralfgro
2003
2004
2005
2006
2007
2008
2009
[...]

[EMAIL PROTECTED]:~$ id -a
uid=2000(ralfgro) gid=2000 Gruppen=2000

[EMAIL PROTECTED]:~$ ls -l
insgesamt 0
lrwxrwxrwx 1 ralfgro 2000 26 2007-07-12 08:27 Examples ->
/usr/share/example-content
-rw-r--r-- 1 ralfgro 2000  0 2007-07-12 08:29 foo

[EMAIL PROTECTED]:~$ ls -la
insgesamt 24
drwxr-xr-x 2 ralfgro 2000 4096 2007-07-12 08:43 .
drwxr-xr-x 4 rootroot 4096 2007-07-12 08:27 ..
-rw-r--r-- 1 ralfgro 2000  220 2007-07-12 08:27 .bash_logout
-rw-r--r-- 1 ralfgro 2000  414 2007-07-12 08:27 .bash_profile
-rw-r--r-- 1 ralfgro 2000 2298 2007-07-12 08:27 .bashrc
lrwxrwxrwx 1 ralfgro 2000   26 2007-07-12 08:27 Examples ->
/usr/share/example-content
-rwxr--r-- 1 ralfgro 20000 2007-07-12 08:29 foo
-rw-r--r-- 1 ralfgro 2000  566 2007-07-12 08:27 .profile
-rwxr--r-- 1 ralfgro 20000 2007-07-12 08:43 test

[EMAIL PROTECTED]:~$ chgrp users test
chgrp: Ändern der Gruppe für "test": Operation not permitted

I must still be missing something...

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Ralf Gross
Volker Lendecke wrote:
> On Wed, Jul 11, 2007 at 06:16:12PM +0200, Ralf Gross wrote:
> > [2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
> >   request_len_recv: Invalid request size received: 1848
> 
> Update /lib/libnss_winbind.so with the version you just
> compiled and reboot.

I changed the path to libnss_winbind.so in all relevant files
in /etc/pam.d/, but I will try your suggestion tomorrow and reboot.

Ralf


Re: [Samba] Winbind failure

2007-07-11 Thread Michael Bann
In case anyone was following along, I've solved the problem. I'm not 
sure what technically did it, but I upgraded Samba from 3.0.25a to 
3.0.25b. Also, I used the "net" command that came with the package 
(bin/net) which I apparently wasn't using before (doing a "which net" 
command).


After that I did a kdestroy, kinit, net ads join and all worked again!


Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Volker Lendecke
On Wed, Jul 11, 2007 at 06:16:12PM +0200, Ralf Gross wrote:
> [2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
>   request_len_recv: Invalid request size received: 1848

Update /lib/libnss_winbind.so with the version you just
compiled and reboot.

Volker



Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Ralf Gross
Ralf Gross wrote:
> > I am interested to hear how the new version performs in your setup!
> 
> This might take some more days but I'll give feedback!

Ok, I was able to rejoin the domain.

On host wu7e003:

/opt/samba32# bin/wbinfo -t
checking the trust secret via RPC calls succeeded

/opt/samba32# bin/wbinfo -i ralfgro
ralfgro:*:2000:2000::/home/ads/EMEA/ralfgro:/bin/bash

But I can't connect to the host:

smbclient //wu7e0003/ralfgro -U ralfgro -W emea
Password:
session setup failed: NT_STATUS_LOGON_FAILURE

log.winbind:
[2007/07/11 18:06:02, 3] 
nsswitch/winbindd_misc.c:winbindd_interface_version(521)
  [ 6340]: request interface version
[2007/07/11 18:06:02, 3] nsswitch/winbindd_misc.c:winbindd_priv_pipe_dir(554)
  [ 6340]: request location of privileged pipe
[2007/07/11 18:06:02, 3] nsswitch/winbindd_misc.c:winbindd_domain_info(415)
  [ 6340]: domain_info [EMEA]
[2007/07/11 18:06:02, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(1727)
  [ 6340]: pam auth crap domain: [EMEA] user: ralfgro
[2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
  request_len_recv: Invalid request size received: 1848
[2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
  request_len_recv: Invalid request size received: 1848
[2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
  request_len_recv: Invalid request size received: 1848
[2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
  request_len_recv: Invalid request size received: 1848
[2007/07/11 18:06:02, 0] nsswitch/winbindd.c:request_len_recv(555)
  request_len_recv: Invalid request size received: 1848
[2007/07/11 18:06:02, 3] nsswitch/winbindd_misc.c:winbindd_ping(500)
  [ 6340]: ping

log.wb-EMEA
[2007/07/11 18:06:02, 3] 
nsswitch/winbindd_pam.c:winbindd_dual_pam_auth_crap(1793)
  [ 6248]: pam auth crap domain: EMEA user: ralfgro

log.smbd
[2007/07/11 18:06:02, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [ralfgro] -> [ralfgro] FAILED 
with error NT_STATUS_NO_SUCH_USER


Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Ralf Gross
Michael Adam wrote:
> > I was able to get it at home and put it on a cd :)
> 
> Great!

In the meantime I compiled 3.2, but I have some problems with the
machine account. I joined the domain with the ubuntu package some
weeks ago (my desktop) and installed samba 3.2 to /opt. I tried to
copy the old samba tdb files from /var/lib/samba to /opt/... but it
seems that something went wrong (it was just a quick trial and error
attempt). I have to look into that in the next days.
 
> > Michael Adam wrote:
> > > By "that command" you mean "ls -ln"?
> > 
> > And 'wbinfo -g' or 'wbinfo -u'. I couldn't get the user and group and
> > winbindd died after that command.
> 
> wbinfo -u/-g get the list of users/groups even if "winbind enum
> users/groups" is set to "no" in the config (it uses other means
> than the getpwent/getgrent system functions). If your number of 
> users and groups is very large, wbinfo will currently time out,
> but winbindd will continue to complete the request. 

Ok.
 
> > > Well, let's see what improvement the new version brings.
> > > BTW: The enhancements were made specifically for environments
> > > with hundreds of thousands of users and groups (and large
> > > groups!) in ad.
> > 
> > Sounds promising!
> 
> I am interested to hear how the new version performs in your setup!

This might take some more days but I'll give feedback!


Ralf


Re: [Samba] Winbind failure

2007-07-11 Thread Dimitri Yioulos
On Tuesday 10 July 2007 6:03 pm, Michael Bann wrote:
> After copying over the lock files and the secrets.tdb file, I get a new
> error. (I attempted to reinstall Samba and did not copy those files over
> before.)
>
> I removed the computer name...
>
> [2007/07/10 16:51:31, 0] smbd/server.c:main(986)
>   standard input is not a socket, assuming -D option
> [2007/07/10 16:51:31, 0]
> nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221)
>   initialize_winbindd_cache: clearing cache and re-creating with version
> number 1
> [2007/07/10 16:51:32, 0] libads/kerberos.c:ads_kinit_password(227)
>   kerberos_kinit_password [EMAIL PROTECTED] failed:
> Preauthentication failed
> [2007/07/10 16:51:32, 0] printing/nt_printing.c:nt_printing_init(650)
>   nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
> [2007/07/10 16:51:32, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
>   Kinit failed: Preauthentication failed
> [2007/07/10 16:51:32, 1] nsswitch/winbindd_util.c:trustdom_recv(237)
>   Could not receive trustdoms
>
> Any ideas?

This is probably of no use to you, but, who knows.  I had the same thing 
happen on one of my CentOS 3 boxes; same errors.  I generally like to roll my 
own RPMs from source RPMs, and use the source RPM from sernet.  As the 
machine in question is VERY old (Dell PW 6100/200 - test machine that 
otherwise works very well), I couldn't do this without the machine hanging.  
So, I DL'd the full sernet RPMs.  I believe I tried both the RedHat and 
CentOS RPMs and ... I got the exact same messages as you.  After struggling 
to figure out what the problem was, the light bulb finally lit.  I copied 
over RPMs I had created on another CentOS 3 box and ... all errors vanished, 
and I was able to connect the box to my AD network.




Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Michael Adam
On Wed, Jul 11, 2007 at 10:45:00 +0200, Ralf Gross wrote:
> Ok, I thought there is a way to use svn+http to get the files.

Yes, svn supports "svn co http://...".
But the server has to support that transport too.
I think this is not supported on svnanon.samba.org currently;
I have to check.
  
> I was able to get it at home and put it on a cd :)

Great!

> Michael Adam wrote:
> > By "that command" you mean "ls -ln"?
> 
> And 'wbinfo -g' or 'wbinfo -u'. I couldn't get the user and group and
> winbindd died after that command.

wbinfo -u/-g get the list of users/groups even if "winbind enum
users/groups" is set to "no" in the config (it uses other means
than the getpwent/getgrent system functions). If your number of 
users and groups is very large, wbinfo will currently time out,
but winbindd will continue to complete the request. 

> > Well, let's see what improvement the new version brings.
> > BTW: The enhancements were made specifically for environments
> > with hundreds of thousands of users and groups (and large
> > groups!) in ad.
> 
> Sounds promising!

I am interested to hear how the new version performs in your setup!

Michael

-- 
Michael Adam <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE


Re: [Samba] winbind + samba limits with large AD?

2007-07-11 Thread Ralf Gross
Michael Adam wrote:
> Assuming you have a web proxy, you can try rsync with setting
> the environment variable RSYNC_PROXY to $proxy_ip:$proxy_port
> (like "export RSYNC_PROXY=192.168.0.1:3128" in bash).

The proxy only allows ports 80 and 443; 873 is blocked.
 
> > http://svnanon.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html#id442180
> > I can't reach http://svnweb.samba.org/. 
> 
> That should probably be websvn instead of svnweb, but this is
> for inspecting single files and diffs, not for downloading the
> sources anyway.

Ok, I thought there is a way to use svn+http to get the files.
 
> > Is there another way to get the 3_2 release by svn/http?
> 
> If you can't get it with rsync through http, I could put
> a tarball for download somewhere tomorrow. Just let me know.

I was able to get it at home and put it on a cd :)
 
> > > The reason why lookup_groupmem gets used in "ls -l" at all is
> > > that the getgrgid library call is used to resolve the gids into
> > > names, and this call returns not only the name but the whole 
> > > group structure, including the list of members.
> > > 
> > > So to confirm my assumptions above, you could compare the
> > > runtime of "ls -l" to that of "ls -ln": The latter should be
> > > much faster! 
> > 
> > Thanks for your reply, I'll try to get the source and compile it. This
> > might take some time. BTW: wbinfo also wasn't working right and
> > winbindd was not responding after issuing that command.
> 
> By "that command" you mean "ls -ln"?

And 'wbinfo -g' or 'wbinfo -u'. I couldn't get the user and group and
winbindd died after that command.
 
> Well, let's see what improvement the new version brings.
> BTW: The enhancements were made specifically for environments
> with hundreds of thousands of users and groups (and large
> groups!) in ad.

Sounds promising!

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-10 Thread Michael Adam
On Tue, Jul 10, 2007 at 11:33:24 +0200, Ralf Gross wrote:
> Michael Adam wrote:
> > 
> > I assume that you are using "security = ads" and I assume that
> > your AD setup has groups with lots of members?
> 
> Yes, that's right.
>  
> > There is no way to improve the performance significantly with
> > 3.0.24 (except patching). So I suggest that you grab the latest 
> > sources with svn (see http://www.samba.org/samba/devel/), you 
> > can also get the upcoming release branch SAMBA_3_2_0 here) or 
> > get the unpacked sources with rsync like so:
> > "rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2"
> > and then compile it yourself.
> 
> I can't use rsync or cvs from the office. It seems that svnweb which is
> mentioned in the howto is not working anymore.

Assuming you have a web proxy, you can try rsync with setting
the environment variable RSYNC_PROXY to $proxy_ip:$proxy_port
(like "export RSYNC_PROXY=192.168.0.1:3128" in bash).

> http://svnanon.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html#id442180
> 
> I can't reach http://svnweb.samba.org/. 

That should probably be websvn instead of svnweb, but this is
for inspecting single files and diffs, not for downloading the
sources anyway.

> Is there another way to get the 3_2 release by svn/http?

If you can't get it with rsync through http, I could put
a tarball for download somewhere tomorrow. Just let me know.

> > The reason why lookup_groupmem gets used in "ls -l" at all is
> > that the getgrgid library call is used to resolve the gids into
> > names, and this call returns not only the name but the whole 
> > group structure, including the list of members.
> > 
> > So to confirm my assumptions above, you could compare the
> > runtime of "ls -l" to that of "ls -ln": The latter should be
> > much faster! 
> 
> Thanks for your reply, I'll try to get the source and compile it. This
> might take some time. BTW: wbinfo also wasn't working right and
> winbindd was not responding after issuing that command.

By "that command" you mean "ls -ln"?

Well, let's see what improvement the new version brings.
BTW: The enhancements were made specifically for environments
with hundreds of thousands of users and groups (and large
groups!) in ad.

Cheers, Michael

-- 
Michael Adam <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE


Re: [Samba] Winbind failure

2007-07-10 Thread Michael Bann
After copying over the lock files and the secrets.tdb file, I get a new 
error. (I attempted to reinstall Samba and did not copy those files over 
before.)


I removed the computer name...

[2007/07/10 16:51:31, 0] smbd/server.c:main(986)
 standard input is not a socket, assuming -D option
[2007/07/10 16:51:31, 0] 
nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221)
 initialize_winbindd_cache: clearing cache and re-creating with version 
number 1

[2007/07/10 16:51:32, 0] libads/kerberos.c:ads_kinit_password(227)
 kerberos_kinit_password [EMAIL PROTECTED] failed: 
Preauthentication failed

[2007/07/10 16:51:32, 0] printing/nt_printing.c:nt_printing_init(650)
 nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/07/10 16:51:32, 0] libsmb/cliconnect.c:cli_session_setup_spnego(853)
 Kinit failed: Preauthentication failed
[2007/07/10 16:51:32, 1] nsswitch/winbindd_util.c:trustdom_recv(237)
 Could not receive trustdoms

Any ideas?


Re: [Samba] winbind + samba limits with large AD?

2007-07-10 Thread simo
On Tue, 2007-07-10 at 23:33 +0200, Ralf Gross wrote:
> 
> I can't reach http://svnweb.samba.org/. Is there another way to get
> the 3_2 release by svn/http?

Use http://viewcvs.samba.org

I will correct the howto.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] winbind + samba limits with large AD?

2007-07-10 Thread Ralf Gross
Michael Adam wrote:
> 
> I assume that you are using "security = ads" and I assume that
> your AD setup has groups with lots of members?

Yes, that's right.
 
> This is a known problem then that has been fixed in current 
> samba (SAMBA_3_2 as of today): The ads version of the function 
> lookup_groupmem (used to retrieve the members of a given group) 
> showed poor performance on large groups. I recently improved
> the performance of this call (starting with svn revisions r23070
> and r23072). This is in SAMBA_3_2 and in SAMBA_3_2_0, so it will 
> be in the next release (3.2.0). 

Ok.
 
> There is no way to improve the performance significantly with
> 3.0.24 (except patching). So I suggest that you grab the latest 
> sources with svn (see http://www.samba.org/samba/devel/), you 
> can also get the upcoming release branch SAMBA_3_2_0 here) or 
> get the unpacked sources with rsync like so:
> "rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2"
> and then compile it yourself.

I can't use rsync or cvs from the office. It seems that svnweb which is
mentioned in the howto is not working anymore.

http://svnanon.samba.org/samba/docs/man/Samba-HOWTO-Collection/compiling.html#id442180

I can't reach http://svnweb.samba.org/. Is there another way to get
the 3_2 release by svn/http?
 
> The reason why lookup_groupmem gets used in "ls -l" at all is
> that the getgrgid library call is used to resolve the gids into
> names, and this call returns not only the name but the whole 
> group structure, including the list of members.
> 
> So to confirm my assumptions above, you could compare the
> runtime of "ls -l" to that of "ls -ln": The latter should be
> much faster! 

Thanks for your reply, I'll try to get the source and compile it. This
might take some time. BTW: wbinfo also wasn't working right and
winbindd was not responding after issuing that command.

Ralf


Re: [Samba] winbind + samba limits with large AD?

2007-07-10 Thread Michael Adam
Hi Ralf,

I assume that you are using "security = ads" and I assume that
your AD setup has groups with lots of members?

This is a known problem then that has been fixed in current 
samba (SAMBA_3_2 as of today): The ads version of the function 
lookup_groupmem (used to retrieve the members of a given group) 
showed poor performance on large groups. I recently improved
the performance of this call (starting with svn revisions r23070
and r23072). This is in SAMBA_3_2 and in SAMBA_3_2_0, so it will 
be in the next release (3.2.0). 

There is no way to improve the performance significantly with
3.0.24 (except patching). So I suggest that you grab the latest 
sources with svn (see http://www.samba.org/samba/devel/), you 
can also get the upcoming release branch SAMBA_3_2_0 here) or 
get the unpacked sources with rsync like so:
"rsync -avSH samba.org::ftp/pub/unpacked/samba_3_2/ ./samba_3_2"
and then compile it yourself.

The reason why lookup_groupmem gets used in "ls -l" at all is
that the getgrgid library call is used to resolve the gids into
names, and this call returns not only the name but the whole 
group structure, including the list of members.

So to confirm my assumptions above, you could compare the
runtime of "ls -l" to that of "ls -ln": The latter should be
much faster! 

Cheers, Michael

On Di, Jul 10, 2007 at 10:08:00 +0200, Ralf Gross wrote:
> Hi,
> 
> a few months ago I tried to setup samba + winbind (debian etch,
> amd64, samba 3.0.24). I followed the howto and got the authentication
> running. But I had not much success with winbind. I disabled the
> user/group enumeration, but this didn't change it. A simple 'ls -l' in
> a directory with 10-20 files took minutes to return the list and most
> of the time winbindd just stopped working and no connection to the
> samba shares was possible. I had to kill the daemon.
> 
> I'm only responsible for a couple of linux workstations, but our AD is
> quite large (>10 or more entries). Before I start a new attempt to
> get winbindd working, I would like to know if this is possible at all
> without any further patches or "secret" tweaks?
> 
> Ralf

-- 
Michael Adam <[EMAIL PROTECTED]>
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.SerNet.DE, mailto: Info @ SerNet.DE
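
To make the cost Michael describes visible, here is an added Python illustration (not code from this thread or from Samba) of what "ls -l" and "ls -ln" do differently. Like coreutils ls, it resolves each distinct uid and gid once per listing; the group name comes from getgrgid(), which hands back the complete struct group including the gr_mem member list, so with nss_winbind every distinct gid costs one lookup_groupmem round trip to the DC. The numeric listing never touches the resolver. The directory it lists and the files make_sample_dir() creates are assumptions made for the demonstration.

```python
import functools
import grp
import os
import pwd
import tempfile
import time


@functools.lru_cache(maxsize=None)
def uid_to_name(uid):
    """Resolve a uid once per process; fall back to the number like ls does."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


@functools.lru_cache(maxsize=None)
def gid_to_name(gid):
    """getgrgid() returns the whole struct group, members included, even
    though only gr_name is wanted here. Through nss_winbind that is one
    lookup_groupmem call per distinct gid, which is what ls -l pays for."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def group_member_count(gid):
    """Show what travels with the name: the full member list of the group."""
    try:
        return len(grp.getgrgid(gid).gr_mem)
    except KeyError:
        return 0


def list_dir(path, numeric=False):
    """A minimal ls -l (names) or ls -ln (numeric): (name, owner, group, size)."""
    rows = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if numeric:
            owner, group = str(st.st_uid), str(st.st_gid)
        else:
            owner, group = uid_to_name(st.st_uid), gid_to_name(st.st_gid)
        rows.append((name, owner, group, st.st_size))
    return rows


def time_listing(path):
    """Wall-clock seconds for the name-resolving and the numeric listing,
    with the lookup caches cleared so the names are really resolved."""
    uid_to_name.cache_clear()
    gid_to_name.cache_clear()
    t0 = time.perf_counter()
    list_dir(path)
    t_names = time.perf_counter() - t0
    t0 = time.perf_counter()
    list_dir(path, numeric=True)
    t_numeric = time.perf_counter() - t0
    return t_names, t_numeric


def make_sample_dir():
    """Constructed input for the demonstration: a temp dir with two files."""
    path = tempfile.mkdtemp(prefix='ls_demo_')
    for name in ('a.txt', 'b.txt'):
        with open(os.path.join(path, name), 'w') as fh:
            fh.write(name)
    return path


if __name__ == '__main__':
    # assumption: LS_TEST_DIR points at a directory on the winbind-enabled host
    target = os.environ.get('LS_TEST_DIR', '.')
    t_names, t_numeric = time_listing(target)
    print(f'ls -l  equivalent: {t_names:.4f}s')
    print(f'ls -ln equivalent: {t_numeric:.4f}s')
    for gid in {row[2] for row in list_dir(target, numeric=True)}:
        print(f'gid {gid}: getgrgid() returned {group_member_count(int(gid))} members')
```

On a box where the gids belong to large AD groups the first number is the one that grows with group size; the second stays flat, which is the comparison Michael asks for.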


Re: [Samba] Winbind join with different domains

2007-07-10 Thread Ralf Gross
Jim Kusznir schrieb:
> 
> We have an existing AD domain with about 500 windows systems in it.
> Our AD domain, EECS.AD.WSU.EDU, is different than our DNS domain:
> eecs.wsu.edu.  We do have the DNS mappings for AD set up properly
> (actually, the domain controllers manage them), and all windows ->
> windows stuff works great.
> 
> I am now trying to join a samba system so it can be the printserver to
> windows systems with domain authentication.  When I try and join it, I
> get:
> 
> Using short domain name -- EECS
> Failed to set servicePrincipalNames. Please ensure that
> the DNS domain of this server matches the AD domain,
> Or rejoin with using Domain Admin credentials.
> 
> I have attempted both with my personal domain admin account and with
> the domain admin account with no difference.
> 
> Some time ago (1.5-2yrs ago), I succeeded doing this, and the domain
> layout was the same then as now.  As I recall, I joined the same way
> then, and "it just worked".
> 
> How do I do it now?  Changing domains to make them match is not an
> option at this time.

For the join I temporarily add the hostname + AD name to the /etc/hosts
file, e.g.:

y.x.c.v foobar.EECS.AD.WSU.EDU foobar.eecs.wsu.edu

This works for me (I had a hard time finding this solution).

Ralf


[Samba] winbind + samba limits with large AD?

2007-07-10 Thread Ralf Gross
Hi,

a few months ago I tried to setup samba + winbind (debian etch,
amd64, samba 3.0.24). I followed the howto and got the authentication
running. But I had not much success with winbind. I disabled the
user/group enumeration, but this didn't change it. A simple 'ls -l' in
a directory with 10-20 files took minutes to return the list and most
of the time winbindd just stopped working and no connection to the
samba shares was possible. I had to kill the daemon.

I'm only responsible for a couple of linux workstations, but our AD is
quite large (>10 or more entries). Before I start a new attempt to
get winbindd working, I would like to know if this is possible at all
without any further patches or "secret" tweaks?

Ralf


Re: [Samba] Winbind failure

2007-07-10 Thread Michael Bann

After entering the command I get the following:

Version 3.0.10-1.4E.12.2

Roberto Lizana wrote:

What is your version of winbind? (type winbindd --version in a console).





[Samba] Winbind join with different domains

2007-07-10 Thread Jim Kusznir

Hi all:

We have an existing AD domain with about 500 windows systems in it.
Our AD domain, EECS.AD.WSU.EDU, is different than our DNS domain:
eecs.wsu.edu.  We do have the DNS mappings for AD set up properly
(actually, the domain controllers manage them), and all windows ->
windows stuff works great.

I am now trying to join a samba system so it can be the printserver to
windows systems with domain authentication.  When I try and join it, I
get:

Using short domain name -- EECS
Failed to set servicePrincipalNames. Please ensure that
the DNS domain of this server matches the AD domain,
Or rejoin with using Domain Admin credentials.

I have attempted both with my personal domain admin account and with
the domain admin account with no difference.

Some time ago (1.5-2yrs ago), I succeeded doing this, and the domain
layout was the same then as now.  As I recall, I joined the same way
then, and "it just worked".

How do I do it now?  Changing domains to make them match is not an
option at this time.

Thanks!
--Jim
[EMAIL PROTECTED]


[Samba] Winbind failure

2007-07-10 Thread Michael Bann

Folks,

I am setting up a server to use cups printing and samba to communicate 
with windows. Samba appeared to be working for a little while and then 
for some reason stopped working. Looking at the log files I see the 
following:


[2007/07/10 12:49:16, 0] smbd/server.c:main(986)
 standard input is not a socket, assuming -D option
[2007/07/10 12:49:16, 0] 
nsswitch/winbindd_cache.c:initialize_winbindd_cache(2221)
 initialize_winbindd_cache: clearing cache and re-creating with version 
number 1

[2007/07/10 12:49:16, 0] nsswitch/winbindd_util.c:init_domain_list(513)
 Could not fetch our SID - did we join?
[2007/07/10 12:49:16, 0] nsswitch/winbindd.c:main(1088)
 unable to initalize domain list
[2007/07/10 12:49:16, 0] printing/nt_printing.c:nt_printing_init(650)
 nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

The command "getent passwd" lists users on the domain.  The command "net 
ads testjoin" results in "Join is OK".  Testparm says that the 
configuration file is fine. "net getlocalsid" and "net getlocalsid cems" 
both return a sid value. Klist shows valid tickets for my domain. Doing 
a /etc/init.d/smb restart shows that winbind starts up "ok" but will 
always "fail" on shutdown. This leads me to believe that it's not 
actually starting "ok", or that it is but it's crashing quickly thereafter.


Does anyone have ideas about why this might be happening?

Thanks,

Michael


Re: [Samba] winbind idmap customization

2007-07-06 Thread Gerald (Jerry) Carter

Gerald (Jerry) Carter wrote:

> Nope.  You haven't looked at how much trouble this would
> be in the code.  For example, Lookupsid() *always* returns
> the sAMAccountName but LookupName() will resolve a UPN to
> the same SID.
> 
> So the conversion is asymmetric. UPN->SID->sAMAccountName.
> But canonicalizing on the sAMAccountName does give you a
> symmetric mapping.
> 
> Secondly, your 'unix' variant would break with trusted domains.
> 
> So yes, it is a bad idea for very real technical reasons.

I should clarify that you can easily convert from UPN
to sAMAccountName and vice versa using the DsCrackNames
calls, but this requires a lot of plumbing we don't
have currently and would be a fundamental change in
design which would require a lot of code restabilization.

Or of course you can use LDAP queries but remember that
machines do not have UPNs by default.  So what do you
use then?




cheers, jerry


Re: [Samba] winbind idmap customization

2007-07-06 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> Okay, I agree then. There are a set of standard ways of representing a
> user name on a domain. There is 'NT\username', there is
> '[EMAIL PROTECTED]'. And there is 'username'.
> 
> Is it so bad to think that [EMAIL PROTECTED] should be desired? I desire it
> because I have non-Windows related things that use plain Kerberos
> realms, and they use this form. And I like it. There is no short NT4
> style name in these circumstances.
> 
> Perhaps then just a single option for the single canonical version?
> "unix", "nt", "realm".
> 
> winbind canonical form = realm
> 
> All lookups of all forms would be mapped to this single representation.
> That way users could login using any.

Nope.  You haven't looked at how much trouble this would
be in the code.  For example, Lookupsid() *always* returns
the sAMAccountName but LookupName() will resolve a UPN to
the same SID.

So the conversion is asymmetric. UPN->SID->sAMAccountName.
But canonicalizing on the sAMAccountName does give you a
symmetric mapping.

Secondly, your 'unix' variant would break with trusted domains.

So yes, it is a bad idea for very real technical reasons.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbind idmap customization

2007-07-06 Thread Jerome Haltom
Okay, I agree then. There are a set of standard ways of representing a
user name on a domain. There is 'NT\username', there is
'[EMAIL PROTECTED]'. And there is 'username'.

Is it so bad to think that [EMAIL PROTECTED] should be desired? I desire it
because I have non-Windows related things that use plain Kerberos
realms, and they use this form. And I like it. There is no short NT4
style name in these circumstances.

Perhaps then just a single option for the single canonical version?
"unix", "nt", "realm".

winbind canonical form = realm

All lookups of all forms would be mapped to this single representation.
That way users could login using any.

On Fri, 2007-07-06 at 19:46 +, simo wrote:
> 
> madness to slip in again. Not unless it is really really necessary.



Re: [Samba] winbind idmap customization

2007-07-06 Thread simo
On Fri, 2007-07-06 at 14:40 -0500, Gerald (Jerry) Carter wrote:
> 
> Jerome Haltom wrote:
> > Would it be much work to add some sort of format string policy to
> > smb.conf to govern this mapping?
> > 
> > winbind user name = [EMAIL PROTECTED]
> > winbind group name = [EMAIL PROTECTED]
> > 
> > This would ideally allow lookups for all of the various 
> > possibilities to resolve to the single canonical name.
> 
> Yup.  It would be a huge amount of work with no benefit
> IMO.

It would also make the code a lot more fragile IMO; we have already been
bitten by the winbind separator and winbind use default domain to allow
madness to slip in again. Not unless it is really really necessary.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] winbind idmap customization

2007-07-06 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> Would it be much work to add some sort of format string policy to
> smb.conf to govern this mapping?
> 
> winbind user name = [EMAIL PROTECTED]
> winbind group name = [EMAIL PROTECTED]
> 
> This would ideally allow lookups for all of the various 
> possibilities to resolve to the single canonical name.

Yup.  It would be a huge amount of work with no benefit
IMO.




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbind idmap customization

2007-07-06 Thread Jerome Haltom
Would it be much work to add some sort of format string policy to
smb.conf to govern this mapping?

winbind user name = [EMAIL PROTECTED]
winbind group name = [EMAIL PROTECTED]

This would ideally allow lookups for all of the various possibilities to
resolve to the single canonical name.

On Fri, 2007-07-06 at 09:12 -0500, Gerald (Jerry) Carter wrote:
> 
> Jerome Haltom wrote:
> > I would like to have winbind map all of my AD users to their full
> > [EMAIL PROTECTED] form on the Linux domain members. I'd like lookups to be
> > properly canonical. Is this possible?
> 
> No.  But I do have a patch pending that does the reverse:
> 
> $ getent passwd [EMAIL PROTECTED]
> AD\lizard:*:100026:10:Lee Zard:/home/win/AD/lizard:/bin/bash
> 
> 
> cheers, jerry
> =
> Samba--- http://www.samba.org
> Centeris ---  http://www.centeris.com
> "What man is a man who does not make the world better?"  --Balian



Re: [Samba] winbind local group memberships

2007-07-06 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> I have a domain member system which has domain users. For instance, ISI
> \jhaltom. This user is a member of a local group "admin", by virtue of
> being in the /etc/group file on the line for admin. If I log into the
> user (using su), and type "id", it shows him as a proper member of the
> local group.
> 
> However, when doing an operation over a share with group
> permissions set to "admin", I get permission denied. Samba does not seem
> to realize I am in this group. Why is this?

Look at the user tokens written in the level 10 debug logs.  Also
grep for NT_STATUS_ACCESS_DENIED and work backwards from there.





cheers, jerry

=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbind idmap customization

2007-07-06 Thread Gerald (Jerry) Carter

Jerome Haltom wrote:
> I would like to have winbind map all of my AD users to their full
> [EMAIL PROTECTED] form on the Linux domain members. I'd like lookups to be
> properly canonical. Is this possible?

No.  But I do have a patch pending that does the reverse:

$ getent passwd [EMAIL PROTECTED]
AD\lizard:*:100026:10:Lee Zard:/home/win/AD/lizard:/bin/bash







cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] winbind rpc only

2007-07-05 Thread Gerald (Jerry) Carter

Thorkil,

> I have set the parameter in smb.conf:
> 
> winbind rpc only = Yes
> 
> Testparm says:
> 
> Unknown parameter encountered: "winbind rpc only"
> Ignoring unknown parameter "winbind rpc only"
> 
> The man-page for smb.conf does document it. Is
> that wrong?

The parameter is only supported in the upcoming 3.0.26
series and later, which is also why it is not mentioned in
the release notes.





cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


[Samba] winbind rpc only

2007-07-05 Thread Thorkil Olesen
I have set the parameter in smb.conf:

winbind rpc only = Yes

Testparm says:

Unknown parameter encountered: "winbind rpc only"
Ignoring unknown parameter "winbind rpc only"

The man-page for smb.conf does document it. Is that wrong?

Samba 3.0.25b.

-- 
Thorkil Olesen,
Hanstholm, Denmark.




Re: [Samba] winbind authentication performance: lookup_groupmem in large sites

2007-06-26 Thread Guenther Deschner

SERGEYS Filip wrote:
> 3) Per group list all members of that group -> BOTTLENECK
> [2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
>   lookup_groupmem: [Cached] - doing backend query for info for domain 
> [2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
>   ads: lookup_groupmem POST sid=S-1-5-21-xx-x-x-

In older Samba releases we needed to look up each member in AD, which in
the upcoming 3.0.26 release will be done much more efficiently. You can
try the SAMBA_3_0_26 branch to check whether this fixes your performance
problem.

Thanks,
Guenther

- --
Günther DeschnerGPG-ID: 8EE11688
Red Hat [EMAIL PROTECTED]
Samba Team  [EMAIL PROTECTED]


[Samba] winbind authentication performance: lookup_groupmem in large sites

2007-06-26 Thread SERGEYS Filip
Hello,

I have set up winbind to authenticate Linux PCs to a Windows 2003 AD.
The authentication works, but the performance is not good (takes over 5 minutes)

PRELIMINARY
---
OS: ubuntu 7.04
Samba: 3.0.24
AD: windows 2003

ANALYSIS
-
After analyzing the log.winbindd file in log level 10, I can see three major 
parts

1) lookup and authenticate the user -> performance OK
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [0]: getpwnam sergeyf
[2007/06/25 14:31:50, 10] sam/idmap_util.c:idmap_sid_to_uid(70)
  idmap_sid_to_uid: sid = [S-1-5-21-xx-x-x-x]
  internal_get_id_from_sid: record 
S-1-5-21-xx-x-x-x -> UID 87023

2) list all groups this user is member of. -> performance OK
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:54, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1017)
  [0]: getgroups sergeyf
...
internal_get_id_from_sid: ID_GROUPID fetching record 
S-1-5-21-xx-x-x-xxx -> GID 10513
... (more than 50 groups)

3) Per group list all members of that group -> BOTTLENECK
[2007/06/25 17:18:02, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain 
[2007/06/25 17:18:02, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-xx-x-x-
...

Step 3 is the one causing the delay because each group has about 1000 users.
If I interrupt the login, I actually see I am logged in, but in the background 
the process of listing the groups continues.

STEPS ALREADY TAKEN
---
After I found this, I thought the problem had to be related to one of these 
settings:
winbind expand groups = 0
winbind nested groups =  no
Both settings were at their defaults first (1 and yes respectively), but after 
setting them to 0 and no, winbind still performed the group member lookup.

I also found this mailpost: 
http://archives.free.net.ph/message/20070613.052201.64562430.en.html
It mentions that this step should actually be asynchronous. When will that be 
implemented?

SOLUTION?
-
This is my question to the list: Is there a workaround or what settings do I 
need to apply.


Thanks in advance,

Filip Sergeys




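The three phases Filip picked out of log.winbindd can be measured rather than eyeballed. The following Python script is an added example, not part of this thread or of Samba: it parses the two-line record format winbindd writes at log level 10 (a bracketed timestamp/level header followed by an indented message), charges the time between consecutive "process_request: request fn" markers to the request that was running, and attributes the time after each "ads: lookup_groupmem POST" to that group's SID. The embedded log excerpt is constructed for the example (the domain name, SIDs and timings are invented); run it with a path argument to analyse a real log.winbindd.

```python
import re
import sys
from datetime import datetime

# Header of a winbindd log record: [YYYY/MM/DD HH:MM:SS, level] file:function(line)
HEADER = re.compile(
    r'^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(\d+)\] (\S+?):(\w+)\((\d+)\)')
REQUEST = re.compile(r'process_request: request fn (\w+)')
GROUPMEM_POST = re.compile(r'ads: lookup_groupmem POST sid=(\S+)')

# Constructed excerpt in the level-10 format; domain, SIDs and times are invented.
SAMPLE_LOG = """\
[2007/06/25 14:31:50, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETPWNAM
[2007/06/25 14:31:50, 3] nsswitch/winbindd_user.c:winbindd_getpwnam(336)
  [0]: getpwnam sergeyf
[2007/06/25 14:31:54, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn GETGROUPS
[2007/06/25 14:31:54, 3] nsswitch/winbindd_group.c:winbindd_getgroups(1017)
  [0]: getgroups sergeyf
[2007/06/25 14:31:56, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain EXAMPLE
[2007/06/25 14:31:56, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1001
[2007/06/25 14:33:40, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain EXAMPLE
[2007/06/25 14:33:40, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1002
[2007/06/25 14:35:12, 10] nsswitch/winbindd_cache.c:lookup_groupmem(1665)
  lookup_groupmem: [Cached] - doing backend query for info for domain EXAMPLE
[2007/06/25 14:35:12, 10] nsswitch/winbindd_ads.c:lookup_groupmem(879)
  ads: lookup_groupmem POST sid=S-1-5-21-1-2-3-1003
[2007/06/25 14:37:01, 10] nsswitch/winbindd.c:process_request(287)
  process_request: request fn PING
"""


def parse_entries(text):
    """Group each header line with the indented message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({
                'ts': datetime.strptime(m.group(1), '%Y/%m/%d %H:%M:%S'),
                'level': int(m.group(2)),
                'file': m.group(3),
                'func': m.group(4),
                'msg': '',
            })
        elif entries and line.strip():
            # the message itself, or a wrapped continuation of it
            entries[-1]['msg'] = (entries[-1]['msg'] + ' ' + line.strip()).strip()
    return entries


def summarize(text):
    """Seconds per request, per group membership fetch, and backend query count."""
    entries = parse_entries(text)
    # a request runs from its marker to the next marker (or to the last record)
    markers = [(i, REQUEST.match(e['msg']).group(1))
               for i, e in enumerate(entries) if REQUEST.match(e['msg'])]
    request_seconds = []
    for k, (i, fn) in enumerate(markers):
        end_i = markers[k + 1][0] if k + 1 < len(markers) else len(entries) - 1
        request_seconds.append((fn, (entries[end_i]['ts'] - entries[i]['ts']).total_seconds()))
    # a membership fetch runs from its POST until the next record is written
    per_group_seconds = []
    for i, e in enumerate(entries):
        m = GROUPMEM_POST.match(e['msg'])
        if m:
            nxt = entries[i + 1]['ts'] if i + 1 < len(entries) else e['ts']
            per_group_seconds.append((m.group(1), (nxt - e['ts']).total_seconds()))
    backend_queries = sum(1 for e in entries
                          if e['func'] == 'lookup_groupmem' and 'doing backend query' in e['msg'])
    return {'request_seconds': request_seconds,
            'groupmem_backend_queries': backend_queries,
            'per_group_seconds': per_group_seconds}


def report(summary):
    lines = [f'{fn:<12} {secs:8.0f}s' for fn, secs in summary['request_seconds']]
    lines.append(f'lookup_groupmem backend queries: {summary["groupmem_backend_queries"]}')
    for sid, secs in sorted(summary['per_group_seconds'], key=lambda x: -x[1]):
        lines.append(f'  {sid:<30} {secs:6.0f}s')
    return '\n'.join(lines)


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

With the constructed excerpt the GETGROUPS request accounts for all of the wall-clock time and every one of the three membership fetches takes well over a minute, which is the pattern to look for before deciding between upgrading to a release with the faster lookup_groupmem and reducing the number or size of the groups involved.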

Re: [Samba] winbind AIX

2007-06-15 Thread William Jojo


It's in /opt/pware/samba/3.0.25a/lib/security. Copy it to /usr/lib/security:

cp -p /opt/pware/samba/3.0.25a/lib/security/WINBIND /usr/lib/security

Then edit /usr/lib/security/methods.cfg and modify the SYSTEM attribute 
for the "default:" stanza in /etc/security/user.


Cheers,

Bill


 Original message 
>Date: Fri, 15 Jun 2007 23:23:03 +0100
>From: "Info" <[EMAIL PROTECTED]>  
>Subject: [Samba] winbind AIX  
>To: 
>
>I have installed Samba (from Binary) 3.0.25a on AIX 5.3
>I'm trying to configure Winbind
>I believe I need to copy winbind file to /usr/lib/security and modify
>usr/lib/security/methods.cfg with ;-
>"add WINBIND:
> programs=/usr/lib/security/WINBIND."
>
>nmbd, smbd and winbindd all running
>
>My problem is I cannot find a file called winbind on my system?
>
>Any help appreciated
>
>Selwyn


[Samba] winbind AIX

2007-06-15 Thread Info
I have installed Samba (from Binary) 3.0.25a on AIX 5.3
I'm trying to configure Winbind
I believe I need to copy winbind file to /usr/lib/security and modify
usr/lib/security/methods.cfg with ;-
"add WINBIND:
 programs=/usr/lib/security/WINBIND."

nmbd, smbd and winbindd all running

My problem is I cannot find a file called winbind on my system?

Any help appreciated

Selwyn


Re: [Samba] winbind nss configuration

2007-06-15 Thread Mike
--- Jerome Haltom <[EMAIL PROTECTED]> wrote:

> I'm having the hardest time trying to come up with the optimal
> configuration with NSS Winbind support. I want it to work right offline.
> That is, name lookups shouldn't take 30 minutes to time out or lock the
> system up. And if the name lookup is for a local name, I want Winbind to
> be 100% out of the picture.
> 
> I've tried this, without much luck:
> 
> passwd: compat [SUCCESS=return] winbind
> groups: compat [SUCCESS=return] winbind
> 
> My naive understanding is that this would make name lookups that
> succeeded in `compat` completely avoid winbind. That was my understanding
> until I disconnected the machine and could not log in as root.
> 

My nsswitch.conf looks like this (this is Solaris 8, btw):

passwd: files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]
group:  files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]

Actually, only the TRYAGAIN=return was necessary to prevent the "hang till 
timeout" in my scenario, but I put in the rest just in case.

L8r,
Mike


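The action syntax Mike is relying on can be checked without taking a box offline. The following Python is an added example written for this page, not from the thread, Samba or glibc: it parses an nsswitch.conf line into sources with their per-status actions (the documented defaults are SUCCESS=return and continue for NOTFOUND, UNAVAIL and TRYAGAIN; `[!STATUS=action]` negates the status) and then walks a lookup given the status each source would report. It models dispatch order only, not glibc's buffer-size retries. Two things fall out: `[SUCCESS=return]` after compat is already the default, so a root lookup that succeeds in compat never reaches winbind and the offline root login must be failing elsewhere (the PAM stack Frank asks about in his reply, or the group database, which nsswitch.conf names `group`, not `groups`); and `TRYAGAIN=return` on winbind only changes the outcome when another source follows it, for which the `nis` entry in the demonstration is a hypothetical stand-in.

```python
import re

STATUSES = ('success', 'notfound', 'unavail', 'tryagain')
ACTIONS = ('return', 'continue', 'merge')
# nsswitch.conf(5) defaults: stop on success, otherwise try the next source
DEFAULT_ACTIONS = {'success': 'return', 'notfound': 'continue',
                   'unavail': 'continue', 'tryagain': 'continue'}
# a token is either a bracketed action block (may contain spaces) or a source name
TOKEN = re.compile(r'\[[^\]]*\]|\S+')


def parse_nsswitch_line(line):
    """'db: src1 [STATUS=action ...] src2' -> (db, [(src, {status: action}), ...])."""
    line = line.split('#', 1)[0]
    db, sep, rest = line.partition(':')
    if not sep:
        raise ValueError(f'no database name in {line!r}')
    sources = []
    for tok in TOKEN.findall(rest):
        if not tok.startswith('['):
            sources.append((tok, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError('action block before any source')
        actions = sources[-1][1]          # the block applies to the preceding source
        for item in tok[1:-1].split():
            status, _, action = item.partition('=')
            negate = status.startswith('!')
            status, action = status.lstrip('!').lower(), action.lower()
            if status not in STATUSES or action not in ACTIONS:
                raise ValueError(f'bad action spec {item!r}')
            targets = [s for s in STATUSES if s != status] if negate else [status]
            for s in targets:
                actions[s] = action
    return db.strip(), sources


def simulate_lookup(sources, status_of):
    """Walk the sources in order; status_of maps source -> status it would return.
    Returns (sources actually consulted, status the lookup ends with)."""
    consulted, final = [], 'notfound'
    for source, actions in sources:
        status = status_of.get(source, 'notfound')
        consulted.append(source)
        final = status
        if actions[status] == 'return':
            break
        # 'continue' and 'merge' both hand over to the next source
    return consulted, final


def explain(line, status_of):
    db, sources = parse_nsswitch_line(line)
    consulted, final = simulate_lookup(sources, status_of)
    return f'{db}: consulted {" -> ".join(consulted)}, result {final}'


if __name__ == '__main__':
    # root lives in the local files: winbind is never asked, with or without [SUCCESS=return]
    print(explain('passwd: compat [SUCCESS=return] winbind', {'compat': 'success'}))
    # a domain user while the DC is unreachable: winbind reports TRYAGAIN;
    # 'nis' is a hypothetical third source to show where 'return' matters
    offline = {'files': 'notfound', 'winbind': 'tryagain', 'nis': 'success'}
    print(explain('passwd: files winbind nis', offline))
    print(explain('passwd: files winbind [NOTFOUND=return UNAVAIL=return TRYAGAIN=return] nis', offline))
```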


Re: [Samba] winbind nss configuration

2007-06-14 Thread Frank Gruman
On Thu, 2007-06-14 at 19:18 -0500, Jerome Haltom wrote:

> I'm having the hardest time trying to come up with the optimal
> configuration with NSS Winbind support. I want it to work right offline.
> That is, name lookups shouldn't take 30 minutes to time out or lock the
> system up. And if the name lookup is for a local name, I want Winbind to
> be 100% out of the picture.
> 
> I've tried this, without much luck:
> 
> passwd: compat [SUCCESS=return] winbind
> groups: compat [SUCCESS=return] winbind
> 
> My naive understanding is that this would make name lookups that
> succeeded in `compat` completely avoid winbind. That was my understanding
> until I disconnected the machine and could not log in as root.
> 
> What am I missing?
> 
> 


What do your PAM files look like??  What is your distribution?  I know
for a while that SUSE was putting winbind in as a required auth
mechanism which kind of sucks for anything offline or for local users.

Try looking at it from that path.  Perhaps a method of 'sufficient'
would be good for all 4 methods (auth, acc, sess, pass).

Regards,
Frank
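
An added illustration of the PAM point Frank makes (example configuration, not from this thread or from any distribution's packages): in the first stack pam_winbind is `required`, so an unreachable DC fails every login, root included, even though root resolves from /etc/passwd; in the second, pam_unix is tried first and pam_winbind is `sufficient`, so local accounts authenticate without winbind and domain accounts still get it. The file layout (a Debian-style /etc/pam.d/common-auth) and the module options are assumptions; check the exact stack your distribution generates.

```text
# /etc/pam.d/common-auth: layout that locks out local users when winbind
# cannot reach the DC (pam_winbind is required, so its failure is fatal)
auth    required    pam_winbind.so
auth    required    pam_unix.so use_first_pass

# /etc/pam.d/common-auth: layout that keeps local logins independent of winbind
auth    sufficient  pam_unix.so
auth    sufficient  pam_winbind.so use_first_pass
auth    required    pam_deny.so
```

The same reasoning applies to the account stack: a `required` pam_winbind account line also fails offline, so mark it `sufficient` (or guard it with `[success=done default=ignore]`-style control syntax on Linux-PAM) and keep pam_unix as the fallback.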

