[Samba] upgrade from 3.0.14a to 3.0.27a; CUPS log files flooding!

2008-03-27 Thread Alex de Vaal
On Mon Mar 24 at 12:39:30, Adrian Sender wrote:

> I have observed a similar problem; my main concern was cpu load caused by
> samba querying cups for printer "comment" and "description" fields instead
> of its local database.
> Set this through windows by mapping the printers as a print admin user.

> Once fields were set on all printers and samba restarted cpu load dropped
> from 50+% to almost 0.
> This should also resolve logging problems.

My users get the Windows (Samba/CUPS) printers installed via the logon
script of the W2k3 AD domain.
The windows users have user level on the XP client.

If I add those users (as member of an AD group) to the "printer admin =" in
smb.conf, then the problem should vanish?

Thnx for your reply,
Alex.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] upgrade from 3.0.14a to 3.0.27a; CUPS log files flooding!

2008-03-21 Thread Alex de Vaal
Hello,

I've upgraded 2 of my Samba servers (out of 100+ Samba servers) in my live
environment from version 3.0.14a to 3.0.27a.
I'm using CUPS as print system for Samba (Samba is compiled with cups-devel)
and I use the "Point 'n Print" mechanism of Samba (Windows) to provide XP
users with the appropriate drivers for the attached printers.
CUPS is configured with RAW queues and all printers are connected via the HP
JetDirectCard to the network. In CUPS I configured to send the print jobs to
the JetDirectCard of the printer.

So far so good, but after the upgrade from Samba 3.0.14a to 3.0.27a the log
files of CUPS (in /var/log/cups) are flooded, especially the access_log and
error_log files. On a site with 100+ PCs and 20 CUPS printers these log
files together generate 450 Mb of entries per day!
With version 3.0.14a these log files generated 20 Mb of entries in one week…

This happens on the Samba 3.0.27a packages of both RHEL and RHL9, so it is
not the underlying Linux OS (RHEL4, CentOS4.x and RHL9) causing the problem.

In the log files of CUPS I see entries like these flooding the error_log
file:

E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/TEST_ADM06' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/TEST_ADM05' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/TEST_ADM06' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/TEST_ADM05' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/printers' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/TEST_ADM06' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/TEST_ADM05'

In access_log I see entries like these flooding the file:

localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 195
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 278
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 195
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 199
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 278
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 199
localhost - - [16/Mar/2008:03:38:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:38:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:41:54 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:41:54 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:49:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:49:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:51:41 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:51:41 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:53:04 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:53:04 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:04:00:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:04:00:56 +0100] "POST / HTTP/1.1" 200 134

Printing from XP clients to the mentioned printers works fine, also when I
create a new printer in CUPS it shows up in Samba and I can upload the
Windows printer drivers to the Samba server.
From an XP client I can connect to this Samba printer and send a print job,
which is being printed by the printer via CUPS!

To avoid flooding of the CUPS log files I've changed the following in
/etc/cups/cupsd.conf:

==

#AccessLog /var/log/cups/access_log
AccessLog /dev/null

# info  Log all requests and state changes. (default)
# warn  Log errors and warnings.
# error Log only errors.
# none  Log nothing.
#

LogLevel none

==

This results in 0 byte log files and no real logging of CUPS, besides the
page_log file.

Can anyone tell me if they encountered the same issue and what they did to
solve it?


My smb.conf looks like this:

# Global parameters
[global]
workgroup = TEST
realm = TEST.COM
server string = %h server (Samba %v)
security = ADS
password server = adm04.test.com, adm01.test.com
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 660
domain master = No
ldap timeout = 15
ldap page size = 100
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash
winbind cache time = 660
printer admin = root, "@TEST.COM\Domain Admins"
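
An added example, not part of the original post: the two CUPS logs quoted above can be reduced to a few signatures to confirm that a single local caller produces the flood. The sample records are constructed in the quoted format, the function names are hypothetical, and the code also re-joins records that a mail client has hard-wrapped.

```python
import re
from collections import Counter

# Constructed samples in the format quoted in the post; the error_log records
# are hard-wrapped the way a mail client wraps long lines.
ERROR_LOG = """\
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name '/printers'
no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name
'/TEST_ADM06' no good!
E [19/Mar/2008:13:13:30 +0100] get_printer_attrs: resource name
'/TEST_ADM05' no good!
E [19/Mar/2008:13:13:31 +0100] get_printer_attrs: resource name '/printers'
no good!
"""
ACCESS_LOG = """\
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 195
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 278
localhost - - [16/Mar/2008:03:38:55 +0100] "POST / HTTP/1.1" 200 195
localhost - - [16/Mar/2008:03:38:56 +0100] "POST / HTTP/1.1" 200 134
localhost - - [16/Mar/2008:03:41:54 +0100] "POST / HTTP/1.1" 200 134
"""

ERROR_RE = re.compile(r"^(?P<level>[A-Za-z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \d+')
QUOTED_RE = re.compile(r"'[^']*'")


def unwrap(text):
    """Re-join error_log records that were wrapped onto a second line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ERROR_RE.match(line) or not records:
            records.append(line)          # start of a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records


def error_signatures(text):
    """Count error_log messages with quoted names masked, plus the names."""
    signatures, resources = Counter(), Counter()
    for record in unwrap(text):
        m = ERROR_RE.match(record)
        if not m:
            signatures[("?", "unparsed")] += 1
            continue
        for name in QUOTED_RE.findall(m["msg"]):
            resources[name.strip("'")] += 1
        signatures[(m["level"], QUOTED_RE.sub("'<name>'", m["msg"]))] += 1
    return signatures, resources


def access_summary(text):
    """Count access_log requests per (client, request, status) and per second."""
    clients, per_second = Counter(), Counter()
    for line in text.splitlines():
        m = ACCESS_RE.match(line.strip())
        if m:
            clients[(m["host"], m["req"], m["status"])] += 1
            per_second[m["ts"]] += 1
    return clients, per_second


def dominant(counter):
    """Return (key, share of total) for the most frequent entry."""
    total = sum(counter.values())
    if not total:
        return None, 0.0
    key, count = counter.most_common(1)[0]
    return key, count / total


if __name__ == "__main__":
    signatures, resources = error_signatures(ERROR_LOG)
    clients, per_second = access_summary(ACCESS_LOG)
    print("error signature:", dominant(signatures))
    print("resources named:", dict(resources))
    print("access source:  ", dominant(clients))
    print("busiest second: ", dominant(per_second)[0], max(per_second.values()))
```
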

Re: [Samba] Samba server joining domain and browsing group shares

2008-03-21 Thread Alex de Vaal
On Tue, Mar 11, 2008 at 12:25 AM, Victor Mendez <[EMAIL PROTECTED]> wrote:

> Alex thanks a lot. The problem was solved. The configuration information you
> provided me was very precise and correct. The problem was with SuSE and the
> YAST2 SAMBA GUI.


Hello Victor,

I'm glad that my configuration information put you on the right track to get
things going.
The configuration information I gave you runs on more than 100 Samba sites
that are a Domain Member of a W2k3 Domain Controller.

> Thanks a lot, over the weekend we converted the 1st production server with
> this setup and we are converting 2 more win2k servers to samba servers. We
> are only keeping the PDC (It only contains the Active directory information,
> nothing else).

We have more or less the same setup, we have around 7 W2k3 Domain
Controllers on several European sites.
On more than 100 sites we have only CentOS/Red Hat Enterprise Linux servers
running with Samba as domain member.
The Samba domain members are connected to the remote DC's and this works
fine for more than 3 years now!


> The following is for SuSE user with 10.3 x-64, shares names defined
> in /etc/samba/smb.conf should be in lower case. It will not work when using
> upper case characters. Another thing when creating groups on the windows PDC
> make sure that the groups are global not local otherwise linux function
> getent will not see them.
> Well that does it for us.


I have my shares configured in lower case (as you said), like this:

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes

The AD group DEP_TEST_MEMBER has access to this share.

In the AD we have also a group DEP_TEST_IT and IT users (in the test
environment) are member of both AD groups, so the users have access to the
share.

On Linux file system level I have in the /data/grp directory a directory
called: IT.

I gave the AD group DEP_TEST_IT rights on the IT directory as follows:

chmod 2770 /data/grp/IT
chown 0:"TEST\dep_test_it" IT

"TEST\dep_test_it" must be between " " because \ is a meta character; quoted
like this, it is the \ separator for winbind.

Group names that are stored in capitals in the AD are resolved in lower case
by the winbind daemon.

Indeed, the group dep_test_it must NOT exist in the Linux group entry.

> Cheers Alex and thanks again ;-)
> Regards
> Victor

You're welcome.

Regards,
Alex.


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-03 Thread Alex de Vaal
On Mon, Mar 3, 2008 at 2:06 PM, Alex de Vaal wrote:

> Did you configure /etc/krb5.conf too?
>
> My /etc/krb5.conf looks like this:
>
> [libdefaults]
>  default_realm = TEST.COM
>
> [realms]
>  NH-HOTELES.COM = {
>   kdc = adm01.test.com:88
>   kdc = adm03.test.com:88
>   kdc = adm04.test.com:88
>  }
>
>
This is the correct /etc/krb5.conf file (sorry):

[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }

"kdc" equals a Domain Controller in your AD (Kerberos server).

Regards,
Alex.


Re: [Samba] Samba server joining domain and browsing group shares

2008-03-03 Thread Alex de Vaal
On Fri, Feb 29, 2008 at 5:06 PM, Victor Mendez <[EMAIL PROTECTED]> wrote:

> Output of getent command:
>
> cuzco:~ # getent group "NETSYS\Documentaries"
> documentaries:x:10008:netsys\fmendez,netsys\vmendez,amendez
>
> cuzco:~ # getent group "NETSYS\Series"
> series:x:10007:netsys\fmendez,netsys\vmendez,amendez
>
> cuzco:~ # getent group "NETSYS\Movies"
> movies:x:10005:netsys\vmendez,amendez,fmendez
>
> So it looks as we have solved the winbind separator problem .
>

Hi Victor,

This is the correct output of the "getent group" command. This is how I see
it on my Samba servers too, so it seems that your winbind problem is solved
indeed!

> But we still get no directory browse. I include the output of
> the /var/log/samba/* files group when I try to login from a workstation
> see smb-logs.tar.gz
>
> In this file there are two errors that brought my attention:
> 1st error =
>  02/29/2008 10:22:01 AM libads/kerberos_verify.c ads_keytab_verify_ticket 172
> ads_keytab_verify_ticket: krb5_rd_req failed for all 12 matched keytab principals
>
> 2nd error =
> 02/29/2008 10:22:01 AM  lib/util_sid.c  string_to_sid   223
> string_to_sid: Sid @NETSYSTEMSINFO>COM\Documentaries does not start with 'S-'.
>
> what I try to do is I try to browse/connect to the Documentaries share
>


Error messages of winbind can be found in the /var/log/samba/winbindd.log.
Look in this file or on the log file of the IP number that tries to connect
(via browse) to the share but you'll probably see "Failed to verify incoming
ticket".
This can be a number of things. Where did you get the Samba packages?
Which Kerberos version are you using on your server?

Did you configure /etc/krb5.conf too?

My /etc/krb5.conf looks like this:

[libdefaults]
 default_realm = TEST.COM

[realms]
 NH-HOTELES.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }


I have Red Hat Linux servers and to connect to a Windows Server 2003 I need
at least MIT Kerberos version 1.3.1 on my Linux server with the Samba Red
Hat packages downloaded from samba.org
Your Linux server must be in timesync with the DC too; use "ntpdate -b " to synchronize time.
Use the "net ads info" command to see if you're in timesync (look at "Server
time offset", must be around 0, but not more than 300!)

Sometimes you also need to reboot the workstation that needs to connect to
the share on the samba server.

If you don't use MIT kerberos, but HEIMDAL kerberos, you have to look in the
Samba documentation how to configure this (it is well described).


I hope this helps!

Regards,
Alex.
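
An added example, not part of the original message: the krb5.conf quoted above sets default_realm = TEST.COM but names its [realms] stanza NH-HOTELES.COM, which the follow-up message in this thread corrects to TEST.COM. The check below flags that case, an unterminated stanza, and a default realm that differs from the `realm =` value in smb.conf; the function names and finding labels are hypothetical, and the unterminated sample is constructed.

```python
# Minimal krb5.conf consistency check (illustrative; handles only the flat
# [libdefaults] / [realms] layout used in this thread).

AS_POSTED = """\
[libdefaults]
 default_realm = TEST.COM

[realms]
 NH-HOTELES.COM = {
  kdc = adm01.test.com:88
  kdc = adm03.test.com:88
  kdc = adm04.test.com:88
 }
"""
# The corrected file from the follow-up message.
CORRECTED = AS_POSTED.replace("NH-HOTELES.COM", "TEST.COM")
# Constructed variant: the same file with its closing brace cut off.
UNTERMINATED = CORRECTED.rstrip().rsplit("\n", 1)[0]


def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}, [unterminated realms])."""
    default_realm, realms, unterminated = None, {}, []
    section = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if current is not None:          # stanza still open at new section
                unterminated.append(current)
            section, current = line[1:-1].strip().lower(), None
            continue
        if line == "}":
            current = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value == "{":
            current = key
            realms[current] = []
        elif section == "realms" and current is not None and key == "kdc":
            realms[current].append(value)
    if current is not None:                  # stanza still open at end of file
        unterminated.append(current)
    return default_realm, realms, unterminated


def check_krb5(text, samba_realm=None):
    """Return a list of (label, realm) findings; an empty list means consistent."""
    default_realm, realms, unterminated = parse_krb5(text)
    findings = []
    if default_realm is None:
        findings.append(("no-default-realm", None))
    elif default_realm not in realms:
        # kdc lines listed under another realm name are not used for this realm
        findings.append(("no-stanza", default_realm))
    findings += [("no-kdc", r) for r, kdcs in realms.items() if not kdcs]
    findings += [("unterminated", r) for r in unterminated]
    # Realm names are case-sensitive; compare with smb.conf "realm =" exactly.
    if samba_realm and default_realm and samba_realm != default_realm:
        findings.append(("realm-mismatch", samba_realm))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("corrected", CORRECTED),
                        ("unterminated", UNTERMINATED)):
        print(label, check_krb5(text, samba_realm="TEST.COM"))
```
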


Re: [Samba] Samba server joining domain and browsing group shares

2008-02-29 Thread Alex de Vaal
On Fri, Feb 29, 2008 at 5:12 AM, Victor Mendez <[EMAIL PROTECTED]> wrote:

> Alex thank you for your support, can you please explain the command below:
> Specially the chown I'm not familiar with the syntax you are using. If I try
> to apply this to our TEST configuration it does not work we get the following
> error:
> cuzco:~ # chown 0:"NETSYS\Series" /Series
> chown: `0:NETSYS\\Series': invalid group
>
> Being NETSYS = workgroup name
> Being Series = group Series defined on the ADS windows PDC
> Being  /Series = a disk share on the samba machine
>
> > On the server you have to use the chown command and chmod command to give
> > the AD group DEP_TEST_MEMBER access on the Linux filesystem:
> > chmod g+s /data/grp
> > chown 0:"TEST\DEP_TEST_MEMBER" /data/grp
>
> QUESTION: does DEP_TEST_MEMBER is a group defined on the Linux box and on the
> ADS. or is only defined on the ADS.?



DEP_TEST_MEMBER is a group only defined in the AD.


>
> on my linux TEST box on the /etc/groups there is no "Series" group
> on my windows TEST ADS there is a group called "Series"  with 4 users
>
> Another thing maybe I have not been clear, from our windows workstations we
> want to connect to a share in the Linux box but the user logged in the
> workstation does NOT have an account on linux machine he has an account on
> the windows ADS PDC.
>


AD users don't need an account on the Linux machine. But for Samba to work
properly with AD users, you also need the winbind daemon to run.
winbind is a daemon of Samba. If winbind runs properly then AD users/groups
will be a (virtual) part of /etc/passwd and /etc/group.

The file /etc/nsswitch.conf must look like this for winbind to run properly:
passwd: files winbind
shadow: files
group:  files winbind

You can test that by using the getent command:
getent group "TEST\DEP_TEST_MEMBER"

The AD group DEP_TEST_MEMBER will be now translated to a Linux GID.

> - Joining the Domain see command below:
>  cuzco:~ # net ads join -U Administrator
>  Administrator's password:
>  Using short domain name -- NETSYS
>  Joined 'CUZCO' to realm 'NETSYSTEMSINFO.COM'


That looks fine.


> We have adjusted the /etc/samba/smb.conf file to match your sample file
> config. Here I include a copy:
> [global]
> workgroup = NETSYS
> realm = NETSYSTEMSINFO.COM
> preferred master = no
> server string = Linux file server
> security = ADS
> encrypt passwords = yes
> log level = 3
> printcap name = cups
> printing = cups
> cups options = raw
> winbind enum users  = yes
> winbind enum groups = yes
> winbind use default domain = yes
> winbind nested groups = no
> winbind separator = +


The problem resides here: "winbind separator = +"
Remove that entry and now the separator will be "\"


>
> [series]
> comment = Series media files
> #inherit acls = Yes
> inherit permissions = Yes
> path = /Series
> read only = No
> valid users = @NETSYSTEMSINFO.COM\Series
> hide unreadable =yes


If you want to use "winbind separator = +" then the "valid users" must be
like this: @NETSYSTEMSINFO.COM+Series

Regards,
Alex.
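
An added example, not part of the original message: the mismatch described above (a `winbind separator` that differs from the one written in `valid users`) can be checked mechanically before smbd is restarted. The sample smb.conf is abridged from the configuration quoted in this thread, the function names are hypothetical, and the set of candidate separator characters (`\`, `+`, `/`) is an assumption of this sketch.

```python
import re

# Name-list parameters to inspect, with whitespace removed from the key.
NAME_LISTS = ("validusers", "invalidusers", "readlist", "writelist",
              "adminusers", "printeradmin")
CANDIDATE_SEPARATORS = "\\+/"          # assumption: characters treated as separators
TOKEN_RE = re.compile(r'"([^"]*)"|([^\s,]+)')   # "quoted name" or bare name

# Abridged from the configuration quoted in the thread.
MISMATCHED = r"""
[global]
workgroup = NETSYS
realm = NETSYSTEMSINFO.COM
security = ADS
winbind separator = +

[series]
path = /Series
read only = No
valid users = @NETSYSTEMSINFO.COM\Series
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            # Parameter names are case- and whitespace-insensitive in smb.conf.
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf


def check_separators(text):
    """Return (section, parameter, name, separator used, separator configured)."""
    conf = parse_smb_conf(text)
    configured = conf.get("global", {}).get("winbindseparator", "\\")
    findings = []
    for section, params in conf.items():
        for key in NAME_LISTS:
            for quoted, bare in TOKEN_RE.findall(params.get(key, "")):
                name = quoted or bare
                body = name.lstrip("@+&")      # drop group-lookup prefixes
                used = [c for c in CANDIDATE_SEPARATORS if c in body]
                if used and configured not in body:
                    findings.append((section, key, name, used[0], configured))
    return findings


if __name__ == "__main__":
    for finding in check_separators(MISMATCHED):
        print("separator mismatch:", finding)
```
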


Re: [Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a

2008-02-27 Thread Alex de Vaal
Hello Eric,

Thnx for your answer, now I know I couldn't find anything about the
subject... ;-)
Before I asked the question about the krb5.conf file in
/var/lib/samba/smb_krb5 I searched all Samba documentation and googled
around, but I didn't find an answer that satisfied me.
I already noticed that this file has a link with the gencache.tdb file, I
played around with this in my test environment (remove the files and start
the daemons and look what is in it with a binary editor).

I'd like to understand what the file does, because my Samba domain members
in the live environment have no DC's in the same IP net, they are all behind
routers. So I want to know how this works, before I use Samba 3.0.27a in my
live AD environment.

BTW; you can see with "netstat -na | grep 445" to which DC the Samba server
is talking to...

Regards,
Alex.



On Wed, Feb 27, 2008 at 5:52 PM, Eric Roseme <[EMAIL PROTECTED]>
wrote:

> I asked a co-worker who attended the Samba workshop last September to
> pose the following question.  The answer follows (maybe it will help):
>
> Q1.   Will the new (3.0.25b) krb5 code (that creates a
> Samba-specific krb5.conf file) be documented somewhere?
>
>
> A1.  Samba does not have documentation about the Samba-specific
> krb5.conf that is placed in locking directory. And also, after running
> kinit to obtain Kerberos ticket, Samba stores the ticket into memory
> tdb, probably gencache.tdb. But Samba doesn't provide a tool to allow
> users to see which DC Samba is talking to. Currently, we can use klist
> to see which domain is being used by Samba.
>
> Obviously this does not answer your question about how it works, but it
> might get you closer.
>
> Eric Roseme
>


[Samba] Samba server joining domain and browsing group shares

2008-02-27 Thread Alex de Vaal
Hello,

What you want is rather easy, I have it running.

My Samba server (on Red Hat) is Domain member of a W2k3 native AD, so it is
joined to the domain (net ads join -Uusername%password)

This is what my smb.conf looks like:


# Global Parameters Needed For Samba 3.0.27a
[global]
workgroup = TEST
realm = TEST.COM
server string = %h server (Samba %v)
security = ADS
password server = adm04.test.com, adm01.test.com
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 660
domain master = No
ldap timeout = 15
idmap uid = 1-3
idmap gid = 1-3
template homedir = /data/hom/%U
template shell = /bin/bash
winbind cache time = 660
printer admin = "@TEST.COM\Domain Admins", @TEST.COM\DEP_ADMIN
oplocks = No
level2 oplocks = No
default devmode = No
enable privileges = Yes
host msdfs = No
msdfs root = No
winbind enum users = Yes
winbind enum groups = Yes
winbind nested groups = No
printing = cups
strict locking = Yes

[homes]
comment = Home Directories
read only = No
create mask = 0600
directory mask = 0700
browseable = No

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes


On the server you have to use the chown command and chmod command to give
the AD group DEP_TEST_MEMBER access on the Linux filesystem:
chmod g+s /data/grp
chown 0:"TEST\DEP_TEST_MEMBER" /data/grp

I have 200+ sites running like this... ;-)

Regards,
Alex.


[Samba] krb5.conf file in /var/lib/samba/smb_krb5; Samba 3.0.27a

2008-02-27 Thread Alex de Vaal
Hello list,

I've upgraded from Samba 3.0.14a to 3.0.27a (Samba is a domain member of a
W2k3 native AD) and I see that in the /var/lib/samba/smb_krb5 directory a
krb5.conf file is created.
Is this krb5.conf file extracted from my original /etc/krb5.conf? Or is this
file created from the "password server =" entry in my smb.conf file?
My original /etc/krb5.conf contains the DC's in DNS name and the
krb5.conf file in /var/lib/samba/smb_krb5 contains DC's on IP address.

I noticed also that the krb5.conf file in /var/lib/samba/smb_krb5 is only
renewed if /var/lib/samba/gencache.tdb is deleted before winbind is
restarted and it also uses the DC that is configured as primary DC in Sites
and Services in the Active Directory.

Can anyone shed light on how this works?

Thnx,
Alex.

Some info:

/etc/samba/smb.conf
===

password server = adm02.test.com, adm03.test.com


/etc/krb5.conf
==

[libdefaults]
 default_realm = TEST.COM

[realms]
 TEST.COM = {
  kdc = adm02.test.com:88
  kdc = adm03.test.com:88
  kdc = adm01.test.com:88
 }


/etc/hosts


192.168.100.100 adm01.test.com
10.0.0.100      adm02.test.com
192.168.100.110 nhadm03.test.com


/var/lib/samba/smb_krb5/krb5.conf.TEST
=

[libdefaults]
default_realm = TEST.COM

[realms]
TEST.COM = {
kdc = 192.168.100.110
kdc = 10.0.0.100
}


[Samba] Prevent drag and drop within Samba shares

2008-02-26 Thread Alex de Vaal
Hello,
 
Is there a parameter in smb.conf that prevent users to use drag and drop
within Samba shares?
 
I know this is a Winedow$ function, but some users (hum, hum) use Explorer
to open their files and
accidentally they drag and drop sometimes a directory in the root of the
share to another directory in the root of the share.
 
My samba server is member of a native W2k3 server Active Directory and AD
users are able to access the Samba shares.
 
The share is configured like this in smb.conf:
 
[grp]
comment = Group Directory
path = /data/grp
valid users = @NH-HOTELES.COM\DEP_RHEL4_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes

The /data/grp directory looks like this:
 
drwxrws---  2 root NH-HOTELES\dep_rhel4_adm 4096 Sep 11  2006 adm
drwxrws---  4 root NH-HOTELES\dep_rhel4_fog 4096 Mar  9  2007 fog

If a user is member of dep_rhel4_adm and dep_rhel4_fog he/she is able to
drag and drop the fog directory into the adm directory.
 
If it is not possible to configure this within smb.conf, can I do something
on the Linux side?
 
Thanx for any answer.
 
Alex.





[Samba] Prevent drag and drop within Samba shares

2007-12-18 Thread Alex de Vaal
Hello,

Is there a parameter in smb.conf that prevent users to use drag and drop
within Samba shares?

I know this is a Winedow$ function, but some users (hum, hum) use Explorer
to open their files and accidentally they drag and drop sometimes a
directory in the root of the share to another directory in the root of the
share.

My samba server is member of a native W2k3 server Active Directory and AD
users are able to access the Samba shares.

The share is configured like this in smb.conf:

[grp]
comment = Group Directory
path = /data/grp
valid users = @NH-HOTELES.COM\DEP_RHEL4_MEMBER
read only = No
inherit permissions = Yes
hide unreadable = Yes

The /data/grp directory looks like this:

drwxrws---  2 root NH-HOTELES\dep_rhel4_adm 4096 Sep 11  2006 adm
drwxrws---  4 root NH-HOTELES\dep_rhel4_fog 4096 Mar  9  2007 fog

If a user is member of dep_rhel4_adm and dep_rhel4_fog he/she is able to
drag and drop the fog directory into the adm directory.

If it is not possible to configure this within smb.conf, can I do something
on the Linux side?

Thanx for any answer.

Alex.


[Samba] RE: Support of Samba on RHEL4?

2006-09-21 Thread Alex de Vaal

The only reason I stepped into RHEL4 was the hardware support. I have a new
Dell PE2900 server with SAS drives and for RHL9 no drivers are available, so
I had to step forward to RHEL4 (which is obvious for me).
I have almost 100 Linux servers running with Red Hat Linux 9, you know, the
obsolete version. ;) All these servers are running flawlessly with Samba
3.0.14a from samba.org

I can't remember I ever signed a contract with you to support my servers :-)
However, my opinion is that the support I receive from samba.org is (up
until now) sufficient for me; if I may quote the patch for W2k3 SP1, that
came out a few hours after the release of SP1.
What took more effort concerning the support of Samba, was the flaw of LDAP
failover with W2k3 DC's. I was banging my head regarding this issue and
entering a bug on bugzilla about this issue didn't help me. I was however
actively involved to tackle that issue and it was solved with a proposed
patch of "my partner in crime".  So I was not only consuming support from
Samba but also contributing support to Samba. :-)

When RHEL5 is released I'll take a look which version of Samba they will use
as default and hopefully this will be one of the latest Samba versions. I
can change at any time the Samba packages from samba.org to the RH Samba
packages, which give me full support from RH then... :-)
Maybe I have to consider CENTOS instead of RHEL4, because I didn't need
RHEL4 for support from Red Hat, I only needed for hardware reasons. 

Regards,
Alex.
 

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Monday 18 September 2006 2:15
To: Alex de Vaal
Cc: samba@lists.samba.org
Subject: Re: Support of Samba on RHEL4?


Alex de Vaal wrote:

> Is there any technical reason NOT to use the packages of samba.org on 
> RHEL4?

Nope.  No reason at all other than RH support.

> Regarding the above info I'd like to use the original samba packages 
> on RHEL4. If I only void support for Samba at Red Hat, so be it. I'm 
> convinced I'm better off with Samba support at samba.org...

For those with more complex setups than a single PDC or standalone server, I
would agree.  But I'm not signing a contract to support your servers :-)

cheers, jerry




RE: [Samba] Support of Samba on RHEL4?

2006-09-21 Thread Alex de Vaal
Hello Aaron,

It is always good that people are thinking along and actually you ask right
questions to me, which I asked myself too.
To answer your questions:

1) No.
2) Yes
3) No, not yet.
4) They do that anyway ;)
5) YES!

I have almost 100 Linux servers running with Red Hat Linux 9, you know, the
obsolete version. ;) All these servers are running with Samba, which I
tested and tested in our test environment against a real copy of our Active
Directory.
With RHL9 and Samba I have no support anyway and I'm "on my own" for
support.
Whenever a new update comes out I test it thoroughly in my test environment
before I install it on all other servers. Before I roll-out an updated
version of Samba I test it for a month on 1 or 2 production sites anyway.
On my production servers I still run 3.0.14a of Samba, because that version
works great against W2k3 server SP1. As soon as SP1 came out, samba.org
immediately came up with a patch for Samba and this is the kind of support I
need... Not how to install and configure it... ;)

The only reason I stepped into RHEL4 was the hardware support. I have a new
Dell PE2900 server with SAS drives and for RHL9 no drivers are available, so
I had to step forward to RHEL4 (which is obvious for me).

Maybe I have to consider CENTOS instead of RHEL4, because I didn't need
RHEL4 for support from Red Hat, just for technical reasons. CENTOS4 is a 1:1
copy of RHEL4, but without the RedHat logo... (and the Red Hat support)

Regards,
Alex.

-----Original Message-----
From: Aaron Kincer [mailto:[EMAIL PROTECTED] 
Sent: Friday 15 September 2006 18:17
To: Alex de Vaal
Cc: samba@lists.samba.org
Subject: Re: [Samba] Support of Samba on RHEL4?

Alex,

I tried running Samba on RHEL4 Update 2 (on VMWare) and ran into some issues
and I can provide you my opinion. Take care when making any decisions. There
are quite a few things to consider:

1) Is having support from Red Hat on Samba necessary?
2) Are you confident enough in yourself to go off the beaten path from Red
Hat?
3) Have you considered other vendors for support on Samba itself?
4) Would upper management (if any) hold you responsible for going off the
support path in the event of an issue?
5) Do you have an adequate test environment?

If you are going away from Red Hat support, #5 is critical. They test and
test and test (or at least should) packages prior to pushing them out. They
will know or be able to quickly find solutions to common problems with their
packages. There are some caveats to that statement, so let me get to a bit
more meat.

Let's face it--the packages in RHEL4 for Samba are just plain old. Red Hat
has back-ported security fixes and even some bug fixes, but I know without a
doubt that not all bugs have been addressed. RHEL5 will be out in the coming
future. Perhaps it will provide newer packages. I urge you to investigate
and consider that route if you are extremely nervous about losing support on
Samba from them.

In my case, I've chosen to move my production File Server to Ubuntu 6.06
Server (well, I have loaded the latest distro upgrade) running Samba
3.0.22 after I complete quite a bit of testing. I just found myself banging
my head against the wall with my smb.conf in ways that I shouldn't have to
since the problems were with bugs in the older Samba that haven't been
back-ported. The instant I transferred my smb.conf over to the new Ubuntu
server, my bugs went away. The one exception is the archive bit issue I've
been posting about lately.

The bottom line in my humble opinion is that if you go your own way, you
shift burden of responsibility more to yourself than Red Hat. Of course, if
you have the hardware (or a VMWare/Xen virtual server) you could always run
parallel using two servers with a Red Hat approved Samba version as a
control and your own Samba server with identical configurations (minus Samba
version) for production and work out non-bug related issues with their help
on your reference server. This won't help you in resolving bug-related
issues, but it could help provide you with a warm fuzzy-feeling. This would
be less than ideal since the versions are so far apart.

I know you asked for technical reasons, but you should be aware that not all
of the factors in the equation are technical when considering a production
server.

Hope that helps.

Aaron Kincer




[Samba] RE: Support of Samba on RHEL4?

2006-09-21 Thread Alex de Vaal
Hello Gianluca,

The "rpm -q --changelog package" command was known to me, but the original
Samba packages don't contain a changelog.

As for the RHEL4 Samba packages; the changes are applied by RedHat
engineers, but if you are looking into the patches themselves, they come mostly
from samba.org
How can otherwise statements of Jeremy Allison of samba.org be in patches of
RedHat... ;) and the only way to find out is to dig in the patches
themselves...

Regards,
Alex.


-----Original Message-----
From: Gianluca Cecchi [mailto:[EMAIL PROTECTED] 
Sent: Friday 15 September 2006 15:42
To: [EMAIL PROTECTED]
Cc: samba@lists.samba.org
Subject: re: Support of Samba on RHEL4?

Alex,
I could not agree more with you.
BTW, perhaps you already know, but just in case:
If you want to see the patches applied to a package during its history, and
you don't need to dig into the sources themselves, you can query the
changelog for an rpm package without having to download
sources:

rpm -q --changelog package

for example  for my samba-3.0.10-1.4E.2
rpm -q --changelog samba
* Wed May 11 2005 Jay Fenlason <[EMAIL PROTECTED]> 3.0.10-1.4E.2

- include the -bug157208 patch. to close
  bz#157208 CRM 511318 - smbfs dont respect uid and gid options when
mounting

* Fri Apr 29 2005 Jay Fenlason <[EMAIL PROTECTED]>

- include the -smbspool pattch from RHEL-3, to close
  bz#155350 SAMBA client working, printer configuration not working
- include the -winbindd_2k3sp1 patch to allow Samba to authenticate
  against a Windows 2003 SP1 machine.  This closes
  bz#154558 Winbind refuses to authenticate against Windows 2003 SP1

* Wed Mar 30 2005 Jay Fenlason <[EMAIL PROTECTED]> 3.0.10-1.4E.1

- try the -gcc4 patch, to see if it solves problems with nmbd crashing.
  bz#150582 ? nmbd dies when windows client requests browse list

* Tue Jan 04 2005 Jay Fenlason <[EMAIL PROTECTED]> 3.0.10-1.4E

- Upgrade to 3.0.10, to close bz#143983  This obsoletes
  the -CAN-2004-1154 patch.
- Include the -64bit patch from Nalin.  This closes bz#142873




[Samba] Support of Samba on RHEL4?

2006-09-15 Thread Alex de Vaal
Hello,

A while ago I asked what kind of Samba packages I could use on
RHEL4. If I use the packages from www.samba.org then I'd void
the support agreement with Red Hat. (...)
Downloading and investigating the latest Samba source package from
RHN (samba-3.0.10-1.4E.9.src.rpm) told me that the Samba package
of RHN is based on the native 3.0.10 Samba package of samba.org
with some necessary patches (samba-3.0.10-winbindd_2k3sp1.patch, 
samba-3.0.10-ldap-failover-timeout-backport.patch are the most important
ones for me), while even the patches come from samba.org

In samba-3.0.10-ldap-failover-timeout-backport.patch I found this statement:
+   /* Setup alarm timeout Do we need both of these ? JRA. */

This is from Jeremy Allison of samba.org...

Is there any technical reason NOT to use the packages of samba.org on RHEL4?

Regarding the above info I'd like to use the original samba packages on
RHEL4.
If I only void support for Samba at Red Hat, so be it. I'm convinced I'm
better off with Samba support at samba.org...

Regards,
Alex.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Wednesday 12 July 2006 13:22
To: Alex de Vaal
Cc: samba@lists.samba.org
Subject: Re: [Samba] Fedora packages or Enterprise packages of Samba on
RHEL4?


Alex de Vaal wrote:
>  
> Can somebody of the Samba team explain me the difference of Fedora 
> packages or Enterprise packages
> (http://enterprisesamba.com/) of Samba on Red Hat Enterprise Linux 4?
...
> First I tried the RHEL4 packages from enterprisesamba.com, but these 
> packages always ended up with the error message "Segmentation fault" 
> while I used "net ads join";

If you need support for the SerNet packages, you will have to contact
SerNet.

> Therefore I compiled the Fedora source package on RHEL4; this went 
> well.
...
> I'd like to continue with the Fedora Samba package on my RHEL4 server, 
> but I'd like to know why or why NOT to use it! (and why I have to use 
> the packages of
> enterprisesamba.com)

The Fedora specfile provided with Samba is compatible with RHEL4.  I don't
build RHEL4 packages only because IMO if you pay for support for RedHat,
installing non-vendor supplied packages would void your support agreement.

Although I could provide RPMS for the latest version of CentOS which should
be binary compatible with RHEL4 systems.

While I'm at it, is there any pressing need for 64-bit rpms as well?




cheers, jerry
=
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


RE: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-14 Thread Alex de Vaal
Don Meyer wrote:

> OK, my advice is to do the following:

> 1) Grab the latest 3.0.23 tarball from one of the Samba mirrors
> 2) expand it into a directory on your RHEL4 systems where you've been
> building packages
> 3) cd ./samba-3.0.23/packaging/RHEL/
> 4) exec the command: ". makerpms.sh"
> 5) when the package build is finished: cd /usr/src/redhat/RPMS/i386/

> You should have a nice set of up-to-date packages for your RHEL4 
> system in this directory.   Thanks to Jerry and all the others for 
> the attention in the last couple versions to the RHEL packaging...

Thanx for the tip Don! Didn't know there was a RHEL section in the packaging
directory. I played before with the "makerpms.sh" script for RHL9, so I know
the drill... ;)
Good tip for newbies though. ;)


> There are two caveats with this:

> a) The cache directory is moved from /var/cache/samba/ to 
> /var/lib/samba/.   This move does not adjust the SELinux labels when 
> it creates the new directory, and since it copies files - the files are
> created with the incorrect labels inherited from the new 
> directory.  I only had to do it once, but IIRC - executing "mv 
> /var/cache/samba /var/lib" before installing the new packages worked for
> me on a new system.

Ok, the Samba databases are in RHL9 and Fedora already in the
/var/lib/samba/ dir. The Samba databases of the Fedora source package I
compiled and installed on RHEL4 are also in the /var/lib/samba/ dir.

> b) The smbd and nmbd services run fine under the standard RHEL4 
> selinux-policy-targeted ruleset.   However, winbindd rules aren't in 
> this set, and will fail if SELinux is enabled/enforcing.  If you 
> are running winbindd, (which you probably are in ads mode) you can deal
> with this problem in a number of ways:
...
> This will load some additional rules that will allow winbindd to run 
> without any (significant) AVC errors.   This should only need to be done
> once.

Running winbindd failed indeed in the first instance on RHEL4 because of
SELinux. In SELinux there is however a "winbind_disable_trans" boolean (in
the file: /etc/selinux/targeted/booleans), which is default 0. If you change
this to 1 and reboot the server, winbind will run smoothly on RHEL4.

Regards,
Alex.




RE: [Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-14 Thread Alex de Vaal
Gerald (Jerry) Carter wrote:

> If you need support for the SerNet packages, you will have to contact
> SerNet.

Ok, clear. Does SerNet have their own SVN source of Samba then? Or are they
using the one of samba.org?
If not, what is the technical difference of enterprisesamba and the
"original" samba then?

> The Fedora specfile provided with Samba is compatible with RHEL4.  
> I don't build RHEL4 packages only because IMO if you pay for support for
> RedHat,
> installing non-vendor supplied packages would void your support agreement.

Right, I only wanted to know if there are technical issues NOT to use the
Fedora packages on RHEL4. 
Somebody in the list already gave a tip that there is a RHEL section in the
packaging directory (tarball of 3.0.23), which contains the "makerpms.sh"
script to create the RPMS for RHEL4.
I'll use this one to create the RPMS for RHEL4, unless you say there is no
difference with the src.rpm of Fedora.
I'll ask Red Hat if I void the support agreement if I only use the Samba
packages of samba.org on my RHEL4 server. I'd like to use the samba packages
from "the source" on my servers, because I have very good experience with
that. I'd like to mention the patch for W2k3 server SP1 that was created
almost instantly by the Samba Team after the release of SP1 and a few other
issues I had, like the DC (LDAP) server failover, were solved by the Samba
Team. I doubt if I get this kind of support for Samba from Red Hat...

> Although I could provide RPMS for the latest version of CentOS
> which should be binary compatible with RHEL4 systems.

Correct, my Swiss colleague uses CentOS and he uses the Red Hat
enterprisesamba packages of RHEL4 on his servers without problems.

> While I'm at it, is there any pressing need for 64-bit rpms as well?

For me not, but maybe for others out there... ;)

Regards,
Alex.




[Samba] Fedora packages or Enterprise packages of Samba on RHEL4?

2006-07-11 Thread Alex de Vaal
Hello,
 

Can somebody of the Samba team explain to me the difference between the
Fedora packages and the Enterprise packages (http://enterprisesamba.com/)
of Samba on Red Hat Enterprise Linux 4?
I tried to find any information about this subject, but googling doesn't
help me.

The standard Samba package (3.0.10EL) of RHEL4 doesn't communicate with a
W2k3 server SP1 with "security=ads" on Samba. This is solved in Samba
version 3.0.14a, so I want to use this package; I use this version on all my
RHL9 servers and this package is very stable!

First I tried the RHEL4 packages from enterprisesamba.com, but these
packages always ended up with the error message "Segmentation fault" while I
used "net ads join"; I recompiled the source of this package because I have
to use the default Kerberos of RHEL4 (which is MIT instead of Heimdal).
Version 3.0.22 of enterprisesamba doesn't have this problem, but it has the
problem that "security=ads" can't be used (look at thread
http://lists.samba.org/archive/samba/2006-May/120688.html). I need to use
Kerberos on Samba, so "security=domain" (and use NTLM as authentication
mechanism) is no option for me.

Therefore I compiled the Fedora source package on RHEL4 (Fedora is the
playground of RHEL as we all know ;) and this went well. I installed the
Samba rpm's and configured Samba as I have it on RHL9 and started the Samba
daemons (smbd, nmbd and winbindd). The Fedora Samba package is working well
on RHEL4, my XP clients can connect to the shares and I see no error
messages appearing in my Samba logs.

I'd like to continue with the Fedora Samba package on my RHEL4 server, but
I'd like to know why or why NOT to use it! (and why I have to use the
packages of enterprisesamba.com)

Please advise.

Best regards,

Alex.



[Samba] Re: Samba 3.0.21 Available for Download

2005-12-23 Thread Alex de Vaal
>>> >> Binary packages are available at
>>> >>
>>> >> http://download.samba.org/samba/ftp/Binary_Packages/
>>> >
>>> > How long usually before the SRPM's are available?
>>>
>>> For what platform?
>> 
>> Redhat.

> RedHat xx ?  Enterprise?   I stopped producing SRPMS for RedHat
> 7.3 + in hopes that it wouldn't be noticed.   I'm assuming you
> noticed.  Is there still a great demand for RedHat 9 ?

A lot of my install base is still RHL9; I guess that goes for a lot more people.

I'd appreciate the SRPMS for RHL9 to be available at the SAMBA FTP site.

I didn't look at the tar.gz file yet, but can I still make the SRPM for RHL9
by myself with the "makerpms.sh" command in the "packaging/RedHat" dir?

Regards,
Alex.





[Samba] Can't Install Samba 3.0.14a

2005-04-19 Thread Alex de Vaal

> However, when I run rpm -U samba-common-3.0.14a-1.i386.rpm (for 
> instance), I just get:
>
>error: Failed dependencies:
>samba-common = 0:3.0.8 is needed by (installed)
>samba-3.0.8-0.pre1.3.i386
>samba-common = 0:3.0.8 is needed by (installed)
>samba-client-3.0.8-0.pre1.3.i38

The Samba packages on Fedora 3 should be installed like this:

rpm -Uhv --nodeps /usr/src/redhat/RPMS/i386/samba-common-3.0.14a-1.i386.rpm
rpm -Uhv /usr/src/redhat/RPMS/i386/samba-3.0.14a-1.i386.rpm
rpm -Uhv /usr/src/redhat/RPMS/i386/samba-client-3.0.14a-1.i386.rpm 

Don't forget to back up /var/lib/samba/* and /etc/samba/* before the update
and after the shutdown of all samba daemons.

Alex.




[Samba] Upcoming 3.0.13 release -- please test now

2005-03-22 Thread Alex de Vaal
 
> Heads up everyone:
>
> Due to the win98 explorer bug (https://bugzilla.samba.org/bug/2501),
> we will be release 3.0.13 on Thursday morning, March 24 (GMT-6).
>
> So if you have any outstanding bugs in the 3.0.12 that we
> should know about, let us know now.  Please file any defect
> reports at https://bugzilla.samba.org/. 
>
> Thanks.
>
> cheers, jerry

The "net ads info" command doesn't work when "disable netbios = Yes" is 
being used; it responds with "Didn't find the ldap server!"
It's a bit annoying, because I use "net ads info" for retrieving the 
Time difference info between the AD and the Samba server.

The LDAP servers in my production environment are behind routers that 
don't route NETBIOS.

I tested also "net ads testjoin" and that does work ("net ads join" too).

Bug is entered in bugzilla (with debug level 10 output):
https://bugzilla.samba.org/show_bug.cgi?id=2517

Regards,
Alex.




[Samba] Re: [PATCH] bug in 3.0.11 winbindd when 'disable netbios = yes'

2005-02-17 Thread Alex de Vaal
On Thu 10 Feb, at  23:03h, Gerald (Jerry) Carter wrote:

> | Heads up
> |
> | If anyone has had problems with winbindd not being able
> | to locate any domain controllers after upgrading to 3.0.11
> | *and* you have 'disable netbios = yes' in smb.conf, please
> | test this preliminary patch (winbind_find_dc.patch).  It's
> | pretty rough currently but needs some more widespread
> | testing.  You can download it from :
> |
> | http://www.samba.org/~jerry/patches/post-3.0.11/


> Forgot to mention that you need to run

>   $ make proto
>   $ make

> after applying the patch.

I tested winbind_find_dc_v2.patch in my test environment with 3.0.11 
and winbind seems to work as if it were 3.0.10 ;) 
Samba is a domain member in a W2k3 AD and my XP clients get their 
shares (and have access to their files) on the Samba server. In fact I don't
see a difference between 3.0.10 and 3.0.11 patched with the winbind patch.

The DC's in my production environment are behind routers that don't
route NETBIOS, so with the original 3.0.11 I would have gained a lot of 
problems ;)
In my test environment I have only one subnet and there I used 
'disable netbios = yes' in smb.conf to simulate my real environment, so
no DC's can be found via NETBIOS.

What are "make proto" and "make" needed for? I didn't use them and 3.0.11 
compiled well and winbind seems to work well... (both on RHL9 and FC2).

Regards,
Alex.




[Samba] new printing patch for 3.0.10 may fix the 'failure to remove print jobs from queue list display'

2005-01-26 Thread Alex de Vaal
On Wed 5 Jan 2005, at 17:57, Gerald (Jerry) Carter wrote:

> I've uploaded a new draft of the printing patch for 3.0.10
> to http://www.samba.org/~jerry/patches/post-3.0.10/
> The only change is a small fix to fix the register_message_flags()
> error messages in the logs.  After some thought, I think this
> might address the 'jobs failing to be removed from the queue
> list' bug.  If people could test and let me know, I would
> appreciate it.

Hi Jerry,

The patch (version #2) is working; when I print from an XP client to a CUPS
queue (queue on hold), the print icon appears in the taskbar of the XP client.
When I remove the print job from the CUPS queue, within 30 seconds the print
icon on the XP client disappears.

I also added this patch from Jerome Borsboom to your patch.

--- samba-3.0.10/source/printing/printing.c 2005-01-10
15:07:27.060999122 +0100
+++ samba-3.0.10.new/source/printing/printing.c 2005-01-10
15:07:36.784464292 +0100
@@ -1077,6 +1077,7 @@
 
if ( !print_cache_expired(sharename, False) ) {
DEBUG(5,("print_queue_update_internal: print cache for %s is
still ok\n", sharename));
+   release_print_db( pdb );
return;
}
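
Review bot: the added release_print_db( pdb ) covers only the cache-still-valid early return in print_queue_update_internal; the hunk shows no other exit of the function, so each remaining return after the print db handle is taken should be checked for the same missing release, or all exits routed through a single cleanup point so that a later early return cannot leak the handle again. As posted, the patch has also been line-wrapped by the mail client (the ---/+++ header lines and the DEBUG(5,...) context line are split in two) and has lost its indentation, so it will not apply cleanly; resending it as an attachment would avoid that.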

Is your printing patch Ok to use in production environments? 

I saw that in the SAMBA_3_0 branch printing/printing.c is changed with 
your patch, but your patch also patches:

param/loadparm.c
smbd/lanman.c 
smbd/negprot.c
smbd/reply.c 
smbd/server.c

but I can see that these files are not updated with your patch in the
SAMBA_3_0 branch, or am I wrong?

Regards,
Alex.




[Samba] Samba as W2k3 AD domain member; how to configure domain controller failover?

2004-12-13 Thread Alex de Vaal
Dear list,

I have a question how you configure Samba (configured as a W2k3 domain
member) to failover to a secondary AD domain controller when the connection
to the primary domain controller fails.

First some info:

- Windows 2003 Active directory (native mode), currently running with 2
  domain controllers.
- Samba (version 3.0.9) running on a RHL9 server (updated with kerberos
  1.3.1-7), samba is compiled against kerberos 1.3.1-7 and configured as
  AD domain member. The winbind daemon is used for AD user validation.
- IP addresses W2k3 domain controllers: 192.168.100.100 (adm01= domain
  master) and 192.168.100.101 (adm02)
- IP address RHL9 server: 192.168.100.151
- DNS is properly configured on RHL9 server and W2k3 servers.

My smb.conf file looks like this:
[global] 
workgroup = TEST
realm = TEST.COM
security = ADS
password server = 192.168.100.100, 192.168.100.101
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash 

[grp]
comment = Group Directory
path = /data/grp
valid users = @TEST.COM\DEP_TEST_MEMBER
read only = No
inherit permissions = Yes


resolv.conf looks like this:
nameserver 192.168.100.100
nameserver 192.168.100.101
search test.com
domain test.com 

nsswitch.conf looks like this:
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files dns wins


"wbinfo -g" and "getent group" give the appropriate output. Via the chown
command I was able to give the AD group DEP_TEST_MEMBER access to the
/data/grp directory on the linux server (chmod 770 and chown
"root:TEST\DEP_TEST_MEMBER").
XP clients can connect to the [grp] share on the samba server when they are
member of the AD group DEP_TEST_MEMBER and can store files on the share. So
far so good.

If I look with "netstat -na" I can see that the Samba server is connected to
the primary domain controller:
tcp0  0 192.168.100.151:33837   192.168.100.100:389
ESTABLISHED
tcp0  0 192.168.100.151:33843   192.168.100.100:445
ESTABLISHED

When the connection with the primary domain controller (192.168.100.100) is
suddenly lost, then samba will NOT failover to the second domain controller
(192.168.100.101). It is just trying to connect to the first configured one
all the time. "net ads info" will do a request at the second DC (after a
timeout of 15 sec, which I can configure to 2 seconds with
"ldap timeout =2").
"wbinfo -u" will give after a short while the error message: "Error looking
up domain users" and I have difficulty connecting to the Linux server with
Telnet (it tries to validate the user that logs on with Telnet, even the
root user, against the AD). The XP clients will lose the connection to the
[grp] share after a short while. This will become a "status quo", nothing
changes.

The only thing I can do is manually failover to get Samba working properly
again. I changed the global option "password server" to "password server =
192.168.100.101, 192.168.100.100", rebooted the Linux server and now the
Samba server connected to the second DC:
netstat -na

tcp0  0 192.168.100.151:33998   192.168.100.101:389
ESTABLISHED
tcp0  0 192.168.100.151:34004   192.168.100.101:445
ESTABLISHED

"wbinfo -g" and "getent group" give the appropriate output and the XP client
can connect to the [grp] share again.

How can I configure Samba to failover to the second DC, so even XP clients
with connection to Samba shares won't even notice it when the connection to
the primary DC gets lost? I googled for  h o u r s  for this answer and I
found that someone used "net ads join -S" option and used the "join" option
on all DC's in the AD. (look at
http://lists.samba.org/archive/samba/2004-October/093721.html). I tried that
too, but it didn't help.

This problem is bugging me for quite a while now (also in my real
environment), so it became a very important question for me (but the
solution is more important ;-), therefore any help is very much appreciated!

Regards,
Alex.




[Samba] Printers Showing up on Alternate Server Names

2004-09-23 Thread Alex de Vaal
 
It's a known issue of Samba 3.0.6/7
 
Look at this link for more info concerning this:
http://lists.samba.org/archive/samba/2004-September/093045.html
 
-- 
Regards, 

Alex.



Visit our Web site: http://www.nh-hotels.com
This message is from NH HOTELES and it is private and confidential.
Its content may be legally protected.Reception by a non-intended person does not waive 
legal protection rights.
If you receive this message by mistake, please delete it from your system and report 
the sender.
Although this message has been cleared for viruses using currently available virus 
definitions before sending,
it is the responsibility of the receiver to ensure it is virus-free.Thank you.

 


[Samba] Samba 3.0.7, WinXP Pro SP2 printing issues with netbiosnames.

2004-09-23 Thread Alex de Vaal
 
> We're currently experiencing some problems that weren't a problem in 3.0.4.
> Since SP2 was installed printers get connected \\\
> instead of \\\. It's more common on SP2
> machines but it happens on non-SP2 machines.
 
> Although these issues are not consistent.
 
> Which some windows applications seems to have a problem with.
> (Citrix-stuff etc.)
 
> With 3.0.4 printers get connected as \\\
> regardless of SP2 or not.
> As a result we're having problems pinpointing the problem, whether it's SP2
> or Samba 3.0.7.
 
> So is there anyone else experiencing this and/or know of a workaround ?

Hello Erik,
 
I'm experiencing the same problem as you have with 3.0.7 on XP SP1 clients,
downgrading to 3.0.4 solves this problem.
 
Look at the mail I posted here about this:
http://lists.samba.org/archive/samba/2004-September/092848.html
 
I don't dare to use 3.0.7 on my production sites at this time, because my
clients get their printers installed via the ADS logon script. Because of
this behavior in 3.0.7 the clients get the printers double installed; the
\\\ printer (which is already in the profile of
the user) and the \\\ printer (which is actually
the same printer). New profiles at the clients get only the
\\\ printer installed.
A lot of scripts on our ADS servers use the \\\
naming convention and I don't want to change the scripts at this time,
because the problem seems to be fixed in 3.0.8; look at this mail:
http://lists.samba.org/archive/samba/2004-September/091804.html

-- 
Regards, 

Alex de Vaal. 




[Samba] 3.0.7; "string overflow by 1 (32 - 31) in safe_strcpy"

2004-09-21 Thread Alex de Vaal
Hello,

I'm using samba 3.0.4 (on RHL9) as a W2k3 domain member in an ADS realm. For
printing I'm using CUPS of RHL9. The XP clients get the CUPS printers (CUPS
redirects the printjob to the JetDirect card of the printer) and the
appropriate PCL drivers installed via the "Point 'n Print" mechanism. The
clients get their printers installed via the AD login script and they
are installed via the DNS name of the printer (e.g.
\\dussel.nh-hoteles.com\DUSSEL_LASER01).
A printer driver that is being used is, for example, the "HP LaserJet 4200
PCL 5e".
The above works fine, XP clients get the printer installed ("DUSSEL_LASER01
on dussel") in their own "Printer and Faxes" folder and the appropriate
drivers are installed on the client too.

So far so good.

After the upgrade to samba 3.0.7 however (had the same with 3.0.6) I see in
the log files of the clients the following messages (a lot of them):
\\192.168.100.151\DUSSEL_LASER01]
[2004/09/21 12:10:34, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy 

Besides that, the XP clients get a second printer installed "DUSSEL_LASER01
on 192.168.100.151" besides the "DUSSEL_LASER01 on dussel" printer (which is
actually the same).

I played a little with downgrading to 3.0.4 and upgrading 3.0.7 and the way
the XP clients get their printers installed.
This is what I encountered:

- 3.0.4; printer installed via DNS name; "DUSSEL_LASER01 on dussel" as
printer on client.
- 3.0.7; printer installed via NETBIOS name (\\DUSSEL\DUSSEL_LASER01);
"DUSSEL_LASER01 on dussel" as printer; 
   "string overflow by 1" messages.
- 3.0.7; printer installed via DNS name; "DUSSEL_LASER01 on dussel" and
"DUSSEL_LASER01 on 192.168.100.151" as printer on client;
   "string overflow by 1" messages.

Removing user profiles on the XP client:
- 3.0.7; printer installed via DNS name; "DUSSEL_LASER01 on 192.168.100.151"
as printer on client;
   "string overflow by 1" messages.

How do I have to deal with this new behavior of samba with CUPS? I'd like to
upgrade my other samba sites to 3.0.7, but when I get troubles with printers
on the clients some people are gonna shoot me :)

I posted a similar message before, but I didn't get any response. I can't
imagine that I'm the only one with the "string overflow by 1" messages and
this behavior of 3.0.7 and CUPS... Or am I? :)

Thanx for any answer.

-- 
Regards, 

Alex de Vaal. 






[Samba] 3.0.6 & "string overflow by 1" revisited

2004-09-06 Thread Alex de Vaal
Gerald Carter wrote:
 
>| every time I access a printer my logs flood with messages
>| like to those below.  It seems I can set printer
>| properties, etc...  but when I print the jobs seem to go
>| to never-never land (still researching where the jobs go).
>|
>| [2004/08/20 08:46:27, 0] lib/util_str.c:safe_strcpy_fn(600)
>|   ERROR: string overflow by 1 (32 - 31) in safe_strcpy
>| [\\192.168.1.12\HP Business Inkjet 2250 PS]
 
> This is a warning and shouldn't impact the print jobs in any way.
 
Gerald Carter wrote:
 
>| These messages are side-effects of setting the printername
>| to "\\servername\drivername", when assigning drivers to
>| printers.
 
>| AFAIK the message is caused by the safe_strcpy call in
>| printing/nt_printing.c : construct_nt_devicemode ()
>| or get_a_printer2 ().
>|
>| The MAXDEVICENAME macro is set to 32 whereas printername plus
>| servername is usually longer than that.
> 
> This is the size defined by MS.  (see MSDN and on the
> wire traces).
 
Hello Jerry,
 
After the upgrade from 3.0.4 to 3.0.6 I also get the
lib/util_str.c:safe_strcpy_fn(600)
ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
messages in my logs. 
 
I use Samba on a RHL9 server with CUPS and the Samba server is a domain
member in a W2k3 ADS environment.
From the ADS login script my workstations get their printers installed via
DNS name (e.g. \\DUSSEL.XX-XXX.COM\DUSSEL_LASER01) and this is obviously longer
than 32 characters. My workstations get with 3.0.6 besides the
"DUSSEL_LASER01 on dussel" printer (installed by 3.0.4) also the
"DUSSEL_LASER01 on 192.168.100.151" printer (which is the same) installed. 
When I remove the profile of the user on the workstation and put in the
login script \\DUSSEL\DUSSEL_LASER01 as printer (the old NETBIOS name, which
is less than 32 characters) I still get the "string overflow by 1 (32 - 31)
in safe_strcpy" error messages. This new profile gets the "DUSSEL_LASER01 on
192.168.100.151" printer installed and after a reboot also the
"DUSSEL_LASER01 on dussel" printer (which is the same).
 
Even when I login as administrator on the workstation, browse via "My
Network Places" to the printer (\\DUSSEL\DUSSEL_LASER01) and use "Connect"
then I also get the "string overflow by 1 (32 - 31) in safe_strcpy" error
messages.
 
Whatever I do with 3.0.6 I always get these error messages, while printing
seems to be Ok. Only a new profile on a workstation doesn't get the default
printer installed (first printer in the ADS login script) and that's quite
annoying (this works fine with 3.0.4).
Besides that my (samba) log files are flooded with these messages and, not
nice, also my /var/log/messages file.
 
Downgrading to 3.0.4 resolves all of the above. I'd like to upgrade my samba
sites to 3.0.6, but if I encounter these kind of problems with printers I'm
really considering to wait with the upgrade on real production sites (I've
upgraded an experimental production site so far).
 
Can you tell me what can be expected in future versions of samba concerning
this and how to act on this current issue?
 
Thanx,
 
Alex.

(sorry for the stupid disclaimer).
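
The "string overflow by 1 (32 - 31)" message discussed in this thread, as an added C example that is not Samba's own code: a truncating bounded copy into a MAXDEVICENAME-sized field, run on the printer names quoted in the thread. The helper names `bounded_copy` and `build_device_name` are hypothetical, and treating the limit as 31 characters plus a terminating NUL is an assumption drawn from the "(32 - 31)" in the log line.

```c
#include <stdio.h>
#include <string.h>

/* Size quoted in the thread for the device-name field. */
#define MAXDEVICENAME 32

/*
 * Hypothetical stand-in for a "safe" copy (not Samba's safe_strcpy_fn).
 * maxlen is the number of characters that fit, excluding the NUL, so dest
 * must hold maxlen + 1 bytes. An over-long source is truncated rather than
 * written past the end of dest, and the event is logged.
 * Returns 0 when src fit, otherwise the number of characters dropped.
 */
static size_t bounded_copy(char *dest, const char *src, size_t maxlen)
{
    size_t len = strlen(src);

    if (len > maxlen) {
        /* Same shape as the log line in the thread: by N (len - maxlen). */
        fprintf(stderr,
                "ERROR: string overflow by %zu (%zu - %zu) in bounded_copy [%.50s]\n",
                len - maxlen, len, maxlen, src);
        memcpy(dest, src, maxlen);
        dest[maxlen] = '\0';
        return len - maxlen;
    }
    memcpy(dest, src, len + 1);   /* includes the terminating NUL */
    return 0;
}

/*
 * Build "\\server\printer" and store it in a MAXDEVICENAME-byte field.
 * Returns the number of characters that did not fit (0 = stored whole),
 * or (size_t)-1 if the combined name is implausibly long.
 */
size_t build_device_name(char out[MAXDEVICENAME],
                         const char *server, const char *printer)
{
    char full[256];
    int n = snprintf(full, sizeof(full), "\\\\%s\\%s", server, printer);

    if (n < 0 || (size_t)n >= sizeof(full)) {
        out[0] = '\0';
        return (size_t)-1;
    }
    return bounded_copy(out, full, MAXDEVICENAME - 1);
}

int main(void)
{
    /* Server and printer names as they appear in the thread. */
    const char *servers[] = { "192.168.100.151", "DUSSEL",
                              "dussel.nh-hoteles.com" };
    char field[MAXDEVICENAME];
    size_t i;

    for (i = 0; i < sizeof(servers) / sizeof(servers[0]); i++) {
        size_t lost = build_device_name(field, servers[i], "DUSSEL_LASER01");
        printf("stored \"%s\" (%zu chars), dropped %zu\n",
               field, strlen(field), lost);
    }
    return 0;
}
```

The IP-address form is exactly 32 characters, one more than the field holds, which is why every lookup of that name logs the same one-character truncation while the NETBIOS form fits.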







[Samba] Issues after upgrade to 3.0.6 from 3.0.4; fixed in 3.0.7?

2004-09-01 Thread Alex de Vaal
w by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:19, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:19, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:20, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:23, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:24, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:24, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:16:25, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:17:12, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:12, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:12, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:17:12, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:13, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed
[2004/09/01 16:17:13, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:13, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01] 

Is there any way I can change this CUPS behaviour in 3.0.6? Or will some things
be changed in 3.0.7?

-- 
Regards, 

Alex de Vaal. 


(sorry for the stupid disclaimer; this is put by our mail server, not by me
;)
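
Added example, not part of the original message: a small Python parser for the two-line smbd log records shown above. It collapses the flood into one row per message and checks the overflow numbers against the logged printer name. Reading "(32 - 31)" as source length minus destination limit is an assumption of this example, tested against the name itself; the function names are the example's own.

```python
import re

# Sample records copied from the excerpt in the message above (not the full log).
SAMPLE_LOG = r"""[2004/09/01 16:16:19, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER02]
[2004/09/01 16:16:23, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:12, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
[2004/09/01 16:17:13, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed
[2004/09/01 16:17:13, 0] lib/util_str.c:safe_strcpy_fn(600)
  ERROR: string overflow by 1 (32 - 31) in safe_strcpy
[\\192.168.100.151\DUSSEL_LASER01]
"""

# Record header: "[date time, debuglevel] source_file:function(line)".
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(\d+)\] (\S+?):(\w+)\((\d+)\)$")
# Assumption: the three numbers are (excess, source length, destination limit).
OVERFLOW = re.compile(
    r"string overflow by (\d+) \((\d+) - (\d+)\) in safe_strcpy \[(.*)\]$")


def parse_records(text):
    """Split a log into records: one header line plus the lines that follow it."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "source": f"{m.group(3)}:{m.group(4)}", "body": []}
            records.append(current)
        elif current is not None and stripped:
            # Continuation line, including the bracketed name on its own line.
            current["body"].append(stripped)
    for rec in records:
        rec["message"] = " ".join(rec["body"])
    return records


def flood_summary(records):
    """Group by (source, first message line): count, first and last timestamp."""
    groups = {}
    for rec in records:
        key = (rec["source"], rec["body"][0] if rec["body"] else "")
        grp = groups.setdefault(
            key, {"count": 0, "first": rec["time"], "last": rec["time"]})
        grp["count"] += 1
        grp["last"] = rec["time"]
    return groups


def overflow_findings(records):
    """Per offending string: hits, reported length, limit, and a consistency check."""
    findings = {}
    for rec in records:
        m = OVERFLOW.search(rec["message"])
        if not m:
            continue
        excess, length, limit = (int(m.group(i)) for i in (1, 2, 3))
        name = m.group(4)
        entry = findings.setdefault(name, {"hits": 0})
        entry["hits"] += 1
        entry["reported_len"] = length
        entry["limit"] = limit
        entry["trim_by"] = excess  # characters the name must lose to fit
        # The logged name should be exactly as long as the log says it is.
        entry["consistent"] = (excess == length - limit and len(name) == length)
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (source, text), grp in flood_summary(recs).items():
        print(f'{grp["count"]:4d}x {source}: {text} ({grp["first"]} .. {grp["last"]})')
    for name, info in overflow_findings(recs).items():
        print(f'{name}: {info["reported_len"]} chars, limit {info["limit"]}, '
              f'trim by {info["trim_by"]}, consistent={info["consistent"]}')
```

On the sample, both `\\server\printer` names are 32 characters long against a limit of 31, which matches the "overflow by 1" in every record.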




[Samba] PANIC: internal error; winbind daemon (3.0.4) crashes

2004-07-27 Thread Alex de Vaal
39
[2004/07/19 21:47:15, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/07/19 21:47:15, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to NHADM01<20> (10.2.20.240)
[2004/07/19 21:47:15, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'prisma-fo1$' does not exist
[2004/07/19 21:47:15, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'prisma-fo1$' does not exist
[2004/07/19 21:47:15, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'prisma-fo1$' does not exist
[2004/07/19 21:47:15, 1] nsswitch/winbindd_user.c:winbindd_getpwnam(159)
  user 'PRISMA-FO1$' does not exist
[2004/07/19 21:55:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/07/19 22:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist 

My smb.conf is like this (only global section):

[global]
workgroup = 
realm = .COM
server string = %h server (Samba %v)
security = ADS
password server = adm03.XXX.com, adm01.XXX.com, *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, '@.COM\Domain Admins', @.COM\DEP_ADMIN_GERMANY
oplocks = No
level2 oplocks = No 

My krb5.conf file is like this:

[libdefaults]
 dns_fallback = true
 

-- 
Regards, 

Alex de Vaal. 




[Samba] Samba 3.0.4 and kerberos 1.3.1

2004-07-13 Thread Alex de Vaal
Hello,
I had the same problem as you and it took me a while to figure it out
exactly.
I’ve now a RHL9 server running with Samba 3.0.4 as a domain member of a W2k3
realm.
Actually I updated Kerberos to version 1.3.1-7 on my RHL9 server to achieve
this; otherwise samba can’t verify the incoming ticket.
You are right; if you install the Kerberos 1.3.1 rpm’s with --force
--nodeps, it will break the dependencies, but this is the only way to do it.
After the update of the krb5 packages the “libcom_err.so.3” dependency of
other packages (example: httpd-2.0.40-21) is broken.
A TEMPORARY workaround is to change to the /lib directory and make the
following symbolic link: “ln -fs libcom_err.so.2.0 libcom_err.so.3” (This
restores the libcom_err.so.3 dependency of other packages after the krb5
update.) Now you can see if Samba 3.0.4 is working properly in a W2k3 realm.
What you should do afterwards is to recompile all the packages (on the
machine with the Kerberos 1.3.1 rpm’s installed) that had a dependency with
the old Kerberos packages and install those new recompiled packages. Now all
the packages (that had a dependency with the old Kerberos packages) have a
new dependency to Kerberos 1.3.1. After that you can remove the symbolic
link with “libcom_err.so.3”.
This cost me several headaches too… ;-)
Regards,
Alex.




[Samba] ADS server fallback

2004-07-07 Thread Alex de Vaal
Dear list,

I have a question about ADS server fallback of a Samba domain member in a
W2k3 environment.

I describe now a little our real production ADS environment;

Madrid: two W2k3 ADS servers (ADM01 and ADM02) in a cluster; both are
global catalog servers in the .COM realm.
Berlin; one W2k3 ADS server (ADM03); is also a global catalog server in the
.COM realm.
The ADS servers in Madrid and Berlin are replicated.

Düsseldorf; RHL9 server with Samba 3.0.4 (compiled with MIT 1.3.1-7 and
CUPS) as a domain member of the .COM realm. Winbind and Kerberos are
used as authentication method against ADS.

Connections between the various sites: leased line, 128 Kb/s


The RHL9 server in Düsseldorf is joined to the .COM realm and is working
properly. XP clients in Düsseldorf logon to the ADS domain and via the login
script they'll get their shares on the local Samba server and this works
fine. Normally the Samba server in Düsseldorf is communicating with the
ADM03 server in Berlin (The 1st DNS server is the ADM03 server; ADS is
configured that clients and domain members in the subnet of Düsseldorf first
contact the ADS server in Berlin).

Question:
How can I configure Samba 3.0.4 that an ADS server fallback is performed if
the connection with the ADS server in Berlin fails? In other
words; when communication with the ADM03 server fails (leased line with
Berlin breaks down), Samba must automatically contact the ADM01 or ADM02
server in Madrid for its ADS queries.

I already used the entry  " password server = adm03..com,
adm01..com, * "  in my smb.conf file. My krb5.conf file doesn't exist,
because MIT 1.3.1 searches its KDC servers via DNS, or must I specify for
Kerberos also a fallback (contents of krb5.conf: [libdefaults]
 dns_fallback = true)?

The winbind cache time is default (300 sec). Must I specify a larger value
(e.g. 900 sec.) on remote sites with a relatively slow connection?

Thanx for any suggestion,
Alex.
(sorry for the stupid disclaimer underneath this e-mail, I can't help it...
:)


Here is my smb.conf file (only the global section):

[global]
workgroup = 
realm = .COM
server string = %h server (Samba %v)
security = ADS
password server = adm03.XXX.com, adm01.XXX.com, *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 200
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, '@.COM\Domain Admins', @.COM\DEP_ADMIN_GERMANY
oplocks = No
level2 oplocks = No 




[Samba] Automatic ADS server fallback

2004-06-15 Thread Alex de Vaal
Dear list,

I have a question about automatic ADS server fallback of a Samba domain member
in a W2k3 environment.

I describe now a little our real production ADS environment;

Madrid: 2 W2k3 ADS servers (ADM01 and ADM02) in a cluster; both are a global
catalog server in the .COM realm.
Berlin; 1 W2k3 ADS server (ADM03); is also a global catalog server in the
.COM realm.

The ADS servers in Madrid and Berlin are replicated.

Düsseldorf; RHL9 server with Samba 3.0.4 (compiled with MIT 1.3.1-7 and CUPS)
as a domain member of the .COM realm. Winbind and Kerberos are used as
authentication method against ADS.

Connections between the various sites: Intranet, 128 Kb/s


The RHL9 server in Düsseldorf is joined to the domain and is working properly. XP
clients in Düsseldorf logon to the ADS domain and via the login script they’ll get their
shares on the local Samba server and this works fine.
Normally the Samba server is communicating with the ADM03 server in Berlin (The
1st DNS server is the ADM03 server; ADS is configured that clients and domain
members in the subnet of Düsseldorf first contact the ADS server in Berlin).

Question:
How can I configure Samba 3.0.4 that an automatic ADS server fallback is executed
if the connection with the ADS server in Berlin fails?
In other words; when communication with the ADM03 server fails, Samba must
automatically contact the ADM01 or ADM03 server in Madrid for its ADS queries.

I already used the entry “ password server = adm03..com, adm02..com,
* ” in my smb.conf file.
My krb5.conf file doesn’t exist, because MIT 1.3.1 searches its KDC servers via
DNS, or must I specify for Kerberos also a fallback?

The winbind cache time is default (300 sec). Must I specify a larger value (e.g. 900
sec.) on remote sites with a relative slow connection?

Thanx for any suggestion,
Alex.

Here is my smb.conf file (only the global section):

# Global parameters
[global]
workgroup = 
realm = .COM
server string = %h server (Samba %v)
security = ADS
password server = adm03..com, adm01..com, *
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, '@.COM\Domain Admins', @.COM\DEP_ADMIN_GERMANY
oplocks = No
level2 oplocks = No




Re: [Samba] use password server= when security=ADS or not???

2004-06-09 Thread Alex de Vaal
On 9 Jun 2004 at 8:00, Gerald (Jerry) Carter wrote:

> | In the man page of samba also reside about “password server”
> | the following: The advantage of using “security = domain”
> | is that if you list several hosts in the “password server”
> | option then smbd will try each in turn till it finds one
> | that responds.  This is useful in case your primary
> | server goes down. Does this also work, when “security = ADS”
> | ?  I’d like that the samba domain server
> | tries to contact each password server in the list
> | till it finds one that responds.
> 
> When 'security = ads', Samba uses the password server
> for any NTLM authentication as well as ldap queries.
> Krb5 ticket verification is handled by the krb5 libs
> (outside of Samba).

Right.

I'm using winbind (which is the Samba-3 NTLM authentication daemon) in my 
configuration, so in my case it is better to specify at "password server" all the DNS 
names of my ADS servers instead of leaving it blank?

I know that Krb5 ticket is handled by the krb5 libs. I have no krb5.conf specified, so it
uses the DNS for resolving the KDC servers (the ADS servers create SRV records in 
DNS for each KDC in the realm)

In my case "password server=" is not specified in smb.conf. I see however 
sometimes strange things in winbindd.log on a remote Samba domain member 
server that it can't find sometimes the LDAP server, port 445 and port 139, because 
the connection to the ADS server is sometimes very slow (is a router connection).
I was wondering if it is better to specify all the ADS servers in the realm at "password
server=", so it is looking for the other servers in the realm if the connection to an 
ADS server is slow.


Winbindd.log
==

[2004/06/08 19:28:41, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:28:50, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:07, 1] libsmb/cliconnect.c:cli_start_connection(1388)
  session request to NHADM01 failed (Call timed out: server did not respond after 1 milliseconds)
[2004/06/08 19:29:15, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:15, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to *SMBSERVER<20> (10.2.20.240)
[2004/06/08 19:29:34, 1] libsmb/cliconnect.c:cli_start_connection(1408)
  failed negprot
[2004/06/08 19:29:43, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445
[2004/06/08 19:29:52, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:139
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_connect(1297)
  Error connecting to 10.2.20.240 (Operation already in progress)
[2004/06/08 19:29:52, 1] libsmb/cliconnect.c:cli_start_connection(1377)
  cli_full_connection: failed to connect to NHADM01<20> (10.2.20.240)
[2004/06/08 19:30:02, 0] rpc_client/cli_pipe.c:rpc_api_pipe(424)
  cli_pipe: return critical error. Error was Call timed out: server did not respond after 1 milliseconds
[2004/06/08 19:30:35, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:39, 1] nsswitch/winbindd_user.c:winbindd_getpwuid(246)
  could not lookup sid S-1-5-21-1130960580-3026470530-2041411792-1380
[2004/06/08 19:30:59, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2004/06/08 19:31:11, 1] lib/util_sock.c:open_socket_out(757)
  timeout connecting to 10.2.20.240:445

and somewhat later.

[2004/06/08 20:45:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:46:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 20:55:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:05:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:15:53, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:16:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist
[2004/06/08 21:25:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
  user 'root' does not exist

which is normal... (in 3.0.4) ;-)

Regards,

[Samba] use password server= when security=ADS or not???

2004-06-09 Thread Alex de Vaal
Dear list,

I’m using samba 3.0.4 on a RHL9 server as domain member in a W2k3 ADS (native)
environment.
The shares on the Samba server are used by XP clients and these clients get the
shares via scripting while they logon on the ADS.
In the ADS domain there are several ADS servers (on remote locations, connected
via routers) that have the same global catalog. This means that an XP client that
logon on the ADS will get a response from the “fastest” server on the network. The
XP clients and the Samba domain member are on remote locations and connected
to the ADS environment via routers too.

The smb.conf file that I use on the Samba domain members doesn’t contain the
“password server” statement; this means that samba handles as follows about
“password server” according to the man pages:
If the “password server” option is set to the character '*' (is the same as no password
server), then Samba will attempt to auto-locate the Primary or Backup Domain
controllers to authenticate against by doing a query for the name
“WORKGROUP<1C>” and then contacting each server returned in the list of IP
addresses from the name resolution source. This means that Samba uses the old
NETBIOS name and this is not in our DNS and a broadcast is not allowed on our
routers!

In the man page of samba also reside about “password server” the following:
The advantage of using “security = domain” is that if you list several hosts in the
“password server” option then smbd will try each in turn till it finds one that responds.
This is useful in case your primary server goes down.
Does this also work, when “security = ADS”?  I’d like that the samba domain server
tries to contact each password server in the list till it finds one that responds.

Can you tell me what is preferable? I use Samba 3.0.4 on RHL9 compiled with MIT
1.3.1-7 kerberos and CUPS, Kerberos and winbind is used for authentication against
the ADS server.

Here is my smb.conf file (only the global section):

[global]
workgroup = 
realm = .COM
server string = %h server (Samba %v)
security = ADS
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
domain master = No
dns proxy = No
idmap uid = 1-2
idmap gid = 1-2
template homedir = /data/hom/%U
template shell = /bin/bash
printer admin = root, '@.COM\Domain Admins', @.COM\DEP_ADMIN_GERMANY
oplocks = No
level2 oplocks = No



Regards,
Alex.



[Samba] How to apply a patch?

2004-05-28 Thread Alex de Vaal
On 18 May 2004 at 10:28, Gerald (Jerry) Carter wrote:

> please see the patch attached to bug 1319 (as of yesterday) and
> try it out.  The bug is actually an interaction between
> 'force user' and 'write list'

Sorry for the late answer.

Can you tell me how to apply this patch (or tell me where I can find the 
documentation how to do it)? 
I always compile Samba from the source RPMS (of RHL9) on the Samba FTP site 
on my RHL9 Linux server (don't know how to do it else... ;-).

Cheers,
Alex.



write list bug reports [was Re: [Samba] OTHER BUG IN SAMBA 3.0.4?! FORCE USE

2004-05-19 Thread Alex de Vaal
> On Tue, May 18, 2004 at 05:20:59PM +0200, Alex de Vaal wrote:
>
>> [print$]
>> comment = Printer Driver Download Area
>> path = /etc/samba/drivers
>> write list = root, '@TEST.COM\Domain Admins', @TEST.COM\DEP_ADMIN_GERMANY
>> force user = root
>> guest ok = Yes

> On a related note, what's the point of having every user connected as
> root and also use a write list, specially for other users besides root?
> What is the expected behaviour here? Wouldn't it be best to use "valid
> users" instead of the write list? I'm a little confused about this scenario.

> What takes precedence, force user or write list?

The print$ share is in my case a "read only" share, that can be accessed by anybody 
(guest ok = Yes). Normally any user doesn't have write access to a "read only" share, 
but with "write list" you can define which users or groups can have write access here.
Normally this is sufficient.

My Samba server is however a real domain member of a native W2k3 ADS and no 
real linux users exist on my Linux server (except the default, root and my backdoor 
root). That means that only ADS users or groups have access to my Samba shares. 
Because we have multiple country delegated admins (member of 'Domain Admins') 
they can all upload printer drivers. The reason that I use "force user = root" is that the 
uploaded printer drivers will be owned by the linux user root (uid=0 and gid=0) and 
not any Windows domain admin.

If you want to use "valid users" on your share then you have to define the users or 
groups that can have access to your share. In case of a printer driver download area 
I don't want to define users, just anybody is allowed to download them (less 
administration).

So, it's just a matter of the choice you make. On the choice you make you have to use 
the "cause and effect" principle... :)

Regards,
Alex.


write list bug reports [was Re: [Samba] OTHER BUG IN SAMBA 3.0.4?! FORCE USE

2004-05-18 Thread Alex de Vaal
> Hi jerry, and hi everyone !!!
> I've seen the bug 1319 has appeared...
> (Remember I previously applied the 1315 ?)

> Has this one something to do with ADS domain member and winbind 
> authentication for shares ?

My Samba 3.0.4 server is a W2k3 ADS domain member, it uses winbind and 
kerberos as authentication for shares, so "security = ADS". 

I have the same problem (bug 1319) on my print$ share (Printer Driver Upload 
share) for CUPS printers. After upgrading to 3.0.4 I couldn't upload printer drivers 
anymore, I received the following message when I used the APW for installing a new 
driver: "Printer x not installed; access denied" (or a message like that). 
My print$ share looks like this:
 
[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
write list = root, '@TEST.COM\Domain Admins', @TEST.COM\DEP_ADMIN_GERMANY
force user = root
guest ok = Yes 

This means this share is standard in "read-only" mode and it uses the "write list" for 
write access. 

I had to add "read only = No" to the print$ share, so I could upload printer drivers. 
For now I can use "read only = No" if I have to upload printer drivers and "read only = Yes"
when I'm finished, but it is just a workaround... 

Regards, 
Alex.
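
Added example, not part of the original posts: a Python audit of the print$ share as posted, compared with the same share under the "read only = No" workaround. With "guest ok = Yes" and "force user = root" already present, the workaround makes the driver directory writable by any connection, as root, for as long as it stays in place. The parser, the finding names and the two sample strings are this example's own; the share text is rebuilt from the message above.

```python
import re

# Rebuilt from the print$ definition in the message above (wrapped line rejoined).
PRINT_SHARE_AS_POSTED = r"""
[print$]
comment = Printer Driver Download Area
path = /etc/samba/drivers
write list = root, '@TEST.COM\Domain Admins', @TEST.COM\DEP_ADMIN_GERMANY
force user = root
guest ok = Yes
"""

# The same share with the workaround line added.
PRINT_SHARE_WORKAROUND = PRINT_SHARE_AS_POSTED + "read only = No\n"

TRUE_WORDS = {"yes", "true", "1", "on"}
# Synonyms of "read only" with the opposite sense, and of "guest ok".
INVERTED_READ_ONLY = {"writeable", "writable", "writeok"}
SYNONYMS = {"public": "guestok"}


def as_bool(value):
    return value.strip().lower() in TRUE_WORDS


def canonical(key, value):
    """Normalise a parameter name (case and spaces ignored) and fold synonyms."""
    key = re.sub(r"\s+", "", key).lower()
    if key in INVERTED_READ_ONLY:
        return "readonly", "no" if as_bool(value) else "yes"
    return SYNONYMS.get(key, key), value.strip()


def parse_shares(text):
    """Parse smb.conf text into {section: {canonical parameter: value}}."""
    shares, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            shares[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            name, val = canonical(key, value)
            shares[section][name] = val  # a later occurrence overrides an earlier one
    return shares


def audit_share(params):
    """Return finding codes for one share's parameters."""
    read_only = as_bool(params.get("readonly", "yes"))  # default: read only = yes
    guest_ok = as_bool(params.get("guestok", "no"))     # default: guest ok = no
    force_user = params.get("forceuser", "").strip()
    write_list = [u.strip() for u in params.get("writelist", "").split(",") if u.strip()]
    findings = []
    if not read_only and guest_ok:
        findings.append("guest-writable")        # unauthenticated clients may write
    if not read_only and force_user == "root":
        findings.append("all-writes-as-root")    # file permissions no longer limit writers
    if not read_only and write_list:
        findings.append("write-list-redundant")  # the list no longer restricts anything
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", PRINT_SHARE_AS_POSTED),
                        ("workaround", PRINT_SHARE_WORKAROUND)):
        params = parse_shares(text)["print$"]
        print(f"{label}: {audit_share(params) or 'no findings'}")
```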




[Samba] "user 'root' does not exist" in winbindd.log after upgrade from 3.0.2a to 3.0.3

2004-05-10 Thread Alex de Vaal
Dear list,

After the upgrade from 3.0.2a to 3.0.3 I see in my winbindd.log file all the time 
"user 'root' does not exist" messages.
I didn't get these messages with my 3.0.2a samba setup, but after the upgrade to 
3.0.3 it is flooding my winbindd.log file, sometimes I get this message every minute in 
my log file.

winbindd.log
==

[2004/05/10 00:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'root' does not exist
[2004/05/10 01:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'root' does not exist
[2004/05/10 02:01:01, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'root' does not exist
[2004/05/10 03:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'root' does not exist
[2004/05/10 04:01:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1029)
user 'root' does not exist

My samba server is a W2k3 domain member of a native W2k3 server, it uses 
winbind (obvious) and kerberos.
wbinfo -u, wbinfo -g, getent passwd and getent group works fine.

The samba shares are available to the Windows domain users without problems.
Samba is compiled with MIT 1.3.1 and CUPS and runs on a RHL9 server.

I performed the upgrade as follows:
- Stopped samba daemons.
- net ads leave.
- performed Samba upgrade
- net ads join (Join Ok).
- Reboot RHL9 server (Samba daemons are started).

Regards,

Alex.

-- 
Regards,

Alex de Vaal.
NHS Department



[Samba] Bug report 3.0.2a; INTERNAL ERROR: Signal 11 in smbd; PANIC: internal error

2004-04-28 Thread Alex de Vaal
smbd [0x80c8779]
Apr 20 18:20:26 dussel smbd[2601]:#21 smbd(process_smb+0x8f)
[0x80c898f]
Apr 20 18:20:26 dussel smbd[2601]:#22 smbd(smbd_process+0x167)
[0x80c95d7]
Apr 20 18:20:26 dussel smbd[2601]:#23 smbd(main+0x4bf) [0x822fd2f]
Apr 20 18:20:26 dussel smbd[2601]:#24
/lib/tls/libc.so.6(__libc_start_main+0xe4) [0x42015574]
Apr 20 18:20:26 dussel smbd[2601]:#25 smbd(ldap_msgfree+0x8d)
[0x8077061]
Apr 20 18:20:26 dussel smbd[2601]:
Apr 20 18:20:27 dussel smbd[2666]: [2004/04/20 18:20:27, 0]
smbd/connection.c:register_message_flags(220)
Apr 20 18:20:27 dussel smbd[2666]:   register_message_flags: tdb_fetch
failed
Apr 20 18:20:39 dussel smbd[2666]: [2004/04/20 18:20:39, 0]

I have 4 print shares (with the same printer driver), so I saw the same
messages appear while I was changing the Printing Defaults on all printer
shares.

The “INTERNAL ERROR: Signal 11 in smbd” error appeared as well in my
test environment as in my “live” environment.

The utilization of the RHL9 server went up a little after 4 panic messages, but
after a reboot the utilization was normal.

The good news is however that everything seems to work fine!!! Windows
XP workstations get their Samba printer shares (+ drivers + appropriate
configuration) in their local "Printers and Faxes" from the logon script and
they can print from Office.
However my log files are flooded with “register_message_flags: tdb_fetch
failed” messages all the time when users print something or when they login
(but no "INTERNAL ERROR: Signal 11 in smbd" messages anymore).
Below is an example of what is logged when a user logs in:

[2004/04/21 16:23:19, 1] smbd/service.c:make_connection_snum(705)
  10.20.63.86 (10.20.63.86) connect to service print$ initially as user root (uid=0, gid=0) (pid 10299)
[2004/04/21 16:23:38, 1] smbd/service.c:close_cnum(887)
  10.20.63.86 (10.20.63.86) closed connection to service print$
[2004/04/21 16:24:14, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed
[2004/04/21 16:24:43, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed

tdbbackup on all samba tdb files doesn’t help! (I used the “locate .tdb”
command to locate all the tdb files).

If more info is required, please let me know.

--
Regards,

Alex de Vaal.
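
The smbd log layout quoted in the message above, parsed as an added example that is not part of the original post: it folds mail-wrapped body lines back onto their header, counts level-0 messages per source function to show what is flooding the log, and lists share connections made as uid 0. It assumes the native smbd log file (not the syslog copy); the sample text is constructed from the lines quoted above, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted above: "[date time, level] file:func(line)"
# header, indented message text, and a mail-wrapped continuation at column 0.
SAMPLE = """\
[2004/04/21 16:23:19, 1] smbd/service.c:make_connection_snum(705)
  10.20.63.86 (10.20.63.86) connect to service print$ initially as user root
(uid=0, gid=0) (pid 10299)
[2004/04/21 16:23:38, 1] smbd/service.c:close_cnum(887)
  10.20.63.86 (10.20.63.86) closed connection to service print$
[2004/04/21 16:24:14, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed
[2004/04/21 16:24:43, 0] smbd/connection.c:register_message_flags(220)
  register_message_flags: tdb_fetch failed
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+?):(\w+)\(\d+\)\s*$")
CONNECT = re.compile(r"^(\S+) \(\S+\) connect to service (\S+) initially as user (\S+) "
                     r"\(uid=(\d+), gid=\d+\)")

def parse_records(text):
    """Attach each body line (or wrapped continuation) to the header before it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func = m.groups()
            records.append({"ts": ts, "level": int(level), "src": src, "func": func, "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def summarize(records):
    """Count level-0 messages per source function; list share connections made as uid 0."""
    noisy = Counter((r["src"], r["func"], r["msg"]) for r in records if r["level"] == 0)
    root_connects = []
    for r in records:
        m = CONNECT.match(r["msg"])
        if m and m.group(4) == "0":
            root_connects.append((r["ts"], m.group(1), m.group(2), m.group(3)))
    return noisy, root_connects

if __name__ == "__main__":
    noisy, root_connects = summarize(parse_records(SAMPLE))
    for (src, func, msg), n in noisy.most_common():
        print(f"{n:5d}  {src}:{func}  {msg}")
    for ts, client, share, user in root_connects:
        print(f"uid 0 session: {ts} {client} -> {share} as {user}")
```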




RE: [Samba] Serious bug in Samba 3.0.2pre1 !!!

2004-01-23 Thread Alex de Vaal
Hi Jerry,

I actually read the WHATSNEW of 3.0.2pre1, but it wasn't that obvious
for me that I had to disable "winbind use default domain = yes" in my
configuration.
My samba setup was working with 3.0.0-2 and the only thing I did was
upgrading to 3.0.2pre1 and not changing my smb.conf file.

After the upgrade to 3.0.2pre1 my samba setup wasn't working anymore, of
course I tested a few things, but everything failed. Downgrading to
3.0.0-2 solved "the problem" again, so I thought I had a bug on my
hands.

After your e-mail I changed "winbind use default domain = yes" to
"winbind use default domain = no" and I upgraded my machine again to
3.0.2pre1 and now it is working.

However, I still see "Username (null) is invalid on this system" appear
in /var/log/samba/.log when I "net use" two mappings to my samba machine
(one to the "grp" and one to the "pub" share) via the Wk3 login script.
Below is the output of the log file when this workstation gets the 2
mappings to my samba shares:

[2004/01/23 15:34:26, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:28, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user NH-TEST\fo6 (uid=10004, gid=1) (pid 1831)
[2004/01/23 15:34:28, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:28, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service pub initially as user NH-TEST\fo6 (uid=10004, gid=1) (pid 1831)
[2004/01/23 15:34:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:29, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service grp initially as user NH-TEST\fo6 (uid=10004, gid=1) (pid 1831)
[2004/01/23 15:34:29, 1] smbd/sesssetup.c:reply_spnego_kerberos(248)
  Username (null) is invalid on this system
[2004/01/23 15:34:29, 1] smbd/service.c:make_connection_snum(705)
  10.15.69.101 (10.15.69.101) connect to service pub initially as user NH-TEST\fo6 (uid=10004, gid=1) (pid 1831)
[2004/01/23 15:35:31, 1] smbd/service.c:close_cnum(887)
  10.15.69.101 (10.15.69.101) closed connection to service grp
[2004/01/23 15:35:31, 1] smbd/service.c:close_cnum(887)
  10.15.69.101 (10.15.69.101) closed connection to service pub

Both the "grp" and the "pub" share have the following configuration:
valid users = @NH-TEST.NL\FO_GRP
getent group: 
NH-TEST\FO_GRP:x:10014:NH-TEST\fo6
getent passwd:
NH-TEST\fo6:x:10004:1:fo6:/data/hom/fo6:/bin/bash
"ls -l" of the "grp" share:
drwxrws---6 root NH-TEST\FO_GRP 4096 Jan 21 17:34 fog

The "fo6" ADS user can now access the "fog" directory! But where does
the "Username (null) is invalid on this system" still come from?


When I set "winbind use default domain" to "yes" and set the following
configuration to my "grp" share:
valid users = @FO_GRP
getent group: 
FO_GRP:x:10014:fo6
fo6:x:10004:1:fo6:/data/hom/fo6:/bin/bash
"ls -l" of the "grp" share:
drwxrws---6 root FO_GRP 4096 Jan 21 17:34 fog

then I only see "Username (null) is invalid on this system" and the W2k
ws has NO access to the "grp" share.

What has changed in 3.0.2pre1 compared to 3.0.0-2 that "winbind use
default domain" has to be set to "no" in my original samba setup?
There is no real need for me to see and use the domain component and
that's why I've set "winbind use default domain" to "yes" in my original
samba setup.
But if I want to work only with ADS groups as valid users on a samba
share, I have to set "winbind use default domain" to "yes" to make it
work, right?

Last question; around which week is the final 3.0.2 release expected?
(Just curious, no other strings attached. ;) 

Best regards,
Alex.

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:[EMAIL PROTECTED] 
Sent: Wednesday 21 January 2004 5:07
To: Alex de Vaal

Alex de Vaal wrote:

> Summarization of the bug in Samba 3.0.2pre1:
> It seems that an ADS group is not valid or detected anymore to access 
> a samba share, in case only an ADS group is used a valid user on a 
> Samba share, because Kerberos is reporting: Username (null) is invalid
> on this system. Besides that, connecting to a share (service) reports 
> with Samba 3.0.0-2 REALM\username (NH-TEST.NL\fo6), but with Samba 
> 3.0.2pre1 connecting to a share (service) reports only username (fo6)
> Downgrading to Samba 3.0.0-2 solves this problem!

Please read the release notes (WHATSNEW).

>winbind use default domain = yes

Disable this parameter and you will 

[Samba] Serious bug in Samba 3.0.2pre1 !!!

2004-01-19 Thread Alex de Vaal
username (NH-TEST.NL\fo6), but with Samba 3.0.2pre1 connecting to
a share (service) reports only username (fo6)
Downgrading to Samba 3.0.0-2 solves this problem!
 
 
smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash) 
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors. 
#
#=== Global Settings ===
[global]
   log file = /var/log/samba/%m.log
   smb passwd file = /etc/samba/smbpasswd
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#"domain master = yes" can't be set in ADS
   domain master = no
   encrypt passwords = yes
   passwd program = /usr/bin/passwd %u
   dns proxy = no 
#netbios name changed for Samba in ADS
   netbios name = LINUX
   level2 oplocks = no
   oplocks = no
   server string = %h server (Samba %v)
   unix password sync = yes
#Workgroup changed for Samba in ADS
   workgroup = NH-TEST
   add user script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
#Security changed to "ADS" for Samba in ADS
   security = ADS
   max log size = 0
#domain logons set to "No" for ADS domain membership
   domain logons = no
 
#Below added for Samba in ADS
   winbind enum users = yes
   winbind enum groups = yes
   template shell = /bin/bash
   template homedir = /data/hom/%U
   winbind uid = 1-2
   winbind gid = 1-2
   winbind use default domain = yes
#"realm =" added for Samba in ADS
   realm = NH-TEST.NL
#"password server =" added for Samba in ADS
   password server = tstsrvr01.nh-test.nl
#"client use spnego = yes" set for Windows 2003. Wk3 requires SMB signing.
   client use spnego = yes
   add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
 
 
# default home share settings
[homes]
   comment = Home Directories
   browseable = no
   writable = yes
##   valid users = %S
   create mode = 0660
   directory mode = 0770
 
# Group Directory
[grp]
   writeable = yes
   inherit permissions = yes
   path = /data/grp
   comment = Group Directory
   valid users = @NH-TEST.NL\FO_GRP,@NH-TEST.NL\SALES_GRP
   browsable = yes
 
# Public Files
[pub]
   path = /data/public
   comment = Public files
   guest ok = yes
   writable = no
   browsable = yes
   write list = @NH-TEST.NL\SALES_GRP
 
# Root data Directory
[root]
   writeable = yes
   inherit permissions = yes
   path = /data
   comment = Root data Directory
   valid users = @NH-TEST.NL\"Domain Admins"
   browsable = yes
 
 
 
krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 ticket_lifetime = 24000
 default_realm = NH-TEST.NL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
 proxiable = true
 
[realms]
 NH-TEST.NL = {
  kdc = tstsrvr01.nh-test.nl:88
  admin_server = tstsrvr01.nh-test.nl:749
  default_domain = nh-test.nl
 }
 
[domain_realm]
 .nh-test.nl = NH-TEST.NL
 nh-test.nl = NH-TEST.NL
 
[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
 
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 
pam.d\login
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_winbind.so
auth       sufficient   pam_unix.so nodelay use_first_pass
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    sufficient   pam_winbind.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
 
 
nsswitch.conf
passwd: files winbind
shadow: files
group:  files winbind
hosts:  files winbind dns
 

-- 
Regards, 
Alex de Vaal. 

