Trying to join a Solaris 8 box to Windows 2000 AD.

2002-11-10 Thread Clive . Elsum
I am having major problems with SAMBA samba-3.0alpha20 in trying to connect
to Windows 2000 AD. I have attached info if that helps.  Any help you can
give me would be greatly appreciated.

Thanks in advance

Clive Elsum

I can get samba-3.0alpha20 working if I include reference to our NT PDC
in the smb.conf file and do a net rpc join command.
This joins our NT PDC domain which has a trust relationship with the
Windows 2000 ADS.
The "joined domian XXX" message appears and a wbinfo -m shows the
Windows 2000 AD domain "Y" as a trusted-domain.
I can then login using domain/userid and everything works correctly.
The working smb.conf relevant bits are
workgroup = xxx
security = server
encrypt passwords = yes
stat cache = false
winbind separator = /
winbind uid = 1-3
winbind gid = 1-3
winbind use default domain = true
winbind enum groups = yes
winbind enum users = yes
security = server
template shell = /bin/tcsh


However with the imminent departure of the local NT PDC I will be forced
to use the net ads join command which at present fails.

The kinit command works correctly (password entered prompt returned)
The klist command appears to do the right thing.
Suggesting that kerberos is set up OK.

I have samba-3.0alpha20 version installed on Solaris 8. It was configured with
./configure  --with-ads --with-ldap --with-krb5=/usr/local/kerberos --with-pam --with-winbind

The include/config.h file shows
#define HAVE_KRB5 1
#define HAVE_GSSAPI 1
#define WITH_ADS 1
#define HAVE_LDAP_H 1


I am using GCC Version 3.2;  Kerberos  krb5-1.2.6; LDAP openldap-2.1.8; on a
Solaris 8 platform.

I have modified the Makefile so as to overcome errors in compiling e.g
passdb/pdb_ldap.c

CFLAGS=-O  -I/usr/local/kerberos/include -I/usr/local/openldap/include
CPPFLAGS= -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/local/kerberos/include -I/usr/local/openldap/include
LDFLAGS= -L/usr/local/kerberos/lib -L/usr/local/openldap/lib
LDSHFLAGS=-G  -L/usr/local/kerberos/lib -L/usr/local/openldap/lib -O -I/usr/local/kerberos/include -I/usr/local/openldap/include

During compilation the following  warnings show:
lib/util_str.c: In function `str_list_make':
lib/util_str.c:1160: warning: passing arg 3 of `next_token' discards
qualifiers from pointer target type
auth/pampass.c: In function `smb_setup_pam_conv':
auth/pampass.c:422: warning: assignment from incompatible pointer type
libads/ldap.c: In function `ads_do_paged_search':
libads/ldap.c:405: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type
libads/ldap.c: In function `ads_do_search':
libads/ldap.c:631: warning: passing arg 2 of `str_list_copy' from
incompatible pointer type
libads/ldap_printer.c: In function `ads_mod_printer_entry':
libads/ldap_printer.c:80: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:96: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/ldap_printer.c:99: warning: passing arg 4 of `ads_mod_strlist' from
incompatible pointer type
libads/kerberos.c: In function `kerberos_kinit_password':
libads/kerberos.c:80: warning: passing arg 6 of
`krb5_get_init_creds_password' discards qualifiers from pointer target type
utils/net.c: In function `net_getlocalsid':
utils/net.c:348: warning: passing arg 1 of `secrets_fetch_domain_sid'
discards qualifiers from pointer target type
utils/net_ads.c: In function `net_ads_printer_info':
utils/net_ads.c:722: warning: passing arg 4 of `ads_find_printer_on_server'
discards qualifiers from pointer target type
utils/net_ads.c: In function `net_ads_printer_publish':
utils/net_ads.c:774: warning: assignment discards qualifiers from pointer
target type
utils/net_ads.c: In function `net_ads_printer_remove':
utils/net_ads.c:812: warning: assignment discards qualifiers from pointer
target type
utils/net_rpc_join.c: In function `net_rpc_join_ok':
utils/net_rpc_join.c:65: warning: passing arg 1 of
`secrets_fetch_trust_account_password' discards qualifiers from pointer
target type
nsswitch/pam_winbind.c: In function `converse':
nsswitch/pam_winbind.c:67: warning: passing arg 3 of `pam_get_item' from
incompatible pointer type
nsswitch/pam_winbind.c:70: warning: passing arg 2 of pointer to function
from incompatible pointer type
nsswitch/pam_winbind.c: In function `_make_remark':
nsswitch/pam_winbind.c:85: warning: assignment discards qualifiers from
pointer target type
nsswitch/pam_winbind.c: In function `_winbind_read_password':
nsswitch/pam_winbind.c:278: warning: passing arg 3 of `pam_get_item' from
incompatible pointer type
nsswitch/pam_winbind.c:311: warning: assignment discards qualifiers from
pointer target type
nsswitch/pam_winbind.c:319: warning: assignment discards qualifiers from
pointer target type
nsswitch/pam_winbind.c:325: warning: assignment discards qualifiers from
pointer target type
nsswitch/pam_winbind.c:383: warning:

Re: Trying to join a Solaris 8 box to Windows 2000 AD.

2002-11-10 Thread Andrew Bartlett
On Sun, 2002-11-10 at 21:13, [EMAIL PROTECTED] wrote:
> I am having major problems with SAMBA samba-3.0alpha20 in trying to connect
> to Windows 2000 AD. I have attached info if that helps.  Any help you can
> give me would be greatly appreciated.
> 
> Thanks in advance
> 
> Clive Elsum
> 
> I can get samba-3.0alpha20 working if I include reference to our NT PDC
> in the smb.conf file and do a net rpc join command.
> This joins our NT PDC domain which has a trust relationship with the
> Windows 2000 ADS.
> The "joined domian XXX" message appears and a wbinfo -m shows the
> Windows 2000 AD domain "Y" as a trusted-domain.
> I can then login using domain/userid and everything works correctly.
> The working smb.conf relevant bits are
>   workgroup = xxx
>   security = server
> encrypt passwords = yes
> stat cache = false
> winbind separator = /
> winbind uid = 1-3
> winbind gid = 1-3
> winbind use default domain = true
> winbind enum groups = yes
> winbind enum users = yes
>   security = server
> template shell = /bin/tcsh
> 
> 
> However with the imminent departure of the local NT PDC I will be forced
> to use the net ads join command which at present fails.

There isn't a 'forced' here - you should still be able to 'net rpc join'
a Win2k domain.  But that doesn't solve your real problem.

> The kinit command works correctly (password entered prompt returned)
> The klist command appears to do the right thing.
> Suggesting that kerberos is set up OK.
> 
> I have samba-3.0alpha20 version installed on Solaris 8. It was configured with
> ./configure  --with-ads --with-ldap --with-krb5=/usr/local/kerberos --with-pam --with-winbind
> 
> The include/config.h file shows
> #define HAVE_KRB5 1
> #define HAVE_GSSAPI 1
> #define WITH_ADS 1
> #define HAVE_LDAP_H 1
> 
> 
> I am using GCC Version 3.2;  Kerberos  krb5-1.2.6; LDAP openldap-2.1.8; on a
> Solaris 8 platform.
> 
> I have modified the Makefile so as to overcome errors in compiling e.g
> passdb/pdb_ldap.c

What were they, btw?

> I then do a make install and copy relevant files with relevant links:
> cp pam_winbind.so /lib/security
> cp libnss_winbind.so /lib/nss_winbind.so
> 
> 
> Relevant bits from smb.conf:
> workgroup = OUR
> realm = OUR.2000AD.DOMAIN
> security =  ADS
> encrypt passwords = yes
> stat cache = false
> winbind separator = /
> winbind uid = 1-3
> winbind gid = 1-3
> winbind use default domain = true
> winbind enum groups = yes
> winbind enum users = yes
> ads server = 
> template shell = /bin/tcsh
> 
> WINBINDD adds the AD DOMAIN and relevant machines in lookup sequence but
> then aborts with:
> 
> convert_string: Required 1521, available 2048
> ===
> INTERNAL ERROR: Signal 11 in pid 25953 (3.0alpha20)
> Please read the file BUGS.txt in the distribution
> ===
> PANIC: internal error
> Abort (core dumped)

Any chance of recompiling --enable-krb5developer and getting us a gdb
backtrace?  See 'panic action' in the smb.conf

> Obviously the command net ads join also fails with:
> [2002/11/10 20:36:44, 0] libads/kerberos.c:ads_kinit_password(122)
>   kerberos_kinit_password [EMAIL PROTECTED] failed: Preauthentication
> failed
> [2002/11/10 20:36:44, 1] utils/net_ads.c:ads_startup(148)
>   ads_connect: Invalid credentials

Why is this 'obviously'?  Anyway, a backtrace of this would be good.

Anyway, if you can get that, and also try the latest 3.0 CVS
(pserver.samba.org), that will help us to chase it down.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net





RE: Error code 0

2002-11-10 Thread Nir Soffer
> 
> The [EMAIL PROTECTED] list is for user discussions and help. 
> The [EMAIL PROTECTED] is for developer discussions.
> It is rare and unusual for a message to be appropriate for both lists.
> Please, folks, don't cross-post unless it's really the right thing to do.
> 
> For error code listings, see the nterr.h and/or doserr.h files in 
> samba/source/include/.  You can also look at:
> 
> http://msdn.microsoft.com/library/en-us/debug/base/system_error_codes.asp?frame=false

Err. AFAIK, "error code 0" means "Success", in nearly every errno system
I've seen, btw.

I've seen an error code 0 once in Samba, and I was told it has to do
with the peer "going away". Since the packet doesn't exist or is all
zeroed out in these cases, extraction of the error code field in the
packet results in a "0". This is what gets reported to the end user.

Am I right?


> Finally, when posting a request for help to the [EMAIL PROTECTED] mailing
> list, please include all relevant information, including the version of
> Samba, and the OS type and version of both client and server.  Without
> context, no one can help you.
> 


--
Nir Soffer -=- Software Engineer, Exanet Inc. -=-
"The poor little kittens; They lost their mittens;
 And now you all must die. Mew, Mew, Mew, Mew, 
 And now you all must die." www.sluggy.com, 24/10/02



Re: Error code 0

2002-11-10 Thread Tim Potter
On Sun, Nov 10, 2002 at 03:52:03PM +0200, Nir Soffer wrote:

> > http://msdn.microsoft.com/library/en-us/debug/base/system_error_codes.asp?frame=false
> 
> Err. AFAIK, "error code 0" means "Success", in nearly every errno system
> I've seen, btw.
> 
> I've seen an error code 0 once in Samba, and I was told it has to do
> with the peer "going away". Since the packet doesn't exist or is all
> zeroed out in these cases, extraction of the error code field in the
> packet results in a "0". This is what gets reported to the end user.
> 
> Am I right?

Pretty much.  The error 0 appears when a SMB packet is sent but there
is no response within 30 seconds.


Tim.
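
The ambiguity described in this exchange, as an added example (not Samba's code and not written by any poster): the 32-bit status field at offset 5 of an SMB1 header reads as 0 from a zero-filled receive buffer, the same value as success, unless the caller first checks that a reply actually arrived. The function names and the constructed sample header are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SMB_HDR_LEN 32   /* fixed SMB1 header size */

enum reply_state { REPLY_OK = 0, REPLY_ERROR = 1, REPLY_MISSING = 2 };

/* Naive extraction: trusts the buffer, so a zeroed buffer yields status 0. */
uint32_t naive_status(const uint8_t *buf)
{
    /* 4-byte little-endian status follows the magic and the command byte */
    return (uint32_t)buf[5] | (uint32_t)buf[6] << 8 |
           (uint32_t)buf[7] << 16 | (uint32_t)buf[8] << 24;
}

/* Checked extraction: 'received' is the byte count the transport really
 * delivered (0 after a timeout or when the peer went away). */
enum reply_state checked_status(const uint8_t *buf, size_t received,
                                uint32_t *status)
{
    static const uint8_t magic[4] = { 0xFF, 'S', 'M', 'B' };

    if (received < SMB_HDR_LEN || memcmp(buf, magic, sizeof magic) != 0)
        return REPLY_MISSING;        /* no reply: do not report "error 0" */
    *status = naive_status(buf);
    return *status == 0 ? REPLY_OK : REPLY_ERROR;
}

/* Constructed sample input: a bare header carrying the given status. */
void build_sample_header(uint8_t *buf, uint8_t command, uint32_t status)
{
    memset(buf, 0, SMB_HDR_LEN);
    buf[0] = 0xFF; buf[1] = 'S'; buf[2] = 'M'; buf[3] = 'B';
    buf[4] = command;
    buf[5] = (uint8_t)(status & 0xFF);
    buf[6] = (uint8_t)((status >> 8) & 0xFF);
    buf[7] = (uint8_t)((status >> 16) & 0xFF);
    buf[8] = (uint8_t)((status >> 24) & 0xFF);
}
```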



libsmbclient problems

2002-11-10 Thread Mikael Albertsson
Hello.

I'm having some weird problems trying to use libsmbclient in an application
I'm creating.

The thing is that I use smbc_read to read a file from another computer,
however, sometimes I get kicked and smbc_read ends prematurely with less read
than I requested. I thought "ok, I'll just close it and try to reopen", but
if I try to use smbc_close on the fd, everything comes crashing down in the
blink of an eye.

Another weird thing is that most times errno is set to 104 (connection reset
by peer) after smbc_read ends like this, but sometimes errno is 0 (Success)
after such a premature end...this baffles me, but I can work around it.

If I skip trying to close the file from the remote computer after this
happens I can go on to open other files on other computers, but if I ever try
to open another file from the computer that kicked me (in the same session
with my app), my app crashes.

By crash I don't mean that it segfaults, it just ends...no error or anything
(if I execute my app in the background, the shell just says "Broken pipe").
I definitely know that the app dies inside the call to smbc_close or
smbc_read (whichever I try to use I was kicked).

Is there any way around this problem?

Apart from this problem I would like to thank for a really good software package. Keep 
up the good work! =)

Ps. I'm using samba Version 2.999+3.0.alpha20-3 for Debian. Ds.

Sincerely
Mikael Albertsson



Re: libsmbclient problems

2002-11-10 Thread Richard Sharpe
On Sun, 10 Nov 2002, Mikael Albertsson wrote:

Mail reformatted!

> I'm having some weird problems trying to use libsmbclient in an 
> application I'm creating.
> 
> The thing is that I use smbc_read to read a file from another computer, 
> however, sometimes I get kicked and smbc_read ends prematurely with less 
> read than I requested. I thought "ok, I'll just close it and try to 
> reopen", but if I try to use smbc_close on the fd, everything comes 
> crashing down in the blink of an eye.
> 
> Another weird thing is that most times errno is set to 104 (connection 
> reset by peer) after smbc_read ends like this, but sometimes errno is 0 
> (Success) after such a premature end...this baffles me, but I can work 
> around it.

OK, it would be very good to get a packet trace of what is happening on 
the wire when these errors occur.

You can get a packet trace with:

   tcpdump -i [1] -s 1500 -w libsmbc.cap

[1] Use the appropriate device, like eth0, xl0, depending on your OS and 
interface.

Then send the trace to me as an attachment.

Regards
-
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], http://www.richardsharpe.com
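
An added example (not from the posters and not libsmbclient code) of the two symptoms in this thread at the plain-socket level: a shell reporting "Broken pipe" means the process was terminated by SIGPIPE, which is raised on a write to a connection the peer has dropped, and a short read with errno 0 is an orderly end of stream rather than an error. A local socketpair stands in for the SMB connection; that SIGPIPE is what ends the poster's application is an assumption, and the function names are hypothetical.

```c
#include <errno.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Read until 'want' bytes arrive, the peer closes, or an error occurs.
 * Returns bytes read; *err is 0 for a clean short read (EOF), else errno. */
ssize_t read_full(int fd, char *buf, size_t want, int *err)
{
    size_t got = 0;
    *err = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n == 0) break;              /* peer closed: errno is not set */
        if (n < 0) {
            if (errno == EINTR) continue;
            *err = errno;               /* e.g. ECONNRESET (104 on Linux) */
            break;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Write to a connection whose peer is gone. SIGPIPE is ignored (a
 * process-wide setting) so the failure is returned as errno EPIPE
 * instead of terminating the process. */
int write_to_dead_peer(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);
    close(sv[1]);
    int err = (write(sv[0], "x", 1) < 0) ? errno : 0;
    close(sv[0]);
    return err;
}

/* Constructed scenario: peer sends 5 of the 10 bytes asked for, then closes. */
ssize_t short_read_demo(int *err)
{
    int sv[2];
    char buf[10];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (write(sv[1], "hello", 5) != 5) { close(sv[0]); close(sv[1]); return -1; }
    close(sv[1]);
    ssize_t n = read_full(sv[0], buf, sizeof buf, err);
    close(sv[0]);
    return n;
}
```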




Re: speed problem with 'valid users' and nss_ldap

2002-11-10 Thread Gerald (Jerry) Carter

On Fri, 8 Nov 2002 [EMAIL PROTECTED] wrote:

> We are using Samba 2.2.6 at our site on Solaris 8 in conjunction with
> nss_ldap from padl.com.  We often use the "valid users" option in our
> smb.conf to restrict access to a given share to members of a certain group.
> This causes the "get_users_in_group" function in lib/util_getent.c to use
> getgrent to enumerate the entire list of groups.  This is extremely slow
> with nss_ldap (about 3 minutes for us).
> 
> Looking at the code for "get_users_in_group," I see that there is a "fast"
> path for winbindd users that uses "getgrnam", and a "slow" path for
> everyone else that uses "getgrent."  Is there any reason why the "fast"
> path can't be used all the time?  I made this change to the code here, and
> I solved my problem.  Is there any reason I should not do this?  Is there
> any reason this shouldn't be changed in the Samba source?

I was just looking at this and the comment says that it is a workaround 
for Tru64.  I'm not sure this is a valid statement anymore and am
checking in on it. The change you made is probably just fine.




cheers, jerry
