Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-14 Thread Paul Older
On 14 Oct 2013, at 15:59, Ryan Bair  wrote:

> I've been running netatalk for my OS X clients with great success. The 
> performance isn't as good as Windows to Samba, but it's a HUGE improvement 
> over any version of OS X with any SMB server. 30 seconds with wireshark will 
> tell you why OS X's browsing performance is so horrible.

This is good news. I'm attempting to get Netatalk 3 up and running but am 
struggling to link the authentication into the Samba4 setup. On a slightly 
different note, I've been advised by an Apple Premium Reseller and Systems 
Integrator here in the UK that they recommend people use NFS in their Linux / 
Mac environments. I'd be interested to hear the voice of experience on that one 
if anyone cares to comment?

> Another point of OS X/Samba misinformation is that Apple dropped Samba which 
> is an SMB server. OS X's SMB client never shared any code with Samba and did 
> not change as a result of the Samba purge. 

Thanks for the clarification. Hopefully this thread will help dispel myths that 
I've obviously come across out there in internet land.

> Here's hoping 10.9's SMB driver is as improved as Apple is claiming it to be. 

From my testing with my chosen problematic directory of 80 images, I found 
directory listing times to be:

10.8 - about 60 seconds (very laggy scrolling)
10.9 (pre-release) - about 3 seconds, scrolling is fine
10.8 running Dave from Thursby - near instant and no issues with scrolling

Apple should clearly buy the technology from Dave and implement it in their OS.

Paul




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-14 Thread Ryan Bair
I've been running netatalk for my OS X clients with great success. The
performance isn't as good as Windows to Samba, but it's a HUGE improvement
over any version of OS X with any SMB server. 30 seconds with wireshark
will tell you why OS X's browsing performance is so horrible.

Another point of OS X/Samba misinformation is that Apple dropped Samba
which is an SMB server. OS X's SMB client never shared any code with Samba
and did not change as a result of the Samba purge.

Here's hoping 10.9's SMB driver is as improved as Apple is claiming it to
be.

On Oct 11, 2013 12:40 PM, "Jeremy Allison"  wrote:

> On Fri, Oct 11, 2013 at 04:15:35PM +, Paul Older wrote:
> > On 11/10/2013 17:04, "Jeremy Allison"  wrote:
> >
> >
> > >On Fri, Oct 11, 2013 at 11:36:41AM +, Paul Older wrote:
> > >>   *   A few years ago, Samba made changes to their licensing meaning
> > >>Apple could apparently no longer use it in a commercial release (so
> I've
> > >>read)
> > >
> > >No No No !
> > >
> > >"Apple could apparently no longer use it in a commercial release"
> > >
> > >I *hate* this myth, it's *completely* untrue. Where
> > >did you read this ?
> >
> > Apologies - my source is quite unofficial and now also apparently wrong.
> > For info, I read it here:
> >
> >
> http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-li
> > on
> >
> > As Mac OS X adopted more of Samba's tools, the team behind Samba
> gradually
> > transformed the open source licensing for its software. The latest
> version
> > of Samba is offered only with General Public License Version 3 (GPLv3)
> > licensing, which includes
> > restrictions that essentially prevent Apple from incorporating it into
> > commercially packaged software like Mac OS X.
>
> "essentially prevent" == "Stops Apple from suing Samba or Samba users over
> their patents".
>
> Is how you have to read that.
>
> Jeremy.


Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-11 Thread Jeremy Allison
On Fri, Oct 11, 2013 at 04:15:35PM +, Paul Older wrote:
> On 11/10/2013 17:04, "Jeremy Allison"  wrote:
> 
> 
> >On Fri, Oct 11, 2013 at 11:36:41AM +, Paul Older wrote:
> >>   *   A few years ago, Samba made changes to their licensing meaning
> >>Apple could apparently no longer use it in a commercial release (so I've
> >>read)
> >
> >No No No !
> >
> >"Apple could apparently no longer use it in a commercial release"
> >
> >I *hate* this myth, it's *completely* untrue. Where
> >did you read this ?
> 
> Apologies - my source is quite unofficial and now also apparently wrong.
> For info, I read it here:
> 
> http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-li
> on
> 
> As Mac OS X adopted more of Samba's tools, the team behind Samba gradually
> transformed the open source licensing for its software. The latest version
> of Samba is offered only with General Public License Version 3 (GPLv3)
> licensing, which includes
> restrictions that essentially prevent Apple from incorporating it into
> commercially packaged software like Mac OS X.

"essentially prevent" == "Stops Apple from suing Samba or Samba users over 
their patents".

Is how you have to read that.

Jeremy.


Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-11 Thread Paul Older
On 11/10/2013 17:04, "Jeremy Allison"  wrote:


>On Fri, Oct 11, 2013 at 11:36:41AM +, Paul Older wrote:
>>   *   A few years ago, Samba made changes to their licensing meaning
>>Apple could apparently no longer use it in a commercial release (so I've
>>read)
>
>No No No !
>
>"Apple could apparently no longer use it in a commercial release"
>
>I *hate* this myth, it's *completely* untrue. Where
>did you read this ?

Apologies - my source is quite unofficial and now also apparently wrong.
For info, I read it here:

http://www.tuaw.com/2011/03/24/apple-to-drop-samba-networking-tools-from-li
on

As Mac OS X adopted more of Samba's tools, the team behind Samba gradually
transformed the open source licensing for its software. The latest version
of Samba is offered only with General Public License Version 3 (GPLv3)
licensing, which includes
restrictions that essentially prevent Apple from incorporating it into
commercially packaged software like Mac OS X.






Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-11 Thread Jeremy Allison
On Fri, Oct 11, 2013 at 11:36:41AM +, Paul Older wrote:
> I think I'm unravelling the mystery  I have on this one. I believe the 
> situation to be as follows:
> 
>   *   Apple used to deploy the actual open source Samba system with it OSX.
>   *   A few years ago, Samba made changes to their licensing meaning Apple 
> could apparently no longer use it in a commercial release (so I've read)

No No No !

"Apple could apparently no longer use it in a commercial release"

I *hate* this myth, it's *completely* untrue. Where
did you read this ?

Samba changed from GPLv2+ to GPLv3+, a license that
Apple lawyers helped to create (they were on the
committees that did so).

GPLv3 has provisions protecting projects from
software patents asserted by contributing companies
against Samba users and developers.

Apple decided they didn't want to share their
software patents with Samba or other companies
using Samba, so decided to remove *all* GPLv3
software from their products. IBM, Google, HP,
and many, many other large companies do not
have a problem with GPLv3 code in commercial
products, only Apple.

Jeremy.


[Samba] Samba4 join Windows 2003 Server with BIND9_DLZ

2013-10-11 Thread Jacó Ramos
Hi,



root@samba4:~# samba-tool domain join jacoramos.net.br DC -Uadministrador
--realm=jacoramos.net.br --dns-backend=BIND9_DLZ
Finding a writeable DC for domain 'jacoramos.net.br'
Found DC win2003.jacoramos.net.br
Password for [WORKGROUP\administrador]:
workgroup is JACORAMOS
realm is jacoramos.net.br
checking sAMAccountName
Adding CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
Adding
CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
Adding CN=NTDS
Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
Adding SPNs to CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
Setting account password for SAMBA4$
Enabling account
Adding DNS account CN=dns-SAMBA4,CN=Users,DC=jacoramos,DC=net,DC=br with
dns/ SPN
Join failed - cleaning up
checking sAMAccountName
Deleted CN=SAMBA4,OU=Domain Controllers,DC=jacoramos,DC=net,DC=br
Deleted CN=NTDS
Settings,CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
Deleted
CN=SAMBA4,CN=Servers,CN=Primeiro-site-padrao,CN=Sites,CN=Configuration,DC=jacoramos,DC=net,DC=br
ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
<052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
> <>
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line
552, in run
machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1169, in join_DC
ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
1072, in do_join
ctx.join_add_objects()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line
616, in join_add_objects
ctx.samdb.add(msg)
root@samba4:~#

---

Any idea how to resolve this?
-- 

*"Man was not created to be happy nor to win, but to live
for God. When he lives for God he is happy and wins." Isaltino Gomes*

*$whoami*

   - Computer Forensics Expert
   - Pentester
   - Specialist in Computer Network Security with emphasis on Computer
   Forensics - FACID
   - Bachelor of Computer Science - UESPI
   - Computer Network Administrator
   - CCNA Module II
   - Lattes: *http://lattes.cnpq.br/1591329268136905*


This message may contain confidential and/or privileged information. If
you are not the addressee or the person authorized to receive this message,
you must not use, copy or disclose the information it contains or take
any action based on that information.







Re: [Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-11 Thread Paul Older
I think I'm unravelling the mystery  I have on this one. I believe the 
situation to be as follows:

  *   Apple used to deploy the actual open source Samba system with its OSX.
  *   A few years ago, Samba made changes to their licensing meaning Apple 
could apparently no longer use it in a commercial release (so I've read)
  *   In OSX 10.6 Apple dropped Samba and implemented their own version of SMB 
client software
  *   These early releases of Apple's SMB have been a bit ropey, hence the need 
for things like Dave from Thursby which replace the SMB client
  *   At this time from personal recent experience it seems that Apple's SMB 
implementation in OSX 10.8 is more happy working with Windows Server than it is 
with Samba4
  *   Apple will be releasing a version of the SMB client that supports SMB2 in 
forthcoming Mavericks and is expected to solve a number of current SMB issues

I have a 100% reproducible use case for testing purposes which simply involves 
slow listing times in a directory with about 80 images.

In OSX 10.8 the listing time is about 60 seconds and then scrolling that 
directory listing is very laggy
In OSX 10.9 (pre-release) the listing time is about 3 seconds, scrolling is fine
In OSX 10.8 running Dave, the directory listing is near instant and no issues 
with scrolling

So, for my current situation I have two verified client side solutions:

  1.  Wait for OSX Mavericks to be released and gently roll that out
  2.  Deploy "Dave" or similar

I am now going to investigate two server side solutions:

  1.  Run NFS alongside the existing Samba setup
  2.  Run AFP using Netatalk software

I'm slightly wary on Netatalk as we've had a nightmare with various NAS boxes 
recently, including QNAP and I believe these run Netatalk.

I'll report back in case it's useful for someone searching the archives in the 
future.

Paul



[Samba] Samba4 - PDC - RHEL6 - Slow browsing from Mac clients

2013-10-10 Thread Paul Older
Hi,

I'm in the process of rolling out a brand new server as a Samba4 PDC to a 
customer with about 30 users. It's going well except for the fact that I now 
have some serious slow browsing issues from Mac clients, and that’s when only a 
handful of them are connected to the server.  Note that if I install software 
such as Dave from Thursby on the Macs, the speed issues vanish. Also, browsing 
speed is instant from the pcs on the network. Some details of the setup are 
below. I will post log files if that's useful but didn't want to clutter this 
communication if there is an obvious point I'm missing. Thanks in advance for 
assistance.

- Installation completed using guidelines here: 
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
- the Macs are NOT bound to the directory, nor are most of the pcs (yet) but 
they are browsing fine
- Running RHEL6.4
- Using Samba internal DNS & LDAP
- Running on HP Proliant ML350p Gen8 with 8GB RAM
- uname: Linux hostname 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 
2013 x86_64 x86_64 x86_64 GNU/Linux

smb.conf:

[global]
workgroup = CLIENT
realm = CLIENT.LOCAL
netbios name = TSCSRV01
server role = active directory domain controller
dns forwarder = 8.8.8.8
idmap_ldb:use rfc2307 = yes
interfaces= eth0
bind interfaces only = yes

[netlogon]
path = /usr/local/samba/var/locks/sysvol/CLIENT.local/scripts
read only = No
hide unreadable = Yes

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
hide unreadable = Yes

[Other Shares]
path = /mnt/data/
read only = No
hide unreadable = Yes

Can anyone help advise if I'm missing something please?

Thanks,

Paul


[Samba] Samba4 can't join domain - drsuapi.DsBindInfoFallBack object has no attribute

2013-10-10 Thread Mauricio Alvarez
I have a Win2k3 server and am trying to manage a Samba4 box (name:UBUNTUSERVER, 
running Ubuntu 12.04.3 + Samba 4.0.10) as a backup. All seemed well, but after 
a problem with replication (result 1306 WERR_REVISION_MISMATCH), I couldn't 
even demote the samba4 DC. So I deleted from SERVERW2K3, deleted 
/usr/local/samba and re-compiled everything. Also ran make quicktest, all seems 
OK.


Now, this is what I get:   Any idea what is going on?

user@ubuntuserver:/usr/local/samba$ sudo /usr/local/samba/bin/samba-tool domain 
join acme.local DC -Uadministrator --realm=ACME.LOCAL  -d9
INFO: Current debug levels:
  all: 9
  tdb: 9
  printdrivers: 9
  lanman: 9
  smb: 9
  rpc_parse: 9
  rpc_srv: 9
  rpc_cli: 9
  passdb: 9
  sam: 9
  auth: 9
  winbind: 9
  vfs: 9
  idmap: 9
  quota: 9
  acls: 9
  locking: 9
  msdfs: 9
  dmapi: 9
  registry: 9
  scavenger: 9
  dns: 9
  ldb: 9
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
Finding a writeable DC for domain 'acme.local'
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
finddcs: searching for a DC by DNS domain acme.local
finddcs: looking for SRV records for _ldap._tcp.acme.local
ads_dns_lookup_srv: 1 records returned in the answer section.
finddcs: DNS SRV response 0 at '192.168.0.254'
finddcs: performing CLDAP query on 192.168.0.254
finddcs: Found matching DC 192.168.0.254 with server_type=0x21fd
Found DC serverw2k3.acme.local
lpcfg_servicenumber: couldn't find ldb
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [WORKGROUP\administrator]:
Received smb_krb5 packet of length 143
Received smb_krb5 packet of length 1256
Received smb_krb5 packet of length 1250
Received smb_krb5 packet of length 1232
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
workgroup is ACME
realm is acme.local
checking sAMAccountName
Adding CN=UBUNTUSERVER,OU=Domain Controllers,DC=acme,DC=local
Adding 
CN=UBUNTUSERVER,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=acme,DC=local
Adding CN=NTDS 
Settings,CN=UBUNTUSERVER,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=acme,DC=local
Using binding ncacn_ip_tcp:serverw2k3.acme.local[,seal,print]
Mapped to DCERPC endpoint 135
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
Mapped to DCERPC endpoint 1025
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
added interface eth0 ip=192.168.0.139 bcast=192.168.0.255 netmask=255.255.255.0
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Received smb_krb5 packet of length 144
Received smb_krb5 packet of length 1256
Received smb_krb5 packet of length 1250
Received smb_krb5 packet of length 1232
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
gensec_gssapi: credentials were delegated
GSSAPI Connection will be cryptographically sealed
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 0
     drsuapi_DsBind: struct drsuapi_DsBind
        in: struct drsuapi_DsBind
            bind_guid                : *
                bind_guid                : e42c210a-4fd6-11d1-a3da-f875ae0d
            bind_info                : *
                bind_info: struct drsuapi_DsBindInfoCtr
                    length                   : 0x001c (28)
                    info                     : union drsuapi_DsBindInfo(case 28)
                    info28: struct drsuapi_DsBindInfo28
                        supported_extensions     : 0x0fefff7f (267386751)
                               1: DRSUAPI_SUPPORTED_EXTENSION_BASE
                               1: DRSUAPI_SUPPORTED_EXTENSION_ASYNC_REPLICATION
                               1: DRSUAPI_SUPPORTED_EXTENSION_REMOVEAPI
                               1: DRSUAPI_SUPPORTED_EXTENSION_MOVEREQ_V2
                               1: DRSUAPI_SUPPORTED_EXTENSION_GETCHG_COMPRESS
                               1: DRSUAPI_SUPPORTED_EXTENSION_DCINFO_V1
                               1: 
DRSUAPI_SUPPORTED_EXTENSION_RESTORE_USN_OPTIMIZATION
                               0: 

Re: [Samba] Samba4: where are ACLs stored?

2013-10-10 Thread Klaus Hartnegg

On 01.10.2013 20:32, Andrew Bartlett wrote:

> vfs objects = acl_xattr,
>
> we put that in to the smb.conf 'by magic' whenever we see
> 'server role = active directory domain controller'.  Frankly I think it
> should be the default, except for the fact that we didn't want to change
> it for upgrading users.  We used the 'new' server role as a chance to at
> least make it a default for this important use case.


The man-page for acl_xattr answers my original question: They *are* 
stored in EAs, but the output of 'getfattr -d' is incomplete. So the 
man-page for getfattr is wrong.


However the man page does *not* reveal the mentioned 'magic' to 
auto-enable this option.


Klaus
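
Added example (not part of the original post, and not Samba's own code): getfattr(1) documents "^user\." as the default -m pattern, and the acl_xattr module keeps the NT ACL in the security.NTACL attribute, so the ACL sits outside what a plain 'getfattr -d' dumps. The sketch below emulates that filter and audits a tree for entries lacking security.NTACL; the sample attribute names and the function names are constructed for illustration.

```python
import os
import re

# Default -m pattern documented in getfattr(1): the user.* namespace only.
GETFATTR_DEFAULT_PATTERN = r"^user\."
# Attribute in which Samba's acl_xattr module keeps the NT ACL.
NTACL_XATTR = "security.NTACL"


def getfattr_view(names, pattern=GETFATTR_DEFAULT_PATTERN):
    """Split attribute names into (shown, hidden) as `getfattr -d -m pattern` would.

    getfattr treats the pattern "-" as "include every attribute".
    """
    if pattern == "-":
        return sorted(names), []
    rx = re.compile(pattern)
    shown = sorted(n for n in names if rx.search(n))
    hidden = sorted(n for n in names if not rx.search(n))
    return shown, hidden


def _list_xattrs(path):
    # Linux only; do not follow symlinks so the link itself is inspected.
    return os.listxattr(path, follow_symlinks=False)


def audit_tree(root, list_xattrs=_list_xattrs):
    """Walk root and report entries that carry no security.NTACL attribute.

    Returns {"missing": [...], "errors": [...]}, both sorted. list_xattrs is
    injectable so the logic can be exercised without a real Samba share.
    """
    missing, errors = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                names = list_xattrs(path)
            except OSError as exc:
                # e.g. a filesystem without xattr support, or permission denied
                errors.append((path, exc.strerror or str(exc)))
                continue
            if NTACL_XATTR not in names:
                missing.append(path)
    return {"missing": sorted(missing), "errors": sorted(errors)}


if __name__ == "__main__":
    # Constructed attribute names for one file on a Samba AD DC share.
    sample = ["user.DOSATTRIB", "security.NTACL", "system.posix_acl_access"]
    shown, hidden = getfattr_view(sample)
    print("getfattr -d shows     :", shown)
    print("getfattr -d leaves out:", hidden)
    print("getfattr -d -m - shows:", getfattr_view(sample, "-")[0])
```

Entries reported as missing are the ones to check after a copy or restore that did not preserve extended attributes, since they no longer carry the NT ACL.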



Re: [Samba] Samba4: Home of Users

2013-10-09 Thread Neurodesarrollo
On 30/09/13 17:11, Rowland Penny wrote:
> On 30/09/13 21:45, Neurodesarrollo wrote:
>> On 26/09/13 16:09, Neurodesarrollo wrote:
>>> Hi List, I'm new to the list and to Samba4.
>>> I have installed samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
>>> Previously I had samba3.6.x installed on my server; the users could
>>> access /home/(users) as their user drive (U:) and modify everything
>>> in their drive.
>>>
>>> But with Samba4:
>>> - How can my users modify their home (e.g. user: erick, with home
>>> directory: /home/erick) on the server? Currently they can't
>>> modify (delete, create, rename and so on) anything.
>>> - When users log in to their session, how can the drive U: appear
>>> automatically, for example with their home files?
>>>
>>> My client PCs are Windows XP SP2 installed with their profiles "only local".
>>>
>>> Thanks
>>>
>>> T.I.A.
>>>
>>>
>>> I provide my "smb.conf" configuration if you could help me.
>>>
>>>
>>> [global]
>>> server string = Samba4 Server en NEURODESARROLLO
>>> workgroup = NEURODCAR
>>> realm = NEURODCAR.MTZ.SLD.CU
>>> netbios name = ALFA
>>> server role = active directory domain controller
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>> winbind, ntp_signd, kcc
>>> dns forwarder = 10.44.0.10
>>> logon path = \\%L\profiles\%U
>>> logon home = \\%N\%U
>>> logon drive = U:
>>> domain logons = Yes
>>> domain master = Yes
>>> local master = Yes
>>> preferred master = Yes
>>> os level = 65
>>> log level = 3
>>>
>>> [homes]
>>> comment = Home Directories
>>> valid users = %ACCOUNTNAME%, %S, %D%w%S
>>> browseable = No
>>> read only = No
>>>
>>> [profiles]
>>> path = /usr/local/samba/Profiles/
>>> read only = No
>>>
>>> [netlogon]
>>> path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
>>> read only = No
>>>
>>> [sysvol]
>>> path = /usr/local/samba/var/locks/sysvol
>>> read only = No
>>>
>>> [printers]
>>> comment = All Printers
>>> path = /var/tmp
>>> printable = Yes
>>> create mask = 0600
>>> browseable = No
>>> 
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/lib/samba/drivers
>>> write list = @ntadmin root
>>> force group = ntadmin
>>> create mask = 0664
>>> directory mask = 0775
>>>
>>> ###
>>>
>>>
>>>
>> Can anybody on this list help me?
>>
>> Thanks in Advance
>>
>>
>>
> Hi, from your posted smb.conf, you seem to be mixing up the settings for
> an AD DC and an old-style NT-PDC, most of the global part of it could be
> removed. The [homes] section will not work as before, it needs to be
> [home] and you need to supply the path to wherever they are stored.
> 
> Have a look here:
> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
> 
> Rowland
> 

Thanks friends, all working fine now.

I want to ask another question: can the last part in the URL above
(changing permissions of the shared files) be done without Window$, with a
Samba4 tool?

-- 
Jesús Reyes Piedra
Network Admin, Neurodearrollo, Cárdenas

The box said: "Requires Windows 95 or higher"...
So I installed LINUX.




[Samba] samba4 result 1306 (WERR_REVISION_MISMATCH)

2013-10-08 Thread Mauricio Alvarez
Hello,

   I have a win2003 Server R2 as a main DC (with Windows 2003 functional level) 
and a separate Samba4 (4.0.10) box as DC on the same domain. 

   All was more or less running fine, until I realized from running samba-tool 
drs showrepl:

Default-First-Site\UBUNTUSERVER
[...]
 INBOUND NEIGHBORS 

CN=Schema,CN=Configuration,DC=acme,DC=loca
                   Default-First-Site\SERVERW2K3 via RPC
                                DSA object GUID: ..
                                Last attempt @ Tue Oct 8  2013 failed, 
result 1306 (WERR_REVISION_MISMATCH)
                                1853 consecutive failure(s).
                                Last success @ Thu Oct 3


Forcing a replication on the Win2k3 server results in the corresponding (to the 
WERR_REVISION_MIS...) error message (...Indicates two revision levels are 
incompatible).


Recently (probably around the Oct 3) I have installed Active Directory Web 
Services on the Windows Server and also the RSAT packages to manage from Win7 
machine via the Group Policy Management Console (GPMCC). I believe the GPOs 
have been updated on the server to include windows7 GPOs and so on, so perhaps 
I am getting the VERSION_MISMATCH error?

Now I tried demoting the samba4 DC, but it won't work because of the same 
VERSION_MISMATCH problem: using samba-tool domain demote -UAdministrator I get 
a 
ERROR() uncaught exception - 
drsException: DRS connection to serverw2k3.acme.local failed: 
'drsuapi.DsBindInfoFallback' object has no attribute 'supported_extensions'


What can I do? Any suggestions?


Re: [Samba] Samba4 as AD member & local rights problem...

2013-10-08 Thread Marc Muehlfeld

On 24.09.2013 09:13, Thomas Besser wrote:

> Like described here
> (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/)
> I enabled 'root' for short and granted the 'SePrintOperator' right to a
> normal account and switched back to security = ads
>
> Now the next problem arises:
>
> I can now upload the win drivers as described in your howto section
> "Uploading printer drivers for Point'n'Print driver installation"
> successfully. I can also see the files in the samba drivers share.
>
> But I can not associate it with a printer! The dropdown on
> https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> Any hint what's wrong here? A bug in samba4?



I revalidated my HowTo today for someone else who is having a question 
about print server. And I could reproduce your problem: I upload a x64 
driver successfully, but the driver combobox with the drivers is empty.


If I associate the driver with the printer by rpcclient, as mentioned in 
the HowTo, too, everything is fine and I can configure the printer and 
continue.


But what confuses me more: If I upload a x86 driver for the printer, 
too, then the driver appears in the list. Also the driver appears if 
only a x86 driver is uploaded. This sounds a bit like a bug for me.


I'll try to find out more. But as workaround you can upload the x86 
driver (additionally to your x64 driver) or use rpcclient to associate 
the driver with the printer.


Regards,
Marc


Re: [Samba] Samba4 consumes more CPU

2013-10-02 Thread Thiago Fernandes Crepaldi
Googling around copy_user_generic_unrolled() - a kernel space function -
seen in my previous smbd profiling, I found what might be a clue for the
performance drop. It is a comment on line #31 (see below) that says:

31 /*
32 * If CPU has ERMS feature, use copy_user_enhanced_fast_string.
33 * Otherwise, if CPU has rep_good feature, use copy_user_generic_string.
34 * Otherwise, use copy_user_generic_unrolled.
35 */

Which makes me guess that my Atom D2701 (
http://ark.intel.com/products/59683/Intel-Atom-Processor-D2700-1M-Cache-2_13-GHz)
is not compiled with REP_GOOD nor ERMS. It is not clear to me if the
processor does support those features, but apparently it does (looking at
/proc/cpuinfo from another user's NAS -
http://www.foxnetwork.ru/index.php/en/component/content/article/121-thecus-n4800eco.html
)

__

linux/arch/x86/include/asm/uaccess_64.h

1 #ifndef _ASM_X86_UACCESS_64_H
2 #define _ASM_X86_UACCESS_64_H
3
4 /*
5 * User space memory access functions
6 */
7 #include 
8 #include 
9 #include 
10 #include 
11 #include 
12 #include 
13
14 /*
15 * Copy To/From Userspace
16 */
17
18 /* Handles exceptions in both to and from, but doesn't do access_ok */
19 __must_check unsigned long
20 copy_user_enhanced_fast_string(void *to, const void *from, unsigned len);
21 __must_check unsigned long
22 copy_user_generic_string(void *to, const void *from, unsigned len);
23 __must_check unsigned long
24 copy_user_generic_unrolled(void *to, const void *from, unsigned len);
25
26 static __always_inline __must_check unsigned long
27 copy_user_generic(void *to, const void *from, unsigned len)
28 {
29 unsigned ret;
30
31 /*
32 * If CPU has ERMS feature, use copy_user_enhanced_fast_string.
33 * Otherwise, if CPU has rep_good feature, use copy_user_generic_string.
34 * Otherwise, use copy_user_generic_unrolled.
35 */
36 alternative_call_2(copy_user_generic_unrolled,
37 copy_user_generic_string,
38 X86_FEATURE_REP_GOOD,
39 copy_user_enhanced_fast_string,
40 X86_FEATURE_ERMS,
41 ASM_OUTPUT2("=a" (ret), "=D" (to), "=S" (from),
42 "=d" (len)),
43 "1" (to), "2" (from), "3" (len)
44 : "memory", "rcx", "r8", "r9", "r10", "r11");
45 return ret;
46 }


On Tue, Oct 1, 2013 at 6:04 PM, Thiago Fernandes Crepaldi  wrote:

> That is funny. Now that I replaced samba 4 and libc-2.13.so with debug
> symbols, the perf profile seems to have changed a bit after the same
> tests!
>
> Events: 54K cycles
> -   3.06%  smbd  [kernel.kallsyms] [k] copy_user_generic_unrolled
>- copy_user_generic_unrolled
> 52.63% __read_nocancel
> 36.20% __write_nocancel
> 2.70% __getdents64
> 2.44% __libc_readv
>   + 2.00% do_fcntl
> 0.87% __GI___libc_read
>   + 0.77% __fxstat64
> -   2.02%  smbd  libc-2.13.so  [.] _int_malloc
>+ _int_malloc
> -   1.62%  smbd  [kernel.kallsyms] [k] kmem_cache_alloc
>+ kmem_cache_alloc
> -   1.22%  smbd  libtalloc.so.2.0.7[.] _talloc_free
>+ _talloc_free
> -   0.99%  smbd  libtalloc.so.2.0.7[.]
> _talloc_free_children_internal.isra.4
>+ _talloc_free_children_internal.isra.4
> -   0.86%  smbd  libc-2.13.so  [.] __memcpy_ssse3
>+ __memcpy_ssse3
> +   0.81%  smbd  [kernel.kallsyms] [k] kmem_cache_free
> +   0.81%  smbd  libc-2.13.so  [.] _int_free
> +   0.79%  smbd  [kernel.kallsyms] [k] __kmalloc
> +   0.66%  smbd  libtalloc.so.2.0.7[.] _talloc_zero
> +   0.63%  smbd  [kernel.kallsyms] [k] link_path_walk
> +   0.63%  smbd  [kernel.kallsyms] [k] ext4_htree_store_dirent
> +   0.55%  smbd  libtalloc.so.2.0.7[.] talloc_alloc_pool
> +   0.55%  smbd  libc-2.13.so  [.] __memset_sse2
> +   0.53%  smbd  libc-2.13.so  [.] malloc
> +   0.53%  smbd  [kernel.kallsyms] [k] fcntl_setlk
> +   0.52%  smbd  [kernel.kallsyms] [k] get_page_from_freelist
> +   0.50%  smbd  libtalloc.so.2.0.7[.] talloc_get_name
> +   0.50%  smbd  [kernel.kallsyms] [k] tg3_start_xmit
> +   0.48%  smbd  [kernel.kallsyms] [k] memset
> +   0.47%  smbd  libc-2.13.so  [.] free
> +   0.47%  smbd  [kernel.kallsyms] [k] _raw_spin_lock
> +   0.45%  smbd  [kernel.kallsyms] [k] __d_lookup_rcu
> +   0.45%  smbd  libc-2.13.so  [.] __GI___strcmp_ssse3
> +   0.44%  smbd  libtalloc.so.2.0.7[.] _talloc_get_type_abort
> +   0.43%  smbd  [kernel.kallsyms] [k] system_call_after_swapgs
> +   0.43%  smbd  [kernel.kallsyms] [k] ext4_mark_iloc_dirty
>  +   0.42%  smbd  libtalloc.so.2.0.7[.] talloc_is_parent
> +   0.41%  smbd  [kernel.kallsyms] [k] __alloc_skb
> +   0.41%  smbd  [kernel.kallsyms] [k] __posix_lock_file
>  +   0.40%  smbd  [kernel.kallsyms] [k] __ext4_get_inode_loc
> +   0.39%  smbd  libc-2.13.so   
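
Added example, not part of the original message: the selection order stated in the quoted copy_user_generic() comment, applied to the "flags" lines of /proc/cpuinfo to show which routine a given CPU would get. It assumes the features are listed there as "erms" and "rep_good"; the function names and the sample flag strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: which copy routine does the quoted comment select for a CPU?
# Assumption: the features show up in /proc/cpuinfo as "erms" and "rep_good".

# copy_routine_for_flags "<space-separated feature flags>"
# Applies the priority from the comment: ERMS, then rep_good, else unrolled.
copy_routine_for_flags() {
    routine=copy_user_generic_unrolled      # fallback when neither flag is set
    for flag in $1; do
        case "$flag" in
            erms)
                routine=copy_user_enhanced_fast_string
                break                       # highest priority, stop scanning
                ;;
            rep_good)
                routine=copy_user_generic_string   # keep scanning for erms
                ;;
        esac
    done
    printf '%s\n' "$routine"
}

# copy_routines_in_cpuinfo [FILE]
# Reads every "flags" line (one per logical CPU) and prints each distinct
# routine once, so a machine with differing CPUs would show more than one.
copy_routines_in_cpuinfo() {
    cpuinfo=${1:-/proc/cpuinfo}
    grep '^flags' "$cpuinfo" | while IFS= read -r line; do
        copy_routine_for_flags "${line#*:}"
    done | sort -u
}

# Constructed flag strings (not taken from any real machine).
SAMPLE_PLAIN="fpu vme de pse tsc msr sse sse2 ssse3"
SAMPLE_REP_GOOD="fpu vme de pse tsc msr rep_good nopl sse2 ssse3"
SAMPLE_ERMS="fpu vme de pse tsc msr rep_good nopl sse2 ssse3 erms"

for sample in "$SAMPLE_PLAIN" "$SAMPLE_REP_GOOD" "$SAMPLE_ERMS"; do
    printf '%s\n  -> %s\n' "$sample" "$(copy_routine_for_flags "$sample")"
done

# On a Linux x86 host, report the routine(s) for the local CPUs as well.
if [ -r /proc/cpuinfo ]; then
    copy_routines_in_cpuinfo
fi
```
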

Re: [Samba] Samba4 consumes more CPU

2013-10-01 Thread Thiago Fernandes Crepaldi
That is funny. Now that I replaced samba 4 and libc-2.13.so with debug
symbols, the perf profile seems to have changed a bit after the same
tests!

Events: 54K cycles
-   3.06%  smbd  [kernel.kallsyms] [k] copy_user_generic_unrolled
   - copy_user_generic_unrolled
52.63% __read_nocancel
36.20% __write_nocancel
2.70% __getdents64
2.44% __libc_readv
  + 2.00% do_fcntl
0.87% __GI___libc_read
  + 0.77% __fxstat64
-   2.02%  smbd  libc-2.13.so  [.] _int_malloc
   + _int_malloc
-   1.62%  smbd  [kernel.kallsyms] [k] kmem_cache_alloc
   + kmem_cache_alloc
-   1.22%  smbd  libtalloc.so.2.0.7[.] _talloc_free
   + _talloc_free
-   0.99%  smbd  libtalloc.so.2.0.7[.]
_talloc_free_children_internal.isra.4
   + _talloc_free_children_internal.isra.4
-   0.86%  smbd  libc-2.13.so  [.] __memcpy_ssse3
   + __memcpy_ssse3
+   0.81%  smbd  [kernel.kallsyms] [k] kmem_cache_free
+   0.81%  smbd  libc-2.13.so  [.] _int_free
+   0.79%  smbd  [kernel.kallsyms] [k] __kmalloc
+   0.66%  smbd  libtalloc.so.2.0.7[.] _talloc_zero
+   0.63%  smbd  [kernel.kallsyms] [k] link_path_walk
+   0.63%  smbd  [kernel.kallsyms] [k] ext4_htree_store_dirent
+   0.55%  smbd  libtalloc.so.2.0.7[.] talloc_alloc_pool
+   0.55%  smbd  libc-2.13.so  [.] __memset_sse2
+   0.53%  smbd  libc-2.13.so  [.] malloc
+   0.53%  smbd  [kernel.kallsyms] [k] fcntl_setlk
+   0.52%  smbd  [kernel.kallsyms] [k] get_page_from_freelist
+   0.50%  smbd  libtalloc.so.2.0.7[.] talloc_get_name
+   0.50%  smbd  [kernel.kallsyms] [k] tg3_start_xmit
+   0.48%  smbd  [kernel.kallsyms] [k] memset
+   0.47%  smbd  libc-2.13.so  [.] free
+   0.47%  smbd  [kernel.kallsyms] [k] _raw_spin_lock
+   0.45%  smbd  [kernel.kallsyms] [k] __d_lookup_rcu
+   0.45%  smbd  libc-2.13.so  [.] __GI___strcmp_ssse3
+   0.44%  smbd  libtalloc.so.2.0.7[.] _talloc_get_type_abort
+   0.43%  smbd  [kernel.kallsyms] [k] system_call_after_swapgs
+   0.43%  smbd  [kernel.kallsyms] [k] ext4_mark_iloc_dirty
+   0.42%  smbd  libtalloc.so.2.0.7[.] talloc_is_parent
+   0.41%  smbd  [kernel.kallsyms] [k] __alloc_skb
+   0.41%  smbd  [kernel.kallsyms] [k] __posix_lock_file
+   0.40%  smbd  [kernel.kallsyms] [k] __ext4_get_inode_loc
+   0.39%  smbd  libc-2.13.so  [.] __strlen_sse2
+   0.39%  smbd  [kernel.kallsyms] [k] kfree
+   0.39%  smbd  [kernel.kallsyms] [k] tcp_recvmsg
+   0.38%  smbd  libtalloc.so.2.0.7[.] talloc_named_const
+   0.37%  smbd  libtalloc.so.2.0.7[.] _talloc_array


On Mon, Sep 30, 2013 at 6:19 PM, Thiago Fernandes Crepaldi <
togn...@gmail.com> wrote:

> Agreed. For some strange reason I thought perf would "follow" the newly
> forked smbd processes and account for their data too =)
>
> Unfortunately, I don't have the libc symbols (at least for today) to see
> what is going on there, but here is what I got in the child smbd process on
> the server side. The client side is a Windows 7 Virtual machine running
> NASPT
>
> Could this result mean that most of the time the performance drop I am
> experiencing is due to libc ?
> I've never worked with perf before, but I will still try to resolve those
> crazy addresses
>
> Events: 45K cycles
> -   7.37%  smbd  libc-2.13.so  [.] 0x11e465
>- 0x7ffab9f2043c
> 41.73% 0
> 5.32% 0x1b3fbe0
> 5.29% 0x2c4dab0
> 3.60% 0x1b0b130
> 3.37% 0x1b0b2a0
> 2.94% 0x1b5af80
> 2.70% 0x1b0d850
> 2.64% 0x2825fb0
> 1.86% 0x28e06d0
> 1.83% 0x2afcc80
> 1.71% 0x1b2ccb0
> 1.64% 0x2a4deb0
> 1.63% 0x1b56e00
> 1.51% 0x1b6bd00
> 1.16% 0x1b49eb0
> 1.15% 0x1b506e0
> 1.13% 0x1b4da00
> 1.07% 0x1b35100
> 0.93% 0x1af9050
> 0.92% 0x2b03680
> 0.91% 0x2ae21f0
> 0.90% 0x1b21210
> 0.89% 0x1b5de80
> 0.89% 0x1b5aa80
> 0.89% 0x1b2e0e0
> 0.88% 0x1b59be0
> 0.87% 0x1b4c600
> 0.86% 0x1b2aa20
> 0.85% 0x1b4a940
> 0.85% 0x1b45f50
> 0.84% 0x1b4a6d0
> 0.84% 0x1b23940
> 0.82% 0x1b37210
> 0.82% 0x1b2cf30
> 0.82% 0x1b33320
> 0.77% 0x2c96d50
> 0.76% 0x202f380
> 0.75% 0x2bd0bd0
> 0.66% 0x1b5e1d0
>- 0x7ffab9f27e10
> 37.72% 0x2f62696c2f3365
>   + 23.78% 0
>   + 11.24% 0x7fffc9f76d40
>   + 6.25% set_unix_security_ctx
> 3.13% 0x645f6e656b6f74
> 2.46% 0x10009
>   + 2.17% 0x11b9f22aac
> 2.16% 0x1b53000
>   + 2.12% 0x2a29850
> 2.08% 0xbe70f04c4c
> 2.01% 0x1b0af00
> 1.94% 0x1b07390
> 1.51% 0x1b49b00
> 1.41% 0x2010
>- 0x7ffab9fc6c10
>   + 18.08% 

Re: [Samba] Samba4: where are ACLs stored?

2013-10-01 Thread Andrew Bartlett
On Tue, 2013-10-01 at 13:48 +0530, Partha Sarathi wrote:
> I hope you should use the below parameter under all share sections to
> get the NTACL working.
> 
> 
> vfs objects = acl_xattr,

Indeed, you would expect that to be needed. 

However, we put that in to the smb.conf 'by magic' whenever we see
'server role = active directory domain controller'.  Frankly I think it
should be the default, except for the fact that we didn't want to change
it for upgrading users.  We used the 'new' server role as a chance to at
least make it a default for this important use case. 

Andrew Bartlett


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] Samba4: where are ACLs stored?

2013-10-01 Thread Klaus Hartnegg

On 01.10.2013 10:18, Partha Sarathi wrote:

I hope you should use the below parameter under all share sections to get
the NTACL working.

vfs objects = acl_xattr,


Doesn't make a difference. Seems to be on by default, even if not in 
smb.conf. When I run testparm it shows it in the global section:

vfs objects = dfs_samba4, acl_xattr



Re: [Samba] Samba4: where are ACLs stored?

2013-10-01 Thread Partha Sarathi
I hope you should use the below parameter under all share sections to get
the NTACL working.

vfs objects = acl_xattr,



On Tue, Oct 1, 2013 at 1:37 PM, Klaus Hartnegg <
klaus.hartn...@blickzentrum.de> wrote:

> On 30.09.2013 21:58, Andrew Bartlett wrote:
>
>> On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
>>
>>> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither
>>> output changed when using windows to add individual right for a user
>>>
>>
> Meanwhile I found that 'cp -a' does transfer all rights settings. My
> conclusion is that the output of the commands 'getfattr -d' and/or
> 'samba-tool ntacl get' is incomplete.
>
>
> > Can you show me your smb.conf?
>
> Default of sernet samba:
>
> # Global parameters
> [global]
> workgroup = DC
> realm = DC.TESTDOMAIN.DE
> netbios name = ALPHA
> server role = active directory domain controller
> dns forwarder = 195.50.140.114
> dsdb:schema update allowed  = yes
>
> [netlogon]
> path = /opt/samba/var/locks/sysvol/dc.testdomain.de/scripts
> read only = No
>
> [sysvol]
> path = /opt/samba/var/locks/sysvol
> read only = No
>
> [test]
> path = /srv/samba
> read only = No
>
>



-- 
Thanks & Regards
-Partha


Re: [Samba] Samba4: where are ACLs stored?

2013-10-01 Thread Klaus Hartnegg

On 30.09.2013 21:58, Andrew Bartlett wrote:

On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:

I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither
output changed when using windows to add individual right for a user


Meanwhile I found that 'cp -a' does transfer all rights settings. My 
conclusion is that the output of the commands 'getfattr -d' and/or 
'samba-tool ntacl get' is incomplete.


> Can you show me your smb.conf?

Default of sernet samba:

# Global parameters
[global]
workgroup = DC
realm = DC.TESTDOMAIN.DE
netbios name = ALPHA
server role = active directory domain controller
dns forwarder = 195.50.140.114
dsdb:schema update allowed  = yes

[netlogon]
path = /opt/samba/var/locks/sysvol/dc.testdomain.de/scripts
read only = No

[sysvol]
path = /opt/samba/var/locks/sysvol
read only = No

[test]
path = /srv/samba
read only = No



Re: [Samba] Samba4: Home of Users

2013-09-30 Thread Daniel Müller
[homes] <-- THIS IS WRONG WITH SAMBA 4
It should be --> [home]
No valid users and so on anymore.
Important --> path
          --> readonly = No


---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of Rowland Penny
Sent: Monday, 30 September 2013 23:11
To: Neurodesarrollo; samba@lists.samba.org
Subject: Re: [Samba] Samba4: Home of Users

On 30/09/13 21:45, Neurodesarrollo wrote:
> On 26/09/13 16:09, Neurodesarrollo wrote:
>> Hi List, I'm new to the list and to Samba4.
>> I installed Samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
>> Previously I had samba3.6.x installed on my server; the users could 
>> access /home/(users) as their user drive (U:) and modify everything 
>> in their drive.
>>
>> But with Samba4:
>> - How can my users modify their home (e.g. user: erick, with home
>> directory: /home/erick) on the server? Currently they can't 
>> modify (delete, create, rename and so on) anything.
>> - When a user logs in to their session, how can the drive U: appear 
>> automatically, for example with their home files?
>>
>> My client PCs are Windows XP SP2, installed with their profiles "only local".
>>
>> Thanks
>>
>>  T.I.A.
>>
>>
>> I provide my "smb.conf" configuration if you could help me.
>>
>>
>> [global]
>>  server string = Samba4 Server en NEURODESARROLLO
>>  workgroup = NEURODCAR
>>  realm = NEURODCAR.MTZ.SLD.CU
>>  netbios name = ALFA
>>  server role = active directory domain controller
>>  server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>> winbind, ntp_signd, kcc
>>  dns forwarder = 10.44.0.10
>>  logon path = \\%L\profiles\%U
>>  logon home = \\%N\%U
>>  logon drive = U:
>>  domain logons = Yes
>>  domain master = Yes
>>  local master = Yes
>>  preferred master = Yes
>>  os level = 65
>>  log level = 3
>>
>> [homes]
>>  comment = Home Directories
>>  valid users = %ACCOUNTNAME%, %S, %D%w%S
>>  browseable = No
>>  read only = No
>>
>> [profiles]
>>  path = /usr/local/samba/Profiles/
>>  read only = No
>>
>> [netlogon]
>>  path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
>>  read only = No
>>
>> [sysvol]
>>  path = /usr/local/samba/var/locks/sysvol
>>  read only = No
>>
>> [printers]
>>  comment = All Printers
>>  path = /var/tmp
>>  printable = Yes
>>  create mask = 0600
>>  browseable = No
>>  
>> [print$]
>>  comment = Printer Drivers
>>  path = /var/lib/samba/drivers
>>  write list = @ntadmin root
>>  force group = ntadmin
>>  create mask = 0664
>>  directory mask = 0775
>>
>> ###
>>
>>
>>
> Can anybody on this list help me?
>
> Thanks in Advance
>
>
>
Hi, from your posted smb.conf, you seem to be mixing up the settings for an
AD DC and an old-style NT-PDC; most of the global part of it could be
removed. The [homes] section will not work as before; it needs to be [home]
and you need to supply the path to wherever they are stored.

Have a look here: 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares

Rowland



Re: [Samba] Samba4 consumes more CPU

2013-09-30 Thread Thiago Fernandes Crepaldi
Agreed. For some strange reason I thought perf would "follow" the newly
forked smbd processes and account for their data too =)

Unfortunately, I don't have the libc symbols (at least for today) to see
what is going on there, but here is what I got in the child smbd process on
the server side. The client side is a Windows 7 Virtual machine running
NASPT

Could this result mean that most of the time the performance drop I am
experiencing is due to libc ?
I've never worked with perf before, but I will still try to resolve those
crazy addresses

Events: 45K cycles
-   7.37%  smbd  libc-2.13.so  [.] 0x11e465
   - 0x7ffab9f2043c
41.73% 0
5.32% 0x1b3fbe0
5.29% 0x2c4dab0
3.60% 0x1b0b130
3.37% 0x1b0b2a0
2.94% 0x1b5af80
2.70% 0x1b0d850
2.64% 0x2825fb0
1.86% 0x28e06d0
1.83% 0x2afcc80
1.71% 0x1b2ccb0
1.64% 0x2a4deb0
1.63% 0x1b56e00
1.51% 0x1b6bd00
1.16% 0x1b49eb0
1.15% 0x1b506e0
1.13% 0x1b4da00
1.07% 0x1b35100
0.93% 0x1af9050
0.92% 0x2b03680
0.91% 0x2ae21f0
0.90% 0x1b21210
0.89% 0x1b5de80
0.89% 0x1b5aa80
0.89% 0x1b2e0e0
0.88% 0x1b59be0
0.87% 0x1b4c600
0.86% 0x1b2aa20
0.85% 0x1b4a940
0.85% 0x1b45f50
0.84% 0x1b4a6d0
0.84% 0x1b23940
0.82% 0x1b37210
0.82% 0x1b2cf30
0.82% 0x1b33320
0.77% 0x2c96d50
0.76% 0x202f380
0.75% 0x2bd0bd0
0.66% 0x1b5e1d0
   - 0x7ffab9f27e10
37.72% 0x2f62696c2f3365
  + 23.78% 0
  + 11.24% 0x7fffc9f76d40
  + 6.25% set_unix_security_ctx
3.13% 0x645f6e656b6f74
2.46% 0x10009
  + 2.17% 0x11b9f22aac
2.16% 0x1b53000
  + 2.12% 0x2a29850
2.08% 0xbe70f04c4c
2.01% 0x1b0af00
1.94% 0x1b07390
1.51% 0x1b49b00
1.41% 0x2010
   - 0x7ffab9fc6c10
  + 18.08% 0
  + 13.63% 0x2c5fc20
  + 11.62% 0x2be7b10
  + 7.90% 0x2be8560
  + 6.61% 0x2a29850
  + 6.30% 0x2b3d6c0
5.67% 0x4e6f5479706f43
  + 5.64% 0x29d7110
  + 5.54% 0x2467130
  + 5.53% 0x2b3d5e0
  + 5.31% 0x28c81a0
  + 4.20% 0x2c5fa30
  + 3.98% 0x2a98990
   + 0x7ffab9f20438
   + 0x7ffab9f2045c
 0x7ffab9fc8e03
   + 0x7ffab9fc425e
   + 0x7ffab9f2a715
   + 0x7ffab9f2a6d0
 0x7ffab9f1f851
 0x7ffab9f1f2ac
   + 0x7ffab9f27e25
   + 0x7ffab9f2a648
   + 0x7ffab9fc4240
 0x7ffab9fc8654
 0x7ffab9f206bf
   + 0x7ffab9f20548
   + 0x7ffab9f20bc2
   + 0x7ffab9f1f130
   + 0x7ffab9f26310
   + 0x7ffab9f20422
 0x7ffab9f1e0db
 0x7ffab9f1f179
   + 0x7ffab9f2a6f2
   + 0x7ffab9f20572
   + 0x7ffab9f2054c
   + 0x7ffab9fc42c5
-   1.72%  smbd  [kernel.kallsyms] [k] kmem_cache_alloc
   + kmem_cache_alloc
-   1.30%  smbd  libtalloc.so.2.0.7[.] _talloc_free
   + _talloc_free
-   1.10%  smbd  libtalloc.so.2.0.7[.]
_talloc_free_children_internal.i
   + _talloc_free_children_internal.isra.4
-   1.07%  smbd  [kernel.kallsyms] [k] copy_user_generic_unrolled
   + copy_user_generic_unrolled
-   0.95%  smbd  [kernel.kallsyms] [k] __kmalloc
   + __kmalloc
-   0.78%  smbd  [kernel.kallsyms] [k] ext4_htree_store_dirent
   + ext4_htree_store_dirent
   + 0x7ffab9f4f2f5
-   0.73%  smbd  [kernel.kallsyms] [k] kmem_cache_free
   + kmem_cache_free
-   0.73%  smbd  [kernel.kallsyms] [k] link_path_walk
   + link_path_walk
-   0.69%  smbd  libc-2.13.so  [.] malloc
   + malloc
-   0.69%  smbd  libtalloc.so.2.0.7[.] _talloc_zero
   + _talloc_zero
-   0.62%  smbd  [kernel.kallsyms] [k] fcntl_setlk
   + fcntl_setlk
   + 0x7ffabcf93238
-   0.59%  smbd  [kernel.kallsyms] [k] __d_lookup_rcu
   + __d_lookup_rcu
-   0.57%  smbd  libtalloc.so.2.0.7[.] talloc_alloc_pool
   + talloc_alloc_pool
-   0.55%  smbd  libtalloc.so.2.0.7[.] talloc_get_name
   + talloc_get_name
-   0.55%  smbd  [kernel.kallsyms] [k] __posix_lock_file
   + __posix_lock_file
   + 0x7ffabcf93238
-   0.50%  smbd  [kernel.kallsyms] [k] _raw_spin_lock
   + _raw_spin_lock
+   0.49%  smbd  [kernel.kallsyms] [k] tg3_start_xmit
+   0.48%  smbd  [kernel.kallsyms] [k] system_call_after_swapgs
+   0.46%  smbd  libtalloc.so.2.0.7[.] talloc_named_const
+   0.46%  smbd  [kernel.kallsyms] [k] memset
+   0.46%  smbd  libtalloc.so.2.0.7[.] _talloc_get_type_abort
+   0.45%  smbd  [kernel.kallsyms] [k] str2hashbuf_signed
+   0.45%  smbd  [kernel.kallsyms] [k] kfree
+   0.45%  smbd  libc-2.13.so  [.] free
+   0.44%  smbd  [kernel.kallsyms] [k] __alloc_skb
+   0.42%  smbd  libtalloc.so.2.0.7[.] talloc_is_parent
+   0.41%  smbd  libtalloc.so.2.0.7[.] _talloc_array





On Mon, Sep 30, 2013 at 5:39 PM, Jeremy Allison  wrote:

> On Mon, Sep 30, 2013 at 05:21:44PM -0300, Thiago Fernandes Crepa

Re: [Samba] Samba4: Home of Users

2013-09-30 Thread Rowland Penny

On 30/09/13 21:45, Neurodesarrollo wrote:

On 26/09/13 16:09, Neurodesarrollo wrote:

Hi List, I'm new to the list and to Samba4.
I installed Samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
Previously I had samba3.6.x installed on my server; the users could
access /home/(users) as their user drive (U:) and modify everything
in their drive.

But with Samba4:
- How can my users modify their home (e.g. user: erick, with home
directory: /home/erick) on the server? Currently they can't
modify (delete, create, rename and so on) anything.
- When a user logs in to their session, how can the drive U: appear
automatically, for example with their home files?

My client PCs are Windows XP SP2, installed with their profiles "only local".

Thanks

T.I.A.


I provide my "smb.conf" configuration if you could help me.


[global]
server string = Samba4 Server en NEURODESARROLLO
workgroup = NEURODCAR
realm = NEURODCAR.MTZ.SLD.CU
netbios name = ALFA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc
dns forwarder = 10.44.0.10
logon path = \\%L\profiles\%U
logon home = \\%N\%U
logon drive = U:
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
log level = 3

[homes]
 comment = Home Directories
 valid users = %ACCOUNTNAME%, %S, %D%w%S
 browseable = No
 read only = No

[profiles]
 path = /usr/local/samba/Profiles/
 read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

###




Can anybody on this list help me?

Thanks in Advance



Hi, from your posted smb.conf, you seem to be mixing up the settings for 
an AD DC and an old-style NT-PDC; most of the global part of it could be 
removed. The [homes] section will not work as before; it needs to be 
[home] and you need to supply the path to wherever they are stored.


Have a look here: 
https://wiki.samba.org/index.php/Setup_and_configure_file_shares


Rowland



Re: [Samba] Samba4: Home of Users

2013-09-30 Thread Neurodesarrollo
On 26/09/13 16:09, Neurodesarrollo wrote:
> Hi List, I'm new to the list and to Samba4.
> I installed Samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
> Previously I had samba3.6.x installed on my server; the users could
> access /home/(users) as their user drive (U:) and modify everything
> in their drive.
> 
> But with Samba4:
> - How can my users modify their home (e.g. user: erick, with home
> directory: /home/erick) on the server? Currently they can't
> modify (delete, create, rename and so on) anything.
> - When a user logs in to their session, how can the drive U: appear
> automatically, for example with their home files?
> 
> My client PCs are Windows XP SP2, installed with their profiles "only local".
> 
> Thanks
> 
>   T.I.A.
> 
> 
> I provide my "smb.conf" configuration if you could help me.
> 
> 
> [global]
>   server string = Samba4 Server en NEURODESARROLLO
>   workgroup = NEURODCAR
>   realm = NEURODCAR.MTZ.SLD.CU
>   netbios name = ALFA
>   server role = active directory domain controller
>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbind, ntp_signd, kcc
>   dns forwarder = 10.44.0.10
>   logon path = \\%L\profiles\%U
>   logon home = \\%N\%U
>   logon drive = U:
>   domain logons = Yes
>   domain master = Yes
>   local master = Yes
>   preferred master = Yes
>   os level = 65
>   log level = 3
> 
> [homes]
> comment = Home Directories
> valid users = %ACCOUNTNAME%, %S, %D%w%S
> browseable = No
> read only = No
> 
> [profiles]
> path = /usr/local/samba/Profiles/
> read only = No
> 
> [netlogon]
>   path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
>   read only = No
> 
> [sysvol]
>   path = /usr/local/samba/var/locks/sysvol
>   read only = No
> 
> [printers]
>   comment = All Printers
>   path = /var/tmp
>   printable = Yes
>   create mask = 0600
>   browseable = No
>   
> [print$]
>   comment = Printer Drivers
>   path = /var/lib/samba/drivers
>   write list = @ntadmin root
>   force group = ntadmin
>   create mask = 0664
>   directory mask = 0775
> 
> ###
> 
> 
> 
Can anybody on this list help me?

Thanks in Advance

-- 
Jesús Reyes Piedra
Network Admin, Neurodearrollo, Cárdenas

The box said: "Requires Windows 95 or better"...
So I installed LINUX.




Re: [Samba] Samba4 consumes more CPU

2013-09-30 Thread Jeremy Allison
On Mon, Sep 30, 2013 at 05:21:44PM -0300, Thiago Fernandes Crepaldi wrote:
> Andrew, in my company we are also experiencing higher CPU usage with Samba
> 4 (smbd) compared to Samba 3.
> 
> In fact, it almost reaches 100% of CPU and uses all the memory during *dir
> copies* (individual file copy is as good as Samba 3's). I strongly believe
> that this CPU usage is responsible for Samba 4's worse throughput
> compared to the Samba 3 tests.
> 
> Given that, I would like to contribute to this investigation and share
> my data regarding perf profiling on smbd (parent process):
> 
> Events: 7  cycles
> -  90.01%  smbd  [kernel.kallsyms]  [k] copy_pte_range
>  copy_pte_range
>  __libc_fork
>  smbd_accept_connection
> -   9.77%  smbd  [kernel.kallsyms]  [k] handle_edge_irq
>  handle_edge_irq
>  smbd_accept_connection
> -   0.22%  smbd  [kernel.kallsyms]  [k] perf_pmu_rotate_start.isra.57
>  perf_pmu_rotate_start.isra.57
>  __poll
> -   0.00%  smbd  [kernel.kallsyms]  [k] native_write_msr_safe
>  native_write_msr_safe
>  __poll

It's the client process that should have the interesting
profile data, the parent is just going to sit there doing
accept().

Jeremy.


Re: [Samba] Samba4 consumes more CPU

2013-09-30 Thread Thiago Fernandes Crepaldi
Andrew, in my company we are also experiencing higher CPU usage with Samba
4 (smbd) compared to Samba 3.

In fact, it almost reaches 100% of CPU and uses all the memory during *dir
copies* (individual file copy is as good as Samba 3's). I strongly believe
that this CPU usage is responsible for Samba 4's worse throughput
compared to the Samba 3 tests.

Given that, I would like to contribute to this investigation and share
my data regarding perf profiling on smbd (parent process):

Events: 7  cycles
-  90.01%  smbd  [kernel.kallsyms]  [k] copy_pte_range
 copy_pte_range
 __libc_fork
 smbd_accept_connection
-   9.77%  smbd  [kernel.kallsyms]  [k] handle_edge_irq
 handle_edge_irq
 smbd_accept_connection
-   0.22%  smbd  [kernel.kallsyms]  [k] perf_pmu_rotate_start.isra.57
 perf_pmu_rotate_start.isra.57
 __poll
-   0.00%  smbd  [kernel.kallsyms]  [k] native_write_msr_safe
 native_write_msr_safe
 __poll

My smb.conf is:

[Global]
available= yes
client signing= auto
server signing= auto
server string= LenovoEMC™ px4-400r
Workgroup= WORKGROUP
security= user
domain master= auto
preferred master= auto
local master= yes
os level= 20
invalid users= bin daemon adm sync shutdown halt mail news uucp gopher
map to guest= Bad User
host msdfs= yes
restrict anonymous= 0
strict allocate= yes
encrypt passwords= yes
passdb backend= smbpasswd
printcap name= lpstat
printable= no
load printers= yes
max smbd processes= 500
getwd cache= yes
syslog= 0
use sendfile= yes
browse directory= /tmp/samba
winbind sequence directory= /tmp/samba
log level= 0
max log size= 50
unix extensions= no
veto files= /.AppleDouble/.AppleDB/.bin/.AppleDesktop/Network Trash
Folder/Temporary Items/:2eDS_Store/

[Printers]
path= /mnt/system/samba/spool
printable= yes
only guest= yes
use client driver= yes
comment= All Printers

[USB_UnkVend_USB_DISK_MOD_a_1]
path= /mnt/ext/USB_UnkVend_USB_DISK_MOD_a_1/
max connections= 150
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
strict allocate= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Backups]
path= /mnt/pools/A/A0/Backups/
max connections= 150
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

[Documents]
path= /mnt/pools/A/A0/Documents/
max connections= 150
directory mode= 0777
create mode= 0777
follow symlinks= yes
wide links= no
nt acl support= no
dos filemode= no
writeable= yes
public= yes
store dos attributes= yes
write list= guest

My samba 4.0.9 was compiled with the following options:
CPPFLAGS="-D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE
-march=atom -O2 -pipe -fomit-frame-pointer" \
samba_cv_HAVE_GETTIMEOFDAY_TZ=yes \
samba_cv_HAVE_IFACE_IFCONF=yes \
samba_cv_HAVE_IFACE_IFREQ=yes \
ac_cv_have_setresuid=yes \
ac_cv_have_setresgid=yes \
ac_cv_file__proc_sys_kernel_core_pattern=yes \
samba_cv_USE_SETRESUID=yes \
samba_cv_HAVE_KERNEL_OPLOCKS_LINUX=yes \
samba_cv_HAVE_WRFILE_KEYTAB=yes \
samba_cv_HAVE_OFF64_T=yes \
samba_cv_have_longlong=yes \
samba_cv_HAVE_MMAP=yes \
samba_cv_HAVE_INO64_T=yes \
samba_cv_CC_NEGATIVE_ENUM_VALUES=yes \
smb_krb5_cv_enctype_to_string_takes_krb5_context_arg=no \
smb_krb5_cv_enctype_to_string_takes_size_t_arg=yes \
./configure \
--without-pie \
--disable-cups \
--disable-iprint \
--with-configdir=/etc/samba \
--with-logfilebase=/tmp/samba \
--with-lockdir=/tmp/samba \
--with-piddir=/tmp/samba \
--with-privatedir=/etc/samba/private \
--with-sendfile-support \
--with-ldap \
--with-ads \
--with-pam \
--with-pammodulesdir=/lib/x86_64-linux-gnu/security \
--with-pam_smbpass \
--with-winbind \
--with-acl-support \
--with-automount \
--enable-pthreadpool \
--with-dnsupdate \
--with-shared-modules=idmap_ad,idmap_rid \
--localstatedir=/var \
--with-libiconv=/usr \
--with-cachedir=/mnt/system/samba/system \
--prefix=/usr/local/samba \
--without-ad-dc \
--without-swat \
--without-quotas \
--with-aio-support \
--fail-immediately \
--jobs=8 \
--enable-debug # I added this to use with perf only

Please let me know if I can help more!
Thiago


On Mon, Sep 2, 2013 at 5:50 PM, Andrew Bartlett  wrote:

> On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
> > Dear Andrew,
> >
> > As per your suggestion, I have attached the gdb log of the samba and smbd
> > process log running in the single server mode.
> > Also when I noted in the perf top, libndr.so consumes the maximum cpu.
> > I noticed that it happens soon after sometime the samba process is started
> > and the CPU is filled up.
> > Since the samba process occupies 100% at least two or

Re: [Samba] Samba4: where are ACLs stored?

2013-09-30 Thread Andrew Bartlett
On Thu, 2013-09-26 at 16:12 +0200, Klaus Hartnegg wrote:
> Hi,
> 
> most file access rights sync between ACLs of linux and the security tab 
> of windows file properties, but not all. Where are the other infos stored?
> 
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither 
> output changed when using windows to add individual right for a user 
> that already has rights inherited from the parent directory. Windows 
> remembers every detail of these changes, even after a reboot, so it must 
> be stored somewhere.
> 
> I'm concerned that backups might be incomplete when part of the access 
> rights are hidden somewhere else. Will 'cp -a' really copy everything?

Can you show me your smb.conf?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba4: Home of Users

2013-09-26 Thread Neurodesarrollo
Hi list, I'm new to the list and to Samba4.
I have installed Samba4 ver. 4.0.9 on a server with openSUSE 12.3, 32 bits.
Previously I had samba3.6.x installed on my server; the users could
access /home/(users) as their user drive (U:) and modify everything
on their drive.

But with Samba4:
- How can my users modify their home (e.g. user: erick, with home
directory: /home/erick) on the server? At the moment they can't
modify (delete, create, rename and so on) anything.
- When a user logs in to their session, how can the drive U: appear
automatically, for example with their home files?

My client PCs are Windows XP SP2 installed with their profiles "only local".

Thanks

T.I.A.


I provide my "smb.conf" configuration if you could help me.


[global]
server string = Samba4 Server en NEURODESARROLLO
workgroup = NEURODCAR
realm = NEURODCAR.MTZ.SLD.CU
netbios name = ALFA
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc
dns forwarder = 10.44.0.10
logon path = \\%L\profiles\%U
logon home = \\%N\%U
logon drive = U:
domain logons = Yes
domain master = Yes
local master = Yes
preferred master = Yes
os level = 65
log level = 3

[homes]
comment = Home Directories
valid users = %ACCOUNTNAME%, %S, %D%w%S
browseable = No
read only = No

[profiles]
path = /usr/local/samba/Profiles/
read only = No

[netlogon]
path = /usr/local/samba/var/locks/sysvol/neurodcar.mtz.sld.cu/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

###

-- 
Jesús Reyes Piedra
Network Admin, Neurodesarrollo, Cárdenas

The box said: "Requires Windows 95 or better"...
So I installed LINUX.




Re: [Samba] Samba4: where are ACLs stored?

2013-09-26 Thread Thomas Harold

On 9/26/2013 10:12 AM, Klaus Hartnegg wrote:
> Hi,
>
> most file access rights sync between ACLs of linux and the security tab
> of windows file properties, but not all. Where are the other infos stored?
>
> I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither
> output changed when using windows to add individual right for a user
> that already has rights inherited from the parent directory. Windows
> remembers every detail of these changes, even after a reboot, so it must
> be stored somewhere.
>
> I'm concerned that backups might be incomplete when part of the access
> rights are hidden somewhere else. Will 'cp -a' really copy everything?



Under ext4, we mount with "rw,noatime,user_xattr,acl".

http://docs.fedoraproject.org/en-US/Fedora/14/html/Storage_Administration_Guide/ext4mount.html

https://wiki.samba.org/index.php/Samba_4/OS_Requirements#ext3.2Fext4_File_System


According to the ext4 documentation page, barrier=barrier (a.k.a. 
barrier=1) is the default, but it doesn't hurt to specify it in your 
/etc/fstab file for the file system where your TDB files are stored. 
Use "cat /proc/mounts" to see current file system mount options.


You can check kernel defaults for xattr and ACL support by finding your 
config.gz or config file.  Under CentOS, this is stored in /boot


# grep CONFIG_EXT4_FS /boot/config-2.6.32-358.18.1.el6.x86_64
or
# zgrep CONFIG_EXT4_FS /proc/config.gz

Command to check ACLs:

# getfacl

Command to check xattrs:

# getfattr

...

All that to say my guess is that the ACLs get stored in "acl" ext4 mount 
option.


I know that rdiff-backup stores: "preserves subdirectories, hard links, 
dev files, permissions, uid/gid ownership, modification times, extended 
attributes, acls, and resource forks".  So you would need to check that 
your backup software supports both "extended attributes" and "ACLs".
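
One way to check the backup concern raised in this thread, as an added example that is not part of the original posts: compare the ACL-bearing extended attributes of a share with those of its copy. It assumes the share uses Samba's acl_xattr storage (NT ACL in `security.NTACL`) and that both trees were dumped with `getfattr -R -d -m - -e base64`; plain `getfattr -d` only shows `user.*` attributes. The paths and attribute values below are constructed.

```python
import posixpath

# Extended attributes that carry ACL state on a Samba share.
ACL_XATTRS = (
    "security.NTACL",            # NT security descriptor (Samba acl_xattr)
    "system.posix_acl_access",   # POSIX access ACL
    "system.posix_acl_default",  # POSIX default ACL (directories only)
)

# Constructed sample dumps; the base64 values are placeholders, not real ACLs.
SOURCE_DUMP = """\
# file: srv/share
security.NTACL=0sQUFBQQ==
system.posix_acl_access=0sQUNDMQ==
system.posix_acl_default=0sREVGMQ==
user.DOSATTRIB=0sMHgxMAA=

# file: srv/share/old.txt
security.NTACL=0sT0xEMQ==

# file: srv/share/plan.doc
security.NTACL=0sQkJCQg==
system.posix_acl_access=0sQUNDMg==
user.DOSATTRIB=0sMHgyMAA=
"""

BACKUP_DUMP = """\
# file: backup/share
system.posix_acl_access=0sQUNDMQ==
system.posix_acl_default=0sREVGMQ==
user.DOSATTRIB=0sMHgxMAA=

# file: backup/share/plan.doc
security.NTACL=0sQ0NDQw==
user.DOSATTRIB=0sMHgyMAA=
"""


def parse_getfattr_dump(text, root):
    """Parse getfattr dump output into {path relative to root: {attr: value}}."""
    base = "/" + root.strip("/")
    files, current = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = "/" + line[len("# file: "):].strip("/")
            current = files.setdefault(posixpath.relpath(path, base), {})
        elif line.strip() and current is not None:
            name, _, value = line.partition("=")
            current[name] = value
    return files


def acl_gaps(source, backup):
    """List (path, attribute, problem) for ACL xattrs the backup lost or altered."""
    findings = []
    for rel in sorted(source):
        if rel not in backup:
            # getfattr omits files without matching attributes, so this means
            # the file is absent or every extended attribute on it was dropped.
            findings.append((rel, "*", "not in backup dump"))
            continue
        for attr in ACL_XATTRS:
            if attr not in source[rel]:
                continue
            if attr not in backup[rel]:
                findings.append((rel, attr, "missing"))
            elif backup[rel][attr] != source[rel][attr]:
                findings.append((rel, attr, "changed"))
    return findings


def check_sample():
    """Run the comparison on the constructed dumps above."""
    src = parse_getfattr_dump(SOURCE_DUMP, "srv/share")
    dst = parse_getfattr_dump(BACKUP_DUMP, "backup/share")
    return acl_gaps(src, dst)


if __name__ == "__main__":
    for path, attr, problem in check_sample():
        print(f"{path}: {attr} {problem}")
```

In the sample the copy kept `user.DOSATTRIB` everywhere but lost or altered the ACL attributes, which is the failure a backup tool without full xattr and ACL support produces.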




[Samba] Samba4: where are ACLs stored?

2013-09-26 Thread Klaus Hartnegg

Hi,

most file access rights sync between ACLs of linux and the security tab 
of windows file properties, but not all. Where are the other infos stored?


I tried in linux 'getfattr -d' and 'samba-tool ntacl get', but neither 
output changed when using windows to add individual right for a user 
that already has rights inherited from the parent directory. Windows 
remembers every detail of these changes, even after a reboot, so it must 
be stored somewhere.


I'm concerned that backups might be incomplete when part of the access 
rights are hidden somewhere else. Will 'cp -a' really copy everything?


Thanks,
Klaus



Re: [Samba] Samba4, ZFS and FreeBSD

2013-09-25 Thread Petros

Hi Andrew,

thanks for the quick answer. Apologies that some of my "guesswork"  
wasn't right.


From: "Andrew Bartlett"

> smbd has NFSv4 ACLs

Great!

> On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> > I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS
> > support. But I am afraid I am not good enough to code it myself. I am
> > a sysadmin who reads C code frequently, it does not make me a good
> > coder..
>
> The issue is essentially that the python-based provision code need to
> detect the use of zfs, load the zfsacl module in the generated smb.conf,
> and instead of testing simple posix ACLs, proceed to setting a full NT
> ACL when we create the sysvol share.


Okay.. python is one of the languages I did not learn so far. Well, I  
will see what I can do.


For the sake of clarification: In case

- I get the provisioning right,
- Have the zfsacl module in the generated smb.conf

I will have a working smbd?

Thanks again
Peter




Re: [Samba] Samba4, ZFS and FreeBSD

2013-09-25 Thread Andrew Bartlett
On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> Hi all,
> I am in the process of finding the best way to use Samba4 as an AD  
> under FreeBSD and ZFS.
> 
> The following is based on own research, google, mail archives, a bit  
> of source code etc. So please correct me if I am wrong.
> 
> 1. ZFS is using NFSv4 ACLs.
> 2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
> 3. Samba4 started with a new ntvfs file server but that was abandoned  
> (or delayed?) to get samba4 released
> 4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
> 5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
> 6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs
> I can install an experimental module but cannot provision AD with s3fs.
> 7. The provisioning with ntvfs seems to work
> 
> For me, there are two uncertainties:
> a) Will be ntvfs supported in the future? Or will it be the default later?

No, and No.  We support the ntvfs file server with the existing
functionality, but are not developing it.  Essentially we are keeping it
as a technology demonstration, as well not breaking any existing users. 

> b) Will s3fs gain support for NFSv4 ACLs?

smbd has NFSv4 ACLs

> If a) is the case, I am happy to proceed with using ntvfs.
> 
> If b) is the case, I may try to use ZFS on volume management level  
> (for samba4 jails only, I am running other "stuff" on the FreeBSD  
> boxes with ZFS).
> 
> I may create ZFS volumes and create UFS volumes, with POSIX support.
> 
> Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.
> 
> The other option would be to run it with ntvfs for now, switching to  
> s3fs when it is "ZFS ready".
> 
> I do not know who has any plans in any directions. Of course, "Solaris  
> people" (Oracle, illumos) may have interests and plans in this area too.
> 
> I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS  
> support. But I am afraid I am not good enough to code it myself. I am  
> a sysadmin who reads C code frequently, it does not make me a good  
> coder..

The issue is essentially that the python-based provision code need to
detect the use of zfs, load the zfsacl module in the generated smb.conf,
and instead of testing simple posix ACLs, proceed to setting a full NT
ACL when we create the sysvol share.

Thanks,

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




[Samba] Samba4, ZFS and FreeBSD

2013-09-25 Thread Petros

Hi all,
I am in the process of finding the best way to use Samba4 as an AD  
under FreeBSD and ZFS.


The following is based on own research, google, mail archives, a bit  
of source code etc. So please correct me if I am wrong.


1. ZFS is using NFSv4 ACLs.
2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
3. Samba4 started with a new ntvfs file server but that was abandoned  
(or delayed?) to get samba4 released

4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs
   I can install an experimental module but cannot provision AD with s3fs.
7. The provisioning with ntvfs seems to work

For me, there are two uncertainties:
a) Will be ntvfs supported in the future? Or will it be the default later?
b) Will s3fs gain support for NFSv4 ACLs?

If a) is the case, I am happy to proceed with using ntvfs.

If b) is the case, I may try to use ZFS on volume management level  
(for samba4 jails only, I am running other "stuff" on the FreeBSD  
boxes with ZFS).


I may create ZFS volumes and create UFS volumes, with POSIX support.

Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.

The other option would be to run it with ntvfs for now, switching to  
s3fs when it is "ZFS ready".


I do not know who has any plans in any directions. Of course, "Solaris  
people" (Oracle, illumos) may have interests and plans in this area too.


I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS  
support. But I am afraid I am not good enough to code it myself. I am  
a sysadmin who reads C code frequently, it does not make me a good  
coder..


Can you give any hints or advice?

Thank you
Peter



Re: [Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?

2013-09-25 Thread Thomas Harold

On 9/25/2013 7:52 AM, Thomas Harold wrote:

> #2 - Can Samba4 DNS be setup to forward all queries that are not for
> "addomain.example.com" to the firewall BIND DNS server?  Or should we
> continue to point our DHCP clients at the firewall as their primary DNS
> server?



http://www.sloop.net/smb.conf.html

It looks like I just add the following to the [global] section of 
/etc/samba/smb.conf?


dns forwarder = .1

(Where .1 would be the IP address of the firewall server running BIND DNS.)


[Samba] Samba4 DNS - setting up forwarding zones (or how to configure clients)?

2013-09-25 Thread Thomas Harold

Let's assume that we have a network with:

domain = "addomain.example.com"

.1 - firewall server that runs BIND9, is not in the domain, but can 
resolve all DNS queries.  It is setup to forward any queries for the 
"addomain.example.com" to the internal Samba4 server.


.8 - Samba4 server (sernet packages on CentOS 6) running with integrated 
DNS in Active Directory mode.


Questions:

#1 - Where would you put the DHCPD service to hand out DHCP addresses 
(currently, our Windows 2003 domain controller handles this and 
registers the host names of clients in the "addomain.example.com" 
automatically).  I would like to put the DHCPD service on the .1 
firewall and have it send updates to the Samba4 server on .8.


#1a - Should we instead move to a setup where we create a second 
internal domain ("dhcp.example.com") for our DHCP clients?


#2 - Can Samba4 DNS be setup to forward all queries that are not for 
"addomain.example.com" to the firewall BIND DNS server?  Or should we 
continue to point our DHCP clients at the firewall as their primary DNS 
server?




Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-25 Thread Thomas Besser

Hi Marc,

On 24.09.2013 23:46, Marc Muehlfeld wrote:
> On 24.09.2013 09:13, Thomas Besser wrote:
> > Like described here
> > (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-
> > from-cups/)
> > I enabled 'root' for short and granted the 'SePrintOperator' right
> > to a normal account and switched back to security = ads
>
> I'm not sure if I understand this. Did you take the server out of the
> domain and temporarily downgrade it to a standalone server for granting
> the privilege?

Yes.

> Can you make sure, that the privilege was granted to a _domain account_?
> # net rpc rights list accounts -Uadministrator


Okay, yes and no ;-)

It's a little bit difficult to describe...

We have a special setup in our large institution: we have an ldap and AD
filled from an identity management with all employees separated by OUs.
That's the reason why I don't have a 'Domain Admin' account, because I
administrate only a small part of it. For our OU my personal account is
getting delegated rights (domain join, GPO, creating AD accounts).


Our samba4 server uses AD for authentication (User & Password exists),
the underlying linux (NSS & PAM) uses LDAP. Found this here:
https://wiki.samba.org/index.php/Samba,_Active_Directory_%26_LDAP


The privileged account 'Admin' is only known in AD (created manually), 
not in LDAP. Therefore I created it locally in /etc/passwd on the samba4 
server.


That should be the reason, why the process of privileging in standalone 
mode worked!?



> > Now the next problem arises:
> >
> > I can now upload the win drivers as described in your howto section
> > "Uploading printer drivers for Point'n'Print driver installation"
> > successfully. I can also see the files in the samba drivers share.
> >
> > But I can not associate it with a printer! The dropdown on
> > https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> I haven't had this case yet. Just some questions that may help us to
> find the cause of your problem:
>
> - Do you connect to the server as the user you granted the
> SePrintOperator permissions to?

Yes

> - Is the user you granted the permission to a domain account?

Yes (and locally created too on linux server). In samba it is shown like
this:

net rpc rights list accounts -U Admin

[...]
Unix User\Admin
SePrintOperatorPrivilege
[...]

> - The account you use to associate the driver with a printer is the same
> as the one you used for uploading the drivers?

Yes

> - Did the driver upload wizard run fine? Or any errors or untypical
> messages?

Yes, no errors. After that I can see it over 'server properties'. I can
also delete it. Only if I switch to the 'printer properties' the
dropdown is empty. So I can not associate over windows.

> - Can you associate the driver on *nix side by using 'rpcclient'? (see
> https://wiki.samba.org/index.php/Samba_as_a_print_server#Associating_a_shared_printer_with_a_driver_and_preconfiguring)

Yes.

rpcclient localhost -U Admin -c 'setdriver "printername" "name of printer driver"'

After that I can see also in windows that the dropdown is not empty any
more.

I uploaded a second driver to test, if I can then switch to the second
one. Result: no, I only see the originally associated driver.

With 'rpcclient localhost -U Admin -c "enumdrivers"' I see both drivers.

> - Is the combobox still empty, if you use a domain admin account (grant
> the privilege to first)?


I don't have a domain admin account (see our special environment above)

Regards
Thomas



Re: [Samba] samba4 with glusterfs

2013-09-24 Thread Daniel Müller
It is also missing in glusterfs 3.4!
Just setup samba4 with glusterfs on centos 6.4. The same error.
Only the acl option is working. A work around to see the extended acls from
windows is to set the volume stat-prefetch off.

Greetings
Daniel

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On
Behalf Of wil
Sent: Wednesday, 25 September 2013 01:58
To: samba@lists.samba.org
Subject: Re: [Samba] samba4 with glusterfs

Ulrich Schinz  schinz.de> writes:

> 
> On 11.05.2013 03:31, Hisham Attar wrote:
> > for mine to work (under ubuntu) I had to mount with the options at 
> > the end or it didnt work mount -t glusterfs 
> > gluster01:/vol01/samba/glusterfs -o acl,user_xattr
> >
> ah ok, maybe in earlier versions... for now it's an unknown option...
> 
> mount -t glusterfs sba-gluster01.intern.ksfh.de:/dfsvol01
> /samba/glusterfs/ -o acl,user_xattr
> unknown option user_xattr (ignored)
> 

the option does appear to be there but it is either misnamed or doesn't
have an appropriate alias setup

glusterfs --help | grep -i attr

correct option name appears to be selinux

you could modify the mount script...
nano /sbin/mount.glusterfs

I can confirm this option doesn't appear to be in glusterfs 3.2.5 built on
Jan 31 2012 either as user_xattr or selinux

the operation of mount.glusterfs appears to be buggy when issued user_xattr
option - the log in /var/log/gluster/mnt indicates it's trying to resolve
it as a host name

options are only specified after the volume when using the mount.glusterfs
script directly...
Usage:  mount.glusterfs : -o 


I believe when working directly with mount it's more normal to do as per man
entry
mount [-fnrsvw] [-t vfstype] [-o options] device dir








Re: [Samba] samba4 with glusterfs

2013-09-24 Thread wil
Ulrich Schinz  schinz.de> writes:

> 
> On 11.05.2013 03:31, Hisham Attar wrote:
> > for mine to work (under ubuntu) I had to mount with the options at the 
> > end or it didnt work
> > mount -t glusterfs gluster01:/vol01/samba/glusterfs -o acl,user_xattr
> >
> ah ok, maybe in earlier versions... for now it's an unknown option...
> 
> mount -t glusterfs sba-gluster01.intern.ksfh.de:/dfsvol01 
> /samba/glusterfs/ -o acl,user_xattr
> unknown option user_xattr (ignored)
> 

the option does appear to be there but it is either misnamed or doesn't
have an appropriate alias setup

glusterfs --help | grep -i attr

correct option name appears to be selinux

you could modify the mount script...
nano /sbin/mount.glusterfs

I can confirm this option doesn't appear to be in glusterfs 3.2.5 built on
Jan 31 2012 either as user_xattr or selinux

the operation of mount.glusterfs appears to be buggy when issued user_xattr
option - the log in /var/log/gluster/mnt indicates it's trying to resolve
it as a host name

options are only specified after the volume when using the mount.glusterfs
script directly...
Usage:  mount.glusterfs : -o 


I believe when working directly with mount it's more normal to do as per man
entry
mount [-fnrsvw] [-t vfstype] [-o options] device dir








Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-24 Thread Marc Muehlfeld

Hello Thomas,

On 24.09.2013 09:13, Thomas Besser wrote:
> Like described here
> (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-
> from-cups/)
> I enabled 'root' for short and granted the 'SePrintOperator' right
> to a normal account and switched back to security = ads

I'm not sure if I understand this. Did you take the server out of the
domain and temporarily downgrade it to a standalone server for granting
the privilege?


Can you make sure, that the privilege was granted to a _domain account_?
# net rpc rights list accounts -Uadministrator




> Now the next problem arises:
>
> I can now upload the win drivers as described in your howto section
> "Uploading printer drivers for Point'n'Print driver installation"
> successfully. I can also see the files in the samba drivers share.
>
> But I can not associate it with a printer! The dropdown on
> https://wiki.samba.org/index.php/File:Choose_driver.png is empty!

I haven't had this case yet. Just some questions that may help us to 
find the cause of your problem:


- Do you connect to the server as the user you granted the
SePrintOperator permissions to?


- Is the user you granted the permission to a domain account?

- The account you use to associate the driver with a printer is the same
as the one you used for uploading the drivers?


- Did the driver upload wizard run fine? Or any errors or untypical
messages?


- Can you associate the driver on *nix side by using 'rpcclient'? (see 
https://wiki.samba.org/index.php/Samba_as_a_print_server#Associating_a_shared_printer_with_a_driver_and_preconfiguring)


- Is the combobox still empty, if you use a domain admin account (grant 
the privilege to first)?




Regards,
Marc



Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-24 Thread Thomas Besser

On 24.09.2013 09:13, Thomas Besser wrote:
> Hi Marc,
>
> On 19.09.2013 21:07, Marc Muehlfeld wrote:
> > On 19.09.2013 16:27, Thomas Besser wrote:
> > > have a samba4 server as AD member (security =ADS). I have no account
> > > with "Domain Admin" rights, only a normal account with delegated
> > > privilege to managing GPO and for domain join.
> > >
> > > I can not manage the printserver resp. upload the win drivers. The
> > > smb.conf option 'printer admin' is gone with v4.
> >
> > Have a look at the print server HowTo, I wrote:
> > http://wiki.samba.org/index.php/Samba_as_a_print_server
>
> The permission problem I got solved.
>
> Like described here
> (http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/)
> I enabled 'root' for short and granted the 'SePrintOperator' right to a
> normal account and switched back to security = ads
>
> Now the next problem arises:
>
> I can now upload the win drivers as described in your howto section
> "Uploading printer drivers for Point'n'Print driver installation"
> successfully. I can also see the files in the samba drivers share.
>
> But I can not associate it with a printer! The dropdown on
> https://wiki.samba.org/index.php/File:Choose_driver.png is empty!
>
> Any hint what's wrong here? A bug in samba4?
>
> Running the sernet samba4 debian package (sernet-samba 99:4.0.9-6) on
> debian wheezy.


Over Windows I can't get the association to work, but over the Linux command
line this worked:


rpcclient localhost -U Admin -c 'setdriver "printername" "name of printer driver"'


???

Regards
Thomas





Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-24 Thread Thomas Besser

Hi Marc,

On 19.09.2013 21:07, Marc Muehlfeld wrote:
> On 19.09.2013 16:27, Thomas Besser wrote:
> > have a samba4 server as AD member (security =ADS). I have no account
> > with "Domain Admin" rights, only a normal account with delegated
> > privilege to managing GPO and for domain join.
> >
> > I can not manage the printserver resp. upload the win drivers. The
> > smb.conf option 'printer admin' is gone with v4.
>
> Have a look at the print server HowTo, I wrote:
> http://wiki.samba.org/index.php/Samba_as_a_print_server


The permission problem I got solved.

Like described here 
(http://geekyprojects.com/ubuntu/getting-windows-printer-drivers-from-cups/) 
I enabled 'root' for short and granted the 'SePrintOperator' right to a 
normal account and switched back to security = ads


Now the next problem arises:

I can now upload the win drivers as described in your howto section 
"Uploading printer drivers for Point'n'Print driver installation" 
successfully. I can also see the files in the samba drivers share.


But I can not associate it with a printer! The dropdown on
https://wiki.samba.org/index.php/File:Choose_driver.png is empty!

Any hint what's wrong here? A bug in samba4?

Running the sernet samba4 debian package (sernet-samba 99:4.0.9-6) on 
debian wheezy.


Regards
Thomas







Re: [Samba] samba4 adding an index to sam.ldb

2013-09-21 Thread Andrew Bartlett
On Tue, 2013-09-17 at 17:05 -0500, Bo Kersey wrote:
> Anyone have a clue as to how I set the fINDEXED attrib?   I have an 
> additional attribute in samba4 ldap that I need indexed.
> 

You need to set the additional flag fATTINDEX into searchFlags where
fATTINDEX is value 1:
#define SEARCH_FLAG_ATTINDEX 0x001

So, just add one to the existing value in the schema attribute, and you
will find it indexed.  Let me know if you have more trouble.

> > - Original Message -
> > > From: "Bo Kersey" 
> > > To: "Andrew Bartlett" 
> > > Sent: Sunday, September 15, 2013 7:53:49 AM
> > > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > > 
> > > Andrew,
> > > I'm not sure where to find that part of the schema...
> > > 
> > > This is what I find for othermailbox
> > > dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > > objectClass: top
> > > objectClass: attributeSchema
> > > cn: Other-Mailbox
> > > instanceType: 4
> > > whenCreated: 20130913000849.0Z
> > > whenChanged: 20130913000849.0Z
> > > uSNCreated: 1011
> > > attributeID: 1.2.840.113556.1.4.651
> > > attributeSyntax: 2.5.5.12
> > > isSingleValued: FALSE
> > > uSNChanged: 1011
> > > showInAdvancedViewOnly: TRUE
> > > adminDisplayName: Other-Mailbox
> > > adminDescription: Other-Mailbox
> > > oMSyntax: 64
> > > searchFlags: 0
> > > lDAPDisplayName: otherMailbox
> > > name: Other-Mailbox
> > > objectGUID: bd150920-231c-437c-a5a4-726c2c136708
> > > schemaIDGUID: 0296c123-40da-11d1-a9c0-f80367c1
> > > attributeSecurityGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
> > > systemOnly: FALSE
> > > objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,
> > > distinguishedName: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > > 
> > > And when I grep through the other objects at this level, I don't find an
> > > fINDEXED attrib or any /index/i attribs that make sense for that matter.
> > > 
> > > Thanks!
> > > Bo
> > > 
> > > 
> > > 
> > > - Original Message -
> > > > From: "Andrew Bartlett" 
> > > > To: "Bo Kersey" 
> > > > Cc: samba@lists.samba.org
> > > > Sent: Saturday, September 14, 2013 5:46:21 PM
> > > > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > > > 
> > > > On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
> > > > > I have a large installation >20k users.  We're using samba4 for AD
> > > > > Authentication, and also email address validation.  I'm trying to edit
> > > > > the
> > > > > @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up
> > > > > searches
> > > > > (0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm 
> > > > > finding
> > > > > that when I use ldbedit to do this, it appears to add the additional
> > > > > @IDXATTR.  However, when I go back and check via ldbsearch, the
> > > > > attribute
> > > > > is not there.  Seems to be failing silently...  How do I debug this?
> > > > > 
> > > > 
> > > > We override that list with a list from the fINDEXED attribute in the
> > > > schema.  Just modify that and the new index will be created.
> > > > 
> > > > I'm also keen to hear more about how you have gone with an installation
> > > > that large, as there are not many installations as large as yours, and
> > > > it will help us advise others.
> > > > 
> > > > Thanks!
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > > --
> > > > Andrew Bartlett
> > > > http://samba.org/~abartlet/
> > > > Authentication Developer, Samba Team   http://samba.org
> > > > 
> > > > 
> > > > 
> > > 
> > > --
> > > Bo Kersey
> > > VirCIO - managed network solutions
> > > 4314 Avenue C
> > > Austin, TX 78751
> > > phone: (512)374-0500
> > > 
> > > If it is free, you are the product.
> > > 
> > > 
> > 
> > --
> > Bo Kersey
> > VirCIO - managed network solutions
> > 4314 Avenue C
> > Austin, TX 78751
> > phone: (512)374-0500
> > 
> > 
> 
> -- 
> Bo Kersey 
> VirCIO - managed network solutions 
> 4314 Avenue C 
> Austin, TX 78751 
> phone: (512)374-0500 
> 

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
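
The advice in this message amounts to setting bit 1 (fATTINDEX) in the attribute's `searchFlags`. The following added example, which is not from the thread or the Samba project, parses schema entries in LDIF form and emits LDIF change records that set the bit with a bitwise OR, so an attribute that is already indexed is left alone where a literal "add one" would clear its index bit. The base DN `DC=example,DC=com` and the `exampleIndexed` and `exampleNote` attributes are constructed placeholders, because the DN quoted on the page is truncated.

```python
SEARCH_FLAG_ATTINDEX = 0x1  # fATTINDEX: bit value 1, as given in the thread

# Constructed sample of schema entries; only the fields used below are shown.
SCHEMA_LDIF = """\
# record 1
dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
 DC=example,DC=com
lDAPDisplayName: otherMailbox
searchFlags: 0

# record 2 (hypothetical attribute, already indexed)
dn: CN=Example-Indexed,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleIndexed
searchFlags: 1

# record 3 (hypothetical attribute with another flag bit set)
dn: CN=Example-Note,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleNote
searchFlags: 16
"""


def parse_ldif(text):
    """Return a list of {attribute: [values]} dicts, one per LDIF record."""
    records, current, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last is not None:
            # Folded line: continuation of the previous value.
            current[last][-1] += raw[1:]
        elif not raw.strip():
            # A blank line ends the current record.
            if current:
                records.append(current)
            current, last = {}, None
        elif raw.startswith("#"):
            continue
        else:
            name, _, value = raw.partition(":")
            # Base64 values ("attr:: ...") are kept encoded; none of the
            # fields used here need decoding.
            current.setdefault(name, []).append(value.lstrip(":").strip())
            last = name
    return records


def plan_index_changes(records, wanted):
    """Return (dn, name, old_flags, new_flags) for attributes that need the bit."""
    plan = []
    for rec in records:
        name = rec.get("lDAPDisplayName", [""])[0]
        if name not in wanted:
            continue
        old = int(rec.get("searchFlags", ["0"])[0])
        new = old | SEARCH_FLAG_ATTINDEX  # OR keeps every other flag bit intact
        if new != old:
            plan.append((rec["dn"][0], name, old, new))
    return plan


def render_ldif(plan):
    """Render the plan as LDIF modify records that replace searchFlags."""
    lines = []
    for dn, _name, _old, new in plan:
        lines += [f"dn: {dn}", "changetype: modify",
                  "replace: searchFlags", f"searchFlags: {new}", ""]
    return "\n".join(lines)


def sample_plan():
    """Plan for the constructed schema entries above."""
    wanted = {"otherMailbox", "exampleIndexed", "exampleNote"}
    return plan_index_changes(parse_ldif(SCHEMA_LDIF), wanted)


if __name__ == "__main__":
    print(render_ldif(sample_plan()))
```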




Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-20 Thread Thomas Besser

Hi Marc,

On 19.09.2013 21:07, Marc Muehlfeld wrote:
> On 19.09.2013 16:27, Thomas Besser wrote:
> > have a samba4 server as AD member (security =ADS). I have no account
> > with "Domain Admin" rights, only a normal account with delegated
> > privilege to managing GPO and for domain join.
> >
> > I can not manage the printserver resp. upload the win drivers. The
> > smb.conf option 'printer admin' is gone with v4.
>
> Have a look at the print server HowTo, I wrote:
> http://wiki.samba.org/index.php/Samba_as_a_print_server


I know that.

But "net rpc rights list accounts -Uadministrator" let me estimate, that 
there samba4 is running as AD PDC!?


So in my environment samba4 is running as "AD member", a so called user 
'Administrator' is not there.


I have a 'root' account on linux, but this user is not known in AD
(Windows 2008 R2).



Also I tried to grant the SePrintOperatorPrivilege to a normal domain
user. Got also stuck.


What went wrong?

http://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges


net rpc rights grant "DOM\admin" SePrintOperatorPrivilege -U myaccount
Enter myaccount's password:
Failed to grant privileges for DOM\admin (NT_STATUS_ACCESS_DENIED)

'myaccount' has no "Domain Admin" privileges, so the error is logically.

I also tried that command with the help of a "Domain Admin", but same 
error message.



Every time the net command wants the 'root' password, but root is
unknown in the AD environment:

net rpc group addmem "SAMBASERVER\Administrators"
Enter root's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE


 -Uadministrator ?


That account does IMO not exist, because of AD member! The same with 'root'.

Regards
Thomas



Re: [Samba] Samba4: Can't create shares outside sysvol and netlogon

2013-09-19 Thread Thomas Harold

On 9/17/2013 6:45 AM, "Th. Söldenwagner" wrote:
> Hi,
>
> I am trying to create shares for my users in our new Samba4 domain, but
> with no luck so far.

Which flavor of Linux are you trying this on?

If CentOS/RHEL, one thing I always forget to check is SELinux issues. 
Maybe you have as well?


# getenforce
- Will tell you whether SELinux is disabled, permissive or enforcing.

# setenforce permissive
- Setting it /temporarily/ to "permissive" is a useful check to see 
whether you have a SELinux issue somewhere that needs addressing.


Assuming that you have "auditd" running, try looking at:
# cat /var/log/audit/audit.log | audit2allow
Which may show you an overall view of how many exceptions you have.

In general, SELinux issues boil down to a few root causes and fixes:

#1 - There's a boolean that you need to maybe turn on.  If you dig 
through the "sealert -a UUID" messages in the system log, it does a good 
job of explaining when this might apply.


#2 - There's a file system labeling problem.  i.e. you are trying to let 
a process access things in a non-standard place and/or with a 
non-standard label.  These are fixed with "restorecon" and "semanage 
fcontext" changes.


#3 - There's no way to fix labels or booleans to allow what you need, so 
you need to create a local exception policy.  This can be done using 
"audit2allow" and "semodule -i".  You should be careful about which 
exceptions you feed to audit2allow and try to keep the resulting 
exception policy as minimal as possible.


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
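
The filtering step behind point #3 in the message above, as an added example (not code from the thread or from the SELinux tools): it keeps only the AVC denials from one source domain and merges them, so the set handed to audit2allow can be reviewed first. The sample records are constructed and the function names are hypothetical; it assumes AVC records in the usual audit.log layout.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread): two smbd denials on a
# share directory with a non-standard label, one unrelated httpd denial,
# and one SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1379412345.101:310): avc:  denied  { read } for  pid=2211 '
    'comm="smbd" name="projects" dev="dm-0" ino=131 '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1379412345.102:311): avc:  denied  { open getattr } for  pid=2211 '
    'comm="smbd" name="projects" dev="dm-0" ino=131 '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=dir',
    'type=AVC msg=audit(1379412399.500:320): avc:  denied  { name_connect } for  pid=900 '
    'comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1379412345.101:310): arch=c000003e syscall=257 '
    'success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_denial(line):
    """Return a dict describing an AVC denial, or None for any other record."""
    if not line.startswith("type=AVC"):
        return None
    match = AVC_RE.search(line)
    if match is None:
        return None
    return {
        "perms": match.group("perms").split(),
        "source": context_type(match.group("scontext")),
        "target": context_type(match.group("tcontext")),
        "tclass": match.group("tclass"),
    }


def select_denials(lines, source_type):
    """Keep only the raw AVC denial lines whose source domain is source_type."""
    selected = []
    for line in lines:
        denial = parse_denial(line)
        if denial is not None and denial["source"] == source_type:
            selected.append(line)
    return selected


def summarize(lines):
    """Merge denials into {(source, target, tclass): sorted permission list}."""
    merged = defaultdict(set)
    for line in lines:
        denial = parse_denial(line)
        if denial is not None:
            merged[(denial["source"], denial["target"], denial["tclass"])].update(
                denial["perms"]
            )
    return {key: sorted(perms) for key, perms in merged.items()}


if __name__ == "__main__":
    # Feeding the whole log to audit2allow would also cover the httpd denial.
    print("whole log:")
    for key, perms in summarize(SAMPLE_AUDIT_LOG).items():
        print("  ", key, perms)

    # Only these lines concern the Samba share; the target type shown here is
    # also the place to spot a labelling problem (point #2) before writing policy.
    smbd_only = select_denials(SAMPLE_AUDIT_LOG, "smbd_t")
    print("smbd_t only:")
    for key, perms in summarize(smbd_only).items():
        print("  ", key, perms)
```
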


Re: [Samba] Samba4 as AD member & local rights problem...

2013-09-19 Thread Marc Muehlfeld

Hello Thomas,

On 19.09.2013 16:27, Thomas Besser wrote:
> have a samba4 server as AD member (security =ADS). I have no account
> with "Domain Admin" rights, only a normal account with delegated
> privilege to managing GPO and for domain join.
>
> I can not manage the printserver resp. upload the win drivers. The
> smb.conf option 'printer admin' is gone with v4.

Have a look at the print server HowTo, I wrote:
http://wiki.samba.org/index.php/Samba_as_a_print_server

> Also I tried to grant the SePrintOperatorPrivilege to a normal domain
> user. Got also stuck.

What went wrong?

http://wiki.samba.org/index.php/Samba_as_a_print_server#Granting_print_operator_privileges

> Every time the net command wants the 'root' password, but root is
> unknown in the AD environment:
>
> net rpc group addmem "SAMBASERVER\Administrators"
> Enter root's password:
> Could not connect to server 127.0.0.1
> The username or password was not correct.
> Connection failed: NT_STATUS_LOGON_FAILURE

-Uadministrator ?





Regards,
Marc


[Samba] Samba4 as AD member & local rights problem...

2013-09-19 Thread Thomas Besser

Hi all,

have a samba4 server as AD member (security =ADS). I have no account 
with "Domain Admin" rights, only a normal account with delegated 
privilege to managing GPO and for domain join.


I can not manage the printserver resp. upload the win drivers. The 
smb.conf option 'printer admin' is gone with v4.


I asked already in irc on #samba and got the advice to "make any user 
member of the local administrators group", but got stuck how to do this.


Also I tried to grant the SePrintOperatorPrivilege to a normal domain 
user. Got also stuck.


Every time the net command wants the 'root' password, but root is 
unknown in the AD environment:


net rpc group addmem "SAMBASERVER\Administrators"
Enter root's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

Any hints what I'm doing wrong? Somebody out there who solved this 
problem with samba4?


I don't want to switch back to samba3 to get the 'printer admin' 
configuration option.


Regards
Thomas




Re: [Samba] samba4 adding an index to sam.ldb

2013-09-17 Thread Bo Kersey
Anyone have a clue as to how I set the fINDEXED attrib?   I have an additional 
attribute in samba4 ldap that I need indexed.


> - Original Message -
> > From: "Bo Kersey" 
> > To: "Andrew Bartlett" 
> > Sent: Sunday, September 15, 2013 7:53:49 AM
> > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > 
> > Andrew,
> > I'm not sure where to find that part of the schema...
> > 
> > This is what I find for othermailbox
> > dn: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > objectClass: top
> > objectClass: attributeSchema
> > cn: Other-Mailbox
> > instanceType: 4
> > whenCreated: 20130913000849.0Z
> > whenChanged: 20130913000849.0Z
> > uSNCreated: 1011
> > attributeID: 1.2.840.113556.1.4.651
> > attributeSyntax: 2.5.5.12
> > isSingleValued: FALSE
> > uSNChanged: 1011
> > showInAdvancedViewOnly: TRUE
> > adminDisplayName: Other-Mailbox
> > adminDescription: Other-Mailbox
> > oMSyntax: 64
> > searchFlags: 0
> > lDAPDisplayName: otherMailbox
> > name: Other-Mailbox
> > objectGUID: bd150920-231c-437c-a5a4-726c2c136708
> > schemaIDGUID: 0296c123-40da-11d1-a9c0-f80367c1
> > attributeSecurityGUID: e48d0154-bcf8-11d1-8702-00c04fb96050
> > systemOnly: FALSE
> > objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,
> > distinguishedName: CN=Other-Mailbox,CN=Schema,CN=Configuration,
> > 
> > And when I grep through the other objects at this level, I don't find an
> > fINDEXED attrib or any /index/i attribs that make sense for that matter.
> > 
> > Thanks!
> > Bo
> > 
> > 
> > 
> > - Original Message -
> > > From: "Andrew Bartlett" 
> > > To: "Bo Kersey" 
> > > Cc: samba@lists.samba.org
> > > Sent: Saturday, September 14, 2013 5:46:21 PM
> > > Subject: Re: [Samba] samba4 adding an index to sam.ldb
> > > 
> > > On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
> > > > I have a large installation >20k users.  We're using samba4 for AD
> > > > Authentication, and also email address validation.  I'm trying to edit
> > > > the
> > > > @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up
> > > > searches
> > > > (0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm finding
> > > > that when I use ldbedit to do this, it appears to add the additional
> > > > @IDXATTR.  However, when I go back and check via ldbsearch, the
> > > > attribute
> > > > is not there.  Seems to be failing silently...  How do I debug this?
> > > > 
> > > 
> > > We override that list with a list from the fINDEXED attribute in the
> > > schema.  Just modify that and the new index will be created.
> > > 
> > > I'm also keen to hear more about how you have gone with an installation
> > > that large, as there are not many installations as large as yours, and
> > > it will help us advise others.
> > > 
> > > Thanks!
> > > 
> > > Andrew Bartlett
> > > 
> > > --
> > > Andrew Bartlett
> > > http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team   http://samba.org
> > > 
> > > 
> > > 
> > 
> > --
> > Bo Kersey
> > VirCIO - managed network solutions
> > 4314 Avenue C
> > Austin, TX 78751
> > phone: (512)374-0500
> > 
> > If it is free, you are the product.
> > 
> > 
> 
> --
> Bo Kersey
> VirCIO - managed network solutions
> 4314 Avenue C
> Austin, TX 78751
> phone: (512)374-0500
> 
> 

-- 
Bo Kersey 
VirCIO - managed network solutions 
4314 Avenue C 
Austin, TX 78751 
phone: (512)374-0500 



[Samba] Samba4: Can't create shares outside sysvol and netlogon

2013-09-17 Thread Th. Söldenwagner

Hi,

I am trying to create shares for my users in our new Samba4 domain, but 
with no luck so far.

My current /etc/samba/smb.conf looks like this:

[global]
workgroup = ADLS
realm = ADLS.EXAMPLE.COM
netbios name = CASTOR
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbind, ntp_signd, kcc, dnsupdate

idmap_ldb:use rfc2307 = yes

[netlogon]
path = /var/lib/samba/sysvol/adls.example.com/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[homes]
path = /var/lib/samba/exchange_folder
read only = No
map acl inherit = Yes

I am connected to the server with a Win7 client, no problem to bring it 
into the new domain. I can view and browse sysvol and netlogon. I can 
create subfolders under sysvol and netlogon but clicking on my 
homes-share gives me error code 0x80070035.

I also see no security tab when right-clicking on it.

I assume bind and samba are working fine together, otherwise I shouldn't 
be able to join the domain at all, right?
Any productive hint with this is appreciated, as I read several howtos 
and tried so many configuration, all with no success.

BR
Thoralf





Re: [Samba] Samba4 AD with bind DNS / TKEY is unacceptable

2013-09-16 Thread Stefan Schäfer

Hello,

after resolving my problem (more or less), I try to migrate a W2k3 SBS. 
Here I found new but similar problems. It seems that the LDAP Structure 
for the DNS Zones of a SBS is different from w2k3 standard or enterprise.


It seems that the BIND9_DLZ  driver, samba-tool and samba_dnsupdate have 
problems with this structure. We switched the DNS to samba internal. 
After this resolving names is possible:


s4ad:~ # dig @localhost  s4ad..local

; <<>> DiG 9.9.3-P2 <<>> @localhost s4ad..local
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61943
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;s4ad..local.  IN  A

;; ANSWER SECTION:
s4ad..local. 900   IN  A   192.168.1.10

...but using samba-tool didn't work:

samba-tool dns zonelist s4ad..local
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:s4ad..local[,sign]
Ticket in credentials cache for administrator@.LOCAL expired, will refresh
Password for [administrator@.LOCAL]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 812, in run
    request_filter)

The Samba Logfile shows:

[2013/09/16 11:12:30.197554,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2013/09/16 11:12:30.197757,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
[2013/09/16 11:12:39.875479,  3] ../lib/ldb-samba/ldb_wrap.c:320(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2013/09/16 11:12:39.903960,  2] ../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone .
[2013/09/16 11:12:39.908238,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2013/09/16 11:12:39.908471,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

It seems, that samba-tool and samba_dnsupdate didn't know where to find 
the DNS Zones in the LDAP DID of the SBS LDAP-Structure.


Does anybody know this behavior or any workarounds?

Stefan


Re: [Samba] Samba4 AD with bind DNS / TKEY is unacceptable

2013-09-15 Thread Stefan Schäfer

On 14.09.2013 07:18, Thomas Harold wrote:
> On 9/12/2013 2:00 AM, Stefan Schäfer wrote:
> > Sorry my English isn't as good as it should be. ;-)
> >
> > On 12.09.2013 00:01, Patrick Gray wrote:
> > > Is your existing server SBS by any
> > > chance?
> >
> > What's the meaning of this sentence?
>
> SBS = Small Business Server
>
> - Which was always a cut-down version of the full-blown Windows Server 
> with lots of restrictions.

No,

in our tests it was a w2k3 Standard Server, but last weekend I tried to 
migrate a w2k3 sbs to samba 4.

I think that Patrick's question pointed at the differences in the LDAP 
structure for DNS zones between Standard and SBS.

With SBS it seems to be impossible to use bind with BIND9_DLZ driver as 
a nameserver. bind didn't find any DNS Records, but the samba internal 
DNS works.

With the internal DNS everything seems to work, just "samba_dnsupdate" 
didn't. It produces the same error message (dns_tkey_negotiategss: TKEY 
is unacceptable) as before in our tests.

Does anybody have any experiences with migration of w2k3 SBS to Samba4?

In my first tests I used VMs, every VM had two network interfaces, one internal for 
connection between the VMs and one bridged interface to my physical net. These tests 
resulted in the problems described above. I repeated the test with just one internal 
interface on every VM and everything worked. I think that the "double 
connection" between the VMs over the bridged network interfaces caused my problems.


Stefan



[Samba] Samba4 provides high I/O load

2013-09-14 Thread Anton Markelov
I use sernet-samba package (version 4.0.9-6) on Debian 7. Samba configured
as additional AD controller. Samba process infinitely writes something to
disk and makes high I/O load:

Total DISK READ:   0.00 B/s | Total DISK WRITE: 204.37 K/s
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND
  140 be/3 root        0.00 B/s    0.00 B/s  0.00 % 58.45 % [jbd2/vda1-8]
 4081 be/4 root        0.00 B/s  110.05 K/s  0.00 %  3.49 % samba -D

It is not logs, I think, because they are relatively small.

/etc/samba/smb.conf

# Global parameters
[global]
workgroup = DALSTRAZH
realm = dalstrazh.localnet
netbios name = SAMBA4K76
server role = active directory domain controller
server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbind, ntp_signd, kcc, dnsupdate, smb
dcerpc endpoint servers = +winreg +srvsvc
log level = 1
[netlogon]
path = /var/lib/samba/sysvol/dalstrazh.localnet/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

lsof -p 4081 - http://pastebin.com/BZVuNyA2

mount

sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,relatime,size=10240k,nr_inodes=217587,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,noexec,relatime,size=313936k,mode=755)
/dev/disk/by-uuid/b7ff5fd8-dc08-4b00-be23-6c9c91eecec5 on / type ext4 (rw,noatime,errors=remount-ro,user_xattr,commit=60,barrier=1,data=writeback)
tmpfs on /run/lock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs on /run/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=909660k)
rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw,relatime)

data=journal and data=ordered takes no effect.

On second server (with same configuration) i/o seems normal.

How to find file which causes this problem, and how to fix it?


Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-14 Thread Victor Adsuar Abaldea
Hi Rowland

We got it! With these files it is imported correctly. I'm going to comment
on some details...

- The files are in DOS format; if you open them with vim you must convert to UNIX
format (:set ff=unix)
- The attribute file can be imported in full, but the class file must be split
into different files, one per class.

I would like to know how you convert the schema files to ldif format
with oLschema2ldif, I can't get it. I want to write the steps for the Samba and
Asterisk forums. If someone wants Asterisk and Samba4 integration they will
have to do the same steps as me.

Thank you for everything, without your support I wouldn't have got it.


On 10 September 2013 12:10, Rowland Penny wrote:

>  On 10/09/13 09:07, Victor Adsuar Abaldea wrote:
>
> Sorry, here are the files
>
>
> On 10 September 2013 09:59, Victor Adsuar Abaldea wrote:
>
>> Sorry I forgot the files!
>>
>>
>>
>> On 10 September 2013 09:58, Victor Adsuar Abaldea wrote:
>>
>>> Hi Rowland,
>>>
>>>  I split schema file in two files( Attribute file and Object file) and
>>> I have replaced the name of attribute/object with his OID. I attach both.
>>> The output of oLschema2ldif for attribute file is perfect!
>>>
>>>  /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
>>> ./asterisk-atr.ldap-schema -O ./asterisk-atr-ldb.ldif
>>> Converted 68 records with 0 failures
>>>
>>>  However the object file a get the same errors. The output is:
>>>
>>>  /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
>>> ./asterisk-obj.ldap-schema -O ./asterisk-obj-ldb.ldif
>>>  No valid msg from entry

[Samba] Samba4 not able to set proc title.

2013-09-14 Thread Nathaniel Jackson
Hey guys I currently am using the samba4 archlinux package to run my home
domain, everything seems to be working
however in my error log I get samba: setproctitle not initialized, please
either call setproctitle_init() or link against libbsd-ctor.

So my question is, how do I setproctitle_init() or link against
libbsd-ctor, or more rather, how do I get samba to?


Re: [Samba] samba4 upgradeprovision

2013-09-14 Thread Andrew Bartlett
On Fri, 2013-09-13 at 16:28 -0700, Robert Watson wrote:
> I have the latest samba4 4.2 git running on centos6.4 but when I originally
> provisioned it I didn't include the --use-rfc2307 for AD posix attributes.
> I'd like to map certain AD users to unix users so should I do a samba-tool
> upgradeprovision --use-rfc2307 to add this option?

You can set the magic setting 'idmap_ldb:use rfc2307=yes' in the
smb.conf, what you won't get is the NIS server objects that allows ADUC
to display the uidNumber and gidNumber.

I've seen reference to a windows tool to turn on a NIS server, perhaps
it works remotely against Samba.  Otherwise, I asked a user on IRC to
consider plumbing in the code that adds these objects (a python
function) into a new 'samba-tool domain enablerfc2307' (or similar)
command.  I've not heard any progress yet however.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




Re: [Samba] samba4 adding an index to sam.ldb

2013-09-14 Thread Andrew Bartlett
On Sat, 2013-09-14 at 09:10 -0500, Bo Kersey wrote:
> I have a large installation >20k users.  We're using samba4 for AD 
> Authentication, and also email address validation.  I'm trying to edit the 
> @INDEXLIST in sam.ldb to add an index on otherMailbox to speed up searches 
> (0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm finding that 
> when I use ldbedit to do this, it appears to add the additional @IDXATTR.  
> However, when I go back and check via ldbsearch, the attribute is not there.  
> Seems to be failing silently...  How do I debug this?
> 

We override that list with a list from the fINDEXED attribute in the
schema.  Just modify that and the new index will be created.

I'm also keen to hear more about how you have gone with an installation
that large, as there are not many installations as large as yours, and
it will help us advise others.

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




[Samba] samba4 adding an index to sam.ldb

2013-09-14 Thread Bo Kersey
I have a large installation >20k users.  We're using samba4 for AD 
Authentication, and also email address validation.  I'm trying to edit the 
@INDEXLIST in sam.ldb to add an index on otherMailbox to speed up searches 
(0.05 sec for indexed, vs 2.5 sec for non-indexed searches) I'm finding that 
when I use ldbedit to do this, it appears to add the additional @IDXATTR.  
However, when I go back and check via ldbsearch, the attribute is not there.  
Seems to be failing silently...  How do I debug this?


ldbsearch -P -s base -b @INDEXLIST -H sam.ldb 
# record 1
dn: @INDEXLIST
@IDXONE: 1
@IDXVERSION: 2
@IDXATTR: mail
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals


ldbedit -v -P -s base -b @INDEXLIST -H sam.ldb

dn: @INDEXLIST
changetype: modify
replace: @IDXATTR
@IDXATTR: mail
@IDXATTR: otherMailbox
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
-

# 0 adds  1 modifies  0 deletes

wait for indexing to complete

Then:
ldbsearch -P -s base -b @INDEXLIST -H sam.ldb
and it takes a long long time, like it is reindexing again...
# record 1
dn: @INDEXLIST
@IDXONE: 1
@IDXVERSION: 2
@IDXATTR: mail
@IDXATTR: mSMQLabelEx
 detail removed for brevity
@IDXATTR: msSFU30IsValidContainer
distinguishedName: @INDEXLIST

# returned 1 records
# 1 entries
# 0 referrals



-- 
Bo Kersey
VirCIO - managed network solutions
4314 Avenue C
Austin, TX 78751
phone: (512)374-0500

If it is free, you are the product.


Re: [Samba] samba4 upgradeprovision

2013-09-14 Thread steve
On Fri, 2013-09-13 at 16:28 -0700, Robert Watson wrote:
> I have the latest samba4 4.2 git running on centos6.4 but when I originally
> provisioned it I didn't include the --use-rfc2307 for AD posix attributes.
> I'd like to map certain AD users to unix users so should I do a samba-tool
> upgradeprovision --use-rfc2307 to add this option?

You only need to extend the schema if you want to use ADUC. If you're
happy managing rfc2307 from the centos DC, then you're ready to go. For
the git you have, you can use the new samba-tool user add which now has
the ability to add rfc2307 attributes.

samba-tool user add --help for the syntax details.
HTH
Steve




Re: [Samba] Samba4 AD with bind DNS / TKEY is unacceptable

2013-09-13 Thread Thomas Harold

On 9/12/2013 2:00 AM, Stefan Schäfer wrote:
> Sorry my English isn't as good as it should be. ;-)
>
> On 12.09.2013 00:01, Patrick Gray wrote:
> > Is your existing server SBS by any
> > chance?
>
> What's the meaning of this sentence?

SBS = Small Business Server

- Which was always a cut-down version of the full-blown Windows Server 
with lots of restrictions.



[Samba] samba4 upgradeprovision

2013-09-13 Thread Robert Watson
I have the latest samba4 4.2 git running on centos6.4 but when I originally
provisioned it I didn't include the --use-rfc2307 for AD posix attributes.
I'd like to map certain AD users to unix users so should I do a samba-tool
upgradeprovision --use-rfc2307 to add this option?


Re: [Samba] samba4+bind9.9 will not start: samba_dlz: dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 'hostmaster.domain.de': not a valid number

2013-09-12 Thread Noël Köthe
On Thursday, 12.09.2013, at 15:56 +0100, Rowland Penny wrote:

> > 
> > 12-Sep-2013 15:43:07.495 samba_dlz: started for DN DC=domain,DC=de
> > 12-Sep-2013 15:43:07.495 samba_dlz: starting configure
> > 12-Sep-2013 15:43:07.496 dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 
> > 'hostmaster.domain.de': not a valid number
> > 12-Sep-2013 15:43:07.496 Failed to put rr
> > 12-Sep-2013 15:43:07.496 zone domain.de/NONE: has 0 SOA records
> > 12-Sep-2013 15:43:07.496 samba_dlz: Failed to configure zone 'domain.de'
> > 12-Sep-2013 15:43:07.497 samba_dlz: shutting down

> How did you provision samba 4?

with the command
# samba-tool domain provision --use-rfc2307 --dns-backend=BIND9_DLZ \
--interactive

from https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO additional the
--dns-backend


-- 
Noël Köthe 
Debian GNU/Linux, www.debian.org



Re: [Samba] samba4+bind9.9 will not start: samba_dlz: dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 'hostmaster.domain.de': not a valid number

2013-09-12 Thread Rowland Penny

On 12/09/13 15:16, Noël Köthe wrote:

Hello,

running on Debian jessie 64bit samba 4.0.8 and bind 9.9 but with the
description from https://wiki.samba.org/index.php/Dns-backend_bind I run
into the following problem:

# named -u bind -g 2>&1 |tee named.log
12-Sep-2013 15:43:07.287 starting BIND 
9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4 -u bind -g
12-Sep-2013 15:43:07.287 built with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-filter-' 
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
12-Sep-2013 15:43:07.287 
12-Sep-2013 15:43:07.287 BIND 9 is maintained by Internet Systems Consortium,
12-Sep-2013 15:43:07.287 Inc. (ISC), a non-profit 501(c)(3) public-benefit
12-Sep-2013 15:43:07.288 corporation.  Support and training for BIND 9 are
12-Sep-2013 15:43:07.288 available at https://www.isc.org/support
12-Sep-2013 15:43:07.288 
12-Sep-2013 15:43:07.288 adjusted limit on open files from 4096 to 1048576
12-Sep-2013 15:43:07.288 found 2 CPUs, using 2 worker threads
12-Sep-2013 15:43:07.288 using 2 UDP listeners per interface
12-Sep-2013 15:43:07.289 using up to 4096 sockets
12-Sep-2013 15:43:07.292 loading configuration from '/etc/bind/named.conf'
12-Sep-2013 15:43:07.292 reading built-in trusted keys from file 
'/etc/bind/bind.keys'
12-Sep-2013 15:43:07.292 using default UDP/IPv4 port range: [1024, 65535]
12-Sep-2013 15:43:07.292 using default UDP/IPv6 port range: [1024, 65535]
12-Sep-2013 15:43:07.293 listening on IPv6 interfaces, port 53
12-Sep-2013 15:43:07.295 listening on IPv4 interface lo, 127.0.0.1#53
12-Sep-2013 15:43:07.295 listening on IPv4 interface eth0, 10.1.1.138#53
12-Sep-2013 15:43:07.296 generating session key for dynamic DNS
12-Sep-2013 15:43:07.296 sizing zone task pool based on 25 zones
12-Sep-2013 15:43:07.297 Loading 'AD DNS Zone' using driver dlopen
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_spnego' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_krb5' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'schannel' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'spnego' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'ntlmssp' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'krb5' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
12-Sep-2013 15:43:07.495 samba_dlz: started for DN DC=domain,DC=de
12-Sep-2013 15:43:07.495 samba_dlz: starting configure
12-Sep-2013 15:43:07.496 dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 
'hostmaster.domain.de': not a valid number
12-Sep-2013 15:43:07.496 Failed to put rr
12-Sep-2013 15:43:07.496 zone domain.de/NONE: has 0 SOA records
12-Sep-2013 15:43:07.496 samba_dlz: Failed to configure zone 'domain.de'
12-Sep-2013 15:43:07.497 samba_dlz: shutting down
12-Sep-2013 15:43:07.497 loading configuration: bad zone
12-Sep-2013 15:43:07.497 exiting (due to fatal error)

The smb.conf is:
[global]
workgroup = domain
realm = DOMAIN.DE
netbios name = sso-test System
server services = -dns
wins support = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 10
panic action = /usr/share/samba/panic-action %d
server role = domain controller
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
pam password change = yes
map to guest = bad user

[sysvol]
   path = /var/lib/samba/sysvol
   read only = no

[netlogon]
   path = /var/lib/samba/sysvol/domain.de/scripts
   read only = no

With the internal Samba DNS enabled, it works. Kerberos things like kinit
and klist work.

Commenting out the database "dlopen ... line in private/named.conf lets the
BIND server start, but of course without the Samba zone.

Any idea what could be wrong, or how I can debug the wrong zone?

Thank you.

Regards
Noel




How did you provision samba 4?

Rowland



[Samba] samba4+bind9.9 will not start: samba_dlz: dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 'hostmaster.domain.de': not a valid number

2013-09-12 Thread Noël Köthe
Hello,

running on Debian jessie 64bit samba 4.0.8 and bind 9.9 but with the
description from https://wiki.samba.org/index.php/Dns-backend_bind I run
into the following problem:

# named -u bind -g 2>&1 |tee named.log
12-Sep-2013 15:43:07.287 starting BIND 
9.9.3-rpz2+rl.13214.22-P2-Debian-1:9.9.3.dfsg.P2-4 -u bind -g
12-Sep-2013 15:43:07.287 built with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' 
'--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' 
'--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-filter-' 
'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
12-Sep-2013 15:43:07.287 
12-Sep-2013 15:43:07.287 BIND 9 is maintained by Internet Systems Consortium,
12-Sep-2013 15:43:07.287 Inc. (ISC), a non-profit 501(c)(3) public-benefit 
12-Sep-2013 15:43:07.288 corporation.  Support and training for BIND 9 are 
12-Sep-2013 15:43:07.288 available at https://www.isc.org/support
12-Sep-2013 15:43:07.288 
12-Sep-2013 15:43:07.288 adjusted limit on open files from 4096 to 1048576
12-Sep-2013 15:43:07.288 found 2 CPUs, using 2 worker threads
12-Sep-2013 15:43:07.288 using 2 UDP listeners per interface
12-Sep-2013 15:43:07.289 using up to 4096 sockets
12-Sep-2013 15:43:07.292 loading configuration from '/etc/bind/named.conf'
12-Sep-2013 15:43:07.292 reading built-in trusted keys from file 
'/etc/bind/bind.keys'
12-Sep-2013 15:43:07.292 using default UDP/IPv4 port range: [1024, 65535]
12-Sep-2013 15:43:07.292 using default UDP/IPv6 port range: [1024, 65535]
12-Sep-2013 15:43:07.293 listening on IPv6 interfaces, port 53
12-Sep-2013 15:43:07.295 listening on IPv4 interface lo, 127.0.0.1#53
12-Sep-2013 15:43:07.295 listening on IPv4 interface eth0, 10.1.1.138#53
12-Sep-2013 15:43:07.296 generating session key for dynamic DNS
12-Sep-2013 15:43:07.296 sizing zone task pool based on 25 zones
12-Sep-2013 15:43:07.297 Loading 'AD DNS Zone' using driver dlopen
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_spnego' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_krb5' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'schannel' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'spnego' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'ntlmssp' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'krb5' registered
12-Sep-2013 15:43:07.313 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
12-Sep-2013 15:43:07.495 samba_dlz: started for DN DC=domain,DC=de
12-Sep-2013 15:43:07.495 samba_dlz: starting configure
12-Sep-2013 15:43:07.496 dns_rdata_fromtext: buffer-0x7f1c0cbcd680:1: near 
'hostmaster.domain.de': not a valid number
12-Sep-2013 15:43:07.496 Failed to put rr
12-Sep-2013 15:43:07.496 zone domain.de/NONE: has 0 SOA records
12-Sep-2013 15:43:07.496 samba_dlz: Failed to configure zone 'domain.de'
12-Sep-2013 15:43:07.497 samba_dlz: shutting down
12-Sep-2013 15:43:07.497 loading configuration: bad zone
12-Sep-2013 15:43:07.497 exiting (due to fatal error)

The smb.conf is:
[global]
   workgroup = domain
   realm = DOMAIN.DE
   netbios name = sso-test System
   server services = -dns
   wins support = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog only = no
   syslog = 10
   panic action = /usr/share/samba/panic-action %d
   server role = domain controller
   passdb backend = tdbsam
   obey pam restrictions = yes
   unix password sync = yes
   pam password change = yes
   map to guest = bad user

[sysvol]
  path = /var/lib/samba/sysvol
  read only = no

[netlogon]
  path = /var/lib/samba/sysvol/domain.de/scripts
  read only = no

With the internal Samba DNS enabled, it works. Kerberos things like kinit
and klist work.

Commenting out the database "dlopen ... line in private/named.conf lets the
BIND server start, but of course without the Samba zone.

Any idea what could be wrong, or how I can debug the wrong zone?

Thank you.

Regards
Noel

-- 
Noël Köthe 
Debian GNU/Linux, www.debian.org
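
One way to narrow down the "not a valid number" line in the log above, as an added example (not from this thread, and not Samba or BIND code): it reads SOA rdata text in RFC 1035 field order and names the field a text parser would reject, showing one way such a message can arise when a host name contains whitespace. The assumption that the DLZ driver hands BIND the SOA as one space-separated string, the function names and both sample SOA strings are mine; the smb.conf excerpt is copied from the post.

```python
"""Read SOA rdata text field by field and report what a text parser rejects.

Assumption: the SOA reaches BIND as one space-separated string in RFC 1035
order (mname rname serial refresh retry expire minimum).
"""

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
NUMERIC_FIELDS = SOA_FIELDS[2:]
UINT32_MAX = 2**32 - 1

# Constructed sample: what a well-formed SOA text would look like.
GOOD_SOA = "sso-test.domain.de hostmaster.domain.de 1 900 600 86400 3600"
# Constructed sample: the same record if the server name contained a space.
SHIFTED_SOA = "sso-test System.domain.de hostmaster.domain.de 1 900 600 86400 3600"

# Excerpt of the smb.conf posted in the message above.
SMB_CONF_EXCERPT = """\
[global]
workgroup = domain
realm = DOMAIN.DE
netbios name = sso-test System
server role = domain controller

[netlogon]
   path = /var/lib/samba/sysvol/domain.de/scripts
"""


def check_soa_text(rdata):
    """Return (fields, problems) for one SOA rdata string."""
    tokens = rdata.split()
    fields = dict(zip(SOA_FIELDS, tokens))
    problems = []
    if len(tokens) != len(SOA_FIELDS):
        problems.append(f"expected {len(SOA_FIELDS)} fields, got {len(tokens)}")
    for name in NUMERIC_FIELDS:
        value = fields.get(name)
        if value is None:
            continue
        if not (value.isascii() and value.isdigit()):
            problems.append(f"{name}: near '{value}': not a valid number")
        elif int(value) > UINT32_MAX:
            problems.append(f"{name}: {value} does not fit in 32 bits")
    return fields, problems


def whitespace_names(smb_conf, keys=("netbios name", "realm", "workgroup")):
    """Return [global] name parameters whose value contains whitespace."""
    section, found = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            if key in keys and len(value.split()) > 1:
                found[key] = value
    return found


if __name__ == "__main__":
    for label, text in (("good", GOOD_SOA), ("shifted", SHIFTED_SOA)):
        fields, problems = check_soa_text(text)
        print(label, fields, problems or "ok")
    print(whitespace_names(SMB_CONF_EXCERPT))
```

In the shifted sample every field moves one position to the right, so the token in the serial position is the hostmaster name, which is the token the log line quotes.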



Re: [Samba] Samba4 AD with bind DNS / TKEY is unacceptable

2013-09-11 Thread Stefan Schäfer

Sorry my English isn't as good as it should be. ;-)

On 12.09.2013 00:01, Patrick Gray wrote:

Is your existing server SBS by any
chance?


What's the meaning of this sentence?

Stefan


[Samba] Samba4 AD with bind DNS / TKEY is unacceptable

2013-09-11 Thread Stefan Schäfer

Hi,

I am trying to migrate an existing W2k3 AD to Samba4 with bind.

Everything works fine, but dnsupdate fails with error: 
"dns_tkey_negotiategss: TKEY is unacceptable".


I found a lot of discussions around this topic, but no solution.

Environment:

OS: SLES11 SP3 with bind 9.9.3P2
Samba packages from SerNet: sernet-samba-4.0.9-5.suse111

I checked the following points:

After joining the domain, bind starts and replication from the W2k3 PDC 
works.

Then I changed the DNS NS RRs to make the Samba server the primary DNS 
and transferred all FSMO roles to the Samba server.

In named.conf I made the following entries:

options {
...
  # Samba AD
  auth-nxdomain yes;
  empty-zones-enable no;
  tkey-gssapi-keytab "/var/lib/named/samba/private/dns.keytab";
};

...

include "/var/lib/named/samba/private/named.conf";

Both files are readable by the bind system user:

ls -l /var/lib/samba/private/
insgesamt 11696
drwxrwx--- 3 root named4096 11. Sep 18:13 dns
-rw-r- 1 root named 987 11. Sep 18:12 dns.keytab
-rw-r--r-- 1 root root 2270 11. Sep 13:41 dns_update_list
-rw-r--r-- 1 root root  544 11. Sep 18:17 named.conf
-r--r--r-- 1 root root  312 11. Sep 19:18 named.conf.update

Changing DNS RRs manually with samba-tool dns add|delete and so on works 
fine.

klist -k for the keytab file gives the following output:

Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL
   1 DNS/samba4ad.fsproductions.local@FSPRODUCTIONS.LOCAL
   1 dns-SAMBA4AD.FSPRODUCTIONS.local@FSPRODUCTIONS.LOCAL

What's wrong? Any ideas?

Stefan


Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-11 Thread Victor Adsuar Abaldea
Hi Bob,

Unfortunately yes! I'm using Freepbx, but it's a test environment. I want to
evaluate Samba4's integration capabilities; one of them was Asterisk, but
I also want to evaluate it with Cisco devices and software developed in my
company. But after I read your post I have been searching about coexistence
between Asterisk-Freepbx and LDAP; as you rightly say, it is very difficult to
sync them. I think I will have to choose: Freepbx or LDAP integration...

You are right! Asterisk and Samba4 integration has been a painful task;
thanks to support from Rowland I can do it. I'm writing a how-to that I
will send to the Samba forum. I hope it helps someone in the future.

Thank you for sharing your experience and knowledge.


On 10 September 2013 17:53, Bob Miller  wrote:

> Hi Victor,
>
> I looked at using asterisk real-time ldap with samba4 a few years ago.
> I determined that by using it, though, I would be unable to use freepbx.
> Basically it makes a situation where the extensions database needs to be
> in ldap and mysql at the same time, and I did not find a way where they
> would both be reliably in sync when something changed on one side or the
> other.
>
> So in reading this thread I find myself wondering; are you using some
> kind of web-based app like freepbx to manage your asterisk and use
> real-time ldap in asterisk at the same time?  If so, can you point me in
> the direction you took to accomplish that?  I am very interested to know
> your approach...
>
> For the record, I also tried importing the asterisk schema into ldb, and
> as I recall I ran into many of the problems you are running into now.
> Around that time I was trying to import lots of schemas (which I later
> found was mostly unnecessary), and most times the oLschema2ldif program
> wouldn't completely convert a schema, or if it did ldb wouldn't usually
> import the whole thing.  In some cases, I was able to import what did
> work using the ldb commands, and then I used active directory tools to
> add attributes manually in windows: the one thing I really remember
> about that was how tedious it was.  Not sure if that worked with the
> asterisk schema, but if all else fails, it is something you can try...
>
> --
> Computerisms
> Bob Miller
> 867-334-7117 / 867-633-3760
> http://computerisms.ca
>
>
> On Tue, 2013-09-10 at 10:07 +0200, Victor Adsuar Abaldea wrote:
> > Sorry, here are the files
> >
> >
> > On 10 September 2013 09:59, Victor Adsuar Abaldea wrote:
> >
> > > Sorry I forgot the files!
> > >
> > >
> > >
> > > On 10 September 2013 09:58, Victor Adsuar Abaldea wrote:
> > >
> > >> Hi Rowland,
> > >>
> > >> I split the schema file into two files (an attribute file and an object
> > >> file) and I have replaced the name of each attribute/object with its OID.
> > >> I attach both. The output of oLschema2ldif for the attribute file is perfect!
> > >>
> > >> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
> > >> ./asterisk-atr.ldap-schema -O ./asterisk-atr-ldb.ldif
> > >> Converted 68 records with 0 failures
> > >>
> > >> However, with the object file I get the same errors. The output is:
> > >>
> > >> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
> > >> ./asterisk-obj.ldap-schema -O ./asterisk-obj-ldb.ldif
> > >>  No valid msg from entry
> > >> [objectIdentifier AsteriskRoot 1.3.6.1.4.1.22736objectIdentifier
> > >> AsteriskLDAP AsteriskRoot:5objectIdentifier AstAttrType
> > >> AsteriskLDAP:4objectIdentifier AstContext
> AstAttrType:1objectIdentifier
> > >> AstExtension AstAttrType:2objectIdentifier AstPriority
> > >> AstAttrType:3objectIdentifier AstApplication
> AstAttrType:4objectIdentifier
> > >> AstApplicationData AstAttrType:5objectIdentifier AstAccountAMAFlags
> > >> AstAttrType:6objectIdentifier AstAccountCallerID
> > >> AstAttrType:7objectIdentifier AstAccountContext
> > >> AstAttrType:8objectIdentifier AstAccountMailbox
> > >> AstAttrType:9objectIdentifier AstMD5secret
> AstAttrType:10objectIdentifier
> > >> AstAccountDeny AstAttrType:11objectIdentifier AstAccountPermit
> > >> AstAttrType:12objectIdentifier AstAccountQualify
> > >> AstAttrType:13objectIdentifier AstAccountType
> > >> AstAttrType:14objectIdentifier AstAccountDisallowedCodec
> > >> AstAttrType:15objectIdentifier AstAccountExpirationTimestamp
> > >> AstAttrType:16objectIdentifier AstAccountRegistrationContext
> > >> AstAttrType:17objectIdentifier AstAccountRegistrationExten
> > >> AstAttrType:18objectIdentifier AstAccountNoTransfer
> > >> AstAttrType:19objectIdentifier AstAccountCallGroup
> > >> AstAttrType:20objectIdentifier AstAccountCanReinvite
> > >> AstAttrType:21objectIdentifier AstAccountDTMFMode
> > >> AstAttrType:22objectIdentifier AstAccountFromUser
> > >> AstAttrType:23objectIdentifier AstAccountFromDomain
> > >> AstAttrType:24objectIdentifier AstAccountFullContact
> > >> AstAttrType:25objectIdentifier AstAccountHost
> > >> AstAttrType:26objectIdentifier AstAccountInsecure
> > >> AstAttrType:27objectIdentifier AstAccountNAT
> AstAttrType:28objectIdentifier
> >

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-10 Thread Bob Miller
Hi Victor, 

I looked at using asterisk real-time ldap with samba4 a few years ago.
I determined that by using it, though, I would be unable to use freepbx.
Basically it makes a situation where the extensions database needs to be
in ldap and mysql at the same time, and I did not find a way where they
would both be reliably in sync when something changed on one side or the
other.

So in reading this thread I find myself wondering; are you using some
kind of web-based app like freepbx to manage your asterisk and use
real-time ldap in asterisk at the same time?  If so, can you point me in
the direction you took to accomplish that?  I am very interested to know
your approach...

For the record, I also tried importing the asterisk schema into ldb, and
as I recall I ran into many of the problems you are running into now.
Around that time I was trying to import lots of schemas (which I later
found was mostly unnecessary), and most times the oLschema2ldif program
wouldn't completely convert a schema, or if it did ldb wouldn't usually
import the whole thing.  In some cases, I was able to import what did
work using the ldb commands, and then I used active directory tools to
add attributes manually in windows: the one thing I really remember
about that was how tedious it was.  Not sure if that worked with the
asterisk schema, but if all else fails, it is something you can try...

-- 
Computerisms
Bob Miller  
867-334-7117 / 867-633-3760
http://computerisms.ca


On Tue, 2013-09-10 at 10:07 +0200, Victor Adsuar Abaldea wrote:
> Sorry, here are the files
> 
> 
> On 10 September 2013 09:59, Victor Adsuar Abaldea wrote:
> 
> > Sorry I forgot the files!
> >
> >
> >
> > On 10 September 2013 09:58, Victor Adsuar Abaldea 
> > wrote:
> >
> >> Hi Rowland,
> >>
> >> I split the schema file into two files (an attribute file and an object
> >> file) and I have replaced the name of each attribute/object with its OID.
> >> I attach both. The output of oLschema2ldif for the attribute file is perfect!
> >>
> >> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
> >> ./asterisk-atr.ldap-schema -O ./asterisk-atr-ldb.ldif
> >> Converted 68 records with 0 failures
> >>
> >> However, with the object file I get the same errors. The output is:
> >>
> >> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
> >> ./asterisk-obj.ldap-schema -O ./asterisk-obj-ldb.ldif
> >>  No valid msg from entry
> >> [objectIdentifier AsteriskRoot 1.3.6.1.4.1.22736objectIdentifier
> >> AsteriskLDAP AsteriskRoot:5objectIdentifier AstAttrType
> >> AsteriskLDAP:4objectIdentifier AstContext AstAttrType:1objectIdentifier
> >> AstExtension AstAttrType:2objectIdentifier AstPriority
> >> AstAttrType:3objectIdentifier AstApplication AstAttrType:4objectIdentifier
> >> AstApplicationData AstAttrType:5objectIdentifier AstAccountAMAFlags
> >> AstAttrType:6objectIdentifier AstAccountCallerID
> >> AstAttrType:7objectIdentifier AstAccountContext
> >> AstAttrType:8objectIdentifier AstAccountMailbox
> >> AstAttrType:9objectIdentifier AstMD5secret AstAttrType:10objectIdentifier
> >> AstAccountDeny AstAttrType:11objectIdentifier AstAccountPermit
> >> AstAttrType:12objectIdentifier AstAccountQualify
> >> AstAttrType:13objectIdentifier AstAccountType
> >> AstAttrType:14objectIdentifier AstAccountDisallowedCodec
> >> AstAttrType:15objectIdentifier AstAccountExpirationTimestamp
> >> AstAttrType:16objectIdentifier AstAccountRegistrationContext
> >> AstAttrType:17objectIdentifier AstAccountRegistrationExten
> >> AstAttrType:18objectIdentifier AstAccountNoTransfer
> >> AstAttrType:19objectIdentifier AstAccountCallGroup
> >> AstAttrType:20objectIdentifier AstAccountCanReinvite
> >> AstAttrType:21objectIdentifier AstAccountDTMFMode
> >> AstAttrType:22objectIdentifier AstAccountFromUser
> >> AstAttrType:23objectIdentifier AstAccountFromDomain
> >> AstAttrType:24objectIdentifier AstAccountFullContact
> >> AstAttrType:25objectIdentifier AstAccountHost
> >> AstAttrType:26objectIdentifier AstAccountInsecure
> >> AstAttrType:27objectIdentifier AstAccountNAT AstAttrType:28objectIdentifier
> >> AstAccountPickupGroup AstAttrType:29objectIdentifier AstAccountPort
> >> AstAttrType:30objectIdentifier AstAccountRestrictCID
> >> AstAttrType:31objectIdentifier AstAccountRTPTimeout
> >> AstAttrType:32objectIdentifier AstAccountRTPHoldTimeout
> >> AstAttrType:33objectIdentifier AstAccountRealmedPassword
> >> AstAttrType:34objectIdentifier AstAccountAllowedCodec
> >> AstAttrType:35objectIdentifier AstAccountMusicOnHold
> >> AstAttrType:36objectIdentifier AstAccountCanCallForward
> >> AstAttrType:37objectIdentifier AstAccountSecret
> >> AstAttrType:38objectIdentifier AstAccountName
> >> AstAttrType:39objectIdentifier AstConfigFilename
> >> AstAttrType:40objectIdentifier AstConfigCategory
> >> AstAttrType:41objectIdentifier AstConfigCategoryMetric
> >> AstAttrType:42objectIdentifier AstConfigVariableName
> >> AstAttrType:43objectIdentifier AstConfigVariableValue
> >> AstAttrType:44objectIdentifier AstConfigCommented

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-10 Thread Victor Adsuar Abaldea
Sorry, here are the files


On 10 September 2013 09:59, Victor Adsuar Abaldea wrote:

> Sorry I forgot the files!
>
>
>
> On 10 September 2013 09:58, Victor Adsuar Abaldea wrote:
>
>> Hi Rowland,
>>
>> I split the schema file into two files (an attribute file and an object
>> file) and I have replaced the name of each attribute/object with its OID.
>> I attach both. The output of oLschema2ldif for the attribute file is perfect!
>>
>> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
>> ./asterisk-atr.ldap-schema -O ./asterisk-atr-ldb.ldif
>> Converted 68 records with 0 failures
>>
>> However, with the object file I get the same errors. The output is:
>>
>> /usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
>> ./asterisk-obj.ldap-schema -O ./asterisk-obj-ldb.ldif
>>  No valid msg from entry
>> [objectIdentifier AsteriskRoot 1.3.6.1.4.1.22736objectIdentifier
>> AsteriskLDAP AsteriskRoot:5objectIdentifier AstAttrType
>> AsteriskLDAP:4objectIdentifier AstContext AstAttrType:1objectIdentifier
>> AstExtension AstAttrType:2objectIdentifier AstPriority
>> AstAttrType:3objectIdentifier AstApplication AstAttrType:4objectIdentifier
>> AstApplicationData AstAttrType:5objectIdentifier AstAccountAMAFlags
>> AstAttrType:6objectIdentifier AstAccountCallerID
>> AstAttrType:7objectIdentifier AstAccountContext
>> AstAttrType:8objectIdentifier AstAccountMailbox
>> AstAttrType:9objectIdentifier AstMD5secret AstAttrType:10objectIdentifier
>> AstAccountDeny AstAttrType:11objectIdentifier AstAccountPermit
>> AstAttrType:12objectIdentifier AstAccountQualify
>> AstAttrType:13objectIdentifier AstAccountType
>> AstAttrType:14objectIdentifier AstAccountDisallowedCodec
>> AstAttrType:15objectIdentifier AstAccountExpirationTimestamp
>> AstAttrType:16objectIdentifier AstAccountRegistrationContext
>> AstAttrType:17objectIdentifier AstAccountRegistrationExten
>> AstAttrType:18objectIdentifier AstAccountNoTransfer
>> AstAttrType:19objectIdentifier AstAccountCallGroup
>> AstAttrType:20objectIdentifier AstAccountCanReinvite
>> AstAttrType:21objectIdentifier AstAccountDTMFMode
>> AstAttrType:22objectIdentifier AstAccountFromUser
>> AstAttrType:23objectIdentifier AstAccountFromDomain
>> AstAttrType:24objectIdentifier AstAccountFullContact
>> AstAttrType:25objectIdentifier AstAccountHost
>> AstAttrType:26objectIdentifier AstAccountInsecure
>> AstAttrType:27objectIdentifier AstAccountNAT AstAttrType:28objectIdentifier
>> AstAccountPickupGroup AstAttrType:29objectIdentifier AstAccountPort
>> AstAttrType:30objectIdentifier AstAccountRestrictCID
>> AstAttrType:31objectIdentifier AstAccountRTPTimeout
>> AstAttrType:32objectIdentifier AstAccountRTPHoldTimeout
>> AstAttrType:33objectIdentifier AstAccountRealmedPassword
>> AstAttrType:34objectIdentifier AstAccountAllowedCodec
>> AstAttrType:35objectIdentifier AstAccountMusicOnHold
>> AstAttrType:36objectIdentifier AstAccountCanCallForward
>> AstAttrType:37objectIdentifier AstAccountSecret
>> AstAttrType:38objectIdentifier AstAccountName
>> AstAttrType:39objectIdentifier AstConfigFilename
>> AstAttrType:40objectIdentifier AstConfigCategory
>> AstAttrType:41objectIdentifier AstConfigCategoryMetric
>> AstAttrType:42objectIdentifier AstConfigVariableName
>> AstAttrType:43objectIdentifier AstConfigVariableValue
>> AstAttrType:44objectIdentifier AstConfigCommented
>> AstAttrType:45objectIdentifier AstAccountIPAddress
>> AstAttrType:46objectIdentifier AstAccountDefaultUser
>> AstAttrType:47objectIdentifier AstAccountRegistrationServer
>> AstAttrType:48objectIdentifier AstAccountLastQualifyMilliseconds
>> AstAttrType:49objectIdentifier AstAccountCallLimit
>> AstAttrType:50objectIdentifier AstVoicemailMailbox
>> AstAttrType:51objectIdentifier AstVoicemailPassword
>> AstAttrType:52objectIdentifier AstVoicemailFullname
>> AstAttrType:53objectIdentifier AstVoicemailEmail
>> AstAttrType:54objectIdentifier AstVoicemailPager
>> AstAttrType:55objectIdentifier AstVoicemailOptions
>> AstAttrType:56objectIdentifier AstVoicemailTimestamp
>> AstAttrType:57objectIdentifier AstVoicemailContext
>> AstAttrType:58objectIdentifier AstAccountSubscribeContext
>> AstAttrType:59objectIdentifier AstAccountUserAgent
>> AstAttrType:61objectIdentifier AstAccountLanguage
>> AstAttrType:62objectIdentifier AstAccountTransport
>> AstAttrType:63objectIdentifier AstAccountPromiscRedir
>> AstAttrType:64objectIdentifier AstAccountAccountCode
>> AstAttrType:65objectIdentifier AstAccountSetVar
>> AstAttrType:66objectIdentifier AstAccountAllowOverlap
>> AstAttrType:67objectIdentifier AstAccountVideoSupport
>> AstAttrType:68objectIdentifier AstAccountIgnoreSDPVersion
>> AstAttrType:69objectIdentifier AstObjectClass
>> AsteriskLDAP:2objectIdentifier AsteriskExtension
>> AstObjectClass:1objectIdentifier AsteriskIAXUser
>> AstObjectClass:2objectIdentifier AsteriskSIPUser
>> AstObjectClass:3objectIdentifier AsteriskConfig
>> AstObjectClass:4objectIdentifier AsteriskVoiceMail
>> AstObjectClass:5objectIdentifier AsteriskDialplan
>> AstObjectClass:6objectIdentifier 

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-10 Thread Victor Adsuar Abaldea
Hi Rowland,

I split the schema file into two files (an attribute file and an object
file) and I have replaced the name of each attribute/object with its OID.
I attach both. The output of oLschema2ldif for the attribute file is perfect!

/usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
./asterisk-atr.ldap-schema -O ./asterisk-atr-ldb.ldif
Converted 68 records with 0 failures

However, with the object file I get the same errors. The output is:

/usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
./asterisk-obj.ldap-schema -O ./asterisk-obj-ldb.ldif
No valid msg from entry
[objectIdentifier AsteriskRoot 1.3.6.1.4.1.22736objectIdentifier
AsteriskLDAP AsteriskRoot:5objectIdentifier AstAttrType
AsteriskLDAP:4objectIdentifier AstContext AstAttrType:1objectIdentifier
AstExtension AstAttrType:2objectIdentifier AstPriority
AstAttrType:3objectIdentifier AstApplication AstAttrType:4objectIdentifier
AstApplicationData AstAttrType:5objectIdentifier AstAccountAMAFlags
AstAttrType:6objectIdentifier AstAccountCallerID
AstAttrType:7objectIdentifier AstAccountContext
AstAttrType:8objectIdentifier AstAccountMailbox
AstAttrType:9objectIdentifier AstMD5secret AstAttrType:10objectIdentifier
AstAccountDeny AstAttrType:11objectIdentifier AstAccountPermit
AstAttrType:12objectIdentifier AstAccountQualify
AstAttrType:13objectIdentifier AstAccountType
AstAttrType:14objectIdentifier AstAccountDisallowedCodec
AstAttrType:15objectIdentifier AstAccountExpirationTimestamp
AstAttrType:16objectIdentifier AstAccountRegistrationContext
AstAttrType:17objectIdentifier AstAccountRegistrationExten
AstAttrType:18objectIdentifier AstAccountNoTransfer
AstAttrType:19objectIdentifier AstAccountCallGroup
AstAttrType:20objectIdentifier AstAccountCanReinvite
AstAttrType:21objectIdentifier AstAccountDTMFMode
AstAttrType:22objectIdentifier AstAccountFromUser
AstAttrType:23objectIdentifier AstAccountFromDomain
AstAttrType:24objectIdentifier AstAccountFullContact
AstAttrType:25objectIdentifier AstAccountHost
AstAttrType:26objectIdentifier AstAccountInsecure
AstAttrType:27objectIdentifier AstAccountNAT AstAttrType:28objectIdentifier
AstAccountPickupGroup AstAttrType:29objectIdentifier AstAccountPort
AstAttrType:30objectIdentifier AstAccountRestrictCID
AstAttrType:31objectIdentifier AstAccountRTPTimeout
AstAttrType:32objectIdentifier AstAccountRTPHoldTimeout
AstAttrType:33objectIdentifier AstAccountRealmedPassword
AstAttrType:34objectIdentifier AstAccountAllowedCodec
AstAttrType:35objectIdentifier AstAccountMusicOnHold
AstAttrType:36objectIdentifier AstAccountCanCallForward
AstAttrType:37objectIdentifier AstAccountSecret
AstAttrType:38objectIdentifier AstAccountName
AstAttrType:39objectIdentifier AstConfigFilename
AstAttrType:40objectIdentifier AstConfigCategory
AstAttrType:41objectIdentifier AstConfigCategoryMetric
AstAttrType:42objectIdentifier AstConfigVariableName
AstAttrType:43objectIdentifier AstConfigVariableValue
AstAttrType:44objectIdentifier AstConfigCommented
AstAttrType:45objectIdentifier AstAccountIPAddress
AstAttrType:46objectIdentifier AstAccountDefaultUser
AstAttrType:47objectIdentifier AstAccountRegistrationServer
AstAttrType:48objectIdentifier AstAccountLastQualifyMilliseconds
AstAttrType:49objectIdentifier AstAccountCallLimit
AstAttrType:50objectIdentifier AstVoicemailMailbox
AstAttrType:51objectIdentifier AstVoicemailPassword
AstAttrType:52objectIdentifier AstVoicemailFullname
AstAttrType:53objectIdentifier AstVoicemailEmail
AstAttrType:54objectIdentifier AstVoicemailPager
AstAttrType:55objectIdentifier AstVoicemailOptions
AstAttrType:56objectIdentifier AstVoicemailTimestamp
AstAttrType:57objectIdentifier AstVoicemailContext
AstAttrType:58objectIdentifier AstAccountSubscribeContext
AstAttrType:59objectIdentifier AstAccountUserAgent
AstAttrType:61objectIdentifier AstAccountLanguage
AstAttrType:62objectIdentifier AstAccountTransport
AstAttrType:63objectIdentifier AstAccountPromiscRedir
AstAttrType:64objectIdentifier AstAccountAccountCode
AstAttrType:65objectIdentifier AstAccountSetVar
AstAttrType:66objectIdentifier AstAccountAllowOverlap
AstAttrType:67objectIdentifier AstAccountVideoSupport
AstAttrType:68objectIdentifier AstAccountIgnoreSDPVersion
AstAttrType:69objectIdentifier AstObjectClass
AsteriskLDAP:2objectIdentifier AsteriskExtension
AstObjectClass:1objectIdentifier AsteriskIAXUser
AstObjectClass:2objectIdentifier AsteriskSIPUser
AstObjectClass:3objectIdentifier AsteriskConfig
AstObjectClass:4objectIdentifier AsteriskVoiceMail
AstObjectClass:5objectIdentifier AsteriskDialplan
AstObjectClass:6objectIdentifier AsteriskAccount
AstObjectClass:7objectIdentifier AsteriskMailbox
AstObjectClass:8objectclass ( 1.3.6.1.4.1.22736.5.5.1NAME
'AsteriskExtension'DESC 'PBX Extension Information for Asterisk'SUP
top AUXILIARYMUST cnMAY ( AstContext $ AstExtension
$ AstPriority $AstApplication $ AstApplicationData
   ) )]
 at line 102
No valid msg from entry
[objectClass ( 1.3.6.1.4.1.22736.5.5.6 NAM

Re: [Samba] Samba4 automount schema: convert from flat files to LDAP

2013-09-10 Thread steve
On Mon, 2013-09-09 at 15:00 +0200, steve wrote:
> Hi
> I think I've managed to get the automount classes into the schema:
> 
>  ldbsearch
> --url=/usr/local/samba/private/sam.ldb.d/"CN=SCHEMA,CN=CONFIGURATION,DC=HH3,DC=SITE.ldb"
>  | grep "dn: CN=automount"
> dn: CN=automountKey,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
> dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site
> 
> 1. Samba fires up fine. Does that look about right?
> 2. I now have to convert the following files to LDAP syntax:
> /etc/auto.master
> /home/users /etc/auto.users
> and:
> /etc/auto.users
> * -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&
> 
> There's so much unreadable stuff out there. Do we have anything
> followable for this? Can anyone point me in the right direction?
> 
> Cheers,
> Steve
> 
> 
Hi again
Really struggling with this. I've translated the flat files to this:

dn: automountmapname=auto.master,dc=hh3,dc=site
automountMapName: auto.master
objectClass: automountMap
objectClass: top
instanceType: 4

dn: automountKey=/home/users,automountmapname=auto.master,dc=hh3,dc=site
automountInformation: auto.users
automountKey: /home/users
objectClass: top
objectClass: automount

dn: automountmapname=auto.users,dc=hh3,dc=site
automountMapName: auto.users
objectClass: automountMap
objectClass: top

dn: automountKey=*,automountmapname=auto.users,dc=hh3,dc=site
automountInformation: -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&
automountKey: *
objectClass: top
objectClass: automount

It will not accept the automountMapName attribute when trying to add it
with ldbadd.

However, in this post:
https://lists.samba.org/archive/samba/2013-January/170907.html
it seems I'm not allowed to have either the automountMapName or
automountKey attributes.

How do I do this without those attributes?

There's a wiki item here:
https://wiki.samba.org/index.php/Samba4/Schema_extenstions
which I used to extend the schema. It doesn't work as it stands but at
least I seem to have got the stuff into AD now.

Is there anyone who has managed to:
1. Extend the schema to include automounter maps?
2. Construct automount maps in AD?

Any help most grateful.
Thanks,
Steve
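
The flat-file-to-LDIF conversion described in the message above, as an added example that is not code from the thread or from Samba: it parses auto.master and the maps it names and emits entries in the same DN layout as the hand-written LDIF, escaping DN values (RFC 4514) and base64-encoding unsafe LDIF values (RFC 2849). The function names are hypothetical, and the output does not settle whether the AD schema accepts automountMapName or automountKey as naming attributes, which is the open question in the post.

```python
import base64
import posixpath

BASE_DN = "dc=hh3,dc=site"  # base DN used in the post

# Sample input: the two flat files as quoted in the post.
AUTO_MASTER = "/home/users /etc/auto.users\n"
AUTO_USERS = "* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&\n"


def parse_map(text):
    """Yield (key, information) pairs from an autofs flat-file map."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):  # trailing backslash continues the entry
            pending += line[:-1].strip() + " "
            continue
        fields = (pending + line).split(None, 1)
        pending = ""
        if len(fields) == 2:  # skips "+include" lines, which carry no value
            yield fields[0], fields[1]


def escape_rdn(value):
    """Escape a string for use as an RDN value (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;' or (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def ldif_attr(name, value):
    """Format one LDIF line, switching to base64 when RFC 2849 requires it."""
    safe = (
        value.isascii()
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
        and not any(c in value for c in "\r\n\0")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def entry(dn, object_class, attrs):
    """Build one LDIF entry as text."""
    lines = [ldif_attr("dn", dn), "objectClass: top", f"objectClass: {object_class}"]
    lines += [ldif_attr(name, value) for name, value in attrs]
    return "\n".join(lines)


def map_entries(map_name, pairs):
    """LDIF entries for one map: the automountMap container, then its keys."""
    map_dn = f"automountMapName={escape_rdn(map_name)},{BASE_DN}"
    out = [entry(map_dn, "automountMap", [("automountMapName", map_name)])]
    for key, info in pairs:
        key_dn = f"automountKey={escape_rdn(key)},{map_dn}"
        out.append(entry(key_dn, "automount",
                         [("automountKey", key), ("automountInformation", info)]))
    return out


def convert(master_text, map_files):
    """map_files maps each path named in auto.master to that file's text."""
    master_pairs, children, seen = [], [], set()
    for mount_point, info in parse_map(master_text):
        target, *options = info.split()
        name = posixpath.basename(target)  # /etc/auto.users -> auto.users
        master_pairs.append((mount_point, " ".join([name, *options])))
        if target in map_files and name not in seen:
            seen.add(name)
            children += map_entries(name, parse_map(map_files[target]))
    # Parents are emitted before children so an in-order add never lacks a parent.
    return "\n\n".join(map_entries("auto.master", master_pairs) + children) + "\n"


if __name__ == "__main__":
    print(convert(AUTO_MASTER, {"/etc/auto.users": AUTO_USERS}), end="")
```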




Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Rowland Penny

On 09/09/13 14:06, Victor Adsuar Abaldea wrote:

Hi Rowland!!

1) First I want to apologise. I was confused, I'm sorry! From now on I
will refer to you by your first name ;-)
2) Now when I use the schema file I get only 4 new errors, so I think
I'm on the right track... I attach the Asterisk LDAP schema file and paste
the oLschema2ldif output. I also tried splitting the file, but I always
get these 4 errors in the object file.


Thank you so much!! I think I'm the first person trying to integrate
Asterisk with Samba4, because I can't find anything about this topic.


/usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I 
./asterisk.ldap-schema -O ./asterisk-ldb.ldif

No valid msg from entry

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Victor Adsuar Abaldea
Hi Rowland!!

1) First I want to apologise. I was confused, I'm sorry! From now on I
will refer to you by your first name ;-)
2) Now when I use the schema file I get only 4 new errors, so I think I'm on
the right track... I attach the Asterisk LDAP schema file and paste the
oLschema2ldif output. I also tried splitting the file, but I always get these 4
errors in the object file.

Thank you so much!! I think I'm the first person trying to integrate Asterisk
with Samba4, because I can't find anything about this topic.

/usr/local/samba/bin/oLschema2ldif -b "DC=XXX,DC=LOCAL" -I
./asterisk.ldap-schema -O ./asterisk-ldb.ldif
No valid msg from entry

[Samba] Samba4 automount schema: convert from flat files to LDAP

2013-09-09 Thread steve
Hi
I think I've managed to get the automount classes into the schema:

 ldbsearch
--url=/usr/local/samba/private/sam.ldb.d/"CN=SCHEMA,CN=CONFIGURATION,DC=HH3,DC=SITE.ldb"
 | grep "dn: CN=automount"
dn: CN=automountKey,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automount,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountInformation,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountMapName,CN=Schema,CN=Configuration,DC=hh3,DC=site
dn: CN=automountMap,CN=Schema,CN=Configuration,DC=hh3,DC=site

1. Samba fires up fine. Does that look about right?
2. I now have to convert the following files to LDAP syntax:
/etc/auto.master
/home/users /etc/auto.users
and:
/etc/auto.users
* -fstype=cifs,sec=krb5,username=cifsuser,multiuser ://altea/users/&

There's so much unreadable stuff out there. Do we have anything
followable for this? Can anyone point me in the right direction?

Cheers,
Steve




Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Rowland Penny

On 09/09/13 12:23, Victor Adsuar Abaldea wrote:

Hi Penny,

Oh!!! I didn't notice the ldif format can be translated to ldb. Even
when I try to convert with oLschema2ldif I get errors.


I attach two files, one with the errors and the ldif file.

Thank you so much for your support!


On 9 September 2013 12:03, Rowland Penny wrote:


On 09/09/13 10:12, Victor Adsuar Abaldea wrote:

Hi Penny,

Thank you for the response, but I'm not able to import the Asterisk ldif
into Samba 4. I split the files into asterisk_attr.ldif and
asterisk_obj.ldif but still get the same error. I've been
searching for an answer to this topic and sincerely  and ldap syntax
have been changed to Microsoft world. I think the new Samba4 is a
closed project, Samba has jumped to Active Directory and now
integration with other services is a utopia; it's a pity because
the new version is a great step backwards.

I post opinions about this topic.
http://lifecs.likai.org/2013_06_01_archive.html

In the Asterisk forum no one answered me, and I can't find anyone with a
response on how to modify the schema. In this post
https://lists.samba.org/archive/samba/2013-January/170901.html you can
see an example and you will see the changes. oMSyntax is a
Microsoft variable!
http://technet.microsoft.com/en-us/library/cc961740.aspx

Samba 4 is not compatible with OpenLDAP ldif files. Maybe I'm
wrong and someone can open my mind...

Thanks!




On 6 September 2013 14:24, Rowland Penny wrote:

On 06/09/13 11:04, Victor Adsuar Abaldea wrote:

Hi,

I am going crazy. I am trying to integrate Asterisk 11.5.1
into Samba4 LDAP,
but when I import the ldif file from the contrib directory I
get this error.

ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
--option="dsdb:schema update allowed"=true
ERR: (No such object) "objectclass: Cannot add
cn=asterisk,cn=schema,cn=config, parent does not exist!"
on DN
cn=asterisk,cn=schema,cn=config at block before line 835
Modify failed after processing 0 records

LDAP and Asterisk are on different boxes. Please can
someone help me?

Thank you in advance!

Hi, split the ldif in two, one containing the attributes, the
other the objectclasses, add the attributes one first, then
the objectclasses.

Rowland





Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Victor Adsuar Abaldea
Hi Penny,

Oh!!! I didn't notice the ldif format can be translated to ldb. Even when I
try to convert with oLschema2ldif I get errors.

I attach two files, one with the errors and the ldif file.

Thank you so much for your support!


On 9 September 2013 12:03, Rowland Penny wrote:

>  On 09/09/13 10:12, Victor Adsuar Abaldea wrote:
>
> Hi Penny,
>
>  Thank you for the response, but I'm not able to import the Asterisk ldif into
> Samba 4. I split the files into asterisk_attr.ldif and asterisk_obj.ldif but
> still get the same error. I've been searching for an answer to this topic and
> sincerely  and ldap syntax have been changed to Microsoft world. I think
> the new Samba4 is a closed project, Samba has jumped to Active Directory
> and now integration with other services is a utopia; it's a pity
> because the new version is a great step backwards.
>
>  I post opinions about this topic.
> http://lifecs.likai.org/2013_06_01_archive.html
>
>  In the Asterisk forum no one answered me, and I can't find anyone with a
> response on how to modify the schema. In this post
> https://lists.samba.org/archive/samba/2013-January/170901.html you can
> see an example and you will see the changes. oMSyntax is a Microsoft
> variable! http://technet.microsoft.com/en-us/library/cc961740.aspx
>
>  Samba 4 is not compatible with OpenLDAP ldif files. Maybe I'm wrong
> and someone can open my mind...
>
>  Thanks!
>
>
>
>
> On 6 September 2013 14:24, Rowland Penny wrote:
>
>> On 06/09/13 11:04, Victor Adsuar Abaldea wrote:
>>
>>>  Hi,
>>>
>>> I am going crazy. I am trying to integrate Asterisk 11.5.1 into Samba4 LDAP,
>>> but when I import the ldif file from the contrib directory I get this error.
>>>
>>> ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
>>> --option="dsdb:schema update allowed"=true
>>> ERR: (No such object) "objectclass: Cannot add
>>> cn=asterisk,cn=schema,cn=config, parent does not exist!" on DN
>>> cn=asterisk,cn=schema,cn=config at block before line 835
>>> Modify failed after processing 0 records
>>>
>>> LDAP and Asterisk are on different boxes. Please can someone help me?
>>>
>>> Thank you in advance!
>>>
>> Hi, split the ldif in two, one containing the attributes, the other the
>> objectclasses, add the attributes one first, then the objectclasses.
>>
>> Rowland
>>
>>
>
>
> OOPS, I missed that you are trying to use an LDAP ldif, this will not
> work, you need the Asterisk schema and 

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Rowland Penny

On 09/09/13 10:12, Victor Adsuar Abaldea wrote:

Hi Penny,

Thank you for the response, but I'm not able to import the Asterisk ldif into
Samba 4. I split the files into asterisk_attr.ldif and asterisk_obj.ldif
but still get the same error. I've been searching for an answer to this topic
and sincerely  and ldap syntax have been changed to Microsoft world. I
think the new Samba4 is a closed project, Samba has jumped to Active
Directory and now integration with other services is a utopia;
it's a pity because the new version is a great step backwards.


I post opinions about this topic.
http://lifecs.likai.org/2013_06_01_archive.html

In the Asterisk forum no one answered me, and I can't find anyone with a
response on how to modify the schema. In this post
https://lists.samba.org/archive/samba/2013-January/170901.html you can
see an example and you will see the changes. oMSyntax is a Microsoft
variable! http://technet.microsoft.com/en-us/library/cc961740.aspx


Samba 4 is not compatible with OpenLDAP ldif files. Maybe I'm wrong
and someone can open my mind...


Thanks!




On 6 September 2013 14:24, Rowland Penny wrote:


On 06/09/13 11:04, Victor Adsuar Abaldea wrote:

Hi,

I am going crazy. I am trying to integrate Asterisk 11.5.1 into
Samba4 LDAP,
but when I import the ldif file from the contrib directory I get
this error.

ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
--option="dsdb:schema update allowed"=true
ERR: (No such object) "objectclass: Cannot add
cn=asterisk,cn=schema,cn=config, parent does not exist!" on DN
cn=asterisk,cn=schema,cn=config at block before line 835
Modify failed after processing 0 records

LDAP and Asterisk are on different boxes. Please can someone
help me?

Thank you in advance!

Hi, split the ldif in two, one containing the attributes, the
other the objectclasses, add the attributes one first, then the
objectclasses.

Rowland




OOPS, I missed that you are trying to use an LDAP ldif, this will not 
work, you need the Asterisk schema and then run it through oLsche

Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-09 Thread Victor Adsuar Abaldea
Hi Penny,

Thank you for the response, but I'm not able to import the Asterisk ldif into
Samba 4. I split the files into asterisk_attr.ldif and asterisk_obj.ldif but
still get the same error. I've been searching for an answer to this topic and
sincerely  and ldap syntax have been changed to Microsoft world. I think the new
Samba4 is a closed project, Samba has jumped to Active Directory and now
integration with other services is a utopia; it's a pity because the
new version is a great step backwards.

I post opinions about this topic.
http://lifecs.likai.org/2013_06_01_archive.html

In the Asterisk forum no one answered me, and I can't find anyone with a response
on how to modify the schema. In this post
https://lists.samba.org/archive/samba/2013-January/170901.html you can see
an example and you will see the changes. oMSyntax is a Microsoft variable!
http://technet.microsoft.com/en-us/library/cc961740.aspx

Samba 4 is not compatible with OpenLDAP ldif files. Maybe I'm wrong and
someone can open my mind...

Thanks!




On 6 September 2013 14:24, Rowland Penny wrote:

> On 06/09/13 11:04, Victor Adsuar Abaldea wrote:
>
>> Hi,
>>
>> I am going crazy. I am trying to integrate Asterisk 11.5.1 into Samba4 LDAP,
>> but when I import the ldif file from the contrib directory I get this error.
>>
>> ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
>> --option="dsdb:schema update allowed"=true
>> ERR: (No such object) "objectclass: Cannot add
>> cn=asterisk,cn=schema,cn=config, parent does not exist!" on DN
>> cn=asterisk,cn=schema,cn=config at block before line 835
>> Modify failed after processing 0 records
>>
>> LDAP and Asterisk are on different boxes. Please can someone help me?
>>
>> Thank you in advance!
>>
> Hi, split the ldif in two, one containing the attributes, the other the
> objectclasses, add the attributes one first, then the objectclasses.
>
> Rowland
>
>




[Samba] Samba4 python errors in /var/log/messages

2013-09-08 Thread George Itee
Hello,

I've set up a test environment with Samba 4.0.9 as AD DC and noticed these
messages in */var/log/messages* and *log.samba*


Sep  8 19:36:09 samba samba[15867]: [2013/09/08 19:36:09.840914,  0]
../source4/dsdb/kcc/kcc_periodic.c:664(kccsrv_samba_kcc)
Sep  8 19:36:09 samba samba[15867]:   Calling samba_kcc script
Sep  8 19:36:10 samba abrt: detected unhandled Python exception in
'/usr/local/samba/sbin/samba_kcc'
Sep  8 19:36:10 samba abrtd: New client connected
Sep  8 19:36:10 samba abrtd: Directory 'pyhook-2013-09-08-19:36:10-15875'
creation detected
Sep  8 19:36:10 samba abrt-server[15878]: Saved Python crash dump of pid
15875 to /var/spool/abrt/pyhook-2013-09-08-19:36:10-15875
Sep  8 19:36:10 samba samba[15867]: [2013/09/08 19:36:10.114975,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Sep  8 19:36:10 samba samba[15867]:   /usr/local/samba/sbin/samba_kcc:
close failed in file object destructor:
Sep  8 19:36:10 samba samba[15867]: [2013/09/08 19:36:10.115305,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Sep  8 19:36:10 samba samba[15867]:   /usr/local/samba/sbin/samba_kcc:
IOError: [Errno 10] No child processes
Sep  8 19:36:10 samba samba[15867]: [2013/09/08 19:36:10.125229,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Sep  8 19:36:10 samba samba[15867]:   /usr/local/samba/sbin/samba_kcc:
close failed in file object destructor:
Sep  8 19:36:10 samba samba[15867]: [2013/09/08 19:36:10.125329,  0]
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
Sep  8 19:36:10 samba samba[15867]:   /usr/local/samba/sbin/samba_kcc:
IOError: [Errno 10] No child processes
Sep  8 19:36:10 samba abrtd: Executable '/usr/local/samba/sbin/samba_kcc'
doesn't belong to any package
Sep  8 19:36:10 samba abrtd: 'post-create' on '/var/spool/abrt/pyhook-
2013-09-08-19:36:10-15875' exited with 1
Sep  8 19:36:10 samba abrtd: Corrupted or bad directory
'/var/spool/abrt/pyhook-2013-09-08-19:36:10-15875', deleting



This is a clean installation, the DNS is samba's internal pointing to
google 8.8.8.8. There is only 1 client, windows 7 with RSAT tools that
accesses the server.

This error pops up *precisely* *every 5 minutes*. I did not encounter this
with Samba 4.0.7. It does not seem to affect the server in any way so far,
but I am curious what it means and why every 5 minutes.

Any ideas ?

Thanks,

George
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba4 LDAP Integration with Asterisk

2013-09-06 Thread Rowland Penny

On 06/09/13 11:04, Victor Adsuar Abaldea wrote:

Hi,

I am turning crazy. I try to integrate Asterisk 11.5.1 into Samba4 LDAP,
but when I import the ldif file from contrib directory I get this error.

ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
--option="dsdb:schema update allowed"=true
ERR: (No such object) "objectclass: Cannot add
cn=asterisk,cn=schema,cn=config, parent does not exist!" on DN
cn=asterisk,cn=schema,cn=config at block before line 835
Modify failed after processing 0 records

LDAP and Asterisk are in different boxes. Please can someone help me?

Thank you in advance!

  *Victor Adsuar*
*Departamento de Sistemas*
*Teralco Tecnologías Informáticas*
vads...@teralco.com
www.teralco.com

Hi, split the ldif in two, one containing the attributes, the other the 
objectclasses, add the attributes one first, then the objectclasses.


Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
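The split suggested in the reply above, as an added example that is not part of the original post or of Samba. It assumes the schema LDIF is already in Active Directory form, where each record carries `objectClass: attributeSchema` or `objectClass: classSchema`; the sample records, names and OIDs are constructed.

```python
"""Split a schema LDIF into attribute records and class records so the
attributes can be loaded first (added example; names are hypothetical)."""

# Constructed sample: the class is listed before the attributes it uses,
# which is the ordering that fails when loaded in one pass.
SCHEMA_LDIF = """\
# constructed sample schema extension
dn: CN=exampleAstAccount,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.99999.2.1
mayContain: exampleAstContext
mayContain: exampleAstExtension

dn: CN=exampleAstContext,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
attributeSyntax: 2.5.5.12

dn: CN=exampleAstExtension,CN=Schema,CN=Configura
 tion,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.2
attributeSyntax: 2.5.5.12
"""


def parse_records(ldif_text):
    """Return a list of records; each record is a list of unfolded lines."""
    records, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):          # LDIF comment line
            continue
        if not raw.strip():              # blank line ends the current record
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]       # folded line: join to the previous one
            continue
        current.append(raw)
    if current:
        records.append(current)
    return records


def record_kind(record):
    """Classify a record as 'attribute', 'class' or 'other' by objectClass."""
    for line in record:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "objectclass":
            value = value.strip().lower()
            if value == "attributeschema":
                return "attribute"
            if value == "classschema":
                return "class"
    return "other"


def render(records):
    """Serialise records back to LDIF text, one blank line between records."""
    if not records:
        return ""
    return "\n\n".join("\n".join(r) for r in records) + "\n"


def split_schema_ldif(ldif_text):
    """Return (attributes_ldif, classes_ldif, other_records)."""
    buckets = {"attribute": [], "class": [], "other": []}
    for record in parse_records(ldif_text):
        buckets[record_kind(record)].append(record)
    return render(buckets["attribute"]), render(buckets["class"]), buckets["other"]


if __name__ == "__main__":
    attrs, classes, other = split_schema_ldif(SCHEMA_LDIF)
    print("# load first: attributes\n" + attrs)
    print("# load second: object classes\n" + classes)
    if other:
        print("# %d record(s) were neither attribute nor class" % len(other))
```

Records that are neither kind are returned separately so they can be reviewed by hand before anything is written to the directory.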


[Samba] Samba4 LDAP Integration with Asterisk

2013-09-06 Thread Victor Adsuar Abaldea
Hi,

I am turning crazy. I try to integrate Asterisk 11.5.1 into Samba4 LDAP,
but when I import the ldif file from contrib directory I get this error.

ldbmodify -H /usr/local/samba/private/sam.ldb asterisk.ldif
--option="dsdb:schema update allowed"=true
ERR: (No such object) "objectclass: Cannot add
cn=asterisk,cn=schema,cn=config, parent does not exist!" on DN
cn=asterisk,cn=schema,cn=config at block before line 835
Modify failed after processing 0 records

LDAP and Asterisk are in different boxes. Please can someone help me?

Thank you in advance!

 *Victor Adsuar*
*Departamento de Sistemas*
*Teralco Tecnologías Informáticas*
vads...@teralco.com
www.teralco.com



Re: [Samba] Samba4/Windows DNS replication and administration issue

2013-09-06 Thread steve
On Thu, 2013-09-05 at 20:39 -0700, Pete Storkey wrote:

> 
> I have tried manually recreating dns.keytab:
> 
> # samba-tool domain exportkeytab --principal=DNS/server.domain.com 
> /var/lib/samba/private/dns.keytab
> # samba-tool domain exportkeytab --principal=DNS/windowsserver.domain.com 
> /var/lib/samba/private/dns.keytab
> 

That syntax seems wrong.
# samba-tool domain exportkeytab /path/to/dns.keytab
--principal=server1.your.domain
 

> The contents of dns.keytab are as follows:
> 
> # ktutil
> ktutil:  read_kt /var/lib/samba/private/dns.keytab
> ktutil:  list
> slot KVNO Principal
>   
> -
>   11  DNS/server.domain@domain.com
>   21  DNS/server.domain@domain.com
>   31  DNS/server.domain@domain.com
>   4   31 DNS/windowsserver.domain@domain.com
>   5   31 DNS/windowsserver.domain@domain.com
>   6   31 DNS/windowsserver.domain@domain.com
>   7   31 DNS/windowsserver.domain@domain.com
> 
> The problem persists after recreating dns.keytab and restarting Samba and 
> Bind daemons.
> 
> Is this the correct way to generate the dns.keytab? Is there anything I'm 
> missing?

Maybe you didn't recreate the keytab? Look for the timestamp:
klist -kte /path/to/dns.keytab

The only difference I can see with our keytab is that we have:
DNS/fqdn@REALM
and
short-hostname@REALM

Maybe this isn't a keytab issue?
HTH
Steve




Re: [Samba] Samba4/Windows DNS replication and administration issue

2013-09-05 Thread Pete Storkey
It looks as though I have a bad key in my dns.keytab. I see the following 
messages in /var/named/data/named.run:

process_gsstkey(): dns_tsigerror_badkey

If I manually trigger replication from the Linux/samba server, I see denied 
messages for dynamic dns updates coming from the windows server in 
/var/log/messages:

# samba-tool drs replicate server.domain.com windowsserver.domain.com 
dc=domain,dc=com

named[24467]: samba_dlz: starting transaction on zone _msdcs.domain.com
named[24467]: client 192.168.0.2#62937: update '_msdcs.domain.com/IN' denied
named[24467]: samba_dlz: cancelling transaction on zone _msdcs.domain.com

If I manually trigger replication from the Windows server via Active Directory 
Sites and Services, I get an error dialog about DomainDnsZones.domain.com 
naming context in the process of being removed or is not replicated from the 
specified server.

named.conf has the following line:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

I have tried manually recreating dns.keytab:

# samba-tool domain exportkeytab --principal=DNS/server.domain.com 
/var/lib/samba/private/dns.keytab
# samba-tool domain exportkeytab --principal=DNS/windowsserver.domain.com 
/var/lib/samba/private/dns.keytab

The contents of dns.keytab are as follows:

# ktutil
ktutil:  read_kt /var/lib/samba/private/dns.keytab
ktutil:  list
slot KVNO Principal
  -
  11  DNS/server.domain@domain.com
  21  DNS/server.domain@domain.com
  31  DNS/server.domain@domain.com
  4   31 DNS/windowsserver.domain@domain.com
  5   31 DNS/windowsserver.domain@domain.com
  6   31 DNS/windowsserver.domain@domain.com
  7   31 DNS/windowsserver.domain@domain.com

The problem persists after recreating dns.keytab and restarting Samba and Bind 
daemons.

Is this the correct way to generate the dns.keytab? Is there anything I'm 
missing?

Thanks,

Pete

On Sep 1, 2013, at 4:14 PM, Pete Storkey  wrote:

> 
> Hi all,
> 
> I am having trouble with DNS replication between a Linux/Samba 4.0.9 box and 
> Windows Server 2012 domain controller, as well as administering the Linux DNS 
> from the Windows DNS Manager snap-in.
> 
> First a little background. I am trying to integrate a Samba 4.0.9 server as a 
> domain controller in an existing Windows Active Directory domain. The domain 
> and forest are at Windows 2008R2 functional level with a single domain 
> controller which was upgraded from Windows Server 2008 R2 to Windows Server 
> 2012.
> 
> I am running CentOS 6.4 x64, patched to current levels. I downloaded  and 
> installed the Sernet binaries for Samba 4.0.9 but ran into problems joining 
> the domain. It failed with the following error:
> 
> ERROR: no subClassOf 'top' for 'samDomain'
> I found a bug report for this error at 
> https://bugzilla.samba.org/show_bug.cgi?id=8680 and rebuilt the Sernet RPMs 
> with the patches implemented. This time I was able to successfully join the 
> domain. Replication seems to be working but I do get a warning from 
> samba-tool drs showrepl:
> 
>  KCC CONNECTION OBJECTS 
> 
> Connection --
>   Connection name: 3c20a62a-ad94-40ef-b346-ba8b15f829f8
>   Enabled: TRUE
>   Server DNS name : server.example.com
>   Server DN name  : CN=NTDS 
> Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>   TransportType: RPC
>   options: 0x0001
> Warning: No NC replicated for Connection!
> 
> The inbound and outbound neighbors all appear to be ok.
> 
> I started out with internal DNS but when I was unable to get it working 
> correctly, I switched to bind (Centos package 
> bind-9.8.2-0.17.rc1.el6_4.6.x86_64). 
> 
> The problem is that when I try to administer DNS through the Windows DNS 
> Manager snap-in, my forward domain fails to load, with an error indicating 
> zone data may be corrupt (it opens fine on the Windows DNS server). 
> Additionally, my reverse zone does not appear to have replicated to the Linux 
> server. 
> 
> When I click on the forward zone in DNS Manager, I see the following in 
> /var/log/messages:
> 
> smbd[24043]: [2013/09/01 15:30:21.091035,  0] 
> ../source3/rpc_server/svcctl/srv_svcctl_nt.c:326(_svcctl_OpenServiceW)
> smbd[24043]:   _svcctl_OpenServiceW: Failed to get a valid security 
> descriptorfree_pipe_context: destroying talloc pool of size 275
> samba[19596]: [2013/09/01 15:30:25.505483,  0] 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1068(dnsserver_query_zone)
> samba[19596]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid 
> zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: 
> Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
> type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
> Unhandled DNS record type=49ndr_push_error(2): Bad switch value 49 at 
> default/librpc/

[Samba] Samba4/Windows DNS replication and administration issue

2013-09-02 Thread Peter Storkey

Hi all,

I am having trouble with DNS replication between a Linux/Samba 4.0.9 box and 
Windows Server 2012 domain controller, as well as administering the Linux DNS 
from the Windows DNS Manager snap-in.

First a little background. I am trying to integrate a Samba 4.0.9 server as a 
domain controller in an existing Windows Active Directory domain. The domain 
and forest are at Windows 2008R2 functional level with a single domain 
controller which was upgraded from Windows Server 2008 R2 to Windows Server 
2012.

I am running CentOS 6.4 x64, patched to current levels. I downloaded  and 
installed the Sernet binaries for Samba 4.0.9 but ran into problems joining the 
domain. It failed with the following error:

ERROR: no subClassOf 'top' for 'samDomain'
I found a bug report for this error at 
https://bugzilla.samba.org/show_bug.cgi?id=8680 and rebuilt the Sernet RPMs 
with the patches implemented. This time I was able to successfully join the 
domain. Replication seems to be working but I do get a warning from samba-tool 
drs showrepl:

 KCC CONNECTION OBJECTS 

Connection --
Connection name: 3c20a62a-ad94-40ef-b346-ba8b15f829f8
Enabled: TRUE
Server DNS name : server.example.com
Server DN name  : CN=NTDS 
Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
TransportType: RPC
options: 0x0001
Warning: No NC replicated for Connection!

The inbound and outbound neighbors all appear to be ok.

I started out with internal DNS but when I was unable to get it working 
correctly, I switched to bind (Centos package 
bind-9.8.2-0.17.rc1.el6_4.6.x86_64). 

The problem is that when I try to administer DNS through the Windows DNS 
Manager snap-in, my forward domain fails to load, with an error indicating zone 
data may be corrupt (it opens fine on the Windows DNS server). Additionally, my 
reverse zone does not appear to have replicated to the Linux server. 

When I click on the forward zone in DNS Manager, I see the following in 
/var/log/messages:

smbd[24043]: [2013/09/01 15:30:21.091035,  0] 
../source3/rpc_server/svcctl/srv_svcctl_nt.c:326(_svcctl_OpenServiceW)
smbd[24043]:   _svcctl_OpenServiceW: Failed to get a valid security 
descriptorfree_pipe_context: destroying talloc pool of size 275
samba[19596]: [2013/09/01 15:30:25.505483,  0] 
../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1068(dnsserver_query_zone)
samba[19596]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid 
zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: 
Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found Unhandled 
DNS record type=49ndr_push_error(2): Bad switch value 49 at 
default/librpc/gen_ndr/ndr_dnsserver.c:544
samba[19596]: [2013/09/01 15:30:26.272723,  0] 
../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
samba[19596]:   dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad 
switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544

Querying DNS via nslookup/dig/host works fine but querying through samba-tool 
gives an error:

# samba-tool dns query server.domain.com domain.com @ ALL
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:server.example.com[,sign]
ERROR(runtime): uncaught exception - (-1073545204, 
'NT_STATUS_RPC_BAD_STUB_DATA')
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, 
in _run
return self.run(*args, **kwargs)
  File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 974, in 
run
None, record_type, select_flags, None, None)

and I see the following in /var/log/messages:

samba[19596]: [2013/09/01 15:31:55.207112,  0] 
../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
samba[19596]:   dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad 
switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544

Any help would be much appreciated.

Thanks,

Pete


Re: [Samba] Samba4 consumes more CPU

2013-09-02 Thread Andrew Bartlett
On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
> Dear Andrew,
> 
> As per your suggestion, I have attached the gdb log of the samba and smbd
> process log running in the single server mode.
> Also when I noted in the perf top, libndr.so consumes the maximum cpu.
> I noticed that it happens soon after sometime the samba process is started
> and the CPU is filled up.
> Since the samba process occupies 100% of at least two or more CPUs out of 8
> CPUs, the clients are not able to get authenticated to the server.
> Kindly go through the logs and suggest what can be done to lessen the CPU
> consumption.

Digging into the libndr issue some more:

Sadly I can't use the perf.data without your full build tree, so I'm
going to need you to do some more digging on this side of things. 

Can you show me what exact code in libndr is spinning?  (That is, dig
into the perf screen)

Then, can you re-run it under 

'perf record -g -p '?

And then show me the output of perf report -g, expanding the first
function call stacks to find out what is the eventual high-level caller
of the spinning routine.  This may give us the critical clues we need.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




Re: [Samba] Samba4 consumes more CPU

2013-08-31 Thread Prema
Dear Andrew,

As per your suggestion, I have attached the gdb log of the samba and smbd
process log running in the single server mode.
Also when I noted in the perf top, libndr.so consumes the maximum cpu.
I noticed that it happens soon after sometime the samba process is started
and the CPU is filled up.
Since the samba process occupies 100% of at least two or more CPUs out of 8
CPUs, the clients are not able to get authenticated to the server.
Kindly go through the logs and suggest what can be done to lessen the CPU
consumption.



On Mon, Aug 12, 2013 at 11:45 AM, Andrew Bartlett wrote:

> On Sun, 2013-08-11 at 10:12 +0530, Prema wrote:
> >
> > Also one more point  I would like to clarify., what is the maximum
> > User limit that Samba4 as a DC supports.
> >
> > I read somewhere that , there is a proportion between the system RAM +
> > hard disk size and user limit accepted in Samba4.
> >
> > Is that true., and in that case, how many users can be supported by a
> > 8 GB RAM and 500 GB hard disk size.
> >
> >
> > Kindly clarify this, since we have around 6k+ users spread over 20
> > DCs.
>
> G'Day,
>
> There are a few things going on here:
>  - The CPU utilisation isn't normal, for any use case.  If you were
> loading your system up to the maximum number of objects, for example, it
> would be slower, but as incoming authentication drop off, it would
> decrease back to normal levels.   To track down this, we need to work
> out what routine is consuming the CPU time, say with the linux 'perf'
> tools.  At the very least, attach to the process spinning with 'gdb -p
> ' and get me the output of 'bt full', in the hope that this
> indicates the spinning routine.
>
>  - Samba does have limits in terms of the number of users it can
> currently efficiently serve, but that isn't at the 6000 user level, as
> far as we are aware
>
> Also you need to set your expectations regarding when I might be able to
> assist you:
>  - Please send all mail, unless confidential to the
> samba@lists.samba.org mailing list.  That way, others can help you.
> You may send it to me if you like, but ensure you always also send it to
> the list.  This also means that others can learn from any answers I
> give, rather than them staying private, and others can help you when I'm
> not available.
>  - While I work on Samba, and I'm very grateful to my employers for the
> time I'm able to spend on it, but you need to give us all a reasonable
> time to reply, understanding that we may not work the same hours and
> days that you do.  For example, I'll be on leave most of this coming
> week.
>
> Finally, a crash in Samba, and this is essentially what you describe, is
> serious, and I certainly understand your worry.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
> Samba Developer, Catalyst IT   http://catalyst.net.nz
>
>
>


-- 
Regards.,
Prema S
CDAC
Chennai

Re: [Samba] samba4 active directory users qouta on their homes share

2013-08-30 Thread joel valenzuela
anyone?




 From: joel valenzuela 
To: "samba@lists.samba.org"  
Sent: Friday, August 30, 2013 2:45 PM
Subject: samba4 active directory users qouta on their homes share
 


Hi.


I've successfully set up a samba4 active directory and want to limit AD users on 
their disk quota on their respective home folder via RSAT but cannot find any 
tutorial on the net about it. Can anyone post me Howto links for this or any 
info that I should read about it. Thanks!


Joel


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
I give up.
Configured the server as Secondary Domain Controller.
Now it works.


2013/8/29 steve 

> On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:
>
>>
>> >
>> > But if I run:
>> > id test
>> > id MYNET\test
>> > id MYNET\\test
>> > id t...@mynet.net 
>>
>> >
>> >
>> > I get "No such ser"
>> >
>>
>>
> That should be:
> id test
> not:
> id MYNET\\test
>
>
>


-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve

On 29/08/13 20:29, Carlos Alberto Borges Garcia wrote:


>
> But if I run:
> id test
> id MYNET\test
> id MYNET\\test
> id t...@mynet.net 
>
>
> I get "No such ser"
>



That should be:
id test
not:
id MYNET\\test




Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 15:29 -0300, Carlos Alberto Borges Garcia wrote:
> Still not working :(

Turn off nscd? Give up? Use nslcd or sssd instead?
Can't think of anything else:(




Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Still not working :(


2013/8/29 steve 

> On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
> > Still not working:
> >
> >
> > I created a test user:
> >
> >
> >
> >
> > dn: CN=test,CN=Users,DC=mynet,DC=net
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > cn: test
> > givenName: test
> > instanceType: 4
> > whenCreated: 20130827212151.0Z
> > displayName: test
> > uSNCreated: 45308
> > name: teste
> > objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
> > badPwdCount: 0
> > codePage: 0
> > countryCode: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > primaryGroupID: 513
> > objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
> > accountExpires: 9223372036854775807
> > logonCount: 0
> > sAMAccountName: test
> > sAMAccountType: 805306368
> > userPrincipalName: t...@mynet.net
> > objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
> > pwdLastSet: 13022112112000
> > url: uidNumber
> > userAccountControl: 512
> > msDS-SupportedEncryptionTypes: 0
> > gidNumber: 12345
> > uidNumber: 1234567
> > whenChanged: 20130829175016.0Z
> > uSNChanged: 47069
> > distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
> >
> >
> >
> >
> > But if I run:
> > id test
> > id MYNET\test
> > id MYNET\\test
> > id t...@mynet.net
> >
> >
> > I get "No such ser"
> >
>
> Change:
> uidNumber: 3000100
> gidNumber: 80513
>
> and in smb.conf:
> idmap config MYNET:range = 80001-310
>
>
>
>
>
>


-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 14:59 -0300, Carlos Alberto Borges Garcia wrote:
> Still not working:
> 
> 
> I created a test user:
> 
> 
> 
> 
> dn: CN=test,CN=Users,DC=mynet,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: test
> givenName: test
> instanceType: 4
> whenCreated: 20130827212151.0Z
> displayName: test
> uSNCreated: 45308
> name: teste
> objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> primaryGroupID: 513
> objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: test
> sAMAccountType: 805306368
> userPrincipalName: t...@mynet.net
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
> pwdLastSet: 13022112112000
> url: uidNumber
> userAccountControl: 512
> msDS-SupportedEncryptionTypes: 0
> gidNumber: 12345
> uidNumber: 1234567
> whenChanged: 20130829175016.0Z
> uSNChanged: 47069
> distinguishedName: CN=test,CN=Users,DC=mynet,DC=net
> 
> 
> 
> 
> But if I run:
> id test
> id MYNET\test
> id MYNET\\test
> id t...@mynet.net
> 
> 
> I get "No such ser"
> 

Change:
uidNumber: 3000100
gidNumber: 80513

and in smb.conf:
idmap config MYNET:range = 80001-310







Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Still not working:

I created a test user:


dn: CN=test,CN=Users,DC=mynet,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: test
givenName: test
instanceType: 4
whenCreated: 20130827212151.0Z
displayName: test
uSNCreated: 45308
name: teste
objectGUID: fee0d4a4-fd48-48ac-abb3-ce6fb180b10d
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-3124563532-696977291-52706181-1501131
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: t...@mynet.net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mynet,DC=net
pwdLastSet: 13022112112000
url: uidNumber
userAccountControl: 512
msDS-SupportedEncryptionTypes: 0
gidNumber: 12345
uidNumber: 1234567
whenChanged: 20130829175016.0Z
uSNChanged: 47069
distinguishedName: CN=test,CN=Users,DC=mynet,DC=net


But if I run:
id test
id MYNET\test
id MYNET\\test
id t...@mynet.net

I get "No such ser"


2013/8/29 steve 

> On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
> > Hi,
> >
> >
> > Where can I enter these values in AD?
> >
>
> Hi
> If you have a recent version of Samba4, you can add them when you create
> new users:
>
> samba-tool user add --help
> will give the options.
>
> If you already have the users, just edit their entries e.g.:
>
> ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
> Add a minimum of:
> uidNumber: 1234567
> gidNumber: 12345
>
> Your winbind will then pull this information from AD when needed.
>
> You can get sensible values for uidNumber from idmap e.g.:
> wbinfo -i carlos
>
> HTH
> Steve
>
>
>
>


-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 19:46 +0200, steve wrote:

> You can get sensible values for uidNumber from idmap e.g.:
> wbinfo -i carlos

** Don't forget to change:
idmap config MYNET:range = 500-4
to include your new values. Something like:
300-310



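An added illustration of the range advice in the message above (not code from the thread or from the Samba project): with the "ad" idmap backend, winbind ignores any uidNumber or gidNumber that falls outside "idmap config MYNET:range". The sketch checks the attributes from the AD entry quoted in this thread against a constructed smb.conf fragment; the range numbers are assumed, because the archive cuts the real ones short, and the overlap check goes beyond what the thread discusses.

```python
import re

# Constructed smb.conf fragment. The ranges shown in the thread are cut short
# by the archive, so these numbers are assumed values for illustration only.
SMB_CONF = """\
[global]
   workgroup = MYNET
   idmap config *:backend = tdb
   idmap config *:range = 70001-80000
   idmap config MYNET:backend = ad
   idmap config MYNET:schema_mode = rfc2307
   idmap config MYNET:range = 500-40000
"""

# Attributes taken from the AD entry quoted in the thread.
USER_LDIF = """\
dn: CN=test,CN=Users,DC=mynet,DC=net
sAMAccountName: test
gidNumber: 12345
uidNumber: 1234567
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def ldif_ids(ldif_text):
    """Return the uidNumber/gidNumber attributes present in an LDIF entry."""
    ids = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name in ("uidNumber", "gidNumber"):
            ids[name] = int(value.strip())
    return ids

def check(conf_text, ldif_text, domain):
    """List the reasons a member server would not map this AD entry."""
    ranges = idmap_ranges(conf_text)
    key = domain.upper()
    if key not in ranges:
        return [f"no 'idmap config {domain}:range' line"]
    low, high = ranges[key]
    ids = ldif_ids(ldif_text)
    problems = []
    for attr in ("uidNumber", "gidNumber"):
        if attr not in ids:
            problems.append(f"{attr} missing from the AD entry")
        elif not low <= ids[attr] <= high:
            problems.append(f"{attr} {ids[attr]} outside {domain} range {low}-{high}")
    # Widening a range to fit new values can make it collide with another one.
    for other, (olow, ohigh) in ranges.items():
        if other != key and olow <= high and low <= ohigh:
            problems.append(f"{domain} range overlaps '{other}' range {olow}-{ohigh}")
    return problems

if __name__ == "__main__":
    for problem in check(SMB_CONF, USER_LDIF, "MYNET") or ["ok"]:
        print(problem)
```
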


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 14:21 -0300, Carlos Alberto Borges Garcia wrote:
> Hi,
> 
> 
> Where can I enter these values in AD?
> 

Hi
If you have a recent version of Samba4, you can add them when you create
new users:

samba-tool user add --help
will give the options.

If you already have the users, just edit their entries e.g.:

ldbedit --url=/usr/local/samba/private/sam.ldb cn=carlos
Add a minimum of:
uidNumber: 1234567
gidNumber: 12345

Your winbind will then pull this information from AD when needed.

You can get sensible values for uidNumber from idmap e.g.:
wbinfo -i carlos

HTH
Steve





Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread Carlos Alberto Borges Garcia
Hi,

Where can I enter these values in AD?


2013/8/29 steve 

> On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
> > On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> > > Hi,
> > >
> > > I have one Samba4 server running as Active Directory Domain Controller.
> > > It's working like a charm.
> > >
> > > So I needed to add another server to be a Member Server (File Server).
> > >
> > > The server is running samba-4.0.9.
> > >
> > > Configured and compiled ok:
> > >
> > > ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> > > --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> > > --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> > > --with-shared-modules=idmap_ad,pam
> > >
> > > Installed ok.
> > >
> > > Kerberos OK.
> > > I can run kinit and klist
> > >
> > > root@MYNETSRV08:/etc/samba# kinit Administrator
> > > Password for administra...@mynet.net:
> > > root@MYSRV08:/etc/samba#
> > >
> > > root@MYNETSRV08:/etc/samba# klist
> > > Ticket cache: FILE:/tmp/krb5cc_0
> > > Default principal: administra...@mynet.net
> > >
> > > Valid starting     Expires            Service principal
> > > 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
> > > renew until 29/08/2013 19:59
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > My SMB.CONF is below:
> > >
> > > [global]
> > >
> > >    workgroup = MYNET
> > >    security = ADS
> > >    realm = MYNET.NET
> > >    encrypt passwords = yes
> > >
> > >    idmap config *:backend = tdb
> > >    idmap config *:range = 70001-8
> > >    idmap config MYNET:backend = ad
> > >    idmap config MYNET:schema_mode = rfc2307
> > >
> > >    idmap config MYNET:range = 500-4
> > >
> > >    winbind nss info = rfc2307
> > >    winbind trusted domains only = no
> > >    winbind use default domain = yes
> > >    winbind enum users  = yes
> > >    winbind enum groups = yes
> > >
> > > [test]
> > >    path = /mnt/files
> > >    read only = no
> > >
> > >
> > >
> > > I can add my server to domain:
> > >
> > > root@PCOSRV08:/etc/samba# net ads join -U administrator
> > > Enter administrator's password:
> > > Using short domain name -- MYNET
> > > Joined 'MYNETSRV08' to dns domain 'mynet.net'
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > libnss_winbind.so is in the right place:
> > >
> > > root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> > > /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
> > >
> > > The libs are loaded fine:
> > >
> > > root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> > > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > > libnss_compat.so.2 -> libnss_compat-2.13.so
> > > libnss_dns.so.2 -> libnss_dns-2.13.so
> > > libnss_ldap.so.2 -> libnss_ldap.so.2
> > > libnss_nis.so.2 -> libnss_nis-2.13.so
> > > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > > libnss_files.so.2 -> libnss_files-2.13.so
> > > libnss_wins.so -> libnss_wins.so.2
> > > libnss_winbind.so -> libnss_winbind.so.2
> > > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > > libnss_compat.so.2 -> libnss_compat-2.13.so
> > > libnss_dns.so.2 -> libnss_dns-2.13.so
> > > libnss_nis.so.2 -> libnss_nis-2.13.so
> > > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > > libnss_files.so.2 -> libnss_files-2.13.so
> > > root@MYNETSRV08:/etc/samba#
> > >
> > > I added winbind to my nsswitch.conf
> > >
> > > passwd: compat winbind
> > > group:  compat winbind
> > >
> > > I can start the daemon without issues:
> > >
> > > smbd
> > > nmbd
> > > winbindd
> > >
> > > "wbinfo -u" lists all my domain users
> > >
> > > "wbinfo -g" lists all my domain groups
> > >
> > >
> > > Here are the problems:
> > >
> > > When I run "getent passwd", it lists only the local users.
> >
> > For performance reasons, by default we do not list users in the AD
> > domain.  See winbind enum users in your smb.conf
>
> His smb.conf above shows that the OP has those lines for both users and
> groups.
> >
> > > When I run "id Administrator", it returns "No such user".
> >
> > You need to use 'id MYNET\\administrator'
> >
> smb.conf has: winbind use default domain = Yes
> Do we still need MYNET\\?
>
> Do your users have entries for:
> uidNumber
> and
> gidNumber
> in AD?
>
> Cheers
> Steve
>
>
>



-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "


Re: [Samba] Samba4 Member Server not working

2013-08-29 Thread steve
On Thu, 2013-08-29 at 11:14 +1200, Andrew Bartlett wrote:
> On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> > Hi,
> > 
> > I have one Samba4 server running as Active Directory Domain Controller.
> > It's working like a charm.
> > 
> > So I needed to add another server to be a Member Server (File Server).
> > 
> > The server is running samba-4.0.9.
> > 
> > Configured and compiled ok:
> > 
> > ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> > --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> > --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> > --with-shared-modules=idmap_ad,pam
> > 
> > Installed ok.
> > 
> > Kerberos OK.
> > I can run kinit and klist
> > 
> > root@MYNETSRV08:/etc/samba# kinit Administrator
> > Password for administra...@mynet.net:
> > root@MYSRV08:/etc/samba#
> > 
> > root@MYNETSRV08:/etc/samba# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: administra...@mynet.net
> > 
> > Valid starting     Expires            Service principal
> > 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
> > renew until 29/08/2013 19:59
> > root@MYNETSRV08:/etc/samba#
> > 
> > My SMB.CONF is below:
> > 
> > [global]
> > 
> >    workgroup = MYNET
> >    security = ADS
> >    realm = MYNET.NET
> >    encrypt passwords = yes
> >
> >    idmap config *:backend = tdb
> >    idmap config *:range = 70001-8
> >    idmap config MYNET:backend = ad
> >    idmap config MYNET:schema_mode = rfc2307
> >
> >    idmap config MYNET:range = 500-4
> >
> >    winbind nss info = rfc2307
> >    winbind trusted domains only = no
> >    winbind use default domain = yes
> >    winbind enum users  = yes
> >    winbind enum groups = yes
> >
> > [test]
> >    path = /mnt/files
> >    read only = no
> > 
> > 
> > 
> > I can add my server to domain:
> > 
> > root@PCOSRV08:/etc/samba# net ads join -U administrator
> > Enter administrator's password:
> > Using short domain name -- MYNET
> > Joined 'MYNETSRV08' to dns domain 'mynet.net'
> > root@MYNETSRV08:/etc/samba#
> > 
> > libnss_winbind.so is in the right place:
> > 
> > root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> > /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
> > 
> > The libs are loaded fine:
> > 
> > root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > libnss_compat.so.2 -> libnss_compat-2.13.so
> > libnss_dns.so.2 -> libnss_dns-2.13.so
> > libnss_ldap.so.2 -> libnss_ldap.so.2
> > libnss_nis.so.2 -> libnss_nis-2.13.so
> > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > libnss_files.so.2 -> libnss_files-2.13.so
> > libnss_wins.so -> libnss_wins.so.2
> > libnss_winbind.so -> libnss_winbind.so.2
> > libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> > libnss_compat.so.2 -> libnss_compat-2.13.so
> > libnss_dns.so.2 -> libnss_dns-2.13.so
> > libnss_nis.so.2 -> libnss_nis-2.13.so
> > libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> > libnss_files.so.2 -> libnss_files-2.13.so
> > root@MYNETSRV08:/etc/samba#
> > 
> > I added winbind to my nsswitch.conf
> > 
> > passwd: compat winbind
> > group:  compat winbind
> > 
> > I can start the daemon without issues:
> > 
> > smbd
> > nmbd
> > winbindd
> > 
> > "wbinfo -u" lists all my domain users
> >
> > "wbinfo -g" lists all my domain groups
> >
> >
> > Here are the problems:
> > 
> > When I run "getent passwd", it lists only the local users.
> 
> For performance reasons, by default we do not list users in the AD
> domain.  See winbind enum users in your smb.conf

His smb.conf above shows that the OP has those lines for both users and
groups.
> 
> > When I run "id Administrator", it returns "No such user".
> 
> You need to use 'id MYNET\\administrator'
> 
smb.conf has: winbind use default domain = Yes
Do we still need MYNET\\?

Do your users have entries for:
uidNumber
and
gidNumber
in AD?

Cheers
Steve




Re: [Samba] Samba4 Member Server not working

2013-08-28 Thread Andrew Bartlett
On Wed, 2013-08-28 at 20:11 -0300, Carlos Alberto Borges Garcia wrote:
> Hi,
> 
> I have one Samba4 server running as Active Directory Domain Controller.
> It's working like a charm.
> 
> So I needed to add another server to be a Member Server (File Server).
> 
> The server is running samba-4.0.9.
> 
> Configured and compiled ok:
> 
> ./configure --prefix=/usr/local/samba --sysconfdir=/etc
> --localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
> --sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
> --with-shared-modules=idmap_ad,pam
> 
> Installed ok.
> 
> Kerberos OK.
> I can run kinit and klist
> 
> root@MYNETSRV08:/etc/samba# kinit Administrator
> Password for administra...@mynet.net:
> root@MYSRV08:/etc/samba#
> 
> root@MYNETSRV08:/etc/samba# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@mynet.net
> 
> Valid starting     Expires            Service principal
> 28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
> renew until 29/08/2013 19:59
> root@MYNETSRV08:/etc/samba#
> 
> My SMB.CONF is below:
> 
> [global]
> 
>    workgroup = MYNET
>    security = ADS
>    realm = MYNET.NET
>    encrypt passwords = yes
>
>    idmap config *:backend = tdb
>    idmap config *:range = 70001-8
>    idmap config MYNET:backend = ad
>    idmap config MYNET:schema_mode = rfc2307
>
>    idmap config MYNET:range = 500-4
>
>    winbind nss info = rfc2307
>    winbind trusted domains only = no
>    winbind use default domain = yes
>    winbind enum users  = yes
>    winbind enum groups = yes
>
> [test]
>    path = /mnt/files
>    read only = no
> 
> 
> 
> I can add my server to domain:
> 
> root@PCOSRV08:/etc/samba# net ads join -U administrator
> Enter administrator's password:
> Using short domain name -- MYNET
> Joined 'MYNETSRV08' to dns domain 'mynet.net'
> root@MYNETSRV08:/etc/samba#
> 
> libnss_winbind.so is in the right place:
> 
> root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
> /lib/libnss_winbind.so  /lib/libnss_winbind.so.2
> 
> The libs are loaded fine:
> 
> root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_ldap.so.2 -> libnss_ldap.so.2
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> libnss_wins.so -> libnss_wins.so.2
> libnss_winbind.so -> libnss_winbind.so.2
> libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
> libnss_compat.so.2 -> libnss_compat-2.13.so
> libnss_dns.so.2 -> libnss_dns-2.13.so
> libnss_nis.so.2 -> libnss_nis-2.13.so
> libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
> libnss_files.so.2 -> libnss_files-2.13.so
> root@MYNETSRV08:/etc/samba#
> 
> I added winbind to my nsswitch.conf
> 
> passwd: compat winbind
> group:  compat winbind
> 
> I can start the daemon without issues:
> 
> smbd
> nmbd
> winbindd
> 
> "wbinfo -u" lists all my domain users
>
> "wbinfo -g" lists all my domain groups
>
>
> Here are the problems:
> 
> When I run "getent passwd", it lists only the local users.

For performance reasons, by default we do not list users in the AD
domain.  See winbind enum users in your smb.conf

> When I run "id Administrator", it returns "No such user".

You need to use 'id MYNET\\administrator'

> If I try to access the share defined in smb.conf, the server does not
> recognize my user/password.

Can you give more detail on this part of the issue, and include logs
etc?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba4 Member Server not working

2013-08-28 Thread Carlos Alberto Borges Garcia
Hi,

I have one Samba4 server running as Active Directory Domain Controller.
It's working like a charm.

So I needed to add another server to be a Member Server (File Server).

The server is running samba-4.0.9.

Configured and compiled ok:

./configure --prefix=/usr/local/samba --sysconfdir=/etc
--localstatedir=/var --mandir=/usr/man --bindir=/usr/bin
--sbindir=/usr/sbin --libdir=/lib --enable-fhs --with-ads
--with-shared-modules=idmap_ad,pam

Installed ok.

Kerberos OK.
I can run kinit and klist

root@MYNETSRV08:/etc/samba# kinit Administrator
Password for administra...@mynet.net:
root@MYSRV08:/etc/samba#

root@MYNETSRV08:/etc/samba# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@mynet.net

Valid starting     Expires            Service principal
28/08/2013 19:59  29/08/2013 05:59  krbtgt/mynet@mynet.net
renew until 29/08/2013 19:59
root@MYNETSRV08:/etc/samba#

My SMB.CONF is below:

[global]

   workgroup = MYNET
   security = ADS
   realm = MYNET.NET
   encrypt passwords = yes

   idmap config *:backend = tdb
   idmap config *:range = 70001-8
   idmap config MYNET:backend = ad
   idmap config MYNET:schema_mode = rfc2307

   idmap config MYNET:range = 500-4

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes
   winbind enum users  = yes
   winbind enum groups = yes

[test]
   path = /mnt/files
   read only = no



I can add my server to domain:

root@PCOSRV08:/etc/samba# net ads join -U administrator
Enter administrator's password:
Using short domain name -- MYNET
Joined 'MYNETSRV08' to dns domain 'mynet.net'
root@MYNETSRV08:/etc/samba#

libnss_winbind.so is in the right place:

root@MYNETSRV08:/etc/samba# ls /lib/libnss_winbind.so*
/lib/libnss_winbind.so  /lib/libnss_winbind.so.2

The libs are loaded fine:

root@MYNETSRV08:/etc/samba# ldconfig -v | grep libnss
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_ldap.so.2 -> libnss_ldap.so.2
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
libnss_wins.so -> libnss_wins.so.2
libnss_winbind.so -> libnss_winbind.so.2
libnss_hesiod.so.2 -> libnss_hesiod-2.13.so
libnss_compat.so.2 -> libnss_compat-2.13.so
libnss_dns.so.2 -> libnss_dns-2.13.so
libnss_nis.so.2 -> libnss_nis-2.13.so
libnss_nisplus.so.2 -> libnss_nisplus-2.13.so
libnss_files.so.2 -> libnss_files-2.13.so
root@MYNETSRV08:/etc/samba#

I added winbind to my nsswitch.conf

passwd: compat winbind
group:  compat winbind

I can start the daemon without issues:

smbd
nmbd
winbindd

"wbinfo -u" lists all my domain users

"wbinfo -g" lists all my domain groups


Here are the problems:

When I run "getent passwd", it lists only the local users.

When I run "id Administrator", it returns "No such user".


If I try to access the share defined in smb.conf, the server does not
recognize my user/password.

I'm lost.


Thanks in advance.






-- 
http://www.endomondo.com/profile/3312580

See: " http://naofoiacidente.org/blog/por-quem/ "


Re: [Samba] Samba4 consumes more CPU

2013-08-28 Thread Andrew Bartlett
On Mon, 2013-08-26 at 22:39 +0530, Prema wrote:
> 
> 
> Dear Andrew,
> 
> 
> As per your suggestion, I have attached the gdb log of the samba and
> smbd process log running in the single server mode.
> 
> Also when I noted in the perf top, libndr.so consumes the maximum cpu.

> I noticed that it happens soon after sometime the samba process is
> started and the CPU is filled up.
> 
> Since the samba process occupies 100% of at least two or more CPUs out of
> 8 CPUs, the clients are not able to get authenticated to the server.
> 
> Kindly go through the logs and suggest what can be done to lessen the
> CPU consumption.

Sadly the gdb backtrace does not happen to be from the point that is
consuming the CPU, if that really is in libndr.  It is in both cases in
a poll() loop.

Are you using the internal DNS server?  If so, please change to using
DLZ_BIND9 using the samba_upgradedns script, and see if that helps.  I
have had a more successful investigation with another user that
indicates an issue there, triggered by double-processing of secure DNS
updates from clients in our DNS server.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT   http://catalyst.net.nz




[Samba] Samba4 - Wrong ipv6 DNS entry

2013-08-27 Thread Andreas Grabner

Hello,
I am using samba 4.0.8 with integrated DNS. Now I notice a wrong DNS 
entry of the PDC.


ip addr (GGG for security ;-):
br0:  mtu 1500
inet6 2GGG:::G::/64 scope global
inet6 fe80::225:90ff:fe77:18e4/64 scope link

# ./samba-tool dns query PDC GG.GG.local PDC 
Password for []:
  Name=, Records=1, Children=0
: 2GGG:::G:0225:90ff:fe77:18e4 (flags=f0, serial=1, 
ttl=900)


It is a combination of the "link" and the global "address". The global 
address ends with 0  which is intended.

Maybe this is responsible for slow OSX-clients? Hope so.

Is it a bug or just a config error?

Thanks
Andreas

--
Andreas Grabner
+43 676 840 775 101
andr...@vianova.cc
 
Via Nova Mediendesign GMBH

Augasse 24
A- 7400 oberwart
+4333 52 / 32 860
www.vianova.cc


