[Samba] Samba and Citrix
Hi, Is it possible to use the version of Citrix (Xen App 6.x) with Samba? Has somebody tested it? Maybe I need a specific version. My actual Samba version is 3.3.8. Any suggestion would be welcome. Regards, Moses. -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Samba 4 member of AD, help
Thanks Volker, I'll give that a shot. Regards
[Samba] winbind errors and panics
Hi, I'm setting up a Samba AD member server on CentOS 6. Everything seems to work, except that Windows users don't get automatically created in the idmap backend (which is an LDAP tree, btw). I do get the following errors in the winbind logging:

[2012/01/26 13:04:20.634990, 1] winbindd/idmap_ldap.c:193(verify_idpool)
  Unable to verify the idpool, cannot continue initialization!
[2012/01/26 13:04:20.635125, 0] winbindd/idmap.c:599(idmap_alloc_init)
  ERROR: Initialization failed for alloc backend, deferred!

and a panic by winbind:

[2012/01/26 13:06:50.726749, 0] lib/fault.c:46(fault_report)
  ===
[2012/01/26 13:06:50.726893, 0] lib/fault.c:47(fault_report)
  INTERNAL ERROR: Signal 11 in pid 2730 (3.5.10-114.el6)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2012/01/26 13:06:50.726931, 0] lib/fault.c:49(fault_report)
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2012/01/26 13:06:50.726967, 0] lib/fault.c:50(fault_report)
  ===
[2012/01/26 13:06:50.727005, 0] lib/util.c:1490(smb_panic)
  PANIC (pid 2730): internal error
[2012/01/26 13:06:50.730324, 0] lib/util.c:1594(log_stack_trace)
  BACKTRACE: 19 stack frames:
   #0 winbindd(log_stack_trace+0x2e) [0x95a88e]
   #1 winbindd(smb_panic+0x2e) [0x95a9ae]
   #2 winbindd(+0x170f9f) [0x947f9f]
   #3 [0x110400]
   #4 /lib/libldap-2.4.so.2(ldap_unbind_ext+0x25) [0x186855]
   #5 /lib/libldap-2.4.so.2(ldap_unbind+0x70) [0x1869a0]
   #6 winbindd(+0x52d07f) [0xd0407f]
   #7 winbindd(+0x52d325) [0xd04325]
   #8 winbindd(run_events+0x110) [0x96c800]
   #9 winbindd(+0xbffd8) [0x896fd8]
   #10 winbindd(+0xc0f1d) [0x897f1d]
   #11 winbindd(+0x198d08) [0x96fd08]
   #12 winbindd(tevent_common_loop_immediate+0xe6) [0x96e4f6]
   #13 winbindd(run_events+0x3e) [0x96c72e]
   #14 winbindd(+0x195bc1) [0x96cbc1]
   #15 winbindd(_tevent_loop_once+0x98) [0x96d2c8]
   #16 winbindd(main+0xa9a) [0x86804a]
   #17 /lib/libc.so.6(__libc_start_main+0xe6) [0xf9ace6]
   #18 winbindd(+0x8e531) [0x865531]
[2012/01/26 13:06:50.731949, 0] lib/fault.c:326(dump_core)
  dumping core in /var/log/samba/cores/winbindd

Here's my testparm output with domain replacing our internal domainname:

Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [homes]
Processing section [printers]
Processing section [Profiles]
Processing section [domain]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = domain
	realm = domain.LOCAL
	server string = Samba Server Version %v
	security = ADS
	passdb backend = ldapsam:ldap://limara.mgt.domain.local
	log file = /var/log/samba/log.%m
	max log size = 50
	ldap admin dn = cn=Manager,dc=domain,dc=local
	ldap group suffix = ou=Group,dc=office
	ldap idmap suffix = ou=People,ou=Domain Users,dc=office
	ldap machine suffix = ou=Computers,dc=office
	ldap suffix = dc=domain,dc=local
	ldap ssl = no
	idmap backend = ldap:ldap://limara.mgt.domain.local
	idmap alloc backend = ldap
	idmap uid = 1-1
	idmap gid = 1-1
	idmap alloc config : ldap_base_dn = dc=office,dc=domain,dc=local
	idmap alloc config : ldap_url = ldap://limara.mgt.domain.local
	ldapsam:editposix = yes
	ldapsam:trusted = yes
	cups options = raw

[homes]
	comment = Home Directories
	path = /srv/windows/users/%S
	valid users = domain\%S
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[Profiles]
	path = /srv/windows/profiles/
	read only = No
	guest ok = Yes
	browseable = No

[Domain]
	path = /srv/windows/shared/
	read only = No

Searching on the errors on Google gives me only parts of the source code, questions, and no answers. For a sidenote: if I do create the user objects manually, the idmappings get created without problems. I could run production with the server as it is now, but I'd prefer to have the account creation/idmapping to go automatically, as that saves me a lot of admin work.
[Samba] LDAP issues
Centos 6, Samba 3, smbldap-tools installed. LDAP directory not on local host.

Example user LDIF:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
mailHost: mailserver.mydomain.com
loginShell: /bin/bash
gidNumber: 500
uidNumber: 53112
uid: testu...@mydomain.com
sn: user
cn: test user
mail: testu...@mydomain.com
homeDirectory: /cust/mydomain/users/testuser
gecos: test user,,662-6123
objectClass: mirapointmailuser
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaSID: S-1-5-21-3311107553-3899660464-2674327009-107224
sambaAcctFlags: [UX]
sambaHomeDrive: F:
sambaHomePath: \\ndtc-fs\cust\mydomain\users
sambaPwdLastSet: 1327615956
sambaPwdMustChange: 2147483647

getent passwd shows:

testu...@mydomain.com:x:53112:500:test user,,662-6123:/cust/mydomain/users/testuser:/bin/bash

I can ssh to the server with this account. So, the linux/ldap stuff seems to work properly. However, I cannot connect with the smb proto. Continue to get a username/password prompt. My suspicion is the @ in the uid, which as I understand it, in the windoze world signifies a group... I think I am confusing something in the process.

My question is: can Samba be configured to append the @mydomain.com to the username, then authenticate the user? So the user could use the testuser login via the windoze login and drive mapping processes, but Samba would actually use testu...@mydomain.com to actually authenticate? All these accounts are already in use in the LDAP directory, and so the uid cannot be changed.

lmk if there's anything else needed here... I'm willing to share configs, command outputs, etc. to get this solved. TIA!

Alex Moen
Network Services Technician II
North Dakota Telephone Company
701-662-6481
Re: [Samba] winbind craps out, NT_STATUS_PIPE_BROKEN
Hi Jay,

many thanks for your response. I have a similar set of scripts currently they only run wbinfo -t and a script to check net ads testjoin is sane. They don't catch this. I was thinking about processing the log with something like swatch but it's a kludge. I would be interested in seeing your sanity checks if you don't mind?

Cheers, Matt

On 26/01/12 16:32, Jay Sullivan wrote:
> I am still experiencing this problem. I've scripted out some winbind sanity checks that catch when it poops out and restart winbind automagically. I recently migrated our biggest samba host from Debian 5 to RHEL 6. The problem persists, albeit slightly less frequently (not very scientific, I know...). I typically only have problems with winbind when there are 200 users connected _or_ 500 open files as reported by smbstatus. Unfortunately for me, these conditions describe a typical samba load during off-peak hours. =(
>
> ~Jay
> --
> Jay Sullivan
> Rochester Institute of Technology
> College of Imaging Arts and Sciences
> jay.sulli...@rit.edu
>
> -----Original Message-----
> From: Matthew Baker [mailto:matt.ba...@bristol.ac.uk]
> Sent: Tuesday, January 24, 2012 3:34 AM
> To: Jay Sullivan; samba@lists.samba.org
> Subject: Re: winbind craps out, NT_STATUS_PIPE_BROKEN
>
> Hi Jay/Samba peeps,
>
> Emailing in reference to http://lists.samba.org/archive/samba/2011-April/162277.html
>
> I have seen a very similar issue with a similar setup. Users fail to be verified with:
>
> getent passwd username
>
> Entry in the log at same time is:
>
> [2012/01/23 16:58:53.159761, 3] winbindd/winbindd_misc.c:352(winbindd_interface_version)
>   [18510]: request interface version
> [2012/01/23 16:58:53.159966, 3] winbindd/winbindd_misc.c:385(winbindd_priv_pipe_dir)
>   [18510]: request location of privileged pipe
> [2012/01/23 16:58:53.160214, 3] winbindd/winbindd_getpwnam.c:55(winbindd_getpwnam_send)
>   getpwnam username
> [2012/01/23 16:58:53.162493, 5] winbindd/winbindd_getpwnam.c:138(winbindd_getpwnam_recv)
>   Could not convert sid S-1-5-21-1117850145-1682116191-196506527-126617: NT_STATUS_PIPE_BROKEN
>
> Restarting winbindd solves the problem temporarily. I've attached a copy of the smb.conf.
>
> OS: Debian Squeeze 6.0.3
> Kernel: 2.6.32-5-686-bigmem
> samba 2:3.5.6~dfsg-3squeeze5
> winbind 2:3.5.6~dfsg-3squeeze5
>
> Jay did you find a solution to your problem? Has anyone else on the list seen similar issues or have any ideas of what might be happening? Any advice or pointers would be very much appreciated.
>
> Thanks, Matt

--
Matthew Baker :: Senior Systems Administrator :: University of Bristol
Infrastructure, Systems and Operations it-sys...@bristol.ac.uk
T: Berkeley Square: +44(0)117 3314325 (Mon, Thur Fri)
T: Computer Centre: +44(0)117 3317467 (Tue, Wed)
A: Uni of Bristol, Computer Centre, Tyndall Ave, Bristol. BS81UD
Re: [Samba] LDAP issues
Forgot to add... If I create a Unix account, and add it to the local smbpasswd subsystem, it works fine. I can log in using the credentials that I create. So, samba is working, and linux/ldap is working, but samba/ldap has issues... Alex Moen Network Services Technician II North Dakota Telephone Company 701-662-6481
Re: [Samba] LDAP issues
On 26.01.2012 17:51, Alex Moen wrote:
> Forgot to add... If I create a Unix account, and add it to the local smbpasswd subsystem, it works fine. I can log in using the credentials that I create. So, samba is working, and linux/ldap is working, but samba/ldap has issues...

Sounds as if samba isn't using LDAP properly. Would you mind showing us your config?

greets juergen
Re: [Samba] LDAP issues
On Jan 26, 2012, at 10:55 AM, Jürgen Echter wrote:
> Sounds as if samba isn't using LDAP properly. Would you mind showing us your config?
>
> greets juergen

Sure! Here it is:

[global]
	workgroup = A36561
	server string = My File Server
	netbios name = NDTC-FS
	interfaces = lo eth1
	log file = /var/log/samba/log.%m
	max log size = 50
	ldap debug level = 1
	ldap debug threshold = 5
	log level = 3 all:5
	security = user
	passdb backend = ldapsam:ldap://66.163.128.204
	ldap suffix = ou=mydomain,o=ndtc
	ldap machine suffix = ou=People
	ldap usersuffix = ou=People
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap admin dn = cn=admin,o=ndtc
	ldap ssl = off
	domain master = yes
	domain logons = yes
	wins support = yes
	load printers = yes
	cups options = raw

[homes]
	comment = Home Directories
	browseable = no
	writable = yes

[groups]
	comment = Group Directories
	path = /cust/mydomain/groups
	guest ok = no
	writable = yes

[share]
	comment = Share space
	path = /cust/mydomain/share
	public = yes
	writeable = yes
	read only = no
	printable = no
	write list = +users
	force create mode = 660
	force directory mode = 770
	force user = nobody
	force group = nobody

[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
Re: [Samba] LDAP issues
On Jan 26, 2012, at 12:42 PM, Jorge Concha C. wrote:
> On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:
>> ldap usersuffix = ou=People
> maybe the problem is: this line must be
> ldap user suffix = ou=People
> Sorry, my English is not good.
> -- Jorge C.

OK, fixed that, but it didn't help... Same issue.

Alex
Re: [Samba] LDAP issues
On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:
> ldap usersuffix = ou=People

maybe the problem is: this line must be

ldap user suffix = ou=People

Sorry, my English is not good.

-- Jorge C.
[Samba] windows print job count keeps accumulating
Running Samba 3.5.8. Our print jobs sent from Windows keep accumulating the count as shown in the Windows Printers and Faxes window till they reach 1000 and then that printer stops working. I have to delete the printer .tdb file for it to work again. The print jobs are printing and the jobs are deleted from the queue, just not from the .tdb. Any ideas are appreciated!!!
Re: [Samba] LDAP issues
Ok, I think that is the @ in the UID. Try creating a user without the @ and test the sambaconf with this.

On Thu, 26 Jan 2012 15:46:30 -0300, Alex Moen al...@ndtel.com wrote:
> On Jan 26, 2012, at 12:42 PM, Jorge Concha C. wrote:
>> On Thu, 26 Jan 2012 14:59:24 -0300, Alex Moen al...@ndtel.com wrote:
>>> ldap usersuffix = ou=People
>> maybe the problem is: this line must be
>> ldap user suffix = ou=People
>> Sorry, my English is not good.
>> -- Jorge C.
> OK, fixed that, but it didn't help... Same issue. Alex

-- Jorge C.
Re: [Samba] Samba 3.5.8 - windows XP workstations disapear from browselist
Hello! I'm afraid I have the same problem in my network. We have a domain where Samba (3.5.11) is the PDC. Clients include Windows XP's and 7's. I recently noticed that many stations are not visible in the browselist. I'll investigate it and let you know about the results.

Daniel

On 2012-01-25 10:50, BartekR wrote:
> Hello! I would like to refresh this topic because I have discovered something new. This problem relates only to machines with WINDOWS XP with automatic system update enabled. Win XP sp2 (fresh install) with disabled updates does not disappear! So should I try to uninstall some of the updates? Is there any way to find the one responsible for this problem? Thanks! BartekR
Re: [Samba] LDAP issues
I didn't go too deeply on your issue, but it seems to me that since you have:

ldap user suffix = ou=People

You cannot simply have:

dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc

But should have instead:

dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc

Am I wrong?
Re: [Samba] LDAP issues
>> I didn't go too deeply on your issue, but it seems to me that since you have:
>>
>> ldap user suffix = ou=People
>>
>> You cannot simply have:
>>
>> dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
>>
>> But should have instead:
>>
>> dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc
>>
>> Am I wrong?
>
> Nope. You're right. I have removed the ou=People line. Still no joy.

I suppose that you cannot simply remove it. You have to tell Samba where the user's container resides. Judging from your LDIF, your users seem to reside directly on ou=mydomain? Maybe you should look at the whole ldap arrangement... The structure just doesn't seem right...
Re: [Samba] LDAP issues
>>> I didn't go too deeply on your issue, but it seems to me that since you have:
>>>
>>> ldap user suffix = ou=People
>>>
>>> You cannot simply have:
>>>
>>> dn: uid=testu...@mydomain.com,ou=mydomain,o=ndtc
>>>
>>> But should have instead:
>>>
>>> dn: uid=testu...@mydomain.com,ou=People,ou=mydomain,o=ndtc
>>>
>>> Am I wrong?
>>
>> Nope. You're right. I have removed the ou=People line. Still no joy.
>
> I suppose that you cannot simply remove it. You have to tell Samba where the user's container resides. Judging from your LDIF, your users seem to reside directly on ou=mydomain? Maybe you should look at the whole ldap arrangement... The structure just doesn't seem right...

I hear you, but this existing structure is in production, and has been for several years. It isn't really going to change now, without really causing a whole lot of trouble.

New information: I finally got the username to be recognized. I have added

username map = /etc/samba/usermap.txt

in smb.conf, and added the entry

al...@mydomain.com = alexm

in usermap.txt. Eureka! The logs show that Get_Pwnam_internals did find user [al...@mydomain.com]!.

Now, I just have to figure out how to make the groups work... I have about 50 groups that I need to process. When I try to add a new group using the smbldap-tool smbldap-addgroup, I get an error stating failed to add entry: Attribute is not allowed : cn at /usr/share/perl5/vendor_perl/smbldap_tools.pm line 789.. For some reason, it does not like the cn that is trying to be added to the dn: ou=Groups,ou=ndtel,o=ndtc, objectClass: organizationalUnit, ou: Groups organizational unit. Now, an OU is not allowed to have a cn, that's part of an organizational role or organizational person. So, I'll have to do some troubleshooting to find out what they intended, and make their scripts work properly. The docs aren't very up-to-date, so I'm fighting that a little.

Thanks for all the help so far, everyone...
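The username map fix described in the message above, generalized as an added example that is not part of the original thread: a Python script that derives `username map` lines from LDIF entries whose uid carries an @domain suffix, and refuses to map a short name that two accounts would share. The sample LDIF, its domains and the function names are constructed for illustration.

```python
"""Derive Samba `username map` lines from LDIF entries with uid=<name>@<domain>."""
import base64
import re
from collections import defaultdict

# Constructed sample data (not from the thread): two domains share the local
# part "alice", and one account has no sambaSAMAccount object class.
SAMPLE_LDIF = """\
dn: uid=alice@example.test,ou=example,o=org
uid: alice@example.test
objectClass: posixAccount
objectClass: sambaSAMAccount

dn: uid=bob@example.test,ou=example,o=org
uid: bob@example.test
objectClass: posixAccount
objectClass: sambaSAMAccount

dn: uid=alice@other.test,ou=other,o=org
uid: alice@other.test
objectClass: posixAccount
objectClass: sambaSAMAccount

dn: uid=mailonly@example.test,ou=example,o=org
uid: mailonly@example.test
objectClass: posixAccount
"""

# Client-side names that are safe to write unquoted on the right of "=".
# This excludes what smb.conf(5) treats specially in a map file: a leading
# @, + or & (group lookups), "*" (wildcard), "!", "=" and whitespace.
SAFE_SHORT = re.compile(r"^[A-Za-z0-9._-]+$")


def unfold(text):
    """Join LDIF continuation lines (a leading single space) to their parent."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry; attribute names lowercased."""
    entries, current = [], None
    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = defaultdict(list)
            entries.append(current)
        current[name.strip().lower()].append(value)
    return entries


def build_username_map(entries):
    """Return (map_lines, collisions).

    map_lines: "<unix name> = <client name>" for every sambaSAMAccount whose
               short name is unambiguous and safe to write unquoted.
    collisions: {short name: [uids]} for names that more than one account
               would claim; these are left out so that a login as "alice"
               can never be mapped onto another domain's account.
    """
    by_short = defaultdict(list)
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        for uid in entry.get("uid", []):
            local, at, domain = uid.partition("@")
            if at and domain and SAFE_SHORT.match(local):
                by_short[local.lower()].append(uid)
    lines, collisions = [], {}
    for short in sorted(by_short):
        uids = sorted(set(by_short[short]))
        if len(uids) == 1:
            lines.append(f"{uids[0]} = {short}")
        else:
            collisions[short] = uids
    return lines, collisions


if __name__ == "__main__":
    map_lines, clashes = build_username_map(parse_ldif(SAMPLE_LDIF))
    print("\n".join(map_lines))
    for short, uids in clashes.items():
        print(f"# skipped {short}: ambiguous between {', '.join(uids)}")
```

The generated lines go into the file named by `username map` in smb.conf; names reported as collisions need a manual decision before they are added.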
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
> even though I've made a ldap/hh3.site principal:
>
> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
>
> Why do I get the Decrypt integrity check failed error?

Why do you keep doing this? What makes you think this is the right thing to do (so I can correct whatever gave you this misconception).

Samba will not read /etc/ldap.keytab. Samba uses the private keytab containing its own machine account only.

Samba should not be contacted via the dns domain name, it should be contacted by the fully qualified domain name. The fact the dns domain name (hh3.site) resolves is an artefact of the default AD DNS zone, but should not be used.

If your client uses the fully qualified name (dc.hh3.site), it will collect the correct ticket, and Samba will decrypt it.

Thanks,
Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] Samba 4 and GSSAPI kerberos ldap connect
On 01/27/2012 05:37 AM, Andrew Bartlett wrote:
> On Sun, 2012-01-22 at 15:32 +0100, steve wrote:
>> even though I've made a ldap/hh3.site principal:
>>
>> hh3:/tmp # samba-tool spn add ldap/hh3.site Administrator
>> hh3:/tmp # samba-tool domain exportkeytab /etc/ldap.keytab --principal=ldap/hh3.site
>>
>> Why do I get the Decrypt integrity check failed error?
>
> Why do you keep doing this? What makes you think this is the right thing to do (so I can correct whatever gave you this misconception).
>
> Samba will not read /etc/ldap.keytab. Samba uses the private keytab containing its own machine account only.
>
> Samba should not be contacted via the dns domain name, it should be contacted by the fully qualified domain name. The fact the dns domain name (hh3.site) resolves is an artefact of the default AD DNS zone, but should not be used.
>
> If your client uses the fully qualified name (dc.hh3.site), it will collect the correct ticket, and Samba will decrypt it.
>
> Thanks, Andrew Bartlett

Hi

Thanks for pointing this out. It turned out that when I provisioned, I had the fqdn wrong. Duh! I set that correctly in /etc/hosts, reprovisioned and everything sprang to life. ldapsearch -Y GSSAPI worked and I could extract stuff I'd put into the s4 LDAP database so our Linux users could connect.

I have still not been able to get winbind nor the fileserver working, so I've added nfs4 for the Linux clients and there I did need to add a principal for the kerberized nfs, otherwise the nfs server would not start. It's a bit of a hack but it's good enough for us at the moment. I got around the user id mappings as described here: http://linuxcostablanca.blogspot.com/p/samba-4.html

Thanks for your time,
Steve
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 0158858 s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR from b7becc0 s4-rpc_server: Fix search for existing trust to actually look for the dns name http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 01588585b172a1428ca2332514250be2f99490c7 Author: Stefan Metzmacher me...@samba.org Date: Wed Jan 25 11:18:00 2012 +0100 s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR This matches the behavior of ads_verify_ticket(). Note that ads_verify_ticket() calls krb5_to_nt_status(), but as a server it's likely to always returns NT_STATUS_UNSUCCESSFUL. ads_verify_ticket() maps NT_STATUS_UNSUCCESSFUL to NT_STATUS_LOGON_FAILURE. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jan 26 10:48:36 CET 2012 on sn-devel-104 --- Summary of changes: source3/librpc/crypto/gse.c |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c index 0e664b7..ec37073 100644 --- a/source3/librpc/crypto/gse.c +++ b/source3/librpc/crypto/gse.c @@ -503,7 +503,7 @@ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, status = NT_STATUS_MORE_PROCESSING_REQUIRED; break; default: - DEBUG(0, (gss_init_sec_context failed with [%s]\n, + DEBUG(1, (gss_init_sec_context failed with [%s]\n, gse_errstr(talloc_tos(), gss_maj, gss_min))); if (gse_ctx-gssapi_context) { @@ -512,7 +512,7 @@ static NTSTATUS gse_get_server_auth_token(TALLOC_CTX *mem_ctx, GSS_C_NO_BUFFER); } - status = NT_STATUS_INTERNAL_ERROR; + status = NT_STATUS_LOGON_FAILURE; goto done; } -- Samba Shared Repository
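Review bot: In the first hunk (@@ -503,7), the DEBUG text in the default: branch of gse_get_server_auth_token() still reads "gss_init_sec_context failed", which names the initiator-side GSS-API call inside a function that builds the server token. Since the line is being touched anyway to move it from level 0 to level 1, the message should name the call that actually failed here, otherwise anyone grepping logs is sent to the client path. The level change is also not mentioned in the commit message; it deserves a line, because with the default log level of 0 these failures no longer reach the log at all.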
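Review bot: In the second hunk (@@ -512,7), every gss_maj value that reaches default: is now reported as NT_STATUS_LOGON_FAILURE, so a local fault on the server looks the same to the caller as a bad ticket. That is the stated intent (matching ads_verify_ticket()), but it leaves the gse_errstr() output in the DEBUG call above as the only record of the real cause. A one-line comment above the assignment saying the mapping is deliberate and pointing at ads_verify_ticket() would keep it from being changed back to NT_STATUS_INTERNAL_ERROR later.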
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 633a28b s3:auth/auth_generic: for now call sub_set_smb_name() and lp_load() from 0158858 s3:gse: return NT_STATUS_LOGON_FAILURE instead of NT_STATUS_INTERNAL_ERROR http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 633a28b276a98628c333b8c8b20dfe30c099caf5 Author: Stefan Metzmacher me...@samba.org Date: Thu Jan 26 09:21:21 2012 +0100 s3:auth/auth_generic: for now call sub_set_smb_name() and lp_load() This matches the auth_ntlmssp case and the smbd/sesssetup.c code. metze Autobuild-User: Stefan Metzmacher me...@samba.org Autobuild-Date: Thu Jan 26 17:58:17 CET 2012 on sn-devel-104 --- Summary of changes: source3/auth/auth_generic.c |6 ++ 1 files changed, 6 insertions(+), 0 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 6db761b..38968a7 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -127,6 +127,12 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, netsamlogon_cache_store(ntuser, logon_info-info3); } + /* setup the string used by %U */ + sub_set_smb_name(username); + + /* reload services so that the new %U is taken into account */ + lp_load(get_dyn_CONFIGFILE(), false, false, true, true); + status = make_session_info_krb5(mem_ctx, ntuser, ntdomain, username, pw, logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, -- Samba Shared Repository
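Review bot: The result of the added lp_load(get_dyn_CONFIGFILE(), false, false, true, true) call is discarded, so when the reload fails the function continues into make_session_info_krb5() with the previously loaded service definitions while %U has already been changed by sub_set_smb_name(username). Check the return value and at least log the failure, or return an error status. The five positional booleans are unreadable at the call site, so a short comment naming them would help, and since the subject line says "for now", the new comment block should carry a TODO stating what is meant to replace this.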
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 17a77ea Fix a really slow memory leak (in master at least). Found by Ira Cooper i...@wakeful.net. from 633a28b s3:auth/auth_generic: for now call sub_set_smb_name() and lp_load() http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 17a77ea9b484a7040098fc66cf78625df4c14c65 Author: Jeremy Allison j...@samba.org Date: Thu Jan 26 14:53:43 2012 -0800 Fix a really slow memory leak (in master at least). Found by Ira Cooper i...@wakeful.net. Bug #8724 - Memory leak in parent smbd on connection. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Fri Jan 27 01:26:28 CET 2012 on sn-devel-104 --- Summary of changes: source3/lib/substitute.c |9 +++-- 1 files changed, 7 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c index eae6d15..5427ed8 100644 --- a/source3/lib/substitute.c +++ b/source3/lib/substitute.c @@ -195,7 +195,7 @@ void sub_set_smb_name(const char *name) } static char sub_peeraddr[INET6_ADDRSTRLEN]; -static const char *sub_peername = ; +static const char *sub_peername = NULL; static char sub_sockaddr[INET6_ADDRSTRLEN]; void sub_set_socket_ids(const char *peeraddr, const char *peername, @@ -208,6 +208,11 @@ void sub_set_socket_ids(const char *peeraddr, const char *peername, } strlcpy(sub_peeraddr, addr, sizeof(sub_peeraddr)); + if (sub_peername != NULL + sub_peername != sub_peeraddr) { + free(discard_const_p(char,sub_peername)); + sub_peername = NULL; + } sub_peername = SMB_STRDUP(peername); if (sub_peername == NULL) { sub_peername = sub_peeraddr; @@ -547,7 +552,7 @@ static char *alloc_sub_basic(const char *smb_name, const char *domain_name, break; case 'M' : a_string = realloc_string_sub(a_string, %M, - sub_peername); + sub_peername ? sub_peername : ); break; case 'R' : a_string = realloc_string_sub(a_string, %R, remote_proto); -- Samba Shared Repository
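Review bot: Changing the initialiser of sub_peername to NULL (hunk @@ -195,7) means every reader of that variable now has to cope with NULL, and this diff guards exactly one, the %M case in alloc_sub_basic(). Any other use of sub_peername in substitute.c should be checked as part of this change, or the NULL handling moved behind a small accessor so that a later caller cannot forget it.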
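Review bot: In the sub_set_socket_ids() hunk (@@ -208,6), sub_peername remains a const char * although it now owns heap memory, which is why the free needs discard_const_p(char,sub_peername) and why the code must compare against sub_peeraddr to decide whether the pointer may be freed. Keeping the strdup'ed copy in a separate non-const static, or leaving sub_peername NULL when SMB_STRDUP() fails now that %M tolerates NULL, would remove both the cast and the aliasing check. The sub_peername = NULL inside the new block is immediately overwritten by the SMB_STRDUP() assignment and can go.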
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a9e0333 Finally remove all malloc()'s from the substitute code. Now totally talloc() based. from 17a77ea Fix a really slow memory leak (in master at least). Found by Ira Cooper i...@wakeful.net. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a9e03337c1dbf13dcab5bf1f825bc1853b61256e Author: Jeremy Allison j...@samba.org Date: Thu Jan 26 17:10:44 2012 -0800 Finally remove all malloc()'s from the substitute code. Now totally talloc() based. Autobuild-User: Jeremy Allison j...@samba.org Autobuild-Date: Fri Jan 27 03:43:21 CET 2012 on sn-devel-104 --- Summary of changes: source3/lib/substitute.c | 147 ++--- source3/lib/substitute_generic.c |8 +- source3/passdb/pdb_ldap.c|6 +- source3/printing/printing.c |4 +- 4 files changed, 64 insertions(+), 101 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/lib/substitute.c b/source3/lib/substitute.c index 5427ed8..7acb021 100644 --- a/source3/lib/substitute.c +++ b/source3/lib/substitute.c @@ -24,9 +24,6 @@ #include secrets.h #include auth.h -static char *alloc_sub_basic(const char *smb_name, const char *domain_name, -const char *str); - userdom_struct current_user_info; fstring remote_proto=UNKNOWN; @@ -40,7 +37,7 @@ static char *local_machine; void free_local_machine_name(void) { - SAFE_FREE(local_machine); + TALLOC_FREE(local_machine); } bool set_local_machine_name(const char *local_name, bool perm) 
@@ -53,24 +50,24 @@ bool set_local_machine_name(const char *local_name, bool perm) return true; } - tmp_local_machine = SMB_STRDUP(local_name); + tmp_local_machine = talloc_strdup(NULL, local_name); if (!tmp_local_machine) { return false; } trim_char(tmp_local_machine,' ',' '); - SAFE_FREE(local_machine); + TALLOC_FREE(local_machine); len = strlen(tmp_local_machine); - local_machine = SMB_CALLOC_ARRAY(char, len+1); + local_machine = (char *)TALLOC_ZERO(NULL, len+1); if (!local_machine) { - SAFE_FREE(tmp_local_machine); + TALLOC_FREE(tmp_local_machine); return false; } /* alpha_strcpy includes the space for the terminating nul. */ alpha_strcpy(local_machine,tmp_local_machine, SAFE_NETBIOS_CHARS,len+1); strlower_m(local_machine); - SAFE_FREE(tmp_local_machine); + TALLOC_FREE(tmp_local_machine); already_perm = perm; @@ -104,17 +101,17 @@ bool set_remote_machine_name(const char *remote_name, bool perm) return true; } - tmp_remote_machine = SMB_STRDUP(remote_name); + tmp_remote_machine = talloc_strdup(NULL, remote_name); if (!tmp_remote_machine) { return false; } trim_char(tmp_remote_machine,' ',' '); - SAFE_FREE(remote_machine); + TALLOC_FREE(remote_machine); len = strlen(tmp_remote_machine); - remote_machine = SMB_CALLOC_ARRAY(char, len+1); + remote_machine = (char *)TALLOC_ZERO(NULL, len+1); if (!remote_machine) { - SAFE_FREE(tmp_remote_machine); + TALLOC_FREE(tmp_remote_machine); return false; } @@ -122,7 +119,7 @@ bool set_remote_machine_name(const char *remote_name, bool perm) alpha_strcpy(remote_machine,tmp_remote_machine, SAFE_NETBIOS_CHARS,len+1); strlower_m(remote_machine); - SAFE_FREE(tmp_remote_machine); + TALLOC_FREE(tmp_remote_machine); already_perm = perm; @@ -151,7 +148,7 @@ void sub_set_smb_name(const char *name) return; } - tmp = SMB_STRDUP(name); + tmp = talloc_strdup(NULL, name); if (!tmp) { return; } @@ -161,7 +158,7 @@ void sub_set_smb_name(const char *name) len = strlen(tmp); if (len == 0) { - SAFE_FREE(tmp); + TALLOC_FREE(tmp); return; } 
@@ -174,10 +171,10 @@ void sub_set_smb_name(const char *name) is_machine_account = True; } - SAFE_FREE(smb_user_name); - smb_user_name = SMB_CALLOC_ARRAY(char, len+1); + TALLOC_FREE(smb_user_name); + smb_user_name = (char *)TALLOC_ZERO(NULL, len+1); if (!smb_user_name) { - SAFE_FREE(tmp); + TALLOC_FREE(tmp); return; } @@ -186,7 +183,7 @@ void sub_set_smb_name(const char *name) SAFE_NETBIOS_CHARS, len+1); - SAFE_FREE(tmp); + TALLOC_FREE(tmp);
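Review bot: in the set_local_machine_name() and set_remote_machine_name() hunks (@@ -53,24 +50,24 @@ and @@ -104,17 +101,17 @@), every converted allocation uses a NULL talloc context (talloc_strdup(NULL, ...), TALLOC_ZERO(NULL, len+1)), so the blocks stay parentless and still depend on an explicit TALLOC_FREE() on each exit path, exactly as SAFE_FREE() did. Putting tmp_local_machine and tmp_remote_machine on a short-lived parent context would remove the per-path frees, and hanging the long-lived local_machine and remote_machine off a named context would make them identifiable in a talloc leak report.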
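Review bot: in the @@ -174,10 +171,10 @@ hunk of sub_set_smb_name(), smb_user_name = (char *)TALLOC_ZERO(NULL, len+1); allocates untyped bytes and then casts; talloc_zero_array(NULL, char, len+1) gives a typed chunk without the cast, and the same applies to the local_machine and remote_machine allocations earlier in the patch. Separately, the if (!smb_user_name) branch returns from a void function after the old name has already been released by TALLOC_FREE(smb_user_name), so callers cannot tell that %U is now unset; a DEBUG message on that path would make the failure visible.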
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 5bdadd1 build: Add missing dependencies on popt from a9e0333 Finally remove all malloc()'s from the substitute code. Now totally talloc() based. http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 5bdadd15013e69b6e8869386301628611268bf30 Author: Amitay Isaacs ami...@gmail.com Date: Fri Jan 27 16:57:46 2012 +1100 build: Add missing dependencies on popt This fixes compilation issues on freebsd where system popt is installed under /usr/local. Autobuild-User: Amitay Isaacs ami...@samba.org Autobuild-Date: Fri Jan 27 08:33:52 CET 2012 on sn-devel-104 --- Summary of changes: examples/libsmbclient/wscript_build |2 +- source3/wscript_build |2 ++ 2 files changed, 3 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/examples/libsmbclient/wscript_build b/examples/libsmbclient/wscript_build index 84e03f3..aa39965 100644 --- a/examples/libsmbclient/wscript_build +++ b/examples/libsmbclient/wscript_build @@ -21,5 +21,5 @@ names = ['testsmbc', for name in names: bld.SAMBA_BINARY(name, source='%s.c' % name, - deps='smbclient', + deps='popt smbclient', install=False) diff --git a/source3/wscript_build b/source3/wscript_build index 5adc2a1..7ae60be 100755 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -643,6 +643,7 @@ bld.SAMBA3_LIBRARY('netapi', source=LIBNETAPI_SRC, public_deps=''' talloc +popt msrpc3 ads NDR_LIBNETAPI @@ -1414,6 +1415,7 @@ bld.SAMBA3_BINARY('smbget', source=SMBGET_SRC, deps=''' talloc + popt smbclient''', vars=locals()) -- Samba Shared Repository
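Review bot: in the @@ -643,6 +643,7 @@ hunk of source3/wscript_build, popt is added to public_deps of netapi, the list that is propagated to users of the library, whereas the smbget hunk and the examples/libsmbclient hunk add it to deps. If the netapi public headers do not expose popt types, a private dependency would be the narrower fix for the FreeBSD include-path problem; if they do, the commit message should say so.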